Commit 1ccdd6c6 authored by Jeff Layton's avatar Jeff Layton Committed by Greg Kroah-Hartman

nfsd: do nfs4_check_fh in nfs4_check_file instead of nfs4_check_olstateid

commit 8fcd461d upstream.

Currently, preprocess_stateid_op calls nfs4_check_olstateid which
verifies that the open stateid corresponds to the current filehandle in the
call by calling nfs4_check_fh.

If the stateid is a NFS4_DELEG_STID however, then no such check is done.
This could cause incorrect enforcement of permissions, because the
nfsd_permission() call in nfs4_check_file uses the current
filehandle, but any subsequent IO operation will use the file descriptor
in the stateid.

Move the call to nfs4_check_fh into nfs4_check_file instead so that it
can be done for all stateid types.
Signed-off-by: default avatarJeff Layton <jeff.layton@primarydata.com>
[bfields: moved fh check to avoid NULL deref in special stateid case]
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 3b5c2aed
...@@ -4397,9 +4397,9 @@ laundromat_main(struct work_struct *laundry) ...@@ -4397,9 +4397,9 @@ laundromat_main(struct work_struct *laundry)
queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ); queue_delayed_work(laundry_wq, &nn->laundromat_work, t*HZ);
} }
static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_ol_stateid *stp) static inline __be32 nfs4_check_fh(struct svc_fh *fhp, struct nfs4_stid *stp)
{ {
if (!fh_match(&fhp->fh_handle, &stp->st_stid.sc_file->fi_fhandle)) if (!fh_match(&fhp->fh_handle, &stp->sc_file->fi_fhandle))
return nfserr_bad_stateid; return nfserr_bad_stateid;
return nfs_ok; return nfs_ok;
} }
...@@ -4599,9 +4599,6 @@ nfs4_check_olstateid(struct svc_fh *fhp, struct nfs4_ol_stateid *ols, int flags) ...@@ -4599,9 +4599,6 @@ nfs4_check_olstateid(struct svc_fh *fhp, struct nfs4_ol_stateid *ols, int flags)
{ {
__be32 status; __be32 status;
status = nfs4_check_fh(fhp, ols);
if (status)
return status;
status = nfsd4_check_openowner_confirmed(ols); status = nfsd4_check_openowner_confirmed(ols);
if (status) if (status)
return status; return status;
...@@ -4652,6 +4649,9 @@ nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate, ...@@ -4652,6 +4649,9 @@ nfs4_preprocess_stateid_op(struct net *net, struct nfsd4_compound_state *cstate,
status = nfserr_bad_stateid; status = nfserr_bad_stateid;
break; break;
} }
if (status)
goto out;
status = nfs4_check_fh(fhp, s);
if (!status && filpp) { if (!status && filpp) {
*filpp = nfs4_find_file(s, flags); *filpp = nfs4_find_file(s, flags);
...@@ -4761,7 +4761,7 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_ ...@@ -4761,7 +4761,7 @@ static __be32 nfs4_seqid_op_checks(struct nfsd4_compound_state *cstate, stateid_
status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate)); status = check_stateid_generation(stateid, &stp->st_stid.sc_stateid, nfsd4_has_session(cstate));
if (status) if (status)
return status; return status;
return nfs4_check_fh(current_fh, stp); return nfs4_check_fh(current_fh, &stp->st_stid);
} }
/* /*
......
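Review bot: nfs4_check_fh now takes a struct nfs4_stid and dereferences stp->sc_file unconditionally, so its safety rests on the `if (status) goto out;` added just before the new call in nfs4_preprocess_stateid_op, which keeps stateids the switch rejected (the default nfserr_bad_stateid case) away from it; the bfields trailer says the placement was chosen to avoid a NULL dereference in the special-stateid case. That ordering is load-bearing but undocumented — I would put `/* Caller must already have validated stp->sc_type: sc_file is dereferenced unconditionally. */` above the helper and `/* Done for every stateid type, including delegations, so nfsd_permission() and the later I/O see the same file. */` at the new call site. nfs4_check_olstateid no longer performs the filehandle check, so any other caller of it (none is visible in these hunks) would silently lose that check; a one-line note on that function saying the fh check moved to nfs4_preprocess_stateid_op would guard against a future regression. nfs4_preprocess_stateid_op begins and ends outside the hunk.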