nfs4: fix discover_server_trunking use after free (abad2fa5) · Commits · e / devices / android_kernel_samsung_exynos9810

If clp is new (cl_count = 1) and it matches another client in nfs4_discover_server_trunking, the nfs_put_client will free clp before ->cl_preserve_clid is set. Cc: stable@vger.kernel.org # 3.7+ Signed-off-by:

Weston Andros Adamson <dros@primarydata.com> Signed-off-by:

Trond Myklebust <trond.myklebust@primarydata.com>

fs/nfs/nfs4client.c

+4 −6

Original line number	Original line	Diff line number	Diff line
	@@ -414,13 +414,11 @@ struct nfs_client nfs4_init_client(struct nfs_client clp,
	error = nfs4_discover_server_trunking(clp, &old);		error = nfs4_discover_server_trunking(clp, &old);
	if (error < 0)		if (error < 0)
	goto error;		goto error;
	nfs_put_client(clp);
	if (clp != old) {
	clp->cl_preserve_clid = true;
	clp = old;
	}

	return clp;		if (clp != old)
			clp->cl_preserve_clid = true;
			nfs_put_client(clp);
			return old;

	error:		error:
	nfs_mark_client_ready(clp, error);		nfs_mark_client_ready(clp, error);