From 1724a9954b1ac98ec3fca34c109275e1eb877783 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Wed, 11 Jun 2014 16:22:22 -0400
Subject: [PATCH] Fix NFS NULL pointer deref with ipv6 (rhbz 1099761)
---
...te-net-in-mount-data-when-remounting.patch | 39 +++++++++++++++++++
kernel.spec | 7 ++++
2 files changed, 46 insertions(+)
create mode 100644 NFS-populate-net-in-mount-data-when-remounting.patch
diff --git a/NFS-populate-net-in-mount-data-when-remounting.patch b/NFS-populate-net-in-mount-data-when-remounting.patch
new file mode 100644
index 000000000..223b50030
--- /dev/null
+++ b/NFS-populate-net-in-mount-data-when-remounting.patch
@@ -0,0 +1,39 @@
+Bugzilla: 1099761
+Upstream-status: 3.16 and CC'd for stable
+
+From a914722f333b3359d2f4f12919380a334176bb89 Mon Sep 17 00:00:00 2001
+From: Mateusz Guzik
+Date: Tue, 10 Jun 2014 12:44:12 +0200
+Subject: [PATCH] NFS: populate ->net in mount data when remounting
+
+Otherwise the kernel oopses when remounting with IPv6 server because
+net is dereferenced in dev_get_by_name.
+
+Use net ns of current thread so that dev_get_by_name does not operate on
+foreign ns. Changing the address is prohibited anyway so this should not
+affect anything.
+
+Signed-off-by: Mateusz Guzik
+Cc: linux-nfs@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # 3.4+
+Signed-off-by: Trond Myklebust
+---
+ fs/nfs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 1a6d7ac9d9d2..084af1060d79 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2260,6 +2260,7 @@ nfs_remount(struct super_block *sb, int *flags, char *raw_data)
+ data->nfs_server.addrlen = nfss->nfs_client->cl_addrlen;
+ data->version = nfsvers;
+ data->minorversion = nfss->nfs_client->cl_minorversion;
++ data->net = current->nsproxy->net_ns;
+ memcpy(&data->nfs_server.address, &nfss->nfs_client->cl_addr,
+ data->nfs_server.addrlen);
+
+--
+1.9.3
+
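Review bot: The added `data->net = current->nsproxy->net_ns;` in nfs_remount has no comment saying why the caller's network namespace is used rather than the one the mount was created in, and that choice is the security-relevant part of the fix. The commit message gives the reasoning (net is dereferenced in dev_get_by_name for an IPv6 server, and changing the address on remount is prohibited), but a reader of super.c will not see it. I would add above the line `/* dev_get_by_name() dereferences data->net for IPv6 servers; use the caller's netns, the address itself cannot change on remount */`. It is also worth confirming that a remount issued from a different namespace than the original mount is still rejected when the parsed address differs, since that check is outside this hunk and is only inferred from the commit message. nfs_remount starts and ends outside the hunk.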
diff --git a/kernel.spec b/kernel.spec index 065160aec..7e3d89806 100644 --- a/kernel.spec +++ b/kernel.spec @@ -728,6 +728,9 @@ Patch25096: drm-i915-set-backlight-duty-cycle-after-backlight-enable-for-gen4.pa #rhbz 1064516 Patch25098: e1000e-Failure-to-write-SHRA-turns-on-PROMISC-mode.patch +#rhbz 1099761 +Patch25099: NFS-populate-net-in-mount-data-when-remounting.patch + # END OF PATCH DEFINITIONS %endif @@ -1424,6 +1427,9 @@ ApplyPatch drm-i915-set-backlight-duty-cycle-after-backlight-enable-for-gen4.pat #rhbz 1064516 ApplyPatch e1000e-Failure-to-write-SHRA-turns-on-PROMISC-mode.patch +#rhbz 1099761 +ApplyPatch NFS-populate-net-in-mount-data-when-remounting.patch + # END OF PATCH APPLICATIONS %endif @@ -2237,6 +2243,7 @@ fi # || || %changelog * Wed Jun 11 2014 Josh Boyer +- Fix NFS NULL pointer deref with ipv6 (rhbz 1099761) - Fix promisc mode on certain e1000e cards (rhbz 1064516) - Fix i915 backlight issue on gen4 (rhbz 1094066)