authorFedor Pchelkin <pchelkin@ispras.ru>2023-07-25 14:59:30 +0300
committerTrond Myklebust <trond.myklebust@hammerspace.com>2023-08-19 10:26:29 -0400
commitf4e89f1a6dab4c063fc1e823cc9dddc408ff40cf (patch)
tree3b21acfddd5a02c4eb60cd0eb63f9b7bfa38ce54 /fs/nfs
parent4e3733fd2b0f677faae21cf838a43faf317986d3 (diff)
NFSv4: fix out path in __nfs4_get_acl_uncached
Another highly rare error case when a page allocating loop (inside __nfs4_get_acl_uncached, this time) is not properly unwound on error. Since pages array is allocated being uninitialized, need to free only lower array indices. NULL checks were useful before commit 62a1573fcf84 ("NFSv4 fix acl retrieval over krb5i/krb5p mounts") when the array had been initialized to zero on stack. Found by Linux Verification Center (linuxtesting.org). Fixes: 62a1573fcf84 ("NFSv4 fix acl retrieval over krb5i/krb5p mounts") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Reviewed-by: Benjamin Coddington <bcodding@redhat.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Diffstat (limited to 'fs/nfs')
-rw-r--r--fs/nfs/nfs4proc.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 4604e9f3d1b0..832fa226b8f2 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -6004,9 +6004,8 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf,
out_ok:
ret = res.acl_len;
out_free:
- for (i = 0; i < npages; i++)
- if (pages[i])
- __free_page(pages[i]);
+ while (--i >= 0)
+ __free_page(pages[i]);
if (res.acl_scratch)
__free_page(res.acl_scratch);
kfree(pages);
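Review bot: The new unwind at `out_free:` is only correct if `i` is a signed type and still holds the number of `pages[]` slots filled so far on every path that reaches the label; neither the declaration of `i` nor the allocation loop is visible here, since the function body starts and ends outside the hunk. If `i` were unsigned, `--i >= 0` would never become false and the loop would index outside the array. If a later edit reuses `i` between the allocation loop and the label, the loop would free too few pages or pass uninitialized slots to `__free_page()`. I would record the invariant at the label, e.g. `/* i = number of pages[] slots filled; the array is not zeroed, so free only those */`, or keep the count in a dedicated variable so the cleanup does not depend on a shared loop index.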