Patch "NFSv4: Fix an Oops in the NFSv4 getacl code" has been added to the 3.0-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    NFSv4: Fix an Oops in the NFSv4 getacl code

to the 3.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From jslaby@xxxxxxx  Mon Apr  1 16:36:55 2013
From: Jiri Slaby <jslaby@xxxxxxx>
Date: Tue, 19 Mar 2013 12:36:53 +0100
Subject: NFSv4: Fix an Oops in the NFSv4 getacl code
To: gregkh@xxxxxxxxxxxxxxxxxxx
Cc: jirislaby@xxxxxxxxx, stable@xxxxxxxxxxxxxxx, Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>, Andy Adamson <andros@xxxxxxxxxx>, Jiri Slaby <jslaby@xxxxxxx>
Message-ID: <1363693019-14812-8-git-send-email-jslaby@xxxxxxx>


From: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>

commit 331818f1c468a24e581aedcbe52af799366a9dfe upstream.

Commit bf118a342f10dafe44b14451a1392c3254629a1f (NFSv4: include bitmap
in nfsv4 get acl data) introduces the 'acl_scratch' page for the case
where we may need to decode multi-page data. However it fails to take
into account the fact that the variable may be NULL (for the case where
we're not doing multi-page decode), and it also attaches it to the
encoding xdr_stream rather than the decoding one.

The immediate result is an Oops in nfs4_xdr_enc_getacl due to the
call to page_address() with a NULL page pointer.

Signed-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>
Cc: Andy Adamson <andros@xxxxxxxxxx>
Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/nfs/nfs4proc.c       |    8 ++++----
 fs/nfs/nfs4xdr.c        |    5 ++++-
 include/linux/nfs_xdr.h |    2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3578,8 +3578,8 @@ static ssize_t __nfs4_get_acl_uncached(s
 	}
 	if (npages > 1) {
 		/* for decoding across pages */
-		args.acl_scratch = alloc_page(GFP_KERNEL);
-		if (!args.acl_scratch)
+		res.acl_scratch = alloc_page(GFP_KERNEL);
+		if (!res.acl_scratch)
 			goto out_free;
 	}
 	args.acl_len = npages * PAGE_SIZE;
@@ -3615,8 +3615,8 @@ out_free:
 	for (i = 0; i < npages; i++)
 		if (pages[i])
 			__free_page(pages[i]);
-	if (args.acl_scratch)
-		__free_page(args.acl_scratch);
+	if (res.acl_scratch)
+		__free_page(res.acl_scratch);
 	return ret;
 }
 
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -2379,7 +2379,6 @@ static void nfs4_xdr_enc_getacl(struct r
 
 	xdr_inline_pages(&req->rq_rcv_buf, replen << 2,
 		args->acl_pages, args->acl_pgbase, args->acl_len);
-	xdr_set_scratch_buffer(xdr, page_address(args->acl_scratch), PAGE_SIZE);
 
 	encode_nops(&hdr);
 }
@@ -5688,6 +5687,10 @@ nfs4_xdr_dec_getacl(struct rpc_rqst *rqs
 	struct compound_hdr hdr;
 	int status;
 
+	if (res->acl_scratch != NULL) {
+		void *p = page_address(res->acl_scratch);
+		xdr_set_scratch_buffer(xdr, p, PAGE_SIZE);
+	}
 	status = decode_compound_hdr(xdr, &hdr);
 	if (status)
 		goto out;
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -588,7 +588,6 @@ struct nfs_getaclargs {
 	size_t				acl_len;
 	unsigned int			acl_pgbase;
 	struct page **			acl_pages;
-	struct page *			acl_scratch;
 	struct nfs4_sequence_args 	seq_args;
 };
 
@@ -598,6 +597,7 @@ struct nfs_getaclres {
 	size_t				acl_len;
 	size_t				acl_data_offset;
 	int				acl_flags;
+	struct page *			acl_scratch;
 	struct nfs4_sequence_res	seq_res;
 };
 


Patches currently in stable-queue which might be from jslaby@xxxxxxx are

queue-3.0/kvm-x86-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
queue-3.0/kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch
queue-3.0/mm-hotplug-correctly-add-new-zone-to-all-other-nodes-zone-lists.patch
queue-3.0/macvtap-zerocopy-validate-vectors-before-building-skb.patch
queue-3.0/x25-validate-incoming-call-user-data-lengths.patch
queue-3.0/batman-adv-bat_socket_read-missing-checks.patch
queue-3.0/kvm-fix-buffer-overflow-in-kvm_set_irq.patch
queue-3.0/x25-handle-undersized-fragmented-skbs.patch
queue-3.0/nfsv4-include-bitmap-in-nfsv4-get-acl-data.patch
queue-3.0/nfs-nfs_getaclargs.acl_len-is-a-size_t.patch
queue-3.0/nfsv4-fix-an-oops-in-the-nfsv4-getacl-code.patch
queue-3.0/kvm-clean-up-error-handling-during-vcpu-creation.patch
queue-3.0/kvm-ensure-all-vcpus-are-consistent-with-in-kernel-irqchip-settings.patch
queue-3.0/batman-adv-only-write-requested-number-of-byte-to-user-buffer.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]