Date: Thu, 12 May 2016 07:20:16 -0400 (EDT)
From: Rick Macklem
To: "Conrad E. Meyer"
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r299514 - head/sys/fs/nfsserver

Oh, and I'll MFC it in 2 weeks unless there is an objection, rick

----- Original Message -----
> Author: cem
> Date: Thu May 12 05:03:12 2016
> New Revision: 299514
> URL: https://svnweb.freebsd.org/changeset/base/299514
>
> Log:
>   nfsd: Fix use-after-free in NFS4 lock test service
>
>   Trivial use-after-free where stp was freed too soon in the non-error path.
>   To fix, simply move its release to the end of the routine.
>
>   Reported by: Coverity
>   CID: 1006105
>   Sponsored by: EMC / Isilon Storage Division
>
> Modified:
>   head/sys/fs/nfsserver/nfs_nfsdserv.c
>
> Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c
> ============================================================================== > --- head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 04:54:32 2016 (r299513) > +++ head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 05:03:12 2016 (r299514) 
> @@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > if (!nd->nd_repstat) > nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid, > &stateid, exp, nd, p); > - if (stp) > - FREE((caddr_t)stp, M_NFSDSTATE); > if (nd->nd_repstat) { > if (nd->nd_repstat == NFSERR_DENIED) { > NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED); > @@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > } > } > vput(vp); > + if (stp) > + FREE((caddr_t)stp, M_NFSDSTATE); > NFSEXITCODE2(0, nd); > return (0); > nfsmout: > >
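Review bot: In the first hunk (@@ -2437,8 +2437,6 @@), once the free right after the nfsrv_lockctrl() call is gone, nothing at that spot says that stp has to stay valid through the nd_repstat reply block that follows. nfsrv_lockctrl() is passed &stp, so it can change the pointer, and the `if (stp)` guard implies it may come back NULL. A one-line comment there stating that nfsrvd_lockt() owns stp until the release just before NFSEXITCODE2 would keep a later edit from reintroducing the early free.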
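Review bot: In the second hunk (@@ -2460,6 +2458,8 @@), the relocated `if (stp)` / `FREE((caddr_t)stp, M_NFSDSTATE);` sits only on the `return (0)` path, immediately above the `nfsmout:` label. The lines after the label are not shown, so check that any jump to nfsmout taken once stp has been allocated also releases it; otherwise the fix trades the use-after-free for a leak on that path. If the cleanup after the label does not already cover stp, add the same guarded release there.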