Commit 4d8948c7 authored by Trond Myklebust

NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()



If the credential returned by pnfs_prepare_layoutreturn()
does not match the credential of the RPC call, then we do
end up calling pnfs_send_layoutreturn() with that credential,
so don't free it!

Fixes: 44ea8dfc ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
parent 7bcc1058
+2 −5
@@ -1458,18 +1458,15 @@ retry:
	/* lo ref dropped in pnfs_roc_release() */
	layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode);
	/* If the creds don't match, we can't compound the layoutreturn */
	if (!layoutreturn)
	if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)
		goto out_noroc;
	if (cred_fscmp(cred, lc_cred) != 0)
		goto out_noroc_put_cred;

	roc = layoutreturn;
	pnfs_init_layoutreturn_args(args, lo, &stateid, iomode);
	res->lrs_present = 0;
	layoutreturn = false;

out_noroc_put_cred:
	put_cred(lc_cred);

out_noroc:
	spin_unlock(&ino->i_lock);
	rcu_read_unlock();
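
Review bot: the jump to out_noroc from the combined `if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)` test leaves this block with the lc_cred reference still held when the creds differ, and nothing at that site says so. The commit message explains that the reference must survive because pnfs_send_layoutreturn() is later called with that credential, but that call is outside the visible lines, so a short comment at the goto stating that lc_cred is consumed by the later pnfs_send_layoutreturn() would keep a future cleanup from reintroducing the put_cred() on this path. The existing comment "If the creds don't match, we can't compound the layoutreturn" now sits above a test that also covers the !layoutreturn case and is worth rewording. It is also worth confirming that lc_cred carries no reference when pnfs_prepare_layoutreturn() returns false, since that path skips put_cred(lc_cred) as well.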