* [PATCH] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun
@ 2016-07-26 1:54 Seiichi Ikarashi
2016-07-26 2:29 ` kbuild test robot
0 siblings, 1 reply; 2+ messages in thread
From: Seiichi Ikarashi @ 2016-07-26 1:54 UTC (permalink / raw)
To: trond.myklebust, anna.schumaker; +Cc: linux-nfs
If over-"RPCSVC_MAXPAGES" pages are sent from file system through pipe_buffer,
nfsd_splice_actor() corrupts struct svc_rqst and results in kernel panic. It
actually occurred with a parallel distributed file system. It needs boundary
checking.
Signed-off-by: Seiichi Ikarashi <s.ikarashi@jp.fujitsu.com>
---
fs/nfsd/vfs.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 6fbd81e..d6cb423 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -811,12 +811,20 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
size = sd->len;
if (rqstp->rq_res.page_len == 0) {
+ if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
+ WARN_ON(1);
+ return -ENOMEM
+ }
get_page(page);
put_page(*rqstp->rq_next_page);
*(rqstp->rq_next_page++) = page;
rqstp->rq_res.page_base = buf->offset;
rqstp->rq_res.page_len = size;
} else if (page != pp[-1]) {
+ if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
+ WARN_ON(1);
+ return -ENOMEM
+ }
get_page(page);
if (*rqstp->rq_next_page)
put_page(*rqstp->rq_next_page);
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun
2016-07-26 1:54 [PATCH] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun Seiichi Ikarashi
@ 2016-07-26 2:29 ` kbuild test robot
0 siblings, 0 replies; 2+ messages in thread
From: kbuild test robot @ 2016-07-26 2:29 UTC (permalink / raw)
To: Seiichi Ikarashi; +Cc: kbuild-all, trond.myklebust, anna.schumaker, linux-nfs
[-- Attachment #1: Type: text/plain, Size: 1446 bytes --]
Hi,
[auto build test ERROR on nfsd/nfsd-next]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Seiichi-Ikarashi/Prevent-rqstp-rq_pages-RPCSVC_MAXPAGES-overrun/20160726-095928
base: git://linux-nfs.org/~bfields/linux.git nfsd-next
config: sparc64-allyesconfig (attached as .config)
compiler: sparc64-linux-gnu-gcc (Debian 5.4.0-6) 5.4.0 20160609
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=sparc64
All errors (new ones prefixed by >>):
fs/nfsd/vfs.c: In function 'nfsd_splice_actor':
>> fs/nfsd/vfs.c:817:3: error: expected ';' before '}' token
}
^
fs/nfsd/vfs.c:827:3: error: expected ';' before '}' token
}
^
vim +817 fs/nfsd/vfs.c
811 size = sd->len;
812
813 if (rqstp->rq_res.page_len == 0) {
814 if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
815 WARN_ON(1);
816 return -ENOMEM
> 817 }
818 get_page(page);
819 put_page(*rqstp->rq_next_page);
820 *(rqstp->rq_next_page++) = page;
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/octet-stream, Size: 46465 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-07-26 2:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-26 1:54 [PATCH] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun Seiichi Ikarashi
2016-07-26 2:29 ` kbuild test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).