From patchwork Sat Sep 1 06:07:21 2018
X-Patchwork-Submitter: Frank Sorenson
X-Patchwork-Id: 10584621
To: linux-nfs@vger.kernel.org
From: Frank Sorenson
Subject: [nfs-utils PATCH] statd: fix use-after-free in monitor list if insertion fails
Date: Sat, 1 Sep 2018 01:07:21 -0500
X-Mailing-List: linux-nfs@vger.kernel.org

If nsm_insert_monitored_host() fails while saving the record to stable
storage, we can't just assume the entry was new. Existing records must be
removed from the list before being freed.

Signed-off-by: Frank Sorenson
Reviewed-by: Chuck Lever

diff --git a/utils/statd/monitor.c b/utils/statd/monitor.c index 45c4346..9400048 100644 --- a/utils/statd/monitor.c +++ b/utils/statd/monitor.c @@ -197,7 +197,7 @@ sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp) if (!nsm_insert_monitored_host(dnsname, (struct sockaddr *)(char *)&my_addr, argp)) { - nlist_free(NULL, clnt); + nlist_free(existing ? &rtnl : NULL, clnt); goto failure; }
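
Review bot: The new first argument at the `nlist_free(existing ? &rtnl : NULL, clnt);` call depends on an invariant the hunk does not state: that a non-NULL `existing` means `clnt` is already linked into `rtnl`, and a NULL one means it never was. A one-line comment above the call saying so would keep a later change to how `existing` or `clnt` is assigned from reintroducing the dangling list entry. The commit message could also say why an already-monitored record is unlinked and freed when the stable-storage write fails, rather than being left on the list untouched, since that is a behaviour choice and not only a memory-safety fix.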