From 69fa7a1a8aa48856bba9d235ad1a52573184156d Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott@redhat.com>
Date: Sun, 21 Apr 2019 17:15:20 -0700
Subject: Linux v5.0.9 Fix NFS server crash (rhbz 1701077)

---
 ...-fsnotify_mark-refcount-leak-in-inotify_u.patch |  45 ---------
 kernel.spec                                        |  12 ++-
 ...s-blocked-on-file_lock-before-deleting-it.patch | 108 +++++++++++++++++++++
 sources                                            |   2 +-
 4 files changed, 117 insertions(+), 50 deletions(-)
 delete mode 100644 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
 create mode 100644 nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch

diff --git a/0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch b/0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
deleted file mode 100644
index e0c6f73a3..000000000
--- a/0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 62c9d2674b31d4c8a674bee86b7edc6da2803aea Mon Sep 17 00:00:00 2001
-From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
-Date: Sat, 2 Mar 2019 09:17:32 +0800
-Subject: [PATCH] inotify: Fix fsnotify_mark refcount leak in
- inotify_update_existing_watch()
-
-Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for
-inotify_add_watch()") forgot to call fsnotify_put_mark() with
-IN_MASK_CREATE after fsnotify_find_mark()
-
-Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()")
-Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
-Signed-off-by: Jan Kara <jack@suse.cz>
----
- fs/notify/inotify/inotify_user.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
-index e2901fbb9f76..7b53598c8804 100644
---- a/fs/notify/inotify/inotify_user.c
-+++ b/fs/notify/inotify/inotify_user.c
-@@ -519,8 +519,10 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
- 	fsn_mark = fsnotify_find_mark(&inode->i_fsnotify_marks, group);
- 	if (!fsn_mark)
- 		return -ENOENT;
--	else if (create)
--		return -EEXIST;
-+	else if (create) {
-+		ret = -EEXIST;
-+		goto out;
-+	}
-
- 	i_mark = container_of(fsn_mark, struct inotify_inode_mark, fsn_mark);
-
-@@ -548,6 +550,7 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
- 	/* return the wd */
- 	ret = i_mark->wd;
-
-+out:
- 	/* match the get from fsnotify_find_mark() */
- 	fsnotify_put_mark(fsn_mark);
-
--- 
-2.20.1
-
diff --git a/kernel.spec b/kernel.spec
index a740b32af..3d7daccc4 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 8
+%define stable_update 9
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -619,15 +619,15 @@ Patch513: 0001-virt-vbox-Implement-passing-requestor-info-to-the-ho.patch
 # rhbz 1683382
 Patch515: nfsv4.1-avoid-false-retries.patch
 
-# CVE-2019-9857 rhbz 1694758 1694759
-Patch516: 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
-
 # CVE-2019-3882 rhbz 1689426 1695571
 Patch517: vfio-type1-limit-dma-mappings-per-container.patch
 
 # CVE-2019-9500 rhbz 1701224 1701226
 Patch518: 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
 
+# rhbz 1701077
+Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1915,6 +1915,10 @@ fi
 #
 #
 %changelog
+* Mon Apr 22 2019 Laura Abbott <labbott@redhat.com> - 5.0.9-100
+- Linux v5.0.9
+- Fix NFS server crash (rhbz 1701077)
+
 * Thu Apr 18 2019 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix CVE-2019-9500 (rhbz 1701224 1701226)
 
diff --git a/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch b/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch
new file mode 100644
index 000000000..0b4cfbe16
--- /dev/null
+++ b/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch
@@ -0,0 +1,108 @@
+From patchwork Sat Apr 20 10:15:48 2019
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Jeff Layton <jlayton@kernel.org>
+X-Patchwork-Id: 10910147
+Return-Path: <linux-nfs-owner@kernel.org>
+Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
+ [172.30.200.125])
+	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0C1AE14DB
+	for <patchwork-linux-nfs@patchwork.kernel.org>;
+ Sat, 20 Apr 2019 10:15:53 +0000 (UTC)
+Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
+	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E858821FAC
+	for <patchwork-linux-nfs@patchwork.kernel.org>;
+ Sat, 20 Apr 2019 10:15:52 +0000 (UTC)
+Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
+	id D5EA228818; Sat, 20 Apr 2019 10:15:52 +0000 (UTC)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
+	pdx-wl-mail.web.codeaurora.org
+X-Spam-Level: 
+X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
+	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham
+	version=3.3.1
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BF69021FAC
+	for <patchwork-linux-nfs@patchwork.kernel.org>;
+ Sat, 20 Apr 2019 10:15:51 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S1726082AbfDTKPu (ORCPT
+        <rfc822;patchwork-linux-nfs@patchwork.kernel.org>);
+        Sat, 20 Apr 2019 06:15:50 -0400
+Received: from mail.kernel.org ([198.145.29.99]:36092 "EHLO mail.kernel.org"
+        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+        id S1725920AbfDTKPu (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
+        Sat, 20 Apr 2019 06:15:50 -0400
+Received: from tleilax.poochiereds.net (cpe-71-70-156-158.nc.res.rr.com
+ [71.70.156.158])
+        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+        (No client certificate requested)
+        by mail.kernel.org (Postfix) with ESMTPSA id 649D32087B;
+        Sat, 20 Apr 2019 10:15:49 +0000 (UTC)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
+        s=default; t=1555755349;
+        bh=Sqynm2vSbQ1pAh/3FcXrwFTMrJUwFTkrxoodJHFBfA0=;
+        h=From:To:Cc:Subject:Date:From;
+        b=TFlYii+F3H67zOX8b/mENa/XRCx1SjMI2/gLtscPnA5l6T0dG8aC/E+FJLvMeNLHo
+         pu2zlPSdszk+MBMfWQrfUpKGCP7CPqfyk7F1rXRIr6kNYp2tE2gKYyIWvCkVPE45iX
+         LngnHXERmf/R52j7gg2ENj+yjuOh07AifhxH1J00=
+From: Jeff Layton <jlayton@kernel.org>
+To: bfields@fieldses.org
+Cc: slawek1211@gmail.com, neilb@suse.com, linux-nfs@vger.kernel.org
+Subject: [PATCH] nfsd: wake waiters blocked on file_lock before deleting it
+Date: Sat, 20 Apr 2019 06:15:48 -0400
+Message-Id: <20190420101548.8552-1-jlayton@kernel.org>
+X-Mailer: git-send-email 2.20.1
+MIME-Version: 1.0
+Sender: linux-nfs-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-nfs.vger.kernel.org>
+X-Mailing-List: linux-nfs@vger.kernel.org
+X-Virus-Scanned: ClamAV using ClamSMTP
+
+After a blocked nfsd file_lock request is deleted, knfsd will send a
+callback to the client and then free the request. Commit 16306a61d3b7
+("fs/locks: always delete_block after waiting.") changed it such that
+locks_delete_block is always called on a request after it is awoken,
+but that patch missed fixing up blocked nfsd request handling.
+
+Call locks_delete_block on the block to wake up any locks still blocked
+on the nfsd lock request before sending the callback.
+
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=203363
+Fixes: 16306a61d3b7 ("fs/locks: always delete_block after waiting.")
+Reported-by: Slawomir Pryczek <slawek1211@gmail.com>
+Cc: Neil Brown <neilb@suse.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 6a45fb00c5fc..1960e8fd9ad1 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -298,6 +298,14 @@ remove_blocked_locks(struct nfs4_lockowner *lo)
+ 	}
+ }
+ 
++static void
++nfsd4_cb_notify_lock_prepare(struct nfsd4_callback *cb)
++{
++	struct nfsd4_blocked_lock	*nbl = container_of(cb,
++						struct nfsd4_blocked_lock, nbl_cb);
++	locks_delete_block(&nbl->nbl_lock);
++}
++
+ static int
+ nfsd4_cb_notify_lock_done(struct nfsd4_callback *cb, struct rpc_task *task)
+ {
+@@ -325,6 +333,7 @@ nfsd4_cb_notify_lock_release(struct nfsd4_callback *cb)
+ }
+ 
+ static const struct nfsd4_callback_ops nfsd4_cb_notify_lock_ops = {
++	.prepare	= nfsd4_cb_notify_lock_prepare,
+ 	.done		= nfsd4_cb_notify_lock_done,
+ 	.release	= nfsd4_cb_notify_lock_release,
+ };
diff --git a/sources b/sources
index 8df4b4207..e981227ba 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-5.0.tar.xz) = 3fbab70c7b03b1a10e9fa14d1e2e1f550faba4f5792b7699ca006951da74ab86e7d7f19c6a67849ab99343186e7d6f2752cd910d76222213b93c1eab90abf1b0
-SHA512 (patch-5.0.8.xz) = b6b4be8f85e879a21d98bff1515be6432f71d13f894125398e55a5a2acf55d9fb2fe9a0081f257418290edb48219e048de786ccc916c48cc3d3a32d3009478b0
+SHA512 (patch-5.0.9.xz) = 5f7ee13f7c5926ff4438f9c026a5a1dfd7301aedf445d2bb6eb4244ba0eb79586612e6f0353e1f45888d1978608ac4c7839e42d8f995c043f052f5801e53b9a6
-- 
cgit