From patchwork Tue Aug 2 20:09:10 2022
X-Patchwork-Submitter: Trond Myklebust
X-Patchwork-Id: 12935028
From: trondmy@kernel.org
To: linux-nfs@vger.kernel.org
Subject: [PATCH] NFSv4/pnfs: Fix a use-after-free bug in open
Date: Tue, 2 Aug 2022 16:09:10 -0400
Message-Id: <20220802200910.381918-1-trondmy@kernel.org>
X-Mailer: git-send-email 2.37.1
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org

From: Trond Myklebust

If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.

Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust
---
 fs/nfs/nfs4proc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 2d7c14ade193..3ed14a2a84a4 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3096,12 +3096,13 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, } out: - if (opendata->lgp) { - nfs4_lgopen_release(opendata->lgp); - opendata->lgp = NULL; - } - if (!opendata->cancelled) + if (!opendata->cancelled) { + if (opendata->lgp) { + nfs4_lgopen_release(opendata->lgp); + opendata->lgp = NULL; + } nfs4_sequence_free_slot(&opendata->o_res.seq_res); + } return ret; }
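Review bot: in the cancelled branch of the hunk at `out:`, `opendata->lgp` is now left non-NULL and the sequence slot is never freed here, but nothing in this patch shows which completion path takes over and releases them once the hung RPC finishes, so a reader cannot tell a deliberate ownership handoff from a leak. Suggest naming that path in the changelog and adding a one-line comment above `+	if (!opendata->cancelled) {` along the lines of "cancelled: the in-flight RPC still owns lgp and the slot" so the asymmetry with the old unconditional release is documented at the site of the change. It would also help to state where `opendata->cancelled` is set relative to the RPC completing, since the patch relies on that ordering but does not show it.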