From: Jeff Layton <jlayton@kernel.org>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	Chuck Lever <chuck.lever@oracle.com>,
	Dai Ngo <dai.ngo@oracle.com>,
	"open list:NFS, SUNRPC, AND..." <linux-nfs@vger.kernel.org>
Cc: syzbot <syzbot+ff796f04613b4c84ad89@syzkaller.appspotmail.com>,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] NFSD: unregister shrinker when nfsd_init_net() fails
Date: Mon, 10 Oct 2022 19:18:14 -0400
Message-ID: <4df8175d03d013e2d394126621775db9ecff13f0.camel@kernel.org>
In-Reply-To: <66b0ff35-c468-1a5b-3327-7e2ffcc768ee@I-love.SAKURA.ne.jp>

On Mon, 2022-10-10 at 14:59 +0900, Tetsuo Handa wrote:
> syzbot is reporting UAF read at register_shrinker_prepared() [1], for
> commit 7746b32f467b3813 ("NFSD: add shrinker to reap courtesy clients on
> low memory condition") missed that nfsd4_leases_net_shutdown() from
> nfsd_exit_net() is called only when nfsd_init_net() succeeded.
> If nfsd_init_net() fails due to nfsd_reply_cache_init() failure,
> register_shrinker() from nfsd4_init_leases_net() has to be undone
> before nfsd_init_net() returns.
> 
> Link: https://syzkaller.appspot.com/bug?extid=ff796f04613b4c84ad89 [1]
> Reported-by: syzbot <syzbot+ff796f04613b4c84ad89@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 7746b32f467b3813 ("NFSD: add shrinker to reap courtesy clients on low memory condition")
> ---
>  fs/nfsd/nfsctl.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
> index 6a29bcfc9390..dc74a947a440 100644
> --- a/fs/nfsd/nfsctl.c
> +++ b/fs/nfsd/nfsctl.c
> @@ -1458,12 +1458,14 @@ static __net_init int nfsd_init_net(struct net *net)
>  		goto out_drc_error;
>  	retval = nfsd_reply_cache_init(nn);
>  	if (retval)
> -		goto out_drc_error;
> +		goto out_cache_error;
>  	get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
>  	seqlock_init(&nn->writeverf_lock);
>  
>  	return 0;
>  
> +out_cache_error:
> +	nfsd4_leases_net_shutdown(nn);
>  out_drc_error:
>  	nfsd_idmap_shutdown(net);
>  out_idmap_error:
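
Review bot: only the nfsd_reply_cache_init() failure path reaches the new out_cache_error label; the earlier "goto out_drc_error" in the first context line still bypasses nfsd4_leases_net_shutdown(nn). That is correct only if that earlier jump is the failure of nfsd4_init_leases_net() itself and that function leaves no shrinker registered when it returns an error, which the hunk does not show, so please confirm it or say so in the commit message. As a style point, the removed line shows that out_drc_error used to be the reply-cache failure label, so out_cache_error and out_drc_error now both read as "reply cache failed"; renaming the label used by the earlier jump after its own step would keep the unwind ladder self-describing for whoever adds the next init step.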


Good catch!

Reviewed-by: Jeff Layton <jlayton@kernel.org>

Thread overview: 6+ messages
2022-09-27 10:52 [syzbot] KASAN: use-after-free Read in register_shrinker_prepared (2) syzbot
2022-10-07 14:21 ` syzbot
2022-10-09 19:45 ` syzbot
2022-10-10  5:59   ` [PATCH] NFSD: unregister shrinker when nfsd_init_net() fails Tetsuo Handa
2022-10-10 23:18     ` Jeff Layton [this message]
2022-10-11 14:13     ` Chuck Lever III
