diff options
author | Konstantin Khorenko <khorenko@parallels.com> | 2011-02-01 17:16:29 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-03-21 12:45:02 -0700 |
commit | 74d2a55a8bc405f5f28cf471e0a463f62eaf54d2 (patch) | |
tree | 37adb6451e77e70be5e4fec502e72a1702d53544 /fs/nfsd | |
parent | c8a3f6e5a73553f3d3ced5f9d0529e367d4609a1 (diff) | |
download | kernel-common-74d2a55a8bc405f5f28cf471e0a463f62eaf54d2.tar.gz kernel-common-74d2a55a8bc405f5f28cf471e0a463f62eaf54d2.tar.bz2 kernel-common-74d2a55a8bc405f5f28cf471e0a463f62eaf54d2.zip |
NFSD: memory corruption due to writing beyond the stat array
commit 3aa6e0aa8ab3e64bbfba092c64d42fd1d006b124 upstream.
If nfsd fails to find an exported via NFS file in the readahead cache, it
should increment corresponding nfsdstats counter (ra_depth[10]), but due to a
bug it may instead write to ra_depth[11], corrupting the following field.
In a kernel with NFSDv4 compiled in the corruption takes the form of an
increment of a counter of the number of NFSv4 operation 0's received; since
there is no operation 0, this is harmless.
In a kernel with NFSDv4 disabled it corrupts whatever happens to be in the
memory beyond nfsdstats.
Signed-off-by: Konstantin Khorenko <khorenko@openvz.org>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs/nfsd')
-rw-r--r-- | fs/nfsd/vfs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 8715d194561a..c217a940c805 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -831,7 +831,7 @@ nfsd_get_raparms(dev_t dev, ino_t ino) if (ra->p_count == 0) frap = rap; } - depth = nfsdstats.ra_size*11/10; + depth = nfsdstats.ra_size; if (!frap) { spin_unlock(&rab->pb_lock); return NULL; |