2018-10-30 20:10:43

by Frank Sorenson

[permalink] [raw]
Subject: [PATCH] sunrpc: correct the computation for page_ptr when truncating

When truncating the encode buffer, the page_ptr is getting
advanced, causing the next page to be skipped while encoding.
The page is still included in the response, so the response
contains a page of bogus data.

We need to adjust the page_ptr backwards to ensure we encode
the next page into the correct place.

Signed-off-by: Frank Sorenson <[email protected]>
---
net/sunrpc/xdr.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 2bbb8d38d2bf..5cfb9e0a18dc 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -673,11 +673,10 @@ void xdr_truncate_encode(struct xdr_stream *xdr, size_t len)
WARN_ON_ONCE(xdr->iov);
return;
}
- if (fraglen) {
+ if (fraglen)
xdr->end = head->iov_base + head->iov_len;
- xdr->page_ptr--;
- }
/* (otherwise assume xdr->end is already set) */
+ xdr->page_ptr--;
head->iov_len = len;
buf->len = len;
xdr->p = head->iov_base + head->iov_len;
--
2.14.5



2018-10-31 14:03:13

by J. Bruce Fields

[permalink] [raw]
Subject: Re: [PATCH] sunrpc: correct the computation for page_ptr when truncating

On Tue, Oct 30, 2018 at 03:10:40PM -0500, Frank Sorenson wrote:
> When truncating the encode buffer, the page_ptr is getting
> advanced, causing the next page to be skipped while encoding.
> The page is still included in the response, so the response
> contains a page of bogus data.
>
> We need to adjust the page_ptr backwards to ensure we encode
> the next page into the correct place.

Thanks! Queuing this up for 4.20 and stable.

Also added one more note to the changelog in case it's useful to someone
else who runs across this bug:

We saw this triggered when concurrent directory modifications
caused nfsd4_encode_direct_fattr() to return nfserr_noent, and
the resulting call to xdr_truncate_encode() corrupted the
READDIR reply.

--b.

>
> Signed-off-by: Frank Sorenson <[email protected]>
> ---
> net/sunrpc/xdr.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
> index 2bbb8d38d2bf..5cfb9e0a18dc 100644
> --- a/net/sunrpc/xdr.c
> +++ b/net/sunrpc/xdr.c
> @@ -673,11 +673,10 @@ void xdr_truncate_encode(struct xdr_stream *xdr, size_t len)
> WARN_ON_ONCE(xdr->iov);
> return;
> }
> - if (fraglen) {
> + if (fraglen)
> xdr->end = head->iov_base + head->iov_len;
> - xdr->page_ptr--;
> - }
> /* (otherwise assume xdr->end is already set) */
> + xdr->page_ptr--;
> head->iov_len = len;
> buf->len = len;
> xdr->p = head->iov_base + head->iov_len;
> --
> 2.14.5