From: Al Viro <viro@ZenIV.linux.org.uk>
To: Djalal Harouni <tixxdz@opendz.org>
Cc: David Miller <davem@davemloft.net>,
Nick Piggin <npiggin@kernel.dk>,
Lucas De Marchi <lucas.demarchi@profusion.mobi>,
Andrew Morton <akpm@linux-foundation.org>,
Tejun Heo <tj@kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fs/ncpfs: fix error paths and goto statements in ncp_fill_super()
Date: Wed, 14 Dec 2011 06:52:45 +0000 [thread overview]
Message-ID: <20111214065245.GL2203@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20111213014729.GA7693@dztty>
[davem Cc'd, since there's an ugly socket-related problem in that area]
On Tue, Dec 13, 2011 at 02:47:29AM +0100, Djalal Harouni wrote:
> The label 'out_bdi' should be followed by bdi_destroy() instead of
> fput() which should be after the 'out_fput' label.
>
> If bdi_setup_and_register() fails then jump to the 'out_fput' label
> instead of the 'out_bdi' one.
>
> If fget(data.info_fd) fails then jump to the previously fixed 'out_bdi'
> label to call bdi_destroy() otherwise the bdi object will not be
> destroyed.
>
> Compile tested only.
Applied, but now that I've looked at that code... It, along with several
other places, overwrites a bunch of fields in sock->sk. What happens if
some joker feeds that descriptor to, say, svc_addsock()? It does the
same kind of thing, and both assume that no bonehead programmer would
ever do something that dumb. Moreover, what if somebody feeds the same fd
to ncpfs mount or svc_addsock twice?
I'd done a quick grep and AFAICS, most of the places doing that kind of thing
is acting on internally created socket, so no such problem for them. Or
they take care to check that somebody has already done that to socket in
question. Potentially unpleasant ones:
drivers/scsi/iscsi_tcp.c:iscsi_sw_tcp_conn_bind()
fs/dlm/lowcomms.c:process_sctp_notification()
fs/ncpfs/inode.c:ncp_fill_super()
net/sunrpc/svcsock.c:svc_addsock()
I'm not familiar with that area at all; not even enough to tell if locking
is wrong in svc_addsock() - I suspect that it is, but...
Dave, am I right assuming that all those places ought to check if somebody
is already parasiting on the socket in question and fail with -EBUSY or
something like that?
prev parent reply other threads:[~2011-12-14 6:53 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-13 1:47 [PATCH] fs/ncpfs: fix error paths and goto statements in ncp_fill_super() Djalal Harouni
2011-12-14 6:52 ` Al Viro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111214065245.GL2203@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lucas.demarchi@profusion.mobi \
--cc=npiggin@kernel.dk \
--cc=tixxdz@opendz.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).