NFS: Fix use-after-free issues in nfs_pageio_add_request() (dc9dc2fe) · Commits · 戴 / test

We need to ensure that we create the mirror requests before calling nfs_pageio_add_request_mirror() on the request we are adding. Otherwise, we can end up with a use-after-free if the call to nfs_pageio_add_request_mirror() triggers I/O. Fixes: ("NFS: Fix up NFS I/O subrequest creation") Cc: stable@vger.kernel.org Signed-off-by:

Trond Myklebust <trond.myklebust@hammerspace.com>

fs/nfs/pagelist.c

+24 −24

Original line number	Diff line number	Diff line
		@@ -1191,8 +1191,8 @@ int nfs_pageio_add_request(struct nfs_pageio_descriptor *desc,
		if (desc->pg_error < 0)
		goto out_failed;

		for (midx = 0; midx < desc->pg_mirror_count; midx++) {
		if (midx) {
		/* Create the mirror instances first, and fire them off */
		for (midx = 1; midx < desc->pg_mirror_count; midx++) {
		nfs_page_group_lock(req);

		/* find the last request */
		@@ -1209,19 +1209,19 @@ int nfs_pageio_add_request(struct nfs_pageio_descriptor *desc,
		desc->pg_error = PTR_ERR(dupreq);
		goto out_failed;
		}
		} else
		dupreq = req;

		if (nfs_pgio_has_mirroring(desc))
		desc->pg_mirror_idx = midx;
		if (!nfs_pageio_add_request_mirror(desc, dupreq))
		goto out_cleanup_subreq;
		}

		desc->pg_mirror_idx = 0;
		if (!nfs_pageio_add_request_mirror(desc, req))
		goto out_failed;

		return 1;

		out_cleanup_subreq:
		if (req != dupreq)
		nfs_pageio_cleanup_request(desc, dupreq);
		out_failed:
		nfs_pageio_error_cleanup(desc);

Admin message