<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/ceph, branch v3.16.52</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ceph: fix memory leak in __ceph_setxattr()</title>
<updated>2017-08-26T01:14:46+00:00</updated>
<author>
<name>Luis Henriques</name>
<email>lhenriques@suse.com</email>
</author>
<published>2017-04-28T10:14:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3c42d664ecdf13818fa57db42184e1210e5613e7'/>
<id>3c42d664ecdf13818fa57db42184e1210e5613e7</id>
<content type='text'>
commit eeca958dce0a9231d1969f86196653eb50fcc9b3 upstream.

The ceph_inode_xattr needs to be released when removing an xattr.  Easily
reproducible running the 'generic/020' test from xfstests or simply by
doing:

  attr -s attr0 -V 0 /mnt/test &amp;&amp; attr -r attr0 /mnt/test

While there, also fix the error path.

Here's the kmemleak splat:

unreferenced object 0xffff88001f86fbc0 (size 64):
  comm "attr", pid 244, jiffies 4294904246 (age 98.464s)
  hex dump (first 32 bytes):
    40 fa 86 1f 00 88 ff ff 80 32 38 1f 00 88 ff ff  @........28.....
    00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de  ................
  backtrace:
    [&lt;ffffffff81560199&gt;] kmemleak_alloc+0x49/0xa0
    [&lt;ffffffff810f3e5b&gt;] kmem_cache_alloc+0x9b/0xf0
    [&lt;ffffffff812b157e&gt;] __ceph_setxattr+0x17e/0x820
    [&lt;ffffffff812b1c57&gt;] ceph_set_xattr_handler+0x37/0x40
    [&lt;ffffffff8111fb4b&gt;] __vfs_removexattr+0x4b/0x60
    [&lt;ffffffff8111fd37&gt;] vfs_removexattr+0x77/0xd0
    [&lt;ffffffff8111fdd1&gt;] removexattr+0x41/0x60
    [&lt;ffffffff8111fe65&gt;] path_removexattr+0x75/0xa0
    [&lt;ffffffff81120aeb&gt;] SyS_lremovexattr+0xb/0x10
    [&lt;ffffffff81564b20&gt;] entry_SYSCALL_64_fastpath+0x13/0x94
    [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

Signed-off-by: Luis Henriques &lt;lhenriques@suse.com&gt;
Reviewed-by: "Yan, Zheng" &lt;zyan@redhat.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit eeca958dce0a9231d1969f86196653eb50fcc9b3 upstream.

The ceph_inode_xattr needs to be released when removing an xattr.  Easily
reproducible running the 'generic/020' test from xfstests or simply by
doing:

  attr -s attr0 -V 0 /mnt/test &amp;&amp; attr -r attr0 /mnt/test

While there, also fix the error path.

Here's the kmemleak splat:

unreferenced object 0xffff88001f86fbc0 (size 64):
  comm "attr", pid 244, jiffies 4294904246 (age 98.464s)
  hex dump (first 32 bytes):
    40 fa 86 1f 00 88 ff ff 80 32 38 1f 00 88 ff ff  @........28.....
    00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de  ................
  backtrace:
    [&lt;ffffffff81560199&gt;] kmemleak_alloc+0x49/0xa0
    [&lt;ffffffff810f3e5b&gt;] kmem_cache_alloc+0x9b/0xf0
    [&lt;ffffffff812b157e&gt;] __ceph_setxattr+0x17e/0x820
    [&lt;ffffffff812b1c57&gt;] ceph_set_xattr_handler+0x37/0x40
    [&lt;ffffffff8111fb4b&gt;] __vfs_removexattr+0x4b/0x60
    [&lt;ffffffff8111fd37&gt;] vfs_removexattr+0x77/0xd0
    [&lt;ffffffff8111fdd1&gt;] removexattr+0x41/0x60
    [&lt;ffffffff8111fe65&gt;] path_removexattr+0x75/0xa0
    [&lt;ffffffff81120aeb&gt;] SyS_lremovexattr+0xb/0x10
    [&lt;ffffffff81564b20&gt;] entry_SYSCALL_64_fastpath+0x13/0x94
    [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

Signed-off-by: Luis Henriques &lt;lhenriques@suse.com&gt;
Reviewed-by: "Yan, Zheng" &lt;zyan@redhat.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ceph: fix recursion between ceph_set_acl() and __ceph_setattr()</title>
<updated>2017-07-18T17:40:39+00:00</updated>
<author>
<name>Yan, Zheng</name>
<email>zyan@redhat.com</email>
</author>
<published>2017-04-19T02:01:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=51bd778ac81c5a822053853ad3efc169f9421cd8'/>
<id>51bd778ac81c5a822053853ad3efc169f9421cd8</id>
<content type='text'>
commit 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 upstream.

ceph_set_acl() calls __ceph_setattr() if the setacl operation needs
to modify inode's i_mode. __ceph_setattr() updates inode's i_mode,
then calls posix_acl_chmod().

The problem is that __ceph_setattr() calls posix_acl_chmod() before
sending the setattr request. The get_acl() call in posix_acl_chmod()
can trigger a getxattr request. The reply of the getxattr request
can restore inode's i_mode to its old value. The set_acl() call in
posix_acl_chmod() sees old value of inode's i_mode, so it calls
__ceph_setattr() again.

Link: http://tracker.ceph.com/issues/19688
Reported-by: Jerry Lee &lt;leisurelysw24@gmail.com&gt;
Signed-off-by: "Yan, Zheng" &lt;zyan@redhat.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Tested-by: Luis Henriques &lt;lhenriques@suse.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
[bwh: Backported to 3.16: All the changes are made in ceph_setattr() as
 there is no __ceph_setattr() function.]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 upstream.

ceph_set_acl() calls __ceph_setattr() if the setacl operation needs
to modify inode's i_mode. __ceph_setattr() updates inode's i_mode,
then calls posix_acl_chmod().

The problem is that __ceph_setattr() calls posix_acl_chmod() before
sending the setattr request. The get_acl() call in posix_acl_chmod()
can trigger a getxattr request. The reply of the getxattr request
can restore inode's i_mode to its old value. The set_acl() call in
posix_acl_chmod() sees old value of inode's i_mode, so it calls
__ceph_setattr() again.

Link: http://tracker.ceph.com/issues/19688
Reported-by: Jerry Lee &lt;leisurelysw24@gmail.com&gt;
Signed-off-by: "Yan, Zheng" &lt;zyan@redhat.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Tested-by: Luis Henriques &lt;lhenriques@suse.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
[bwh: Backported to 3.16: All the changes are made in ceph_setattr() as
 there is no __ceph_setattr() function.]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ceph: fix bad endianness handling in parse_reply_info_extra</title>
<updated>2017-03-16T02:27:01+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2017-01-12T19:42:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=09fb90120f98ce0f6692e36ae09b4f2c7ad34ad9'/>
<id>09fb90120f98ce0f6692e36ae09b4f2c7ad34ad9</id>
<content type='text'>
commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.

sparse says:

    fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer

The op value is __le32, so we need to convert it before comparing it.

Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.

sparse says:

    fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer

The op value is __le32, so we need to convert it before comparing it.

Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fs: Give dentry to inode_change_ok() instead of inode</title>
<updated>2017-02-23T03:53:52+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-05-26T14:55:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=50b070e8224f7bf86622ede1abee9fa3d3dc2f10'/>
<id>50b070e8224f7bf86622ede1abee9fa3d3dc2f10</id>
<content type='text'>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be resposible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better relect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be resposible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better relect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "fs: Give dentry to inode_change_ok() instead of inode"</title>
<updated>2017-02-23T03:53:52+00:00</updated>
<author>
<name>Ben Hutchings</name>
<email>ben@decadent.org.uk</email>
</author>
<published>2016-11-30T23:13:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c608c2d1aefca2bf63497663e17cfb49e6b022c'/>
<id>1c608c2d1aefca2bf63497663e17cfb49e6b022c</id>
<content type='text'>
This reverts commit be9df699432235753c3824b0f5a27d46de7fdc9e, which was
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.  The backport
breaks fuse and makes a mess of xfs, which can be improved by picking
further upstream commits as I should have done in the first place.

Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit be9df699432235753c3824b0f5a27d46de7fdc9e, which was
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.  The backport
breaks fuse and makes a mess of xfs, which can be improved by picking
further upstream commits as I should have done in the first place.

Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>posix_acl: Clear SGID bit when setting file permissions</title>
<updated>2016-11-20T01:17:38+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-09-19T15:39:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f2ba3e2310b3967720b83126db8684c69ce41894'/>
<id>f2ba3e2310b3967720b83126db8684c69ce41894</id>
<content type='text'>
commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Andreas Gruenbacher &lt;agruenba@redhat.com&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs
 - Adjust context
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Andreas Gruenbacher &lt;agruenba@redhat.com&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs
 - Adjust context
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fs: Give dentry to inode_change_ok() instead of inode</title>
<updated>2016-11-20T01:17:38+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-05-26T14:55:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=be9df699432235753c3824b0f5a27d46de7fdc9e'/>
<id>be9df699432235753c3824b0f5a27d46de7fdc9e</id>
<content type='text'>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be resposible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better relect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In fuse, pass dentry to fuse_do_setattr()
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - In xfs, pass dentry to xfs_setattr_nonsize() and xfs_setattr_size()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be resposible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better relect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In fuse, pass dentry to fuse_do_setattr()
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - In xfs, pass dentry to xfs_setattr_nonsize() and xfs_setattr_size()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ceph: Correctly return NXIO errors from ceph_llseek</title>
<updated>2016-11-20T01:16:59+00:00</updated>
<author>
<name>Phil Turnbull</name>
<email>phil.turnbull@oracle.com</email>
</author>
<published>2016-07-21T17:43:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c9b756501037d100305f6ac28efc23830103b55c'/>
<id>c9b756501037d100305f6ac28efc23830103b55c</id>
<content type='text'>
commit 955818cd5b6c4b58ea574ace4573e7afa4c19c1e upstream.

ceph_llseek does not correctly return NXIO errors because the 'out' path
always returns 'offset'.

Fixes: 06222e491e66 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
Signed-off-by: Phil Turnbull &lt;phil.turnbull@oracle.com&gt;
Signed-off-by: Yan, Zheng &lt;zyan@redhat.com&gt;
[bwh: Backported to 3.16; adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 955818cd5b6c4b58ea574ace4573e7afa4c19c1e upstream.

ceph_llseek does not correctly return NXIO errors because the 'out' path
always returns 'offset'.

Fixes: 06222e491e66 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
Signed-off-by: Phil Turnbull &lt;phil.turnbull@oracle.com&gt;
Signed-off-by: Yan, Zheng &lt;zyan@redhat.com&gt;
[bwh: Backported to 3.16; adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libceph: make authorizer destruction independent of ceph_auth_client</title>
<updated>2016-06-15T20:29:27+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2016-04-11T17:34:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5d740c28a3dc8ffb877d7ebcf2f07dd716aa47da'/>
<id>5d740c28a3dc8ffb877d7ebcf2f07dd716aa47da</id>
<content type='text'>
commit 6c1ea260f89709e0021d2c59f8fd2a104b5b1123 upstream.

Starting the kernel client with cephx disabled and then enabling cephx
and restarting userspace daemons can result in a crash:

    [262671.478162] BUG: unable to handle kernel paging request at ffffebe000000000
    [262671.531460] IP: [&lt;ffffffff811cd04a&gt;] kfree+0x5a/0x130
    [262671.584334] PGD 0
    [262671.635847] Oops: 0000 [#1] SMP
    [262672.055841] CPU: 22 PID: 2961272 Comm: kworker/22:2 Not tainted 4.2.0-34-generic #39~14.04.1-Ubuntu
    [262672.162338] Hardware name: Dell Inc. PowerEdge R720/068CDY, BIOS 2.4.3 07/09/2014
    [262672.268937] Workqueue: ceph-msgr con_work [libceph]
    [262672.322290] task: ffff88081c2d0dc0 ti: ffff880149ae8000 task.ti: ffff880149ae8000
    [262672.428330] RIP: 0010:[&lt;ffffffff811cd04a&gt;]  [&lt;ffffffff811cd04a&gt;] kfree+0x5a/0x130
    [262672.535880] RSP: 0018:ffff880149aeba58  EFLAGS: 00010286
    [262672.589486] RAX: 000001e000000000 RBX: 0000000000000012 RCX: ffff8807e7461018
    [262672.695980] RDX: 000077ff80000000 RSI: ffff88081af2be04 RDI: 0000000000000012
    [262672.803668] RBP: ffff880149aeba78 R08: 0000000000000000 R09: 0000000000000000
    [262672.912299] R10: ffffebe000000000 R11: ffff880819a60e78 R12: ffff8800aec8df40
    [262673.021769] R13: ffffffffc035f70f R14: ffff8807e5b138e0 R15: ffff880da9785840
    [262673.131722] FS:  0000000000000000(0000) GS:ffff88081fac0000(0000) knlGS:0000000000000000
    [262673.245377] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [262673.303281] CR2: ffffebe000000000 CR3: 0000000001c0d000 CR4: 00000000001406e0
    [262673.417556] Stack:
    [262673.472943]  ffff880149aeba88 ffff88081af2be04 ffff8800aec8df40 ffff88081af2be04
    [262673.583767]  ffff880149aeba98 ffffffffc035f70f ffff880149aebac8 ffff8800aec8df00
    [262673.694546]  ffff880149aebac8 ffffffffc035c89e ffff8807e5b138e0 ffff8805b047f800
    [262673.805230] Call Trace:
    [262673.859116]  [&lt;ffffffffc035f70f&gt;] ceph_x_destroy_authorizer+0x1f/0x50 [libceph]
    [262673.968705]  [&lt;ffffffffc035c89e&gt;] ceph_auth_destroy_authorizer+0x3e/0x60 [libceph]
    [262674.078852]  [&lt;ffffffffc0352805&gt;] put_osd+0x45/0x80 [libceph]
    [262674.134249]  [&lt;ffffffffc035290e&gt;] remove_osd+0xae/0x140 [libceph]
    [262674.189124]  [&lt;ffffffffc0352aa3&gt;] __reset_osd+0x103/0x150 [libceph]
    [262674.243749]  [&lt;ffffffffc0354703&gt;] kick_requests+0x223/0x460 [libceph]
    [262674.297485]  [&lt;ffffffffc03559e2&gt;] ceph_osdc_handle_map+0x282/0x5e0 [libceph]
    [262674.350813]  [&lt;ffffffffc035022e&gt;] dispatch+0x4e/0x720 [libceph]
    [262674.403312]  [&lt;ffffffffc034bd91&gt;] try_read+0x3d1/0x1090 [libceph]
    [262674.454712]  [&lt;ffffffff810ab7c2&gt;] ? dequeue_entity+0x152/0x690
    [262674.505096]  [&lt;ffffffffc034cb1b&gt;] con_work+0xcb/0x1300 [libceph]
    [262674.555104]  [&lt;ffffffff8108fb3e&gt;] process_one_work+0x14e/0x3d0
    [262674.604072]  [&lt;ffffffff810901ea&gt;] worker_thread+0x11a/0x470
    [262674.652187]  [&lt;ffffffff810900d0&gt;] ? rescuer_thread+0x310/0x310
    [262674.699022]  [&lt;ffffffff810957a2&gt;] kthread+0xd2/0xf0
    [262674.744494]  [&lt;ffffffff810956d0&gt;] ? kthread_create_on_node+0x1c0/0x1c0
    [262674.789543]  [&lt;ffffffff817bd81f&gt;] ret_from_fork+0x3f/0x70
    [262674.834094]  [&lt;ffffffff810956d0&gt;] ? kthread_create_on_node+0x1c0/0x1c0

What happens is the following:

    (1) new MON session is established
    (2) old "none" ac is destroyed
    (3) new "cephx" ac is constructed
    ...
    (4) old OSD session (w/ "none" authorizer) is put
          ceph_auth_destroy_authorizer(ac, osd-&gt;o_auth.authorizer)

osd-&gt;o_auth.authorizer in the "none" case is just a bare pointer into
ac, which contains a single static copy for all services.  By the time
we get to (4), "none" ac, freed in (2), is long gone.  On top of that,
a new vtable installed in (3) points us at ceph_x_destroy_authorizer(),
so we end up trying to destroy a "none" authorizer with a "cephx"
destructor operating on invalid memory!

To fix this, decouple authorizer destruction from ac and do away with
a single static "none" authorizer by making a copy for each OSD or MDS
session.  Authorizers themselves are independent of ac and so there is
no reason for destroy_authorizer() to be an ac op.  Make it an op on
the authorizer itself by turning ceph_authorizer into a real struct.

Fixes: http://tracker.ceph.com/issues/15447

Reported-by: Alan Zhang &lt;alan.zhang@linux.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
[bwh: Backported to 3.16:
 - Implementation of ceph_x_destroy_authorizer() is different
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6c1ea260f89709e0021d2c59f8fd2a104b5b1123 upstream.

Starting the kernel client with cephx disabled and then enabling cephx
and restarting userspace daemons can result in a crash:

    [262671.478162] BUG: unable to handle kernel paging request at ffffebe000000000
    [262671.531460] IP: [&lt;ffffffff811cd04a&gt;] kfree+0x5a/0x130
    [262671.584334] PGD 0
    [262671.635847] Oops: 0000 [#1] SMP
    [262672.055841] CPU: 22 PID: 2961272 Comm: kworker/22:2 Not tainted 4.2.0-34-generic #39~14.04.1-Ubuntu
    [262672.162338] Hardware name: Dell Inc. PowerEdge R720/068CDY, BIOS 2.4.3 07/09/2014
    [262672.268937] Workqueue: ceph-msgr con_work [libceph]
    [262672.322290] task: ffff88081c2d0dc0 ti: ffff880149ae8000 task.ti: ffff880149ae8000
    [262672.428330] RIP: 0010:[&lt;ffffffff811cd04a&gt;]  [&lt;ffffffff811cd04a&gt;] kfree+0x5a/0x130
    [262672.535880] RSP: 0018:ffff880149aeba58  EFLAGS: 00010286
    [262672.589486] RAX: 000001e000000000 RBX: 0000000000000012 RCX: ffff8807e7461018
    [262672.695980] RDX: 000077ff80000000 RSI: ffff88081af2be04 RDI: 0000000000000012
    [262672.803668] RBP: ffff880149aeba78 R08: 0000000000000000 R09: 0000000000000000
    [262672.912299] R10: ffffebe000000000 R11: ffff880819a60e78 R12: ffff8800aec8df40
    [262673.021769] R13: ffffffffc035f70f R14: ffff8807e5b138e0 R15: ffff880da9785840
    [262673.131722] FS:  0000000000000000(0000) GS:ffff88081fac0000(0000) knlGS:0000000000000000
    [262673.245377] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [262673.303281] CR2: ffffebe000000000 CR3: 0000000001c0d000 CR4: 00000000001406e0
    [262673.417556] Stack:
    [262673.472943]  ffff880149aeba88 ffff88081af2be04 ffff8800aec8df40 ffff88081af2be04
    [262673.583767]  ffff880149aeba98 ffffffffc035f70f ffff880149aebac8 ffff8800aec8df00
    [262673.694546]  ffff880149aebac8 ffffffffc035c89e ffff8807e5b138e0 ffff8805b047f800
    [262673.805230] Call Trace:
    [262673.859116]  [&lt;ffffffffc035f70f&gt;] ceph_x_destroy_authorizer+0x1f/0x50 [libceph]
    [262673.968705]  [&lt;ffffffffc035c89e&gt;] ceph_auth_destroy_authorizer+0x3e/0x60 [libceph]
    [262674.078852]  [&lt;ffffffffc0352805&gt;] put_osd+0x45/0x80 [libceph]
    [262674.134249]  [&lt;ffffffffc035290e&gt;] remove_osd+0xae/0x140 [libceph]
    [262674.189124]  [&lt;ffffffffc0352aa3&gt;] __reset_osd+0x103/0x150 [libceph]
    [262674.243749]  [&lt;ffffffffc0354703&gt;] kick_requests+0x223/0x460 [libceph]
    [262674.297485]  [&lt;ffffffffc03559e2&gt;] ceph_osdc_handle_map+0x282/0x5e0 [libceph]
    [262674.350813]  [&lt;ffffffffc035022e&gt;] dispatch+0x4e/0x720 [libceph]
    [262674.403312]  [&lt;ffffffffc034bd91&gt;] try_read+0x3d1/0x1090 [libceph]
    [262674.454712]  [&lt;ffffffff810ab7c2&gt;] ? dequeue_entity+0x152/0x690
    [262674.505096]  [&lt;ffffffffc034cb1b&gt;] con_work+0xcb/0x1300 [libceph]
    [262674.555104]  [&lt;ffffffff8108fb3e&gt;] process_one_work+0x14e/0x3d0
    [262674.604072]  [&lt;ffffffff810901ea&gt;] worker_thread+0x11a/0x470
    [262674.652187]  [&lt;ffffffff810900d0&gt;] ? rescuer_thread+0x310/0x310
    [262674.699022]  [&lt;ffffffff810957a2&gt;] kthread+0xd2/0xf0
    [262674.744494]  [&lt;ffffffff810956d0&gt;] ? kthread_create_on_node+0x1c0/0x1c0
    [262674.789543]  [&lt;ffffffff817bd81f&gt;] ret_from_fork+0x3f/0x70
    [262674.834094]  [&lt;ffffffff810956d0&gt;] ? kthread_create_on_node+0x1c0/0x1c0

What happens is the following:

    (1) new MON session is established
    (2) old "none" ac is destroyed
    (3) new "cephx" ac is constructed
    ...
    (4) old OSD session (w/ "none" authorizer) is put
          ceph_auth_destroy_authorizer(ac, osd-&gt;o_auth.authorizer)

osd-&gt;o_auth.authorizer in the "none" case is just a bare pointer into
ac, which contains a single static copy for all services.  By the time
we get to (4), "none" ac, freed in (2), is long gone.  On top of that,
a new vtable installed in (3) points us at ceph_x_destroy_authorizer(),
so we end up trying to destroy a "none" authorizer with a "cephx"
destructor operating on invalid memory!

To fix this, decouple authorizer destruction from ac and do away with
a single static "none" authorizer by making a copy for each OSD or MDS
session.  Authorizers themselves are independent of ac and so there is
no reason for destroy_authorizer() to be an ac op.  Make it an op on
the authorizer itself by turning ceph_authorizer into a real struct.

Fixes: http://tracker.ceph.com/issues/15447

Reported-by: Alan Zhang &lt;alan.zhang@linux.com&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Sage Weil &lt;sage@redhat.com&gt;
[bwh: Backported to 3.16:
 - Implementation of ceph_x_destroy_authorizer() is different
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ceph: fix request time stamp encoding</title>
<updated>2016-04-11T08:51:43+00:00</updated>
<author>
<name>Yan, Zheng</name>
<email>zyan@redhat.com</email>
</author>
<published>2016-04-01T17:38:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3ffac7f4aaf5d20791fd2d9b7a31f44dc97414dc'/>
<id>3ffac7f4aaf5d20791fd2d9b7a31f44dc97414dc</id>
<content type='text'>
commit 1f041a89b4f22cf2e701514f4b8f73a8b1e06a3e upstream.

struct timespec uses 'long' to present second and nanosecond. 'long'
is 64 bits on 64bits machine. ceph MDS expects time stamp to be
encoded as struct ceph_timespec, which uses 'u32' to present second
and nanosecond.

Signed-off-by: Yan, Zheng &lt;zyan@redhat.com&gt;
BugLink: http://tracker.ceph.com/issues/15302
BugLink: http://bugs.launchpad.net/bugs/1564950
[ kamal: backport to 3.16-stable: no time stamp in __prepare_send_request() ]
Signed-off-by: Kamal Mostafa &lt;kamal@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1f041a89b4f22cf2e701514f4b8f73a8b1e06a3e upstream.

struct timespec uses 'long' to present second and nanosecond. 'long'
is 64 bits on 64bits machine. ceph MDS expects time stamp to be
encoded as struct ceph_timespec, which uses 'u32' to present second
and nanosecond.

Signed-off-by: Yan, Zheng &lt;zyan@redhat.com&gt;
BugLink: http://tracker.ceph.com/issues/15302
BugLink: http://bugs.launchpad.net/bugs/1564950
[ kamal: backport to 3.16-stable: no time stamp in __prepare_send_request() ]
Signed-off-by: Kamal Mostafa &lt;kamal@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
