From 3ff1bb6605ac2ecea1ed7fa2df5e88e13e0f63df Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 18 Dec 2025 10:02:32 +0800 Subject: [PATCH] nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing mainline inclusion from mainline-v6.18-rc1 commit a890a2e339b929dbd843328f9a92a1625404fe63 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDDEWK CVE: CVE-2025-68185 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a890a2e339b929dbd843328f9a92a1625404fe63 -------------------------------- Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack. Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that. Signed-off-by: Al Viro Signed-off-by: Anna Schumaker Signed-off-by: Li Lingfeng --- fs/nfs/nfs4proc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 29cb861ae449..83cb9f013fe0 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -352,7 +352,9 @@ static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dent *p++ = htonl(attrs); /* bitmap */ *p++ = htonl(12); /* attribute buffer length */ *p++ = htonl(NF4DIR); + spin_lock(&dentry->d_lock); p = xdr_encode_hyper(p, NFS_FILEID(d_inode(dentry->d_parent))); + spin_unlock(&dentry->d_lock); readdir->pgbase = (char *)p - (char *)start; readdir->count -= readdir->pgbase; -- Gitee