From 1926cada4a7acf48aa7cbf5ef8bb8942ae10b522 Mon Sep 17 00:00:00 2001 From: Shreyas Siravara Date: Thu, 7 Dec 2017 08:00:16 -0800 Subject: nfs: Reference count export items Export items are used in the auth cache and need to be reference counted to avoid use-after free bugs. Change-Id: I5cdcdc1cc6abad26c7077d66a14f263da07678ac BUG: 1522847 Signed-off-by: Shreyas Siravara --- xlators/nfs/server/src/auth-cache.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'xlators/nfs/server/src/auth-cache.c') diff --git a/xlators/nfs/server/src/auth-cache.c b/xlators/nfs/server/src/auth-cache.c index 2b37a7f06bd..a1aacaba61a 100644 --- a/xlators/nfs/server/src/auth-cache.c +++ b/xlators/nfs/server/src/auth-cache.c @@ -232,6 +232,8 @@ auth_cache_get (struct auth_cache *cache, char *hashkey, if (_auth_cache_expired (cache, lookup_res)) { ret = ENTRY_EXPIRED; + GF_REF_PUT (lookup_res->item); + lookup_res->item = NULL; /* free entry and remove from the cache */ GF_FREE (lookup_res); @@ -473,7 +475,11 @@ cache_nfs_fh (struct auth_cache *cache, struct nfs3_fh *fh, } entry->timestamp = time (NULL); - entry->item = export_item; + /* Update entry->item if it is pointing to a different export_item */ + if (entry->item && entry->item != export_item) { + GF_REF_PUT (entry->item); + } + entry->item = GF_REF_GET (export_item); ret = auth_cache_add (cache, hashkey, entry); GF_REF_PUT (entry); -- cgit