From: Tom Tucker <tom-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org>
To: "David J. Wilder" <dwilder-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
pradeep-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org
Subject: Re: rnfs: rq_respages pointer is bad
Date: Mon, 01 Mar 2010 21:35:00 -0600 [thread overview]
Message-ID: <4B8C8764.9080409@opengridcomputing.com> (raw)
In-Reply-To: <1267489621.9774.41.camel-XfwDJb4SXxnMbYB6QlFGEg@public.gmane.org>
Hi David:
That looks like a bug to me and it looks like what you propose is the
correct fix. My only reservation is that if you are correct then how did
this work at all without data corruption for large writes on x86_64?
I'm on the road right now, so I can't dig too deep until Wednesday, but
at this point your analysis looks correct to me.
Tom
David J. Wilder wrote:
> Tom
>
> I have been chasing an rnfs related Oops in svc_process(). I have found
> the source of the Oops but I am not sure of my fix. I am seeing the
> problem on ppc64, kernel 2.6.32, I have not tried other arch yet.
>
> The source of the problem is in rdma_read_complete(), I am finding that
> rqstp->rq_respages is set to point past the end of the rqstp->rq_pages
> page list. This results in a NULL reference in svc_process() when
> passing rq_respages[0] to page_address().
>
> In rdma_read_complete() we are using rqstp->rq_arg.pages as the base of
> the page list then indexing by page_no, however rq_arg.pages is not
> pointing to the start of the list so rq_respages ends up pointing to:
>
> rqstp->rq_pages[(head->count+1) + head->hdr_count]
>
> In my case, it ends up pointing one past the end of the list by one.
>
> Here is the change I made.
>
> static int rdma_read_complete(struct svc_rqst *rqstp,
> struct svc_rdma_op_ctxt *head)
> {
> int page_no;
> int ret;
>
> BUG_ON(!head);
>
> /* Copy RPC pages */
> for (page_no = 0; page_no < head->count; page_no++) {
> put_page(rqstp->rq_pages[page_no]);
> rqstp->rq_pages[page_no] = head->pages[page_no];
> }
> /* Point rq_arg.pages past header */
> rqstp->rq_arg.pages = &rqstp->rq_pages[head->hdr_count];
> rqstp->rq_arg.page_len = head->arg.page_len;
> rqstp->rq_arg.page_base = head->arg.page_base;
>
> /* rq_respages starts after the last arg page */
> - rqstp->rq_respages = &rqstp->rq_arg.pages[page_no];
> + rqstp->rq_respages = &rqstp->rq_pages[page_no];
> .
> .
> .
>
> The change works for me, but I am not sure it is safe to assume the
> rqstp->rq_pages[head->count] will always point to the last arg page.
>
> Dave.
>
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2010-03-02 3:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-02 0:27 rnfs: rq_respages pointer is bad David J. Wilder
[not found] ` <1267489621.9774.41.camel-XfwDJb4SXxnMbYB6QlFGEg@public.gmane.org>
2010-03-02 3:35 ` Tom Tucker [this message]
[not found] ` <4B8C8764.9080409-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org>
2010-03-03 16:20 ` David J. Wilder
2010-03-11 17:05 ` Tom Tucker
2010-03-11 21:32 ` Roland Dreier
[not found] ` <adar5nqczov.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org>
2010-03-11 21:37 ` Tom Tucker
2010-05-05 22:58 ` Roland Dreier
[not found] ` <ada6332arcw.fsf-BjVyx320WGW9gfZ95n9DRSW4+XlvGpQz@public.gmane.org>
2010-05-06 1:35 ` Tom Tucker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B8C8764.9080409@opengridcomputing.com \
--to=tom-7bpotxp6k4+p2yhjcf5u+vpxobypeauw@public.gmane.org \
--cc=dwilder-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=pradeep-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox