| From ed4e502c68883bb2231a816eab205b5d155e29cd Mon Sep 17 00:00:00 2001 |
| From: Konstantin Khorenko <khorenko@parallels.com> |
| Date: Tue, 1 Feb 2011 17:16:29 +0300 |
| Subject: [PATCH] NFSD: memory corruption due to writing beyond the stat array |
| |
| commit 3aa6e0aa8ab3e64bbfba092c64d42fd1d006b124 upstream. |
| |
| If nfsd fails to find a file exported via NFS in the readahead cache, it |
| should increment the corresponding nfsdstats counter (ra_depth[10]), but due to a |
| bug it may instead write to ra_depth[11], corrupting the following field. |
| |
| In a kernel with NFSDv4 compiled in the corruption takes the form of an |
| increment of a counter of the number of NFSv4 operation 0's received; since |
| there is no operation 0, this is harmless. |
| |
| In a kernel with NFSDv4 disabled it corrupts whatever happens to be in the |
| memory beyond nfsdstats. |
| |
| Signed-off-by: Konstantin Khorenko <khorenko@openvz.org> |
| Signed-off-by: J. Bruce Fields <bfields@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c |
| index 4eb9baa..054b50b 100644 |
| --- a/fs/nfsd/vfs.c |
| +++ b/fs/nfsd/vfs.c |
| @@ -819,7 +819,7 @@ nfsd_get_raparms(dev_t dev, ino_t ino) |
| if (ra->p_count == 0) |
| frap = rap; |
| } |
| - depth = nfsdstats.ra_size*11/10; |
| + depth = nfsdstats.ra_size; |
| if (!frap) { |
| spin_unlock(&rab->pb_lock); |
| return NULL; |
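Review bot: The corrected line `depth = nfsdstats.ra_size;` still carries an unstated invariant: the value is later used as an index into ra_depth[], and the cache-miss slot must exist at index ra_size, so ra_depth[] needs ra_size + 1 entries (the description implies 11 entries for ra_size 10). A comment at the assignment would keep the next change from reintroducing a scaled or offset value, e.g. `/* depth == ra_size is the cache-miss slot; ra_depth[] must hold ra_size + 1 entries */`. The rest of nfsd_get_raparms, including the store into ra_depth[], lies outside the hunk, so whether any bound on depth is checked there cannot be confirmed from this view.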
| -- |
| 1.7.4.4 |
| |