From:   Chuck Lever III <chuck.lever@oracle.com>
To:     Jeff Layton <jlayton@kernel.org>
CC:     Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
        "dcritch@redhat.com" <dcritch@redhat.com>,
        "d.lesca@solinos.it" <d.lesca@solinos.it>,
        Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH v2 2/2] sunrpc: add bounds checking to
 svc_rqst_replace_page
Thread-Topic: [PATCH v2 2/2] sunrpc: add bounds checking to
 svc_rqst_replace_page
Thread-Index: AQHZWPPHhxprfvZio0CVZD7mRL0pxa7/S8kA
Date:   Fri, 17 Mar 2023 18:32:37 +0000
Message-ID: <D67DF2B8-75E1-4468-B264-139A21F1032F@oracle.com>
References: <20230317171309.73607-1-jlayton@kernel.org>
 <20230317171309.73607-2-jlayton@kernel.org>
In-Reply-To: <20230317171309.73607-2-jlayton@kernel.org>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?LhAvyHBn0DTlqS0HYpChURiuR8ojGYSAPPUt+xtJ37/NsGfF9OFJ/TbTdVy5?=
 =?us-ascii?Q?ERIcNyXrf9T3gxenCv1pJ8ABtzbmFm2cxlXtPxtZuP4I/rCf5VAsdpxj8atL?=
 =?us-ascii?Q?vPHlwZoyB47WStQK+4qDXTukBR48mFFpKgivb3fdAgTwNnFbn2WWRUakvBBU?=
 =?us-ascii?Q?Zc2kWV6hsQvzgD0pZU7R+IeEBbKp24Eu8Qcoo/42izDoJHzE+M57urNSeDPB?=
 =?us-ascii?Q?5a6C8R/tNxVG/MNk82IcXomVAVTqFNGRqcd8XDUjFTPMmaE8TwsjsXaw5s5s?=
 =?us-ascii?Q?D0XLEZS4oQOENhmNwVmJ++9vmITbeMh5Xky5DsePvczyMG2bR5X/uvQiWCK4?=
 =?us-ascii?Q?/VpK52nueSpJj9WJMY8W8Ui4BSYSa3iED0h0YLU6k4sn8VepMgld6sS/lcc8?=
 =?us-ascii?Q?qbtJ4nRKI7PLYbxBh/dqNx9XlNx/ee7W9BuG39gAR9KBqagmRLUDpdudiVC0?=
 =?us-ascii?Q?pvA+jHqMwc1Lch9nLZH8oQpgiqbPgGf6xdYLU0BIo6wWG3Bj87UNj5aTRL9B?=
 =?us-ascii?Q?fQeFCsoMpxtAt4QLFbqAzI82u8avs7vcklr5ZHYtS2R+31beGN800UdYaXG+?=
 =?us-ascii?Q?7Y7bLlRjP8SNSOHMZ2kzTdHcZtRQy+jRgPDJEnl4mekT9r9Zbd4PwPZvCSZZ?=
 =?us-ascii?Q?El5h9CLAQkg3HbRRWfB7BV/TeZqtn+AqRAig2QIq+QLzxwOzZETwHOKxuBJQ?=
 =?us-ascii?Q?AuA1JRWP/DI9JL1BkPk8/L75f24dblASQ4gvnP7PBXY2gDYaljWyVqjpv6AN?=
 =?us-ascii?Q?wo61LDcaRo2kkGQ/eWHRQb9C70EHiFwhJFEEmIuourLbhFQJfM+1hPr7D6Nj?=
 =?us-ascii?Q?zikdx6m2IfJy3hAA75h3hG4RBT0hF05WLMrqXoY535o1YqE/U45GN8iIOkQK?=
 =?us-ascii?Q?L7XYxx2rIZzxwiAfsREClJjdntwbvUbbGDpPA6TvjjHurlbfUMJf3NSR6H7t?=
 =?us-ascii?Q?vDicWU5M6oih5XIUKJ3HxjKqIwDd4at74G4lLoC3157f3tG5fNouIjRJG6XA?=
 =?us-ascii?Q?givTWyG/0PGf4UBsMlCc2x/IMA2HUVABYXpKDiBuj2yl0fh+zq1iUC9mBFlJ?=
 =?us-ascii?Q?wx1fpwPvg39gYlC1ukHYQMdYRcjDGOqZH7DMClkyI1gehCk5PZ++8CezUbGj?=
 =?us-ascii?Q?l2+DZQL2OFrm+ShAXQiadteFbq1t0gCgksqtbuw2hdmwgvaNXc/cpCuF/pSc?=
 =?us-ascii?Q?gOJbdYVnyCDWY/6z+xoNToVQDkJLVY26S0yIq7m63xDGnN0JcUYG2XZGzcya?=
 =?us-ascii?Q?EcV0LZ52gRfvk72H8us0qjCILncIxfSLe/skzZJKLGT6g2elAdsB8Ga0Ty1E?=
 =?us-ascii?Q?ReK2RBslUgxc0QOsGUIY/F2RdzyGqnXoTKJVmMk8edvZraB341De/zCo9/o+?=
 =?us-ascii?Q?QfuBA1eOQA7zpa9iFjW+GeHjdoSays+Tl8qa4LFoP5VKSwJCr8b3z98Ax9wo?=
 =?us-ascii?Q?S3JlfOCO8Tf4ue5TAvzWBVUBCq9ZSww3KHbk10fcYxuzMEhq7Da61RJpc+Go?=
 =?us-ascii?Q?e7TiLXeGdpNIIphjN0/qS6MqtYcoxN+Qwh4rL+Lz8wfaVFceJ3390d4DBT8d?=
 =?us-ascii?Q?DSf8tfmBHV7JJyGOijmGpKaJ7A0VMfbIOVv2A82Oybjr8WL7BS5gRJ9BX+nj?=
 =?us-ascii?Q?uQ=3D=3D?=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <4A5BDDD959EB76419E4FE08EC3ECA6D9@namprd10.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: mgg7cTs2kQ1B7OkRQioNpybSegZlnxYX6Ptlr+Uun9tYCa3xACw2HZhVly69bbap3SVzXV+tC5IY++xcOd/kp+sJoApqjuWdUZJBgTPFp29EL4wM9ryHqgEbO5KnuBlmST5So8P9lUMfxQMuhyNDR1tnDAoSQJd+8X+4BVcrQhcvAoO9bN8EzgCvhae4EGUIkbZj75QrpVqxDXS0iS0tNhDACg4RjZrn/bpiXNwx8xIzWr+J6xRELCh0fndzGeJFJ6qT6kH6evD1n3ll30yzh+6UrJNVGFzryG0Eox4vBU6zgxOqwO7me7iXh92iw15sL/fcWQL0TO9tAuhxX06oMflX7u1d5d7xw8sr6lVeO3axnL14i3pDbyNhyE/kYB6kYDKckteguGhAslrjfh9Z3Nb07B8zGPNYR+XPqtkWjMgvOxj0gXVCu4LtnZ4A+rqsYWfKKZotZBI/InNZjZMtRwHTdN/pluISKaS4rHwsVIfQwWJsXMK5T6/33iUPCEWvqFius8L/WrXhVdejrxFOp1G2gMwt9Tt45/Csg1jDwf7Wy/mYRcpk5661ECxBdSsHZ0Lo6pHjjxLzRtLzZLsoyrPOCzDtFS392QjkgfqfFKKjaINU2KZ28NgLARnEkyYS0cOPxw6Jf9Bk3dTGF6tnqFLROGm1g2yIEDRthvnMBiR3NUt3HWH5akIZ6QJefCC5FxtLFGcGeWsx1bPTNkdZUZ4ZkySuk9uQrk4r+SRWGOdit4NosHjnkdhk7cVYwo1iPReEnmq8iRHAHuQP4M+5H2WDBO5YyFGx8UPJZ65X6V1SXUrq41hsqEYP997vAZZB4qPSZnfIMQhwCS2BPks5k4c5rE/00edr/owVVE09mMFFYvhCzjxGi6DAjjoEgf107kznG1r0vIIJk6plsmmsGg==
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0PR10MB5128.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3569c223-0f08-4473-2b12-08db2715fbce
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Mar 2023 18:32:37.4821
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: f5O44JjvZVnMCRYLRrL/avN+0r1rmL3gODJFC+kTb73jhSvco2lcCBKZMiaBedDbJfEUENeQ+SzKIEPLRotJWg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR10MB5822
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
 definitions=2023-03-17_14,2023-03-16_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 mlxscore=0 phishscore=0
 suspectscore=0 spamscore=0 malwarescore=0 mlxlogscore=999 bulkscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303150002
 definitions=main-2303170126
X-Proofpoint-ORIG-GUID: 2FXSXBiXKDPBx_58qdmEPI3KQLipdOm5
X-Proofpoint-GUID: 2FXSXBiXKDPBx_58qdmEPI3KQLipdOm5
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org


> On Mar 17, 2023, at 1:13 PM, Jeff Layton <jlayton@kernel.org> wrote:
>=20
> If rq_next_page ends up pointing outside the array, then we can corrupt
> memory when we go to change its value. Ensure that it hasn't strayed
> outside the array, and have svc_rqst_replace_page return -EIO without
> changing anything if it has.
>=20
> Fix up nfsd_splice_actor (the only caller) to handle this case by either
> returning an error or a short splice when this happens.
>=20
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
> fs/nfsd/vfs.c              | 23 +++++++++++++++++------
> include/linux/sunrpc/svc.h |  2 +-
> net/sunrpc/svc.c           | 14 +++++++++++++-
> 3 files changed, 31 insertions(+), 8 deletions(-)
>=20
> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> index 97b38b47c563..0ebd7a65a9f0 100644
> --- a/fs/nfsd/vfs.c
> +++ b/fs/nfsd/vfs.c
> @@ -939,6 +939,7 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, struc=
t pipe_buffer *buf,
> 	struct page *page =3D buf->page;	// may be a compound one
> 	unsigned offset =3D buf->offset;
> 	struct page *last_page;
> +	int ret =3D 0, consumed =3D 0;
>=20
> 	last_page =3D page + (offset + sd->len - 1) / PAGE_SIZE;
> 	for (page +=3D offset / PAGE_SIZE; page <=3D last_page; page++) {
> @@ -946,13 +947,23 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, str=
uct pipe_buffer *buf,
> 		 * Skip page replacement when extending the contents
> 		 * of the current page.
> 		 */
> -		if (page !=3D *(rqstp->rq_next_page - 1))
> -			svc_rqst_replace_page(rqstp, page);
> +		if (page !=3D *(rqstp->rq_next_page - 1)) {
> +			ret =3D svc_rqst_replace_page(rqstp, page);
> +			if (ret)
> +				break;
> +		}
> +		consumed +=3D min_t(int,
> +				  PAGE_SIZE - offset_in_page(offset),
> +				  sd->len - consumed);
> +		offset =3D 0;
> 	}
> -	if (rqstp->rq_res.page_len =3D=3D 0)	// first call
> -		rqstp->rq_res.page_base =3D offset % PAGE_SIZE;
> -	rqstp->rq_res.page_len +=3D sd->len;
> -	return sd->len;
> +	if (consumed) {
> +		if (rqstp->rq_res.page_len =3D=3D 0)	// first call
> +			rqstp->rq_res.page_base =3D offset % PAGE_SIZE;
> +		rqstp->rq_res.page_len +=3D consumed;
> +		return consumed;
> +	}
> +	return ret;
> }
>=20
> static int nfsd_direct_splice_actor(struct pipe_inode_info *pipe,
> diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
> index 877891536c2f..9ea52f143f49 100644
> --- a/include/linux/sunrpc/svc.h
> +++ b/include/linux/sunrpc/svc.h
> @@ -422,7 +422,7 @@ struct svc_serv *svc_create(struct svc_program *, uns=
igned int,
> 			    int (*threadfn)(void *data));
> struct svc_rqst *svc_rqst_alloc(struct svc_serv *serv,
> 					struct svc_pool *pool, int node);
> -void		   svc_rqst_replace_page(struct svc_rqst *rqstp,
> +int		   svc_rqst_replace_page(struct svc_rqst *rqstp,
> 					 struct page *page);
> void		   svc_rqst_free(struct svc_rqst *);
> void		   svc_exit_thread(struct svc_rqst *);
> diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
> index fea7ce8fba14..d624c02f09be 100644
> --- a/net/sunrpc/svc.c
> +++ b/net/sunrpc/svc.c
> @@ -843,8 +843,19 @@ EXPORT_SYMBOL_GPL(svc_set_num_threads);
>  * When replacing a page in rq_pages, batch the release of the
>  * replaced pages to avoid hammering the page allocator.
>  */
> -void svc_rqst_replace_page(struct svc_rqst *rqstp, struct page *page)
> +int svc_rqst_replace_page(struct svc_rqst *rqstp, struct page *page)
> {
> +	struct page **begin, **end;
> +
> +	/*
> +	 * Bounds check: make sure rq_next_page points into the rq_respages
> +	 * part of the array.
> +	 */
> +	begin =3D rqstp->rq_pages;
> +	end =3D &rqstp->rq_pages[RPCSVC_MAXPAGES];

Would it make sense to use rq_page_end here? Just a thought.


> +	if (WARN_ON_ONCE(rqstp->rq_next_page < begin || rqstp->rq_next_page > e=
nd))
> +		return -EIO;
> +
> 	if (*rqstp->rq_next_page) {
> 		if (!pagevec_space(&rqstp->rq_pvec))
> 			__pagevec_release(&rqstp->rq_pvec);
> @@ -853,6 +864,7 @@ void svc_rqst_replace_page(struct svc_rqst *rqstp, st=
ruct page *page)
>=20
> 	get_page(page);
> 	*(rqstp->rq_next_page++) =3D page;
> +	return 0;
> }
> EXPORT_SYMBOL_GPL(svc_rqst_replace_page);
>=20
> --=20
> 2.39.2
>=20

--
Chuck Lever