From: Jeff Layton <jlayton@kernel.org> mainline inclusion from mainline-v6.15-rc1 commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC1QT8 CVE: CVE-2025-22026 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM. Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.c... Cc: stable@vger.kernel.org # v6.9 Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Conflicts: fs/nfsd/nfsctl.c fs/nfsd/stats.c fs/nfsd/stats.h [Commit 73598a0cfb21 ("nfsd: don't allocate the versions array.") declare an array to the max size instead of using kmalloc to allocate an array; commit 7d12cce8784c ("fs: nfsd: use group allocation/free of per-cpu counters API") remove some functions;] Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com> --- fs/nfsd/nfsctl.c | 9 ++++++++- fs/nfsd/stats.c | 4 ++-- fs/nfsd/stats.h | 2 +- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c index 887035b74467..f9015635fb37 100644 --- a/fs/nfsd/nfsctl.c +++ b/fs/nfsd/nfsctl.c @@ -1527,17 +1527,24 @@ static __net_init int nfsd_net_init(struct net *net) retval = nfsd_stat_counters_init(nn); if (retval) goto out_repcache_error; + memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats)); nn->nfsd_svcstats.program = &nfsd_program; + if (!nfsd_proc_stat_init(net)) { + retval = -ENOMEM; + goto out_proc_error; + } + nn->nfsd_versions = NULL; nn->nfsd4_minorversions = NULL; nfsd4_init_leases_net(nn); get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key)); seqlock_init(&nn->writeverf_lock); - nfsd_proc_stat_init(net); return 0; +out_proc_error: + nfsd_stat_counters_destroy(nn); out_repcache_error: nfsd_idmap_shutdown(net); out_idmap_error: diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c index 9f606fa08bd4..0a629a18831f 100644 --- a/fs/nfsd/stats.c +++ b/fs/nfsd/stats.c @@ -115,11 +115,11 @@ void nfsd_stat_counters_destroy(struct nfsd_net *nn) nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM); } -void nfsd_proc_stat_init(struct net *net) +struct proc_dir_entry *nfsd_proc_stat_init(struct net *net) { struct nfsd_net *nn = net_generic(net, nfsd_net_id); - svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops); + return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops); } void nfsd_proc_stat_shutdown(struct net *net) diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h index d2753e975dfd..b1f7d21cbcd1 100644 --- a/fs/nfsd/stats.h +++ b/fs/nfsd/stats.h @@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct percpu_counter *counters, int num); void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num); int nfsd_stat_counters_init(struct nfsd_net *nn); void nfsd_stat_counters_destroy(struct nfsd_net *nn); -void nfsd_proc_stat_init(struct net *net); +struct proc_dir_entry *nfsd_proc_stat_init(struct net *net); void nfsd_proc_stat_shutdown(struct net *net); static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn) -- 2.46.1