From 9fe6e9e7b58944037714442384075c17cfde1c56 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Mon, 18 Mar 2024 17:32:09 +0100
Subject: [PATCH] nfsd: Fix error cleanup path in nfsd_rename()
Git-commit: 9fe6e9e7b58944037714442384075c17cfde1c56
Patch-mainline: v6.9-rc2
References: bsc#1221044 CVE-2023-52591

Commit a8b0026847b8 ("rename(): avoid a deadlock in the case of parents
having no common ancestor") added an error bail out path. However this
path does not drop the remount protection that has been acquired. Fix
the cleanup path to properly drop the remount protection.

Fixes: a8b0026847b8 ("rename(): avoid a deadlock in the case of parents having no common ancestor")
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: Jan Kara <jack@suse.cz>

---
 fs/nfsd/vfs.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1714,7 +1714,7 @@ nfsd_rename(struct svc_rqst *rqstp, stru
 	trap = lock_rename(tdentry, fdentry);
 	if (IS_ERR(trap)) {
 		err = (rqstp->rq_vers == 2) ? nfserr_acces : nfserr_xdev;
-		goto out;
+		goto out_want_write;
 	}
 	ffhp->fh_locked = tfhp->fh_locked = true;
 	fill_pre_wcc(ffhp);
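Review bot: The IS_ERR(trap) branch now jumps to out_want_write, but the call that takes the remount protection is outside the visible context. Confirm that every remaining `goto out` earlier in nfsd_rename() runs before that acquisition; otherwise the same leak survives on those paths. A one-line comment on this branch saying that lock_rename() failed, so nothing is locked and only the write access has to be dropped, would make it obvious why this path skips unlock_rename().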
@@ -1766,6 +1766,7 @@ nfsd_rename(struct svc_rqst *rqstp, stru
 	fill_post_wcc(ffhp);
 	fill_post_wcc(tfhp);
 	unlock_rename(tdentry, fdentry);
+out_want_write:
 	ffhp->fh_locked = tfhp->fh_locked = false;
 	fh_drop_write(ffhp);
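Review bot: The out_want_write label sits above `ffhp->fh_locked = tfhp->fh_locked = false;`, so the lock_rename() failure path also executes that assignment. The first hunk shows the flags are set to true only after lock_rename() succeeds, so the reset is redundant on this path. It looks harmless, but placing the label directly above `fh_drop_write(ffhp);` would make the label name match exactly what it undoes. The matching drop for tfhp, if one is needed, is not visible in this hunk and is worth checking against the acquisition site.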