* [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start()
@ 2024-06-24 23:04 NeilBrown
2024-06-24 23:04 ` [PATCH 1/2] nfsd: initialise nfsd_info.mutex early NeilBrown
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: NeilBrown @ 2024-06-24 23:04 UTC (permalink / raw)
To: Chuck Lever, Jeff Layton
Cc: linux-nfs, Olga Kornievskaia, Dai Ngo, Tom Talpey
A recent patch attempted to fix a NULL pointer deref but introduced a
different NULL pointer deref and a possible unbalance unlock.
This series fixes the bug correctly and reverts the faulty fix.
(Sorry for not reviewing this patch earlier)
NeilBrown
[PATCH 1/2] nfsd: initialise nfsd_info.mutex early.
[PATCH 2/2] Revert "nfsd: fix oops when reading pool_stats before
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] nfsd: initialise nfsd_info.mutex early.
2024-06-24 23:04 [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() NeilBrown
@ 2024-06-24 23:04 ` NeilBrown
2024-06-24 23:04 ` [PATCH 2/2] Revert "nfsd: fix oops when reading pool_stats before server is started" NeilBrown
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: NeilBrown @ 2024-06-24 23:04 UTC (permalink / raw)
To: Chuck Lever, Jeff Layton
Cc: linux-nfs, Olga Kornievskaia, Dai Ngo, Tom Talpey
nfsd_info.mutex can be dereferenced by dsvc_pool_stats_state()
immediately after the the new netns is created. Currently this can
trigger an oops.
Move the initialisation earlier before it can possibly be dereferenced.
Fixes: 7b207ccd9833 ("svc: don't hold reference for poolstats, only mutex.")
Reported-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Closes: https://lore.kernel.org/all/c2e9f6de-1ec4-4d3a-b18d-d5a6ec0814a0@linux.ibm.com/
Signed-off-by: NeilBrown <neilb@suse.de>
---
fs/nfsd/nfsctl.c | 2 ++
fs/nfsd/nfssvc.c | 1 -
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index 533b65057e18..c848ebe5d08f 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -2169,6 +2169,8 @@ static __net_init int nfsd_net_init(struct net *net)
nn->nfsd_svcstats.program = &nfsd_program;
nn->nfsd_versions = NULL;
nn->nfsd4_minorversions = NULL;
+ nn->nfsd_info.mutex = &nfsd_mutex;
+ nn->nfsd_serv = NULL;
nfsd4_init_leases_net(nn);
get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
seqlock_init(&nn->writeverf_lock);
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index cd9a6a1a9fc8..89d7918de7b1 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -672,7 +672,6 @@ int nfsd_create_serv(struct net *net)
return error;
}
spin_lock(&nfsd_notifier_lock);
- nn->nfsd_info.mutex = &nfsd_mutex;
nn->nfsd_serv = serv;
spin_unlock(&nfsd_notifier_lock);
--
2.44.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] Revert "nfsd: fix oops when reading pool_stats before server is started"
2024-06-24 23:04 [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() NeilBrown
2024-06-24 23:04 ` [PATCH 1/2] nfsd: initialise nfsd_info.mutex early NeilBrown
@ 2024-06-24 23:04 ` NeilBrown
2024-06-25 10:16 ` [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() Jeff Layton
2024-06-25 14:22 ` Chuck Lever
3 siblings, 0 replies; 5+ messages in thread
From: NeilBrown @ 2024-06-24 23:04 UTC (permalink / raw)
To: Chuck Lever, Jeff Layton
Cc: linux-nfs, Olga Kornievskaia, Dai Ngo, Tom Talpey
This reverts commit 8e948c365d9c10b685d1deb946bd833d6a9b43e0.
The reverted commit moves a test on a field protected by a mutex outside
of the protection of that mutex, and so is obviously racey.
Depending on how the race goes, si->serv might be NULL when dereferenced
in svc_pool_stats_start(), or svc_pool_stats_stop() might unlock a mutex
that hadn't been locked.
This bug that the commit tried to fix has been addressed by initialising
->mutex earlier.
Fixes: 8e948c365d9c ("nfsd: fix oops when reading pool_stats before server is started")
Signed-off-by: NeilBrown <neilb@suse.de>
---
net/sunrpc/svc_xprt.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index 49a3bea33f9d..dd86d7f1e97e 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -1421,13 +1421,12 @@ static void *svc_pool_stats_start(struct seq_file *m, loff_t *pos)
dprintk("svc_pool_stats_start, *pidx=%u\n", pidx);
- if (!si->serv)
- return NULL;
-
mutex_lock(si->mutex);
if (!pidx)
return SEQ_START_TOKEN;
+ if (!si->serv)
+ return NULL;
return pidx > si->serv->sv_nrpools ? NULL
: &si->serv->sv_pools[pidx - 1];
}
@@ -1459,8 +1458,7 @@ static void svc_pool_stats_stop(struct seq_file *m, void *p)
{
struct svc_info *si = m->private;
- if (si->serv)
- mutex_unlock(si->mutex);
+ mutex_unlock(si->mutex);
}
static int svc_pool_stats_show(struct seq_file *m, void *p)
--
2.44.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start()
2024-06-24 23:04 [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() NeilBrown
2024-06-24 23:04 ` [PATCH 1/2] nfsd: initialise nfsd_info.mutex early NeilBrown
2024-06-24 23:04 ` [PATCH 2/2] Revert "nfsd: fix oops when reading pool_stats before server is started" NeilBrown
@ 2024-06-25 10:16 ` Jeff Layton
2024-06-25 14:22 ` Chuck Lever
3 siblings, 0 replies; 5+ messages in thread
From: Jeff Layton @ 2024-06-25 10:16 UTC (permalink / raw)
To: NeilBrown, Chuck Lever; +Cc: linux-nfs, Olga Kornievskaia, Dai Ngo, Tom Talpey
On Tue, 2024-06-25 at 09:04 +1000, NeilBrown wrote:
> A recent patch attempted to fix a NULL pointer deref but introduced a
> different NULL pointer deref and a possible unbalance unlock.
>
> This series fixes the bug correctly and reverts the faulty fix.
>
> (Sorry for not reviewing this patch earlier)
>
> NeilBrown
>
> [PATCH 1/2] nfsd: initialise nfsd_info.mutex early.
> [PATCH 2/2] Revert "nfsd: fix oops when reading pool_stats before
Yes, this looks like a superior fix. Thanks, Neil!
Reviewed-by: Jeff Layton <jlayton@kernel.org>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start()
2024-06-24 23:04 [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() NeilBrown
` (2 preceding siblings ...)
2024-06-25 10:16 ` [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() Jeff Layton
@ 2024-06-25 14:22 ` Chuck Lever
3 siblings, 0 replies; 5+ messages in thread
From: Chuck Lever @ 2024-06-25 14:22 UTC (permalink / raw)
To: NeilBrown; +Cc: Jeff Layton, linux-nfs, Olga Kornievskaia, Dai Ngo, Tom Talpey
On Tue, Jun 25, 2024 at 09:04:55AM +1000, NeilBrown wrote:
> A recent patch attempted to fix a NULL pointer deref but introduced a
> different NULL pointer deref and a possible unbalance unlock.
>
> This series fixes the bug correctly and reverts the faulty fix.
>
> (Sorry for not reviewing this patch earlier)
>
> NeilBrown
>
> [PATCH 1/2] nfsd: initialise nfsd_info.mutex early.
> [PATCH 2/2] Revert "nfsd: fix oops when reading pool_stats before
Applied to nfsd-fixes (for 6.10-rc). Thanks!
--
Chuck Lever
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-06-25 14:22 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-24 23:04 [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() NeilBrown
2024-06-24 23:04 ` [PATCH 1/2] nfsd: initialise nfsd_info.mutex early NeilBrown
2024-06-24 23:04 ` [PATCH 2/2] Revert "nfsd: fix oops when reading pool_stats before server is started" NeilBrown
2024-06-25 10:16 ` [PATCH 0/2] nfsd: proper fix for NULL deref in svc_pool_stats_start() Jeff Layton
2024-06-25 14:22 ` Chuck Lever
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox