Revert patch accidentally included in the merge window pull request, and
fix a crash that was likely a result of buggy client behavior. -----BEGIN PGP SIGNATURE----- iQIcBAABAgAGBQJZMHDGAAoJECebzXlCjuG+wVAP/RC2THsrHEfWQSrc+/wkKron 7PUZo6VRhoasjBInSJB/tdy+Yb82NbfLoXfJ71ddAwRUZlte74aI762HHuMdWtHY 8mCum5ea1AfRX5N/L/isO6lh4utO0vQEJ8r+P095d3EDwl0DnLYC3JVlKd/1r2VS ELy8DZkyaVHZO9xiT+mnRgsq4aMjxG3F7DTHpcKDDFzG5Ts00zBQIXDu/rKmw3fD WEuQjjrit1gFrUIUzJbSqwSokDCcf7v9HtGTI5+t+pIZ4Q2SyuKuTZvjtg+hb7Qa K+F2SNNQsqfTW65zllhVR3gYpCykoqYPAJDw9MlqLN5tCmXFZLYhFHEUFx5kuobx 7+Dc3z1o5BgOiXcnKBVe+uONxXxcMYXLbU0e5Gac39GYW5xWzrU1+O6mMi0Q01YS QsGRZEqHE2/3j1TAl0Q2SqT8gtG+A7piU4s5VavIHKIzI3/WubZ1GjLQ+RfXjuNa DvkcAvSYfHyxzdWlyxjkzM09edt6SN3yEYdIRv9hiJEbUO3itVm9ycXTHLJUQUL0 sfVeXkm49e8gZZxHn+XuJubkT8HYlDGLQVSzK1zWFgt+zxd9LiP9iY+zs+vL9ryJ DM9VmlJxZvNx9T7zSradW7gbIwOgxmBfRHFD05oODS1Tymb029akuU0YACb0sVnQ LzDaZejUmURp7vlUffFp =wznG -----END PGP SIGNATURE----- Merge tag 'nfsd-4.12-1' of git://linux-nfs.org/~bfields/linux Pull nfsd fixes from Bruce Fields: "Revert patch accidentally included in the merge window pull request, and fix a crash that was likely a result of buggy client behavior" * tag 'nfsd-4.12-1' of git://linux-nfs.org/~bfields/linux: nfsd4: fix null dereference on replay nfsd: Revert "nfsd: check for oversized NFSv2/v3 arguments"
This commit is contained in:
commit
3b1e342be2
4 changed files with 17 additions and 35 deletions
|
@ -334,11 +334,8 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
if (!p)
|
||||
return 0;
|
||||
p = xdr_decode_hyper(p, &args->offset);
|
||||
|
||||
args->count = ntohl(*p++);
|
||||
|
||||
if (!xdr_argsize_check(rqstp, p))
|
||||
return 0;
|
||||
|
||||
len = min(args->count, max_blocksize);
|
||||
|
||||
/* set up the kvec */
|
||||
|
@ -352,7 +349,7 @@ nfs3svc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
v++;
|
||||
}
|
||||
args->vlen = v;
|
||||
return 1;
|
||||
return xdr_argsize_check(rqstp, p);
|
||||
}
|
||||
|
||||
int
|
||||
|
@ -544,11 +541,9 @@ nfs3svc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
p = decode_fh(p, &args->fh);
|
||||
if (!p)
|
||||
return 0;
|
||||
if (!xdr_argsize_check(rqstp, p))
|
||||
return 0;
|
||||
args->buffer = page_address(*(rqstp->rq_next_page++));
|
||||
|
||||
return 1;
|
||||
return xdr_argsize_check(rqstp, p);
|
||||
}
|
||||
|
||||
int
|
||||
|
@ -574,14 +569,10 @@ nfs3svc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
args->verf = p; p += 2;
|
||||
args->dircount = ~0;
|
||||
args->count = ntohl(*p++);
|
||||
|
||||
if (!xdr_argsize_check(rqstp, p))
|
||||
return 0;
|
||||
|
||||
args->count = min_t(u32, args->count, PAGE_SIZE);
|
||||
args->buffer = page_address(*(rqstp->rq_next_page++));
|
||||
|
||||
return 1;
|
||||
return xdr_argsize_check(rqstp, p);
|
||||
}
|
||||
|
||||
int
|
||||
|
@ -599,9 +590,6 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
args->dircount = ntohl(*p++);
|
||||
args->count = ntohl(*p++);
|
||||
|
||||
if (!xdr_argsize_check(rqstp, p))
|
||||
return 0;
|
||||
|
||||
len = args->count = min(args->count, max_blocksize);
|
||||
while (len > 0) {
|
||||
struct page *p = *(rqstp->rq_next_page++);
|
||||
|
@ -609,7 +597,8 @@ nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
args->buffer = page_address(p);
|
||||
len -= PAGE_SIZE;
|
||||
}
|
||||
return 1;
|
||||
|
||||
return xdr_argsize_check(rqstp, p);
|
||||
}
|
||||
|
||||
int
|
||||
|
|
|
@ -1769,6 +1769,12 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
|
|||
opdesc->op_get_currentstateid(cstate, &op->u);
|
||||
op->status = opdesc->op_func(rqstp, cstate, &op->u);
|
||||
|
||||
/* Only from SEQUENCE */
|
||||
if (cstate->status == nfserr_replay_cache) {
|
||||
dprintk("%s NFS4.1 replay from cache\n", __func__);
|
||||
status = op->status;
|
||||
goto out;
|
||||
}
|
||||
if (!op->status) {
|
||||
if (opdesc->op_set_currentstateid)
|
||||
opdesc->op_set_currentstateid(cstate, &op->u);
|
||||
|
@ -1779,14 +1785,7 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
|
|||
if (need_wrongsec_check(rqstp))
|
||||
op->status = check_nfsd_access(current_fh->fh_export, rqstp);
|
||||
}
|
||||
|
||||
encode_op:
|
||||
/* Only from SEQUENCE */
|
||||
if (cstate->status == nfserr_replay_cache) {
|
||||
dprintk("%s NFS4.1 replay from cache\n", __func__);
|
||||
status = op->status;
|
||||
goto out;
|
||||
}
|
||||
if (op->status == nfserr_replay_me) {
|
||||
op->replay = &cstate->replay_owner->so_replay;
|
||||
nfsd4_encode_replay(&resp->xdr, op);
|
||||
|
|
|
@ -257,9 +257,6 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
len = args->count = ntohl(*p++);
|
||||
p++; /* totalcount - unused */
|
||||
|
||||
if (!xdr_argsize_check(rqstp, p))
|
||||
return 0;
|
||||
|
||||
len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
|
||||
|
||||
/* set up somewhere to store response.
|
||||
|
@ -275,7 +272,7 @@ nfssvc_decode_readargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
v++;
|
||||
}
|
||||
args->vlen = v;
|
||||
return 1;
|
||||
return xdr_argsize_check(rqstp, p);
|
||||
}
|
||||
|
||||
int
|
||||
|
@ -365,11 +362,9 @@ nfssvc_decode_readlinkargs(struct svc_rqst *rqstp, __be32 *p, struct nfsd_readli
|
|||
p = decode_fh(p, &args->fh);
|
||||
if (!p)
|
||||
return 0;
|
||||
if (!xdr_argsize_check(rqstp, p))
|
||||
return 0;
|
||||
args->buffer = page_address(*(rqstp->rq_next_page++));
|
||||
|
||||
return 1;
|
||||
return xdr_argsize_check(rqstp, p);
|
||||
}
|
||||
|
||||
int
|
||||
|
@ -407,11 +402,9 @@ nfssvc_decode_readdirargs(struct svc_rqst *rqstp, __be32 *p,
|
|||
args->cookie = ntohl(*p++);
|
||||
args->count = ntohl(*p++);
|
||||
args->count = min_t(u32, args->count, PAGE_SIZE);
|
||||
if (!xdr_argsize_check(rqstp, p))
|
||||
return 0;
|
||||
args->buffer = page_address(*(rqstp->rq_next_page++));
|
||||
|
||||
return 1;
|
||||
return xdr_argsize_check(rqstp, p);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -336,7 +336,8 @@ xdr_argsize_check(struct svc_rqst *rqstp, __be32 *p)
|
|||
{
|
||||
char *cp = (char *)p;
|
||||
struct kvec *vec = &rqstp->rq_arg.head[0];
|
||||
return cp == (char *)vec->iov_base + vec->iov_len;
|
||||
return cp >= (char*)vec->iov_base
|
||||
&& cp <= (char*)vec->iov_base + vec->iov_len;
|
||||
}
|
||||
|
||||
static inline int
|
||||
|
|
Loading…
Reference in a new issue