nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint

When we fail to insert into the hashtable with a non-retryable error, we'll free the object and then goto out_status. If the tracepoint is enabled, it'll end up accessing the freed object when it tries to grab the fields out of it. Set nf to NULL after freeing it to avoid the issue. Fixes: 243a5263 ("nfsd: rework hashtable handling in nfsd_do_file_acquire") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint
When we fail to insert into the hashtable with a non-retryable error, we'll free the object and then goto out_status. If the tracepoint is enabled, it'll end up accessing the freed object when it tries to grab the fields out of it. Set nf to NULL after freeing it to avoid the issue. Fixes: 243a5263 ("nfsd: rework hashtable handling in nfsd_do_file_acquire") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
bdd6b562 · Jeff Layton · Chuck Lever · d3aefd2b · bdd6b562
Commit bdd6b562 authored Nov 05, 2022 by Jeff Layton Committed by Chuck Lever Nov 05, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

fs/nfsd/filecache.c fs/nfsd/filecache.c +1 -0

No files found.
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -1076,6 +1076,7 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp,
 		goto open_file;

 	nfsd_file_slab_free(&nf->nf_rcu);
+	nf = NULL;
 	if (ret == -EEXIST)
 		goto retry;
 	trace_nfsd_file_insert_err(rqstp, key.inode, may_flags, ret);