Message ID | 5496b3fb-b6d1-edd1-13a4-500b776a079c@jp.fujitsu.com (mailing list archive) |
---|---|
State | New, archived |
Hi,

[auto build test ERROR on nfsd/nfsd-next]

[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Seiichi-Ikarashi/Prevent-rqstp-rq_pages-RPCSVC_MAXPAGES-overrun/20160726-095928
base:   git://linux-nfs.org/~bfields/linux.git nfsd-next
config: sparc64-allyesconfig (attached as .config)
compiler: sparc64-linux-gnu-gcc (Debian 5.4.0-6) 5.4.0 20160609
reproduce:
        wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=sparc64

All errors (new ones prefixed by >>):

   fs/nfsd/vfs.c: In function 'nfsd_splice_actor':
>> fs/nfsd/vfs.c:817:3: error: expected ';' before '}' token
      }
      ^
   fs/nfsd/vfs.c:827:3: error: expected ';' before '}' token
      }
      ^

vim +817 fs/nfsd/vfs.c

   811		size = sd->len;
   812
   813		if (rqstp->rq_res.page_len == 0) {
   814			if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
   815				WARN_ON(1);
   816				return -ENOMEM
 > 817			}
   818			get_page(page);
   819			put_page(*rqstp->rq_next_page);
   820			*(rqstp->rq_next_page++) = page;

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 6fbd81e..d6cb423 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -811,12 +811,20 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, struct pipe_buffer *buf, size = sd->len; if (rqstp->rq_res.page_len == 0) { + if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) { + WARN_ON(1); + return -ENOMEM + } get_page(page); put_page(*rqstp->rq_next_page); *(rqstp->rq_next_page++) = page; rqstp->rq_res.page_base = buf->offset; rqstp->rq_res.page_len = size; } else if (page != pp[-1]) { + if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) { + WARN_ON(1); + return -ENOMEM + } get_page(page); if (*rqstp->rq_next_page) put_page(*rqstp->rq_next_page);
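Review bot: `return -ENOMEM` in both added blocks (under `if (rqstp->rq_res.page_len == 0)` and under `else if (page != pp[-1])`) is missing its terminating semicolon, so fs/nfsd/vfs.c does not build; the build report above flags these two places at lines 817 and 827. Add the `;` after each return. Consider also folding the warning into the test, as in `if (WARN_ON_ONCE(rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1])) return -ENOMEM;`, so that a file system which keeps handing over too many pages produces one backtrace rather than one per call. The bounds test is duplicated verbatim in the two branches; a small helper taking `rqstp` would keep the two copies from drifting apart, and a short comment stating that the last usable slot is `rq_pages[RPCSVC_MAXPAGES-1]` would make the choice of `>` over `>=` easier to verify.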
If over-"RPCSVC_MAXPAGES" pages are sent from the file system through pipe_buffer,
nfsd_splice_actor() corrupts struct svc_rqst and results in a kernel panic.
It actually occurred with a parallel distributed file system.
It needs boundary checking.

Signed-off-by: Seiichi Ikarashi <s.ikarashi@jp.fujitsu.com>
---
 fs/nfsd/vfs.c | 8 ++++++++
 1 file changed, 8 insertions(+)