From: Chuck Lever <cel@kernel.org>
To: NeilBrown <neil@brown.name>, Jeff Layton <jlayton@kernel.org>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <dai.ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: <linux-nfs@vger.kernel.org>, Chuck Lever <chuck.lever@oracle.com>
Subject: [RFC PATCH] NFSD: Remove WARN_ON_ONCE in nfsd_iter_read()
Date: Thu, 11 Sep 2025 16:18:58 -0400 [thread overview]
Message-ID: <20250911201858.1630-1-cel@kernel.org> (raw)
From: Chuck Lever <chuck.lever@oracle.com>
The *count parameter does not appear to be explicitly restricted
to being smaller than rsize, so it might be possible to overrun
the rq_bvec array.
Rather than overrunning the array (damage done!) and then WARNING
once, let's harden the loop so that it terminates before the end of
rq_bvec. This should result in a short read, which is OK (clients
recover by sending additional READ requests for the remaining unread
bytes).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
fs/nfsd/vfs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
There might be a similar issue with rq_next_page in this loop?
Suppose that nfsd4_encode_readv() encounters a second READ operation
in a COMPOUND, and the two READ operations together comprise more
than "rsize" total bytes of payload. Each rq_bvec is under the page
limit, but the total number of pages consumed from rq_pages might
exceed rq_maxpages.
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 714777c221ed..e2f0fe3f82c0 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1120,13 +1120,13 @@ __be32 nfsd_iter_read(struct svc_rqst *rqstp, struct svc_fh *fhp,
bvec_set_page(&rqstp->rq_bvec[v], *(rqstp->rq_next_page++),
len, base);
total -= len;
- ++v;
base = 0;
+ if (++v >= rqstp->rq_maxpages)
+ break;
}
- WARN_ON_ONCE(v > rqstp->rq_maxpages);
- trace_nfsd_read_vector(rqstp, fhp, offset, *count);
- iov_iter_bvec(&iter, ITER_DEST, rqstp->rq_bvec, v, *count);
+ trace_nfsd_read_vector(rqstp, fhp, offset, *count - total);
+ iov_iter_bvec(&iter, ITER_DEST, rqstp->rq_bvec, v, *count - total);
host_err = vfs_iocb_iter_read(file, &kiocb, &iter);
return nfsd_finish_read(rqstp, fhp, file, offset, count, eof, host_err);
}
--
2.50.0
next reply other threads:[~2025-09-11 20:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-11 20:18 Chuck Lever [this message]
2025-09-12 13:25 ` [RFC PATCH] NFSD: Remove WARN_ON_ONCE in nfsd_iter_read() Mike Snitzer
2025-09-13 5:37 ` NeilBrown
2025-09-13 16:01 ` Chuck Lever
2025-09-14 0:34 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250911201858.1630-1-cel@kernel.org \
--to=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=dai.ngo@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neil@brown.name \
--cc=okorniev@redhat.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox