r228827 fixed a problem where copying of NFSv4 open credentials into

a credential structure would corrupt it. This happened when the
p argument was != NULL. However, I now realize that the copying of
open credentials should only happen for p == NULL, since that indicates
that it is a read-ahead or write-behind. This patch fixes this.
After this commit, r228827 could be reverted, but I think the code is
clearer and safer with the patch, so I am going to leave it in.
Without this patch, it was possible that a NFSv4 VOP_SETATTR() could have
changed the credentials of the caller. This would have happened if
the process doing the VOP_SETATTR() did not have the file open, but
some other process running as a different uid had the file open for writing
at the same time.

MFC after:	5 days

1 files changed, 6 insertions, 2 deletions

diff --git a/sys/fs/nfsclient/nfs_clstate.c b/sys/fs/nfsclient/nfs_clstate.c
index 765b6b9..b54805d 100644
--- a/sys/fs/nfsclient/nfs_clstate.c
+++ b/sys/fs/nfsclient/nfs_clstate.c
@@ -559,8 +559,12 @@ nfscl_getstateid(vnode_t vp, u_int8_t *nfhp, int fhlen, u_int32_t mode,
 			NFSUNLOCKCLSTATE();
 			return (ENOENT);
 		}
-		/* for read aheads or write behinds, use the open cred */
-		newnfs_copycred(&op->nfso_cred, cred);
+		/*
+		 * For read aheads or write behinds, use the open cred.
+		 * A read ahead or write behind is indicated by p == NULL.
+		 */
+		if (p == NULL)
+			newnfs_copycred(&op->nfso_cred, cred);
 	}
 
 	/*