From nobody Fri Jun 12 12:45:08 2026 Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0042648A2C5 for ; Tue, 9 Jun 2026 17:24:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781025844; cv=none; b=ThQVJ8QHol051ao+qtlrlW7LY3CDDxlGjwsJEW8LD3PHeAhqyozLiK1Ag/rzjPCAkyh2kJ0cujkdwSeOCi+9Te2VgbBR761SXuHaVasQoP+kOgn51MfEjJhqUiKR57cymroLzhrDHlg+s8LUdCGa3yzKEs1paBZpVeqbmIPsuKk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781025844; c=relaxed/simple; bh=4WIQETbdd7ZVgqTHQyb8NbGqFO8RlIZ/rrczYaaOPrE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Ny4kYhEPJGzAYMzYMuBal9kyHgOsphEv0SNlS5jZAcaZ58qds01B8bxnBrYjYqE4gt3Ilbz51w4vzY/KLjNBorIo9xIiRhO23t+xdAxbjCQeQ3kwd6V8pxnVwunK0ibSp+zTc0v0ePACND8nW2r+s4lI7c6N/xfI+I0IzVR7d8U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=mOsLRsXo; arc=none smtp.client-ip=209.85.167.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="mOsLRsXo" Received: by mail-lf1-f48.google.com with SMTP id 2adb3069b0e04-5aa66893e9fso6925288e87.1 for ; Tue, 09 Jun 2026 10:24:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781025841; x=1781630641; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=kNDHPL4QZCBB2D1DReJErdxEUGCSQvUdM0eZQrbXxbw=; b=mOsLRsXo4a3GQD5Jx9ZiPj2za1E6m8Vc2Tu6wVWnD7zCGAI+iUpGTJEHr56GUJn9RJ d4Kh2B+XLjMzoHaP7XJakbQKsBhXTT1re9bqUKP/o3IWneTjKESMauyLNXSxNZkNONEa e0QQXLflRRS9Uv5AmNnjcWZ05lD8uFJVgjYDey4defHYgbNmI5jrPQZH9MWYFSzG4WUT ToT+0ddpjyeTuPoRsZUG/2cCwZwyfnF+glJy1J+J7NkOhRLR7VOQw0ekXg21H34y1+w/ kdwosRG0yyYKSLL/VOBKRnTPzjqkUskMBLogdcmdcXEHsXMijwgXnQT9ZGZZqFZuG2H8 Vxkw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781025841; x=1781630641; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=kNDHPL4QZCBB2D1DReJErdxEUGCSQvUdM0eZQrbXxbw=; b=ROchyx+PMuKzJwTxu/IAVpOWFvQT1mu/Yk0fj05f5eb7uXJLh/NqHwxHeWkELm3b8y LasOpOt+voI2q7n2sJCLHaYhy5qed1alkQE96l/N8hwGNKkQrN2fiugz6xFZB/11v35y gZLT6+DYUkn/lMGNh3N0jd8nec/MNbfew57glDEfZ76P4siFyuKugJy1GbuyUhvyUN1J 7UBYBZInhW79lDCB0kokUKxjBSmKd1dZdsW+kRYR8KRX/i/NoUPQ80ym4cAjnCo+FO3v qmiOYz3CypnruQZu586IbolURnQrAJKdbKQ2svEuT7jsYqyrPmWAotfE9TZtS+DhKOn0 JhRw== X-Forwarded-Encrypted: i=1; AFNElJ8L2ybZxrlKOpIbuA0KSXWHUyGRkH6WqbfnlZ8u6eG27/DavmOuwJFbzn4xWHCUDDFed8rp7RZzFQbStZk=@vger.kernel.org X-Gm-Message-State: AOJu0YzLTOR18HclN69YwzjrIqFqAv2Yr5n15gAxbjQJz2cduZ83WBdj Ju8JSiHhnrTU6VksNeuoTngNoe/+13sPTvcfww//v0Os6jQ/BbMQuxYi X-Gm-Gg: Acq92OEsMyhT1llXAa8fHRA9NNGmDPYN7+anXuXeyIoa//NGwKJZ9kU5NzoMLkaybSA wOKX9SdR5sLbNgTAfXpO/Dnc74vbfk3vU62lUFAsBr+fuWvBegbhjqSCmmwhNHrUbuSB7CjctJp hRny6bj8a2gEt2iSXunKbDXuHQGhLQCnligBxfTFZEv1E0p6XQ33PZGp0r5pDVgP5B71YaBLEbY QnkVlQotS6wTywdfgk894fnqlj5cyDXtLOm1Bmub4ytJ0f+t+II4JbKeoYD4cB2YqTbzId0gHXn kujRMUFhz6tarQBdJvfUZAOz+aIWXMLt5338eCLBxhtOb7FysntpCzlyFwQv14qOcyFH2m95nJi JJ+G6+YNKInKkBxtp0tVRQ1+7R2murnK4uJ2wdwqqYEa+vbdur7mtmDAawxuiTunyuSgq7R3a8O Xz8ZlUzCtmOdZ1evgM3Cd4i3BYxAS4xIPmP8bWmEVTbXPvcRMAb5qoAraVhDjaXqaASH59Ll81i MluxL0= X-Received: by 2002:ac2:4e09:0:b0:5ad:a51:20a8 with SMTP id 2adb3069b0e04-5ad0a512258mr1135766e87.18.1781025840827; Tue, 09 Jun 2026 10:24:00 -0700 (PDT) Received: from c0624c666cc5.devsec.astralinux.ru ([93.188.205.42]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5aa7b99c11csm4729939e87.78.2026.06.09.10.23.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 10:23:59 -0700 (PDT) From: Vladislav Nikolaev To: stable@vger.kernel.org, Greg Kroah-Hartman Cc: Vladislav Nikolaev , "J. Bruce Fields" , Chuck Lever , linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jeff Layton , NeilBrown , Olga Kornievskaia , Dai Ngo , Tom Talpey , lvc-project@linuxtesting.org, syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com Subject: [PATCH 5.10/5.15] nfsd: don't ignore the return code of svc_proc_register() Date: Tue, 9 Jun 2026 20:23:54 +0300 Message-ID: <20260609172356.1887-1-vlad102nikolaev@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jeff Layton commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b upstream. Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM. Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE= @google.com/ Cc: stable@vger.kernel.org # v6.9 Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Vladislav Nikolaev --- Backport fix for CVE-2025-22026 fs/nfsd/nfsctl.c | 9 ++++++++- fs/nfsd/stats.c | 4 ++-- fs/nfsd/stats.h | 2 +- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c index ba2eaf3744ef..cc0dea883fbd 100644 --- a/fs/nfsd/nfsctl.c +++ b/fs/nfsd/nfsctl.c @@ -1460,17 +1460,24 @@ static __net_init int nfsd_init_net(struct net *net) retval =3D nfsd_stat_counters_init(nn); if (retval) goto out_repcache_error; + memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats)); nn->nfsd_svcstats.program =3D &nfsd_program; + if (!nfsd_proc_stat_init(net)) { + retval =3D -ENOMEM; + goto out_proc_error; + } + nn->nfsd_versions =3D NULL; nn->nfsd4_minorversions =3D NULL; nfsd4_init_leases_net(nn); get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key)); seqlock_init(&nn->writeverf_lock); - nfsd_proc_stat_init(net); =20 return 0; =20 +out_proc_error: + nfsd_stat_counters_destroy(nn); out_repcache_error: nfsd_idmap_shutdown(net); out_idmap_error: diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c index 7a58dba0045c..6d1c6067c80e 100644 --- a/fs/nfsd/stats.c +++ b/fs/nfsd/stats.c @@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct nfsd_net *nn) nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM); } =20 -void nfsd_proc_stat_init(struct net *net) +struct proc_dir_entry *nfsd_proc_stat_init(struct net *net) { struct nfsd_net *nn =3D net_generic(net, nfsd_net_id); =20 - svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops); + return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops); } =20 void nfsd_proc_stat_shutdown(struct net *net) diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h index 14525e854cba..b9329285bc1d 100644 --- a/fs/nfsd/stats.h +++ b/fs/nfsd/stats.h @@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct percpu_counter *co= unters, int num); void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num= ); int nfsd_stat_counters_init(struct nfsd_net *nn); void nfsd_stat_counters_destroy(struct nfsd_net *nn); -void nfsd_proc_stat_init(struct net *net); +struct proc_dir_entry *nfsd_proc_stat_init(struct net *net); void nfsd_proc_stat_shutdown(struct net *net); =20 static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn) --=20 2.47.3