Commit c96573c0 authored by Chuck Lever's avatar Chuck Lever
Browse files

NFSD: Never cache a COMPOUND when the SEQUENCE operation fails 



RFC 8881 normatively mandates that operations where the initial
SEQUENCE operation in a compound fails must not modify the slot's
replay cache.

nfsd4_cache_this() doesn't prevent such caching. So when SEQUENCE
fails, cstate.data_offset is not set, allowing
read_bytes_from_xdr_buf() to access uninitialized memory.

Reported-by: default avatar <rtm@csail.mit.edu>
Closes: https://lore.kernel.org/linux-nfs/c3628d57-94ae-48cf-8c9e-49087a28cec9@oracle.com/T/#t


Fixes: 468de9e5 ("nfsd41: expand solo sequence check")
Reviewed-by: default avatarNeilBrown <neil@brown.name>
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
parent ff8141e4

fs/nfsd/nfs4state.c

+14 −1
Original line number Diff line number Diff line
@@ -3487,7 +3487,20 @@ nfsd4_store_cache_entry(struct nfsd4_compoundres *resp) 
	struct nfsd4_slot *slot = resp->cstate.slot;

	unsigned int base;



	dprintk("--> %s slot %p\n", __func__, slot);

	/*

	 * RFC 5661 Section 2.10.6.1.2:

	 *

	 * Any time SEQUENCE ... returns an error ... [t]he replier MUST NOT

	 * modify the reply cache entry for the slot whenever an error is

	 * returned from SEQUENCE ...

	 *

	 * Because nfsd4_store_cache_entry is called only by

	 * nfsd4_sequence_done(), nfsd4_store_cache_entry() is called only

	 * when a SEQUENCE operation was part of the COMPOUND.

	 * nfs41_check_op_ordering() ensures SEQUENCE is the first op.

	 */

	if (resp->opcnt == 1 && resp->cstate.status != nfs_ok)

		return;



	slot->sl_flags |= NFSD4_SLOT_INITIALIZED;

	slot->sl_opcnt = resp->opcnt;