Patch "NFSv4.2: Fix a potential double free with READ_PLUS" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    NFSv4.2: Fix a potential double free with READ_PLUS

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsv4.2-fix-a-potential-double-free-with-read_plus.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 43439d858bbae244a510de47f9a55f667ca4ed52 Mon Sep 17 00:00:00 2001
From: Anna Schumaker <Anna.Schumaker@xxxxxxxxxx>
Date: Tue, 16 May 2023 11:19:25 -0400
Subject: NFSv4.2: Fix a potential double free with READ_PLUS

From: Anna Schumaker <Anna.Schumaker@xxxxxxxxxx>

commit 43439d858bbae244a510de47f9a55f667ca4ed52 upstream.

kfree()-ing the scratch page isn't enough, we also need to set the pointer
back to NULL to avoid a double-free in the case of a resend.

Fixes: fbd2a05f29a9 (NFSv4.2: Rework scratch handling for READ_PLUS)
Signed-off-by: Anna Schumaker <Anna.Schumaker@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/nfs/nfs4proc.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5444,10 +5444,18 @@ static bool nfs4_read_plus_not_supported
 	return false;
 }
 
-static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
+static inline void nfs4_read_plus_scratch_free(struct nfs_pgio_header *hdr)
 {
-	if (hdr->res.scratch)
+	if (hdr->res.scratch) {
 		kfree(hdr->res.scratch);
+		hdr->res.scratch = NULL;
+	}
+}
+
+static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
+{
+	nfs4_read_plus_scratch_free(hdr);
+
 	if (!nfs4_sequence_done(task, &hdr->res.seq_res))
 		return -EAGAIN;
 	if (nfs4_read_stateid_changed(task, &hdr->args))
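Review bot: the `if (hdr->res.scratch)` guard in nfs4_read_plus_scratch_free() is redundant, because kfree(NULL) is a no-op; the helper body can be just `kfree(hdr->res.scratch);` followed by `hdr->res.scratch = NULL;`. The reset is what matters here: the free runs before the `return -EAGAIN` path in nfs4_read_done(), so the same hdr can come back through this function on a resend, and a short comment in the helper stating that would keep the NULL assignment from being dropped as dead code later. The hunk does not show where scratch is allocated, so it is worth confirming that the resend path either reallocates it or tolerates a NULL scratch pointer. Minor style point: `static inline` in a .c file is usually left as plain `static` so the compiler decides.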


Patches currently in stable-queue which might be from Anna.Schumaker@xxxxxxxxxx are

queue-6.1/pnfs-fix-assignment-of-xprtdata.cred.patch
queue-6.1/nfsv4.2-fix-a-potential-double-free-with-read_plus.patch
queue-6.1/nfs-guard-against-readdir-loop-when-entry-names-exce.patch
queue-6.1/nfs-blocklayout-use-the-passed-in-gfp-flags.patch
queue-6.1/nfsv4.2-fix-handling-of-copy-err_offload_no_req.patch
queue-6.1/nfsv4.2-fix-up-read_plus-alignment.patch
queue-6.1/nfsv4.2-fix-read_plus-size-calculations.patch
queue-6.1/nfsv4.2-fix-read_plus-smatch-warnings.patch
queue-6.1/nfsv4.2-rework-scratch-handling-for-read_plus-again.patch
queue-6.1/nfsv4.2-rework-scratch-handling-for-read_plus.patch


