Patch "NFSD: Fix the behavior of READ near OFFSET_MAX" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 26 Oct 2022 21:55:55 -0400

This is a note to let you know that I've just added the patch titled

    NFSD: Fix the behavior of READ near OFFSET_MAX

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsd-fix-the-behavior-of-read-near-offset_max.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3d69c488be74d18b9be2d42a67f4f2326a499362
Author: Chuck Lever <chuck.lever@xxxxxxxxxx>
Date:   Fri Feb 4 15:19:34 2022 -0500

    NFSD: Fix the behavior of READ near OFFSET_MAX
    
    [ Upstream commit 0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 ]
    
    Dan Aloni reports:
    > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to
    > the RPC read layers") on the client, a read of 0xfff is aligned up
    > to server rsize of 0x1000.
    >
    > As a result, in a test where the server has a file of size
    > 0x7fffffffffffffff, and the client tries to read from the offset
    > 0x7ffffffffffff000, the read causes loff_t overflow in the server
    > and it returns an NFS code of EINVAL to the client. The client as
    > a result indefinitely retries the request.
    
    The Linux NFS client does not handle NFS?ERR_INVAL, even though all
    NFS specifications permit servers to return that status code for a
    READ.
    
    Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed
    and return a short result. Set the EOF flag in the result to prevent
    the client from retrying the READ request. This behavior appears to
    be consistent with Solaris NFS servers.
    
    Note that NFSv3 and NFSv4 use u64 offset values on the wire. These
    must be converted to loff_t internally before use -- an implicit
    type cast is not adequate for this purpose. Otherwise VFS checks
    against sb->s_maxbytes do not work properly.
    
    Reported-by: Dan Aloni <dan.aloni@xxxxxxxxxxxx>
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
    Stable-dep-of: fa6be9cc6e80 ("NFSD: Protect against send buffer overflow in NFSv3 READ")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
index 104e7d705ea8..60faa5b8eccf 100644
--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -148,13 +148,17 @@ nfsd3_proc_read(struct svc_rqst *rqstp)
 	unsigned int len;
 	int v;
 
-	argp->count = min_t(u32, argp->count, max_blocksize);
-
 	dprintk("nfsd: READ(3) %s %lu bytes at %Lu\n",
 				SVCFH_fmt(&argp->fh),
 				(unsigned long) argp->count,
 				(unsigned long long) argp->offset);
 
+	argp->count = min_t(u32, argp->count, max_blocksize);
+	if (argp->offset > (u64)OFFSET_MAX)
+		argp->offset = (u64)OFFSET_MAX;
+	if (argp->offset + argp->count > (u64)OFFSET_MAX)
+		argp->count = (u64)OFFSET_MAX - argp->offset;
+
 	v = 0;
 	len = argp->count;
 	while (len > 0) {
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 5054dc66cbf9..363df0a795bc 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -772,12 +772,16 @@ nfsd4_read(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 	__be32 status;
 
 	read->rd_nf = NULL;
-	if (read->rd_offset >= OFFSET_MAX)
-		return nfserr_inval;
 
 	trace_nfsd_read_start(rqstp, &cstate->current_fh,
 			      read->rd_offset, read->rd_length);
 
+	read->rd_length = min_t(u32, read->rd_length, svc_max_payload(rqstp));
+	if (read->rd_offset > (u64)OFFSET_MAX)
+		read->rd_offset = (u64)OFFSET_MAX;
+	if (read->rd_offset + read->rd_length > (u64)OFFSET_MAX)
+		read->rd_length = (u64)OFFSET_MAX - read->rd_offset;
+
 	/*
 	 * If we do a zero copy read, then a client will see read data
 	 * that reflects the state of the file *after* performing the
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index d0af93a0558f..930bed3e40a4 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3754,10 +3754,8 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr,
 	}
 	xdr_commit_encode(xdr);
 
-	maxcount = svc_max_payload(resp->rqstp);
-	maxcount = min_t(unsigned long, maxcount,
+	maxcount = min_t(unsigned long, read->rd_length,
 			 (xdr->buf->buflen - xdr->buf->len));
-	maxcount = min_t(unsigned long, maxcount, read->rd_length);
 
 	if (file->f_op->splice_read &&
 	    test_bit(RQ_SPLICE_OK, &resp->rqstp->rq_flags))
@@ -4585,10 +4583,8 @@ nfsd4_encode_read_plus(struct nfsd4_compoundres *resp, __be32 nfserr,
 		return nfserr_resource;
 	xdr_commit_encode(xdr);
 
-	maxcount = svc_max_payload(resp->rqstp);
-	maxcount = min_t(unsigned long, maxcount,
+	maxcount = min_t(unsigned long, read->rd_length,
 			 (xdr->buf->buflen - xdr->buf->len));
-	maxcount = min_t(unsigned long, maxcount, read->rd_length);
 	count    = maxcount;
 
 	eof = read->rd_offset >= i_size_read(file_inode(file));






