Sender: Anna Schumaker
From: schumaker.anna@gmail.com
X-Google-Original-From: Anna.Schumaker@Netapp.com
To: Trond.Myklebust@hammerspace.com, linux-nfs@vger.kernel.org
Cc: Anna.Schumaker@Netapp.com
Subject: [PATCH v2] NFS: Fix use-after-free in nfs4_init_client()
Date: Wed, 2 Jun 2021 14:31:20 -0400
Message-Id: <20210602183120.532206-1-Anna.Schumaker@Netapp.com>
X-Mailer: git-send-email 2.29.2
X-Mailing-List: linux-nfs@vger.kernel.org

From: Anna Schumaker

KASAN reports a use-after-free when attempting to mount two different
exports through two different NICs that belong to the same server. Olga
was able to hit this with kernels starting somewhere between 5.7 and
5.10, but I traced the patch that introduced the clear_bit() call to
4.13. So something must have changed in the refcounting of the clp
pointer to make this call to nfs_put_client() the very last one.

Fixes: 8dcbec6d20 ("NFSv41: Handle EXCHID4_FLAG_CONFIRMED_R during NFSv4.1 migration")
Cc: stable@vger.kernel.org # 4.13+
Signed-off-by: Anna Schumaker
---
v2: No changes except adding the fixes tag that I initially forgot
---
 fs/nfs/nfs4client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c index 889a9f4c0310..42719384e25f 100644 --- a/fs/nfs/nfs4client.c +++ b/fs/nfs/nfs4client.c @@ -435,8 +435,8 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp, */ nfs_mark_client_ready(clp, -EPERM); } - nfs_put_client(clp); clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags); + nfs_put_client(clp); return old; error: -- 2.29.2
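Review bot: the reorder is the right fix for this hunk, since the commit message says this nfs_put_client(clp) is now the last reference drop, so the old sequence `nfs_put_client(clp); clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags);` wrote to freed memory, and with clear_bit() moved ahead of the put the only statement left after nfs_put_client(clp) is `return old;`, which does not touch clp. Two things worth checking before merge: that the `error:` path immediately below the hunk does not also dereference clp after a put on the failure side of the same function, and whether a one-line comment above nfs_put_client(clp) (e.g. `/* may free clp; do not touch it after this */`) would keep a future refactor from reintroducing the same ordering bug. The Fixes tag points at the commit the message blames for adding the clear_bit() call, so the stable backport range (4.13+) lines up with it.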