> On Oct 5, 2015, at 11:03 AM, Sagi Grimberg <[email protected]> wrote:
> 
> On 10/5/2015 6:03 AM, Chuck Lever wrote:
>> Now that the NFS server advertises a maximum payload size of 1MB
>> for RPC/RDMA again, it crashes in svc_process_common() when an NFS
>> client sends a 1MB NFS WRITE on an NFS/RDMA mount.
>> 
>> The server has set up a 259 element array of struct page pointers
>> in rq_pages[] for each incoming request. The last element of the
>> array is NULL.
>> 
>> When an incoming request has been completely received,
>> rdma_read_complete() attempts to set the starting page of the
>> incoming page vector:
>> 
>>   rqstp->rq_arg.pages = &rqstp->rq_pages[head->hdr_count];
>> 
>> and the page to use for the reply:
>> 
>>   rqstp->rq_respages = &rqstp->rq_arg.pages[page_no];
>> 
>> But the value of page_no has already accounted for head->hdr_count.
>> Thus rq_respages now points past the end of the incoming pages. For
>> NFS WRITE operations smaller than the maximum, this is harmless.
>> 
>> But when the NFS WRITE operation is as large as the server's max
>> payload size, rq_respages now points at the last entry in rq_pages,
>> which is NULL.
>> 
>> Fixes: cc9a903d915c ('svcrdma: Change maximum server payload . . .')
>> BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=270
>> Signed-off-by: Chuck Lever <[email protected]>
>> ---
> 
> Looks correct,
> 
> Reviewed-by: Sagi Grimberg <[email protected]>

Excellent, thank you!

--
Chuck Lever
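
The double offset described in the commit message, modelled in user space as an added example (not code from the patch or the kernel). The 259-slot array with a NULL last entry comes from the message; the 4 KiB page size, hdr_count = 1, the meaning given to page_no, and all helper names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define RQ_PAGES 259   /* from the commit message: 259 slots, last one NULL */
#define PAGE_SZ  4096  /* assumption: 4 KiB pages */

struct page { int id; };                 /* stand-in, not the kernel type */
static struct page backing[RQ_PAGES - 1];
static struct page *rq_pages[RQ_PAGES];  /* models rqstp->rq_pages[] */

static void model_init(void)
{
    for (size_t i = 0; i < RQ_PAGES - 1; i++)
        rq_pages[i] = &backing[i];
    rq_pages[RQ_PAGES - 1] = NULL;
}

/* Assumed meaning of page_no: header pages plus payload pages consumed. */
static size_t page_no_for(size_t hdr_count, size_t payload)
{
    return hdr_count + (payload + PAGE_SZ - 1) / PAGE_SZ;
}

/* Slot in rq_pages[] that rq_respages ends up addressing, or -1 if it
 * would fall outside the array. double_count=1 models indexing from
 * rq_arg.pages (already offset by hdr_count); 0 indexes from rq_pages. */
static long respages_slot(size_t hdr_count, size_t payload, int double_count)
{
    size_t slot = page_no_for(hdr_count, payload) + (double_count ? hdr_count : 0);
    return slot < RQ_PAGES ? (long)slot : -1;
}

static int slot_is_null(long slot)
{
    model_init();
    return slot < 0 || rq_pages[slot] == NULL;
}

int main(void)
{
    size_t sizes[] = { 4096, 512 * 1024, 1024 * 1024 };
    for (size_t i = 0; i < 3; i++) {
        long bad = respages_slot(1, sizes[i], 1), ok = respages_slot(1, sizes[i], 0);
        printf("%7zu bytes: double-offset slot %ld%s, single-offset slot %ld%s\n",
               sizes[i], bad, slot_is_null(bad) ? " (NULL)" : "",
               ok, slot_is_null(ok) ? " (NULL)" : "");
    }
    return 0;
}
```

Under these assumptions only the 1MB request lands on the NULL slot, which matches the message's point that smaller writes hide the off-by-hdr_count error.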