nfsd: fix potential UAF in nfsd4_cb_getattr_release

Once we drop the delegation reference, the fields embedded in it are no
longer safe to access. Do that last.

Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 19d39872be325fe840150bba9560cecb5083c2f0..02d43f95146eef128be689cbdcf87846816d5406 100644 (file)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -3078,9 +3078,9 @@ nfsd4_cb_getattr_release(struct nfsd4_callback *cb)
        struct nfs4_delegation *dp =
                        container_of(ncf, struct nfs4_delegation, dl_cb_fattr);
 
-       nfs4_put_stid(&dp->dl_stid);
        clear_bit(CB_GETATTR_BUSY, &ncf->ncf_cb_flags);
        wake_up_bit(&ncf->ncf_cb_flags, CB_GETATTR_BUSY);
+       nfs4_put_stid(&dp->dl_stid);
 }
 
 static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = {