diff options
| author | Trond Myklebust <trond.myklebust@primarydata.com> | 2014-02-01 14:53:23 -0500 |
|---|---|---|
| committer | Trond Myklebust <trond.myklebust@primarydata.com> | 2014-02-01 15:13:39 -0500 |
| commit | 17ead6c85c3d0ef57a14d1373f1f1cee2ce60ea8 (patch) | |
| tree | 36fc04d5578037acf69efda944b4e8dd2ff5a0df /include/linux | |
| parent | 8a1f006ad302ea178aefb1f8c67e679c696289e9 (diff) | |
NFSv4: Fix memory corruption in nfs4_proc_open_confirm
nfs41_wake_and_assign_slot() relies on the task->tk_msg.rpc_argp and
task->tk_msg.rpc_resp always pointing to the session sequence arguments.
nfs4_proc_open_confirm tries to pull a fast one by reusing the open
sequence structure, thus causing corruption of the NFSv4 slot table.
Cc: stable@vger.kernel.org # 3.12+
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/nfs_xdr.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h index 3ccfcecf8999..b2fb167b2e6d 100644 --- a/include/linux/nfs_xdr.h +++ b/include/linux/nfs_xdr.h | |||
| @@ -379,12 +379,14 @@ struct nfs_openres { | |||
| 379 | * Arguments to the open_confirm call. | 379 | * Arguments to the open_confirm call. |
| 380 | */ | 380 | */ |
| 381 | struct nfs_open_confirmargs { | 381 | struct nfs_open_confirmargs { |
| 382 | struct nfs4_sequence_args seq_args; | ||
| 382 | const struct nfs_fh * fh; | 383 | const struct nfs_fh * fh; |
| 383 | nfs4_stateid * stateid; | 384 | nfs4_stateid * stateid; |
| 384 | struct nfs_seqid * seqid; | 385 | struct nfs_seqid * seqid; |
| 385 | }; | 386 | }; |
| 386 | 387 | ||
| 387 | struct nfs_open_confirmres { | 388 | struct nfs_open_confirmres { |
| 389 | struct nfs4_sequence_res seq_res; | ||
| 388 | nfs4_stateid stateid; | 390 | nfs4_stateid stateid; |
| 389 | struct nfs_seqid * seqid; | 391 | struct nfs_seqid * seqid; |
| 390 | }; | 392 | }; |