Skip to content

Commit fc51b1c

Browse files
author
Trond Myklebust
committed
NFS: Beware when dereferencing the delegation cred
When we look up the delegation cred, we are usually doing so in conjunction with a read of the stateid, and we want to ensure that the look up is atomic with that read. Fixes: 57f188e ("NFSv4: nfs_update_inplace_delegation() should update delegation cred") [[email protected]: Fixed up borken Fixes: line from Trond :-)] Signed-off-by: Trond Myklebust <[email protected]>
1 parent f30a6ea commit fc51b1c

File tree

2 files changed

+11
-1
lines changed

2 files changed

+11
-1
lines changed

fs/nfs/delegation.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1243,8 +1243,10 @@ static int nfs_server_reap_expired_delegations(struct nfs_server *server,
12431243
inode = nfs_delegation_grab_inode(delegation);
12441244
if (inode == NULL)
12451245
goto restart_locked;
1246+
spin_lock(&delegation->lock);
12461247
cred = get_cred_rcu(delegation->cred);
12471248
nfs4_stateid_copy(&stateid, &delegation->stateid);
1249+
spin_unlock(&delegation->lock);
12481250
clear_bit(NFS_DELEGATION_TEST_EXPIRED, &delegation->flags);
12491251
rcu_read_unlock();
12501252
nfs_delegation_test_free_expired(inode, &stateid, cred);
@@ -1363,18 +1365,23 @@ bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags,
13631365
{
13641366
struct nfs_inode *nfsi = NFS_I(inode);
13651367
struct nfs_delegation *delegation;
1366-
bool ret;
1368+
bool ret = false;
13671369

13681370
flags &= FMODE_READ|FMODE_WRITE;
13691371
rcu_read_lock();
13701372
delegation = rcu_dereference(nfsi->delegation);
1373+
if (!delegation)
1374+
goto out;
1375+
spin_lock(&delegation->lock);
13711376
ret = nfs4_is_valid_delegation(delegation, flags);
13721377
if (ret) {
13731378
nfs4_stateid_copy(dst, &delegation->stateid);
13741379
nfs_mark_delegation_referenced(delegation);
13751380
if (cred)
13761381
*cred = get_cred(delegation->cred);
13771382
}
1383+
spin_unlock(&delegation->lock);
1384+
out:
13781385
rcu_read_unlock();
13791386
return ret;
13801387
}

fs/nfs/nfs4proc.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2790,16 +2790,19 @@ static int nfs41_check_delegation_stateid(struct nfs4_state *state)
27902790
return NFS_OK;
27912791
}
27922792

2793+
spin_lock(&delegation->lock);
27932794
nfs4_stateid_copy(&stateid, &delegation->stateid);
27942795

27952796
if (!test_and_clear_bit(NFS_DELEGATION_TEST_EXPIRED,
27962797
&delegation->flags)) {
2798+
spin_unlock(&delegation->lock);
27972799
rcu_read_unlock();
27982800
return NFS_OK;
27992801
}
28002802

28012803
if (delegation->cred)
28022804
cred = get_cred(delegation->cred);
2805+
spin_unlock(&delegation->lock);
28032806
rcu_read_unlock();
28042807
status = nfs41_test_and_free_expired_stateid(server, &stateid, cred);
28052808
trace_nfs4_test_delegation_stateid(state, NULL, status);

0 commit comments

Comments
 (0)