diff --git a/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch b/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
new file mode 100644
index 0000000..9d314e1
--- /dev/null
+++ b/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
@@ -0,0 +1,62 @@
+From: "J. Bruce Fields"
+Date: Mon, 29 Nov 2021 15:08:00 -0500
+Subject: [PATCH] nfsd: fix use-after-free due to delegation race
+Git-commit: 548ec0805c399c65ed66c6641be467f717833ab5
+Patch-mainline: v5.16
+References: bsc#1208813
+
+A delegation break could arrive as soon as we've called vfs_setlease. A
+delegation break runs a callback which immediately (in
+nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
+then exit nfs4_set_delegation without hashing the delegation, it will be
+freed as soon as the callback is done with it, without ever being
+removed from del_recall_lru.
+
+Symptoms show up later as use-after-free or list corruption warnings,
+usually in the laundromat thread.
+
+I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
+writes" made this bug easier to hit, but I looked as far back as v3.0
+and it looks to me it already had the same problem. So I'm not sure
+where the bug was introduced; it may have been there from the beginning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields
+Acked-by: NeilBrown
+
+---
+ fs/nfsd/nfs4state.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1047,6 +1047,11 @@ hash_delegation_locked(struct nfs4_deleg
+ return 0;
+ }
+ 
++static bool delegation_hashed(struct nfs4_delegation *dp)
++{
++ return !(list_empty(&dp->dl_perfile));
++}
++
+ static bool
+ unhash_delegation_locked(struct nfs4_delegation *dp)
+ {
+@@ -1054,7 +1059,7 @@ unhash_delegation_locked(struct nfs4_del
+ 
+ lockdep_assert_held(&state_lock);
+ 
+- if (list_empty(&dp->dl_perfile))
++ if (!delegation_hashed(dp))
+ return false;
+ 
+ dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID;
+@@ -4505,7 +4510,7 @@ static void nfsd4_cb_recall_prepare(stru
+ * queued for a lease break. Don't queue it again.
+ */
+ spin_lock(&state_lock);
+- if (dp->dl_time == 0) {
++ if (delegation_hashed(dp) && dp->dl_time == 0) {
+ dp->dl_time = get_seconds();
+ list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
+ }
diff --git a/series.conf b/series.conf
index fa83288..c061ddf 100644
--- a/series.conf
+++ b/series.conf
@@ -22957,6 +22957,7 @@
 patches.suse/signalfd-use-wake_up_pollfree.patch
 patches.suse/aio-keep-poll-requests-on-waitqueue-until-completed.patch
 patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch
+ patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
 patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch
 patches.suse/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
 patches.suse/phonet-refcount-leak-in-pep_sock_accep.patch
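Review bot: The new `delegation_hashed()` helper in the first nfs4state.c hunk carries no comment, although its answer is only stable under state_lock: `unhash_delegation_locked` asserts that lock right before the converted check, and `nfsd4_cb_recall_prepare` takes `spin_lock(&state_lock)` before its new condition, but nothing at the helper says so. I would add above the definition: `/* True once hash_delegation_locked() has linked dp into its file's list; callers must hold state_lock. */`. The changed condition in `nfsd4_cb_recall_prepare` would also read better with the reason the description gives, e.g. `/* an unhashed delegation is freed when the callback completes, so it must never sit on del_recall_lru */`. Both enclosing functions extend outside the hunk, and the context line `dp->dl_time = get_seconds();` appears to differ from the mainline commit named in Git-commit, so a one-line note in the patch header that the context was adapted for this branch would help the next person comparing against upstream.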