From: David Laight <david.laight.linux@gmail.com>
To: "Pierre Barre" <pierre@barre.sh>
Cc: "Eric Van Hensbergen" <ericvh@kernel.org>,
"Latchesar Ionkov" <lucho@ionkov.net>,
"Dominique Martinet" <asmadeus@codewreck.org>,
"Christian Schoenebeck" <linux_oss@crudebyte.com>,
v9fs@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] 9p: use kvzalloc for readdir buffer
Date: Wed, 15 Apr 2026 10:01:57 +0100 [thread overview]
Message-ID: <20260415100157.4aa33364@pumpkin> (raw)
In-Reply-To: <06399e04-b019-4c3d-b941-5771b6ac33c2@app.fastmail.com>
On Wed, 15 Apr 2026 07:45:08 +0200
"Pierre Barre" <pierre@barre.sh> wrote:
> The readdir buffer is sized to msize, so kzalloc() can fail under
> fragmentation with a page allocation failure in v9fs_alloc_rdir_buf()
> / v9fs_dir_readdir_dotl().
>
> The buffer is only a response sink and is never pack_sg_list()'d,
> so kvzalloc() is safe for all transports, unlike the fcall buffers
> fixed in e21d451a82f3.
>
> Signed-off-by: Pierre Barre <pierre@barre.sh>
> ---
> fs/9p/vfs_dir.c | 2 +-
> net/9p/client.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
> index af7f72abbb76..487c177aae38 100644
> --- a/fs/9p/vfs_dir.c
> +++ b/fs/9p/vfs_dir.c
> @@ -70,7 +70,7 @@ static struct p9_rdir *v9fs_alloc_rdir_buf(struct file *filp, int buflen)
> struct p9_fid *fid = filp->private_data;
>
> if (!fid->rdir)
> - fid->rdir = kzalloc(sizeof(struct p9_rdir) + buflen, GFP_KERNEL);
> + fid->rdir = kvzalloc(sizeof(struct p9_rdir) + buflen, GFP_KERNEL);
That code isn't really well thought out at all.
The default for buflen seems to be 128k + 24 - 24.
struct p9_rdir adds another 8 bytes, I'm not sure whether that doubles it to
128k or just adds an extra page (which might be 64k not 4k).
It also looks as though the user can specify an arbitrary buffers size (min 4k).
So who knows how big that (and other associated) buffers actually are.
The buffer seems to persist across readdir() system calls.
I can't see any code that might attempt to honour seekdir().
I hope there is a global lock that stops multiple threads issuing readdir()
on the same fd in parallel.
David
> return fid->rdir;
> }
>
> diff --git a/net/9p/client.c b/net/9p/client.c
> index f60d1d041adb..6d9b9054841e 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -765,7 +765,7 @@ static void p9_fid_destroy(struct p9_fid *fid)
> spin_lock_irqsave(&clnt->lock, flags);
> idr_remove(&clnt->fids, fid->fid);
> spin_unlock_irqrestore(&clnt->lock, flags);
> - kfree(fid->rdir);
> + kvfree(fid->rdir);
> kfree(fid);
> }
>
> --
> 2.51.0
>
next prev parent reply other threads:[~2026-04-15 9:02 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-15 5:45 [PATCH] 9p: use kvzalloc for readdir buffer Pierre Barre
2026-04-15 9:01 ` David Laight [this message]
2026-04-15 9:27 ` Pierre Barre
2026-04-15 10:36 ` David Laight
2026-04-16 2:31 ` Dominique Martinet
2026-04-16 9:18 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260415100157.4aa33364@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=asmadeus@codewreck.org \
--cc=ericvh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux_oss@crudebyte.com \
--cc=lucho@ionkov.net \
--cc=pierre@barre.sh \
--cc=v9fs@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox