[PATCH OLK-5.10] nfsd: call cache_put if xdr_reserve_space returns NULL - Kernel

22 Oct 2024

From: Guoqing Jiang guoqing.jiang@linux.dev
stable inclusion
from stable-v5.10.227
commit 9f03f0016ff797932551881c7e06ae50e9c39134
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRM
CVE: CVE-2024-47737
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ]
If not enough buffer space available, but idmap_lookup has triggered
lookup_fn which calls cache_get and returns successfully. Then we
missed to call cache_put here which pairs with cache_get.
Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding")
Signed-off-by: Guoqing Jiang guoqing.jiang@linux.dev
Reviwed-by: Jeff Layton jlayton@kernel.org
Signed-off-by: Chuck Lever chuck.lever@oracle.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Li Lingfeng lilingfeng3@huawei.com
---
 fs/nfsd/nfs4idmap.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c
index f92161ce1f97..9062b5e14b66 100644
--- a/fs/nfsd/nfs4idmap.c
+++ b/fs/nfsd/nfs4idmap.c
@@ -580,6 +580,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
    	.id = id,
    	.type = type,
    };
+	__be32 status = nfs_ok;
    __be32 *p;
    int ret;
    struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
@@ -592,12 +593,16 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
    	return nfserrno(ret);
    ret = strlen(item->name);
    WARN_ON_ONCE(ret > IDMAP_NAMESZ);
+
    p = xdr_reserve_space(xdr, ret + 4);
-	if (!p)
-		return nfserr_resource;
-	p = xdr_encode_opaque(p, item->name, ret);
+	if (unlikely(!p)) {
+		status = nfserr_resource;
+		goto out_put;
+	}
+	xdr_encode_opaque(p, item->name, ret);
+out_put:
    cache_put(&item->h, nn->idtoname_cache);
-	return 0;
+	return status;
 }
static bool
-- 
2.31.1


    