Commit be2fd156 authored by Trond Myklebust

NFS: Fix a use after free in nfs_direct_join_group()



Be more careful when tearing down the subrequests of an O_DIRECT write
as part of a retransmission.

Reported-by: Chris Mason <clm@fb.com>
Fixes: ed5d588f ("NFS: Try to join page groups before an O_DIRECT retransmission")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
parent 1cbc11aa
+16 −10
@@ -472,20 +472,26 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter,
	return result;
}

static void
nfs_direct_join_group(struct list_head *list, struct inode *inode)
static void nfs_direct_join_group(struct list_head *list, struct inode *inode)
{
	struct nfs_page *req, *next;
	struct nfs_page *req, *subreq;

	list_for_each_entry(req, list, wb_list) {
		if (req->wb_head != req || req->wb_this_page == req)
		if (req->wb_head != req)
			continue;
		subreq = req->wb_this_page;
		if (subreq == req)
			continue;
		for (next = req->wb_this_page;
				next != req->wb_head;
				next = next->wb_this_page) {
			nfs_list_remove_request(next);
			nfs_release_request(next);
		do {
			/*
			 * Remove subrequests from this list before freeing
			 * them in the call to nfs_join_page_group().
			 */
			if (!list_empty(&subreq->wb_list)) {
				nfs_list_remove_request(subreq);
				nfs_release_request(subreq);
			}
		} while ((subreq = subreq->wb_this_page) != req);
		nfs_join_page_group(req, inode);
	}
}
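Review bot: The loop condition `while ((subreq = subreq->wb_this_page) != req)` dereferences `subreq` after `nfs_release_request(subreq)` has dropped the reference the list held on it, so the new loop is only sound if the page group itself still holds a reference to every subrequest until `nfs_join_page_group()` runs; the comment inside the loop implies this but does not state it. I would extend that comment with `The page group keeps its own reference to each subrequest, so subreq remains valid after nfs_release_request() until nfs_join_page_group() below.` Likewise, entries are removed from `list` while walking it with `list_for_each_entry()` rather than the `_safe` variant, which is fine only because `req` (the group head) is never removed inside the body; a one-line comment on the `list_for_each_entry()` line naming that invariant would stop a later reader from "fixing" it. The `list_empty(&subreq->wb_list)` test presumably relies on `nfs_list_remove_request()` re-initialising the node (list_del_init rather than list_del); that is not visible in the hunk and is worth confirming, since a plain list_del would leave a stale non-empty node and re-run the release on a subsequent retransmission.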