nfsd_set_fh_dentry() gets a dentry reference before checking whether an
NFSv2 or NFSv3 filehandle resolves to a V4ROOT export. Such filehandles
are rejected, but the rejection path jumps to out before the dentry is
stored in fhp->fh_dentry.
As a result, fh_put() will not see the dentry, and the out path only
drops the export reference. The dentry reference obtained by dget() or
exportfs_decode_fh_raw() is therefore leaked.
Add a separate error path for the V4ROOT rejection case that drops the
dentry reference before dropping the export reference.
Fixes: 8a7348a9ed70 ("nfsd: fix refcount leak in nfsd_set_fh_dentry()")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
fs/nfsd/nfsfh.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 429ca5c6ec08..2ca5bb5b5e88 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -345,20 +345,22 @@ static __be32 nfsd_set_fh_dentry(struct svc_rqst *rqstp, struct net *net,
fhp->fh_no_wcc = true;
fhp->fh_64bit_cookies = true;
if (exp->ex_flags & NFSEXP_V4ROOT)
- goto out;
+ goto out_dput;
break;
case NFS_FHSIZE:
fhp->fh_no_wcc = true;
if (EX_WGATHER(exp))
fhp->fh_use_wgather = true;
if (exp->ex_flags & NFSEXP_V4ROOT)
- goto out;
+ goto out_dput;
}
fhp->fh_dentry = dentry;
fhp->fh_export = exp;
return 0;
+out_dput:
+ dput(dentry);
out:
exp_put(exp);
return error;
--
2.43.0