From: Greg Kroah-Hartman Date: Tue, 26 Nov 2013 20:08:58 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.11.10~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=992e7fb5111e0cdf7283c55f8b256baf43e09f04;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: nfsd-make-sure-to-balance-get-put_write_access.patch nfsd-return-better-errors-to-exportfs.patch nfsd-split-up-nfsd_setattr.patch nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch nfsv4-don-t-reprocess-cached-open-claim_previous.patch nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch nfsv4-fix-null-dereference-in-open-recover.patch nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch --- diff --git a/queue-3.10/nfsd-make-sure-to-balance-get-put_write_access.patch b/queue-3.10/nfsd-make-sure-to-balance-get-put_write_access.patch new file mode 100644 index 00000000000..102447678bc --- /dev/null +++ b/queue-3.10/nfsd-make-sure-to-balance-get-put_write_access.patch @@ -0,0 +1,70 @@ +From 987da4791052fa298b7cfcde4dea9f6f2bbc786b Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 18 Nov 2013 05:07:47 -0800 +Subject: nfsd: make sure to balance get/put_write_access + +From: Christoph Hellwig + +commit 987da4791052fa298b7cfcde4dea9f6f2bbc786b upstream. + +Use a straight goto error label style in nfsd_setattr to make sure +we always do the put_write_access call after we got it earlier. + +Note that the we have been failing to do that in the case +nfsd_break_lease() returns an error, a bug introduced into 2.6.38 with +6a76bebefe15d9a08864f824d7f8d5beaf37c997 "nfsd4: break lease on nfsd +setattr". + +Signed-off-by: Christoph Hellwig +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/vfs.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -443,27 +443,28 @@ nfsd_setattr(struct svc_rqst *rqstp, str + + iap->ia_valid |= ATTR_CTIME; + +- err = nfserr_notsync; +- if (!check_guard || guardtime == inode->i_ctime.tv_sec) { +- host_err = nfsd_break_lease(inode); +- if (host_err) +- goto out_nfserr; +- fh_lock(fhp); +- +- host_err = notify_change(dentry, iap); +- err = nfserrno(host_err); +- fh_unlock(fhp); ++ if (check_guard && guardtime != inode->i_ctime.tv_sec) { ++ err = nfserr_notsync; ++ goto out_put_write_access; + } ++ ++ host_err = nfsd_break_lease(inode); ++ if (host_err) ++ goto out_put_write_access_nfserror; ++ ++ fh_lock(fhp); ++ host_err = notify_change(dentry, iap); ++ fh_unlock(fhp); ++ ++out_put_write_access_nfserror: ++ err = nfserrno(host_err); ++out_put_write_access: + if (size_change) + put_write_access(inode); + if (!err) + commit_metadata(fhp); + out: + return err; +- +-out_nfserr: +- err = nfserrno(host_err); +- goto out; + } + + #if defined(CONFIG_NFSD_V2_ACL) || \ diff --git a/queue-3.10/nfsd-return-better-errors-to-exportfs.patch b/queue-3.10/nfsd-return-better-errors-to-exportfs.patch new file mode 100644 index 00000000000..b5059e8f61a --- /dev/null +++ b/queue-3.10/nfsd-return-better-errors-to-exportfs.patch @@ -0,0 +1,61 @@ +From 427d6c6646d868fbd3094e7e2e1644d480cd9204 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 13 Sep 2013 11:08:45 -0400 +Subject: nfsd: return better errors to exportfs + +From: "J. Bruce Fields" + +commit 427d6c6646d868fbd3094e7e2e1644d480cd9204 upstream. + +Someone noticed exportfs happily accepted exports that would later be +rejected when mountd tried to give them to the kernel. Fix this. + +This is a regression from 4c1e1b34d5c800ad3ac9a7e2805b0bea70ad2278 +"nfsd: Store ex_anon_uid and ex_anon_gid as kuids and kgids". + +Cc: "Eric W. Biederman" +Reported-by: Yin.JianHong +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/export.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/fs/nfsd/export.c ++++ b/fs/nfsd/export.c +@@ -536,16 +536,12 @@ static int svc_export_parse(struct cache + if (err) + goto out3; + exp.ex_anon_uid= make_kuid(&init_user_ns, an_int); +- if (!uid_valid(exp.ex_anon_uid)) +- goto out3; + + /* anon gid */ + err = get_int(&mesg, &an_int); + if (err) + goto out3; + exp.ex_anon_gid= make_kgid(&init_user_ns, an_int); +- if (!gid_valid(exp.ex_anon_gid)) +- goto out3; + + /* fsid */ + err = get_int(&mesg, &an_int); +@@ -583,6 +579,17 @@ static int svc_export_parse(struct cache + exp.ex_uuid); + if (err) + goto out4; ++ /* ++ * For some reason exportfs has been passing down an ++ * invalid (-1) uid & gid on the "dummy" export which it ++ * uses to test export support. To make sure exportfs ++ * sees errors from check_export we therefore need to ++ * delay these checks till after check_export: ++ */ ++ if (!uid_valid(exp.ex_anon_uid)) ++ goto out4; ++ if (!gid_valid(exp.ex_anon_gid)) ++ goto out4; + } + + expp = svc_export_lookup(&exp); diff --git a/queue-3.10/nfsd-split-up-nfsd_setattr.patch b/queue-3.10/nfsd-split-up-nfsd_setattr.patch new file mode 100644 index 00000000000..2754fa66bb3 --- /dev/null +++ b/queue-3.10/nfsd-split-up-nfsd_setattr.patch @@ -0,0 +1,197 @@ +From 818e5a22e907fbae75e9c1fd78233baec9fa64b6 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 18 Nov 2013 05:07:30 -0800 +Subject: nfsd: split up nfsd_setattr + +From: Christoph Hellwig + +commit 818e5a22e907fbae75e9c1fd78233baec9fa64b6 upstream. + +Split out two helpers to make the code more readable and easier to verify +for correctness. + +Signed-off-by: Christoph Hellwig +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/vfs.c | 144 +++++++++++++++++++++++++++++++++------------------------- + 1 file changed, 84 insertions(+), 60 deletions(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -297,41 +297,12 @@ commit_metadata(struct svc_fh *fhp) + } + + /* +- * Set various file attributes. +- * N.B. After this call fhp needs an fh_put ++ * Go over the attributes and take care of the small differences between ++ * NFS semantics and what Linux expects. + */ +-__be32 +-nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, +- int check_guard, time_t guardtime) ++static void ++nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap) + { +- struct dentry *dentry; +- struct inode *inode; +- int accmode = NFSD_MAY_SATTR; +- umode_t ftype = 0; +- __be32 err; +- int host_err; +- int size_change = 0; +- +- if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE)) +- accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE; +- if (iap->ia_valid & ATTR_SIZE) +- ftype = S_IFREG; +- +- /* Get inode */ +- err = fh_verify(rqstp, fhp, ftype, accmode); +- if (err) +- goto out; +- +- dentry = fhp->fh_dentry; +- inode = dentry->d_inode; +- +- /* Ignore any mode updates on symlinks */ +- if (S_ISLNK(inode->i_mode)) +- iap->ia_valid &= ~ATTR_MODE; +- +- if (!iap->ia_valid) +- goto out; +- + /* + * NFSv2 does not differentiate between "set-[ac]time-to-now" + * which only requires access, and "set-[ac]time-to-X" which +@@ -341,8 +312,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str + * convert to "set to now" instead of "set to explicit time" + * + * We only call inode_change_ok as the last test as technically +- * it is not an interface that we should be using. It is only +- * valid if the filesystem does not define it's own i_op->setattr. ++ * it is not an interface that we should be using. + */ + #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET) + #define MAX_TOUCH_TIME_ERROR (30*60) +@@ -368,30 +338,6 @@ nfsd_setattr(struct svc_rqst *rqstp, str + iap->ia_valid &= ~BOTH_TIME_SET; + } + } +- +- /* +- * The size case is special. +- * It changes the file as well as the attributes. +- */ +- if (iap->ia_valid & ATTR_SIZE) { +- if (iap->ia_size < inode->i_size) { +- err = nfsd_permission(rqstp, fhp->fh_export, dentry, +- NFSD_MAY_TRUNC|NFSD_MAY_OWNER_OVERRIDE); +- if (err) +- goto out; +- } +- +- host_err = get_write_access(inode); +- if (host_err) +- goto out_nfserr; +- +- size_change = 1; +- host_err = locks_verify_truncate(inode, NULL, iap->ia_size); +- if (host_err) { +- put_write_access(inode); +- goto out_nfserr; +- } +- } + + /* sanitize the mode change */ + if (iap->ia_valid & ATTR_MODE) { +@@ -414,8 +360,86 @@ nfsd_setattr(struct svc_rqst *rqstp, str + iap->ia_valid |= (ATTR_KILL_SUID | ATTR_KILL_SGID); + } + } ++} ++ ++static __be32 ++nfsd_get_write_access(struct svc_rqst *rqstp, struct svc_fh *fhp, ++ struct iattr *iap) ++{ ++ struct inode *inode = fhp->fh_dentry->d_inode; ++ int host_err; ++ ++ if (iap->ia_size < inode->i_size) { ++ __be32 err; ++ ++ err = nfsd_permission(rqstp, fhp->fh_export, fhp->fh_dentry, ++ NFSD_MAY_TRUNC | NFSD_MAY_OWNER_OVERRIDE); ++ if (err) ++ return err; ++ } ++ ++ host_err = get_write_access(inode); ++ if (host_err) ++ goto out_nfserrno; ++ ++ host_err = locks_verify_truncate(inode, NULL, iap->ia_size); ++ if (host_err) ++ goto out_put_write_access; ++ return 0; ++ ++out_put_write_access: ++ put_write_access(inode); ++out_nfserrno: ++ return nfserrno(host_err); ++} ++ ++/* ++ * Set various file attributes. After this call fhp needs an fh_put. ++ */ ++__be32 ++nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, ++ int check_guard, time_t guardtime) ++{ ++ struct dentry *dentry; ++ struct inode *inode; ++ int accmode = NFSD_MAY_SATTR; ++ umode_t ftype = 0; ++ __be32 err; ++ int host_err; ++ int size_change = 0; ++ ++ if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE)) ++ accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE; ++ if (iap->ia_valid & ATTR_SIZE) ++ ftype = S_IFREG; ++ ++ /* Get inode */ ++ err = fh_verify(rqstp, fhp, ftype, accmode); ++ if (err) ++ goto out; ++ ++ dentry = fhp->fh_dentry; ++ inode = dentry->d_inode; ++ ++ /* Ignore any mode updates on symlinks */ ++ if (S_ISLNK(inode->i_mode)) ++ iap->ia_valid &= ~ATTR_MODE; ++ ++ if (!iap->ia_valid) ++ goto out; ++ ++ nfsd_sanitize_attrs(inode, iap); + +- /* Change the attributes. */ ++ /* ++ * The size case is special, it changes the file in addition to the ++ * attributes. ++ */ ++ if (iap->ia_valid & ATTR_SIZE) { ++ err = nfsd_get_write_access(rqstp, fhp, iap); ++ if (err) ++ goto out; ++ size_change = 1; ++ } + + iap->ia_valid |= ATTR_CTIME; + diff --git a/queue-3.10/nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch b/queue-3.10/nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch new file mode 100644 index 00000000000..d279cd6dff6 --- /dev/null +++ b/queue-3.10/nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch @@ -0,0 +1,35 @@ +From a43ec98b72aae3e330f0673438f58316c3769b84 Mon Sep 17 00:00:00 2001 +From: Weston Andros Adamson +Date: Mon, 21 Oct 2013 13:10:11 -0400 +Subject: NFSv4: don't fail on missing fattr in open recover + +From: Weston Andros Adamson + +commit a43ec98b72aae3e330f0673438f58316c3769b84 upstream. + +This is an unneeded check that could cause the client to fail to recover +opens. + +Signed-off-by: Weston Andros Adamson +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1165,12 +1165,6 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + goto err; + } + +- ret = -ESTALE; +- if (!(data->f_attr.valid & NFS_ATTR_FATTR_TYPE) || +- !(data->f_attr.valid & NFS_ATTR_FATTR_FILEID) || +- !(data->f_attr.valid & NFS_ATTR_FATTR_CHANGE)) +- goto err; +- + ret = -ENOMEM; + state = nfs4_get_open_state(inode, data->owner); + if (state == NULL) diff --git a/queue-3.10/nfsv4-don-t-reprocess-cached-open-claim_previous.patch b/queue-3.10/nfsv4-don-t-reprocess-cached-open-claim_previous.patch new file mode 100644 index 00000000000..700b0d77146 --- /dev/null +++ b/queue-3.10/nfsv4-don-t-reprocess-cached-open-claim_previous.patch @@ -0,0 +1,49 @@ +From d2bfda2e7aa036f90ccea610a657064b1e267913 Mon Sep 17 00:00:00 2001 +From: Weston Andros Adamson +Date: Mon, 21 Oct 2013 13:10:13 -0400 +Subject: NFSv4: don't reprocess cached open CLAIM_PREVIOUS + +From: Weston Andros Adamson + +commit d2bfda2e7aa036f90ccea610a657064b1e267913 upstream. + +Cached opens have already been handled by _nfs4_opendata_reclaim_to_nfs4_state +and can safely skip being reprocessed, but must still call update_open_stateid +to make sure that all active fmodes are recovered. + +Signed-off-by: Weston Andros Adamson +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1159,10 +1159,13 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + struct nfs4_state *state = data->state; + int ret; + +- /* allow cached opens (!rpc_done && !rpc_status) */ +- if (!data->rpc_done && data->rpc_status) { +- ret = data->rpc_status; +- goto err; ++ if (!data->rpc_done) { ++ if (data->rpc_status) { ++ ret = data->rpc_status; ++ goto err; ++ } ++ /* cached opens have already been processed */ ++ goto update; + } + + ret = -ENOMEM; +@@ -1176,6 +1179,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + + if (data->o_res.delegation_type != 0) + nfs4_opendata_check_deleg(data, state); ++update: + update_open_stateid(state, &data->o_res.stateid, NULL, + data->o_arg.fmode); + diff --git a/queue-3.10/nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch b/queue-3.10/nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch new file mode 100644 index 00000000000..9703ed15e8f --- /dev/null +++ b/queue-3.10/nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch @@ -0,0 +1,47 @@ +From a6f951ddbdfb7bd87d31a44f61abe202ed6ce57f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 1 Oct 2013 14:24:58 -0400 +Subject: NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk() + +From: Trond Myklebust + +commit a6f951ddbdfb7bd87d31a44f61abe202ed6ce57f upstream. + +In nfs4_proc_getlk(), when some error causes a retry of the call to +_nfs4_proc_getlk(), we can end up with Oopses of the form + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000134 + IP: [] _raw_spin_lock+0xe/0x30 + + Call Trace: + [] _atomic_dec_and_lock+0x4d/0x70 + [] nfs4_put_lock_state+0x32/0xb0 [nfsv4] + [] nfs4_fl_release_lock+0x15/0x20 [nfsv4] + [] _nfs4_proc_getlk.isra.40+0x146/0x170 [nfsv4] + [] nfs4_proc_lock+0x399/0x5a0 [nfsv4] + +The problem is that we don't clear the request->fl_ops after the first +try and so when we retry, nfs4_set_lock_state() exits early without +setting the lock stateid. +Regression introduced by commit 70cc6487a4e08b8698c0e2ec935fb48d10490162 +(locks: make ->lock release private data before returning in GETLK case) + +Reported-by: Weston Andros Adamson +Reported-by: Jorge Mora +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4572,6 +4572,7 @@ static int _nfs4_proc_getlk(struct nfs4_ + status = 0; + } + request->fl_ops->fl_release_private(request); ++ request->fl_ops = NULL; + out: + return status; + } diff --git a/queue-3.10/nfsv4-fix-null-dereference-in-open-recover.patch b/queue-3.10/nfsv4-fix-null-dereference-in-open-recover.patch new file mode 100644 index 00000000000..db6ac132d30 --- /dev/null +++ b/queue-3.10/nfsv4-fix-null-dereference-in-open-recover.patch @@ -0,0 +1,99 @@ +From f494a6071d31e3294a3b51ad7a3684f983953f9f Mon Sep 17 00:00:00 2001 +From: Weston Andros Adamson +Date: Mon, 21 Oct 2013 13:10:10 -0400 +Subject: NFSv4: fix NULL dereference in open recover + +From: Weston Andros Adamson + +commit f494a6071d31e3294a3b51ad7a3684f983953f9f upstream. + +_nfs4_opendata_reclaim_to_nfs4_state doesn't expect to see a cached +open CLAIM_PREVIOUS, but this can happen. An example is when there are +RDWR openers and RDONLY openers on a delegation stateid. The recovery +path will first try an open CLAIM_PREVIOUS for the RDWR openers, this +marks the delegation as not needing RECLAIM anymore, so the open +CLAIM_PREVIOUS for the RDONLY openers will not actually send an rpc. + +The NULL dereference is due to _nfs4_opendata_reclaim_to_nfs4_state +returning PTR_ERR(rpc_status) when !rpc_done. When the open is +cached, rpc_done == 0 and rpc_status == 0, thus +_nfs4_opendata_reclaim_to_nfs4_state returns NULL - this is unexpected +by callers of nfs4_opendata_to_nfs4_state(). + +This can be reproduced easily by opening the same file two times on an +NFSv4.0 mount with delegations enabled, once as RDWR and once as RDONLY then +sleeping for a long time. While the files are held open, kick off state +recovery and this NULL dereference will be hit every time. + +An example OOPS: + +[ 65.003602] BUG: unable to handle kernel NULL pointer dereference at 00000000 +00000030 +[ 65.005312] IP: [] __nfs4_close+0x1e/0x160 [nfsv4] +[ 65.006820] PGD 7b0ea067 PUD 791ff067 PMD 0 +[ 65.008075] Oops: 0000 [#1] SMP +[ 65.008802] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache +snd_ens1371 gameport nfsd snd_rawmidi snd_ac97_codec ac97_bus btusb snd_seq snd +_seq_device snd_pcm ppdev bluetooth auth_rpcgss coretemp snd_page_alloc crc32_pc +lmul crc32c_intel ghash_clmulni_intel microcode rfkill nfs_acl vmw_balloon serio +_raw snd_timer lockd parport_pc e1000 snd soundcore parport i2c_piix4 shpchp vmw +_vmci sunrpc ata_generic mperf pata_acpi mptspi vmwgfx ttm scsi_transport_spi dr +m mptscsih mptbase i2c_core +[ 65.018684] CPU: 0 PID: 473 Comm: 192.168.10.85-m Not tainted 3.11.2-201.fc19 +.x86_64 #1 +[ 65.020113] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop +Reference Platform, BIOS 6.00 07/31/2013 +[ 65.022012] task: ffff88003707e320 ti: ffff88007b906000 task.ti: ffff88007b906000 +[ 65.023414] RIP: 0010:[] [] __nfs4_close+0x1e/0x160 [nfsv4] +[ 65.025079] RSP: 0018:ffff88007b907d10 EFLAGS: 00010246 +[ 65.026042] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 65.027321] RDX: 0000000000000050 RSI: 0000000000000001 RDI: 0000000000000000 +[ 65.028691] RBP: ffff88007b907d38 R08: 0000000000016f60 R09: 0000000000000000 +[ 65.029990] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 +[ 65.031295] R13: 0000000000000050 R14: 0000000000000000 R15: 0000000000000001 +[ 65.032527] FS: 0000000000000000(0000) GS:ffff88007f600000(0000) knlGS:0000000000000000 +[ 65.033981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 65.035177] CR2: 0000000000000030 CR3: 000000007b27f000 CR4: 00000000000407f0 +[ 65.036568] Stack: +[ 65.037011] 0000000000000000 0000000000000001 ffff88007b907d90 ffff88007a880220 +[ 65.038472] ffff88007b768de8 ffff88007b907d48 ffffffffa037e4a5 ffff88007b907d80 +[ 65.039935] ffffffffa036a6c8 ffff880037020e40 ffff88007a880000 ffff880037020e40 +[ 65.041468] Call Trace: +[ 65.042050] [] nfs4_close_state+0x15/0x20 [nfsv4] +[ 65.043209] [] nfs4_open_recover_helper+0x148/0x1f0 [nfsv4] +[ 65.044529] [] nfs4_open_recover+0x116/0x150 [nfsv4] +[ 65.045730] [] nfs4_open_reclaim+0xad/0x150 [nfsv4] +[ 65.046905] [] nfs4_do_reclaim+0x149/0x5f0 [nfsv4] +[ 65.048071] [] nfs4_run_state_manager+0x3bc/0x670 [nfsv4] +[ 65.049436] [] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4] +[ 65.050686] [] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4] +[ 65.051943] [] kthread+0xc0/0xd0 +[ 65.052831] [] ? insert_kthread_work+0x40/0x40 +[ 65.054697] [] ret_from_fork+0x7c/0xb0 +[ 65.056396] [] ? insert_kthread_work+0x40/0x40 +[ 65.058208] Code: 5c 41 5d 5d c3 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 57 41 89 f7 41 56 41 89 ce 41 55 41 89 d5 41 54 53 48 89 fb <4c> 8b 67 30 f0 41 ff 44 24 44 49 8d 7c 24 40 e8 0e 0a 2d e1 44 +[ 65.065225] RIP [] __nfs4_close+0x1e/0x160 [nfsv4] +[ 65.067175] RSP +[ 65.068570] CR2: 0000000000000030 +[ 65.070098] ---[ end trace 0d1fe4f5c7dd6f8b ]--- + +Signed-off-by: Weston Andros Adamson +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1159,7 +1159,8 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + struct nfs4_state *state = data->state; + int ret; + +- if (!data->rpc_done) { ++ /* allow cached opens (!rpc_done && !rpc_status) */ ++ if (!data->rpc_done && data->rpc_status) { + ret = data->rpc_status; + goto err; + } diff --git a/queue-3.10/nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch b/queue-3.10/nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch new file mode 100644 index 00000000000..089628f52e4 --- /dev/null +++ b/queue-3.10/nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch @@ -0,0 +1,45 @@ +From d49f042aeec99c5f87160bb52dd52088b1051311 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 28 Oct 2013 14:57:12 -0400 +Subject: NFSv4: Fix state reference counting in _nfs4_opendata_reclaim_to_nfs4_state + +From: Trond Myklebust + +commit d49f042aeec99c5f87160bb52dd52088b1051311 upstream. + +Currently, if the call to nfs_refresh_inode fails, then we end up leaking +a reference count, due to the call to nfs4_get_open_state. +While we're at it, replace nfs4_get_open_state with a simple call to +atomic_inc(); there is no need to do a full lookup of the struct nfs_state +since it is passed as an argument in the struct nfs4_opendata, and +is already assigned to the variable 'state'. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1168,11 +1168,6 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + goto update; + } + +- ret = -ENOMEM; +- state = nfs4_get_open_state(inode, data->owner); +- if (state == NULL) +- goto err; +- + ret = nfs_refresh_inode(inode, &data->f_attr); + if (ret) + goto err; +@@ -1182,6 +1177,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + update: + update_open_stateid(state, &data->o_res.stateid, NULL, + data->o_arg.fmode); ++ atomic_inc(&state->count); + + return state; + err: diff --git a/queue-3.10/series b/queue-3.10/series index 68e6ea097bb..f5568eafec2 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -45,3 +45,11 @@ alsa-hda-fix-unbalanced-runtime-pm-notification-at-resume.patch alsa-hda-fix-the-headphone-jack-detection-on-sony-vaio-tx.patch alsa-hda-add-headset-quirk-for-dell-inspiron-3135.patch alsa-hda-provide-missing-pin-configs-for-vaio-with-alc260.patch +nfsv4-fix-a-use-after-free-situation-in-_nfs4_proc_getlk.patch +nfsv4-fix-null-dereference-in-open-recover.patch +nfsv4-don-t-fail-on-missing-fattr-in-open-recover.patch +nfsv4-don-t-reprocess-cached-open-claim_previous.patch +nfsv4-fix-state-reference-counting-in-_nfs4_opendata_reclaim_to_nfs4_state.patch +nfsd-return-better-errors-to-exportfs.patch +nfsd-split-up-nfsd_setattr.patch +nfsd-make-sure-to-balance-get-put_write_access.patch