Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 10 Dec 2025 03:37:40 +0000
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: ffd47a4bc671 - stable/15 - nfs_nfsdstate.c: Add sanity checks for lock stateids
Message-ID:  <6938eb04.326ed.300fcfa@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 

The branch stable/15 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=ffd47a4bc6716452da795aeaed3429d2392abb73

commit ffd47a4bc6716452da795aeaed3429d2392abb73
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-11-26 19:20:27 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-12-10 03:36:04 +0000

    nfs_nfsdstate.c: Add sanity checks for lock stateids
    
    Bugzilla PR reported a crash caused by a synthetic client
    doing a Lock operation request with a delegation stateid.
    
    This patch fixes the problem by adding sanity checks
    for the type of stateid provided as an argument to the
    Lock and LockU operations.
    
    It has been tested with the FreeBSD, Linux and Solaris 11.4
    clients.  Hopefully, other NFSv4 clients will work ok
    as well.
    
    PR:     291080
    
    (cherry picked from commit aa1cf240887ddcca66dfb969fdc5a8d545396037)
---
 sys/fs/nfsserver/nfs_nfsdstate.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c
index 111b0f26d0b5..3fae2be5af46 100644
--- a/sys/fs/nfsserver/nfs_nfsdstate.c
+++ b/sys/fs/nfsserver/nfs_nfsdstate.c
@@ -1977,6 +1977,20 @@ tryagain:
 			     error = NFSERR_BADSTATEID;
 	      }
 	      
+	      /*
+	       * Sanity check the stateid for the Lock/LockU cases.
+	       */
+	      if (error == 0 && (new_stp->ls_flags & NFSLCK_LOCK) != 0 &&
+		  (((new_stp->ls_flags & NFSLCK_OPENTOLOCK) != 0 &&
+		    (stp->ls_flags & NFSLCK_OPEN) == 0) ||
+		   ((new_stp->ls_flags & NFSLCK_OPENTOLOCK) == 0 &&
+		    (stp->ls_flags & NFSLCK_LOCK) == 0)))
+			error = NFSERR_BADSTATEID;
+	      if (error == 0 && (new_stp->ls_flags & NFSLCK_UNLOCK) != 0 &&
+		  (stp->ls_flags & NFSLCK_LOCK) == 0)
+			error = NFSERR_BADSTATEID;
+
+		/* Sanity check the delegation stateid. */
 		if (error == 0 &&
 		  (stp->ls_flags & (NFSLCK_DELEGREAD | NFSLCK_DELEGWRITE)) &&
 		  getlckret == 0 && stp->ls_lfp != lfp)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6938eb04.326ed.300fcfa>