| Message ID | 20221105134926.23726-1-jlayton@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint | expand |
> On Nov 5, 2022, at 9:49 AM, Jeff Layton <jlayton@kernel.org> wrote: > > When we fail to insert into the hashtable with a non-retryable error, > we'll free the object and then goto out_status. If the tracepoint is > enabled, it'll end up accessing the freed object when it tries to > grab the fields out of it. > > Set nf to NULL after freeing it to avoid the issue. > > Fixes: 243a5263014a ("nfsd: rework hashtable handling in nfsd_do_file_acquire") > Reported-by: kernel test robot <lkp@intel.com> > Reported-by: Dan Carpenter <error27@gmail.com> > Signed-off-by: Jeff Layton <jlayton@kernel.org> > --- > fs/nfsd/filecache.c | 1 + > 1 file changed, 1 insertion(+) I've applied this to nfsd's for-rc. Thank you! > diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c > index 687ab814b678..02c1454dfe50 100644 > --- a/fs/nfsd/filecache.c > +++ b/fs/nfsd/filecache.c > @@ -1124,6 +1124,7 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp, > goto open_file; > > nfsd_file_slab_free(&nf->nf_rcu); > + nf = NULL; > if (ret == -EEXIST) > goto retry; > trace_nfsd_file_insert_err(rqstp, key.inode, may_flags, ret); > -- > 2.38.1 > -- Chuck Lever
diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c index 687ab814b678..02c1454dfe50 100644 --- a/fs/nfsd/filecache.c +++ b/fs/nfsd/filecache.c @@ -1124,6 +1124,7 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp, goto open_file; nfsd_file_slab_free(&nf->nf_rcu); + nf = NULL; if (ret == -EEXIST) goto retry; trace_nfsd_file_insert_err(rqstp, key.inode, may_flags, ret);
When we fail to insert into the hashtable with a non-retryable error, we'll free the object and then goto out_status. If the tracepoint is enabled, it'll end up accessing the freed object when it tries to grab the fields out of it. Set nf to NULL after freeing it to avoid the issue. Fixes: 243a5263014a ("nfsd: rework hashtable handling in nfsd_do_file_acquire") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> --- fs/nfsd/filecache.c | 1 + 1 file changed, 1 insertion(+)