From 83733f17e0773f3aa590efebe29b2357a30ab85c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 29 May 2021 15:55:56 +0200
Subject: [PATCH] 4.14-stable patches added patches: iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
---
...u-vt-d-fix-sysfs-leak-in-alloc_iommu.patch | 44 ++++++++++++++
...e-in-pnfs_mark_matching_lsegs_return.patch | 60 +++++++++++++++++++
queue-4.14/series | 2 +
3 files changed, 106 insertions(+)
create mode 100644 queue-4.14/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
create mode 100644 queue-4.14/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
diff --git a/queue-4.14/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch b/queue-4.14/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
new file mode 100644
index 00000000000..a12a1160a30
--- /dev/null
+++ b/queue-4.14/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
@@ -0,0 +1,44 @@
+From 0ee74d5a48635c848c20f152d0d488bf84641304 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer
+Date: Tue, 25 May 2021 15:08:02 +0800
+Subject: iommu/vt-d: Fix sysfs leak in alloc_iommu()
+
+From: Rolf Eike Beer
+
+commit 0ee74d5a48635c848c20f152d0d488bf84641304 upstream.
+
+iommu_device_sysfs_add() is called before, so is has to be cleaned on subsequent
+errors.
+
+Fixes: 39ab9555c2411 ("iommu: Add sysfs bindings for struct iommu_device")
+Cc: stable@vger.kernel.org # 4.11.x
+Signed-off-by: Rolf Eike Beer
+Acked-by: Lu Baolu
+Link: https://lore.kernel.org/r/17411490.HIIP88n32C@mobilepool36.emlix.com
+Link: https://lore.kernel.org/r/20210525070802.361755-2-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/dmar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -1116,7 +1116,7 @@ static int alloc_iommu(struct dmar_drhd_
+ 
+ err = iommu_device_register(&iommu->iommu);
+ if (err)
+- goto err_unmap;
++ goto err_sysfs;
+ }
+ 
+ drhd->iommu = iommu;
+@@ -1124,6 +1124,8 @@ static int alloc_iommu(struct dmar_drhd_
+ 
+ return 0;
+ 
++err_sysfs:
++ iommu_device_sysfs_remove(&iommu->iommu);
+ err_unmap:
+ unmap_iommu(iommu);
+ error_free_seq_id:
diff --git a/queue-4.14/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch b/queue-4.14/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
new file mode 100644
index 00000000000..cc2897ddae2
--- /dev/null
+++ b/queue-4.14/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
@@ -0,0 +1,60 @@
+From a421d218603ffa822a0b8045055c03eae394a7eb Mon Sep 17 00:00:00 2001
+From: Anna Schumaker
+Date: Wed, 19 May 2021 12:54:51 -0400
+Subject: NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()
+
+From: Anna Schumaker
+
+commit a421d218603ffa822a0b8045055c03eae394a7eb upstream.
+
+Commit de144ff4234f changes _pnfs_return_layout() to call
+pnfs_mark_matching_lsegs_return() passing NULL as the struct
+pnfs_layout_range argument. Unfortunately,
+pnfs_mark_matching_lsegs_return() doesn't check if we have a value here
+before dereferencing it, causing an oops.
+
+I'm able to hit this crash consistently when running connectathon basic
+tests on NFS v4.1/v4.2 against Ontap.
+
+Fixes: de144ff4234f ("NFSv4: Don't discard segments marked for return in _pnfs_return_layout()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1136,6 +1136,11 @@ _pnfs_return_layout(struct inode *ino)
+ {
+ struct pnfs_layout_hdr *lo = NULL;
+ struct nfs_inode *nfsi = NFS_I(ino);
++ struct pnfs_layout_range range = {
++ .iomode = IOMODE_ANY,
++ .offset = 0,
++ .length = NFS4_MAX_UINT64,
++ };
+ LIST_HEAD(tmp_list);
+ nfs4_stateid stateid;
+ int status = 0;
+@@ -1162,16 +1167,10 @@ _pnfs_return_layout(struct inode *ino)
+ }
+ valid_layout = pnfs_layout_is_valid(lo);
+ pnfs_clear_layoutcommit(ino, &tmp_list);
+- pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0);
++ pnfs_mark_matching_lsegs_return(lo, &tmp_list, &range, 0);
+ 
+- if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) {
+- struct pnfs_layout_range range = {
+- .iomode = IOMODE_ANY,
+- .offset = 0,
+- .length = NFS4_MAX_UINT64,
+- };
++ if (NFS_SERVER(ino)->pnfs_curr_ld->return_range)
+ NFS_SERVER(ino)->pnfs_curr_ld->return_range(lo, &range);
+- }
+ 
+ /* Don't send a LAYOUTRETURN if list was initially empty */
+ if (!test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags) ||
diff --git a/queue-4.14/series b/queue-4.14/series
index 4be7a90bb0d..f580fdda3f1 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -4,3 +4,5 @@ scripts-switch-explicitly-to-python-3.patch
 usb-dwc3-gadget-enable-suspend-events.patch
 netfilter-x_tables-use-correct-memory-barriers.patch
 nfc-nci-fix-memory-leak-in-nci_allocate_device.patch
+nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
+iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
-- 
2.47.3
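Review bot: The callee stays unguarded after this change: the second inner hunk makes `_pnfs_return_layout()` pass `&range` instead of `NULL`, but `pnfs_mark_matching_lsegs_return()`, which the commit message says dereferences that argument without checking it, is not touched by the queued patch. Any other caller that passes NULL (none is visible in these lines) would hit the same oops, so I would state the contract above the callee, e.g. `/* range must not be NULL: callers wanting the whole file pass IOMODE_ANY, 0, NFS4_MAX_UINT64 */`, or add a `WARN_ON_ONCE()` guard on the pointer there. For the 4.14 queue it is also worth confirming that de144ff4234f, named in the Fixes: tag, is present in that tree, since the page does not show it. Both `_pnfs_return_layout()` and the callee extend beyond the lines shown here.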