4.9-stable patches

added patches:
	nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch

diff --git a/queue-4.9/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch b/queue-4.9/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
new file mode 100644 (file)
index 0000000..f08d140
--- /dev/null
+++ b/queue-4.9/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
@@ -0,0 +1,60 @@
+From a421d218603ffa822a0b8045055c03eae394a7eb Mon Sep 17 00:00:00 2001
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Date: Wed, 19 May 2021 12:54:51 -0400
+Subject: NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+commit a421d218603ffa822a0b8045055c03eae394a7eb upstream.
+
+Commit de144ff4234f changes _pnfs_return_layout() to call
+pnfs_mark_matching_lsegs_return() passing NULL as the struct
+pnfs_layout_range argument. Unfortunately,
+pnfs_mark_matching_lsegs_return() doesn't check if we have a value here
+before dereferencing it, causing an oops.
+
+I'm able to hit this crash consistently when running connectathon basic
+tests on NFS v4.1/v4.2 against Ontap.
+
+Fixes: de144ff4234f ("NFSv4: Don't discard segments marked for return in _pnfs_return_layout()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pnfs.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1070,6 +1070,11 @@ _pnfs_return_layout(struct inode *ino)
+ {
+       struct pnfs_layout_hdr *lo = NULL;
+       struct nfs_inode *nfsi = NFS_I(ino);
++      struct pnfs_layout_range range = {
++              .iomode         = IOMODE_ANY,
++              .offset         = 0,
++              .length         = NFS4_MAX_UINT64,
++      };
+       LIST_HEAD(tmp_list);
+       nfs4_stateid stateid;
+       int status = 0, empty;
+@@ -1088,16 +1093,10 @@ _pnfs_return_layout(struct inode *ino)
+       pnfs_get_layout_hdr(lo);
+       empty = list_empty(&lo->plh_segs);
+       pnfs_clear_layoutcommit(ino, &tmp_list);
+-      pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0);
++      pnfs_mark_matching_lsegs_return(lo, &tmp_list, &range, 0);
+ 
+-      if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) {
+-              struct pnfs_layout_range range = {
+-                      .iomode         = IOMODE_ANY,
+-                      .offset         = 0,
+-                      .length         = NFS4_MAX_UINT64,
+-              };
++      if (NFS_SERVER(ino)->pnfs_curr_ld->return_range)
+               NFS_SERVER(ino)->pnfs_curr_ld->return_range(lo, &range);
+-      }
+ 
+       /* Don't send a LAYOUTRETURN if list was initially empty */
+       if (empty) {

diff --git a/queue-4.9/series b/queue-4.9/series
index c40e129a7731b22939fc177cf8db9d936e8e7c3b..5f3d9506a5deb02caef96200fa9a4434e1bf04f4 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -3,3 +3,4 @@ tweewide-fix-most-shebang-lines.patch
 scripts-switch-explicitly-to-python-3.patch
 netfilter-x_tables-use-correct-memory-barriers.patch
 nfc-nci-fix-memory-leak-in-nci_allocate_device.patch
+nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch