Return-Path:
Received: from fieldses.org ([173.255.197.46]:41020 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757109AbcGZUTs (ORCPT ); Tue, 26 Jul 2016 16:19:48 -0400
Date: Tue, 26 Jul 2016 16:19:47 -0400
To: Seiichi Ikarashi
Cc: trond.myklebust@primarydata.com, anna.schumaker@netapp.com, linux-nfs@vger.kernel.org
Subject: Re: [PATCH v2] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun
Message-ID: <20160726201947.GA8387@fieldses.org>
References: <28fb2e47-48ce-1af7-3135-15ca9b4e1726@jp.fujitsu.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <28fb2e47-48ce-1af7-3135-15ca9b4e1726@jp.fujitsu.com>
From: bfields@fieldses.org (J. Bruce Fields)
Sender: linux-nfs-owner@vger.kernel.org
List-ID:

Thanks for the report.

On Tue, Jul 26, 2016 at 11:38:11AM +0900, Seiichi Ikarashi wrote:
> If over-"RPCSVC_MAXPAGES" pages are sent from the file system through pipe_buffer,
> nfsd_splice_actor() corrupts struct svc_rqst and results in a kernel panic. It
> actually occurred with a parallel distributed file system. It needs boundary
> checking.

This check might be useful as defensive programming, but the bug was elsewhere. In theory this should be prevented by the "maxcount" calculations in nfsd4_encode_read().

What version of the kernel did you see this happen on? What was the client, and what was it doing? Any other hints on reproducing?

--b.

>
> v2: Fix semicolon-missing bug.
>
> Signed-off-by: Seiichi Ikarashi
>
> ---
> fs/nfsd/vfs.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> index 6fbd81e..43393f3 100644
> --- a/fs/nfsd/vfs.c
> +++ b/fs/nfsd/vfs.c
> @@ -811,12 +811,20 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, struct pipe_buffer *buf, > size = sd->len; > > if (rqstp->rq_res.page_len == 0) { > + if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) { > + WARN_ON(1); > + return -ENOMEM; > + } > get_page(page); > put_page(*rqstp->rq_next_page); > *(rqstp->rq_next_page++) = page; > rqstp->rq_res.page_base = buf->offset; > rqstp->rq_res.page_len = size; > } else if (page != pp[-1]) { > + if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) { > + WARN_ON(1); > + return -ENOMEM; > + } > get_page(page); > if (*rqstp->rq_next_page) > put_page(*rqstp->rq_next_page); > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
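Review bot: WARN_ON(1) in both new checks will dump a full stack trace every time the condition is hit, and the patch description says a file system can drive this path at runtime, so WARN_ON_ONCE(1) is the better choice: the first occurrence is recorded and repeated splices cannot flood the log. The return value is also misleading: -ENOMEM reports memory exhaustion to the caller, but what is being detected is a page-count accounting error (the reply should already have been bounded by the maxcount calculation mentioned in the reply above), so -EIO or -EINVAL would describe the failure more honestly and not be mistaken for a transient out-of-memory condition. Lastly, the identical four-line check is duplicated in the page_len == 0 branch and the page != pp[-1] branch; since it must fire only when a new page is about to be appended, it cannot simply be hoisted above the if, but a small static helper, or computing a single need-new-page flag before the branch and testing the bound once, would keep the two copies from drifting apart.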