From: Jeff Layton <jlayton@kernel.org>
To: Chuck Lever <cel@kernel.org>, NeilBrown <neil@brown.name>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>
Cc: linux-rdma@vger.kernel.org, linux-nfs@vger.kernel.org,
Chuck Lever <chuck.lever@oracle.com>, Chris Mason <clm@meta.com>
Subject: Re: [PATCH 0/6] svcrdma: harden parsed chunk list against malformed wire values
Date: Wed, 27 May 2026 11:19:59 -0400 [thread overview]
Message-ID: <e770cd7628d87611fc924d396e75feff342f4a5b.camel@kernel.org> (raw)
In-Reply-To: <20260526-rpc-kernel-bugs-v1-0-e251306ccca9@oracle.com>
On Tue, 2026-05-26 at 09:35 -0400, Chuck Lever wrote:
> The RPC/RDMA transport stores wire-supplied chunk positions, lengths,
> and segment counts verbatim in the parsed chunk list. Consumer
> functions compute gap lengths and sub-range offsets from these values
> using unsigned subtraction. A malicious or buggy peer can supply
> values that cause these subtractions to underflow, exposing slab
> memory to the Reply channel or driving oversized allocations.
>
> The fix proceeds in two layers. Consumer functions in svc_rdma_rw.c
> gain bounds checks against the saved inline body length before each
> unsigned subtraction, closing the immediate underflow paths. The
> Read list decoder in svc_rdma_recvfrom.c gains a segment-length cap
> against the receive context's page budget, and the existing page-
> overrun guard in svc_rdma_build_read_segment() is corrected to
> release the rw context it has already acquired. These consumer-side
> fixes are backportable independently.
>
> pcl_for_each_segment() uses an inclusive upper bound that underflows
> when ch_segcount is zero, turning a zero-segment Write or Reply
> chunk into an unbounded memory walk. The macro is changed to a
> half-open bound that naturally produces an empty iteration for
> ch_segcount == 0. The decoder then also rejects zero-segment chunks
> at the wire boundary, and reorders pcl_alloc_write() so that only
> fully-populated chunks appear on the list. The macro fix remains as
> defense in depth and is safe to backport to trees without the decoder
> change.
>
> A consolidation pass validates Read chunk positions and overlap
> invariants once, immediately after decoding, so that future PCL
> consumers inherit the guarantee without replicating per-site checks.
>
> ---
> Chris Mason (3):
> svcrdma: Fix offset arithmetic in read_chunk_range
> svcrdma: fix pcl_for_each_segment for empty chunks
> svcrdma: reject Write/Reply chunks with segcount 0
>
> Chuck Lever (3):
> svcrdma: validate Read chunk positions before reconstruction
> svcrdma: reject oversized Read segments at decode time
> svcrdma: Validate Read chunk positions at decode time
>
> include/linux/sunrpc/svc_rdma_pcl.h | 4 ++-
> net/sunrpc/xprtrdma/svc_rdma_pcl.c | 63 ++++++++++++++++++++++++++++++---
> net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 14 ++++++--
> net/sunrpc/xprtrdma/svc_rdma_rw.c | 52 ++++++++++++++++++++-------
> 4 files changed, 113 insertions(+), 20 deletions(-)
> ---
> base-commit: 887d478bb2115cec0be8caae58bad4d4b3109b1a
> change-id: 20260524-rpc-kernel-bugs-fb537a0615ec
>
> Best regards,
> --
> Chuck Lever <chuck.lever@oracle.com>
Acked-by: Jeff Layton <jlayton@kernel.org>
prev parent reply other threads:[~2026-05-27 15:20 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 13:35 [PATCH 0/6] svcrdma: harden parsed chunk list against malformed wire values Chuck Lever
2026-05-26 13:35 ` [PATCH 1/6] svcrdma: validate Read chunk positions before reconstruction Chuck Lever
2026-05-26 13:35 ` [PATCH 2/6] svcrdma: Fix offset arithmetic in read_chunk_range Chuck Lever
2026-05-26 13:35 ` [PATCH 3/6] svcrdma: reject oversized Read segments at decode time Chuck Lever
2026-05-26 13:35 ` [PATCH 4/6] svcrdma: fix pcl_for_each_segment for empty chunks Chuck Lever
2026-05-26 13:35 ` [PATCH 5/6] svcrdma: reject Write/Reply chunks with segcount 0 Chuck Lever
2026-05-26 13:36 ` [PATCH 6/6] svcrdma: Validate Read chunk positions at decode time Chuck Lever
2026-05-27 15:19 ` Jeff Layton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e770cd7628d87611fc924d396e75feff342f4a5b.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=Dai.Ngo@oracle.com \
--cc=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=clm@meta.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=neil@brown.name \
--cc=okorniev@redhat.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox