Commit 4d8948c7 authored by Trond Myklebust's avatar Trond Myklebust

NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()

If the credential returned by pnfs_prepare_layoutreturn()
does not match the credential of the RPC call, then we do
end up calling pnfs_send_layoutreturn() with that credential,
so don't free it!

Fixes: 44ea8dfc ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()")
Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
parent 7bcc1058
...@@ -1458,18 +1458,15 @@ bool pnfs_roc(struct inode *ino, ...@@ -1458,18 +1458,15 @@ bool pnfs_roc(struct inode *ino,
/* lo ref dropped in pnfs_roc_release() */ /* lo ref dropped in pnfs_roc_release() */
layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode); layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode);
/* If the creds don't match, we can't compound the layoutreturn */ /* If the creds don't match, we can't compound the layoutreturn */
if (!layoutreturn) if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)
goto out_noroc; goto out_noroc;
if (cred_fscmp(cred, lc_cred) != 0)
goto out_noroc_put_cred;
roc = layoutreturn; roc = layoutreturn;
pnfs_init_layoutreturn_args(args, lo, &stateid, iomode); pnfs_init_layoutreturn_args(args, lo, &stateid, iomode);
res->lrs_present = 0; res->lrs_present = 0;
layoutreturn = false; layoutreturn = false;
out_noroc_put_cred:
put_cred(lc_cred); put_cred(lc_cred);
out_noroc: out_noroc:
spin_unlock(&ino->i_lock); spin_unlock(&ino->i_lock);
rcu_read_unlock(); rcu_read_unlock();
......
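Review bot: The ownership of `lc_cred` is left implicit at the combined test `if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)`: the comment above it explains only why the layoutreturn cannot be compounded, not that the jump to `out_noroc` deliberately skips `put_cred(lc_cred)`. Because the commit message says the reference is still needed by pnfs_send_layoutreturn() on a mismatch, I would extend the comment, e.g. `/* On a cred mismatch keep the lc_cred reference: pnfs_send_layoutreturn() uses it below */`, so a later cleanup does not reintroduce the early put. Two things cannot be confirmed here because pnfs_roc() continues past the hunk. One is whether every path after `out_noroc` with `layoutreturn` still true reaches the send; if not, the reference would presumably leak. The other is whether `lc_cred` can hold a reference when pnfs_prepare_layoutreturn() returns false.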