From nobody Fri Jan 13 00:50:03 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NtN9l6cCjz2shBp;
	Fri, 13 Jan 2023 00:50:03 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NtN9l670gz3hB5;
	Fri, 13 Jan 2023 00:50:03 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1673571003;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=LH4pNJ1v8JYD1lfzkfu0lx6F3CanXJeXOUvFLIxcsc8=;
	b=qeI/Cm10LgUX9K81nCCV7VflW+86z91wVLIl9cfibUDPSmYrTm0MQKwAXL+YzldJ1ORhyT
	R+NOfE11neXAActV6IjOurB1lRzjcKBnwV/cL8ojItWW5jjZcn9n2MwoV8bJ4TP/xkFLjF
	3Oiw7qz0Z1qII4AY1kyyJDyGDaBOJwUHjcM4TnW6mU/XUeKmFXoIsh5/8DhAb+kU5U/UGz
	IkheIUFCnuTyxT91OM+eJasVW2c1T6FecQtIlzYl8pxKCqE9QDoPhT+DgOhJo1Vh4sIUfT
	2RV99J5yuddbmu5gRdqhbx8nMGreg+jHAEQzyheFDOkhmgRxgW6giL89s2wHpg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1673571003;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=LH4pNJ1v8JYD1lfzkfu0lx6F3CanXJeXOUvFLIxcsc8=;
	b=w994XoCHTHnbHmqIqLTZXnFHh+jqWd6sSNNXmdtCtic3yDg3z32UUbgE9KX5aoS9UJPuZf
	S0qYs0HWhNkRa0SP6UkXY9EzeXR/azSS9Qbb+m4DvQKrYEfkwkRmPgXz8AahQBRgWewuRQ
	T4sZXzmgGonyYXT+SHUd7D+XKYtLA2e/T2sy/r1Qj7uAehVTTMR96qgu1SHRlDl3KCKF+e
	O6c6kxLc6HTrwQPCb+Ksusvg4M5GkojhnXOYpwfA/IZ8DzY66huYxcDP+ZAD13X8oul/e8
	xpCp19p8ON6bJ8p7A//TsFNZLcElVnNJnqHdyiM9NUqxOuJ2MhE5FUyRyMTJ6w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1673571003; a=rsa-sha256; cv=none;
	b=EwMd8m4bFnGXTyP9xA8vvlOIFLCz9LCyxybjbXq4Olr4mxn7Bl1B4G3UjONl6r2vjA2mWj
	ZVRHi41WoTSLkMatzgx+o2u2zpbXv/++Io/IMyHfIDKFYBJJaWq6rcj9d+wCqM9zJyDG9K
	zBJRkkcfvY82GzbYhKY18cfH1LV93aniRnDAeht1SpM3dBxUr8M72YH+H5Nm1kxkxjwKMG
	85IYpjKuoJU7hqvvfmp2j3/ZFIgAQ5SmpZ4KQYxuS5K6NGOnOQGTuTrtYw06BMF3W7BaFo
	5q3lrlOTKzG0xXCFA8t0eTc/CzeXQbyKjN/cUKUtQRyr9t1UGLLMLZqVcRkMuw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4NtN9l5Brrzp9x;
	Fri, 13 Jan 2023 00:50:03 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 30D0o313067962;
	Fri, 13 Jan 2023 00:50:03 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 30D0o3xb067957;
	Fri, 13 Jan 2023 00:50:03 GMT
	(envelope-from git)
Date: Fri, 13 Jan 2023 00:50:03 GMT
Message-Id: <202301130050.30D0o3xb067957@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Rick Macklem <rmacklem@FreeBSD.org>
Subject: git: dcfa3ee44da2 - main - nfsserver: Fix vrele() panic in nfsvno_open()
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: dcfa3ee44da2b139f51a8aedb0f55735c6dfe3f3
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=dcfa3ee44da2b139f51a8aedb0f55735c6dfe3f3

commit dcfa3ee44da2b139f51a8aedb0f55735c6dfe3f3
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-01-13 00:45:26 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-01-13 00:48:53 +0000

    nfsserver: Fix vrele() panic in nfsvno_open()
    
    Commit 65127e982b94 removed a check for ni_startdir != NULL.
    This allowed the vrele(ndp->ni_dvp) to be called with
    a NULL argument.
    
    This patch adds a new boolean argument to nfsvno_open()
    that can be checked instead of ni_startdir, since mjg@ requested
    that ni_startdir not be used. (Discussed in PR#268828.)
    
    PR:     268828
    Reviewed by:    mjg
    Differential Revision:  https://reviews.freebsd.org/D38032
---
 sys/fs/nfs/nfs_var.h            |  2 +-
 sys/fs/nfsserver/nfs_nfsdport.c |  4 ++--
 sys/fs/nfsserver/nfs_nfsdserv.c | 13 ++++++++-----
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/sys/fs/nfs/nfs_var.h b/sys/fs/nfs/nfs_var.h
index 6692bc19a725..f8fd2229095f 100644
--- a/sys/fs/nfs/nfs_var.h
+++ b/sys/fs/nfs/nfs_var.h
@@ -719,7 +719,7 @@ int nfsvno_statfs(vnode_t, struct statfs *);
 void nfsvno_getfs(struct nfsfsinfo *, int);
 void nfsvno_open(struct nfsrv_descript *, struct nameidata *, nfsquad_t,
     nfsv4stateid_t *, struct nfsstate *, int *, struct nfsvattr *, int32_t *,
-    int, NFSACL_T *, nfsattrbit_t *, struct ucred *,
+    int, NFSACL_T *, nfsattrbit_t *, struct ucred *, bool,
     struct nfsexstuff *, vnode_t *);
 int nfsvno_updfilerev(vnode_t, struct nfsvattr *, struct nfsrv_descript *,
     NFSPROC_T *);
diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c
index 665e2c00ce08..d02653823857 100644
--- a/sys/fs/nfsserver/nfs_nfsdport.c
+++ b/sys/fs/nfsserver/nfs_nfsdport.c
@@ -1835,7 +1835,7 @@ void
 nfsvno_open(struct nfsrv_descript *nd, struct nameidata *ndp,
     nfsquad_t clientid, nfsv4stateid_t *stateidp, struct nfsstate *stp,
     int *exclusive_flagp, struct nfsvattr *nvap, int32_t *cverf, int create,
-    NFSACL_T *aclp, nfsattrbit_t *attrbitp, struct ucred *cred,
+    NFSACL_T *aclp, nfsattrbit_t *attrbitp, struct ucred *cred, bool done_namei,
     struct nfsexstuff *exp, struct vnode **vpp)
 {
 	struct vnode *vp = NULL;
@@ -1918,7 +1918,7 @@ nfsvno_open(struct nfsrv_descript *nd, struct nameidata *ndp,
 		}
 	} else {
 		nfsvno_relpathbuf(ndp);
-		if (create == NFSV4OPEN_CREATE) {
+		if (done_namei && create == NFSV4OPEN_CREATE) {
 			if (ndp->ni_dvp == ndp->ni_vp)
 				vrele(ndp->ni_dvp);
 			else
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index 709dc84d5d91..0433e9cda656 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -2830,13 +2830,14 @@ nfsrvd_open(struct nfsrv_descript *nd, __unused int isdgram,
 	u_long *hashp;
 	NFSACL_T *aclp = NULL;
 	struct thread *p = curthread;
+	bool done_namei;
 
 #ifdef NFS4_ACL_EXTATTR_NAME
 	aclp = acl_alloc(M_WAITOK);
 	aclp->acl_cnt = 0;
 #endif
 	NFSZERO_ATTRBIT(&attrbits);
-	named.ni_startdir = NULL;
+	done_namei = false;
 	named.ni_cnd.cn_nameiop = 0;
 	NFSM_DISSECT(tl, u_int32_t *, 6 * NFSX_UNSIGNED);
 	i = fxdr_unsigned(int, *(tl + 5));
@@ -3042,6 +3043,7 @@ nfsrvd_open(struct nfsrv_descript *nd, __unused int isdgram,
 		if (!nd->nd_repstat) {
 			nd->nd_repstat = nfsvno_namei(nd, &named, dp, 0, exp,
 			    &dirp);
+			done_namei = true;
 		} else {
 			vrele(dp);
 			nfsvno_relpathbuf(&named);
@@ -3049,7 +3051,7 @@ nfsrvd_open(struct nfsrv_descript *nd, __unused int isdgram,
 		if (create == NFSV4OPEN_CREATE) {
 		    switch (how) {
 		    case NFSCREATE_UNCHECKED:
-			if (named.ni_vp) {
+			if (done_namei && named.ni_vp != NULL) {
 				/*
 				 * Clear the setable attribute bits, except
 				 * for Size, if it is being truncated.
@@ -3061,12 +3063,13 @@ nfsrvd_open(struct nfsrv_descript *nd, __unused int isdgram,
 			}
 			break;
 		    case NFSCREATE_GUARDED:
-			if (named.ni_vp && !nd->nd_repstat)
+			if (done_namei && named.ni_vp != NULL &&
+			    nd->nd_repstat == 0)
 				nd->nd_repstat = EEXIST;
 			break;
 		    case NFSCREATE_EXCLUSIVE:
 			exclusive_flag = 1;
-			if (!named.ni_vp)
+			if (done_namei && named.ni_vp == NULL)
 				nva.na_mode = 0;
 			break;
 		    case NFSCREATE_EXCLUSIVE41:
@@ -3076,7 +3079,7 @@ nfsrvd_open(struct nfsrv_descript *nd, __unused int isdgram,
 		}
 		nfsvno_open(nd, &named, clientid, &stateid, stp,
 		    &exclusive_flag, &nva, cverf, create, aclp, &attrbits,
-		    nd->nd_cred, exp, &vp);
+		    nd->nd_cred, done_namei, exp, &vp);
 	} else if (claim == NFSV4OPEN_CLAIMPREVIOUS || claim ==
 	    NFSV4OPEN_CLAIMFH || claim == NFSV4OPEN_CLAIMDELEGATECURFH ||
 	    claim == NFSV4OPEN_CLAIMDELEGATEPREVFH) {