sunrpc: correct the computation for page_ptr when truncating
diff mbox series

Message ID 20181030201040.2024882-1-sorenson@redhat.com
State New
Headers show
Series
  • sunrpc: correct the computation for page_ptr when truncating
Related show

Commit Message

Frank Sorenson Oct. 30, 2018, 8:10 p.m. UTC
When truncating the encode buffer, the page_ptr is getting
advanced, causing the next page to be skipped while encoding.
The page is still included in the response, so the response
contains a page of bogus data.

We need to adjust the page_ptr backwards to ensure we encode
the next page into the correct place.

Signed-off-by: Frank Sorenson <sorenson@redhat.com>
---
 net/sunrpc/xdr.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

J. Bruce Fields Oct. 31, 2018, 2:03 p.m. UTC | #1
On Tue, Oct 30, 2018 at 03:10:40PM -0500, Frank Sorenson wrote:
> When truncating the encode buffer, the page_ptr is getting
> advanced, causing the next page to be skipped while encoding.
> The page is still included in the response, so the response
> contains a page of bogus data.
> 
> We need to adjust the page_ptr backwards to ensure we encode
> the next page into the correct place.

Thanks!  Queuing this up for 4.20 and stable.

Also added one more note to the changelog in case it's useful to someone
else who runs across this bug:

	We saw this triggered when concurrent directory modifications
	caused nfsd4_encode_direct_fattr() to return nfserr_noent, and
	the resulting call to xdr_truncate_encode() corrupted the
	READDIR reply.

--b.

> 
> Signed-off-by: Frank Sorenson <sorenson@redhat.com>
> ---
>  net/sunrpc/xdr.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
> index 2bbb8d38d2bf..5cfb9e0a18dc 100644
> --- a/net/sunrpc/xdr.c
> +++ b/net/sunrpc/xdr.c
> @@ -673,11 +673,10 @@ void xdr_truncate_encode(struct xdr_stream *xdr, size_t len)
>  		WARN_ON_ONCE(xdr->iov);
>  		return;
>  	}
> -	if (fraglen) {
> +	if (fraglen)
>  		xdr->end = head->iov_base + head->iov_len;
> -		xdr->page_ptr--;
> -	}
>  	/* (otherwise assume xdr->end is already set) */
> +	xdr->page_ptr--;
>  	head->iov_len = len;
>  	buf->len = len;
>  	xdr->p = head->iov_base + head->iov_len;
> -- 
> 2.14.5

Patch
diff mbox series

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 2bbb8d38d2bf..5cfb9e0a18dc 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -673,11 +673,10 @@  void xdr_truncate_encode(struct xdr_stream *xdr, size_t len)
 		WARN_ON_ONCE(xdr->iov);
 		return;
 	}
-	if (fraglen) {
+	if (fraglen)
 		xdr->end = head->iov_base + head->iov_len;
-		xdr->page_ptr--;
-	}
 	/* (otherwise assume xdr->end is already set) */
+	xdr->page_ptr--;
 	head->iov_len = len;
 	buf->len = len;
 	xdr->p = head->iov_base + head->iov_len;