Commit 427a5df4 authored Oct 22, 2024 by Guoqing Jiang Committed by Li Lingfeng Oct 22, 2024

nfsd: call cache_put if xdr_reserve_space returns NULL

stable inclusion
from stable-v5.10.227
commit 9f03f0016ff797932551881c7e06ae50e9c39134
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRM
CVE: CVE-2024-47737

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9f03f0016ff797932551881c7e06ae50e9c39134



--------------------------------

[ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ]

If not enough buffer space available, but idmap_lookup has triggered
lookup_fn which calls cache_get and returns successfully. Then we
missed to call cache_put here which pairs with cache_get.

Fixes: ddd1ea56 ("nfsd4: use xdr_reserve_space in attribute encoding")
Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
Reviwed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>

parent 31421c83

fs/nfsd/nfs4idmap.c

+9 −4

Original line number	Diff line number	Diff line
		@@ -580,6 +580,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
		.id = id,
		.type = type,
		};
		__be32 status = nfs_ok;
		__be32 *p;
		int ret;
		struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
		@@ -592,12 +593,16 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
		return nfserrno(ret);
		ret = strlen(item->name);
		WARN_ON_ONCE(ret > IDMAP_NAMESZ);

		p = xdr_reserve_space(xdr, ret + 4);
		if (!p)
		return nfserr_resource;
		p = xdr_encode_opaque(p, item->name, ret);
		if (unlikely(!p)) {
		status = nfserr_resource;
		goto out_put;
		}
		xdr_encode_opaque(p, item->name, ret);
		out_put:
		cache_put(&item->h, nn->idtoname_cache);
		return 0;
		return status;
		}

		static bool