forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

NFSv4/pnfs: Fix a use-after-free bug in open

Browse source 
commit 2135e5d562 upstream.

If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.

Fixes: 6949493884 ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Trond Myklebust 2022-08-02 15:48:50 -04:00 committed by Greg Kroah-Hartman
commit 76ffd20424
1 changed files with 6 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
fs/nfs/nfs4proc.c
View file

@ -3084,12 +3084,13 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata,
}
out:
if (opendata->lgp) {
nfs4_lgopen_release(opendata->lgp);
opendata->lgp = NULL;
}
if (!opendata->cancelled)
if (!opendata->cancelled) {
if (opendata->lgp) {
nfs4_lgopen_release(opendata->lgp);
opendata->lgp = NULL;
}
nfs4_sequence_free_slot(&opendata->o_res.seq_res);
}
return ret;
}