From 1751fc1db36f6f411709e143d5393f92d12137a9 Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Thu, 6 Jan 2022 18:24:03 -0500
Subject: [PATCH] NFSv4: nfs_atomic_open() can race when looking up a
 non-regular file
Git-commit: 1751fc1db36f6f411709e143d5393f92d12137a9
Patch-mainline: v5.17-rc2
References: bsc#1195612 CVE-2022-24448

If the file type changes back to being a regular file on the server
between the failed OPEN and our LOOKUP, then we need to re-run the OPEN.

Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Vasant Karasulli <vkarasulli@suse.de>
---
 fs/nfs/dir.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 408c3bb549b1..5df75ed09268 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1589,12 +1589,17 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
 		if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
 		    !S_ISDIR(inode->i_mode))
 			res = ERR_PTR(-ENOTDIR);
+		else if (inode && S_ISREG(inode->i_mode))
+			res = ERR_PTR(-EOPENSTALE);
 	} else if (!IS_ERR(res)) {
 		inode = d_inode(res);
 		if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
 		    !S_ISDIR(inode->i_mode)) {
 			dput(res);
 			res = ERR_PTR(-ENOTDIR);
+		} else if (inode && S_ISREG(inode->i_mode)) {
+			dput(res);
+			res = ERR_PTR(-EOPENSTALE);
 		}
 	}
 	if (switched) {