In the reclaim process, there may be a situation where all files are
closed and the file system is unmounted, which will result in the release
of nfs_server.
This will trigger UAF in nfs4_put_open_state when the count of nfs4_state
is decremented to zero, because the freed nfs_server will be accessed
when evicting inode.
Maintaining the nfs_server throughout the entire reclaim process by adding
nfs_sb_active and nfs_sb_deactive to fix it.
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
---
fs/nfs/nfs4state.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 877f682b45f2..f09f63b5a7c0 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1934,6 +1934,8 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
restart:
rcu_read_lock();
list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) {
+ if (!(server->super && nfs_sb_active(server->super)))
+ continue;
nfs4_purge_state_owners(server, &freeme);
spin_lock(&clp->cl_lock);
for (pos = rb_first(&server->state_owners);
@@ -1942,10 +1944,14 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
sp = rb_entry(pos,
struct nfs4_state_owner, so_server_node);
if (!test_and_clear_bit(ops->owner_flag_bit,
- &sp->so_flags))
+ &sp->so_flags)) {
+ nfs_sb_deactive(server->super);
continue;
- if (!atomic_inc_not_zero(&sp->so_count))
+ }
+ if (!atomic_inc_not_zero(&sp->so_count)) {
+ nfs_sb_deactive(server->super);
continue;
+ }
spin_unlock(&clp->cl_lock);
rcu_read_unlock();
@@ -1961,9 +1967,11 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov
}
nfs4_put_state_owner(sp);
+ nfs_sb_deactive(server->super);
goto restart;
}
spin_unlock(&clp->cl_lock);
+ nfs_sb_deactive(server->super);
}
rcu_read_unlock();
nfs4_free_state_owners(&freeme);
--
2.31.1