diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2026-05-26 09:35:57 -0400 |
|---|---|---|
| committer | Chuck Lever <cel@kernel.org> | 2026-06-30 09:13:42 -0400 |
| commit | e23acfe1a00691ee183b77dc3c6a581acd197793 (patch) | |
| tree | 15904adcb08ede55677e5d9307577b3225c7676b /include/linux/iomap.h | |
| parent | 99ad2fc32792d9ab414581d47f4db5b4efd5213f (diff) | |
| download | linux-next-e23acfe1a00691ee183b77dc3c6a581acd197793.tar.gz linux-next-e23acfe1a00691ee183b77dc3c6a581acd197793.zip | |
svcrdma: Reject oversized Read segments at decode time
The RPC/RDMA Read list decoder stores wire-supplied segment
lengths without validation. xdr_count_read_segments() checks
4-byte alignment for non-zero position values but does not
cap the segment length.
An oversized rs_length reaches svc_rdma_build_read_segment(),
which derives nr_bvec from it and can drive a large dynamic
bvec allocation before verifying that enough rq_pages remain.
If the post-allocation page-overrun guard fires, the freshly
acquired rw context is not returned, leaking the resource.
Reject any segment whose length exceeds the receive context's
page budget during Read list decoding, consistent with how
xdr_check_write_chunk() bounds Write segment counts against
rc_maxpages. Also return the rw context on the existing
post-allocation overrun path in svc_rdma_build_read_segment(),
keeping that defensive guard balanced.
Fixes: 5ee62b4a9113 ("svcrdma: use bvec-based RDMA read/write API")
Cc: stable@vger.kernel.org
Acked-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'include/linux/iomap.h')
0 files changed, 0 insertions, 0 deletions
