Commit 9c548052 authored by Trond Myklebust's avatar Trond Myklebust Committed by sanglipeng

NFS: Fix a use after free in nfs_direct_join_group()

stable inclusion
from stable-v5.10.193
commit 7c262127d264f28fca52351226d182eeb553abc9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9399M

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7c262127d264f28fca52351226d182eeb553abc9



--------------------------------

commit be2fd156 upstream.

Be more careful when tearing down the subrequests of an O_DIRECT write
as part of a retransmission.

Reported-by: Chris Mason <clm@fb.com>
Fixes: ed5d588f ("NFS: Try to join page groups before an O_DIRECT retransmission")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
parent e975f2b6
+16 −10
@@ -509,20 +509,26 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter,
	return result;
}

static void
nfs_direct_join_group(struct list_head *list, struct inode *inode)
static void nfs_direct_join_group(struct list_head *list, struct inode *inode)
{
	struct nfs_page *req, *next;
	struct nfs_page *req, *subreq;

	list_for_each_entry(req, list, wb_list) {
		if (req->wb_head != req || req->wb_this_page == req)
		if (req->wb_head != req)
			continue;
		subreq = req->wb_this_page;
		if (subreq == req)
			continue;
		for (next = req->wb_this_page;
				next != req->wb_head;
				next = next->wb_this_page) {
			nfs_list_remove_request(next);
			nfs_release_request(next);
		do {
			/*
			 * Remove subrequests from this list before freeing
			 * them in the call to nfs_join_page_group().
			 */
			if (!list_empty(&subreq->wb_list)) {
				nfs_list_remove_request(subreq);
				nfs_release_request(subreq);
			}
		} while ((subreq = subreq->wb_this_page) != req);
		nfs_join_page_group(req, inode);
	}
}
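Review bot: The guard `if (!list_empty(&subreq->wb_list))` in the new do/while loop carries the whole fix, but the comment above it explains only the removal, not why `nfs_release_request(subreq)` has to be skipped for a subrequest that is not queued. As far as the hunk shows, that is the difference from the old loop, which released every subrequest unconditionally, so I would extend the comment with something like `Only drop the reference when the subrequest is actually on a list; releasing an unqueued one drops a reference this function does not own.` Note also that `list_empty()` on the entry only establishes that it is linked on some list, not specifically on `list`, so "this list" in the comment is an assumption about the callers that is worth stating. A one-line note that the outer `list_for_each_entry()` stays valid because only subrequests, never `req` itself, are unlinked would help the next reader; that presumably depends on how `nfs_list_remove_request()` unlinks the entry, which is outside the hunk.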