nfsd: memory corruption in nfsd4_lock()

New struct nfsd4_blocked_lock allocated in find_or_allocate_block() does not initialized nbl_list and nbl_lru. If conflock allocation fails rollback can call list_del_init() access uninitialized fields and corrupt memory. v2: just initialize nbl_list and nbl_lru right after nbl allocation. Fixes: 76d348fa ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock") Signed-off-by: N Vasily Averin <vvs@virtuozzo.com> Reviewed-by: N Jeff Layton <jlayton@kernel.org> Signed-off-by: N Chuck Lever <chuck.lever@oracle.com>

nfsd: memory corruption in nfsd4_lock()
New struct nfsd4_blocked_lock allocated in find_or_allocate_block() does not initialized nbl_list and nbl_lru. If conflock allocation fails rollback can call list_del_init() access uninitialized fields and corrupt memory. v2: just initialize nbl_list and nbl_lru right after nbl allocation. Fixes: 76d348fa ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock") Signed-off-by: N Vasily Averin <vvs@virtuozzo.com> Reviewed-by: N Jeff Layton <jlayton@kernel.org> Signed-off-by: N Chuck Lever <chuck.lever@oracle.com>
e1e8399e · Vasily Averin · Chuck Lever · 8f3d9f35 · e1e8399e
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

fs/nfsd/nfs4state.c fs/nfsd/nfs4state.c +2 -0

未找到文件。
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -267,6 +267,8 @@ find_or_allocate_block(struct nfs4_lockowner *lo, struct knfsd_fh *fh,
 	if (!nbl) {
 		nbl= kmalloc(sizeof(*nbl), GFP_KERNEL);
 		if (nbl) {
+			INIT_LIST_HEAD(&nbl->nbl_list);
+			INIT_LIST_HEAD(&nbl->nbl_lru);
 			fh_copy_shallow(&nbl->nbl_fh, fh);
 			locks_init_lock(&nbl->nbl_lock);
 			nfsd4_init_cb(&nbl->nbl_cb, lo->lo_owner.so_client,