From patchwork Mon Jan 13 08:53:02 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Po-Hsu Lin <po-hsu.lin@canonical.com>
X-Patchwork-Id: 1222018
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=none (no SPF record)
	smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19;
	helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 47x6nH3xJ6z9s29;
	Mon, 13 Jan 2020 19:53:21 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1iqvTG-00067H-Dm; Mon, 13 Jan 2020 08:53:14 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <po-hsu.lin@canonical.com>) id 1iqvTE-00066o-Hi
	for kernel-team@lists.ubuntu.com; Mon, 13 Jan 2020 08:53:12 +0000
Received: from mail-pg1-f199.google.com ([209.85.215.199])
	by youngberry.canonical.com with esmtps
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <po-hsu.lin@canonical.com>) id 1iqvTE-0007d1-5n
	for kernel-team@lists.ubuntu.com; Mon, 13 Jan 2020 08:53:12 +0000
Received: by mail-pg1-f199.google.com with SMTP id a4so6053444pgq.23
	for <kernel-team@lists.ubuntu.com>;
	Mon, 13 Jan 2020 00:53:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=6R5YgGMw6GQE0tUgEbNOg3fn4Ch9nCXvWczxr2+IgeU=;
	b=ueBYJh+udmpnq/clSv67njTppKjty9Nb5EldGAZXCJi1XkKkGj+dCqc0KoLYgmmyGE
	UBXr/72u8wbmwiAlgnPcC8Trui+zwaFOhmsndOpNv8mKdlTYwjhgs5+aNPhni21ikKzI
	HTPSqM0a82itWu9469gBrzFm0Ay4KY9o6PsuLLy+ArTvThhCi0OpeUYr8fKlZyeGM5zG
	Oz+E4YnHeXBMub3BRwlK4bONAfoQbnljXVTBg7ggyTwyrHm+c2rvc/8z5uVUwNMFzYqa
	vkattNa4oBAxYiTotkzQrGPDMPIlGnpNbLvbHLycCjCqxashS0fhI5i0YeQanQkSRjX7
	Yv7g==
X-Gm-Message-State: APjAAAXxU36tiVxX1Q80ZTU3ftzheo2Ky2gBG9Zgnku/z1RnIEUDIu/1
	JS2F5MHi6rXBSASmadUA9V0O8N/BKMeP4qPenu9t9XTxWETByDJFbMLVWghoWIISiAhsSxcKL3i
	FPDtx4bE0/cNXgvv3fhwAuxn/7cVFs3H/gvyIyP4D
X-Received: by 2002:a62:3603:: with SMTP id d3mr17733290pfa.37.1578905590615;
	Mon, 13 Jan 2020 00:53:10 -0800 (PST)
X-Google-Smtp-Source: 
 APXvYqw6oKTTLbUQoBdUqufxoG+abnXnsvKdkpQ27QT8OAKj3EPwsK5cGLSVRbX9NmxSTSae0mvN+A==
X-Received: by 2002:a62:3603:: with SMTP id d3mr17733282pfa.37.1578905590447;
	Mon, 13 Jan 2020 00:53:10 -0800 (PST)
Received: from Leggiero.taipei.internal (61-220-137-37.HINET-IP.hinet.net.
	[61.220.137.37]) by smtp.gmail.com with ESMTPSA id
	65sm13368565pfu.140.2020.01.13.00.53.09
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
	Mon, 13 Jan 2020 00:53:09 -0800 (PST)
From: Po-Hsu Lin <po-hsu.lin@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [Disco][SRU][PATCH 1/1] SUNRPC: Fix another issue with MIC buffer
	space
Date: Mon, 13 Jan 2020 16:53:02 +0800
Message-Id: <20200113085302.23180-2-po-hsu.lin@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200113085302.23180-1-po-hsu.lin@canonical.com>
References: <20200113085302.23180-1-po-hsu.lin@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Chuck Lever <chuck.lever@oracle.com>

BugLink: https://bugs.launchpad.net/bugs/1858832

xdr_shrink_pagelen() BUG's when @len is larger than buf->page_len.
This can happen when xdr_buf_read_mic() is given an xdr_buf with
a small page array (like, only a few bytes).

Instead, just cap the number of bytes that xdr_shrink_pagelen()
will move.

Fixes: 5f1bc39979d ("SUNRPC: Fix buffer handling of GSS MIC ... ")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
(backported from commit e8d70b321ecc9b23d09b8df63e38a2f73160c209)
[PHLin: fuzzy adjustment]
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/sunrpc/xdr.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 6ca833d..b8047f4 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -414,13 +414,12 @@ xdr_shrink_bufhead(struct xdr_buf *buf, size_t len)
 }
 
 /**
- * xdr_shrink_pagelen
+ * xdr_shrink_pagelen - shrinks buf->pages by up to @len bytes
  * @buf: xdr_buf
  * @len: bytes to remove from buf->pages
  *
- * Shrinks XDR buffer's page array buf->pages by
- * 'len' bytes. The extra data is not lost, but is instead
- * moved into the tail.
+ * The extra data is not lost, but is instead moved into buf->tail.
+ * Returns the actual number of bytes moved.
  */
 static void
 xdr_shrink_pagelen(struct xdr_buf *buf, size_t len)
@@ -431,8 +430,8 @@ xdr_shrink_pagelen(struct xdr_buf *buf, size_t len)
 	unsigned int tailbuf_len;
 
 	tail = buf->tail;
-	BUG_ON (len > pglen);
-
+	if (len > buf->page_len)
+		len = buf-> page_len;
 	tailbuf_len = buf->buflen - buf->head->iov_len - buf->page_len;
 
 	/* Shift the tail first */