From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Tue, 2 Aug 2022 15:48:50 -0400
Subject: [PATCH] NFSv4/pnfs: Fix a use-after-free bug in open
commit 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac upstream.
If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.
Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
fs/nfs/nfs4proc.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
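--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3041,12 +3041,13 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata,
 }
 
 out:
- if (opendata->lgp) {
- nfs4_lgopen_release(opendata->lgp);
- opendata->lgp = NULL;
- }
- if (!opendata->cancelled)
+ if (!opendata->cancelled) {
+ if (opendata->lgp) {
+ nfs4_lgopen_release(opendata->lgp);
+ opendata->lgp = NULL;
+ }
 nfs4_sequence_free_slot(&opendata->o_res.seq_res);
+ }
 return ret;
 }
 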
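Review bot: The `out:` label in `_nfs4_open_and_get_state` now skips both `nfs4_lgopen_release()` and `nfs4_sequence_free_slot()` when `opendata->cancelled` is set, but nothing in the code records why, or who releases `opendata->lgp` and the slot afterwards. Only the commit message explains that the hung RPC may still be using them, so a later cleanup could hoist the release back out of the guard and reintroduce the use-after-free. A comment above the guard would pin the rule, for example `/* Cancelled: the RPC task may still reference lgp and the slot; do not free them here. */`. The path that eventually frees `lgp` for a cancelled open is not visible in this hunk (the function body starts outside it), so it is worth confirming that it exists and naming it in that comment, so the skipped release is not mistaken for a leak.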