On Sun, 2022-08-28 at 14:50 -0400, Chuck Lever wrote:
> Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries")
> added an explicit computation of the remaining length in the rq_res
> XDR buffer.
>
> The computation appears to suffer from an "off-by-one" bug. Because
> buflen is too large by one page, XDR encoding can run off the end of
> the send buffer by eventually trying to use the struct page address
> in rq_page_end, which always contains NULL.
>
> Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper")
> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> ---
> include/linux/sunrpc/svc.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
> index 5a830b66f059..0ca8a8ffb47e 100644
> --- a/include/linux/sunrpc/svc.h
> +++ b/include/linux/sunrpc/svc.h
> @@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp)
> xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack;
> buf->len = resv->iov_len;
> xdr->page_ptr = buf->pages - 1;
> - buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages);
> + buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages);
> buf->buflen -= rqstp->rq_auth_slack;
> xdr->rqst = NULL;
> }
>
>
Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
