In the reclaim process, there may be a situation where all files are closed and the file system is unmounted, which will result in the release of nfs_server. This will trigger a UAF in nfs4_put_open_state when the count of nfs4_state is decremented to zero, because the freed nfs_server will be accessed when evicting the inode. Maintain the nfs_server throughout the entire reclaim process by adding nfs_sb_active and nfs_sb_deactive to fix it.

Signed-off-by: Li Lingfeng <lilingfeng3@xxxxxxxxxx>
---
v1->v2: Get reference counting inside the lock's protection.

 fs/nfs/nfs4state.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index dafd61186557..acf608957f57 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1935,6 +1935,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov continue; if (!atomic_inc_not_zero(&sp->so_count)) continue; + if (!(server->super && nfs_sb_active(server->super))) { + spin_unlock(&clp->cl_lock); + rcu_read_unlock(); + nfs4_put_state_owner(sp); + goto restart; + } spin_unlock(&clp->cl_lock); rcu_read_unlock();
@@ -1947,10 +1953,12 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov nfs4_put_state_owner(sp); status = nfs4_recovery_handle_error(clp, status); nfs4_free_state_owners(&freeme); + nfs_sb_deactive(server->super); return (status != 0) ? status : -EAGAIN; } nfs4_put_state_owner(sp); + nfs_sb_deactive(server->super); goto restart; } spin_unlock(&clp->cl_lock);
-- 
2.31.1
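Review bot: in the first hunk, the new failure branch "if (!(server->super && nfs_sb_active(server->super)))" drops the state-owner reference and jumps to restart without recording anything for that owner, so an owner whose superblock can no longer be pinned (or whose server has no super attached yet) is silently skipped for this reclaim pass rather than retried; the hunk does not show whether the per-owner reclaim flag the loop consumed before reaching this point is put back, so please either restore it the way the existing error path does or state in the commit message that skipping is intended because the superblock is going away. The ordering itself looks right: so_count is taken first, the sb reference is attempted under the same locks (the v2 change), and on failure the locks are released before nfs4_put_state_owner(sp) exactly as the existing code does below, but a short comment explaining why a failed nfs_sb_active means "this mount is being torn down, nothing to reclaim" would save the next reader from re-deriving it.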
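Review bot: in the second hunk, both added nfs_sb_deactive(server->super) calls sit after nfs4_put_state_owner(sp), which is the correct order (that put is what can drop the last nfs4_state and reach nfs4_put_open_state, so the superblock must still be pinned at that point), but the consequence should be spelled out in the commit message: if this thread ends up holding the last active reference, nfs_sb_deactive will tear the superblock down synchronously on the state-manager thread, in the middle of nfs4_do_reclaim, and on the error path it does so before "return (status != 0) ? status : -EAGAIN;" hands the status back to recovery. Please confirm that nothing in that teardown path waits on the state manager itself (which would self-deadlock) and that running unmount work from this context is acceptable; if not, the deactivation needs to be deferred rather than done inline. Also, server is dereferenced here after rcu_read_unlock() has already been called in the context above, which is only safe because the sb reference taken in the first hunk keeps the nfs_server alive; a one-line comment above the deactive calls pointing at that dependency would help.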