Hello Aleksandr,

On 24/02/16 04:45PM, Aleksandr Burakov wrote:
> Dynamic memory, referenced by 'princhash.data' and 'name.data',
> is allocated by calling function 'memdup_user' and lost
> at __cld_pipe_inprogress_downcall() function return

It is not actually lost.

If nfs4_client_to_reclaim() fails and thus returns NULL - this error case
is already properly handled.

If nfs4_client_to_reclaim() succeeds then the reference to the memory in
question is passed to crp->cr_name.data and crp->cr_princhash.data
correspondingly, and the crp->cr_strhash entry is added to the list
associated with nfsd_net. In this case the memory is supposed to be freed
by nfs4_remove_reclaim_record(). See the comment for
nfs4_client_to_reclaim().

So I think the patch just introduces a double-free.

>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 11a60d159259 ("nfsd: add a "GetVersion" upcall for nfsdcld")
> Signed-off-by: Aleksandr Burakov <a.burakov@xxxxxxxxxxxx>
> ---
> fs/nfsd/nfs4recover.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> index 2c060e0b1604..02663484782d 100644
> --- a/fs/nfsd/nfs4recover.c
> +++ b/fs/nfsd/nfs4recover.c
> @@ -850,6 +850,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> kfree(princhash.data);
> return -EFAULT;
> }
> + kfree(name.data);
> + kfree(princhash.data);
> return nn->client_tracking_ops->msglen;
> }
> return -EFAULT;
> --
> 2.25.1

--
Fedor
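Review bot: the two added kfree() calls in the @@ -850 hunk sit on the success path, after the `kfree(princhash.data); return -EFAULT;` failure branch has already been taken care of, so at that point nfs4_client_to_reclaim() has succeeded and, as the reply above states, name.data and princhash.data are now owned by the reclaim record via crp->cr_name.data and crp->cr_princhash.data and are released later by nfs4_remove_reclaim_record(). Freeing them here leaves dangling pointers in the record that is still on the nfsd_net list (a use-after-free on any later lookup) and a double free when the record is removed; the patch should be dropped rather than merged, and the Fixes: tag pointing at 11a60d159259 is therefore also wrong. If the SVACE report is to be addressed, the right change is to make the ownership transfer explicit for the tool, for example by setting `name.data = NULL; princhash.data = NULL;` once the pointers have been handed to crp, or by adding a comment at the success return noting that the buffers are freed in nfs4_remove_reclaim_record(). A quick way to confirm before resending: run an nfsdcld reclaim/remove cycle under KASAN with the patch applied and check for a double-free report from nfs4_remove_reclaim_record().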