NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()
diff mbox series

Message ID 20200420172807.398960-1-trondmy@kernel.org
State New
Headers show
Series
  • NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()
Related show

Commit Message

trondmy@kernel.org April 20, 2020, 5:28 p.m. UTC
From: Trond Myklebust <trond.myklebust@hammerspace.com>

If the credential returned by pnfs_prepare_layoutreturn()
does not match the credential of the RPC call, then we do
end up calling pnfs_send_layoutreturn() with that credential,
so don't free it!

Fixes: 44ea8dfce021 ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
---
 fs/nfs/pnfs.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

Patch
diff mbox series

diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 3bf6899cba95..dd2e14f5875d 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1458,18 +1458,15 @@  bool pnfs_roc(struct inode *ino,
 	/* lo ref dropped in pnfs_roc_release() */
 	layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode);
 	/* If the creds don't match, we can't compound the layoutreturn */
-	if (!layoutreturn)
+	if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)
 		goto out_noroc;
-	if (cred_fscmp(cred, lc_cred) != 0)
-		goto out_noroc_put_cred;
 
 	roc = layoutreturn;
 	pnfs_init_layoutreturn_args(args, lo, &stateid, iomode);
 	res->lrs_present = 0;
 	layoutreturn = false;
-
-out_noroc_put_cred:
 	put_cred(lc_cred);
+
 out_noroc:
 	spin_unlock(&ino->i_lock);
 	rcu_read_unlock();