From: Jeff Layton
To: chuck.lever@oracle.com
Cc: linux-nfs@vger.kernel.org, kernel test robot, Dan Carpenter
Subject: [PATCH] nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint
Date: Sat, 5 Nov 2022 09:49:26 -0400
Message-Id: <20221105134926.23726-1-jlayton@kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

When we fail to insert into the hashtable with a non-retryable error, we'll free the object and then goto out_status. If the tracepoint is enabled, it'll end up accessing the freed object when it tries to grab the fields out of it.

Set nf to NULL after freeing it to avoid the issue.

Fixes: 243a5263014a ("nfsd: rework hashtable handling in nfsd_do_file_acquire")
Reported-by: kernel test robot
Reported-by: Dan Carpenter
Signed-off-by: Jeff Layton
--- fs/nfsd/filecache.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c index 687ab814b678..02c1454dfe50 100644 --- a/fs/nfsd/filecache.c +++ b/fs/nfsd/filecache.c @@ -1124,6 +1124,7 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp, goto open_file; nfsd_file_slab_free(&nf->nf_rcu); + nf = NULL; if (ret == -EEXIST) goto retry; trace_nfsd_file_insert_err(rqstp, key.inode, may_flags, ret); -- 2.38.1
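
Review bot: `nf = NULL;` sits ahead of `if (ret == -EEXIST) goto retry;`, so both the retry path and the out_status path now run with nf cleared, and neither label's code is visible in this hunk. Please confirm that the retry path assigns nf again before using it, and that the tracepoint reached through out_status accepts a NULL nf instead of dereferencing it, since the commit message says it grabs fields out of the object. A one-line comment above the assignment saying that out_status still looks at nf would stop a later cleanup from dropping it as a dead store.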