From: Vasily Averin
Subject: [PATCH] nfsd: memory corruption in nfsd4_lock()
To: "J. Bruce Fields", Chuck Lever, Jeff Layton
Cc: linux-nfs@vger.kernel.org
Date: Mon, 23 Mar 2020 10:55:11 +0300

New struct nfsd4_blocked_lock allocated in find_or_allocate_block() does not initialise nbl_list and nbl_lru. If conflock allocation fails, rollback can call list_del_init(), access uninitialized fields and corrupt memory.

Fixes: 76d348fadff5 ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock")
Signed-off-by: Vasily Averin --- fs/nfsd/nfs4state.c | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 369e574c5092..176ef8d24fae 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -6524,6 +6524,13 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, goto out; } + conflock = locks_alloc_lock(); + if (!conflock) { + dprintk("NFSD: %s: unable to allocate lock!\n", __func__); + status = nfserr_jukebox; + goto out; + } + nbl = find_or_allocate_block(lock_sop, &fp->fi_fhandle, nn); if (!nbl) { dprintk("NFSD: %s: unable to allocate block!\n", __func__); @@ -6542,13 +6549,6 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, file_lock->fl_end = last_byte_offset(lock->lk_offset, lock->lk_length); nfs4_transform_lock_offset(file_lock); - conflock = locks_alloc_lock(); - if (!conflock) { - dprintk("NFSD: %s: unable to allocate lock!\n", __func__); - status = nfserr_jukebox; - goto out; - } - if (fl_flags & FL_SLEEP) { nbl->nbl_time = jiffies; spin_lock(&nn->blocked_locks_lock); @@ -6581,17 +6581,15 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, status = nfserrno(err); break; } -out: - if (nbl) { - /* dequeue it if we queued it before */ - if (fl_flags & FL_SLEEP) { - spin_lock(&nn->blocked_locks_lock); - list_del_init(&nbl->nbl_list); - list_del_init(&nbl->nbl_lru); - spin_unlock(&nn->blocked_locks_lock); - } - free_blocked_lock(nbl); + /* dequeue it if we queued it before */ + if (fl_flags & FL_SLEEP) { + spin_lock(&nn->blocked_locks_lock); + list_del_init(&nbl->nbl_list); + list_del_init(&nbl->nbl_lru); + spin_unlock(&nn->blocked_locks_lock); } + free_blocked_lock(nbl); +out: if (nf) nfsd_file_put(nf); if (lock_stp) { -- 2.17.1
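Review bot: the reordering in the first hunk is what actually closes the hole, and the commit message should say so: once locks_alloc_lock() runs before find_or_allocate_block(), there is no `goto out` left between a successful nbl allocation and the FL_SLEEP `list_add_tail()` calls, so the rollback can no longer see an nbl whose nbl_list/nbl_lru were never queued. The flip side is that a failed find_or_allocate_block() now reaches `out:` with conflock already allocated; that relies on the `if (conflock) locks_free_lock(conflock)` release further down in nfsd4_lock(), outside this hunk, and is worth one sentence in the description.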
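Review bot: in the third hunk, dropping the `if (nbl)` guard makes the dequeue-and-free unconditional for everything that falls out of the `switch (err)`, which is only safe if no case in that switch clears nbl. The FILE_LOCK_DEFERRED case, just above the visible context, hands the blocked lock over to the lock manager and sets `nbl = NULL`, so with FL_SLEEP set this version would dereference NULL in `list_del_init(&nbl->nbl_list)` (and `free_blocked_lock(nbl)` has the same problem); that path must keep skipping the cleanup. A smaller fix that needs no restructuring of the exit path is to initialise both heads where the structure is allocated, `INIT_LIST_HEAD(&nbl->nbl_list); INIT_LIST_HEAD(&nbl->nbl_lru);` in find_or_allocate_block(): list_del_init() on an empty head is a harmless no-op, and the existing `out:` block can stay exactly as it is.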
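The failure the commit message describes, as an added userspace model (not the patch's or the kernel's code): the list helpers mirror the semantics of include/linux/list.h, and `victim[]`, `cleanup_writes_outside_nbl()` and its two flags are constructed here to show why a never-queued `list_del_init()` writes outside nbl and why initialising the heads makes it a no-op.

```c
/* Minimal replicas of the kernel list primitives used by nfsd4_lock(). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* list_del_init() writes through both neighbour pointers before resetting
 * the entry; it cannot tell a never-queued entry from a queued one. */
static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    INIT_LIST_HEAD(e);
}

struct blocked_lock { struct list_head nbl_list; struct list_head nbl_lru; };

/* Model of the nfsd4_lock() exit path. queued=0 is the rollback from the
 * commit message: nbl allocated, a later allocation fails before the FL_SLEEP
 * list_add_tail() calls, and cleanup runs list_del_init() anyway. victim[]
 * stands in for whatever memory the stale pointers of a fresh allocation
 * happen to reference (constructed). Returns 1 if memory outside nbl and its
 * own queues was written, 0 if the dequeue was harmless. */
static int cleanup_writes_outside_nbl(int init_heads, int queued)
{
    struct list_head victim[2], lo_blocked, blocked_locks_lru;
    struct blocked_lock nbl;
    INIT_LIST_HEAD(&victim[0]); INIT_LIST_HEAD(&victim[1]);
    INIT_LIST_HEAD(&lo_blocked); INIT_LIST_HEAD(&blocked_locks_lru);
    /* Stale contents of a fresh, uninitialised allocation. */
    nbl.nbl_list.next = &victim[0]; nbl.nbl_list.prev = &victim[1];
    nbl.nbl_lru.next  = &victim[0]; nbl.nbl_lru.prev  = &victim[1];
    if (init_heads) {            /* what INIT_LIST_HEAD in the allocator buys */
        INIT_LIST_HEAD(&nbl.nbl_list);
        INIT_LIST_HEAD(&nbl.nbl_lru);
    }
    if (queued) {                /* the FL_SLEEP path that did reach queueing */
        list_add_tail(&nbl.nbl_list, &lo_blocked);
        list_add_tail(&nbl.nbl_lru, &blocked_locks_lru);
    }
    list_del_init(&nbl.nbl_list);   /* "dequeue it if we queued it before" */
    list_del_init(&nbl.nbl_lru);
    return victim[0].next != &victim[0] || victim[0].prev != &victim[0]
        || victim[1].next != &victim[1] || victim[1].prev != &victim[1];
}
```

Only the uninitialised, never-queued combination writes through the stale pointers; queueing first or initialising the heads both make the cleanup safe.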