<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/gfs2, branch linux-3.13.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>GFS2: Increase i_writecount during gfs2_setattr_chown</title>
<updated>2014-01-29T13:06:18+00:00</updated>
<author>
<name>Bob Peterson</name>
<email>rpeterso@redhat.com</email>
</author>
<published>2014-01-06T22:16:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b8c5f8b4b57c574f6cf2047e80e1565b2a07f09'/>
<id>1b8c5f8b4b57c574f6cf2047e80e1565b2a07f09</id>
<content type='text'>
commit 62e96cf81988101fe9e086b2877307b6adda5197 upstream.

This patch calls get_write_access in function gfs2_setattr_chown,
which merely increases inode-&gt;i_writecount for the duration of the
function. That will ensure that any file closes won't delete the
inode's multi-block reservation while the function is running.
It also ensures that a multi-block reservation exists when needed
for quota change operations during the chown.

Signed-off-by: Bob Peterson &lt;rpeterso@redhat.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 62e96cf81988101fe9e086b2877307b6adda5197 upstream.

This patch calls get_write_access in function gfs2_setattr_chown,
which merely increases inode-&gt;i_writecount for the duration of the
function. That will ensure that any file closes won't delete the
inode's multi-block reservation while the function is running.
It also ensures that a multi-block reservation exists when needed
for quota change operations during the chown.

Signed-off-by: Bob Peterson &lt;rpeterso@redhat.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: Fix unsafe dereference in dump_holder()</title>
<updated>2014-01-02T12:18:04+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2014-01-02T10:52:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0b3a2c9968d453d5827e635a6f3d69129f70af66'/>
<id>0b3a2c9968d453d5827e635a6f3d69129f70af66</id>
<content type='text'>
GLOCK_BUG_ON() might call this function without RCU read lock. Make sure that
RCU read lock is held when using task_struct returned from pid_task().

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
GLOCK_BUG_ON() might call this function without RCU read lock. Make sure that
RCU read lock is held when using task_struct returned from pid_task().

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: Wait for async DIO in glock state changes</title>
<updated>2013-12-20T10:42:08+00:00</updated>
<author>
<name>Steven Whitehouse</name>
<email>swhiteho@redhat.com</email>
</author>
<published>2013-12-19T11:04:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=582d2f7aedfde9e1a01170deb003df510aa778d3'/>
<id>582d2f7aedfde9e1a01170deb003df510aa778d3</id>
<content type='text'>
We need to wait for any outstanding DIO to complete in a couple
of situations. Firstly, in case we are changing out of deferred
mode (in inode_go_sync) where GLF_DIRTY will not be set. That
call could be prefixed with a test for gl_state == LM_ST_DEFERRED
but it doesn't seem worth it bearing in mind that the test for
outstanding DIO is very quick anyway, in the usual case that there
is none.

The second case is in inode_go_lock which will catch the cases
where we have a cached EX lock, but where we grant deferred locks
against it so that there is no glock state transistion. We only
need to wait if the state is not deferred, since DIO is valid
anyway in that state.

Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We need to wait for any outstanding DIO to complete in a couple
of situations. Firstly, in case we are changing out of deferred
mode (in inode_go_sync) where GLF_DIRTY will not be set. That
call could be prefixed with a test for gl_state == LM_ST_DEFERRED
but it doesn't seem worth it bearing in mind that the test for
outstanding DIO is very quick anyway, in the usual case that there
is none.

The second case is in inode_go_lock which will catch the cases
where we have a cached EX lock, but where we grant deferred locks
against it so that there is no glock state transistion. We only
need to wait if the state is not deferred, since DIO is valid
anyway in that state.

Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: Fix incorrect invalidation for DIO/buffered I/O</title>
<updated>2013-12-20T10:41:21+00:00</updated>
<author>
<name>Steven Whitehouse</name>
<email>swhiteho@redhat.com</email>
</author>
<published>2013-12-18T14:14:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dfd11184d894cd0a92397b25cac18831a1a6a5bc'/>
<id>dfd11184d894cd0a92397b25cac18831a1a6a5bc</id>
<content type='text'>
In patch 209806aba9d540dde3db0a5ce72307f85f33468f we allowed
local deferred locks to be granted against a cached exclusive
lock. That opened up a corner case which this patch now
fixes.

The solution to the problem is to check whether we have cached
pages each time we do direct I/O and if so to unmap, flush
and invalidate those pages. Since the glock state machine
normally does that for us, mostly the code will be a no-op.

Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In patch 209806aba9d540dde3db0a5ce72307f85f33468f we allowed
local deferred locks to be granted against a cached exclusive
lock. That opened up a corner case which this patch now
fixes.

The solution to the problem is to check whether we have cached
pages each time we do direct I/O and if so to unmap, flush
and invalidate those pages. Since the glock state machine
normally does that for us, mostly the code will be a no-op.

Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: Fix slab memory leak in gfs2_bufdata</title>
<updated>2013-12-13T21:42:40+00:00</updated>
<author>
<name>Bob Peterson</name>
<email>rpeterso@redhat.com</email>
</author>
<published>2013-12-13T13:31:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=502be2a32f09f388e4ff34ef2e3ebcabbbb261da'/>
<id>502be2a32f09f388e4ff34ef2e3ebcabbbb261da</id>
<content type='text'>
This patch fixes a slab memory leak that sometimes can occur
for files with a very short lifespan. The problem occurs when
a dinode is deleted before it has gotten to the journal properly.
In the leak scenario, the bd object is pinned for journal
committment (queued to the metadata buffers queue: sd_log_le_buf)
but is subsequently unpinned and dequeued before it finds its way
to the ail or the revoke queue. In this rare circumstance, the bd
object needs to be freed from slab memory, or it is forgotten.
We have to be very careful how we do it, though, because
multiple processes can call gfs2_remove_from_journal. In order to
avoid double-frees, only the process that does the unpinning is
allowed to free the bd.

Signed-off-by: Bob Peterson &lt;rpeterso@redhat.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a slab memory leak that sometimes can occur
for files with a very short lifespan. The problem occurs when
a dinode is deleted before it has gotten to the journal properly.
In the leak scenario, the bd object is pinned for journal
committment (queued to the metadata buffers queue: sd_log_le_buf)
but is subsequently unpinned and dequeued before it finds its way
to the ail or the revoke queue. In this rare circumstance, the bd
object needs to be freed from slab memory, or it is forgotten.
We have to be very careful how we do it, though, because
multiple processes can call gfs2_remove_from_journal. In order to
avoid double-frees, only the process that does the unpinning is
allowed to free the bd.

Signed-off-by: Bob Peterson &lt;rpeterso@redhat.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: Fix use-after-free race when calling gfs2_remove_from_ail</title>
<updated>2013-12-13T21:42:23+00:00</updated>
<author>
<name>Bob Peterson</name>
<email>rpeterso@redhat.com</email>
</author>
<published>2013-12-10T17:06:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9290a9a7c0bcf5400e8dbfbf9707fa68ea3fb338'/>
<id>9290a9a7c0bcf5400e8dbfbf9707fa68ea3fb338</id>
<content type='text'>
Function gfs2_remove_from_ail drops the reference on the bh via
brelse. This patch fixes a race condition whereby bh is deferenced
after the brelse when setting bd-&gt;bd_blkno = bh-&gt;b_blocknr;
Under certain rare circumstances, bh might be gone or reused,
and bd-&gt;bd_blkno is set to whatever that memory happens to be,
which is often 0. Later, in gfs2_trans_add_unrevoke, that bd fails
the test "bd-&gt;bd_blkno &gt;= blkno" which causes it to never be freed.
The end result is that the bd is never freed from the bufdata cache,
which results in this error:
slab error in kmem_cache_destroy(): cache `gfs2_bufdata': Can't free all objects

Signed-off-by: Bob Peterson &lt;rpeterso@redhat.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Function gfs2_remove_from_ail drops the reference on the bh via
brelse. This patch fixes a race condition whereby bh is deferenced
after the brelse when setting bd-&gt;bd_blkno = bh-&gt;b_blocknr;
Under certain rare circumstances, bh might be gone or reused,
and bd-&gt;bd_blkno is set to whatever that memory happens to be,
which is often 0. Later, in gfs2_trans_add_unrevoke, that bd fails
the test "bd-&gt;bd_blkno &gt;= blkno" which causes it to never be freed.
The end result is that the bd is never freed from the bufdata cache,
which results in this error:
slab error in kmem_cache_destroy(): cache `gfs2_bufdata': Can't free all objects

Signed-off-by: Bob Peterson &lt;rpeterso@redhat.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: don't hold s_umount over blkdev_put</title>
<updated>2013-12-13T21:42:03+00:00</updated>
<author>
<name>Steven Whitehouse</name>
<email>swhiteho@redhat.com</email>
</author>
<published>2013-12-06T11:52:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dfe5b9ad83a63180f358b27d1018649a27b394a9'/>
<id>dfe5b9ad83a63180f358b27d1018649a27b394a9</id>
<content type='text'>
This is a GFS2 version of Tejun's patch:
4f331f01b9c43bf001d3ffee578a97a1e0633eac
vfs: don't hold s_umount over close_bdev_exclusive() call

In this case its blkdev_put itself that is the issue and this
patch uses the same solution of dropping and retaking s_umount.

Reported-by: Tejun Heo &lt;tj@kernel.org&gt;
Reported-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is a GFS2 version of Tejun's patch:
4f331f01b9c43bf001d3ffee578a97a1e0633eac
vfs: don't hold s_umount over close_bdev_exclusive() call

In this case its blkdev_put itself that is the issue and this
patch uses the same solution of dropping and retaking s_umount.

Reported-by: Tejun Heo &lt;tj@kernel.org&gt;
Reported-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: Fix ref count bug relating to atomic_open</title>
<updated>2013-11-21T18:47:57+00:00</updated>
<author>
<name>Steven Whitehouse</name>
<email>swhiteho@redhat.com</email>
</author>
<published>2013-11-21T18:47:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea0341e071527d5cec350917b01ab901af09d758'/>
<id>ea0341e071527d5cec350917b01ab901af09d758</id>
<content type='text'>
In the case that atomic_open calls finish_no_open() with
the dentry that was supplied to gfs2_atomic_open() an
extra reference count is required. This patch fixes that
issue preventing a bug trap triggering at umount time.

Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In the case that atomic_open calls finish_no_open() with
the dentry that was supplied to gfs2_atomic_open() an
extra reference count is required. This patch fixes that
issue preventing a bug trap triggering at umount time.

Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GFS2: fix potential NULL pointer dereference</title>
<updated>2013-11-21T09:55:45+00:00</updated>
<author>
<name>Michal Nazarewicz</name>
<email>mina86@mina86.com</email>
</author>
<published>2013-11-12T12:30:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e3c4269d139db7471ee560fb30948179e180b3d4'/>
<id>e3c4269d139db7471ee560fb30948179e180b3d4</id>
<content type='text'>
Commit [e66cf1610: GFS2: Use lockref for glocks] replaced call:
    atomic_read(&amp;gi-&gt;gl-&gt;gl_ref) == 0
with:
    __lockref_is_dead(&amp;gl-&gt;gl_lockref)
therefore changing how gl is accessed, from gi-&gt;gl to plan gl.
However, gl can be a NULL pointer, and so gi-&gt;gl needs to be
used instead (which is guaranteed not to be NULL because fo
the while loop checking that condition).

Signed-off-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit [e66cf1610: GFS2: Use lockref for glocks] replaced call:
    atomic_read(&amp;gi-&gt;gl-&gt;gl_ref) == 0
with:
    __lockref_is_dead(&amp;gl-&gt;gl_lockref)
therefore changing how gl is accessed, from gi-&gt;gl to plan gl.
However, gl can be a NULL pointer, and so gi-&gt;gl needs to be
used instead (which is guaranteed not to be NULL because fo
the while loop checking that condition).

Signed-off-by: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Signed-off-by: Steven Whitehouse &lt;swhiteho@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>gfs2: endianness misannotations</title>
<updated>2013-11-16T03:04:16+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2013-06-02T23:53:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=951b4bd553e35a291e6b5732ab0124619e81da05'/>
<id>951b4bd553e35a291e6b5732ab0124619e81da05</id>
<content type='text'>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
