[PATCH v2] nfs: maintain nfs_server in the reclaim process

[PATCH v2] nfs: maintain nfs_server in the reclaim process

[Li Lingfeng]

In the reclaim process, there may be a situation where all files are
closed and the file system is unmounted, which will result in the
release of nfs_server.

This will trigger UAF in nfs4_put_open_state when the count of
nfs4_state is decremented to zero, because the freed nfs_server will be
accessed when evicting inode.

Maintaining the nfs_server throughout the entire reclaim process by
adding nfs_sb_active and nfs_sb_deactive to fix it.

Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
---
v1->v2:
  Get reference counting inside the lock's protection.

 fs/nfs/nfs4state.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index dafd61186557..acf608957f57 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1935,6 +1935,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 				continue;
 			if (!atomic_inc_not_zero(&sp->so_count))
 				continue;
+			if (!(server->super && nfs_sb_active(server->super))) {
+				spin_unlock(&clp->cl_lock);
+				rcu_read_unlock();
+				nfs4_put_state_owner(sp);
+				goto restart;
+			}
 			spin_unlock(&clp->cl_lock);
 			rcu_read_unlock();
 
@@ -1947,10 +1953,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 				nfs4_put_state_owner(sp);
 				status = nfs4_recovery_handle_error(clp, status);
 				nfs4_free_state_owners(&freeme);
+				nfs_sb_deactive(server->super);
 				return (status != 0) ? status : -EAGAIN;
 			}
 
 			nfs4_put_state_owner(sp);
+			nfs_sb_deactive(server->super);
 			goto restart;
 		}
 		spin_unlock(&clp->cl_lock);
-- 
2.31.1