mirror of
https://github.com/joel16/android_kernel_sony_msm8994.git
synced 2024-12-13 23:50:57 +00:00
[PATCH] RPC: fix accounting bug in the case of a truncated RPC message
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
parent
e053d1ab62
commit
7e06b53d79
@ -160,7 +160,7 @@ typedef struct {
|
|||||||
|
|
||||||
typedef size_t (*skb_read_actor_t)(skb_reader_t *desc, void *to, size_t len);
|
typedef size_t (*skb_read_actor_t)(skb_reader_t *desc, void *to, size_t len);
|
||||||
|
|
||||||
extern int xdr_partial_copy_from_skb(struct xdr_buf *, unsigned int,
|
extern ssize_t xdr_partial_copy_from_skb(struct xdr_buf *, unsigned int,
|
||||||
skb_reader_t *, skb_read_actor_t);
|
skb_reader_t *, skb_read_actor_t);
|
||||||
|
|
||||||
struct socket;
|
struct socket;
|
||||||
|
@ -176,21 +176,23 @@ xdr_inline_pages(struct xdr_buf *xdr, unsigned int offset,
|
|||||||
xdr->buflen += len;
|
xdr->buflen += len;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
ssize_t
|
||||||
xdr_partial_copy_from_skb(struct xdr_buf *xdr, unsigned int base,
|
xdr_partial_copy_from_skb(struct xdr_buf *xdr, unsigned int base,
|
||||||
skb_reader_t *desc,
|
skb_reader_t *desc,
|
||||||
skb_read_actor_t copy_actor)
|
skb_read_actor_t copy_actor)
|
||||||
{
|
{
|
||||||
struct page **ppage = xdr->pages;
|
struct page **ppage = xdr->pages;
|
||||||
unsigned int len, pglen = xdr->page_len;
|
unsigned int len, pglen = xdr->page_len;
|
||||||
|
ssize_t copied = 0;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
len = xdr->head[0].iov_len;
|
len = xdr->head[0].iov_len;
|
||||||
if (base < len) {
|
if (base < len) {
|
||||||
len -= base;
|
len -= base;
|
||||||
ret = copy_actor(desc, (char *)xdr->head[0].iov_base + base, len);
|
ret = copy_actor(desc, (char *)xdr->head[0].iov_base + base, len);
|
||||||
|
copied += ret;
|
||||||
if (ret != len || !desc->count)
|
if (ret != len || !desc->count)
|
||||||
return 0;
|
goto out;
|
||||||
base = 0;
|
base = 0;
|
||||||
} else
|
} else
|
||||||
base -= len;
|
base -= len;
|
||||||
@ -214,8 +216,11 @@ xdr_partial_copy_from_skb(struct xdr_buf *xdr, unsigned int base,
|
|||||||
* are small by default but can get huge. */
|
* are small by default but can get huge. */
|
||||||
if (unlikely(*ppage == NULL)) {
|
if (unlikely(*ppage == NULL)) {
|
||||||
*ppage = alloc_page(GFP_ATOMIC);
|
*ppage = alloc_page(GFP_ATOMIC);
|
||||||
if (unlikely(*ppage == NULL))
|
if (unlikely(*ppage == NULL)) {
|
||||||
return -ENOMEM;
|
if (copied == 0)
|
||||||
|
copied = -ENOMEM;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
len = PAGE_CACHE_SIZE;
|
len = PAGE_CACHE_SIZE;
|
||||||
@ -233,16 +238,17 @@ xdr_partial_copy_from_skb(struct xdr_buf *xdr, unsigned int base,
|
|||||||
}
|
}
|
||||||
flush_dcache_page(*ppage);
|
flush_dcache_page(*ppage);
|
||||||
kunmap_atomic(kaddr, KM_SKB_SUNRPC_DATA);
|
kunmap_atomic(kaddr, KM_SKB_SUNRPC_DATA);
|
||||||
|
copied += ret;
|
||||||
if (ret != len || !desc->count)
|
if (ret != len || !desc->count)
|
||||||
return 0;
|
goto out;
|
||||||
ppage++;
|
ppage++;
|
||||||
} while ((pglen -= len) != 0);
|
} while ((pglen -= len) != 0);
|
||||||
copy_tail:
|
copy_tail:
|
||||||
len = xdr->tail[0].iov_len;
|
len = xdr->tail[0].iov_len;
|
||||||
if (base < len)
|
if (base < len)
|
||||||
copy_actor(desc, (char *)xdr->tail[0].iov_base + base, len - base);
|
copied += copy_actor(desc, (char *)xdr->tail[0].iov_base + base, len - base);
|
||||||
|
out:
|
||||||
return 0;
|
return copied;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
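Review bot: The new return contract of xdr_partial_copy_from_skb is not documented at its definition: it now returns the number of bytes copied, a short count when the copy stops early, and -ENOMEM only when the page allocation fails with `copied == 0`. A comment above the function, for example `/* Returns the number of bytes copied into xdr; a short count means the copy stopped early. -ENOMEM is returned only if no data was copied. */`, would tell callers to compare the result with the requested length rather than test only for a negative value. In the same function `int ret` still receives the `size_t` result of `copy_actor` and is then added to the `ssize_t copied`; declaring it `size_t ret;` would match the actor type shown in the header hunk. The page loop between the second and third hunks is not visible here, so the assignment to `ret` there is assumed to follow the same pattern.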
@ -823,10 +823,15 @@ tcp_copy_data(skb_reader_t *desc, void *p, size_t len)
|
|||||||
{
|
{
|
||||||
if (len > desc->count)
|
if (len > desc->count)
|
||||||
len = desc->count;
|
len = desc->count;
|
||||||
if (skb_copy_bits(desc->skb, desc->offset, p, len))
|
if (skb_copy_bits(desc->skb, desc->offset, p, len)) {
|
||||||
|
dprintk("RPC: failed to copy %zu bytes from skb. %zu bytes remain\n",
|
||||||
|
len, desc->count);
|
||||||
return 0;
|
return 0;
|
||||||
|
}
|
||||||
desc->offset += len;
|
desc->offset += len;
|
||||||
desc->count -= len;
|
desc->count -= len;
|
||||||
|
dprintk("RPC: copied %zu bytes from skb. %zu bytes remain\n",
|
||||||
|
len, desc->count);
|
||||||
return len;
|
return len;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -865,6 +870,8 @@ tcp_read_fraghdr(struct rpc_xprt *xprt, skb_reader_t *desc)
|
|||||||
static void
|
static void
|
||||||
tcp_check_recm(struct rpc_xprt *xprt)
|
tcp_check_recm(struct rpc_xprt *xprt)
|
||||||
{
|
{
|
||||||
|
dprintk("RPC: xprt = %p, tcp_copied = %lu, tcp_offset = %u, tcp_reclen = %u, tcp_flags = %lx\n",
|
||||||
|
xprt, xprt->tcp_copied, xprt->tcp_offset, xprt->tcp_reclen, xprt->tcp_flags);
|
||||||
if (xprt->tcp_offset == xprt->tcp_reclen) {
|
if (xprt->tcp_offset == xprt->tcp_reclen) {
|
||||||
xprt->tcp_flags |= XPRT_COPY_RECM;
|
xprt->tcp_flags |= XPRT_COPY_RECM;
|
||||||
xprt->tcp_offset = 0;
|
xprt->tcp_offset = 0;
|
||||||
@ -909,7 +916,7 @@ tcp_read_request(struct rpc_xprt *xprt, skb_reader_t *desc)
|
|||||||
struct rpc_rqst *req;
|
struct rpc_rqst *req;
|
||||||
struct xdr_buf *rcvbuf;
|
struct xdr_buf *rcvbuf;
|
||||||
size_t len;
|
size_t len;
|
||||||
int r;
|
ssize_t r;
|
||||||
|
|
||||||
/* Find and lock the request corresponding to this xid */
|
/* Find and lock the request corresponding to this xid */
|
||||||
spin_lock(&xprt->sock_lock);
|
spin_lock(&xprt->sock_lock);
|
||||||
@ -932,15 +939,17 @@ tcp_read_request(struct rpc_xprt *xprt, skb_reader_t *desc)
|
|||||||
my_desc.count = len;
|
my_desc.count = len;
|
||||||
r = xdr_partial_copy_from_skb(rcvbuf, xprt->tcp_copied,
|
r = xdr_partial_copy_from_skb(rcvbuf, xprt->tcp_copied,
|
||||||
&my_desc, tcp_copy_data);
|
&my_desc, tcp_copy_data);
|
||||||
desc->count -= len;
|
desc->count -= r;
|
||||||
desc->offset += len;
|
desc->offset += r;
|
||||||
} else
|
} else
|
||||||
r = xdr_partial_copy_from_skb(rcvbuf, xprt->tcp_copied,
|
r = xdr_partial_copy_from_skb(rcvbuf, xprt->tcp_copied,
|
||||||
desc, tcp_copy_data);
|
desc, tcp_copy_data);
|
||||||
xprt->tcp_copied += len;
|
|
||||||
xprt->tcp_offset += len;
|
|
||||||
|
|
||||||
if (r < 0) {
|
if (r > 0) {
|
||||||
|
xprt->tcp_copied += r;
|
||||||
|
xprt->tcp_offset += r;
|
||||||
|
}
|
||||||
|
if (r != len) {
|
||||||
/* Error when copying to the receive buffer,
|
/* Error when copying to the receive buffer,
|
||||||
* usually because we weren't able to allocate
|
* usually because we weren't able to allocate
|
||||||
* additional buffer pages. All we can do now
|
* additional buffer pages. All we can do now
|
||||||
@ -951,9 +960,18 @@ tcp_read_request(struct rpc_xprt *xprt, skb_reader_t *desc)
|
|||||||
* be discarded.
|
* be discarded.
|
||||||
*/
|
*/
|
||||||
xprt->tcp_flags &= ~XPRT_COPY_DATA;
|
xprt->tcp_flags &= ~XPRT_COPY_DATA;
|
||||||
|
dprintk("RPC: XID %08x truncated request\n",
|
||||||
|
ntohl(xprt->tcp_xid));
|
||||||
|
dprintk("RPC: xprt = %p, tcp_copied = %lu, tcp_offset = %u, tcp_reclen = %u\n",
|
||||||
|
xprt, xprt->tcp_copied, xprt->tcp_offset, xprt->tcp_reclen);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dprintk("RPC: XID %08x read %u bytes\n",
|
||||||
|
ntohl(xprt->tcp_xid), r);
|
||||||
|
dprintk("RPC: xprt = %p, tcp_copied = %lu, tcp_offset = %u, tcp_reclen = %u\n",
|
||||||
|
xprt, xprt->tcp_copied, xprt->tcp_offset, xprt->tcp_reclen);
|
||||||
|
|
||||||
if (xprt->tcp_copied == req->rq_private_buf.buflen)
|
if (xprt->tcp_copied == req->rq_private_buf.buflen)
|
||||||
xprt->tcp_flags &= ~XPRT_COPY_DATA;
|
xprt->tcp_flags &= ~XPRT_COPY_DATA;
|
||||||
else if (xprt->tcp_offset == xprt->tcp_reclen) {
|
else if (xprt->tcp_offset == xprt->tcp_reclen) {
|
||||||
@ -961,12 +979,12 @@ tcp_read_request(struct rpc_xprt *xprt, skb_reader_t *desc)
|
|||||||
xprt->tcp_flags &= ~XPRT_COPY_DATA;
|
xprt->tcp_flags &= ~XPRT_COPY_DATA;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
out:
|
||||||
if (!(xprt->tcp_flags & XPRT_COPY_DATA)) {
|
if (!(xprt->tcp_flags & XPRT_COPY_DATA)) {
|
||||||
dprintk("RPC: %4d received reply complete\n",
|
dprintk("RPC: %4d received reply complete\n",
|
||||||
req->rq_task->tk_pid);
|
req->rq_task->tk_pid);
|
||||||
xprt_complete_rqst(xprt, req, xprt->tcp_copied);
|
xprt_complete_rqst(xprt, req, xprt->tcp_copied);
|
||||||
}
|
}
|
||||||
out:
|
|
||||||
spin_unlock(&xprt->sock_lock);
|
spin_unlock(&xprt->sock_lock);
|
||||||
tcp_check_recm(xprt);
|
tcp_check_recm(xprt);
|
||||||
}
|
}
|
||||||
@ -985,6 +1003,7 @@ tcp_read_discard(struct rpc_xprt *xprt, skb_reader_t *desc)
|
|||||||
desc->count -= len;
|
desc->count -= len;
|
||||||
desc->offset += len;
|
desc->offset += len;
|
||||||
xprt->tcp_offset += len;
|
xprt->tcp_offset += len;
|
||||||
|
dprintk("RPC: discarded %u bytes\n", len);
|
||||||
tcp_check_recm(xprt);
|
tcp_check_recm(xprt);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
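Review bot: In tcp_read_request the bounded-copy branch applies `desc->count -= r; desc->offset += r;` before `r` is checked for sign, while the `r > 0` guard added a few lines below covers only `xprt->tcp_copied` and `xprt->tcp_offset`. xdr_partial_copy_from_skb now returns -ENOMEM when the page allocation fails before anything was copied, so on that path the reader's remaining count would grow and its offset would move backwards by the errno value. Guarding the reader update the same way, `if (r > 0) { desc->count -= r; desc->offset += r; }`, keeps the skb accounting from going backwards. Separately, the new `dprintk("RPC: XID %08x read %u bytes\n", ...)` prints the `ssize_t r` with `%u`; `%zd` matches the type and the `%zu` style used elsewhere in this commit. The condition that selects this branch and the start of the function are outside the hunks shown.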