summaryrefslogtreecommitdiff
path: root/fs/nfsd
diff options
context:
space:
mode:
authorChuck Lever <chuck.lever@oracle.com>2022-05-31 19:49:01 -0400
committerChuck Lever <chuck.lever@oracle.com>2022-06-02 13:05:58 -0400
commitb6c71c66b0ad8f2b59d9bc08c7a5079b110bec01 (patch)
tree95437836d9d92452761afcb80df88156d58bdff9 /fs/nfsd
parent9ff9f77f34e44a0054eadb9041e459548c955ccb (diff)
NFSD: Fix potential use-after-free in nfsd_file_put()
nfsd_file_put_noref() can free @nf, so don't dereference @nf immediately upon return from nfsd_file_put_noref(). Suggested-by: Trond Myklebust <trondmy@hammerspace.com> Fixes: 999397926ab3 ("nfsd: Clean up nfsd_file_put()") Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'fs/nfsd')
-rw-r--r--fs/nfsd/filecache.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
index d32fcd8ad457..148b25a43caf 100644
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -308,11 +308,12 @@ nfsd_file_put(struct nfsd_file *nf)
if (test_bit(NFSD_FILE_HASHED, &nf->nf_flags) == 0) {
nfsd_file_flush(nf);
nfsd_file_put_noref(nf);
- } else {
+ } else if (nf->nf_file) {
nfsd_file_put_noref(nf);
- if (nf->nf_file)
- nfsd_file_schedule_laundrette();
- }
+ nfsd_file_schedule_laundrette();
+ } else
+ nfsd_file_put_noref(nf);
+
if (atomic_long_read(&nfsd_filecache_count) >= NFSD_FILE_LRU_LIMIT)
nfsd_file_gc();
}