Commit b663c6fd authored Mar 14, 2008 by J. Bruce Fields Committed by Linus Torvalds Mar 14, 2008

nfsd: fix oops on access from high-numbered ports



This bug was always here, but before my commit 6fa02839
("recheck for secure ports in fh_verify"), it could only be triggered by
failure of a kmalloc().  After that commit it could be triggered by a
client making a request from a non-reserved port for access to an export
marked "secure".  (Exports are "secure" by default.)

The result is a struct svc_export with a reference count one too low,
resulting in likely oopses next time the export is accessed.

The reference counting here is not straightforward; a later patch will
clean up fh_verify().

Thanks to Lukas Hejtmanek for the bug report and followup.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 9b89ca7a

fs/nfsd/nfsfh.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -232,6 +232,7 @@ fh_verify(struct svc_rqst rqstp, struct svc_fh fhp, int type, int access)
		fhp->fh_dentry = dentry;
		fhp->fh_export = exp;
		nfsd_nr_verified++;
		cache_get(&exp->h);
		} else {
		/*
		* just rechecking permissions
		@@ -241,6 +242,7 @@ fh_verify(struct svc_rqst rqstp, struct svc_fh fhp, int type, int access)
		dprintk("nfsd: fh_verify - just checking\n");
		dentry = fhp->fh_dentry;
		exp = fhp->fh_export;
		cache_get(&exp->h);
		/*
		* Set user creds for this exportpoint; necessary even
		* in the "just checking" case because this may be a
		@@ -252,8 +254,6 @@ fh_verify(struct svc_rqst rqstp, struct svc_fh fhp, int type, int access)
		if (error)
		goto out;
		}
		cache_get(&exp->h);


		error = nfsd_mode_check(rqstp, dentry->d_inode->i_mode, type);
		if (error)