NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

jainanmol84 · jainanmol84 · commit bd7c69d35f69 · 2025-08-06T21:46:42.000+05:30
jira VULN-8056 cve CVE-2023-1652 commit-author Xingyuan Mo <hdthky0@gmail.com> commit e6cf91b If signal_pending() returns true, schedule_timeout() will not be executed, causing the waiting task to remain in the wait queue. Fixed by adding a call to finish_wait(), which ensures that the waiting task will always be removed from the wait queue. Fixes: f4e44b3 ("NFSD: delay unmount source's export after inter-server copy completed.") Signed-off-by: Xingyuan Mo <hdthky0@gmail.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> (cherry picked from commit e6cf91b) Signed-off-by: Anmol Jain <ajain@ciq.com>
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
@@ -1328,6 +1328,7 @@ static __be32 nfsd4_ssc_setup_dul(struct nfsd_net *nn, char *ipaddr,
 			/* allow 20secs for mount/unmount for now - revisit */
 			if (signal_pending(current) ||
 					(schedule_timeout(20*HZ) == 0)) {
+				finish_wait(&nn->nfsd_ssc_waitq, &wait);
 				kfree(work);
 				return nfserr_eagain;
 			}

Original file line number	Diff line number	Diff line change
`@@ -1328,6 +1328,7 @@ static __be32 nfsd4_ssc_setup_dul(struct nfsd_net nn, char ipaddr,`
`1328`	`1328`	`/* allow 20secs for mount/unmount for now - revisit */`
`1329`	`1329`	`if (signal_pending(current) \|\|`
`1330`	`1330`	`(schedule_timeout(20*HZ) == 0)) {`
	`1331`	`+ finish_wait(&nn->nfsd_ssc_waitq, &wait);`
`1331`	`1332`	`kfree(work);`
`1332`	`1333`	`return nfserr_eagain;`
`1333`	`1334`	`}`