[PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset
@ 2025-11-07 15:09 Chuck Lever
  2025-11-07 15:09 ` [PATCH 2/3] svcrdma: return 0 on success from svc_rdma_copy_inline_range Chuck Lever
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Chuck Lever @ 2025-11-07 15:09 UTC (permalink / raw)
  To: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey
  Cc: linux-nfs, linux-rdma, Linus Torvalds, Joshua Rogers

From: Joshua Rogers <linux@joshua.hu>

svc_rdma_copy_inline_range added rc_curpage (page index) to the page
base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
land within the current page.

Fixes: 8e122582680c ("svcrdma: Move svc_rdma_read_info::ri_pageno to struct svc_rdma_recv_ctxt")
X-Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c
index 661b3fe2779f..945fbb374331 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -848,7 +848,7 @@ static int svc_rdma_copy_inline_range(struct svc_rqst *rqstp,
 			head->rc_page_count++;
 
 		dst = page_address(rqstp->rq_pages[head->rc_curpage]);
-		memcpy(dst + head->rc_curpage, src + offset, page_len);
+		memcpy((unsigned char *)dst + head->rc_pageoff, src + offset, page_len);
 
 		head->rc_readbytes += page_len;
 		head->rc_pageoff += page_len;
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH 2/3] svcrdma: return 0 on success from svc_rdma_copy_inline_range
  2025-11-07 15:09 [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Chuck Lever
@ 2025-11-07 15:09 ` Chuck Lever
  2025-11-07 15:09 ` [PATCH 3/3] svcrdma: bound check rq_pages index in inline path Chuck Lever
  2025-11-07 15:23 ` [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Joshua Rogers
  2 siblings, 0 replies; 6+ messages in thread
From: Chuck Lever @ 2025-11-07 15:09 UTC (permalink / raw)
  To: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey
  Cc: linux-nfs, linux-rdma, Linus Torvalds, Joshua Rogers

From: Joshua Rogers <linux@joshua.hu>

The function comment specifies 0 on success and -EINVAL on invalid
parameters. Make the tail return 0 after a successful copy loop.

Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
X-Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c
index 945fbb374331..e813e5463352 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -860,7 +860,7 @@ static int svc_rdma_copy_inline_range(struct svc_rqst *rqstp,
 		offset += page_len;
 	}
 
-	return -EINVAL;
+	return 0;
 }
 
 /**
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH 3/3] svcrdma: bound check rq_pages index in inline path
  2025-11-07 15:09 [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Chuck Lever
  2025-11-07 15:09 ` [PATCH 2/3] svcrdma: return 0 on success from svc_rdma_copy_inline_range Chuck Lever
@ 2025-11-07 15:09 ` Chuck Lever
  2025-11-07 15:23 ` [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Joshua Rogers
  2 siblings, 0 replies; 6+ messages in thread
From: Chuck Lever @ 2025-11-07 15:09 UTC (permalink / raw)
  To: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey
  Cc: linux-nfs, linux-rdma, Linus Torvalds, Joshua Rogers

From: Joshua Rogers <linux@joshua.hu>

svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.

Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
X-Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/xprtrdma/svc_rdma_rw.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c
index e813e5463352..310de7a80be5 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -841,6 +841,9 @@ static int svc_rdma_copy_inline_range(struct svc_rqst *rqstp,
 	for (page_no = 0; page_no < numpages; page_no++) {
 		unsigned int page_len;
 
+		if (head->rc_curpage >= rqstp->rq_maxpages)
+			return -EINVAL;
+
 		page_len = min_t(unsigned int, remaining,
 				 PAGE_SIZE - head->rc_pageoff);
 
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset
  2025-11-07 15:09 [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Chuck Lever
  2025-11-07 15:09 ` [PATCH 2/3] svcrdma: return 0 on success from svc_rdma_copy_inline_range Chuck Lever
  2025-11-07 15:09 ` [PATCH 3/3] svcrdma: bound check rq_pages index in inline path Chuck Lever
@ 2025-11-07 15:23 ` Joshua Rogers
  2025-11-07 15:30   ` Chuck Lever
  2 siblings, 1 reply; 6+ messages in thread
From: Joshua Rogers @ 2025-11-07 15:23 UTC (permalink / raw)
  To: Chuck Lever
  Cc: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey,
	linux-nfs, linux-rdma, Linus Torvalds, Joshua Rogers

Apologies: is it possible to slightly change the commit msg to include "Found with ZeroPath"? As this bug was, indeed, found with a tool called ZeroPath. If not, it's OK, thought I'd ask.

Thank you.


On Friday, 7 November 2025 at 23:09, Chuck Lever <cel@kernel.org> wrote:

> 
> 
> From: Joshua Rogers linux@joshua.hu
> 
> 
> svc_rdma_copy_inline_range added rc_curpage (page index) to the page
> base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
> land within the current page.
> 
> Fixes: 8e122582680c ("svcrdma: Move svc_rdma_read_info::ri_pageno to struct svc_rdma_recv_ctxt")
> X-Cc: stable@vger.kernel.org
> Signed-off-by: Joshua Rogers linux@joshua.hu
> 
> Signed-off-by: Chuck Lever chuck.lever@oracle.com
> 
> ---
> net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c
> index 661b3fe2779f..945fbb374331 100644
> --- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
> +++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
> @@ -848,7 +848,7 @@ static int svc_rdma_copy_inline_range(struct svc_rqst *rqstp,
> head->rc_page_count++;
> 
> 
> dst = page_address(rqstp->rq_pages[head->rc_curpage]);
> 
> - memcpy(dst + head->rc_curpage, src + offset, page_len);
> 
> + memcpy((unsigned char *)dst + head->rc_pageoff, src + offset, page_len);
> 
> 
> head->rc_readbytes += page_len;
> 
> head->rc_pageoff += page_len;
> 
> --
> 2.51.0

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset
  2025-11-07 15:23 ` [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Joshua Rogers
@ 2025-11-07 15:30   ` Chuck Lever
  2025-11-07 15:33     ` Joshua Rogers
  0 siblings, 1 reply; 6+ messages in thread
From: Chuck Lever @ 2025-11-07 15:30 UTC (permalink / raw)
  To: Joshua Rogers
  Cc: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey,
	linux-nfs, linux-rdma, Linus Torvalds, Joshua Rogers

On 11/7/25 10:23 AM, Joshua Rogers wrote:
> Apologies: is it possible to slightly change the commit msg to include "Found with ZeroPath"? As this bug was, indeed, found with a tool called ZeroPath. If not, it's OK, thought I'd ask.
> 
> Thank you.

Patch description in my tree now reads:

    svcrdma: use rc_pageoff for memcpy byte offset

    svc_rdma_copy_inline_range added rc_curpage (page index) to the page
    base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
    land within the current page.

    Found by ZeroPath (https://zeropath.com)




> On Friday, 7 November 2025 at 23:09, Chuck Lever <cel@kernel.org> wrote:
> 
>>
>>
>> From: Joshua Rogers linux@joshua.hu
>>
>>
>> svc_rdma_copy_inline_range added rc_curpage (page index) to the page
>> base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
>> land within the current page.
>>
>> Fixes: 8e122582680c ("svcrdma: Move svc_rdma_read_info::ri_pageno to struct svc_rdma_recv_ctxt")
>> X-Cc: stable@vger.kernel.org
>> Signed-off-by: Joshua Rogers linux@joshua.hu
>>
>> Signed-off-by: Chuck Lever chuck.lever@oracle.com
>>
>> ---
>> net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c
>> index 661b3fe2779f..945fbb374331 100644
>> --- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
>> +++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
>> @@ -848,7 +848,7 @@ static int svc_rdma_copy_inline_range(struct svc_rqst *rqstp,
>> head->rc_page_count++;
>>
>>
>> dst = page_address(rqstp->rq_pages[head->rc_curpage]);
>>
>> - memcpy(dst + head->rc_curpage, src + offset, page_len);
>>
>> + memcpy((unsigned char *)dst + head->rc_pageoff, src + offset, page_len);
>>
>>
>> head->rc_readbytes += page_len;
>>
>> head->rc_pageoff += page_len;
>>
>> --
>> 2.51.0
> 


-- 
Chuck Lever

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset
  2025-11-07 15:30   ` Chuck Lever
@ 2025-11-07 15:33     ` Joshua Rogers
  0 siblings, 0 replies; 6+ messages in thread
From: Joshua Rogers @ 2025-11-07 15:33 UTC (permalink / raw)
  To: Chuck Lever
  Cc: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey,
	linux-nfs, linux-rdma, Linus Torvalds, Joshua Rogers

Sounds reasonable, or "Found by Joshua Rogers with ZeroPath(https://zeropath.com)", but I have no problem with either.

thx

On Friday, 7 November 2025 at 23:30, Chuck Lever <cel@kernel.org> wrote:

> 
> 
> On 11/7/25 10:23 AM, Joshua Rogers wrote:
> 
> > Apologies: is it possible to slightly change the commit msg to include "Found with ZeroPath"? As this bug was, indeed, found with a tool called ZeroPath. If not, it's OK, thought I'd ask.
> > 
> > Thank you.
> 
> 
> Patch description in my tree now reads:
> 
> svcrdma: use rc_pageoff for memcpy byte offset
> 
> svc_rdma_copy_inline_range added rc_curpage (page index) to the page
> base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
> land within the current page.
> 
> Found by ZeroPath (https://zeropath.com)
> 
> 
> 
> > On Friday, 7 November 2025 at 23:09, Chuck Lever cel@kernel.org wrote:
> > 
> > > From: Joshua Rogers linux@joshua.hu
> > > 
> > > svc_rdma_copy_inline_range added rc_curpage (page index) to the page
> > > base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
> > > land within the current page.
> > > 
> > > Fixes: 8e122582680c ("svcrdma: Move svc_rdma_read_info::ri_pageno to struct svc_rdma_recv_ctxt")
> > > X-Cc: stable@vger.kernel.org
> > > Signed-off-by: Joshua Rogers linux@joshua.hu
> > > 
> > > Signed-off-by: Chuck Lever chuck.lever@oracle.com
> > > 
> > > ---
> > > net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/net/sunrpc/xprtrdma/svc_rdma_rw.c b/net/sunrpc/xprtrdma/svc_rdma_rw.c
> > > index 661b3fe2779f..945fbb374331 100644
> > > --- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
> > > +++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
> > > @@ -848,7 +848,7 @@ static int svc_rdma_copy_inline_range(struct svc_rqst *rqstp,
> > > head->rc_page_count++;
> > > 
> > > dst = page_address(rqstp->rq_pages[head->rc_curpage]);
> > > 
> > > - memcpy(dst + head->rc_curpage, src + offset, page_len);
> > > 
> > > + memcpy((unsigned char *)dst + head->rc_pageoff, src + offset, page_len);
> > > 
> > > head->rc_readbytes += page_len;
> > > 
> > > head->rc_pageoff += page_len;
> > > 
> > > --
> > > 2.51.0
> 
> 
> 
> --
> Chuck Lever

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2025-11-07 15:33 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-07 15:09 [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Chuck Lever
2025-11-07 15:09 ` [PATCH 2/3] svcrdma: return 0 on success from svc_rdma_copy_inline_range Chuck Lever
2025-11-07 15:09 ` [PATCH 3/3] svcrdma: bound check rq_pages index in inline path Chuck Lever
2025-11-07 15:23 ` [PATCH 1/3] svcrdma: use rc_pageoff for memcpy byte offset Joshua Rogers
2025-11-07 15:30   ` Chuck Lever
2025-11-07 15:33     ` Joshua Rogers

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.