On Mon, 19 Feb 2024, Fedor Pchelkin wrote:
> Hello Aleksandr,
>
> On 24/02/16 04:45PM, Aleksandr Burakov wrote:
> > Dynamic memory, referenced by 'princhash.data' and 'name.data',
> > is allocated by calling function 'memdup_user' and lost
> > at __cld_pipe_inprogress_downcall() function return
>
> It is not actually lost. If nfs4_client_to_reclaim() fails and thus
> returns NULL - this error case is already properly handled.
>
> If nfs4_client_to_reclaim() succeeds then reference to the memory in
> question is passed to crp->cr_name.data and crp->cr_princhash.data
> correspondingly, and crp->cr_strhash entry is added to the list associated
> with nfsd_net. In this case the memory is supposed to be freed by
> nfs4_remove_reclaim_record(). See comment for nfs4_client_to_reclaim().
>
> So I think the patch just introduces a double-free.
Agreed - this patch is incorrect.
Thanks,
NeilBrown
>
> >
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >
> > Fixes: 11a60d159259 ("nfsd: add a "GetVersion" upcall for nfsdcld")
> > Signed-off-by: Aleksandr Burakov <a.burakov@xxxxxxxxxxxx>
> > ---
> > fs/nfsd/nfs4recover.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> > index 2c060e0b1604..02663484782d 100644
> > --- a/fs/nfsd/nfs4recover.c
> > +++ b/fs/nfsd/nfs4recover.c
> > @@ -850,6 +850,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> > kfree(princhash.data);
> > return -EFAULT;
> > }
> > + kfree(name.data);
> > + kfree(princhash.data);
> > return nn->client_tracking_ops->msglen;
> > }
> > return -EFAULT;
> > --
> > 2.25.1
>
> --
> Fedor
>
>
