diff options
| author | Anna Schumaker <Anna.Schumaker@Netapp.com> | 2023-05-16 11:19:25 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-09-13 09:43:05 +0200 |
| commit | 7795634751622709cab9ce4cad2bcd93f871fae3 (patch) | |
| tree | 6e94b1d92e049b0648f4c9c093dad0c465e3dad5 | |
| parent | d9ece8c0269f4efe391bfa1022266bdb78d8cbad (diff) | |
| download | linux-7795634751622709cab9ce4cad2bcd93f871fae3.tar.gz linux-7795634751622709cab9ce4cad2bcd93f871fae3.tar.bz2 linux-7795634751622709cab9ce4cad2bcd93f871fae3.zip | |
NFSv4.2: Fix a potential double free with READ_PLUS
commit 43439d858bbae244a510de47f9a55f667ca4ed52 upstream.
kfree()-ing the scratch page isn't enough, we also need to set the pointer
back to NULL to avoid a double-free in the case of a resend.
Fixes: fbd2a05f29a9 (NFSv4.2: Rework scratch handling for READ_PLUS)
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/nfs/nfs4proc.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 3f96ccc386c3..b707a23c25e9 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -5444,10 +5444,18 @@ static bool nfs4_read_plus_not_supported(struct rpc_task *task, return false; } -static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) +static inline void nfs4_read_plus_scratch_free(struct nfs_pgio_header *hdr) { - if (hdr->res.scratch) + if (hdr->res.scratch) { kfree(hdr->res.scratch); + hdr->res.scratch = NULL; + } +} + +static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) +{ + nfs4_read_plus_scratch_free(hdr); + if (!nfs4_sequence_done(task, &hdr->res.seq_res)) return -EAGAIN; if (nfs4_read_stateid_changed(task, &hdr->args)) |