From: "J. Bruce Fields" <bfields@fieldses.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@kernel.org, Lukas Hejtmanek <xhejtman@ics.muni.cz>,
nfsv4@linux-nfs.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Neil Brown <neilb@suse.de>
Subject: [PATCH] nfsd: fix oops on access from high-numbered ports
Date: Fri, 14 Mar 2008 19:37:11 -0400 [thread overview]
Message-ID: <20080314233711.GN2119@fieldses.org> (raw)
In-Reply-To: <20080314200510.GL2119@fieldses.org>
From: J. Bruce Fields <bfields@citi.umich.edu>
This bug was always here, but before my commit 6fa02839bf9412e18e77
("recheck for secure ports in fh_verify"), it could only be triggered by
failure of a kmalloc(). After that commit it could be triggered by a
client making a request from a non-reserved port for access to an export
marked "secure". (Exports are "secure" by default.)
The result is a struct svc_export with a reference count one to low,
resulting in likely oopses next time the export is accessed.
The reference counting here is not straightforward; a later patch will
clean up fh_verify().
Thanks to Lukas Hejtmanek for the bug report and followup.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: Lukas Hejtmanek <xhejtman@ics.muni.cz>
---
fs/nfsd/nfsfh.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
This is appropriate for 2.6.25, 2.6.24.y, and 2.6.23.y (if it's still
maintained).--b.
diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 1eb771d..3e6b3f4 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -232,6 +232,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
fhp->fh_dentry = dentry;
fhp->fh_export = exp;
nfsd_nr_verified++;
+ cache_get(&exp->h);
} else {
/*
* just rechecking permissions
@@ -241,6 +242,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
dprintk("nfsd: fh_verify - just checking\n");
dentry = fhp->fh_dentry;
exp = fhp->fh_export;
+ cache_get(&exp->h);
/*
* Set user creds for this exportpoint; necessary even
* in the "just checking" case because this may be a
@@ -252,8 +254,6 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
if (error)
goto out;
}
- cache_get(&exp->h);
-
error = nfsd_mode_check(rqstp, dentry->d_inode->i_mode, type);
if (error)
--
1.5.4.rc2.60.gb2e62
next prev parent reply other threads:[~2008-03-14 23:37 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-12 12:25 Oops in NFSv4 server in 2.6.23.17 Lukas Hejtmanek
2008-03-12 16:00 ` J. Bruce Fields
2008-03-13 14:36 ` Lukas Hejtmanek
2008-03-14 18:14 ` J. Bruce Fields
2008-03-14 19:33 ` J. Bruce Fields
2008-03-14 19:53 ` Lukas Hejtmanek
2008-03-14 20:05 ` J. Bruce Fields
2008-03-14 23:37 ` J. Bruce Fields [this message]
2008-03-14 23:42 ` J. Bruce Fields
2008-03-16 23:19 ` Neil Brown
2008-03-19 22:32 ` J. Bruce Fields
2008-03-20 2:31 ` NeilBrown
2008-03-17 8:12 ` Lukas Hejtmanek
2008-03-17 13:15 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080314233711.GN2119@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=neilb@suse.de \
--cc=nfsv4@linux-nfs.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=xhejtman@ics.muni.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox