4.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Aug 2015 17:29:39 +0000 (10:29 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Aug 2015 17:29:39 +0000 (10:29 -0700)
added patches:
nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch
nfsd-refactor-nfs4_preprocess_stateid_op.patch

queue-4.1/nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch [new file with mode: 0644]
queue-4.1/nfsd-refactor-nfs4_preprocess_stateid_op.patch [new file with mode: 0644]
queue-4.1/series

diff --git a/queue-4.1/nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch b/queue-4.1/nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch
new file mode 100644 (file)
index 0000000..0990a03
--- /dev/null
@@ -0,0 +1,74 @@
+From 8fcd461db7c09337b6d2e22d25eb411123f379e3 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@poochiereds.net>
+Date: Thu, 30 Jul 2015 06:57:46 -0400
+Subject: nfsd: do nfs4_check_fh in nfs4_check_file instead of nfs4_check_olstateid
+
+From: Jeff Layton <jlayton@poochiereds.net>
+
+commit 8fcd461db7c09337b6d2e22d25eb411123f379e3 upstream.
+
+Currently, preprocess_stateid_op calls nfs4_check_olstateid which
+verifies that the open stateid corresponds to the current filehandle in the
+call by calling nfs4_check_fh.
+
+If the stateid is a NFS4_DELEG_STID however, then no such check is done.
+This could cause incorrect enforcement of permissions, because the
+nfsd_permission() call in nfs4_check_file uses current the current
+filehandle, but any subsequent IO operation will use the file descriptor
+in the stateid.
+
+Move the call to nfs4_check_fh into nfs4_check_file instead so that it
+can be done for all stateid types.
+
+Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
+[bfields: moved fh check to avoid NULL deref in special stateid case]
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4397,9 +4397,9 @@ laundromat_main(struct work_struct *laun
+       queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ);
+ }
+-static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_ol_stateid *stp)
++static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_stid *stp)
+ {
+-      if (!fh_match(&fhp->fh_handle, &stp->st_stid.sc_file->fi_fhandle))
++      if (!fh_match(&fhp->fh_handle, &stp->sc_file->fi_fhandle))
+               return nfserr_bad_stateid;
+       return nfs_ok;
+ }
+@@ -4599,9 +4599,6 @@ nfs4_check_olstateid(struct svc_fh *fhp,
+ {
+       __be32 status;
+-      status = nfs4_check_fh(fhp, ols);
+-      if (status)
+-              return status;
+       status = nfsd4_check_openowner_confirmed(ols);
+       if (status)
+               return status;
+@@ -4652,6 +4649,9 @@ nfs4_preprocess_stateid_op(struct net *n
+               status = nfserr_bad_stateid;
+               break;
+       }
++      if (status)
++              goto out;
++      status = nfs4_check_fh(fhp, s);
+       if (!status && filpp) {
+               *filpp = nfs4_find_file(s, flags);
+@@ -4761,7 +4761,7 @@ static __be32 nfs4_seqid_op_checks(struc
+       status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
+       if (status)
+               return status;
+-      return nfs4_check_fh(current_fh, stp);
++      return nfs4_check_fh(current_fh, &stp->st_stid);
+ }
+ /* 
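Review bot: The generalized `nfs4_check_fh()` now dereferences `stp->sc_file` for any `struct nfs4_stid`, and nothing at the helper states the precondition that makes this safe. In the `nfs4_preprocess_stateid_op` hunk the call is reached only after the `if (status) goto out;` guard, and the bracketed bfields line says it was placed to avoid a NULL deref with special stateids. A comment on the helper would pin that for future callers, for example `/* stp->sc_file must be non-NULL; never call this for the special (zero/one) stateids */`. For open and lock stateids the filehandle match now runs after `nfsd4_check_openowner_confirmed()` and the open-mode check, so a stateid presented with the wrong filehandle can fail with one of those errors instead of `nfserr_bad_stateid`. The subject and changelog name `nfs4_check_file`, while the hunks put the call in `nfs4_preprocess_stateid_op`, so this looks like an adapted backport and a one-line note in the patch header would help anyone comparing it with upstream; the function bodies start and end outside the inner hunks.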
diff --git a/queue-4.1/nfsd-refactor-nfs4_preprocess_stateid_op.patch b/queue-4.1/nfsd-refactor-nfs4_preprocess_stateid_op.patch
new file mode 100644 (file)
index 0000000..76c05de
--- /dev/null
@@ -0,0 +1,156 @@
+From a0649b2d3fffb1cde8745568c767f3a55a3462bc Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 18 Jun 2015 16:44:59 +0200
+Subject: nfsd: refactor nfs4_preprocess_stateid_op
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit a0649b2d3fffb1cde8745568c767f3a55a3462bc upstream.
+
+Split out two self contained helpers to make the function more readable.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Cc: Jeff Layton <jlayton@poochiereds.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c |   97 +++++++++++++++++++++++++++-------------------------
+ 1 file changed, 52 insertions(+), 45 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4574,20 +4574,51 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+       return nfs_ok;
+ }
++static struct file *
++nfs4_find_file(struct nfs4_stid *s, int flags)
++{
++      switch (s->sc_type) {
++      case NFS4_DELEG_STID:
++              if (WARN_ON_ONCE(!s->sc_file->fi_deleg_file))
++                      return NULL;
++              return get_file(s->sc_file->fi_deleg_file);
++      case NFS4_OPEN_STID:
++      case NFS4_LOCK_STID:
++              if (flags & RD_STATE)
++                      return find_readable_file(s->sc_file);
++              else
++                      return find_writeable_file(s->sc_file);
++              break;
++      }
++
++      return NULL;
++}
++
++static __be32
++nfs4_check_olstateid(struct svc_fh *fhp, struct nfs4_ol_stateid *ols, int flags)
++{
++      __be32 status;
++
++      status = nfs4_check_fh(fhp, ols);
++      if (status)
++              return status;
++      status = nfsd4_check_openowner_confirmed(ols);
++      if (status)
++              return status;
++      return nfs4_check_openmode(ols, flags);
++}
++
+ /*
+-* Checks for stateid operations
+-*/
++ * Checks for stateid operations
++ */
+ __be32
+ nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate,
+                          stateid_t *stateid, int flags, struct file **filpp)
+ {
+-      struct nfs4_stid *s;
+-      struct nfs4_ol_stateid *stp = NULL;
+-      struct nfs4_delegation *dp = NULL;
+-      struct svc_fh *current_fh = &cstate->current_fh;
+-      struct inode *ino = d_inode(current_fh->fh_dentry);
++      struct svc_fh *fhp = &cstate->current_fh;
++      struct inode *ino = d_inode(fhp->fh_dentry);
+       struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+-      struct file *file = NULL;
++      struct nfs4_stid *s;
+       __be32 status;
+       if (filpp)
+@@ -4597,60 +4628,36 @@ nfs4_preprocess_stateid_op(struct net *n
+               return nfserr_grace;
+       if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+-              return check_special_stateids(net, current_fh, stateid, flags);
++              return check_special_stateids(net, fhp, stateid, flags);
+       status = nfsd4_lookup_stateid(cstate, stateid,
+                               NFS4_DELEG_STID|NFS4_OPEN_STID|NFS4_LOCK_STID,
+                               &s, nn);
+       if (status)
+               return status;
+-      status = check_stateid_generation(stateid, &s->sc_stateid, nfsd4_has_session(cstate));
++      status = check_stateid_generation(stateid, &s->sc_stateid,
++                      nfsd4_has_session(cstate));
+       if (status)
+               goto out;
++
+       switch (s->sc_type) {
+       case NFS4_DELEG_STID:
+-              dp = delegstateid(s);
+-              status = nfs4_check_delegmode(dp, flags);
+-              if (status)
+-                      goto out;
+-              if (filpp) {
+-                      file = dp->dl_stid.sc_file->fi_deleg_file;
+-                      if (!file) {
+-                              WARN_ON_ONCE(1);
+-                              status = nfserr_serverfault;
+-                              goto out;
+-                      }
+-                      get_file(file);
+-              }
++              status = nfs4_check_delegmode(delegstateid(s), flags);
+               break;
+       case NFS4_OPEN_STID:
+       case NFS4_LOCK_STID:
+-              stp = openlockstateid(s);
+-              status = nfs4_check_fh(current_fh, stp);
+-              if (status)
+-                      goto out;
+-              status = nfsd4_check_openowner_confirmed(stp);
+-              if (status)
+-                      goto out;
+-              status = nfs4_check_openmode(stp, flags);
+-              if (status)
+-                      goto out;
+-              if (filpp) {
+-                      struct nfs4_file *fp = stp->st_stid.sc_file;
+-
+-                      if (flags & RD_STATE)
+-                              file = find_readable_file(fp);
+-                      else
+-                              file = find_writeable_file(fp);
+-              }
++              status = nfs4_check_olstateid(fhp, openlockstateid(s), flags);
+               break;
+       default:
+               status = nfserr_bad_stateid;
+-              goto out;
++              break;
++      }
++
++      if (!status && filpp) {
++              *filpp = nfs4_find_file(s, flags);
++              if (!*filpp)
++                      status = nfserr_serverfault;
+       }
+-      status = nfs_ok;
+-      if (file)
+-              *filpp = file;
+ out:
+       nfs4_put_stid(s);
+       return status;
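Review bot: The new tail of `nfs4_preprocess_stateid_op` maps every NULL result from `nfs4_find_file()` to `nfserr_serverfault`, which the removed code did only for a missing `fi_deleg_file`. For open and lock stateids the old code kept `status = nfs_ok` and simply did not assign `*filpp` if `find_readable_file()` or `find_writeable_file()` returned NULL. The changelog describes this patch as a readability split, so the outcome change deserves a line there or a comment on the helper, for example `/* returns NULL when no usable struct file exists; the caller turns that into nfserr_serverfault */`. Only the delegation branch has a `WARN_ON_ONCE`, so the open/lock failure would leave no trace in the log. The `break;` after the if/else returns in `nfs4_find_file()` is unreachable and can be dropped.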
index e033ab47fa8d0af7bc0744aa8100325e9c0fcf53..5c6b6dab172c2ce6ecd6b61f7cff9c447e07df3f 100644 (file)
@@ -80,3 +80,5 @@ signalfd-fix-information-leak-in-signalfd_copyinfo.patch
 signal-fix-information-leak-in-copy_siginfo_to_user.patch
 signal-fix-information-leak-in-copy_siginfo_from_user32.patch
 kvm-x86-fix-kvm_apic_has_events-to-check-for-null-pointer.patch
+nfsd-refactor-nfs4_preprocess_stateid_op.patch
+nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch