Commit 23da844c authored Nov 02, 2024 by Yang Erkun Committed by Li Lingfeng Nov 02, 2024

nfs: maintain nfs_server in the reclaim process

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAUJJ4


CVE: NA

--------------------------------

In the reclaim process, there may be a situation where all files are
closed and the file system is unmounted, which will result in the
release of nfs_server.

This will trigger UAF in nfs4_put_open_state when the count of
nfs4_state is decremented to zero, because the freed nfs_server will be
accessed when evicting inode.

Maintaining the nfs_server throughout the entire reclaim process by
adding nfs_sb_active and nfs_sb_deactive to fix it.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>

parent 59069592

fs/nfs/nfs4state.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1875,6 +1875,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
		continue;
		if (!atomic_inc_not_zero(&sp->so_count))
		continue;
		if (!(server->super && nfs_sb_active(server->super))) {
		spin_unlock(&clp->cl_lock);
		rcu_read_unlock();
		nfs4_put_state_owner(sp);
		goto restart;
		}
		spin_unlock(&clp->cl_lock);
		rcu_read_unlock();

		@@ -1884,10 +1890,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
		nfs4_put_state_owner(sp);
		status = nfs4_recovery_handle_error(clp, status);
		nfs4_free_state_owners(&freeme);
		nfs_sb_deactive(server->super);
		return (status != 0) ? status : -EAGAIN;
		}

		nfs4_put_state_owner(sp);
		nfs_sb_deactive(server->super);
		goto restart;
		}
		spin_unlock(&clp->cl_lock);