linux-stable/fs
Dai Ngo 6ea71246b7 NFSD: fix use-after-free on source server when doing inter-server copy
[ Upstream commit 019805fea9 ]

A use-after-free occurred when the laundromat tried to free an expired
cpntf_state entry on the s2s_cp_stateids list after inter-server
copy completed. The sc_cp_list that the expired copy state was
inserted on was already freed.

When COPY completes, the Linux client normally sends LOCKU(lock_state x),
FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.
The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state
from the s2s_cp_stateids list before freeing the lock state's stid.

However, sometimes the CLOSE was sent before the FREE_STATEID request.
When this happens, the nfsd4_close_open_stateid call from nfsd4_close
frees all lock states on its st_locks list without cleaning up the copy
state on the sc_cp_list list. By the time the FREE_STATEID arrives, the
server returns BAD_STATEID since the lock state was freed. This causes
the use-after-free error to occur when the laundromat tries to free
the expired cpntf_state.

This patch adds a call to nfs4_free_cpntf_statelist in
nfsd4_close_open_stateid to clean up the copy state before calling
free_ol_stateid_reaplist to free the lock state's stid on the reaplist.

Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-10-24 09:58:10 +02:00
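The ordering bug the commit message describes, as an added illustration that is not kernel code: it borrows the kernel's list_head idiom and the NFSD field names (st_locks, sc_cp_list, s2s_cp_stateids, cp_p_stid) but models the two teardown paths in plain C. A `freed` flag stands in for kfree() so the dangling back-pointer can be detected deterministically instead of relying on undefined behaviour; `run_close_before_free_stateid` and the `with_fix` switch are names made up for this example.

```c
/* Added model of the NFSD copy-state teardown bug; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;            /* poison, like the kernel's list_del */
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct lock_stateid {
    struct list_head st_locks;    /* on the owning open stateid's st_locks */
    struct list_head sc_cp_list;  /* copy states that reference this stid */
    bool freed;                   /* model only: stands in for kfree() */
};

struct cpntf_state {
    struct list_head cp_list;       /* on lock_stateid::sc_cp_list */
    struct list_head cp_stateids;   /* on the server-wide s2s_cp_stateids */
    struct lock_stateid *cp_p_stid; /* back-pointer to the lock state */
};

struct server { struct list_head s2s_cp_stateids; };
struct open_stateid { struct list_head st_locks; };

/* COPY on the source server: record a copy state on both lists. */
static void copy_start(struct server *srv, struct lock_stateid *lo)
{
    struct cpntf_state *cps = calloc(1, sizeof *cps);
    cps->cp_p_stid = lo;
    list_add(&cps->cp_list, &lo->sc_cp_list);
    list_add(&cps->cp_stateids, &srv->s2s_cp_stateids);
}

/* Detach and free every copy state hanging off a stid (the fix's helper). */
static void free_cpntf_statelist(struct lock_stateid *lo)
{
    while (lo->sc_cp_list.next != &lo->sc_cp_list) {
        struct cpntf_state *cps =
            container_of(lo->sc_cp_list.next, struct cpntf_state, cp_list);
        list_del(&cps->cp_list);
        list_del(&cps->cp_stateids);
        free(cps);
    }
}

static void free_lock_stateid(struct lock_stateid *lo)
{
    list_del(&lo->st_locks);
    lo->freed = true;                    /* kfree() in the real code */
}

/* CLOSE: tear down every lock state owned by the open state. */
static void close_open_stateid(struct open_stateid *op, bool with_fix)
{
    while (op->st_locks.next != &op->st_locks) {
        struct lock_stateid *lo =
            container_of(op->st_locks.next, struct lock_stateid, st_locks);
        if (with_fix)
            free_cpntf_statelist(lo);    /* the call the patch adds */
        free_lock_stateid(lo);
    }
}

/* Laundromat: reap expired copy states.  Unlinking from cp_list writes
 * through cp_p_stid; if that stid is already freed, that write is the UAF.
 * Here we count those cases instead of performing the write. */
static int laundromat_reap(struct server *srv)
{
    int dangling = 0;
    while (srv->s2s_cp_stateids.next != &srv->s2s_cp_stateids) {
        struct cpntf_state *cps = container_of(srv->s2s_cp_stateids.next,
                                               struct cpntf_state, cp_stateids);
        if (cps->cp_p_stid->freed)
            dangling++;                  /* real code: list_del(&cps->cp_list) */
        else
            list_del(&cps->cp_list);
        list_del(&cps->cp_stateids);
        free(cps);
    }
    return dangling;
}

/* One COPY, then CLOSE arriving before FREE_STATEID; returns dangling count. */
int run_close_before_free_stateid(bool with_fix)
{
    struct server srv; struct open_stateid op; struct lock_stateid lo;
    list_init(&srv.s2s_cp_stateids);
    list_init(&op.st_locks);
    list_init(&lo.sc_cp_list);
    lo.freed = false;
    list_add(&lo.st_locks, &op.st_locks);
    copy_start(&srv, &lo);
    close_open_stateid(&op, with_fix);   /* FREE_STATEID would now get BAD_STATEID */
    return laundromat_reap(&srv);
}

int main(void)
{
    printf("without fix: %d dangling\n", run_close_before_free_stateid(false));
    printf("with fix:    %d dangling\n", run_close_before_free_stateid(true));
    return 0;
}
```

The invariant the patch restores is that an object linked on two lists must be unlinked from both on every teardown path, not only on the path that happens to run in the common request order.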
9p 9p: fix EBADF errors in cached mode 2022-06-17 06:03:30 +09:00
adfs fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
affs affs: Convert affs to read_folio 2022-05-09 16:21:44 -04:00
afs afs: Use the operation issue time instead of the reply time for callbacks 2022-09-15 10:47:15 +02:00
autofs
befs befs: Convert befs to read_folio 2022-05-09 16:21:45 -04:00
bfs fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
btrfs btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer 2022-10-24 09:56:53 +02:00
cachefiles cachefiles: make on-demand request distribution fairer 2022-09-08 11:24:00 +02:00
ceph ceph: don't truncate file in atomic_open 2022-10-15 08:01:42 +02:00
cifs cifs: return correct error in ->calc_signature() 2022-10-24 09:58:06 +02:00
coda coda: Convert coda to read_folio 2022-05-09 16:21:45 -04:00
configfs configfs: fix a race in configfs_{,un}register_subsystem() 2022-02-22 18:30:28 +01:00
cramfs cramfs: Convert cramfs to read_folio 2022-05-09 16:21:45 -04:00
crypto fscrypt: add new helper functions for test_dummy_encryption 2022-05-09 16:18:54 -07:00
debugfs debugfs: add debugfs_lookup_and_remove() 2022-09-15 10:47:10 +02:00
devpts fsnotify: fix fsnotify hooks in pseudo filesystems 2022-01-24 14:17:02 +01:00
dlm fs: dlm: fix race in lowcomms 2022-10-24 09:58:08 +02:00
ecryptfs ecryptfs: Convert ecryptfs to read_folio 2022-05-09 16:21:45 -04:00
efivarfs
efs efs: Convert efs symlinks to read_folio 2022-05-09 16:21:45 -04:00
erofs erofs: use kill_anon_super() to kill super in fscache mode 2022-10-24 09:57:02 +02:00
exfat exfat: fix overflow for large capacity partition 2022-09-28 11:32:04 +02:00
exportfs exportfs: support idmapped mounts 2022-04-28 16:31:10 +02:00
ext2 ext2: Add sanity checks for group and filesystem size 2022-10-24 09:56:54 +02:00
ext4 ext4: don't run ext4lazyinit for read-only filesystems 2022-10-24 09:57:46 +02:00
f2fs f2fs: fix to account FS_CP_DATA_IO correctly 2022-10-24 09:58:08 +02:00
fat Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
freevxfs SPDX changes for 5.19-rc1 2022-06-03 10:34:34 -07:00
fscache fscache: don't leak cookie access refs if invalidation is in progress or failed 2022-08-25 11:45:25 +02:00
fuse fuse: Remove the control interface for virtio-fs 2022-08-17 15:15:56 +02:00
gfs2 Page cache changes for 5.19 2022-05-24 19:55:07 -07:00
hfs fs: Change try_to_free_buffers() to take a folio 2022-05-09 23:12:34 -04:00
hfsplus fs: Change try_to_free_buffers() to take a folio 2022-05-09 23:12:34 -04:00
hostfs hostfs: Convert hostfs to read_folio 2022-05-09 16:21:45 -04:00
hpfs hpfs: Convert symlinks to read_folio 2022-05-09 16:21:45 -04:00
hugetlbfs hugetlbfs: zero partial pages during fallocate hole punch 2022-06-16 19:11:32 -07:00
iomap iomap: iomap: fix memory corruption when recording errors during writeback 2022-10-24 09:57:46 +02:00
isofs isofs: Convert symlinks and zisofs to read_folio 2022-05-09 16:21:45 -04:00
jbd2 jbd2: add miss release buffer head in fc_do_one_pass() 2022-10-24 09:56:54 +02:00
jffs2 This pull request contains fixes for JFFS2, UBI and UBIFS 2022-06-03 14:42:24 -07:00
jfs JFS: One bug fix and some code cleanup 2022-05-27 15:59:21 -07:00
kernfs kernfs: fix potential NULL dereference in __kernfs_remove 2022-08-17 15:15:26 +02:00
ksmbd ksmbd: Fix user namespace mapping 2022-10-24 09:56:52 +02:00
lockd lockd: detect and reject lock arguments that overflow 2022-08-17 15:13:42 +02:00
minix fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
netfs netfs: do not unlock and put the folio twice 2022-07-14 10:10:12 +02:00
nfs NFSv4.2: Update mode bits after ALLOCATE and DEALLOCATE 2022-09-23 14:14:02 +02:00
nfs_common
nfsd NFSD: fix use-after-free on source server when doing inter-server copy 2022-10-24 09:58:10 +02:00
nilfs2 nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure 2022-10-15 08:01:41 +02:00
nls
notify fanotify: refine the validation checks on non-dir inode mask 2022-06-28 11:18:13 +02:00
ntfs ntfs: fix BUG_ON in ntfs_lookup_inode_by_name() 2022-10-05 10:40:44 +02:00
ntfs3 ntfs3: rework xattr handlers and switch to POSIX ACL VFS helpers 2022-10-24 09:57:01 +02:00
ocfs2 ocfs2: fix freeing uninitialized resource on ocfs2_dlm_shutdown 2022-08-31 17:18:16 +02:00
omfs fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
openpromfs fs: allocate inode by using alloc_inode_sb() 2022-03-22 15:57:03 -07:00
orangefs orangefs: Convert to free_folio 2022-05-09 23:12:53 -04:00
overlayfs ovl: warn if trusted xattr creation fails 2022-08-25 11:45:52 +02:00
proc mm/smaps: don't access young/dirty bit if pte unpresent 2022-08-31 17:18:01 +02:00
pstore pstore: Don't use semaphores in always-atomic-context code 2022-03-15 11:08:23 -07:00
qnx4 fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
qnx6 fs: Convert mpage_readpage to mpage_read_folio 2022-05-09 16:21:44 -04:00
quota quota: Check next/prev free block number after reading from quota file 2022-10-24 09:56:44 +02:00
ramfs Merge branch 'akpm' (patches from Andrew) 2021-11-09 10:11:53 -08:00
reiserfs fs: Change try_to_free_buffers() to take a folio 2022-05-09 23:12:34 -04:00
romfs romfs: Convert romfs to read_folio 2022-05-09 16:21:46 -04:00
smbfs_common Add various fsctl structs 2022-05-23 20:24:12 -05:00
squashfs Page cache changes for 5.19 2022-05-24 19:55:07 -07:00
sysfs kobject: kobj_type: remove default_attrs 2022-04-05 15:39:19 +02:00
sysv Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
tracefs tracefs: Only clobber mode/uid/gid on remount if asked 2022-09-15 10:47:10 +02:00
ubifs This pull request contains fixes for JFFS2, UBI and UBIFS 2022-06-03 14:42:24 -07:00
udf Page cache changes for 5.19 2022-05-24 19:55:07 -07:00
ufs fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
unicode kbuild: unify cmd_copy and cmd_shipped 2022-02-14 10:37:32 +09:00
vboxsf vboxsf: Convert vboxsf to read_folio 2022-05-09 16:21:46 -04:00
verity Page cache changes for 5.19 2022-05-24 19:55:07 -07:00
xfs fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE 2022-10-24 09:56:52 +02:00
zonefs zonefs: fix zonefs_iomap_begin() for reads 2022-06-08 19:13:55 +09:00
aio.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2022-04-01 19:57:03 -07:00
anon_inodes.c
attr.c vfs: Check the truncate maximum size in inode_newsize_ok() 2022-08-17 15:13:46 +02:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c revert "fs/binfmt_elf: use PT_LOAD p_align values for static PIE" 2022-04-15 14:49:56 -07:00
binfmt_elf_fdpic.c coredump: Snapshot the vmas in do_coredump 2022-03-08 12:55:29 -06:00
binfmt_elf_test.c binfmt_elf: Introduce KUnit test 2022-03-03 20:38:56 -08:00
binfmt_flat.c binfmt_flat: Remove shared library support 2022-04-22 10:57:18 -07:00
binfmt_misc.c Fix regression due to "fs: move binfmt_misc sysctl to its own file" 2022-02-09 09:50:02 -08:00
binfmt_script.c
buffer.c fs: Convert drop_buffers() to use a folio 2022-05-09 23:12:34 -04:00
char_dev.c
compat_binfmt_elf.c binfmt_elf: Introduce KUnit test 2022-03-03 20:38:56 -08:00
coredump.c don't use __kernel_write() on kmap_local_page() 2022-10-12 09:51:25 +02:00
d_path.c d_path: fix Kernel doc validator complaining 2021-11-06 13:30:32 -07:00
dax.c fsdax: Fix infinite loop in dax_iomap_rw() 2022-09-28 11:32:26 +02:00
dcache.c mm: dcache: use kmem_cache_alloc_lru() to allocate dentry 2022-03-22 15:57:03 -07:00
direct-io.c direct-io: remove random prefetches 2022-04-17 19:50:02 -06:00
drop_caches.c
eventfd.c
eventpoll.c epoll: autoremove wakers even more aggressively 2022-08-17 15:13:59 +02:00
exec.c posix-cpu-timers: Cleanup CPU timers before freeing them during exec 2022-08-17 15:16:06 +02:00
fcntl.c VFS: add FMODE_CAN_ODIRECT file flag 2022-05-09 18:20:49 -07:00
fhandle.c
file.c fix the breakage in close_fd_get_file() calling conventions change 2022-06-05 15:03:03 -04:00
file_table.c locks: fix TOCTOU race when granting write lease 2022-10-24 09:57:24 +02:00
filesystems.c
fs-writeback.c fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE 2022-10-24 09:56:52 +02:00
fs_context.c vfs: fs_context: fix up param length parsing in legacy_parse_param 2022-01-18 09:23:19 +02:00
fs_parser.c fs_parse: allow parameter value to be empty 2021-12-09 14:09:36 -05:00
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c uninline may_mount() and don't opencode it in fspick(2)/fsopen(2) 2022-05-19 23:25:10 -04:00
init.c
inode.c fs: fix UAF/GPF bug in nilfs_mdt_destroy 2022-10-12 09:51:23 +02:00
internal.h locks: fix TOCTOU race when granting write lease 2022-10-24 09:57:24 +02:00
ioctl.c Fixes for 5.18-rc1: 2022-04-01 19:35:56 -07:00
Kconfig mm: hugetlb_vmemmap: cleanup CONFIG_HUGETLB_PAGE_FREE_VMEMMAP* 2022-04-28 23:16:15 -07:00
Kconfig.binfmt m68knommu: changes for linux 5.19 2022-05-30 10:56:18 -07:00
kernel_read_file.c
libfs.c fs: Convert simple_readpage to simple_read_folio 2022-05-09 16:21:44 -04:00
locks.c fs/lock: add 2 callbacks to lock_manager_operations to resolve conflict 2022-05-19 12:25:39 -04:00
Makefile io_uring: move to separate directory 2022-08-17 15:14:20 +02:00
mbcache.c mbcache: add functions to delete entry if unused 2022-08-17 15:13:56 +02:00
mount.h
mpage.c fs: Change try_to_free_buffers() to take a folio 2022-05-09 23:12:34 -04:00
namei.c __follow_mount_rcu(): verify that mount_lock remains unchanged 2022-08-17 15:16:06 +02:00
namespace.c fs: require CAP_SYS_ADMIN in target namespace for idmapped mounts 2022-08-31 17:18:01 +02:00
no-block.c
nsfs.c
open.c locks: fix TOCTOU race when granting write lease 2022-10-24 09:57:24 +02:00
pipe.c Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
pnode.c
pnode.h
posix_acl.c fs: fix acl translation 2022-04-19 10:19:02 -07:00
proc_namespace.c fs: add is_idmapped_mnt() helper 2021-12-03 18:44:06 +01:00
read_write.c don't use __kernel_write() on kmap_local_page() 2022-10-12 09:51:25 +02:00
readdir.c
remap_range.c Revert "vf/remap: return the amount of bytes actually deduplicated" 2022-07-14 15:35:24 -07:00
select.c select: Fix indefinitely sleeping task in poll_schedule_timeout() 2022-01-11 09:03:05 -08:00
seq_file.c rxrpc: Fix locking issue 2022-05-22 21:03:01 +01:00
signalfd.c Merge branch 'signal-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2022-01-17 05:49:30 +02:00
splice.c Revert "fs: check FMODE_LSEEK to control internal pipe splicing" 2022-10-24 09:56:38 +02:00
stack.c
stat.c RISC-V Patches for the 5.19 Merge Window, Part 1 2022-05-31 14:10:54 -07:00
statfs.c
super.c block: add a bdev_stable_writes helper 2022-04-17 19:49:59 -06:00
sync.c riscv: compat: syscall: Add compat_sys_call_table implementation 2022-04-26 13:36:25 -07:00
sysctls.c fs: move namespace sysctls and declare fs base directory 2022-01-22 08:33:36 +02:00
timerfd.c
userfaultfd.c userfaultfd: open userfaultfds with O_RDONLY 2022-10-24 09:57:01 +02:00
utimes.c
xattr.c fs: split off do_getxattr from getxattr 2022-04-24 18:18:37 -06:00