git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jeff Layton <jlayton@kernel.org>
	Wed, 4 Jun 2025 16:01:10 +0000 (12:01 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 28 Aug 2025 14:28:11 +0000 (16:28 +0200)
commit	d71abd1ae4e0413707cd42b10c24a11d1aa71772
tree	0f9eadfd3481ddf92059e6f18285cd30e69e1d14	tree
parent	3b53dc1c641f2884d4750fc25aaf6c36b90db606	commit \| diff

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

commit 908e4ead7f757504d8b345452730636e298cbf68 upstream.

Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.

Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.

In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().

Reported-by: lei lu <llfamsec@gmail.com>
Closes: https://lore.kernel.org/linux-nfs/CAEBF3_b=UvqzNKdnfD_52L05Mqrqui9vZ2eFamgAbV0WG+FNWQ@mail.gmail.com/
Fixes: d20c11d86d8f ("nfsd: Protect session creation and client confirm using client_lock")
Cc: stable@vger.kernel.org
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>