| author | Wentao Liang <vulab@iscas.ac.cn> | 2026-05-18 16:10:36 +0300 |
|---|---|---|
| committer | Anna Schumaker <anna.schumaker@hammerspace.com> | 2026-06-08 17:21:55 +0300 |
| commit | 13e198a90ca4050f4bee8a3f23680389a6563ccc (patch) | |
| tree | 4e5c87fc830678bf352d7bb89e08aa68f5c0d84a | |
| parent | 35168eb947f230aaa35fd8416a30563ef89f5421 (diff) | |
| download | linux-13e198a90ca4050f4bee8a3f23680389a6563ccc.tar.xz | |
pNFS: Fix use-after-free in pnfs_update_layout()

When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(),
the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds,
pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(),
which still references 'lo'. This results in a use-after-free when the
tracepoint accesses lo's fields.

Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo).

Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
| -rw-r--r-- | fs/nfs/pnfs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c index fdedeff5f6cc..cb203821a397 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c @@ -2229,11 +2229,11 @@ lookup_again: dprintk("%s wait for layoutreturn\n", __func__); lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo)); if (!IS_ERR(lseg)) { - pnfs_put_layout_hdr(lo); dprintk("%s retrying\n", __func__); trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg, PNFS_UPDATE_LAYOUT_RETRY); + pnfs_put_layout_hdr(lo); goto lookup_again; } trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg, |
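Review bot: In the `if (!IS_ERR(lseg))` retry branch, nothing but statement order now keeps `lo` valid for the tracepoint, so a one-line comment above the moved `pnfs_put_layout_hdr(lo);` stating that `lo` must not be dereferenced after the put would protect against a later edit sliding a tracepoint or debug print below it again. The `trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,` call that follows the closing brace in the trailing context also passes `lo`; the visible lines do not show where the reference is dropped on that error path, so it would help if the commit message said that path was checked and still holds a reference when it traces.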
