[PATCH openEuler-1.0-LTS 0/2] CVE-2024-53217

List overview All Threads
Download

newer

older

[PATCH OLK-6.6 0/2] CVE-2024-53217

[PATCH openEuler-1.0-LTS] nfs:...

Li Lingfeng

30 Dec 2024 30 Dec '24

2:29 p.m.

Chuck Lever (1): NFSD: Prevent NULL dereference in nfsd4_process_cb_update()

NeilBrown (1): nfsd: restore callback functionality for NFSv4.0

fs/nfsd/nfs4callback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

-- 2.31.1

Show replies by date

patchwork bot

30 Dec 30 Dec

2:20 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/14361 邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Y...

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/14361 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Y...

Li Lingfeng

2:29 p.m.

New subject: [PATCH openEuler-1.0-LTS 1/2] NFSD: Prevent NULL dereference in nfsd4_process_cb_update()

From: Chuck Lever chuck.lever@oracle.com

stable inclusion from stable-v4.19.325 commit d9a0d1f6e15859ea7a86a327f28491e23deaaa62 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAET CVE: CVE-2024-53217

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 1e02c641c3a43c88cecc08402000418e15578d38 ]

@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no available backchannel session, setup_callback_client() will try to dereference @ses and segfault.

Fixes: dcbeaa68dbbd ("nfsd4: allow backchannel recovery") Reviewed-by: Jeff Layton jlayton@kernel.org Signed-off-by: Chuck Lever chuck.lever@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Li Lingfeng lilingfeng3@huawei.com --- fs/nfsd/nfs4callback.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index b601e5915e6f..7ee25be394dc 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -1145,6 +1145,8 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb) ses = c->cn_session; } spin_unlock(&clp->cl_lock); + if (!c) + return;

err = setup_callback_client(clp, &conn, ses); if (err) {

-- 2.31.1

Li Lingfeng

2:29 p.m.

New subject: [PATCH openEuler-1.0-LTS 2/2] nfsd: restore callback functionality for NFSv4.0

From: NeilBrown neilb@suse.de

mainline inclusion from mainline-v6.13-rc5 commit 7917f01a286ce01e9c085e24468421f596ee1a0c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAET CVE: CVE-2024-53217

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

A recent patch inadvertently broke callbacks for NFSv4.0.

In the 4.0 case we do not expect a session to be found but still need to call setup_callback_client() which will not try to dereference it.

This patch moves the check for failure to find a session into the 4.1+ branch of setup_callback_client()

Fixes: 1e02c641c3a4 ("NFSD: Prevent NULL dereference in nfsd4_process_cb_update()") Signed-off-by: NeilBrown neilb@suse.de Reviewed-by: Jeff Layton jlayton@kernel.org Signed-off-by: Chuck Lever chuck.lever@oracle.com

Conflicts: fs/nfsd/nfs4callback.c [Commit 3bc8edc98bd4 ("nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure") move the set of cb_xprt.] Signed-off-by: Li Lingfeng lilingfeng3@huawei.com --- fs/nfsd/nfs4callback.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index 7ee25be394dc..838502aa5160 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -798,7 +798,7 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c args.authflavor = clp->cl_cred.cr_flavor; clp->cl_cb_ident = conn->cb_ident; } else { - if (!conn->cb_xprt) + if (!conn->cb_xprt || !ses) return -EINVAL; clp->cl_cb_conn.cb_xprt = conn->cb_xprt; clp->cl_cb_session = ses; @@ -1145,8 +1145,6 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb) ses = c->cn_session; } spin_unlock(&clp->cl_lock); - if (!c) - return;

err = setup_callback_client(clp, &conn, ses); if (err) {

-- 2.31.1

Age (days ago)

Last active (days ago)

kernel@openeuler.org

3 comments

2 participants

tags (0)

participants (2)

Li Lingfeng
patchwork bot