Commit 2c0929d0 authored by Chuck Lever, committed by Li Lingfeng

NFSD: Prevent NULL dereference in nfsd4_process_cb_update()

stable inclusion
from stable-v6.6.64
commit eb51733ae5fc73d95bd857d5da26f9f65b202a79
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAET
CVE: CVE-2024-53217

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=eb51733ae5fc73d95bd857d5da26f9f65b202a79



--------------------------------

[ Upstream commit 1e02c641c3a43c88cecc08402000418e15578d38 ]

@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no
available backchannel session, setup_callback_client() will try to
dereference @ses and segfault.

Fixes: dcbeaa68 ("nfsd4: allow backchannel recovery")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
parent 8fc66242
+2 −0
@@ -1380,6 +1380,8 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb)
		ses = c->cn_session;
	}
	spin_unlock(&clp->cl_lock);
	if (!c)
		return;

	err = setup_callback_client(clp, &conn, ses);
	if (err) {
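
Review bot: the guard `if (!c) return;` placed after `spin_unlock(&clp->cl_lock);` tests `c`, while the pointer handed to setup_callback_client() is `ses`, and the link between the two (`ses = c->cn_session;` is the only assignment visible in this hunk) is left for the reader to infer. A one-line comment above the check, stating that no backchannel connection was found and so there is no session to set the callback client up with, would make the guard self-explanatory and protect it from being dropped in a later cleanup. The return is also silent: since the `if (err) {` branch just below handles a failed setup, consider whether the no-session case should be reported in a similar way, so that a client left without a usable backchannel shows up in diagnostics.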