SUNRPC: Return an error from xdr_buf_to_bvec() on overflow

xdr_buf_to_bvec() returns a slot count even when the caller's bvec
budget is exhausted partway through the xdr_buf. Callers feed that
count into iov_iter_bvec() and continue as if the conversion had
succeeded, silently sending or writing fewer bytes than the data
length declares. For an NFS WRITE the server reports the truncated
transfer to the client as full success.

The overflow represents an internal invariant violation: a higher
layer reserved a bvec budget too small for the xdr_buf it then
asked the encoder to convert. That is a server-side fault, not a
media I/O failure and not a malformed client argument.

Change xdr_buf_to_bvec() to return a signed int and have the
overflow label return -ESERVERFAULT. Update the three callers to
detect the negative return and fail the request: nfsd_vfs_write()
folds the error into host_err, which nfserrno() translates to
nfserr_serverfault for the WRITE reply; svc_udp_sendto() and
svc_tcp_sendmsg() propagate the error out of the send path.

Reported-by: Chris Mason <clm@meta.com>
Fixes: 2eb2b9358181 ("SUNRPC: Convert svc_tcp_sendmsg to use bio_vecs directly")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index ba97e287c0072ec33f0f9c9640f63261719a9374..cba4739694293c527977b91c45c73964171a6c56 100644 (file)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1440,7 +1440,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp,
        unsigned long           exp_op_flags = 0;
        unsigned int            pflags = current->flags;
        bool                    restore_flags = false;
-       unsigned int            nvecs;
+       int                     nvecs;
 
        trace_nfsd_write_opened(rqstp, fhp, offset, *cnt);
 
@@ -1480,6 +1480,10 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp,
        }
 
        nvecs = xdr_buf_to_bvec(rqstp->rq_bvec, rqstp->rq_maxpages, payload);
+       if (nvecs < 0) {
+               host_err = nvecs;
+               goto out_nfserr;
+       }
 
        since = READ_ONCE(file->f_wb_err);
        if (verf)

diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index 31971b01d962a70b3789e5223a2455ae55ad1531..b102b4f21e6b79dc1279c0b8d44c6950b3d11d38 100644 (file)
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -138,8 +138,8 @@ void        xdr_terminate_string(const struct xdr_buf *, const u32);
 size_t xdr_buf_pagecount(const struct xdr_buf *buf);
 int    xdr_alloc_bvec(struct xdr_buf *buf, gfp_t gfp);
 void   xdr_free_bvec(struct xdr_buf *buf);
-unsigned int xdr_buf_to_bvec(struct bio_vec *bvec, unsigned int bvec_size,
-                            const struct xdr_buf *xdr);
+int xdr_buf_to_bvec(struct bio_vec *bvec, unsigned int bvec_size,
+                   const struct xdr_buf *xdr);
 int xdr_buf_to_sg(const struct xdr_buf *buf, unsigned int offset,
                  unsigned int len, struct scatterlist *sg, unsigned int nsg);
 int xdr_buf_to_sg_alloc(const struct xdr_buf *buf, unsigned int offset,

diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 7be3de1a1aed91cefd2ae426ea86c96a1ba9388d..c434b6a6637d9b9dcb7febf7d951ad101358ee97 100644 (file)
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -732,7 +732,7 @@ static int svc_udp_sendto(struct svc_rqst *rqstp)
                .msg_flags      = MSG_SPLICE_PAGES,
                .msg_controllen = sizeof(buffer),
        };
-       unsigned int count;
+       int count;
        int err;
 
        svc_udp_release_ctxt(xprt, rqstp->rq_xprt_ctxt);
@@ -746,6 +746,10 @@ static int svc_udp_sendto(struct svc_rqst *rqstp)
                goto out_notconn;
 
        count = xdr_buf_to_bvec(svsk->sk_bvec, SUNRPC_MAX_UDP_SENDPAGES, xdr);
+       if (count < 0) {
+               err = count;
+               goto out_trace;
+       }
 
        iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, svsk->sk_bvec,
                      count, rqstp->rq_res.len);
@@ -757,6 +761,7 @@ static int svc_udp_sendto(struct svc_rqst *rqstp)
                err = sock_sendmsg(svsk->sk_sock, &msg);
        }
 
+out_trace:
        trace_svcsock_udp_send(xprt, err);
 
        mutex_unlock(&xprt->xpt_mutex);
@@ -1237,7 +1242,7 @@ static int svc_tcp_sendmsg(struct svc_sock *svsk, struct svc_rqst *rqstp,
        struct msghdr msg = {
                .msg_flags      = MSG_SPLICE_PAGES,
        };
-       unsigned int count;
+       int count;
        void *buf;
        int ret;
 
@@ -1253,10 +1258,15 @@ static int svc_tcp_sendmsg(struct svc_sock *svsk, struct svc_rqst *rqstp,
 
        count = xdr_buf_to_bvec(svsk->sk_bvec + 1, rqstp->rq_maxpages,
                                &rqstp->rq_res);
+       if (count < 0) {
+               ret = count;
+               goto out;
+       }
 
        iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, svsk->sk_bvec,
                      1 + count, sizeof(marker) + rqstp->rq_res.len);
        ret = sock_sendmsg(svsk->sk_sock, &msg);
+out:
        page_frag_free(buf);
        return ret;
 }

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 8f52782d8a3727e6106f384cbfb0c7d5a68b0594..fa6a30b5f0463f67245850dbfaca608dccd30716 100644 (file)
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -139,13 +139,14 @@ xdr_free_bvec(struct xdr_buf *buf)
 /**
  * xdr_buf_to_bvec - Copy components of an xdr_buf into a bio_vec array
  * @bvec: bio_vec array to populate
- * @bvec_size: element count of @bio_vec
+ * @bvec_size: element count of @bvec
  * @xdr: xdr_buf to be copied
  *
- * Returns the number of entries consumed in @bvec.
+ * Returns the number of entries consumed in @bvec on success, or
+ * -ESERVERFAULT when @xdr does not fit within @bvec_size entries.
  */
-unsigned int xdr_buf_to_bvec(struct bio_vec *bvec, unsigned int bvec_size,
-                            const struct xdr_buf *xdr)
+int xdr_buf_to_bvec(struct bio_vec *bvec, unsigned int bvec_size,
+                   const struct xdr_buf *xdr)
 {
        const struct kvec *head = xdr->head;
        const struct kvec *tail = xdr->tail;
@@ -187,7 +188,7 @@ unsigned int xdr_buf_to_bvec(struct bio_vec *bvec, unsigned int bvec_size,
 
 bvec_overflow:
        pr_warn_once("%s: bio_vec array overflow\n", __func__);
-       return count;
+       return -ESERVERFAULT;
 }
 EXPORT_SYMBOL_GPL(xdr_buf_to_bvec);