android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

NFSv4.2: Fix a potential double free with READ_PLUS

Browse Source 
commit 43439d858bbae244a510de47f9a55f667ca4ed52 upstream.

kfree()-ing the scratch page isn't enough, we also need to set the pointer
back to NULL to avoid a double-free in the case of a resend.

Fixes: fbd2a05f29a9 (NFSv4.2: Rework scratch handling for READ_PLUS)
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Anna Schumaker 2023-05-16 11:19:25 -04:00 committed by Greg Kroah-Hartman
parent d9ece8c026
commit 7795634751
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
fs/nfs/nfs4proc.c
View File

@ -5444,10 +5444,18 @@ static bool nfs4_read_plus_not_supported(struct rpc_task *task,
return false;
}
static inline void nfs4_read_plus_scratch_free(struct nfs_pgio_header *hdr)
{
if (hdr->res.scratch) {
kfree(hdr->res.scratch);
hdr->res.scratch = NULL;
}
}
static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
{
if (hdr->res.scratch)
kfree(hdr->res.scratch);
nfs4_read_plus_scratch_free(hdr);
if (!nfs4_sequence_done(task, &hdr->res.seq_res))
return -EAGAIN;
if (nfs4_read_stateid_changed(task, &hdr->args))