From: Greg Kroah-Hartman Date: Fri, 14 Aug 2015 17:29:39 +0000 (-0700) Subject: 4.1-stable patches X-Git-Tag: v3.10.87~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4553ca5f4dcdb255cf019d6ec477abae23d355f3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch nfsd-refactor-nfs4_preprocess_stateid_op.patch
---
diff --git a/queue-4.1/nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch b/queue-4.1/nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch
new file mode 100644
index 00000000000..0990a036ef9
--- /dev/null
+++ b/queue-4.1/nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch
@@ -0,0 +1,74 @@
+From 8fcd461db7c09337b6d2e22d25eb411123f379e3 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Thu, 30 Jul 2015 06:57:46 -0400
+Subject: nfsd: do nfs4_check_fh in nfs4_check_file instead of nfs4_check_olstateid
+
+From: Jeff Layton
+
+commit 8fcd461db7c09337b6d2e22d25eb411123f379e3 upstream.
+
+Currently, preprocess_stateid_op calls nfs4_check_olstateid which
+verifies that the open stateid corresponds to the current filehandle in the
+call by calling nfs4_check_fh.
+
+If the stateid is a NFS4_DELEG_STID however, then no such check is done.
+This could cause incorrect enforcement of permissions, because the
+nfsd_permission() call in nfs4_check_file uses current the current
+filehandle, but any subsequent IO operation will use the file descriptor
+in the stateid.
+
+Move the call to nfs4_check_fh into nfs4_check_file instead so that it
+can be done for all stateid types.
+
+Signed-off-by: Jeff Layton
+[bfields: moved fh check to avoid NULL deref in special stateid case]
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4state.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4397,9 +4397,9 @@ laundromat_main(struct work_struct *laun
+ queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ);
+ }
+
+-static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_ol_stateid *stp)
++static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_stid *stp)
+ {
+- if (!fh_match(&fhp->fh_handle, &stp->st_stid.sc_file->fi_fhandle))
++ if (!fh_match(&fhp->fh_handle, &stp->sc_file->fi_fhandle))
+ return nfserr_bad_stateid;
+ return nfs_ok;
+ }
+@@ -4599,9 +4599,6 @@ nfs4_check_olstateid(struct svc_fh *fhp,
+ {
+ __be32 status;
+
+- status = nfs4_check_fh(fhp, ols);
+- if (status)
+- return status;
+ status = nfsd4_check_openowner_confirmed(ols);
+ if (status)
+ return status;
+@@ -4652,6 +4649,9 @@ nfs4_preprocess_stateid_op(struct net *n
+ status = nfserr_bad_stateid;
+ break;
+ }
++ if (status)
++ goto out;
++ status = nfs4_check_fh(fhp, s);
+
+ if (!status && filpp) {
+ *filpp = nfs4_find_file(s, flags);
+@@ -4761,7 +4761,7 @@ static __be32 nfs4_seqid_op_checks(struc
+ status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
+ if (status)
+ return status;
+- return nfs4_check_fh(current_fh, stp);
++ return nfs4_check_fh(current_fh, &stp->st_stid);
+ }
+
+ /*
diff --git a/queue-4.1/nfsd-refactor-nfs4_preprocess_stateid_op.patch b/queue-4.1/nfsd-refactor-nfs4_preprocess_stateid_op.patch
new file mode 100644
index 00000000000..76c05de0314
--- /dev/null
+++ b/queue-4.1/nfsd-refactor-nfs4_preprocess_stateid_op.patch
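Review bot: The added `status = nfs4_check_fh(fhp, s);` after the switch in nfs4_preprocess_stateid_op (inner hunk at -4652 of the nfs4_check_fh patch) carries no comment, although per the changelog it is the only thing binding a delegation stateid to the current filehandle. Without it the permission check is made against the current filehandle while the I/O uses the file from the stateid, so a later cleanup that folds the check back into the open/lock branch would quietly reopen that gap. I would add a comment above the call, e.g. `/* every stateid type must match the current fh: permissions are checked on the fh, I/O uses the stateid's file */`. nfs4_check_fh now dereferences `stp->sc_file` for all three stateid types; that looks safe because special stateids appear to return before this point, but that return and the rest of the function body lie outside the hunk. The changelog still names nfs4_check_file, which does not appear in these hunks, so a one-line backport note saying where the check lands in 4.1 would help.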
@@ -0,0 +1,156 @@
+From a0649b2d3fffb1cde8745568c767f3a55a3462bc Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Thu, 18 Jun 2015 16:44:59 +0200
+Subject: nfsd: refactor nfs4_preprocess_stateid_op
+
+From: Christoph Hellwig
+
+commit a0649b2d3fffb1cde8745568c767f3a55a3462bc upstream.
+
+Split out two self contained helpers to make the function more readable.
+
+Signed-off-by: Christoph Hellwig
+Signed-off-by: J. Bruce Fields
+Cc: Jeff Layton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/nfs4state.c | 97 +++++++++++++++++++++++++++-------------------------
+ 1 file changed, 52 insertions(+), 45 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4574,20 +4574,51 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ return nfs_ok;
+ }
+
++static struct file *
++nfs4_find_file(struct nfs4_stid *s, int flags)
++{
++ switch (s->sc_type) {
++ case NFS4_DELEG_STID:
++ if (WARN_ON_ONCE(!s->sc_file->fi_deleg_file))
++ return NULL;
++ return get_file(s->sc_file->fi_deleg_file);
++ case NFS4_OPEN_STID:
++ case NFS4_LOCK_STID:
++ if (flags & RD_STATE)
++ return find_readable_file(s->sc_file);
++ else
++ return find_writeable_file(s->sc_file);
++ break;
++ }
++
++ return NULL;
++}
++
++static __be32
++nfs4_check_olstateid(struct svc_fh *fhp, struct nfs4_ol_stateid *ols, int flags)
++{
++ __be32 status;
++
++ status = nfs4_check_fh(fhp, ols);
++ if (status)
++ return status;
++ status = nfsd4_check_openowner_confirmed(ols);
++ if (status)
++ return status;
++ return nfs4_check_openmode(ols, flags);
++}
++
+ /*
+-* Checks for stateid operations
+-*/
++ * Checks for stateid operations
++ */
+ __be32
+ nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate,
+ stateid_t *stateid, int flags, struct file **filpp)
+ {
+- struct nfs4_stid *s;
+- struct nfs4_ol_stateid *stp = NULL;
+- struct nfs4_delegation *dp = NULL;
+- struct svc_fh *current_fh = &cstate->current_fh;
+- struct inode *ino = d_inode(current_fh->fh_dentry);
++ struct svc_fh *fhp = &cstate->current_fh;
++ struct inode *ino = d_inode(fhp->fh_dentry);
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+- struct file *file = NULL;
++ struct nfs4_stid *s;
+ __be32 status;
+
+ if (filpp)
+@@ -4597,60 +4628,36 @@ nfs4_preprocess_stateid_op(struct net *n
+ return nfserr_grace;
+
+ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+- return check_special_stateids(net, current_fh, stateid, flags);
++ return check_special_stateids(net, fhp, stateid, flags);
+
+ status = nfsd4_lookup_stateid(cstate, stateid,
+ NFS4_DELEG_STID|NFS4_OPEN_STID|NFS4_LOCK_STID,
+ &s, nn);
+ if (status)
+ return status;
+- status = check_stateid_generation(stateid, &s->sc_stateid, nfsd4_has_session(cstate));
++ status = check_stateid_generation(stateid, &s->sc_stateid,
++ nfsd4_has_session(cstate));
+ if (status)
+ goto out;
++
+ switch (s->sc_type) {
+ case NFS4_DELEG_STID:
+- dp = delegstateid(s);
+- status = nfs4_check_delegmode(dp, flags);
+- if (status)
+- goto out;
+- if (filpp) {
+- file = dp->dl_stid.sc_file->fi_deleg_file;
+- if (!file) {
+- WARN_ON_ONCE(1);
+- status = nfserr_serverfault;
+- goto out;
+- }
+- get_file(file);
+- }
++ status = nfs4_check_delegmode(delegstateid(s), flags);
+ break;
+ case NFS4_OPEN_STID:
+ case NFS4_LOCK_STID:
+- stp = openlockstateid(s);
+- status = nfs4_check_fh(current_fh, stp);
+- if (status)
+- goto out;
+- status = nfsd4_check_openowner_confirmed(stp);
+- if (status)
+- goto out;
+- status = nfs4_check_openmode(stp, flags);
+- if (status)
+- goto out;
+- if (filpp) {
+- struct nfs4_file *fp = stp->st_stid.sc_file;
+-
+- if (flags & RD_STATE)
+- file = find_readable_file(fp);
+- else
+- file = find_writeable_file(fp);
+- }
++ status = nfs4_check_olstateid(fhp, openlockstateid(s), flags);
+ break;
+ default:
+ status = nfserr_bad_stateid;
+- goto out;
++ break;
++ }
++
++ if (!status && filpp) {
++ *filpp = nfs4_find_file(s, flags);
++ if (!*filpp)
++ status = nfserr_serverfault;
+ }
+- status = nfs_ok;
+- if (file)
+- *filpp = file;
+ out:
+ nfs4_put_stid(s);
+ return status;
diff --git a/queue-4.1/series b/queue-4.1/series
index e033ab47fa8..5c6b6dab172 100644
--- a/queue-4.1/series
+++ b/queue-4.1/series
@@ -80,3 +80,5 @@ signalfd-fix-information-leak-in-signalfd_copyinfo.patch
 signal-fix-information-leak-in-copy_siginfo_to_user.patch
 signal-fix-information-leak-in-copy_siginfo_from_user32.patch
 kvm-x86-fix-kvm_apic_has_events-to-check-for-null-pointer.patch
+nfsd-refactor-nfs4_preprocess_stateid_op.patch
+nfsd-do-nfs4_check_fh-in-nfs4_check_file-instead-of-nfs4_check_olstateid.patch
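Review bot: The rewritten tail of nfs4_preprocess_stateid_op in nfsd-refactor-nfs4_preprocess_stateid_op.patch changes the result for open and lock stateids, although the changelog describes only a split into helpers. The removed code ended with `status = nfs_ok; if (file) *filpp = file;`, so a NULL from find_readable_file() or find_writeable_file() returned success without setting *filpp. The new `if (!*filpp) status = nfserr_serverfault;` turns that case into an error, and does so without the WARN_ON_ONCE that the delegation branch of nfs4_find_file keeps. Failing closed looks like the safer outcome, but it deserves a sentence in the changelog and a comment at the check, e.g. `/* a validated stateid with no usable struct file is a server fault, never a silent NULL */`. The start of the function (the filpp reset and the grace check) falls between the two inner hunks and is not fully visible here.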