Date: Tue, 30 Jul 2019 19:03:39 -0400
From: "J. Bruce Fields"
To: Jia-Ju Bai
Cc: chuck.lever@oracle.com, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fs: nfsd: Fix three possible null-pointer dereferences
Message-ID: <20190730230339.GD3544@fieldses.org>
References: <20190724082803.1077-1-baijiaju1990@gmail.com>
In-Reply-To: <20190724082803.1077-1-baijiaju1990@gmail.com>
X-Mailing-List: linux-nfs@vger.kernel.org

On Wed, Jul 24, 2019 at 04:28:03PM +0800, Jia-Ju Bai wrote:
> In nfs4_xdr_dec_cb_recall(), nfs4_xdr_dec_cb_layout() and
> nfs4_xdr_dec_cb_notify_lock(), there is an if statement to check whether
> cb is NULL.
>
> When cb is NULL, the three functions all call:
> decode_cb_op_status(..., &cb->cb_status);
>
> Thus, possible null-pointer dereferences may occur.
>
> To fix these possible bugs, -EINVAL is returned when cb is NULL.
>
> These bugs are found by a static analysis tool STCheck written by us.

Thanks! But I think actually the correct fix is just to remove the NULL
checks entirely.

--b.

>
> Signed-off-by: Jia-Ju Bai
> ---
> fs/nfsd/nfs4callback.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
> index 397eb7820929..55949a158b6b 100644
> --- a/fs/nfsd/nfs4callback.c
> +++ b/fs/nfsd/nfs4callback.c
> @@ -516,7 +516,8 @@ static int nfs4_xdr_dec_cb_recall(struct rpc_rqst *rqstp, > status = decode_cb_sequence4res(xdr, cb); > if (unlikely(status || cb->cb_seq_status)) > return status; > - } > + } else > + return -EINVAL; > > return decode_cb_op_status(xdr, OP_CB_RECALL, &cb->cb_status); > }
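Review bot: the new `} else return -EINVAL;` in the nfs4_xdr_dec_cb_recall() hunk contradicts the function's own precondition: the unchanged final line `return decode_cb_op_status(xdr, OP_CB_RECALL, &cb->cb_status);` takes `&cb->cb_status` unconditionally, so the code already assumes cb is non-NULL and the guard being extended is dead rather than protective. Adding an error return here would quietly turn a caller bug into a decode failure; dropping the `if (cb)` check so the precondition is stated once (as the maintainer's reply suggests) is the cleaner fix. Style point as well: the if branch is braced, so the else branch should be too (`} else {` / `return -EINVAL;` / `}`), per Documentation/process/coding-style.rst.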
> @@ -608,7 +609,9 @@ static int nfs4_xdr_dec_cb_layout(struct rpc_rqst *rqstp, > status = decode_cb_sequence4res(xdr, cb); > if (unlikely(status || cb->cb_seq_status)) > return status; > - } > + } else > + return -EINVAL; > + > return decode_cb_op_status(xdr, OP_CB_LAYOUTRECALL, &cb->cb_status); > } > #endif /* CONFIG_NFSD_PNFS */ > @@ -667,7 +670,9 @@ static int nfs4_xdr_dec_cb_notify_lock(struct rpc_rqst *rqstp, > status = decode_cb_sequence4res(xdr, cb); > if (unlikely(status || cb->cb_seq_status)) > return status; > - } > + } else > + return -EINVAL; > + > return decode_cb_op_status(xdr, OP_CB_NOTIFY_LOCK, &cb->cb_status); > } > > -- > 2.17.0
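Review bot: the blank line added after `return -EINVAL;` in the nfs4_xdr_dec_cb_layout() hunk has no counterpart in the nfs4_xdr_dec_cb_recall() hunk, so the same change ends up formatted differently in each function; keep the three identical. The dead-guard problem is also the same here: `return decode_cb_op_status(xdr, OP_CB_LAYOUTRECALL, &cb->cb_status);` dereferences cb unconditionally, so either cb can be NULL at this point and the new branch only papers over a bug elsewhere, or it cannot and the check should be removed. This function sits under CONFIG_NFSD_PNFS (note the `#endif /* CONFIG_NFSD_PNFS */` context), so the change needs a build with pNFS enabled to be compile-tested at all.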
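Review bot: the commit message claims "possible null-pointer dereferences" but gives no call path on which cb is NULL, and the nfs4_xdr_dec_cb_notify_lock() hunk shows why that matters: the unchanged `&cb->cb_status` argument to decode_cb_op_status() would already fault on a NULL cb before this patch, so the NULL check the patch extends is inconsistent with the code around it. Either document the path that passes a NULL cb (in which case a silent `-EINVAL` still hides a programming error and a loud failure such as a WARN would be preferable), or remove the NULL checks as suggested in the reply so the guard no longer disagrees with the dereference that follows it. The unbraced else applies here as in the other two hunks.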