@@ -940,6 +940,9 @@ static unsigned int svc_tcp_restore_pages(struct svc_sock *svsk, struct svc_rqst
return 0;
len = svsk->sk_datalen;
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ WARN_ON_ONCE(npages > RPCSVC_MAXPAGES);
+ if (npages > RPCSVC_MAXPAGES)
+ npages = RPCSVC_MAXPAGES;
for (i = 0; i < npages; i++) {
if (rqstp->rq_pages[i] != NULL)
put_page(rqstp->rq_pages[i]);
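Review bot: Clamping `npages` here leaves `len` and `svsk->sk_datalen` at the oversized value, so the loop is bounded but the recorded length still describes more data than the pages that were walked. svc_tcp_restore_pages returns unsigned int and its tail is outside this hunk; if it returns `len`, the caller would get a length that no longer matches the restored pages. The same mismatch applies to the clamps added in svc_tcp_save_pages and svc_tcp_clear_pages. Since the commit message says it is not known whether sk_datalen can grow this large, it would be stronger to bound the value where sk_datalen is assigned (not shown on this page) and keep these checks as assertions only. If a peer can influence the value, note that a reachable WARN_ON_ONCE escalates to a panic on systems running with panic_on_warn.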
@@ -959,6 +962,9 @@ static void svc_tcp_save_pages(struct svc_sock *svsk, struct svc_rqst *rqstp)
return;
len = svsk->sk_datalen;
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ WARN_ON_ONCE(npages > RPCSVC_MAXPAGES);
+ if (npages > RPCSVC_MAXPAGES)
+ npages = RPCSVC_MAXPAGES;
for (i = 0; i < npages; i++) {
svsk->sk_pages[i] = rqstp->rq_pages[i];
rqstp->rq_pages[i] = NULL;
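Review bot: The added check evaluates the same condition twice; WARN_ON_ONCE() returns the value of its condition, so the three lines can be written as `if (WARN_ON_ONCE(npages > RPCSVC_MAXPAGES))` followed by `npages = RPCSVC_MAXPAGES;`. The identical three lines also appear in svc_tcp_restore_pages and svc_tcp_clear_pages, so a small static helper that derives the bounded page count from `svsk->sk_datalen` would keep the three call sites in step. A short comment naming the array bound being protected would help, since the declarations of `sk_pages` and `rq_pages` are not visible next to these loops.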
@@ -973,6 +979,9 @@ static void svc_tcp_clear_pages(struct svc_sock *svsk)
goto out;
len = svsk->sk_datalen;
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ WARN_ON_ONCE(npages > RPCSVC_MAXPAGES);
+ if (npages > RPCSVC_MAXPAGES)
+ npages = RPCSVC_MAXPAGES;
for (i = 0; i < npages; i++) {
if (svsk->sk_pages[i] == NULL) {
WARN_ON_ONCE(1);
To prevent a page* buffer overrun that breaks svc_rqst, though I do not know whether sk_datalen can actually become so large.

Signed-off-by: Seiichi Ikarashi <s.ikarashi@jp.fujitsu.com>
---
 net/sunrpc/svcsock.c | 9 +++++++++
 1 file changed, 9 insertions(+)