Fix i_mutex vs. readdir handling in nfsd

	int err;

	struct qstr this;

	WARN_ON_ONCE(!mutex_is_locked(&base->d_inode->i_mutex));

	err = __lookup_one_len(name, &this, base, len);

	if (err)

		return ERR_PTR(err);

		goto out;

	status = vfs_readdir(filp, nfsd4_build_namelist, &names);

	fput(filp);

	mutex_lock(&dir->d_inode->i_mutex);

	while (!list_empty(&names)) {

		entry = list_entry(names.next, struct name_list, list);

		dentry = lookup_one_len(entry->name, dir, HEXDIR_LEN-1);

		if (IS_ERR(dentry)) {

			status = PTR_ERR(dentry);

			goto out;

			break;

		}

		status = f(dir, dentry);

		dput(dentry);

		if (status)

			goto out;

			break;

		list_del(&entry->list);

		kfree(entry);

	}

	mutex_unlock(&dir->d_inode->i_mutex);

out:

	while (!list_empty(&names)) {

		entry = list_entry(names.next, struct name_list, list);

	return status;

}

static int

nfsd4_remove_clid_file(struct dentry *dir, struct dentry *dentry)

{

	int status;

	if (!S_ISREG(dir->d_inode->i_mode)) {

		printk("nfsd4: non-file found in client recovery directory\n");

		return -EINVAL;

	}

	mutex_lock_nested(&dir->d_inode->i_mutex, I_MUTEX_PARENT);

	status = vfs_unlink(dir->d_inode, dentry);

	mutex_unlock(&dir->d_inode->i_mutex);

	return status;

}

static int

nfsd4_clear_clid_dir(struct dentry *dir, struct dentry *dentry)

{

	int status;

	/* For now this directory should already be empty, but we empty it of

	 * any regular files anyway, just in case the directory was created by

	 * a kernel from the future.... */

	nfsd4_list_rec_dir(dentry, nfsd4_remove_clid_file);

	mutex_lock_nested(&dir->d_inode->i_mutex, I_MUTEX_PARENT);

	status = vfs_rmdir(dir->d_inode, dentry);

	mutex_unlock(&dir->d_inode->i_mutex);

	return status;

}

static int

nfsd4_unlink_clid_dir(char *name, int namlen)

{

	mutex_lock(&rec_dir.dentry->d_inode->i_mutex);

	dentry = lookup_one_len(name, rec_dir.dentry, namlen);

	mutex_unlock(&rec_dir.dentry->d_inode->i_mutex);

	if (IS_ERR(dentry)) {

		status = PTR_ERR(dentry);

		return status;

		goto out_unlock;

	}

	status = -ENOENT;

	if (!dentry->d_inode)

		goto out;

	status = nfsd4_clear_clid_dir(rec_dir.dentry, dentry);

	status = vfs_rmdir(rec_dir.dentry->d_inode, dentry);

out:

	dput(dentry);

out_unlock:

	mutex_unlock(&rec_dir.dentry->d_inode->i_mutex);

	return status;

}

	if (nfs4_has_reclaimed_state(child->d_name.name, false))

		return 0;

	status = nfsd4_clear_clid_dir(parent, child);

	status = vfs_rmdir(parent->d_inode, child);

	if (status)

		printk("failed to remove client recovery directory %s\n",

				child->d_name.name);

	return 0;

}

static int nfsd_buffered_readdir(struct file *file, filldir_t func,

static __be32 nfsd_buffered_readdir(struct file *file, filldir_t func,

				    struct readdir_cd *cdp, loff_t *offsetp)

{

	struct readdir_data buf;

	buf.dirent = (void *)__get_free_page(GFP_KERNEL);

	if (!buf.dirent)

		return -ENOMEM;

		return nfserrno(-ENOMEM);

	offset = *offsetp;

	while (1) {

		struct inode *dir_inode = file->f_path.dentry->d_inode;

		unsigned int reclen;

		cdp->err = nfserr_eof; /* will be cleared on successful read */

		if (!size)

			break;

		/*

		 * Various filldir functions may end up calling back into

		 * lookup_one_len() and the file system's ->lookup() method.

		 * These expect i_mutex to be held, as it would within readdir.

		 */

		host_err = mutex_lock_killable(&dir_inode->i_mutex);

		if (host_err)

			break;

		de = (struct buffered_dirent *)buf.dirent;

		while (size > 0) {

			offset = de->offset;

			if (func(cdp, de->name, de->namlen, de->offset,

				 de->ino, de->d_type))

				goto done;

				break;

			if (cdp->err != nfs_ok)

				goto done;

				break;

			reclen = ALIGN(sizeof(*de) + de->namlen,

				       sizeof(u64));

			size -= reclen;

			de = (struct buffered_dirent *)((char *)de + reclen);

		}

		mutex_unlock(&dir_inode->i_mutex);

		if (size > 0) /* We bailed out early */

			break;

		offset = vfs_llseek(file, 0, SEEK_CUR);

	}

 done:

	free_page((unsigned long)(buf.dirent));

	if (host_err)