> On Jun 30, 2022, at 2:40 PM, Trond Myklebust <trondmy@xxxxxxxxxxxxxxx> wrote: > > On Thu, 2022-06-30 at 14:09 -0400, Anna Schumaker wrote: >> On Thu, Jun 30, 2022 at 2:03 PM Trond Myklebust >> <trondmy@xxxxxxxxxxxxxxx> wrote: >>> >>> On Thu, 2022-06-30 at 13:24 -0400, Chuck Lever wrote: >>>> Looks like there are still cases when "space_left - frag1bytes" >>>> can >>>> legitimately exceed PAGE_SIZE. Ensure that xdr->end always >>>> remains >>>> within the current encode buffer. >>>> >>>> Reported-by: Bruce Fields <bfields@xxxxxxxxxxxx> >>>> Reported-by: Zorro Lang <zlang@xxxxxxxxxx> >>>> Link: https://bugzilla.kernel.org/show_bug.cgi?id=216151 >>>> Fixes: 6c254bf3b637 ("SUNRPC: Fix the calculation of xdr->end in >>>> xdr_get_next_encode_buffer()") >>>> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> >>>> --- >>>> net/sunrpc/xdr.c | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> Hi- >>>> >>>> I had a few minutes yesterday afternoon to look into this one. >>>> The >>>> following one-liner seems to address the issue and passes my >>>> smoke >>>> tests with NFSv4.1/TCP and NFSv3/RDMA. Any thoughts? >>>> >>>> >>>> diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c >>>> index f87a2d8f23a7..916659be2774 100644 >>>> --- a/net/sunrpc/xdr.c >>>> +++ b/net/sunrpc/xdr.c >>>> @@ -987,7 +987,7 @@ static noinline __be32 >>>> *xdr_get_next_encode_buffer(struct xdr_stream *xdr, >>>> if (space_left - nbytes >= PAGE_SIZE) >>>> xdr->end = p + PAGE_SIZE; >>>> else >>>> - xdr->end = p + space_left - frag1bytes; >>>> + xdr->end = p + min_t(int, space_left - >>>> frag1bytes, >>>> PAGE_SIZE); >>> >>> Since we know that frag1bytes <= nbytes (that is determined in >>> xdr_reserve_space()), isn't this effectively the same thing as >>> changing >>> the condition to >>> >>> if (space_left - frag1bytes >= PAGE_SIZE) >>> xdr->end = p + PAGE_SIZE; >>> else >>> xdr->end = p + space_left - frag1bytes; >> >> I added some printk's without this patch, and I'm seeing space_left >> larger than PAGE_SIZE and frag1bytes set to 0 in that branch right >> before the crash. So the min_t() will choose the PAGE_SIZE option >> sometimes. >> > > Sure. My point is that it makes the test for space_left - nbytes > redundant (and confusing). I didn't immediately see how to collapse the checks together, as I had tried something like that while working on 6c254bf3b637. But I will try out your suggestion. If it tests OK, I will post a v2 of this patch. -- Chuck Lever
