2016-07-26 01:56:34

by Seiichi Ikarashi

[permalink] [raw]
Subject: [PATCH] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun

If over-"RPCSVC_MAXPAGES" pages are sent from file system through pipe_buffer,
nfsd_splice_actor() corrupts struct svc_rqst and results in kernel panic. It
actually occurred with a parallel distributed file system. It needs boundary
checking.

Signed-off-by: Seiichi Ikarashi <[email protected]>

---
fs/nfsd/vfs.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 6fbd81e..d6cb423 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -811,12 +811,20 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
size = sd->len;

if (rqstp->rq_res.page_len == 0) {
+ if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
+ WARN_ON(1);
+ return -ENOMEM
+ }
get_page(page);
put_page(*rqstp->rq_next_page);
*(rqstp->rq_next_page++) = page;
rqstp->rq_res.page_base = buf->offset;
rqstp->rq_res.page_len = size;
} else if (page != pp[-1]) {
+ if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
+ WARN_ON(1);
+ return -ENOMEM
+ }
get_page(page);
if (*rqstp->rq_next_page)
put_page(*rqstp->rq_next_page);



2016-07-26 02:30:28

by kernel test robot

[permalink] [raw]
Subject: Re: [PATCH] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun

Hi,

[auto build test ERROR on nfsd/nfsd-next]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url: https://github.com/0day-ci/linux/commits/Seiichi-Ikarashi/Prevent-rqstp-rq_pages-RPCSVC_MAXPAGES-overrun/20160726-095928
base: git://linux-nfs.org/~bfields/linux.git nfsd-next
config: sparc64-allyesconfig (attached as .config)
compiler: sparc64-linux-gnu-gcc (Debian 5.4.0-6) 5.4.0 20160609
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=sparc64

All errors (new ones prefixed by >>):

fs/nfsd/vfs.c: In function 'nfsd_splice_actor':
>> fs/nfsd/vfs.c:817:3: error: expected ';' before '}' token
}
^
fs/nfsd/vfs.c:827:3: error: expected ';' before '}' token
}
^

vim +817 fs/nfsd/vfs.c

811 size = sd->len;
812
813 if (rqstp->rq_res.page_len == 0) {
814 if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
815 WARN_ON(1);
816 return -ENOMEM
> 817 }
818 get_page(page);
819 put_page(*rqstp->rq_next_page);
820 *(rqstp->rq_next_page++) = page;

---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation

Attachments:
(No filename) (1.41 kB)
 .config.gz (45.38 kB)
 Download all attachments