Fixes for 5.15

[thirdparty/kernel/stable-queue.git] / queue-5.15 / nfsd-fix-problems-with-cleanup-on-errors-in-nfsd4_co.patch

From 135601fe8bddf569c37fc383e2e8fb38a5ddeceb Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Tue, 31 Jan 2023 11:12:29 -0800
Subject: NFSD: fix problems with cleanup on errors in nfsd4_copy

From: Dai Ngo <dai.ngo@oracle.com>

[ Upstream commit 81e722978ad21072470b73d8f6a50ad62c7d5b7d ]

When nfsd4_copy fails to allocate memory for async_copy->cp_src, or
nfs4_init_copy_state fails, it calls cleanup_async_copy to do the
cleanup for the async_copy which causes page fault since async_copy
is not yet initialized.

This patche rearranges the order of initializing the fields in
async_copy and adds checks in cleanup_async_copy to skip un-initialized
fields.

Fixes: ce0887ac96d3 ("NFSD add nfs4 inter ssc to nfsd4_copy")
Fixes: 87689df69491 ("NFSD: Shrink size of struct nfsd4_copy")
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 fs/nfsd/nfs4proc.c  | 12 ++++++++----
 fs/nfsd/nfs4state.c |  5 +++--
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index c95e7ec5fb530..ba53cd89ec62c 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1687,9 +1687,12 @@ static void cleanup_async_copy(struct nfsd4_copy *copy)
 {
        nfs4_free_copy_state(copy);
        release_copy_files(copy);
-       spin_lock(&copy->cp_clp->async_lock);
-       list_del(&copy->copies);
-       spin_unlock(&copy->cp_clp->async_lock);
+       if (copy->cp_clp) {
+               spin_lock(&copy->cp_clp->async_lock);
+               if (!list_empty(&copy->copies))
+                       list_del_init(&copy->copies);
+               spin_unlock(&copy->cp_clp->async_lock);
+       }
        nfs4_put_copy(copy);
 }
 
@@ -1786,12 +1789,13 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
                async_copy = kzalloc(sizeof(struct nfsd4_copy), GFP_KERNEL);
                if (!async_copy)
                        goto out_err;
+               INIT_LIST_HEAD(&async_copy->copies);
+               refcount_set(&async_copy->refcount, 1);
                async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL);
                if (!async_copy->cp_src)
                        goto out_err;
                if (!nfs4_init_copy_state(nn, copy))
                        goto out_err;
-               refcount_set(&async_copy->refcount, 1);
                memcpy(&copy->cp_res.cb_stateid, &copy->cp_stateid.cs_stid,
                        sizeof(copy->cp_res.cb_stateid));
                dup_copy_fields(copy, async_copy);
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 773971a75b62d..fab5805b3ca74 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -990,7 +990,6 @@ static int nfs4_init_cp_state(struct nfsd_net *nn, copy_stateid_t *stid,
 
        stid->cs_stid.si_opaque.so_clid.cl_boot = (u32)nn->boot_time;
        stid->cs_stid.si_opaque.so_clid.cl_id = nn->s2s_cp_cl_id;
-       stid->cs_type = cs_type;
 
        idr_preload(GFP_KERNEL);
        spin_lock(&nn->s2s_cp_lock);
@@ -1001,6 +1000,7 @@ static int nfs4_init_cp_state(struct nfsd_net *nn, copy_stateid_t *stid,
        idr_preload_end();
        if (new_id < 0)
                return 0;
+       stid->cs_type = cs_type;
        return 1;
 }
 
@@ -1034,7 +1034,8 @@ void nfs4_free_copy_state(struct nfsd4_copy *copy)
 {
        struct nfsd_net *nn;
 
-       WARN_ON_ONCE(copy->cp_stateid.cs_type != NFS4_COPY_STID);
+       if (copy->cp_stateid.cs_type != NFS4_COPY_STID)
+               return;
        nn = net_generic(copy->cp_clp->net, nfsd_net_id);
        spin_lock(&nn->s2s_cp_lock);
        idr_remove(&nn->s2s_cp_stateids,
-- 
2.43.0