Bug 185232 - [nfs] [patch] Kernel page fault in jailed() via vn_stat() when using uio_td from nfsrv_read()
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Rick Macklem
Reported: 2013-12-27 16:20 UTC by Greg Becker
Modified: 2014-05-09 01:38 UTC

Attachments
file.diff (476 bytes, patch)
2013-12-27 16:20 UTC, Greg Becker
Description Greg Becker 2013-12-27 16:20:00 UTC
I'm using a custom nullfs that calls vn_stat() from my null_read() function.  The problem is, nfsrv_read() doesn't set uio_td, so my null_read() function gets whatever was on the caller's stack.

Fix: Either don't use uio_td when being called from nfsrv_read(), or set uio_td to NULL in nfsrv_read().


Patch attached with submission follows:
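
Added example (not the patch attached to this PR and not FreeBSD code): a user-space model of the bug described above, showing how poisoning a uio before it is built exposes a member the builder never assigns. The struct layouts, STACK_POISON, build_uio_before(), build_uio_after() and td_is_garbage_after() are hypothetical stand-ins; only the field names come from this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space stand-ins; only the fields named on this page. */
struct thread { int td_unused; };
enum uio_rw { UIO_READ, UIO_WRITE };
enum uio_seg { UIO_USERSPACE, UIO_SYSSPACE };
struct uio {
	size_t		 uio_resid;
	enum uio_rw	 uio_rw;
	enum uio_seg	 uio_segflg;
	struct thread	*uio_td;
};

#define STACK_POISON 0xA5	/* constructed stand-in for stale stack bytes */

/* Pattern from the report: fields assigned one by one, uio_td never set. */
static void build_uio_before(struct uio *uiop, size_t len)
{
	uiop->uio_resid = len;
	uiop->uio_rw = UIO_READ;
	uiop->uio_segflg = UIO_SYSSPACE;
}

/* Pattern with the proposed fix: uio_td explicitly set to NULL. */
static void build_uio_after(struct uio *uiop, size_t len)
{
	build_uio_before(uiop, len);
	uiop->uio_td = NULL;
}

/* Poison the storage, run a builder, and report whether a consumer that
 * tests uio_td against NULL would go on to dereference leftover bytes. */
static int td_is_garbage_after(void (*build)(struct uio *, size_t))
{
	struct uio io;

	memset(&io, STACK_POISON, sizeof(io));
	build(&io, 4096);
	return (io.uio_td != NULL);
}

int main(void)
{
	printf("before fix: %d\n", td_is_garbage_after(build_uio_before));
	printf("after fix:  %d\n", td_is_garbage_after(build_uio_after));
	return 0;
}
```
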
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2014-04-20 22:57:05 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-fs

Over to maintainer(s).
Comment 2 Rick Macklem freebsd_committer freebsd_triage 2014-04-21 00:03:30 UTC
Responsible Changed
From-To: freebsd-fs->rmacklem


I'll take this one.
Comment 3 dfilter service freebsd_committer freebsd_triage 2014-04-24 21:48:03 UTC
Author: rmacklem
Date: Thu Apr 24 20:47:58 2014
New Revision: 264888
URL: http://svnweb.freebsd.org/changeset/base/264888

Log:
  The PR reported that the old NFS server did not set uio_td == NULL
  for the VOP_READ() call. This patch fixes both the old and new
  server for this case.
  
  PR:		185232
  Submitted by:	PR had patch for old server
  Reviewed by:	kib
  MFC after:	2 weeks

Modified:
  head/sys/fs/nfsserver/nfs_nfsdport.c
  head/sys/nfsserver/nfs_serv.c

Modified: head/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- head/sys/fs/nfsserver/nfs_nfsdport.c	Thu Apr 24 17:23:16 2014	(r264887)
+++ head/sys/fs/nfsserver/nfs_nfsdport.c	Thu Apr 24 20:47:58 2014	(r264888)
@@ -673,6 +673,7 @@ nfsvno_read(struct vnode *vp, off_t off,
 	uiop->uio_resid = len;
 	uiop->uio_rw = UIO_READ;
 	uiop->uio_segflg = UIO_SYSSPACE;
+	uiop->uio_td = NULL;
 	nh = nfsrv_sequential_heuristic(uiop, vp);
 	ioflag |= nh->nh_seqcount << IO_SEQSHIFT;
 	error = VOP_READ(vp, uiop, IO_NODELOCKED | ioflag, cred);
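Review bot: In nfsvno_read() the uio is still filled in one member at a time, with `uiop->uio_td = NULL;` appended after `uio_segflg`, so any member not listed here keeps whatever the storage held before, which is how the PR says uio_td ended up holding stack contents. Consider zeroing the whole structure ahead of these assignments so that a member overlooked or added later defaults to 0/NULL, and keep the explicit NULL for readability.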

Modified: head/sys/nfsserver/nfs_serv.c
==============================================================================
--- head/sys/nfsserver/nfs_serv.c	Thu Apr 24 17:23:16 2014	(r264887)
+++ head/sys/nfsserver/nfs_serv.c	Thu Apr 24 20:47:58 2014	(r264888)
@@ -911,6 +911,7 @@ nfsrv_read(struct nfsrv_descript *nfsd, 
 		uiop->uio_resid = len;
 		uiop->uio_rw = UIO_READ;
 		uiop->uio_segflg = UIO_SYSSPACE;
+		uiop->uio_td = NULL;
 		nh = nfsrv_sequential_heuristic(uiop, vp);
 		ioflag |= nh->nh_seqcount << IO_SEQSHIFT;
 		error = VOP_READ(vp, uiop, IO_NODELOCKED | ioflag, cred);
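Review bot: The added `uiop->uio_td = NULL;` in nfsrv_read() carries no comment saying why NULL is the intended value for this VOP_READ() call; a one-line comment noting that the file system's read routine may inspect uio_td (the case in the PR) would keep the line from being dropped in a later cleanup. Since this hunk only touches the read side, it is also worth confirming that the uio built for the write path in this file sets uio_td as well.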
Comment 4 Rick Macklem freebsd_committer freebsd_triage 2014-05-09 01:37:31 UTC
State Changed
From-To: open->closed


The patch (r264888) has been MFC'd to stable/9 and stable/10.