android_kernel_google_msm/fs
Trond Myklebust 143f412eb4 [PATCH] NFS: Fix a potential panic in O_DIRECT
Based on an original patch by Mike O'Connor and Greg Banks of SGI.

Mike states:

A normal user can panic an NFS client and cause a local DoS with
'judicious'(?) use of O_DIRECT.  Any O_DIRECT write to an NFS file where the
user buffer starts with a valid mapped page and contains an unmapped page,
will crash in this way.  I haven't followed the code, but O_DIRECT reads with
similar user buffers will probably also crash albeit in different ways.

Details: when nfs_get_user_pages() calls get_user_pages(), it detects and
correctly handles get_user_pages() returning an error, which happens if the
first page covered by the user buffer's address range is unmapped.  However,
if the first page is mapped but some subsequent page isn't, get_user_pages()
will return a positive number which is less than the number of pages requested
(this behaviour is sort of analogous to a short write() call and appears to be
intentional).  nfs_get_user_pages() doesn't detect this and hands off the
array of pages (whose last few elements are random rubbish from the newly
allocated array memory) to its caller, whence they go to
nfs_direct_write_seg(), which then totally ignores the nr_pages it's given,
and calculates its own idea of how many pages are in the array from the user
buffer length.  Needless to say, when it comes to transmit those uninitialised
page* pointers, we see a crash in the network stack.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-03-14 07:57:17 -08:00
9p [PATCH] v9fs: fix for access to unitialized variables or freed memory 2006-03-08 14:14:02 -08:00
adfs [PATCH] changing CONFIG_LOCALVERSION rebuilds too much, for no good reason 2005-11-09 07:55:57 -08:00
affs [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
afs add loglevel to printk in fs/afs/cmservice.c 2006-01-11 01:52:40 +01:00
autofs [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
autofs4 [PATCH] autofs4 oops fix 2006-01-14 18:25:19 -08:00
befs remove unused fs/befs/attribute.c 2005-11-08 16:54:53 +01:00
bfs
cifs [CIFS] Always match oplock break (cache notification) to the right tcp 2006-03-05 03:39:55 +00:00
coda [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
configfs [PATCH] BUG_ON() Conversion in fs/configfs/ 2006-02-03 14:03:09 -08:00
cramfs [PATCH] cramfs mounts provide corrupted content since 2.6.15 2006-03-06 18:40:43 -08:00
debugfs [PATCH] debugfs: trivial comment fix 2006-02-06 12:17:18 -08:00
devfs [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
devpts [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
efs return statement cleanup - kill pointless parentheses 2006-01-15 02:37:08 +01:00
exportfs [PATCH] exportfs: add find_acceptable_alias helper 2006-01-18 19:20:28 -08:00
ext2 [PATCH] fix deadlock in ext2 2006-02-17 13:59:26 -08:00
ext3 [PATCH] ext3: fix nobh mode for chattr +j inodes 2006-03-11 09:19:34 -08:00
fat [PATCH] fat: Fix truncate() write ordering 2006-02-03 08:32:10 -08:00
freevxfs [PATCH] fix possible PAGE_CACHE_SHIFT overflows 2006-01-08 20:13:54 -08:00
fuse [PATCH] fuse: fix bug in negative lookup 2006-02-28 20:53:43 -08:00
hfs [PATCH] hfs: cleanup HFS prints 2006-01-18 19:20:23 -08:00
hfsplus [PATCH] hfs: set type/creator for symlinks 2006-01-18 19:20:23 -08:00
hostfs [PATCH] uml: hostfs - fix possible PAGE_CACHE_SHIFT overflows 2005-12-29 09:48:15 -08:00
hpfs [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
hppfs [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
hugetlbfs [PATCH] mm: hugepage accounting fix 2006-02-01 08:53:15 -08:00
isofs [PATCH] isofs: remove d_splice_alias NULL check from isofs_lookup 2006-01-14 18:27:12 -08:00
jbd [PATCH] jbd: revert checkpoint list changes 2006-02-14 16:09:34 -08:00
jffs [PATCH] fs/jffs/intrep.c: 255 is unsigned char 2006-02-03 08:32:05 -08:00
jffs2 [PATCH] mtd: 64 bit fixes 2006-03-09 19:47:37 -08:00
jfs [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
lockd [PATCH] NLM: Fix the NLM_GRANTED callback checks 2006-02-14 16:09:34 -08:00
minix
msdos
ncpfs [PATCH] ncpfs: remove kmalloc wrapper 2006-01-14 18:27:12 -08:00
nfs [PATCH] NFS: Fix a potential panic in O_DIRECT 2006-03-14 07:57:17 -08:00
nfs_common
nfsd [PATCH] knfsd: fix nfs4_open lock leak 2006-02-07 16:12:31 -08:00
nls
ntfs NTFS: Do more detailed reporting of why we cannot mount read-write by 2006-02-24 10:48:14 +00:00
ocfs2 [PATCH] ocfs2: use hlists for lockres hash 2006-03-01 12:18:16 -08:00
openpromfs [PATCH] kfree cleanup: fs 2005-11-07 07:54:06 -08:00
partitions [PATCH] s390: dasd partition detection 2006-03-08 14:14:01 -08:00
proc [PATCH] smaps: shared fix 2006-03-06 18:40:45 -08:00
qnx4 fs/qnx4/bitmap.c: #if 0 qnx4_new_block() 2006-01-03 13:21:37 +01:00
ramfs [PATCH] ramfs needs to update directory m/ctime on symlink 2006-03-06 18:40:45 -08:00
reiserfs [PATCH] reiserfs: fix unaligned bitmap usage 2006-03-02 10:37:59 -08:00
relayfs [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
romfs [PATCH] fix possible PAGE_CACHE_SHIFT overflows 2006-01-08 20:13:54 -08:00
smbfs [PATCH] smbfs readdir vs signal fix 2006-02-01 08:53:09 -08:00
sysfs [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
sysv correct email address of Manfred Spraul 2006-01-15 02:43:54 +01:00
udf [PATCH] udf: fix uid/gid options and add uid/gid=ignore and forget options 2006-03-08 14:14:00 -08:00
ufs [PATCH] ufs: fix hang during `rm' 2006-02-03 08:32:04 -08:00
vfat
xfs [XFS] Don't map non-uptodate buffers in xfs_probe_cluster; also fixes 2006-02-28 12:30:30 +11:00
aio.c [PATCH] rcu file: use atomic primitives 2006-01-08 20:13:48 -08:00
attr.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
bad_inode.c
binfmt_aout.c [PATCH] dump_thread() cleanup 2006-01-10 08:01:25 -08:00
binfmt_elf.c [PATCH] x86_64: Check for bad elf entry address. 2006-02-26 09:53:30 -08:00
binfmt_elf_fdpic.c [PATCH] fs/binfmt_elf: Remove unneeded kmalloc() return value casts 2006-01-10 08:02:01 -08:00
binfmt_em86.c
binfmt_flat.c [PATCH] uclinux: delay binfmt_flat trace 2006-01-10 09:31:27 -08:00
binfmt_misc.c [PATCH] Unlinline a bunch of other functions 2006-01-14 18:27:06 -08:00
binfmt_script.c
binfmt_som.c
bio.c [BLOCK] A few kerneldoc fixups 2006-01-31 15:24:34 +01:00
block_dev.c [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
buffer.c [PATCH] Trivial optimization of ll_rw_block() 2006-02-03 08:32:10 -08:00
char_dev.c [PATCH] convert /proc/devices to use seq_file interface 2006-01-14 18:25:19 -08:00
compat.c [PATCH] select: time comparison fixes 2006-02-17 13:59:28 -08:00
compat_ioctl.c [NET] compat ifconf: fix limits 2006-03-08 16:46:08 -08:00
dcache.c [PATCH] fix file counting 2006-03-08 14:14:01 -08:00
dcookies.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
direct-io.c [PATCH] fix O_DIRECT read of last block in a sparse file 2006-02-03 08:32:07 -08:00
dnotify.c
dquot.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
drop_caches.c [PATCH] drop-pagecache 2006-01-08 20:12:40 -08:00
eventpoll.c
exec.c [PATCH] Add mm->task_size and fix powerpc vdso 2006-02-28 20:53:44 -08:00
fcntl.c [PATCH] fcntl F_SETFL and read-only IS_APPEND files 2006-02-03 08:32:07 -08:00
fifo.c Simplify fifo_open() locking logic 2006-03-07 09:16:35 -08:00
file.c [PATCH] percpu data: only iterate over possible CPUs 2006-02-05 11:06:51 -08:00
file_table.c [PATCH] fix file counting 2006-03-08 14:14:01 -08:00
filesystems.c
fs-writeback.c [PATCH] kernel-docs: fix kernel-doc format problems 2005-11-07 07:53:55 -08:00
inode.c [PATCH] DocBook: fix some kernel-doc comments in fs and block 2006-02-01 08:53:27 -08:00
inotify.c [PATCH] inotify: fix one-shot support 2006-02-07 16:12:33 -08:00
ioctl.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
ioprio.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
Kconfig o Remove confusing Kconfig text for CONFIGFS_FS. 2006-02-03 13:47:17 -08:00
Kconfig.binfmt [PATCH] frv: suppress configuration of certain features for FRV 2006-01-08 20:13:36 -08:00
libfs.c [PATCH] debugfs: hard link count wrong 2006-02-03 08:32:11 -08:00
locks.c [PATCH] tiny: Uninline some fslocks.c functions 2006-01-08 20:14:10 -08:00
Makefile [PATCH] sanitize building of fs/compat_ioctl.c 2006-01-10 08:01:33 -08:00
mbcache.c [PATCH] Unlinline a bunch of other functions 2006-01-14 18:27:06 -08:00
mpage.c [PATCH] fix possible PAGE_CACHE_SHIFT overflows 2006-01-08 20:13:54 -08:00
namei.c [PATCH] ext3: ext3_symlink should use GFP_NOFS allocations inside 2006-03-11 09:19:34 -08:00
namespace.c [PATCH] umount_tree() decrements mount count on wrong dentry 2006-02-07 21:01:15 -05:00
nfsctl.c [PATCH] EDAC: atomic scrub operations 2006-01-18 19:20:30 -08:00
open.c [PATCH] vfs: *at functions: core 2006-01-18 19:20:29 -08:00
pipe.c Mark the pipe file operations static 2006-03-08 14:03:09 -08:00
pnode.c [PATCH] shared mounts: cleanup 2006-01-08 20:13:56 -08:00
pnode.h [PATCH] unbindable mounts 2005-11-07 18:18:11 -08:00
posix_acl.c
quota.c [PATCH] capable/capability.h (fs/) 2006-01-11 18:42:13 -08:00
quota_v1.c
quota_v2.c [PATCH] quota_v2: printk warning fixes 2006-02-03 08:32:03 -08:00
read_write.c [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
readdir.c [PATCH] mutex subsystem, semaphore to mutex: VFS, ->i_sem 2006-01-09 15:59:24 -08:00
select.c [PATCH] select: time comparison fixes 2006-02-17 13:59:28 -08:00
seq_file.c [PATCH] allow callers of seq_open do allocation themselves 2005-11-07 18:18:09 -08:00
stat.c [PATCH] fstatat64 support 2006-02-11 21:41:10 -08:00
super.c Revert mount/umount uevent removal 2006-02-22 09:39:02 -08:00
xattr.c [PATCH] move xattr permission checks into the VFS 2006-01-10 08:01:29 -08:00
xattr_acl.c