nfsd: fix error handling in nfs4_set_delegation()
authorAndrew Elble <aweits@rit.edu>
Wed, 18 Apr 2018 21:04:37 +0000 (17:04 -0400)
committerJ. Bruce Fields <bfields@redhat.com>
Fri, 8 Jun 2018 20:42:29 +0000 (16:42 -0400)
I noticed a memory corruption crash in nfsd in
4.17-rc1. This patch corrects the issue.

Fix to return error if the delegation couldn't be hashed or there was
a recall in progress. Use the existing error path instead of
destroy_delegation() for readability.

Signed-off-by: Andrew Elble <aweits@rit.edu>
Fixes: 353601e7d323c ("nfsd: create a separate lease for each delegation")
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
fs/nfsd/nfs4state.c

index fc74d6f46bd5d17a2adf89a4d2ddc80f9e5c44cd..3b40d1b57613b5d57c861bfb7866ea9bbb244127 100644 (file)
@@ -4378,8 +4378,11 @@ nfs4_set_delegation(struct nfs4_client *clp, struct svc_fh *fh,
        spin_unlock(&state_lock);
 
        if (status)
-               destroy_unhashed_deleg(dp);
+               goto out_unlock;
+
        return dp;
+out_unlock:
+       vfs_setlease(fp->fi_deleg_file, F_UNLCK, NULL, (void **)&dp);
 out_clnt_odstate:
        put_clnt_odstate(dp->dl_clnt_odstate);
 out_stid: