This is a note to let you know that I've just added the patch titled
NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk()
to the 3.12-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch
and it can be found in the queue-3.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From a6f951ddbdfb7bd87d31a44f61abe202ed6ce57f Mon Sep 17 00:00:00 2001
From: Trond Myklebust <[email protected]>
Date: Tue, 1 Oct 2013 14:24:58 -0400
Subject: NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk()
From: Trond Myklebust <[email protected]>
commit a6f951ddbdfb7bd87d31a44f61abe202ed6ce57f upstream.
In nfs4_proc_getlk(), when some error causes a retry of the call to
_nfs4_proc_getlk(), we can end up with Oopses of the form
BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
IP: [<ffffffff8165270e>] _raw_spin_lock+0xe/0x30
<snip>
Call Trace:
[<ffffffff812f287d>] _atomic_dec_and_lock+0x4d/0x70
[<ffffffffa053c4f2>] nfs4_put_lock_state+0x32/0xb0 [nfsv4]
[<ffffffffa053c585>] nfs4_fl_release_lock+0x15/0x20 [nfsv4]
[<ffffffffa0522c06>] _nfs4_proc_getlk.isra.40+0x146/0x170 [nfsv4]
[<ffffffffa052ad99>] nfs4_proc_lock+0x399/0x5a0 [nfsv4]
The problem is that we don't clear the request->fl_ops after the first
try and so when we retry, nfs4_set_lock_state() exits early without
setting the lock stateid.
Regression introduced by commit 70cc6487a4e08b8698c0e2ec935fb48d10490162
(locks: make ->lock release private data before returning in GETLK case)
Reported-by: Weston Andros Adamson <[email protected]>
Reported-by: Jorge Mora <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/nfs/nfs4proc.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5106,6 +5106,7 @@ static int _nfs4_proc_getlk(struct nfs4_
status = 0;
}
request->fl_ops->fl_release_private(request);
+ request->fl_ops = NULL;
out:
return status;
}
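Review bot: the added `request->fl_ops = NULL;` after `request->fl_ops->fl_release_private(request);` is correct but non-obvious, and deserves a one-line comment in the hunk explaining that a retry of _nfs4_proc_getlk() from nfs4_proc_getlk() reuses the same request, so a stale fl_ops pointer makes nfs4_set_lock_state() return early without setting the lock stateid and the released private data is then dereferenced in nfs4_fl_release_lock(). Without that comment a later cleanup could drop the assignment as redundant, since the release call immediately above already "finishes" with fl_ops. Note that this line runs regardless of the `status` value set in the preceding block, so the reset covers both the success and the retried-error path; it would also be worth checking whether any other caller of fl_release_private() on a retriable request needs the same reset, since the visible hunk only fixes the GETLK path.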
Patches currently in stable-queue which might be from
[email protected] are
queue-3.12/nfsv4.2-fix-a-mismatch-between-linux-labeled-nfs-and-the-nfsv4.2-spec.patch
queue-3.12/nfs-fix-oops-when-trying-to-set-selinux-label.patch
queue-3.12/nfs-fix-a-missing-initialisation-when-reading-the-selinux-label.patch
queue-3.12/nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch
queue-3.12/nfs-fix-inverted-test-for-delegation-in-nfs4_reclaim_open_state.patch
queue-3.12/nfsv4-fix-null-dereference-in-open-recover.patch
queue-3.12/nfs-don-t-retry-detect_trunking-with-rpc_auth_unix-more-than-once.patch
queue-3.12/nfsv4-don-t-reprocess-cached-open-claim_previous.patch
queue-3.12/nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch
queue-3.12/nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html