185232 – [nfs] [patch] Kernel page fault in jailed() via vn_stat() when using uio_td from nfsrv_read()

Bug 185232 - [nfs] [patch] Kernel page fault in jailed() via vn_stat() when using uio_td from nfsrv_read()

Summary: [nfs] [patch] Kernel page fault in jailed() via vn_stat() when using uio_td f...

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	Unspecified
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	Rick Macklem

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-12-27 16:20 UTC by Greg Becker
Modified:	2014-05-09 01:38 UTC (History)
CC List:	0 users

See Also:

Attachments
file.diff (476 bytes, patch) 2013-12-27 16:20 UTC, Greg Becker	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Greg Becker 2013-12-27 16:20:00 UTC

I'm using a custom nullfs that calls vn_stat() from my null_read() function.  The problem is, nfsrv_read() doesn't set uio_td, so my null_read() function gets whatever was on the caller's stack.

Fix: Either don't use uio_td when being called from nfssrv_read(), or set uio_td to NULL in nfssrv_read().


Patch attached with submission follows:

Comment 1 Mark Linimon freebsd_committer

2014-04-20 22:57:05 UTC

Responsible Changed
From-To: freebsd-bugs->freebsd-fs

Over to maintainer(s).

Comment 2 Rick Macklem freebsd_committer

2014-04-21 00:03:30 UTC

Responsible Changed
From-To: freebsd-fs->rmacklem


I'll take this one.

Comment 3 dfilter service freebsd_committer

2014-04-24 21:48:03 UTC

Author: rmacklem
Date: Thu Apr 24 20:47:58 2014
New Revision: 264888
URL: http://svnweb.freebsd.org/changeset/base/264888

Log:
  The PR reported that the old NFS server did not set uio_td == NULL
  for the VOP_READ() call. This patch fixes both the old and new
  server for this case.
  
  PR:		185232
  Submitted by:	PR had patch for old server
  Reviewed by:	kib
  MFC after:	2 weeks

Modified:
  head/sys/fs/nfsserver/nfs_nfsdport.c
  head/sys/nfsserver/nfs_serv.c

Modified: head/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- head/sys/fs/nfsserver/nfs_nfsdport.c	Thu Apr 24 17:23:16 2014	(r264887)
+++ head/sys/fs/nfsserver/nfs_nfsdport.c	Thu Apr 24 20:47:58 2014	(r264888)
@@ -673,6 +673,7 @@ nfsvno_read(struct vnode *vp, off_t off,
 	uiop->uio_resid = len;
 	uiop->uio_rw = UIO_READ;
 	uiop->uio_segflg = UIO_SYSSPACE;
+	uiop->uio_td = NULL;
 	nh = nfsrv_sequential_heuristic(uiop, vp);
 	ioflag |= nh->nh_seqcount << IO_SEQSHIFT;
 	error = VOP_READ(vp, uiop, IO_NODELOCKED | ioflag, cred);

Modified: head/sys/nfsserver/nfs_serv.c
==============================================================================
--- head/sys/nfsserver/nfs_serv.c	Thu Apr 24 17:23:16 2014	(r264887)
+++ head/sys/nfsserver/nfs_serv.c	Thu Apr 24 20:47:58 2014	(r264888)
@@ -911,6 +911,7 @@ nfsrv_read(struct nfsrv_descript *nfsd, 
 		uiop->uio_resid = len;
 		uiop->uio_rw = UIO_READ;
 		uiop->uio_segflg = UIO_SYSSPACE;
+		uiop->uio_td = NULL;
 		nh = nfsrv_sequential_heuristic(uiop, vp);
 		ioflag |= nh->nh_seqcount << IO_SEQSHIFT;
 		error = VOP_READ(vp, uiop, IO_NODELOCKED | ioflag, cred);
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Comment 4 Rick Macklem freebsd_committer

2014-05-09 01:37:31 UTC

State Changed
From-To: open->closed


The patch (r264888) has been MFC'd to stable/9 and stable/10.