Merge tag 'nfs-for-3.18-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs

Pull NFS client bugfixes from Trond Myklebust:
 "Highlights include:

   - stable patches to fix NFSv4.x delegation reclaim error paths
   - fix a bug whereby we were advertising NFSv4.1 but using NFSv4.2
     features
   - fix a use-after-free problem with pNFS block layouts
   - fix a memory leak in the pNFS files O_DIRECT code
   - replace an intrusive and Oops-prone performance fix in the NFSv4
     atomic open code with a safer one-line version and revert the two
     original patches"

* tag 'nfs-for-3.18-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
  sunrpc: fix sleeping under rcu_read_lock in gss_stringify_acceptor
  NFS: Don't try to reclaim delegation open state if recovery failed
  NFSv4: Ensure that we call FREE_STATEID when NFSv4.x stateids are revoked
  NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return
  NFSv4.1: nfs41_clear_delegation_stateid shouldn't trust NFS_DELEGATED_STATE
  NFSv4: Ensure that we remove NFSv4.0 delegations when state has expired
  NFS: SEEK is an NFS v4.2 feature
  nfs: Fix use of uninitialized variable in nfs_getattr()
  nfs: Remove bogus assignment
  nfs: remove spurious WARN_ON_ONCE in write path
  pnfs/blocklayout: serialize GETDEVICEINFO calls
  nfs: fix pnfs direct write memory leak
  Revert "NFS: nfs4_do_open should add negative results to the dcache."
  Revert "NFS: remove BUG possibility in nfs4_open_and_get_state"
  NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT

1 files changed, 30 insertions, 5 deletions

diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index afb292cd797d..53ed8d3f8897 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1353,6 +1353,7 @@ gss_stringify_acceptor(struct rpc_cred *cred)
         char *string = NULL;
         struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
         struct gss_cl_ctx *ctx;
+        unsigned int len;
         struct xdr_netobj *acceptor;
 
         rcu_read_lock();
@@ -1360,15 +1361,39 @@ gss_stringify_acceptor(struct rpc_cred *cred)
         if (!ctx)
                 goto out;
 
-        acceptor = &ctx->gc_acceptor;
+        len = ctx->gc_acceptor.len;
+        rcu_read_unlock();
 
         /* no point if there's no string */
-        if (!acceptor->len)
-                goto out;
-
-        string = kmalloc(acceptor->len + 1, GFP_KERNEL);
+        if (!len)
+                return NULL;
+realloc:
+        string = kmalloc(len + 1, GFP_KERNEL);
         if (!string)
+                return NULL;
+
+        rcu_read_lock();
+        ctx = rcu_dereference(gss_cred->gc_ctx);
+
+        /* did the ctx disappear or was it replaced by one with no acceptor? */
+        if (!ctx || !ctx->gc_acceptor.len) {
+                kfree(string);
+                string = NULL;
                 goto out;
+        }
+
+        acceptor = &ctx->gc_acceptor;
+
+        /*
+         * Did we find a new acceptor that's longer than the original? Allocate
+         * a longer buffer and try again.
+         */
+        if (len < acceptor->len) {
+                len = acceptor->len;
+                rcu_read_unlock();
+                kfree(string);
+                goto realloc;
+        }
 
         memcpy(string, acceptor->data, acceptor->len);
         string[acceptor->len] = '\0';