From patchwork Thu Jun 30 17:24:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 12902037 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4FC1FC433EF for ; Thu, 30 Jun 2022 17:24:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235650AbiF3RY0 (ORCPT ); Thu, 30 Jun 2022 13:24:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235207AbiF3RYZ (ORCPT ); Thu, 30 Jun 2022 13:24:25 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4553434641 for ; Thu, 30 Jun 2022 10:24:24 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E7B52B82CC1 for ; Thu, 30 Jun 2022 17:24:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3F2A1C34115; Thu, 30 Jun 2022 17:24:21 +0000 (UTC) Subject: [PATCH v1] SUNRPC: Fix READ_PLUS crasher From: Chuck Lever To: linux-nfs@vger.kernel.org Cc: anna.schumaker@netapp.com, bfields@fieldses.org, zlang@redhat.com Date: Thu, 30 Jun 2022 13:24:20 -0400 Message-ID: <165660978413.2453.15153844664543877314.stgit@klimt.1015granger.net> User-Agent: StGit/1.5.dev3+g9561319 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org Looks like there are still cases when "space_left - frag1bytes" can legitimately exceed PAGE_SIZE. Ensure that xdr->end always remains within the current encode buffer. Reported-by: Bruce Fields Reported-by: Zorro Lang Link: https://bugzilla.kernel.org/show_bug.cgi?id=216151 Fixes: 6c254bf3b637 ("SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()") Signed-off-by: Chuck Lever --- net/sunrpc/xdr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Hi- I had a few minutes yesterday afternoon to look into this one. The following one-liner seems to address the issue and passes my smoke tests with NFSv4.1/TCP and NFSv3/RDMA. Any thoughts? diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c index f87a2d8f23a7..916659be2774 100644 --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c @@ -987,7 +987,7 @@ static noinline __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr, if (space_left - nbytes >= PAGE_SIZE) xdr->end = p + PAGE_SIZE; else - xdr->end = p + space_left - frag1bytes; + xdr->end = p + min_t(int, space_left - frag1bytes, PAGE_SIZE); xdr->buf->page_len += frag2bytes; xdr->buf->len += nbytes;