From patchwork Mon Oct 5 03:03:26 2015
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 7324471
From: Chuck Lever
Subject: [PATCH] svcrdma: Fix NFS server crash triggered by 1MB NFS WRITE
To: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org
Date: Sun, 04 Oct 2015 23:03:26 -0400
Message-ID: <20151005025022.5074.89318.stgit@klimt.1015granger.net>

Now that the NFS server advertises a maximum payload size of 1MB
for RPC/RDMA again, it crashes in svc_process_common() when NFS
client sends a 1MB NFS WRITE on an NFS/RDMA mount.

The server has set up a 259 element array of struct page pointers
in rq_pages[] for each incoming request. The last element of the
array is NULL.

When an incoming request has been completely received,
rdma_read_complete() attempts to set the starting page of the
incoming page vector:

  rqstp->rq_arg.pages = &rqstp->rq_pages[head->hdr_count];

and the page to use for the reply:

  rqstp->rq_respages = &rqstp->rq_arg.pages[page_no];

But the value of page_no has already accounted for
head->hdr_count. Thus rq_respages now points past the end of the
incoming pages.

For NFS WRITE operations smaller than the maximum, this is
harmless. But when the NFS WRITE operation is as large as the
server's max payload size, rq_respages now points at the last
entry in rq_pages, which is NULL.

Fixes: cc9a903d915c ('svcrdma: Change maximum server payload . . .')
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=270
Signed-off-by: Chuck Lever
Reviewed-by: Sagi Grimberg
Reviewed-by: Steve Wise
---

This fixes a 4.3-rc regression. Please apply to 4.3-rc when this
patch passes review.

It could also be appropriate for stable kernels which do not have
commit 7e5be28827bf ("svcrdma: advertise the correct max payload"),
though I have not tested them with this patch.

 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c index cb51742..37b4341 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c @@ -531,7 +531,7 @@ static int rdma_read_complete(struct svc_rqst *rqstp, rqstp->rq_arg.page_base = head->arg.page_base; /* rq_respages starts after the last arg page */ - rqstp->rq_respages = &rqstp->rq_arg.pages[page_no]; + rqstp->rq_respages = &rqstp->rq_pages[page_no]; rqstp->rq_next_page = rqstp->rq_respages + 1; /* Rebuild rq_arg head and tail. */
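
Review bot: Nothing in the visible context of this hunk checks page_no against the size of rq_pages[] before the changed line takes &rqstp->rq_pages[page_no] and the next line sets rq_next_page one slot further. The commit message says the array has 259 entries with NULL in the last one and that page_no already includes head->hdr_count, so for a maximum-size WRITE it is worth confirming, or asserting at this point, that page_no stays below the final slot. The comment above the assignment ("rq_respages starts after the last arg page") could also say that page_no is an absolute index into rq_pages[], since mixing the two bases is what the removed line got wrong.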