Li Lingfeng (1): nfs: fix memory leak in error path of nfs4_do_reclaim
Yang Erkun (1): nfs: maintain nfs_server in the reclaim process
 fs/nfs/nfs4state.c | 9 +++++++++
 1 file changed, 9 insertions(+)
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12887 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/P...
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAOYZS
CVE: NA
--------------------------------
Commit c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()") separated out the freeing of the state owners from nfs4_purge_state_owners() and finished it outside the rcu lock. However, the error path was omitted. As a result, the state owners in "freeme" will not be released. Fix it by adding the freeing in the error path.
Fixes: c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()")
Signed-off-by: Li Lingfeng lilingfeng3@huawei.com
---
 fs/nfs/nfs4state.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index c843917f8e2c..fa3621e19307 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c @@ -1883,6 +1883,7 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov set_bit(ops->owner_flag_bit, &sp->so_flags); nfs4_put_state_owner(sp); status = nfs4_recovery_handle_error(clp, status); + nfs4_free_state_owners(&freeme); return (status != 0) ? status : -EAGAIN; }
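Review bot: the new nfs4_free_state_owners(&freeme) call sits after nfs4_put_state_owner(sp) and after nfs4_recovery_handle_error(), i.e. with cl_lock and the rcu read lock already dropped, which is exactly the constraint c77e22834ae9 introduced, so the placement is right; what the hunk does not show is whether the normal end-of-walk exit and the `goto restart` path drain `freeme` the same way, so a one-line comment above the new call (for example `/* drain owners moved to freeme during this walk */`) would make the "every exit drains freeme" rule visible to the next person adding an exit, and the commit log could state that the leaked owners are the ones nfs4_purge_state_owners() moved to freeme before the recovery call failed.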
From: Yang Erkun yangerkun@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAUJJ4
CVE: NA
--------------------------------
In the reclaim process, there may be a situation where all files are closed and the file system is unmounted, which will result in the release of nfs_server.
This will trigger UAF in nfs4_put_open_state when the count of nfs4_state is decremented to zero, because the freed nfs_server will be accessed when evicting inode.
Maintain the nfs_server throughout the entire reclaim process by adding nfs_sb_active and nfs_sb_deactive to fix it.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Erkun yangerkun@huawei.com
Signed-off-by: Li Lingfeng lilingfeng3@huawei.com
---
 fs/nfs/nfs4state.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index fa3621e19307..2073f56f7e21 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c @@ -1875,6 +1875,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov continue; if (!atomic_inc_not_zero(&sp->so_count)) continue; + if (!(server->super && nfs_sb_active(server->super))) { + spin_unlock(&clp->cl_lock); + rcu_read_unlock(); + nfs4_put_state_owner(sp); + goto restart; + } spin_unlock(&clp->cl_lock); rcu_read_unlock();
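Review bot: the new failure branch runs after atomic_inc_not_zero(&sp->so_count) has already taken the owner reference, which is why it has to unlock, call nfs4_put_state_owner(sp) and then `goto restart`; but restarting the walk while that owner is still on clp->cl_state_owners with a superblock that stays inactive re-finds the same owner and spins until something else removes it. Checking `server->super && nfs_sb_active(server->super)` before the so_count increment would let the branch be a plain `continue` under the locks (no put, no restart), with the existing `if (!atomic_inc_not_zero(&sp->so_count))` case then needing a matching nfs_sb_deactive(server->super) before its `continue`. Either way, a short comment on why an owner whose superblock is being torn down is skipped rather than recovered belongs here.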
@@ -1884,10 +1890,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov nfs4_put_state_owner(sp); status = nfs4_recovery_handle_error(clp, status); nfs4_free_state_owners(&freeme); + nfs_sb_deactive(server->super); return (status != 0) ? status : -EAGAIN; }
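Review bot: nfs_sb_deactive(server->super) has to stay after nfs4_put_state_owner(sp) on this error exit, because the commit message says the server is accessed when the last nfs4_state reference goes away (nfs4_put_open_state evicting the inode), and the hunk keeps that order; since this deactive can now be the one that triggers the final superblock teardown from the state manager, a one-line comment stating that the pin taken before the recovery call is released only after the owner is put would make the invariant explicit for future changes to this exit.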
nfs4_put_state_owner(sp); + nfs_sb_deactive(server->super); goto restart; } spin_unlock(&clp->cl_lock);
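Review bot: this hunk has lost its @@ header as rendered in the mail, so its line range cannot be checked against fa3621e19307; from the context it is the success path (nfs4_put_state_owner(sp) followed by `goto restart`), and with it every exit that follows a successful nfs_sb_active() is paired with an nfs_sb_deactive(). Because this hunk and the error-path hunk both end up with the same two-line sequence `nfs4_put_state_owner(sp); nfs_sb_deactive(server->super);`, folding the pair into a small static helper, or at least commenting that the deactive must follow the put on every exit, would keep a future exit path from missing one of the two calls.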
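The two exit-path bugs this series fixes are easy to reproduce in a constructed model: a local "freeme" list that must be drained on every exit, and a superblock that must be pinned while the walk runs with its locks dropped. The C program below is an added example and not kernel code or part of either patch; every struct and function in it (sb_active, sb_deactive, put_owner, drain_freeme, do_reclaim, run) is a hypothetical analogue of the NFS function it is named after, and the owner/superblock sample setup is constructed. With patched=false the walk leaks the idle owner on a failed recovery and touches the server after an unmount tore it down; with patched=true both counts are zero. It also pins the superblock before taking the owner reference, which is one possible ordering, not the one in the hunks above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not kernel code: constructed model of the two exit-path bugs
 * fixed in this series. All names are hypothetical analogues of the NFS ones. */

#define NOWNERS 4

struct sb { int active; bool freed; int uses_after_free; };
/* active: hold count as kept by nfs_sb_active(), 0 = torn down;
 * uses_after_free: model-only counter, server touched after teardown */
struct owner { struct sb *sb; int refs; bool on_freeme; bool freed; };
/* refs: so_count analogue, 0 = idle; on_freeme: moved off the list by the purge */
struct result { int freeme_leaked; int uses_after_free; };

static bool sb_active(struct sb *s)  /* take a hold only while count != 0 */
{
	if (s->active == 0)
		return false;
	s->active++;
	return true;
}
static void sb_deactive(struct sb *s)
{
	if (--s->active == 0)
		s->freed = true;  /* final teardown */
}
/* nfs4_put_state_owner() analogue: the last drop touches the server */
static void put_owner(struct owner *o)
{
	if (--o->refs == 0) {
		if (o->sb->freed)
			o->sb->uses_after_free++;
		o->freed = true;
	}
}
static void drain_freeme(struct owner *ow, int n)  /* nfs4_free_state_owners() */
{
	for (int i = 0; i < n; i++)
		if (ow[i].on_freeme)
			ow[i].freed = true;
}

/* patched=false reproduces both bugs, patched=true applies both fixes.
 * fail_at: owner whose recovery fails (-1 = none). unmount_mid: the last
 * open file is closed and the fs unmounted while the locks are dropped. */
static struct result do_reclaim(struct owner *ow, int n, struct sb *sb,
				bool patched, int fail_at, bool unmount_mid)
{
	struct result r = {0, 0};
	bool unmounted = false;

	for (int i = 0; i < n; i++)       /* nfs4_purge_state_owners() */
		if (ow[i].refs == 0)
			ow[i].on_freeme = true;
	for (int i = 0; i < n; i++) {
		struct owner *o = &ow[i];

		if (o->on_freeme)
			continue;
		/* pin before taking the owner ref: a failed pin needs no put */
		if (patched && !sb_active(sb))
			continue;
		o->refs++;                    /* atomic_inc_not_zero(&sp->so_count) */
		/* --- cl_lock and the rcu read lock are dropped from here --- */
		if (unmount_mid && !unmounted) {
			unmounted = true;
			o->refs--;                /* last open file closed */
			sb_deactive(sb);          /* umount drops the mount's hold */
		}
		if (i == fail_at) {           /* ops->recover_*() failed */
			put_owner(o);
			if (patched) {
				drain_freeme(ow, n);  /* patch 1: drain on the error exit */
				sb_deactive(sb);      /* patch 2: unpin only after the put */
			}
			goto out;
		}
		put_owner(o);                 /* success path */
		if (patched)
			sb_deactive(sb);
	}
	drain_freeme(ow, n);                  /* the normal exit always drained */
out:
	for (int i = 0; i < n; i++)
		if (ow[i].on_freeme && !ow[i].freed)
			r.freeme_leaked++;
	r.uses_after_free = sb->uses_after_free;
	return r;
}

/* constructed setup: one mount holding the sb, three busy owners, one idle */
static struct result run(bool patched, int fail_at, bool unmount_mid)
{
	struct sb sb = { 1, false, 0 };
	struct owner ow[NOWNERS];

	for (int i = 0; i < NOWNERS; i++)
		ow[i] = (struct owner){ &sb, i == NOWNERS - 1 ? 0 : 1, false, false };
	return do_reclaim(ow, NOWNERS, &sb, patched, fail_at, unmount_mid);
}
/* owners leaked on freeme when the first owner's recovery fails */
static int leak_on_error(bool patched) { return run(patched, 0, false).freeme_leaked; }
/* server touches after teardown when the fs is unmounted mid-walk */
static int uaf_on_unmount(bool patched) { return run(patched, -1, true).uses_after_free; }

int main(void)
{
	printf("leaked owners on error exit: unpatched=%d patched=%d\n",
	       leak_on_error(false), leak_on_error(true));
	printf("server touched after teardown: unpatched=%d patched=%d\n",
	       uaf_on_unmount(false), uaf_on_unmount(true));
	return 0;
}
```

The model deliberately lets the unmount drop the mount's hold while the walk is between its lock drop and its put: with the pin in place the teardown is merely deferred to the walk's own sb_deactive, which is the behaviour the second patch is after.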