Date: Fri, 6 Dec 2019 16:14:42 -0500
To: "J. Bruce Fields"
Cc: Olga Kornievskaia, Dan Carpenter, linux-nfs
Subject: Re: [bug report] NFSD: allow inter server COPY to have a STALE source server fh
Message-ID: <20191206211442.GB17524@fieldses.org>
From: bfields@fieldses.org (J. Bruce Fields)
X-Mailing-List: linux-nfs@vger.kernel.org

On Wed, Dec 04, 2019 at 09:38:26PM -0500, J. Bruce Fields wrote:
> So, stuff we could do:
>
> - add an extra check of fh_export or something here.

So, I'm applying the following for now.

--b.

commit a0a906b965b0
Author: J. Bruce Fields
Date: Fri Dec 6 16:07:32 2019 -0500

    nfsd4: avoid NULL deference on strange COPY compounds

    With cross-server COPY we've introduced the possibility that the
    current or saved filehandle might not have fh_dentry/fh_export filled
    in, but we missed a place that assumed it was. I think this could be
    triggered by a compound like:

        PUTFH(foreign filehandle)
        GETATTR
        SAVEFH
        COPY

    First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op.
    Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL.
    need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE
    set and GETATTR does not have OP_HANDLES_WRONGSEC set.

    We should probably also consider tightening the checks in
    check_if_stalefh_allowed and double-checking that we don't assume the
    filehandle is verified elsewhere in the compound. But I think this
    fixes the immediate issue.

    Reported-by: Dan Carpenter
    Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... "
    Signed-off-by: J. Bruce Fields

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index d33c39c18cdd..5c7f622fed29 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -2368,7 +2368,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) if (op->opdesc->op_flags & OP_CLEAR_STATEID) clear_current_stateid(cstate); - if (need_wrongsec_check(rqstp)) + if (current->fh->fh_export && + need_wrongsec_check(rqstp)) op->status = check_nfsd_access(current_fh->fh_export, rqstp); } encode_op:
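
Review bot: the added condition tests "current->fh->fh_export", which does not match the "current_fh->fh_export" that the unchanged check_nfsd_access() call just below it dereferences and that the commit message names. In kernel code "current" is the running task, which has no "fh" member, so the hunk as posted will not build; the test should read "if (current_fh->fh_export &&". A one-line comment above the test saying that fh_export can be NULL after a no_verify PUTFH in a cross-server COPY compound would also keep the guard from looking redundant to a later reader.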