{"id":2232252,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2232252/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260504041108.88774-3-matthew.ruffell@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.2/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260504041108.88774-3-matthew.ruffell@canonical.com>","list_archive_url":null,"date":"2026-05-04T04:10:57","name":"[SRU,J,2/3] SUNRPC: lock against ->sock changing during sysfs read","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"fb0701d8aa0198c451c01b8a3261b6593e447f6f","submitter":{"id":76884,"url":"http://patchwork.ozlabs.org/api/1.2/people/76884/?format=json","name":"Matthew Ruffell","email":"matthew.ruffell@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260504041108.88774-3-matthew.ruffell@canonical.com/mbox/","series":[{"id":502608,"url":"http://patchwork.ozlabs.org/api/1.2/series/502608/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502608","date":"2026-05-04T04:10:58","name":"SUNRPC: System wide grep leads to NULL pointer deference in sysfs reads","version":1,"mbox":"http://patchwork.ozlabs.org/series/502608/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2232252/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2232252/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=KYIvH+Uv;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g87WX0vm4z1yKS\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 04 May 2026 14:11:50 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wJkeR-0001Vb-9h; Mon, 04 May 2026 04:11:23 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <matthew.ruffell@canonical.com>)\n id 1wJkeQ-0001UD-3V\n for kernel-team@lists.ubuntu.com; Mon, 04 May 2026 04:11:22 +0000","from mail-pj1-f69.google.com (mail-pj1-f69.google.com\n [209.85.216.69])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 01E393F181\n for <kernel-team@lists.ubuntu.com>; Mon,  4 May 2026 04:11:22 +0000 (UTC)","by mail-pj1-f69.google.com with SMTP id\n 98e67ed59e1d1-354c44bf176so4021503a91.0\n for <kernel-team@lists.ubuntu.com>; Sun, 03 May 2026 21:11:21 -0700 (PDT)","from Garunix (122-58-201-163-adsl.sparkbb.co.nz. [122.58.201.163])\n by smtp.gmail.com with ESMTPSA id\n 98e67ed59e1d1-364ec027690sm9665264a91.13.2026.05.03.21.11.18\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Sun, 03 May 2026 21:11:20 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777867882;\n bh=qvrEePqlKqF0begP2SjBK+A4M9kvco59pMiNB3SB7YQ=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=KYIvH+Uv+kmJstYGW8EYPf83qIUbKZfHfe/HOGaaefcBeg2EPS8JgInThnake1gUL\n 6J6bFO78EbcLoOzbH2ZzJl9MXuRbX7lFQo4oZiRezAZY2nXNb7AaoucQj93EAh+NA0\n SG6zP+VACvgNKb3ErZZIOrOkNy4yQU8LboEmXa8coqxSByJHMx4yNB5HHPsBzGhcct\n 9c8zK/4ca0VKhN1Fvo9V3tzVD1XB07N0NlvvY70Bx86jeUopYmE1zBheTXSNzmHwEf\n I0u2/G3dvEimno8KFpssepgbc5lG3DzoenjPGdPW4rVF2DgVoBEBQ3T0Q294hLowrK\n 6rO2FJ12JO9a8hlv+R1k/LjDYv8CqhQijtCiTYdn2Z0D99yze7BH+kS28StodNJxWM\n 2EtzvRO6MRSP+9SLtjQKfIKc9IMqVDyfeg2U3OONoD6rv2gG3H7gg317xoTJhgTVZ/\n 5EugtnZOr1R2HvcnbfRPqE9KGYi8Hwk275y3aKDaHCQn5YnIr4DaUpFfaHVElXummL\n tntAhuHUED32w/ajjcUwoRb5sbS6TN001/j3265bILRVuRPpL1bmKsiZXWvfS4FGZU\n WDkLfohk43UKurUl3YukktmwczuY5chxyMBs/2de76cFRqqlQyb3Age/GYrUlDuw79\n mTNt2TNfbbYSLqdfxzGbca8A=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777867880; x=1778472680;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=qvrEePqlKqF0begP2SjBK+A4M9kvco59pMiNB3SB7YQ=;\n b=J1fRVXHyN/XW7SCZoBveHFQXyZiYZy1VBI4KYCVooZXVCZS2N2ZOiai2Rxtr6dlKaA\n ViCNMuKckhM+zuYCBz43xMSB9EIVLHICSYBw7gPvvsiDciiPYoys8i2/eNlsXaiUzT5X\n 8ocgFx7ZkMR6im5ky9CfloX0zHH/KNpVqQiLd4QzV1Ty0ml2AspBZpOAIopTQIa8RZVu\n jjcPzzvA83epIO2rvc2xLe3V01AoIINjLaLGkl+7i6w6a/JdpCHy868L9aioD/sx7HP5\n f9LyuguxH+4llIDBMM6h8Y+o4vCu7v/VTm+Nz/AZVy9aTeQDLu2Mkxk2jWW2NbPMPn3L\n 186A==","X-Gm-Message-State":"AOJu0YzygH5eajVstN7Xsq6f3ld1DCGMR+rL0WFG+80H8F8xVU4GGdq2\n 0Gt36QXICWYppq3NzKIKLEkJg+xWV2NXBxmy86UCg++XJ1hjBdME+IRubCams5Oq2V5zzOMIveh\n B5HyfLEOf6H/1AGAJM4KyJlRy+ISa9nnf8t+a7zsGGQsH3of3uPcMCNr6kh/8IyTN8niybaihFU\n uMgZr+Uvpxw8npcw==","X-Gm-Gg":"AeBDietelnPpLPl4+8XV0y6NXf1GeasKtWDi6cmQchq4lDkSriOy8/VEPenlAWxnzFr\n K4BHQy+ImLGs6KbFIlyxTI5lhnoDt5f9BN0c3qQ3r52yrenW01n2xbwMqNS33V1i5CtHZPzB3iw\n PbaUugiLkCbrUZBg63bhWKq72h1bun8Ovs8NEEktvpIkEd2fW2cMWoQscs8fzkuIzdvBPukP1jJ\n tvKgMb7L/5A7tcwQSN91cxpi4TmW1asZgdrZJf8NnNV40RwoZJlPTd8JL7HPtqdEhcI2by+3Pe6\n Lptm55vbzdIH3bKYkDHOLBv+zK7USB2TVMwKHMYBer1Sbz+ZrrQ4MuvvNUBKuUos7J9+J66i699\n h279Nz/XDTkzwyI7mOIRF53tZU7Z81cDXGi+zsu0TB6463+mqs6k4Estg5Lij8wnLqPIgFAwY0C\n Ds","X-Received":["by 2002:a17:90b:1845:b0:35f:bf4b:c396 with SMTP id\n 98e67ed59e1d1-3650cd25209mr7826454a91.1.1777867880704;\n Sun, 03 May 2026 21:11:20 -0700 (PDT)","by 2002:a17:90b:1845:b0:35f:bf4b:c396 with SMTP id\n 98e67ed59e1d1-3650cd25209mr7826439a91.1.1777867880313;\n Sun, 03 May 2026 21:11:20 -0700 (PDT)"],"From":"Matthew Ruffell <matthew.ruffell@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH 2/3] SUNRPC: lock against ->sock changing during sysfs\n read","Date":"Mon,  4 May 2026 16:10:57 +1200","Message-ID":"<20260504041108.88774-3-matthew.ruffell@canonical.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260504041108.88774-1-matthew.ruffell@canonical.com>","References":"<20260504041108.88774-1-matthew.ruffell@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: NeilBrown <neilb@suse.de>\n\nBugLink: https://bugs.launchpad.net/bugs/2149767\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex.  Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window.\n\nFixes: 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before handling sysfs reads\")\nFixes: a8482488a7d6 (\"SUNRPC query transport's source port\")\nSigned-off-by: NeilBrown <neilb@suse.de>\nSigned-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>\n(cherry picked from commit b49ea673e119f59c71645e2f65b3ccad857c90ee)\nCVE-2022-48816\nSigned-off-by: Matthew Ruffell <matthew.ruffell@canonical.com>\n---\n net/sunrpc/sysfs.c    | 5 ++++-\n net/sunrpc/xprtsock.c | 7 ++++++-\n 2 files changed, 10 insertions(+), 2 deletions(-)","diff":"diff --git a/net/sunrpc/sysfs.c b/net/sunrpc/sysfs.c\nindex 66785d1f90b8..33e8fb85ce4f 100644\n--- a/net/sunrpc/sysfs.c\n+++ b/net/sunrpc/sysfs.c\n@@ -115,11 +115,14 @@ static ssize_t rpc_sysfs_xprt_srcaddr_show(struct kobject *kobj,\n \t}\n \n \tsock = container_of(xprt, struct sock_xprt, xprt);\n-\tif (kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0)\n+\tmutex_lock(&sock->recv_mutex);\n+\tif (sock->sock == NULL ||\n+\t    kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0)\n \t\tgoto out;\n \n \tret = sprintf(buf, \"%pISc\\n\", &saddr);\n out:\n+\tmutex_unlock(&sock->recv_mutex);\n \txprt_put(xprt);\n \treturn ret + 1;\n }\ndiff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c\nindex ee32ed8d07af..e8baecec6d1d 100644\n--- a/net/sunrpc/xprtsock.c\n+++ b/net/sunrpc/xprtsock.c\n@@ -1680,7 +1680,12 @@ static int xs_get_srcport(struct sock_xprt *transport)\n unsigned short get_srcport(struct rpc_xprt *xprt)\n {\n \tstruct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt);\n-\treturn xs_sock_getport(sock->sock);\n+\tunsigned short ret = 0;\n+\tmutex_lock(&sock->recv_mutex);\n+\tif (sock->sock)\n+\t\tret = xs_sock_getport(sock->sock);\n+\tmutex_unlock(&sock->recv_mutex);\n+\treturn ret;\n }\n EXPORT_SYMBOL(get_srcport);\n \n","prefixes":["SRU","J","2/3"]}