NFS/pnfs: Fix a credential use-after-free issue in pnfs_roc()
authorTrond Myklebust <trond.myklebust@hammerspace.com>
Mon, 20 Apr 2020 03:53:52 +0000 (23:53 -0400)
committerTrond Myklebust <trond.myklebust@hammerspace.com>
Mon, 20 Apr 2020 03:53:52 +0000 (23:53 -0400)
If the credential returned by pnfs_prepare_layoutreturn()
does not match the credential of the RPC call, then we do
end up calling pnfs_send_layoutreturn() with that credential,
so don't free it!

Fixes: 44ea8dfce021 ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
fs/nfs/pnfs.c

index 3bf6899cba95bb0bcb8f50eb620ff84e8363117e..dd2e14f5875d852cefaf4dab5887b01b2f5cbbd9 100644 (file)
@@ -1458,18 +1458,15 @@ retry:
        /* lo ref dropped in pnfs_roc_release() */
        layoutreturn = pnfs_prepare_layoutreturn(lo, &stateid, &lc_cred, &iomode);
        /* If the creds don't match, we can't compound the layoutreturn */
-       if (!layoutreturn)
+       if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)
                goto out_noroc;
-       if (cred_fscmp(cred, lc_cred) != 0)
-               goto out_noroc_put_cred;
 
        roc = layoutreturn;
        pnfs_init_layoutreturn_args(args, lo, &stateid, iomode);
        res->lrs_present = 0;
        layoutreturn = false;
-
-out_noroc_put_cred:
        put_cred(lc_cred);
+
 out_noroc:
        spin_unlock(&ino->i_lock);
        rcu_read_unlock();
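Review bot: The merged test `if (!layoutreturn || cred_fscmp(cred, lc_cred) != 0)` now jumps to `out_noroc` with the reference on `lc_cred` still held, but the comment above it only explains why the layoutreturn is not compounded, so the ownership rule the fix depends on is not written down. I would extend that comment to something like `/* Creds differ: no compound; keep the lc_cred ref, pnfs_send_layoutreturn() consumes it */`, and add `/* compound path: lc_cred no longer needed */` above `put_cred(lc_cred);`. The condition also relies on short-circuit evaluation so that `lc_cred` is only read when `pnfs_prepare_layoutreturn()` returned true, which presumably is the only case where it is set. The code after `out_noroc` is outside this hunk, so it cannot be confirmed from here that every path with `layoutreturn` still true hands `lc_cred` on or releases it; that is worth checking so the use-after-free is not traded for a reference leak.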