[PATCH] fix posix lock on NFS

From: ASANO Masahiro
Date: Wed Dec 21 2005 - 23:24:07 EST


Hi,

I found a problem on NFS client code. It enables a local user to
crash the system.

NFS client prevents mandatory locks, but there is a flaw in it: locks
are possibly left if the mode is changed while locking. And a recent
change in VFS makes it call BUG().

For example:
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
	struct flock lck;
	int fd = open("file_on_nfs", O_RDWR | O_CREAT, 0644);
	memset(&lck, 0, sizeof(lck)); /* l_whence/l_start/l_len = 0: whole file */
	lck.l_type = F_WRLCK;
	fcntl(fd, F_SETLK, &lck); // get locked
	fchmod(fd, 02644); // change i_mode to -rw-r-Sr--
	close(fd); // "kernel BUG at fs/locks.c:1932!"
}

The cause is:
o The situation that locking succeeds but unlocking fails is
possible, because of i_mode.
o locks_remove_flock() calls BUG() if posix locks remain on an
inode when closing. It was changed at 2.6.13-rc4.

Here is a patch against 2.6.15-rc6. This permits unlocking even if
the mandatory lock bits are set.

Signed-off-by: ASANO Masahiro <masano@xxxxxxxxxxxxxx>
---

--- linux-2.6.15-rc6/fs/nfs/file.c.orig 2005-12-21 21:30:14.000000000 +0900
+++ linux-2.6.15-rc6/fs/nfs/file.c 2005-12-21 21:42:16.000000000 +0900
@@ -524,7 +524,8 @@ static int nfs_lock(struct file *filp, i
return -EINVAL;

/* No mandatory locks over NFS */
- if ((inode->i_mode & (S_ISGID | S_IXGRP)) == S_ISGID)
+ if ((inode->i_mode & (S_ISGID | S_IXGRP)) == S_ISGID &&
+ fl->fl_type != F_UNLCK)
return -ENOLCK;

if (IS_GETLK(cmd))
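Review bot: the added `fl->fl_type != F_UNLCK` condition changes the meaning of the comment `/* No mandatory locks over NFS */` directly above it; extend the comment to say that unlock requests are let through because the lock may have been granted before the mandatory-lock bits were set on i_mode, and close() must still be able to release it. Note also that F_GETLK requests on such an inode are still refused with -ENOLCK, since the `if (IS_GETLK(cmd))` branch is only reached when the new test fails; say in the commit message whether that is intended.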
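The following is an added user-space model of the mode test in nfs_lock() before and after this patch, written to make the bug's precondition (a lock granted at 0644, then fchmod to 02644, then an unlock at close) checkable without a kernel. It is not code from the patch or from the kernel; the function names nfs_mandatory_mode(), nfs_lock_refused_old(), nfs_lock_refused_new() and lock_leaks() are hypothetical.

```c
/* Added example: models the i_mode test from nfs_lock() in user space.
 * Not kernel code; all function names here are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>

/* The kernel's test for "mandatory locking enabled" on an inode:
 * setgid bit set while group-execute is clear (e.g. mode 02644). */
static int nfs_mandatory_mode(mode_t mode)
{
    return (mode & (S_ISGID | S_IXGRP)) == S_ISGID;
}

/* Before the patch: every lock request on such an inode is refused,
 * whatever the request type. */
static int nfs_lock_refused_old(mode_t mode, short fl_type)
{
    (void)fl_type;
    return nfs_mandatory_mode(mode);
}

/* After the patch: unlock (F_UNLCK) is always allowed, so a lock
 * granted before the mode changed can still be released at close(). */
static int nfs_lock_refused_new(mode_t mode, short fl_type)
{
    return nfs_mandatory_mode(mode) && fl_type != F_UNLCK;
}

/* Replays the sequence from the report: F_SETLK at 0644, fchmod to
 * 02644, then the F_UNLCK that close() issues. Returns 1 if a posix
 * lock would be left on the inode, which is what locks_remove_flock()
 * turns into BUG(). */
static int lock_leaks(int (*refused)(mode_t, short))
{
    mode_t mode = 0644;
    int locked = !refused(mode, F_WRLCK);             /* lock succeeds at 0644 */
    mode = 02644;                                     /* fchmod(fd, 02644) */
    int unlocked = locked && !refused(mode, F_UNLCK); /* close() -> F_UNLCK */
    return locked && !unlocked;
}

int main(void)
{
    printf("mode 02644 is mandatory-lock mode: %d\n", nfs_mandatory_mode(02644));
    printf("mode 02654 is mandatory-lock mode: %d\n", nfs_mandatory_mode(02654));
    printf("lock left behind with old check: %d\n", lock_leaks(nfs_lock_refused_old));
    printf("lock left behind with new check: %d\n", lock_leaks(nfs_lock_refused_new));
    return 0;
}
```

With the old check the replay leaves the lock in place (the unlock is refused with the same -ENOLCK as a new lock would be); with the patched check the unlock goes through and nothing remains on the inode at close.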