microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
WSL2-Linux-Kernel/net/sunrpc
История
felix 194454afa6 SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 
[ Upstream commit bfca5fb4e97c46503ddfc582335917b0cc228264 ]

RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()
workqueue,which takes care about pipefs superblock locking.
In some special scenarios, when kernel frees the pipefs sb of the
current client and immediately alloctes a new pipefs sb,
rpc_remove_pipedir function would misjudge the existence of pipefs
sb which is not the one it used to hold. As a result,
the rpc_remove_pipedir would clean the released freed pipefs dentries.

To fix this issue, rpc_remove_pipedir should check whether the
current pipefs sb is consistent with the original pipefs sb.

This error can be catched by KASAN:
=========================================================
[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200
[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503
[  250.500549] Workqueue: events rpc_free_client_work
[  250.501001] Call Trace:
[  250.502880]  kasan_report+0xb6/0xf0
[  250.503209]  ? dget_parent+0x195/0x200
[  250.503561]  dget_parent+0x195/0x200
[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10
[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90
[  250.504781]  rpc_remove_client_dir+0xf5/0x150
[  250.505195]  rpc_free_client_work+0xe4/0x230
[  250.505598]  process_one_work+0x8ee/0x13b0
...
[   22.039056] Allocated by task 244:
[   22.039390]  kasan_save_stack+0x22/0x50
[   22.039758]  kasan_set_track+0x25/0x30
[   22.040109]  __kasan_slab_alloc+0x59/0x70
[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240
[   22.040889]  __d_alloc+0x31/0x8e0
[   22.041207]  d_alloc+0x44/0x1f0
[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140
[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110
[   22.042459]  rpc_create_client_dir+0x34/0x150
[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0
[   22.043284]  rpc_client_register+0x136/0x4e0
[   22.043689]  rpc_new_client+0x911/0x1020
[   22.044057]  rpc_create_xprt+0xcb/0x370
[   22.044417]  rpc_create+0x36b/0x6c0
...
[   22.049524] Freed by task 0:
[   22.049803]  kasan_save_stack+0x22/0x50
[   22.050165]  kasan_set_track+0x25/0x30
[   22.050520]  kasan_save_free_info+0x2b/0x50
[   22.050921]  __kasan_slab_free+0x10e/0x1a0
[   22.051306]  kmem_cache_free+0xa5/0x390
[   22.051667]  rcu_core+0x62c/0x1930
[   22.051995]  __do_softirq+0x165/0x52a
[   22.052347]
[   22.052503] Last potentially related work creation:
[   22.052952]  kasan_save_stack+0x22/0x50
[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0
[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0
[   22.054209]  dentry_free+0xb2/0x140
[   22.054540]  __dentry_kill+0x3be/0x540
[   22.054900]  shrink_dentry_list+0x199/0x510
[   22.055293]  shrink_dcache_parent+0x190/0x240
[   22.055703]  do_one_tree+0x11/0x40
[   22.056028]  shrink_dcache_for_umount+0x61/0x140
[   22.056461]  generic_shutdown_super+0x70/0x590
[   22.056879]  kill_anon_super+0x3a/0x60
[   22.057234]  rpc_kill_sb+0x121/0x200

Fixes: 0157d021d2 ("SUNRPC: handle RPC client pipefs dentries by network namespace aware routines")
Signed-off-by: felix <fuzhen5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-11-28 16:56:22 +00:00
..
auth_gss SUNRPC: ensure the matching upcall is in-flight upon downcall 2023-01-12 11:59:08 +01:00
xprtrdma xprtrdma: Remap Receive buffers after a reconnect 2023-08-30 16:18:10 +02:00
Kconfig
Makefile sunrpc: Create a sunrpc directory under /sys/kernel/ 2021-07-08 14:03:23 -04:00
addr.c nfsd: don't alloc under spinlock in rpc_parse_scope_id 2021-11-18 19:16:58 +01:00
auth.c sunrpc: fix expiry of auth creds 2022-08-25 11:40:05 +02:00
auth_null.c
auth_unix.c
backchannel_rqst.c SUNRPC: Reinitialise the backchannel request buffers before reuse 2022-08-25 11:40:05 +02:00
cache.c SUNRPC: improve error response to over-size gss credential 2021-09-03 13:38:11 -04:00
clnt.c SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 2023-11-28 16:56:22 +00:00
debugfs.c NFS Client Updates for Linux 5.15 2021-09-04 10:25:26 -07:00
fail.h SUNRPC: Server-side disconnect injection 2021-08-20 13:50:33 -04:00
netns.h
rpc_pipe.c fsnotify: fix fsnotify hooks in pseudo filesystems 2022-02-01 17:27:01 +01:00
rpcb_clnt.c SUNRPC: Add an IS_ERR() check back to where it was 2023-11-28 16:56:21 +00:00
sched.c SUNRPC: remove the maximum number of retries in call_bind_status 2023-05-11 23:00:37 +09:00
socklib.c
socklib.h
stats.c
sunrpc.h
sunrpc_syms.c sunrpc: add IDs to multipath 2021-07-08 14:03:23 -04:00
svc.c SUNRPC: Fix trace_svc_register() call site 2023-05-24 17:36:51 +01:00
svc_xprt.c SUNRPC: always free ctxt when freeing deferred request 2023-05-24 17:36:51 +01:00
svcauth.c SUNRPC: Add svc_rqst::rq_auth_stat 2021-08-10 14:18:35 -04:00
svcauth_unix.c sunrpc: only free unix grouplist after RCU settles 2023-04-13 16:48:19 +02:00
svcsock.c SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 2023-07-23 13:47:20 +02:00
sysctl.c
sysfs.c SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed 2022-11-10 18:15:26 +01:00
sysfs.h SUNRPC: take a xprt offline using sysfs 2021-07-08 14:03:24 -04:00
timer.c
xdr.c SUNRPC: Fix READ_PLUS crasher 2022-07-07 17:53:25 +02:00
xprt.c SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() 2022-05-18 10:26:57 +02:00
xprtmultipath.c SUNRPC keep track of number of transports to unique addresses 2021-08-27 16:36:53 -04:00
xprtsock.c SUNRPC: fix shutdown of NFS TCP client socket 2023-04-05 11:24:55 +02:00