summaryrefslogtreecommitdiffstats
path: root/fs/nfsd
diff options
context:
space:
mode:
authorJeff Layton <jlayton@kernel.org>2022-11-05 14:49:26 +0100
committerChuck Lever <chuck.lever@oracle.com>2022-11-05 16:29:55 +0100
commitbdd6b5624c62d0acd350d07564f1c82fe649235f (patch)
tree774b245113c2fdf51f0c82ca20aaa878ba679d38 /fs/nfsd
parentnfsd: fix net-namespace logic in __nfsd_file_cache_purge (diff)
downloadlinux-bdd6b5624c62d0acd350d07564f1c82fe649235f.tar.xz
linux-bdd6b5624c62d0acd350d07564f1c82fe649235f.zip
nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint
When we fail to insert into the hashtable with a non-retryable error, we'll free the object and then goto out_status. If the tracepoint is enabled, it'll end up accessing the freed object when it tries to grab the fields out of it. Set nf to NULL after freeing it to avoid the issue. Fixes: 243a5263014a ("nfsd: rework hashtable handling in nfsd_do_file_acquire") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'fs/nfsd')
-rw-r--r--fs/nfsd/filecache.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
index adc4e87a71d2..ec3fceb92236 100644
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -1076,6 +1076,7 @@ retry:
goto open_file;
nfsd_file_slab_free(&nf->nf_rcu);
+ nf = NULL;
if (ret == -EEXIST)
goto retry;
trace_nfsd_file_insert_err(rqstp, key.inode, may_flags, ret);