Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 831771 Details for
Bug 1025907
use after free in new nfsd DRC code
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch -- nfsd: when reusing an existing entry, unhash it first
0001-nfsd-when-reusing-an-existing-repcache-entry-unhash-.patch (text/plain), 1.92 KB, created by
Jeff Layton
on 2013-12-02 20:32:05 UTC
(
hide
)
Description:
patch -- nfsd: when reusing an existing entry, unhash it first
Filename:
MIME Type:
Creator:
Jeff Layton
Created:
2013-12-02 20:32:05 UTC
Size:
1.92 KB
patch
obsolete
>From 1ab0c9925b83c9dd6db7d81aa2f31d458e211753 Mon Sep 17 00:00:00 2001 >From: Jeff Layton <jlayton@redhat.com> >Date: Mon, 2 Dec 2013 14:33:24 -0500 >Subject: [PATCH] nfsd: when reusing an existing repcache entry, unhash it > first > >The DRC code will attempt to reuse an existing, expired cache entry in >preference to allocating a new one. It'll then search the cache, and if >it gets a hit it'll then free the cache entry that it was going to >reuse. > >The cache code doesn't unhash the entry that it's going to reuse >however, so it's possible for it end up designating an entry for reuse >and then subsequently freeing the same entry after it finds it. This >leads it to a later use-after-free situation and usually some list >corruption warnings or an oops. > >Fix this by simply unhashing the entry that we intend to reuse. That >will mean that it's not findable via a search and should prevent this >situation from occurring. > >Cc: stable@vger.kernel.org # v3.10+ >Reported-by: Christoph Hellwig <hch@infradead.org> >Reported-by: g. artim <gartim@gmail.com> >Signed-off-by: Jeff Layton <jlayton@redhat.com> >--- > fs/nfsd/nfscache.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > >diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c >index 9186c7c..b6af150 100644 >--- a/fs/nfsd/nfscache.c >+++ b/fs/nfsd/nfscache.c >@@ -132,6 +132,13 @@ nfsd_reply_cache_alloc(void) > } > > static void >+nfsd_reply_cache_unhash(struct svc_cacherep *rp) >+{ >+ hlist_del_init(&rp->c_hash); >+ list_del_init(&rp->c_lru); >+} >+ >+static void > nfsd_reply_cache_free_locked(struct svc_cacherep *rp) > { > if (rp->c_type == RC_REPLBUFF && rp->c_replvec.iov_base) { >@@ -417,7 +424,7 @@ nfsd_cache_lookup(struct svc_rqst *rqstp) > rp = list_first_entry(&lru_head, struct svc_cacherep, c_lru); > if (nfsd_cache_entry_expired(rp) || > num_drc_entries >= max_drc_entries) { >- lru_put_end(rp); >+ nfsd_reply_cache_unhash(rp); > prune_cache_entries(); > goto search_cache; > } >-- >1.8.4.2 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=831771">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1025907
: 831771