From: Wentao Liang Date: Mon, 18 May 2026 13:10:36 +0000 (+0000) Subject: pNFS: Fix use-after-free in pnfs_update_layout() X-Git-Tag: v7.2-rc1~46^2~30 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=13e198a90ca4050f4bee8a3f23680389a6563ccc;p=thirdparty%2Fkernel%2Flinux.git pNFS: Fix use-after-free in pnfs_update_layout() When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(), the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds, pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(), which still references 'lo'. This results in a use-after-free when the tracepoint accesses lo's fields. Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo). Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn") Cc: stable@vger.kernel.org Signed-off-by: Wentao Liang Signed-off-by: Anna Schumaker --- diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c index fdedeff5f6cc4..cb203821a3971 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c @@ -2229,11 +2229,11 @@ lookup_again: dprintk("%s wait for layoutreturn\n", __func__); lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo)); if (!IS_ERR(lseg)) { - pnfs_put_layout_hdr(lo); dprintk("%s retrying\n", __func__); trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg, PNFS_UPDATE_LAYOUT_RETRY); + pnfs_put_layout_hdr(lo); goto lookup_again; } trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
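Review bot: the error path just below the changed block, visible in the trailing context as a second `trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,` call, also dereferences `lo`, and the hunk ends before the line that releases it. Please confirm that the put on that path also comes after its tracepoint, so the same ordering holds on both exits of the NFS_LAYOUT_RETURN branch. In the retry block itself, the new order (`trace_pnfs_update_layout(...)`, then `pnfs_put_layout_hdr(lo);`, then `goto lookup_again;`) matches the commit message, and nothing visible touches `lo` between the put and the jump. The commit message would be stronger if it said whether this put can drop the last reference at this point, and whether the use-after-free was observed (for example in a KASAN report) or found by inspection, since that helps the stable maintainers judge the backport to trees carrying 2c8d5fc37fe2. A one-line comment above the moved put, noting that `lo` must not be used after it, would help keep a later tracepoint or dprintk from being added below it.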