diff options
author | Trond Myklebust <trond.myklebust@hammerspace.com> | 2020-04-19 23:53:52 -0400 |
---|---|---|
committer | Trond Myklebust <trond.myklebust@hammerspace.com> | 2020-04-19 23:53:52 -0400 |
commit | 4d8948c7334a970eab113a4bcf45b1920a5a1625 (patch) | |
tree | d0884ad10deb4cd34a09209548923ab5a1e94cd7 | |
parent | 7bcc10585bd9b762820fd8ffdc389aafa56ad689 (diff) | |
download | lwn-4d8948c7334a970eab113a4bcf45b1920a5a1625.tar.gz lwn-4d8948c7334a970eab113a4bcf45b1920a5a1625.zip |
NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()
If the credential returned by pnfs_prepare_layoutreturn()
does not match the credential of the RPC call, then we do
end up calling pnfs_send_layoutreturn() with that credential,
so don't free it!
Fixes: 44ea8dfce021 ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
-rw-r--r-- | fs/nfs/pnfs.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c index 3bf6899cba95..dd2e14f5875d 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c @@ -1458,18 +1458,15 @@ retry: /* lo ref dropped in pnfs_roc_release() */ layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode); /* If the creds don't match, we can't compound the layoutreturn */ - if (!layoutreturn) + if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0) goto out_noroc; - if (cred_fscmp(cred, lc_cred) != 0) - goto out_noroc_put_cred; roc = layoutreturn; pnfs_init_layoutreturn_args(args, lo, &stateid, iomode); res->lrs_present = 0; layoutreturn = false; - -out_noroc_put_cred: put_cred(lc_cred); + out_noroc: spin_unlock(&ino->i_lock); rcu_read_unlock(); |