NFS Client Bugfixes for Linux 6.4-rc

Stable Fix:
   * Don't change task->tk_status after the call to rpc_exit_task
 
 Other Bugfixes:
   * Convert kmap_atomic() to kmap_local_folio()
   * Fix a potential double free with READ_PLUS
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEnZ5MQTpR7cLU7KEp18tUv7ClQOsFAmRrttUACgkQ18tUv7Cl
 QOuhaA//QFHklXZk/vCkQnNQMYWL11GJliWawLoDfcZal6uQ/a2QCQV1Cbmav62B
 FR2BmXDxzM2PRdLu2VHGpkn0CQW3M1tvgaNjGD1xdOxpyIkn47T5lfAd/4X2XPiU
 M1ck2Usc258UB1yoKV+jbUD3ptn2BvC+VMWJInaA578hv8TA6Ouh7lP7rPJfDHoJ
 OfoLxx9/VqGqMWzfExAHnGw328oieXNnOwynETAdapVwjQeiEcYAED82pJmVsD7+
 m++6dRVQRA2bMIMRFWmW8HsO08sR32wzy76XgKws4Xu59Fiy+TQ8PoeUjCtTNq6/
 9ibPwH4R7VbcxXa2eT23EbtO2nSkZw/dFiL0s5VNYqeVrBwwlzyklU1uSvIEPegk
 zHamqxMMlVLkoMwJa83wIKB8/viPKwV5zcF9UjmrJy67+wXZet6M0c7S9HyiTj9U
 NzVbqyK3KhMtsD4ps/EGVWsgGKAIeWbE8wPlP7GF7PHwEw+hWa9pHir6L6BizNqG
 DJ/2zfZxDvOGy2r5OvSqGn07/zsj+0URixzEq0IOn1Li/osFZpvK3EVFncd/qsvW
 NwPRoF+70skFRdXhbdWa/HEUZlyN2uiIU24luraMrN0U4b4X7aw+EMnMekBi+Vec
 bEtWEUJ/vK3mlsOde4gVW0PZBhe8JE6PHlqkQBn5zobV3/cXXCw=
 =6xFZ
 -----END PGP SIGNATURE-----

Merge tag 'nfs-for-6.4-2' of git://git.linux-nfs.org/projects/anna/linux-nfs

Pull NFS client fixes from Anna Schumaker:
 "Stable Fix:

   - Don't change task->tk_status after the call to rpc_exit_task

  Other Bugfixes:

   - Convert kmap_atomic() to kmap_local_folio()

   - Fix a potential double free with READ_PLUS"

* tag 'nfs-for-6.4-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
  NFSv4.2: Fix a potential double free with READ_PLUS
  SUNRPC: Don't change task->tk_status after the call to rpc_exit_task
  NFS: Convert kmap_atomic() to kmap_local_folio()
This commit is contained in:
Linus Torvalds 2023-05-22 12:01:13 -07:00
commit 421ca22e31
3 changed files with 14 additions and 7 deletions

View File

@ -317,7 +317,7 @@ static int nfs_readdir_folio_array_append(struct folio *folio,
name = nfs_readdir_copy_name(entry->name, entry->len); name = nfs_readdir_copy_name(entry->name, entry->len);
array = kmap_atomic(folio_page(folio, 0)); array = kmap_local_folio(folio, 0);
if (!name) if (!name)
goto out; goto out;
ret = nfs_readdir_array_can_expand(array); ret = nfs_readdir_array_can_expand(array);
@ -340,7 +340,7 @@ static int nfs_readdir_folio_array_append(struct folio *folio,
nfs_readdir_array_set_eof(array); nfs_readdir_array_set_eof(array);
out: out:
*cookie = array->last_cookie; *cookie = array->last_cookie;
kunmap_atomic(array); kunmap_local(array);
return ret; return ret;
} }

View File

@ -5437,10 +5437,18 @@ static bool nfs4_read_plus_not_supported(struct rpc_task *task,
return false; return false;
} }
static inline void nfs4_read_plus_scratch_free(struct nfs_pgio_header *hdr)
{
if (hdr->res.scratch) {
kfree(hdr->res.scratch);
hdr->res.scratch = NULL;
}
}
static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
{ {
if (hdr->res.scratch) nfs4_read_plus_scratch_free(hdr);
kfree(hdr->res.scratch);
if (!nfs4_sequence_done(task, &hdr->res.seq_res)) if (!nfs4_sequence_done(task, &hdr->res.seq_res))
return -EAGAIN; return -EAGAIN;
if (nfs4_read_stateid_changed(task, &hdr->args)) if (nfs4_read_stateid_changed(task, &hdr->args))

View File

@ -927,11 +927,10 @@ static void __rpc_execute(struct rpc_task *task)
*/ */
do_action = task->tk_action; do_action = task->tk_action;
/* Tasks with an RPC error status should exit */ /* Tasks with an RPC error status should exit */
if (do_action != rpc_exit_task && if (do_action && do_action != rpc_exit_task &&
(status = READ_ONCE(task->tk_rpc_status)) != 0) { (status = READ_ONCE(task->tk_rpc_status)) != 0) {
task->tk_status = status; task->tk_status = status;
if (do_action != NULL) do_action = rpc_exit_task;
do_action = rpc_exit_task;
} }
/* Callbacks override all actions */ /* Callbacks override all actions */
if (task->tk_callback) { if (task->tk_callback) {