This is a note to let you know that I've just added the patch titled nfsd4: fix corruption of NFSv4 read data to the 3.16-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: nfsd4-fix-corruption-of-nfsv4-read-data.patch and it can be found in the queue-3.16 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 15b23ef5d348ea51c5e7573e2ef4116fbc7cb099 Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" <bfields@xxxxxxxxxx> Date: Wed, 24 Sep 2014 16:32:34 -0400 Subject: nfsd4: fix corruption of NFSv4 read data From: "J. Bruce Fields" <bfields@xxxxxxxxxx> commit 15b23ef5d348ea51c5e7573e2ef4116fbc7cb099 upstream. The calculation of page_ptr here is wrong in the case the read doesn't start at an offset that is a multiple of a page. The result is that nfs4svc_encode_compoundres sets rq_next_page to a value one too small, and then the loop in svc_free_res_pages may incorrectly fail to clear a page pointer in rq_respages[]. Pages left in rq_respages[] are available for the next rpc request to use, so xdr data may be written to that page, which may hold data still waiting to be transmitted to the client or data in the page cache. The observed result was silent data corruption seen on an NFSv4 client. We tag this as "fixing" 05638dc73af2 because that commit exposed this bug, though the incorrect calculation predates it. Particular thanks to Andrea Arcangeli and David Gilbert for analysis and testing. Fixes: 05638dc73af2 "nfsd4: simplify server xdr->next_page use" Reported-by: Andrea Arcangeli <aarcange@xxxxxxxxxx> Tested-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx> Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/nfsd/nfs4xdr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -3112,7 +3112,8 @@ static __be32 nfsd4_encode_splice_read( buf->page_len = maxcount; buf->len += maxcount; - xdr->page_ptr += (maxcount + PAGE_SIZE - 1) / PAGE_SIZE; + xdr->page_ptr += (buf->page_base + maxcount + PAGE_SIZE - 1) + / PAGE_SIZE; /* Use rest of head for padding and remaining ops: */ buf->tail[0].iov_base = xdr->p; Patches currently in stable-queue which might be from bfields@xxxxxxxxxx are queue-3.16/nfsd4-fix-corruption-of-nfsv4-read-data.patch queue-3.16/nfsd4-fix-rd_dircount-enforcement.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html