SUNRPC: Document validity guarantees of the pointer returned by reserve_space

A subtlety of this API is that if the @nbytes region traverses a page boundary, the next __xdr_commit_encode will shift the data item in the XDR encode buffer. This makes the returned pointer point to something else, leading to unexpected behavior. There are a few cases where the caller saves the returned pointer and then later uses it to insert a computed value into an earlier part of the stream. This can be safe only if either: - the data item is guaranteed to be in the XDR buffer's head, and thus is not ever going to be near a page boundary, or - the data item is no larger than 4 octets, since XDR alignment rules require all data items to start on 4-octet boundaries But that safety is only an artifact of the current implementation. It would be less brittle if these "safe" uses were eventually replaced. Reviewed-by: NeilBrown <neilb@suse.de> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2025-04-19 20:58:31 +09:00 · 2024-12-30 19:29:00 -05:00 · 2024-12-30 19:29:00 -05:00 · 1196bdce3d
commit 1196bdce3d
parent 4163ee711c
1 changed files with 6 additions and 0 deletions
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@ -1097,6 +1097,12 @@ out_overflow:
 * Checks that we have enough buffer space to encode 'nbytes' more
 * bytes of data. If so, update the total xdr_buf length, and
 * adjust the length of the current kvec.
+ *
+ * The returned pointer is valid only until the next call to
+ * xdr_reserve_space() or xdr_commit_encode() on @xdr. The current
+ * implementation of this API guarantees that space reserved for a
+ * four-byte data item remains valid until @xdr is destroyed, but
+ * that might not always be true in the future.
 */
 __be32 * xdr_reserve_space(struct xdr_stream *xdr, size_t nbytes)
 {