--- /dev/null
+From 366a1569bff3fe14abfdf9285e31e05e091745f5 Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Mon, 6 Mar 2017 22:29:14 +0800
+Subject: NFSv4: fix a reference leak caused WARNING messages
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit 366a1569bff3fe14abfdf9285e31e05e091745f5 upstream.
+
+Because nfs4_opendata_access() has close the state when access is denied,
+so the state isn't leak.
+Rather than revert the commit a974deee47, I'd like clean the strange state close.
+
+[ 1615.094218] ------------[ cut here ]------------
+[ 1615.094607] WARNING: CPU: 0 PID: 23702 at lib/list_debug.c:31 __list_add_valid+0x8e/0xa0
+[ 1615.094913] list_add double add: new=ffff9d7901d9f608, prev=ffff9d7901d9f608, next=ffff9d7901ee8dd0.
+[ 1615.095458] Modules linked in: nfsv4(E) nfs(E) nfsd(E) tun bridge stp llc fuse ip_set nfnetlink vmw_vsock_vmci_transport vsock f2fs snd_seq_midi snd_seq_midi_event fscrypto coretemp ppdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_rapl_perf vmw_balloon snd_ens1371 joydev gameport snd_ac97_codec ac97_bus snd_seq snd_pcm snd_rawmidi snd_timer snd_seq_device snd soundcore nfit parport_pc parport acpi_cpufreq tpm_tis tpm_tis_core tpm i2c_piix4 vmw_vmci shpchp auth_rpcgss nfs_acl lockd(E) grace sunrpc(E) xfs libcrc32c vmwgfx drm_kms_helper ttm drm crc32c_intel mptspi e1000 serio_raw scsi_transport_spi mptscsih mptbase ata_generic pata_acpi fjes [last unloaded: nfs]
+[ 1615.097663] CPU: 0 PID: 23702 Comm: fstest Tainted: G W E 4.11.0-rc1+ #517
+[ 1615.098015] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
+[ 1615.098807] Call Trace:
+[ 1615.099183] dump_stack+0x63/0x86
+[ 1615.099578] __warn+0xcb/0xf0
+[ 1615.099967] warn_slowpath_fmt+0x5f/0x80
+[ 1615.100370] __list_add_valid+0x8e/0xa0
+[ 1615.100760] nfs4_put_state_owner+0x75/0xc0 [nfsv4]
+[ 1615.101136] __nfs4_close+0x109/0x140 [nfsv4]
+[ 1615.101524] nfs4_close_state+0x15/0x20 [nfsv4]
+[ 1615.101949] nfs4_close_context+0x21/0x30 [nfsv4]
+[ 1615.102691] __put_nfs_open_context+0xb8/0x110 [nfs]
+[ 1615.103155] put_nfs_open_context+0x10/0x20 [nfs]
+[ 1615.103586] nfs4_file_open+0x13b/0x260 [nfsv4]
+[ 1615.103978] do_dentry_open+0x20a/0x2f0
+[ 1615.104369] ? nfs4_copy_file_range+0x30/0x30 [nfsv4]
+[ 1615.104739] vfs_open+0x4c/0x70
+[ 1615.105106] ? may_open+0x5a/0x100
+[ 1615.105469] path_openat+0x623/0x1420
+[ 1615.105823] do_filp_open+0x91/0x100
+[ 1615.106174] ? __alloc_fd+0x3f/0x170
+[ 1615.106568] do_sys_open+0x130/0x220
+[ 1615.106920] ? __put_cred+0x3d/0x50
+[ 1615.107256] SyS_open+0x1e/0x20
+[ 1615.107588] entry_SYSCALL_64_fastpath+0x1a/0xa9
+[ 1615.107922] RIP: 0033:0x7fab599069b0
+[ 1615.108247] RSP: 002b:00007ffcf0600d78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
+[ 1615.108575] RAX: ffffffffffffffda RBX: 00007fab59bcfae0 RCX: 00007fab599069b0
+[ 1615.108896] RDX: 0000000000000200 RSI: 0000000000000200 RDI: 00007ffcf060255e
+[ 1615.109211] RBP: 0000000000040010 R08: 0000000000000000 R09: 0000000000000016
+[ 1615.109515] R10: 00000000000006a1 R11: 0000000000000246 R12: 0000000000041000
+[ 1615.109806] R13: 0000000000040010 R14: 0000000000001000 R15: 0000000000002710
+[ 1615.110152] ---[ end trace 96ed63b1306bf2f3 ]---
+
+Fixes: a974deee47 ("NFSv4: Fix memory and state leak in...")
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Cc: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2343,8 +2343,6 @@ static int nfs4_opendata_access(struct r
+ if ((mask & ~cache.mask & (MAY_READ | MAY_EXEC)) == 0)
+ return 0;
+
+- /* even though OPEN succeeded, access is denied. Close the file */
+- nfs4_close_state(state, fmode);
+ return -EACCES;
+ }
+
--- /dev/null
+From df807fffaabde625fa9adb82e3e5b88cdaa5709a Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Thu, 27 Apr 2017 11:13:38 +0800
+Subject: NFSv4.x/callback: Create the callback service through svc_create_pooled
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit df807fffaabde625fa9adb82e3e5b88cdaa5709a upstream.
+
+As the comments for svc_set_num_threads() said,
+" Destroying threads relies on the service threads filling in
+rqstp->rq_task, which only the nfs ones do. Assumes the serv
+has been created using svc_create_pooled()."
+
+If creating service through svc_create(), the svc_pool_map_put()
+will be called in svc_destroy(), but the pool map isn't used.
+So that, the reference of pool map will be drop, the next using
+of pool map will get a zero npools.
+
+[ 137.992130] divide error: 0000 [#1] SMP
+[ 137.992148] Modules linked in: nfsd(E) nfsv4 nfs fscache fuse tun bridge stp llc ip_set nfnetlink vmw_vsock_vmci_transport vsock snd_seq_midi snd_seq_midi_event vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ppdev ghash_clmulni_intel intel_rapl_perf joydev snd_ens1371 gameport snd_ac97_codec ac97_bus snd_seq snd_pcm snd_rawmidi snd_timer snd_seq_device snd soundcore parport_pc parport nfit acpi_cpufreq tpm_tis tpm_tis_core tpm vmw_vmci i2c_piix4 shpchp auth_rpcgss nfs_acl lockd(E) grace sunrpc(E) xfs libcrc32c vmwgfx drm_kms_helper ttm crc32c_intel drm e1000 mptspi scsi_transport_spi serio_raw mptscsih mptbase ata_generic pata_acpi [last unloaded: nfsd]
+[ 137.992336] CPU: 0 PID: 4514 Comm: rpc.nfsd Tainted: G E 4.11.0-rc8+ #536
+[ 137.992777] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
+[ 137.993757] task: ffff955984101d00 task.stack: ffff9873c2604000
+[ 137.994231] RIP: 0010:svc_pool_for_cpu+0x2b/0x80 [sunrpc]
+[ 137.994768] RSP: 0018:ffff9873c2607c18 EFLAGS: 00010246
+[ 137.995227] RAX: 0000000000000000 RBX: ffff95598376f000 RCX: 0000000000000002
+[ 137.995673] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9559944aec00
+[ 137.996156] RBP: ffff9873c2607c18 R08: ffff9559944aec28 R09: 0000000000000000
+[ 137.996609] R10: 0000000001080002 R11: 0000000000000000 R12: ffff95598376f010
+[ 137.997063] R13: ffff95598376f018 R14: ffff9559944aec28 R15: ffff9559944aec00
+[ 137.997584] FS: 00007f755529eb40(0000) GS:ffff9559bb600000(0000) knlGS:0000000000000000
+[ 137.998048] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 137.998548] CR2: 000055f3aecd9660 CR3: 0000000084290000 CR4: 00000000001406f0
+[ 137.999052] Call Trace:
+[ 137.999517] svc_xprt_do_enqueue+0xef/0x260 [sunrpc]
+[ 138.000028] svc_xprt_received+0x47/0x90 [sunrpc]
+[ 138.000487] svc_add_new_perm_xprt+0x76/0x90 [sunrpc]
+[ 138.000981] svc_addsock+0x14b/0x200 [sunrpc]
+[ 138.001424] ? recalc_sigpending+0x1b/0x50
+[ 138.001860] ? __getnstimeofday64+0x41/0xd0
+[ 138.002346] ? do_gettimeofday+0x29/0x90
+[ 138.002779] write_ports+0x255/0x2c0 [nfsd]
+[ 138.003202] ? _copy_from_user+0x4e/0x80
+[ 138.003676] ? write_recoverydir+0x100/0x100 [nfsd]
+[ 138.004098] nfsctl_transaction_write+0x48/0x80 [nfsd]
+[ 138.004544] __vfs_write+0x37/0x160
+[ 138.004982] ? selinux_file_permission+0xd7/0x110
+[ 138.005401] ? security_file_permission+0x3b/0xc0
+[ 138.005865] vfs_write+0xb5/0x1a0
+[ 138.006267] SyS_write+0x55/0xc0
+[ 138.006654] entry_SYSCALL_64_fastpath+0x1a/0xa9
+[ 138.007071] RIP: 0033:0x7f7554b9dc30
+[ 138.007437] RSP: 002b:00007ffc9f92c788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 138.007807] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f7554b9dc30
+[ 138.008168] RDX: 0000000000000002 RSI: 00005640cd536640 RDI: 0000000000000003
+[ 138.008573] RBP: 00007ffc9f92c780 R08: 0000000000000001 R09: 0000000000000002
+[ 138.008918] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000004
+[ 138.009254] R13: 00005640cdbf77a0 R14: 00005640cdbf7720 R15: 00007ffc9f92c238
+[ 138.009610] Code: 0f 1f 44 00 00 48 8b 87 98 00 00 00 55 48 89 e5 48 83 78 08 00 74 10 8b 05 07 42 02 00 83 f8 01 74 40 83 f8 02 74 19 31 c0 31 d2 <f7> b7 88 00 00 00 5d 89 d0 48 c1 e0 07 48 03 87 90 00 00 00 c3
+[ 138.010664] RIP: svc_pool_for_cpu+0x2b/0x80 [sunrpc] RSP: ffff9873c2607c18
+[ 138.011061] ---[ end trace b3468224cafa7d11 ]---
+
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/callback.c
++++ b/fs/nfs/callback.c
+@@ -279,7 +279,7 @@ static struct svc_serv *nfs_callback_cre
+ printk(KERN_WARNING "nfs_callback_create_svc: no kthread, %d users??\n",
+ cb_info->users);
+
+- serv = svc_create(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);
++ serv = svc_create_pooled(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);
+ if (!serv) {
+ printk(KERN_ERR "nfs_callback_create_svc: create service failed\n");
+ return ERR_PTR(-ENOMEM);
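Review bot: The new call `serv = svc_create_pooled(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);` has no comment saying why the pooled constructor is required, and it differs from `svc_create()` by a single token that a later cleanup could easily revert. Per the commit description, using `svc_create()` makes svc_destroy() drop a pool-map reference that was never taken, so the next user sees zero npools; the quoted trace shows this as a divide error in svc_pool_for_cpu() reached from an rpc.nfsd write, i.e. a kernel oops on a userspace-driven path. I would add above the call: `/* Must be svc_create_pooled(): svc_destroy() calls svc_pool_map_put(), so creation has to take the matching pool-map reference. */`. The body of nfs_callback_create_svc starts and ends outside the hunk, so whether the rest of the setup and teardown is balanced cannot be confirmed from here.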