<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/9p, branch linux-3.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>9p: use inode-&gt;i_lock to protect i_size_write() under 32-bit</title>
<updated>2019-07-09T21:04:10+00:00</updated>
<author>
<name>Hou Tao</name>
<email>houtao1@huawei.com</email>
</author>
<published>2019-01-24T06:35:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8463eed58e131d0cc4db4c9f84fb8454e09e48dd'/>
<id>8463eed58e131d0cc4db4c9f84fb8454e09e48dd</id>
<content type='text'>
commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream.

Use inode-&gt;i_lock to protect i_size_write(), else i_size_read() in
generic_fillattr() may loop infinitely in read_seqcount_begin() when
multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl()
simultaneously under 32-bit SMP environment, and a soft lockup will be
triggered as shown below:

  watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217]
  Modules linked in:
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  PC is at generic_fillattr+0x104/0x108
  LR is at 0xec497f00
  pc : [&lt;802b8898&gt;]    lr : [&lt;ec497f00&gt;]    psr: 200c0013
  sp : ec497e20  ip : ed608030  fp : ec497e3c
  r10: 00000000  r9 : ec497f00  r8 : ed608030
  r7 : ec497ebc  r6 : ec497f00  r5 : ee5c1550  r4 : ee005780
  r3 : 0000052d  r2 : 00000000  r1 : ec497f00  r0 : ed608030
  Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: ac48006a  DAC: 00000051
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  Backtrace:
  [&lt;8010d974&gt;] (dump_backtrace) from [&lt;8010dc88&gt;] (show_stack+0x20/0x24)
  [&lt;8010dc68&gt;] (show_stack) from [&lt;80a1d194&gt;] (dump_stack+0xb0/0xdc)
  [&lt;80a1d0e4&gt;] (dump_stack) from [&lt;80109f34&gt;] (show_regs+0x1c/0x20)
  [&lt;80109f18&gt;] (show_regs) from [&lt;801d0a80&gt;] (watchdog_timer_fn+0x280/0x2f8)
  [&lt;801d0800&gt;] (watchdog_timer_fn) from [&lt;80198658&gt;] (__hrtimer_run_queues+0x18c/0x380)
  [&lt;801984cc&gt;] (__hrtimer_run_queues) from [&lt;80198e60&gt;] (hrtimer_run_queues+0xb8/0xf0)
  [&lt;80198da8&gt;] (hrtimer_run_queues) from [&lt;801973e8&gt;] (run_local_timers+0x28/0x64)
  [&lt;801973c0&gt;] (run_local_timers) from [&lt;80197460&gt;] (update_process_times+0x3c/0x6c)
  [&lt;80197424&gt;] (update_process_times) from [&lt;801ab2b8&gt;] (tick_nohz_handler+0xe0/0x1bc)
  [&lt;801ab1d8&gt;] (tick_nohz_handler) from [&lt;80843050&gt;] (arch_timer_handler_virt+0x38/0x48)
  [&lt;80843018&gt;] (arch_timer_handler_virt) from [&lt;80180a64&gt;] (handle_percpu_devid_irq+0x8c/0x240)
  [&lt;801809d8&gt;] (handle_percpu_devid_irq) from [&lt;8017ac20&gt;] (generic_handle_irq+0x34/0x44)
  [&lt;8017abec&gt;] (generic_handle_irq) from [&lt;8017b344&gt;] (__handle_domain_irq+0x6c/0xc4)
  [&lt;8017b2d8&gt;] (__handle_domain_irq) from [&lt;801022e0&gt;] (gic_handle_irq+0x4c/0x88)
  [&lt;80102294&gt;] (gic_handle_irq) from [&lt;80101a30&gt;] (__irq_svc+0x70/0x98)
  [&lt;802b8794&gt;] (generic_fillattr) from [&lt;8056b284&gt;] (v9fs_vfs_getattr_dotl+0x74/0xa4)
  [&lt;8056b210&gt;] (v9fs_vfs_getattr_dotl) from [&lt;802b8904&gt;] (vfs_getattr_nosec+0x68/0x7c)
  [&lt;802b889c&gt;] (vfs_getattr_nosec) from [&lt;802b895c&gt;] (vfs_getattr+0x44/0x48)
  [&lt;802b8918&gt;] (vfs_getattr) from [&lt;802b8a74&gt;] (vfs_statx+0x9c/0xec)
  [&lt;802b89d8&gt;] (vfs_statx) from [&lt;802b9428&gt;] (sys_lstat64+0x48/0x78)
  [&lt;802b93e0&gt;] (sys_lstat64) from [&lt;80101000&gt;] (ret_fast_syscall+0x0/0x28)

[dominique.martinet@cea.fr: updated comment to not refer to a function
in another subsystem]
Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com
Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode-&gt;i_size directly.")
Reported-by: Xing Gaopeng &lt;xingaopeng@huawei.com&gt;
Signed-off-by: Hou Tao &lt;houtao1@huawei.com&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed</title>
<updated>2018-12-16T22:08:43+00:00</updated>
<author>
<name>piaojun</name>
<email>piaojun@huawei.com</email>
</author>
<published>2018-07-25T03:13:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bd531ebf1538b1387cc93545ca647e54a1ff66bc'/>
<id>bd531ebf1538b1387cc93545ca647e54a1ff66bc</id>
<content type='text'>
commit 3111784bee81591ea2815011688d28b65df03627 upstream.

In my testing, v9fs_fid_xattr_set will return successfully even if the
backend ext4 filesystem has no space to store xattr key-value. That will
cause inconsistent behavior between front end and back end. The reason is
that lsetxattr will be triggered by p9_client_clunk, and unfortunately we
did not catch the error. This patch will catch the error to notify upper
caller.

p9_client_clunk (in 9p)
  p9_client_rpc(clnt, P9_TCLUNK, "d", fid-&gt;fid);
    v9fs_clunk (in qemu)
      put_fid
        free_fid
          v9fs_xattr_fid_clunk
            v9fs_co_lsetxattr
              s-&gt;ops-&gt;lsetxattr
                ext4_xattr_user_set (in host ext4 filesystem)

Link: http://lkml.kernel.org/r/5B57EACC.2060900@huawei.com
Signed-off-by: Jun Piao &lt;piaojun@huawei.com&gt;
Cc: Eric Van Hensbergen &lt;ericvh@gmail.com&gt;
Cc: Ron Minnich &lt;rminnich@sandia.gov&gt;
Cc: Latchesar Ionkov &lt;lucho@ionkov.net&gt;
Cc: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Dominique Martinet &lt;dominique.martinet@cea.fr&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>mm: drop vm_ops-&gt;remap_pages and generic_file_remap_pages() stub</title>
<updated>2018-10-03T03:09:51+00:00</updated>
<author>
<name>Kirill A. Shutemov</name>
<email>kirill.shutemov@linux.intel.com</email>
</author>
<published>2015-02-10T22:09:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ae347f225e91a960c61f7470a3b21bcb4ea5fcfa'/>
<id>ae347f225e91a960c61f7470a3b21bcb4ea5fcfa</id>
<content type='text'>
commit d83a08db5ba6072caa658745881f4baa9bad6a08 upstream.

Nobody uses it anymore.

[akpm@linux-foundation.org: fix filemap_xip.c]
Signed-off-by: Kirill A. Shutemov &lt;kirill.shutemov@linux.intel.com&gt;
Cc: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
[bwh: Backported to 3.16:
 - Deleted code is slightly different
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>fs/9p: Compare qid.path in v9fs_test_inode</title>
<updated>2018-02-13T18:42:09+00:00</updated>
<author>
<name>Tuomas Tynkkynen</name>
<email>tuomas@tuxera.com</email>
</author>
<published>2017-09-06T14:59:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d05531b619ded445ae3ec1182ddff26a6596318d'/>
<id>d05531b619ded445ae3ec1182ddff26a6596318d</id>
<content type='text'>
commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.

Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
instead of iget_locked(). However, the test() callback is not checking
fid.path at all, which means that a lookup in the inode cache can now
accidentally locate a completely wrong inode from the same inode hash
bucket if the other fields (qid.type and qid.version) match.

Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
Reviewed-by: Latchesar Ionkov &lt;lucho@ionkov.net&gt;
Signed-off-by: Tuomas Tynkkynen &lt;tuomas@tuxera.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>fs: Give dentry to inode_change_ok() instead of inode</title>
<updated>2017-02-23T03:53:52+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-05-26T14:55:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=50b070e8224f7bf86622ede1abee9fa3d3dc2f10'/>
<id>50b070e8224f7bf86622ede1abee9fa3d3dc2f10</id>
<content type='text'>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>Revert "fs: Give dentry to inode_change_ok() instead of inode"</title>
<updated>2017-02-23T03:53:52+00:00</updated>
<author>
<name>Ben Hutchings</name>
<email>ben@decadent.org.uk</email>
</author>
<published>2016-11-30T23:13:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c608c2d1aefca2bf63497663e17cfb49e6b022c'/>
<id>1c608c2d1aefca2bf63497663e17cfb49e6b022c</id>
<content type='text'>
This reverts commit be9df699432235753c3824b0f5a27d46de7fdc9e, which was
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.  The backport
breaks fuse and makes a mess of xfs, which can be improved by picking
further upstream commits as I should have done in the first place.

Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>posix_acl: Clear SGID bit when setting file permissions</title>
<updated>2016-11-20T01:17:38+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-09-19T15:39:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f2ba3e2310b3967720b83126db8684c69ce41894'/>
<id>f2ba3e2310b3967720b83126db8684c69ce41894</id>
<content type='text'>
commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows bypassing the check in chmod(2).  Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Andreas Gruenbacher &lt;agruenba@redhat.com&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs
 - Adjust context
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>fs: Give dentry to inode_change_ok() instead of inode</title>
<updated>2016-11-20T01:17:38+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-05-26T14:55:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=be9df699432235753c3824b0f5a27d46de7fdc9e'/>
<id>be9df699432235753c3824b0f5a27d46de7fdc9e</id>
<content type='text'>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In fuse, pass dentry to fuse_do_setattr()
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - In xfs, pass dentry to xfs_setattr_nonsize() and xfs_setattr_size()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>9p: -&gt;evict_inode() should kick out -&gt;i_data, not -&gt;i_mapping</title>
<updated>2016-01-11T10:50:20+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2015-12-08T08:07:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=19d1f4320ed477ece0a2f522c0dc69f71bf7c101'/>
<id>19d1f4320ed477ece0a2f522c0dc69f71bf7c101</id>
<content type='text'>
commit 4ad78628445d26e5e9487b2e8f23274ad7b0f5d3 upstream.

For block devices the pagecache is associated with the inode
on bdevfs, not with the aliasing ones on the mountable filesystems.
The latter have their own -&gt;i_data empty and -&gt;i_mapping pointing
to the (unique per major/minor) bdevfs inode.  That guarantees
cache coherence between all block device inodes with the same
device number.

Eviction of an alias inode has no business trying to evict the
pages belonging to bdevfs one; moreover, -&gt;i_mapping is only
safe to access when the thing is opened.  At the time of
-&gt;evict_inode() the victim is definitely *not* opened.  We are
about to kill the address space embedded into struct inode
(inode-&gt;i_data) and that's what we need to empty of any pages.

9p instance tries to empty inode-&gt;i_mapping instead, which is
both unsafe and bogus - if we have several device nodes with
the same device number in different places, closing one of them
should not try to empty the (shared) page cache.

Fortunately, other instances in the tree are OK; they are
evicting from &amp;inode-&gt;i_data instead, as 9p one should.

Reported-by: "Suzuki K. Poulose" &lt;Suzuki.Poulose@arm.com&gt;
Tested-by: "Suzuki K. Poulose" &lt;Suzuki.Poulose@arm.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
</entry>
<entry>
<title>9p: don't leave a half-initialized inode sitting around</title>
<updated>2015-08-10T08:54:03+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2015-07-12T14:34:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=33d240967e88e16d77e437f423631bc4a3873f9b'/>
<id>33d240967e88e16d77e437f423631bc4a3873f9b</id>
<content type='text'>
commit 0a73d0a204a4a04a1e110539c5a524ae51f91d6d upstream.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
</entry>
</feed>
