Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 317571 Details for
Bug 463720
nfsd v3: encode_fattr3() may get invalid inode attributes.
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
the patch that fixes the problem above
invalid_inode_attribute.patch (text/plain), 7.90 KB, created by
Wengang Wang
on 2008-09-24 08:34:57 UTC
(
hide
)
Description:
the patch that fixes the problem above
Filename:
MIME Type:
Creator:
Wengang Wang
Created:
2008-09-24 08:34:57 UTC
Size:
7.90 KB
patch
obsolete
>diff -u -p -r kernel-2.6.9-78.EL.orig/linux-2.6.9/fs/nfsd/nfs3acl.c kernel-2.6.9-78.EL/linux-2.6.9/fs/nfsd/nfs3acl.c >--- kernel-2.6.9-78.EL.orig/linux-2.6.9/fs/nfsd/nfs3acl.c 2008-09-24 10:54:45.000000000 +0800 >+++ kernel-2.6.9-78.EL/linux-2.6.9/fs/nfsd/nfs3acl.c 2008-09-24 15:12:59.000000000 +0800 >@@ -166,9 +166,14 @@ static int nfs3svc_decode_setaclargs(str > static int nfs3svc_encode_getaclres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_getaclres *resp) > { >+ u32 *bk = p; > struct dentry *dentry = resp->fh.fh_dentry; > > p = nfs3svc_encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > if (resp->status == 0 && dentry && dentry->d_inode) { > struct inode *inode = dentry->d_inode; > int w = nfsacl_size( >@@ -211,8 +216,13 @@ static int nfs3svc_encode_getaclres(stru > static int nfs3svc_encode_setaclres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_attrstat *resp) > { >- p = nfs3svc_encode_post_op_attr(rqstp, p, &resp->fh); >+ u32 *bk = p; > >+ p = nfs3svc_encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > return xdr_ressize_check(rqstp, p); > } > >diff -u -p -r kernel-2.6.9-78.EL.orig/linux-2.6.9/fs/nfsd/nfs3xdr.c kernel-2.6.9-78.EL/linux-2.6.9/fs/nfsd/nfs3xdr.c >--- kernel-2.6.9-78.EL.orig/linux-2.6.9/fs/nfsd/nfs3xdr.c 2008-09-24 10:54:45.000000000 +0800 >+++ kernel-2.6.9-78.EL/linux-2.6.9/fs/nfsd/nfs3xdr.c 2008-09-24 13:31:11.000000000 +0800 >@@ -176,8 +176,12 @@ encode_fattr3(struct svc_rqst *rqstp, u3 > struct dentry *dentry = fhp->fh_dentry; > struct kstat64 stat; > struct timespec time; >+ int err; > >- vfs_getattr64(mnt, dentry, &stat); >+ err = vfs_getattr64(mnt, dentry, &stat); >+ if (err) { >+ return ERR_PTR(err); >+ } > > *p++ = htonl(nfs3_ftypes[(stat.mode & S_IFMT) >> 12]); > *p++ = htonl((u32) stat.mode); >@@ -661,8 +665,16 @@ int > nfs3svc_encode_attrstat(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_attrstat *resp) > { >- if (resp->status == 0) >+ if (resp->status == 0) { >+ u32 *bk = p; >+ > p = encode_fattr3(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ /* the prior of bk must be the status to return */ >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } >+ } > return xdr_ressize_check(rqstp, p); > } > >@@ -671,7 +683,13 @@ int > nfs3svc_encode_wccstat(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_attrstat *resp) > { >+ u32 *bk = p; >+ > p = encode_wcc_data(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > return xdr_ressize_check(rqstp, p); > } > >@@ -680,11 +698,20 @@ int > nfs3svc_encode_diropres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_diropres *resp) > { >+ u32 *bk = p; >+ > if (resp->status == 0) { > p = encode_fh(p, &resp->fh); > p = encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) >+ goto encode_err; > } > p = encode_post_op_attr(rqstp, p, &resp->dirfh); >+ if (IS_ERR(p)) { >+encode_err: >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > return xdr_ressize_check(rqstp, p); > } > >@@ -693,7 +720,13 @@ int > nfs3svc_encode_accessres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_accessres *resp) > { >+ u32 *bk = p; >+ > p = encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > if (resp->status == 0) > *p++ = htonl(resp->access); > return xdr_ressize_check(rqstp, p); >@@ -704,7 +737,13 @@ int > nfs3svc_encode_readlinkres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_readlinkres *resp) > { >+ u32 *bk = p; >+ > p = encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > if (resp->status == 0) { > *p++ = htonl(resp->len); > xdr_ressize_check(rqstp, p); >@@ -726,7 +765,13 @@ int > nfs3svc_encode_readres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_readres *resp) > { >+ u32 *bk = p; >+ > p = encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > if (resp->status == 0) { > *p++ = htonl(resp->count); > *p++ = htonl(resp->eof); >@@ -751,7 +796,13 @@ int > nfs3svc_encode_writeres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_writeres *resp) > { >+ u32 *bk = p; >+ > p = encode_wcc_data(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > if (resp->status == 0) { > *p++ = htonl(resp->count); > *p++ = htonl(resp->committed); >@@ -766,12 +817,21 @@ int > nfs3svc_encode_createres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_diropres *resp) > { >+ u32 *bk = p; >+ > if (resp->status == 0) { > *p++ = xdr_one; > p = encode_fh(p, &resp->fh); > p = encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) >+ goto encode_err; > } > p = encode_wcc_data(rqstp, p, &resp->dirfh); >+ if (IS_ERR(p)) { >+encode_err: >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > return xdr_ressize_check(rqstp, p); > } > >@@ -780,8 +840,17 @@ int > nfs3svc_encode_renameres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_renameres *resp) > { >+ u32 *bk = p; >+ > p = encode_wcc_data(rqstp, p, &resp->ffh); >+ if (IS_ERR(p)) >+ goto encode_err; > p = encode_wcc_data(rqstp, p, &resp->tfh); >+ if (IS_ERR(p)) { >+encode_err: >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > return xdr_ressize_check(rqstp, p); > } > >@@ -790,8 +859,17 @@ int > nfs3svc_encode_linkres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_linkres *resp) > { >+ u32 *bk = p; >+ > p = encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) >+ goto encode_err; > p = encode_wcc_data(rqstp, p, &resp->tfh); >+ if (IS_ERR(p)) { >+encode_err: >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > return xdr_ressize_check(rqstp, p); > } > >@@ -800,7 +878,13 @@ int > nfs3svc_encode_readdirres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_readdirres *resp) > { >+ u32 *bk = p; >+ > p = encode_post_op_attr(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > > if (resp->status == 0) { > /* stupid readdir cookie */ >@@ -840,8 +924,12 @@ encode_entryplus_baggage(struct nfsd3_re > struct svc_fh *fhp) > { > p = encode_post_op_attr(cd->rqstp, p, fhp); >+ if (IS_ERR(p)) >+ goto fh_put_ret; > *p++ = xdr_one; /* yes, a file handle follows */ > p = encode_fh(p, fhp); >+ >+fh_put_ret: > fh_put(fhp); > return p; > } >@@ -942,6 +1030,7 @@ encode_entry(struct readdir_cd *ccd, con > > if ((caddr_t)(cd->buffer + elen) < (curr_page_addr + PAGE_SIZE)) { > /* encode entry in current page */ >+ u32 *bk = p; > > p = encode_entry_baggage(cd, p, name, namlen, ino); > >@@ -952,8 +1041,11 @@ encode_entry(struct readdir_cd *ccd, con > if (compose_entry_fh(cd, &fh, name, namlen) > 0) { > *p++ = 0; > *p++ = 0; >- } else >+ } else { > p = encode_entryplus_baggage(cd, p, &fh); >+ if (IS_ERR(p)) >+ p = bk; >+ } > } > num_entry_words = p - cd->buffer; > } else if (cd->rqstp->rq_respages[pn+1] != NULL) { >@@ -961,9 +1053,11 @@ encode_entry(struct readdir_cd *ccd, con > * current and next page in rq_respages[] */ > u32 *p1, *tmp; > int len1, len2; >+ u32 *bk; > > /* grab next page for temporary storage of entry */ > p1 = tmp = page_address(cd->rqstp->rq_respages[pn+1]); >+ bk = p1; > > p1 = encode_entry_baggage(cd, p1, name, namlen, ino); > >@@ -975,8 +1069,11 @@ encode_entry(struct readdir_cd *ccd, con > /* zero out the filehandle */ > *p1++ = 0; > *p1++ = 0; >- } else >+ } else { > p1 = encode_entryplus_baggage(cd, p1, &fh); >+ if (IS_ERR(p1)) >+ p1 = bk; >+ } > } > > /* determine entry word length and lengths to go in pages */ >@@ -1133,7 +1230,13 @@ int > nfs3svc_encode_commitres(struct svc_rqst *rqstp, u32 *p, > struct nfsd3_commitres *resp) > { >+ u32 *bk = p; >+ > p = encode_wcc_data(rqstp, p, &resp->fh); >+ if (IS_ERR(p)) { >+ *(bk-1) = resp->status = nfserrno(PTR_ERR(p)); >+ p = bk; >+ } > /* Write verifier */ > if (resp->status == 0) { > *p++ = htonl(nfssvc_boot.tv_sec);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=317571">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 463720
:
317571
|
328723
|
328727