From: trondmy@kernel.org
To: linux-nfs@vger.kernel.org
Subject: [PATCH] NFSv4/pnfs: Fix a use-after-free bug in open
Date: Tue, 2 Aug 2022 16:09:10 -0400
Message-Id: <20220802200910.381918-1-trondmy@kernel.org>

From: Trond Myklebust

If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.

Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust
--- fs/nfs/nfs4proc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 2d7c14ade193..3ed14a2a84a4 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -3096,12 +3096,13 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, } out: - if (opendata->lgp) { - nfs4_lgopen_release(opendata->lgp); - opendata->lgp = NULL; - } - if (!opendata->cancelled) + if (!opendata->cancelled) { + if (opendata->lgp) { + nfs4_lgopen_release(opendata->lgp); + opendata->lgp = NULL; + } nfs4_sequence_free_slot(&opendata->o_res.seq_res); + } return ret; } -- 2.37.1
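
Review bot: On the cancelled path at the `out:` label, `opendata->lgp` is now left non-NULL and neither `nfs4_lgopen_release()` nor `nfs4_sequence_free_slot()` runs, and nothing in the hunk shows where those two resources are released once the hung RPC call finishes. The commit message explains why they must not be freed here, but a reader of the function alone cannot tell a deferred free from a leak. Please add a short comment above `if (!opendata->cancelled) {` naming the path that takes over ownership of the layoutget arguments and the sequence slot when the open is cancelled, and confirm in the changelog that this path releases `lgp` exactly once. It would also help to state whether `opendata->cancelled` can change between the RPC wait and this test, since the fix relies on that single read to decide who frees.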