Patch "NFSv4: fix out path in __nfs4_get_acl_uncached" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    NFSv4: fix out path in __nfs4_get_acl_uncached

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsv4-fix-out-path-in-__nfs4_get_acl_uncached.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b44aaf8fe4a9ebef0b929a8a3144d7a6038e2596
Author: Fedor Pchelkin <pchelkin@xxxxxxxxx>
Date:   Tue Jul 25 14:59:30 2023 +0300

    NFSv4: fix out path in __nfs4_get_acl_uncached
    
    [ Upstream commit f4e89f1a6dab4c063fc1e823cc9dddc408ff40cf ]
    
    Another highly rare error case when a page allocating loop (inside
    __nfs4_get_acl_uncached, this time) is not properly unwound on error.
    Since pages array is allocated being uninitialized, need to free only
    lower array indices. NULL checks were useful before commit 62a1573fcf84
    ("NFSv4 fix acl retrieval over krb5i/krb5p mounts") when the array had
    been initialized to zero on stack.
    
    Found by Linux Verification Center (linuxtesting.org).
    
    Fixes: 62a1573fcf84 ("NFSv4 fix acl retrieval over krb5i/krb5p mounts")
    Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx>
    Reviewed-by: Benjamin Coddington <bcodding@xxxxxxxxxx>
    Signed-off-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index b9567cc8698ed..2d583bd378869 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5864,9 +5864,8 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
 out_ok:
 	ret = res.acl_len;
 out_free:
-	for (i = 0; i < npages; i++)
-		if (pages[i])
-			__free_page(pages[i]);
+	while (--i >= 0)
+		__free_page(pages[i]);
 	if (res.acl_scratch)
 		__free_page(res.acl_scratch);
 	kfree(pages);
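
Review bot: the new unwind at out_free, `while (--i >= 0)`, is correct only if `i` is a signed integer and still holds the number of pages successfully allocated on every path that reaches this label, including the fall-through from out_ok. Neither the declaration of `i` nor the allocation loop is visible in this hunk, so it is worth confirming that `i` is not unsigned (the condition would then never become false and the loop would index outside `pages`) and that nothing reuses `i` between the allocation loop and these labels. A short comment above the loop stating that only indices below `i` were ever populated, because the array is no longer zero-initialized, would keep a later cleanup from restoring the `npages` bound and the NULL check.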


