From: Al Viro <viro@ZenIV.linux.org.uk>
To: Mike Marshall <hubcap@omnibond.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Stephen Rothwell <sfr@canb.auug.org.au>
Subject: Re: Orangefs ABI documentation
Date: Wed, 10 Feb 2016 16:44:36 +0000 [thread overview]
Message-ID: <20160210164435.GA4950@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20160209231328.GK17997@ZenIV.linux.org.uk>
On Tue, Feb 09, 2016 at 11:13:28PM +0000, Al Viro wrote:
> On Tue, Feb 09, 2016 at 10:40:50PM +0000, Al Viro wrote:
>
> > And the version in orangefs-2.9.3.tar.gz (your Frankenstein module?) is
> > vulnerable to the same race. 2.8.1 isn't - it ignores signals on the
> > cancel, but that means waiting for cancel to be processed (or timed out)
> > on any interrupted read() before we return to userland. We can return
> > to that behaviour, of course, but I suspect that offloading it to something
> > async (along with freeing the slot used by original operation) would be
> > better from QoI point of view.
>
> That breakage had been introduced between 2.8.5 and 2.8.6 (at some point
> during the spring of 2012). AFAICS, all versions starting with 2.8.6 are
> vulnerable...
BTW, what about kill -9 delivered to readdir in progress? There's no
cancel for those (and AFAICS the daemon will reject cancel on anything
other than FILE_IO), so what's to stop another thread from picking the
same readdir slot and getting (daemon-side) two of them spewing into
the same area of shared memory? Is it simply that daemon-side the shared
memory on readdir is touched only upon request completion in completely
serialized process_vfs_requests()? That doesn't seem to be enough -
suppose the second readdir request completes (daemon-side) first, its results
get packed into shared memory slot and it is reported to kernel, which
proceeds to repack and copy that data to userland. In the meanwhile,
daemon completes the _earlier_ readdir and proceeds to pack its results into
the same slot of shared memory. Sure, the kernel won't take that (the
op with the matching tag has been gone already), but the data is stored
into shared memory *before* writev() on the control device that would pass
the response to the kernel, so it still gets overwritten. Right under
decoding readdir()...
Or is there something in the daemon that would guarantee readdir responses
to happen in the same order in which it had picked the requests? I'm not
familiar enough with that beast (and overall control flow in there is, er,
not the most transparent one I've seen), so I might be missing something,
but I don't see anything obvious that would guarantee such ordering.
Please, clarify.
next prev parent reply other threads:[~2016-02-10 16:44 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-15 21:46 Orangefs ABI documentation Mike Marshall
2016-01-22 7:11 ` Al Viro
2016-01-22 11:09 ` Mike Marshall
2016-01-22 16:59 ` Mike Marshall
2016-01-22 17:08 ` Al Viro
2016-01-22 17:40 ` Mike Marshall
2016-01-22 17:43 ` Al Viro
2016-01-22 18:17 ` Mike Marshall
2016-01-22 18:37 ` Al Viro
2016-01-22 19:07 ` Mike Marshall
2016-01-22 19:21 ` Mike Marshall
2016-01-22 20:04 ` Al Viro
2016-01-22 20:30 ` Mike Marshall
2016-01-23 0:12 ` Al Viro
2016-01-23 1:28 ` Al Viro
2016-01-23 2:54 ` Mike Marshall
2016-01-23 19:10 ` Al Viro
2016-01-23 19:24 ` Mike Marshall
2016-01-23 21:35 ` Mike Marshall
2016-01-23 22:05 ` Al Viro
2016-01-23 21:40 ` Al Viro
2016-01-23 22:36 ` Mike Marshall
2016-01-24 0:16 ` Al Viro
2016-01-24 4:05 ` Al Viro
2016-01-24 22:12 ` Mike Marshall
2016-01-30 17:22 ` Al Viro
2016-01-26 19:52 ` Martin Brandenburg
2016-01-30 17:34 ` Al Viro
2016-01-30 18:27 ` Al Viro
2016-02-04 23:30 ` Mike Marshall
2016-02-06 19:42 ` Al Viro
2016-02-07 1:38 ` Al Viro
2016-02-07 3:53 ` Al Viro
2016-02-07 20:01 ` [RFC] bufmap-related wait logics (Re: Orangefs ABI documentation) Al Viro
2016-02-08 22:26 ` Orangefs ABI documentation Mike Marshall
2016-02-08 23:35 ` Al Viro
2016-02-09 3:32 ` Al Viro
2016-02-09 14:34 ` Mike Marshall
2016-02-09 17:40 ` Al Viro
2016-02-09 21:06 ` Al Viro
2016-02-09 22:25 ` Mike Marshall
2016-02-11 23:36 ` Mike Marshall
2016-02-09 22:02 ` Mike Marshall
2016-02-09 22:16 ` Al Viro
2016-02-09 22:40 ` Al Viro
2016-02-09 23:13 ` Al Viro
2016-02-10 16:44 ` Al Viro [this message]
2016-02-10 21:26 ` Al Viro
2016-02-11 23:54 ` Mike Marshall
2016-02-12 0:55 ` Al Viro
2016-02-12 12:13 ` Mike Marshall
2016-02-11 0:44 ` Al Viro
2016-02-11 3:22 ` Mike Marshall
2016-02-12 4:27 ` Al Viro
2016-02-12 12:26 ` Mike Marshall
2016-02-12 18:00 ` Martin Brandenburg
2016-02-13 17:18 ` Mike Marshall
2016-02-13 17:47 ` Al Viro
2016-02-14 2:56 ` Al Viro
2016-02-14 3:46 ` [RFC] slot allocator - waitqueue use review needed (Re: Orangefs ABI documentation) Al Viro
2016-02-14 4:06 ` Al Viro
2016-02-16 2:12 ` Al Viro
2016-02-16 19:28 ` Al Viro
2016-02-14 22:31 ` Orangefs ABI documentation Mike Marshall
2016-02-14 23:43 ` Al Viro
2016-02-15 17:46 ` Mike Marshall
2016-02-15 18:45 ` Al Viro
2016-02-15 22:32 ` Martin Brandenburg
2016-02-15 23:04 ` Al Viro
2016-02-16 23:15 ` Mike Marshall
2016-02-16 23:36 ` Al Viro
2016-02-16 23:54 ` Al Viro
2016-02-17 19:24 ` Mike Marshall
2016-02-17 20:11 ` Al Viro
2016-02-17 21:17 ` Al Viro
2016-02-17 22:24 ` Mike Marshall
2016-02-17 22:40 ` Martin Brandenburg
2016-02-17 23:09 ` Al Viro
2016-02-17 23:15 ` Al Viro
2016-02-18 0:04 ` Al Viro
2016-02-18 11:11 ` Al Viro
2016-02-18 18:58 ` Mike Marshall
2016-02-18 19:20 ` Al Viro
2016-02-18 19:49 ` Martin Brandenburg
2016-02-18 20:08 ` Mike Marshall
2016-02-18 20:22 ` Mike Marshall
2016-02-18 20:38 ` Mike Marshall
2016-02-18 20:52 ` Al Viro
2016-02-18 21:50 ` Mike Marshall
2016-02-19 0:25 ` Al Viro
2016-02-19 22:11 ` Mike Marshall
2016-02-19 22:22 ` Al Viro
2016-02-20 12:14 ` Mike Marshall
2016-02-20 13:36 ` Al Viro
2016-02-22 16:20 ` Mike Marshall
2016-02-22 21:22 ` Mike Marshall
2016-02-23 21:58 ` Mike Marshall
2016-02-26 20:21 ` Mike Marshall
2016-02-19 22:32 ` Al Viro
2016-02-19 22:45 ` Martin Brandenburg
2016-02-19 22:50 ` Martin Brandenburg
2016-02-18 20:49 ` Al Viro
2016-02-15 22:47 ` Mike Marshall
2016-01-23 22:46 ` write() semantics (Re: Orangefs ABI documentation) Al Viro
2016-01-23 23:35 ` Linus Torvalds
2016-03-03 22:25 ` Mike Marshall
2016-03-04 20:55 ` Mike Marshall
2016-01-22 20:51 ` Orangefs ABI documentation Mike Marshall
2016-01-22 23:53 ` Mike Marshall
2016-01-22 19:54 ` Al Viro
2016-01-22 19:50 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160210164435.GA4950@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=hubcap@omnibond.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.