Date: Fri, 2 Jul 2021 11:37:51 -0400
To: linux-nfs@vger.kernel.org
Cc: Chuck Lever
Subject: [PATCH] nfsd: fix NULL dereference in nfs3svc_encode_getaclres
Message-ID: <20210702153751.GA29685@fieldses.org>
From: "J. Bruce Fields" <bfields@fieldses.org>

In error cases the dentry may be NULL. Before 20798dfe249a, the encoder also checked dentry and d_really_is_positive(dentry), but that looks like overkill to me--zero status should be enough to guarantee a positive dentry.

This isn't the first time we've seen an error-case NULL dereference hidden in the initialization of a local variable in an xdr encoder. But I went back through the other recent rewrites and didn't spot any similar bugs.

Reported-by: JianHong Yin
Fixes: 20798dfe249a ("NFSD: Update the NFSv3 GETACL result encoder...")
Signed-off-by: J. Bruce Fields
---
 fs/nfsd/nfs3acl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs3acl.c b/fs/nfsd/nfs3acl.c index a1591feeea22..5dfe7644a517 100644 --- a/fs/nfsd/nfs3acl.c +++ b/fs/nfsd/nfs3acl.c @@ -172,7 +172,7 @@ static int nfs3svc_encode_getaclres(struct svc_rqst *rqstp, __be32 *p) struct nfsd3_getaclres *resp = rqstp->rq_resp; struct dentry *dentry = resp->fh.fh_dentry; struct kvec *head = rqstp->rq_res.head; - struct inode *inode = d_inode(dentry); + struct inode *inode; unsigned int base; int n; int w; @@ -181,6 +181,7 @@ static int nfs3svc_encode_getaclres(struct svc_rqst *rqstp, __be32 *p) return 0; switch (resp->status) { case nfs_ok: + inode = d_inode(dentry); if (!svcxdr_encode_post_op_attr(rqstp, xdr, &resp->fh)) return 0; if (xdr_stream_encode_u32(xdr, resp->mask) < 0)
-- 
2.31.1
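Review bot: in the first hunk (@@ -172,7 +172,7 @@), dropping the initializer from `struct inode *inode;` leaves `inode` uninitialized on every path other than `case nfs_ok`, and the visible context ends at the declarations, so please confirm that no read of `inode` after the status switch is reachable with a non-zero status; if any is, initialize it to NULL so a stray read is a deterministic NULL rather than stack garbage. A one-line comment at the declaration saying it is deliberately assigned only once the status is known would also stop a later cleanup from "fixing" it back to `d_inode(dentry)`.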
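Review bot: in the second hunk (@@ -181,6 +181,7 @@), the added `inode = d_inode(dentry);` under `case nfs_ok:` rests on the invariant the commit message states (zero status implies a non-NULL, positive dentry) rather than on a check in the code, and since the pre-20798dfe249a encoder checked `dentry && d_really_is_positive(dentry)` explicitly, a short comment at this assignment naming that invariant would document why the check was dropped. Note that `dentry` is still loaded unconditionally from `resp->fh.fh_dentry` in the declarations; that is fine, because only the pointer value is copied there and the NULL dereference was inside `d_inode()`.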