From: Weston Andros Adamson Date: Mon, 20 Jan 2014 03:45:36 +0000 (-0500) Subject: nfs4: fix discover_server_trunking use after free X-Git-Tag: firefly_0821_release~3679^2~2899 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=daab6e7df44ba7d4281379c6ac5780e10d133286;p=firefly-linux-kernel-4.4.55.git nfs4: fix discover_server_trunking use after free commit abad2fa5ba67725a3f9c376c8cfe76fbe94a3041 upstream. If clp is new (cl_count = 1) and it matches another client in nfs4_discover_server_trunking, the nfs_put_client will free clp before ->cl_preserve_clid is set. Signed-off-by: Weston Andros Adamson Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman --- diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c index 3afae9059222..02773aab43c5 100644 --- a/fs/nfs/nfs4client.c +++ b/fs/nfs/nfs4client.c @@ -240,13 +240,11 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp, error = nfs4_discover_server_trunking(clp, &old); if (error < 0) goto error; - nfs_put_client(clp); - if (clp != old) { - clp->cl_preserve_clid = true; - clp = old; - } - return clp; + if (clp != old) + clp->cl_preserve_clid = true; + nfs_put_client(clp); + return old; error: nfs_mark_client_ready(clp, error);
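Review bot: the added lines in nfs4_init_client() depend on an ordering that the code itself does not record: `clp->cl_preserve_clid = true;` has to come before `nfs_put_client(clp);`, because, as the commit message says, that put can free clp when it is new (cl_count = 1) and matched another client. A one-line comment above `nfs_put_client(clp);` saying that clp must not be dereferenced after this call when clp != old would keep a later cleanup from moving the flag assignment back below the put. Returning `old` instead of reassigning and returning `clp` is the right shape for the same reason, since no live use of the possibly freed pointer remains on the success path. It is also worth confirming that the `error:` label is reachable only from before this put, since `nfs_mark_client_ready(clp, error)` there still dereferences clp.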