authorZhang Le <r0bertz@gentoo.org>2009-03-16 02:44:31 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-03-16 10:51:33 -0400
commitee6f779b9e0851e2f7da292a9f58e0095edf615a (patch)
tree71aa57da0fea292c50b12d9ef73373fcd940162e
parent5bee17f18b595937e6beafeee5197868a3f74a06 (diff)
filp->f_pos not correctly updated in proc_task_readdir
filp->f_pos only gets updated at the end of the function. Thus d_off of those dirents which are in the middle will be 0, and this will cause a problem in glibc's readdir implementation, specifically an endless loop. Because when overflow occurs, f_pos will be set to the next dirent to read; however it will be 0, unless the next one is the last one. So it will start over again and again. There is a sample program in man 2 getdents. This is the output of the program running on a multithreaded program's task dir before this patch is applied: $ ./a.out /proc/3807/task --------------- nread=128 --------------- i-node# file type d_reclen d_off d_name 506442 directory 16 1 . 506441 directory 16 0 .. 506443 directory 16 0 3807 506444 directory 16 0 3809 506445 directory 16 0 3812 506446 directory 16 0 3861 506447 directory 16 0 3862 506448 directory 16 8 3863 This is the output after this patch is applied: $ ./a.out /proc/3807/task --------------- nread=128 --------------- i-node# file type d_reclen d_off d_name 506442 directory 16 1 . 506441 directory 16 2 .. 506443 directory 16 3 3807 506444 directory 16 4 3809 506445 directory 16 5 3812 506446 directory 16 6 3861 506447 directory 16 7 3862 506448 directory 16 8 3863 Signed-off-by: Zhang Le <r0bertz@gentoo.org> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--fs/proc/base.c16
1 files changed, 7 insertions, 9 deletions
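diff --git a/fs/proc/base.c b/fs/proc/base.c
index 0c9de19a1633..cc6ea2329e71 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -3066,7 +3066,6 @@ static int proc_task_readdir(struct file * filp, void * dirent, filldir_t filldi
 	int retval = -ENOENT;
 	ino_t ino;
 	int tid;
-	unsigned long pos = filp->f_pos; /* avoiding "long long" filp->f_pos */
 	struct pid_namespace *ns;
 
 	task = get_proc_task(inode);
@@ -3083,18 +3082,18 @@ static int proc_task_readdir(struct file * filp, void * dirent, filldir_t filldi
 		goto out_no_task;
 	retval = 0;
 
-	switch (pos) {
+	switch (filp->f_pos) {
 	case 0:
 		ino = inode->i_ino;
-		if (filldir(dirent, ".", 1, pos, ino, DT_DIR) < 0)
+		if (filldir(dirent, ".", 1, filp->f_pos, ino, DT_DIR) < 0)
 			goto out;
-		pos++;
+		filp->f_pos++;
 		/* fall through */
 	case 1:
 		ino = parent_ino(dentry);
-		if (filldir(dirent, "..", 2, pos, ino, DT_DIR) < 0)
+		if (filldir(dirent, "..", 2, filp->f_pos, ino, DT_DIR) < 0)
 			goto out;
-		pos++;
+		filp->f_pos++;
 		/* fall through */
 	}
 
@@ -3104,9 +3103,9 @@ static int proc_task_readdir(struct file * filp, void * dirent, filldir_t filldi
 	ns = filp->f_dentry->d_sb->s_fs_info;
 	tid = (int)filp->f_version;
 	filp->f_version = 0;
-	for (task = first_tid(leader, tid, pos - 2, ns);
+	for (task = first_tid(leader, tid, filp->f_pos - 2, ns);
 	     task;
-	     task = next_tid(task), pos++) {
+	     task = next_tid(task), filp->f_pos++) {
 		tid = task_pid_nr_ns(task, ns);
 		if (proc_task_fill_cache(filp, dirent, filldir, task, tid) < 0) {
 			/* returning this tgid failed, save it as the first
@@ -3117,7 +3116,6 @@ static int proc_task_readdir(struct file * filp, void * dirent, filldir_t filldi
 		}
 	}
 out:
-	filp->f_pos = pos;
 	put_task_struct(leader);
 out_no_task:
 	return retval;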
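Review bot: The call `first_tid(leader, tid, filp->f_pos - 2, ns)` in the third hunk now passes a `loff_t` difference where the removed `unsigned long pos` was passed before, and the removed line's comment shows the local existed precisely to keep `long long` arithmetic out of this path; if first_tid's index parameter is narrower than `loff_t` (it appears to be, but its prototype is outside this hunk), a directory offset set by the caller via lseek beyond that type's range is silently truncated before it selects a thread. That truncation is not new with this commit, but since `filp->f_pos` is now used directly it is worth pinning down with a comment such as `/* f_pos is loff_t and caller-controlled via lseek; first_tid() takes a narrower index, so out-of-range offsets are truncated here */` and, if the narrowing is confirmed, a range check before the call. The literal `2` in `filp->f_pos - 2` and the two `filp->f_pos++` steps in the switch encode the "." and ".." entries; a named constant for that count would make the pairing between the switch and the loop explicit. The enclosing function proc_task_readdir starts before the first hunk and its loop body continues outside the third hunk.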