[PATCH AUTOSEL 6.17-5.4] nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing

[Sasha Levin <sashal@kernel.org>]

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit a890a2e339b929dbd843328f9a92a1625404fe63 ]

Theoretically it's an oopsable race, but I don't believe one can manage
to hit it on real hardware; might become doable on a KVM, but it still
won't be easy to attack.

Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of
put_unaligned_be64(), we can put that under ->d_lock and be done with that.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

YES
- The race is in `fs/nfs/nfs4proc.c:395`, where
  `NFS_FILEID(d_inode(dentry->d_parent))` relied on `d_parent` staying
  stable while another thread might be executing `__d_move`/rename and
  mutating that field under `dentry->d_lock`. Without taking that lock
  we can observe a transient or freed `d_parent`, leading to an oops
  while synthesising the “..” entry during readdir.
- The fix simply wraps the dereference in `spin_lock(&dentry->d_lock)` /
  `spin_unlock(&dentry->d_lock)` (`fs/nfs/nfs4proc.c:394-396`), matching
  dcache locking rules so we never race with rename/unhash. The critical
  section only covers `xdr_encode_hyper` (a `put_unaligned_be64`), so
  there is virtually no new latency or deadlock risk.
- No behavioural changes beyond closing this bug: the rest of
  `nfs4_setup_readdir()` is untouched, there are no dependency patches
  required, and this aligns with the long-standing expectation that
  anyone walking `d_parent` holds the dentry lock.
- Because the bug can crash clients performing `readdir()` while
  directories are being renamed/unlinked—even if the window is
  narrow—this is a correctness fix with minimal risk and well within the
  stable backport guidelines.

 fs/nfs/nfs4proc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 4de3e4bd724b7..b76da06864e53 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -391,7 +391,9 @@ static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dent
 	*p++ = htonl(attrs);                           /* bitmap */
 	*p++ = htonl(12);             /* attribute buffer length */
 	*p++ = htonl(NF4DIR);
+	spin_lock(&dentry->d_lock);
 	p = xdr_encode_hyper(p, NFS_FILEID(d_inode(dentry->d_parent)));
+	spin_unlock(&dentry->d_lock);
 
 	readdir->pgbase = (char *)p - (char *)start;
 	readdir->count -= readdir->pgbase;
-- 
2.51.0