From patchwork Sun Jun 21 21:12:14 2015
X-Patchwork-Submitter: Al Viro
X-Patchwork-Id: 6652921
Date: Sun, 21 Jun 2015 22:12:14 +0100
From: Al Viro
To: Andrey Ryabinin
Cc: Linus Torvalds, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [git pull] vfs part 2
Message-ID: <20150621211213.GA18732@ZenIV.linux.org.uk>
References: <20150415181406.GL889@ZenIV.linux.org.uk> <5538C66F.4050404@samsung.com>
In-Reply-To: <5538C66F.4050404@samsung.com>

On Thu, Apr 23, 2015 at 01:16:15PM +0300, Andrey Ryabinin wrote:
> This change caused following:
> This could happen when p9pdu_readf() changes 'count' to some value > iov_iter_count(from):
>
> p9_client_write():
> 	<...>
> 	int count = iov_iter_count(from);
> 	<...>
> 	*err = p9pdu_readf(req->rc, clnt->proto_version, "d", &count);
> 	<...>
> 	iov_iter_advance(from, count);

*blink*

That's a bug, all right, but I would love to see how you trigger it. It would require server to respond to "write that many bytes" with "OK, bytes written". We certainly need to cope with that (we can't trust the server to be sane), but if that's what is going on, you've got a server bug as well.

Could you check if the patch below triggers WARN_ON() in it on your reproducer? p9_client_read() has a similar issue as well...

---
diff --git a/net/9p/client.c b/net/9p/client.c index 6f4c4c8..f99bce7 100644 --- a/net/9p/client.c +++ b/net/9p/client.c 
@@ -1588,6 +1588,10 @@ p9_client_read(struct p9_fid *fid, u64 offset, struct iov_iter *to, int *err) p9_free_req(clnt, req); break; } + if (count > rsize) { + WARN_ON(1); + count = rsize; + } if (non_zc) { int n = copy_to_iter(dataptr, count, to); @@ -1650,6 +1654,10 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) } p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count); + if (count > rsize) { + WARN_ON(1); + count = rsize; + } p9_free_req(clnt, req); iov_iter_advance(from, count);
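Review bot: In the p9_client_read() hunk, the bare WARN_ON(1) is reached purely on a value the server supplied, so every oversized reply produces a full backtrace with no rate limit, and on a machine that has panic_on_warn set a misbehaving server can take the client down. That is fine for confirming the reproducer, but for the version that gets merged I would log the bad count once or rate-limited (the write path in this patch already calls p9_debug()) and keep the clamp before copy_to_iter(), or fail the read through *err. If the warning stays, `if (WARN_ON(count > rsize)) count = rsize;` says the same thing in two lines.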
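Review bot: In the p9_client_write() hunk, the `count > rsize` test does not cover a negative count. The quoted snippet declares `int count` and the p9_debug() line prints it with %d, so a reply whose 32-bit count has the top bit set arrives here as a negative number; if rsize is also a signed int (its declaration is not in the visible context) the comparison is false and iov_iter_advance(from, count) still receives the bogus value. Suggest testing `count < 0 || count > rsize`, or making count unsigned, and the same applies to the check added in p9_client_read().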