From: Mike Snitzer <snitzer@xxxxxxxxxxxxxxx>

This patch also papers over what seems like an rpcrdma bug, and Chuck Lever also clarified that this too shouldn't be needed: "Yes, the extra page needs to come from rq_pages. But I don't see why it should come from the /end/ of rq_pages."

But this patch at least isolates the same bug further? (by showing that the bounds expressed in rqstp->rq_bvec[] don't cause manipulation of what READ payload memory is returned to the NFS RDMA client?)

Signed-off-by: Mike Snitzer <snitzer@xxxxxxxxxx>
---
 fs/nfsd/vfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 762d745b1b15d..70571a78e7c25 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -1263,7 +1263,7 @@ __be32 nfsd_iter_read(struct svc_rqst *rqstp, struct svc_fh *fhp, if (read_dio.start_extra) { len = read_dio.start_extra; bvec_set_page(&rqstp->rq_bvec[v], - *(rqstp->rq_next_page++), + NULL, /* adjusted below */ len, PAGE_SIZE - len); total -= len; ++v; @@ -1289,6 +1289,8 @@ __be32 nfsd_iter_read(struct svc_rqst *rqstp, struct svc_fh *fhp, base = 0; } WARN_ON_ONCE(v > rqstp->rq_maxpages); + if ((kiocb.ki_flags & IOCB_DIRECT) && read_dio.start_extra) + rqstp->rq_bvec[0].bv_page = *(rqstp->rq_next_page++); trace_nfsd_read_vector(rqstp, fhp, offset, in_count); iov_iter_bvec(&iter, ITER_DEST, rqstp->rq_bvec, v, in_count); -- 2.44.0
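
Review bot: In the first hunk (@@ -1263), the placeholder is stored at rq_bvec[v] but the later fix-up writes rq_bvec[0], so the two only agree if v is 0 whenever the start_extra branch runs. Either save the index here and reuse it in the fix-up, or expand the /* adjusted below */ comment to state that this is always the first entry. As written, a bvec with a NULL bv_page exists between the two sites with nothing but that short comment tying them together.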
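
Review bot: In the second hunk (@@ -1289), the fix-up is guarded by (kiocb.ki_flags & IOCB_DIRECT) && read_dio.start_extra, while the NULL placeholder in the first hunk is set under if (read_dio.start_extra) alone. If start_extra can be non-zero without IOCB_DIRECT, iov_iter_bvec() receives an entry whose bv_page is still NULL; use the same condition at both sites, or add a comment explaining why start_extra implies IOCB_DIRECT. The added lines also need a comment saying why the page is taken from rq_next_page only after the other entries have been filled, since the commit message describes this as papering over a suspected rpcrdma bug rather than a final fix.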