Commit 43439d85 authored by Anna Schumaker

NFSv4.2: Fix a potential double free with READ_PLUS



kfree()-ing the scratch page isn't enough, we also need to set the pointer
back to NULL to avoid a double-free in the case of a resend.

Fixes: fbd2a05f (NFSv4.2: Rework scratch handling for READ_PLUS)
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
parent d180891f
+10 −2
@@ -5437,10 +5437,18 @@ static bool nfs4_read_plus_not_supported(struct rpc_task *task,
	return false;
}

static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
static inline void nfs4_read_plus_scratch_free(struct nfs_pgio_header *hdr)
{
	if (hdr->res.scratch)
	if (hdr->res.scratch) {
		kfree(hdr->res.scratch);
		hdr->res.scratch = NULL;
	}
}

static int nfs4_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
{
	nfs4_read_plus_scratch_free(hdr);

	if (!nfs4_sequence_done(task, &hdr->res.seq_res))
		return -EAGAIN;
	if (nfs4_read_stateid_changed(task, &hdr->args))
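Review bot: The `if (hdr->res.scratch)` guard in nfs4_read_plus_scratch_free is redundant, since kfree() accepts a NULL pointer and storing NULL into an already-NULL field is harmless; the body could be reduced to `kfree(hdr->res.scratch);` followed by `hdr->res.scratch = NULL;`. The reason for the reset lives only in the commit message, so a short comment above the assignment would help the next reader, e.g. `/* Clear so a resent READ_PLUS cannot free the scratch page twice */`. nfs4_read_done continues past the end of the hunk.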