• Chuck Lever's avatar
    NFS: Fix rpcrdma_inline_fixup() crash with new LISTXATTRS operation · 5482e09a
    Chuck Lever authored
    By switching to an XFS-backed export, I am able to reproduce the
    ibcomp worker crash on my client with xfstests generic/013.
    
    For the failing LISTXATTRS operation, xdr_inline_pages() is called
    with page_len=12 and buflen=128.
    
    - When ->send_request() is called, rpcrdma_marshal_req() does not
      set up a Reply chunk because buflen is smaller than the inline
      threshold. Thus rpcrdma_convert_iovs() does not get invoked at
      all and the transport's XDRBUF_SPARSE_PAGES logic is not invoked
      on the receive buffer.
    
    - During reply processing, rpcrdma_inline_fixup() tries to copy
      received data into rq_rcv_buf->pages because page_len is positive.
      But there are no receive pages because rpcrdma_marshal_req() never
      allocated them.
    
    The result is that the ibcomp worker faults and dies. Sometimes that
    causes a visible crash, and sometimes it results in a transport hang
    without other symptoms.
    
    RPC/RDMA's XDRBUF_SPARSE_PAGES support is not entirely correct, and
    should eventually be fixed or replaced. However, my preference is
    that upper-layer operations should explicitly allocate their receive
    buffers (using GFP_KERNEL) when possible, rather than relying on
    XDRBUF_SPARSE_PAGES.
    Reported-by: default avatarOlga kornievskaia <kolga@netapp.com>
    Suggested-by: default avatarOlga kornievskaia <kolga@netapp.com>
    Fixes: c10a7514 ("NFSv4.2: add the extended attribute proc functions.")
    Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
    Reviewed-by: default avatarOlga kornievskaia <kolga@netapp.com>
    Reviewed-by: default avatarFrank van der Linden <fllinden@amazon.com>
    Tested-by: default avatarOlga kornievskaia <kolga@netapp.com>
    Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
    5482e09a
nfs42xdr.c 39.8 KB