summaryrefslogtreecommitdiffstats
path: root/fs/nfsd/nfs4callback.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2022-12-19 16:10:33 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>2022-12-19 16:10:33 +0100
commitaeba12b26c79fc35e07e511f692a8907037d95da (patch)
tree43010489850d38c71858b19010adb1943267e1ac /fs/nfsd/nfs4callback.c
parentMerge tag 'rtc-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni... (diff)
parentNFSD: fix use-after-free in __nfs42_ssc_open() (diff)
downloadlinux-aeba12b26c79fc35e07e511f692a8907037d95da.tar.xz
linux-aeba12b26c79fc35e07e511f692a8907037d95da.zip
Merge tag 'nfsd-6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
Pull more nfsd updates from Chuck Lever: "This contains a number of crasher fixes that were not ready for the initial pull request last week. In particular, Jeff's patch attempts to address reference count underflows in NFSD's filecache, which have been very difficult to track down because there is no reliable reproducer. Common failure modes: https://bugzilla.kernel.org/show_bug.cgi?id=216691#c11 https://bugzilla.kernel.org/show_bug.cgi?id=216674#c6 https://bugzilla.redhat.com/show_bug.cgi?id=2138605 The race windows were found by inspection and the clean-ups appear sensible and pass regression testing, so we include them here in the hope that they address the problem. However we remain vigilant because we don't have 100% certainty yet that the problem is fully addressed. Summary: - Address numerous reports of refcount underflows in NFSD's filecache - Address a UAF in callback setup error handling - Address a UAF during server-to-server copy" * tag 'nfsd-6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: NFSD: fix use-after-free in __nfs42_ssc_open() nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure nfsd: rework refcounting in filecache
Diffstat (limited to 'fs/nfsd/nfs4callback.c')
-rw-r--r--fs/nfsd/nfs4callback.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index d6e1d3894c82..2a815f5a52c4 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -988,7 +988,6 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
} else {
if (!conn->cb_xprt)
return -EINVAL;
- clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
clp->cl_cb_session = ses;
args.bc_xprt = conn->cb_xprt;
args.prognumber = clp->cl_cb_session->se_cb_prog;
@@ -1008,6 +1007,9 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
rpc_shutdown_client(client);
return -ENOMEM;
}
+
+ if (clp->cl_minorversion != 0)
+ clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
clp->cl_cb_client = client;
clp->cl_cb_cred = cred;
rcu_read_lock();