On Sun, Dec 18, 2016 at 04:06:06AM +0000, Al Viro wrote: > On Sat, Dec 17, 2016 at 07:34:45PM -0800, Linus Torvalds wrote: > > > What else am I missing there? > > > > I absolutely *abhor* this part: > > > > *len = isize - pos_in; > > > > because the whole code then depends on the overflow checking a few > > lines down, and it's not at all obvious. We have not tested that > > "pos_in" is smaller than "isize", even though the comment above the > > "isize == 0" test inplies we did some kind of "past the end check" (we > > did not). > > > > The whole "depend on overflow checking" being nasty is particularly > > true when that checking itself is damn subtle, and depends deeply on > > the type of "*len" being unsigned and larger than "loff_t". Which in > > turn is true, but it's all really nasty, and it's subtle. "loff_t" is > > "long long", while "*len" is u64, and it's almost just luck that the > > comparison does in fact end up unsigned. > > I agree, but that one is a straight move - exact same thing is there in > xfs_reflink.c counterpart in the current mainline.
Ok, fair enough. I thought it was ok but then I've spent so much time staring at the reflink code it's good to have a fresh set of eyes. :) I'll add a if (pos_in > isize) return -EINVAL there to make it more explicit. > > So I think that code really needs a fair amount of loving. > > Indeed. Darrick, would you add a followup cleaning that up? It can be > done after the move to fs/read_write.c - no need to reorder/rebase that > thing. While we are at it, it might be better to turn the return value > into -E.../0/1, 0 being "no error, but nothing to do" and 1 - the normal > success case. That would get rid of using *len = 0 as signalling mechanism - > the caller would simply do > ret = vfs_..._inodes(.....); > if (ret <= 0) > goto out_unlock; > /* returned positive, we have work to do */ Sounds good. I'll post a cleanup patch once it goes through the xfstests wringer. --D
