From: cel@kernel.org
To: <stable@vger.kernel.org>
Cc: <linux-nfs@vger.kernel.org>, Jeff Layton <jlayton@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>,
Olga Kornievskaia <okorniev@redhat.com>
Subject: [PATCH 5.15 4/5] NFSD: Initialize struct nfsd4_copy earlier
Date: Mon, 18 Nov 2024 16:20:19 -0500 [thread overview]
Message-ID: <20241118212035.3848-8-cel@kernel.org> (raw)
In-Reply-To: <20241118212035.3848-1-cel@kernel.org>
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 63fab04cbd0f96191b6e5beedc3b643b01c15889 ]
Ensure the refcount and async_copies fields are initialized early.
cleanup_async_copy() will reference these fields if an error occurs
in nfsd4_copy(). If they are not correctly initialized, at the very
least, a refcount underflow occurs.
Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Fixes: aadc3bbea163 ("NFSD: Limit the number of concurrent async COPY operations")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
fs/nfsd/nfs4proc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 54f43501fed9..6267a41092ae 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1787,14 +1787,14 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
if (!async_copy)
goto out_err;
async_copy->cp_nn = nn;
+ INIT_LIST_HEAD(&async_copy->copies);
+ refcount_set(&async_copy->refcount, 1);
/* Arbitrary cap on number of pending async copy operations */
if (atomic_inc_return(&nn->pending_async_copies) >
(int)rqstp->rq_pool->sp_nrthreads) {
atomic_dec(&nn->pending_async_copies);
goto out_err;
}
- INIT_LIST_HEAD(&async_copy->copies);
- refcount_set(&async_copy->refcount, 1);
async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL);
if (!async_copy->cp_src)
goto out_err;
--
2.47.0
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: cel@kernel.org, Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 5.15 4/5] NFSD: Initialize struct nfsd4_copy earlier
Date: Tue, 19 Nov 2024 07:30:51 -0500 [thread overview]
Message-ID: <20241118212035.3848-8-cel@kernel.org> (raw)
Message-ID: <20241119123051.JGXjfUh2kYq2Dt6y35H1hE9L4v2NkCIBClQMORekh8I@z> (raw)
In-Reply-To: <20241118212035.3848-8-cel@kernel.org>
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 63fab04cbd0f96191b6e5beedc3b643b01c15889
WARNING: Author mismatch between patch and upstream commit:
Backport author: cel@kernel.org
Commit author: Chuck Lever <chuck.lever@oracle.com>
Commit in newer trees:
|-----------------|----------------------------------------------|
| 6.11.y | Present (different SHA1: e30a9a2f69c3) |
| 6.6.y | Not found |
| 6.1.y | Not found |
| 5.15.y | Not found |
|-----------------|----------------------------------------------|
Note: The patch differs from the upstream commit:
---
--- - 2024-11-19 00:26:09.417432003 -0500
+++ /tmp/tmp.3m7vS1d9H2 2024-11-19 00:26:09.411459259 -0500
@@ -1,3 +1,5 @@
+[ Upstream commit 63fab04cbd0f96191b6e5beedc3b643b01c15889 ]
+
Ensure the refcount and async_copies fields are initialized early.
cleanup_async_copy() will reference these fields if an error occurs
in nfsd4_copy(). If they are not correctly initialized, at the very
@@ -13,10 +15,10 @@
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
-index b5a6bf4f459fb..5fd1ce3fc8fb7 100644
+index 54f43501fed9..6267a41092ae 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
-@@ -1841,14 +1841,14 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+@@ -1787,14 +1787,14 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
if (!async_copy)
goto out_err;
async_copy->cp_nn = nn;
@@ -33,3 +35,6 @@
async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL);
if (!async_copy->cp_src)
goto out_err;
+--
+2.47.0
+
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y | Success | Success |
next prev parent reply other threads:[~2024-11-18 21:20 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-18 21:20 [PATCH 5.15 0/5] Address CVE-2024-49974 cel
2024-11-18 21:20 ` [PATCH 5.15 1/5] NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point cel
2024-11-19 12:31 ` Sasha Levin
2024-11-18 21:20 ` [PATCH 5.15.y 01/18] nfsd: move reply cache initialization into nfsd startup cel
2024-11-18 21:20 ` [PATCH 5.15 2/5] NFSD: Async COPY result needs to return a write verifier cel
2024-11-19 12:31 ` Sasha Levin
2024-11-18 21:20 ` [PATCH 5.15.y 02/18] nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net cel
2024-11-18 21:20 ` [PATCH 5.15 3/5] NFSD: Limit the number of concurrent async COPY operations cel
2024-11-19 12:30 ` Sasha Levin
2024-11-18 21:20 ` [PATCH 5.15.y 03/18] NFSD: Refactor nfsd_reply_cache_free_locked() cel
2024-11-18 21:20 ` cel [this message]
2024-11-19 12:30 ` [PATCH 5.15 4/5] NFSD: Initialize struct nfsd4_copy earlier Sasha Levin
2024-11-18 21:20 ` [PATCH 5.15.y 04/18] NFSD: Rename nfsd_reply_cache_alloc() cel
2024-11-18 21:20 ` [PATCH 5.15 5/5] NFSD: Never decrement pending_async_copies on error cel
2024-11-19 12:31 ` Sasha Levin
2024-11-18 21:20 ` [PATCH 5.15.y 05/18] NFSD: Replace nfsd_prune_bucket() cel
2024-11-18 21:20 ` [PATCH 5.15.y 06/18] NFSD: Refactor the duplicate reply cache shrinker cel
2024-11-18 21:20 ` [PATCH 5.15.y 07/18] NFSD: Rewrite synopsis of nfsd_percpu_counters_init() cel
2024-11-18 21:20 ` [PATCH 5.15.y 08/18] NFSD: Fix frame size warning in svc_export_parse() cel
2024-11-18 21:20 ` [PATCH 5.15.y 09/18] sunrpc: don't change ->sv_stats if it doesn't exist cel
2024-11-18 21:20 ` [PATCH 5.15.y 10/18] nfsd: stop setting ->pg_stats for unused stats cel
2024-11-18 21:20 ` [PATCH 5.15.y 11/18] sunrpc: pass in the sv_stats struct through svc_create_pooled cel
2024-11-18 21:20 ` [PATCH 5.15.y 12/18] sunrpc: remove ->pg_stats from svc_program cel
2024-11-18 21:20 ` [PATCH 5.15.y 13/18] sunrpc: use the struct net as the svc proc private cel
2024-11-18 21:23 ` [PATCH 5.15 0/5] Address CVE-2024-49974 Chuck Lever III
-- strict thread matches above, loose matches on Subject: below --
2024-11-18 21:23 cel
2024-11-18 21:23 ` [PATCH 5.15 4/5] NFSD: Initialize struct nfsd4_copy earlier cel
2024-11-19 12:30 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241118212035.3848-8-cel@kernel.org \
--to=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=okorniev@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.