NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

hdthky · chucklever · commit e6cf91b7b47f · 2023-01-11T21:29:11.000-05:00
If signal_pending() returns true, schedule_timeout() will not be executed, causing the waiting task to remain in the wait queue. Fixed by adding a call to finish_wait(), which ensures that the waiting task will always be removed from the wait queue. Fixes: f4e44b3 ("NFSD: delay unmount source's export after inter-server copy completed.") Signed-off-by: Xingyuan Mo <hdthky0@gmail.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
@@ -1318,6 +1318,7 @@ static __be32 nfsd4_ssc_setup_dul(struct nfsd_net *nn, char *ipaddr,
 			/* allow 20secs for mount/unmount for now - revisit */
 			if (signal_pending(current) ||
 					(schedule_timeout(20*HZ) == 0)) {
+				finish_wait(&nn->nfsd_ssc_waitq, &wait);
 				kfree(work);
 				return nfserr_eagain;
 			}

Original file line number	Diff line number	Diff line change
`@@ -1318,6 +1318,7 @@ static __be32 nfsd4_ssc_setup_dul(struct nfsd_net nn, char ipaddr,`
`1318`	`1318`	`/* allow 20secs for mount/unmount for now - revisit */`
`1319`	`1319`	`if (signal_pending(current) \|\|`
`1320`	`1320`	`(schedule_timeout(20*HZ) == 0)) {`
	`1321`	`+ finish_wait(&nn->nfsd_ssc_waitq, &wait);`
`1321`	`1322`	`kfree(work);`
`1322`	`1323`	`return nfserr_eagain;`
`1323`	`1324`	`}`