From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Trond Myklebust
Subject: [PATCH 5.19 056/365] NFSv4/pnfs: Fix a use-after-free bug in open
Date: Tue, 23 Aug 2022 09:59:17 +0200
Message-Id: <20220823080120.521722033@linuxfoundation.org>
In-Reply-To: <20220823080118.128342613@linuxfoundation.org>

From: Trond Myklebust

commit 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac upstream.

If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.

Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust
Signed-off-by: Greg Kroah-Hartman
---
 fs/nfs/nfs4proc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -3096,12 +3096,13 @@ static int _nfs4_open_and_get_state(stru } out: - if (opendata->lgp) { - nfs4_lgopen_release(opendata->lgp); - opendata->lgp = NULL; - } - if (!opendata->cancelled) + if (!opendata->cancelled) { + if (opendata->lgp) { + nfs4_lgopen_release(opendata->lgp); + opendata->lgp = NULL; + } nfs4_sequence_free_slot(&opendata->o_res.seq_res); + } return ret; }
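
Review bot: in the out: block of _nfs4_open_and_get_state(), once opendata->cancelled is set neither nfs4_lgopen_release(opendata->lgp) nor nfs4_sequence_free_slot(&opendata->o_res.seq_res) runs and opendata->lgp stays non-NULL, but nothing visible in the hunk says which path releases them afterwards. The commit message only says they are likely still in use by the hung RPC call; a short comment above "if (!opendata->cancelled) {" naming who owns the slot and the layoutget arguments in the cancelled case would let a reader confirm that the use-after-free has not been traded for a leak.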