
From: Yang Erkun <yangerkun@huawei.com> mainline inclusion from mainline-v6.14-rc1 commit c224edca7af028828e2ad866b61d731b5e72b46d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAER CVE: CVE-2024-53216 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- rcu_read_lock/rcu_read_unlock has already provide protection for the pointer we will reference when we call e_show. Therefore, there is no need to obtain a cache reference to help protect cache_head. Additionally, the .put such as expkey_put/svc_export_put will invoke dput, which can sleep and break rcu. Stop get cache reference to fix them all. Fixes: ae74136b4bb6 ("SUNRPC: Allow cache lookups to use RCU protection rather than the r/w spinlock") Suggested-by: NeilBrown <neilb@suse.de> Signed-off-by: Yang Erkun <yangerkun@huawei.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Li Lingfeng <lilingfeng@huaweicloud.com> --- fs/nfsd/export.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c index 265f00d3ed25..81cf2ccfd2e8 100644 --- a/fs/nfsd/export.c +++ b/fs/nfsd/export.c @@ -1246,13 +1246,9 @@ static int e_show(struct seq_file *m, void *p) return 0; } - if (!cache_get_rcu(&exp->h)) + if (cache_check_rcu(cd, &exp->h, NULL)) return 0; - if (cache_check(cd, &exp->h, NULL)) - return 0; - - exp_put(exp); return svc_export_show(m, cd, cp); } -- 2.39.2
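Review bot: The cache_check_rcu() call that replaces the cache_get_rcu()/cache_check() pair in e_show() has no definition in this patch: the diffstat covers only fs/nfsd/export.c with a single insertion, so the helper has to come from a prerequisite change. For this backport, confirm that the prerequisite is already in the target tree, or queue it ahead of this patch, since the build fails without it. Because e_show() no longer takes a reference on exp->h, a short comment above the check would also help. It should state that the entry is protected only by the caller's RCU read-side section and that nothing on this path may sleep, so that a later change does not reintroduce a get/put pair here.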