much thanks to all! -- Gary On Wed, Dec 18, 2013 at 10:12 AM, <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > This is a note to let you know that I've just added the patch titled > > nfsd: when reusing an existing repcache entry, unhash it first > > to the 3.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary > > The filename of the patch is: > nfsd-when-reusing-an-existing-repcache-entry-unhash-it-first.patch > and it can be found in the queue-3.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable@xxxxxxxxxxxxxxx> know about it. > > > From 781c2a5a5f75eacc04663aced0f0f1a648d4f308 Mon Sep 17 00:00:00 2001 > From: Jeff Layton <jlayton@xxxxxxxxxx> > Date: Mon, 2 Dec 2013 15:26:19 -0500 > Subject: nfsd: when reusing an existing repcache entry, unhash it first > > From: Jeff Layton <jlayton@xxxxxxxxxx> > > commit 781c2a5a5f75eacc04663aced0f0f1a648d4f308 upstream. > > The DRC code will attempt to reuse an existing, expired cache entry in > preference to allocating a new one. It'll then search the cache, and if > it gets a hit it'll then free the cache entry that it was going to > reuse. > > The cache code doesn't unhash the entry that it's going to reuse > however, so it's possible for it end up designating an entry for reuse > and then subsequently freeing the same entry after it finds it. This > leads it to a later use-after-free situation and usually some list > corruption warnings or an oops. > > Fix this by simply unhashing the entry that we intend to reuse. That > will mean that it's not findable via a search and should prevent this > situation from occurring. > > Reported-by: Christoph Hellwig <hch@xxxxxxxxxxxxx> > Reported-by: g. artim <gartim@xxxxxxxxx> > Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx> > Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx> 
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > --- > fs/nfsd/nfscache.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > --- a/fs/nfsd/nfscache.c > +++ b/fs/nfsd/nfscache.c > @@ -132,6 +132,13 @@ nfsd_reply_cache_alloc(void) > } > > static void > +nfsd_reply_cache_unhash(struct svc_cacherep *rp) > +{ > + hlist_del_init(&rp->c_hash); > + list_del_init(&rp->c_lru); > +} > + > +static void > nfsd_reply_cache_free_locked(struct svc_cacherep *rp) > { > if (rp->c_type == RC_REPLBUFF && rp->c_replvec.iov_base) { > @@ -417,7 +424,7 @@ nfsd_cache_lookup(struct svc_rqst *rqstp > rp = list_first_entry(&lru_head, struct svc_cacherep, c_lru); > if (nfsd_cache_entry_expired(rp) || > num_drc_entries >= max_drc_entries) { > - lru_put_end(rp); > + nfsd_reply_cache_unhash(rp); > prune_cache_entries(); > goto search_cache; > } > > > Patches currently in stable-queue which might be from jlayton@xxxxxxxxxx are > > queue-3.12/nfsd-when-reusing-an-existing-repcache-entry-unhash-it-first.patch
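Review bot: the new nfsd_reply_cache_unhash() helper in the first hunk (@@ -132) unlinks the entry from both the hash chain and the LRU list but carries no locking marker, while the function directly below it is named nfsd_reply_cache_free_locked() precisely to tell callers that the cache lock must already be held. Suggest giving the helper the same `_locked` suffix or a one-line comment stating the lock requirement, so a later caller cannot unhash an entry without the lock and race the lookup path. On the positive side, using hlist_del_init() and list_del_init() rather than the plain *_del() variants leaves both nodes re-initialised, so an entry that is unhashed here and later handed to nfsd_reply_cache_free_locked() does not suffer a second, corrupting list removal.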
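Review bot: in the second hunk (@@ -417), swapping lru_put_end(rp) for nfsd_reply_cache_unhash(rp) is what actually closes the use-after-free from the commit message: once rp is off the hash chain and the LRU, prune_cache_entries() cannot free it and the search reached via `goto search_cache` cannot return it, so the same entry can no longer be both designated for reuse and freed as a hit. The hunk does not show the code after the search_cache label, so confirm that both outcomes handle the now-unlinked rp: on a miss it has to be re-inserted into the hash and LRU (list_del_init() left c_lru empty, so the old lru_put_end() behaviour has to happen later), and on a hit it has to be freed rather than abandoned, otherwise the entry leaks and num_drc_entries stays inflated. Note also that the `num_drc_entries >= max_drc_entries` branch now unhashes a non-expired entry when the cache is full; that is fine as long as the count is only adjusted when the entry is freed or re-added, not at this unhash point.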