lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87ef73932u.fsf@notabene.neil.brown.name>
Date:   Tue, 19 Mar 2019 10:26:33 +1100
From:   NeilBrown <neilb@...e.com>
To:     Trond Myklebust <trondmy@...merspace.com>,
        "catalin.marinas\@arm.com" <catalin.marinas@....com>,
        "linux-nfs\@vger.kernel.org" <linux-nfs@...r.kernel.org>
Cc:     "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>,
        "anna.schumaker\@netapp.com" <anna.schumaker@...app.com>,
        "stable\@vger.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] NFS: Fix nfs4_lock_state refcounting in nfs4_alloc_{lock,unlock}data()

On Mon, Mar 18 2019, Trond Myklebust wrote:

> On Mon, 2019-03-18 at 17:00 +0000, Catalin Marinas wrote:
>> Commit 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.")
>> changed the lock copying from memcpy() to the dedicated
>> locks_copy_lock() function. The latter correctly increments the
>> nfs4_lock_state.ls_count via nfs4_fl_copy_lock(), however, this
>> refcount
>> has already been incremented in the nfs4_alloc_{lock,unlock}data().
>> Kmemleak subsequently reports an unreferenced nfs4_lock_state object
>> as
>> below (arm64 platform):
>> 
>> unreferenced object 0xffff8000fce0b000 (size 256):
>>   comm "systemd-sysuser", pid 1608, jiffies 4294892825 (age 32.348s)
>>   hex dump (first 32 bytes):
>>     20 57 4c fb 00 80 ff ff 20 57 4c fb 00 80 ff ff   WL..... WL.....
>>     00 57 4c fb 00 80 ff ff 01 00 00 00 00 00 00 00  .WL.............
>>   backtrace:
>>     [<000000000d15010d>] kmem_cache_alloc+0x178/0x208
>>     [<00000000d7c1d264>] nfs4_set_lock_state+0x124/0x1f0
>>     [<000000009c867628>] nfs4_proc_lock+0x90/0x478
>>     [<000000001686bd74>] do_setlk+0x64/0xe8
>>     [<00000000e01500d4>] nfs_lock+0xe8/0x1f0
>>     [<000000004f387d8d>] vfs_lock_file+0x18/0x40
>>     [<00000000656ab79b>] do_lock_file_wait+0x68/0xf8
>>     [<00000000f17c4a4b>] fcntl_setlk+0x224/0x280
>>     [<0000000052a242c6>] do_fcntl+0x418/0x730
>>     [<000000004f47291a>] __arm64_sys_fcntl+0x84/0xd0
>>     [<00000000d6856e01>] el0_svc_common+0x80/0xf0
>>     [<000000009c4bd1df>] el0_svc_handler+0x2c/0x80
>>     [<00000000b1a0d479>] el0_svc+0x8/0xc
>>     [<0000000056c62a0f>] 0xffffffffffffffff
>> 
>> This patch removes the original refcount_inc(&lsp->ls_count) that was
>> paired with the memcpy() lock copying.
>> 
>> Fixes: 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.")
>> Cc: <stable@...r.kernel.org> # 5.0.x-
>> Cc: NeilBrown <neilb@...e.com>
>> Signed-off-by: Catalin Marinas <catalin.marinas@....com>
>> ---
>>  fs/nfs/nfs4proc.c | 2 --
>>  1 file changed, 2 deletions(-)
>> 
>> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
>> index 4dbb0ee23432..6d2812a39287 100644
>> --- a/fs/nfs/nfs4proc.c
>> +++ b/fs/nfs/nfs4proc.c
>> @@ -6301,7 +6301,6 @@ static struct nfs4_unlockdata
>> *nfs4_alloc_unlockdata(struct file_lock *fl,
>>  	p->arg.seqid = seqid;
>>  	p->res.seqid = seqid;
>>  	p->lsp = lsp;
>> -	refcount_inc(&lsp->ls_count);
>>  	/* Ensure we don't close file until we're done freeing locks!
>> */
>>  	p->ctx = get_nfs_open_context(ctx);
>>  	p->l_ctx = nfs_get_lock_context(ctx);
>> @@ -6526,7 +6525,6 @@ static struct nfs4_lockdata
>> *nfs4_alloc_lockdata(struct file_lock *fl,
>>  	p->res.lock_seqid = p->arg.lock_seqid;
>>  	p->lsp = lsp;
>>  	p->server = server;
>> -	refcount_inc(&lsp->ls_count);
>>  	p->ctx = get_nfs_open_context(ctx);
>>  	locks_init_lock(&p->fl);
>>  	locks_copy_lock(&p->fl, fl);
>
> Thanks Catalin! Good catch...
>
> I'm applying this to my linux-next branch.
>

Yes, thanks a lot!  I wonder how I missed that :-(

NeilBrown

Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ