CVE-2023-52909

Severity (CVSS v4.0): Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/08/2024
Last modified: 12/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix handling of cached open files in nfsd4_open codepath

Commit fb70bf124b05 ("NFSD: Instantiate a struct file when creating a regular NFSv4 file") added the ability to cache an open fd over a compound. There are a couple of problems with the way this currently works:

It's racy, as a newly-created nfsd_file can end up with its PENDING bit cleared while the nf is hashed, and the nf_file pointer is still zeroed out. Other tasks can find it in this state and they expect to see a valid nf_file, and can oops if nf_file is NULL.

Also, there is no guarantee that we'll end up creating a new nfsd_file if one is already in the hash. If an extant entry is in the hash with a valid nf_file, nfs4_get_vfs_file will clobber its nf_file pointer with the value of op_file and the old nf_file will leak.

Fix both issues by making a new nfsd_file_acquirei_opened variant that takes an optional file pointer. If one is present when this is called, we'll take a new reference to it instead of trying to open the file. If the nfsd_file already has a valid nf_file, we'll just ignore the optional file and pass the nfsd_file back as-is.

Also rework the tracepoints a bit to allow for an "opened" variant and don't try to avoid counting acquisitions in the case where we already have a cached open file.

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.19 (including)   6.1.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*   (exact version)    -
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*   (exact version)    -
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*   (exact version)    -