Thread (4 messages) 4 messages, 2 authors, 2023-01-24

[PATCH 1/1] NFSD: fix problems with cleanup on errors in nfsd4_copy

From: Dai Ngo <dai.ngo@oracle.com>
Date: 2023-01-24 05:32:48
Subsystem: filesystems (vfs and infrastructure), kernel nfsd, sunrpc, and lockd servers, the rest · Maintainers: Alexander Viro, Christian Brauner, Chuck Lever, Jeff Layton, Linus Torvalds

When nfsd4_copy fails to allocate memory for async_copy->cp_src, or
nfs4_init_copy_state fails, it calls cleanup_async_copy to do the
cleanup for the async_copy which causes a page fault since async_copy
is not yet initialized.

This patch sets async_copy to NULL to skip cleanup_async_copy
if async_copy is not yet initialized.

Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
Fixes: 87689df69491 ("NFSD: Shrink size of struct nfsd4_copy")
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
---
 fs/nfsd/nfs4proc.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 3b73e4d342bf..b4e7e18e1761 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1688,7 +1688,8 @@ static void cleanup_async_copy(struct nfsd4_copy *copy)
 	if (!nfsd4_ssc_is_inter(copy))
 		nfsd_file_put(copy->nf_src);
 	spin_lock(&copy->cp_clp->async_lock);
-	list_del(&copy->copies);
+	if (!list_empty(&copy->copies))
+		list_del(&copy->copies);
 	spin_unlock(&copy->cp_clp->async_lock);
 	nfs4_put_copy(copy);
 }
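Review bot: the `if (!list_empty(&copy->copies))` guard only distinguishes "never linked" from "linked" when the node was initialized with INIT_LIST_HEAD and has not been removed with a plain `list_del` elsewhere, because `list_del` leaves the entry poisoned rather than empty, so `list_empty` on an already-deleted node is not a safe "was it unlinked" test. If the entry can be removed on another path before cleanup_async_copy runs, that path should use `list_del_init` so this check stays meaningful. The commit message should also state which caller still reaches cleanup_async_copy with an unlinked copy now that the second hunk skips the cleanup entirely on the early allocation failures, since it is not obvious from this hunk which case the guard protects.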
@@ -1789,9 +1790,15 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 			goto out_err;
 		async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL);
 		if (!async_copy->cp_src)
+			goto no_mem;
+		if (!nfs4_init_copy_state(nn, copy)) {
+			kfree(async_copy->cp_src);
+no_mem:
+			kfree(async_copy);
+			async_copy = NULL;
 			goto out_err;
-		if (!nfs4_init_copy_state(nn, copy))
-			goto out_err;
+		}
+		INIT_LIST_HEAD(&async_copy->copies);
 		refcount_set(&async_copy->refcount, 1);
 		memcpy(&copy->cp_res.cb_stateid, &copy->cp_stateid.cs_stid,
 			sizeof(copy->cp_res.cb_stateid));
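Review bot: placing the `no_mem:` label inside the body of the `if (!nfs4_init_copy_state(nn, copy))` block and jumping into it from the `if (!async_copy->cp_src)` test is legal C but hard to read and is the kind of construct checkpatch and reviewers tend to push back on; a clearer shape is a single error path, e.g. move the `kfree(async_copy); async_copy = NULL;` pair to a label after `out_err` or into a small helper, and have the cp_src failure jump there directly while the init_copy_state failure frees cp_src first. Whether `async_copy = NULL` actually skips the cleanup depends on `out_err` checking for NULL before calling cleanup_async_copy, which is outside this hunk and worth a sentence in the commit message. The ordering is otherwise consistent with the first hunk: INIT_LIST_HEAD(&async_copy->copies) runs before any path that can later reach the `list_empty` check.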
-- 
2.9.5