Date: Sun, 21 Jun 2015 22:12:14 +0100
From: Al Viro
To: Andrey Ryabinin
Cc: Linus Torvalds, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [git pull] vfs part 2
Message-ID: <20150621211213.GA18732@ZenIV.linux.org.uk>

On Thu, Apr 23, 2015 at 01:16:15PM +0300, Andrey Ryabinin wrote:
> This change caused following:
> This could happen when p9pdu_readf() changes 'count' to some value > iov_iter_count(from):
>
> p9_client_write():
> 	<...>
> 	int count = iov_iter_count(from);
> 	<...>
> 	*err = p9pdu_readf(req->rc, clnt->proto_version, "d", &count);
> 	<...>
> 	iov_iter_advance(from, count);

*blink*

That's a bug, all right, but I would love to see how you trigger it.
It would require server to respond to "write that many bytes" with "OK, bytes written". We certainly need to cope with that (we can't trust the server to be sane), but if that's what is going on, you've got a server bug as well.

Could you check if the patch below triggers WARN_ON() in it on your reproducer? p9_client_read() has a similar issue as well...

diff --git a/net/9p/client.c b/net/9p/client.c index 6f4c4c8..f99bce7 100644 --- a/net/9p/client.c +++ b/net/9p/client.c 
@@ -1588,6 +1588,10 @@ p9_client_read(struct p9_fid *fid, u64 offset, struct iov_iter *to, int *err) p9_free_req(clnt, req); break; } + if (count > rsize) { + WARN_ON(1); + count = rsize; + } if (non_zc) { int n = copy_to_iter(dataptr, count, to); @@ -1650,6 +1654,10 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) } p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count); + if (count > rsize) { + WARN_ON(1); + count = rsize; + } p9_free_req(clnt, req); iov_iter_advance(from, count);
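Review bot: In the p9_client_read() hunk, the added `if (count > rsize) { WARN_ON(1); ...` test fires on a value supplied by the server, so a misbehaving server can produce a backtrace on every read for as long as the mount is in use. That is fine for checking the reproducer, but for a version meant to be merged, fold the condition into the macro and limit it to one report, e.g. `if (WARN_ON_ONCE(count > rsize)) count = rsize;`, or log through p9_debug() instead. Clamping also lets the call carry on as if the reply were valid; it is worth stating in the changelog whether continuing with `count = rsize` or failing the request through `*err` is the intended handling of a protocol violation.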
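Review bot: In the p9_client_write() hunk, the new check bounds count only from above, while count is a signed int (it is printed with `%d` on the context line just above, and the quoted snippet declares `int count`). If rsize is signed as well, a reply value that lands negative in count passes `count > rsize` and still reaches `iov_iter_advance(from, count)`, which is the same over-advance the check is meant to stop. Suggest rejecting `count < 0` in the same test, or doing the comparison on unsigned values, before the advance.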