--- /dev/null
+From 3064639423c48d6e0eb9ecc27c512a58e38c6c57 Mon Sep 17 00:00:00 2001
+From: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Wed, 26 Feb 2014 16:50:01 +0300
+Subject: nfsd: check passed socket's net matches NFSd superblock's one
+
+From: Stanislav Kinsbursky <skinsbursky@parallels.com>
+
+commit 3064639423c48d6e0eb9ecc27c512a58e38c6c57 upstream.
+
+There could be a case, when NFSd file system is mounted in network, different
+to socket's one, like below:
+
+"ip netns exec" creates new network and mount namespace, which duplicates NFSd
+mount point, created in init_net context. And thus NFS server stop in nested
+network context leads to RPCBIND client destruction in init_net.
+Then, on NFSd start in nested network context, rpc.nfsd process creates socket
+in nested net and passes it into "write_ports", which leads to RPCBIND sockets
+creation in init_net context because of the same reason (NFSd monut point was
+created in init_net context). An attempt to register passed socket in nested
+net leads to panic, because no RPCBIND client present in nexted network
+namespace.
+
+This patch add check that passed socket's net matches NFSd superblock's one.
+And returns -EINVAL error to user psace otherwise.
+
+v2: Put socket on exit.
+
+Reported-by: Weng Meiling <wengmeiling.weng@huawei.com>
+Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfsctl.c | 5 +++++
+ include/linux/sunrpc/svcsock.h | 1 +
+ net/sunrpc/svcsock.c | 16 ++++++++++++++++
+ 3 files changed, 22 insertions(+)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -699,6 +699,11 @@ static ssize_t __write_ports_addfd(char
+ if (err != 0 || fd < 0)
+ return -EINVAL;
+
++ if (svc_alien_sock(net, fd)) {
++ printk(KERN_ERR "%s: socket net is different to NFSd's one\n", __func__);
++ return -EINVAL;
++ }
++
+ err = nfsd_create_serv(net);
+ if (err != 0)
+ return err;
+--- a/include/linux/sunrpc/svcsock.h
++++ b/include/linux/sunrpc/svcsock.h
+@@ -56,6 +56,7 @@ int svc_recv(struct svc_rqst *, long);
+ int svc_send(struct svc_rqst *);
+ void svc_drop(struct svc_rqst *);
+ void svc_sock_update_bufs(struct svc_serv *serv);
++bool svc_alien_sock(struct net *net, int fd);
+ int svc_addsock(struct svc_serv *serv, const int fd,
+ char *name_return, const size_t len);
+ void svc_init_xprt_sock(void);
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -1397,6 +1397,22 @@ static struct svc_sock *svc_setup_socket
+ return svsk;
+ }
+
++bool svc_alien_sock(struct net *net, int fd)
++{
++ int err;
++ struct socket *sock = sockfd_lookup(fd, &err);
++ bool ret = false;
++
++ if (!sock)
++ goto out;
++ if (sock_net(sock->sk) != net)
++ ret = true;
++ sockfd_put(sock);
++out:
++ return ret;
++}
++EXPORT_SYMBOL_GPL(svc_alien_sock);
++
+ /**
+ * svc_addsock - add a listener socket to an RPC service
+ * @serv: pointer to RPC service to which to add a new listener
--- /dev/null
+From 9f67f189939eccaa54f3d2c9cf10788abaf2d584 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 24 Feb 2014 14:59:47 -0500
+Subject: nfsd: notify_change needs elevated write count
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 9f67f189939eccaa54f3d2c9cf10788abaf2d584 upstream.
+
+Looks like this bug has been here since these write counts were
+introduced, not sure why it was just noticed now.
+
+Thanks also to Jan Kara for pointing out the problem.
+
+Reported-by: Matthew Rahtz <mrahtz@rapitasystems.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/vfs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -404,6 +404,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+ umode_t ftype = 0;
+ __be32 err;
+ int host_err;
++ bool get_write_count;
+ int size_change = 0;
+
+ if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
+@@ -411,10 +412,18 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+ if (iap->ia_valid & ATTR_SIZE)
+ ftype = S_IFREG;
+
++ /* Callers that do fh_verify should do the fh_want_write: */
++ get_write_count = !fhp->fh_dentry;
++
+ /* Get inode */
+ err = fh_verify(rqstp, fhp, ftype, accmode);
+ if (err)
+ goto out;
++ if (get_write_count) {
++ host_err = fh_want_write(fhp);
++ if (host_err)
++ return nfserrno(host_err);
++ }
+
+ dentry = fhp->fh_dentry;
+ inode = dentry->d_inode;
--- /dev/null
+From 3758cf7e14b753838fe754ede3862af10b35fdac Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 15 Apr 2014 08:51:48 -0400
+Subject: nfsd: set timeparms.to_maxval in setup_callback_client
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 3758cf7e14b753838fe754ede3862af10b35fdac upstream.
+
+...otherwise the logic in the timeout handling doesn't work correctly.
+
+Spotted-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4callback.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -637,9 +637,11 @@ static struct rpc_cred *get_backchannel_
+
+ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *conn, struct nfsd4_session *ses)
+ {
++ int maxtime = max_cb_time(clp->net);
+ struct rpc_timeout timeparms = {
+- .to_initval = max_cb_time(clp->net),
++ .to_initval = maxtime,
+ .to_retries = 0,
++ .to_maxval = maxtime,
+ };
+ struct rpc_create_args args = {
+ .net = clp->net,
--- /dev/null
+From 2b9056359889c78ea5decb5b654a512c2e8a945c Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Wed, 26 Mar 2014 22:09:30 +0800
+Subject: NFSD: Traverse unconfirmed client through hash-table
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit 2b9056359889c78ea5decb5b654a512c2e8a945c upstream.
+
+When stopping nfsd, I got BUG messages, and soft lockup messages,
+The problem is cuased by double rb_erase() in nfs4_state_destroy_net()
+and destroy_client().
+
+This patch just let nfsd traversing unconfirmed client through
+hash-table instead of rbtree.
+
+[ 2325.021995] BUG: unable to handle kernel NULL pointer dereference at
+ (null)
+[ 2325.022809] IP: [<ffffffff8133c18c>] rb_erase+0x14c/0x390
+[ 2325.022982] PGD 7a91b067 PUD 7a33d067 PMD 0
+[ 2325.022982] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
+[ 2325.022982] Modules linked in: nfsd(OF) cfg80211 rfkill bridge stp
+llc snd_intel8x0 snd_ac97_codec ac97_bus auth_rpcgss nfs_acl serio_raw
+e1000 i2c_piix4 ppdev snd_pcm snd_timer lockd pcspkr joydev parport_pc
+snd parport i2c_core soundcore microcode sunrpc ata_generic pata_acpi
+[last unloaded: nfsd]
+[ 2325.022982] CPU: 1 PID: 2123 Comm: nfsd Tainted: GF O
+3.14.0-rc8+ #2
+[ 2325.022982] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
+VirtualBox 12/01/2006
+[ 2325.022982] task: ffff88007b384800 ti: ffff8800797f6000 task.ti:
+ffff8800797f6000
+[ 2325.022982] RIP: 0010:[<ffffffff8133c18c>] [<ffffffff8133c18c>]
+rb_erase+0x14c/0x390
+[ 2325.022982] RSP: 0018:ffff8800797f7d98 EFLAGS: 00010246
+[ 2325.022982] RAX: ffff880079c1f010 RBX: ffff880079f4c828 RCX:
+0000000000000000
+[ 2325.022982] RDX: 0000000000000000 RSI: ffff880079bcb070 RDI:
+ffff880079f4c810
+[ 2325.022982] RBP: ffff8800797f7d98 R08: 0000000000000000 R09:
+ffff88007964fc70
+[ 2325.022982] R10: 0000000000000000 R11: 0000000000000400 R12:
+ffff880079f4c800
+[ 2325.022982] R13: ffff880079bcb000 R14: ffff8800797f7da8 R15:
+ffff880079f4c860
+[ 2325.022982] FS: 0000000000000000(0000) GS:ffff88007f900000(0000)
+knlGS:0000000000000000
+[ 2325.022982] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 2325.022982] CR2: 0000000000000000 CR3: 000000007a3ef000 CR4:
+00000000000006e0
+[ 2325.022982] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 2325.022982] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
+0000000000000400
+[ 2325.022982] Stack:
+[ 2325.022982] ffff8800797f7de0 ffffffffa0191c6e ffff8800797f7da8
+ffff8800797f7da8
+[ 2325.022982] ffff880079f4c810 ffff880079bcb000 ffffffff81cc26c0
+ffff880079c1f010
+[ 2325.022982] ffff880079bcb070 ffff8800797f7e28 ffffffffa01977f2
+ffff8800797f7df0
+[ 2325.022982] Call Trace:
+[ 2325.022982] [<ffffffffa0191c6e>] destroy_client+0x32e/0x3b0 [nfsd]
+[ 2325.022982] [<ffffffffa01977f2>] nfs4_state_shutdown_net+0x1a2/0x220
+[nfsd]
+[ 2325.022982] [<ffffffffa01700b8>] nfsd_shutdown_net+0x38/0x70 [nfsd]
+[ 2325.022982] [<ffffffffa017013e>] nfsd_last_thread+0x4e/0x80 [nfsd]
+[ 2325.022982] [<ffffffffa001f1eb>] svc_shutdown_net+0x2b/0x30 [sunrpc]
+[ 2325.022982] [<ffffffffa017064b>] nfsd_destroy+0x5b/0x80 [nfsd]
+[ 2325.022982] [<ffffffffa0170773>] nfsd+0x103/0x130 [nfsd]
+[ 2325.022982] [<ffffffffa0170670>] ? nfsd_destroy+0x80/0x80 [nfsd]
+[ 2325.022982] [<ffffffff810a8232>] kthread+0xd2/0xf0
+[ 2325.022982] [<ffffffff810a8160>] ? insert_kthread_work+0x40/0x40
+[ 2325.022982] [<ffffffff816c493c>] ret_from_fork+0x7c/0xb0
+[ 2325.022982] [<ffffffff810a8160>] ? insert_kthread_work+0x40/0x40
+[ 2325.022982] Code: 48 83 e1 fc 48 89 10 0f 84 02 01 00 00 48 3b 41 10
+0f 84 08 01 00 00 48 89 51 08 48 89 fa e9 74 ff ff ff 0f 1f 40 00 48 8b
+50 10 <f6> 02 01 0f 84 93 00 00 00 48 8b 7a 10 48 85 ff 74 05 f6 07 01
+[ 2325.022982] RIP [<ffffffff8133c18c>] rb_erase+0x14c/0x390
+[ 2325.022982] RSP <ffff8800797f7d98>
+[ 2325.022982] CR2: 0000000000000000
+[ 2325.022982] ---[ end trace 28c27ed011655e57 ]---
+
+[ 228.064071] BUG: soft lockup - CPU#0 stuck for 22s! [nfsd:558]
+[ 228.064428] Modules linked in: ip6t_rpfilter ip6t_REJECT cfg80211
+xt_conntrack rfkill ebtable_nat ebtable_broute bridge stp llc
+ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
+nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw
+ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4
+nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security
+iptable_raw nfsd(OF) auth_rpcgss nfs_acl lockd snd_intel8x0
+snd_ac97_codec ac97_bus joydev snd_pcm snd_timer e1000 sunrpc snd ppdev
+parport_pc serio_raw pcspkr i2c_piix4 microcode parport soundcore
+i2c_core ata_generic pata_acpi
+[ 228.064539] CPU: 0 PID: 558 Comm: nfsd Tainted: GF O
+3.14.0-rc8+ #2
+[ 228.064539] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
+VirtualBox 12/01/2006
+[ 228.064539] task: ffff880076adec00 ti: ffff880074616000 task.ti:
+ffff880074616000
+[ 228.064539] RIP: 0010:[<ffffffff8133ba17>] [<ffffffff8133ba17>]
+rb_next+0x27/0x50
+[ 228.064539] RSP: 0018:ffff880074617de0 EFLAGS: 00000282
+[ 228.064539] RAX: ffff880074478010 RBX: ffff88007446f860 RCX:
+0000000000000014
+[ 228.064539] RDX: ffff880074478010 RSI: 0000000000000000 RDI:
+ffff880074478010
+[ 228.064539] RBP: ffff880074617de0 R08: 0000000000000000 R09:
+0000000000000012
+[ 228.064539] R10: 0000000000000001 R11: ffffffffffffffec R12:
+ffffea0001d11a00
+[ 228.064539] R13: ffff88007f401400 R14: ffff88007446f800 R15:
+ffff880074617d50
+[ 228.064539] FS: 0000000000000000(0000) GS:ffff88007f800000(0000)
+knlGS:0000000000000000
+[ 228.064539] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 228.064539] CR2: 00007fe9ac6ec000 CR3: 000000007a5d6000 CR4:
+00000000000006f0
+[ 228.064539] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 228.064539] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
+0000000000000400
+[ 228.064539] Stack:
+[ 228.064539] ffff880074617e28 ffffffffa01ab7db ffff880074617df0
+ffff880074617df0
+[ 228.064539] ffff880079273000 ffffffff81cc26c0 ffffffff81cc26c0
+0000000000000000
+[ 228.064539] 0000000000000000 ffff880074617e48 ffffffffa01840b8
+ffffffff81cc26c0
+[ 228.064539] Call Trace:
+[ 228.064539] [<ffffffffa01ab7db>] nfs4_state_shutdown_net+0x18b/0x220
+[nfsd]
+[ 228.064539] [<ffffffffa01840b8>] nfsd_shutdown_net+0x38/0x70 [nfsd]
+[ 228.064539] [<ffffffffa018413e>] nfsd_last_thread+0x4e/0x80 [nfsd]
+[ 228.064539] [<ffffffffa00aa1eb>] svc_shutdown_net+0x2b/0x30 [sunrpc]
+[ 228.064539] [<ffffffffa018464b>] nfsd_destroy+0x5b/0x80 [nfsd]
+[ 228.064539] [<ffffffffa0184773>] nfsd+0x103/0x130 [nfsd]
+[ 228.064539] [<ffffffffa0184670>] ? nfsd_destroy+0x80/0x80 [nfsd]
+[ 228.064539] [<ffffffff810a8232>] kthread+0xd2/0xf0
+[ 228.064539] [<ffffffff810a8160>] ? insert_kthread_work+0x40/0x40
+[ 228.064539] [<ffffffff816c493c>] ret_from_fork+0x7c/0xb0
+[ 228.064539] [<ffffffff810a8160>] ? insert_kthread_work+0x40/0x40
+[ 228.064539] Code: 1f 44 00 00 55 48 8b 17 48 89 e5 48 39 d7 74 3b 48
+8b 47 08 48 85 c0 75 0e eb 25 66 0f 1f 84 00 00 00 00 00 48 89 d0 48 8b
+50 10 <48> 85 d2 75 f4 5d c3 66 90 48 3b 78 08 75 f6 48 8b 10 48 89 c7
+
+Fixes: ac55fdc408039 (nfsd: move the confirmed and unconfirmed hlists...)
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5062,7 +5062,6 @@ nfs4_state_destroy_net(struct net *net)
+ int i;
+ struct nfs4_client *clp = NULL;
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+- struct rb_node *node, *tmp;
+
+ for (i = 0; i < CLIENT_HASH_SIZE; i++) {
+ while (!list_empty(&nn->conf_id_hashtbl[i])) {
+@@ -5071,13 +5070,11 @@ nfs4_state_destroy_net(struct net *net)
+ }
+ }
+
+- node = rb_first(&nn->unconf_name_tree);
+- while (node != NULL) {
+- tmp = node;
+- node = rb_next(tmp);
+- clp = rb_entry(tmp, struct nfs4_client, cl_namenode);
+- rb_erase(tmp, &nn->unconf_name_tree);
+- destroy_client(clp);
++ for (i = 0; i < CLIENT_HASH_SIZE; i++) {
++ while (!list_empty(&nn->unconf_id_hashtbl[i])) {
++ clp = list_entry(nn->unconf_id_hashtbl[i].next, struct nfs4_client, cl_idhash);
++ destroy_client(clp);
++ }
+ }
+
+ kfree(nn->sessionid_hashtbl);
--- /dev/null
+From 18df11d0eacf67bbcd8dda755b568bbbd7264735 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+Date: Mon, 10 Mar 2014 12:52:07 +0800
+Subject: nfsd4: fix memory leak in nfsd4_encode_fattr()
+
+From: "Yan, Zheng" <zheng.z.yan@intel.com>
+
+commit 18df11d0eacf67bbcd8dda755b568bbbd7264735 upstream.
+
+fh_put() does not free the temporary file handle.
+
+Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2501,8 +2501,10 @@ out:
+ security_release_secctx(context, contextlen);
+ #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */
+ kfree(acl);
+- if (tempfh)
++ if (tempfh) {
+ fh_put(tempfh);
++ kfree(tempfh);
++ }
+ return status;
+ out_nfserr:
+ status = nfserrno(err);
--- /dev/null
+From 480efaee085235bb848f1063f959bf144103c342 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 10 Mar 2014 14:17:55 -0400
+Subject: nfsd4: fix setclientid encode size
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 480efaee085235bb848f1063f959bf144103c342 upstream.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1529,7 +1529,8 @@ static inline u32 nfsd4_setattr_rsize(st
+
+ static inline u32 nfsd4_setclientid_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op)
+ {
+- return (op_encode_hdr_size + 2 + 1024) * sizeof(__be32);
++ return (op_encode_hdr_size + 2 + XDR_QUADLEN(NFS4_VERIFIER_SIZE)) *
++ sizeof(__be32);
+ }
+
+ static inline u32 nfsd4_write_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op)
nfsd4-buffer-length-check-for-suppattr_exclcreat.patch
nfsd4-fix-test_stateid-error-reply-encoding.patch
nfsd4-leave-reply-buffer-space-for-failed-setattr.patch
+nfsd-notify_change-needs-elevated-write-count.patch
+nfsd-check-passed-socket-s-net-matches-nfsd-superblock-s-one.patch
+nfsd4-fix-memory-leak-in-nfsd4_encode_fattr.patch
+nfsd4-fix-setclientid-encode-size.patch
+nfsd-traverse-unconfirmed-client-through-hash-table.patch
+nfsd-set-timeparms.to_maxval-in-setup_callback_client.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
