mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-21 18:11:39 +00:00
6f6f84aa21
KASAN report null-ptr-deref as follows:
BUG: KASAN: null-ptr-deref in nfsd_fill_super+0xc6/0xe0 [nfsd]
Write of size 8 at addr 000000000000005d by task a.out/852
CPU: 7 PID: 852 Comm: a.out Not tainted 5.18.0-rc7-dirty #66
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
kasan_report+0xab/0x120
? nfsd_mkdir+0x71/0x1c0 [nfsd]
? nfsd_fill_super+0xc6/0xe0 [nfsd]
nfsd_fill_super+0xc6/0xe0 [nfsd]
? nfsd_mkdir+0x1c0/0x1c0 [nfsd]
get_tree_keyed+0x8e/0x100
vfs_get_tree+0x41/0xf0
__do_sys_fsconfig+0x590/0x670
? fscontext_read+0x180/0x180
? anon_inode_getfd+0x4f/0x70
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
This can be reproduce by concurrent operations:
1. fsopen(nfsd)/fsconfig
2. insmod/rmmod nfsd
Since the nfsd file system is registered before than nfsd_net allocated,
the caller may get the file_system_type and use the nfsd_net before it
allocated, then null-ptr-deref occurred.
So init_nfsd() should call register_filesystem() last.
Fixes:
|
||
---|---|---|
.. | ||
acl.h | ||
auth.c | ||
auth.h | ||
blocklayout.c | ||
blocklayoutxdr.c | ||
blocklayoutxdr.h | ||
cache.h | ||
current_stateid.h | ||
export.c | ||
export.h | ||
fault_inject.c | ||
filecache.c | ||
filecache.h | ||
flexfilelayout.c | ||
flexfilelayoutxdr.c | ||
flexfilelayoutxdr.h | ||
idmap.h | ||
Kconfig | ||
lockd.c | ||
Makefile | ||
netns.h | ||
nfs2acl.c | ||
nfs3acl.c | ||
nfs3proc.c | ||
nfs3xdr.c | ||
nfs4acl.c | ||
nfs4callback.c | ||
nfs4idmap.c | ||
nfs4layouts.c | ||
nfs4proc.c | ||
nfs4recover.c | ||
nfs4state.c | ||
nfs4xdr.c | ||
nfscache.c | ||
nfsctl.c | ||
nfsd.h | ||
nfsfh.c | ||
nfsfh.h | ||
nfsproc.c | ||
nfssvc.c | ||
nfsxdr.c | ||
pnfs.h | ||
state.h | ||
stats.c | ||
stats.h | ||
trace.c | ||
trace.h | ||
vfs.c | ||
vfs.h | ||
xdr.h | ||
xdr3.h | ||
xdr4.h | ||
xdr4cb.h |