public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-04 08:17:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/sunrpc
History
Chuck Lever 9b1dcbc8cf xprtrdma: Store RDMA credits in unsigned variables 
Dan Carpenter's static checker pointed out:

   net/sunrpc/xprtrdma/rpc_rdma.c:879 rpcrdma_reply_handler()
   warn: can 'credits' be negative?

"credits" is defined as an int. The credits value comes from the
server as a 32-bit unsigned integer.

A malicious or broken server can plant a large unsigned integer in
that field which would result in an underflow in the following
logic, potentially triggering a deadlock of the mount point by
blocking the client from issuing more RPC requests.

net/sunrpc/xprtrdma/rpc_rdma.c:

  876          credits = be32_to_cpu(headerp->rm_credit);
  877          if (credits == 0)
  878                  credits = 1;    /* don't deadlock */
  879          else if (credits > r_xprt->rx_buf.rb_max_requests)
  880                  credits = r_xprt->rx_buf.rb_max_requests;
  881
  882          cwnd = xprt->cwnd;
  883          xprt->cwnd = credits << RPC_CWNDSHIFT;
  884          if (xprt->cwnd > cwnd)
  885                  xprt_release_rqst_cong(rqst->rq_task);

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: eba8ff660b ("xprtrdma: Move credit update to RPC . . .")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2015-02-23 16:54:04 -05:00
..
auth_gss sunrpc: move rq_splice_ok flag into rq_flags 2014-12-09 11:22:21 -05:00
xprtrdma xprtrdma: Store RDMA credits in unsigned variables 2015-02-23 16:54:04 -05:00
addr.c replace strict_strto calls 2014-07-12 18:45:49 -04:00
auth.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
auth_generic.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
auth_null.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
auth_unix.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
backchannel_rqst.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
bc_svc.c
cache.c sunrpc/cache: convert to use string_escape_str() 2014-12-09 11:30:20 -05:00
clnt.c sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
debugfs.c sunrpc: add a debugfs rpc_xprt directory with an info file in it 2014-11-27 13:14:52 -05:00
Kconfig sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
Makefile sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
netns.h Merge branch 'for-3.14' of git://linux-nfs.org/~bfields/linux 2014-01-30 10:18:43 -08:00
rpc_pipe.c rpc_pipe: Drop memory allocation cast 2014-07-12 18:43:44 -04:00
rpcb_clnt.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
sched.c sunrpc: eliminate RPC_TRACEPOINTS 2014-11-24 17:33:12 -05:00
socklib.c net: Save software checksum complete 2014-06-11 15:46:13 -07:00
stats.c SUNRPC: serialize iostats updates 2014-11-25 16:22:15 -05:00
sunrpc.h SUNRPC: track whether a request is coming from a loop-back interface. 2014-05-22 15:59:18 -04:00
sunrpc_syms.c sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
svc.c sunrpc: convert to lockless lookup of queued server threads 2014-12-09 11:22:22 -05:00
svc_xprt.c sunrpc: only call test_bit once in svc_xprt_received 2014-12-09 11:29:14 -05:00
svcauth.c nfsd4: better reservation of head space for krb5 2014-05-30 17:32:17 -04:00
svcauth_unix.c
svcsock.c sunrpc: move rq_local field to rq_flags 2014-12-09 11:21:21 -05:00
sysctl.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
timer.c
xdr.c rpc: fix xdr_truncate_encode to handle buffer ending on page boundary 2015-01-07 14:03:58 -05:00
xprt.c sunrpc: add a debugfs rpc_xprt directory with an info file in it 2014-11-27 13:14:52 -05:00
xprtsock.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00