nfsd: fix potential UAF in nfsd4_cb_getattr_release

Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last. Fixes: c5967721 ("NFSD: handle GETATTR conflict with write delegation") Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

nfsd: fix potential UAF in nfsd4_cb_getattr_release
Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last. Fixes: c5967721 ("NFSD: handle GETATTR conflict with write delegation") Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
1116e0e3 · Jeff Layton · Chuck Lever · da05ba23 · 1116e0e3
Commit 1116e0e3 authored Aug 23, 2024 by Jeff Layton Committed by Chuck Lever Aug 26, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

fs/nfsd/nfs4state.c fs/nfsd/nfs4state.c +1 -1

No files found.
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -3078,9 +3078,9 @@ nfsd4_cb_getattr_release(struct nfsd4_callback *cb)
 	struct nfs4_delegation *dp =
 			container_of(ncf, struct nfs4_delegation, dl_cb_fattr);
-	nfs4_put_stid(&dp->dl_stid);
 	clear_bit(CB_GETATTR_BUSY, &ncf->ncf_cb_flags);
 	wake_up_bit(&ncf->ncf_cb_flags, CB_GETATTR_BUSY);
+	nfs4_put_stid(&dp->dl_stid);
 }
 static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = {