aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@citi.umich.edu>2009-05-05 19:04:29 -0400
committerJ. Bruce Fields <bfields@citi.umich.edu>2009-05-06 16:16:36 -0400
commitb2c0cea6b1cb210e962f07047df602875564069e (patch)
treef6327b45df075955d8ef9e9ad93c453ea5fc7a4c
parentccecee1e5e42981f5eb37f4411e8552b9db04d30 (diff)
nfsd4: check for negative dentry before use in nfsv4 readdir
After 2f9092e1020246168b1309b35e085ecd7ff9ff72 "Fix i_mutex vs. readdir handling in nfsd" (and 14f7dd63 "Copy XFS readdir hack into nfsd code"), an entry may be removed between the first mutex_unlock and the second mutex_lock. In this case, lookup_one_len() will return a negative dentry. Check for this case to avoid a NULL dereference. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Reviewed-by: J. R. Okajima <hooanon05@yahoo.co.jp> Cc: stable@kernel.org
-rw-r--r--fs/nfsd/nfs4xdr.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index b820c311931c..b73549d293be 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2214,6 +2214,15 @@ nfsd4_encode_dirent_fattr(struct nfsd4_readdir *cd,
2214 dentry = lookup_one_len(name, cd->rd_fhp->fh_dentry, namlen); 2214 dentry = lookup_one_len(name, cd->rd_fhp->fh_dentry, namlen);
2215 if (IS_ERR(dentry)) 2215 if (IS_ERR(dentry))
2216 return nfserrno(PTR_ERR(dentry)); 2216 return nfserrno(PTR_ERR(dentry));
2217 if (!dentry->d_inode) {
2218 /*
2219 * nfsd_buffered_readdir drops the i_mutex between
2220 * readdir and calling this callback, leaving a window
2221 * where this directory entry could have gone away.
2222 */
2223 dput(dentry);
2224 return nfserr_noent;
2225 }
2217 2226
2218 exp_get(exp); 2227 exp_get(exp);
2219 /* 2228 /*
@@ -2276,6 +2285,7 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
2276 struct nfsd4_readdir *cd = container_of(ccd, struct nfsd4_readdir, common); 2285 struct nfsd4_readdir *cd = container_of(ccd, struct nfsd4_readdir, common);
2277 int buflen; 2286 int buflen;
2278 __be32 *p = cd->buffer; 2287 __be32 *p = cd->buffer;
2288 __be32 *cookiep;
2279 __be32 nfserr = nfserr_toosmall; 2289 __be32 nfserr = nfserr_toosmall;
2280 2290
2281 /* In nfsv4, "." and ".." never make it onto the wire.. */ 2291 /* In nfsv4, "." and ".." never make it onto the wire.. */
@@ -2292,7 +2302,7 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
2292 goto fail; 2302 goto fail;
2293 2303
2294 *p++ = xdr_one; /* mark entry present */ 2304 *p++ = xdr_one; /* mark entry present */
2295 cd->offset = p; /* remember pointer */ 2305 cookiep = p;
2296 p = xdr_encode_hyper(p, NFS_OFFSET_MAX); /* offset of next entry */ 2306 p = xdr_encode_hyper(p, NFS_OFFSET_MAX); /* offset of next entry */
2297 p = xdr_encode_array(p, name, namlen); /* name length & name */ 2307 p = xdr_encode_array(p, name, namlen); /* name length & name */
2298 2308
@@ -2306,6 +2316,8 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
2306 goto fail; 2316 goto fail;
2307 case nfserr_dropit: 2317 case nfserr_dropit:
2308 goto fail; 2318 goto fail;
2319 case nfserr_noent:
2320 goto skip_entry;
2309 default: 2321 default:
2310 /* 2322 /*
2311 * If the client requested the RDATTR_ERROR attribute, 2323 * If the client requested the RDATTR_ERROR attribute,
@@ -2324,6 +2336,8 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen,
2324 } 2336 }
2325 cd->buflen -= (p - cd->buffer); 2337 cd->buflen -= (p - cd->buffer);
2326 cd->buffer = p; 2338 cd->buffer = p;
2339 cd->offset = cookiep;
2340skip_entry:
2327 cd->common.err = nfs_ok; 2341 cd->common.err = nfs_ok;
2328 return 0; 2342 return 0;
2329fail: 2343fail: