From 964bdfaf287cdc31eb4792c964b1adad81ca83c9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 11 Dec 2015 15:48:49 -0800
Subject: [PATCH] remove nfs4-limit-callback-decoding-to-received-bytes.patch

---
 ...-callback-decoding-to-received-bytes.patch | 97 -------------------
 queue-4.2/series                              |  1 -
 ...-callback-decoding-to-received-bytes.patch | 97 -------------------
 queue-4.3/series                              |  1 -
 4 files changed, 196 deletions(-)
 delete mode 100644 queue-4.2/nfs4-limit-callback-decoding-to-received-bytes.patch
 delete mode 100644 queue-4.3/nfs4-limit-callback-decoding-to-received-bytes.patch

diff --git a/queue-4.2/nfs4-limit-callback-decoding-to-received-bytes.patch b/queue-4.2/nfs4-limit-callback-decoding-to-received-bytes.patch
deleted file mode 100644
index bddb1c87e33..00000000000
--- a/queue-4.2/nfs4-limit-callback-decoding-to-received-bytes.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 38b7631fbe42e6e247e9fc9879f961b14a687e3b Mon Sep 17 00:00:00 2001
-From: Benjamin Coddington <bcodding@redhat.com>
-Date: Fri, 20 Nov 2015 09:55:30 -0500
-Subject: nfs4: limit callback decoding to received bytes
-
-From: Benjamin Coddington <bcodding@redhat.com>
-
-commit 38b7631fbe42e6e247e9fc9879f961b14a687e3b upstream.
-
-A truncated cb_compound request will cause the client to decode null or
-data from a previous callback for nfs4.1 backchannel case, or uninitialized
-data for the nfs4.0 case. This is because the path through
-svc_process_common() advances the request's iov_base and decrements iov_len
-without adjusting the overall xdr_buf's len field.  That causes
-xdr_init_decode() to set up the xdr_stream with an incorrect length in
-nfs4_callback_compound().
-
-Fixing this for the nfs4.1 backchannel case first requires setting the
-correct iov_len and page_len based on the length of received data in the
-same manner as the nfs4.0 case.
-
-Then the request's xdr_buf length can be adjusted for both cases based upon
-the remaining iov_len and page_len.
-
-Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
-Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/nfs/callback_xdr.c         |    7 +++++--
- net/sunrpc/backchannel_rqst.c |    8 ++++++++
- net/sunrpc/svc.c              |    1 +
- 3 files changed, 14 insertions(+), 2 deletions(-)
-
---- a/fs/nfs/callback_xdr.c
-+++ b/fs/nfs/callback_xdr.c
-@@ -76,7 +76,8 @@ static __be32 *read_buf(struct xdr_strea
- 
- 	p = xdr_inline_decode(xdr, nbytes);
- 	if (unlikely(p == NULL))
--		printk(KERN_WARNING "NFS: NFSv4 callback reply buffer overflowed!\n");
-+		printk(KERN_WARNING "NFS: NFSv4 callback reply buffer overflowed "
-+							"or truncated request.\n");
- 	return p;
- }
- 
-@@ -892,6 +893,7 @@ static __be32 nfs4_callback_compound(str
- 	struct cb_compound_hdr_arg hdr_arg = { 0 };
- 	struct cb_compound_hdr_res hdr_res = { NULL };
- 	struct xdr_stream xdr_in, xdr_out;
-+	struct xdr_buf *rq_arg = &rqstp->rq_arg;
- 	__be32 *p, status;
- 	struct cb_process_state cps = {
- 		.drc_status = 0,
-@@ -903,7 +905,8 @@ static __be32 nfs4_callback_compound(str
- 
- 	dprintk("%s: start\n", __func__);
- 
--	xdr_init_decode(&xdr_in, &rqstp->rq_arg, rqstp->rq_arg.head[0].iov_base);
-+	rq_arg->len = rq_arg->head[0].iov_len + rq_arg->page_len;
-+	xdr_init_decode(&xdr_in, rq_arg, rq_arg->head[0].iov_base);
- 
- 	p = (__be32*)((char *)rqstp->rq_res.head[0].iov_base + rqstp->rq_res.head[0].iov_len);
- 	xdr_init_encode(&xdr_out, &rqstp->rq_res, p);
---- a/net/sunrpc/backchannel_rqst.c
-+++ b/net/sunrpc/backchannel_rqst.c
-@@ -333,12 +333,20 @@ void xprt_complete_bc_request(struct rpc
- {
- 	struct rpc_xprt *xprt = req->rq_xprt;
- 	struct svc_serv *bc_serv = xprt->bc_serv;
-+	struct xdr_buf *rq_rcv_buf = &req->rq_rcv_buf;
- 
- 	spin_lock(&xprt->bc_pa_lock);
- 	list_del(&req->rq_bc_pa_list);
- 	xprt_dec_alloc_count(xprt, 1);
- 	spin_unlock(&xprt->bc_pa_lock);
- 
-+	if (copied <= rq_rcv_buf->head[0].iov_len) {
-+		rq_rcv_buf->head[0].iov_len = copied;
-+		rq_rcv_buf->page_len = 0;
-+	} else {
-+		rq_rcv_buf->page_len = copied - rq_rcv_buf->head[0].iov_len;
-+	}
-+
- 	req->rq_private_buf.len = copied;
- 	set_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state);
- 
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -1366,6 +1366,7 @@ bc_svc_process(struct svc_serv *serv, st
- 	memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
- 	memcpy(&rqstp->rq_arg, &req->rq_rcv_buf, sizeof(rqstp->rq_arg));
- 	memcpy(&rqstp->rq_res, &req->rq_snd_buf, sizeof(rqstp->rq_res));
-+	rqstp->rq_arg.len = req->rq_private_buf.len;
- 
- 	/* reset result send buffer "put" position */
- 	resv->iov_len = 0;
diff --git a/queue-4.2/series b/queue-4.2/series
index 3dab9360e36..5237c581be4 100644
--- a/queue-4.2/series
+++ b/queue-4.2/series
@@ -54,7 +54,6 @@ firewire-ohci-fix-jmicron-jmb38x-it-context-discovery.patch
 nfsd-serialize-state-seqid-morphing-operations.patch
 nfsd-eliminate-sending-duplicate-and-repeated-delegations.patch
 debugfs-fix-refcount-imbalance-in-start_creating.patch
-nfs4-limit-callback-decoding-to-received-bytes.patch
 nfs4-start-callback_ident-at-idr-1.patch
 nfs-if-we-have-no-valid-attrs-then-don-t-declare-the-attribute-cache-valid.patch
 ocfs2-fix-umask-ignored-issue.patch
diff --git a/queue-4.3/nfs4-limit-callback-decoding-to-received-bytes.patch b/queue-4.3/nfs4-limit-callback-decoding-to-received-bytes.patch
deleted file mode 100644
index fc461830b35..00000000000
--- a/queue-4.3/nfs4-limit-callback-decoding-to-received-bytes.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 38b7631fbe42e6e247e9fc9879f961b14a687e3b Mon Sep 17 00:00:00 2001
-From: Benjamin Coddington <bcodding@redhat.com>
-Date: Fri, 20 Nov 2015 09:55:30 -0500
-Subject: nfs4: limit callback decoding to received bytes
-
-From: Benjamin Coddington <bcodding@redhat.com>
-
-commit 38b7631fbe42e6e247e9fc9879f961b14a687e3b upstream.
-
-A truncated cb_compound request will cause the client to decode null or
-data from a previous callback for nfs4.1 backchannel case, or uninitialized
-data for the nfs4.0 case. This is because the path through
-svc_process_common() advances the request's iov_base and decrements iov_len
-without adjusting the overall xdr_buf's len field.  That causes
-xdr_init_decode() to set up the xdr_stream with an incorrect length in
-nfs4_callback_compound().
-
-Fixing this for the nfs4.1 backchannel case first requires setting the
-correct iov_len and page_len based on the length of received data in the
-same manner as the nfs4.0 case.
-
-Then the request's xdr_buf length can be adjusted for both cases based upon
-the remaining iov_len and page_len.
-
-Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
-Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/nfs/callback_xdr.c         |    7 +++++--
- net/sunrpc/backchannel_rqst.c |    8 ++++++++
- net/sunrpc/svc.c              |    1 +
- 3 files changed, 14 insertions(+), 2 deletions(-)
-
---- a/fs/nfs/callback_xdr.c
-+++ b/fs/nfs/callback_xdr.c
-@@ -76,7 +76,8 @@ static __be32 *read_buf(struct xdr_strea
- 
- 	p = xdr_inline_decode(xdr, nbytes);
- 	if (unlikely(p == NULL))
--		printk(KERN_WARNING "NFS: NFSv4 callback reply buffer overflowed!\n");
-+		printk(KERN_WARNING "NFS: NFSv4 callback reply buffer overflowed "
-+							"or truncated request.\n");
- 	return p;
- }
- 
-@@ -892,6 +893,7 @@ static __be32 nfs4_callback_compound(str
- 	struct cb_compound_hdr_arg hdr_arg = { 0 };
- 	struct cb_compound_hdr_res hdr_res = { NULL };
- 	struct xdr_stream xdr_in, xdr_out;
-+	struct xdr_buf *rq_arg = &rqstp->rq_arg;
- 	__be32 *p, status;
- 	struct cb_process_state cps = {
- 		.drc_status = 0,
-@@ -903,7 +905,8 @@ static __be32 nfs4_callback_compound(str
- 
- 	dprintk("%s: start\n", __func__);
- 
--	xdr_init_decode(&xdr_in, &rqstp->rq_arg, rqstp->rq_arg.head[0].iov_base);
-+	rq_arg->len = rq_arg->head[0].iov_len + rq_arg->page_len;
-+	xdr_init_decode(&xdr_in, rq_arg, rq_arg->head[0].iov_base);
- 
- 	p = (__be32*)((char *)rqstp->rq_res.head[0].iov_base + rqstp->rq_res.head[0].iov_len);
- 	xdr_init_encode(&xdr_out, &rqstp->rq_res, p);
---- a/net/sunrpc/backchannel_rqst.c
-+++ b/net/sunrpc/backchannel_rqst.c
-@@ -333,12 +333,20 @@ void xprt_complete_bc_request(struct rpc
- {
- 	struct rpc_xprt *xprt = req->rq_xprt;
- 	struct svc_serv *bc_serv = xprt->bc_serv;
-+	struct xdr_buf *rq_rcv_buf = &req->rq_rcv_buf;
- 
- 	spin_lock(&xprt->bc_pa_lock);
- 	list_del(&req->rq_bc_pa_list);
- 	xprt_dec_alloc_count(xprt, 1);
- 	spin_unlock(&xprt->bc_pa_lock);
- 
-+	if (copied <= rq_rcv_buf->head[0].iov_len) {
-+		rq_rcv_buf->head[0].iov_len = copied;
-+		rq_rcv_buf->page_len = 0;
-+	} else {
-+		rq_rcv_buf->page_len = copied - rq_rcv_buf->head[0].iov_len;
-+	}
-+
- 	req->rq_private_buf.len = copied;
- 	set_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state);
- 
---- a/net/sunrpc/svc.c
-+++ b/net/sunrpc/svc.c
-@@ -1363,6 +1363,7 @@ bc_svc_process(struct svc_serv *serv, st
- 	memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
- 	memcpy(&rqstp->rq_arg, &req->rq_rcv_buf, sizeof(rqstp->rq_arg));
- 	memcpy(&rqstp->rq_res, &req->rq_snd_buf, sizeof(rqstp->rq_res));
-+	rqstp->rq_arg.len = req->rq_private_buf.len;
- 
- 	/* reset result send buffer "put" position */
- 	resv->iov_len = 0;
diff --git a/queue-4.3/series b/queue-4.3/series
index 4fc212dcd10..faf3dbfaa66 100644
--- a/queue-4.3/series
+++ b/queue-4.3/series
@@ -61,7 +61,6 @@ firewire-ohci-fix-jmicron-jmb38x-it-context-discovery.patch
 nfsd-serialize-state-seqid-morphing-operations.patch
 nfsd-eliminate-sending-duplicate-and-repeated-delegations.patch
 debugfs-fix-refcount-imbalance-in-start_creating.patch
-nfs4-limit-callback-decoding-to-received-bytes.patch
 nfs4-start-callback_ident-at-idr-1.patch
 nfs4-resend-layoutget-when-there-is-a-race-that-changes-the-seqid.patch
 nfs-if-we-have-no-valid-attrs-then-don-t-declare-the-attribute-cache-valid.patch
-- 
2.47.3