Patch "NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 18 Jun 2024 07:59:42 -0400

This is a note to let you know that I've just added the patch titled

    NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsd-use-xdr_inline_decode-to-decode-nfsv3-symlinks.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3f313123b6b5256edab59005e5fe3c8e2c07cff6
Author: Chuck Lever <chuck.lever@xxxxxxxxxx>
Date:   Mon Sep 12 17:23:02 2022 -0400

    NFSD: Use xdr_inline_decode() to decode NFSv3 symlinks
    
    [ Upstream commit c3d2a04f05c590303c125a176e6e43df4a436fdb ]
    
    Replace the check for buffer over/underflow with a helper that is
    commonly used for this purpose. The helper also sets xdr->nwords
    correctly after successfully linearizing the symlink argument into
    the stream's scratch buffer.
    
    Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
    Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
index 0293b8d65f10f..71e32cf288854 100644
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -616,8 +616,6 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, struct xdr_stream *xdr)
 {
 	struct nfsd3_symlinkargs *args = rqstp->rq_argp;
 	struct kvec *head = rqstp->rq_arg.head;
-	struct kvec *tail = rqstp->rq_arg.tail;
-	size_t remaining;
 
 	if (!svcxdr_decode_diropargs3(xdr, &args->ffh, &args->fname, &args->flen))
 		return false;
@@ -626,16 +624,10 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, struct xdr_stream *xdr)
 	if (xdr_stream_decode_u32(xdr, &args->tlen) < 0)
 		return false;
 
-	/* request sanity */
-	remaining = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len;
-	remaining -= xdr_stream_pos(xdr);
-	if (remaining < xdr_align_size(args->tlen))
-		return false;
-
-	args->first.iov_base = xdr->p;
+	/* symlink_data */
 	args->first.iov_len = head->iov_len - xdr_stream_pos(xdr);
-
-	return true;
+	args->first.iov_base = xdr_inline_decode(xdr, args->tlen);
+	return args->first.iov_base != NULL;
 }
 
 bool







