diff options
| author |  Anna Schumaker <Anna.Schumaker@Netapp.com>
| 2023-05-16 11:19:25 -0400 |
|---|---|---|
| committer | Anna Schumaker <Anna.Schumaker@Netapp.com>
| 2023-05-19 17:11:59 -0400 |
| commit | 43439d858bbae244a510de47f9a55f667ca4ed52 (patch) | |
| tree | faaf5058f6c06f65e62beb1b6d6dfe4b77c94f36 /fs | |
| parent | SUNRPC: Don't change task->tk_status after the call to rpc_exit_task (diff) | |
| download | linux-43439d858bbae244a510de47f9a55f667ca4ed52.tar.gz linux-43439d858bbae244a510de47f9a55f667ca4ed52.tar.bz2 linux-43439d858bbae244a510de47f9a55f667ca4ed52.zip | |
NFSv4.2: Fix a potential double free with READ_PLUS
kfree()-ing the scratch page isn't enough, we also need to set the pointer
back to NULL to avoid a double-free in the case of a resend.
Fixes: fbd2a05f29a9 (NFSv4.2: Rework scratch handling for READ_PLUS)
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/nfs/nfs4proc.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 18f25ff4bff7..d3665390c4cb 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -5437,10 +5437,18 @@ static bool nfs4_read_plus_not_supported(struct rpc_task *task, return false; } -static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) +static inline void nfs4_read_plus_scratch_free(struct nfs_pgio_header *hdr) { - if (hdr->res.scratch) + if (hdr->res.scratch) { kfree(hdr->res.scratch); + hdr->res.scratch = NULL; + } +} + +static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) +{ + nfs4_read_plus_scratch_free(hdr); + if (!nfs4_sequence_done(task, &hdr->res.seq_res)) return -EAGAIN; if (nfs4_read_stateid_changed(task, &hdr->args)) |