References: <165660978413.2453.15153844664543877314.stgit@klimt.1015granger.net>
From: Anna Schumaker
Date: Thu, 30 Jun 2022 14:09:02 -0400
Subject: Re: [PATCH v1] SUNRPC: Fix READ_PLUS crasher
To: Trond Myklebust
Cc: linux-nfs@vger.kernel.org, chuck.lever@oracle.com, bfields@fieldses.org, anna.schumaker@netapp.com, zlang@redhat.com
X-Mailing-List: linux-nfs@vger.kernel.org

On Thu, Jun 30, 2022 at 2:03 PM Trond Myklebust wrote:
>
> On Thu, 2022-06-30 at 13:24 -0400, Chuck Lever wrote:
> > Looks like there are still cases when "space_left - frag1bytes" can
> > legitimately exceed PAGE_SIZE. Ensure that xdr->end always remains
> > within the current encode buffer.
> >
> > Reported-by: Bruce Fields
> > Reported-by: Zorro Lang
> > Link: https://bugzilla.kernel.org/show_bug.cgi?id=216151
> > Fixes: 6c254bf3b637 ("SUNRPC: Fix the calculation of xdr->end in
> > xdr_get_next_encode_buffer()")
> > Signed-off-by: Chuck Lever
> > ---
> >  net/sunrpc/xdr.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Hi-
> >
> > I had a few minutes yesterday afternoon to look into this one. The
> > following one-liner seems to address the issue and passes my smoke
> > tests with NFSv4.1/TCP and NFSv3/RDMA. Any thoughts?
> >
> >
> > diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
> > index f87a2d8f23a7..916659be2774 100644
> > --- a/net/sunrpc/xdr.c
> > +++ b/net/sunrpc/xdr.c
> > @@ -987,7 +987,7 @@ static noinline __be32
> > *xdr_get_next_encode_buffer(struct xdr_stream *xdr,
> > if (space_left - nbytes >= PAGE_SIZE)
> > xdr->end = p + PAGE_SIZE;
> > else
> > - xdr->end = p + space_left - frag1bytes;
> > + xdr->end = p + min_t(int, space_left - frag1bytes,
> > PAGE_SIZE);
>
> Since we know that frag1bytes <= nbytes (that is determined in
> xdr_reserve_space()), isn't this effectively the same thing as changing
> the condition to
>
> if (space_left - frag1bytes >= PAGE_SIZE)
>         xdr->end = p + PAGE_SIZE;
> else
>         xdr->end = p + space_left - frag1bytes;

I added some printk's without this patch, and I'm seeing space_left larger
than PAGE_SIZE and frag1bytes set to 0 in that branch right before the
crash. So the min_t() will choose the PAGE_SIZE option sometimes.

Anna

>
> ?
>
> > xdr->buf->page_len += frag2bytes;
> > xdr->buf->len += nbytes;
> >
> >
>
> --
> Trond Myklebust
> Linux NFS client maintainer, Hammerspace
> trond.myklebust@hammerspace.com
>
>
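Review bot: with the `+` line clamping the else branch to PAGE_SIZE, the `if (space_left - nbytes >= PAGE_SIZE)` test above it and the new min_t() now overlap: given frag1bytes <= nbytes (as noted in the thread), both branches produce `p + PAGE_SIZE` whenever `space_left - frag1bytes >= PAGE_SIZE`, so the condition no longer expresses why the two cases differ. Either test `space_left - frag1bytes` directly so a single expression decides, or keep the clamp and add a one-line comment above the branch stating that `space_left - frag1bytes` can legitimately exceed PAGE_SIZE (the commit message's point), so the reason for the clamp survives in the code. Also worth confirming that `int`, the type passed to min_t(), matches the declarations of space_left and frag1bytes, which the hunk does not show.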
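The branch argued over in the thread, modelled in C as an added example (not the kernel's code): it evaluates the original line, the posted min_t() clamp, and the alternative condition from the reply over constructed values, including the reported state where space_left is larger than PAGE_SIZE and frag1bytes is 0. Byte offsets from the fresh page pointer p stand in for the pointers, and PAGE_SIZE is assumed to be 4096.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: a model of the xdr->end calculation in
 * xdr_get_next_encode_buffer(), not the kernel's code. Byte offsets from
 * the fresh page pointer p stand in for the pointers; PAGE_SIZE is assumed
 * to be 4096 and every sample value below is constructed. */
#define PAGE_SIZE 4096

enum variant {
    ORIGINAL,      /* else: end = p + space_left - frag1bytes */
    PATCHED_MIN,   /* else: end = p + min_t(int, space_left - frag1bytes, PAGE_SIZE) */
    ALT_CONDITION  /* test space_left - frag1bytes instead of space_left - nbytes */
};

/* Distance in bytes from p to where the variant places xdr->end. */
int end_offset(enum variant v, int space_left, int nbytes, int frag1bytes)
{
    int remaining = space_left - frag1bytes;

    if (v == ALT_CONDITION)
        return remaining >= PAGE_SIZE ? PAGE_SIZE : remaining;
    if (space_left - nbytes >= PAGE_SIZE)
        return PAGE_SIZE;
    if (v == PATCHED_MIN)
        return remaining < PAGE_SIZE ? remaining : PAGE_SIZE;
    return remaining;               /* ORIGINAL: may overshoot the page */
}

/* The invariant the fix is after: end never points past the current page. */
bool end_within_page(enum variant v, int space_left, int nbytes, int frag1bytes)
{
    return end_offset(v, space_left, nbytes, frag1bytes) <= PAGE_SIZE;
}

int main(void)
{
    /* Constructed reproduction of the reported state: space_left > PAGE_SIZE,
     * frag1bytes == 0, and space_left - nbytes < PAGE_SIZE so the else branch runs. */
    int space_left = 5000, nbytes = 1000, frag1bytes = 0;

    printf("original:  end = p + %d (within page: %d)\n",
           end_offset(ORIGINAL, space_left, nbytes, frag1bytes),
           end_within_page(ORIGINAL, space_left, nbytes, frag1bytes));
    printf("min_t fix: end = p + %d\n", end_offset(PATCHED_MIN, space_left, nbytes, frag1bytes));
    printf("alt cond:  end = p + %d\n", end_offset(ALT_CONDITION, space_left, nbytes, frag1bytes));
    return 0;
}
```

On the reported values the original places end 5000 bytes past p, while both the clamp and the alternative condition stop at PAGE_SIZE and agree on every other case tried.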