From patchwork Mon Oct 12 14:53:39 2015
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 7376071
From: Chuck Lever
Subject: [PATCH] svcrdma: Fix NFS server crash triggered by 1MB NFS WRITE
To: bfields@fieldses.org
Cc: linux-nfs@vger.kernel.org, linux-rdma@vger.kernel.org
Date: Mon, 12 Oct 2015 10:53:39 -0400
Message-ID: <20151012145257.3981.13852.stgit@oracle-120.nfsv4bat.org>

Now that the NFS server advertises a maximum payload size of 1MB
for RPC/RDMA again, it crashes in svc_process_common() when an NFS
client sends a 1MB NFS WRITE on an NFS/RDMA mount.

The server has set up a 259 element array of struct page pointers
in rq_pages[] for each incoming request. The last element of the
array is NULL.

When an incoming request has been completely received,
rdma_read_complete() attempts to set the starting page of the
incoming page vector:

  rqstp->rq_arg.pages = &rqstp->rq_pages[head->hdr_count];

and the page to use for the reply:

  rqstp->rq_respages = &rqstp->rq_arg.pages[page_no];

But the value of page_no has already accounted for
head->hdr_count. Thus rq_respages now points past the end of the
incoming pages.

For NFS WRITE operations smaller than the maximum, this is harmless.
But when the NFS WRITE operation is as large as the server's max
payload size, rq_respages now points at the last entry in rq_pages,
which is NULL.

Fixes: cc9a903d915c ('svcrdma: Change maximum server payload . . .')
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=270
Signed-off-by: Chuck Lever
Reviewed-by: Sagi Grimberg
Reviewed-by: Steve Wise
Reviewed-by: Shirley Ma
---

Hi Bruce-

This is a regression in 4.3. Can you send this to Linus?

 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c index cb51742..37b4341 100644 --- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c @@ -531,7 +531,7 @@ static int rdma_read_complete(struct svc_rqst *rqstp, rqstp->rq_arg.page_base = head->arg.page_base; /* rq_respages starts after the last arg page */ - rqstp->rq_respages = &rqstp->rq_arg.pages[page_no]; + rqstp->rq_respages = &rqstp->rq_pages[page_no]; rqstp->rq_next_page = rqstp->rq_respages + 1; /* Rebuild rq_arg head and tail. */
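
Review bot: The context comment just above the changed line, "/* rq_respages starts after the last arg page */", still does not say which array page_no is relative to, and that ambiguity is the off-by-hdr_count confusion being fixed here. Consider rewording it to state that page_no is an index into rq_pages[] and already includes head->hdr_count, so nobody reintroduces the rq_arg.pages base later. Separately, the visible lines derive rq_next_page as rq_respages + 1 without any check that page_no stays below the NULL-terminated end of the 259-entry rq_pages[] described in the commit message; if no such check exists earlier in rdma_read_complete(), a bounds assertion before this assignment would turn a recurrence into a diagnosable warning rather than a crash in svc_process_common().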