NFSv4/pnfs: Fix a use-after-free bug in open

commit 1fb7932ae859c3a433e847cbda2039119d0e4c90 upstream.

If someone cancels the open RPC call, then we must not try to free
either the open slot or the layoutget operation arguments, since they
are likely still in use by the hung RPC call.

Fixes: 0f708016b758 ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 76157d31310f98a151720369926437ec746a215c..7c5dfed0437f7b8d4ce136513e5ed2733dba72d3 100644 (file)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3039,12 +3039,13 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata,
        }
 
 out:
-       if (opendata->lgp) {
-               nfs4_lgopen_release(opendata->lgp);
-               opendata->lgp = NULL;
-       }
-       if (!opendata->cancelled)
+       if (!opendata->cancelled) {
+               if (opendata->lgp) {
+                       nfs4_lgopen_release(opendata->lgp);
+                       opendata->lgp = NULL;
+               }
                nfs4_sequence_free_slot(&opendata->o_res.seq_res);
+       }
        return ret;
 }