1. 10 Dec 2014, 2 commits
  2. 08 Nov 2014, 2 commits
  3. 24 Oct 2014, 1 commit
    • nfsd4: fix crash on unknown operation number · 51904b08
      J. Bruce Fields committed
      Unknown operation numbers are caught in nfsd4_decode_compound() which
      sets op->opnum to OP_ILLEGAL and op->status to nfserr_op_illegal.  The
      error causes the main loop in nfsd4_proc_compound() to skip most
      processing.  But nfsd4_proc_compound also peeks ahead at the next
      operation in one case and doesn't take similar precautions there.

      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      51904b08
  4. 21 Oct 2014, 1 commit
  5. 30 Sep 2014, 1 commit
  6. 05 Aug 2014, 1 commit
  7. 01 Aug 2014, 1 commit
  8. 30 Jul 2014, 1 commit
  9. 10 Jul 2014, 1 commit
  10. 09 Jul 2014, 4 commits
    • NFSD: Remove iattr parameter from nfsd_symlink() · 1e444f5b
      Kinglong Mee committed
      Commit db2e747b (vfs: remove mode parameter from vfs_symlink())
      has removed the mode parameter from vfs_symlink.
      So iattr isn't needed by nfsd_symlink now; just remove it.
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      1e444f5b
    • nfsd4: rename cr_linkname->cr_data · 7fb84306
      J. Bruce Fields committed
      The name of a link is currently stored in cr_name and cr_namelen, and
      the content in cr_linkname and cr_linklen.  That's confusing.
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      7fb84306
    • nfsd: let nfsd_symlink assume null-terminated data · 52ee0433
      J. Bruce Fields committed
      Currently nfsd_symlink has a weird hack to serve callers who don't
      null-terminate symlink data: it looks ahead at the next byte to see if
      it's zero, and copies it to a new buffer to null-terminate if not.

      That means callers don't have to null-terminate, but they *do* have to
      ensure that the byte following the end of the data is theirs to read.

      That's a bit subtle, and the NFSv4 code actually got this wrong.

      So let's just throw out that code and let callers pass null-terminated
      strings; we've already fixed them to do that.
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      52ee0433
    • nfsd: fix rare symlink decoding bug · b829e919
      J. Bruce Fields committed
      An NFS operation that creates a new symlink includes the symlink data,
      which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
      of zero-padding as required to reach a 4-byte boundary.

      The vfs, on the other hand, wants null-terminated data.

      The simple way to handle this would be by copying the data into a newly
      allocated buffer with space for the final null.

      The current nfsd_symlink code tries to be more clever by skipping that
      step in the (likely) case where the byte following the string is already
      0.

      But that assumes that the byte following the string is ours to look at.
      In fact, it might be the first byte of a page that we can't read, or of
      some object that another task might modify.

      Worse, the NFSv4 code tries to fix the problem by actually writing to
      that byte.

      In the NFSv2/v3 cases this actually appears to be safe:

      	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
      	  (after first checking its length and copying it to a new
      	  page).
      	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
      	  request is always at least a page, and the link data (and
      	  previous fields) have maximum lengths that prevent the request
      	  from reaching the end of a page.

      In the NFSv4 case the CREATE op is potentially just one part of a long
      compound so can end up on the end of a page if you're unlucky.

      The minimal fix here is to copy and null-terminate in the NFSv4 case.
      The nfsd_symlink() interface here seems too fragile, though.  It should
      really either do the copy itself every time or just require a
      null-terminated string.
      Reported-by: Jeff Layton <jlayton@primarydata.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      b829e919
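The symlink encoding the commit message above describes, as an added example that is not kernel code and not part of this history: an XDR opaque is a 4-byte big-endian length, the data, then 0 to 3 zero bytes of padding to the next 4-byte boundary, and the robust way to hand it to an interface that wants a C string is to copy it into a buffer that owns its own terminator. The function names, the MAX_LINK_LEN limit of 4096 and the rejection of embedded NULs are this example's own choices, not values taken from nfsd. Every read is bounded by the caller's buffer length, so the decoder never looks at the byte after the data, which is the byte the message says might sit on an unreadable page or in another task's object.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on link data this example accepts (an assumption of the
 * example, not a value taken from the kernel). */
#define MAX_LINK_LEN 4096

/* Length of an XDR opaque body rounded up to the 4-byte boundary:
 * `len` data bytes plus 0-3 zero bytes of padding. */
static size_t xdr_padded_len(size_t len)
{
    return (len + 3) & ~(size_t)3;
}

/* Encode `target` as an XDR opaque (length, data, padding) into out.
 * Returns bytes written, or 0 if it does not fit.  Used here only to
 * construct sample wire data for the checks below. */
size_t encode_symlink_data(const char *target, uint8_t *out, size_t outlen)
{
    size_t len = strlen(target);
    size_t total = 4 + xdr_padded_len(len);

    if (len > MAX_LINK_LEN || total > outlen)
        return 0;
    out[0] = (uint8_t)(len >> 24);
    out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
    memcpy(out + 4, target, len);
    memset(out + 4 + len, 0, total - 4 - len);   /* the 0-3 pad bytes */
    return total;
}

/* Decode one XDR opaque holding symlink data from buf[0 .. buflen).
 * On success returns a freshly allocated NUL-terminated copy and stores
 * the number of XDR bytes consumed in *consumed.  Returns NULL when the
 * length word, data or padding would extend past buflen, or the data
 * holds an embedded NUL.  Every read stays inside buflen: the decoder
 * never inspects "the byte following the string", so it does not matter
 * whether that byte is ours to read. */
char *decode_symlink_data(const uint8_t *buf, size_t buflen, size_t *consumed)
{
    uint32_t len;
    size_t total;
    char *out;

    if (buflen < 4)
        return NULL;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len == 0 || len > MAX_LINK_LEN)
        return NULL;                      /* example policy: bounded, non-empty */
    total = 4 + xdr_padded_len(len);      /* cannot overflow: len <= 4096 */
    if (total > buflen)
        return NULL;                      /* data or padding runs off the buffer */
    if (memchr(buf + 4, '\0', len) != NULL)
        return NULL;                      /* a C string would silently truncate */

    out = malloc((size_t)len + 1);
    if (!out)
        return NULL;
    memcpy(out, buf + 4, len);
    out[len] = '\0';                      /* explicit terminator, in memory we own */
    *consumed = total;
    return out;
}

/* Encode `target` into a heap buffer of exactly the encoded size, so the
 * byte after the XDR data is not ours (a bounds checker such as ASan
 * would flag any peek past it), then decode and compare.  Returns 1 when
 * the round trip is exact and the consumed length equals expect_total. */
int roundtrip_ok(const char *target, size_t expect_total)
{
    size_t total = 4 + xdr_padded_len(strlen(target));
    uint8_t *wire = malloc(total);
    size_t consumed = 0, n;
    char *decoded;
    int ok;

    if (!wire)
        return 0;
    n = encode_symlink_data(target, wire, total);
    decoded = n ? decode_symlink_data(wire, n, &consumed) : NULL;
    ok = decoded != NULL && strcmp(decoded, target) == 0 &&
         n == expect_total && consumed == expect_total;
    free(decoded);
    free(wire);
    return ok;
}

/* Returns 1 if a buffer one byte shorter than its own encoding is
 * rejected instead of being read past its end. */
int truncated_rejected(const char *target)
{
    uint8_t wire[4 + MAX_LINK_LEN];
    size_t n = encode_symlink_data(target, wire, sizeof wire);
    size_t consumed = 0;
    char *decoded;
    int rejected;

    if (n == 0)
        return 0;
    decoded = decode_symlink_data(wire, n - 1, &consumed);
    rejected = (decoded == NULL);
    free(decoded);
    return rejected;
}

int main(void)
{
    printf("/etc/hostname round trip: %s\n",
           roundtrip_ok("/etc/hostname", 20) ? "ok" : "FAIL");
    printf("truncated encoding:       %s\n",
           truncated_rejected("/etc/hostname") ? "rejected" : "FAIL");
    return 0;
}
```

"/etc/hostname" is 13 bytes, so the opaque is 4 + 13 + 3 pad = 20 bytes; a 4-byte-aligned target such as "abcd" gets no padding and occupies 8. Because roundtrip_ok sizes the wire buffer to exactly the encoding, any decoder that tried the "is the next byte already zero?" shortcut would read one past the allocation, which is the same class of access the commit describes hitting the end of a page.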
  11. 28 Jun 2014, 1 commit
    • nfsd: fix rare symlink decoding bug · 76f47128
      J. Bruce Fields committed
      An NFS operation that creates a new symlink includes the symlink data,
      which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
      of zero-padding as required to reach a 4-byte boundary.

      The vfs, on the other hand, wants null-terminated data.

      The simple way to handle this would be by copying the data into a newly
      allocated buffer with space for the final null.

      The current nfsd_symlink code tries to be more clever by skipping that
      step in the (likely) case where the byte following the string is already
      0.

      But that assumes that the byte following the string is ours to look at.
      In fact, it might be the first byte of a page that we can't read, or of
      some object that another task might modify.

      Worse, the NFSv4 code tries to fix the problem by actually writing to
      that byte.

      In the NFSv2/v3 cases this actually appears to be safe:

      	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
      	  (after first checking its length and copying it to a new
      	  page).
      	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
      	  request is always at least a page, and the link data (and
      	  previous fields) have maximum lengths that prevent the request
      	  from reaching the end of a page.

      In the NFSv4 case the CREATE op is potentially just one part of a long
      compound so can end up on the end of a page if you're unlucky.

      The minimal fix here is to copy and null-terminate in the NFSv4 case.
      The nfsd_symlink() interface here seems too fragile, though.  It should
      really either do the copy itself every time or just require a
      null-terminated string.
      Reported-by: Jeff Layton <jlayton@primarydata.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      76f47128
  12. 23 Jun 2014, 4 commits
  13. 07 Jun 2014, 1 commit
    • nfsd4: simplify server xdr->next_page use · 05638dc7
      J. Bruce Fields committed
      The rpc code makes available to the NFS server an array of pages to
      encode into.  The server represents its reply as an xdr buf, with the
      head pointing into the first page in that array, the pages ** array
      starting just after that, and the tail (if any) sharing any leftover
      space in the page used by the head.

      While encoding, we use xdr_stream->page_ptr to keep track of which page
      we're currently using.

      Currently we set xdr_stream->page_ptr to buf->pages, which makes the
      head a weird exception to the rule that page_ptr always points to the
      page we're currently encoding into.  So, instead set it to buf->pages -
      1 (the page actually containing the head), and remove the need for a
      little unintuitive logic in xdr_get_next_encode_buffer() and
      xdr_truncate_encode.
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      05638dc7
  14. 05 Jun 2014, 2 commits
  15. 31 May 2014, 10 commits
  16. 29 May 2014, 3 commits
  17. 27 May 2014, 1 commit
  18. 23 May 2014, 3 commits