The zero-copy optimization when reading or writing large chunks of data
is quite useful. However, the 9p messages created through the zero-copy
write path have an incorrect message size: it should be the size of the
header + size of the data being written but instead it's just the size
of the header.
This only works if the server ignores the size field of the message and
otherwise breaks the framing of the protocol. Fix this by re-writing the
message size field with the correct value.
Tested by running `dd if=/dev/zero of=out bs=4k count=1` inside a
virtio-9p mount.
Signed-off-by: Chirantan Ekbote <[email protected]>
Reviewed-by: Greg Kurz <[email protected]>
Tested-by: Greg Kurz <[email protected]>
---
net/9p/trans_virtio.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 05006cbb3361..65761381c58f 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -406,6 +406,7 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
p9_debug(P9_DEBUG_TRANS, "virtio request\n");
if (uodata) {
+ __le32 sz;
int n = p9_get_mapped_pages(chan, &out_pages, uodata,
outlen, &offs, &need_drop);
if (n < 0)
@@ -416,6 +417,12 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
memcpy(&req->tc->sdata[req->tc->size - 4], &v, 4);
outlen = n;
}
+ /* The size field of the message must include the length of the
+ * header and the length of the data. We didn't actually know
+ * the length of the data until this point so add it in now.
+ */
+ sz = cpu_to_le32(req->tc->size + outlen);
+ memcpy(&req->tc->sdata[0], &sz, sizeof(sz));
} else if (uidata) {
int n = p9_get_mapped_pages(chan, &in_pages, uidata,
inlen, &offs, &need_drop);
--
2.18.0.203.gfac676dfb9-goog
Chirantan Ekbote wrote on Mon, Jul 16, 2018:
> The zero-copy optimization when reading or writing large chunks of data
> is quite useful. However, the 9p messages created through the zero-copy
> write path have an incorrect message size: it should be the size of the
> header + size of the data being written but instead it's just the size
> of the header.
>
> This only works if the server ignores the size field of the message and
> otherwise breaks the framing of the protocol. Fix this by re-writing the
> message size field with the correct value.
>
> Tested by running `dd if=/dev/zero of=out bs=4k count=1` inside a
> virtio-9p mount.
>
> Signed-off-by: Chirantan Ekbote <[email protected]>
> Reviewed-by: Greg Kurz <[email protected]>
> Tested-by: Greg Kurz <[email protected]>
Ack, I've added this to my queue for 4.19
Thanks for moving the memcpy and the updated comment, it makes it more
clear that these are different fields of the message.
> ---
> net/9p/trans_virtio.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
> index 05006cbb3361..65761381c58f 100644
> --- a/net/9p/trans_virtio.c
> +++ b/net/9p/trans_virtio.c
> @@ -406,6 +406,7 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
> p9_debug(P9_DEBUG_TRANS, "virtio request\n");
>
> if (uodata) {
> + __le32 sz;
> int n = p9_get_mapped_pages(chan, &out_pages, uodata,
> outlen, &offs, &need_drop);
> if (n < 0)
> @@ -416,6 +417,12 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
> memcpy(&req->tc->sdata[req->tc->size - 4], &v, 4);
> outlen = n;
> }
> + /* The size field of the message must include the length of the
> + * header and the length of the data. We didn't actually know
> + * the length of the data until this point so add it in now.
> + */
> + sz = cpu_to_le32(req->tc->size + outlen);
> + memcpy(&req->tc->sdata[0], &sz, sizeof(sz));
> } else if (uidata) {
> int n = p9_get_mapped_pages(chan, &in_pages, uidata,
> inlen, &offs, &need_drop);
--
Dominique Martinet