| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Oct 2020 19:54:09 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Cc: Dave Wysochanski <dwysocha@...hat.com>,
Anna Schumaker <Anna.Schumaker@...app.com>,
Sasha Levin <sashal@...nel.org>, linux-nfs@...r.kernel.org
Subject: [PATCH AUTOSEL 5.4 13/80] NFS4: Fix oops when copy_file_range is attempted with NFS4.0 source
From: Dave Wysochanski <dwysocha@...hat.com>
[ Upstream commit d8a6ad913c286d4763ae20b14c02fe6f39d7cd9f ]
The following oops is seen during xfstest/565 when the 'test'
(source of the copy) is NFS4.0 and 'scratch' (destination) is NFS4.2
[ 59.692458] run fstests generic/565 at 2020-08-01 05:50:35
[ 60.613588] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 60.624970] #PF: supervisor read access in kernel mode
[ 60.627671] #PF: error_code(0x0000) - not-present page
[ 60.630347] PGD 0 P4D 0
[ 60.631853] Oops: 0000 [#1] SMP PTI
[ 60.634086] CPU: 6 PID: 2828 Comm: xfs_io Kdump: loaded Not tainted 5.8.0-rc3 #1
[ 60.637676] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 60.639901] RIP: 0010:nfs4_check_serverowner_major_id+0x5/0x30 [nfsv4]
[ 60.642719] Code: 89 ff e8 3e b3 b8 e1 e9 71 fe ff ff 41 bc da d8 ff ff e9 c3 fe ff ff e8 e9 9d 08 e2 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <8b> 57 08 31 c0 3b 56 08 75 12 48 83 c6 0c 48 83 c7 0c e8 c4 97 bb
[ 60.652629] RSP: 0018:ffffc265417f7e10 EFLAGS: 00010287
[ 60.655379] RAX: ffffa0664b066400 RBX: 0000000000000000 RCX: 0000000000000001
[ 60.658754] RDX: ffffa066725fb000 RSI: ffffa066725fd000 RDI: 0000000000000000
[ 60.662292] RBP: 0000000000020000 R08: 0000000000020000 R09: 0000000000000000
[ 60.666189] R10: 0000000000000003 R11: 0000000000000000 R12: ffffa06648258d00
[ 60.669914] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa06648258100
[ 60.673645] FS: 00007faa9fb35800(0000) GS:ffffa06677d80000(0000) knlGS:0000000000000000
[ 60.677698] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 60.680773] CR2: 0000000000000008 CR3: 0000000203f14000 CR4: 00000000000406e0
[ 60.684476] Call Trace:
[ 60.685809] nfs4_copy_file_range+0xfc/0x230 [nfsv4]
[ 60.688704] vfs_copy_file_range+0x2ee/0x310
[ 60.691104] __x64_sys_copy_file_range+0xd6/0x210
[ 60.693527] do_syscall_64+0x4d/0x90
[ 60.695512] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.698006] RIP: 0033:0x7faa9febc1bd
Signed-off-by: Dave Wysochanski <dwysocha@...hat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@...app.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
fs/nfs/nfs4file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
index 534b6fd70ffdb..6b31cb5f9c9db 100644
--- a/fs/nfs/nfs4file.c
+++ b/fs/nfs/nfs4file.c
@@ -138,7 +138,8 @@ static ssize_t __nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
/* Only offload copy if superblock is the same */
if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb)
return -EXDEV;
- if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY))
+ if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY) ||
+ !nfs_server_capable(file_inode(file_in), NFS_CAP_COPY))
return -EOPNOTSUPP;
if (file_inode(file_in) == file_inode(file_out))
return -EOPNOTSUPP;
--
2.25.1
Powered by blists - more mailing lists