<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/sunrpc, branch linux-2.6.26.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports</title>
<updated>2008-09-08T11:44:30+00:00</updated>
<author>
<name>Cyrill Gorcunov</name>
<email>gorcunov@gmail.com</email>
</author>
<published>2008-09-01T18:51:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=94d5272a13ad73b0960826c61f3944cf7eb7286a'/>
<id>94d5272a13ad73b0960826c61f3944cf7eb7286a</id>
<content type='text'>
commit 27df6f25ff218072e0e879a96beeb398a79cdbc8 upstream

Vegard Nossum reported
----------------------
&gt; I noticed that something weird is going on with /proc/sys/sunrpc/transports.
&gt; This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When
&gt; I "cat" this file, I get the expected output:
&gt;    $ cat /proc/sys/sunrpc/transports
&gt;    tcp 1048576
&gt;    udp 32768

&gt; But I think that it does not check the length of the buffer supplied by
&gt; userspace to read(). With my original program, I found that the stack was
&gt; being overwritten by the characters above, even when the length given to
&gt; read() was just 1.

David Wagner added (among other things) that copy_to_user could be
probably used here.

Ingo Oeser suggested to use simple_read_from_buffer() here.

The conclusion is that proc_do_xprt doesn't check for userside buffer
size indeed so fix this by using Ingo's suggestion.

Reported-by: Vegard Nossum &lt;vegard.nossum@gmail.com&gt;
Signed-off-by: Cyrill Gorcunov &lt;gorcunov@gmail.com&gt;
CC: Ingo Oeser &lt;ioe-lkml@rameria.de&gt;
Cc: Neil Brown &lt;neilb@suse.de&gt;
Cc: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Cc: Greg Banks &lt;gnb@sgi.com&gt;
Cc: Tom Tucker &lt;tom@opengridcomputing.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@citi.umich.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 27df6f25ff218072e0e879a96beeb398a79cdbc8 upstream

Vegard Nossum reported
----------------------
&gt; I noticed that something weird is going on with /proc/sys/sunrpc/transports.
&gt; This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When
&gt; I "cat" this file, I get the expected output:
&gt;    $ cat /proc/sys/sunrpc/transports
&gt;    tcp 1048576
&gt;    udp 32768

&gt; But I think that it does not check the length of the buffer supplied by
&gt; userspace to read(). With my original program, I found that the stack was
&gt; being overwritten by the characters above, even when the length given to
&gt; read() was just 1.

David Wagner added (among other things) that copy_to_user could be
probably used here.

Ingo Oeser suggested to use simple_read_from_buffer() here.

The conclusion is that proc_do_xprt doesn't check for userside buffer
size indeed so fix this by using Ingo's suggestion.

Reported-by: Vegard Nossum &lt;vegard.nossum@gmail.com&gt;
Signed-off-by: Cyrill Gorcunov &lt;gorcunov@gmail.com&gt;
CC: Ingo Oeser &lt;ioe-lkml@rameria.de&gt;
Cc: Neil Brown &lt;neilb@suse.de&gt;
Cc: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Cc: Greg Banks &lt;gnb@sgi.com&gt;
Cc: Tom Tucker &lt;tom@opengridcomputing.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@citi.umich.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: Fix an rpcbind breakage for the case of IPv6 lookups</title>
<updated>2008-07-08T19:23:10+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>Trond.Myklebust@netapp.com</email>
</author>
<published>2008-07-01T19:20:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=803a9067e19714ea7b7da760fe92f0d53bfa6994'/>
<id>803a9067e19714ea7b7da760fe92f0d53bfa6994</id>
<content type='text'>
Now that rpcb_next_version has been split into an IPv4 version and an IPv6
version, we Oops when rpcb_call_async attempts to look up the IPv6-specific
RPC procedure in rpcb_next_version.

Fix the Oops simply by having rpcb_getport_async pass the correct RPC
procedure as an argument.

Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Now that rpcb_next_version has been split into an IPv4 version and an IPv6
version, we Oops when rpcb_call_async attempts to look up the IPv6-specific
RPC procedure in rpcb_next_version.

Fix the Oops simply by having rpcb_getport_async pass the correct RPC
procedure as an argument.

Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: Fix a double-free in rpcbind</title>
<updated>2008-07-08T19:23:00+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>Trond.Myklebust@netapp.com</email>
</author>
<published>2008-07-07T16:18:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0d3a34b48c87a374b37d7a21a60d257d076484f3'/>
<id>0d3a34b48c87a374b37d7a21a60d257d076484f3</id>
<content type='text'>
It is wrong to be freeing up the rpcbind arguments if the call to
rpcb_call_async() fails, since they should already have been freed up by
rpcb_map_release().

Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It is wrong to be freeing up the rpcbind arguments if the call to
rpcb_call_async() fails, since they should already have been freed up by
rpcb_map_release().

Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>svcrpc: fix handling of garbage args</title>
<updated>2008-07-03T19:46:56+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@citi.umich.edu</email>
</author>
<published>2008-07-03T19:26:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b620754bfeb8b0e0c6622b03d5ee2f1af1d3082f'/>
<id>b620754bfeb8b0e0c6622b03d5ee2f1af1d3082f</id>
<content type='text'>
To return garbage_args, the accept_stat must be 0, and we must have a
verifier.  So we shouldn't be resetting the write pointer as we reject
the call.

Also, we must add the two placeholder words here regardless of success
of the unwrap, to ensure the output buffer is left in a consistent state
for svcauth_gss_release().

This fixes a BUG() in svcauth_gss.c:svcauth_gss_release().

Thanks to Aime Le Rouzic for bug report, debugging help, and testing.

Signed-off-by: J. Bruce Fields &lt;bfields@citi.umich.edu&gt;
Tested-by: Aime Le Rouzic &lt;aime.le-rouzic@bull.net&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To return garbage_args, the accept_stat must be 0, and we must have a
verifier.  So we shouldn't be resetting the write pointer as we reject
the call.

Also, we must add the two placeholder words here regardless of success
of the unwrap, to ensure the output buffer is left in a consistent state
for svcauth_gss_release().

This fixes a BUG() in svcauth_gss.c:svcauth_gss_release().

Thanks to Aime Le Rouzic for bug report, debugging help, and testing.

Signed-off-by: J. Bruce Fields &lt;bfields@citi.umich.edu&gt;
Tested-by: Aime Le Rouzic &lt;aime.le-rouzic@bull.net&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'for-2.6.26' of git://linux-nfs.org/~bfields/linux</title>
<updated>2008-05-21T02:30:54+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2008-05-21T02:30:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d40ace0c7b4a329f7d869d0fbf27435543bb2acc'/>
<id>d40ace0c7b4a329f7d869d0fbf27435543bb2acc</id>
<content type='text'>
* 'for-2.6.26' of git://linux-nfs.org/~bfields/linux: (25 commits)
  svcrdma: Verify read-list fits within RPCSVC_MAXPAGES
  svcrdma: Change svc_rdma_send_error return type to void
  svcrdma: Copy transport address and arm CQ before calling rdma_accept
  svcrdma: Set rqstp transport address in rdma_read_complete function
  svcrdma: Use ib verbs version of dma_unmap
  svcrdma: Cleanup queued, but unprocessed I/O in svc_rdma_free
  svcrdma: Move the QP and cm_id destruction to svc_rdma_free
  svcrdma: Add reference for each SQ/RQ WR
  svcrdma: Move destroy to kernel thread
  svcrdma: Shrink scope of spinlock on RQ CQ
  svcrdma: Use standard Linux lists for context cache
  svcrdma: Simplify RDMA_READ deferral buffer management
  svcrdma: Remove unused READ_DONE context flags bit
  svcrdma: Return error from rdma_read_xdr so caller knows to free context
  svcrdma: Fix error handling during listening endpoint creation
  svcrdma: Free context on post_recv error in send_reply
  svcrdma: Free context on ib_post_recv error
  svcrdma: Add put of connection ESTABLISHED reference in rdma_cma_handler
  svcrdma: Fix return value in svc_rdma_send
  svcrdma: Fix race with dto_tasklet in svc_rdma_send
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* 'for-2.6.26' of git://linux-nfs.org/~bfields/linux: (25 commits)
  svcrdma: Verify read-list fits within RPCSVC_MAXPAGES
  svcrdma: Change svc_rdma_send_error return type to void
  svcrdma: Copy transport address and arm CQ before calling rdma_accept
  svcrdma: Set rqstp transport address in rdma_read_complete function
  svcrdma: Use ib verbs version of dma_unmap
  svcrdma: Cleanup queued, but unprocessed I/O in svc_rdma_free
  svcrdma: Move the QP and cm_id destruction to svc_rdma_free
  svcrdma: Add reference for each SQ/RQ WR
  svcrdma: Move destroy to kernel thread
  svcrdma: Shrink scope of spinlock on RQ CQ
  svcrdma: Use standard Linux lists for context cache
  svcrdma: Simplify RDMA_READ deferral buffer management
  svcrdma: Remove unused READ_DONE context flags bit
  svcrdma: Return error from rdma_read_xdr so caller knows to free context
  svcrdma: Fix error handling during listening endpoint creation
  svcrdma: Free context on post_recv error in send_reply
  svcrdma: Free context on ib_post_recv error
  svcrdma: Add put of connection ESTABLISHED reference in rdma_cma_handler
  svcrdma: Fix return value in svc_rdma_send
  svcrdma: Fix race with dto_tasklet in svc_rdma_send
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'from-tomtucker' into for-2.6.26</title>
<updated>2008-05-20T23:57:38+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@citi.umich.edu</email>
</author>
<published>2008-05-20T23:57:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=68432a03f8ff93a9eecee95cc8f02e7fe2025cc9'/>
<id>68432a03f8ff93a9eecee95cc8f02e7fe2025cc9</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>svcrdma: Verify read-list fits within RPCSVC_MAXPAGES</title>
<updated>2008-05-19T12:34:02+00:00</updated>
<author>
<name>Tom Tucker</name>
<email>tom@opengridcomputing.com</email>
</author>
<published>2008-05-13T14:16:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a6f911c04e20b98feb4b33d3aba2976851977d6a'/>
<id>a6f911c04e20b98feb4b33d3aba2976851977d6a</id>
<content type='text'>
A RDMA read-list cannot contain more elements than RPCSVC_MAXPAGES or
it will overflow the DTO context. Verify this when processing the
protocol header.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A RDMA read-list cannot contain more elements than RPCSVC_MAXPAGES or
it will overflow the DTO context. Verify this when processing the
protocol header.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>svcrdma: Change svc_rdma_send_error return type to void</title>
<updated>2008-05-19T12:34:01+00:00</updated>
<author>
<name>Tom Tucker</name>
<email>tom@opengridcomputing.com</email>
</author>
<published>2008-05-07T20:47:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=008fdbc57164b0ac237ad6ee2766944f02ac9c28'/>
<id>008fdbc57164b0ac237ad6ee2766944f02ac9c28</id>
<content type='text'>
The svc_rdma_send_error function is called when an RPCRDMA protocol
error is detected. This function attempts to post an error reply message.
Since an error posting to a transport in error is ignored, change
the return type to void.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The svc_rdma_send_error function is called when an RPCRDMA protocol
error is detected. This function attempts to post an error reply message.
Since an error posting to a transport in error is ignored, change
the return type to void.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>svcrdma: Copy transport address and arm CQ before calling rdma_accept</title>
<updated>2008-05-19T12:34:00+00:00</updated>
<author>
<name>Tom Tucker</name>
<email>tom@opengridcomputing.com</email>
</author>
<published>2008-05-07T18:52:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=af261af4db14230fb35bcdc0ba9ef78ed6cf7bc1'/>
<id>af261af4db14230fb35bcdc0ba9ef78ed6cf7bc1</id>
<content type='text'>
This race was found by inspection. Messages can be received from the peer
immediately following the rdma_accept call, however, the CQ have not yet
been armed and the transport address has not yet been set.

Set the transport address in the connect request handler and arm the CQ
prior to calling rdma_accept.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This race was found by inspection. Messages can be received from the peer
immediately following the rdma_accept call, however, the CQ have not yet
been armed and the transport address has not yet been set.

Set the transport address in the connect request handler and arm the CQ
prior to calling rdma_accept.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>svcrdma: Set rqstp transport address in rdma_read_complete function</title>
<updated>2008-05-19T12:33:59+00:00</updated>
<author>
<name>Tom Tucker</name>
<email>tom@opengridcomputing.com</email>
</author>
<published>2008-05-07T18:49:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=69500c43b45f7155b72dcadad31cd55cda789c93'/>
<id>69500c43b45f7155b72dcadad31cd55cda789c93</id>
<content type='text'>
The rdma_read_complete function needs to copy the rqstp transport address
from the transport. Failure to do so can result in using the wrong
authentication method for the RPC or bug checking if the rqstp address
is not valid.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The rdma_read_complete function needs to copy the rqstp transport address
from the transport. Failure to do so can result in using the wrong
authentication method for the RPC or bug checking if the rqstp address
is not valid.

Signed-off-by: Tom Tucker &lt;tom@opengridcomputing.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
