system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-02 09:18:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
felix bfca5fb4e9 SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 
RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()
workqueue,which takes care about pipefs superblock locking.
In some special scenarios, when kernel frees the pipefs sb of the
current client and immediately alloctes a new pipefs sb,
rpc_remove_pipedir function would misjudge the existence of pipefs
sb which is not the one it used to hold. As a result,
the rpc_remove_pipedir would clean the released freed pipefs dentries.

To fix this issue, rpc_remove_pipedir should check whether the
current pipefs sb is consistent with the original pipefs sb.

This error can be catched by KASAN:
=========================================================
[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200
[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503
[  250.500549] Workqueue: events rpc_free_client_work
[  250.501001] Call Trace:
[  250.502880]  kasan_report+0xb6/0xf0
[  250.503209]  ? dget_parent+0x195/0x200
[  250.503561]  dget_parent+0x195/0x200
[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10
[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90
[  250.504781]  rpc_remove_client_dir+0xf5/0x150
[  250.505195]  rpc_free_client_work+0xe4/0x230
[  250.505598]  process_one_work+0x8ee/0x13b0
...
[   22.039056] Allocated by task 244:
[   22.039390]  kasan_save_stack+0x22/0x50
[   22.039758]  kasan_set_track+0x25/0x30
[   22.040109]  __kasan_slab_alloc+0x59/0x70
[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240
[   22.040889]  __d_alloc+0x31/0x8e0
[   22.041207]  d_alloc+0x44/0x1f0
[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140
[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110
[   22.042459]  rpc_create_client_dir+0x34/0x150
[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0
[   22.043284]  rpc_client_register+0x136/0x4e0
[   22.043689]  rpc_new_client+0x911/0x1020
[   22.044057]  rpc_create_xprt+0xcb/0x370
[   22.044417]  rpc_create+0x36b/0x6c0
...
[   22.049524] Freed by task 0:
[   22.049803]  kasan_save_stack+0x22/0x50
[   22.050165]  kasan_set_track+0x25/0x30
[   22.050520]  kasan_save_free_info+0x2b/0x50
[   22.050921]  __kasan_slab_free+0x10e/0x1a0
[   22.051306]  kmem_cache_free+0xa5/0x390
[   22.051667]  rcu_core+0x62c/0x1930
[   22.051995]  __do_softirq+0x165/0x52a
[   22.052347]
[   22.052503] Last potentially related work creation:
[   22.052952]  kasan_save_stack+0x22/0x50
[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0
[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0
[   22.054209]  dentry_free+0xb2/0x140
[   22.054540]  __dentry_kill+0x3be/0x540
[   22.054900]  shrink_dentry_list+0x199/0x510
[   22.055293]  shrink_dcache_parent+0x190/0x240
[   22.055703]  do_one_tree+0x11/0x40
[   22.056028]  shrink_dcache_for_umount+0x61/0x140
[   22.056461]  generic_shutdown_super+0x70/0x590
[   22.056879]  kill_anon_super+0x3a/0x60
[   22.057234]  rpc_kill_sb+0x121/0x200

Fixes: 0157d021d2 ("SUNRPC: handle RPC client pipefs dentries by network namespace aware routines")
Signed-off-by: felix <fuzhen5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2023-11-01 15:40:44 -04:00
..
6lowpan
9p net: annotate data-races around sock->ops 2023-08-09 15:32:43 -07:00
802
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
appletalk
atm
ax25 ax25: Kconfig: Update link for linux-ax25.org 2023-09-18 12:56:58 +01:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-24 10:51:39 -07:00
bluetooth Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name 2023-10-13 20:06:33 -07:00
bpf bpf: Prevent inlining of bpf_fentry_test7() 2023-08-30 08:36:17 +02:00
bpfilter
bridge neighbour: fix data-races around n->output 2023-10-01 17:14:37 +01:00
caif
can can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior 2023-10-06 12:54:33 +02:00
ceph libceph: use kernel_connect() 2023-10-09 13:35:24 +02:00
core net: move altnames together with the netdevice 2023-10-19 15:51:16 +02:00
dcb
dccp dccp: fix dccp_v4_err()/dccp_v6_err() again 2023-09-18 07:10:31 +01:00
devlink devlink: Hold devlink lock on health reporter dump get 2023-10-06 15:56:46 -07:00
dns_resolver
dsa net: dsa: mark parsed interface mode for legacy switch drivers 2023-08-09 13:08:09 -07:00
ethernet
ethtool Revert "ethtool: Fix mod state of verbose no_mask bitset" 2023-10-19 09:27:12 -07:00
handshake net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() 2023-09-20 11:54:49 +01:00
hsr net: hsr: Add __packed to struct hsr_sup_tlv. 2023-09-18 08:26:19 +01:00
ieee802154 sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
ife
ipv4 tcp: check mptcp-level constraints for backlog coalescing 2023-10-19 09:10:00 -07:00
ipv6 ipsec-2023-10-17 2023-10-17 18:21:13 -07:00
iucv
kcm kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). 2023-09-14 10:43:51 +02:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() 2023-10-01 18:19:27 +01:00
l3mdev
lapb
llc net/llc/llc_conn.c: fix 4 instances of -Wmissing-variable-declarations 2023-08-09 15:34:28 -07:00
mac80211 wifi: mac80211: fix error path key leak 2023-10-11 16:36:14 +02:00
mac802154
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-10 19:43:22 -07:00
mpls networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
mptcp mptcp: avoid sending RST when closing the initial subflow 2023-10-19 09:10:00 -07:00
ncsi ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-09-18 07:06:05 +01:00
netfilter netfilter: nf_tables: revert do not remove elements if set backend implements .abort 2023-10-18 13:47:32 +02:00
netlabel
netlink netlink: annotate data-races around sk->sk_err 2023-10-04 17:32:54 -07:00
netrom netrom: Deny concurrent connect(). 2023-08-28 06:58:46 +01:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2023-10-16 17:34:53 -07:00
nsh
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
packet af_packet: Fix fortified memcpy() without flex array. 2023-10-12 09:15:15 +02:00
phonet
psample
qrtr
rds net: prevent address rewrite in kernel_bind() 2023-10-01 19:31:29 +01:00
rfkill net: rfkill: reduce data->mtx scope in rfkill_fop_open 2023-10-11 16:55:10 +02:00
rose
rxrpc
sched net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve 2023-10-18 18:08:28 -07:00
sctp sctp: update hb timer immediately after users change hb_interval 2023-10-04 17:29:58 -07:00
smc net/smc: return the right falback reason when prefix checks fail 2023-10-16 16:37:40 -07:00
strparser
sunrpc SUNRPC: Fix RPC client cleaned up the freed pipefs dentries 2023-11-01 15:40:44 -04:00
switchdev
tipc tipc: fix a potential deadlock on &tx->lock 2023-10-04 13:24:12 -07:00
tls tcp: allow again tcp_disconnect() when threads are waiting 2023-10-13 16:49:32 -07:00
unix Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
vmw_vsock
wireless wifi: cfg80211: use system_unbound_wq for wiphy work 2023-10-11 16:36:12 +02:00
x25
xdp xdp: Fix zero-size allocation warning in xskq_create() 2023-10-09 16:13:29 +02:00
xfrm ipsec-2023-10-17 2023-10-17 18:21:13 -07:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c net: prevent address rewrite in kernel_bind() 2023-10-01 19:31:29 +01:00
sysctl_net.c sysctl: Add size to register_net_sysctl function 2023-08-15 15:26:17 -07:00