On Fri, 2023-03-17 at 13:44 +0000, Chuck Lever III wrote:
>
> > On Mar 17, 2023, at 6:56 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> >
> > There's no good way to handle this gracefully, but if rq_next_page ends
> > up pointing outside the array, we can at least crash the box before it
> > scribbles over too much else.
> >
> > Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
> > ---
> > net/sunrpc/svc.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
> > index fea7ce8fba14..864e62945647 100644
> > --- a/net/sunrpc/svc.c
> > +++ b/net/sunrpc/svc.c
> > @@ -845,6 +845,16 @@ EXPORT_SYMBOL_GPL(svc_set_num_threads);
> > */
> > void svc_rqst_replace_page(struct svc_rqst *rqstp, struct page *page)
> > {
> > + struct page **begin, **end;
> > +
> > + /*
> > + * Bounds check: make sure rq_next_page points into the rq_respages
> > + * part of the array.
> > + */
> > + begin = rqstp->rq_pages;
> > + end = &rqstp->rq_pages[RPCSVC_MAXPAGES];
> > + BUG_ON(rqstp->rq_next_page < begin || rqstp->rq_next_page > end);
>
> Linus has stated clearly that he does not want BUG_ON assertions
> if the system is not actually in danger... and this is clearly
> the result of a software bug, so a crash will occur anyway.
>
It'll crash, but only after we scribble over some memory.
Actually, it looks like the splice actor can return an error. We could
return -EIO here or something without doing anything if we hit this case
and then let that bubble back up to the read?
> Can you make this a pr_warn_once() ?
>
>
> > +
> > if (*rqstp->rq_next_page) {
> > if (!pagevec_space(&rqstp->rq_pvec))
> > __pagevec_release(&rqstp->rq_pvec);
> > --
> > 2.39.2
> >
>
> --
> Chuck Lever
>
>
--
Jeff Layton <jlayton@xxxxxxxxxx>
