LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, NeilBrown <neilb@suse.de>
Subject: [patch 35/59] knfsd: fix an NFSD bug with full sized, non-page-aligned reads.
Date: Fri, 02 Feb 2007 18:35:39 -0800	[thread overview]
Message-ID: <20070203024309.888535000@sous-sol.org> (raw)
In-Reply-To: <20070203023504.435051000@sous-sol.org>

[-- Attachment #1: knfsd-fix-an-nfsd-bug-with-full-sized-non-page-aligned-reads.patch --]
[-- Type: text/plain, Size: 2423 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
------------------

From: NeilBrown <neilb@suse.de>

NFSd assumes that largest number of pages that will be needed
for a request+response is 2+N where N pages is the size of the largest
permitted read/write request.  The '2' are 1 for the non-data part of
the request, and 1 for the non-data part of the reply.

However, when a read request is not page-aligned, and we choose to use
->sendfile to send it directly from the page cache, we may need N+1
pages to hold the whole reply.  This can overflow and array and cause
an Oops.

This patch increases size of the array for holding pages by one and
makes sure that entry is NULL when it is not in use.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/nfsd/vfs.c              |    3 ++-
 include/linux/sunrpc/svc.h |    5 ++++-
 net/sunrpc/svcsock.c       |    2 ++
 3 files changed, 8 insertions(+), 2 deletions(-)

--- linux-2.6.19.2.orig/fs/nfsd/vfs.c
+++ linux-2.6.19.2/fs/nfsd/vfs.c
@@ -822,7 +822,8 @@ nfsd_read_actor(read_descriptor_t *desc,
 		rqstp->rq_res.page_len = size;
 	} else if (page != pp[-1]) {
 		get_page(page);
-		put_page(*pp);
+		if (*pp)
+			put_page(*pp);
 		*pp = page;
 		rqstp->rq_resused++;
 		rqstp->rq_res.page_len += size;
--- linux-2.6.19.2.orig/include/linux/sunrpc/svc.h
+++ linux-2.6.19.2/include/linux/sunrpc/svc.h
@@ -144,8 +144,11 @@ extern u32 svc_max_payload(const struct 
  *
  * Each request/reply pair can have at most one "payload", plus two pages,
  * one for the request, and one for the reply.
+ * We using ->sendfile to return read data, we might need one extra page
+ * if the request is not page-aligned.  So add another '1'.
  */
-#define RPCSVC_MAXPAGES		((RPCSVC_MAXPAYLOAD+PAGE_SIZE-1)/PAGE_SIZE + 2)
+#define RPCSVC_MAXPAGES		((RPCSVC_MAXPAYLOAD+PAGE_SIZE-1)/PAGE_SIZE \
+				+ 2 + 1)
 
 static inline u32 svc_getnl(struct kvec *iov)
 {
--- linux-2.6.19.2.orig/net/sunrpc/svcsock.c
+++ linux-2.6.19.2/net/sunrpc/svcsock.c
@@ -1248,6 +1248,8 @@ svc_recv(struct svc_rqst *rqstp, long ti
 				schedule_timeout_uninterruptible(msecs_to_jiffies(500));
 			rqstp->rq_pages[i] = p;
 		}
+	rqstp->rq_pages[i++] = NULL; /* this might be seen in nfs_read_actor */
+	BUG_ON(pages >= RPCSVC_MAXPAGES);
 
 	/* Make arg->head point to first page and arg->pages point to rest */
 	arg = &rqstp->rq_arg;

--

  parent reply	other threads:[~2007-02-03  2:38 UTC|newest]

Thread overview: 69+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-03  2:35 [patch 00/59] -stable review Chris Wright
2007-02-03  2:35 ` [patch 01/59] i2c-mv64xxx: Fix random oops at boot Chris Wright
2007-02-03  2:35 ` [patch 02/59] i2c/m41t00: Do not forget to write year Chris Wright
2007-02-03  2:35 ` [patch 03/59] Check for populated zone in __drain_pages Chris Wright
2007-02-03  2:35 ` [patch 04/59] Fix HWRNG built-in initcalls priority Chris Wright
2007-02-03  2:35 ` [patch 05/59] md: pass down BIO_RW_SYNC in raid{1,10} Chris Wright
2007-02-03  2:35 ` [patch 06/59] NETFILTER: Fix routing of REJECT target generated packets in output chain Chris Wright
2007-02-03  2:35 ` [patch 07/59] NETFILTER: nf_conntrack_ipv6: fix crash when handling fragments Chris Wright
2007-02-03  2:35 ` [patch 08/59] NETFILTER: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value Chris Wright
2007-02-03  2:35 ` [patch 09/59] NETFILTER: arp_tables: fix userspace compilation Chris Wright
2007-02-03  2:35 ` [patch 10/59] Repair snd-usb-usx2y over OHCI Chris Wright
2007-02-03  2:35 ` [patch 11/59] [stable] [PATCH] IB/mthca: Fix off-by-one in FMR handling on memfree Chris Wright
2007-02-03  2:35 ` [patch 12/59] [PATCH] Fix reparenting to the same thread group. (take 2) Chris Wright
2007-02-03  2:35 ` [patch 13/59] ieee1394: sbp2: fix probing of some DVD-ROM/RWs Chris Wright
2007-02-03  2:35 ` [patch 14/59] sched: tasks cannot run on cpus onlined after boot Chris Wright
2007-02-03  2:35 ` [patch 15/59] Fix up CIFS for "test_clear_page_dirty()" removal Chris Wright
2007-02-03  2:35 ` [patch 16/59] start_kernel: test if irqs got enabled early, barf, and disable them again Chris Wright
2007-02-03  2:35 ` [patch 17/59] PCI: prevent down_read when pci_devices is empty Chris Wright
2007-02-03 16:16   ` Kumar Gala
2007-02-05 17:04     ` Chris Wright
2007-02-03  2:35 ` [patch 18/59] IPV6 MCAST: Fix joining all-node multicast group on device initialization Chris Wright
2007-02-03  2:35 ` [patch 19/59] NETFILTER: ctnetlink: check for status attribute existence on conntrack creation Chris Wright
2007-02-03  2:35 ` [patch 20/59] NETFILTER: ctnetlink: fix leak in ctnetlink_create_conntrack error path Chris Wright
2007-02-03  2:35 ` [patch 21/59] IPSEC: Policy list disorder Chris Wright
2007-02-03  2:35 ` [patch 22/59] ALSA hda-codec - Fix NULL dereference in generic hda code Chris Wright
2007-02-03  2:35 ` [patch 23/59] SELinux: fix an oops with NetLabel and non-MLS SELinux policy Chris Wright
2007-02-03  2:35 ` [patch 24/59] IB/iser: return error code when PDUs may not be sent Chris Wright
2007-02-03  2:35 ` [patch 25/59] Fix UML on non-standard VM split hosts Chris Wright
2007-02-04  1:06   ` Randy Dunlap
2007-02-04  3:11     ` Jeff Dike
2007-02-04  4:19       ` Randy Dunlap
2007-02-03  2:35 ` [patch 26/59] ACPI: fix cpufreq regression Chris Wright
2007-02-03  2:35 ` [patch 27/59] x86: Work around gcc 4.2 over aggressive optimizer Chris Wright
2007-02-03  2:35 ` [patch 28/59] NETFILTER: Fix iptables ABI breakage on (at least) CRIS Chris Wright
2007-02-03  2:35 ` [patch 29/59] elevator: move clearing of unplug flag earlier Chris Wright
2007-02-03  2:35 ` [patch 30/59] Revert "[PATCH] Fix up mmap_kmem" Chris Wright
2007-02-03  2:35 ` [patch 31/59] remove __devinit markings from rtc_sysfs_add_device() Chris Wright
2007-02-03  2:35 ` [patch 32/59] SPARC64: Set g4/g5 properly in sun4v dtlb-prot handling Chris Wright
2007-02-03  2:35 ` [patch 33/59] sis190: failure to set the MAC address from EEPROM Chris Wright
2007-02-03  2:35 ` [patch 34/59] knfsd: fix setting of ACL server versions Chris Wright
2007-02-03  2:35 ` Chris Wright [this message]
2007-02-03  2:35 ` [patch 36/59] knfsd: fix type mismatch with filldir_t used by nfsd Chris Wright
2007-02-03  2:35 ` [patch 37/59] knfsd: fix up some bit-rot in exp_export Chris Wright
2007-02-03  2:35 ` [patch 38/59] md: assorted md and raid1 one-liners Chris Wright
2007-02-03  2:35 ` [patch 39/59] md: make repair actually work for raid1 Chris Wright
2007-02-03  2:35 ` [patch 40/59] md: fix a few problems with the interface (sysfs and ioctl) to md Chris Wright
2007-02-03  2:35 ` [patch 41/59] md: fix potential memalloc deadlock in md Chris Wright
2007-02-03  2:35 ` [patch 42/59] libata: use kmap_atomic(KM_IRQ0) in SCSI simulator Chris Wright
2007-02-03  2:35 ` [patch 43/59] Dont allow the stack to grow into hugetlb reserved regions Chris Wright
2007-02-03  2:35 ` [patch 44/59] uml: fix signal frame alignment Chris Wright
2007-02-03  2:35 ` [patch 45/59] bonding: ARP monitoring broken on x86_64 Chris Wright
2007-02-03  2:35 ` [patch 46/59] jmicron: 40/80pin primary detection Chris Wright
2007-02-03  2:35 ` [patch 47/59] DECNET: Handle a failure in neigh_parms_alloc (take 2) Chris Wright
2007-02-03  2:35 ` [patch 48/59] SPARC32: Fix over-optimization by GCC near ip_fast_csum Chris Wright
2007-02-03  2:35 ` [patch 49/59] IPV4: Fix the fib trie iterator to work with a single entry routing tables Chris Wright
2007-02-03  2:35 ` [patch 50/59] IPV4: Fix single-entry /proc/net/fib_trie output Chris Wright
2007-02-03  2:35 ` [patch 51/59] AF_PACKET: Fix BPF handling Chris Wright
2007-02-03  2:35 ` [patch 52/59] AF_PACKET: Check device down state before hard header callbacks Chris Wright
2007-02-03  2:35 ` [patch 53/59] TCP: rare bad TCP checksum with 2.6.19 Chris Wright
2007-02-03  2:35 ` [patch 54/59] TCP: Fix sorting of SACK blocks Chris Wright
2007-02-03  2:35 ` [patch 55/59] TCP: skb is unexpectedly freed Chris Wright
2007-02-03  2:36 ` [patch 56/59] NETFILTER: xt_connbytes: fix division by zero Chris Wright
2007-02-03  2:36 ` [patch 57/59] SUNRPC: Give cloned RPC clients their own rpc_pipefs directory Chris Wright
2007-02-03  2:36 ` [patch 58/59] move_task_off_dead_cpu() should be called with disabled ints Chris Wright
2007-02-03  2:36 ` [patch 59/59] sched: fix cond_resched_softirq() offset Chris Wright
2007-02-03  2:59 ` [stable] [patch 00/59] -stable review Chris Wright
2007-02-04  6:08   ` Randy Dunlap
2007-02-04 13:36     ` Dave Jones
2007-02-04 17:30       ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070203024309.888535000@sous-sol.org \
    --to=chrisw@sous-sol.org \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=neilb@suse.de \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    --subject='Re: [patch 35/59] knfsd: fix an NFSD bug with full sized, non-page-aligned reads.' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).