linux-stable/fs/nfsd
Zhang Xiaoxu 6f6f84aa21 nfsd: Fix null-ptr-deref in nfsd_fill_super()
KASAN reports a null-ptr-deref as follows:

  BUG: KASAN: null-ptr-deref in nfsd_fill_super+0xc6/0xe0 [nfsd]
  Write of size 8 at addr 000000000000005d by task a.out/852

  CPU: 7 PID: 852 Comm: a.out Not tainted 5.18.0-rc7-dirty #66
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   kasan_report+0xab/0x120
   ? nfsd_mkdir+0x71/0x1c0 [nfsd]
   ? nfsd_fill_super+0xc6/0xe0 [nfsd]
   nfsd_fill_super+0xc6/0xe0 [nfsd]
   ? nfsd_mkdir+0x1c0/0x1c0 [nfsd]
   get_tree_keyed+0x8e/0x100
   vfs_get_tree+0x41/0xf0
   __do_sys_fsconfig+0x590/0x670
   ? fscontext_read+0x180/0x180
   ? anon_inode_getfd+0x4f/0x70
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

This can be reproduced by concurrent operations:
	1. fsopen(nfsd)/fsconfig
	2. insmod/rmmod nfsd

Since the nfsd file system is registered before nfsd_net is allocated,
the caller may get the file_system_type and use the nfsd_net before it
is allocated, and then the null-ptr-deref occurs.

So init_nfsd() should call register_filesystem() last.

Fixes: bd5ae9288d ("nfsd: register pernet ops last, unregister first")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2022-05-23 11:06:29 -04:00
..
acl.h nfsd: eliminate an unnecessary acl size limit 2019-08-28 21:13:45 -04:00
auth.c
auth.h
blocklayout.c block: remove genhd.h 2022-02-02 07:49:59 -07:00
blocklayoutxdr.c
blocklayoutxdr.h
cache.h nfsd4: make drc_slab global, not per-net 2020-06-01 17:44:45 -04:00
current_stateid.h
export.c fs: add is_idmapped_mnt() helper 2021-12-03 18:44:06 +01:00
export.h nfsd: report per-export stats 2021-01-25 09:36:28 -05:00
fault_inject.c nfsd: no need to check return value of debugfs_create functions 2019-07-03 16:57:17 +02:00
filecache.c NFSD: Trace filecache opens 2022-05-23 11:06:29 -04:00
filecache.h NFSD: Instantiate a struct file when creating a regular NFSv4 file 2022-05-23 11:06:29 -04:00
flexfilelayout.c nfsd: use correct format characters 2022-03-17 19:47:38 -04:00
flexfilelayoutxdr.c
flexfilelayoutxdr.h
idmap.h
Kconfig NFSD: Remove CONFIG_NFSD_V3 2022-03-11 10:25:14 -05:00
lockd.c NFSD: simplify struct nfsfh 2021-10-02 15:51:10 -04:00
Makefile NFSD: Remove CONFIG_NFSD_V3 2022-03-11 10:25:14 -05:00
netns.h NFSD: Rename boot verifier functions 2022-01-08 14:42:02 -05:00
nfs2acl.c SUNRPC: Return true/false (not 1/0) from bool functions 2022-03-27 23:25:52 -04:00
nfs3acl.c SUNRPC: Change return value type of .pc_encode 2021-10-13 11:34:49 -04:00
nfs3proc.c NFSD: Refactor NFSv3 CREATE 2022-05-20 13:18:24 -04:00
nfs3xdr.c NFSD: Deprecate NFS_OFFSET_MAX 2022-02-09 09:24:40 -05:00
nfs4acl.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
nfs4callback.c NFSD: simplify struct nfsfh 2021-10-02 15:51:10 -04:00
nfs4idmap.c nfsd: Use seq_putc() in two functions 2020-07-13 17:28:46 -04:00
nfs4layouts.c nfsd: fix using the correct variable for sizeof() 2022-03-20 12:49:38 -04:00
nfs4proc.c SUNRPC: Use RMW bitops in single-threaded hot paths 2022-05-23 11:06:29 -04:00
nfs4recover.c nfsd: Fix nsfd startup race (again) 2021-12-10 11:54:59 -05:00
nfs4state.c NFSD: Move documenting comment for nfsd4_process_open2() 2022-05-23 11:06:29 -04:00
nfs4xdr.c SUNRPC: Use RMW bitops in single-threaded hot paths 2022-05-23 11:06:29 -04:00
nfscache.c NFSD: Streamline the rare "found" case 2022-02-28 10:26:38 -05:00
nfsctl.c nfsd: Fix null-ptr-deref in nfsd_fill_super() 2022-05-23 11:06:29 -04:00
nfsd.h NFSD: move create/destroy of laundry_wq to init_nfsd and exit_nfsd 2022-05-19 12:25:39 -04:00
nfsfh.c NFSD: Remove CONFIG_NFSD_V3 2022-03-11 10:25:14 -05:00
nfsfh.h NFSD: Remove CONFIG_NFSD_V3 2022-03-11 10:25:14 -05:00
nfsproc.c NFSD: prevent underflow in nfssvc_decode_writeargs() 2022-03-15 09:35:56 -04:00
nfssvc.c NFSD: Remove CONFIG_NFSD_V3 2022-03-11 10:25:14 -05:00
nfsxdr.c SUNRPC: Change return value type of .pc_encode 2021-10-13 11:34:49 -04:00
pnfs.h
state.h NFSD: add courteous server support for thread with only delegation 2022-05-19 12:25:39 -04:00
stats.c nfsd: make nfsd_stats.th_cnt atomic_t 2021-12-13 13:42:51 -05:00
stats.h nfsd: make nfsd_stats.th_cnt atomic_t 2021-12-13 13:42:51 -05:00
trace.c NFSD: Add SPDX header for fs/nfsd/trace.c 2020-11-30 13:00:24 -05:00
trace.h NFSD: Clean up the show_nf_flags() macro 2022-05-23 11:06:29 -04:00
vfs.c NFSD: Clean up nfsd_open_verified() 2022-05-20 13:18:25 -04:00
vfs.h NFSD: Clean up nfsd_open_verified() 2022-05-20 13:18:25 -04:00
xdr.h NFSD: prevent underflow in nfssvc_decode_writeargs() 2022-03-15 09:35:56 -04:00
xdr3.h SUNRPC: Change return value type of .pc_encode 2021-10-13 11:34:49 -04:00
xdr4.h NFSD: Instantiate a struct file when creating a regular NFSv4 file 2022-05-23 11:06:29 -04:00
xdr4cb.h NFSD CB_OFFLOAD xdr 2018-09-25 20:34:54 -04:00