>From 2558382c8a030f7261e47977ac62412cd78e6d38 Mon Sep 17 00:00:00 2001
From: Arun KS <[email protected]>
Date: Thu, 8 Aug 2013 18:23:04 +0530
Subject: Seq File: Return error if d_path fails
Return error if d_path fails in seq_path funciton. If we do not return
from here,
seq_commit sets seq_file state as overflow. And this continues in a
loop utill we
increase the size of seq buf beyond KMALLOC_MAX_SIZE.
[ 363.192565] ------------[ cut here ]------------
[ 363.199462] WARNING: at mm/slab_common.c:377 kmalloc_slab+0x34/0x9c()
[ 363.208557] Modules linked in:
[ 363.212219] CPU: 1 PID: 1742 Comm: Binder_2 Tainted: G W
3.10.0+ #17
[ 363.222930] [<c00151c4>] (unwind_backtrace+0x0/0x11c) from
[<c0011a24>] (show_stack+0x10/0x14)
[ 363.235229] [<c0011a24>] (show_stack+0x10/0x14) from [<c0059fb0>]
(warn_slowpath_common+0x4c/0x68)
[ 363.247253] [<c0059fb0>] (warn_slowpath_common+0x4c/0x68) from
[<c0059fe4>] (warn_slowpath_null+0x18/0x1c)
[ 363.259307] [<c0059fe4>] (warn_slowpath_null+0x18/0x1c) from
[<c00fa400>] (kmalloc_slab+0x34/0x9c)
[ 363.270812] [<c00fa400>] (kmalloc_slab+0x34/0x9c) from [<c010ec20>]
(__kmalloc+0x14/0x1fc)
[ 363.281433] [<c010ec20>] (__kmalloc+0x14/0x1fc) from [<c012ef70>]
(seq_read+0x24c/0x438)
[ 363.291992] [<c012ef70>] (seq_read+0x24c/0x438) from [<c011389c>]
(vfs_read+0xac/0x124)
[ 363.302398] [<c011389c>] (vfs_read+0xac/0x124) from [<c0113a38>]
(SyS_read+0x3c/0x60)
[ 363.312591] [<c0113a38>] (SyS_read+0x3c/0x60) from [<c000e180>]
(ret_fast_syscall+0x0/0x48)
[ 363.323303] ---[ end trace 46c6467e2db7bcd4 ]---
Change-Id: If6b97a0f83aa3293c09d5b2e9aca5d0ac5fd0774
Signed-off-by: Arun KS <[email protected]>
---
fs/seq_file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/seq_file.c b/fs/seq_file.c
index 774c1eb..3d08377 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -471,7 +471,8 @@ int seq_path(struct seq_file *m, const struct path
*path, const char *esc)
char *end = mangle_path(buf, p, esc);
if (end)
res = end - buf;
- }
+ } else
+ return PTR_ERR(p);
}
seq_commit(m, res);
--
1.8.2
On Thu, 8 Aug 2013 19:03:31 +0530 Arun KS <[email protected]> wrote:
> >From 2558382c8a030f7261e47977ac62412cd78e6d38 Mon Sep 17 00:00:00 2001
> From: Arun KS <[email protected]>
> Date: Thu, 8 Aug 2013 18:23:04 +0530
> Subject: Seq File: Return error if d_path fails
>
> Return error if d_path fails in seq_path funciton. If we do not return
> from here,
> seq_commit sets seq_file state as overflow. And this continues in a
> loop utill we
> increase the size of seq buf beyond KMALLOC_MAX_SIZE.
>
> ...
>
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -471,7 +471,8 @@ int seq_path(struct seq_file *m, const struct path
> *path, const char *esc)
> char *end = mangle_path(buf, p, esc);
> if (end)
> res = end - buf;
> - }
> + } else
> + return PTR_ERR(p);
> }
> seq_commit(m, res);
hm, does that really fix the bug? Isn't the core problem the word "or":
/**
* seq_commit - commit data to the buffer
* @m: the seq_file handle
* @num: the number of bytes to commit
*
* Commit @num bytes of data written to a buffer previously acquired
* by seq_buf_get. To signal an error condition, or that the data
^^
* didn't fit in the available space, pass a negative @num value.
*/
seq_path()/seq_commit() is treating a d_path() failure as an overflow
condition, but it isn't.
Hi Andrew,
On Tue, Aug 13, 2013 at 3:19 AM, Andrew Morton
<[email protected]> wrote:
> On Thu, 8 Aug 2013 19:03:31 +0530 Arun KS <[email protected]> wrote:
>
>> >From 2558382c8a030f7261e47977ac62412cd78e6d38 Mon Sep 17 00:00:00 2001
>> From: Arun KS <[email protected]>
>> Date: Thu, 8 Aug 2013 18:23:04 +0530
>> Subject: Seq File: Return error if d_path fails
>>
>> Return error if d_path fails in seq_path funciton. If we do not return
>> from here,
>> seq_commit sets seq_file state as overflow. And this continues in a
>> loop utill we
>> increase the size of seq buf beyond KMALLOC_MAX_SIZE.
>>
>> ...
>>
>> --- a/fs/seq_file.c
>> +++ b/fs/seq_file.c
>> @@ -471,7 +471,8 @@ int seq_path(struct seq_file *m, const struct path
>> *path, const char *esc)
>> char *end = mangle_path(buf, p, esc);
>> if (end)
>> res = end - buf;
>> - }
>> + } else
>> + return PTR_ERR(p);
>> }
>> seq_commit(m, res);
>
> hm, does that really fix the bug? Isn't the core problem the word "or":
>
> /**
> * seq_commit - commit data to the buffer
> * @m: the seq_file handle
> * @num: the number of bytes to commit
> *
> * Commit @num bytes of data written to a buffer previously acquired
> * by seq_buf_get. To signal an error condition, or that the data
> ^^
> * didn't fit in the available space, pass a negative @num value.
> */
>
> seq_path()/seq_commit() is treating a d_path() failure as an overflow
> condition, but it isn't.
>
I ll send a new patch.
Thanks,
Arun