diff options
author | Chuck Lever <chuck.lever@oracle.com> | 2022-05-31 19:49:01 -0400 |
---|---|---|
committer | Chuck Lever <chuck.lever@oracle.com> | 2022-06-02 13:05:58 -0400 |
commit | b6c71c66b0ad8f2b59d9bc08c7a5079b110bec01 (patch) | |
tree | 95437836d9d92452761afcb80df88156d58bdff9 /fs/nfsd | |
parent | 9ff9f77f34e44a0054eadb9041e459548c955ccb (diff) |
NFSD: Fix potential use-after-free in nfsd_file_put()
nfsd_file_put_noref() can free @nf, so don't dereference @nf
immediately upon return from nfsd_file_put_noref().
Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
Fixes: 999397926ab3 ("nfsd: Clean up nfsd_file_put()")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'fs/nfsd')
-rw-r--r-- | fs/nfsd/filecache.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c index d32fcd8ad457..148b25a43caf 100644 --- a/fs/nfsd/filecache.c +++ b/fs/nfsd/filecache.c @@ -308,11 +308,12 @@ nfsd_file_put(struct nfsd_file *nf) if (test_bit(NFSD_FILE_HASHED, &nf->nf_flags) == 0) { nfsd_file_flush(nf); nfsd_file_put_noref(nf); - } else { + } else if (nf->nf_file) { nfsd_file_put_noref(nf); - if (nf->nf_file) - nfsd_file_schedule_laundrette(); - } + nfsd_file_schedule_laundrette(); + } else + nfsd_file_put_noref(nf); + if (atomic_long_read(&nfsd_filecache_count) >= NFSD_FILE_LRU_LIMIT) nfsd_file_gc(); } |