| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSaTC51DkxEqQkrZ@kernel.org>
Date: Wed, 26 Nov 2025 00:41:31 -0500
From: Mike Snitzer <snitzer@...nel.org>
To: Zorro Lang <zlang@...hat.com>, anna@...nel.org
Cc: linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] nfs/localio: fix regression due to out-of-order __put_cred
[was: Re: [Bug][xfstests crash on nfs] kernel BUG at kernel/cred.c:104!]
Commit 86855311c117 ("nfs/localio: add refcounting for each iocb IO
associated with NFS pgio header") inadvertantly reintroduced the same
potential for __put_cred() triggering BUG_ON(cred == current->cred)
that commit 992203a1fba5 ("nfs/localio: restore creds before releasing
pageio data") fixed.
Fix this by saving and restoring the cred around each {read,write}_iter
call within the respective for loop of nfs_local_call_{read,write}.
Reported-by: Zorro Lang <zlang@...hat.com>
Fixes: 86855311c117 ("nfs/localio: add refcounting for each iocb IO associated with NFS pgio header")
Signed-off-by: Mike Snitzer <snitzer@...nel.org>
diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c
index 6461ce3ba9a4..eeb05a0d8d26 100644
--- a/fs/nfs/localio.c
+++ b/fs/nfs/localio.c
@@ -623,8 +623,6 @@ static void nfs_local_call_read(struct work_struct *work)
ssize_t status;
int n_iters;
- save_cred = override_creds(filp->f_cred);
-
n_iters = atomic_read(&iocb->n_iters);
for (int i = 0; i < n_iters ; i++) {
if (iocb->iter_is_dio_aligned[i]) {
@@ -637,7 +635,10 @@ static void nfs_local_call_read(struct work_struct *work)
} else
iocb->kiocb.ki_flags &= ~IOCB_DIRECT;
+ save_cred = override_creds(filp->f_cred);
status = filp->f_op->read_iter(&iocb->kiocb, &iocb->iters[i]);
+ revert_creds(save_cred);
+
if (status != -EIOCBQUEUED) {
if (unlikely(status >= 0 && status < iocb->iters[i].count))
force_done = true; /* Partial read */
@@ -647,8 +648,6 @@ static void nfs_local_call_read(struct work_struct *work)
}
}
}
-
- revert_creds(save_cred);
}
static int
@@ -830,7 +829,6 @@ static void nfs_local_call_write(struct work_struct *work)
int n_iters;
current->flags |= PF_LOCAL_THROTTLE | PF_MEMALLOC_NOIO;
- save_cred = override_creds(filp->f_cred);
file_start_write(filp);
n_iters = atomic_read(&iocb->n_iters);
@@ -845,7 +843,10 @@ static void nfs_local_call_write(struct work_struct *work)
} else
iocb->kiocb.ki_flags &= ~IOCB_DIRECT;
+ save_cred = override_creds(filp->f_cred);
status = filp->f_op->write_iter(&iocb->kiocb, &iocb->iters[i]);
+ revert_creds(save_cred);
+
if (status != -EIOCBQUEUED) {
if (unlikely(status >= 0 && status < iocb->iters[i].count))
force_done = true; /* Partial write */
@@ -857,7 +858,6 @@ static void nfs_local_call_write(struct work_struct *work)
}
file_end_write(filp);
- revert_creds(save_cred);
current->flags = old_flags;
}
Powered by blists - more mailing lists