linux-IllusionX/fs/nfsd
Olga Kornievskaia 7ca9e472ce nfsd: fix possible badness in FREE_STATEID
[ Upstream commit c88c150a467fcb670a1608e2272beeee3e86df6e ]

When multiple FREE_STATEIDs are sent for the same delegation stateid,
it can lead to either a possible use-after-free or counter refcount
underflow errors.

In nfsd4_free_stateid() under the client lock we find a delegation
stateid, however the code drops the lock before calling nfs4_put_stid(),
which allows another FREE_STATE to find the stateid again. The first one
will then proceed to free the stateid, which leads to either a
use-after-free or decrementing an already zeroed counter.

Fixes: 3f29cc82a8 ("nfsd: split sc_status out of sc_type")
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-10-17 15:26:46 +02:00
..
acl.h
auth.c
auth.h
blocklayout.c
blocklayoutxdr.c
blocklayoutxdr.h
cache.h
current_stateid.h
export.c
export.h
filecache.c NFSD: Mark filecache "down" if init fails 2024-10-17 15:26:42 +02:00
filecache.h
flexfilelayout.c
flexfilelayoutxdr.c
flexfilelayoutxdr.h
idmap.h
Kconfig
lockd.c
Makefile
netlink.c
netlink.h
netns.h NFSD: Limit the number of concurrent async COPY operations 2024-10-10 12:04:14 +02:00
nfs2acl.c
nfs3acl.c
nfs3proc.c
nfs3xdr.c
nfs4acl.c
nfs4callback.c
nfs4idmap.c
nfs4layouts.c
nfs4proc.c NFSD: Limit the number of concurrent async COPY operations 2024-10-10 12:04:14 +02:00
nfs4recover.c
nfs4state.c nfsd: fix possible badness in FREE_STATEID 2024-10-17 15:26:46 +02:00
nfs4xdr.c
nfscache.c
nfsctl.c
nfsd.h
nfsfh.c
nfsfh.h
nfsproc.c
nfssvc.c nfsd: nfsd_destroy_serv() must call svc_destroy() even if nfsd_startup_net() failed 2024-10-17 15:26:42 +02:00
nfsxdr.c
pnfs.h
state.h
stats.c
stats.h
trace.c
trace.h
vfs.c
vfs.h
xdr.h
xdr3.h
xdr4.h NFSD: Limit the number of concurrent async COPY operations 2024-10-10 12:04:14 +02:00
xdr4cb.h