summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTrond Myklebust <trond.myklebust@hammerspace.com>2020-04-19 23:53:52 -0400
committerTrond Myklebust <trond.myklebust@hammerspace.com>2020-04-19 23:53:52 -0400
commit4d8948c7334a970eab113a4bcf45b1920a5a1625 (patch)
treed0884ad10deb4cd34a09209548923ab5a1e94cd7
parent7bcc10585bd9b762820fd8ffdc389aafa56ad689 (diff)
downloadlwn-4d8948c7334a970eab113a4bcf45b1920a5a1625.tar.gz
lwn-4d8948c7334a970eab113a4bcf45b1920a5a1625.zip
NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()
If the credential returned by pnfs_prepare_layoutreturn() does not match the credential of the RPC call, then we do end up calling pnfs_send_layoutreturn() with that credential, so don't free it! Fixes: 44ea8dfce021 ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
-rw-r--r--fs/nfs/pnfs.c7
1 files changed, 2 insertions, 5 deletions
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 3bf6899cba95..dd2e14f5875d 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1458,18 +1458,15 @@ retry:
/* lo ref dropped in pnfs_roc_release() */
layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode);
/* If the creds don't match, we can't compound the layoutreturn */
- if (!layoutreturn)
+ if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)
goto out_noroc;
- if (cred_fscmp(cred, lc_cred) != 0)
- goto out_noroc_put_cred;
roc = layoutreturn;
pnfs_init_layoutreturn_args(args, lo, &stateid, iomode);
res->lrs_present = 0;
layoutreturn = false;
-
-out_noroc_put_cred:
put_cred(lc_cred);
+
out_noroc:
spin_unlock(&ino->i_lock);
rcu_read_unlock();