nfsd: do nfs4_check_fh in nfs4_check_file instead of nfs4_check_olstateid

jtlayton · J. Bruce Fields · commit 8fcd461db7c0 · 2015-07-31T16:30:26.000-04:00
Currently, preprocess_stateid_op calls nfs4_check_olstateid which
verifies that the open stateid corresponds to the current filehandle in the
call by calling nfs4_check_fh.

If the stateid is a NFS4_DELEG_STID however, then no such check is done.
This could cause incorrect enforcement of permissions, because the
nfsd_permission() call in nfs4_check_file uses current the current
filehandle, but any subsequent IO operation will use the file descriptor
in the stateid.

Move the call to nfs4_check_fh into nfs4_check_file instead so that it
can be done for all stateid types.

Signed-off-by: Jeff Layton &lt;jeff.layton@primarydata.com&gt;
Cc: stable@vger.kernel.org
[bfields: moved fh check to avoid NULL deref in special stateid case]
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
@@ -4396,9 +4396,9 @@ laundromat_main(struct work_struct *laundry)
 	queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ);
 }
 
-static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_ol_stateid *stp)
+static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_stid *stp)
 {
-	if (!fh_match(&fhp->fh_handle, &stp->st_stid.sc_file->fi_fhandle))
+	if (!fh_match(&fhp->fh_handle, &stp->sc_file->fi_fhandle))
 		return nfserr_bad_stateid;
 	return nfs_ok;
 }
@@ -4601,9 +4601,6 @@ nfs4_check_olstateid(struct svc_fh *fhp, struct nfs4_ol_stateid *ols, int flags)
 {
 	__be32 status;
 
-	status = nfs4_check_fh(fhp, ols);
-	if (status)
-		return status;
 	status = nfsd4_check_openowner_confirmed(ols);
 	if (status)
 		return status;
@@ -4690,6 +4687,9 @@ nfs4_preprocess_stateid_op(struct svc_rqst *rqstp,
 		status = nfserr_bad_stateid;
 		break;
 	}
+	if (status)
+		goto out;
+	status = nfs4_check_fh(fhp, s);
 
 done:
 	if (!status && filpp)
@@ -4798,7 +4798,7 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_
 	status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
 	if (status)
 		return status;
-	return nfs4_check_fh(current_fh, stp);
+	return nfs4_check_fh(current_fh, &stp->st_stid);
 }
 
 /* 

Original file line number	Diff line number	Diff line change
`@@ -4396,9 +4396,9 @@ laundromat_main(struct work_struct *laundry)`
`4396`	`4396`	`queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ);`
`4397`	`4397`	`}`
`4398`	`4398`
`4399`		`-static inline __be32 nfs4_check_fh(struct svc_fh fhp, struct nfs4_ol_stateid stp)`
	`4399`	`+static inline __be32 nfs4_check_fh(struct svc_fh fhp, struct nfs4_stid stp)`
`4400`	`4400`	`{`
`4401`		`- if (!fh_match(&fhp->fh_handle, &stp->st_stid.sc_file->fi_fhandle))`
	`4401`	`+ if (!fh_match(&fhp->fh_handle, &stp->sc_file->fi_fhandle))`
`4402`	`4402`	`return nfserr_bad_stateid;`
`4403`	`4403`	`return nfs_ok;`
`4404`	`4404`	`}`
`@@ -4601,9 +4601,6 @@ nfs4_check_olstateid(struct svc_fh fhp, struct nfs4_ol_stateid ols, int flags)`
`4601`	`4601`	`{`
`4602`	`4602`	`__be32 status;`
`4603`	`4603`
`4604`		`- status = nfs4_check_fh(fhp, ols);`
`4605`		`- if (status)`
`4606`		`- return status;`
`4607`	`4604`	`status = nfsd4_check_openowner_confirmed(ols);`
`4608`	`4605`	`if (status)`
`4609`	`4606`	`return status;`
`@@ -4690,6 +4687,9 @@ nfs4_preprocess_stateid_op(struct svc_rqst *rqstp,`
`4690`	`4687`	`status = nfserr_bad_stateid;`
`4691`	`4688`	`break;`
`4692`	`4689`	`}`
	`4690`	`+ if (status)`
	`4691`	`+ goto out;`
	`4692`	`+ status = nfs4_check_fh(fhp, s);`
`4693`	`4693`
`4694`	`4694`	`done:`
`4695`	`4695`	`if (!status && filpp)`
`@@ -4798,7 +4798,7 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_`
`4798`	`4798`	`status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));`
`4799`	`4799`	`if (status)`
`4800`	`4800`	`return status;`
`4801`		`- return nfs4_check_fh(current_fh, stp);`
	`4801`	`+ return nfs4_check_fh(current_fh, &stp->st_stid);`
`4802`	`4802`	`}`
`4803`	`4803`
`4804`	`4804`	`/*`