Commit febbc555 authored by Linus Torvalds's avatar Linus Torvalds
Pull nfsd fixes from Chuck Lever:
 "Fixes for new bugs:
   - A fix for CB_GETATTR reply decoding was not quite correct
   - Fix the NFSD connection limiting logic
   - Fix a bug in the new session table resizing logic

  Bugs that pre-date v6.14:
   - Support for courteous clients (5.19) introduced a shutdown hang
   - Fix a crash in the filecache laundrette (6.9)
   - Fix a zero-day crash in NFSD's NFSv3 ACL implementation"

* tag 'nfsd-6.14-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
  NFSD: Fix CB_GETATTR status fix
  NFSD: fix hang in nfsd4_shutdown_callback
  nfsd: fix __fh_verify for localio
  nfsd: fix uninitialised slot info when a request is retried
  nfsd: validate the nfsd_serv pointer before calling svc_wake_up
  nfsd: clear acl_access/acl_default after releasing them
parents 58c9bf33 4990d098
+10 −1
@@ -446,11 +446,20 @@ nfsd_file_dispose_list_delayed(struct list_head *dispose)
						struct nfsd_file, nf_gc);
		struct nfsd_net *nn = net_generic(nf->nf_net, nfsd_net_id);
		struct nfsd_fcache_disposal *l = nn->fcache_disposal;
		struct svc_serv *serv;

		spin_lock(&l->lock);
		list_move_tail(&nf->nf_gc, &l->freeme);
		spin_unlock(&l->lock);
		svc_wake_up(nn->nfsd_serv);

		/*
		 * The filecache laundrette is shut down after the
		 * nn->nfsd_serv pointer is cleared, but before the
		 * svc_serv is freed.
		 */
		serv = nn->nfsd_serv;
		if (serv)
			svc_wake_up(serv);
	}
}
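Review bot: The new `serv = nn->nfsd_serv;` is a plain load of a pointer that, per the added comment, is cleared during shutdown while this path can still run, so the lockless read should be marked: `serv = READ_ONCE(nn->nfsd_serv);`. That stops the compiler from re-reading the field between the NULL test and `svc_wake_up(serv)`, and it documents that no lock covers the access. Whether the clearing side uses `WRITE_ONCE()` is not visible here and is worth checking alongside. The wake-up itself is only safe because of the ordering the comment describes (laundrette stopped before the svc_serv is freed). nfsd_file_dispose_list_delayed() begins outside this hunk.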

+2 −0
@@ -84,6 +84,8 @@ static __be32 nfsacld_proc_getacl(struct svc_rqst *rqstp)
fail:
	posix_acl_release(resp->acl_access);
	posix_acl_release(resp->acl_default);
	resp->acl_access = NULL;
	resp->acl_default = NULL;
	goto out;
}
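Review bot: The two assignments under `fail:`, `resp->acl_access = NULL;` and `resp->acl_default = NULL;`, carry no comment saying why the pointers must be cleared after `posix_acl_release()`. Presumably the response is released again later by code outside this hunk, and a stale pointer there would drop the ACL reference a second time. A short comment such as `/* resp is released again later; clear the pointers so the ACLs are not put twice */` would keep the lines from being removed as redundant. The identical change in nfsd3_proc_getacl() wants the same comment. Both functions start outside their hunks, so the later release is inferred from the commit title rather than seen.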

+2 −0
@@ -76,6 +76,8 @@ static __be32 nfsd3_proc_getacl(struct svc_rqst *rqstp)
fail:
	posix_acl_release(resp->acl_access);
	posix_acl_release(resp->acl_default);
	resp->acl_access = NULL;
	resp->acl_default = NULL;
	goto out;
}

+6 −3
@@ -679,7 +679,7 @@ static int nfs4_xdr_dec_cb_getattr(struct rpc_rqst *rqstp,
		return status;

	status = decode_cb_op_status(xdr, OP_CB_GETATTR, &cb->cb_status);
	if (unlikely(status || cb->cb_seq_status))
	if (unlikely(status || cb->cb_status))
		return status;
	if (xdr_stream_decode_uint32_array(xdr, bitmap, 3) < 0)
		return -NFSERR_BAD_XDR;
@@ -1583,8 +1583,11 @@ nfsd4_run_cb_work(struct work_struct *work)
		nfsd4_process_cb_update(cb);

	clnt = clp->cl_cb_client;
	if (!clnt) {
		/* Callback channel broken, or client killed; give up: */
	if (!clnt || clp->cl_state == NFSD4_COURTESY) {
		/*
		 * Callback channel broken, client killed or
		 * nfs4_client in courtesy state; give up.
		 */
		nfsd41_destroy_cb(cb);
		return;
	}
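Review bot: In nfs4_xdr_dec_cb_getattr() the corrected test `if (unlikely(status || cb->cb_status)) return status;` returns 0 when decoding succeeded but the client answered with a non-zero operation status, leaving the bitmap and attributes undecoded. That looks intentional, but nothing at the return says so. A comment such as `/* op failed on the client: not a decode error, caller must check cb->cb_status */` would make the contract explicit. The caller is outside this section, so confirm it tests `cb->cb_status` before trusting any decoded attribute fields.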
+2 −1
@@ -4459,10 +4459,11 @@ nfsd4_sequence(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
			}
		} while (slot && --cnt > 0);
	}

out:
	seq->maxslots = max(session->se_target_maxslots, seq->maxslots);
	seq->target_maxslots = session->se_target_maxslots;

out:
	switch (clp->cl_cb_state) {
	case NFSD4_CB_DOWN:
		seq->status_flags = SEQ4_STATUS_CB_PATH_DOWN;
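Review bot: With `out:` placed above the `seq->maxslots` and `seq->target_maxslots` assignments, every `goto out` in nfsd4_sequence() now dereferences `session`, and none of those jumps are visible in this hunk. The rendered page has lost the +/- markers and prints the label twice, so this reading follows the commit title about retried requests. It is worth confirming that no path reaches the label before `session` is looked up and valid. A comment at the label would record the invariant, for example `/* every path to out: holds a valid session; slot limits are reported for cached replies too */`.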