[patch 64/76] nfsd: fix oops on access from high-numbered ports

From: Chris Wright
Date: Fri Mar 21 2008 - 18:51:51 EST

Next message: Chris Wright: "[patch 67/76] NETFILTER: nfnetlink_queue: fix computation of allocated size for netlink skb"
Previous message: Chris Wright: "[patch 74/76] SCSI advansys: Fix bug in AdvLoadMicrocode"
In reply to: Chris Wright: "[patch 74/76] SCSI advansys: Fix bug in AdvLoadMicrocode"
Next in thread: Chris Wright: "[patch 67/76] NETFILTER: nfnetlink_queue: fix computation of allocated size for netlink skb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.
---------------------

From: J. Bruce Fields <bfields@xxxxxxxxxxxxxx>

This bug was always here, but before my commit 6fa02839bf9412e18e77
("recheck for secure ports in fh_verify"), it could only be triggered by
failure of a kmalloc(). After that commit it could be triggered by a
client making a request from a non-reserved port for access to an export
marked "secure". (Exports are "secure" by default.)

The result is a struct svc_export with a reference count one too low,
resulting in likely oopses next time the export is accessed.

The reference counting here is not straightforward; a later patch will
clean up fh_verify().

Thanks to Lukas Hejtmanek for the bug report and followup.

Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxxxxxx>
Cc: Lukas Hejtmanek <xhejtman@xxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
fs/nfsd/nfsfh.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -231,6 +231,7 @@ fh_verify(struct svc_rqst *rqstp, struct
fhp->fh_dentry = dentry;
fhp->fh_export = exp;
nfsd_nr_verified++;
+ cache_get(&exp->h);
} else {
/*
* just rechecking permissions
@@ -240,6 +241,7 @@ fh_verify(struct svc_rqst *rqstp, struct
dprintk("nfsd: fh_verify - just checking\n");
dentry = fhp->fh_dentry;
exp = fhp->fh_export;
+ cache_get(&exp->h);
/*
* Set user creds for this exportpoint; necessary even
* in the "just checking" case because this may be a
@@ -251,8 +253,6 @@ fh_verify(struct svc_rqst *rqstp, struct
if (error)
goto out;
}
- cache_get(&exp->h);
-

error = nfsd_mode_check(rqstp, dentry->d_inode->i_mode, type);
if (error)

--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "[patch 67/76] NETFILTER: nfnetlink_queue: fix computation of allocated size for netlink skb"
Previous message: Chris Wright: "[patch 74/76] SCSI advansys: Fix bug in AdvLoadMicrocode"
In reply to: Chris Wright: "[patch 74/76] SCSI advansys: Fix bug in AdvLoadMicrocode"
Next in thread: Chris Wright: "[patch 67/76] NETFILTER: nfnetlink_queue: fix computation of allocated size for netlink skb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]