From: Greg Kroah-Hartman Date: Fri, 31 Jul 2015 19:37:47 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v4.1.4~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77fe97a04ff3a9f86e559876ac73dcb75d2dd368;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: 9p-don-t-leave-a-half-initialized-inode-sitting-around.patch 9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch fixing-infinite-open-loop-in-4.0-stateid-recovery.patch hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch nfs-increase-size-of-exchange_id-name-string-buffer.patch qla2xxx-mark-port-lost-when-we-receive-an-rscn-for-it.patch rbd-use-gfp_noio-in-rbd_obj_request_create.patch sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch
---
diff --git a/queue-3.10/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch b/queue-3.10/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch
new file mode 100644
index 00000000000..f27017e1f08
--- /dev/null
+++ b/queue-3.10/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch
@@ -0,0 +1,41 @@
+From 0a73d0a204a4a04a1e110539c5a524ae51f91d6d Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 12 Jul 2015 10:34:29 -0400
+Subject: 9p: don't leave a half-initialized inode sitting around
+
+From: Al Viro
+
+commit 0a73d0a204a4a04a1e110539c5a524ae51f91d6d upstream.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/9p/vfs_inode.c | 3 +--
+ fs/9p/vfs_inode_dotl.c | 3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -537,8 +537,7 @@ static struct inode *v9fs_qid_iget(struc
+ unlock_new_inode(inode);
+ return inode;
+ error:
+- unlock_new_inode(inode);
+- iput(inode);
++ iget_failed(inode);
+ return ERR_PTR(retval);
+
+ }
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -151,8 +151,7 @@ static struct inode *v9fs_qid_iget_dotl(
+ unlock_new_inode(inode);
+ return inode;
+ error:
+- unlock_new_inode(inode);
+- iput(inode);
++ iget_failed(inode);
+ return ERR_PTR(retval);
+
+ }
diff --git a/queue-3.10/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch b/queue-3.10/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch
new file mode 100644
index 00000000000..9cdbf6a23c6
--- /dev/null
+++ b/queue-3.10/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch
@@ -0,0 +1,34 @@
+From a84b69cb6e0a41e86bc593904faa6def3b957343 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 4 Jul 2015 16:04:19 -0400
+Subject: 9p: forgetting to cancel request on interrupted zero-copy RPC
+
+From: Al Viro
+
+commit a84b69cb6e0a41e86bc593904faa6def3b957343 upstream.
+
+If we'd already sent a request and decide to abort it, we *must*
+issue TFLUSH properly and not just blindly reuse the tag, or
+we'll get seriously screwed when response eventually arrives
+and we confuse it for response to later request that had reused
+the same tag.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/9p/client.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -828,7 +828,8 @@ static struct p9_req_t *p9_client_zc_rpc
+ if (err < 0) {
+ if (err == -EIO)
+ c->status = Disconnected;
+- goto reterr;
++ if (err != -ERESTARTSYS)
++ goto reterr;
+ }
+ if (req->status == REQ_STATUS_ERROR) {
+ p9_debug(P9_DEBUG_ERROR, "req_status error %d\n", req->t_err);
diff --git a/queue-3.10/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch b/queue-3.10/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch
new file mode 100644
index 00000000000..e1bbc3e09a1
--- /dev/null
+++ b/queue-3.10/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch
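Review bot: In `p9_client_zc_rpc` (net/9p/client.c) the new `if (err != -ERESTARTSYS) goto reterr;` lets an interrupted request leave the `if (err < 0)` block and reach the `req->status == REQ_STATUS_ERROR` test with `err` still negative, and nothing in the code says why. The TFLUSH handling that the commit message depends on is not visible in the hunk, so the fallthrough reads like a missed error path. A comment above the new test, for example `/* -ERESTARTSYS: the request may already be on the wire, fall through so it is flushed instead of its tag being reused */`, would pin the intent. The function body starts and ends outside the hunk, so confirm the flush path is actually reached for this case before `reterr`.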
@@ -0,0 +1,44 @@
+From 8b572a4200828b4e75cc22ed2f494b58d5372d65 Mon Sep 17 00:00:00 2001
+From: Chris Wilson
+Date: Sun, 28 Jun 2015 14:18:16 +0100
+Subject: agp/intel: Fix typo in needs_ilk_vtd_wa()
+
+From: Chris Wilson
+
+commit 8b572a4200828b4e75cc22ed2f494b58d5372d65 upstream.
+
+In needs_ilk_vtd_wa(), we pass in the GPU device but compared it against
+the ids for the mobile GPU and the mobile host bridge. That latter is
+impossible and so likely was just a typo for the desktop GPU device id
+(which is also buggy).
+
+Fixes commit da88a5f7f7d434e2cde1b3e19d952e6d84533662
+Author: Chris Wilson
+Date: Wed Feb 13 09:31:53 2013 +0000
+
+ drm/i915: Disable WC PTE updates to w/a buggy IOMMU on ILK
+
+Reported-by: Ting-Wei Lan
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91127
+References: https://bugzilla.freedesktop.org/show_bug.cgi?id=60391
+Signed-off-by: Chris Wilson
+Cc: Daniel Vetter
+Reviewed-by: Daniel Vetter
+Signed-off-by: Jani Nikula
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/agp/intel-gtt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/agp/intel-gtt.c
++++ b/drivers/char/agp/intel-gtt.c
+@@ -583,7 +583,7 @@ static inline int needs_ilk_vtd_wa(void)
+ /* Query intel_iommu to see if we need the workaround. Presumably that
+ * was loaded first.
+ */
+- if ((gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB ||
++ if ((gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_D_IG ||
+ gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_M_IG) &&
+ intel_iommu_gfx_mapped)
+ return 1;
diff --git a/queue-3.10/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch b/queue-3.10/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch
new file mode 100644
index 00000000000..0beed731272
--- /dev/null
+++ b/queue-3.10/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch
@@ -0,0 +1,61 @@
+From 6f957724b94cb19f5c1c97efd01dd4df8ced323c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Thu, 9 Jul 2015 11:20:01 -0700
+Subject: Fix firmware loader uevent buffer NULL pointer dereference
+
+From: Linus Torvalds
+
+commit 6f957724b94cb19f5c1c97efd01dd4df8ced323c upstream.
+
+The firmware class uevent function accessed the "fw_priv->buf" buffer
+without the proper locking and testing for NULL. This is an old bug
+(looks like it goes back to 2012 and commit 1244691c73b2: "firmware
+loader: introduce firmware_buf"), but for some reason it's triggering
+only now in 4.2-rc1.
+
+Shuah Khan is trying to bisect what it is that causes this to trigger
+more easily, but in the meantime let's just fix the bug since others are
+hitting it too (at least Ingo reports having seen it as well).
+
+Reported-and-tested-by: Shuah Khan
+Acked-by: Ming Lei
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/firmware_class.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -513,10 +513,8 @@ static void fw_dev_release(struct device
+ module_put(THIS_MODULE);
+ }
+
+-static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
++static int do_firmware_uevent(struct firmware_priv *fw_priv, struct kobj_uevent_env *env)
+ {
+- struct firmware_priv *fw_priv = to_firmware_priv(dev);
+-
+ if (add_uevent_var(env, "FIRMWARE=%s", fw_priv->buf->fw_id))
+ return -ENOMEM;
+ if (add_uevent_var(env, "TIMEOUT=%i", loading_timeout))
+@@ -527,6 +525,18 @@ static int firmware_uevent(struct device
+ return 0;
+ }
+
++static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
++{
++ struct firmware_priv *fw_priv = to_firmware_priv(dev);
++ int err = 0;
++
++ mutex_lock(&fw_lock);
++ if (fw_priv->buf)
++ err = do_firmware_uevent(fw_priv, env);
++ mutex_unlock(&fw_lock);
++ return err;
++}
++
+ static struct class firmware_class = {
+ .name = "firmware",
+ .class_attrs = firmware_class_attrs,
diff --git a/queue-3.10/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch b/queue-3.10/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch
new file mode 100644
index 00000000000..ee9d06ffd0d
--- /dev/null
+++ b/queue-3.10/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch
@@ -0,0 +1,40 @@
+From e8d975e73e5fa05f983fbf2723120edcf68e0b38 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Fri, 15 May 2015 11:45:31 -0400
+Subject: fixing infinite OPEN loop in 4.0 stateid recovery
+
+From: Olga Kornievskaia
+
+commit e8d975e73e5fa05f983fbf2723120edcf68e0b38 upstream.
+
+Problem: When an operation like WRITE receives a BAD_STATEID, even though
+recovery code clears the RECLAIM_NOGRACE recovery flag before recovering
+the open state, because of clearing delegation state for the associated
+inode, nfs_inode_find_state_and_recover() gets called and it makes the
+same state with RECLAIM_NOGRACE flag again. As a results, when we restart
+looking over the open states, we end up in the infinite loop instead of
+breaking out in the next test of state flags.
+
+Solution: unset the RECLAIM_NOGRACE set because of
+calling of nfs_inode_find_state_and_recover() after returning from calling
+recover_open() function.
+
+Signed-off-by: Olga Kornievskaia
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4state.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1452,6 +1452,8 @@ restart:
+ }
+ spin_unlock(&state->state_lock);
+ nfs4_put_open_state(state);
++ clear_bit(NFS4CLNT_RECLAIM_NOGRACE,
++ &state->flags);
+ spin_lock(&sp->so_lock);
+ goto restart;
+ }
diff --git a/queue-3.10/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch b/queue-3.10/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch
new file mode 100644
index 00000000000..8f69da6bafd
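Review bot: In drivers/base/firmware_class.c, `do_firmware_uevent()` still dereferences `fw_priv->buf->fw_id` with no check of its own, so it is only safe when the caller holds `fw_lock` and has already tested `buf`, and that contract is not written down anywhere. I would add `/* caller holds fw_lock and has checked fw_priv->buf */` above the helper. In the new `firmware_uevent()` a NULL `buf` returns 0, so the event presumably still goes out, only without the FIRMWARE= and TIMEOUT= variables; if that is the intent, a one-line comment on the `if (fw_priv->buf)` test should say so.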
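Review bot: In fs/nfs/nfs4state.c the added `clear_bit()` writes to `state->flags` after `nfs4_put_open_state(state)` has dropped this path's reference; if that put can be the final one, the write lands in freed memory. The bit name also looks wrong for this word: `NFS4CLNT_RECLAIM_NOGRACE` carries the client-level `NFS4CLNT_` prefix while the target is a per-open-state `flags` field, so it may clear an unrelated bit and leave the loop from the commit message in place. Compare with the upstream commit; I would expect `clear_bit(NFS_STATE_RECLAIM_NOGRACE, &state->flags);` placed before `nfs4_put_open_state(state);`. The enclosing loop under the `restart:` label starts and ends outside the hunk.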
--- /dev/null
+++ b/queue-3.10/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch
@@ -0,0 +1,48 @@
+From a28e4b2b18ccb90df402da3f21e1a83c9d4f8ec1 Mon Sep 17 00:00:00 2001
+From: Joe Perches
+Date: Thu, 26 Mar 2015 20:47:10 -0700
+Subject: hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
+
+From: Joe Perches
+
+commit a28e4b2b18ccb90df402da3f21e1a83c9d4f8ec1 upstream.
+
+Removing unnecessary static buffers is good.
+Use the vsprintf %pV extension instead.
+
+Signed-off-by: Joe Perches
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/hpfs/super.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -52,17 +52,20 @@ static void unmark_dirty(struct super_bl
+ }
+
+ /* Filesystem error... */
+-static char err_buf[1024];
+-
+ void hpfs_error(struct super_block *s, const char *fmt, ...)
+ {
++ struct va_format vaf;
+ va_list args;
+
+ va_start(args, fmt);
+- vsnprintf(err_buf, sizeof(err_buf), fmt, args);
++
++ vaf.fmt = fmt;
++ vaf.va = &args;
++
++ pr_err("filesystem error: %pV", &vaf);
++
+ va_end(args);
+
+- printk("HPFS: filesystem error: %s", err_buf);
+ if (!hpfs_sb(s)->sb_was_error) {
+ if (hpfs_sb(s)->sb_err == 2) {
+ printk("; crashing the system because you wanted it\n");
diff --git a/queue-3.10/mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch b/queue-3.10/mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch
new file mode 100644
index 00000000000..58b8101d464
--- /dev/null
+++ b/queue-3.10/mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch
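Review bot: In fs/hpfs/super.c the replacement `pr_err("filesystem error: %pV", &vaf);` no longer prints the literal `HPFS: ` prefix that the removed `printk()` carried, so the message can only be attributed to hpfs if this file defines `pr_fmt`, which the hunk does not show. That should be checked on the 3.10 tree this backport targets; if no `pr_fmt` is in effect, keep the prefix explicitly with `pr_err("HPFS: filesystem error: %pV", &vaf);`. hpfs_error() continues past the end of the hunk.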
@@ -0,0 +1,40 @@
+From ed9244e6c534612d2b5ae47feab2f55a0d4b4ced Mon Sep 17 00:00:00 2001
+From: Nicholas Mc Guire
+Date: Thu, 7 May 2015 14:47:50 +0200
+Subject: MIPS: KVM: Do not sign extend on unsigned MMIO load
+
+From: Nicholas Mc Guire
+
+commit ed9244e6c534612d2b5ae47feab2f55a0d4b4ced upstream.
+
+Fix possible unintended sign extension in unsigned MMIO loads by casting
+to uint16_t in the case of mmio_needed != 2.
+
+Signed-off-by: Nicholas Mc Guire
+Reviewed-by: James Hogan
+Tested-by: James Hogan
+Cc: Gleb Natapov
+Cc: Paolo Bonzini
+Cc: kvm@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/9985/
+Signed-off-by: Ralf Baechle
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/kvm_mips_emul.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/kvm_mips_emul.c
++++ b/arch/mips/kvm/kvm_mips_emul.c
+@@ -1626,7 +1626,7 @@ kvm_mips_complete_mmio_load(struct kvm_v
+ if (vcpu->mmio_needed == 2)
+ *gpr = *(int16_t *) run->mmio.data;
+ else
+- *gpr = *(int16_t *) run->mmio.data;
++ *gpr = *(uint16_t *)run->mmio.data;
+
+ break;
+ case 1:
diff --git a/queue-3.10/nfs-increase-size-of-exchange_id-name-string-buffer.patch b/queue-3.10/nfs-increase-size-of-exchange_id-name-string-buffer.patch
new file mode 100644
index 00000000000..1c6cf1381d6
--- /dev/null
+++ b/queue-3.10/nfs-increase-size-of-exchange_id-name-string-buffer.patch
@@ -0,0 +1,32 @@
+From 764ad8ba8cd4c6f836fca9378f8c5121aece0842 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Tue, 9 Jun 2015 19:43:56 -0400
+Subject: nfs: increase size of EXCHANGE_ID name string buffer
+
+From: Jeff Layton
+
+commit 764ad8ba8cd4c6f836fca9378f8c5121aece0842 upstream.
+
+The current buffer is much too small if you have a relatively long
+hostname. Bring it up to the size of the one that SETCLIENTID has.
+
+Reported-by: Michael Skralivetsky
+Signed-off-by: Jeff Layton
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/nfs_xdr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/nfs_xdr.h
++++ b/include/linux/nfs_xdr.h
+@@ -1094,7 +1094,7 @@ struct pnfs_ds_commit_info {
+ struct pnfs_commit_bucket *buckets;
+ };
+
+-#define NFS4_EXCHANGE_ID_LEN (48)
++#define NFS4_EXCHANGE_ID_LEN (127)
+ struct nfs41_exchange_id_args {
+ struct nfs_client *client;
+ nfs4_verifier *verifier;
diff --git a/queue-3.10/qla2xxx-mark-port-lost-when-we-receive-an-rscn-for-it.patch b/queue-3.10/qla2xxx-mark-port-lost-when-we-receive-an-rscn-for-it.patch
new file mode 100644
index 00000000000..ec395bffdb7
--- /dev/null
+++ b/queue-3.10/qla2xxx-mark-port-lost-when-we-receive-an-rscn-for-it.patch
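Review bot: `NFS4_EXCHANGE_ID_LEN` in include/linux/nfs_xdr.h is now a second hard-coded `(127)` whose only link to the SETCLIENTID name buffer is the commit message. If the SETCLIENTID size constant is visible from this header, defining one in terms of the other would stop the two drifting apart; failing that, add `/* keep in sync with the SETCLIENTID name buffer size */` beside the define. The code that formats the hostname into this buffer is outside the hunk; since 127 bytes is still a fixed limit, it should use a bounded formatter and tolerate truncation.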
@@ -0,0 +1,53 @@
+From ef86cb2059a14b4024c7320999ee58e938873032 Mon Sep 17 00:00:00 2001
+From: Chad Dupuis
+Date: Thu, 25 Sep 2014 05:17:01 -0400
+Subject: qla2xxx: Mark port lost when we receive an RSCN for it.
+
+From: Chad Dupuis
+
+commit ef86cb2059a14b4024c7320999ee58e938873032 upstream.
+
+Signed-off-by: Chad Dupuis
+Signed-off-by: Saurav Kashyap
+Signed-off-by: Christoph Hellwig
+Cc: Himanshu Madhani
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -523,8 +523,9 @@ qla2x00_async_event(scsi_qla_host_t *vha
+ struct device_reg_2xxx __iomem *reg = &ha->iobase->isp;
+ struct device_reg_24xx __iomem *reg24 = &ha->iobase->isp24;
+ struct device_reg_82xx __iomem *reg82 = &ha->iobase->isp82;
+- uint32_t rscn_entry, host_pid;
++ uint32_t rscn_entry, host_pid, tmp_pid;
+ unsigned long flags;
++ fc_port_t *fcport = NULL;
+
+ /* Setup to process RIO completion. */
+ handle_cnt = 0;
+@@ -918,6 +919,20 @@ skip_rio:
+ if (qla2x00_is_a_vp_did(vha, rscn_entry))
+ break;
+
++ /*
++ * Search for the rport related to this RSCN entry and mark it
++ * as lost.
++ */
++ list_for_each_entry(fcport, &vha->vp_fcports, list) {
++ if (atomic_read(&fcport->state) != FCS_ONLINE)
++ continue;
++ tmp_pid = fcport->d_id.b24;
++ if (fcport->d_id.b24 == rscn_entry) {
++ qla2x00_mark_device_lost(vha, fcport, 0, 0);
++ break;
++ }
++ }
++
+ atomic_set(&vha->loop_down_timer, 0);
+ vha->flags.management_server_logged_in = 0;
+
diff --git a/queue-3.10/rbd-use-gfp_noio-in-rbd_obj_request_create.patch b/queue-3.10/rbd-use-gfp_noio-in-rbd_obj_request_create.patch
new file mode 100644
index 00000000000..9be635d6544
--- /dev/null
+++ b/queue-3.10/rbd-use-gfp_noio-in-rbd_obj_request_create.patch
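Review bot: In `qla2x00_async_event` (drivers/scsi/qla2xxx/qla_isr.c) the new `tmp_pid` is assigned from `fcport->d_id.b24` and never read; the comparison on the next line reads `fcport->d_id.b24` again. Either compare the copy with `if (tmp_pid == rscn_entry) {`, or drop `tmp_pid` from the declaration and from the loop. The `list_for_each_entry()` walk over `vha->vp_fcports` takes no lock inside the hunk, and the function body extends beyond both hunks. Whether the calling context already protects that list against concurrent removal should be confirmed.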
@@ -0,0 +1,42 @@
+From 5a60e87603c4c533492c515b7f62578189b03c9c Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Wed, 24 Jun 2015 17:24:33 +0300
+Subject: rbd: use GFP_NOIO in rbd_obj_request_create()
+
+From: Ilya Dryomov
+
+commit 5a60e87603c4c533492c515b7f62578189b03c9c upstream.
+
+rbd_obj_request_create() is called on the main I/O path, so we need to
+use GFP_NOIO to make sure allocation doesn't blow back on us. Not all
+callers need this, but I'm still hardcoding the flag inside rather than
+making it a parameter because a) this is going to stable, and b) those
+callers shouldn't really use rbd_obj_request_create() and will be fixed
+in the future.
+
+More memory allocation fixes will follow.
+
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Alex Elder
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/rbd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -1851,11 +1851,11 @@ static struct rbd_obj_request *rbd_obj_r
+ rbd_assert(obj_request_type_valid(type));
+
+ size = strlen(object_name) + 1;
+- name = kmalloc(size, GFP_KERNEL);
++ name = kmalloc(size, GFP_NOIO);
+ if (!name)
+ return NULL;
+
+- obj_request = kmem_cache_zalloc(rbd_obj_request_cache, GFP_KERNEL);
++ obj_request = kmem_cache_zalloc(rbd_obj_request_cache, GFP_NOIO);
+ if (!obj_request) {
+ kfree(name);
+ return NULL;
diff --git a/queue-3.10/series b/queue-3.10/series
index 613ee941fbf..4a0bd086a18 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -76,3 +76,14 @@ mac80211-prevent-possible-crypto-tx-tailroom-corruption.patch
 usb-usbfs-allow-urbs-to-be-reaped-after-disconnection.patch
 watchdog-omap-assert-the-counter-being-stopped-before-reprogramming.patch
 nfs-fix-size-of-nfsacl-setacl-operations.patch
+fixing-infinite-open-loop-in-4.0-stateid-recovery.patch
+nfs-increase-size-of-exchange_id-name-string-buffer.patch
+sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch
+9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch
+9p-don-t-leave-a-half-initialized-inode-sitting-around.patch
+rbd-use-gfp_noio-in-rbd_obj_request_create.patch
+agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch
+hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch
+fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch
+qla2xxx-mark-port-lost-when-we-receive-an-rscn-for-it.patch
+mips-kvm-do-not-sign-extend-on-unsigned-mmio-load.patch
diff --git a/queue-3.10/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch b/queue-3.10/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch
new file mode 100644
index 00000000000..b497d3413f6
--- /dev/null
+++ b/queue-3.10/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch
@@ -0,0 +1,31 @@
+From 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Mon, 1 Jun 2015 15:10:25 -0400
+Subject: SUNRPC: Fix a memory leak in the backchannel code
+
+From: Trond Myklebust
+
+commit 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd upstream.
+
+req->rq_private_buf isn't initialised when xprt_setup_backchannel calls
+xprt_free_allocation.
+
+Fixes: fb7a0b9addbdb ("nfs41: New backchannel helper routines")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/backchannel_rqst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/backchannel_rqst.c
++++ b/net/sunrpc/backchannel_rqst.c
+@@ -60,7 +60,7 @@ static void xprt_free_allocation(struct
+
+ dprintk("RPC: free allocations for req= %p\n", req);
+ WARN_ON_ONCE(test_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state));
+- xbufp = &req->rq_private_buf;
++ xbufp = &req->rq_rcv_buf;
+ free_page((unsigned long)xbufp->head[0].iov_base);
+ xbufp = &req->rq_snd_buf;
+ free_page((unsigned long)xbufp->head[0].iov_base);