Commit 1116e0e3 authored by Jeff Layton, committed by Chuck Lever

nfsd: fix potential UAF in nfsd4_cb_getattr_release



Once we drop the delegation reference, the fields embedded in it are no
longer safe to access. Do that last.

Fixes: c5967721 ("NFSD: handle GETATTR conflict with write delegation")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
parent da05ba23
+1 −1
@@ -3078,9 +3078,9 @@ nfsd4_cb_getattr_release(struct nfsd4_callback *cb)
	struct nfs4_delegation *dp =
			container_of(ncf, struct nfs4_delegation, dl_cb_fattr);

	nfs4_put_stid(&dp->dl_stid);
	clear_bit(CB_GETATTR_BUSY, &ncf->ncf_cb_flags);
	wake_up_bit(&ncf->ncf_cb_flags, CB_GETATTR_BUSY);
	nfs4_put_stid(&dp->dl_stid);
}

static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = {
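Review bot: at the tail of nfsd4_cb_getattr_release, nothing in the code records that nfs4_put_stid(&dp->dl_stid) has to come last. ncf is embedded in dp (the container_of on dl_cb_fattr shows this), so the clear_bit() and wake_up_bit() calls on ncf->ncf_cb_flags touch delegation memory; a one-line comment above the final put, along the lines of "drop the reference last, ncf lives inside dp", would keep a later cleanup from moving it back up. Separately, clear_bit() is followed directly by wake_up_bit() with no barrier between them; clear_and_wake_up_bit(CB_GETATTR_BUSY, &ncf->ncf_cb_flags) would handle that ordering in a single call and could go in as a follow-up.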