diff mbox series

nfsd4: fix double free in nfsd4_do_async_copy()

Message ID 20200113132307.frp6ur5zhzolu5ys@kili.mountain (mailing list archive)
State New, archived
Headers show
Series nfsd4: fix double free in nfsd4_do_async_copy() | expand

Commit Message

Dan Carpenter Jan. 13, 2020, 1:23 p.m. UTC 
This frees "copy->nf_src" before and again after the goto.

Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 fs/nfsd/nfs4proc.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Olga Kornievskaia Jan. 21, 2020, 9:56 p.m. UTC | #1 
On Mon, Jan 13, 2020 at 8:24 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> This frees "copy->nf_src" before and again after the goto.
>
> Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  fs/nfsd/nfs4proc.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> index 1e14b3ed5674..c90c24c35b2e 100644
> --- a/fs/nfsd/nfs4proc.c
> +++ b/fs/nfsd/nfs4proc.c
> @@ -1469,7 +1469,6 @@ static int nfsd4_do_async_copy(void *data)
>                 copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, &copy->c_fh,
>                                               &copy->stateid);
>                 if (IS_ERR(copy->nf_src->nf_file)) {
> -                       kfree(copy->nf_src);
>                         copy->nfserr = nfserr_offload_denied;
>                         nfsd4_interssc_disconnect(copy->ss_mnt);
>                         goto do_callback;
> --
> 2.11.0
>

Reviewed-by: Olga Kornievskaia <kolga@netapp.com>

Bruce, can you add this to your nfsd-next?
J. Bruce Fields Jan. 30, 2020, 2:56 p.m. UTC | #2 
On Tue, Jan 21, 2020 at 04:56:31PM -0500, Olga Kornievskaia wrote:
> On Mon, Jan 13, 2020 at 8:24 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > This frees "copy->nf_src" before and again after the goto.
> >
> > Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> >  fs/nfsd/nfs4proc.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> > index 1e14b3ed5674..c90c24c35b2e 100644
> > --- a/fs/nfsd/nfs4proc.c
> > +++ b/fs/nfsd/nfs4proc.c
> > @@ -1469,7 +1469,6 @@ static int nfsd4_do_async_copy(void *data)
> >                 copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, &copy->c_fh,
> >                                               &copy->stateid);
> >                 if (IS_ERR(copy->nf_src->nf_file)) {
> > -                       kfree(copy->nf_src);
> >                         copy->nfserr = nfserr_offload_denied;
> >                         nfsd4_interssc_disconnect(copy->ss_mnt);
> >                         goto do_callback;
> > --
> > 2.11.0
> >
> 
> Reviewed-by: Olga Kornievskaia <kolga@netapp.com>
> 
> Bruce, can you add this to your nfsd-next?

Done, thanks for the reminder.

--b.
diff mbox series

Patch

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 1e14b3ed5674..c90c24c35b2e 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1469,7 +1469,6 @@  static int nfsd4_do_async_copy(void *data)
 		copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, &copy->c_fh,
 					      &copy->stateid);
 		if (IS_ERR(copy->nf_src->nf_file)) {
-			kfree(copy->nf_src);
 			copy->nfserr = nfserr_offload_denied;
 			nfsd4_interssc_disconnect(copy->ss_mnt);
 			goto do_callback;