[PATCH 07/19] nfsd: add filehandle match check to nfsd4_delegreturn()

Next message: Jeff Layton: "[PATCH 11/19] nfsd: fix FL_SLEEP being set unconditionally for all LOCK types"
Previous message: Jeff Layton: "[PATCH 01/19] nfs/localio: fix nfsd_file ref leak on nfs_local_doio() init failure"
In reply to: Jeff Layton: "Re: [PATCH 01/19] nfs/localio: fix nfsd_file ref leak on nfs_local_doio() init failure"
Next in thread: Jeff Layton: "[PATCH 11/19] nfsd: fix FL_SLEEP being set unconditionally for all LOCK types"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jeff Layton

Date: Tue Jun 09 2026 - 13:56:18 EST

nfsd4_delegreturn() is the only stateful NFSv4 operation that does
not call nfs4_check_fh() to verify the delegation's file matches
cstate->current_fh. A client can DELEGRETURN with a mismatched
filehandle, destroying the correct delegation but waking the wrong
inode's waiters.

Add the missing nfs4_check_fh() call after the generation check.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
fs/nfsd/nfs4state.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index c88637406773..19aab4c52548 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -8079,6 +8079,10 @@ nfsd4_delegreturn(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
if (status)
goto put_stateid;

+ status = nfs4_check_fh(&cstate->current_fh, &dp->dl_stid);
+ if (status)
+ goto put_stateid;
+
trace_nfsd_deleg_return(stateid);
destroy_delegation(dp);
smp_mb__after_atomic();

--
2.54.0