pNFS: Fix use-after-free in pnfs_update_layout()

When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(),
the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds,
pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(),
which still references 'lo'. This results in a use-after-free when the
tracepoint accesses lo's fields.

Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo).

Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>

diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index fdedeff5f6cc41675ce1e53950866e94196d5502..cb203821a3971bbf902422b52d0acd72047a9394 100644 (file)
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -2229,11 +2229,11 @@ lookup_again:
                dprintk("%s wait for layoutreturn\n", __func__);
                lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo));
                if (!IS_ERR(lseg)) {
-                       pnfs_put_layout_hdr(lo);
                        dprintk("%s retrying\n", __func__);
                        trace_pnfs_update_layout(ino, pos, count, iomode, lo,
                                                 lseg,
                                                 PNFS_UPDATE_LAYOUT_RETRY);
+                       pnfs_put_layout_hdr(lo);
                        goto lookup_again;
                }
                trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,