CVE request: kernel: NULL pointer dereference in nfs4_proc_lock()

[Eugene Teo <eugeneteo () kernel sg>]

Quote from upstream commit:
"We just had a case in which a buggy server occasionally returns the 
wrong attributes during an OPEN call. While the client does catch this 
sort of condition in nfs4_open_done(), and causes the nfs4_atomic_open() 
to return -EISDIR, the logic in nfs_atomic_lookup() is broken, since it 
causes a fallback to an ordinary lookup instead of just returning the error.

When the buggy server then returns a regular file for the fallback 
lookup, the VFS allows the open, and bad things start to happen, since 
the open file doesn't have any associated NFSv4 state.

The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and 
secondly to ensure that we are always careful when dereferencing the 
nfs_open_context state pointer."

Upstream commit:
http://git.kernel.org/linus/d953126a28f97e (v2.6.31-rc4)

Steps to reproduce the issue/backtraces:
https://bugzilla.redhat.com/show_bug.cgi?id=529227#c0

References:
http://www.spinics.net/linux/lists/linux-nfs/msg03357.html
https://bugzilla.redhat.com/show_bug.cgi?id=529227

Thanks, Eugene