From: Sasha Levin Date: Sat, 22 Feb 2020 19:02:29 +0000 (-0500) Subject: Drop nfsd4-avoid-null-deference-on-strange-copy-compounds.patch X-Git-Tag: v4.19.106~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3504fe75c8a20f8e134224b33062207be6b02e7;p=thirdparty%2Fkernel%2Fstable-queue.git Drop nfsd4-avoid-null-deference-on-strange-copy-compounds.patch Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-4.14/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch deleted file mode 100644 index 80edae2758d..00000000000 --- a/queue-4.14/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From b712a5f9de40f05543043efe4c34eb17f4e23e35 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 16:07:32 -0500 -Subject: nfsd4: avoid NULL deference on strange COPY compounds - -From: J. Bruce Fields - -[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] - -With cross-server COPY we've introduced the possibility that the current -or saved filehandle might not have fh_dentry/fh_export filled in, but we -missed a place that assumed it was. I think this could be triggered by -a compound like: - - PUTFH(foreign filehandle) - GETATTR - SAVEFH - COPY - -First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. -Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. -need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE -set and GETATTR does not have OP_HANDLES_WRONGSEC set. - -We should probably also consider tightening the checks in -check_if_stalefh_allowed and double-checking that we don't assume the -filehandle is verified elsewhere in the compound. But I think this -fixes the immediate issue. - -Reported-by: Dan Carpenter -Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " -Signed-off-by: J. Bruce Fields -Signed-off-by: Sasha Levin ---- - fs/nfsd/nfs4proc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index ee765abad2efb..be42ea2603683 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -1798,7 +1798,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) - if (op->opdesc->op_flags & OP_CLEAR_STATEID) - clear_current_stateid(cstate); - -- if (need_wrongsec_check(rqstp)) -+ if (current_fh->fh_export && -+ need_wrongsec_check(rqstp)) - op->status = check_nfsd_access(current_fh->fh_export, rqstp); - } - encode_op: --- -2.20.1 - diff --git a/queue-4.14/series b/queue-4.14/series index 40f46861b27..4cb75d7fd55 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -31,7 +31,6 @@ revert-kvm-nvmx-use-correct-root-level-for-nested-ep.patch revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch kvm-nvmx-use-correct-root-level-for-nested-ept-shado.patch drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch -nfsd4-avoid-null-deference-on-strange-copy-compounds.patch cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch leds-pca963x-fix-open-drain-initialization.patch diff --git a/queue-4.19/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-4.19/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch deleted file mode 100644 index a85f73964cb..00000000000 --- a/queue-4.19/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 6681e19ad413b85811213e66a1a2e60f231bcda4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 16:07:32 -0500 -Subject: nfsd4: avoid NULL deference on strange COPY compounds - -From: J. Bruce Fields - -[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] - -With cross-server COPY we've introduced the possibility that the current -or saved filehandle might not have fh_dentry/fh_export filled in, but we -missed a place that assumed it was. I think this could be triggered by -a compound like: - - PUTFH(foreign filehandle) - GETATTR - SAVEFH - COPY - -First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. -Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. -need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE -set and GETATTR does not have OP_HANDLES_WRONGSEC set. - -We should probably also consider tightening the checks in -check_if_stalefh_allowed and double-checking that we don't assume the -filehandle is verified elsewhere in the compound. But I think this -fixes the immediate issue. - -Reported-by: Dan Carpenter -Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " -Signed-off-by: J. Bruce Fields -Signed-off-by: Sasha Levin ---- - fs/nfsd/nfs4proc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index f35aa9f88b5ec..895123518fd42 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -1789,7 +1789,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) - if (op->opdesc->op_flags & OP_CLEAR_STATEID) - clear_current_stateid(cstate); - -- if (need_wrongsec_check(rqstp)) -+ if (current_fh->fh_export && -+ need_wrongsec_check(rqstp)) - op->status = check_nfsd_access(current_fh->fh_export, rqstp); - } - encode_op: --- -2.20.1 - diff --git a/queue-4.19/series b/queue-4.19/series index 8b5500672a6..4453458a01a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -8,7 +8,6 @@ revert-kvm-nvmx-use-correct-root-level-for-nested-ep.patch revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch kvm-nvmx-use-correct-root-level-for-nested-ept-shado.patch drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch -nfsd4-avoid-null-deference-on-strange-copy-compounds.patch cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch leds-pca963x-fix-open-drain-initialization.patch diff --git a/queue-4.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-4.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch deleted file mode 100644 index a98da7a5f4b..00000000000 --- a/queue-4.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 1afcc98c1b35802dcf7854cf2b29e19c30416c86 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 16:07:32 -0500 -Subject: nfsd4: avoid NULL deference on strange COPY compounds - -From: J. Bruce Fields - -[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] - -With cross-server COPY we've introduced the possibility that the current -or saved filehandle might not have fh_dentry/fh_export filled in, but we -missed a place that assumed it was. I think this could be triggered by -a compound like: - - PUTFH(foreign filehandle) - GETATTR - SAVEFH - COPY - -First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. -Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. -need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE -set and GETATTR does not have OP_HANDLES_WRONGSEC set. - -We should probably also consider tightening the checks in -check_if_stalefh_allowed and double-checking that we don't assume the -filehandle is verified elsewhere in the compound. But I think this -fixes the immediate issue. - -Reported-by: Dan Carpenter -Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " -Signed-off-by: J. Bruce Fields -Signed-off-by: Sasha Levin ---- - fs/nfsd/nfs4proc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index c67064d94096b..0cb956d792f21 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -1704,7 +1704,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp, - if (opdesc->op_flags & OP_CLEAR_STATEID) - clear_current_stateid(cstate); - -- if (need_wrongsec_check(rqstp)) -+ if (current_fh->fh_export && -+ need_wrongsec_check(rqstp)) - op->status = check_nfsd_access(current_fh->fh_export, rqstp); - } - encode_op: --- -2.20.1 - diff --git a/queue-4.4/series b/queue-4.4/series index f167fd8ac3a..dda82ea2539 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -12,7 +12,6 @@ btrfs-print-message-when-tree-log-replay-starts.patch scsi-qla2xxx-fix-a-potential-null-pointer-dereference.patch revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch -nfsd4-avoid-null-deference-on-strange-copy-compounds.patch brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch diff --git a/queue-4.9/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-4.9/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch deleted file mode 100644 index 206bcb861e1..00000000000 --- a/queue-4.9/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From e0d4740dac290b43dd78e4d4d11d01092291209a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 16:07:32 -0500 -Subject: nfsd4: avoid NULL deference on strange COPY compounds - -From: J. Bruce Fields - -[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] - -With cross-server COPY we've introduced the possibility that the current -or saved filehandle might not have fh_dentry/fh_export filled in, but we -missed a place that assumed it was. I think this could be triggered by -a compound like: - - PUTFH(foreign filehandle) - GETATTR - SAVEFH - COPY - -First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. -Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. -need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE -set and GETATTR does not have OP_HANDLES_WRONGSEC set. - -We should probably also consider tightening the checks in -check_if_stalefh_allowed and double-checking that we don't assume the -filehandle is verified elsewhere in the compound. But I think this -fixes the immediate issue. - -Reported-by: Dan Carpenter -Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " -Signed-off-by: J. Bruce Fields -Signed-off-by: Sasha Levin ---- - fs/nfsd/nfs4proc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index 66985a6a7047b..33537bbb70b36 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -1800,7 +1800,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp, - if (opdesc->op_flags & OP_CLEAR_STATEID) - clear_current_stateid(cstate); - -- if (need_wrongsec_check(rqstp)) -+ if (current_fh->fh_export && -+ need_wrongsec_check(rqstp)) - op->status = check_nfsd_access(current_fh->fh_export, rqstp); - } - encode_op: --- -2.20.1 - diff --git a/queue-4.9/series b/queue-4.9/series index 700960cbc5b..34de7782c84 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -15,7 +15,6 @@ btrfs-print-message-when-tree-log-replay-starts.patch scsi-qla2xxx-fix-a-potential-null-pointer-dereference.patch revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch -nfsd4-avoid-null-deference-on-strange-copy-compounds.patch cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch diff --git a/queue-5.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-5.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch deleted file mode 100644 index bdcf02a3c5a..00000000000 --- a/queue-5.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 38711c854041bcd9ee879750c702d3ba598339ab Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 16:07:32 -0500 -Subject: nfsd4: avoid NULL deference on strange COPY compounds - -From: J. Bruce Fields - -[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] - -With cross-server COPY we've introduced the possibility that the current -or saved filehandle might not have fh_dentry/fh_export filled in, but we -missed a place that assumed it was. I think this could be triggered by -a compound like: - - PUTFH(foreign filehandle) - GETATTR - SAVEFH - COPY - -First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. -Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. -need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE -set and GETATTR does not have OP_HANDLES_WRONGSEC set. - -We should probably also consider tightening the checks in -check_if_stalefh_allowed and double-checking that we don't assume the -filehandle is verified elsewhere in the compound. But I think this -fixes the immediate issue. - -Reported-by: Dan Carpenter -Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " -Signed-off-by: J. Bruce Fields -Signed-off-by: Sasha Levin ---- - fs/nfsd/nfs4proc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index 4798667af647c..4d1d0bf8e385f 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -2025,7 +2025,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) - if (op->opdesc->op_flags & OP_CLEAR_STATEID) - clear_current_stateid(cstate); - -- if (need_wrongsec_check(rqstp)) -+ if (current_fh->fh_export && -+ need_wrongsec_check(rqstp)) - op->status = check_nfsd_access(current_fh->fh_export, rqstp); - } - encode_op: --- -2.20.1 - diff --git a/queue-5.4/series b/queue-5.4/series index 4cfefb00d85..2f07096b66e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -8,7 +8,6 @@ drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch ath10k-fix-qmi-init-error-handling.patch wil6210-fix-break-that-is-never-reached-because-of-z.patch drm-qxl-complete-exception-handling-in-qxl_device_in.patch -nfsd4-avoid-null-deference-on-strange-copy-compounds.patch rcu-nocb-fix-dump_tree-hierarchy-print-always-active.patch rcu-fix-missed-wakeup-of-exp_wq-waiters.patch rcu-fix-data-race-due-to-atomic_t-copy-by-value.patch diff --git a/queue-5.5/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-5.5/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch deleted file mode 100644 index 07d05cb81c3..00000000000 --- a/queue-5.5/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 37e01a00c2c8333af15909df4975045cc24ec2e0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 6 Dec 2019 16:07:32 -0500 -Subject: nfsd4: avoid NULL deference on strange COPY compounds - -From: J. Bruce Fields - -[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] - -With cross-server COPY we've introduced the possibility that the current -or saved filehandle might not have fh_dentry/fh_export filled in, but we -missed a place that assumed it was. I think this could be triggered by -a compound like: - - PUTFH(foreign filehandle) - GETATTR - SAVEFH - COPY - -First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. -Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. -need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE -set and GETATTR does not have OP_HANDLES_WRONGSEC set. - -We should probably also consider tightening the checks in -check_if_stalefh_allowed and double-checking that we don't assume the -filehandle is verified elsewhere in the compound. But I think this -fixes the immediate issue. - -Reported-by: Dan Carpenter -Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " -Signed-off-by: J. Bruce Fields -Signed-off-by: Sasha Levin ---- - fs/nfsd/nfs4proc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c -index 4798667af647c..4d1d0bf8e385f 100644 ---- a/fs/nfsd/nfs4proc.c -+++ b/fs/nfsd/nfs4proc.c -@@ -2025,7 +2025,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) - if (op->opdesc->op_flags & OP_CLEAR_STATEID) - clear_current_stateid(cstate); - -- if (need_wrongsec_check(rqstp)) -+ if (current_fh->fh_export && -+ need_wrongsec_check(rqstp)) - op->status = check_nfsd_access(current_fh->fh_export, rqstp); - } - encode_op: --- -2.20.1 - diff --git a/queue-5.5/series b/queue-5.5/series index ea7489367e1..40d6828df43 100644 --- a/queue-5.5/series +++ b/queue-5.5/series 
@@ -10,7 +10,6 @@ ath10k-fix-qmi-init-error-handling.patch wil6210-fix-break-that-is-never-reached-because-of-z.patch drm-virtio-fix-byteorder-handling-in-virtio_gpu_cmd_.patch drm-qxl-complete-exception-handling-in-qxl_device_in.patch -nfsd4-avoid-null-deference-on-strange-copy-compounds.patch rcu-nocb-fix-dump_tree-hierarchy-print-always-active.patch rcu-fix-missed-wakeup-of-exp_wq-waiters.patch rcu-fix-data-race-due-to-atomic_t-copy-by-value.patch
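Review bot: the commit message ("Drop nfsd4-avoid-null-deference-on-strange-copy-compounds.patch") gives no reason for removing the backport from all six queues (4.4, 4.9, 4.14, 4.19, 5.4, 5.5), and the dropped patch body itself is unchanged in every hunk, so nothing in the diff explains the decision. The dropped patch carries `Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... "` and its description says the NULL `fh_export` only becomes reachable "with cross-server COPY"; a one-line rationale stating whether that Fixes: commit is actually present in each of these trees (and, if it is in some of them, why the guard `if (current_fh->fh_export && need_wrongsec_check(rqstp))` is being withdrawn there too) would let a later reader tell an "AUTOSEL picked a fix for code this tree does not have" drop apart from a "the backport is wrong" drop. Also worth noting for the record: the 4.4 and 4.9 hunks use `opdesc->op_flags` in context while 4.14 and later use `op->opdesc->op_flags`, so the six copies were not byte-identical backports; if the patch is re-queued later, each tree's context needs rechecking rather than reusing one file.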