diff -drupN a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c --- a/fs/nfsd/vfs.c 2018-08-06 17:23:04.000000000 +0300 +++ b/fs/nfsd/vfs.c 2022-06-12 05:28:14.000000000 +0300 @@ -30,6 +30,7 @@ #include #include #include +#include #ifdef CONFIG_NFSD_V3 #include "xdr3.h" @@ -75,14 +76,14 @@ struct raparm_hbucket { #define RAPARM_HASH_MASK (RAPARM_HASH_SIZE-1) static struct raparm_hbucket raparm_hash[RAPARM_HASH_SIZE]; -/* - * Called from nfsd_lookup and encode_dirent. Check if we have crossed +/* + * Called from nfsd_lookup and encode_dirent. Check if we have crossed * a mount point. * Returns -EAGAIN or -ETIMEDOUT leaving *dpp and *expp unchanged, * or nfs_ok having possibly changed *dpp and *expp */ int -nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp, +nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp, struct svc_export **expp) { struct svc_export *exp = *expp, *exp2 = NULL; @@ -656,7 +657,7 @@ nfsd_access(struct svc_rqst *rqstp, stru case nfs_ok: result |= map->access; break; - + /* the following error codes just mean the access was not allowed, * rather than an error occurred */ case nfserr_rofs: @@ -763,6 +764,15 @@ nfsd_open(struct svc_rqst *rqstp, struct goto out_nfserr; } +#ifdef CONFIG_FILE_INTEGRITY + host_err = fivm_open_verify( + file, + path.dentry->d_name.name, + may_flags); + if (host_err) + goto out_nfserr; +#endif + host_err = ima_file_check(file, may_flags, 0); if (host_err) { fput(file); @@ -805,7 +815,7 @@ nfsd_init_raparms(struct file *file) frap = rap; } depth = nfsdstats.ra_size; - if (!frap) { + if (!frap) { spin_unlock(&rab->pb_lock); return NULL; } @@ -889,7 +899,7 @@ nfsd_finish_read(struct file *file, unsi *count = host_err; fsnotify_access(file); return 0; - } else + } else return nfserrno(host_err); } @@ -1377,7 +1387,7 @@ do_nfsd_create(struct svc_rqst *rqstp, s v_mtime = verifier[0]&0x7fffffff; v_atime = verifier[1]&0x7fffffff; } - + if (d_really_is_positive(dchild)) { err = 0; @@ -1438,7 +1448,7 @@ do_nfsd_create(struct svc_rqst *rqstp, s /* Cram the verifier into atime/mtime */ iap->ia_valid = ATTR_MTIME|ATTR_ATIME | ATTR_MTIME_SET|ATTR_ATIME_SET; - /* XXX someone who knows this better please fix it for nsec */ + /* XXX someone who knows this better please fix it for nsec */ iap->ia_mtime.tv_sec = v_mtime; iap->ia_atime.tv_sec = v_atime; iap->ia_mtime.tv_nsec = 0; @@ -1467,7 +1477,7 @@ do_nfsd_create(struct svc_rqst *rqstp, s dput(dchild); fh_drop_write(fhp); return err; - + out_nfserr: err = nfserrno(host_err); goto out; @@ -1920,7 +1930,7 @@ static __be32 nfsd_buffered_readdir(stru * The NFSv3/4 verifier we ignore for now. */ __be32 -nfsd_readdir(struct svc_rqst *rqstp, struct svc_fh *fhp, loff_t *offsetp, +nfsd_readdir(struct svc_rqst *rqstp, struct svc_fh *fhp, loff_t *offsetp, struct readdir_cd *cdp, nfsd_filldir_t func) { __be32 err; @@ -2009,7 +2019,7 @@ nfsd_permission(struct svc_rqst *rqstp, #endif /* Normally we reject any write/sattr etc access on a read-only file - * system. But if it is IRIX doing check on write-access for a + * system. But if it is IRIX doing check on write-access for a * device special file, we ignore rofs. */ if (!(acc & NFSD_MAY_LOCAL_ACCESS))