summaryrefslogtreecommitdiffstats
path: root/Documentation/robust-futex-ABI.txt
diff options
context:
space:
mode:
authorKinglong Mee <kinglongmee@gmail.com>2014-07-07 16:10:56 +0200
committerJ. Bruce Fields <bfields@redhat.com>2014-07-23 16:31:56 +0200
commitf98bac5a30b60a2fca854dd5ee7256221d8ccf0a (patch)
treede5ccad7c101e5f307f7cd3686477675de40b81c /Documentation/robust-futex-ABI.txt
parentnfsd: Fix bad reserving space for encoding rdattr_error (diff)
downloadlinux-f98bac5a30b60a2fca854dd5ee7256221d8ccf0a.tar.xz
linux-f98bac5a30b60a2fca854dd5ee7256221d8ccf0a.zip
NFSD: Fix crash encoding lock reply on 32-bit
Commit 8c7424cff6 "nfsd4: don't try to encode conflicting owner if low on space" forgot to free conf->data in nfsd4_encode_lockt and before sign conf->data to NULL in nfsd4_encode_lock_denied, causing a leak. Worse, kfree() can be called on an uninitialized pointer in the case of a succesful lock (or one that fails for a reason other than a conflict). (Note that lock->lk_denied.ld_owner.data appears it should be zero here, until you notice that it's one arm of a union the other arm of which is written to in the succesful case by the memcpy(&lock->lk_resp_stateid, &lock_stp->st_stid.sc_stateid, sizeof(stateid_t)); in nfsd4_lock(). In the 32-bit case this overwrites ld_owner.data.) Signed-off-by: Kinglong Mee <kinglongmee@gmail.com> Fixes: 8c7424cff6 ""nfsd4: don't try to encode conflicting owner if low on space" Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'Documentation/robust-futex-ABI.txt')
0 files changed, 0 insertions, 0 deletions