From: Chuck Lever <chuck.lever@oracle.com>
To: linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH RFC 1/6] NFSD: Fix NFSv4 SETATTR's handling of large file sizes
Date: Thu, 27 Jan 2022 11:08:31 -0500 [thread overview]
Message-ID: <164329971128.5879.15718457509790221509.stgit@bazille.1015granger.net> (raw)
In-Reply-To: <164329914731.5879.7791856151631542523.stgit@bazille.1015granger.net>
iattr::ia_size is a loff_t. decode_fattr4() dumps a full u64 value
in there. If that value is larger than S64_MAX, then ia_size has
underflowed.
In this case the negative size is passed through to the VFS and
underlying filesystems. I've observed XFS behavior: it returns
EIO but still attempts to access past the end of the device.
IOW it assumes the caller has already sanity-checked the value.
Have our server return NFS4ERR_FBIG to the client when the passed-in
file size cannot be held in a loff_t variable.
> 15.1.4.4. NFS4ERR_FBIG (Error Code 27)
>
> The file is too large. The operation would have caused the file to
> grow beyond the server's limit.
It's likely that other NFSv4 operations that take a fattr4 argument
(such as OPEN) have a similar issue).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
fs/nfsd/nfs4proc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index ed1ee25647be..b8ac2b9bce74 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -972,6 +972,9 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
int err;
if (setattr->sa_iattr.ia_valid & ATTR_SIZE) {
+ if (setattr->sa_iattr.ia_size < 0)
+ return nfserr_fbig;
+
status = nfs4_preprocess_stateid_op(rqstp, cstate,
&cstate->current_fh, &setattr->sa_stateid,
WR_STATE, NULL, NULL);
next prev parent reply other threads:[~2022-01-27 16:08 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-27 16:08 [PATCH RFC 0/6] NFSD size, offset, and count sanity Chuck Lever
2022-01-27 16:08 ` Chuck Lever [this message]
2022-01-28 0:36 ` [PATCH RFC 1/6] NFSD: Fix NFSv4 SETATTR's handling of large file sizes Dave Chinner
2022-01-28 1:48 ` Chuck Lever III
2022-02-09 21:55 ` Dave Chinner
2022-01-27 16:08 ` [PATCH RFC 2/6] NFSD: Fix NFSv3 " Chuck Lever
2022-01-27 16:08 ` [PATCH RFC 3/6] NFSD: COMMIT operations must not return NFS?ERR_INVAL Chuck Lever
2022-01-27 16:08 ` [PATCH RFC 4/6] NFSD: Replace directory offset placeholder Chuck Lever
2022-01-27 16:08 ` [PATCH RFC 5/6] NFSD: Remove NFS_OFFSET_MAX Chuck Lever
2022-01-27 16:09 ` [PATCH RFC 6/6] NFSD: Clamp WRITE offsets Chuck Lever
2022-01-27 18:13 ` [PATCH RFC 0/6] NFSD size, offset, and count sanity Frank Filz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=164329971128.5879.15718457509790221509.stgit@bazille.1015granger.net \
--to=chuck.lever@oracle.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.