1 files changed, 40 insertions, 67 deletions
diff --git a/fs/nfs/nfs2xdr.c b/fs/nfs/nfs2xdr.c
index db8846a0e82e..e6bf45710cc7 100644
--- a/fs/nfs/nfs2xdr.c
+++ b/fs/nfs/nfs2xdr.c
@@ -337,10 +337,10 @@ nfs_xdr_createargs(struct rpc_rqst *req, __be32 *p, struct nfs_createargs *args)
 static int
 nfs_xdr_renameargs(struct rpc_rqst *req, __be32 *p, struct nfs_renameargs *args)
 {
-        p = xdr_encode_fhandle(p, args->fromfh);
+        p = xdr_encode_fhandle(p, args->old_dir);
-        p = xdr_encode_array(p, args->fromname, args->fromlen);
+        p = xdr_encode_array(p, args->old_name->name, args->old_name->len);
-        p = xdr_encode_fhandle(p, args->tofh);
+        p = xdr_encode_fhandle(p, args->new_dir);
-        p = xdr_encode_array(p, args->toname, args->tolen);
+        p = xdr_encode_array(p, args->new_name->name, args->new_name->len);
        req->rq_slen = xdr_adjust_iovec(req->rq_svec, p);
        return 0;
 }
@@ -423,9 +423,7 @@ nfs_xdr_readdirres(struct rpc_rqst *req, __be32 *p, void *dummy)
        struct page **page;
        size_t hdrlen;
        unsigned int pglen, recvd;
-        u32 len;
        int status, nr = 0;
-        __be32 *end, *entry, *kaddr;
        if ((status = ntohl(*p++)))
                return nfs_stat_to_errno(status);
@@ -445,80 +443,59 @@ nfs_xdr_readdirres(struct rpc_rqst *req, __be32 *p, void *dummy)
        if (pglen > recvd)
                pglen = recvd;
        page = rcvbuf->pages;
-        kaddr = p = kmap_atomic(*page, KM_USER0);
-        end = (__be32 *)((char *)p + pglen);
-        entry = p;
-        /* Make sure the packet actually has a value_follows and EOF entry */
-        if ((entry + 1) > end)
-                goto short_pkt;
-        for (; *p++; nr++) {
-                if (p + 2 > end)
-                        goto short_pkt;
-                p++; /* fileid */
-                len = ntohl(*p++);
-                p += XDR_QUADLEN(len) + 1;      /* name plus cookie */
-                if (len > NFS2_MAXNAMLEN) {
-                        dprintk("NFS: giant filename in readdir (len 0x%x)!\n",
-                                                len);
-                        goto err_unmap;
-                }
-                if (p + 2 > end)
-                        goto short_pkt;
-                entry = p;
-        }
-        /*
-         * Apparently some server sends responses that are a valid size, but
-         * contain no entries, and have value_follows==0 and EOF==0. For
-         * those, just set the EOF marker.
-         */
-        if (!nr && entry[1] == 0) {
-                dprintk("NFS: readdir reply truncated!\n");
-                entry[1] = 1;
-        }
- out:
-        kunmap_atomic(kaddr, KM_USER0);
        return nr;
- short_pkt:
+}
-        /*
-         * When we get a short packet there are 2 possibilities. We can
+static void print_overflow_msg(const char *func, const struct xdr_stream *xdr)
-         * return an error, or fix up the response to look like a valid
+{
-         * response and return what we have so far. If there are no
+        dprintk("nfs: %s: prematurely hit end of receive buffer. "
-         * entries and the packet was short, then return -EIO. If there
+                "Remaining buffer length is %tu words.\n",
-         * are valid entries in the response, return them and pretend that
+                func, xdr->end - xdr->p);
-         * the call was successful, but incomplete. The caller can retry the
-         * readdir starting at the last cookie.
-         */
-        entry[0] = entry[1] = 0;
-        if (!nr)
-                nr = -errno_NFSERR_IO;
-        goto out;
-err_unmap:
-        nr = -errno_NFSERR_IO;
-        goto out;
 }
 __be32 *
-nfs_decode_dirent(__be32 *p, struct nfs_entry *entry, int plus)
+nfs_decode_dirent(struct xdr_stream *xdr, struct nfs_entry *entry, struct nfs_server *server, int plus)
 {
-        if (!*p++) {
+        __be32 *p;
-                if (!*p)
+        p = xdr_inline_decode(xdr, 4);
+        if (unlikely(!p))
+                goto out_overflow;
+        if (!ntohl(*p++)) {
+                p = xdr_inline_decode(xdr, 4);
+                if (unlikely(!p))
+                        goto out_overflow;
+                if (!ntohl(*p++))
                        return ERR_PTR(-EAGAIN);
                entry->eof = 1;
                return ERR_PTR(-EBADCOOKIE);
        }
+        p = xdr_inline_decode(xdr, 8);
+        if (unlikely(!p))
+                goto out_overflow;
        entry->ino        = ntohl(*p++);
        entry->len        = ntohl(*p++);
+        p = xdr_inline_decode(xdr, entry->len + 4);
+        if (unlikely(!p))
+                goto out_overflow;
        entry->name       = (const char *) p;
        p                += XDR_QUADLEN(entry->len);
        entry->prev_cookie        = entry->cookie;
        entry->cookie     = ntohl(*p++);
-        entry->eof        = !p[0] && p[1];
+        p = xdr_inline_peek(xdr, 8);
+        if (p != NULL)
+                entry->eof = !p[0] && p[1];
+        else
+                entry->eof = 0;
        return p;
+out_overflow:
+        print_overflow_msg(__func__, xdr);
+        return ERR_PTR(-EIO);
 }
 /*
@@ -596,7 +573,6 @@ nfs_xdr_readlinkres(struct rpc_rqst *req, __be32 *p, void *dummy)
        struct kvec *iov = rcvbuf->head;
        size_t hdrlen;
        u32 len, recvd;
-        char    *kaddr;
        int     status;
        if ((status = ntohl(*p++)))
@@ -623,10 +599,7 @@ nfs_xdr_readlinkres(struct rpc_rqst *req, __be32 *p, void *dummy)
                return -EIO;
        }
-        /* NULL terminate the string we got */
+        xdr_terminate_string(rcvbuf, len);
-        kaddr = (char *)kmap_atomic(rcvbuf->pages[0], KM_USER0);
-        kaddr[len+rcvbuf->page_base] = '\0';
-        kunmap_atomic(kaddr, KM_USER0);
        return 0;
 }

diff --git a/fs/nfs/nfs2xdr.c b/fs/nfs/nfs2xdr.c index db8846a0e82e..e6bf45710cc7 100644 --- a/fs/nfs/nfs2xdr.c +++ b/fs/nfs/nfs2xdr.c
@@ -337,10 +337,10 @@ nfs_xdr_createargs(struct rpc_rqst req, __be32 p, struct nfs_createargs *args)
337	static int	337	static int
338	nfs_xdr_renameargs(struct rpc_rqst req, __be32 p, struct nfs_renameargs *args)	338	nfs_xdr_renameargs(struct rpc_rqst req, __be32 p, struct nfs_renameargs *args)
339	{	339	{
340	p = xdr_encode_fhandle(p, args->fromfh);	340	p = xdr_encode_fhandle(p, args->old_dir);
341	p = xdr_encode_array(p, args->fromname, args->fromlen);	341	p = xdr_encode_array(p, args->old_name->name, args->old_name->len);
342	p = xdr_encode_fhandle(p, args->tofh);	342	p = xdr_encode_fhandle(p, args->new_dir);
343	p = xdr_encode_array(p, args->toname, args->tolen);	343	p = xdr_encode_array(p, args->new_name->name, args->new_name->len);
344	req->rq_slen = xdr_adjust_iovec(req->rq_svec, p);	344	req->rq_slen = xdr_adjust_iovec(req->rq_svec, p);
345	return 0;	345	return 0;
346	}	346	}
@@ -423,9 +423,7 @@ nfs_xdr_readdirres(struct rpc_rqst req, __be32 p, void *dummy)
423	struct page **page;	423	struct page **page;
424	size_t hdrlen;	424	size_t hdrlen;
425	unsigned int pglen, recvd;	425	unsigned int pglen, recvd;
426	u32 len;
427	int status, nr = 0;	426	int status, nr = 0;
428	__be32 end, entry, *kaddr;
429		427
430	if ((status = ntohl(*p++)))	428	if ((status = ntohl(*p++)))
431	return nfs_stat_to_errno(status);	429	return nfs_stat_to_errno(status);
@@ -445,80 +443,59 @@ nfs_xdr_readdirres(struct rpc_rqst req, __be32 p, void *dummy)
445	if (pglen > recvd)	443	if (pglen > recvd)
446	pglen = recvd;	444	pglen = recvd;
447	page = rcvbuf->pages;	445	page = rcvbuf->pages;
448	kaddr = p = kmap_atomic(*page, KM_USER0);
449	end = (__be32 )((char )p + pglen);
450	entry = p;
451
452	/* Make sure the packet actually has a value_follows and EOF entry */
453	if ((entry + 1) > end)
454	goto short_pkt;
455
456	for (; *p++; nr++) {
457	if (p + 2 > end)
458	goto short_pkt;
459	p++; /* fileid */
460	len = ntohl(*p++);
461	p += XDR_QUADLEN(len) + 1; /* name plus cookie */
462	if (len > NFS2_MAXNAMLEN) {
463	dprintk("NFS: giant filename in readdir (len 0x%x)!\n",
464	len);
465	goto err_unmap;
466	}
467	if (p + 2 > end)
468	goto short_pkt;
469	entry = p;
470	}
471
472	/*
473	* Apparently some server sends responses that are a valid size, but
474	* contain no entries, and have value_follows==0 and EOF==0. For
475	* those, just set the EOF marker.
476	*/
477	if (!nr && entry[1] == 0) {
478	dprintk("NFS: readdir reply truncated!\n");
479	entry[1] = 1;
480	}
481	out:
482	kunmap_atomic(kaddr, KM_USER0);
483	return nr;	446	return nr;
484	short_pkt:	447	}
485	/*	448
486	* When we get a short packet there are 2 possibilities. We can	449	static void print_overflow_msg(const char func, const struct xdr_stream xdr)
487	* return an error, or fix up the response to look like a valid	450	{
488	* response and return what we have so far. If there are no	451	dprintk("nfs: %s: prematurely hit end of receive buffer. "
489	* entries and the packet was short, then return -EIO. If there	452	"Remaining buffer length is %tu words.\n",
490	* are valid entries in the response, return them and pretend that	453	func, xdr->end - xdr->p);
491	* the call was successful, but incomplete. The caller can retry the
492	* readdir starting at the last cookie.
493	*/
494	entry[0] = entry[1] = 0;
495	if (!nr)
496	nr = -errno_NFSERR_IO;
497	goto out;
498	err_unmap:
499	nr = -errno_NFSERR_IO;
500	goto out;
501	}	454	}
502		455
503	__be32 *	456	__be32 *
504	nfs_decode_dirent(__be32 p, struct nfs_entry entry, int plus)	457	nfs_decode_dirent(struct xdr_stream xdr, struct nfs_entry entry, struct nfs_server *server, int plus)
505	{	458	{
506	if (!*p++) {	459	__be32 *p;
507	if (!*p)	460	p = xdr_inline_decode(xdr, 4);
		461	if (unlikely(!p))
		462	goto out_overflow;
		463	if (!ntohl(*p++)) {
		464	p = xdr_inline_decode(xdr, 4);
		465	if (unlikely(!p))
		466	goto out_overflow;
		467	if (!ntohl(*p++))
508	return ERR_PTR(-EAGAIN);	468	return ERR_PTR(-EAGAIN);
509	entry->eof = 1;	469	entry->eof = 1;
510	return ERR_PTR(-EBADCOOKIE);	470	return ERR_PTR(-EBADCOOKIE);
511	}	471	}
512		472
		473	p = xdr_inline_decode(xdr, 8);
		474	if (unlikely(!p))
		475	goto out_overflow;
		476
513	entry->ino = ntohl(*p++);	477	entry->ino = ntohl(*p++);
514	entry->len = ntohl(*p++);	478	entry->len = ntohl(*p++);
		479
		480	p = xdr_inline_decode(xdr, entry->len + 4);
		481	if (unlikely(!p))
		482	goto out_overflow;
515	entry->name = (const char *) p;	483	entry->name = (const char *) p;
516	p += XDR_QUADLEN(entry->len);	484	p += XDR_QUADLEN(entry->len);
517	entry->prev_cookie = entry->cookie;	485	entry->prev_cookie = entry->cookie;
518	entry->cookie = ntohl(*p++);	486	entry->cookie = ntohl(*p++);
519	entry->eof = !p[0] && p[1];	487
		488	p = xdr_inline_peek(xdr, 8);
		489	if (p != NULL)
		490	entry->eof = !p[0] && p[1];
		491	else
		492	entry->eof = 0;
520		493
521	return p;	494	return p;
		495
		496	out_overflow:
		497	print_overflow_msg(__func__, xdr);
		498	return ERR_PTR(-EIO);
522	}	499	}
523		500
524	/*	501	/*
@@ -596,7 +573,6 @@ nfs_xdr_readlinkres(struct rpc_rqst req, __be32 p, void *dummy)
596	struct kvec *iov = rcvbuf->head;	573	struct kvec *iov = rcvbuf->head;
597	size_t hdrlen;	574	size_t hdrlen;
598	u32 len, recvd;	575	u32 len, recvd;
599	char *kaddr;
600	int status;	576	int status;
601		577
602	if ((status = ntohl(*p++)))	578	if ((status = ntohl(*p++)))
@@ -623,10 +599,7 @@ nfs_xdr_readlinkres(struct rpc_rqst req, __be32 p, void *dummy)
623	return -EIO;	599	return -EIO;
624	}	600	}
625		601
626	/* NULL terminate the string we got */	602	xdr_terminate_string(rcvbuf, len);
627	kaddr = (char *)kmap_atomic(rcvbuf->pages[0], KM_USER0);
628	kaddr[len+rcvbuf->page_base] = '\0';
629	kunmap_atomic(kaddr, KM_USER0);
630	return 0;	603	return 0;
631	}	604	}
632		605