Date: Thu, 12 May 2016 07:18:44 -0400 (EDT)
From: Rick Macklem
To: "Conrad E. Meyer"
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r299514 - head/sys/fs/nfsserver

Thanks for spotting/fixing this, rick

----- Original Message -----
> Author: cem
> Date: Thu May 12 05:03:12 2016
> New Revision: 299514
> URL: https://svnweb.freebsd.org/changeset/base/299514
>
> Log:
>   nfsd: Fix use-after-free in NFS4 lock test service
>
>   Trivial use-after-free where stp was freed too soon in the non-error path.
>   To fix, simply move its release to the end of the routine.
>
>   Reported by: Coverity
>   CID: 1006105
>   Sponsored by: EMC / Isilon Storage Division
>
> Modified:
>   head/sys/fs/nfsserver/nfs_nfsdserv.c
>
> Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c
> ==============================================================================
> --- head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 04:54:32 2016 (r299513) > +++ head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 05:03:12 2016 (r299514)
> @@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > if (!nd->nd_repstat) > nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid, > &stateid, exp, nd, p); > - if (stp) > - FREE((caddr_t)stp, M_NFSDSTATE); > if (nd->nd_repstat) { > if (nd->nd_repstat == NFSERR_DENIED) { > NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED); > @@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd, > } > } > vput(vp); > + if (stp) > + FREE((caddr_t)stp, M_NFSDSTATE); > NFSEXITCODE2(0, nd); > return (0); > nfsmout: > >
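
Review bot: In the second hunk the relocated `if (stp) FREE((caddr_t)stp, M_NFSDSTATE);` runs only on the `return (0)` path, because it sits after `vput(vp)` and above the `nfsmout:` label. Any jump to `nfsmout` taken once stp has been allocated bypasses this free, so please confirm that the code under `nfsmout:` (not shown in this hunk) also releases stp; otherwise the fix trades the use-after-free for a leak on that path. Folding both exits into a single cleanup block that does the `vput(vp)` and the free once would make it harder to reintroduce either bug. A one-line comment at the new free location saying that stp must stay valid until the reply has been built would also keep a later cleanup from moving it back up next to the `nfsrv_lockctrl()` call.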