On Tue, Oct 30, 2018 at 03:10:40PM -0500, Frank Sorenson wrote:
> When truncating the encode buffer, the page_ptr is getting
> advanced, causing the next page to be skipped while encoding.
> The page is still included in the response, so the response
> contains a page of bogus data.
>
> We need to adjust the page_ptr backwards to ensure we encode
> the next page into the correct place.
Thanks! Queuing this up for 4.20 and stable.
Also added one more note to the changelog in case it's useful to someone
else who runs across this bug:
We saw this triggered when concurrent directory modifications
caused nfsd4_encode_direct_fattr() to return nfserr_noent, and
the resulting call to xdr_truncate_encode() corrupted the
READDIR reply.
--b.
>
> Signed-off-by: Frank Sorenson <sorenson@xxxxxxxxxx>
> ---
> net/sunrpc/xdr.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
> index 2bbb8d38d2bf..5cfb9e0a18dc 100644
> --- a/net/sunrpc/xdr.c
> +++ b/net/sunrpc/xdr.c
> @@ -673,11 +673,10 @@ void xdr_truncate_encode(struct xdr_stream *xdr, size_t len)
> WARN_ON_ONCE(xdr->iov);
> return;
> }
> - if (fraglen) {
> + if (fraglen)
> xdr->end = head->iov_base + head->iov_len;
> - xdr->page_ptr--;
> - }
> /* (otherwise assume xdr->end is already set) */
> + xdr->page_ptr--;
> head->iov_len = len;
> buf->len = len;
> xdr->p = head->iov_base + head->iov_len;
> --
> 2.14.5
