3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Nov 2013 20:08:58 +0000 (12:08 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Nov 2013 20:08:58 +0000 (12:08 -0800)
added patches:
nfsd-make-sure-to-balance-get-put_write_access.patch
nfsd-return-better-errors-to-exportfs.patch
nfsd-split-up-nfsd_setattr.patch
nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch
nfsv4-don-t-reprocess-cached-open-claim_previous.patch
nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch
nfsv4-fix-null-dereference-in-open-recover.patch
nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch

queue-3.10/nfsd-make-sure-to-balance-get-put_write_access.patch [new file with mode: 0644]
queue-3.10/nfsd-return-better-errors-to-exportfs.patch [new file with mode: 0644]
queue-3.10/nfsd-split-up-nfsd_setattr.patch [new file with mode: 0644]
queue-3.10/nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch [new file with mode: 0644]
queue-3.10/nfsv4-don-t-reprocess-cached-open-claim_previous.patch [new file with mode: 0644]
queue-3.10/nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch [new file with mode: 0644]
queue-3.10/nfsv4-fix-null-dereference-in-open-recover.patch [new file with mode: 0644]
queue-3.10/nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/nfsd-make-sure-to-balance-get-put_write_access.patch b/queue-3.10/nfsd-make-sure-to-balance-get-put_write_access.patch
new file mode 100644 (file)
index 0000000..1024476
--- /dev/null
@@ -0,0 +1,70 @@
+From 987da4791052fa298b7cfcde4dea9f6f2bbc786b Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@infradead.org>
+Date: Mon, 18 Nov 2013 05:07:47 -0800
+Subject: nfsd: make sure to balance get/put_write_access
+
+From: Christoph Hellwig <hch@infradead.org>
+
+commit 987da4791052fa298b7cfcde4dea9f6f2bbc786b upstream.
+
+Use a straight goto error label style in nfsd_setattr to make sure
+we always do the put_write_access call after we got it earlier.
+
+Note that the we have been failing to do that in the case
+nfsd_break_lease() returns an error, a bug introduced into 2.6.38 with
+6a76bebefe15d9a08864f824d7f8d5beaf37c997 "nfsd4: break lease on nfsd
+setattr".
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/vfs.c |   29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -443,27 +443,28 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+       iap->ia_valid |= ATTR_CTIME;
+-      err = nfserr_notsync;
+-      if (!check_guard || guardtime == inode->i_ctime.tv_sec) {
+-              host_err = nfsd_break_lease(inode);
+-              if (host_err)
+-                      goto out_nfserr;
+-              fh_lock(fhp);
+-
+-              host_err = notify_change(dentry, iap);
+-              err = nfserrno(host_err);
+-              fh_unlock(fhp);
++      if (check_guard && guardtime != inode->i_ctime.tv_sec) {
++              err = nfserr_notsync;
++              goto out_put_write_access;
+       }
++
++      host_err = nfsd_break_lease(inode);
++      if (host_err)
++              goto out_put_write_access_nfserror;
++
++      fh_lock(fhp);
++      host_err = notify_change(dentry, iap);
++      fh_unlock(fhp);
++
++out_put_write_access_nfserror:
++      err = nfserrno(host_err);
++out_put_write_access:
+       if (size_change)
+               put_write_access(inode);
+       if (!err)
+               commit_metadata(fhp);
+ out:
+       return err;
+-
+-out_nfserr:
+-      err = nfserrno(host_err);
+-      goto out;
+ }
+ #if defined(CONFIG_NFSD_V2_ACL) || \
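Review bot: On the success path in nfsd_setattr, control falls straight through the `out_put_write_access_nfserror:` label, so `err = nfserrno(host_err)` produces the success value as well as the error value, although the label name reads as error-only. The `if (!err) commit_metadata(fhp);` below depends on that call yielding zero when `host_err` is 0. A one-line comment at the label, for example `/* also reached on success, with host_err == 0 */`, would keep a later edit from adding error-only cleanup there and unbalancing get/put_write_access again. The start of nfsd_setattr is outside this hunk.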
diff --git a/queue-3.10/nfsd-return-better-errors-to-exportfs.patch b/queue-3.10/nfsd-return-better-errors-to-exportfs.patch
new file mode 100644 (file)
index 0000000..b5059e8
--- /dev/null
@@ -0,0 +1,61 @@
+From 427d6c6646d868fbd3094e7e2e1644d480cd9204 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Fri, 13 Sep 2013 11:08:45 -0400
+Subject: nfsd: return better errors to exportfs
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 427d6c6646d868fbd3094e7e2e1644d480cd9204 upstream.
+
+Someone noticed exportfs happily accepted exports that would later be
+rejected when mountd tried to give them to the kernel.  Fix this.
+
+This is a regression from 4c1e1b34d5c800ad3ac9a7e2805b0bea70ad2278
+"nfsd: Store ex_anon_uid and ex_anon_gid as kuids and kgids".
+
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Reported-by: Yin.JianHong <jiyin@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/export.c |   15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/export.c
++++ b/fs/nfsd/export.c
+@@ -536,16 +536,12 @@ static int svc_export_parse(struct cache
+               if (err)
+                       goto out3;
+               exp.ex_anon_uid= make_kuid(&init_user_ns, an_int);
+-              if (!uid_valid(exp.ex_anon_uid))
+-                      goto out3;
+               /* anon gid */
+               err = get_int(&mesg, &an_int);
+               if (err)
+                       goto out3;
+               exp.ex_anon_gid= make_kgid(&init_user_ns, an_int);
+-              if (!gid_valid(exp.ex_anon_gid))
+-                      goto out3;
+               /* fsid */
+               err = get_int(&mesg, &an_int);
+@@ -583,6 +579,17 @@ static int svc_export_parse(struct cache
+                                  exp.ex_uuid);
+               if (err)
+                       goto out4;
++              /*
++               * For some reason exportfs has been passing down an
++               * invalid (-1) uid & gid on the "dummy" export which it
++               * uses to test export support.  To make sure exportfs
++               * sees errors from check_export we therefore need to
++               * delay these checks till after check_export:
++               */
++              if (!uid_valid(exp.ex_anon_uid))
++                      goto out4;
++              if (!gid_valid(exp.ex_anon_gid))
++                      goto out4;
+       }
+       expp = svc_export_lookup(&exp);
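Review bot: The relocated `uid_valid()`/`gid_valid()` checks jump to `out4` while `err` is still 0, because they sit directly after the `if (err) goto out4;` that follows check_export. If the function returns `err` after the `out4` cleanup (that part is outside the hunk), an export whose anonymous uid or gid is invalid is dropped while the writer is told the operation succeeded, which is the same kind of silent acceptance the commit message sets out to fix. Consider `err = -EINVAL;` before the two checks and `err = 0;` after them. If the silent return is intentional for exportfs's dummy export, the new comment should say so explicitly.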
diff --git a/queue-3.10/nfsd-split-up-nfsd_setattr.patch b/queue-3.10/nfsd-split-up-nfsd_setattr.patch
new file mode 100644 (file)
index 0000000..2754fa6
--- /dev/null
@@ -0,0 +1,197 @@
+From 818e5a22e907fbae75e9c1fd78233baec9fa64b6 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@infradead.org>
+Date: Mon, 18 Nov 2013 05:07:30 -0800
+Subject: nfsd: split up nfsd_setattr
+
+From: Christoph Hellwig <hch@infradead.org>
+
+commit 818e5a22e907fbae75e9c1fd78233baec9fa64b6 upstream.
+
+Split out two helpers to make the code more readable and easier to verify
+for correctness.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/vfs.c |  144 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 84 insertions(+), 60 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -297,41 +297,12 @@ commit_metadata(struct svc_fh *fhp)
+ }
+ /*
+- * Set various file attributes.
+- * N.B. After this call fhp needs an fh_put
++ * Go over the attributes and take care of the small differences between
++ * NFS semantics and what Linux expects.
+  */
+-__be32
+-nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
+-           int check_guard, time_t guardtime)
++static void
++nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
+ {
+-      struct dentry   *dentry;
+-      struct inode    *inode;
+-      int             accmode = NFSD_MAY_SATTR;
+-      umode_t         ftype = 0;
+-      __be32          err;
+-      int             host_err;
+-      int             size_change = 0;
+-
+-      if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
+-              accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE;
+-      if (iap->ia_valid & ATTR_SIZE)
+-              ftype = S_IFREG;
+-
+-      /* Get inode */
+-      err = fh_verify(rqstp, fhp, ftype, accmode);
+-      if (err)
+-              goto out;
+-
+-      dentry = fhp->fh_dentry;
+-      inode = dentry->d_inode;
+-
+-      /* Ignore any mode updates on symlinks */
+-      if (S_ISLNK(inode->i_mode))
+-              iap->ia_valid &= ~ATTR_MODE;
+-
+-      if (!iap->ia_valid)
+-              goto out;
+-
+       /*
+        * NFSv2 does not differentiate between "set-[ac]time-to-now"
+        * which only requires access, and "set-[ac]time-to-X" which
+@@ -341,8 +312,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+        * convert to "set to now" instead of "set to explicit time"
+        *
+        * We only call inode_change_ok as the last test as technically
+-       * it is not an interface that we should be using.  It is only
+-       * valid if the filesystem does not define it's own i_op->setattr.
++       * it is not an interface that we should be using.
+        */
+ #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
+ #define       MAX_TOUCH_TIME_ERROR (30*60)
+@@ -368,30 +338,6 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+                       iap->ia_valid &= ~BOTH_TIME_SET;
+               }
+       }
+-          
+-      /*
+-       * The size case is special.
+-       * It changes the file as well as the attributes.
+-       */
+-      if (iap->ia_valid & ATTR_SIZE) {
+-              if (iap->ia_size < inode->i_size) {
+-                      err = nfsd_permission(rqstp, fhp->fh_export, dentry,
+-                                      NFSD_MAY_TRUNC|NFSD_MAY_OWNER_OVERRIDE);
+-                      if (err)
+-                              goto out;
+-              }
+-
+-              host_err = get_write_access(inode);
+-              if (host_err)
+-                      goto out_nfserr;
+-
+-              size_change = 1;
+-              host_err = locks_verify_truncate(inode, NULL, iap->ia_size);
+-              if (host_err) {
+-                      put_write_access(inode);
+-                      goto out_nfserr;
+-              }
+-      }
+       /* sanitize the mode change */
+       if (iap->ia_valid & ATTR_MODE) {
+@@ -414,8 +360,86 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+                       iap->ia_valid |= (ATTR_KILL_SUID | ATTR_KILL_SGID);
+               }
+       }
++}
++
++static __be32
++nfsd_get_write_access(struct svc_rqst *rqstp, struct svc_fh *fhp,
++              struct iattr *iap)
++{
++      struct inode *inode = fhp->fh_dentry->d_inode;
++      int host_err;
++
++      if (iap->ia_size < inode->i_size) {
++              __be32 err;
++
++              err = nfsd_permission(rqstp, fhp->fh_export, fhp->fh_dentry,
++                              NFSD_MAY_TRUNC | NFSD_MAY_OWNER_OVERRIDE);
++              if (err)
++                      return err;
++      }
++
++      host_err = get_write_access(inode);
++      if (host_err)
++              goto out_nfserrno;
++
++      host_err = locks_verify_truncate(inode, NULL, iap->ia_size);
++      if (host_err)
++              goto out_put_write_access;
++      return 0;
++
++out_put_write_access:
++      put_write_access(inode);
++out_nfserrno:
++      return nfserrno(host_err);
++}
++
++/*
++ * Set various file attributes.  After this call fhp needs an fh_put.
++ */
++__be32
++nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
++           int check_guard, time_t guardtime)
++{
++      struct dentry   *dentry;
++      struct inode    *inode;
++      int             accmode = NFSD_MAY_SATTR;
++      umode_t         ftype = 0;
++      __be32          err;
++      int             host_err;
++      int             size_change = 0;
++
++      if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
++              accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE;
++      if (iap->ia_valid & ATTR_SIZE)
++              ftype = S_IFREG;
++
++      /* Get inode */
++      err = fh_verify(rqstp, fhp, ftype, accmode);
++      if (err)
++              goto out;
++
++      dentry = fhp->fh_dentry;
++      inode = dentry->d_inode;
++
++      /* Ignore any mode updates on symlinks */
++      if (S_ISLNK(inode->i_mode))
++              iap->ia_valid &= ~ATTR_MODE;
++
++      if (!iap->ia_valid)
++              goto out;
++
++      nfsd_sanitize_attrs(inode, iap);
+-      /* Change the attributes. */
++      /*
++       * The size case is special, it changes the file in addition to the
++       * attributes.
++       */
++      if (iap->ia_valid & ATTR_SIZE) {
++              err = nfsd_get_write_access(rqstp, fhp, iap);
++              if (err)
++                      goto out;
++              size_change = 1;
++      }
+       iap->ia_valid |= ATTR_CTIME;
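Review bot: The new helper `nfsd_get_write_access()` has no comment, and its contract is not obvious from the name. It reads `iap->ia_size` unconditionally, performs the truncate permission check and `locks_verify_truncate()`, and on success returns with write access still held. nfsd_setattr records that only through `size_change = 1`, so the matching `put_write_access()` is the caller's responsibility on every later exit. I would add above the helper: `/* Call only when ATTR_SIZE is set. On success the inode's write access is held; the caller must drop it with put_write_access(). */`. The rest of nfsd_setattr lies outside this hunk.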
diff --git a/queue-3.10/nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch b/queue-3.10/nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch
new file mode 100644 (file)
index 0000000..d279cd6
--- /dev/null
@@ -0,0 +1,35 @@
+From a43ec98b72aae3e330f0673438f58316c3769b84 Mon Sep 17 00:00:00 2001
+From: Weston Andros Adamson <dros@netapp.com>
+Date: Mon, 21 Oct 2013 13:10:11 -0400
+Subject: NFSv4: don't fail on missing fattr in open recover
+
+From: Weston Andros Adamson <dros@netapp.com>
+
+commit a43ec98b72aae3e330f0673438f58316c3769b84 upstream.
+
+This is an unneeded check that could cause the client to fail to recover
+opens.
+
+Signed-off-by: Weston Andros Adamson <dros@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1165,12 +1165,6 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
+               goto err;
+       }
+-      ret = -ESTALE;
+-      if (!(data->f_attr.valid & NFS_ATTR_FATTR_TYPE) ||
+-          !(data->f_attr.valid & NFS_ATTR_FATTR_FILEID) ||
+-          !(data->f_attr.valid & NFS_ATTR_FATTR_CHANGE))
+-              goto err;
+-
+       ret = -ENOMEM;
+       state = nfs4_get_open_state(inode, data->owner);
+       if (state == NULL)
diff --git a/queue-3.10/nfsv4-don-t-reprocess-cached-open-claim_previous.patch b/queue-3.10/nfsv4-don-t-reprocess-cached-open-claim_previous.patch
new file mode 100644 (file)
index 0000000..700b0d7
--- /dev/null
@@ -0,0 +1,49 @@
+From d2bfda2e7aa036f90ccea610a657064b1e267913 Mon Sep 17 00:00:00 2001
+From: Weston Andros Adamson <dros@netapp.com>
+Date: Mon, 21 Oct 2013 13:10:13 -0400
+Subject: NFSv4: don't reprocess cached open CLAIM_PREVIOUS
+
+From: Weston Andros Adamson <dros@netapp.com>
+
+commit d2bfda2e7aa036f90ccea610a657064b1e267913 upstream.
+
+Cached opens have already been handled by _nfs4_opendata_reclaim_to_nfs4_state
+and can safely skip being reprocessed, but must still call update_open_stateid
+to make sure that all active fmodes are recovered.
+
+Signed-off-by: Weston Andros Adamson <dros@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1159,10 +1159,13 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
+       struct nfs4_state *state = data->state;
+       int ret;
+-      /* allow cached opens (!rpc_done && !rpc_status) */
+-      if (!data->rpc_done && data->rpc_status) {
+-              ret = data->rpc_status;
+-              goto err;
++      if (!data->rpc_done) {
++              if (data->rpc_status) {
++                      ret = data->rpc_status;
++                      goto err;
++              }
++              /* cached opens have already been processed */
++              goto update;
+       }
+       ret = -ENOMEM;
+@@ -1176,6 +1179,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
+       if (data->o_res.delegation_type != 0)
+               nfs4_opendata_check_deleg(data, state);
++update:
+       update_open_stateid(state, &data->o_res.stateid, NULL,
+                           data->o_arg.fmode);
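Review bot: The new comment `/* cached opens have already been processed */` explains the skip but not why the jump lands on `update:` instead of returning. The reason, that update_open_stateid() must still run so all active fmodes are recovered, appears only in the commit message. Suggest `/* cached open: already processed, but still update the open stateid so all active fmodes are recovered */`. The function starts before and continues after these two hunks.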
diff --git a/queue-3.10/nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch b/queue-3.10/nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch
new file mode 100644 (file)
index 0000000..9703ed1
--- /dev/null
@@ -0,0 +1,47 @@
+From a6f951ddbdfb7bd87d31a44f61abe202ed6ce57f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue, 1 Oct 2013 14:24:58 -0400
+Subject: NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk()
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit a6f951ddbdfb7bd87d31a44f61abe202ed6ce57f upstream.
+
+In nfs4_proc_getlk(), when some error causes a retry of the call to
+_nfs4_proc_getlk(), we can end up with Oopses of the form
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
+ IP: [<ffffffff8165270e>] _raw_spin_lock+0xe/0x30
+<snip>
+ Call Trace:
+  [<ffffffff812f287d>] _atomic_dec_and_lock+0x4d/0x70
+  [<ffffffffa053c4f2>] nfs4_put_lock_state+0x32/0xb0 [nfsv4]
+  [<ffffffffa053c585>] nfs4_fl_release_lock+0x15/0x20 [nfsv4]
+  [<ffffffffa0522c06>] _nfs4_proc_getlk.isra.40+0x146/0x170 [nfsv4]
+  [<ffffffffa052ad99>] nfs4_proc_lock+0x399/0x5a0 [nfsv4]
+
+The problem is that we don't clear the request->fl_ops after the first
+try and so when we retry, nfs4_set_lock_state() exits early without
+setting the lock stateid.
+Regression introduced by commit 70cc6487a4e08b8698c0e2ec935fb48d10490162
+(locks: make ->lock release private data before returning in GETLK case)
+
+Reported-by: Weston Andros Adamson <dros@netapp.com>
+Reported-by: Jorge Mora <mora@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4572,6 +4572,7 @@ static int _nfs4_proc_getlk(struct nfs4_
+                       status = 0;
+       }
+       request->fl_ops->fl_release_private(request);
++      request->fl_ops = NULL;
+ out:
+       return status;
+ }
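Review bot: The added `request->fl_ops = NULL;` carries no comment, and without the commit message it looks like optional tidy-up that a later cleanup could drop. According to the description it is the actual fix: leaving `fl_ops` set makes nfs4_set_lock_state() exit early on a retry, so the retry works on lock state that `fl_release_private()` has already released. Suggest `/* clear fl_ops so a retry sets up fresh lock state instead of reusing the released one */` on the line above. The start of _nfs4_proc_getlk is outside the hunk.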
diff --git a/queue-3.10/nfsv4-fix-null-dereference-in-open-recover.patch b/queue-3.10/nfsv4-fix-null-dereference-in-open-recover.patch
new file mode 100644 (file)
index 0000000..db6ac13
--- /dev/null
@@ -0,0 +1,99 @@
+From f494a6071d31e3294a3b51ad7a3684f983953f9f Mon Sep 17 00:00:00 2001
+From: Weston Andros Adamson <dros@netapp.com>
+Date: Mon, 21 Oct 2013 13:10:10 -0400
+Subject: NFSv4: fix NULL dereference in open recover
+
+From: Weston Andros Adamson <dros@netapp.com>
+
+commit f494a6071d31e3294a3b51ad7a3684f983953f9f upstream.
+
+_nfs4_opendata_reclaim_to_nfs4_state doesn't expect to see a cached
+open CLAIM_PREVIOUS, but this can happen. An example is when there are
+RDWR openers and RDONLY openers on a delegation stateid. The recovery
+path will first try an open CLAIM_PREVIOUS for the RDWR openers, this
+marks the delegation as not needing RECLAIM anymore, so the open
+CLAIM_PREVIOUS for the RDONLY openers will not actually send an rpc.
+
+The NULL dereference is due to _nfs4_opendata_reclaim_to_nfs4_state
+returning PTR_ERR(rpc_status) when !rpc_done. When the open is
+cached, rpc_done == 0 and rpc_status == 0, thus
+_nfs4_opendata_reclaim_to_nfs4_state returns NULL - this is unexpected
+by callers of nfs4_opendata_to_nfs4_state().
+
+This can be reproduced easily by opening the same file two times on an
+NFSv4.0 mount with delegations enabled, once as RDWR and once as RDONLY then
+sleeping for a long time.  While the files are held open, kick off state
+recovery and this NULL dereference will be hit every time.
+
+An example OOPS:
+
+[   65.003602] BUG: unable to handle kernel NULL pointer dereference at 00000000
+00000030
+[   65.005312] IP: [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4]
+[   65.006820] PGD 7b0ea067 PUD 791ff067 PMD 0
+[   65.008075] Oops: 0000 [#1] SMP
+[   65.008802] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache
+snd_ens1371 gameport nfsd snd_rawmidi snd_ac97_codec ac97_bus btusb snd_seq snd
+_seq_device snd_pcm ppdev bluetooth auth_rpcgss coretemp snd_page_alloc crc32_pc
+lmul crc32c_intel ghash_clmulni_intel microcode rfkill nfs_acl vmw_balloon serio
+_raw snd_timer lockd parport_pc e1000 snd soundcore parport i2c_piix4 shpchp vmw
+_vmci sunrpc ata_generic mperf pata_acpi mptspi vmwgfx ttm scsi_transport_spi dr
+m mptscsih mptbase i2c_core
+[   65.018684] CPU: 0 PID: 473 Comm: 192.168.10.85-m Not tainted 3.11.2-201.fc19
+.x86_64 #1
+[   65.020113] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
+Reference Platform, BIOS 6.00 07/31/2013
+[   65.022012] task: ffff88003707e320 ti: ffff88007b906000 task.ti: ffff88007b906000
+[   65.023414] RIP: 0010:[<ffffffffa037d6ee>]  [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4]
+[   65.025079] RSP: 0018:ffff88007b907d10  EFLAGS: 00010246
+[   65.026042] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[   65.027321] RDX: 0000000000000050 RSI: 0000000000000001 RDI: 0000000000000000
+[   65.028691] RBP: ffff88007b907d38 R08: 0000000000016f60 R09: 0000000000000000
+[   65.029990] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+[   65.031295] R13: 0000000000000050 R14: 0000000000000000 R15: 0000000000000001
+[   65.032527] FS:  0000000000000000(0000) GS:ffff88007f600000(0000) knlGS:0000000000000000
+[   65.033981] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   65.035177] CR2: 0000000000000030 CR3: 000000007b27f000 CR4: 00000000000407f0
+[   65.036568] Stack:
+[   65.037011]  0000000000000000 0000000000000001 ffff88007b907d90 ffff88007a880220
+[   65.038472]  ffff88007b768de8 ffff88007b907d48 ffffffffa037e4a5 ffff88007b907d80
+[   65.039935]  ffffffffa036a6c8 ffff880037020e40 ffff88007a880000 ffff880037020e40
+[   65.041468] Call Trace:
+[   65.042050]  [<ffffffffa037e4a5>] nfs4_close_state+0x15/0x20 [nfsv4]
+[   65.043209]  [<ffffffffa036a6c8>] nfs4_open_recover_helper+0x148/0x1f0 [nfsv4]
+[   65.044529]  [<ffffffffa036a886>] nfs4_open_recover+0x116/0x150 [nfsv4]
+[   65.045730]  [<ffffffffa036d98d>] nfs4_open_reclaim+0xad/0x150 [nfsv4]
+[   65.046905]  [<ffffffffa037d979>] nfs4_do_reclaim+0x149/0x5f0 [nfsv4]
+[   65.048071]  [<ffffffffa037e1dc>] nfs4_run_state_manager+0x3bc/0x670 [nfsv4]
+[   65.049436]  [<ffffffffa037de20>] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4]
+[   65.050686]  [<ffffffffa037de20>] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4]
+[   65.051943]  [<ffffffff81088640>] kthread+0xc0/0xd0
+[   65.052831]  [<ffffffff81088580>] ? insert_kthread_work+0x40/0x40
+[   65.054697]  [<ffffffff8165686c>] ret_from_fork+0x7c/0xb0
+[   65.056396]  [<ffffffff81088580>] ? insert_kthread_work+0x40/0x40
+[   65.058208] Code: 5c 41 5d 5d c3 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 57 41 89 f7 41 56 41 89 ce 41 55 41 89 d5 41 54 53 48 89 fb <4c> 8b 67 30 f0 41 ff 44 24 44 49 8d 7c 24 40 e8 0e 0a 2d e1 44
+[   65.065225] RIP  [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4]
+[   65.067175]  RSP <ffff88007b907d10>
+[   65.068570] CR2: 0000000000000030
+[   65.070098] ---[ end trace 0d1fe4f5c7dd6f8b ]---
+
+Signed-off-by: Weston Andros Adamson <dros@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1159,7 +1159,8 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
+       struct nfs4_state *state = data->state;
+       int ret;
+-      if (!data->rpc_done) {
++      /* allow cached opens (!rpc_done && !rpc_status) */
++      if (!data->rpc_done && data->rpc_status) {
+               ret = data->rpc_status;
+               goto err;
+       }
diff --git a/queue-3.10/nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch b/queue-3.10/nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch
new file mode 100644 (file)
index 0000000..089628f
--- /dev/null
@@ -0,0 +1,45 @@
+From d49f042aeec99c5f87160bb52dd52088b1051311 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Mon, 28 Oct 2013 14:57:12 -0400
+Subject: NFSv4: Fix state reference counting in _nfs4_opendata_reclaim_to_nfs4_state
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit d49f042aeec99c5f87160bb52dd52088b1051311 upstream.
+
+Currently, if the call to nfs_refresh_inode fails, then we end up leaking
+a reference count, due to the call to nfs4_get_open_state.
+While we're at it, replace nfs4_get_open_state with a simple call to
+atomic_inc(); there is no need to do a full lookup of the struct nfs_state
+since it is passed as an argument in the struct nfs4_opendata, and
+is already assigned to the variable 'state'.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1168,11 +1168,6 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
+               goto update;
+       }
+-      ret = -ENOMEM;
+-      state = nfs4_get_open_state(inode, data->owner);
+-      if (state == NULL)
+-              goto err;
+-
+       ret = nfs_refresh_inode(inode, &data->f_attr);
+       if (ret)
+               goto err;
+@@ -1182,6 +1177,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(str
+ update:
+       update_open_stateid(state, &data->o_res.stateid, NULL,
+                           data->o_arg.fmode);
++      atomic_inc(&state->count);
+       return state;
+ err:
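Review bot: With the `nfs4_get_open_state()` lookup and its NULL check removed, `update_open_stateid(state, ...)` and the new `atomic_inc(&state->count)` dereference `data->state` unchecked, on both the normal path and the `goto update` path. The commit message relies on the state always being supplied through struct nfs4_opendata, but nothing in the visible code states or enforces that. A comment at the declaration such as `/* data->state is set by the caller on every reclaim and is never NULL here */` would make the invariant explicit, assuming it holds; a `WARN_ON_ONCE(!state)` guard is the alternative. The function begins and ends outside these hunks.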
index 68e6ea097bb8e92ffc6b5a8572a9608518a5a28d..f5568eafec25276e04bddeab444c6f227a7467ff 100644 (file)
@@ -45,3 +45,11 @@ alsa-hda-fix-unbalanced-runtime-pm-notification-at-resume.patch
 alsa-hda-fix-the-headphone-jack-detection-on-sony-vaio-tx.patch
 alsa-hda-add-headset-quirk-for-dell-inspiron-3135.patch
 alsa-hda-provide-missing-pin-configs-for-vaio-with-alc260.patch
+nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch
+nfsv4-fix-null-dereference-in-open-recover.patch
+nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch
+nfsv4-don-t-reprocess-cached-open-claim_previous.patch
+nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch
+nfsd-return-better-errors-to-exportfs.patch
+nfsd-split-up-nfsd_setattr.patch
+nfsd-make-sure-to-balance-get-put_write_access.patch