2011-02-03 19:16:27

by Jesper Juhl

Subject: [PATCH] Fix size argument to memset call in nfsacl_encode

We want to give memset() the sizeof(struct posix_acl), not
sizeof(struct posix_acl *).

Signed-off-by: Jesper Juhl <[email protected]>
---
nfsacl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
index 84c27d6..bc6d81b 100644
--- a/fs/nfs_common/nfsacl.c
+++ b/fs/nfs_common/nfsacl.c
@@ -117,7 +117,7 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
* invoked in contexts where a memory allocation failure is
* fatal. Fortunately this fake ACL is small enough to
* construct on the stack. */
- memset(acl2, 0, sizeof(acl2));
+ memset(acl2, 0, sizeof(*acl2));
posix_acl_init(acl2, 4);

/* Insert entries in canonical order: other orders seem
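
Review bot: on the changed line, `sizeof(*acl2)` is the size of the structure acl2 points to, so whether this zeroes the whole fake ACL depends on where the 4 entries requested by `posix_acl_init(acl2, 4)` on the next line live; if they follow the structure rather than sit inside it, they stay unzeroed and the length has to cover them too. Because `posix_acl_init()` runs immediately after the memset, the changelog should also say which bytes the memset is still needed for, or the call should be dropped rather than resized.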
--
Jesper Juhl <[email protected]> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


2011-02-03 19:28:53

by Myklebust, Trond

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode

On Thu, 2011-02-03 at 20:15 +0100, Jesper Juhl wrote:
> We want to give memset() the sizeof(struct posix_acl), not
> sizeof(struct posix_acl *).
>
> Signed-off-by: Jesper Juhl <[email protected]>
> ---
> nfsacl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
> index 84c27d6..bc6d81b 100644
> --- a/fs/nfs_common/nfsacl.c
> +++ b/fs/nfs_common/nfsacl.c
> @@ -117,7 +117,7 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
> * invoked in contexts where a memory allocation failure is
> * fatal. Fortunately this fake ACL is small enough to
> * construct on the stack. */
> - memset(acl2, 0, sizeof(acl2));
> + memset(acl2, 0, sizeof(*acl2));
> posix_acl_init(acl2, 4);
>
> /* Insert entries in canonical order: other orders seem

Ccing Milton Miller who also sent in the same patch.

Neither patch is correct afaics. posix_acl_init() will clobber the above
memset, and so the correct fix is just to get rid of it...

Cheers
Trond
--
Trond Myklebust
Linux NFS client maintainer

NetApp
[email protected]
http://www.netapp.com

2011-02-03 19:42:05

by Jesper Juhl

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode

On Thu, 3 Feb 2011, Trond Myklebust wrote:

> On Thu, 2011-02-03 at 20:15 +0100, Jesper Juhl wrote:
> > We want to give memset() the sizeof(struct posix_acl), not
> > sizeof(struct posix_acl *).
> >
> > Signed-off-by: Jesper Juhl <[email protected]>
> > ---
> > nfsacl.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
> > index 84c27d6..bc6d81b 100644
> > --- a/fs/nfs_common/nfsacl.c
> > +++ b/fs/nfs_common/nfsacl.c
> > @@ -117,7 +117,7 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
> > * invoked in contexts where a memory allocation failure is
> > * fatal. Fortunately this fake ACL is small enough to
> > * construct on the stack. */
> > - memset(acl2, 0, sizeof(acl2));
> > + memset(acl2, 0, sizeof(*acl2));
> > posix_acl_init(acl2, 4);
> >
> > /* Insert entries in canonical order: other orders seem
>
> Ccing Milton Miller who also sent in the same patch.
>
> Neither patch is correct afaics. posix_acl_init() will clobber the above
> memset, and so the correct fix is just to get rid of it...
>

posix_acl_init() sets a_refcount and a_count, but what about a_entries ...
no problem, nfsacl_encode() itself takes care of that post the
posix_acl_init() call.. it's all good.

So ...


Remove pointless memset() in nfsacl_encode().

Thanks to Trond Myklebust <[email protected]> for pointing out
that it is not needed since posix_acl_init() will set everything
regardless..

Signed-off-by: Jesper Juhl <[email protected]>
---
nfsacl.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
index 84c27d6..ec0f277 100644
--- a/fs/nfs_common/nfsacl.c
+++ b/fs/nfs_common/nfsacl.c
@@ -117,7 +117,6 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
* invoked in contexts where a memory allocation failure is
* fatal. Fortunately this fake ACL is small enough to
* construct on the stack. */
- memset(acl2, 0, sizeof(acl2));
posix_acl_init(acl2, 4);

/* Insert entries in canonical order: other orders seem
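
Review bot: the changelog justifies dropping `memset(acl2, 0, sizeof(acl2));` with "posix_acl_init() will set everything", but the context comment says the fake ACL is constructed on the stack, so any byte that `posix_acl_init(acl2, 4)` and the later entry assignments do not write keeps old stack contents. Please state in the changelog that the entries are filled in after this point and that the structure is never copied out as a whole, and mention that the removed call only cleared `sizeof(acl2)` bytes, the size of a pointer, so it never zeroed the full object in the first place.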


--
Jesper Juhl <[email protected]> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

2011-02-03 20:00:32

by Chuck Lever

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode


On Feb 3, 2011, at 2:41 PM, Jesper Juhl wrote:

> On Thu, 3 Feb 2011, Trond Myklebust wrote:
>
>> On Thu, 2011-02-03 at 20:15 +0100, Jesper Juhl wrote:
>>> We want to give memset() the sizeof(struct posix_acl), not
>>> sizeof(struct posix_acl *).
>>>
>>> Signed-off-by: Jesper Juhl <[email protected]>
>>> ---
>>> nfsacl.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
>>> index 84c27d6..bc6d81b 100644
>>> --- a/fs/nfs_common/nfsacl.c
>>> +++ b/fs/nfs_common/nfsacl.c
>>> @@ -117,7 +117,7 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
>>> * invoked in contexts where a memory allocation failure is
>>> * fatal. Fortunately this fake ACL is small enough to
>>> * construct on the stack. */
>>> - memset(acl2, 0, sizeof(acl2));
>>> + memset(acl2, 0, sizeof(*acl2));
>>> posix_acl_init(acl2, 4);
>>>
>>> /* Insert entries in canonical order: other orders seem
>>
>> Ccing Milton Miller who also sent in the same patch.
>>
>> Neither patch is correct afaics. posix_acl_init() will clobber the above
>> memset, and so the correct fix is just to get rid of it...
>>
>
> posix_acl_init() sets a_refcount and a_count, but what about a_entries ...
> no problem, nfsacl_encode() itself takes care of that post the
> posix_acl_init() call.. it's all good.
>
> So ...
>
>
> Remove pointless memset() in nfsacl_encode().
>
> Thanks to Trond Myklebust <[email protected]> for pointing out
> that it is not needed since posix_acl_init() will set everything
> regardless..
>
> Signed-off-by: Jesper Juhl <[email protected]>
> ---
> nfsacl.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
> index 84c27d6..ec0f277 100644
> --- a/fs/nfs_common/nfsacl.c
> +++ b/fs/nfs_common/nfsacl.c
> @@ -117,7 +117,6 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
> * invoked in contexts where a memory allocation failure is
> * fatal. Fortunately this fake ACL is small enough to
> * construct on the stack. */
> - memset(acl2, 0, sizeof(acl2));
> posix_acl_init(acl2, 4);
>
> /* Insert entries in canonical order: other orders seem

If there is a guarantee that random data that potentially resides between the fields in that structure will never appear on the wire, then ACK.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com



2011-02-03 20:07:15

by Myklebust, Trond

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode

On Thu, 2011-02-03 at 15:00 -0500, Chuck Lever wrote:
> On Feb 3, 2011, at 2:41 PM, Jesper Juhl wrote:
>
> > On Thu, 3 Feb 2011, Trond Myklebust wrote:
> >
> >> On Thu, 2011-02-03 at 20:15 +0100, Jesper Juhl wrote:
> >>> We want to give memset() the sizeof(struct posix_acl), not
> >>> sizeof(struct posix_acl *).
> >>>
> >>> Signed-off-by: Jesper Juhl <[email protected]>
> >>> ---
> >>> nfsacl.c | 2 +-
> >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
> >>> index 84c27d6..bc6d81b 100644
> >>> --- a/fs/nfs_common/nfsacl.c
> >>> +++ b/fs/nfs_common/nfsacl.c
> >>> @@ -117,7 +117,7 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
> >>> * invoked in contexts where a memory allocation failure is
> >>> * fatal. Fortunately this fake ACL is small enough to
> >>> * construct on the stack. */
> >>> - memset(acl2, 0, sizeof(acl2));
> >>> + memset(acl2, 0, sizeof(*acl2));
> >>> posix_acl_init(acl2, 4);
> >>>
> >>> /* Insert entries in canonical order: other orders seem
> >>
> >> Ccing Milton Miller who also sent in the same patch.
> >>
> >> Neither patch is correct afaics. posix_acl_init() will clobber the above
> >> memset, and so the correct fix is just to get rid of it...
> >>
> >
> > posix_acl_init() sets a_refcount and a_count, but what about a_entries ...
> > no problem, nfsacl_encode() itself takes care of that post the
> > posix_acl_init() call.. it's all good.
> >
> > So ...
> >
> >
> > Remove pointless memset() in nfsacl_encode().
> >
> > Thanks to Trond Myklebust <[email protected]> for pointing out
> > that it is not needed since posix_acl_init() will set everything
> > regardless..
> >
> > Signed-off-by: Jesper Juhl <[email protected]>
> > ---
> > nfsacl.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
> > index 84c27d6..ec0f277 100644
> > --- a/fs/nfs_common/nfsacl.c
> > +++ b/fs/nfs_common/nfsacl.c
> > @@ -117,7 +117,6 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
> > * invoked in contexts where a memory allocation failure is
> > * fatal. Fortunately this fake ACL is small enough to
> > * construct on the stack. */
> > - memset(acl2, 0, sizeof(acl2));
> > posix_acl_init(acl2, 4);
> >
> > /* Insert entries in canonical order: other orders seem
>
> If there is a guarantee that random data that potentially resides between the fields in that structure will never appear on the wire, then ACK.
>

Yes, that is guaranteed. The posix_acl structure is initialised by
posix_acl_init above, and the array itself is initialised by us in the
lines following that...

--
Trond Myklebust
Linux NFS client maintainer

NetApp
[email protected]
http://www.netapp.com

2011-02-03 20:29:42

by Chuck Lever

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode


On Feb 3, 2011, at 3:06 PM, Trond Myklebust wrote:

> On Thu, 2011-02-03 at 15:00 -0500, Chuck Lever wrote:
>> On Feb 3, 2011, at 2:41 PM, Jesper Juhl wrote:
>>
>>> On Thu, 3 Feb 2011, Trond Myklebust wrote:
>>>
>>>> On Thu, 2011-02-03 at 20:15 +0100, Jesper Juhl wrote:
>>>>> We want to give memset() the sizeof(struct posix_acl), not
>>>>> sizeof(struct posix_acl *).
>>>>>
>>>>> Signed-off-by: Jesper Juhl <[email protected]>
>>>>> ---
>>>>> nfsacl.c | 2 +-
>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
>>>>> index 84c27d6..bc6d81b 100644
>>>>> --- a/fs/nfs_common/nfsacl.c
>>>>> +++ b/fs/nfs_common/nfsacl.c
>>>>> @@ -117,7 +117,7 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
>>>>> * invoked in contexts where a memory allocation failure is
>>>>> * fatal. Fortunately this fake ACL is small enough to
>>>>> * construct on the stack. */
>>>>> - memset(acl2, 0, sizeof(acl2));
>>>>> + memset(acl2, 0, sizeof(*acl2));
>>>>> posix_acl_init(acl2, 4);
>>>>>
>>>>> /* Insert entries in canonical order: other orders seem
>>>>
>>>> Ccing Milton Miller who also sent in the same patch.
>>>>
>>>> Neither patch is correct afaics. posix_acl_init() will clobber the above
>>>> memset, and so the correct fix is just to get rid of it...
>>>>
>>>
>>> posix_acl_init() sets a_refcount and a_count, but what about a_entries ...
>>> no problem, nfsacl_encode() itself takes care of that post the
>>> posix_acl_init() call.. it's all good.
>>>
>>> So ...
>>>
>>>
>>> Remove pointless memset() in nfsacl_encode().
>>>
>>> Thanks to Trond Myklebust <[email protected]> for pointing out
>>> that it is not needed since posix_acl_init() will set everything
>>> regardless..
>>>
>>> Signed-off-by: Jesper Juhl <[email protected]>
>>> ---
>>> nfsacl.c | 1 -
>>> 1 file changed, 1 deletion(-)
>>>
>>> diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
>>> index 84c27d6..ec0f277 100644
>>> --- a/fs/nfs_common/nfsacl.c
>>> +++ b/fs/nfs_common/nfsacl.c
>>> @@ -117,7 +117,6 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
>>> * invoked in contexts where a memory allocation failure is
>>> * fatal. Fortunately this fake ACL is small enough to
>>> * construct on the stack. */
>>> - memset(acl2, 0, sizeof(acl2));
>>> posix_acl_init(acl2, 4);
>>>
>>> /* Insert entries in canonical order: other orders seem
>>
>> If there is a guarantee that random data that potentially resides between the fields in that structure will never appear on the wire, then ACK.
>>
>
> Yes, that is guaranteed. The posix_acl structure is initialised by
> posix_acl_init above, and the array itself is initialised by us in the
> lines following that...

Sorry, I wasn't clear. IMO, data that is destined for the network is an important case where we have to be careful about the rule of using either assignments or memset(), not both, when initializing a data structure.

If the compiler doesn't pack the fields in struct posix_acl, there is unused space between them. Memory for acl2 comes from the stack, which contains arbitrary data when this function is invoked. The areas between the structure fields are not affected by the variable assignments used here. If the data in acl2 is then simply memcpy'd to the XDR buffer, that old stack data can possibly appear on the wire.

I agree that the current memset() is incorrect. My conditional ACK was more about what happens in xdr_encode_array2() rather than how the posix_acl acl2 is initialized. I think in that regard we are also safe, if the array encoding operates by data type rather than by simply doing a blanket memcpy. See xdr_nfsace_encode(). It's always possible I misunderstood how ACEs are XDR encoded.

It's a nit at this point, so ACK.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com



2011-02-03 21:55:30

by Myklebust, Trond

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode

On Thu, 2011-02-03 at 15:29 -0500, Chuck Lever wrote:
> Sorry, I wasn't clear. IMO, data that is destined for the network is an important case where we have to be careful about the rule of using either assignments or memset(), not both, when initializing a data structure.
>
> If the compiler doesn't pack the fields in struct posix_acl, there is unused space between them. Memory for acl2 comes from the stack, which contains arbitrary data when this function is invoked. The areas between the structure fields are not affected by the variable assignments used here. If the data in acl2 is then simply memcpy'd to the XDR buffer, that old stack data can possibly appear on the wire.
>
> I agree that the current memset() is incorrect. My conditional ACK was more about what happens in xdr_encode_array2() rather than how the posix_acl acl2 is initialized. I think in that regard we are also safe, if the array encoding operates by data type rather than by simply doing a blanket memcpy. See xdr_nfsace_encode(). It's always possible I misunderstood how ACEs are XDR encoded.

We shouldn't ever be memcopying entire structures directly to or from
the XDR buffer, and as far as I know, the current code will always copy
them element by element.

--
Trond Myklebust
Linux NFS client maintainer

NetApp
[email protected]
http://www.netapp.com
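
Added example, not code from this thread or from the kernel: it shows the padding concern discussed in the two messages above, and why element-by-element encoding avoids it where a blanket memcpy does not. `struct demo_entry`, the 0xAA poison value and every function name are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA /* constructed stand-in for stale stack contents */

/* Hypothetical entry type, not the kernel's ACL entry structure. */
struct demo_entry {
    uint8_t  tag; /* common ABIs insert 3 padding bytes after this */
    uint32_t id;
};
/* Bytes of the struct that belong to no member. */
#define PADDING (sizeof(struct demo_entry) - sizeof(uint8_t) - sizeof(uint32_t))

/* Poison the memory, then initialise it by member assignment only. */
static void init_entry(struct demo_entry *e, uint8_t tag, uint32_t id)
{
    volatile struct demo_entry *v = e; /* keeps each store member-sized */
    memset(e, POISON, sizeof(*e));
    v->tag = tag;
    v->id = id;
}

static size_t count_poison(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        n += (buf[i] == POISON);
    return n;
}

/* Blanket copy: the wire image is the memory image, padding included. */
size_t leaked_by_memcpy(void)
{
    unsigned char wire[sizeof(struct demo_entry)];
    struct demo_entry e;
    init_entry(&e, 1, 1000);
    memcpy(wire, &e, sizeof(e));
    return count_poison(wire, sizeof(wire));
}

/* One big-endian 32-bit word per member, the way XDR lays out integers. */
static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Element by element: only member values are read, padding never is. */
size_t leaked_by_fields(void)
{
    unsigned char wire[8];
    struct demo_entry e;
    init_entry(&e, 1, 1000);
    put_be32(wire, e.tag);
    put_be32(wire + 4, e.id);
    return count_poison(wire, sizeof(wire));
}

int main(void)
{
    printf("padding=%zu memcpy=%zu fields=%zu\n", (size_t)PADDING,
           leaked_by_memcpy(), leaked_by_fields());
    return 0;
}
```
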

2011-02-04 00:37:29

by Milton Miller

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode

On Thu, 3 Feb 2011 about 20:41:05 +0100 (CET), Jesper Juhl wrote:
> On Thu, 3 Feb 2011, Trond Myklebust wrote:
> > On Thu, 2011-02-03 at 20:15 +0100, Jesper Juhl wrote:
> > > We want to give memset() the sizeof(struct posix_acl), not
> > > sizeof(struct posix_acl *).
> > >
> > > Signed-off-by: Jesper Juhl <[email protected]>
> > > ---
> > > nfsacl.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
> > > index 84c27d6..bc6d81b 100644
> > > --- a/fs/nfs_common/nfsacl.c
> > > +++ b/fs/nfs_common/nfsacl.c
> > > @@ -117,7 +117,7 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
> > > * invoked in contexts where a memory allocation failure is
> > > * fatal. Fortunately this fake ACL is small enough to
> > > * construct on the stack. */
> > > - memset(acl2, 0, sizeof(acl2));
> > > + memset(acl2, 0, sizeof(*acl2));
> > > posix_acl_init(acl2, 4);
> > >
> > > /* Insert entries in canonical order: other orders seem
> >
> > Ccing Milton Miller who also sent in the same patch.
> >
> > Neither patch is correct afaics. posix_acl_init() will clobber the above
> > memset, and so the correct fix is just to get rid of it...
> >
>
> posix_acl_init() sets a_refcount and a_count, but what about a_entries ...
> no problem, nfsacl_encode() itself takes care of that post the
> posix_acl_init() call.. it's all good.
>
> So ...
>
>
> Remove pointless memset() in nfsacl_encode().
>

It would be nice to point out that the memset was just added and of
an incorrect size.

> Thanks to Trond Myklebust <[email protected]> for pointing out
> that it is not needed since posix_acl_init() will set everything
> regardless..
>

But I ack the patch since I even pointed out this alternative in my
changelog. I guess that could be Reported-by.

http://lkml.indiana.edu/hypermail/linux/kernel/1102.0/00665.html

> Signed-off-by: Jesper Juhl <[email protected]>
> ---
> nfsacl.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/fs/nfs_common/nfsacl.c b/fs/nfs_common/nfsacl.c
> index 84c27d6..ec0f277 100644
> --- a/fs/nfs_common/nfsacl.c
> +++ b/fs/nfs_common/nfsacl.c
> @@ -117,7 +117,6 @@ int nfsacl_encode(struct xdr_buf *buf, unsigned int base, struct inode *inode,
> * invoked in contexts where a memory allocation failure is
> * fatal. Fortunately this fake ACL is small enough to
> * construct on the stack. */
> - memset(acl2, 0, sizeof(acl2));
> posix_acl_init(acl2, 4);
>
> /* Insert entries in canonical order: other orders seem
>
>

2011-02-23 22:27:27

by Jesper Juhl

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode

On Thu, 3 Feb 2011, Trond Myklebust wrote:

> On Thu, 2011-02-03 at 15:29 -0500, Chuck Lever wrote:
> > Sorry, I wasn't clear. IMO, data that is destined for the network is an important case where we have to be careful about the rule of using either assignments or memset(), not both, when initializing a data structure.
> >
> > If the compiler doesn't pack the fields in struct posix_acl, there is unused space between them. Memory for acl2 comes from the stack, which contains arbitrary data when this function is invoked. The areas between the structure fields are not affected by the variable assignments used here. If the data in acl2 is then simply memcpy'd to the XDR buffer, that old stack data can possibly appear on the wire.
> >
> > I agree that the current memset() is incorrect. My conditional ACK was more about what happens in xdr_encode_array2() rather than how the posix_acl acl2 is initialized. I think in that regard we are also safe, if the array encoding operates by data type rather than by simply doing a blanket memcpy. See xdr_nfsace_encode(). It's always possible I misunderstood how ACEs are XDR encoded.
>
> We shouldn't ever be memcopying entire structures directly to or from
> the XDR buffer, and as far as I know, the current code will always copy
> them element by element.
>
Ok. So, could we merge the patch that kills the memcpy() ?

--
Jesper Juhl <[email protected]> http://www.chaosbits.net/
Plain text mails only, please.
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html

2011-02-23 22:28:12

by Jesper Juhl

Subject: Re: [PATCH] Fix size argument to memset call in nfsacl_encode

On Wed, 23 Feb 2011, Jesper Juhl wrote:

> On Thu, 3 Feb 2011, Trond Myklebust wrote:
>
> > On Thu, 2011-02-03 at 15:29 -0500, Chuck Lever wrote:
> > > Sorry, I wasn't clear. IMO, data that is destined for the network is an important case where we have to be careful about the rule of using either assignments or memset(), not both, when initializing a data structure.
> > >
> > > If the compiler doesn't pack the fields in struct posix_acl, there is unused space between them. Memory for acl2 comes from the stack, which contains arbitrary data when this function is invoked. The areas between the structure fields are not affected by the variable assignments used here. If the data in acl2 is then simply memcpy'd to the XDR buffer, that old stack data can possibly appear on the wire.
> > >
> > > I agree that the current memset() is incorrect. My conditional ACK was more about what happens in xdr_encode_array2() rather than how the posix_acl acl2 is initialized. I think in that regard we are also safe, if the array encoding operates by data type rather than by simply doing a blanket memcpy. See xdr_nfsace_encode(). It's always possible I misunderstood how ACEs are XDR encoded.
> >
> > We shouldn't ever be memcopying entire structures directly to or from
> > the XDR buffer, and as far as I know, the current code will always copy
> > them element by element.
> >
> Ok. So, could we merge the patch that kills the memcpy() ?
>
I mean memset() of course.

--
Jesper Juhl <[email protected]> http://www.chaosbits.net/
Plain text mails only, please.
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html