linux-stable/fs
Dan Aloni e2f9f03e45 nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
[ Upstream commit 3bc8edc98b ]

In an error situation `clp->cl_cb_conn.cb_xprt` should not be given
a reference to the xprt; otherwise both the client cleanup and the
error handling path of the caller call put on it. Better to
delay handing over the reference to a later branch.

[   72.530665] refcount_t: underflow; use-after-free.
[   72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120
[   72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]
[   72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G           OE     5.15.82-dan #1
[   72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014
[   72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]
[   72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120
[   72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48
[   72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286
[   72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000
[   72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0
[   72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff
[   72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180
[   72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0
[   72.552089] FS:  0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000
[   72.553175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0
[   72.554874] Call Trace:
[   72.555278]  <TASK>
[   72.555614]  svc_xprt_put+0xaf/0xe0 [sunrpc]
[   72.556276]  nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]
[   72.557087]  ? update_load_avg+0x82/0x610
[   72.557652]  ? cpuacct_charge+0x60/0x70
[   72.558212]  ? dequeue_entity+0xdb/0x3e0
[   72.558765]  ? queued_spin_unlock+0x9/0x20
[   72.559358]  nfsd4_run_cb_work+0xfc/0x270 [nfsd]
[   72.560031]  process_one_work+0x1df/0x390
[   72.560600]  worker_thread+0x37/0x3b0
[   72.561644]  ? process_one_work+0x390/0x390
[   72.562247]  kthread+0x12f/0x150
[   72.562710]  ? set_kthread_struct+0x50/0x50
[   72.563309]  ret_from_fork+0x22/0x30
[   72.563818]  </TASK>
[   72.564189] ---[ end trace 031117b1c72ec616 ]---
[   72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).
[   72.567647] ------------[ cut here ]------------

Fixes: a4abc6b12e ("nfsd: Fix svc_xprt refcnt leak when setup callback client failed")
Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Cc: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Dan Aloni <dan.aloni@vastdata.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-31 13:26:37 +01:00
9p 9p: Fix some kernel-doc comments 2022-07-02 18:52:21 +09:00
adfs
affs affs: use memcpy_to_page and remove replace kmap_atomic() 2022-08-01 19:53:31 +02:00
afs afs: Fix server->active leak in afs_put_server 2022-12-08 11:30:18 +01:00
autofs autofs: remove unused ino field inode 2022-07-17 17:31:42 -07:00
befs befs: Convert befs_symlink_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
bfs
btrfs btrfs: send: avoid unaligned encoded writes when attempting to clone range 2022-12-14 11:40:48 +01:00
cachefiles cachefiles: make on-demand request distribution fairer 2022-08-31 16:41:10 +01:00
ceph ceph: fix NULL pointer dereference for req->r_session 2022-12-02 17:42:59 +01:00
cifs cifs: fix oops during encryption 2022-12-31 13:25:35 +01:00
coda coda: Convert coda_symlink_filler() to use a folio 2022-08-02 12:34:03 -04:00
configfs configfs: fix possible memory leak in configfs_create_dir() 2022-12-31 13:26:08 +01:00
cramfs cramfs: read_mapping_page() is synchronous 2022-08-02 12:34:02 -04:00
crypto fscrypt: fix keyring memory leak on mount failure 2022-11-10 18:17:30 +01:00
debugfs debugfs: fix error when writing negative value to atomic_t debugfs file 2022-12-31 13:25:45 +01:00
devpts
dlm fs: dlm: fix race in lowcomms 2022-10-21 12:39:02 +02:00
ecryptfs
efivarfs efi: efivars: Fix variable writes without query_variable_store() 2022-10-26 12:22:57 +02:00
efs
erofs erofs: validate the extent length for uncompressed pclusters 2022-12-31 13:25:46 +01:00
exfat exfat: fix overflow for large capacity partition 2022-09-04 09:38:40 +09:00
exportfs
ext2 ext2: Use kvmalloc() for group descriptor array 2022-10-21 12:39:25 +02:00
ext4 ext4: fix use-after-free in ext4_ext_shift_extents 2022-12-02 17:43:10 +01:00
f2fs f2fs: fix iostat parameter for discard 2022-12-31 13:26:23 +01:00
fat Updates to various subsystems which I help look after. lib, ocfs2, 2022-08-07 10:03:24 -07:00
freevxfs freevxfs: Convert vxfs_immed_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
fscache fscache: Fix oops due to race with cookie_lru and use_cookie 2022-12-14 11:40:51 +01:00
fuse fuse: lock inode unconditionally in fuse_fallocate() 2022-12-02 17:43:16 +01:00
gfs2 gfs2: Switch from strlcpy to strscpy 2022-11-26 09:27:55 +01:00
hfs hfs: Fix OOB Write in hfs_asc2mac 2022-12-31 13:25:47 +01:00
hfsplus Folio changes for 6.0 2022-08-03 10:35:43 -07:00
hostfs hostfs: Handle page write errors correctly 2022-08-02 12:34:02 -04:00
hpfs
hugetlbfs hugetlbfs: don't delete error page from pagecache 2022-11-26 09:27:22 +01:00
iomap iomap: iomap: fix memory corruption when recording errors during writeback 2022-10-21 12:38:36 +02:00
isofs fs/buffer: Combine two submit_bh() and ll_rw_block() arguments 2022-07-14 12:14:32 -06:00
jbd2 jbd2: add miss release buffer head in fc_do_one_pass() 2022-10-21 12:37:49 +02:00
jffs2 This pull request contains fixes for JFFS2, UBI and UBIFS 2022-06-03 14:42:24 -07:00
jfs Folio changes for 6.0 2022-08-03 10:35:43 -07:00
kernfs kernfs: fix use-after-free in __kernfs_remove 2022-11-04 00:00:24 +09:00
ksmbd ksmbd: Fix resource leak in ksmbd_session_rpc_open() 2022-12-31 13:26:28 +01:00
lockd lockd: set other missing fields when unlocking files 2022-12-31 13:25:47 +01:00
minix
netfs netfs: Fix dodgy maths 2022-11-26 09:27:38 +01:00
nfs NFSv4.x: Fail client initialisation if state manager thread can't run 2022-12-31 13:26:09 +01:00
nfs_common
nfsd nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure 2022-12-31 13:26:37 +01:00
nilfs2 nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() 2022-12-08 11:30:19 +01:00
nls
notify fsnotify: Fix comment typo 2022-07-26 13:38:47 +02:00
ntfs ntfs: check overflow when iterating ATTR_RECORDs 2022-11-26 09:27:56 +01:00
ntfs3 fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs 2022-12-31 13:26:32 +01:00
ocfs2 ocfs2: fix memory leak in ocfs2_mount_volume() 2022-12-31 13:25:45 +01:00
omfs
openpromfs
orangefs orangefs: Fix sysfs not cleanup when dev init failed 2022-12-31 13:26:22 +01:00
overlayfs ovl: remove privs in ovl_fallocate() 2022-12-31 13:25:41 +01:00
proc mm: /proc/pid/smaps_rollup: fix no vma's null-deref 2022-10-29 10:08:36 +02:00
pstore pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP 2022-12-31 13:25:40 +01:00
qnx4
qnx6
quota quota: Check next/prev free block number after reading from quota file 2022-10-21 12:37:37 +02:00
ramfs
reiserfs Folio changes for 6.0 2022-08-03 10:35:43 -07:00
romfs
smbfs_common Add various fsctl structs 2022-05-23 20:24:12 -05:00
squashfs squashfs: fix buffer release race condition in readahead code 2022-11-04 00:00:19 +09:00
sysfs
sysv fs: sysv: Fix sysv_nblocks() returns wrong value 2022-12-31 13:25:47 +01:00
tracefs tracefs: Only clobber mode/uid/gid on remount if asked 2022-09-08 17:10:54 -04:00
ubifs - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
udf udf: Fix extending file within last block 2022-12-21 17:41:13 +01:00
ufs Folio changes for 6.0 2022-08-03 10:35:43 -07:00
unicode
vboxsf
verity fs-verity: mention btrfs support 2022-07-15 23:42:30 -07:00
xfs fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE 2022-10-21 12:37:47 +02:00
zonefs zonefs: fix zone report size in __zonefs_io_error() 2022-12-02 17:43:15 +01:00
aio.c iov_iter work, part 1 - isolated cleanups and optimizations. 2022-08-03 13:50:22 -07:00
anon_inodes.c
attr.c vfs: Check the truncate maximum size in inode_newsize_ok() 2022-08-08 10:39:29 -07:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c fs/binfmt_elf: Fix memory leak in load_elf_binary() 2022-11-04 00:00:20 +09:00
binfmt_elf_fdpic.c
binfmt_elf_test.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
buffer.c mm: fs: initialize fsdata passed to write_begin/write_end interface 2022-11-26 09:27:56 +01:00
char_dev.c chardev: fix error handling in cdev_device_add() 2022-12-31 13:26:27 +01:00
compat_binfmt_elf.c
coredump.c fix coredump breakage 2022-10-12 09:39:04 +02:00
d_path.c
dax.c Merge branch 'for-6.0/dax' into libnvdimm-fixes 2022-09-24 18:14:12 -07:00
dcache.c dcache: move the DCACHE_OP_COMPARE case out of the __d_lookup_rcu loop 2022-08-17 14:33:03 -07:00
direct-io.c iov_iter: advancing variants of iov_iter_get_pages{,_alloc}() 2022-08-08 22:37:22 -04:00
drop_caches.c
eventfd.c eventfd: guard wake_up in eventfd fs calls as well 2022-10-21 12:38:47 +02:00
eventpoll.c epoll: autoremove wakers even more aggressively 2022-07-17 17:31:40 -07:00
exec.c exec: Copy oldsighand->action under spin-lock 2022-11-04 00:00:21 +09:00
fcntl.c keep iocb_flags() result cached in struct file 2022-06-10 16:10:23 -04:00
fhandle.c
file.c fs: use acquire ordering in __fget_light() 2022-12-14 11:40:46 +01:00
file_table.c locks: fix TOCTOU race when granting write lease 2022-10-21 12:38:31 +02:00
filesystems.c
fs-writeback.c fs: do not update freeing inode i_io_list 2022-12-02 17:43:07 +01:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c
inode.c fs: fix UAF/GPF bug in nilfs_mdt_destroy 2022-10-12 09:39:03 +02:00
internal.h locks: fix TOCTOU race when granting write lease 2022-10-21 12:38:31 +02:00
ioctl.c
Kconfig mm: hugetlb_vmemmap: introduce the name HVO 2022-08-08 18:06:42 -07:00
Kconfig.binfmt m68knommu: changes for linux 5.19 2022-05-30 10:56:18 -07:00
kernel_read_file.c fs/kernel_read_file: allow to read files up-to ssize_t 2022-06-16 19:58:21 -07:00
libfs.c libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value 2022-12-31 13:25:45 +01:00
locks.c locks: Fix dropped call to ->fl_release_private() 2022-08-17 15:08:58 -04:00
Makefile io_uring: move to separate directory 2022-07-24 18:39:10 -06:00
mbcache.c mbcache: Avoid nesting of cache->c_list_lock under bit locks 2022-10-21 12:37:37 +02:00
mount.h switch try_to_unlazy_next() to __legitimize_mnt() 2022-07-05 16:18:21 -04:00
mpage.c Folio changes for 6.0 2022-08-03 10:35:43 -07:00
namei.c mm: fs: initialize fsdata passed to write_begin/write_end interface 2022-11-26 09:27:56 +01:00
namespace.c fs: require CAP_SYS_ADMIN in target namespace for idmapped mounts 2022-08-17 11:27:11 +02:00
no-block.c
nsfs.c
open.c locks: fix TOCTOU race when granting write lease 2022-10-21 12:38:31 +02:00
pipe.c Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
pnode.c
pnode.h
posix_acl.c acl: return EOPNOTSUPP in posix_acl_fix_xattr_common() 2022-10-21 12:37:59 +02:00
proc_namespace.c vfs: escape hash as well 2022-06-28 13:58:05 -04:00
read_write.c vfs: fix copy_file_range() averts filesystem freeze protection 2022-12-08 11:30:16 +01:00
readdir.c
remap_range.c - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
select.c
seq_file.c
signalfd.c
splice.c iter_to_pipe(): switch to advancing variant of iov_iter_get_pages() 2022-08-08 22:37:23 -04:00
stack.c
stat.c RISC-V Patches for the 5.19 Merge Window, Part 1 2022-05-31 14:10:54 -07:00
statfs.c
super.c fscrypt: fix keyring memory leak on mount failure 2022-11-10 18:17:30 +01:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c userfaultfd: open userfaultfds with O_RDONLY 2022-10-21 12:37:58 +02:00
utimes.c
xattr.c fs: don't audit the capability check in simple_xattr_list() 2022-12-31 13:25:42 +01:00