* [PATCH] Prevent rqstp->rq_pages[RPCSVC_MAXPAGES] overrun
@ 2016-07-26 1:54 Seiichi Ikarashi
2016-07-26 2:29 ` kbuild test robot
0 siblings, 1 reply; 2+ messages in thread
From: Seiichi Ikarashi @ 2016-07-26 1:54 UTC (permalink / raw)
To: trond.myklebust, anna.schumaker; +Cc: linux-nfs
If over-"RPCSVC_MAXPAGES" pages are sent from file system through pipe_buffer,
nfsd_splice_actor() corrupts struct svc_rqst and results in kernel panic. It
actually occurred with a parallel distributed file system. It needs boundary
checking.
Signed-off-by: Seiichi Ikarashi <s.ikarashi@jp.fujitsu.com>
---
fs/nfsd/vfs.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 6fbd81e..d6cb423 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -811,12 +811,20 @@ nfsd_splice_actor(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
size = sd->len;
if (rqstp->rq_res.page_len == 0) {
+ if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
+ WARN_ON(1);
+ return -ENOMEM
+ }
get_page(page);
put_page(*rqstp->rq_next_page);
*(rqstp->rq_next_page++) = page;
rqstp->rq_res.page_base = buf->offset;
rqstp->rq_res.page_len = size;
} else if (page != pp[-1]) {
+ if (rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1]) {
+ WARN_ON(1);
+ return -ENOMEM
+ }
get_page(page);
if (*rqstp->rq_next_page)
put_page(*rqstp->rq_next_page);
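Review bot: Both added `return -ENOMEM` statements, one in the `rqstp->rq_res.page_len == 0` branch and one in the `page != pp[-1]` branch, are missing the terminating semicolon, so fs/nfsd/vfs.c will not compile with this hunk applied. Beyond that, the bounds test is written twice with an unconditional `WARN_ON(1)` inside it. Since the commit message says the excess pages come from the file system through the pipe, every page past the limit would produce a full warning. Folding the test into the macro, as in `if (WARN_ON_ONCE(rqstp->rq_next_page > &rqstp->rq_pages[RPCSVC_MAXPAGES-1])) return -ENOMEM;`, keeps the diagnostic while limiting it to one report, and putting the comparison in a small helper would avoid the two copies drifting apart. A short comment on why `-ENOMEM` is the chosen error for running out of `rq_pages` slots would also help the next reader.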