2020-01-13 13:24:16

by Dan Carpenter

Subject: [PATCH] nfsd4: fix double free in nfsd4_do_async_copy()

This frees "copy->nf_src" before and again after the goto.

Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
Signed-off-by: Dan Carpenter <[email protected]>
---
fs/nfsd/nfs4proc.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 1e14b3ed5674..c90c24c35b2e 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1469,7 +1469,6 @@ static int nfsd4_do_async_copy(void *data)
copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, &copy->c_fh,
&copy->stateid);
if (IS_ERR(copy->nf_src->nf_file)) {
- kfree(copy->nf_src);
copy->nfserr = nfserr_offload_denied;
nfsd4_interssc_disconnect(copy->ss_mnt);
goto do_callback;
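Review bot: with the kfree() removed from this error branch, copy->nf_src is left entirely to the cleanup reached via "goto do_callback" (the commit message says that path already frees it), so it is worth confirming that the same cleanup tolerates the error pointer that the line above stores in copy->nf_src->nf_file, i.e. that it checks IS_ERR() before treating nf_file as an open file; a one-line comment at the goto noting that nf_src is freed after do_callback would also stop the kfree() from being reintroduced later.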
--
2.11.0


2020-01-21 21:57:04

by Olga Kornievskaia

Subject: Re: [PATCH] nfsd4: fix double free in nfsd4_do_async_copy()

On Mon, Jan 13, 2020 at 8:24 AM Dan Carpenter <[email protected]> wrote:
>
> This frees "copy->nf_src" before and again after the goto.
>
> Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> fs/nfsd/nfs4proc.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> index 1e14b3ed5674..c90c24c35b2e 100644
> --- a/fs/nfsd/nfs4proc.c
> +++ b/fs/nfsd/nfs4proc.c
> @@ -1469,7 +1469,6 @@ static int nfsd4_do_async_copy(void *data)
> copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, &copy->c_fh,
> &copy->stateid);
> if (IS_ERR(copy->nf_src->nf_file)) {
> - kfree(copy->nf_src);
> copy->nfserr = nfserr_offload_denied;
> nfsd4_interssc_disconnect(copy->ss_mnt);
> goto do_callback;
> --
> 2.11.0
>

Reviewed-by: Olga Kornievskaia <[email protected]>

Bruce, can you add this to your nfsd-next?

2020-01-30 14:56:37

by J. Bruce Fields

Subject: Re: [PATCH] nfsd4: fix double free in nfsd4_do_async_copy()

On Tue, Jan 21, 2020 at 04:56:31PM -0500, Olga Kornievskaia wrote:
> On Mon, Jan 13, 2020 at 8:24 AM Dan Carpenter <[email protected]> wrote:
> >
> > This frees "copy->nf_src" before and again after the goto.
> >
> > Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
> > Signed-off-by: Dan Carpenter <[email protected]>
> > ---
> > fs/nfsd/nfs4proc.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
> > index 1e14b3ed5674..c90c24c35b2e 100644
> > --- a/fs/nfsd/nfs4proc.c
> > +++ b/fs/nfsd/nfs4proc.c
> > @@ -1469,7 +1469,6 @@ static int nfsd4_do_async_copy(void *data)
> > copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, &copy->c_fh,
> > &copy->stateid);
> > if (IS_ERR(copy->nf_src->nf_file)) {
> > - kfree(copy->nf_src);
> > copy->nfserr = nfserr_offload_denied;
> > nfsd4_interssc_disconnect(copy->ss_mnt);
> > goto do_callback;
> > --
> > 2.11.0
> >
>
> Reviewed-by: Olga Kornievskaia <[email protected]>
>
> Bruce, can you add this to your nfsd-next?

Done, thanks for the reminder.

--b.