NFS: Beware when dereferencing the delegation cred (fc51b1cf) · Commits · 戴 / test

fs/nfs/delegation.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -1243,8 +1243,10 @@ restart_locked:
		inode = nfs_delegation_grab_inode(delegation);
		if (inode == NULL)
		goto restart_locked;
		spin_lock(&delegation->lock);
		cred = get_cred_rcu(delegation->cred);
		nfs4_stateid_copy(&stateid, &delegation->stateid);
		spin_unlock(&delegation->lock);
		clear_bit(NFS_DELEGATION_TEST_EXPIRED, &delegation->flags);
		rcu_read_unlock();
		nfs_delegation_test_free_expired(inode, &stateid, cred);
		@@ -1363,11 +1365,14 @@ bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags,
		{
		struct nfs_inode *nfsi = NFS_I(inode);
		struct nfs_delegation *delegation;
		bool ret;
		bool ret = false;

		flags &= FMODE_READ\|FMODE_WRITE;
		rcu_read_lock();
		delegation = rcu_dereference(nfsi->delegation);
		if (!delegation)
		goto out;
		spin_lock(&delegation->lock);
		ret = nfs4_is_valid_delegation(delegation, flags);
		if (ret) {
		nfs4_stateid_copy(dst, &delegation->stateid);
		@@ -1375,6 +1380,8 @@ bool nfs4_copy_delegation_stateid(struct inode *inode, fmode_t flags,
		if (cred)
		*cred = get_cred(delegation->cred);
		}
		spin_unlock(&delegation->lock);
		out:
		rcu_read_unlock();
		return ret;
		}

+3 −0

Original line number	Diff line number	Diff line
		@@ -2790,16 +2790,19 @@ static int nfs41_check_delegation_stateid(struct nfs4_state *state)
		return NFS_OK;
		}

		spin_lock(&delegation->lock);
		nfs4_stateid_copy(&stateid, &delegation->stateid);

		if (!test_and_clear_bit(NFS_DELEGATION_TEST_EXPIRED,
		&delegation->flags)) {
		spin_unlock(&delegation->lock);
		rcu_read_unlock();
		return NFS_OK;
		}

		if (delegation->cred)
		cred = get_cred(delegation->cred);
		spin_unlock(&delegation->lock);
		rcu_read_unlock();
		status = nfs41_test_and_free_expired_stateid(server, &stateid, cred);
		trace_nfs4_test_delegation_stateid(state, NULL, status);