| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Mar 2019 17:11:09 +0000
From: Trond Myklebust <trondmy@...merspace.com>
To: "catalin.marinas@....com" <catalin.marinas@....com>,
"linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"anna.schumaker@...app.com" <anna.schumaker@...app.com>,
"neilb@...e.com" <neilb@...e.com>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] NFS: Fix nfs4_lock_state refcounting in
nfs4_alloc_{lock,unlock}data()
On Mon, 2019-03-18 at 17:00 +0000, Catalin Marinas wrote:
> Commit 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.")
> changed the lock copying from memcpy() to the dedicated
> locks_copy_lock() function. The latter correctly increments the
> nfs4_lock_state.ls_count via nfs4_fl_copy_lock(), however, this
> refcount
> has already been incremented in the nfs4_alloc_{lock,unlock}data().
> Kmemleak subsequently reports an unreferenced nfs4_lock_state object
> as
> below (arm64 platform):
>
> unreferenced object 0xffff8000fce0b000 (size 256):
> comm "systemd-sysuser", pid 1608, jiffies 4294892825 (age 32.348s)
> hex dump (first 32 bytes):
> 20 57 4c fb 00 80 ff ff 20 57 4c fb 00 80 ff ff WL..... WL.....
> 00 57 4c fb 00 80 ff ff 01 00 00 00 00 00 00 00 .WL.............
> backtrace:
> [<000000000d15010d>] kmem_cache_alloc+0x178/0x208
> [<00000000d7c1d264>] nfs4_set_lock_state+0x124/0x1f0
> [<000000009c867628>] nfs4_proc_lock+0x90/0x478
> [<000000001686bd74>] do_setlk+0x64/0xe8
> [<00000000e01500d4>] nfs_lock+0xe8/0x1f0
> [<000000004f387d8d>] vfs_lock_file+0x18/0x40
> [<00000000656ab79b>] do_lock_file_wait+0x68/0xf8
> [<00000000f17c4a4b>] fcntl_setlk+0x224/0x280
> [<0000000052a242c6>] do_fcntl+0x418/0x730
> [<000000004f47291a>] __arm64_sys_fcntl+0x84/0xd0
> [<00000000d6856e01>] el0_svc_common+0x80/0xf0
> [<000000009c4bd1df>] el0_svc_handler+0x2c/0x80
> [<00000000b1a0d479>] el0_svc+0x8/0xc
> [<0000000056c62a0f>] 0xffffffffffffffff
>
> This patch removes the original refcount_inc(&lsp->ls_count) that was
> paired with the memcpy() lock copying.
>
> Fixes: 7b587e1a5a6c ("NFS: use locks_copy_lock() to copy locks.")
> Cc: <stable@...r.kernel.org> # 5.0.x-
> Cc: NeilBrown <neilb@...e.com>
> Signed-off-by: Catalin Marinas <catalin.marinas@....com>
> ---
> fs/nfs/nfs4proc.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index 4dbb0ee23432..6d2812a39287 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -6301,7 +6301,6 @@ static struct nfs4_unlockdata
> *nfs4_alloc_unlockdata(struct file_lock *fl,
> p->arg.seqid = seqid;
> p->res.seqid = seqid;
> p->lsp = lsp;
> - refcount_inc(&lsp->ls_count);
> /* Ensure we don't close file until we're done freeing locks!
> */
> p->ctx = get_nfs_open_context(ctx);
> p->l_ctx = nfs_get_lock_context(ctx);
> @@ -6526,7 +6525,6 @@ static struct nfs4_lockdata
> *nfs4_alloc_lockdata(struct file_lock *fl,
> p->res.lock_seqid = p->arg.lock_seqid;
> p->lsp = lsp;
> p->server = server;
> - refcount_inc(&lsp->ls_count);
> p->ctx = get_nfs_open_context(ctx);
> locks_init_lock(&p->fl);
> locks_copy_lock(&p->fl, fl);
Thanks Catalin! Good catch...
I'm applying this to my linux-next branch.
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@...merspace.com
Powered by blists - more mailing lists