[PATCH] nfs: maintain nfs_server in the reclaim process

Li Lingfeng posted 1 patch 2 months ago
There is a newer version of this series
fs/nfs/nfs4state.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
[PATCH] nfs: maintain nfs_server in the reclaim process
Posted by Li Lingfeng 2 months ago
In the reclaim process, there may be a situation where all files are
closed and the file system is unmounted, which will result in the release
of nfs_server.
This will trigger UAF in nfs4_put_open_state when the count of nfs4_state
is decremented to zero, because the freed nfs_server will be accessed
when evicting inode.

Maintaining the nfs_server throughout the entire reclaim process by adding
nfs_sb_active and nfs_sb_deactive to fix it.

Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
---
 fs/nfs/nfs4state.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 877f682b45f2..f09f63b5a7c0 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1934,6 +1934,8 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 restart:
 	rcu_read_lock();
 	list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) {
+		if (!(server->super && nfs_sb_active(server->super)))
+			continue;
 		nfs4_purge_state_owners(server, &freeme);
 		spin_lock(&clp->cl_lock);
 		for (pos = rb_first(&server->state_owners);
@@ -1942,10 +1944,14 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 			sp = rb_entry(pos,
 				struct nfs4_state_owner, so_server_node);
 			if (!test_and_clear_bit(ops->owner_flag_bit,
-							&sp->so_flags))
+							&sp->so_flags)) {
+				nfs_sb_deactive(server->super);
 				continue;
-			if (!atomic_inc_not_zero(&sp->so_count))
+			}
+			if (!atomic_inc_not_zero(&sp->so_count)) {
+				nfs_sb_deactive(server->super);
 				continue;
+			}
 			spin_unlock(&clp->cl_lock);
 			rcu_read_unlock();
 
@@ -1961,9 +1967,11 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
 			}
 
 			nfs4_put_state_owner(sp);
+			nfs_sb_deactive(server->super);
 			goto restart;
 		}
 		spin_unlock(&clp->cl_lock);
+		nfs_sb_deactive(server->super);
 	}
 	rcu_read_unlock();
 	nfs4_free_state_owners(&freeme);
-- 
2.31.1