    NFS4: Avoid NULL reference or double free in nfsd4_fslocs_free() · a1f05514
    Kinglong Mee authored
    If fsloc_parse() failed at kzalloc(), fs/nfsd/export.c
     411
     412         fsloc->locations = kzalloc(fsloc->locations_count
     413                         * sizeof(struct nfsd4_fs_location), GFP_KERNEL);
     414         if (!fsloc->locations)
     415                 return -ENOMEM;
    
    svc_export_parse() will call nfsd4_fslocs_free() with fsloc->locations = NULL,
    so "kfree(fsloc->locations[i].path);" will cause a crash.
    
    If fsloc_parse() failed after that, fsloc_parse() will call nfsd4_fslocs_free(),
    and svc_export_parse() will call it again, so a double free is caused.
    
    This patch checks fsloc->locations, and sets it to NULL after it is freed.
    Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
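The two failure modes the commit message describes (cleanup called with a NULL array, and cleanup called twice when the parser and its caller both free on error) are easy to reproduce in userspace. The block below is an added example, not the kernel's code: it models fsloc_parse(), svc_export_parse() and the fixed nfsd4_fslocs_free() with the struct and function names from the commit message, but the bodies, the fail_at injection enum, the real_frees counter and the sample export paths are assumptions made for illustration. The fixed free returns early on a NULL array and nulls the pointer after releasing it, so the caller's second call is a no-op.

```c
/* Added example: userspace model of the nfsd4_fslocs_free() fix.
 * Names mirror the commit message; bodies, the failure injection and
 * the counters are assumptions for illustration, not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct nfsd4_fs_location {
	char *hosts;
	char *path;
};

struct nfsd4_fs_locations {
	int locations_count;
	struct nfsd4_fs_location *locations;
};

/* Assumed failure injection: which allocation in fsloc_parse() fails. */
enum fail_at { FAIL_NONE, FAIL_ARRAY, FAIL_LAST_PATH };

/* Number of nfsd4_fslocs_free() calls that actually released memory. */
static int real_frees;

static char *dup_str(const char *s)
{
	size_t n = strlen(s) + 1;
	char *d = malloc(n);

	if (d)
		memcpy(d, s, n);
	return d;
}

/* Fixed cleanup: bail out when the array was never allocated, and reset
 * the pointer after freeing so a second call does nothing instead of
 * freeing the same memory again. */
static void nfsd4_fslocs_free(struct nfsd4_fs_locations *fsloc)
{
	int i;

	if (!fsloc->locations)
		return;

	for (i = 0; i < fsloc->locations_count; i++) {
		free(fsloc->locations[i].path);
		free(fsloc->locations[i].hosts);
	}
	free(fsloc->locations);
	fsloc->locations = NULL;
	fsloc->locations_count = 0;
	real_frees++;
}

/* Model of fsloc_parse(): allocate the array (calloc stands in for
 * kzalloc), fill each entry, and free everything itself on a later error. */
static int fsloc_parse(struct nfsd4_fs_locations *fsloc,
		       const char *const *paths, int count, enum fail_at fail)
{
	int i;

	fsloc->locations_count = count;
	fsloc->locations = (fail == FAIL_ARRAY) ? NULL :
		calloc((size_t)count, sizeof(struct nfsd4_fs_location));
	if (!fsloc->locations)
		return -ENOMEM;	/* caller still calls nfsd4_fslocs_free() */

	for (i = 0; i < count; i++) {
		fsloc->locations[i].hosts = dup_str("srv.example");
		fsloc->locations[i].path = (fail == FAIL_LAST_PATH && i == count - 1)
			? NULL : dup_str(paths[i]);
		if (!fsloc->locations[i].hosts || !fsloc->locations[i].path) {
			nfsd4_fslocs_free(fsloc);	/* first free */
			return -ENOMEM;
		}
	}
	return 0;
}

/* Model of svc_export_parse(): unconditionally frees on error, which is
 * the second free from the commit message. Paths are constructed input. */
static int svc_export_parse(enum fail_at fail)
{
	static const char *const paths[] = { "/export/a", "/export/b" };
	struct nfsd4_fs_locations fsloc = { 0, NULL };
	int err = fsloc_parse(&fsloc, paths, 2, fail);

	if (err) {
		nfsd4_fslocs_free(&fsloc);	/* second free on the error path */
		return err;
	}
	nfsd4_fslocs_free(&fsloc);	/* normal release */
	return 0;
}

/* Scenario helpers: the error code returned, and how many real frees ran. */
static int err_for(enum fail_at fail)
{
	real_frees = 0;
	return svc_export_parse(fail);
}

static int frees_for(enum fail_at fail)
{
	real_frees = 0;
	svc_export_parse(fail);
	return real_frees;
}

int main(void)
{
	printf("success:      err=%d frees=%d\n", err_for(FAIL_NONE), frees_for(FAIL_NONE));
	printf("kzalloc fail: err=%d frees=%d\n", err_for(FAIL_ARRAY), frees_for(FAIL_ARRAY));
	printf("path fail:    err=%d frees=%d\n", err_for(FAIL_LAST_PATH), frees_for(FAIL_LAST_PATH));
	return 0;
}
```

With the NULL check removed, the FAIL_ARRAY case dereferences a NULL array in the free loop; with the `fsloc->locations = NULL` reset removed, the FAIL_LAST_PATH case frees the same array twice (run under AddressSanitizer to see either). With both in place, every scenario releases the memory exactly once.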