| Message ID | 20181030201040.2024882-1-sorenson@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | sunrpc: correct the computation for page_ptr when truncating | expand |
On Tue, Oct 30, 2018 at 03:10:40PM -0500, Frank Sorenson wrote: > When truncating the encode buffer, the page_ptr is getting > advanced, causing the next page to be skipped while encoding. > The page is still included in the response, so the response > contains a page of bogus data. > > We need to adjust the page_ptr backwards to ensure we encode > the next page into the correct place. Thanks! Queuing this up for 4.20 and stable. Also added one more note to the changelog in case it's useful to someone else who runs across this bug: We saw this triggered when concurrent directory modifications caused nfsd4_encode_direct_fattr() to return nfserr_noent, and the resulting call to xdr_truncate_encode() corrupted the READDIR reply. --b. > > Signed-off-by: Frank Sorenson <sorenson@redhat.com> > --- > net/sunrpc/xdr.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c > index 2bbb8d38d2bf..5cfb9e0a18dc 100644 > --- a/net/sunrpc/xdr.c > +++ b/net/sunrpc/xdr.c > @@ -673,11 +673,10 @@ void xdr_truncate_encode(struct xdr_stream *xdr, size_t len) > WARN_ON_ONCE(xdr->iov); > return; > } > - if (fraglen) { > + if (fraglen) > xdr->end = head->iov_base + head->iov_len; > - xdr->page_ptr--; > - } > /* (otherwise assume xdr->end is already set) */ > + xdr->page_ptr--; > head->iov_len = len; > buf->len = len; > xdr->p = head->iov_base + head->iov_len; > -- > 2.14.5
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c index 2bbb8d38d2bf..5cfb9e0a18dc 100644 --- a/net/sunrpc/xdr.c +++ b/net/sunrpc/xdr.c @@ -673,11 +673,10 @@ void xdr_truncate_encode(struct xdr_stream *xdr, size_t len) WARN_ON_ONCE(xdr->iov); return; } - if (fraglen) { + if (fraglen) xdr->end = head->iov_base + head->iov_len; - xdr->page_ptr--; - } /* (otherwise assume xdr->end is already set) */ + xdr->page_ptr--; head->iov_len = len; buf->len = len; xdr->p = head->iov_base + head->iov_len;
When truncating the encode buffer, the page_ptr is getting advanced, causing the next page to be skipped while encoding. The page is still included in the response, so the response contains a page of bogus data. We need to adjust the page_ptr backwards to ensure we encode the next page into the correct place. Signed-off-by: Frank Sorenson <sorenson@redhat.com> --- net/sunrpc/xdr.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)