Commit ed4a567a authored by Chuck Lever's avatar Chuck Lever

NFSD: Update rq_next_page between COMPOUND operations

A GETATTR with a large result can advance xdr->page_ptr without
updating rq_next_page. If a splice READ follows that GETATTR in the
COMPOUND, nfsd_splice_actor can start splicing at the wrong page.

I've also seen READLINK and READDIR leave rq_next_page in an
unmodified state.

There are potentially a myriad of combinations like this, so play it
safe: move the rq_next_page update to nfsd4_encode_operation.
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
parent ba21e20b
...@@ -5438,6 +5438,12 @@ nfsd4_encode_operation(struct nfsd4_compoundres *resp, struct nfsd4_op *op) ...@@ -5438,6 +5438,12 @@ nfsd4_encode_operation(struct nfsd4_compoundres *resp, struct nfsd4_op *op)
release: release:
if (opdesc && opdesc->op_release) if (opdesc && opdesc->op_release)
opdesc->op_release(&op->u); opdesc->op_release(&op->u);
/*
* Account for pages consumed while encoding this operation.
* The xdr_stream primitives don't manage rq_next_page.
*/
rqstp->rq_next_page = xdr->page_ptr + 1;
} }
/* /*
...@@ -5506,9 +5512,6 @@ nfs4svc_encode_compoundres(struct svc_rqst *rqstp, struct xdr_stream *xdr) ...@@ -5506,9 +5512,6 @@ nfs4svc_encode_compoundres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
p = resp->statusp; p = resp->statusp;
*p++ = resp->cstate.status; *p++ = resp->cstate.status;
rqstp->rq_next_page = xdr->page_ptr + 1;
*p++ = htonl(resp->taglen); *p++ = htonl(resp->taglen);
memcpy(p, resp->tag, resp->taglen); memcpy(p, resp->tag, resp->taglen);
p += XDR_QUADLEN(resp->taglen); p += XDR_QUADLEN(resp->taglen);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment