From: schumaker.anna@gmail.com
X-Google-Original-From: Anna.Schumaker@Netapp.com
To: Trond.Myklebust@hammerspace.com, linux-nfs@vger.kernel.org
Cc: Anna.Schumaker@Netapp.com
Subject: [PATCH] NFS: Fix use-after-free in nfs4_init_client()
Date: Wed, 2 Jun 2021 14:27:43 -0400
Message-Id: <20210602182743.531623-1-Anna.Schumaker@Netapp.com>

From: Anna Schumaker

KASAN reports a use-after-free when attempting to mount two different exports through two different NICs that belong to the same server. Olga was able to hit this with kernels starting somewhere between 5.7 and 5.10, but I traced the patch that introduced the clear_bit() call to 4.13. So something must have changed in the refcounting of the clp pointer to make this call to nfs_put_client() the very last one.

Signed-off-by: Anna Schumaker
---
 fs/nfs/nfs4client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
index 889a9f4c0310..42719384e25f 100644
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -435,8 +435,8 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp, */ nfs_mark_client_ready(clp, -EPERM); } - nfs_put_client(clp); clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags); + nfs_put_client(clp); return old; error: -- 2.29.2
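Review bot: The reorder is correct, since clear_bit() dereferences clp->cl_flags and the nfs_put_client() that used to precede it can drop the last reference, but the commit message leaves the root cause open ("something must have changed in the refcounting") and the patch carries no Fixes: tag. Please add a Fixes: tag for the commit that introduced the clear_bit() call (the message traces it to 4.13) and Cc: stable, since the affected kernels are already released, and put a one-line comment above the clear_bit() call, e.g. `/* must come before nfs_put_client(), which may free clp */`, so a later cleanup does not swap the two lines back.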
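Added example, not kernel code and not part of this patch or the NFS client: a C model of the ordering bug the hunk fixes. Here `struct client`, `client_put()`, `client_clear_bit()` and the poisoning in `client_free()` are stand-ins (assumptions) for `nfs_client`, `nfs_put_client()`, `clear_bit()` and KASAN's detection; `CS_TSM_POSSIBLE` is an assumed bit number. It also runs the case the commit message implies was the earlier, benign one, where some other holder still has a reference, so the same put-then-clear order never touched freed memory.

```c
/* Model of put-before-use on a refcounted object (added example, not
 * kernel code).  Names below are stand-ins for nfs_client,
 * nfs_put_client(), clear_bit() and KASAN. */
#include <stdbool.h>
#include <stdlib.h>

#define CS_TSM_POSSIBLE 0   /* assumed bit number, stands in for NFS_CS_TSM_POSSIBLE */

struct client {
    int refcount;
    unsigned long flags;
    bool freed;             /* set by client_free(); models KASAN's quarantine */
};

static int uaf_count;       /* bumped whenever a freed object is touched */

/* Stand-in for the allocator: poison and mark, but keep the memory so the
 * test can still look at it without real undefined behaviour. */
static void client_free(struct client *clp)
{
    clp->freed = true;
    clp->flags = 0xdeadbeefUL;
}

/* Stand-in for nfs_put_client(): the last put frees the object. */
static void client_put(struct client *clp)
{
    if (--clp->refcount == 0)
        client_free(clp);
}

/* Stand-in for clear_bit(): every access to flags goes through here so a
 * use-after-free is observable instead of silent. */
static void client_clear_bit(int bit, struct client *clp)
{
    if (clp->freed)
        uaf_count++;
    clp->flags &= ~(1UL << bit);
}

static struct client *client_new(void)
{
    struct client *clp = calloc(1, sizeof(*clp));
    if (!clp)
        return NULL;
    clp->refcount = 1;                 /* the caller's own reference */
    clp->flags = 1UL << CS_TSM_POSSIBLE;
    return clp;
}

/* Pre-patch ordering: drop the reference, then touch clp->flags.
 * Returns how many use-after-free accesses it caused. */
int init_client_before_fix(struct client *clp)
{
    int before = uaf_count;
    client_put(clp);
    client_clear_bit(CS_TSM_POSSIBLE, clp);
    return uaf_count - before;
}

/* Post-patch ordering: touch the flags while the reference is still held. */
int init_client_after_fix(struct client *clp)
{
    int before = uaf_count;
    client_clear_bit(CS_TSM_POSSIBLE, clp);
    client_put(clp);
    return uaf_count - before;
}

/* The duplicate-client scenario from the commit message: the caller's
 * reference is the only one, so the put is the very last one. */
int demo(bool fixed)
{
    struct client *clp = client_new();
    if (!clp)
        return -1;
    int hits = fixed ? init_client_after_fix(clp) : init_client_before_fix(clp);
    free(clp);
    return hits;
}

/* The older, latent case: another holder (say, a client list) still owns a
 * reference, so the buggy order happens not to touch freed memory. */
int demo_with_extra_ref(bool fixed)
{
    struct client *clp = client_new();
    if (!clp)
        return -1;
    clp->refcount++;                   /* second holder */
    int hits = fixed ? init_client_after_fix(clp) : init_client_before_fix(clp);
    client_put(clp);                   /* second holder lets go; now freed */
    free(clp);
    return hits;
}
```

`demo(false)` reports one access to freed memory, `demo(true)` none; both orders are clean in `demo_with_extra_ref()`, which is why a change elsewhere in who holds references to `clp` can turn an old put-then-touch sequence into a use-after-free.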