NFSD: Update rq_next_page between COMPOUND operations
A GETATTR with a large result can advance xdr->page_ptr without updating rq_next_page. If a splice READ follows that GETATTR in the COMPOUND, nfsd_splice_actor can start splicing at the wrong page. I've also seen READLINK and READDIR leave rq_next_page in an unmodified state. There are potentially a myriad of combinations like this, so play it safe: move the rq_next_page update to nfsd4_encode_operation. Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
This commit is contained in:
Chuck Lever
parent
ba21e20b30
commit
ed4a567a17
|
|
@ -5438,6 +5438,12 @@ status:
|
|||
release:
|
||||
if (opdesc && opdesc->op_release)
|
||||
opdesc->op_release(&op->u);
|
||||
|
||||
/*
|
||||
* Account for pages consumed while encoding this operation.
|
||||
* The xdr_stream primitives don't manage rq_next_page.
|
||||
*/
|
||||
rqstp->rq_next_page = xdr->page_ptr + 1;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -5506,9 +5512,6 @@ nfs4svc_encode_compoundres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
|
|||
p = resp->statusp;
|
||||
|
||||
*p++ = resp->cstate.status;
|
||||
|
||||
rqstp->rq_next_page = xdr->page_ptr + 1;
|
||||
|
||||
*p++ = htonl(resp->taglen);
|
||||
memcpy(p, resp->tag, resp->taglen);
|
||||
p += XDR_QUADLEN(resp->taglen);
|
||||
|
|
|
|||
Loading…
Reference in New Issue