Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp694229pxx; Thu, 29 Oct 2020 12:08:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyotuE2tTDLGiZC7GynEylpqIwePrWUizYxnchTyShVtOuRXR7MjbgsigNUnBcbThnLL8XQ X-Received: by 2002:aa7:dac4:: with SMTP id x4mr5441379eds.165.1603998486659; Thu, 29 Oct 2020 12:08:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603998486; cv=none; d=google.com; s=arc-20160816; b=mWh/6Zk0lo0c0duS7fCW8AN8Gc1GiBsGYFo/ugEqvj7wTkZUyNyefVSE8BLdjT2jSV xVM3w9WV0W62WxPKBqiQrGAQZnZ7LDHHasvLFFW+xiIFz5cqsIa4O5GutZs6L0VPL9sD rLKZ3iNkiCZi6g+HGoI2DFczq+9L/A6RZFkJNwImX6hl9tx7mBOZ+kHpiI40f5EpmHwc KJ3rpkBGevBizzYS9cOoj/SHZbqDpl5QVf4lFHNuDuQR+kfoaH7yqyEq/Xv1jqAymWwE vDGy0h4PaIrpJkRikn0t0saoKZK6MXWp9H6Nd6pQ11mn/4VPGLgt3H8UCwbBycwiLxGj hBZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=70LXYRhe2LNxNrmgoGYO8cWKvd/na14zPZhGFfpswHA=; b=k4WsHmBu0wZqp7cVfxB+ZVyMd0yyjH4M7KCvZDlf8E2W+TE3EQZs9ErxiK7ZqeBkvs 7N2s7ZwZd4mOk3YZntZ1Wdc7323zfAQ6sp3XJ/0jZD83XYXAQnsH3c6dh/EeumZCgvOc ywg0r0eupwdpTcDT1uQkd99M7W2puqPSxGifKBiKYvFNu0IPOSMQ+KNYAL3PeY4CJeIX jRjG+4GuAJG+hvs3poRH+j1WT9Engl10ys3tcLUvtltH0m7GVxDiyVsHLA0uYNDLQXRv YQ9ICrgXuP8F3t8zcJq6JXr+geEGISdRjyQZOeWDGGy9/YJwrbh+vFhx8L5ZvRLrrVVB UuiQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=osBzDlOc; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d12si2545104ejj.237.2020.10.29.12.07.29; Thu, 29 Oct 2020 12:08:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=osBzDlOc; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725791AbgJ2TH0 (ORCPT + 99 others); Thu, 29 Oct 2020 15:07:26 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:49640 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725774AbgJ2THZ (ORCPT ); Thu, 29 Oct 2020 15:07:25 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 09TJ5Get138169; Thu, 29 Oct 2020 19:07:19 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=corp-2020-01-29; bh=70LXYRhe2LNxNrmgoGYO8cWKvd/na14zPZhGFfpswHA=; b=osBzDlOciOm2IvIcsExsOEkEd/lnUI0lSV/fVB4SQxZFqGcW/pO1yqAXhKlAqe2cadUG VU5dLgecRg3GlCZpSc93gEwI+1vSZXcUb0B+TrvQBbTqtChDoOvln5BT3HEn66p8PgSk R632GocLKxJgljao7cDOf9wHKSxC/3xhiEpO4aTPUb/3e420MYCvrXYPAJ2Q3t0WMfvt hUdM6Q5rzV4y0waXt+SS3vMzFk61T7PBBh9s+AY5diEDLtbqf1xG8Iwy8UPZKoEu5FGE UvtFl5roxy6vMIMXVlZrTYtJfMzkj+0aJObdcqGDjqdXD4X0jSjkGYFsf7M1y9cjRMDM wQ== Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by aserp2120.oracle.com with ESMTP id 34cc7m6hs4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 29 Oct 2020 19:07:19 +0000 Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 09TJ69NZ089706; Thu, 29 Oct 2020 19:07:19 GMT Received: from pps.reinject (localhost [127.0.0.1]) by aserp3020.oracle.com with ESMTP id 34cx60v0uq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 29 Oct 2020 19:07:19 +0000 Received: from aserp3020.oracle.com (aserp3020.oracle.com [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 09TJ71Hf092200; Thu, 29 Oct 2020 19:07:18 GMT Received: from userp3030.oracle.com (ksplice-shell2.us.oracle.com [10.152.118.36]) by aserp3020.oracle.com with ESMTP id 34cx60v0ug-1; Thu, 29 Oct 2020 19:07:18 +0000 From: Dai Ngo To: bfields@fieldses.org Cc: linux-nfs@vger.kernel.org Subject: [PATCH 0/2] NFSD: Fix use-after-free warning when doing inter-server copy Date: Thu, 29 Oct 2020 15:07:14 -0400 Message-Id: <20201029190716.70481-1-dai.ngo@oracle.com> X-Mailer: git-send-email 2.20.1.1226.g1595ea5.dirty MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9789 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 lowpriorityscore=0 adultscore=0 malwarescore=0 spamscore=0 clxscore=1015 mlxscore=0 suspectscore=3 priorityscore=1501 impostorscore=0 bulkscore=0 phishscore=0 mlxlogscore=919 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010290131 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org Observed use-after-free messages in /var/log/messages of destination server when doing inter-server copy. These come from 2 different places in the code, one from the nfsd4_cleanup_inter_ssc when nfsd_file_put is called for the source file and the other from nfs4_put_copy when it's called from nfsd4_cb_offload_release. Fixed by removing the call to nfsd_file_put; the object is not allocated by nfsd_file_alloc, and by initializing refcount for nfsd4_copy in nfsd4_do_async_copy. fs/nfsd/nfs4proc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)