From: Chuck Lever <cel@kernel.org>
To: NeilBrown <neil@brown.name>, Jeff Layton <jlayton@kernel.org>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <dai.ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: <linux-nfs@vger.kernel.org>, Chuck Lever <chuck.lever@oracle.com>
Subject: [RFC PATCH] NFSD: Remove WARN_ON_ONCE in nfsd_iter_read()
Date: Thu, 11 Sep 2025 16:18:58 -0400 [thread overview]
Message-ID: <20250911201858.1630-1-cel@kernel.org> (raw)
From: Chuck Lever <chuck.lever@oracle.com>
The *count parameter does not appear to be explicitly restricted
to being smaller than rsize, so it might be possible to overrun
the rq_bvec array.
Rather than overrunning the array (damage done!) and then WARNING
once, let's harden the loop so that it terminates before the end of
rq_bvec. This should result in a short read, which is OK (clients
recover by sending additional READ requests for the remaining unread
bytes).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
fs/nfsd/vfs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
There might be a similar issue with rq_next_page in this loop?
Suppose that nfsd4_encode_readv() encounters a second READ operation
in a COMPOUND, and the two READ operations together comprise more
than "rsize" total bytes of payload. Each rq_bvec is under the page
limit, but the total number of pages consumed from rq_pages might
exceed rq_maxpages.
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 714777c221ed..e2f0fe3f82c0 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1120,13 +1120,13 @@ __be32 nfsd_iter_read(struct svc_rqst *rqstp, struct svc_fh *fhp,
bvec_set_page(&rqstp->rq_bvec[v], *(rqstp->rq_next_page++),
len, base);
total -= len;
- ++v;
base = 0;
+ if (++v >= rqstp->rq_maxpages)
+ break;
}
- WARN_ON_ONCE(v > rqstp->rq_maxpages);
- trace_nfsd_read_vector(rqstp, fhp, offset, *count);
- iov_iter_bvec(&iter, ITER_DEST, rqstp->rq_bvec, v, *count);
+ trace_nfsd_read_vector(rqstp, fhp, offset, *count - total);
+ iov_iter_bvec(&iter, ITER_DEST, rqstp->rq_bvec, v, *count - total);
host_err = vfs_iocb_iter_read(file, &kiocb, &iter);
return nfsd_finish_read(rqstp, fhp, file, offset, count, eof, host_err);
}
--
2.50.0
next reply other threads:[~2025-09-11 20:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-11 20:18 Chuck Lever [this message]
2025-09-12 13:25 ` [RFC PATCH] NFSD: Remove WARN_ON_ONCE in nfsd_iter_read() Mike Snitzer
2025-09-13 5:37 ` NeilBrown
2025-09-13 16:01 ` Chuck Lever
2025-09-14 0:34 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250911201858.1630-1-cel@kernel.org \
--to=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=dai.ngo@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neil@brown.name \
--cc=okorniev@redhat.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.