From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260293] big counts in LAYOUTRETURN can cause NFS v4 nfsrv_flexlayouterr() to page-fault
Date: Mon, 13 Dec 2021 05:30:46 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: rmacklem@FreeBSD.org
X-Bugzilla-Status: Open
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260293

Rick Macklem changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |rmacklem@FreeBSD.org
             Status|New                         |Open

--- Comment #1 from Rick Macklem ---
Created attachment 230070
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=230070&action=edit
check against maxcnt when parsing a flex file error reply

This patch decrements maxcnt by the appropriate number of bytes
during parsing and checks to see if there is data remaining.
If not, it just returns from nfsrv_flexlayouterr() without
further processing.

This should fix the crashes. Maybe the reporter can
check to confirm that the patch fixes the problem for him?
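
An added illustration of the approach the comment describes, not the attached patch and not FreeBSD source: a parser that charges every read against a remaining-byte budget and stops when the budget runs out, however large the sender-supplied count is. The record layout (a 32-bit count followed by status/opnum pairs), the sample buffers and the names parse_err_records() and get_u32() are assumptions made for the example; only the name maxcnt is borrowed from the comment.

```c
#include <stdint.h>

/* Read one big-endian 32-bit word, charging it against the byte budget. */
static int get_u32(const uint8_t **p, int *maxcnt, uint32_t *out)
{
    if (*maxcnt < 4)
        return -1;              /* budget exhausted: stop, do not read */
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    *p += 4;
    *maxcnt -= 4;
    return 0;
}

/*
 * Parse "count, then count records" from buf. maxcnt is the number of
 * bytes actually received; the sender-supplied count is never trusted
 * on its own. Returns the number of records processed, or -1 if the
 * data ran out before the claimed count was reached.
 */
int parse_err_records(const uint8_t *buf, int maxcnt, uint32_t *last_status)
{
    uint32_t count, status, opnum, i;

    if (get_u32(&buf, &maxcnt, &count) != 0)
        return -1;
    for (i = 0; i < count; i++) {
        if (get_u32(&buf, &maxcnt, &status) != 0 ||
            get_u32(&buf, &maxcnt, &opnum) != 0)
            return -1;          /* claimed count exceeds remaining bytes */
        *last_status = status;
    }
    return (int)i;
}

/* Constructed input: count = 2, records (status 5, opnum 38), (status 10, opnum 25). */
const uint8_t sample_ok[] = {0,0,0,2, 0,0,0,5, 0,0,0,38, 0,0,0,10, 0,0,0,25};
/* Constructed input: count claims 0xffffffff, but only one record follows. */
const uint8_t sample_big[] = {0xff,0xff,0xff,0xff, 0,0,0,5, 0,0,0,38};
```
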