diff options
author | Chuck Lever <chuck.lever@oracle.com> | 2023-05-18 13:45:50 -0400 |
---|---|---|
committer | Chuck Lever <chuck.lever@oracle.com> | 2023-06-11 16:37:45 -0400 |
commit | ed4a567a179ec15c15f78fa60ca6de9cc4f34897 (patch) | |
tree | 02b219b7a15e64bfdcb3c40c9e74f46f7bcf4fa8 /fs/nfsd | |
parent | ba21e20b309564c64761f4953db4456ec8c4e49c (diff) | |
download | lwn-ed4a567a179ec15c15f78fa60ca6de9cc4f34897.tar.gz lwn-ed4a567a179ec15c15f78fa60ca6de9cc4f34897.zip |
NFSD: Update rq_next_page between COMPOUND operations
A GETATTR with a large result can advance xdr->page_ptr without
updating rq_next_page. If a splice READ follows that GETATTR in the
COMPOUND, nfsd_splice_actor can start splicing at the wrong page.
I've also seen READLINK and READDIR leave rq_next_page in an
unmodified state.
There are potentially a myriad of combinations like this, so play it
safe: move the rq_next_page update to nfsd4_encode_operation.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'fs/nfsd')
-rw-r--r-- | fs/nfsd/nfs4xdr.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index b78c2391a2a1..3887da048232 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -5438,6 +5438,12 @@ status: release: if (opdesc && opdesc->op_release) opdesc->op_release(&op->u); + + /* + * Account for pages consumed while encoding this operation. + * The xdr_stream primitives don't manage rq_next_page. + */ + rqstp->rq_next_page = xdr->page_ptr + 1; } /* @@ -5506,9 +5512,6 @@ nfs4svc_encode_compoundres(struct svc_rqst *rqstp, struct xdr_stream *xdr) p = resp->statusp; *p++ = resp->cstate.status; - - rqstp->rq_next_page = xdr->page_ptr + 1; - *p++ = htonl(resp->taglen); memcpy(p, resp->tag, resp->taglen); p += XDR_QUADLEN(resp->taglen); |