Patch "SUNRPC: Fix svcxdr_init_encode's buflen calculation" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    SUNRPC: Fix svcxdr_init_encode's buflen calculation

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sunrpc-fix-svcxdr_init_encode-s-buflen-calculation.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c001d6331baa0bef0d35e79301df8053e62743cb
Author: Chuck Lever <chuck.lever@xxxxxxxxxx>
Date:   Thu Sep 1 15:09:59 2022 -0400

    SUNRPC: Fix svcxdr_init_encode's buflen calculation
    
    [ Upstream commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624 ]
    
    Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries")
    added an explicit computation of the remaining length in the rq_res
    XDR buffer.
    
    The computation appears to suffer from an "off-by-one" bug. Because
    buflen is too large by one page, XDR encoding can run off the end of
    the send buffer by eventually trying to use the struct page address
    in rq_page_end, which always contains NULL.
    
    Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper")
    Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
    Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
index 6be55d0e73fd..045f34add206 100644
--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -609,7 +609,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp)
 	xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack;
 	buf->len = resv->iov_len;
 	xdr->page_ptr = buf->pages - 1;
-	buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages);
+	buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages);
 	buf->buflen -= rqstp->rq_auth_slack;
 	xdr->rqst = NULL;
 }



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux