From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, rtm@csail.mit.edu, "J. Bruce Fields", Chuck Lever, Olga Kornievskaia, Sasha Levin
Subject: [PATCH 5.16 0811/1039] nfsd: fix crash on COPY_NOTIFY with special stateid
Date: Mon, 24 Jan 2022 19:43:20 +0100
Message-Id: <20220124184152.573221726@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124184125.121143506@linuxfoundation.org>
References: <20220124184125.121143506@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: J. Bruce Fields

[ Upstream commit 074b07d94e0bb6ddce5690a9b7e2373088e8b33a ]

RTM says "If the special ONE stateid is passed to nfs4_preprocess_stateid_op(), it returns status=0 but does not set *cstid. nfsd4_copy_notify() depends on stid being set if status=0, and thus can crash if the client sends the right COPY_NOTIFY RPC."

RFC 7862 says "The cna_src_stateid MUST refer to either open or locking states provided earlier by the server. If it is invalid, then the operation MUST fail."

The RFC doesn't specify an error, and the choice doesn't matter much as this is clearly illegal client behavior, but bad_stateid seems reasonable.

Simplest is just to guarantee that nfs4_preprocess_stateid_op, called with non-NULL cstid, errors out if it can't return a stateid.

Reported-by: rtm@csail.mit.edu
Fixes: 624322f1adc5 ("NFSD add COPY_NOTIFY operation")
Signed-off-by: J. Bruce Fields
Signed-off-by: Chuck Lever
Reviewed-by: Olga Kornievskaia
Tested-by: Olga Kornievskaia
Signed-off-by: Sasha Levin
---
 fs/nfsd/nfs4state.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 1956d377d1a60..b94b3bb2b8a6e 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -6040,7 +6040,11 @@ nfs4_preprocess_stateid_op(struct svc_rqst *rqstp, *nfp = NULL; if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) { - status = check_special_stateids(net, fhp, stateid, flags); + if (cstid) + status = nfserr_bad_stateid; + else + status = check_special_stateids(net, fhp, stateid, + flags); goto done; } -- 2.34.1
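Review bot: the new `if (cstid)` branch in the ZERO_STATEID/ONE_STATEID block relies on an invariant the code never states, namely that a special stateid has no backing nfs4_stid, so a caller that asked for `cstid` cannot be satisfied and has to get an error rather than status 0 with `*cstid` left unset. Please add a one-line comment above the branch (e.g. `/* special stateids have no nfs4_stid; fail if the caller wants one */`) and record in the comment describing nfs4_preprocess_stateid_op's contract (adding one if there is none) that with non-NULL `cstid`, status 0 now guarantees `*cstid` is set, since nfsd4_copy_notify depends on exactly that and the caller itself is not touched by this patch. The choice of nfserr_bad_stateid is consistent with the commit message's reading of RFC 7862 (the operation MUST fail, error unspecified), and the `flags);` continuation line only reflows the existing check_special_stateids() call, so neither needs a change.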