[PATCH] nfsd: Fix dentry refcount leak in nfsd_set_fh_dentry()

Guangshuo Li posted 1 patch an hour ago
fs/nfsd/nfsfh.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
[PATCH] nfsd: Fix dentry refcount leak in nfsd_set_fh_dentry()
Posted by Guangshuo Li an hour ago
nfsd_set_fh_dentry() gets a dentry reference before checking whether an
NFSv2 or NFSv3 filehandle resolves to a V4ROOT export. Such filehandles
are rejected, but the rejection path jumps to out before the dentry is
stored in fhp->fh_dentry.

As a result, fh_put() will not see the dentry, and the out path only
drops the export reference. The dentry reference obtained by dget() or
exportfs_decode_fh_raw() is therefore leaked.

Add a separate error path for the V4ROOT rejection case that drops the
dentry reference before dropping the export reference.

Fixes: 8a7348a9ed70 ("nfsd: fix refcount leak in nfsd_set_fh_dentry()")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 fs/nfsd/nfsfh.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 429ca5c6ec08..2ca5bb5b5e88 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -345,20 +345,22 @@ static __be32 nfsd_set_fh_dentry(struct svc_rqst *rqstp, struct net *net,
 			fhp->fh_no_wcc = true;
 		fhp->fh_64bit_cookies = true;
 		if (exp->ex_flags & NFSEXP_V4ROOT)
-			goto out;
+			goto out_dput;
 		break;
 	case NFS_FHSIZE:
 		fhp->fh_no_wcc = true;
 		if (EX_WGATHER(exp))
 			fhp->fh_use_wgather = true;
 		if (exp->ex_flags & NFSEXP_V4ROOT)
-			goto out;
+			goto out_dput;
 	}
 
 	fhp->fh_dentry = dentry;
 	fhp->fh_export = exp;
 
 	return 0;
+out_dput:
+	dput(dentry);
 out:
 	exp_put(exp);
 	return error;
-- 
2.43.0