This is a note to let you know that I've just added the patch titled
NFS: Fix a use after free in nfs_direct_join_group()
to the 6.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch
and it can be found in the queue-6.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From be2fd1560eb57b7298aa3c258ddcca0d53ecdea3 Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
Date: Tue, 8 Aug 2023 21:17:11 -0400
Subject: NFS: Fix a use after free in nfs_direct_join_group()
From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
commit be2fd1560eb57b7298aa3c258ddcca0d53ecdea3 upstream.
Be more careful when tearing down the subrequests of an O_DIRECT write
as part of a retransmission.
Reported-by: Chris Mason <clm@xxxxxx>
Fixes: ed5d588fe47f ("NFS: Try to join page groups before an O_DIRECT retransmission")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/nfs/direct.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -472,20 +472,26 @@ out:
return result;
}
-static void
-nfs_direct_join_group(struct list_head *list, struct inode *inode)
+static void nfs_direct_join_group(struct list_head *list, struct inode *inode)
{
- struct nfs_page *req, *next;
+ struct nfs_page *req, *subreq;
list_for_each_entry(req, list, wb_list) {
- if (req->wb_head != req || req->wb_this_page == req)
+ if (req->wb_head != req)
continue;
- for (next = req->wb_this_page;
- next != req->wb_head;
- next = next->wb_this_page) {
- nfs_list_remove_request(next);
- nfs_release_request(next);
- }
+ subreq = req->wb_this_page;
+ if (subreq == req)
+ continue;
+ do {
+ /*
+ * Remove subrequests from this list before freeing
+ * them in the call to nfs_join_page_group().
+ */
+ if (!list_empty(&subreq->wb_list)) {
+ nfs_list_remove_request(subreq);
+ nfs_release_request(subreq);
+ }
+ } while ((subreq = subreq->wb_this_page) != req);
nfs_join_page_group(req, inode);
}
}
Patches currently in stable-queue which might be from trond.myklebust@xxxxxxxxxxxxxxx are
queue-6.4/xprtrdma-remap-receive-buffers-after-a-reconnect.patch
queue-6.4/nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch
queue-6.4/nfsv4-fix-out-path-in-__nfs4_get_acl_uncached.patch
queue-6.4/nfsv4.2-fix-error-handling-in-nfs42_proc_getxattr.patch
queue-6.4/nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch
