nfsd: fh_update should error out in unexpected cases

The reporter saw a NULL dereference when a filesystem's ->mknod returned
success but left the dentry negative, and then nfsd tried to dereference
d_inode (in this case because the CREATE was followed by a GETATTR in
the same nfsv4 compound).

fh_update already checks for this and another broken case, but for some
reason it returns success and leaves nfsd trying to soldier on.  If it
failed we'd avoid the crash.  There's only so much we can do with a
buggy filesystem, but it's easy enough to bail out here, so let's do
that.

Reported-by: Antti Tönkyrä <daedalus@pingtimeout.net>
Tested-by: Antti Tönkyrä <daedalus@pingtimeout.net>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 3d0e15ae6f726311ef82b337e66bea91a26792e4..3c37b160dcad22c6db5dc469f52ff0b2b2f68f00 100644 (file)
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -598,22 +598,20 @@ fh_update(struct svc_fh *fhp)
                _fh_update_old(dentry, fhp->fh_export, &fhp->fh_handle);
        } else {
                if (fhp->fh_handle.fh_fileid_type != FILEID_ROOT)
-                       goto out;
+                       return 0;
 
                _fh_update(fhp, fhp->fh_export, dentry);
                if (fhp->fh_handle.fh_fileid_type == FILEID_INVALID)
                        return nfserr_opnotsupp;
        }
-out:
        return 0;
-
 out_bad:
        printk(KERN_ERR "fh_update: fh not verified!\n");
-       goto out;
+       return nfserr_serverfault;
 out_negative:
        printk(KERN_ERR "fh_update: %pd2 still negative!\n",
                dentry);
-       goto out;
+       return nfserr_serverfault;
 }
 
 /*