Unverified Commit b8723410 authored by openeuler-ci-bot, committed by Gitee

!13066 Fix UAF of rpc_task

Merge Pull Request from: @ci-robot 
 
PR sync from: Li Lingfeng <lilingfeng3@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TRAAWFDZNJB5JA4XJWVF4LTPMTGJCRDH/ 
Li Lingfeng (1):
  nfs: fix rpc_task use-after-free when open and close different files
    concurrently

Yang Erkun (1):
  NFSv4: release seqid when open failed for nfs4.0


-- 
2.31.1
 
https://gitee.com/openeuler/kernel/issues/IATZPG
https://gitee.com/openeuler/kernel/issues/IB20ED 
 
Link:https://gitee.com/openeuler/kernel/pulls/13066 
parents 15581b7e 4f97f859
+1 −0
@@ -524,6 +524,7 @@ extern struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter, gfp_
extern int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task);
extern void nfs_increment_open_seqid(int status, struct nfs_seqid *seqid);
extern void nfs_increment_lock_seqid(int status, struct nfs_seqid *seqid);
extern void nfs_release_seqid_inorder(struct nfs_seqid *seqid);
extern void nfs_release_seqid(struct nfs_seqid *seqid);
extern void nfs_free_seqid(struct nfs_seqid *seqid);
extern int nfs4_setup_sequence(struct nfs_client *client,
+3 −1
@@ -2528,6 +2528,8 @@ static void nfs4_open_release(void *calldata)
	struct nfs4_opendata *data = calldata;
	struct nfs4_state *state = NULL;

	if (data->rpc_status != 0 || !data->rpc_done)
		nfs_release_seqid_inorder(data->o_arg.seqid);
	/* If this request hasn't been cancelled, do nothing */
	if (!data->cancelled)
		goto out_free;
@@ -3610,7 +3612,7 @@ static void nfs4_close_done(struct rpc_task *task, void *data)
			res_stateid, calldata->arg.fmode);
out_release:
	task->tk_status = 0;
	nfs_release_seqid(calldata->arg.seqid);
	nfs_release_seqid_inorder(calldata->arg.seqid);
	nfs_refresh_inode(calldata->inode, &calldata->fattr);
	dprintk("%s: ret = %d\n", __func__, task->tk_status);
	return;
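Review bot: The new release call in nfs4_open_release is the only branch in this function without a comment saying why it runs, while the `if (!data->cancelled)` right after it already carries one; a one-liner would make the failed/incomplete-open case readable: `/* Open failed or never completed: drop our seqid now and wake the next waiter in order */`. Without it a reader cannot tell whether this release is meant to replace a later release on the success path or to complement it. The second hunk in nfs4_close_done swaps nfs_release_seqid for nfs_release_seqid_inorder without explanation; if other callers of nfs_release_seqid remain (the hunk does not show them), a short note on why close needs the in-order variant would help the next maintainer keep the two call sets apart. Both nfs4_open_release and nfs4_close_done start before and end after their hunks.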
+18 −0
@@ -1087,6 +1087,24 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter, gfp_t gfp_m
	return new;
}

void nfs_release_seqid_inorder(struct nfs_seqid *seqid)
{
	struct nfs_seqid_counter *sequence;

	if (seqid == NULL || list_empty(&seqid->list))
		return;
	sequence = seqid->sequence;
	spin_lock(&sequence->lock);
	if (!list_is_last(&seqid->list, &sequence->list)) {
		struct nfs_seqid *next;

		next = list_next_entry(seqid, list);
		rpc_wake_up_queued_task(&sequence->wait, next->task);
	}
	list_del_init(&seqid->list);
	spin_unlock(&sequence->lock);
}

void nfs_release_seqid(struct nfs_seqid *seqid)
{
	struct nfs_seqid_counter *sequence;
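Review bot: nfs_release_seqid_inorder is exported through the header but has no kernel-doc, and the one property a caller must understand — that it wakes only the entry queued directly after `seqid` rather than the head of `sequence->list` — is visible only by reading the list_is_last/list_next_entry pair. A header comment such as `/* Release a seqid and wake only its immediate successor in the counter's queue, never an earlier waiter whose task may already be gone. */` would tie the function to the use-after-free the PR title describes; that motivation is presumably the reason for the in-order wake, but it is not stated in the hunk. The `list_empty(&seqid->list)` test is done before `sequence->lock` is taken, so the function relies on the caller being the seqid's sole releaser; stating that invariant in the comment would document what the unlocked check depends on. The sibling nfs_release_seqid begins at the last lines of the hunk and its body is outside it, so the difference between the two cannot be confirmed here.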