From patchwork Wed May 25 16:07:15 2011
X-Patchwork-Submitter: Boaz Harrosh
X-Patchwork-Id: 816502
Message-ID: <4DDD2933.3000209@panasas.com>
Date: Wed, 25 May 2011 19:07:15 +0300
From: Boaz Harrosh
To: Benny Halevy, Trond Myklebust, linux-nfs@vger.kernel.org, Andy Adamson, Fred Isaman
Subject: [PATCH] SQUASHME: pnfs: Fix NULL dereference in the -ENOMEM path
References: <4DDA8C3D.5080706@panasas.com> <1306168714-11721-1-git-send-email-bhalevy@panasas.com>
In-Reply-To: <1306168714-11721-1-git-send-email-bhalevy@panasas.com>

In _pnfs_return_layout: the lrp pointer is checked for NULL after it was already accessed.

The rationale here is that in _pnfs_return_layout we want to de-ref and release the layout regardless of whether we sent the return or not (forgetful). An eventual recall can return -ENOMATCHING instead of -EDELAY.

So to keep the reasoning above, copy the stateid twice.

Benny, if it is OK to not release the layout on -ENOMEM then the check could just be moved above the spin_lock(), and the put_layout_hdr removed.

Signed-off-by: Boaz Harrosh
---
 fs/nfs/pnfs.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c index a07b007..c3ec577 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c @@ -628,6 +628,7 @@ _pnfs_return_layout(struct inode *ino) struct nfs_inode *nfsi = NFS_I(ino); LIST_HEAD(tmp_list); struct nfs4_layoutreturn *lrp; + nfs4_stateid stateid; int status = 0; dprintk("--> %s\n", __func__); 
@@ -642,7 +643,7 @@ _pnfs_return_layout(struct inode *ino) kfree(lrp); goto out; } - lrp->args.stateid = nfsi->layout->plh_stateid; + stateid = nfsi->layout->plh_stateid; /* Reference matched in nfs4_layoutreturn_release */ get_layout_hdr(lo); spin_unlock(&ino->i_lock); @@ -655,6 +656,7 @@ _pnfs_return_layout(struct inode *ino) status = -ENOMEM; goto out; } + lrp->args.stateid = stateid; lrp->args.reclaim = 0; lrp->args.layout_type = NFS_SERVER(ino)->pnfs_curr_ld->id; lrp->args.inode = ino;
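Review bot: the leading context of the second hunk (@@ -642,7 +643,7 @@), `kfree(lrp); goto out; }`, is an early exit taken while i_lock is still held and before the kzalloc whose failure branch (`status = -ENOMEM; goto out;`) shows up in the third hunk, yet the first hunk declares `struct nfs4_layoutreturn *lrp;` with no initializer; unless lrp is allocated somewhere outside the visible lines, that branch frees an uninitialized pointer, which is the same use-before-allocation this patch is fixing for the stateid. Either initialize lrp to NULL at its declaration or drop the kfree from that branch. Minor style point: the new `stateid = nfsi->layout->plh_stateid;` re-derives the header that the very next statement already names as `lo` (`get_layout_hdr(lo)`); if lo is nfsi->layout at that point, `stateid = lo->plh_stateid;` reads more consistently.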
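Review bot: moving `lrp->args.stateid = stateid;` below the `status = -ENOMEM; goto out;` check (third hunk, @@ -655,6 +656,7 @@) does remove the NULL dereference, but the -ENOMEM branch is now the only path that still holds the reference taken by `get_layout_hdr(lo)` in the previous hunk without a matching release: the comment there says the reference is matched in nfs4_layoutreturn_release, which never runs when lrp is never allocated. Whichever way the put_layout_hdr question raised in the commit message is decided, a one-line comment on the -ENOMEM branch stating whether it drops that reference itself would keep a later cleanup from silently unbalancing it.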