Date:      Wed, 10 Dec 2025 03:41:57 +0000
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: c8180893d7fe - stable/14 - nfs_nfsdstate.c: Add sanity checks for lock stateids
Message-ID:  <6938ec05.35343.5e5f3f8a@gitrepo.freebsd.org>


The branch stable/14 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=c8180893d7fef8557d8f8cdd5945468be5023da2

commit c8180893d7fef8557d8f8cdd5945468be5023da2
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-11-26 19:20:27 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-12-10 03:40:53 +0000

    nfs_nfsdstate.c: Add sanity checks for lock stateids
    
    Bugzilla PR reported a crash caused by a synthetic client
    doing a Lock operation request with a delegation stateid.
    
    This patch fixes the problem by adding sanity checks
    for the type of stateid provided as an argument to the
    Lock and LockU operations.
    
    It has been tested with the FreeBSD, Linux and Solaris 11.4
    clients.  Hopefully, other NFSv4 clients will work ok
    as well.
    
    PR:     291080
    
    (cherry picked from commit aa1cf240887ddcca66dfb969fdc5a8d545396037)
---
 sys/fs/nfsserver/nfs_nfsdstate.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c
index cca977b31e8e..ece924630514 100644
--- a/sys/fs/nfsserver/nfs_nfsdstate.c
+++ b/sys/fs/nfsserver/nfs_nfsdstate.c
@@ -1972,6 +1972,20 @@ tryagain:
 			     error = NFSERR_BADSTATEID;
 	      }
 	      
+	      /*
+	       * Sanity check the stateid for the Lock/LockU cases.
+	       */
+	      if (error == 0 && (new_stp->ls_flags & NFSLCK_LOCK) != 0 &&
+		  (((new_stp->ls_flags & NFSLCK_OPENTOLOCK) != 0 &&
+		    (stp->ls_flags & NFSLCK_OPEN) == 0) ||
+		   ((new_stp->ls_flags & NFSLCK_OPENTOLOCK) == 0 &&
+		    (stp->ls_flags & NFSLCK_LOCK) == 0)))
+			error = NFSERR_BADSTATEID;
+	      if (error == 0 && (new_stp->ls_flags & NFSLCK_UNLOCK) != 0 &&
+		  (stp->ls_flags & NFSLCK_LOCK) == 0)
+			error = NFSERR_BADSTATEID;
+
+		/* Sanity check the delegation stateid. */
 		if (error == 0 &&
 		  (stp->ls_flags & (NFSLCK_DELEGREAD | NFSLCK_DELEGWRITE)) &&
 		  getlckret == 0 && stp->ls_lfp != lfp)
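
Review bot: the Lock test starting at `(new_stp->ls_flags & NFSLCK_LOCK) != 0` folds two cases into one nested expression, and the comment above it says only "Sanity check the stateid" without stating the rule being enforced. As written, the rule is: an open stateid (NFSLCK_OPEN) is required when NFSLCK_OPENTOLOCK is set, a lock stateid (NFSLCK_LOCK) otherwise, and a lock stateid for NFSLCK_UNLOCK. Putting that rule in the comment, or selecting the required flag into a local first and testing `(stp->ls_flags & required) == 0` once, would make it easier to audit that a stateid of the wrong type is rejected with NFSERR_BADSTATEID before any lock handling. A smaller style point: the added `if` lines are indented with a tab plus spaces, while the new "Sanity check the delegation stateid" comment uses two tabs, so the block mixes both styles.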


