NFSv4.2: Don't error when exiting early on a READ_PLUS buffer overflow

Expanding the READ_PLUS extents can cause the read buffer to overflow.
If it does, then don't error, but just exit early.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>

diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c
index 6ba2a28..9ef5261 100644 (file)
--- a/fs/nfs/nfs42xdr.c
+++ b/fs/nfs/nfs42xdr.c
@@ -1025,16 +1025,16 @@ static int decode_deallocate(struct xdr_stream *xdr, struct nfs42_falloc_res *re
        return decode_op_hdr(xdr, OP_DEALLOCATE);
 }
 
-static int decode_read_plus_data(struct xdr_stream *xdr, struct nfs_pgio_res *res,
-                                uint32_t *eof)
+static int decode_read_plus_data(struct xdr_stream *xdr,
+                                struct nfs_pgio_res *res)
 {
        uint32_t count, recvd;
        uint64_t offset;
        __be32 *p;
 
        p = xdr_inline_decode(xdr, 8 + 4);
-       if (unlikely(!p))
-               return -EIO;
+       if (!p)
+               return 1;
 
        p = xdr_decode_hyper(p, &offset);
        count = be32_to_cpup(p);
@@ -1043,13 +1043,8 @@ static int decode_read_plus_data(struct xdr_stream *xdr, struct nfs_pgio_res *re
                recvd = count;
        res->count += recvd;
 
-       if (count > recvd) {
-               dprintk("NFS: server cheating in read reply: "
-                               "count %u > recvd %u\n", count, recvd);
-               *eof = 0;
+       if (count > recvd)
                return 1;
-       }
-
        return 0;
 }
 
@@ -1061,8 +1056,8 @@ static int decode_read_plus_hole(struct xdr_stream *xdr,
        __be32 *p;
 
        p = xdr_inline_decode(xdr, 8 + 8);
-       if (unlikely(!p))
-               return -EIO;
+       if (!p)
+               return 1;
 
        p = xdr_decode_hyper(p, &offset);
        p = xdr_decode_hyper(p, &length);
@@ -1089,10 +1084,8 @@ static int decode_read_plus_hole(struct xdr_stream *xdr,
        recvd = xdr_expand_hole(xdr, res->count, length);
        res->count += recvd;
 
-       if (recvd < length) {
-               *eof = 0;
+       if (recvd < length)
                return 1;
-       }
        return 0;
 }
 
@@ -1121,12 +1114,12 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res)
 
        for (i = 0; i < segments; i++) {
                p = xdr_inline_decode(xdr, 4);
-               if (unlikely(!p))
-                       return -EIO;
+               if (!p)
+                       goto early_out;
 
                type = be32_to_cpup(p++);
                if (type == NFS4_CONTENT_DATA)
-                       status = decode_read_plus_data(xdr, res, &eof);
+                       status = decode_read_plus_data(xdr, res);
                else if (type == NFS4_CONTENT_HOLE)
                        status = decode_read_plus_hole(xdr, args, res, &eof);
                else
@@ -1135,12 +1128,17 @@ static int decode_read_plus(struct xdr_stream *xdr, struct nfs_pgio_res *res)
                if (status < 0)
                        return status;
                if (status > 0)
-                       break;
+                       goto early_out;
        }
 
 out:
        res->eof = eof;
        return 0;
+early_out:
+       if (unlikely(!i))
+               return -EIO;
+       res->eof = 0;
+       return 0;
 }
 
 static int decode_seek(struct xdr_stream *xdr, struct nfs42_seek_res *res)