NFSv4: Fix memory corruption in nfs4_proc_open_confirm

nfs41_wake_and_assign_slot() relies on the task->tk_msg.rpc_argp and task->tk_msg.rpc_resp always pointing to the session sequence arguments. nfs4_proc_open_confirm tries to pull a fast one by reusing the open sequence structure, thus causing corruption of the NFSv4 slot table. Cc: stable@vger.kernel.org # 3.12+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
author: Trond Myklebust <trond.myklebust@primarydata.com> 2014-02-01 14:53:23 -0500
committer: Trond Myklebust <trond.myklebust@primarydata.com> 2014-02-01 15:13:39 -0500
commit: 17ead6c85c3d0ef57a14d1373f1f1cee2ce60ea8 (patch)
tree: 36fc04d5578037acf69efda944b4e8dd2ff5a0df /fs/nfs
parent: 8a1f006ad302ea178aefb1f8c67e679c696289e9 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 42da6af77587..2da6a698b8f7 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1620,15 +1620,15 @@ static void nfs4_open_confirm_prepare(struct rpc_task *task, void *calldata)
 {
        struct nfs4_opendata *data = calldata;
-        nfs40_setup_sequence(data->o_arg.server, &data->o_arg.seq_args,
+        nfs40_setup_sequence(data->o_arg.server, &data->c_arg.seq_args,
-                                &data->o_res.seq_res, task);
+                                &data->c_res.seq_res, task);
 }
 static void nfs4_open_confirm_done(struct rpc_task *task, void *calldata)
 {
        struct nfs4_opendata *data = calldata;
-        nfs40_sequence_done(task, &data->o_res.seq_res);
+        nfs40_sequence_done(task, &data->c_res.seq_res);
        data->rpc_status = task->tk_status;
        if (data->rpc_status == 0) {
@@ -1686,7 +1686,7 @@ static int _nfs4_proc_open_confirm(struct nfs4_opendata *data)
        };
        int status;
-        nfs4_init_sequence(&data->o_arg.seq_args, &data->o_res.seq_res, 1);
+        nfs4_init_sequence(&data->c_arg.seq_args, &data->c_res.seq_res, 1);
        kref_get(&data->kref);
        data->rpc_done = 0;
        data->rpc_status = 0;
author	Trond Myklebust <trond.myklebust@primarydata.com>	2014-02-01 14:53:23 -0500
committer	Trond Myklebust <trond.myklebust@primarydata.com>	2014-02-01 15:13:39 -0500
commit	17ead6c85c3d0ef57a14d1373f1f1cee2ce60ea8 (patch)
tree	36fc04d5578037acf69efda944b4e8dd2ff5a0df /fs/nfs
parent	8a1f006ad302ea178aefb1f8c67e679c696289e9 (diff)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 42da6af77587..2da6a698b8f7 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c
@@ -1620,15 +1620,15 @@ static void nfs4_open_confirm_prepare(struct rpc_task task, void calldata)
1620	{	1620	{
1621	struct nfs4_opendata *data = calldata;	1621	struct nfs4_opendata *data = calldata;
1622		1622
1623	nfs40_setup_sequence(data->o_arg.server, &data->o_arg.seq_args,	1623	nfs40_setup_sequence(data->o_arg.server, &data->c_arg.seq_args,
1624	&data->o_res.seq_res, task);	1624	&data->c_res.seq_res, task);
1625	}	1625	}
1626		1626
1627	static void nfs4_open_confirm_done(struct rpc_task task, void calldata)	1627	static void nfs4_open_confirm_done(struct rpc_task task, void calldata)
1628	{	1628	{
1629	struct nfs4_opendata *data = calldata;	1629	struct nfs4_opendata *data = calldata;
1630		1630
1631	nfs40_sequence_done(task, &data->o_res.seq_res);	1631	nfs40_sequence_done(task, &data->c_res.seq_res);
1632		1632
1633	data->rpc_status = task->tk_status;	1633	data->rpc_status = task->tk_status;
1634	if (data->rpc_status == 0) {	1634	if (data->rpc_status == 0) {
@@ -1686,7 +1686,7 @@ static int _nfs4_proc_open_confirm(struct nfs4_opendata *data)
1686	};	1686	};
1687	int status;	1687	int status;
1688		1688
1689	nfs4_init_sequence(&data->o_arg.seq_args, &data->o_res.seq_res, 1);	1689	nfs4_init_sequence(&data->c_arg.seq_args, &data->c_res.seq_res, 1);
1690	kref_get(&data->kref);	1690	kref_get(&data->kref);
1691	data->rpc_done = 0;	1691	data->rpc_done = 0;
1692	data->rpc_status = 0;	1692	data->rpc_status = 0;