nfsd: fix potential UAF in nfsd4_cb_getattr_release

jtlayton · chucklever · commit 1116e0e372eb · 2024-08-26T11:53:05.000-04:00
Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last. Fixes: c596772 ("NFSD: handle GETATTR conflict with write delegation") Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
@@ -3078,9 +3078,9 @@ nfsd4_cb_getattr_release(struct nfsd4_callback *cb)
 	struct nfs4_delegation *dp =
 			container_of(ncf, struct nfs4_delegation, dl_cb_fattr);
 
-	nfs4_put_stid(&dp->dl_stid);
 	clear_bit(CB_GETATTR_BUSY, &ncf->ncf_cb_flags);
 	wake_up_bit(&ncf->ncf_cb_flags, CB_GETATTR_BUSY);
+	nfs4_put_stid(&dp->dl_stid);
 }
 
 static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = {

Original file line number	Diff line number	Diff line change
`@@ -3078,9 +3078,9 @@ nfsd4_cb_getattr_release(struct nfsd4_callback *cb)`
`3078`	`3078`	`struct nfs4_delegation *dp =`
`3079`	`3079`	`container_of(ncf, struct nfs4_delegation, dl_cb_fattr);`
`3080`	`3080`
`3081`		`- nfs4_put_stid(&dp->dl_stid);`
`3082`	`3081`	`clear_bit(CB_GETATTR_BUSY, &ncf->ncf_cb_flags);`
`3083`	`3082`	`wake_up_bit(&ncf->ncf_cb_flags, CB_GETATTR_BUSY);`
	`3083`	`+ nfs4_put_stid(&dp->dl_stid);`
`3084`	`3084`	`}`
`3085`	`3085`
`3086`	`3086`	`static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = {`