commit b663c6fd98c9cf586279db03cec3257c413efd00 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

nfsd: fix oops on access from high-numbered ports

This bug was always here, but before my commit 6fa02839bf9412e18e77
("recheck for secure ports in fh_verify"), it could only be triggered by
failure of a kmalloc(). After that commit it could be triggered by a
client making a request from a non-reserved port for access to an export
marked "secure". (Exports are "secure" by default.)

The result is a struct svc_export with a reference count one too low,
resulting in likely oopses next time the export is accessed.

The reference counting here is not straightforward; a later patch will
clean up fh_verify().

Thanks to Lukas Hejtmanek for the bug report and followup.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by J. Bruce Fields and committed by Linus Torvalds 18 years ago b663c6fd 9b89ca7a

+2 -2

1 changed file

expand all

unified split

nfsd

nfsfh.c

+2 -2

fs/nfsd/nfsfh.c

··· 232 fhp->fh_dentry = dentry; 233 fhp->fh_export = exp; 234 nfsd_nr_verified++; 235 } else { 236 /* 237 * just rechecking permissions ··· 242 dprintk("nfsd: fh_verify - just checking\n"); 243 dentry = fhp->fh_dentry; 244 exp = fhp->fh_export; 245 /* 246 * Set user creds for this exportpoint; necessary even 247 * in the "just checking" case because this may be a ··· 254 if (error) 255 goto out; 256 } 257 - cache_get(&exp->h); 258 - 259 260 error = nfsd_mode_check(rqstp, dentry->d_inode->i_mode, type); 261 if (error)

··· 232 fhp->fh_dentry = dentry; 233 fhp->fh_export = exp; 234 nfsd_nr_verified++; 235 + cache_get(&exp->h); 236 } else { 237 /* 238 * just rechecking permissions ··· 241 dprintk("nfsd: fh_verify - just checking\n"); 242 dentry = fhp->fh_dentry; 243 exp = fhp->fh_export; 244 + cache_get(&exp->h); 245 /* 246 * Set user creds for this exportpoint; necessary even 247 * in the "just checking" case because this may be a ··· 252 if (error) 253 goto out; 254 } 255 256 error = nfsd_mode_check(rqstp, dentry->d_inode->i_mode, type); 257 if (error)