> On Oct 5, 2015, at 11:03 AM, Sagi Grimberg <sagig@xxxxxxxxxxxxxxxxxx> wrote:
>
> On 10/5/2015 6:03 AM, Chuck Lever wrote:
>> Now that the NFS server advertises a maximum payload size of 1MB
>> for RPC/RDMA again, it crashes in svc_process_common() when NFS
>> client sends a 1MB NFS WRITE on an NFS/RDMA mount.
>>
>> The server has set up a 259 element array of struct page pointers
>> in rq_pages[] for each incoming request. The last element of the
>> array is NULL.
>>
>> When an incoming request has been completely received,
>> rdma_read_complete() attempts to set the starting page of the
>> incoming page vector:
>>
>> rqstp->rq_arg.pages = &rqstp->rq_pages[head->hdr_count];
>>
>> and the page to use for the reply:
>>
>> rqstp->rq_respages = &rqstp->rq_arg.pages[page_no];
>>
>> But the value of page_no has already accounted for head->hdr_count.
>> Thus rq_respages now points past the end of the incoming pages. For
>> NFS WRITE operations smaller than the maximum, this is harmless.
>>
>> But when the NFS WRITE operation is as large as the server's max
>> payload size, rq_respages now points at the last entry in rq_pages,
>> which is NULL.
>>
>> Fixes: cc9a903d915c ('svcrdma: Change maximum server payload . . .')
>> BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=270
>> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
>> ---
>
> Looks correct,
>
> Reviewed-by: Sagi Grimberg <sagig@xxxxxxxxxxxx>
Excellent, thank you!
--
Chuck Lever
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
