From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Trond Myklebust
Subject: [PATCH 4.19 232/287] NFSv4/pnfs: Fix a use-after-free bug in open
Date: Tue, 23 Aug 2022 10:26:41 +0200
Message-Id: <20220823080108.853280173@linuxfoundation.org>
In-Reply-To: <20220823080100.268827165@linuxfoundation.org>

From: Trond Myklebust

commit 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac upstream.

If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.

Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust
Signed-off-by: Greg Kroah-Hartman
--- fs/nfs/nfs4proc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -2920,12 +2920,13 @@ static int _nfs4_open_and_get_state(stru } out: - if (opendata->lgp) { - nfs4_lgopen_release(opendata->lgp); - opendata->lgp = NULL; - } - if (!opendata->cancelled) + if (!opendata->cancelled) { + if (opendata->lgp) { + nfs4_lgopen_release(opendata->lgp); + opendata->lgp = NULL; + } nfs4_sequence_free_slot(&opendata->o_res.seq_res); + } return ret; }
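
Review bot: on the cancelled path, nothing visible at the out: label now releases opendata->lgp or the sequence slot, and the hunk does not say who does. The commit message explains that both may still be in use by the hung RPC call, but that reasoning is not in the code. A short comment above "if (!opendata->cancelled) {" naming the path that takes over the cleanup once the RPC finishes would make it clear that skipping nfs4_lgopen_release() and nfs4_sequence_free_slot() here is an ownership hand-off rather than a leak. It would also help a later reader avoid moving the lgp release back outside the check, which is the arrangement this change removes.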