nfs: fix ->d_revalidate() UAF on ->d_name accesses

	return nfs_lookup_revalidate_done(dir, dentry, inode, 1);

}

static int nfs_lookup_revalidate_dentry(struct inode *dir,

static int nfs_lookup_revalidate_dentry(struct inode *dir, const struct qstr *name,

					struct dentry *dentry,

					struct inode *inode, unsigned int flags)

{

		goto out;

	dir_verifier = nfs_save_change_attribute(dir);

	ret = NFS_PROTO(dir)->lookup(dir, dentry, fhandle, fattr);

	ret = NFS_PROTO(dir)->lookup(dir, dentry, name, fhandle, fattr);

	if (ret < 0)

		goto out;

	if (NFS_STALE(inode))

		goto out_bad;

	return nfs_lookup_revalidate_dentry(dir, dentry, inode, flags);

	return nfs_lookup_revalidate_dentry(dir, name, dentry, inode, flags);

out_valid:

	return nfs_lookup_revalidate_done(dir, dentry, inode, 1);

out_bad:

	dir_verifier = nfs_save_change_attribute(dir);

	trace_nfs_lookup_enter(dir, dentry, flags);

	error = NFS_PROTO(dir)->lookup(dir, dentry, fhandle, fattr);

	error = NFS_PROTO(dir)->lookup(dir, dentry, &dentry->d_name,

				       fhandle, fattr);

	if (error == -ENOENT) {

		if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE))

			dir_verifier = inode_peek_iversion_raw(dir);

reval_dentry:

	if (flags & LOOKUP_RCU)

		return -ECHILD;

	return nfs_lookup_revalidate_dentry(dir, dentry, inode, flags);

	return nfs_lookup_revalidate_dentry(dir, name, dentry, inode, flags);

full_reval:

	return nfs_do_lookup_revalidate(dir, name, dentry, flags);

	d_drop(dentry);

	if (fhandle->size == 0) {

		error = NFS_PROTO(dir)->lookup(dir, dentry, fhandle, fattr);

		error = NFS_PROTO(dir)->lookup(dir, dentry, &dentry->d_name,

					       fhandle, fattr);

		if (error)

			goto out_error;

	}

	int err;

	/* Look it up again to get its attributes */

	err = server->nfs_client->rpc_ops->lookup(d_inode(parent), dentry,

	err = server->nfs_client->rpc_ops->lookup(d_inode(parent), dentry, &dentry->d_name,

						  ctx->mntfh, ctx->clone_data.fattr);

	dput(parent);

	if (err != 0)

}

static int

nfs3_proc_lookup(struct inode *dir, struct dentry *dentry,

nfs3_proc_lookup(struct inode *dir, struct dentry *dentry, const struct qstr *name,

		 struct nfs_fh *fhandle, struct nfs_fattr *fattr)

{

	unsigned short task_flags = 0;

		task_flags |= RPC_TASK_TIMEOUT;

	dprintk("NFS call  lookup %pd2\n", dentry);

	return __nfs3_proc_lookup(dir, dentry->d_name.name,

				  dentry->d_name.len, fhandle, fattr,

	return __nfs3_proc_lookup(dir, name->name, name->len, fhandle, fattr,

				  task_flags);

}

}

static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,

		struct dentry *dentry, struct nfs_fh *fhandle,

		struct nfs_fattr *fattr)

		struct dentry *dentry, const struct qstr *name,

		struct nfs_fh *fhandle, struct nfs_fattr *fattr)

{

	struct nfs_server *server = NFS_SERVER(dir);

	int		       status;

	struct nfs4_lookup_arg args = {

		.bitmask = server->attr_bitmask,

		.dir_fh = NFS_FH(dir),

		.name = &dentry->d_name,

		.name = name,

	};

	struct nfs4_lookup_res res = {

		.server = server,

}

static int nfs4_proc_lookup_common(struct rpc_clnt **clnt, struct inode *dir,

				   struct dentry *dentry, struct nfs_fh *fhandle,

				   struct nfs_fattr *fattr)

				   struct dentry *dentry, const struct qstr *name,

				   struct nfs_fh *fhandle, struct nfs_fattr *fattr)

{

	struct nfs4_exception exception = {

		.interruptible = true,

	};

	struct rpc_clnt *client = *clnt;

	const struct qstr *name = &dentry->d_name;

	int err;

	do {

		err = _nfs4_proc_lookup(client, dir, dentry, fhandle, fattr);

		err = _nfs4_proc_lookup(client, dir, dentry, name, fhandle, fattr);

		trace_nfs4_lookup(dir, name, err);

		switch (err) {

		case -NFS4ERR_BADNAME:

	return err;

}

static int nfs4_proc_lookup(struct inode *dir, struct dentry *dentry,

static int nfs4_proc_lookup(struct inode *dir, struct dentry *dentry, const struct qstr *name,

			    struct nfs_fh *fhandle, struct nfs_fattr *fattr)

{

	int status;

	struct rpc_clnt *client = NFS_CLIENT(dir);

	status = nfs4_proc_lookup_common(&client, dir, dentry, fhandle, fattr);

	status = nfs4_proc_lookup_common(&client, dir, dentry, name, fhandle, fattr);

	if (client != NFS_CLIENT(dir)) {

		rpc_shutdown_client(client);

		nfs_fixup_secinfo_attributes(fattr);

	struct rpc_clnt *client = NFS_CLIENT(dir);

	int status;

	status = nfs4_proc_lookup_common(&client, dir, dentry, fhandle, fattr);

	status = nfs4_proc_lookup_common(&client, dir, dentry, &dentry->d_name,

					 fhandle, fattr);

	if (status < 0)

		return ERR_PTR(status);

	return (client == NFS_CLIENT(dir)) ? rpc_clone_client(client) : client;

}

static int

nfs_proc_lookup(struct inode *dir, struct dentry *dentry,

nfs_proc_lookup(struct inode *dir, struct dentry *dentry, const struct qstr *name,

		struct nfs_fh *fhandle, struct nfs_fattr *fattr)

{

	struct nfs_diropargs	arg = {

		.fh		= NFS_FH(dir),

		.name		= dentry->d_name.name,

		.len		= dentry->d_name.len

		.name		= name->name,

		.len		= name->len

	};

	struct nfs_diropok	res = {

		.fh		= fhandle,