[PATCH] counting bug in svc_tcp_recvfrom causes panic for TCP NFS

From: Ted Phelps (phelps@dstc.edu.au)
Date: Wed Jan 15 2003 - 17:54:32 EST


When svc_tcp_recvfrom() builds up its iovec to receive a packet, it
invokes page_address() with an argument which refers to
rqstp->rq_argused++. For some memory layouts (eg not HIMEM and
not WANT_PAGE_VIRTUAL), page_address() is a macro which evalutes its
argument three times. This results in a kernel panic when an TCP NFS
client sends a packet longer than about 1/3 of the maximum size.

The patch below causes the increment to be performed outside of the
call to page_address(), which avoids the kernel panic. Perhaps a
better solution would be to change page_address() to be consistently
be a function for all memory layouts.

Thanks,
-Ted

--- ./linux-2.5.58-ORIG/net/sunrpc/svcsock.c 2003-01-13 22:30:06.000000000 +0000
+++ ./linux-2.5.58/net/sunrpc/svcsock.c 2003-01-15 22:42:03.000000000 +0000
@@ -924,8 +924,9 @@
         vlen = PAGE_SIZE;
         pnum = 1;
         while (vlen < len) {
- vec[pnum].iov_base = page_address(rqstp->rq_argpages[rqstp->rq_argused++]);
+ vec[pnum].iov_base = page_address(rqstp->rq_argpages[rqstp->rq_argused]);
                 vec[pnum].iov_len = PAGE_SIZE;
+ rqstp->rq_argused++;
                 pnum++;
                 vlen += PAGE_SIZE;
         }
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Jan 15 2003 - 22:00:56 EST