[1/1] NFSv4.2 fix problems with __nfs42_ssc_open

Commit Message

Olga Kornievskaia Aug. 18, 2022, 7:07 p.m. UTC

From: Olga Kornievskaia <kolga@netapp.com>

A destination server while doing a COPY shouldn't accept using the
passed in filehandle if its not a regular filehandle.

If alloc_file_pseudo() has failed, we need to decrement a reference
on the newly created inode, otherwise it leaks.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Fixes: ec4b092508982 ("NFS: inter ssc open")
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
---
 fs/nfs/nfs4file.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Al Viro Aug. 18, 2022, 7:10 p.m. UTC | #1

On Thu, Aug 18, 2022 at 03:07:05PM -0400, Olga Kornievskaia wrote:
> From: Olga Kornievskaia <kolga@netapp.com>
> 
> A destination server while doing a COPY shouldn't accept using the
> passed in filehandle if its not a regular filehandle.
> 
> If alloc_file_pseudo() has failed, we need to decrement a reference
> on the newly created inode, otherwise it leaks.
> 
> Reported-by: Al Viro <viro@zeniv.linux.org.uk>
> Fixes: ec4b092508982 ("NFS: inter ssc open")
> Signed-off-by: Olga Kornievskaia <kolga@netapp.com>

Looks sane from the VFS interactions POV...

Patch

diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
index e88f6b18445e..9eb181287879 100644
--- a/fs/nfs/nfs4file.c
+++ b/fs/nfs/nfs4file.c
@@ -340,6 +340,11 @@  static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt,
 		goto out;
 	}
 
+	if (!S_ISREG(fattr->mode)) {
+		res = ERR_PTR(-EBADF);
+		goto out;
+	}
+
 	res = ERR_PTR(-ENOMEM);
 	len = strlen(SSC_READ_NAME_BODY) + 16;
 	read_name = kzalloc(len, GFP_KERNEL);
@@ -357,6 +362,7 @@  static struct file *__nfs42_ssc_open(struct vfsmount *ss_mnt,
 				     r_ino->i_fop);
 	if (IS_ERR(filep)) {
 		res = ERR_CAST(filep);
+		iput(r_ino);
 		goto out_free_name;
 	}