Home Explore Help
Sign In
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge tag 'nfsd-4.12-1' of git://linux-nfs.org/~bfields/linux

Pull nfsd fixes from Bruce Fields:
 "Revert patch accidentally included in the merge window pull request,
  and fix a crash that was likely a result of buggy client behavior"

* tag 'nfsd-4.12-1' of git://linux-nfs.org/~bfields/linux:
  nfsd4: fix null dereference on replay
  nfsd: Revert "nfsd: check for oversized NFSv2/v3 arguments"
Linus Torvalds 8 years ago
parent
2f48641cfc 9a307403d3
commit
3b1e342be2
4 changed files with 17 additions and 35 deletions
Split View Show Diff Stats
  1. 6 17
      fs/nfsd/nfs3xdr.c
  2. 6 7
      fs/nfsd/nfs4proc.c
  3. 3 10
      fs/nfsd/nfsxdr.c
  4. 2 1
      include/linux/sunrpc/svc.h

+ 6 - 17
fs/nfsd/nfs3xdr.c
View File 

@@ -334,11 +334,8 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
 
 	if (!p)
 
 		return 0;
 
 	p = xdr_decode_hyper(p, &args->offset);
 
-	args->count = ntohl(*p++);
 
-
 
-	if (!xdr_argsize_check(rqstp, p))
 
-		return 0;
 
 
+	args->count = ntohl(*p++);
 
 	len = min(args->count, max_blocksize);
 
 
 	/* set up the kvec */
 
@@ -352,7 +349,7 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
 
 		v++;
 
 	}
 
 	args->vlen = v;
 
-	return 1;
 
+	return xdr_argsize_check(rqstp, p);
 
 }
 
 
 int
 
@@ -544,11 +541,9 @@ nfs3svc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p,
 
 	p = decode_fh(p, &args->fh);
 
 	if (!p)
 
 		return 0;
 
-	if (!xdr_argsize_check(rqstp, p))
 
-		return 0;
 
 	args->buffer = page_address(*(rqstp->rq_next_page++));
 
 
-	return 1;
 
+	return xdr_argsize_check(rqstp, p);
 
 }
 
 
 int
 
@@ -574,14 +569,10 @@ nfs3svc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
 
 	args->verf   = p; p += 2;
 
 	args->dircount = ~0;
 
 	args->count  = ntohl(*p++);
 
-
 
-	if (!xdr_argsize_check(rqstp, p))
 
-		return 0;
 
-
 
 	args->count  = min_t(u32, args->count, PAGE_SIZE);
 
 	args->buffer = page_address(*(rqstp->rq_next_page++));
 
 
-	return 1;
 
+	return xdr_argsize_check(rqstp, p);
 
 }
 
 
 int
 
@@ -599,9 +590,6 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
 
 	args->dircount = ntohl(*p++);
 
 	args->count    = ntohl(*p++);
 
 
-	if (!xdr_argsize_check(rqstp, p))
 
-		return 0;
 
-
 
 	len = args->count = min(args->count, max_blocksize);
 
 	while (len > 0) {
 
 		struct page *p = *(rqstp->rq_next_page++);
 
@@ -609,7 +597,8 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
 
 			args->buffer = page_address(p);
 
 		len -= PAGE_SIZE;
 
 	}
 
-	return 1;
 
+
 
+	return xdr_argsize_check(rqstp, p);
 
 }
 
 
 int

+ 6 - 7
fs/nfsd/nfs4proc.c
View File 

@@ -1769,6 +1769,12 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
 
 			opdesc->op_get_currentstateid(cstate, &op->u);
 
 		op->status = opdesc->op_func(rqstp, cstate, &op->u);
 
 
+		/* Only from SEQUENCE */
 
+		if (cstate->status == nfserr_replay_cache) {
 
+			dprintk("%s NFS4.1 replay from cache\n", __func__);
 
+			status = op->status;
 
+			goto out;
 
+		}
 
 		if (!op->status) {
 
 			if (opdesc->op_set_currentstateid)
 
 				opdesc->op_set_currentstateid(cstate, &op->u);
 
@@ -1779,14 +1785,7 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
 
 			if (need_wrongsec_check(rqstp))
 
 				op->status = check_nfsd_access(current_fh->fh_export, rqstp);
 
 		}
 
-
 
 encode_op:
 
-		/* Only from SEQUENCE */
 
-		if (cstate->status == nfserr_replay_cache) {
 
-			dprintk("%s NFS4.1 replay from cache\n", __func__);
 
-			status = op->status;
 
-			goto out;
 
-		}
 
 		if (op->status == nfserr_replay_me) {
 
 			op->replay = &cstate->replay_owner->so_replay;
 
 			nfsd4_encode_replay(&resp->xdr, op);

+ 3 - 10
fs/nfsd/nfsxdr.c
View File 

@@ -257,9 +257,6 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
 
 	len = args->count     = ntohl(*p++);
 
 	p++; /* totalcount - unused */
 
 
-	if (!xdr_argsize_check(rqstp, p))
 
-		return 0;
 
-
 
 	len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
 
 
 	/* set up somewhere to store response.
 
@@ -275,7 +272,7 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
 
 		v++;
 
 	}
 
 	args->vlen = v;
 
-	return 1;
 
+	return xdr_argsize_check(rqstp, p);
 
 }
 
 
 int
 
@@ -365,11 +362,9 @@ nfssvc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, struct nfsd_readli
 
 	p = decode_fh(p, &args->fh);
 
 	if (!p)
 
 		return 0;
 
-	if (!xdr_argsize_check(rqstp, p))
 
-		return 0;
 
 	args->buffer = page_address(*(rqstp->rq_next_page++));
 
 
-	return 1;
 
+	return xdr_argsize_check(rqstp, p);
 
 }
 
 
 int
 
@@ -407,11 +402,9 @@ nfssvc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
 
 	args->cookie = ntohl(*p++);
 
 	args->count  = ntohl(*p++);
 
 	args->count  = min_t(u32, args->count, PAGE_SIZE);
 
-	if (!xdr_argsize_check(rqstp, p))
 
-		return 0;
 
 	args->buffer = page_address(*(rqstp->rq_next_page++));
 
 
-	return 1;
 
+	return xdr_argsize_check(rqstp, p);
 
 }
 
 
 /*

+ 2 - 1
include/linux/sunrpc/svc.h
View File 

@@ -336,7 +336,8 @@ xdr_argsize_check(struct svc_rqst *rqstp, __be32 *p)
 
 {
 
 	char *cp = (char *)p;
 
 	struct kvec *vec = &rqstp->rq_arg.head[0];
 
-	return cp == (char *)vec->iov_base + vec->iov_len;
 
+	return cp >= (char*)vec->iov_base
 
+		&& cp <= (char*)vec->iov_base + vec->iov_len;
 
 }
 
 
 static inline int