From: Al Viro <viro@ZenIV.linux.org.uk>
To: Mike Marshall <hubcap@omnibond.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Stephen Rothwell <sfr@canb.auug.org.au>
Subject: Re: Orangefs ABI documentation
Date: Wed, 10 Feb 2016 21:26:03 +0000 [thread overview]
Message-ID: <20160210212603.GL17997@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20160210164435.GA4950@ZenIV.linux.org.uk>
On Wed, Feb 10, 2016 at 04:44:36PM +0000, Al Viro wrote:
> > That breakage had been introduced between 2.8.5 and 2.8.6 (at some point
> > during the spring of 2012). AFAICS, all versions starting with 2.8.6 are
> > vulnerable...
>
> BTW, what about kill -9 delivered to readdir in progress? There's no
> cancel for those (and AFAICS the daemon will reject cancel on anything
> other than FILE_IO), so what's to stop another thread from picking the
> same readdir slot and getting (daemon-side) two of them spewing into
> the same area of shared memory? Is it simply that daemon-side the shared
> memory on readdir is touched only upon request completion in completely
> serialized process_vfs_requests()? That doesn't seem to be enough -
> suppose the second readdir request completes (daemon-side) first, its results
> get packed into shared memory slot and it is reported to kernel, which
> proceeds to repack and copy that data to userland. In the meanwhile,
> daemon completes the _earlier_ readdir and proceeds to pack its results into
> the same slot of shared memory. Sure, the kernel won't take that (the
> op with the matching tag has been gone already), but the data is stored
> into shared memory *before* writev() on the control device that would pass
> the response to the kernel, so it still gets overwritten. Right under
> decoding readdir()...
>
> Or is there something in the daemon that would guarantee readdir responses
> to happen in the same order in which it had picked the requests? I'm not
> familiar enough with that beast (and overall control flow in there is, er,
> not the most transparent one I've seen), so I might be missing something,
> but I don't see anything obvious that would guarantee such ordering.
>
> Please, clarify.
Two more questions:
* why do we need cancel to be held back while we are going through
ORANGEFS_DEV_REMOUNT_ALL? IOW, why do we need to take request_mutex for
them?
* your ->kill_sb() starts with telling daemon that fs is gone,
then proceeds to evict dentries/inodes. Sure, you don't have page cache
(or that would've been instantly fatal - dirty pages would need to be
written out, for one thing), but why do it in this order? IOW, why not
_start_ with kill_anon_super(), then do the rest of the work?
next prev parent reply other threads:[~2016-02-10 21:26 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-15 21:46 Orangefs ABI documentation Mike Marshall
2016-01-22 7:11 ` Al Viro
2016-01-22 11:09 ` Mike Marshall
2016-01-22 16:59 ` Mike Marshall
2016-01-22 17:08 ` Al Viro
2016-01-22 17:40 ` Mike Marshall
2016-01-22 17:43 ` Al Viro
2016-01-22 18:17 ` Mike Marshall
2016-01-22 18:37 ` Al Viro
2016-01-22 19:07 ` Mike Marshall
2016-01-22 19:21 ` Mike Marshall
2016-01-22 20:04 ` Al Viro
2016-01-22 20:30 ` Mike Marshall
2016-01-23 0:12 ` Al Viro
2016-01-23 1:28 ` Al Viro
2016-01-23 2:54 ` Mike Marshall
2016-01-23 19:10 ` Al Viro
2016-01-23 19:24 ` Mike Marshall
2016-01-23 21:35 ` Mike Marshall
2016-01-23 22:05 ` Al Viro
2016-01-23 21:40 ` Al Viro
2016-01-23 22:36 ` Mike Marshall
2016-01-24 0:16 ` Al Viro
2016-01-24 4:05 ` Al Viro
2016-01-24 22:12 ` Mike Marshall
2016-01-30 17:22 ` Al Viro
2016-01-26 19:52 ` Martin Brandenburg
2016-01-30 17:34 ` Al Viro
2016-01-30 18:27 ` Al Viro
2016-02-04 23:30 ` Mike Marshall
2016-02-06 19:42 ` Al Viro
2016-02-07 1:38 ` Al Viro
2016-02-07 3:53 ` Al Viro
2016-02-07 20:01 ` [RFC] bufmap-related wait logics (Re: Orangefs ABI documentation) Al Viro
2016-02-08 22:26 ` Orangefs ABI documentation Mike Marshall
2016-02-08 23:35 ` Al Viro
2016-02-09 3:32 ` Al Viro
2016-02-09 14:34 ` Mike Marshall
2016-02-09 17:40 ` Al Viro
2016-02-09 21:06 ` Al Viro
2016-02-09 22:25 ` Mike Marshall
2016-02-11 23:36 ` Mike Marshall
2016-02-09 22:02 ` Mike Marshall
2016-02-09 22:16 ` Al Viro
2016-02-09 22:40 ` Al Viro
2016-02-09 23:13 ` Al Viro
2016-02-10 16:44 ` Al Viro
2016-02-10 21:26 ` Al Viro [this message]
2016-02-11 23:54 ` Mike Marshall
2016-02-12 0:55 ` Al Viro
2016-02-12 12:13 ` Mike Marshall
2016-02-11 0:44 ` Al Viro
2016-02-11 3:22 ` Mike Marshall
2016-02-12 4:27 ` Al Viro
2016-02-12 12:26 ` Mike Marshall
2016-02-12 18:00 ` Martin Brandenburg
2016-02-13 17:18 ` Mike Marshall
2016-02-13 17:47 ` Al Viro
2016-02-14 2:56 ` Al Viro
2016-02-14 3:46 ` [RFC] slot allocator - waitqueue use review needed (Re: Orangefs ABI documentation) Al Viro
2016-02-14 4:06 ` Al Viro
2016-02-16 2:12 ` Al Viro
2016-02-16 19:28 ` Al Viro
2016-02-14 22:31 ` Orangefs ABI documentation Mike Marshall
2016-02-14 23:43 ` Al Viro
2016-02-15 17:46 ` Mike Marshall
2016-02-15 18:45 ` Al Viro
2016-02-15 22:32 ` Martin Brandenburg
2016-02-15 23:04 ` Al Viro
2016-02-16 23:15 ` Mike Marshall
2016-02-16 23:36 ` Al Viro
2016-02-16 23:54 ` Al Viro
2016-02-17 19:24 ` Mike Marshall
2016-02-17 20:11 ` Al Viro
2016-02-17 21:17 ` Al Viro
2016-02-17 22:24 ` Mike Marshall
2016-02-17 22:40 ` Martin Brandenburg
2016-02-17 23:09 ` Al Viro
2016-02-17 23:15 ` Al Viro
2016-02-18 0:04 ` Al Viro
2016-02-18 11:11 ` Al Viro
2016-02-18 18:58 ` Mike Marshall
2016-02-18 19:20 ` Al Viro
2016-02-18 19:49 ` Martin Brandenburg
2016-02-18 20:08 ` Mike Marshall
2016-02-18 20:22 ` Mike Marshall
2016-02-18 20:38 ` Mike Marshall
2016-02-18 20:52 ` Al Viro
2016-02-18 21:50 ` Mike Marshall
2016-02-19 0:25 ` Al Viro
2016-02-19 22:11 ` Mike Marshall
2016-02-19 22:22 ` Al Viro
2016-02-20 12:14 ` Mike Marshall
2016-02-20 13:36 ` Al Viro
2016-02-22 16:20 ` Mike Marshall
2016-02-22 21:22 ` Mike Marshall
2016-02-23 21:58 ` Mike Marshall
2016-02-26 20:21 ` Mike Marshall
2016-02-19 22:32 ` Al Viro
2016-02-19 22:45 ` Martin Brandenburg
2016-02-19 22:50 ` Martin Brandenburg
2016-02-18 20:49 ` Al Viro
2016-02-15 22:47 ` Mike Marshall
2016-01-23 22:46 ` write() semantics (Re: Orangefs ABI documentation) Al Viro
2016-01-23 23:35 ` Linus Torvalds
2016-03-03 22:25 ` Mike Marshall
2016-03-04 20:55 ` Mike Marshall
2016-01-22 20:51 ` Orangefs ABI documentation Mike Marshall
2016-01-22 23:53 ` Mike Marshall
2016-01-22 19:54 ` Al Viro
2016-01-22 19:50 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160210212603.GL17997@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=hubcap@omnibond.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.