NFS client crashes due to an index buffer overflow during Direct IO write. In some circumstances, it reaches out of the index after just one memory allocation by kmalloc, which causes a kernel panic in a random function. (slub_debug shows the Redzone is overwritten.) Upstream Issue: https://bugzilla.redhat.com/show_bug.cgi?id=1824270
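As an added illustration of what "Redzone is overwritten" means, here is a constructed user-space model of a redzone check in the spirit of slub_debug. It is not kernel code and not the NFS client's allocation or the RHEL patch; `guarded_buf`, `fill_segments_checked` and `fill_segments_unchecked` are hypothetical names. The buffer is padded with a known byte pattern on both sides, a bounded writer refuses to run past the allocated index slots, and an unchecked writer with the same loop shows how a single out-of-range index lands in the trailing redzone and is detected.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a redzone check (hypothetical, not slub_debug itself). */
#define REDZONE_BYTE 0xCC
#define REDZONE_LEN  16

typedef struct {
    size_t nelems;          /* number of index slots the caller may use */
    uint32_t *slots;        /* usable region, between the two redzones */
    unsigned char *raw;     /* whole allocation: redzone | slots | redzone */
} guarded_buf;

/* Allocate nelems slots surrounded by a leading and a trailing redzone. */
static guarded_buf *guarded_alloc(size_t nelems)
{
    size_t body = nelems * sizeof(uint32_t);
    guarded_buf *b = malloc(sizeof *b);
    if (!b)
        return NULL;
    b->raw = malloc(REDZONE_LEN + body + REDZONE_LEN);
    if (!b->raw) {
        free(b);
        return NULL;
    }
    memset(b->raw, REDZONE_BYTE, REDZONE_LEN);                      /* leading redzone */
    memset(b->raw + REDZONE_LEN, 0, body);                          /* usable slots */
    memset(b->raw + REDZONE_LEN + body, REDZONE_BYTE, REDZONE_LEN); /* trailing redzone */
    b->nelems = nelems;
    b->slots = (uint32_t *)(b->raw + REDZONE_LEN);
    return b;
}

static void guarded_free(guarded_buf *b)
{
    if (b) {
        free(b->raw);
        free(b);
    }
}

/* Return 1 if both redzones still hold the fill pattern, 0 if any byte was
 * overwritten (the "Redzone overwritten" condition a debug allocator reports). */
static int redzone_intact(const guarded_buf *b)
{
    const unsigned char *lead = b->raw;
    const unsigned char *trail = b->raw + REDZONE_LEN + b->nelems * sizeof(uint32_t);
    for (size_t i = 0; i < REDZONE_LEN; i++) {
        if (lead[i] != REDZONE_BYTE || trail[i] != REDZONE_BYTE)
            return 0;
    }
    return 1;
}

/* Bounded writer: fills one index slot per segment and refuses to run past
 * the allocation. Returns 0 on success, -1 when nsegs exceeds the slots. */
static int fill_segments_checked(guarded_buf *b, size_t nsegs)
{
    if (nsegs > b->nelems)
        return -1;
    for (size_t i = 0; i < nsegs; i++)
        b->slots[i] = (uint32_t)i;
    return 0;
}

/* Unchecked writer: the same loop without the bound, so a caller that passes
 * more segments than slots writes past the end into the trailing redzone. */
static void fill_segments_unchecked(guarded_buf *b, size_t nsegs)
{
    for (size_t i = 0; i < nsegs; i++)
        b->slots[i] = (uint32_t)i;
}

int main(void)
{
    guarded_buf *b = guarded_alloc(4);
    if (!b)
        return 1;
    printf("checked, 4 of 4: rc=%d intact=%d\n", fill_segments_checked(b, 4), redzone_intact(b));
    printf("checked, 5 of 4: rc=%d intact=%d\n", fill_segments_checked(b, 5), redzone_intact(b));
    fill_segments_unchecked(b, 5);
    printf("unchecked, 5 of 4: intact=%d\n", redzone_intact(b));
    guarded_free(b);
    return 0;
}
```

The model only detects the corruption after the fact, which is exactly why a redzone report points at the allocation that was overrun rather than at the unrelated function that later crashed; the bound check in the writer is what actually prevents it.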
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1835128]
Hi Marian,

I'm trying to track this issue for Debian, and looked up https://bugzilla.redhat.com/show_bug.cgi?id=1824270 as well. Do you have any additional information on this issue: Did it ever affect mainline/upstream, or is the issue specific to the Red Hat kernel?

Regards,
Salvatore
Hello Salvatore,

This flaw is based on the bz you mentioned, so there is no additional information apart from that as far as I know. I'm sorry I couldn't be of more help.

Best regards,
Marian
Hi Marian,

(In reply to Marian Rehak from comment #4)
> Hello Salvatore,
>
> This flaw is based on the bz you mentioned so there is no additional
> information apart from that as far as I know. I'm sorry I couldn't be of
> more help.

Okay, thanks. I was hoping there was more already known, as it mentioned an internal discussion for developing the kernel patches, which then were specifically applied to the 3.10 version. I was not able to trigger the issue for instance in 4.19.118, and with only the available information I was suspecting it might be fixed in 3.11-rc1 upstream, something related to 18aad3d552c7 ("NFSv4.1 Refactor nfs4_init_session and nfs4_init_channel_attrs") and/or 68bf05efb7fa ("nfs41: fix session fore channel negotiation"), or maybe something else entirely. This would be in line as well with the fact that a fix was only needed for RHEL7 with kernel-3.10.0-1140.el7?

Thanks for taking the time here to reply to my query.

Regards,
Salvatore
In reply to comment #3:
> Hi Marian,
>
> I'm trying to track this issue for Debian, and looked as well up
> https://bugzilla.redhat.com/show_bug.cgi?id=1824270. Do you have any
> additional information on this issue: Did it ever affect mainline/upstream
> or is the issue specific to the Red Hat kernel?
>
> Regards,
> Salvatore

Hi Salvatore,

Based on the info from engineering: "Upstream, nfs_direct_write_schedule_segment was removed in v3.16, and iovec has been transformed to iov_iter, so this is a RHEL-only patch." This is from our rhel-7 patch.

Best Regards,
Alexander
Acknowledgments: Name: Jay Shin (Red Hat)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10742