Commit e77295dc authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-2.6.27' of git://linux-nfs.org/~bfields/linux

* 'for-2.6.27' of git://linux-nfs.org/~bfields/linux:
  nfsd: fix buffer overrun decoding NFSv4 acl
  sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports
  nfsd: fix compound state allocation error handling
  svcrdma: Fix race between svc_rdma_recvfrom thread and the dto_tasklet
parents 1136cf11 91b80969
...@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt) ...@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt)
* enough space for either: * enough space for either:
*/ */
alloc = sizeof(struct posix_ace_state_array) alloc = sizeof(struct posix_ace_state_array)
+ cnt*sizeof(struct posix_ace_state); + cnt*sizeof(struct posix_user_ace_state);
state->users = kzalloc(alloc, GFP_KERNEL); state->users = kzalloc(alloc, GFP_KERNEL);
if (!state->users) if (!state->users)
return -ENOMEM; return -ENOMEM;
......
...@@ -867,11 +867,6 @@ nfsd4_proc_compound(struct svc_rqst *rqstp, ...@@ -867,11 +867,6 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
int slack_bytes; int slack_bytes;
__be32 status; __be32 status;
status = nfserr_resource;
cstate = cstate_alloc();
if (cstate == NULL)
goto out;
resp->xbuf = &rqstp->rq_res; resp->xbuf = &rqstp->rq_res;
resp->p = rqstp->rq_res.head[0].iov_base + rqstp->rq_res.head[0].iov_len; resp->p = rqstp->rq_res.head[0].iov_base + rqstp->rq_res.head[0].iov_len;
resp->tagp = resp->p; resp->tagp = resp->p;
...@@ -890,6 +885,11 @@ nfsd4_proc_compound(struct svc_rqst *rqstp, ...@@ -890,6 +885,11 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
if (args->minorversion > NFSD_SUPPORTED_MINOR_VERSION) if (args->minorversion > NFSD_SUPPORTED_MINOR_VERSION)
goto out; goto out;
status = nfserr_resource;
cstate = cstate_alloc();
if (cstate == NULL)
goto out;
status = nfs_ok; status = nfs_ok;
while (!status && resp->opcnt < args->opcnt) { while (!status && resp->opcnt < args->opcnt) {
op = &args->ops[resp->opcnt++]; op = &args->ops[resp->opcnt++];
...@@ -957,9 +957,9 @@ nfsd4_proc_compound(struct svc_rqst *rqstp, ...@@ -957,9 +957,9 @@ nfsd4_proc_compound(struct svc_rqst *rqstp,
nfsd4_increment_op_stats(op->opnum); nfsd4_increment_op_stats(op->opnum);
} }
cstate_free(cstate);
out: out:
nfsd4_release_compoundargs(args); nfsd4_release_compoundargs(args);
cstate_free(cstate);
dprintk("nfsv4 compound returned %d\n", ntohl(status)); dprintk("nfsv4 compound returned %d\n", ntohl(status));
return status; return status;
} }
......
...@@ -143,7 +143,6 @@ struct svcxprt_rdma { ...@@ -143,7 +143,6 @@ struct svcxprt_rdma {
unsigned long sc_flags; unsigned long sc_flags;
struct list_head sc_dto_q; /* DTO tasklet I/O pending Q */ struct list_head sc_dto_q; /* DTO tasklet I/O pending Q */
struct list_head sc_read_complete_q; struct list_head sc_read_complete_q;
spinlock_t sc_read_complete_lock;
struct work_struct sc_work; struct work_struct sc_work;
}; };
/* sc_flags */ /* sc_flags */
......
...@@ -60,24 +60,14 @@ static int proc_do_xprt(ctl_table *table, int write, struct file *file, ...@@ -60,24 +60,14 @@ static int proc_do_xprt(ctl_table *table, int write, struct file *file,
void __user *buffer, size_t *lenp, loff_t *ppos) void __user *buffer, size_t *lenp, loff_t *ppos)
{ {
char tmpbuf[256]; char tmpbuf[256];
int len; size_t len;
if ((*ppos && !write) || !*lenp) { if ((*ppos && !write) || !*lenp) {
*lenp = 0; *lenp = 0;
return 0; return 0;
} }
if (write)
return -EINVAL;
else {
len = svc_print_xprts(tmpbuf, sizeof(tmpbuf)); len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
if (!access_ok(VERIFY_WRITE, buffer, len)) return simple_read_from_buffer(buffer, *lenp, ppos, tmpbuf, len);
return -EFAULT;
if (__copy_to_user(buffer, tmpbuf, len))
return -EFAULT;
}
*lenp -= len;
*ppos += len;
return 0;
} }
static int static int
......
...@@ -443,18 +443,18 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp) ...@@ -443,18 +443,18 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp)
dprintk("svcrdma: rqstp=%p\n", rqstp); dprintk("svcrdma: rqstp=%p\n", rqstp);
spin_lock_bh(&rdma_xprt->sc_read_complete_lock); spin_lock_bh(&rdma_xprt->sc_rq_dto_lock);
if (!list_empty(&rdma_xprt->sc_read_complete_q)) { if (!list_empty(&rdma_xprt->sc_read_complete_q)) {
ctxt = list_entry(rdma_xprt->sc_read_complete_q.next, ctxt = list_entry(rdma_xprt->sc_read_complete_q.next,
struct svc_rdma_op_ctxt, struct svc_rdma_op_ctxt,
dto_q); dto_q);
list_del_init(&ctxt->dto_q); list_del_init(&ctxt->dto_q);
} }
spin_unlock_bh(&rdma_xprt->sc_read_complete_lock); if (ctxt) {
if (ctxt) spin_unlock_bh(&rdma_xprt->sc_rq_dto_lock);
return rdma_read_complete(rqstp, ctxt); return rdma_read_complete(rqstp, ctxt);
}
spin_lock_bh(&rdma_xprt->sc_rq_dto_lock);
if (!list_empty(&rdma_xprt->sc_rq_dto_q)) { if (!list_empty(&rdma_xprt->sc_rq_dto_q)) {
ctxt = list_entry(rdma_xprt->sc_rq_dto_q.next, ctxt = list_entry(rdma_xprt->sc_rq_dto_q.next,
struct svc_rdma_op_ctxt, struct svc_rdma_op_ctxt,
......
...@@ -359,11 +359,11 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt) ...@@ -359,11 +359,11 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt)
if (test_bit(RDMACTXT_F_LAST_CTXT, &ctxt->flags)) { if (test_bit(RDMACTXT_F_LAST_CTXT, &ctxt->flags)) {
struct svc_rdma_op_ctxt *read_hdr = ctxt->read_hdr; struct svc_rdma_op_ctxt *read_hdr = ctxt->read_hdr;
BUG_ON(!read_hdr); BUG_ON(!read_hdr);
spin_lock_bh(&xprt->sc_rq_dto_lock);
set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags); set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
spin_lock_bh(&xprt->sc_read_complete_lock);
list_add_tail(&read_hdr->dto_q, list_add_tail(&read_hdr->dto_q,
&xprt->sc_read_complete_q); &xprt->sc_read_complete_q);
spin_unlock_bh(&xprt->sc_read_complete_lock); spin_unlock_bh(&xprt->sc_rq_dto_lock);
svc_xprt_enqueue(&xprt->sc_xprt); svc_xprt_enqueue(&xprt->sc_xprt);
} }
svc_rdma_put_context(ctxt, 0); svc_rdma_put_context(ctxt, 0);
...@@ -428,7 +428,6 @@ static struct svcxprt_rdma *rdma_create_xprt(struct svc_serv *serv, ...@@ -428,7 +428,6 @@ static struct svcxprt_rdma *rdma_create_xprt(struct svc_serv *serv,
init_waitqueue_head(&cma_xprt->sc_send_wait); init_waitqueue_head(&cma_xprt->sc_send_wait);
spin_lock_init(&cma_xprt->sc_lock); spin_lock_init(&cma_xprt->sc_lock);
spin_lock_init(&cma_xprt->sc_read_complete_lock);
spin_lock_init(&cma_xprt->sc_rq_dto_lock); spin_lock_init(&cma_xprt->sc_rq_dto_lock);
cma_xprt->sc_ord = svcrdma_ord; cma_xprt->sc_ord = svcrdma_ord;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment