NFSv4: Fix a use-after-free problem in open()
author Trond Myklebust <trond.myklebust@primarydata.com>
Wed, 26 Mar 2014 20:24:37 +0000 (13:24 -0700)
committer Trond Myklebust <trond.myklebust@primarydata.com>
Sat, 29 Mar 2014 00:12:10 +0000 (20:12 -0400)
commit e911b8158ee1def8153849b1641b736026b036e0
tree b9c302ffd9e9580afe59b3d56b2380ea9e76204e
parent 494314c415e2d3b308f57c9245ae6525166c70b8
NFSv4: Fix a use-after-free problem in open()

If we interrupt the nfs4_wait_for_completion_rpc_task() call in
nfs4_run_open_task(), then we don't prevent the RPC call from
completing. So freeing up the opendata->f_attr.mdsthreshold
in the error path in _nfs4_do_open() leads to a use-after-free
when the XDR decoder tries to decode the mdsthreshold information
from the server.

Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN)
Tested-by: Steve Dickson <SteveD@redhat.com>
Cc: stable@vger.kernel.org # 3.5+
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
fs/nfs/nfs4proc.c
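
The lifetime problem in the commit message, as an added userspace model (not code from this commit or from the kernel): an opener whose wait is interrupted while the RPC still completes and decodes into a buffer. The two-reference count, the tracked pool and every name are assumptions of the model, as is the remedy of freeing the buffer only in the release callback, since the page shows no diff.

```c
/* Userspace model (constructed; not kernel code): who may free a buffer an in-flight RPC decodes into. */
#include <stdio.h>
#include <stdlib.h>

struct threshold { int live; unsigned bm; };      /* stands in for mdsthreshold */
struct opendata { int refs; struct threshold *th; };

static struct threshold pool[1];                  /* tracked storage: "free" only clears live */
static struct threshold *th_alloc(void) { pool[0].live = 1; pool[0].bm = 0; return &pool[0]; }
static void th_free(struct threshold *t) { if (t) t->live = 0; }

/* Drop one reference; the release work runs only when the last one goes away. */
static void opendata_put(struct opendata *d, int free_in_release)
{
    if (--d->refs > 0)
        return;
    if (free_in_release)
        th_free(d->th);                           /* buffer lives as long as its last user */
    free(d);
}

/* RPC completion: the decoder writes into th. Returns -1 if th was already freed. */
static int rpc_complete(struct opendata *d, int free_in_release)
{
    int rc = d->th->live ? 0 : -1;                /* -1 models the use-after-free */
    if (rc == 0)
        d->th->bm = 0x7;                          /* constructed reply value */
    opendata_put(d, free_in_release);             /* RPC task drops its reference */
    return rc;
}

/* Opener whose wait is interrupted before the reply arrives. */
static int interrupted_open(int free_in_release)
{
    struct opendata *d = malloc(sizeof(*d));
    if (!d)
        return -2;
    d->refs = 2;                                  /* one for the opener, one for the RPC task */
    d->th = th_alloc();
    if (!free_in_release)
        th_free(d->th);                           /* error path frees while the RPC is in flight */
    opendata_put(d, free_in_release);             /* opener drops its reference */
    return rpc_complete(d, free_in_release);      /* reply is decoded afterwards */
}

int main(void)
{
    printf("free in error path:       %d\n", interrupted_open(0));
    printf("free in release callback: %d\n", interrupted_open(1));
    return 0;
}
```

The pool keeps the storage mapped after `th_free()`, so the model can report the stale access through the `live` flag instead of actually touching freed memory.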