mirror of
https://github.com/FEX-Emu/linux.git
synced 2025-01-08 18:42:53 +00:00
9a307403d3
if we receive a compound such that: - the sessionid, slot, and sequence number in the SEQUENCE op match a cached succesful reply with N ops, and - the Nth operation of the compound is a PUTFH, PUTPUBFH, PUTROOTFH, or RESTOREFH, then nfsd4_sequence will return 0 and set cstate->status to nfserr_replay_cache. The current filehandle will not be set. This will cause us to call check_nfsd_access with first argument NULL. To nfsd4_compound it looks like we just succesfully executed an operation that set a filehandle, but the current filehandle is not set. Fix this by moving the nfserr_replay_cache earlier. There was never any reason to have it after the encode_op label, since the only case where he hit that is when opdesc->op_func sets it. Note that there are two ways we could hit this case: - a client is resending a previously sent compound that ended with one of the four PUTFH-like operations, or - a client is sending a *new* compound that (incorrectly) shares sessionid, slot, and sequence number with a previously sent compound, and the length of the previously sent compound happens to match the position of a PUTFH-like operation in the new compound. The second is obviously incorrect client behavior. The first is also very strange--the only purpose of a PUTFH-like operation is to set the current filehandle to be used by the following operation, so there's no point in having it as the last in a compound. So it's likely this requires a buggy or malicious client to reproduce. Reported-by: Scott Mayhew <smayhew@redhat.com> Cc: stable@kernel.vger.org Signed-off-by: J. Bruce Fields <bfields@redhat.com> |
||
|---|---|---|
| .. | ||
| acl.h | ||
| auth.c | ||
| auth.h | ||
| blocklayout.c | ||
| blocklayoutxdr.c | ||
| blocklayoutxdr.h | ||
| cache.h | ||
| current_stateid.h | ||
| export.c | ||
| export.h | ||
| fault_inject.c | ||
| flexfilelayout.c | ||
| flexfilelayoutxdr.c | ||
| flexfilelayoutxdr.h | ||
| idmap.h | ||
| Kconfig | ||
| lockd.c | ||
| Makefile | ||
| netns.h | ||
| nfs2acl.c | ||
| nfs3acl.c | ||
| nfs3proc.c | ||
| nfs3xdr.c | ||
| nfs4acl.c | ||
| nfs4callback.c | ||
| nfs4idmap.c | ||
| nfs4layouts.c | ||
| nfs4proc.c | ||
| nfs4recover.c | ||
| nfs4state.c | ||
| nfs4xdr.c | ||
| nfscache.c | ||
| nfsctl.c | ||
| nfsd.h | ||
| nfsfh.c | ||
| nfsfh.h | ||
| nfsproc.c | ||
| nfssvc.c | ||
| nfsxdr.c | ||
| pnfs.h | ||
| state.h | ||
| stats.c | ||
| stats.h | ||
| trace.c | ||
| trace.h | ||
| vfs.c | ||
| vfs.h | ||
| xdr3.h | ||
| xdr4.h | ||
| xdr4cb.h | ||
| xdr.h | ||