Message ID | d169e942-03e4-0a4b-8c45-56f4c26cd45c@virtuozzo.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v2] nfsd: memory corruption in nfsd4_lock() |
On Fri, 2020-03-27 at 07:50 +0300, Vasily Averin wrote: > Dear Chuck, > please use following patch instead. > ----- > New struct nfsd4_blocked_lock allocated in find_or_allocate_block() > does not initialized nbl_list and nbl_lru. > If conflock allocation fails rollback can call list_del_init() > access uninitialized fields and corrupt memory. > > v2: just initialize nbl_list and nbl_lru right after nbl allocation. > > Fixes: 76d348fadff5 ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock") > Signed-off-by: Vasily Averin <vvs@virtuozzo.com> > --- > fs/nfsd/nfs4state.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c > index 369e574c5092..1b2eb6b35d64 100644 > --- a/fs/nfsd/nfs4state.c > +++ b/fs/nfsd/nfs4state.c > @@ -266,6 +266,8 @@ find_or_allocate_block(struct nfs4_lockowner *lo, struct knfsd_fh *fh, > if (!nbl) { > nbl= kmalloc(sizeof(*nbl), GFP_KERNEL); > if (nbl) { > + INIT_LIST_HEAD(&nbl->nbl_list); > + INIT_LIST_HEAD(&nbl->nbl_lru); > fh_copy_shallow(&nbl->nbl_fh, fh); > locks_init_lock(&nbl->nbl_lock); > nfsd4_init_cb(&nbl->nbl_cb, lo->lo_owner.so_client, Reviewed-by: Jeff Layton <jlayton@kernel.org>
> On Mar 30, 2020, at 6:22 AM, Jeff Layton <jlayton@kernel.org> wrote: > > On Fri, 2020-03-27 at 07:50 +0300, Vasily Averin wrote: >> Dear Chuck, >> please use following patch instead. Somehow this did not make it to my inbox on Friday, but Jeff's Reviewed-by did show up today. I'll apply this one, thanks! >> ----- >> New struct nfsd4_blocked_lock allocated in find_or_allocate_block() >> does not initialized nbl_list and nbl_lru. >> If conflock allocation fails rollback can call list_del_init() >> access uninitialized fields and corrupt memory. >> >> v2: just initialize nbl_list and nbl_lru right after nbl allocation. >> >> Fixes: 76d348fadff5 ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock") >> Signed-off-by: Vasily Averin <vvs@virtuozzo.com> >> --- >> fs/nfsd/nfs4state.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c >> index 369e574c5092..1b2eb6b35d64 100644 >> --- a/fs/nfsd/nfs4state.c >> +++ b/fs/nfsd/nfs4state.c >> @@ -266,6 +266,8 @@ find_or_allocate_block(struct nfs4_lockowner *lo, struct knfsd_fh *fh, >> if (!nbl) { >> nbl= kmalloc(sizeof(*nbl), GFP_KERNEL); >> if (nbl) { >> + INIT_LIST_HEAD(&nbl->nbl_list); >> + INIT_LIST_HEAD(&nbl->nbl_lru); >> fh_copy_shallow(&nbl->nbl_fh, fh); >> locks_init_lock(&nbl->nbl_lock); >> nfsd4_init_cb(&nbl->nbl_cb, lo->lo_owner.so_client, > > Reviewed-by: Jeff Layton <jlayton@kernel.org> -- Chuck Lever
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 369e574c5092..1b2eb6b35d64 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -266,6 +266,8 @@ find_or_allocate_block(struct nfs4_lockowner *lo, struct knfsd_fh *fh, if (!nbl) { nbl= kmalloc(sizeof(*nbl), GFP_KERNEL); if (nbl) { + INIT_LIST_HEAD(&nbl->nbl_list); + INIT_LIST_HEAD(&nbl->nbl_lru); fh_copy_shallow(&nbl->nbl_fh, fh); locks_init_lock(&nbl->nbl_lock); nfsd4_init_cb(&nbl->nbl_cb, lo->lo_owner.so_client,
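Review bot: the two INIT_LIST_HEAD() calls placed right after the kmalloc() and before fh_copy_shallow() are the right fix, but the commit message should say why initialising the heads alone is sufficient: list_del_init() rewrites entry->prev->next and entry->next->prev, which is a no-op when both links point back at the entry itself, so the conflock-failure rollback becomes harmless for an nbl that was never queued on nbl_list or nbl_lru. That is worth spelling out because the obvious alternative, changing kmalloc() to kzalloc(), would not work here: a zeroed list_head carries NULL prev/next and list_del_init() would oops on it instead of corrupting memory. Also, since the patch carries a Fixes: tag for a memory-corruption bug on an nfsd4_lock() failure path, consider adding Cc: stable@vger.kernel.org so it is picked up for every stable tree that contains 76d348fadff5.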
Dear Chuck,
please use the following patch instead.
-----
New struct nfsd4_blocked_lock allocated in find_or_allocate_block()
does not initialize nbl_list and nbl_lru.
If conflock allocation fails, rollback can call list_del_init(),
access uninitialized fields and corrupt memory.

v2: just initialize nbl_list and nbl_lru right after nbl allocation.

Fixes: 76d348fadff5 ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
---
 fs/nfsd/nfs4state.c | 2 ++
 1 file changed, 2 insertions(+)
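The commit message states that a rollback list_del_init() on the never-initialised nbl_list/nbl_lru corrupts memory and that initialising both heads right after allocation is enough. The userspace C program below is an added illustration of that reasoning, not code from the kernel, from nfsd or from the patch: it re-implements the list_head primitives in a few lines, uses a stand-in struct blocked_lock with only the two fields the patch touches, and builds a constructed heap-reuse scenario (the lo_blocked list and nodes b and c are assumptions of the example, as is reporting a NULL link with -1 where the kernel would simply oops). It shows the three outcomes side by side: stale kmalloc() contents let the rollback unlink a live entry from an unrelated list, INIT_LIST_HEAD() turns the same rollback into a harmless no-op, and a zeroed allocation would hit a NULL pointer instead, which is why kzalloc() is not a substitute for the fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace model of the list_head primitives involved in the fix. Added
 * illustration, not the kernel's list.h and not nfsd code. The semantics
 * (self-linked empty head, unlink by rewriting both neighbours) follow the
 * kernel API; reporting NULL links instead of oopsing is an assumption here.
 */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

/* Insert n right after head (kernel list_add()). */
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* Unlink e. The kernel's list_del() then poisons e->next/e->prev; that is
 * deliberately skipped so the stale links keep pointing at live memory, as
 * the contents of a recycled kmalloc() chunk can. */
static void list_del(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
}

/* Kernel list_del_init(): unlink, then reinitialise e as an empty head.
 * NULL links (what a zeroed allocation carries) are reported as -1 here;
 * the kernel would dereference them and oops. */
static int list_del_init(struct list_head *e)
{
    if (e->prev == NULL || e->next == NULL)
        return -1;
    list_del(e);
    INIT_LIST_HEAD(e);
    return 0;
}

static int list_len(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        n++;
    return n;
}

/* Stand-in for struct nfsd4_blocked_lock with only the two fields the patch
 * initialises; the scenario exercises nbl_list, nbl_lru behaves the same. */
struct blocked_lock {
    struct list_head nbl_list;
    struct list_head nbl_lru;
};

enum alloc_mode { UNPATCHED, PATCHED, ZEROED };

/*
 * Constructed scenario. `chunk` plays a kmalloc() chunk whose previous owner
 * was a blocked lock queued on `lo_blocked`, later unlinked and freed. Node b
 * stays on the list and c is added afterwards, so the chunk's stale links
 * (prev = lo_blocked, next = b) no longer describe the list. The chunk is then
 * handed out again as a fresh nbl and, as in the conflock-allocation failure
 * path, the rollback calls list_del_init() on it.
 *
 * Returns the number of entries still reachable from lo_blocked (2 is the
 * correct answer), or -1 if list_del_init() would have dereferenced NULL.
 */
static int rollback_scenario(enum alloc_mode mode)
{
    struct list_head lo_blocked, b, c;
    struct blocked_lock chunk;

    INIT_LIST_HEAD(&lo_blocked);
    list_add(&b, &lo_blocked);                 /* lo_blocked -> b */
    INIT_LIST_HEAD(&chunk.nbl_list);
    list_add(&chunk.nbl_list, &lo_blocked);    /* lo_blocked -> chunk -> b */
    list_del(&chunk.nbl_list);                 /* previous owner freed */
    list_add(&c, &lo_blocked);                 /* lo_blocked -> c -> b */

    /* The chunk is recycled for a new nbl. */
    switch (mode) {
    case UNPATCHED:                            /* kmalloc(): stale bytes kept */
        break;
    case PATCHED:                              /* the fix */
        INIT_LIST_HEAD(&chunk.nbl_list);
        break;
    case ZEROED:                               /* what kzalloc() would give */
        memset(&chunk.nbl_list, 0, sizeof(chunk.nbl_list));
        break;
    }

    /* conflock allocation fails: rollback calls list_del_init() */
    if (list_del_init(&chunk.nbl_list) < 0)
        return -1;
    return list_len(&lo_blocked);
}

int main(void)
{
    printf("unpatched: %d reachable (c was silently dropped)\n", rollback_scenario(UNPATCHED));
    printf("patched:   %d reachable\n", rollback_scenario(PATCHED));
    printf("zeroed:    %d (NULL dereference in the kernel)\n", rollback_scenario(ZEROED));
    return 0;
}
```

Build with `cc -std=c99 -Wall rollback.c` and run it; the unpatched case reports one reachable entry because the stale prev/next of the recycled chunk rewrote lo_blocked->next and b->prev, dropping c from a list the rollback never meant to touch.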