diff options
author | Trond Myklebust <trond.myklebust@primarydata.com> | 2014-02-01 23:53:23 +0400 |
---|---|---|
committer | Trond Myklebust <trond.myklebust@primarydata.com> | 2014-02-02 00:13:39 +0400 |
commit | 17ead6c85c3d0ef57a14d1373f1f1cee2ce60ea8 (patch) | |
tree | 36fc04d5578037acf69efda944b4e8dd2ff5a0df /include/linux | |
parent | 8a1f006ad302ea178aefb1f8c67e679c696289e9 (diff) | |
download | linux-17ead6c85c3d0ef57a14d1373f1f1cee2ce60ea8.tar.xz |
NFSv4: Fix memory corruption in nfs4_proc_open_confirm
nfs41_wake_and_assign_slot() relies on the task->tk_msg.rpc_argp and
task->tk_msg.rpc_resp always pointing to the session sequence arguments.
nfs4_proc_open_confirm tries to pull a fast one by reusing the open
sequence structure, thus causing corruption of the NFSv4 slot table.
Cc: stable@vger.kernel.org # 3.12+
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/nfs_xdr.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h index 3ccfcecf8999..b2fb167b2e6d 100644 --- a/include/linux/nfs_xdr.h +++ b/include/linux/nfs_xdr.h @@ -379,12 +379,14 @@ struct nfs_openres { * Arguments to the open_confirm call. */ struct nfs_open_confirmargs { + struct nfs4_sequence_args seq_args; const struct nfs_fh * fh; nfs4_stateid * stateid; struct nfs_seqid * seqid; }; struct nfs_open_confirmres { + struct nfs4_sequence_res seq_res; nfs4_stateid stateid; struct nfs_seqid * seqid; }; |