From patchwork Mon Mar 3 19:56:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: zhangjian X-Patchwork-Id: 13998072 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 974C78632C for ; Mon, 3 Mar 2025 02:42:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.188 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740969747; cv=none; b=qdFf655JPmGZcLRSgop6wOtlGUKYRYvQz/d77p1xhIHJAVNhOG/7lHcrtU/iyEBn6RYWfOZp8b7qkfswV4MCMb3GcyjDR8jFECwciz6enqsRTFj8vlYOmKoWBKisRCN9aHkFl7bRiI27Iae36QvmQQ2QwoDDOAX2icrs+UI8D7o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740969747; c=relaxed/simple; bh=8oYKz/ewRr6nzZPNk/FwObgnHQ43xtf+deaFsgsQjiY=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=TdS8SdbKkrOmHK4QJFV6nQo7fJiCdwGa74OQl0+Jg6kcVH2nEL98p0MRorspzqezKkze4+bzIue5PiHNLgoBaT793WqP8XU/kikm7Z/MBzOGCTvacKzocRrWomVgI3j5+7bz5nC++nl1xj/5ks0MH46LUMwy6prohkkwwMhzPy4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=45.249.212.188 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Received: from mail.maildlp.com (unknown [172.19.88.194]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Z5jjS3ZmrzpbQt; Mon, 3 Mar 2025 10:40:44 +0800 (CST) Received: from kwepemp200004.china.huawei.com (unknown [7.202.195.99]) by mail.maildlp.com (Postfix) with ESMTPS id 91DEA14010D; Mon, 3 Mar 2025 10:42:15 +0800 (CST) Received: from huawei.com (10.175.124.27) by kwepemp200004.china.huawei.com (7.202.195.99) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 3 Mar 2025 10:42:14 +0800 From: zhangjian To: , , , , CC: Subject: [PATCH V4] nfsdcld: fix cld pipe read size Date: Tue, 4 Mar 2025 03:56:46 +0800 Message-ID: <20250303195646.2209521-1-zhangjian496@huawei.com> X-Mailer: git-send-email 2.33.0 Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To kwepemp200004.china.huawei.com (7.202.195.99) When nfsd inits failed for detecting cld version in nfsd4_client_tracking_init, kernel may assume nfsdcld support version 1 message format and try to upcall with v1 message size to nfsdcld. There exists one error case in the following process, causeing nfsd hunging for nfsdcld replay: kernel write to pipe->msgs (v1 msg length) |--------- first msg --------|-------- second message -------| nfsdcld read from pipe->msgs (v2 msg length) |------------ first msg --------------|---second message-----| | valid message | ignore | wrong message | When two nfsd kernel thread add two upcall messages to cld pipe with v1 version cld_msg (size == 1034) concurrently,but nfsdcld reads with v2 version size(size == 1067), 33 bytes of the second message will be read and merged with first message. The 33 bytes in second message will be ignored. Nfsdcld will then read 1001 bytes in second message, which cause FATAL in cld_messaged_size checking. Nfsd kernel thread will hang for it forever until nfs server restarts. Signed-off-by: zhangjian Reviewed-by: Scott Mayhew --- utils/nfsdcld/nfsdcld.c | 65 ++++++++++++++++++++++++++++------------- 1 file changed, 45 insertions(+), 20 deletions(-) diff --git a/utils/nfsdcld/nfsdcld.c b/utils/nfsdcld/nfsdcld.c index dbc7a57..f7737d9 100644 --- a/utils/nfsdcld/nfsdcld.c +++ b/utils/nfsdcld/nfsdcld.c @@ -716,35 +716,60 @@ reply: } } -static void -cldcb(int UNUSED(fd), short which, void *data) +static int +cld_pipe_read_msg(struct cld_client *clnt) { - ssize_t len; - struct cld_client *clnt = data; -#if UPCALL_VERSION >= 2 - struct cld_msg_v2 *cmsg = &clnt->cl_u.cl_msg_v2; -#else - struct cld_msg *cmsg = &clnt->cl_u.cl_msg; -#endif + ssize_t len, left_len; + ssize_t hdr_len = sizeof(struct cld_msg_hdr); + struct cld_msg_hdr *hdr = (struct cld_msg_hdr *)&clnt->cl_u; - if (which != EV_READ) - goto out; + len = atomicio(read, clnt->cl_fd, hdr, hdr_len); - len = atomicio(read, clnt->cl_fd, cmsg, sizeof(*cmsg)); if (len <= 0) { xlog(L_ERROR, "%s: pipe read failed: %m", __func__); - cld_pipe_open(clnt); - goto out; + goto fail_read; } - if (cmsg->cm_vers > UPCALL_VERSION) { + switch (hdr->cm_vers) { + case 1: + left_len = sizeof(struct cld_msg) - hdr_len; + break; + case 2: + left_len = sizeof(struct cld_msg_v2) - hdr_len; + break; + default: xlog(L_ERROR, "%s: unsupported upcall version: %hu", - __func__, cmsg->cm_vers); - cld_pipe_open(clnt); - goto out; + __func__, hdr->cm_vers); + goto fail_read; } - switch(cmsg->cm_cmd) { + len = atomicio(read, clnt->cl_fd, hdr + 1, left_len); + + if (len <= 0) { + xlog(L_ERROR, "%s: pipe read failed: %m", __func__); + goto fail_read; + } + + return 0; + +fail_read: + cld_pipe_open(clnt); + return -1; +} + +static void +cldcb(int UNUSED(fd), short which, void *data) +{ + struct cld_client *clnt = data; + struct cld_msg_hdr *hdr = (struct cld_msg_hdr *)&clnt->cl_u; + + if (which != EV_READ) + goto out; + + if (cld_pipe_read_msg(clnt) < 0) + goto out; + + switch (hdr->cm_cmd) { case Cld_Create: cld_create(clnt); break; @@ -765,7 +790,7 @@ cldcb(int UNUSED(fd), short which, void *data) break; default: xlog(L_WARNING, "%s: command %u is not yet implemented", - __func__, cmsg->cm_cmd); + __func__, hdr->cm_cmd); cld_not_implemented(clnt); } out: