public inbox for linux-kernel@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Trond Myklebust <trond.myklebust@primarydata.com>
Subject: [PATCH 3.12 07/32] NFSv4: Fix memory corruption in nfs4_proc_open_confirm
Date: Tue, 18 Feb 2014 14:47:07 -0800
Message-ID: <20140218224500.316229517@linuxfoundation.org>
In-Reply-To: <20140218224500.101465031@linuxfoundation.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 17ead6c85c3d0ef57a14d1373f1f1cee2ce60ea8 upstream.

nfs41_wake_and_assign_slot() relies on the task->tk_msg.rpc_argp and
task->tk_msg.rpc_resp always pointing to the session sequence arguments.

nfs4_proc_open_confirm tries to pull a fast one by reusing the open
sequence structure, thus causing corruption of the NFSv4 slot table.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4proc.c       |    8 ++++----
 include/linux/nfs_xdr.h |    2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1611,15 +1611,15 @@ static void nfs4_open_confirm_prepare(st
 {
 	struct nfs4_opendata *data = calldata;
 
-	nfs40_setup_sequence(data->o_arg.server, &data->o_arg.seq_args,
-				&data->o_res.seq_res, task);
+	nfs40_setup_sequence(data->o_arg.server, &data->c_arg.seq_args,
+				&data->c_res.seq_res, task);
 }
 
 static void nfs4_open_confirm_done(struct rpc_task *task, void *calldata)
 {
 	struct nfs4_opendata *data = calldata;
 
-	nfs40_sequence_done(task, &data->o_res.seq_res);
+	nfs40_sequence_done(task, &data->c_res.seq_res);
 
 	data->rpc_status = task->tk_status;
 	if (data->rpc_status == 0) {
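Review bot: nfs4_open_confirm_prepare() still takes the server from data->o_arg.server while the sequence pair now comes from data->c_arg.seq_args and data->c_res.seq_res. The mix is forced, because struct nfs_open_confirmargs as changed in this patch has no server member, but a one-line comment saying that the open arguments are used here only for the server pointer would keep a later cleanup from moving the sequence arguments back to o_arg. The prepare and done callbacks both name data->c_res.seq_res, which is what is wanted; that pairing is worth re-checking whenever this is backported by hand.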
@@ -1677,7 +1677,7 @@ static int _nfs4_proc_open_confirm(struc
 	};
 	int status;
 
-	nfs4_init_sequence(&data->o_arg.seq_args, &data->o_res.seq_res, 1);
+	nfs4_init_sequence(&data->c_arg.seq_args, &data->c_res.seq_res, 1);
 	kref_get(&data->kref);
 	data->rpc_done = 0;
 	data->rpc_status = 0;
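Review bot: the initialiser that ends at the `};` context line in _nfs4_proc_open_confirm() is outside this hunk, so the patch as shown does not demonstrate where rpc_argp and rpc_resp point. The commit message's invariant (task->tk_msg.rpc_argp and task->tk_msg.rpc_resp always pointing to the sequence arguments) only holds after this change if they reference the same structures that nfs4_init_sequence() is now called on, data->c_arg and data->c_res. Please confirm that against the 3.12 tree before this is queued, since the context lines here cannot show it.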
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -379,12 +379,14 @@ struct nfs_openres {
  * Arguments to the open_confirm call.
  */
 struct nfs_open_confirmargs {
+	struct nfs4_sequence_args	seq_args;
 	const struct nfs_fh *	fh;
 	nfs4_stateid *		stateid;
 	struct nfs_seqid *	seqid;
 };
 
 struct nfs_open_confirmres {
+	struct nfs4_sequence_res	seq_res;
 	nfs4_stateid            stateid;
 	struct nfs_seqid *	seqid;
 };
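Review bot: seq_args and seq_res are added as the first member of struct nfs_open_confirmargs and struct nfs_open_confirmres, and nothing in the header says that the position matters. If rpc_argp and rpc_resp point at these structures, the commit message's requirement that they point to the sequence arguments is met only while these members stay at offset 0. Suggest a short "must be first" comment on both members, or a BUILD_BUG_ON(offsetof(struct nfs_open_confirmargs, seq_args) != 0) with a matching check for the result structure, so that a later reordering fails at build time instead of corrupting the slot table again.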


