nfsd4: minor NFSv2/v3 write decoding cleanup

debian/changelog

@@ -374,6 +374,7 @@ linux (4.9.25-1) UNRELEASED; urgency=medium
   * macsec: avoid heap overflow in skb_to_sgvec (CVE-2017-7477)
   * macsec: dynamically allocate space for sglist
   * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
+  * nfsd4: minor NFSv2/v3 write decoding cleanup
 
   [ Aurelien Jarno ]
   * [mips*/octeon] Drop obsolete patch adding support for the UBNT E200

debian/patches/bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch

@@ -0,0 +1,84 @@
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 25 Apr 2017 16:21:34 -0400
+Subject: nfsd4: minor NFSv2/v3 write decoding cleanup
+Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
+
+Use a couple shortcuts that will simplify a following bugfix.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+---
+ fs/nfsd/nfs3xdr.c | 9 +++++----
+ fs/nfsd/nfsxdr.c  | 8 ++++----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
+index dba2ff8..d18cfdd 100644
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ {
+ 	unsigned int len, v, hdr, dlen;
+ 	u32 max_blocksize = svc_max_payload(rqstp);
++	struct kvec *head = rqstp->rq_arg.head;
++	struct kvec *tail = rqstp->rq_arg.tail;
+ 
+ 	p = decode_fh(p, &args->fh);
+ 	if (!p)
+@@ -377,9 +379,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ 	 * Check to make sure that we got the right number of
+ 	 * bytes.
+ 	 */
+-	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
+-	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
+-		+ rqstp->rq_arg.tail[0].iov_len - hdr;
++	hdr = (void*)p - head->iov_base;
++	dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr;
+ 	/*
+ 	 * Round the length of the data which was specified up to
+ 	 * the next multiple of XDR units and then compare that
+@@ -396,7 +397,7 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ 		len = args->len = max_blocksize;
+ 	}
+ 	rqstp->rq_vec[0].iov_base = (void*)p;
+-	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
++	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
+ 	v = 0;
+ 	while (len > rqstp->rq_vec[v].iov_len) {
+ 		len -= rqstp->rq_vec[v].iov_len;
+diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
+index 41b468a..59bd88a 100644
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ 					struct nfsd_writeargs *args)
+ {
+ 	unsigned int len, hdr, dlen;
++	struct kvec *head = rqstp->rq_arg.head;
+ 	int v;
+ 
+ 	p = decode_fh(p, &args->fh);
+@@ -300,9 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ 	 * Check to make sure that we got the right number of
+ 	 * bytes.
+ 	 */
+-	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
+-	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
+-		- hdr;
++	hdr = (void*)p - head->iov_base;
++	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
+ 
+ 	/*
+ 	 * Round the length of the data which was specified up to
+@@ -316,7 +316,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
+ 		return 0;
+ 
+ 	rqstp->rq_vec[0].iov_base = (void*)p;
+-	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
++	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
+ 	v = 0;
+ 	while (len > rqstp->rq_vec[v].iov_len) {
+ 		len -= rqstp->rq_vec[v].iov_len;
+-- 
+2.1.4
+

debian/patches/series

@@ -111,6 +111,7 @@ bugfix/all/ping-implement-proper-locking.patch
 bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
 bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
 bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
+bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch