3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jan 2013 19:51:07 +0000 (11:51 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jan 2013 19:51:07 +0000 (11:51 -0800)
added patches:
nfs-avoid-null-dereference-in-nfs_destroy_server.patch
nfsd4-fix-oops-on-unusual-readlike-compound.patch
nfs-fix-calls-to-drop_nlink.patch
nfs-fix-null-checking-in-nfs_get_option_str.patch

queue-3.0/nfs-avoid-null-dereference-in-nfs_destroy_server.patch [new file with mode: 0644]
queue-3.0/nfs-fix-calls-to-drop_nlink.patch [new file with mode: 0644]
queue-3.0/nfs-fix-null-checking-in-nfs_get_option_str.patch [new file with mode: 0644]
queue-3.0/nfsd4-fix-oops-on-unusual-readlike-compound.patch [new file with mode: 0644]
queue-3.0/series

diff --git a/queue-3.0/nfs-avoid-null-dereference-in-nfs_destroy_server.patch b/queue-3.0/nfs-avoid-null-dereference-in-nfs_destroy_server.patch
new file mode 100644 (file)
index 0000000..13591ce
--- /dev/null
@@ -0,0 +1,45 @@
+From f259613a1e4b44a0cf85a5dafd931be96ee7c9e5 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Thu, 13 Dec 2012 15:14:36 +1100
+Subject: NFS: avoid NULL dereference in nfs_destroy_server
+
+From: NeilBrown <neilb@suse.de>
+
+commit f259613a1e4b44a0cf85a5dafd931be96ee7c9e5 upstream.
+
+In rare circumstances, nfs_clone_server() of a v2 or v3 server can get
+an error between setting server->destory (to nfs_destroy_server), and
+calling nfs_start_lockd (which will set server->nlm_host).
+
+If this happens, nfs_clone_server will call nfs_free_server which
+will call nfs_destroy_server and thence nlmclnt_done(NULL).  This
+causes the NULL to be dereferenced.
+
+So add a guard to only call nlmclnt_done() if ->nlm_host is not NULL.
+
+The other guards there are irrelevant as nlm_host can only be non-NULL
+if one of these flags are set - so remove those tests.  (Thanks to Trond
+for this suggestion).
+
+This is suitable for any stable kernel since 2.6.25.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/client.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -673,8 +673,7 @@ static int nfs_create_rpc_client(struct
+  */
+ static void nfs_destroy_server(struct nfs_server *server)
+ {
+-      if (!(server->flags & NFS_MOUNT_LOCAL_FLOCK) ||
+-                      !(server->flags & NFS_MOUNT_LOCAL_FCNTL))
++      if (server->nlm_host)
+               nlmclnt_done(server->nlm_host);
+ }
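Review bot: The new `if (server->nlm_host)` guard in nfs_destroy_server has no comment saying why nlm_host can be NULL here, and the flag tests it replaces were the only hint of when lockd is in use. The patch description gives the reason: a clone that fails before nfs_start_lockd runs still reaches this destructor through nfs_free_server. I would record that above the test: `/* nlm_host stays NULL if setup failed before nfs_start_lockd() */`. The comment block preceding the function starts outside the hunk, so it may already cover this.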
diff --git a/queue-3.0/nfs-fix-calls-to-drop_nlink.patch b/queue-3.0/nfs-fix-calls-to-drop_nlink.patch
new file mode 100644 (file)
index 0000000..ccf04ee
--- /dev/null
@@ -0,0 +1,83 @@
+From 1f018458b30b0d5c535c94e577aa0acbb92e1395 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri, 14 Dec 2012 16:38:46 -0500
+Subject: NFS: Fix calls to drop_nlink()
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 1f018458b30b0d5c535c94e577aa0acbb92e1395 upstream.
+
+It is almost always wrong for NFS to call drop_nlink() after removing a
+file. What we really want is to mark the inode's attributes for
+revalidation, and we want to ensure that the VFS drops it if we're
+reasonably sure that this is the final unlink().
+Do the former using the usual cache validity flags, and the latter
+by testing if inode->i_nlink == 1, and clearing it in that case.
+
+This also fixes the following warning reported by Neil Brown and
+Jeff Layton (among others).
+
+[634155.004438] WARNING:
+at /home/abuild/rpmbuild/BUILD/kernel-desktop-3.5.0/lin [634155.004442]
+Hardware name: Latitude E6510 [634155.004577]  crc_itu_t crc32c_intel
+snd_hwdep snd_pcm snd_timer snd soundcor [634155.004609] Pid: 13402, comm:
+bash Tainted: G        W    3.5.0-36-desktop # [634155.004611] Call Trace:
+[634155.004630]  [<ffffffff8100444a>] dump_trace+0xaa/0x2b0
+[634155.004641]  [<ffffffff815a23dc>] dump_stack+0x69/0x6f
+[634155.004653]  [<ffffffff81041a0b>] warn_slowpath_common+0x7b/0xc0
+[634155.004662]  [<ffffffff811832e4>] drop_nlink+0x34/0x40
+[634155.004687]  [<ffffffffa05bb6c3>] nfs_dentry_iput+0x33/0x70 [nfs]
+[634155.004714]  [<ffffffff8118049e>] dput+0x12e/0x230
+[634155.004726]  [<ffffffff8116b230>] __fput+0x170/0x230
+[634155.004735]  [<ffffffff81167c0f>] filp_close+0x5f/0x90
+[634155.004743]  [<ffffffff81167cd7>] sys_close+0x97/0x100
+[634155.004754]  [<ffffffff815c3b39>] system_call_fastpath+0x16/0x1b
+[634155.004767]  [<00007f2a73a0d110>] 0x7f2a73a0d10f
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/dir.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1216,11 +1216,14 @@ static int nfs_dentry_delete(const struc
+ }
++/* Ensure that we revalidate inode->i_nlink */
+ static void nfs_drop_nlink(struct inode *inode)
+ {
+       spin_lock(&inode->i_lock);
+-      if (inode->i_nlink > 0)
+-              drop_nlink(inode);
++      /* drop the inode if we're reasonably sure this is the last link */
++      if (inode->i_nlink == 1)
++              clear_nlink(inode);
++      NFS_I(inode)->cache_validity |= NFS_INO_INVALID_ATTR;
+       spin_unlock(&inode->i_lock);
+ }
+@@ -1235,8 +1238,8 @@ static void nfs_dentry_iput(struct dentr
+               NFS_I(inode)->cache_validity |= NFS_INO_INVALID_DATA;
+       if (dentry->d_flags & DCACHE_NFSFS_RENAMED) {
+-              drop_nlink(inode);
+               nfs_complete_unlink(dentry, inode);
++              nfs_drop_nlink(inode);
+       }
+       iput(inode);
+ }
+@@ -1788,10 +1791,8 @@ static int nfs_safe_remove(struct dentry
+       if (inode != NULL) {
+               nfs_inode_return_delegation(inode);
+               error = NFS_PROTO(dir)->remove(dir, &dentry->d_name);
+-              /* The VFS may want to delete this inode */
+               if (error == 0)
+                       nfs_drop_nlink(inode);
+-              nfs_mark_for_revalidate(inode);
+       } else
+               error = NFS_PROTO(dir)->remove(dir, &dentry->d_name);
+       if (error == -ENOENT)
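Review bot: In the nfs_safe_remove hunk the unconditional `nfs_mark_for_revalidate(inode)` is removed, so when `remove()` returns an error nothing in the visible lines marks the inode's cached attributes stale any more; before, that happened on every path. nfs_drop_nlink also sets only `NFS_INO_INVALID_ATTR`, and whether that covers everything nfs_mark_for_revalidate invalidated cannot be seen from here. If the error path should still revalidate, keep the call under an else: `else nfs_mark_for_revalidate(inode);`. Otherwise a line in the description saying that a failed remove deliberately leaves the cache untouched would help. nfs_safe_remove's body continues outside the hunk.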
diff --git a/queue-3.0/nfs-fix-null-checking-in-nfs_get_option_str.patch b/queue-3.0/nfs-fix-null-checking-in-nfs_get_option_str.patch
new file mode 100644 (file)
index 0000000..62cd029
--- /dev/null
@@ -0,0 +1,39 @@
+From e25fbe380c4e3c09afa98bcdcd9d3921443adab8 Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Fri, 4 Jan 2013 03:22:57 -0500
+Subject: nfs: fix null checking in nfs_get_option_str()
+
+From: Xi Wang <xi.wang@gmail.com>
+
+commit e25fbe380c4e3c09afa98bcdcd9d3921443adab8 upstream.
+
+The following null pointer check is broken.
+
+       *option = match_strdup(args);
+       return !option;
+
+The pointer `option' must be non-null, and thus `!option' is always false.
+Use `!*option' instead.
+
+The bug was introduced in commit c5cb09b6f8 ("Cleanup: Factor out some
+cut-and-paste code.").
+
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1052,7 +1052,7 @@ static int nfs_get_option_str(substring_
+ {
+       kfree(*option);
+       *option = match_strdup(args);
+-      return !option;
++      return !*option;
+ }
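Review bot: nfs_get_option_str has no comment stating its return contract, which is what the one-character bug was about: with `return !*option;` it returns nonzero when match_strdup() fails and leaves `*option` NULL. A short comment above the function would make that harder to break again, e.g. `/* Returns 0 on success, nonzero if the copy could not be allocated; *option is NULL in that case. */`. The signature appears only in the hunk header, and the callers that must test the result are not visible here.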
+ static int nfs_get_option_ul(substring_t args[], unsigned long *option)
diff --git a/queue-3.0/nfsd4-fix-oops-on-unusual-readlike-compound.patch b/queue-3.0/nfsd4-fix-oops-on-unusual-readlike-compound.patch
new file mode 100644 (file)
index 0000000..73b23a6
--- /dev/null
@@ -0,0 +1,57 @@
+From d5f50b0c290431c65377c4afa1c764e2c3fe5305 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 4 Dec 2012 18:25:10 -0500
+Subject: nfsd4: fix oops on unusual readlike compound
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit d5f50b0c290431c65377c4afa1c764e2c3fe5305 upstream.
+
+If the argument and reply together exceed the maximum payload size, then
+a reply with a read-like operation can overlow the rq_pages array.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2682,11 +2682,16 @@ nfsd4_encode_read(struct nfsd4_compoundr
+       len = maxcount;
+       v = 0;
+       while (len > 0) {
+-              pn = resp->rqstp->rq_resused++;
++              pn = resp->rqstp->rq_resused;
++              if (!resp->rqstp->rq_respages[pn]) { /* ran out of pages */
++                      maxcount -= len;
++                      break;
++              }
+               resp->rqstp->rq_vec[v].iov_base =
+                       page_address(resp->rqstp->rq_respages[pn]);
+               resp->rqstp->rq_vec[v].iov_len =
+                       len < PAGE_SIZE ? len : PAGE_SIZE;
++              resp->rqstp->rq_resused++;
+               v++;
+               len -= PAGE_SIZE;
+       }
+@@ -2734,6 +2739,8 @@ nfsd4_encode_readlink(struct nfsd4_compo
+               return nfserr;
+       if (resp->xbuf->page_len)
+               return nfserr_resource;
++      if (!resp->rqstp->rq_respages[resp->rqstp->rq_resused])
++              return nfserr_resource;
+       page = page_address(resp->rqstp->rq_respages[resp->rqstp->rq_resused++]);
+@@ -2783,6 +2790,8 @@ nfsd4_encode_readdir(struct nfsd4_compou
+               return nfserr;
+       if (resp->xbuf->page_len)
+               return nfserr_resource;
++      if (!resp->rqstp->rq_respages[resp->rqstp->rq_resused])
++              return nfserr_resource;
+       RESERVE_SPACE(8);  /* verifier */
+       savep = p;
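Review bot: All three added tests (`!resp->rqstp->rq_respages[pn]` in nfsd4_encode_read, and the same test indexed by `rq_resused` in nfsd4_encode_readlink and nfsd4_encode_readdir) treat a NULL slot as the end of the reply pages, but nothing in these hunks bounds the index itself. They are therefore only safe if the array is guaranteed to hold a NULL entry after the last usable page. That guarantee is set up outside the visible lines; I would state it where it is relied on, e.g. `/* rq_respages is NULL-terminated: a NULL slot means no page is left for this reply */`, or compare the index with the array size as well. In nfsd4_encode_read the short-read path (`maxcount -= len; break;`) also merits a one-line comment that the reply is truncated to the pages that were available. All three function bodies continue outside the hunks.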
index 2555f64ffc937a9f19257786961e7036d8f99a20..986925c44a6a5a560f05053601670425b6a8b809 100644 (file)
@@ -18,3 +18,7 @@ p54usb-add-usbids-for-two-more-p54usb-devices.patch
 usb-gadget-phonet-free-requests-in-pn_bind-s-error-path.patch
 usb-gadget-uvc-fix-error-path-in-uvc_function_bind.patch
 acpi-scan-do-not-use-dummy-hid-for-system-bus-acpi-nodes.patch
+nfs-avoid-null-dereference-in-nfs_destroy_server.patch
+nfs-fix-calls-to-drop_nlink.patch
+nfsd4-fix-oops-on-unusual-readlike-compound.patch
+nfs-fix-null-checking-in-nfs_get_option_str.patch