From: Trond Myklebust
Date: Mon, 20 Apr 2020 03:53:52 +0000 (-0400)
Subject: NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()
X-Git-Tag: v5.7-rc4~5^2~7
X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=4d8948c7334a970eab113a4bcf45b1920a5a1625;p=linux-2.6-block.git

NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()

If the credential returned by pnfs_prepare_layoutreturn() does not match the credential of the RPC call, then we do end up calling pnfs_send_layoutreturn() with that credential, so don't free it!

Fixes: 44ea8dfce021 ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()")
Signed-off-by: Trond Myklebust
---
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c index 3bf6899cba95..dd2e14f5875d 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c @@ -1458,18 +1458,15 @@ retry: /* lo ref dropped in pnfs_roc_release() */ layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode); /* If the creds don't match, we can't compound the layoutreturn */ - if (!layoutreturn) + if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0) goto out_noroc; - if (cred_fscmp(cred, lc_cred) != 0) - goto out_noroc_put_cred; roc = layoutreturn; pnfs_init_layoutreturn_args(args, lo, &stateid, iomode); res->lrs_present = 0; layoutreturn = false; - -out_noroc_put_cred: put_cred(lc_cred); + out_noroc: spin_unlock(&ino->i_lock); rcu_read_unlock();
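
Review bot: In the merged test `if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)`, the credential-mismatch path now reaches out_noroc with layoutreturn still true and the lc_cred reference still held, but nothing in the hunk says so: the retained comment only explains why the layoutreturn cannot be compounded. Since the placement of put_cred(lc_cred) above the out_noroc label is what makes this correct, I would extend that comment to state that on a mismatch the reference is deliberately kept for the later pnfs_send_layoutreturn() call named in the commit message, and that put_cred() runs only on the compound path, where layoutreturn is cleared. It would also help to confirm, since it is not visible in these lines, that lc_cred carries no reference when pnfs_prepare_layoutreturn() returns false, because that path skips put_cred() both before and after this change.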