nfsd: Fix another OPEN stateid race
authorTrond Myklebust <trond.myklebust@primarydata.com>
Fri, 3 Nov 2017 12:00:11 +0000 (08:00 -0400)
committerJ. Bruce Fields <bfields@redhat.com>
Mon, 27 Nov 2017 21:45:10 +0000 (16:45 -0500)
commitd8a1a000555ecd1b824ac1ed6df8fe364dfbbbb0
treefe0ba252cdf5aed298444abfbdc989991ec0e84b
parent15ca08d3299682dc49bad73251677b2c5017ef08
nfsd: Fix another OPEN stateid race

If nfsd4_process_open2() is initialising a new stateid, and yet the
call to nfs4_get_vfs_file() fails for some reason, then we must
declare the stateid closed, and unhash it before dropping the mutex.

Right now, we unhash the stateid after dropping the mutex, and without
changing the stateid type, meaning that another OPEN could theoretically
look it up and attempt to use it.

Reported-by: Andrew W Elble <aweits@rit.edu>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
fs/nfsd/nfs4state.c