lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 1 Jul 2015 07:27:52 +0100
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Andrey Ryabinin <a.ryabinin@...sung.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [git pull] vfs part 2

On Mon, Jun 22, 2015 at 03:02:11PM +0300, Andrey Ryabinin wrote:
> On 06/22/2015 12:12 AM, Al Viro wrote:
> > On Thu, Apr 23, 2015 at 01:16:15PM +0300, Andrey Ryabinin wrote:
> >> This change caused following:
> > 
> >> This could happen when p9pdu_readf() changes 'count' to some value > iov_iter_count(from):
> >>
> >> p9_client_write():
> >> <...>
> >> 		int count = iov_iter_count(from);
> >> <...>
> >> 		*err = p9pdu_readf(req->rc, clnt->proto_version, "d", &count);
> >> <...>
> >> 		iov_iter_advance(from, count);
> > 
> > *blink*
> > 
> > That's a bug, all right, but I would love to see how you trigger it.
> > It would require server to respond to "write that many bytes" with "OK,
> > <greater number> bytes written".  We certainly need to cope with that
> > (we can't trust the server to be sane), but if that's what is going on,
> > you've got a server bug as well.
> > 
> > Could you check if the patch below triggers WARN_ON() in it on your
> > reproducer?  p9_client_read() has a similar issue as well...
> > 
> 
> I've tried something like your patch before to check the read side
> and I haven't seen anything before and don't see it right now.
> Though, this doesn't mean that there is no problem with read.
> I mean that trinity hits this on write and may just not hit this on read.

"This" being the WARN_ON() in that patch?  Could you please run the same
test with the following delta and post its printks?  It's one thing if
you are hitting a buggy server, it gets confused and tells you it has
written more bytes than you told it to write.  Quite a different story
in case if we are miscalculating the size we are putting into RWRITE
packet and/or advancing the iterator when we shouldn't...

What server are you using, BTW?  And which transport (virtio or network -
IOW, is it zero-copy path or not)?

diff --git a/net/9p/client.c b/net/9p/client.c
index 6f4c4c8..80e45a5 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -1638,6 +1638,9 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
 			req = p9_client_rpc(clnt, P9_TWRITE, "dqV", fid->fid,
 						    offset, rsize, from);
 		}
+		if (iov_iter_count(from) != count)
+			printk(KERN_ERR "fucked: iterator got advanced [%d -> %zd]\n",
+					count, iov_iter_count(from));
 		if (IS_ERR(req)) {
 			*err = PTR_ERR(req);
 			break;
@@ -1649,6 +1652,10 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
 			p9_free_req(clnt, req);
 		}
 
+		if (count > rsize)
+			printk(KERN_ERR "fucked: sent %d, server says it got %d (err = %d)\n",
+				rsize, count, *err);
+
 		p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count);
 
 		p9_free_req(clnt, req);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ