summaryrefslogtreecommitdiff
path: root/fs/nfsd
diff options
context:
space:
mode:
authorKonstantin Khorenko <khorenko@parallels.com>2011-02-01 17:16:29 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>2011-03-21 12:45:02 -0700
commit74d2a55a8bc405f5f28cf471e0a463f62eaf54d2 (patch)
tree37adb6451e77e70be5e4fec502e72a1702d53544 /fs/nfsd
parentc8a3f6e5a73553f3d3ced5f9d0529e367d4609a1 (diff)
downloadkernel-common-74d2a55a8bc405f5f28cf471e0a463f62eaf54d2.tar.gz
kernel-common-74d2a55a8bc405f5f28cf471e0a463f62eaf54d2.tar.bz2
kernel-common-74d2a55a8bc405f5f28cf471e0a463f62eaf54d2.zip
NFSD: memory corruption due to writing beyond the stat array
commit 3aa6e0aa8ab3e64bbfba092c64d42fd1d006b124 upstream. If nfsd fails to find an exported via NFS file in the readahead cache, it should increment corresponding nfsdstats counter (ra_depth[10]), but due to a bug it may instead write to ra_depth[11], corrupting the following field. In a kernel with NFSDv4 compiled in the corruption takes the form of an increment of a counter of the number of NFSv4 operation 0's received; since there is no operation 0, this is harmless. In a kernel with NFSDv4 disabled it corrupts whatever happens to be in the memory beyond nfsdstats. Signed-off-by: Konstantin Khorenko <khorenko@openvz.org> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs/nfsd')
-rw-r--r--fs/nfsd/vfs.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 8715d194561a..c217a940c805 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -831,7 +831,7 @@ nfsd_get_raparms(dev_t dev, ino_t ino)
if (ra->p_count == 0)
frap = rap;
}
- depth = nfsdstats.ra_size*11/10;
+ depth = nfsdstats.ra_size;
if (!frap) {
spin_unlock(&rab->pb_lock);
return NULL;