<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/sunrpc, branch v3.18.22</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>SUNRPC: Fix a memory leak in the backchannel code</title>
<updated>2015-07-04T03:02:23+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2015-06-01T19:10:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=30548c7e5eb7e1e65016f3540f8eb0aa5ac235dd'/>
<id>30548c7e5eb7e1e65016f3540f8eb0aa5ac235dd</id>
<content type='text'>
[ Upstream commit 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd ]

req-&gt;rq_private_buf isn't initialised when xprt_setup_backchannel calls
xprt_free_allocation.

Fixes: fb7a0b9addbdb ("nfs41: New backchannel helper routines")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd ]

req-&gt;rq_private_buf isn't initialised when xprt_setup_backchannel calls
xprt_free_allocation.

Fixes: fb7a0b9addbdb ("nfs41: New backchannel helper routines")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xprtrdma: Prevent infinite loop in rpcrdma_ep_create()</title>
<updated>2015-06-28T17:39:21+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2015-03-30T18:34:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=20cf09ef6745cb91f63cffecce67ab69703a130c'/>
<id>20cf09ef6745cb91f63cffecce67ab69703a130c</id>
<content type='text'>
[ Upstream commit 41f97028969e4c88efa5fcf58bc6125210413a6d ]

If a provider advertizes a zero max_fast_reg_page_list_len, FRWR
depth detection loops forever. Instead of just failing the mount,
try other memory registration modes.

Fixes: 0fc6c4e7bb28 ("xprtrdma: mind the device's max fast . . .")
Reported-by: Devesh Sharma &lt;Devesh.Sharma@Emulex.Com&gt;
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Devesh Sharma &lt;Devesh.Sharma@Emulex.Com&gt;
Tested-by: Meghana Cheripady &lt;Meghana.Cheripady@Emulex.Com&gt;
Tested-by: Veeresh U. Kokatnur &lt;veereshuk@chelsio.com&gt;
Signed-off-by: Anna Schumaker &lt;Anna.Schumaker@Netapp.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 41f97028969e4c88efa5fcf58bc6125210413a6d ]

If a provider advertizes a zero max_fast_reg_page_list_len, FRWR
depth detection loops forever. Instead of just failing the mount,
try other memory registration modes.

Fixes: 0fc6c4e7bb28 ("xprtrdma: mind the device's max fast . . .")
Reported-by: Devesh Sharma &lt;Devesh.Sharma@Emulex.Com&gt;
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Tested-by: Devesh Sharma &lt;Devesh.Sharma@Emulex.Com&gt;
Tested-by: Meghana Cheripady &lt;Meghana.Cheripady@Emulex.Com&gt;
Tested-by: Veeresh U. Kokatnur &lt;veereshuk@chelsio.com&gt;
Signed-off-by: Anna Schumaker &lt;Anna.Schumaker@Netapp.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xprtrdma: Take struct ib_device_attr off the stack</title>
<updated>2015-06-28T17:39:21+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2015-01-21T16:03:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b681a5e195f9a75e32b043dc561af3ec68e35da'/>
<id>1b681a5e195f9a75e32b043dc561af3ec68e35da</id>
<content type='text'>
[ Upstream commit 7bc7972cdd1f137552ca979caa11c8acbe119ae8 ]

Device attributes are large, and are used in more than one place.
Stash a copy in dynamically allocated memory.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Reviewed-by: Steve Wise &lt;swise@opengridcomputing.com&gt;
Signed-off-by: Anna Schumaker &lt;Anna.Schumaker@Netapp.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 7bc7972cdd1f137552ca979caa11c8acbe119ae8 ]

Device attributes are large, and are used in more than one place.
Stash a copy in dynamically allocated memory.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Reviewed-by: Steve Wise &lt;swise@opengridcomputing.com&gt;
Signed-off-by: Anna Schumaker &lt;Anna.Schumaker@Netapp.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures</title>
<updated>2015-06-10T17:42:36+00:00</updated>
<author>
<name>Scott Mayhew</name>
<email>smayhew@redhat.com</email>
</author>
<published>2015-04-28T20:29:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=74caa044f694e2034394893a3d993f9b90b3e895'/>
<id>74caa044f694e2034394893a3d993f9b90b3e895</id>
<content type='text'>
[ Upstream commit 9507271d960a1911a51683888837d75c171cd91f ]

In an environment where the KDC is running Active Directory, the
exported composite name field returned in the context could be large
enough to span a page boundary.  Attaching a scratch buffer to the
decoding xdr_stream helps deal with those cases.

The case where we saw this was actually due to behavior that's been
fixed in newer gss-proxy versions, but we're fixing it here too.

Signed-off-by: Scott Mayhew &lt;smayhew@redhat.com&gt;
Cc: stable@vger.kernel.org
Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9507271d960a1911a51683888837d75c171cd91f ]

In an environment where the KDC is running Active Directory, the
exported composite name field returned in the context could be large
enough to span a page boundary.  Attaching a scratch buffer to the
decoding xdr_stream helps deal with those cases.

The case where we saw this was actually due to behavior that's been
fixed in newer gss-proxy versions, but we're fixing it here too.

Signed-off-by: Scott Mayhew &lt;smayhew@redhat.com&gt;
Cc: stable@vger.kernel.org
Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: Always manipulate rpc_rqst::rq_bc_pa_list under xprt-&gt;bc_pa_lock</title>
<updated>2015-03-14T19:37:27+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2015-02-13T18:08:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8ed378b1711f05f26c4ebce1c81eda7cf6e89f44'/>
<id>8ed378b1711f05f26c4ebce1c81eda7cf6e89f44</id>
<content type='text'>
commit 813b00d63f6ca1ed40a2f4f9c034d59bc424025e upstream.

Other code that accesses rq_bc_pa_list holds xprt-&gt;bc_pa_lock.
xprt_complete_bc_request() should do the same.

Fixes: 2ea24497a1b3 ("SUNRPC: RPC callbacks may be split . . .")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 813b00d63f6ca1ed40a2f4f9c034d59bc424025e upstream.

Other code that accesses rq_bc_pa_list holds xprt-&gt;bc_pa_lock.
xprt_complete_bc_request() should do the same.

Fixes: 2ea24497a1b3 ("SUNRPC: RPC callbacks may be split . . .")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sunrpc: fix braino in -&gt;poll()</title>
<updated>2015-03-14T19:37:27+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@ZenIV.linux.org.uk</email>
</author>
<published>2015-03-07T21:08:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ca261c91b5dd6c4b0d9ab9b6c9286a19b15fc680'/>
<id>ca261c91b5dd6c4b0d9ab9b6c9286a19b15fc680</id>
<content type='text'>
commit 1711fd9addf214823b993468567cab1f8254fc51 upstream.

POLL_OUT isn't what callers of -&gt;poll() are expecting to see; it's
actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
bit...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Bruce Fields &lt;bfields@fieldses.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1711fd9addf214823b993468567cab1f8254fc51 upstream.

POLL_OUT isn't what callers of -&gt;poll() are expecting to see; it's
actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
bit...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Bruce Fields &lt;bfields@fieldses.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: NULL utsname dereference on NFS umount during namespace cleanup</title>
<updated>2015-03-06T22:52:58+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2015-01-30T23:12:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bcc9c506f2ba6f8602825b628d97bad1d4e5dd79'/>
<id>bcc9c506f2ba6f8602825b628d97bad1d4e5dd79</id>
<content type='text'>
commit 03a9a42a1a7e5b3e7919ddfacc1d1cc81882a955 upstream.

Fix an Oopsable condition when nsm_mon_unmon is called as part of the
namespace cleanup, which now apparently happens after the utsname
has been freed.

Link: http://lkml.kernel.org/r/20150125220604.090121ae@neptune.home
Reported-by: Bruno Prémont &lt;bonbons@linux-vserver.org&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 03a9a42a1a7e5b3e7919ddfacc1d1cc81882a955 upstream.

Fix an Oopsable condition when nsm_mon_unmon is called as part of the
namespace cleanup, which now apparently happens after the utsname
has been freed.

Link: http://lkml.kernel.org/r/20150125220604.090121ae@neptune.home
Reported-by: Bruno Prémont &lt;bonbons@linux-vserver.org&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>rpc: fix xdr_truncate_encode to handle buffer ending on page boundary</title>
<updated>2015-01-16T14:59:55+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2014-12-22T21:14:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9e80aeb7c7244c29b2c28049cd2149d3ab10a56a'/>
<id>9e80aeb7c7244c29b2c28049cd2149d3ab10a56a</id>
<content type='text'>
commit 49a068f82a1d30eb585d7804b05948376be6cf9a upstream.

A struct xdr_stream at a page boundary might point to the end of one
page or the beginning of the next, but xdr_truncate_encode isn't
prepared to handle the former.

This can cause corruption of NFSv4 READDIR replies in the case that a
readdir entry that would have exceeded the client's dircount/maxcount
limit would have ended exactly on a 4k page boundary.  You're more
likely to hit this case on large directories.

Other xdr_truncate_encode callers are probably also affected.

Reported-by: Holger Hoffstätte &lt;holger.hoffstaette@googlemail.com&gt;
Tested-by: Holger Hoffstätte &lt;holger.hoffstaette@googlemail.com&gt;
Fixes: 3e19ce762b53 "rpc: xdr_truncate_encode"
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 49a068f82a1d30eb585d7804b05948376be6cf9a upstream.

A struct xdr_stream at a page boundary might point to the end of one
page or the beginning of the next, but xdr_truncate_encode isn't
prepared to handle the former.

This can cause corruption of NFSv4 READDIR replies in the case that a
readdir entry that would have exceeded the client's dircount/maxcount
limit would have ended exactly on a 4k page boundary.  You're more
likely to hit this case on large directories.

Other xdr_truncate_encode callers are probably also affected.

Reported-by: Holger Hoffstätte &lt;holger.hoffstaette@googlemail.com&gt;
Tested-by: Holger Hoffstätte &lt;holger.hoffstaette@googlemail.com&gt;
Fixes: 3e19ce762b53 "rpc: xdr_truncate_encode"
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>SUNRPC: Fix locking around callback channel reply receive</title>
<updated>2014-11-19T17:03:20+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2014-11-12T23:04:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=093a1468b6edb0e568be7311b8d2228d205702db'/>
<id>093a1468b6edb0e568be7311b8d2228d205702db</id>
<content type='text'>
Both xprt_lookup_rqst() and xprt_complete_rqst() require that you
take the transport lock in order to avoid races with xprt_transmit().

Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Both xprt_lookup_rqst() and xprt_complete_rqst() require that you
take the transport lock in order to avoid races with xprt_transmit().

Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sunrpc: fix sleeping under rcu_read_lock in gss_stringify_acceptor</title>
<updated>2014-11-13T18:15:49+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@primarydata.com</email>
</author>
<published>2014-11-13T12:30:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b3ecba096729f521312d1863ad22530695527aed'/>
<id>b3ecba096729f521312d1863ad22530695527aed</id>
<content type='text'>
Bruce reported that he was seeing the following BUG pop:

    BUG: sleeping function called from invalid context at mm/slab.c:2846
    in_atomic(): 0, irqs_disabled(): 0, pid: 4539, name: mount.nfs
    2 locks held by mount.nfs/4539:
    #0:  (nfs_clid_init_mutex){+.+.+.}, at: [&lt;ffffffffa01c0a9a&gt;] nfs4_discover_server_trunking+0x4a/0x2f0 [nfsv4]
    #1:  (rcu_read_lock){......}, at: [&lt;ffffffffa00e3185&gt;] gss_stringify_acceptor+0x5/0xb0 [auth_rpcgss]
    Preemption disabled at:[&lt;ffffffff81a4f082&gt;] printk+0x4d/0x4f

    CPU: 3 PID: 4539 Comm: mount.nfs Not tainted 3.18.0-rc1-00013-g5b095e9 #3393
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    ffff880021499390 ffff8800381476a8 ffffffff81a534cf 0000000000000001
    0000000000000000 ffff8800381476c8 ffffffff81097854 00000000000000d0
    0000000000000018 ffff880038147718 ffffffff8118e4f3 0000000020479f00
    Call Trace:
    [&lt;ffffffff81a534cf&gt;] dump_stack+0x4f/0x7c
    [&lt;ffffffff81097854&gt;] __might_sleep+0x114/0x180
    [&lt;ffffffff8118e4f3&gt;] __kmalloc+0x1a3/0x280
    [&lt;ffffffffa00e31d8&gt;] gss_stringify_acceptor+0x58/0xb0 [auth_rpcgss]
    [&lt;ffffffffa00e3185&gt;] ? gss_stringify_acceptor+0x5/0xb0 [auth_rpcgss]
    [&lt;ffffffffa006b438&gt;] rpcauth_stringify_acceptor+0x18/0x30 [sunrpc]
    [&lt;ffffffffa01b0469&gt;] nfs4_proc_setclientid+0x199/0x380 [nfsv4]
    [&lt;ffffffffa01b04d0&gt;] ? nfs4_proc_setclientid+0x200/0x380 [nfsv4]
    [&lt;ffffffffa01bdf1a&gt;] nfs40_discover_server_trunking+0xda/0x150 [nfsv4]
    [&lt;ffffffffa01bde45&gt;] ? nfs40_discover_server_trunking+0x5/0x150 [nfsv4]
    [&lt;ffffffffa01c0acf&gt;] nfs4_discover_server_trunking+0x7f/0x2f0 [nfsv4]
    [&lt;ffffffffa01c8e24&gt;] nfs4_init_client+0x104/0x2f0 [nfsv4]
    [&lt;ffffffffa01539b4&gt;] nfs_get_client+0x314/0x3f0 [nfs]
    [&lt;ffffffffa0153780&gt;] ? nfs_get_client+0xe0/0x3f0 [nfs]
    [&lt;ffffffffa01c83aa&gt;] nfs4_set_client+0x8a/0x110 [nfsv4]
    [&lt;ffffffffa0069708&gt;] ? __rpc_init_priority_wait_queue+0xa8/0xf0 [sunrpc]
    [&lt;ffffffffa01c9b2f&gt;] nfs4_create_server+0x12f/0x390 [nfsv4]
    [&lt;ffffffffa01c1472&gt;] nfs4_remote_mount+0x32/0x60 [nfsv4]
    [&lt;ffffffff81196489&gt;] mount_fs+0x39/0x1b0
    [&lt;ffffffff81166145&gt;] ? __alloc_percpu+0x15/0x20
    [&lt;ffffffff811b276b&gt;] vfs_kern_mount+0x6b/0x150
    [&lt;ffffffffa01c1396&gt;] nfs_do_root_mount+0x86/0xc0 [nfsv4]
    [&lt;ffffffffa01c1784&gt;] nfs4_try_mount+0x44/0xc0 [nfsv4]
    [&lt;ffffffffa01549b7&gt;] ? get_nfs_version+0x27/0x90 [nfs]
    [&lt;ffffffffa0161a2d&gt;] nfs_fs_mount+0x47d/0xd60 [nfs]
    [&lt;ffffffff81a59c5e&gt;] ? mutex_unlock+0xe/0x10
    [&lt;ffffffffa01606a0&gt;] ? nfs_remount+0x430/0x430 [nfs]
    [&lt;ffffffffa01609c0&gt;] ? nfs_clone_super+0x140/0x140 [nfs]
    [&lt;ffffffff81196489&gt;] mount_fs+0x39/0x1b0
    [&lt;ffffffff81166145&gt;] ? __alloc_percpu+0x15/0x20
    [&lt;ffffffff811b276b&gt;] vfs_kern_mount+0x6b/0x150
    [&lt;ffffffff811b5830&gt;] do_mount+0x210/0xbe0
    [&lt;ffffffff811b54ca&gt;] ? copy_mount_options+0x3a/0x160
    [&lt;ffffffff811b651f&gt;] SyS_mount+0x6f/0xb0
    [&lt;ffffffff81a5c852&gt;] system_call_fastpath+0x12/0x17

Sleeping under the rcu_read_lock is bad. This patch fixes it by dropping
the rcu_read_lock before doing the allocation and then reacquiring it
and redoing the dereference before doing the copy. If we find that the
string has somehow grown in the meantime, we'll reallocate and try again.

Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Reported-by: "J. Bruce Fields" &lt;bfields@fieldses.org&gt;
Signed-off-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Bruce reported that he was seeing the following BUG pop:

    BUG: sleeping function called from invalid context at mm/slab.c:2846
    in_atomic(): 0, irqs_disabled(): 0, pid: 4539, name: mount.nfs
    2 locks held by mount.nfs/4539:
    #0:  (nfs_clid_init_mutex){+.+.+.}, at: [&lt;ffffffffa01c0a9a&gt;] nfs4_discover_server_trunking+0x4a/0x2f0 [nfsv4]
    #1:  (rcu_read_lock){......}, at: [&lt;ffffffffa00e3185&gt;] gss_stringify_acceptor+0x5/0xb0 [auth_rpcgss]
    Preemption disabled at:[&lt;ffffffff81a4f082&gt;] printk+0x4d/0x4f

    CPU: 3 PID: 4539 Comm: mount.nfs Not tainted 3.18.0-rc1-00013-g5b095e9 #3393
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    ffff880021499390 ffff8800381476a8 ffffffff81a534cf 0000000000000001
    0000000000000000 ffff8800381476c8 ffffffff81097854 00000000000000d0
    0000000000000018 ffff880038147718 ffffffff8118e4f3 0000000020479f00
    Call Trace:
    [&lt;ffffffff81a534cf&gt;] dump_stack+0x4f/0x7c
    [&lt;ffffffff81097854&gt;] __might_sleep+0x114/0x180
    [&lt;ffffffff8118e4f3&gt;] __kmalloc+0x1a3/0x280
    [&lt;ffffffffa00e31d8&gt;] gss_stringify_acceptor+0x58/0xb0 [auth_rpcgss]
    [&lt;ffffffffa00e3185&gt;] ? gss_stringify_acceptor+0x5/0xb0 [auth_rpcgss]
    [&lt;ffffffffa006b438&gt;] rpcauth_stringify_acceptor+0x18/0x30 [sunrpc]
    [&lt;ffffffffa01b0469&gt;] nfs4_proc_setclientid+0x199/0x380 [nfsv4]
    [&lt;ffffffffa01b04d0&gt;] ? nfs4_proc_setclientid+0x200/0x380 [nfsv4]
    [&lt;ffffffffa01bdf1a&gt;] nfs40_discover_server_trunking+0xda/0x150 [nfsv4]
    [&lt;ffffffffa01bde45&gt;] ? nfs40_discover_server_trunking+0x5/0x150 [nfsv4]
    [&lt;ffffffffa01c0acf&gt;] nfs4_discover_server_trunking+0x7f/0x2f0 [nfsv4]
    [&lt;ffffffffa01c8e24&gt;] nfs4_init_client+0x104/0x2f0 [nfsv4]
    [&lt;ffffffffa01539b4&gt;] nfs_get_client+0x314/0x3f0 [nfs]
    [&lt;ffffffffa0153780&gt;] ? nfs_get_client+0xe0/0x3f0 [nfs]
    [&lt;ffffffffa01c83aa&gt;] nfs4_set_client+0x8a/0x110 [nfsv4]
    [&lt;ffffffffa0069708&gt;] ? __rpc_init_priority_wait_queue+0xa8/0xf0 [sunrpc]
    [&lt;ffffffffa01c9b2f&gt;] nfs4_create_server+0x12f/0x390 [nfsv4]
    [&lt;ffffffffa01c1472&gt;] nfs4_remote_mount+0x32/0x60 [nfsv4]
    [&lt;ffffffff81196489&gt;] mount_fs+0x39/0x1b0
    [&lt;ffffffff81166145&gt;] ? __alloc_percpu+0x15/0x20
    [&lt;ffffffff811b276b&gt;] vfs_kern_mount+0x6b/0x150
    [&lt;ffffffffa01c1396&gt;] nfs_do_root_mount+0x86/0xc0 [nfsv4]
    [&lt;ffffffffa01c1784&gt;] nfs4_try_mount+0x44/0xc0 [nfsv4]
    [&lt;ffffffffa01549b7&gt;] ? get_nfs_version+0x27/0x90 [nfs]
    [&lt;ffffffffa0161a2d&gt;] nfs_fs_mount+0x47d/0xd60 [nfs]
    [&lt;ffffffff81a59c5e&gt;] ? mutex_unlock+0xe/0x10
    [&lt;ffffffffa01606a0&gt;] ? nfs_remount+0x430/0x430 [nfs]
    [&lt;ffffffffa01609c0&gt;] ? nfs_clone_super+0x140/0x140 [nfs]
    [&lt;ffffffff81196489&gt;] mount_fs+0x39/0x1b0
    [&lt;ffffffff81166145&gt;] ? __alloc_percpu+0x15/0x20
    [&lt;ffffffff811b276b&gt;] vfs_kern_mount+0x6b/0x150
    [&lt;ffffffff811b5830&gt;] do_mount+0x210/0xbe0
    [&lt;ffffffff811b54ca&gt;] ? copy_mount_options+0x3a/0x160
    [&lt;ffffffff811b651f&gt;] SyS_mount+0x6f/0xb0
    [&lt;ffffffff81a5c852&gt;] system_call_fastpath+0x12/0x17

Sleeping under the rcu_read_lock is bad. This patch fixes it by dropping
the rcu_read_lock before doing the allocation and then reacquiring it
and redoing the dereference before doing the copy. If we find that the
string has somehow grown in the meantime, we'll reallocate and try again.

Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Reported-by: "J. Bruce Fields" &lt;bfields@fieldses.org&gt;
Signed-off-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
