Subject: [PATCH v3 2/6] SUNRPC: Fix svcxdr_init_encode's buflen calculation
From: Chuck Lever
To: linux-nfs@vger.kernel.org
Date: Thu, 01 Sep 2022 15:09:59 -0400
Message-ID: <166205939934.1435.10147129980334935811.stgit@manet.1015granger.net>

Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries") added an explicit computation of the remaining length in the rq_res XDR buffer.

The computation appears to suffer from an "off-by-one" bug. Because buflen is too large by one page, XDR encoding can run off the end of the send buffer by eventually trying to use the struct page address in rq_page_end, which always contains NULL.

Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper")
Reviewed-by: Jeff Layton
Signed-off-by: Chuck Lever

--- include/linux/sunrpc/svc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h index 5a830b66f059..0ca8a8ffb47e 100644 --- a/include/linux/sunrpc/svc.h +++ b/include/linux/sunrpc/svc.h @@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp) xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack; buf->len = resv->iov_len; xdr->page_ptr = buf->pages - 1; - buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages); + buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages); buf->buflen -= rqstp->rq_auth_slack; xdr->rqst = NULL; }
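
Review bot: The new `buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages);` line has no lower bound, and the next line still subtracts `rqstp->rq_auth_slack` from it. With the `1 +` removed, the product is zero whenever rq_page_end equals buf->pages, so the subtraction would take buflen below zero (or wrap it, depending on the field's type) and the encoder would again be working from a wrong length. If the caller guarantees that rq_page_end is always strictly above buf->pages at this point, a one-line comment above the assignment saying so would help; otherwise a guard before the subtraction would be safer. A comment would also help with the page accounting itself: xdr->end is derived from the head kvec and xdr->page_ptr starts at `buf->pages - 1`, so a reader cannot tell from the hunk alone whether the head page is meant to be counted in buflen, and the commit message only says the old value "appears" to be off by one.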