We can't have nfs_wb_page() truncate the page from the mapping if there's an error on the context without returning that error, because we may be in nfs_updatepage() holding the page and trying to update the request. Not having any error returned means we'll proceed to create a new request and dereference the truncated page->mapping. If we're going to remove the page, always return the error that signaled us to do so in nfs_page_async_flush(). Fixes: c373fff7bd25 ("NFSv4: Don't special case "launder"") Cc: stable@xxxxxxxxxxxxxxx # v4.11 Signed-off-by: Benjamin Coddington <bcodding@xxxxxxxxxx> --- fs/nfs/write.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/nfs/write.c b/fs/nfs/write.c index 5a0bbf917a32..c274339176cc 100644 --- a/fs/nfs/write.c +++ b/fs/nfs/write.c @@ -622,9 +622,11 @@ static int nfs_page_async_flush(struct nfs_pageio_descriptor *pgio, WARN_ON_ONCE(test_bit(PG_CLEAN, &req->wb_flags)); ret = 0; - /* If there is a fatal error that covers this write, just exit */ - if (nfs_error_is_fatal_on_server(req->wb_context->error)) + /* If there is a fatal on server error on this context, just exit */ + if (nfs_error_is_fatal_on_server(req->wb_context->error)) { + ret = req->wb_context->error; goto out_launder; + } if (!nfs_pageio_add_request(pgio, req)) { ret = pgio->pg_error; -- 2.14.3
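Review bot: In the new braced block under the `nfs_error_is_fatal_on_server()` check, `req->wb_context->error` is read twice, once for the test and once for `ret = req->wb_context->error;`, so if the context's error field changes between the two reads, the value returned may not be the one that was tested (including a value that is not fatal). Consider loading the field once into `ret` ahead of the check, testing `ret`, and resetting `ret = 0` on the non-fatal path so the existing `ret = 0;` behaviour is preserved. The reworded comment "fatal on server error on this context, just exit" is also hard to parse and no longer describes the whole action; something like "If a fatal server error is recorded on this context, return it and exit" would document that the error is now propagated, which is the point of the fix described in the commit message.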