nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint

When we fail to insert into the hashtable with a non-retryable error,
we'll free the object and then goto out_status. If the tracepoint is
enabled, it'll end up accessing the freed object when it tries to
grab the fields out of it.

Set nf to NULL after freeing it to avoid the issue.

Fixes: 243a526301 ("nfsd: rework hashtable handling in nfsd_do_file_acquire")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Jeff Layton 2022-11-05 09:49:26 -04:00, committed by Chuck Lever
Parent d3aefd2b29
Commit bdd6b5624c
1 changed file: 1 addition and 0 deletions


@ -1076,6 +1076,7 @@ retry:
goto open_file; goto open_file;
nfsd_file_slab_free(&nf->nf_rcu); nfsd_file_slab_free(&nf->nf_rcu);
nf = NULL;
if (ret == -EEXIST) if (ret == -EEXIST)
goto retry; goto retry;
trace_nfsd_file_insert_err(rqstp, key.inode, may_flags, ret); trace_nfsd_file_insert_err(rqstp, key.inode, may_flags, ret);
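
Review bot: The added "nf = NULL;" right after "nfsd_file_slab_free(&nf->nf_rcu);" carries no comment, and the code that depends on it (the tracepoint reached through out_status, per the commit message) is not visible in this hunk, so a later cleanup could drop the assignment as dead code. Suggest a one-line comment on that line saying the pointer is cleared because the out_status tracepoint reads nf, and please confirm that tracepoint tolerates a NULL nf, since nothing shown here demonstrates it. The assignment also sits ahead of "if (ret == -EEXIST) goto retry;", so it is worth checking that nothing after the retry label dereferences nf before it is assigned again.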