From 29fbd594e5393ca88206a1008372b5ab983b09b6 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 12 Jun 2017 16:20:51 +0100
Subject: [PATCH] NFSv4.x/callback: Create the callback service through
 svc_create_pooled (Closes: #862357)

---
 debian/changelog                              |  2 +
 ...-create-the-callback-service-through.patch | 78 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 81 insertions(+)
 create mode 100644 debian/patches/bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch

diff --git a/debian/changelog b/debian/changelog
index d247037fe..c230b2749 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ linux (4.9.30-2) UNRELEASED; urgency=medium
   * [armhf] udeb: Add axp20x_usb_power to kernel-image; add i2c-modules
     package including i2c-mv64xxx and i2c-rk3x (thanks to Karsten Merker)
     (Closes: #856111)
+  * NFSv4.x/callback: Create the callback service through svc_create_pooled
+    (Closes: #862357)
 
  -- Ben Hutchings <ben@decadent.org.uk>  Wed, 07 Jun 2017 18:11:03 +0100
 
diff --git a/debian/patches/bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch b/debian/patches/bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
new file mode 100644
index 000000000..977b97b1a
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
@@ -0,0 +1,78 @@
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Thu, 27 Apr 2017 11:13:38 +0800
+Subject: NFSv4.x/callback: Create the callback service through
+ svc_create_pooled
+Origin: https://git.kernel.org/linus/df807fffaabde625fa9adb82e3e5b88cdaa5709a
+Bug-Debian: https://bugs.debian.org/862357
+
+As the comments for svc_set_num_threads() said,
+" Destroying threads relies on the service threads filling in
+rqstp->rq_task, which only the nfs ones do.  Assumes the serv
+has been created using svc_create_pooled()."
+
+If creating service through svc_create(), the svc_pool_map_put()
+will be called in svc_destroy(), but the pool map isn't used.
+So that, the reference of pool map will be drop, the next using
+of pool map will get a zero npools.
+
+[  137.992130] divide error: 0000 [#1] SMP
+[  137.992148] Modules linked in: nfsd(E) nfsv4 nfs fscache fuse tun bridge stp llc ip_set nfnetlink vmw_vsock_vmci_transport vsock snd_seq_midi snd_seq_midi_event vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ppdev ghash_clmulni_intel intel_rapl_perf joydev snd_ens1371 gameport snd_ac97_codec ac97_bus snd_seq snd_pcm snd_rawmidi snd_timer snd_seq_device snd soundcore parport_pc parport nfit acpi_cpufreq tpm_tis tpm_tis_core tpm vmw_vmci i2c_piix4 shpchp auth_rpcgss nfs_acl lockd(E) grace sunrpc(E) xfs libcrc32c vmwgfx drm_kms_helper ttm crc32c_intel drm e1000 mptspi scsi_transport_spi serio_raw mptscsih mptbase ata_generic pata_acpi [last unloaded: nfsd]
+[  137.992336] CPU: 0 PID: 4514 Comm: rpc.nfsd Tainted: G            E   4.11.0-rc8+ #536
+[  137.992777] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
+[  137.993757] task: ffff955984101d00 task.stack: ffff9873c2604000
+[  137.994231] RIP: 0010:svc_pool_for_cpu+0x2b/0x80 [sunrpc]
+[  137.994768] RSP: 0018:ffff9873c2607c18 EFLAGS: 00010246
+[  137.995227] RAX: 0000000000000000 RBX: ffff95598376f000 RCX: 0000000000000002
+[  137.995673] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9559944aec00
+[  137.996156] RBP: ffff9873c2607c18 R08: ffff9559944aec28 R09: 0000000000000000
+[  137.996609] R10: 0000000001080002 R11: 0000000000000000 R12: ffff95598376f010
+[  137.997063] R13: ffff95598376f018 R14: ffff9559944aec28 R15: ffff9559944aec00
+[  137.997584] FS:  00007f755529eb40(0000) GS:ffff9559bb600000(0000) knlGS:0000000000000000
+[  137.998048] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  137.998548] CR2: 000055f3aecd9660 CR3: 0000000084290000 CR4: 00000000001406f0
+[  137.999052] Call Trace:
+[  137.999517]  svc_xprt_do_enqueue+0xef/0x260 [sunrpc]
+[  138.000028]  svc_xprt_received+0x47/0x90 [sunrpc]
+[  138.000487]  svc_add_new_perm_xprt+0x76/0x90 [sunrpc]
+[  138.000981]  svc_addsock+0x14b/0x200 [sunrpc]
+[  138.001424]  ? recalc_sigpending+0x1b/0x50
+[  138.001860]  ? __getnstimeofday64+0x41/0xd0
+[  138.002346]  ? do_gettimeofday+0x29/0x90
+[  138.002779]  write_ports+0x255/0x2c0 [nfsd]
+[  138.003202]  ? _copy_from_user+0x4e/0x80
+[  138.003676]  ? write_recoverydir+0x100/0x100 [nfsd]
+[  138.004098]  nfsctl_transaction_write+0x48/0x80 [nfsd]
+[  138.004544]  __vfs_write+0x37/0x160
+[  138.004982]  ? selinux_file_permission+0xd7/0x110
+[  138.005401]  ? security_file_permission+0x3b/0xc0
+[  138.005865]  vfs_write+0xb5/0x1a0
+[  138.006267]  SyS_write+0x55/0xc0
+[  138.006654]  entry_SYSCALL_64_fastpath+0x1a/0xa9
+[  138.007071] RIP: 0033:0x7f7554b9dc30
+[  138.007437] RSP: 002b:00007ffc9f92c788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[  138.007807] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f7554b9dc30
+[  138.008168] RDX: 0000000000000002 RSI: 00005640cd536640 RDI: 0000000000000003
+[  138.008573] RBP: 00007ffc9f92c780 R08: 0000000000000001 R09: 0000000000000002
+[  138.008918] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000004
+[  138.009254] R13: 00005640cdbf77a0 R14: 00005640cdbf7720 R15: 00007ffc9f92c238
+[  138.009610] Code: 0f 1f 44 00 00 48 8b 87 98 00 00 00 55 48 89 e5 48 83 78 08 00 74 10 8b 05 07 42 02 00 83 f8 01 74 40 83 f8 02 74 19 31 c0 31 d2 <f7> b7 88 00 00 00 5d 89 d0 48 c1 e0 07 48 03 87 90 00 00 00 c3
+[  138.010664] RIP: svc_pool_for_cpu+0x2b/0x80 [sunrpc] RSP: ffff9873c2607c18
+[  138.011061] ---[ end trace b3468224cafa7d11 ]---
+
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+---
+ fs/nfs/callback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/callback.c
++++ b/fs/nfs/callback.c
+@@ -287,7 +287,7 @@ static struct svc_serv *nfs_callback_cre
+ 		printk(KERN_WARNING "nfs_callback_create_svc: no kthread, %d users??\n",
+ 			cb_info->users);
+ 
+-	serv = svc_create(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);
++	serv = svc_create_pooled(&nfs4_callback_program, NFS4_CALLBACK_BUFSIZE, sv_ops);
+ 	if (!serv) {
+ 		printk(KERN_ERR "nfs_callback_create_svc: create service failed\n");
+ 		return ERR_PTR(-ENOMEM);
diff --git a/debian/patches/series b/debian/patches/series
index 8e7cdde04..4fc5fe3e9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -111,6 +111,7 @@ bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
 bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
 bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
 bugfix/all/nfsv4-fix-callback-server-shutdown.patch
+bugfix/all/nfsv4.x-callback-create-the-callback-service-through.patch
 bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
 bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
 bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch