From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Trond Myklebust
Subject: [PATCH 5.15 041/244] NFSv4/pnfs: Fix a use-after-free bug in open
Date: Tue, 23 Aug 2022 10:23:20 +0200
Message-Id: <20220823080100.435094415@linuxfoundation.org>
In-Reply-To: <20220823080059.091088642@linuxfoundation.org>
References: <20220823080059.091088642@linuxfoundation.org>

From: Trond Myklebust

commit 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac upstream.

If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.

Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust
Signed-off-by: Greg Kroah-Hartman

--- fs/nfs/nfs4proc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -3106,12 +3106,13 @@ static int _nfs4_open_and_get_state(stru } out: - if (opendata->lgp) { - nfs4_lgopen_release(opendata->lgp); - opendata->lgp = NULL; - } - if (!opendata->cancelled) + if (!opendata->cancelled) { + if (opendata->lgp) { + nfs4_lgopen_release(opendata->lgp); + opendata->lgp = NULL; + } nfs4_sequence_free_slot(&opendata->o_res.seq_res); + } return ret; }
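
Review bot: On the cancelled path at the `out:` label, `opendata->lgp` is now left set and is neither released nor cleared in this function, and neither the hunk nor the commit message says where the layoutget arguments and the sequence slot are eventually freed once the cancelled RPC finishes. A short comment above `if (!opendata->cancelled) {` stating that both resources stay owned by the still-running RPC, and naming the path that releases them, would let a reader confirm this is not trading the use-after-free for a leak and would discourage a later cleanup from hoisting `nfs4_lgopen_release(opendata->lgp);` back out of the guard. The commit message could say the same, since "likely still in use" leaves the final release unspecified.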