lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 23 May 2024 10:41:42 -0400
From: Tom Talpey <tom@...pey.com>
To: David Howells <dhowells@...hat.com>, Steve French <sfrench@...ba.org>,
 Paulo Alcantara <pc@...guebit.com>
Cc: Shyam Prasad N <nspmangalore@...il.com>,
 Rohith Surabattula <rohiths.msft@...il.com>, Jeff Layton
 <jlayton@...nel.org>, linux-cifs@...r.kernel.org, netfs@...ts.linux.dev,
 linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] cifs: Fix credit handling in cifs_io_subrequest
 cleanup

On 5/22/2024 6:59 PM, David Howells wrote:
>      
> When a cifs_io_subrequest (wrapping a netfs_io_subrequest) is cleaned up in
> cifs_free_subrequest(), it releases any credits that are left in
> rdata->credits.  However, this is a problem because smb2_writev_callback()
> calls add_credits() to add the new credits from the response header
> CreditRequest to the available pool.
> 
> This can cause a warning to be emitted in smb2_add_credits() as
> server->in_flight gets doubly decremented and a later operation sees it
> having prematurely reached 0.
> 
> Fix this by clearing the credit count after actually issuing the request on
> the assumption that we've given the credits back to the server (it will
> give us new credits in the reply).

 From a protocol standpoint it's correct to reserve the credits while the
operation is in flight. But from a code standpoint it seems risky to
stop accounting for them. What if the operation is canceled, or times
out?

I'd quibble with the assertion that the server will "give us new credits
in the response". The number of granted credits is always the server's
decision, not guaranteed by the protocol (except for certain edge
conditions).

I guess I'd suggest a deeper review by someone familiar with the
mechanics of fs/smb/client credit accounting. It might be ok!

Tom.

> Signed-off-by: David Howells <dhowells@...hat.com>
> cc: Steve French <sfrench@...ba.org>
> cc: Paulo Alcantara <pc@...guebit.com>
> cc: Shyam Prasad N <nspmangalore@...il.com>
> cc: Rohith Surabattula <rohiths.msft@...il.com>
> cc: Jeff Layton <jlayton@...nel.org>
> cc: linux-cifs@...r.kernel.org
> cc: netfs@...ts.linux.dev
> cc: linux-fsdevel@...r.kernel.org
> ---
>   fs/smb/client/file.c |    7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
> index 9d5c2440abfc..73e2765c4d2f 100644
> --- a/fs/smb/client/file.c
> +++ b/fs/smb/client/file.c
> @@ -110,6 +110,7 @@ static void cifs_issue_write(struct netfs_io_subrequest *subreq)
>   		goto fail;
>   
>   	wdata->server->ops->async_writev(wdata);
> +	wdata->credits.value = 0;
>   out:
>   	return;
>   
> @@ -205,10 +206,12 @@ static void cifs_req_issue_read(struct netfs_io_subrequest *subreq)
>   
>   	rc = adjust_credits(rdata->server, &rdata->credits, rdata->subreq.len);
>   	if (!rc) {
> -		if (rdata->req->cfile->invalidHandle)
> +		if (rdata->req->cfile->invalidHandle) {
>   			rc = -EAGAIN;
> -		else
> +		} else {
>   			rc = rdata->server->ops->async_readv(rdata);
> +			rdata->credits.value = 0;
> +		}
>   	}
>   
>   out:
> 
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ