summaryrefslogtreecommitdiff
path: root/include/linux/efi-bgrt.h
diff options
context:
space:
mode:
authorChuck Lever <chuck.lever@oracle.com>2026-05-26 09:35:57 -0400
committerChuck Lever <cel@kernel.org>2026-06-30 09:13:42 -0400
commite23acfe1a00691ee183b77dc3c6a581acd197793 (patch)
tree15904adcb08ede55677e5d9307577b3225c7676b /include/linux/efi-bgrt.h
parent99ad2fc32792d9ab414581d47f4db5b4efd5213f (diff)
downloadlinux-next-e23acfe1a00691ee183b77dc3c6a581acd197793.tar.gz
linux-next-e23acfe1a00691ee183b77dc3c6a581acd197793.zip
svcrdma: Reject oversized Read segments at decode time
The RPC/RDMA Read list decoder stores wire-supplied segment lengths without validation. xdr_count_read_segments() checks 4-byte alignment for non-zero position values but does not cap the segment length. An oversized rs_length reaches svc_rdma_build_read_segment(), which derives nr_bvec from it and can drive a large dynamic bvec allocation before verifying that enough rq_pages remain. If the post-allocation page-overrun guard fires, the freshly acquired rw context is not returned, leaking the resource. Reject any segment whose length exceeds the receive context's page budget during Read list decoding, consistent with how xdr_check_write_chunk() bounds Write segment counts against rc_maxpages. Also return the rw context on the existing post-allocation overrun path in svc_rdma_build_read_segment(), keeping that defensive guard balanced. Fixes: 5ee62b4a9113 ("svcrdma: use bvec-based RDMA read/write API") Cc: stable@vger.kernel.org Acked-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'include/linux/efi-bgrt.h')
0 files changed, 0 insertions, 0 deletions