NFSD: Insulate nfsd4_encode_secinfo() from page boundaries in the encode buffer

chucklever · chucklever · commit b786caa65d4b · 2025-01-10T23:42:20.000-05:00
There's no guarantee that the pointer returned from
xdr_reserve_space() will still point to the correct reserved space
in the encode buffer after one or more intervening calls to
xdr_reserve_space(). It just happens to work with the current
implementation of xdr_reserve_space().

Reviewed-by: NeilBrown &lt;neilb@suse.de&gt;
Reviewed-by: Jeff Layton &lt;jlayton@kernel.org&gt;
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
@@ -4643,13 +4643,13 @@ nfsd4_encode_secinfo4(struct xdr_stream *xdr, rpc_authflavor_t pf,
 }
 
 static __be32
-nfsd4_do_encode_secinfo(struct xdr_stream *xdr, struct svc_export *exp)
+nfsd4_encode_SECINFO4resok(struct xdr_stream *xdr, struct svc_export *exp)
 {
 	u32 i, nflavs, supported;
 	struct exp_flavor_info *flavs;
 	struct exp_flavor_info def_flavs[2];
-	__be32 *flavorsp;
-	__be32 status;
+	unsigned int count_offset;
+	__be32 status, wire_count;
 
 	if (exp->ex_nflavors) {
 		flavs = exp->ex_flavors;
@@ -4671,8 +4671,8 @@ nfsd4_do_encode_secinfo(struct xdr_stream *xdr, struct svc_export *exp)
 		}
 	}
 
-	flavorsp = xdr_reserve_space(xdr, XDR_UNIT);
-	if (!flavorsp)
+	count_offset = xdr->buf->len;
+	if (unlikely(!xdr_reserve_space(xdr, XDR_UNIT)))
 		return nfserr_resource;
 
 	for (i = 0, supported = 0; i < nflavs; i++) {
@@ -4682,7 +4682,9 @@ nfsd4_do_encode_secinfo(struct xdr_stream *xdr, struct svc_export *exp)
 			return status;
 	}
 
-	*flavorsp = cpu_to_be32(supported);
+	wire_count = cpu_to_be32(supported);
+	write_bytes_to_xdr_buf(xdr->buf, count_offset, &wire_count,
+			       XDR_UNIT);
 	return 0;
 }
 
@@ -4693,7 +4695,7 @@ nfsd4_encode_secinfo(struct nfsd4_compoundres *resp, __be32 nfserr,
 	struct nfsd4_secinfo *secinfo = &u->secinfo;
 	struct xdr_stream *xdr = resp->xdr;
 
-	return nfsd4_do_encode_secinfo(xdr, secinfo->si_exp);
+	return nfsd4_encode_SECINFO4resok(xdr, secinfo->si_exp);
 }
 
 static __be32
@@ -4703,7 +4705,7 @@ nfsd4_encode_secinfo_no_name(struct nfsd4_compoundres *resp, __be32 nfserr,
 	struct nfsd4_secinfo_no_name *secinfo = &u->secinfo_no_name;
 	struct xdr_stream *xdr = resp->xdr;
 
-	return nfsd4_do_encode_secinfo(xdr, secinfo->sin_exp);
+	return nfsd4_encode_SECINFO4resok(xdr, secinfo->sin_exp);
 }
 
 static __be32

Original file line number	Diff line number	Diff line change
`@@ -4643,13 +4643,13 @@ nfsd4_encode_secinfo4(struct xdr_stream *xdr, rpc_authflavor_t pf,`
`4643`	`4643`	`}`
`4644`	`4644`
`4645`	`4645`	`static __be32`
`4646`		`-nfsd4_do_encode_secinfo(struct xdr_stream xdr, struct svc_export exp)`
	`4646`	`+nfsd4_encode_SECINFO4resok(struct xdr_stream xdr, struct svc_export exp)`
`4647`	`4647`	`{`
`4648`	`4648`	`u32 i, nflavs, supported;`
`4649`	`4649`	`struct exp_flavor_info *flavs;`
`4650`	`4650`	`struct exp_flavor_info def_flavs[2];`
`4651`		`- __be32 *flavorsp;`
`4652`		`- __be32 status;`
	`4651`	`+ unsigned int count_offset;`
	`4652`	`+ __be32 status, wire_count;`
`4653`	`4653`
`4654`	`4654`	`if (exp->ex_nflavors) {`
`4655`	`4655`	`flavs = exp->ex_flavors;`
`@@ -4671,8 +4671,8 @@ nfsd4_do_encode_secinfo(struct xdr_stream xdr, struct svc_export exp)`
`4671`	`4671`	`}`
`4672`	`4672`	`}`
`4673`	`4673`
`4674`		`- flavorsp = xdr_reserve_space(xdr, XDR_UNIT);`
`4675`		`- if (!flavorsp)`
	`4674`	`+ count_offset = xdr->buf->len;`
	`4675`	`+ if (unlikely(!xdr_reserve_space(xdr, XDR_UNIT)))`
`4676`	`4676`	`return nfserr_resource;`
`4677`	`4677`
`4678`	`4678`	`for (i = 0, supported = 0; i < nflavs; i++) {`
`@@ -4682,7 +4682,9 @@ nfsd4_do_encode_secinfo(struct xdr_stream xdr, struct svc_export exp)`
`4682`	`4682`	`return status;`
`4683`	`4683`	`}`
`4684`	`4684`
`4685`		`- *flavorsp = cpu_to_be32(supported);`
	`4685`	`+ wire_count = cpu_to_be32(supported);`
	`4686`	`+ write_bytes_to_xdr_buf(xdr->buf, count_offset, &wire_count,`
	`4687`	`+ XDR_UNIT);`
`4686`	`4688`	`return 0;`
`4687`	`4689`	`}`
`4688`	`4690`
`@@ -4693,7 +4695,7 @@ nfsd4_encode_secinfo(struct nfsd4_compoundres *resp, __be32 nfserr,`
`4693`	`4695`	`struct nfsd4_secinfo *secinfo = &u->secinfo;`
`4694`	`4696`	`struct xdr_stream *xdr = resp->xdr;`
`4695`	`4697`
`4696`		`- return nfsd4_do_encode_secinfo(xdr, secinfo->si_exp);`
	`4698`	`+ return nfsd4_encode_SECINFO4resok(xdr, secinfo->si_exp);`
`4697`	`4699`	`}`
`4698`	`4700`
`4699`	`4701`	`static __be32`
`@@ -4703,7 +4705,7 @@ nfsd4_encode_secinfo_no_name(struct nfsd4_compoundres *resp, __be32 nfserr,`
`4703`	`4705`	`struct nfsd4_secinfo_no_name *secinfo = &u->secinfo_no_name;`
`4704`	`4706`	`struct xdr_stream *xdr = resp->xdr;`
`4705`	`4707`
`4706`		`- return nfsd4_do_encode_secinfo(xdr, secinfo->sin_exp);`
	`4708`	`+ return nfsd4_encode_SECINFO4resok(xdr, secinfo->sin_exp);`
`4707`	`4709`	`}`
`4708`	`4710`
`4709`	`4711`	`static __be32`