linux-hardened/fs/nfsd
Harshula Jayasuriya e4daf1ffbe nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file
The following call chain:
------------------------------------------------------------
nfs4_get_vfs_file
- nfsd_open
  - dentry_open
    - do_dentry_open
      - __get_file_write_access
        - get_write_access
          - return atomic_inc_unless_negative(&inode->i_writecount) ? 0 : -ETXTBSY;
------------------------------------------------------------

can result in the following state:
------------------------------------------------------------
struct nfs4_file {
...
  fi_fds = {0xffff880c1fa65c80, 0xffffffffffffffe6, 0x0},
  fi_access = {{
      counter = 0x1
    }, {
      counter = 0x0
    }},
...
------------------------------------------------------------

1) First time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
NULL, hence nfsd_open() is called where we get status set to an error
and fp->fi_fds[O_WRONLY] to -ETXTBSY. Thus we do not reach
nfs4_file_get_access() and fi_access[O_WRONLY] is not incremented.

2) Second time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
NOT NULL (-ETXTBSY), so nfsd_open() is NOT called, but
nfs4_file_get_access() IS called and fi_access[O_WRONLY] is incremented.
Thus we leave a landmine in the form of the nfs4_file data structure in
an incorrect state.

3) Eventually, when __nfs4_file_put_access() is called it finds
fi_access[O_WRONLY] being non-zero, it decrements it and calls
nfs4_file_put_fd() which tries to fput -ETXTBSY.
------------------------------------------------------------
...
     [exception RIP: fput+0x9]
     RIP: ffffffff81177fa9  RSP: ffff88062e365c90  RFLAGS: 00010282
     RAX: ffff880c2b3d99cc  RBX: ffff880c2b3d9978  RCX: 0000000000000002
     RDX: dead000000100101  RSI: 0000000000000001  RDI: ffffffffffffffe6
     RBP: ffff88062e365c90   R8: ffff88041fe797d8   R9: ffff88062e365d58
     R10: 0000000000000008  R11: 0000000000000000  R12: 0000000000000001
     R13: 0000000000000007  R14: 0000000000000000  R15: 0000000000000000
     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
  #9 [ffff88062e365c98] __nfs4_file_put_access at ffffffffa0562334 [nfsd]
 #10 [ffff88062e365cc8] nfs4_file_put_access at ffffffffa05623ab [nfsd]
 #11 [ffff88062e365ce8] free_generic_stateid at ffffffffa056634d [nfsd]
 #12 [ffff88062e365d18] release_open_stateid at ffffffffa0566e4b [nfsd]
 #13 [ffff88062e365d38] nfsd4_close at ffffffffa0567401 [nfsd]
 #14 [ffff88062e365d88] nfsd4_proc_compound at ffffffffa0557f28 [nfsd]
 #15 [ffff88062e365dd8] nfsd_dispatch at ffffffffa054543e [nfsd]
 #16 [ffff88062e365e18] svc_process_common at ffffffffa04ba5a4 [sunrpc]
 #17 [ffff88062e365e98] svc_process at ffffffffa04babe0 [sunrpc]
 #18 [ffff88062e365eb8] nfsd at ffffffffa0545b62 [nfsd]
 #19 [ffff88062e365ee8] kthread at ffffffff81090886
 #20 [ffff88062e365f48] kernel_thread at ffffffff8100c14a
------------------------------------------------------------

Cc: stable@vger.kernel.org
Signed-off-by: Harshula Jayasuriya <harshula@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2013-07-23 12:15:32 -04:00
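The failure sequence in the commit message above, reduced to a userspace model (an added illustration, not the kernel's code: `model_dentry_open`, `nfs4_get_vfs_file_model`, `nfs4_file_put_access_model` and `run_scenario` are simplified stand-ins for the real functions, and the "busy text" inode is a constructed input). The kernel encodes errors returned through pointers as `ERR_PTR(-errno)`; `ETXTBSY` is 26, so `ERR_PTR(-ETXTBSY)` is `0xffffffffffffffe6` on a 64-bit kernel, which is exactly the value sitting in `fi_fds[O_WRONLY]` and in `RDI` at the `fput` crash above. The model shows why a NULL check on a cached pointer lets that value through, and how the fix (never store anything but a real `struct file` in `*filp`) keeps the access counter consistent:

```c
/* Userspace model of the nfsd_open()/nfs4_get_vfs_file() bug described in
 * the commit message.  Added illustration only: structs, helpers and the
 * failing open are simplified stand-ins for the kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Kernel-style error-pointer encoding: the top MAX_ERRNO addresses carry
 * a negative errno instead of a valid object. */
#define MAX_ERRNO 4095
#define ERR_PTR(err)  ((void *)(long)(err))
#define PTR_ERR(ptr)  ((long)(ptr))
#define IS_ERR(ptr)   ((unsigned long)(ptr) >= (unsigned long)-MAX_ERRNO)

enum { O_RDONLY_IDX = 0, O_WRONLY_IDX = 1, O_RDWR_IDX = 2 };

struct file  { int dummy; };          /* stand-in for struct file */
struct inode { int i_writecount; };   /* negative: inode is being executed */

struct nfs4_file {
    struct file *fi_fds[3];           /* cached open files per access mode */
    int fi_access[2];                 /* reference counts per access mode */
};

/* Stand-in for dentry_open(): get_write_access() fails with -ETXTBSY when
 * i_writecount is negative, i.e. the file is running as a program. */
static struct file *model_dentry_open(struct inode *ino, int idx, struct file *f)
{
    if (idx != O_RDONLY_IDX && ino->i_writecount < 0)
        return ERR_PTR(-ETXTBSY);
    return f;
}

/* Buggy nfsd_open(): whatever dentry_open() returned lands in *filp,
 * error pointers included, even though the error status is also returned. */
static int nfsd_open_buggy(struct inode *ino, int idx, struct file *f, struct file **filp)
{
    *filp = model_dentry_open(ino, idx, f);
    return IS_ERR(*filp) ? (int)PTR_ERR(*filp) : 0;
}

/* Fixed nfsd_open(): only a real struct file is ever stored in *filp. */
static int nfsd_open_fixed(struct inode *ino, int idx, struct file *f, struct file **filp)
{
    struct file *file = model_dentry_open(ino, idx, f);
    if (IS_ERR(file))
        return (int)PTR_ERR(file);
    *filp = file;
    return 0;
}

typedef int (*open_fn)(struct inode *, int, struct file *, struct file **);

/* Model of nfs4_get_vfs_file(): open only when the slot is NULL, then take
 * an access reference.  The NULL test is what an error pointer slips past. */
static int nfs4_get_vfs_file_model(struct nfs4_file *fp, struct inode *ino,
                                   int idx, struct file *f, open_fn open)
{
    int status = 0;
    if (!fp->fi_fds[idx])
        status = open(ino, idx, f, &fp->fi_fds[idx]);
    if (status)
        return status;
    fp->fi_access[idx]++;             /* nfs4_file_get_access() */
    return 0;
}

/* Model of __nfs4_file_put_access(): returns the pointer that would be
 * handed to fput() when the last reference drops, NULL otherwise. */
static struct file *nfs4_file_put_access_model(struct nfs4_file *fp, int idx)
{
    if (fp->fi_access[idx] == 0)
        return NULL;
    if (--fp->fi_access[idx] == 0) {
        struct file *victim = fp->fi_fds[idx];
        fp->fi_fds[idx] = NULL;
        return victim;                /* fput(victim) happens here */
    }
    return NULL;
}

/* Steps 1) to 3) of the commit message against a constructed busy inode. */
static struct file *run_scenario(open_fn open, int *access_after)
{
    static struct file real_file;
    struct inode busy = { .i_writecount = -1 };
    struct nfs4_file fp = { {0}, {0} };

    nfs4_get_vfs_file_model(&fp, &busy, O_WRONLY_IDX, &real_file, open); /* 1) */
    nfs4_get_vfs_file_model(&fp, &busy, O_WRONLY_IDX, &real_file, open); /* 2) */
    *access_after = fp.fi_access[O_WRONLY_IDX];
    return nfs4_file_put_access_model(&fp, O_WRONLY_IDX);                /* 3) */
}

/* Probes: errno fput() would be handed (0 if it gets a sane pointer), and
 * the access count left behind after the two open attempts. */
static long scenario_fput_errno(open_fn open)
{
    int acc;
    struct file *v = run_scenario(open, &acc);
    return IS_ERR(v) ? -PTR_ERR(v) : 0;
}

static int scenario_access_after(open_fn open)
{
    int acc;
    run_scenario(open, &acc);
    return acc;
}

int main(void)
{
    printf("buggy: fi_access[O_WRONLY]=%d, fput() would get errno %ld (%p)\n",
           scenario_access_after(nfsd_open_buggy),
           scenario_fput_errno(nfsd_open_buggy), ERR_PTR(-ETXTBSY));
    printf("fixed: fi_access[O_WRONLY]=%d, fput() would get errno %ld\n",
           scenario_access_after(nfsd_open_fixed),
           scenario_fput_errno(nfsd_open_fixed));
    return 0;
}
```

With the buggy open the second call never re-opens, takes a reference on an error pointer, and the eventual put hands `fput()` the value `-ETXTBSY`; with the fixed open every call fails cleanly, the slot stays NULL and `fi_access[O_WRONLY]` never moves. The general lesson is the one the commit title states: a function that reports failure through a status code must not also leave an `ERR_PTR` in an output pointer that callers test only against NULL.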
acl.h nfsd: Remove declaration of nonexistent nfs4_acl_permisison 2013-02-13 06:15:35 -08:00
auth.c nfsd: Properly compare and initialize kuids and kgids 2013-02-13 06:16:09 -08:00
auth.h nfsd: Remove nfsd_luid, nfsd_lgid, nfsd_ruid and nfsd_rgid 2013-02-13 06:15:51 -08:00
cache.h nfsd: add new reply_cache_stats file in nfsdfs 2013-04-03 11:47:24 -04:00
current_stateid.h nfsd41: use current stateid by value 2012-02-15 11:20:45 -05:00
export.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
fault_inject.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
idmap.h nfsd: Convert idmap to use kuids and kgids 2013-02-13 06:15:49 -08:00
Kconfig NFSD: Server implementation of MAC Labeling 2013-05-15 09:27:02 -04:00
lockd.c nfsd: Remove deprecated nfsctl system call and related code. 2011-07-15 18:58:42 -04:00
Makefile NFSD: Added fault injection 2011-11-07 21:10:47 -05:00
netns.h nfsd4: make del_recall_lru per-network-namespace 2013-04-04 13:25:16 -04:00
nfs2acl.c nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00
nfs3acl.c nfsd4: cleanup: replace rq_resused count by rq_next_page pointer 2012-12-17 22:00:16 -05:00
nfs3proc.c switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
nfs3xdr.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
nfs4acl.c nfsd: Handle kuids and kgids in the nfs4acl to posix_acl conversion 2013-02-13 06:16:06 -08:00
nfs4callback.c nfsd4: check backchannel attributes on create_session 2013-04-09 16:53:56 -04:00
nfs4idmap.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
nfs4proc.c nfsd4: fix minorversion support interface 2013-07-12 16:48:52 -04:00
nfs4recover.c [readdir] constify ->actor 2013-06-29 12:57:05 +04:00
nfs4state.c Merge branch 'for-3.11' of git://linux-nfs.org/~bfields/linux 2013-07-11 10:17:13 -07:00
nfs4xdr.c nfsd4: allow destroy_session over destroyed session 2013-07-08 19:46:38 -04:00
nfscache.c nfsd: make symbol nfsd_reply_cache_shrinker static 2013-04-30 18:19:34 -04:00
nfsctl.c Merge branch 'for-3.10' of git://linux-nfs.org/~bfields/linux 2013-05-03 10:59:39 -07:00
nfsd.h nfsd4: fix minorversion support interface 2013-07-12 16:48:52 -04:00
nfsfh.c exportfs: add FILEID_INVALID to indicate invalid fid_type 2012-11-07 19:22:30 -05:00
nfsfh.h fs: propagate umode_t, misc bits 2012-01-03 22:55:10 -05:00
nfsproc.c switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
nfssvc.c nfsd4: fix minorversion support interface 2013-07-12 16:48:52 -04:00
nfsxdr.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
state.h nfsd4: implement minimal SP4_MACH_CRED 2013-07-01 17:23:06 -04:00
stats.c SUNRPC: register service stats /proc entries in passed network namespace context 2012-01-31 19:28:18 -05:00
vfs.c nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file 2013-07-23 12:15:32 -04:00
vfs.h NFSD: Server implementation of MAC Labeling 2013-05-15 09:27:02 -04:00
xdr.h nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00
xdr3.h nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00
xdr4.h NFSD: Server implementation of MAC Labeling 2013-05-15 09:27:02 -04:00
xdr4cb.h nfsd4: check backchannel attributes on create_session 2013-04-09 16:53:56 -04:00