Bugzilla – Bug 732613
VUL-1: CVE-2011-4324: kernel: nfsv4: mknod(2) DoS
Last modified: 2019-04-28 06:53:21 UTC
-----------------------------------------------------------------------
This only affects the Linux kernel as shipped with Red Hat Enterprise Linux 5.

It is possible to trigger the BUG() in fs/nfs/nfs4xdr.c on an NFSv4 mount. This patch fixed the problem, although we only backported the relevant parts of the patch, http://git.kernel.org/linus/dc0b027dfadfcb8a5504f7d8052754bf8d501ab9.

https://bugzilla.redhat.com/CVE-2011-4324

Thanks,
Eugene
-----------------------------------------------------------------------
Are we talking about the following hunk? @@ -969,7 +969,7 @@ static void encode_share_access(struct xdr_stream *xdr, int open_flags) WRITE32(NFS4_SHARE_ACCESS_BOTH); break; default: - BUG(); + WRITE32(0); } WRITE32(0); /* for linux, share_deny = 0 always */ } If yes then how we can ever bug on that? The switch looks as follows: switch (open_flags & (FMODE_READ|FMODE_WRITE)) { case FMODE_READ: WRITE32(NFS4_SHARE_ACCESS_READ); break; case FMODE_WRITE: WRITE32(NFS4_SHARE_ACCESS_WRITE); break; case FMODE_READ|FMODE_WRITE: WRITE32(NFS4_SHARE_ACCESS_BOTH); break; default: BUG(); } At least in SLES10* branches. The mentioned patch has been introduced in 2.6.29 so all other kernels should be unaffected. Or am I overlooking something?
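Review bot: the replacement `WRITE32(0)` in the default arm should carry a comment saying it is the share_access word (0 = no access), because it is immediately followed by the unchanged `WRITE32(0); /* for linux, share_deny = 0 always */` and two adjacent zero writes without an explanation read as a duplicate; the later confusion in this thread about whether "a single write32(0) would be sufficient" is exactly that misreading. Something like `WRITE32(0); /* share_access: no access */` in the default arm would make the two fields obvious.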
ping
When open_flags & (FMODE_READ|FMODE_WRITE) == 0 the default case will be used. Likely mknod triggers this path somehow. And yes, this seems to be the integral part.
OK, I see. mknod with a proper mode could trigger this. I guess that open with O_CREATE will do the same? Anyway, I will attach the patch in the next comment.
Created attachment 472537 [details] fix for sles10-sp3-td I will apply this patch to sles10sp4 as well but I would like another pair of eyes on this.
Hi Michal, your patch simply removes the BUG, whereas comment #1 and the upstream code replace it with WRITE32(0);. I think you really do want the 'WRITE32' there.
OK, thanks for pointing this out. I thought that a single write32(0) would be sufficient. I will update the patch.
Created attachment 473200 [details] updated fix for sles10-sp3-td
Niel, could you confirm that the patch is OK? I am also a little bit confused about the double WRITE32(0). Could you clarify this a bit, please?
Yes, patch looks fine. The code is building an RPC request to send to the server. Each WRITE32() enters a specific field into the request. If you leave one out, then all the following fields will be incorrectly aligned and so will be misunderstood by the server.
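The field-alignment point in the comment above, as an added example that is not part of this bug or of the kernel source: a tiny stand-in for the XDR stream that appends big-endian 32-bit words, the share_access switch from nfs4xdr.c in its fixed form (default arm emits 0) beside the first draft that merely dropped the BUG(), and a "server side" decoder that reads share_access, share_deny and the next word. The FMODE_* and NFS4_SHARE_ACCESS_* values match the kernel headers; the `NEXT_FIELD_MARKER` constant and the `roundtrip` helper are constructed here to make the misalignment visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values as in the kernel headers (include/linux/fs.h, include/linux/nfs4.h). */
#define FMODE_READ              0x1
#define FMODE_WRITE             0x2
#define NFS4_SHARE_ACCESS_READ  0x0001
#define NFS4_SHARE_ACCESS_WRITE 0x0002
#define NFS4_SHARE_ACCESS_BOTH  0x0003

/* Constructed stand-in for whatever the OPEN request encodes after share_deny. */
#define NEXT_FIELD_MARKER 0xABCD1234u

/* Minimal stand-in for struct xdr_stream: a fixed buffer of big-endian words. */
struct xdr_buf {
    uint8_t data[64];
    size_t  len;
};

static void write32(struct xdr_buf *x, uint32_t v)
{
    x->data[x->len++] = (uint8_t)(v >> 24);
    x->data[x->len++] = (uint8_t)(v >> 16);
    x->data[x->len++] = (uint8_t)(v >> 8);
    x->data[x->len++] = (uint8_t)v;
}

static uint32_t read32(const struct xdr_buf *x, size_t *pos)
{
    const uint8_t *p = x->data + *pos;
    *pos += 4;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The switch from encode_share_access(); -1 marks the arm where the old code hit BUG(). */
static int share_access_word(int open_flags)
{
    switch (open_flags & (FMODE_READ | FMODE_WRITE)) {
    case FMODE_READ:               return NFS4_SHARE_ACCESS_READ;
    case FMODE_WRITE:              return NFS4_SHARE_ACCESS_WRITE;
    case FMODE_READ | FMODE_WRITE: return NFS4_SHARE_ACCESS_BOTH;
    default:                       return -1;   /* old code: BUG() */
    }
}

/* Fixed form: the default arm emits share_access = 0, then share_deny = 0 follows as before. */
static void encode_share_access_fixed(struct xdr_buf *x, int open_flags)
{
    int w = share_access_word(open_flags);
    write32(x, w < 0 ? 0 : (uint32_t)w);   /* upstream: WRITE32(0) instead of BUG() */
    write32(x, 0);                          /* for linux, share_deny = 0 always */
}

/* First draft from this thread: BUG() removed, nothing written in its place, one word short. */
static void encode_share_access_dropped(struct xdr_buf *x, int open_flags)
{
    int w = share_access_word(open_flags);
    if (w >= 0)
        write32(x, (uint32_t)w);
    write32(x, 0);                          /* share_deny */
}

struct decoded { uint32_t share_access, share_deny, next; };

/* Server side: read the words in the order the protocol defines them. */
static struct decoded decode(const struct xdr_buf *x)
{
    size_t pos = 0;
    struct decoded d;
    d.share_access = read32(x, &pos);
    d.share_deny   = read32(x, &pos);
    d.next         = read32(x, &pos);
    return d;
}

/* Encode with the given encoder, append the marker the next field would occupy, decode. */
static struct decoded roundtrip(void (*enc)(struct xdr_buf *, int), int open_flags)
{
    struct xdr_buf x = { {0}, 0 };
    enc(&x, open_flags);
    write32(&x, NEXT_FIELD_MARKER);
    return decode(&x);
}

int main(void)
{
    /* open_flags with neither FMODE_READ nor FMODE_WRITE is the arm the report's mknod reaches. */
    struct decoded good = roundtrip(encode_share_access_fixed, 0);
    struct decoded bad  = roundtrip(encode_share_access_dropped, 0);
    printf("fixed:   access=%u deny=%u next=0x%08x\n", good.share_access, good.share_deny, good.next);
    printf("dropped: access=%u deny=0x%08x next=0x%08x (server misreads from share_deny on)\n",
           bad.share_access, bad.share_deny, bad.next);
    return 0;
}
```

With the one-word-short encoder the server reads the marker as share_deny and whatever follows as the next field, which is the misalignment the comment describes; with the fixed encoder the marker lands where the server expects it.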
OK, thanks for the clarification. I have pushed the fix into the SLES10-SP3-TD and SLES10_SP4_BRANCH branches. The patch for sles9 will follow.
Created attachment 473745 [details] fix for sles9
Pushed to SLES9-SP3-TD and SLES9_SP4_BRANCH. I guess we are done here.
That should cover all affected. Thanks!
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-xen, kernel-xen-debug, um-host-kernel, xen-kmp, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
We have just released a SUSE Linux Enterprise 10 SP4 kernel update that fixes/mentions this bug. The released version was 2.6.16.60-0.97.1.
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP4 (i386) SLE-DESKTOP 10-SP4 (i386) SLE-SDK 10-SP4 (i386) SLE-SERVER 10-SP4 (i386)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP4 (ia64) SLE-SDK 10-SP4 (ia64) SLE-SERVER 10-SP4 (ia64)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-DEBUGINFO 10-SP4 (x86_64) SLE-DESKTOP 10-SP4 (x86_64) SLE-SDK 10-SP4 (x86_64) SLE-SERVER 10-SP4 (x86_64)
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP4 (ppc) SLE-SDK 10-SP4 (ppc) SLE-SERVER 10-SP4 (ppc)
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP4 (s390x) SLE-SERVER 10-SP4 (s390x)
The SWAMPID for this issue is 54954. This issue was rated as moderate. Please submit fixed packages until 2013-11-20. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP3 (s390x) SLE-SERVER 10-SP3-LTSS (s390x)
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP3 (i386) SLE-SERVER 10-SP3-LTSS (i386)