From: Dai Ngo
To: bfields@fieldses.org
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH 1/2] NFSD: Fix use-after-free warning when doing inter-server copy
Date: Thu, 29 Oct 2020 15:07:15 -0400
Message-Id: <20201029190716.70481-2-dai.ngo@oracle.com>
In-Reply-To: <20201029190716.70481-1-dai.ngo@oracle.com>
References: <20201029190716.70481-1-dai.ngo@oracle.com>
List-ID: linux-nfs@vger.kernel.org

The source file nfsd_file is not constructed the same as other nfsd_file's via nfsd_file_alloc. nfsd_file_put should not be called to free the object; nfsd_file_put is not the inverse of kzalloc, instead kfree is called by nfsd4_do_async_copy when done.

Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
Signed-off-by: Dai Ngo --- fs/nfsd/nfs4proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index ad2fa1a8e7ad..9c43cad7e408 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -1299,7 +1299,7 @@ nfsd4_cleanup_inter_ssc(struct vfsmount *ss_mnt, struct nfsd_file *src, struct nfsd_file *dst) { nfs42_ssc_close(src->nf_file); - nfsd_file_put(src); + /* 'src' is freed by nfsd4_do_async_copy */ nfsd_file_put(dst); mntput(ss_mnt); } -- 2.20.1.1226.g1595ea5.dirty
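Review bot: the ownership contract in nfsd4_cleanup_inter_ssc becomes asymmetric with this hunk: dst is still released here with nfsd_file_put(dst), while src is only closed via nfs42_ssc_close(src->nf_file) and left for the caller to kfree, which the new comment and the commit message say nfsd4_do_async_copy does. The hunk shows only the cleanup function and none of its callers, so the commit message should state explicitly that every caller of nfsd4_cleanup_inter_ssc frees src itself; any caller that relied on the removed nfsd_file_put(src) would now leak the allocation instead of double-releasing it. It would also help to spell out in the message what the reported warning actually was (nfsd_file_put being applied to an object that did not come from nfsd_file_alloc), since the subject says "use-after-free" while the body describes a mismatched allocation/release pair.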