| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Mar 2019 10:26:33 +1100
From: NeilBrown <neilb@...e.com>
To: Trond Myklebust <trondmy@...merspace.com>,
"catalin.marinas\@arm.com" <catalin.marinas@....com>,
"linux-nfs\@vger.kernel.org" <linux-nfs@...r.kernel.org>
Cc: "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>,
"anna.schumaker\@netapp.com" <anna.schumaker@...app.com>,
"stable\@vger.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] NFS: Fix nfs4_lock_state refcounting in nfs4_alloc_{lock,unlock}data()
On Mon, Mar 18 2019, Trond Myklebust wrote:
> On Mon, 2019-03-18 at 17:00 +0000, Catalin Marinas wrote:
>> Commit 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.")
>> changed the lock copying from memcpy() to the dedicated
>> locks_copy_lock() function. The latter correctly increments the
>> nfs4_lock_state.ls_count via nfs4_fl_copy_lock(), however, this
>> refcount
>> has already been incremented in the nfs4_alloc_{lock,unlock}data().
>> Kmemleak subsequently reports an unreferenced nfs4_lock_state object
>> as
>> below (arm64 platform):
>>
>> unreferenced object 0xffff8000fce0b000 (size 256):
>> comm "systemd-sysuser", pid 1608, jiffies 4294892825 (age 32.348s)
>> hex dump (first 32 bytes):
>> 20 57 4c fb 00 80 ff ff 20 57 4c fb 00 80 ff ff WL..... WL.....
>> 00 57 4c fb 00 80 ff ff 01 00 00 00 00 00 00 00 .WL.............
>> backtrace:
>> [<000000000d15010d>] kmem_cache_alloc+0x178/0x208
>> [<00000000d7c1d264>] nfs4_set_lock_state+0x124/0x1f0
>> [<000000009c867628>] nfs4_proc_lock+0x90/0x478
>> [<000000001686bd74>] do_setlk+0x64/0xe8
>> [<00000000e01500d4>] nfs_lock+0xe8/0x1f0
>> [<000000004f387d8d>] vfs_lock_file+0x18/0x40
>> [<00000000656ab79b>] do_lock_file_wait+0x68/0xf8
>> [<00000000f17c4a4b>] fcntl_setlk+0x224/0x280
>> [<0000000052a242c6>] do_fcntl+0x418/0x730
>> [<000000004f47291a>] __arm64_sys_fcntl+0x84/0xd0
>> [<00000000d6856e01>] el0_svc_common+0x80/0xf0
>> [<000000009c4bd1df>] el0_svc_handler+0x2c/0x80
>> [<00000000b1a0d479>] el0_svc+0x8/0xc
>> [<0000000056c62a0f>] 0xffffffffffffffff
>>
>> This patch removes the original refcount_inc(&lsp->ls_count) that was
>> paired with the memcpy() lock copying.
>>
>> Fixes: 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.")
>> Cc: <stable@...r.kernel.org> # 5.0.x-
>> Cc: NeilBrown <neilb@...e.com>
>> Signed-off-by: Catalin Marinas <catalin.marinas@....com>
>> ---
>> fs/nfs/nfs4proc.c | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
>> index 4dbb0ee23432..6d2812a39287 100644
>> --- a/fs/nfs/nfs4proc.c
>> +++ b/fs/nfs/nfs4proc.c
>> @@ -6301,7 +6301,6 @@ static struct nfs4_unlockdata
>> *nfs4_alloc_unlockdata(struct file_lock *fl,
>> p->arg.seqid = seqid;
>> p->res.seqid = seqid;
>> p->lsp = lsp;
>> - refcount_inc(&lsp->ls_count);
>> /* Ensure we don't close file until we're done freeing locks!
>> */
>> p->ctx = get_nfs_open_context(ctx);
>> p->l_ctx = nfs_get_lock_context(ctx);
>> @@ -6526,7 +6525,6 @@ static struct nfs4_lockdata
>> *nfs4_alloc_lockdata(struct file_lock *fl,
>> p->res.lock_seqid = p->arg.lock_seqid;
>> p->lsp = lsp;
>> p->server = server;
>> - refcount_inc(&lsp->ls_count);
>> p->ctx = get_nfs_open_context(ctx);
>> locks_init_lock(&p->fl);
>> locks_copy_lock(&p->fl, fl);
>
> Thanks Catalin! Good catch...
>
> I'm applying this to my linux-next branch.
>
Yes, thanks a lot! I wonder how I missed that :-(
NeilBrown
Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)
Powered by blists - more mailing lists