From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, rtm@csail.mit.edu, "J. Bruce Fields", Chuck Lever, Olga Kornievskaia, Sasha Levin
Subject: [PATCH 5.15 077/262] nfsd: fix crash on COPY_NOTIFY with special stateid
Date: Mon, 7 Mar 2022 10:17:01 +0100
Message-Id: <20220307091704.665272036@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220307091702.378509770@linuxfoundation.org>
References: <20220307091702.378509770@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: J. Bruce Fields

[ Upstream commit 074b07d94e0bb6ddce5690a9b7e2373088e8b33a ]

RTM says "If the special ONE stateid is passed to nfs4_preprocess_stateid_op(), it returns status=0 but does not set *cstid. nfsd4_copy_notify() depends on stid being set if status=0, and thus can crash if the client sends the right COPY_NOTIFY RPC."

RFC 7862 says "The cna_src_stateid MUST refer to either open or locking states provided earlier by the server. If it is invalid, then the operation MUST fail."

The RFC doesn't specify an error, and the choice doesn't matter much as this is clearly illegal client behavior, but bad_stateid seems reasonable.

Simplest is just to guarantee that nfs4_preprocess_stateid_op, called with non-NULL cstid, errors out if it can't return a stateid.

Reported-by: rtm@csail.mit.edu
Fixes: 624322f1adc5 ("NFSD add COPY_NOTIFY operation")
Signed-off-by: J. Bruce Fields
Signed-off-by: Chuck Lever Reviewed-by: Olga Kornievskaia Tested-by: Olga Kornievskaia Signed-off-by: Sasha Levin --- fs/nfsd/nfs4state.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 97090ddcfc94d..db4a47a280dc5 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -6042,7 +6042,11 @@ nfs4_preprocess_stateid_op(struct svc_rqst *rqstp, *nfp = NULL; if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) { - status = check_special_stateids(net, fhp, stateid, flags); + if (cstid) + status = nfserr_bad_stateid; + else + status = check_special_stateids(net, fhp, stateid, + flags); goto done; } -- 2.34.1
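Review bot: the new `if (cstid)` branch only covers the ZERO/ONE special-stateid path, while the commit message promises that nfs4_preprocess_stateid_op "called with non-NULL cstid, errors out if it can't return a stateid"; that guarantee also depends on every later path that reaches `done` with status 0 having stored into *cstid, which this hunk does not show, so the remaining return paths should be confirmed (or the contract stated in the function's comment) before nfsd4_copy_notify relies on it. Because the rejection lives in the shared helper, any other caller that passes a non-NULL cstid with a special stateid now gets nfserr_bad_stateid instead of the check_special_stateids result; the hunk does not show which callers those are, so that behaviour change is worth a sentence in the log. A one-line comment above `if (cstid)` saying that special stateids carry no stid object, and that RFC 7862 requires cna_src_stateid to name open or lock state, would save the next reader from reconstructing the reasoning from the commit message.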
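The failure mode the commit message describes, a helper that returns status 0 without storing its out-parameter and a caller that trusts status 0, modelled as an added C example. This is not kernel code: the types, the all-zero/all-ones special-stateid test, the lookup table and the before/after helpers are constructed stand-ins for nfs4_preprocess_stateid_op and nfsd4_copy_notify, and NFS4ERR_BAD_STATEID is used as a plain integer rather than the kernel's nfserr_bad_stateid.

```c
/*
 * Added example, not kernel code: a constructed model of the contract bug the
 * patch fixes. A helper that returns status 0 without storing its out-parameter
 * lets a caller that trusts status 0 dereference NULL.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFS_OK              0
#define NFS4ERR_BAD_STATEID 10025  /* RFC 7530 error number, used here as a plain int */

typedef struct {
    uint32_t generation;
    uint8_t  opaque[12];
} stateid_t;                       /* 16 bytes, no padding, so memcmp is safe */

struct nfs4_stid {
    int       sc_type;             /* constructed: 1 = open state, 2 = lock state */
    stateid_t sc_stateid;
};

/* Constructed stand-in for ZERO_STATEID()/ONE_STATEID(): all-zero or all-ones. */
static bool is_special_stateid(const stateid_t *s) {
    stateid_t zero, one;
    memset(&zero, 0x00, sizeof zero);
    memset(&one, 0xff, sizeof one);
    return memcmp(s, &zero, sizeof zero) == 0 || memcmp(s, &one, sizeof one) == 0;
}

/* Constructed server state: stateids the server handed out earlier. */
static struct nfs4_stid known_states[] = {
    { 1, { 1, { 0xa, 0xa, 0xa, 0xa, 0xa, 0xa, 0xa, 0xa, 0xa, 0xa, 0xa, 0xa } } },
    { 2, { 3, { 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb } } },
};

static struct nfs4_stid *lookup_stid(const stateid_t *s) {
    for (size_t i = 0; i < sizeof known_states / sizeof known_states[0]; i++)
        if (memcmp(&known_states[i].sc_stateid, s, sizeof *s) == 0)
            return &known_states[i];
    return NULL;
}

/* Before the fix: a special stateid yields status 0 while *cstid is left untouched. */
static int preprocess_stateid_before(const stateid_t *s, struct nfs4_stid **cstid) {
    if (is_special_stateid(s))
        return NFS_OK;
    struct nfs4_stid *st = lookup_stid(s);
    if (!st)
        return NFS4ERR_BAD_STATEID;
    if (cstid)
        *cstid = st;
    return NFS_OK;
}

/* After the fix: a caller that asks for a stid object cannot get status 0 without one. */
static int preprocess_stateid_after(const stateid_t *s, struct nfs4_stid **cstid) {
    if (is_special_stateid(s))
        return cstid ? NFS4ERR_BAD_STATEID : NFS_OK;
    struct nfs4_stid *st = lookup_stid(s);
    if (!st)
        return NFS4ERR_BAD_STATEID;
    if (cstid)
        *cstid = st;
    return NFS_OK;
}

typedef int (*preprocess_fn)(const stateid_t *, struct nfs4_stid **);

/*
 * COPY_NOTIFY-style caller: it needs the state object, so it passes a non-NULL
 * cstid and trusts status 0. Returns the stid type on success, the NFS error on
 * failure, or -1 when the helper reported success but left the pointer NULL;
 * the real caller has no such guard and would dereference NULL at that point.
 */
static int copy_notify(preprocess_fn preprocess, const stateid_t *src) {
    struct nfs4_stid *stid = NULL;
    int status = preprocess(src, &stid);
    if (status != NFS_OK)
        return status;
    if (!stid)
        return -1;
    return stid->sc_type;
}

/* Drive both helpers with the special ONE stateid and with a stateid the server knows. */
static int run_before_special(void) { stateid_t s; memset(&s, 0xff, sizeof s); return copy_notify(preprocess_stateid_before, &s); }
static int run_after_special(void)  { stateid_t s; memset(&s, 0xff, sizeof s); return copy_notify(preprocess_stateid_after, &s); }
static int run_before_known(void)   { return copy_notify(preprocess_stateid_before, &known_states[1].sc_stateid); }
static int run_after_known(void)    { return copy_notify(preprocess_stateid_after, &known_states[1].sc_stateid); }

int main(void) {
    printf("before, ONE stateid:   %d (-1 = status 0 with NULL stid)\n", run_before_special());
    printf("after,  ONE stateid:   %d (NFS4ERR_BAD_STATEID)\n", run_after_special());
    printf("before, known stateid: %d (lock state)\n", run_before_known());
    printf("after,  known stateid: %d (lock state)\n", run_after_known());
    return 0;
}
```

The before/after pair shows why the fix sits in the helper rather than the caller: once the helper guarantees "status 0 and non-NULL cstid implies *cstid stored", every caller that asks for the object inherits the guarantee, whereas a NULL check in nfsd4_copy_notify alone would leave the same trap for the next caller.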