NFSD: Update rq_next_page between COMPOUND operations

A GETATTR with a large result can advance xdr->page_ptr without
updating rq_next_page. If a splice READ follows that GETATTR in the
COMPOUND, nfsd_splice_actor can start splicing at the wrong page.

I've also seen READLINK and READDIR leave rq_next_page in an
unmodified state.

There are potentially a myriad of combinations like this, so play it
safe: move the rq_next_page update to nfsd4_encode_operation.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index b78c239..3887da0 100644 (file)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -5438,6 +5438,12 @@ status:
 release:
        if (opdesc && opdesc->op_release)
                opdesc->op_release(&op->u);
+
+       /*
+        * Account for pages consumed while encoding this operation.
+        * The xdr_stream primitives don't manage rq_next_page.
+        */
+       rqstp->rq_next_page = xdr->page_ptr + 1;
 }
 
 /* 
@@ -5506,9 +5512,6 @@ nfs4svc_encode_compoundres(struct svc_rqst *rqstp, struct xdr_stream *xdr)
        p = resp->statusp;
 
        *p++ = resp->cstate.status;
-
-       rqstp->rq_next_page = xdr->page_ptr + 1;
-
        *p++ = htonl(resp->taglen);
        memcpy(p, resp->tag, resp->taglen);
        p += XDR_QUADLEN(resp->taglen);