nfs4: fix discover_server_trunking use after free

commit abad2fa5ba67725a3f9c376c8cfe76fbe94a3041 upstream.

If clp is new (cl_count = 1) and it matches another client in
nfs4_discover_server_trunking, the nfs_put_client will free clp before
->cl_preserve_clid is set.

Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
index 5049c5a20e62ff4ab49dfd99db3f878169fa4856..2b9bfbaab5043dea66213a5965a4252fe7907932 100644 (file)
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -409,13 +409,11 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp,
        error = nfs4_discover_server_trunking(clp, &old);
        if (error < 0)
                goto error;
-       nfs_put_client(clp);
-       if (clp != old) {
-               clp->cl_preserve_clid = true;
-               clp = old;
-       }
 
-       return clp;
+       if (clp != old)
+               clp->cl_preserve_clid = true;
+       nfs_put_client(clp);
+       return old;
 
 error:
        nfs_mark_client_ready(clp, error);