Description of problem:
When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page to which argp->p now points. Subsequent calls to READ_BUF will therefore think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison, so a negative difference becomes a huge positive one), so we can expect to fall off the end of the second page. We never encountered this in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that.
Upstream commit: http://git.kernel.org/linus/2bc3c1179c781b359d4f2f3439cb3df72afc17fc
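The following is an added illustration, not kernel code and not part of this bug report: a simplified model of the decoder's cursor/end bookkeeping and the READ_BUF space check described above. The struct and function names (xdr_cursor, advance_buggy, advance_fixed, believed_space, real_space) are hypothetical, the page size is shrunk to 64 bytes, and the pages are deliberately laid out in descending address order (constructed) so that a stale end pointer lands at a deterministic place. It shows the two effects the report names: after a page switch that does not recompute end, the check believes far more space is left than the current page holds, and when end ends up below p the u32 cast wraps the difference to a huge value, so the bound can never fail in that direction. The corrected switch ties end to the page p now points into.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_BYTES 64                       /* constructed: tiny pages keep the walk readable */
#define WORDS_PER_PAGE (PAGE_BYTES / 4)     /* XDR words are 4 bytes */
#define NPAGES 3

/* Hypothetical stand-in for the decoder's argument state (not the kernel's
 * own struct): p walks XDR words, end is meant to mark the end of the page
 * that p is currently in. */
struct xdr_cursor {
    uint32_t *page[NPAGES];   /* page list */
    int cur;                  /* index of the page p points into */
    uint32_t *p;
    uint32_t *end;
};

/* Backing store. Pages are laid out in descending address order (constructed)
 * so a stale end from page 0 lies above pages 1 and 2. In the kernel the pages
 * come from anywhere, which is why a stale end is "essentially a random number". */
static uint32_t backing[NPAGES * WORDS_PER_PAGE];

static void cursor_init(struct xdr_cursor *c)
{
    for (int i = 0; i < NPAGES; i++)
        c->page[i] = backing + (NPAGES - 1 - i) * WORDS_PER_PAGE;
    c->cur = 0;
    c->p = c->page[0];
    c->end = c->page[0] + WORDS_PER_PAGE;
}

/* Space the READ_BUF check believes is left. The u32 cast reproduces the
 * unsigned comparison: a negative difference wraps to a huge positive value. */
static uint32_t believed_space(const struct xdr_cursor *c)
{
    return (uint32_t)((char *)c->end - (char *)c->p);
}

/* Space really left in the page p points into. */
static uint32_t real_space(const struct xdr_cursor *c)
{
    return (uint32_t)((char *)(c->page[c->cur] + WORDS_PER_PAGE) - (char *)c->p);
}

/* Page switch modelled on the flaw: p moves to the next page but end is not
 * recomputed from that page, so it keeps pointing wherever it did before. */
static int advance_buggy(struct xdr_cursor *c)
{
    if (c->cur + 1 >= NPAGES)
        return -1;
    c->cur++;
    c->p = c->page[c->cur];
    /* end intentionally left stale: this is the defect */
    return 0;
}

/* Corrected page switch: end is derived from the page p now points to. */
static int advance_fixed(struct xdr_cursor *c)
{
    if (c->cur + 1 >= NPAGES)
        return -1;
    c->cur++;
    c->p = c->page[c->cur];
    c->end = c->p + WORDS_PER_PAGE;
    return 0;
}

/* Would READ_BUF(nbytes) be accepted at the current position, and would that
 * actually stay inside the current page? A defender wants these to agree. */
static int check_accepts(const struct xdr_cursor *c, uint32_t nbytes)
{
    return nbytes <= believed_space(c);
}

static int check_is_safe(const struct xdr_cursor *c, uint32_t nbytes)
{
    return nbytes <= real_space(c);
}

/* Cross two page boundaries with the given switch and report what the check
 * then believes is left on the third page. */
static uint32_t believed_after_two_switches(int (*advance)(struct xdr_cursor *))
{
    struct xdr_cursor c;
    cursor_init(&c);
    advance(&c);
    advance(&c);
    return believed_space(&c);
}

/* The u32 wrap: end sitting 64 bytes below p reads as ~4 GiB of space. */
static uint32_t believed_with_end_below_p(void)
{
    struct xdr_cursor c;
    cursor_init(&c);
    c.end = c.page[1];   /* page 1 sits PAGE_BYTES below page 0 in this layout */
    return believed_space(&c);
}

int main(void)
{
    struct xdr_cursor c;
    cursor_init(&c);
    advance_buggy(&c);
    printf("buggy, page 1: believed %u bytes, real %u bytes; READ_BUF(100) accepted=%d safe=%d\n",
           believed_space(&c), real_space(&c), check_accepts(&c, 100), check_is_safe(&c, 100));
    printf("buggy after two switches: %u bytes believed\n", believed_after_two_switches(advance_buggy));
    printf("fixed after two switches: %u bytes believed\n", believed_after_two_switches(advance_fixed));
    printf("end below p wraps to: %u\n", believed_with_end_below_p());
    return 0;
}
```

The point of the model is the last two functions: the check is only as good as the end pointer it compares against, and because the comparison is unsigned, a wrong end can only ever make the decoder accept too much, never too little. The fix is simply to derive end from the page p was just moved to.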
Introduced in commits 89fc0a31 (v2.5.49) and 099e99f0 (v2.6.0-test3). Fixed in v2.6.34-rc6.
Statement:
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, as it did not include support for Network File System (NFS) version 4. Future updates in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG may address this flaw.
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 via RHSA-2010:0606 https://rhn.redhat.com/errata/RHSA-2010-0606.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 via RHSA-2010:0610 https://rhn.redhat.com/errata/RHSA-2010-0610.html
This issue has been addressed in the following products: MRG for RHEL-5 via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
This is not an issue for mrg-1.3 [bug #612031] since we are based on a stable release that already includes this fix.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.3.Z - Server Only via RHSA-2010:0893 https://rhn.redhat.com/errata/RHSA-2010-0893.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.4.Z - Server Only via RHSA-2010:0907 https://rhn.redhat.com/errata/RHSA-2010-0907.html