On Fri, Mar 13, 2020 at 02:05:27PM -0700, Linus Torvalds wrote:
> Adding more people.
>
> The old stable trees seem to have rather different code.
>
> [ Goes off and looks at the stable trees ]
>
> Petr seems entirely correct - the stable tree backport appears broken.
>
> Because looking at that commit 67a56e9743171 in the stable tree, it doesn't seem to match commit 4b310319c6a8 ("NFS: Fix memory leaks and corruption in readdir") in mainline.
>
> That stable backport looks bogus. It added that
>
>         array = kmap(page);
>
> line from somewhere else, probably because the stable tree didn't have the line at all, and it was there in the context.
I botched up that backport, sorry.
> Because while mainline has that line to initialize array with kmap(), in those stable trees, we have
>
>         array = nfs_readdir_get_array(page);
>
> and as Petr says, the kmap has been done there already, and it will be kunmap'ed by nfs_readdir_release_array().
>
> And looking closer, this same bug seems to have happened twice: it also exists in 0b0223f9c3a8.
>
> But somebody else should double-check me - somebody who actually knows the code.
>
> As to how I found the other case, do this in the stable git repo with all the stable tags:
>
>     git log -p --no-merges --all \
>         --grep="NFS: Fix memory leaks and corruption in readdir"
>
> to see all the copies of that commit backport.
>
> Add a
>
>     -S'kmap(page)'
>
> to that line to see the cases that added that line. Or to just get the commits:
>
>     git log --oneline --no-merges --all \
>         --grep="NFS: Fix memory leaks and corruption in readdir" \
>         -S'kmap(page)'
>
> and the result is
>
>     67a56e974317 NFS: Fix memory leaks and corruption in readdir
>     0b0223f9c3a8 NFS: Fix memory leaks and corruption in readdir
I've applied the fix to the 4.9 and 4.4 trees, thank you!
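The search Linus describes above, reproduced as an added, self-contained example (not part of the thread and not from the kernel tree): the script builds a throwaway git repository with three "backport" commits that all carry the same subject line, only two of which add the stray `array = kmap(page);` line, and then shows how `--grep` alone lists every copy of the backport while `--grep` plus the pickaxe `-S'kmap(page)'` narrows it to the commits that introduced that line. The repository layout, branch names, file name `dir.c` and file contents are constructed for the demonstration; the subject line and the search string are the ones from the thread.

```shell
#!/bin/sh
# Added example: find which backports of one fix introduced a given line,
# using git log --grep (subject match) plus -S (pickaxe on diff content).
set -e

SUBJECT='NFS: Fix memory leaks and corruption in readdir'   # subject from the thread

# Create one "backport" commit on a fresh branch off the root commit.
# $1 = repo path, $2 = branch name, $3 = content of dir.c (constructed)
add_backport() {
    repo=$1; branch=$2; content=$3
    git -C "$repo" checkout -q -b "$branch" root
    printf '%s\n' "$content" > "$repo/dir.c"
    git -C "$repo" add dir.c
    git -C "$repo" commit -q -m "$SUBJECT"
}

# Build the throwaway repository and print its path.
make_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.email 'ci@example.invalid'
    git -C "$repo" config user.name 'Example'
    git -C "$repo" commit -q --allow-empty -m 'root'
    git -C "$repo" tag root
    # Two bad backports: both add the extra kmap(page) line.
    add_backport "$repo" stable-bad-1 'array = nfs_readdir_get_array(page);
array = kmap(page);'
    add_backport "$repo" stable-bad-2 'array = kmap(page);'
    # One good backport: relies on nfs_readdir_get_array() having done the kmap.
    add_backport "$repo" stable-good 'array = nfs_readdir_get_array(page);'
    echo "$repo"
}

# Subject-only search: every copy of the backport, good or bad (3 here).
list_backports() {
    git -C "$1" log --oneline --no-merges --all --grep="$SUBJECT"
}

# Subject plus pickaxe: only commits whose diff changed the number of
# occurrences of the literal string 'kmap(page)' (2 here).
list_kmap_backports() {
    git -C "$1" log --oneline --no-merges --all --grep="$SUBJECT" -S'kmap(page)'
}

count_lines() { wc -l | tr -d ' '; }

main() {
    repo=$(make_repo)
    echo "All backports of the fix:"
    list_backports "$repo"
    echo "Backports that added kmap(page):"
    list_kmap_backports "$repo"
    rm -rf "$repo"
}

main
```

`-S` reports commits where the count of the search string changed in the diff, so a backport that merely kept the line in unchanged context is not listed; that is why it isolates the two commits that actually inserted the line.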