summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWentao Liang <vulab@iscas.ac.cn>2026-05-18 16:10:36 +0300
committerAnna Schumaker <anna.schumaker@hammerspace.com>2026-06-08 17:21:55 +0300
commit13e198a90ca4050f4bee8a3f23680389a6563ccc (patch)
tree4e5c87fc830678bf352d7bb89e08aa68f5c0d84a
parent35168eb947f230aaa35fd8416a30563ef89f5421 (diff)
downloadlinux-13e198a90ca4050f4bee8a3f23680389a6563ccc.tar.xz
pNFS: Fix use-after-free in pnfs_update_layout()
When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(), the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds, pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(), which still references 'lo'. This results in a use-after-free when the tracepoint accesses lo's fields. Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo). Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn") Cc: stable@vger.kernel.org Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
-rw-r--r--fs/nfs/pnfs.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index fdedeff5f6cc..cb203821a397 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -2229,11 +2229,11 @@ lookup_again:
dprintk("%s wait for layoutreturn\n", __func__);
lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo));
if (!IS_ERR(lseg)) {
- pnfs_put_layout_hdr(lo);
dprintk("%s retrying\n", __func__);
trace_pnfs_update_layout(ino, pos, count, iomode, lo,
lseg,
PNFS_UPDATE_LAYOUT_RETRY);
+ pnfs_put_layout_hdr(lo);
goto lookup_again;
}
trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,