android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
08a98c345f
android_kernel_samsung_sm8650/net/sunrpc
History
felix 7749fd2dbe SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 
[ Upstream commit bfca5fb4e97c46503ddfc582335917b0cc228264 ]

RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()
workqueue,which takes care about pipefs superblock locking.
In some special scenarios, when kernel frees the pipefs sb of the
current client and immediately alloctes a new pipefs sb,
rpc_remove_pipedir function would misjudge the existence of pipefs
sb which is not the one it used to hold. As a result,
the rpc_remove_pipedir would clean the released freed pipefs dentries.

To fix this issue, rpc_remove_pipedir should check whether the
current pipefs sb is consistent with the original pipefs sb.

This error can be catched by KASAN:
=========================================================
[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200
[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503
[  250.500549] Workqueue: events rpc_free_client_work
[  250.501001] Call Trace:
[  250.502880]  kasan_report+0xb6/0xf0
[  250.503209]  ? dget_parent+0x195/0x200
[  250.503561]  dget_parent+0x195/0x200
[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10
[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90
[  250.504781]  rpc_remove_client_dir+0xf5/0x150
[  250.505195]  rpc_free_client_work+0xe4/0x230
[  250.505598]  process_one_work+0x8ee/0x13b0
...
[   22.039056] Allocated by task 244:
[   22.039390]  kasan_save_stack+0x22/0x50
[   22.039758]  kasan_set_track+0x25/0x30
[   22.040109]  __kasan_slab_alloc+0x59/0x70
[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240
[   22.040889]  __d_alloc+0x31/0x8e0
[   22.041207]  d_alloc+0x44/0x1f0
[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140
[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110
[   22.042459]  rpc_create_client_dir+0x34/0x150
[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0
[   22.043284]  rpc_client_register+0x136/0x4e0
[   22.043689]  rpc_new_client+0x911/0x1020
[   22.044057]  rpc_create_xprt+0xcb/0x370
[   22.044417]  rpc_create+0x36b/0x6c0
...
[   22.049524] Freed by task 0:
[   22.049803]  kasan_save_stack+0x22/0x50
[   22.050165]  kasan_set_track+0x25/0x30
[   22.050520]  kasan_save_free_info+0x2b/0x50
[   22.050921]  __kasan_slab_free+0x10e/0x1a0
[   22.051306]  kmem_cache_free+0xa5/0x390
[   22.051667]  rcu_core+0x62c/0x1930
[   22.051995]  __do_softirq+0x165/0x52a
[   22.052347]
[   22.052503] Last potentially related work creation:
[   22.052952]  kasan_save_stack+0x22/0x50
[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0
[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0
[   22.054209]  dentry_free+0xb2/0x140
[   22.054540]  __dentry_kill+0x3be/0x540
[   22.054900]  shrink_dentry_list+0x199/0x510
[   22.055293]  shrink_dcache_parent+0x190/0x240
[   22.055703]  do_one_tree+0x11/0x40
[   22.056028]  shrink_dcache_for_umount+0x61/0x140
[   22.056461]  generic_shutdown_super+0x70/0x590
[   22.056879]  kill_anon_super+0x3a/0x60
[   22.057234]  rpc_kill_sb+0x121/0x200

Fixes: 0157d021d2 ("SUNRPC: handle RPC client pipefs dentries by network namespace aware routines")
Signed-off-by: felix <fuzhen5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-11-28 17:07:04 +00:00
..
auth_gss Revert "SUNRPC: Use RMW bitops in single-threaded hot paths" 2023-01-14 10:33:42 +01:00
xprtrdma xprtrdma: Remap Receive buffers after a reconnect 2023-08-30 16:10:57 +02:00
addr.c nfsd: don't alloc under spinlock in rpc_parse_scope_id 2021-09-21 17:51:47 -04:00
auth_null.c SUNRPC: Add rpc_auth::au_ralign field 2019-02-14 11:48:36 -05:00
auth_unix.c SUNRPC: Fix unx_lookup_cred() allocation 2022-03-22 15:52:55 -04:00
auth.c NFS client updates for Linux 5.20 2022-08-10 14:04:32 -07:00
backchannel_rqst.c NFS client updates for Linux 5.20 2022-08-10 14:04:32 -07:00
cache.c treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
clnt.c SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 2023-11-28 17:07:04 +00:00
debugfs.c SUNRPC: Cache deferral injection 2022-05-19 12:25:38 -04:00
fail.h SUNRPC: Cache deferral injection 2022-05-19 12:25:38 -04:00
Kconfig SUNRPC: remove RC4-HMAC-MD5 support from KerberosV 2020-09-11 14:39:15 +10:00
Makefile sunrpc: Create a sunrpc directory under /sys/kernel/ 2021-07-08 14:03:23 -04:00
netns.h
rpc_pipe.c fs: allocate inode by using alloc_inode_sb() 2022-03-22 15:57:03 -07:00
rpcb_clnt.c SUNRPC: Add an IS_ERR() check back to where it was 2023-11-28 17:07:03 +00:00
sched.c SUNRPC: Don't change task->tk_status after the call to rpc_exit_task 2023-05-30 14:03:17 +01:00
socklib.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
socklib.h SUNRPC: Refactor xs_sendpages() 2020-03-16 12:04:33 -04:00
stats.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
sunrpc_syms.c sunrpc: add IDs to multipath 2021-07-08 14:03:23 -04:00
sunrpc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_149.RULE 2022-06-10 14:51:35 +02:00
svc_xprt.c SUNRPC: always free ctxt when freeing deferred request 2023-05-24 17:32:45 +01:00
svc.c SUNRPC: Fix trace_svc_register() call site 2023-05-24 17:32:45 +01:00
svcauth_unix.c sunrpc: only free unix grouplist after RCU settles 2023-04-13 16:55:23 +02:00
svcauth.c SUNRPC: Teach server to recognize RPC_AUTH_TLS 2022-02-28 10:26:40 -05:00
svcsock.c SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 2023-07-19 16:21:48 +02:00
sysctl.c net/sunrpc: fix useless comparison in proc_do_xprt() 2020-11-08 16:28:25 -05:00
sysfs.c SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed 2022-10-27 15:52:10 -04:00
sysfs.h SUNRPC: take a xprt offline using sysfs 2021-07-08 14:03:24 -04:00
timer.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
xdr.c SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment 2022-09-26 14:02:47 -04:00
xprt.c Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
xprtmultipath.c SUNRPC: Directly use ida_alloc()/free() 2022-10-03 11:26:36 -04:00
xprtsock.c SUNRPC: fix shutdown of NFS TCP client socket 2023-04-06 12:10:44 +02:00