Subject: Re: [PATCH] nfsd: Fix null-ptr-deref in nfsd_fill_super()
To: Bruce Fields, Chuck Lever III
CC: Linux NFS Mailing List, yi.zhang@huawei.com, luomeng12@huawei.com
References: <20220520023106.6651-1-zhangxiaoxu5@huawei.com> <20220520160518.GD15318@fieldses.org>
From: "zhangxiaoxu (A)"
Message-ID: <4b77d8c3-ccbd-6d0e-d93e-395377ab0a09@huawei.com>
Date: Sat, 21 May 2022 10:25:04 +0800
In-Reply-To: <20220520160518.GD15318@fieldses.org>
X-Mailing-List: linux-nfs@vger.kernel.org

Thanks for your review. I will send a v2 patch to update the commit description and resolve the conflicts in your for-next branch.

On 2022/5/21 0:05, Bruce Fields wrote:
> On Fri, May 20, 2022 at 03:22:51PM +0000, Chuck Lever III wrote:
>> [ Note well: Updated Bruce's email address. ]
>>
>>
>>> On May 19, 2022, at 10:31 PM, Zhang Xiaoxu wrote:
>>>
>>> KASAN reports a null-ptr-deref as follows:
>>>
>>> BUG: KASAN: null-ptr-deref in nfsd_fill_super+0xc6/0xe0 [nfsd]
>>> Write of size 8 at addr 000000000000005d by task a.out/852
>>>
>>> CPU: 7 PID: 852 Comm: a.out Not tainted 5.18.0-rc7-dirty #66
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
>>> Call Trace:
>>>
>>> dump_stack_lvl+0x34/0x44
>>> kasan_report+0xab/0x120
>>> ? nfsd_mkdir+0x71/0x1c0 [nfsd]
>>> ? nfsd_fill_super+0xc6/0xe0 [nfsd]
>>> nfsd_fill_super+0xc6/0xe0 [nfsd]
>>> ? nfsd_mkdir+0x1c0/0x1c0 [nfsd]
>>> get_tree_keyed+0x8e/0x100
>>> vfs_get_tree+0x41/0xf0
>>> __do_sys_fsconfig+0x590/0x670
>>> ? fscontext_read+0x180/0x180
>>> ? anon_inode_getfd+0x4f/0x70
>>> do_syscall_64+0x35/0x80
>>> entry_SYSCALL_64_after_hwframe+0x44/0xae
>>>
>>> This can be reproduced by concurrent operations:
>>> 1. fsopen(nfsd)/fsconfig
>>> 2. insmod/rmmod nfsd
>>>
>>> Since the nfsd file system is registered before the nfsd_net is allocated,
>>> the caller may get the file_system_type and use the nfsd_net before it
>>> is allocated, and then a null-ptr-deref occurs.
>>>
>>> So we should allocate the nfsd_net first, rather than register the file system first.
>>
>> IIUC, I suggest: "So init_nfsd() should call register_filesystem() last."
>>
>>
>>> Fixes: bd5ae9288d64 ("nfsd: register pernet ops last, unregister first")
>>> Cc: stable@kernel.org
>>> Signed-off-by: Zhang Xiaoxu
>>
>> I think this looks right. Bruce, as author of bd5ae9288d64, any
>> thoughts?
>
> I'm not seeing any problem with the patch.
>
> Reviewed-by: J. Bruce Fields
>
> --b.
>
>>
>> I need a v2 of this, though. The current version conflicts with the
>> courteous server patches already in my for-next branch. See:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/log/?h=for-next
>>
>>
>>> ---
>>> fs/nfsd/nfsctl.c | 14 +++++++-------
>>> 1 file changed, 7 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
>>> index 16920e4512bd..e17100e90e19 100644
>>> --- a/fs/nfsd/nfsctl.c
>>> +++ b/fs/nfsd/nfsctl.c
>>> @@ -1535,20 +1535,20 @@ static int __init init_nfsd(void) >>> retval = create_proc_exports_entry(); >>> if (retval) >>> goto out_free_lockd; >>> - retval = register_filesystem(&nfsd_fs_type); >>> - if (retval) >>> - goto out_free_exports; >>> retval = register_pernet_subsys(&nfsd_net_ops); >>> if (retval < 0) >>> - goto out_free_filesystem; >>> + goto out_free_exports; >>> retval = register_cld_notifier(); >>> + if (retval) >>> + goto out_free_subsys; >>> + retval = register_filesystem(&nfsd_fs_type); >>> if (retval) >>> goto out_free_all; >>> return 0; >>> out_free_all: >>> + unregister_cld_notifier(); >>> +out_free_subsys: >>> unregister_pernet_subsys(&nfsd_net_ops); >>> -out_free_filesystem: >>> - unregister_filesystem(&nfsd_fs_type); >>> out_free_exports: >>> remove_proc_entry("fs/nfs/exports", NULL); >>> remove_proc_entry("fs/nfs", NULL); >>> @@ -1566,6 +1566,7 @@ static int __init init_nfsd(void) >>> >>> static void __exit exit_nfsd(void) >>> { >>> + unregister_filesystem(&nfsd_fs_type); >>> unregister_cld_notifier(); >>> unregister_pernet_subsys(&nfsd_net_ops); >>> nfsd_drc_slab_free(); >>> @@ -1575,7 +1576,6 @@ static void __exit exit_nfsd(void) >>> nfsd_lockd_shutdown(); >>> nfsd4_free_slabs(); >>> nfsd4_exit_pnfs(); >>> - unregister_filesystem(&nfsd_fs_type); >>> } >>> >>> MODULE_AUTHOR("Olaf Kirch "); >>> -- >>> 2.31.1 >>> >> >> -- >> Chuck Lever >> >> > . >
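Review bot: in the init_nfsd() hunk the unwind chain matches the new registration order (register_cld_notifier() failure lands on out_free_subsys, register_filesystem() failure on out_free_all, which unregisters the notifier and falls through to out_free_subsys and out_free_exports), so nothing is leaked on any error path; the only nit is that the retained `if (retval < 0)` after register_pernet_subsys() still differs in style from the `if (retval)` checks on either side of it. Since the whole fix is that register_filesystem() has to be the final step, a one-line comment above that call (for example `/* must stay last: a registered type can be fsopen()ed at once */`) would keep a later cleanup from quietly restoring the order that bd5ae9288d64 ("nfsd: register pernet ops last, unregister first") introduced.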
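Review bot: moving unregister_filesystem() to the top of exit_nfsd() is the correct mirror of the init side (registered last, unregistered first): once the type is gone, no new fsopen() can reach nfsd while the cld notifier and pernet ops are torn down below it. As with init_nfsd(), a short comment that this call must stay first would document the constraint, and the commit message should say so too, since it currently explains only the init-side race and not why the exit order changes.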
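Added example, not part of the patch or of the thread: a user-space reproducer in C for the race the commit message describes, fsopen("nfsd")/fsconfig(FSCONFIG_CMD_CREATE) racing modprobe/rmmod of nfsd. It assumes root, a kernel with the new mount API (fsopen()/fsconfig(), 5.2 or later) and nfsd built as a module; the syscall numbers and mount-API constants defined under #ifndef are fallbacks stated as assumptions for hosts whose libc headers predate those calls. On an unfixed kernel the expected result is the KASAN splat quoted above; on a fixed kernel every attempt either creates a context or fails cleanly with ENODEV while the module is unloaded.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: fallbacks for libc headers that predate the new mount API.
 * 430/431 are fsopen/fsconfig in the unified syscall table (x86_64, arm64
 * and the other asm-generic users); the constants match <linux/mount.h>. */
#ifndef __NR_fsopen
#define __NR_fsopen 430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef FSOPEN_CLOEXEC
#define FSOPEN_CLOEXEC 0x00000001
#endif
#ifndef FSCONFIG_CMD_CREATE
#define FSCONFIG_CMD_CREATE 6
#endif

enum outcome {
    OUTCOME_CREATED = 0,    /* superblock created: type registered, nfsd_net present */
    OUTCOME_NOT_REGISTERED, /* ENODEV: "nfsd" not a registered type (module unloaded) */
    OUTCOME_NO_PRIVILEGE,   /* EPERM: fsopen() needs CAP_SYS_ADMIN */
    OUTCOME_NO_SYSCALL,     /* ENOSYS: kernel or seccomp policy lacks the mount API */
    OUTCOME_OTHER,
    OUTCOME_COUNT
};

/* Reduce a (return value, errno) pair to a reportable outcome. */
enum outcome classify(int ret, int err)
{
    if (ret == 0)
        return OUTCOME_CREATED;
    switch (err) {
    case ENODEV: return OUTCOME_NOT_REGISTERED;
    case EPERM:  return OUTCOME_NO_PRIVILEGE;
    case ENOSYS: return OUTCOME_NO_SYSCALL;
    default:     return OUTCOME_OTHER;
    }
}

/* One attempt: fsopen() looks up the "nfsd" file_system_type, then
 * FSCONFIG_CMD_CREATE drives vfs_get_tree() -> get_tree_keyed() ->
 * nfsd_fill_super(), the path in the KASAN trace. Returns 0 on success,
 * -1 with *err set otherwise. */
int nfsd_fsopen_attempt(int *err)
{
    long fd = syscall(__NR_fsopen, "nfsd", FSOPEN_CLOEXEC);
    if (fd < 0) {
        *err = errno;
        return -1;
    }
    long rc = syscall(__NR_fsconfig, (int)fd, FSCONFIG_CMD_CREATE,
                      (const char *)NULL, (const void *)NULL, 0);
    *err = rc < 0 ? errno : 0;
    close((int)fd);   /* drops the fs_context and its module reference */
    return rc < 0 ? -1 : 0;
}

int main(void)
{
    pid_t child = fork();
    if (child < 0) {
        perror("fork");
        return 1;
    }
    if (child == 0) {
        /* Child: hammer fsopen/fsconfig while the parent cycles the module. */
        unsigned long counts[OUTCOME_COUNT] = {0};
        for (int i = 0; i < 200000; i++) {
            int err = 0;
            counts[classify(nfsd_fsopen_attempt(&err), err)]++;
        }
        printf("created=%lu not_registered=%lu no_privilege=%lu no_syscall=%lu other=%lu\n",
               counts[OUTCOME_CREATED], counts[OUTCOME_NOT_REGISTERED],
               counts[OUTCOME_NO_PRIVILEGE], counts[OUTCOME_NO_SYSCALL],
               counts[OUTCOME_OTHER]);
        _exit(0);
    }
    /* Parent: load/unload nfsd until the child finishes. rmmod may fail with
     * EBUSY while the child holds an fs_context, so only a modprobe failure
     * (not root, or nfsd not a module) aborts the run. */
    int status;
    while (waitpid(child, &status, WNOHANG) == 0) {
        if (system("modprobe nfsd") != 0) {
            fprintf(stderr, "modprobe nfsd failed: run as root with nfsd built as a module\n");
            kill(child, SIGKILL);
            waitpid(child, &status, 0);
            return 1;
        }
        (void)system("rmmod nfsd 2>/dev/null");
    }
    return 0;
}
```

Build with `gcc -O2 -o nfsd-race nfsd-race.c` and run as root on a KASAN-enabled test kernel (a VM, since a hit on an unfixed kernel is a kernel crash, not a user-space error). Keeping the module cycling in a separate process rather than a thread means a crash or an EBUSY on rmmod never takes the fsopen loop down with it, and the per-outcome counters make it visible whether the loop is actually exercising the registration window or just collecting EPERM/ENOSYS.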