From patchwork Wed Jun 26 18:27:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13713270
From: cel@kernel.org To: Greg Kroah-Hartman , Sasha Levin Cc: , , Yunjian Wang Subject: [PATCH 5.10 1/5] SUNRPC: Fix null pointer dereference in svc_rqst_free() Date: Wed, 26 Jun 2024 14:27:41 -0400 Message-ID: <20240626182745.288665-2-cel@kernel.org> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240626182745.288665-1-cel@kernel.org> References: <20240626182745.288665-1-cel@kernel.org> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Yunjian Wang [ Upstream commit b9f83ffaa0c096b4c832a43964fe6bff3acffe10 ] When alloc_pages_node() returns null in svc_rqst_alloc(), the null rq_scratch_page pointer will be dereferenced when calling put_page() in svc_rqst_free(). Fix it by adding a null check. Addresses-Coverity: ("Dereference after null check") Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side") Signed-off-by: Yunjian Wang Signed-off-by: Chuck Lever --- net/sunrpc/svc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index 26d972c54a59..ac7b3a93d992 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c
@@ -845,7 +845,8 @@ void svc_rqst_free(struct svc_rqst *rqstp) { svc_release_buffer(rqstp); - put_page(rqstp->rq_scratch_page); + if (rqstp->rq_scratch_page) + put_page(rqstp->rq_scratch_page); kfree(rqstp->rq_resp); kfree(rqstp->rq_argp); kfree(rqstp->rq_auth_data);
From patchwork Wed Jun 26 18:27:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13713271
From: cel@kernel.org To: Greg Kroah-Hartman , Sasha Levin Cc: , , Chuck Lever Subject: [PATCH 5.10 2/5] SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency() Date: Wed, 26 Jun 2024 14:27:42 -0400 Message-ID: <20240626182745.288665-3-cel@kernel.org> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240626182745.288665-1-cel@kernel.org> References: <20240626182745.288665-1-cel@kernel.org> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Chuck Lever [ Upstream commit 5c11720767f70d34357d00a15ba5a0ad052c40fe ] Some paths through svc_process() leave rqst->rq_procinfo set to NULL, which triggers a crash if tracing happens to be enabled. Fixes: 89ff87494c6e ("SUNRPC: Display RPC procedure names instead of proc numbers") Signed-off-by: Chuck Lever --- include/linux/sunrpc/svc.h | 1 + include/trace/events/sunrpc.h | 8 ++++---- net/sunrpc/svc.c | 15 +++++++++++++++ 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h index 1cf7a7799cc0..8583825c4aea 100644 --- a/include/linux/sunrpc/svc.h +++ b/include/linux/sunrpc/svc.h
@@ -498,6 +498,7 @@ void svc_wake_up(struct svc_serv *); void svc_reserve(struct svc_rqst *rqstp, int space); struct svc_pool * svc_pool_for_cpu(struct svc_serv *serv, int cpu); char * svc_print_addr(struct svc_rqst *, char *, size_t); +const char * svc_proc_name(const struct svc_rqst *rqstp); int svc_encode_result_payload(struct svc_rqst *rqstp, unsigned int offset, unsigned int length); diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h index 56e4a57d2538..5d34deca0f30 100644 --- a/include/trace/events/sunrpc.h +++ b/include/trace/events/sunrpc.h @@ -1578,7 +1578,7 @@ TRACE_EVENT(svc_process, __field(u32, vers) __field(u32, proc) __string(service, name) - __string(procedure, rqst->rq_procinfo->pc_name) + __string(procedure, svc_proc_name(rqst)) __string(addr, rqst->rq_xprt ? rqst->rq_xprt->xpt_remotebuf : "(null)") ), @@ -1588,7 +1588,7 @@ TRACE_EVENT(svc_process, __entry->vers = rqst->rq_vers; __entry->proc = rqst->rq_proc; __assign_str(service, name); - __assign_str(procedure, rqst->rq_procinfo->pc_name); + __assign_str(procedure, svc_proc_name(rqst)); __assign_str(addr, rqst->rq_xprt ? rqst->rq_xprt->xpt_remotebuf : "(null)"); ), @@ -1854,7 +1854,7 @@ TRACE_EVENT(svc_stats_latency, TP_STRUCT__entry( __field(u32, xid) __field(unsigned long, execute) - __string(procedure, rqst->rq_procinfo->pc_name) + __string(procedure, svc_proc_name(rqst)) __string(addr, rqst->rq_xprt->xpt_remotebuf) ), @@ -1862,7 +1862,7 @@ TRACE_EVENT(svc_stats_latency, __entry->xid = be32_to_cpu(rqst->rq_xid); __entry->execute = ktime_to_us(ktime_sub(ktime_get(), rqst->rq_stime)); - __assign_str(procedure, rqst->rq_procinfo->pc_name); + __assign_str(procedure, svc_proc_name(rqst)); __assign_str(addr, rqst->rq_xprt->xpt_remotebuf); ), diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index ac7b3a93d992..f8815ae776e6 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c 
@@ -1612,6 +1612,21 @@ u32 svc_max_payload(const struct svc_rqst *rqstp) } EXPORT_SYMBOL_GPL(svc_max_payload); +/** + * svc_proc_name - Return RPC procedure name in string form + * @rqstp: svc_rqst to operate on + * + * Return value: + * Pointer to a NUL-terminated string + */ +const char *svc_proc_name(const struct svc_rqst *rqstp) +{ + if (rqstp && rqstp->rq_procinfo) + return rqstp->rq_procinfo->pc_name; + return "unknown"; +} + + /** * svc_encode_result_payload - mark a range of bytes as a result payload * @rqstp: svc_rqst to operate on
From patchwork Wed Jun 26 18:27:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13713272
From: cel@kernel.org To: Greg Kroah-Hartman , Sasha Levin Cc: , , Chuck Lever , Jeff Layton Subject: [PATCH 5.10 3/5] SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation Date: Wed, 26 Jun 2024 14:27:43 -0400 Message-ID: <20240626182745.288665-4-cel@kernel.org> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240626182745.288665-1-cel@kernel.org> References: <20240626182745.288665-1-cel@kernel.org> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0
From: Chuck Lever [ Upstream commit 90bfc37b5ab91c1a6165e3e5cfc49bf04571b762 ] Ensure that stream-based argument decoding can't go past the actual end of the receive buffer. xdr_init_decode's calculation of the value of xdr->end over-estimates the end of the buffer because the Linux kernel RPC server code does not remove the size of the RPC header from rqstp->rq_arg before calling the upper layer's dispatcher. The server-side still uses the svc_getnl() macros to decode the RPC call header. These macros reduce the length of the head iov but do not update the total length of the message in the buffer (buf->len). A proper fix for this would be to replace the use of svc_getnl() and friends in the RPC header decoder, but that would be a large and invasive change that would be difficult to backport. Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- include/linux/sunrpc/svc.h | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h index 8583825c4aea..f0e09427070c 100644 --- a/include/linux/sunrpc/svc.h +++ b/include/linux/sunrpc/svc.h 
@@ -536,16 +536,27 @@ static inline void svc_reserve_auth(struct svc_rqst *rqstp, int space) } /** - * svcxdr_init_decode - Prepare an xdr_stream for svc Call decoding + * svcxdr_init_decode - Prepare an xdr_stream for Call decoding * @rqstp: controlling server RPC transaction context * + * This function currently assumes the RPC header in rq_arg has + * already been decoded. Upon return, xdr->p points to the + * location of the upper layer header. */ static inline void svcxdr_init_decode(struct svc_rqst *rqstp) { struct xdr_stream *xdr = &rqstp->rq_arg_stream; - struct kvec *argv = rqstp->rq_arg.head; + struct xdr_buf *buf = &rqstp->rq_arg; + struct kvec *argv = buf->head; - xdr_init_decode(xdr, &rqstp->rq_arg, argv->iov_base, NULL); + /* + * svc_getnl() and friends do not keep the xdr_buf's ::len + * field up to date. Refresh that field before initializing + * the argument decoding stream. + */ + buf->len = buf->head->iov_len + buf->page_len + buf->tail->iov_len; + + xdr_init_decode(xdr, buf, argv->iov_base, NULL); xdr_set_scratch_page(xdr, rqstp->rq_scratch_page); }
From patchwork Wed Jun 26 18:27:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13713273
From: cel@kernel.org To: Greg Kroah-Hartman , Sasha Levin Cc: , , Chuck Lever , Jeff Layton Subject: [PATCH 5.10 4/5] SUNRPC: Fix svcxdr_init_encode's buflen calculation Date: Wed, 26 Jun 2024 14:27:44 -0400 Message-ID: <20240626182745.288665-5-cel@kernel.org> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240626182745.288665-1-cel@kernel.org> References: <20240626182745.288665-1-cel@kernel.org> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0
From: Chuck Lever [ Upstream commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624 ] Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries") added an explicit computation of the remaining length in the rq_res XDR buffer. The computation appears to suffer from an "off-by-one" bug. Because buflen is too large by one page, XDR encoding can run off the end of the send buffer by eventually trying to use the struct page address in rq_page_end, which always contains NULL. Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- include/linux/sunrpc/svc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h index f0e09427070c..00303c636a89 100644 --- a/include/linux/sunrpc/svc.h +++ b/include/linux/sunrpc/svc.h 
@@ -579,7 +579,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp) xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack; buf->len = resv->iov_len; xdr->page_ptr = buf->pages - 1; - buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages); + buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages); buf->buflen -= rqstp->rq_auth_slack; xdr->rqst = NULL; }
From patchwork Wed Jun 26 18:27:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13713274
From: cel@kernel.org To: Greg Kroah-Hartman , Sasha Levin Cc: , , Jeff Layton , Vladimir Benes Subject: [PATCH 5.10 5/5] nfsd: hold a lighter-weight client reference over CB_RECALL_ANY Date: Wed, 26 Jun 2024 14:27:45 -0400 Message-ID: <20240626182745.288665-6-cel@kernel.org> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240626182745.288665-1-cel@kernel.org> References: <20240626182745.288665-1-cel@kernel.org> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0
From: Jeff Layton [ Upstream commit 10396f4df8b75ff6ab0aa2cd74296565466f2c8d ] Currently the CB_RECALL_ANY job takes a cl_rpc_users reference to the client. While a callback job is technically an RPC that counter is really more for client-driven RPCs, and this has the effect of preventing the client from being unhashed until the callback completes. If nfsd decides to send a CB_RECALL_ANY just as the client reboots, we can end up in a situation where the callback can't complete on the (now dead) callback channel, but the new client can't connect because the old client can't be unhashed. This usually manifests as a NFS4ERR_DELAY return on the CREATE_SESSION operation. The job is only holding a reference to the client so it can clear a flag after the RPC completes. Fix this by having CB_RECALL_ANY instead hold a reference to the cl_nfsdfs.cl_ref. Typically we only take that sort of reference when dealing with the nfsdfs info files, but it should work appropriately here to ensure that the nfs4_client doesn't disappear. Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition") Reported-by: Vladimir Benes Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever --- fs/nfsd/nfs4state.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 228560f3fd0e..8e84ddccce4b 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -2888,12 +2888,9 @@ static void nfsd4_cb_recall_any_release(struct nfsd4_callback *cb) { struct nfs4_client *clp = cb->cb_clp; - struct nfsd_net *nn = net_generic(clp->net, nfsd_net_id); - spin_lock(&nn->client_lock); clear_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags); - put_client_renew_locked(clp); - spin_unlock(&nn->client_lock); + drop_client(clp); } static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = { 
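Review bot: In nfsd4_cb_recall_any_release(), clear_bit() on clp->cl_flags now runs without nn->client_lock held, and the description does not say whether anything relied on that lock to order the clear against the set_bit() in deleg_reaper(). The bit operation itself is atomic, so this is probably fine, but please state it in the commit message. The clear_bit() before drop_client() ordering matters too, since the reference is what keeps the nfs4_client from disappearing; a one-line comment saying clp must not be touched after drop_client() would protect it from later reordering.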
@@ -6230,7 +6227,7 @@ deleg_reaper(struct nfsd_net *nn) list_add(&clp->cl_ra_cblist, &cblist); /* release in nfsd4_cb_recall_any_release */ - atomic_inc(&clp->cl_rpc_users); + kref_get(&clp->cl_nfsdfs.cl_ref); set_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags); clp->cl_ra_time = ktime_get_boottime_seconds(); }
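Review bot: In [PATCH 5.10 1/5], svc_rqst_free() in net/sunrpc/svc.c, the new `if (rqstp->rq_scratch_page)` guard covers only the free path, while the description places the failing alloc_pages_node() in svc_rqst_alloc(), which this diff does not show. Please confirm that the allocation failure path goes straight to svc_rqst_free() so no other consumer is handed a NULL rq_scratch_page, and consider a short comment above the check saying the page may be NULL when allocation failed part-way.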
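Review bot: In [PATCH 5.10 2/5], include/trace/events/sunrpc.h, TRACE_EVENT(svc_stats_latency) still evaluates `rqst->rq_xprt->xpt_remotebuf` unconditionally in both __string() and __assign_str(), whereas svc_process in the same file guards it with `rqst->rq_xprt ? rqst->rq_xprt->xpt_remotebuf : "(null)"`. If rq_xprt can be NULL when this event fires, the same class of crash remains after the rq_procinfo fix; either apply the same guard here or say in the description why rq_xprt is always valid at this point.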
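Review bot: In [PATCH 5.10 2/5], net/sunrpc/svc.c, the added svc_proc_name() is followed by two blank lines before the svc_encode_result_payload kernel-doc; drop one. The function also has no EXPORT_SYMBOL_GPL(), unlike svc_max_payload() directly above it, which is only correct if every tracepoint that calls it is built into the same module; a sentence in the description would settle that. Minor: the fallback string here is "unknown" while the addr field in the same trace events falls back to "(null)".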
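Review bot: In [PATCH 5.10 3/5], svcxdr_init_decode() in include/linux/sunrpc/svc.h, the updated kernel-doc does not mention that the function now overwrites rq_arg.len, which is a visible side effect for any caller that reads buf->len afterwards; add a sentence for it next to the "assumes the RPC header ... has already been decoded" note. The assignment also mixes `buf->head->iov_len` with the local `argv`, which points at the same kvec; using `argv->iov_len` would keep the function consistent.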
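Review bot: In [PATCH 5.10 4/5], svcxdr_init_encode() in include/linux/sunrpc/svc.h, the corrected `PAGE_SIZE * (rqstp->rq_page_end - buf->pages)` carries no comment, and the description itself only says the old computation "appears" to be off by one. With `xdr->page_ptr = buf->pages - 1` on the line just above, the page accounting is easy to misread; a short comment stating which pages the count covers, and that the rq_page_end slot is excluded because it always holds NULL, would keep the `1 +` from being reintroduced.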
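Review bot: In [PATCH 5.10 5/5], deleg_reaper() in fs/nfsd/nfs4state.c, the reference is taken with an open-coded `kref_get(&clp->cl_nfsdfs.cl_ref)` but released through the drop_client() helper in nfsd4_cb_recall_any_release(). If a matching get helper exists, use it here; otherwise extend the existing "release in nfsd4_cb_recall_any_release" comment to name drop_client(), so the get/put pairing is obvious to the next reader.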