Message-ID: <80e1506f0a997f1f925990fe12c4469947b7b184.camel@kernel.org>
Subject: Re: [PATCH v2] nfsd: memory corruption in nfsd4_lock()
From: Jeff Layton
To: Vasily Averin, "J. Bruce Fields", Chuck Lever
Cc: linux-nfs@vger.kernel.org
Date: Mon, 30 Mar 2020 06:22:46 -0400
In-Reply-To:
References: <7E365A05-4D39-4BF9-8E44-244136173FC7@oracle.com>
X-Mailing-List: linux-nfs@vger.kernel.org

On Fri, 2020-03-27 at 07:50 +0300, Vasily Averin wrote:
> Dear Chuck,
> please use the following patch instead.
> -----
> New struct nfsd4_blocked_lock allocated in find_or_allocate_block()
> does not initialize nbl_list and nbl_lru.
> If conflock allocation fails, rollback can call list_del_init(),
> access uninitialized fields and corrupt memory.
>
> v2: just initialize nbl_list and nbl_lru right after nbl allocation.
>
> Fixes: 76d348fadff5 ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock")
> Signed-off-by: Vasily Averin
> ---
> fs/nfsd/nfs4state.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c > index 369e574c5092..1b2eb6b35d64 100644 > --- a/fs/nfsd/nfs4state.c > +++ b/fs/nfsd/nfs4state.c > @@ -266,6 +266,8 @@ find_or_allocate_block(struct nfs4_lockowner *lo, struct knfsd_fh *fh, > if (!nbl) { > nbl= kmalloc(sizeof(*nbl), GFP_KERNEL); > if (nbl) { > + INIT_LIST_HEAD(&nbl->nbl_list); > + INIT_LIST_HEAD(&nbl->nbl_lru); > fh_copy_shallow(&nbl->nbl_fh, fh); > locks_init_lock(&nbl->nbl_lock); > nfsd4_init_cb(&nbl->nbl_cb, lo->lo_owner.so_client,

Reviewed-by: Jeff Layton
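Review bot: the two INIT_LIST_HEAD() calls added right after the kmalloc() success check are the correct fix here rather than switching to kzalloc(): list_del_init() on a never-linked entry is only a no-op when the list_head points to itself, so a zero-filled head would still dereference NULL on the rollback path. Placing them before fh_copy_shallow() and locks_init_lock() means the entry is in a consistent state from the moment it exists, whichever later step fails. Commit-message nits in the same hunk's description: "does not initialized" should read "does not initialize", and "can call list_del_init() access uninitialized fields" needs a comma or "and" between the two verbs.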