<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs, branch v3.12.57</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>efi: Make efivarfs entries immutable by default</title>
<updated>2016-03-14T22:10:35+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2016-02-08T19:48:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9a4e72fd30356aa8d017c1dcc6a29d11a41093b7'/>
<id>9a4e72fd30356aa8d017c1dcc6a29d11a41093b7</id>
<content type='text'>
commit ed8b0de5a33d2a2557dce7f9429dca8cb5bc5879 upstream.

"rm -rf" is bricking some peoples' laptops because of variables being
used to store non-reinitializable firmware driver data that's required
to POST the hardware.

These are 100% bugs, and they need to be fixed, but in the mean time it
shouldn't be easy to *accidentally* brick machines.

We have to have delete working, and picking which variables do and don't
work for deletion is quite intractable, so instead make everything
immutable by default (except for a whitelist), and make tools that
aren't quite so broad-spectrum unset the immutable flag.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
Tested-by: Lee, Chun-Yi &lt;jlee@suse.com&gt;
Acked-by: Matthew Garrett &lt;mjg59@coreos.com&gt;
Signed-off-by: Matt Fleming &lt;matt@codeblueprint.co.uk&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ed8b0de5a33d2a2557dce7f9429dca8cb5bc5879 upstream.

"rm -rf" is bricking some peoples' laptops because of variables being
used to store non-reinitializable firmware driver data that's required
to POST the hardware.

These are 100% bugs, and they need to be fixed, but in the mean time it
shouldn't be easy to *accidentally* brick machines.

We have to have delete working, and picking which variables do and don't
work for deletion is quite intractable, so instead make everything
immutable by default (except for a whitelist), and make tools that
aren't quite so broad-spectrum unset the immutable flag.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
Tested-by: Lee, Chun-Yi &lt;jlee@suse.com&gt;
Acked-by: Matthew Garrett &lt;mjg59@coreos.com&gt;
Signed-off-by: Matt Fleming &lt;matt@codeblueprint.co.uk&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version</title>
<updated>2016-03-14T22:10:33+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2016-02-08T19:48:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bbe4e68df61a0445530f871a54344baf8de7a3c4'/>
<id>bbe4e68df61a0445530f871a54344baf8de7a3c4</id>
<content type='text'>
commit e0d64e6a880e64545ad7d55786aa84ab76bac475 upstream.

Translate EFI's UCS-2 variable names to UTF-8 instead of just assuming
all variable names fit in ASCII.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
Acked-by: Matthew Garrett &lt;mjg59@coreos.com&gt;
Tested-by: Lee, Chun-Yi &lt;jlee@suse.com&gt;
Signed-off-by: Matt Fleming &lt;matt@codeblueprint.co.uk&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e0d64e6a880e64545ad7d55786aa84ab76bac475 upstream.

Translate EFI's UCS-2 variable names to UTF-8 instead of just assuming
all variable names fit in ASCII.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
Acked-by: Matthew Garrett &lt;mjg59@coreos.com&gt;
Tested-by: Lee, Chun-Yi &lt;jlee@suse.com&gt;
Signed-off-by: Matt Fleming &lt;matt@codeblueprint.co.uk&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Fix directory hardlinks from deleted directories</title>
<updated>2016-03-07T15:05:25+00:00</updated>
<author>
<name>David Woodhouse</name>
<email>David.Woodhouse@intel.com</email>
</author>
<published>2016-02-01T14:04:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b114d10a8707955b444a98f8c78aabfc0f4ccdcd'/>
<id>b114d10a8707955b444a98f8c78aabfc0f4ccdcd</id>
<content type='text'>
commit be629c62a603e5935f8177fd8a19e014100a259e upstream.

When a directory is deleted, we don't take too much care about killing off
all the dirents that belong to it — on the basis that on remount, the scan
will conclude that the directory is dead anyway.

This doesn't work though, when the deleted directory contained a child
directory which was moved *out*. In the early stages of the fs build
we can then end up with an apparent hard link, with the child directory
appearing both in its true location, and as a child of the original
directory which are this stage of the mount process we don't *yet* know
is defunct.

To resolve this, take out the early special-casing of the "directories
shall not have hard links" rule in jffs2_build_inode_pass1(), and let the
normal nlink processing happen for directories as well as other inodes.

Then later in the build process we can set ic-&gt;pino_nlink to the parent
inode#, as is required for directories during normal operaton, instead
of the nlink. And complain only *then* about hard links which are still
in evidence even after killing off all the unreachable paths.

Reported-by: Liu Song &lt;liu.song11@zte.com.cn&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit be629c62a603e5935f8177fd8a19e014100a259e upstream.

When a directory is deleted, we don't take too much care about killing off
all the dirents that belong to it — on the basis that on remount, the scan
will conclude that the directory is dead anyway.

This doesn't work though, when the deleted directory contained a child
directory which was moved *out*. In the early stages of the fs build
we can then end up with an apparent hard link, with the child directory
appearing both in its true location, and as a child of the original
directory which are this stage of the mount process we don't *yet* know
is defunct.

To resolve this, take out the early special-casing of the "directories
shall not have hard links" rule in jffs2_build_inode_pass1(), and let the
normal nlink processing happen for directories as well as other inodes.

Then later in the build process we can set ic-&gt;pino_nlink to the parent
inode#, as is required for directories during normal operaton, instead
of the nlink. And complain only *then* about hard links which are still
in evidence even after killing off all the unreachable paths.

Reported-by: Liu Song &lt;liu.song11@zte.com.cn&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: Fix page lock / f-&gt;sem deadlock</title>
<updated>2016-03-07T15:05:24+00:00</updated>
<author>
<name>David Woodhouse</name>
<email>David.Woodhouse@intel.com</email>
</author>
<published>2016-02-01T12:37:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d65e96441a3fa29813f447f69621932f774561b9'/>
<id>d65e96441a3fa29813f447f69621932f774561b9</id>
<content type='text'>
commit 49e91e7079febe59a20ca885a87dd1c54240d0f1 upstream.

With this fix, all code paths should now be obtaining the page lock before
f-&gt;sem.

Reported-by: Szabó Tamás &lt;sztomi89@gmail.com&gt;
Tested-by: Thomas Betker &lt;thomas.betker@rohde-schwarz.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 49e91e7079febe59a20ca885a87dd1c54240d0f1 upstream.

With this fix, all code paths should now be obtaining the page lock before
f-&gt;sem.

Reported-by: Szabó Tamás &lt;sztomi89@gmail.com&gt;
Tested-by: Thomas Betker &lt;thomas.betker@rohde-schwarz.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"</title>
<updated>2016-03-07T15:05:24+00:00</updated>
<author>
<name>Thomas Betker</name>
<email>thomas.betker@rohde-schwarz.com</email>
</author>
<published>2015-11-10T21:18:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1ed7bb8bb842261389701c3ee3dc4b59259b5a0e'/>
<id>1ed7bb8bb842261389701c3ee3dc4b59259b5a0e</id>
<content type='text'>
commit 157078f64b8a9cd7011b6b900b2f2498df850748 upstream.

This reverts commit 5ffd3412ae55
("jffs2: Fix lock acquisition order bug in jffs2_write_begin").

The commit modified jffs2_write_begin() to remove a deadlock with
jffs2_garbage_collect_live(), but this introduced new deadlocks found
by multiple users. page_lock() actually has to be called before
mutex_lock(&amp;c-&gt;alloc_sem) or mutex_lock(&amp;f-&gt;sem) because
jffs2_write_end() and jffs2_readpage() are called with the page locked,
and they acquire c-&gt;alloc_sem and f-&gt;sem, resp.

In other words, the lock order in jffs2_write_begin() was correct, and
it is the jffs2_garbage_collect_live() path that has to be changed.

Revert the commit to get rid of the new deadlocks, and to clear the way
for a better fix of the original deadlock.

Reported-by: Deng Chao &lt;deng.chao1@zte.com.cn&gt;
Reported-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Reported-by: wangzaiwei &lt;wangzaiwei@top-vision.cn&gt;
Signed-off-by: Thomas Betker &lt;thomas.betker@rohde-schwarz.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 157078f64b8a9cd7011b6b900b2f2498df850748 upstream.

This reverts commit 5ffd3412ae55
("jffs2: Fix lock acquisition order bug in jffs2_write_begin").

The commit modified jffs2_write_begin() to remove a deadlock with
jffs2_garbage_collect_live(), but this introduced new deadlocks found
by multiple users. page_lock() actually has to be called before
mutex_lock(&amp;c-&gt;alloc_sem) or mutex_lock(&amp;f-&gt;sem) because
jffs2_write_end() and jffs2_readpage() are called with the page locked,
and they acquire c-&gt;alloc_sem and f-&gt;sem, resp.

In other words, the lock order in jffs2_write_begin() was correct, and
it is the jffs2_garbage_collect_live() path that has to be changed.

Revert the commit to get rid of the new deadlocks, and to clear the way
for a better fix of the original deadlock.

Reported-by: Deng Chao &lt;deng.chao1@zte.com.cn&gt;
Reported-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Reported-by: wangzaiwei &lt;wangzaiwei@top-vision.cn&gt;
Signed-off-by: Thomas Betker &lt;thomas.betker@rohde-schwarz.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix SMB2+ interim response processing for read requests</title>
<updated>2016-03-07T15:05:22+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>pshilovsky@samba.org</email>
</author>
<published>2016-02-27T08:58:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9a5d07a53043fbd30f679526f8a4d8220dca5aab'/>
<id>9a5d07a53043fbd30f679526f8a4d8220dca5aab</id>
<content type='text'>
commit 6cc3b24235929b54acd5ecc987ef11a425bd209e upstream.

For interim responses we only need to parse a header and update
a number credits. Now it is done for all SMB2+ command except
SMB2_READ which is wrong. Fix this by adding such processing.

Signed-off-by: Pavel Shilovsky &lt;pshilovsky@samba.org&gt;
Tested-by: Shirish Pargaonkar &lt;shirishpargaonkar@gmail.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6cc3b24235929b54acd5ecc987ef11a425bd209e upstream.

For interim responses we only need to parse a header and update
a number credits. Now it is done for all SMB2+ command except
SMB2_READ which is wrong. Fix this by adding such processing.

Signed-off-by: Pavel Shilovsky &lt;pshilovsky@samba.org&gt;
Tested-by: Shirish Pargaonkar &lt;shirishpargaonkar@gmail.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: fix out-of-bounds access in lease parsing</title>
<updated>2016-03-07T15:05:22+00:00</updated>
<author>
<name>Justin Maggard</name>
<email>jmaggard10@gmail.com</email>
</author>
<published>2016-02-09T23:52:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=18bb5d79a23da04c48c706f85294468c917d7974'/>
<id>18bb5d79a23da04c48c706f85294468c917d7974</id>
<content type='text'>
commit deb7deff2f00bdbbcb3d560dad2a89ef37df837d upstream.

When opening a file, SMB2_open() attempts to parse the lease state from the
SMB2 CREATE Response.  However, the parsing code was not careful to ensure
that the create contexts are not empty or invalid, which can lead to out-
of-bounds memory access.  This can be seen easily by trying
to read a file from a OSX 10.11 SMB3 server.  Here is sample crash output:

BUG: unable to handle kernel paging request at ffff8800a1a77cc6
IP: [&lt;ffffffff8828a734&gt;] SMB2_open+0x804/0x960
PGD 8f77067 PUD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14
Hardware name: NETGEAR ReadyNAS 314          /ReadyNAS 314          , BIOS 4.6.5 10/11/2012
task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000
RIP: 0010:[&lt;ffffffff8828a734&gt;]  [&lt;ffffffff8828a734&gt;] SMB2_open+0x804/0x960
RSP: 0018:ffff88005b31fa08  EFLAGS: 00010282
RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0
RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866
R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800
R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0
FS:  00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0
Stack:
 ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80
 ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000
 ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0
Call Trace:
 [&lt;ffffffff88278789&gt;] ? cifsConvertToUTF16+0x159/0x2d0
 [&lt;ffffffff8828cf68&gt;] smb2_open_file+0x98/0x210
 [&lt;ffffffff8811e80c&gt;] ? __kmalloc+0x1c/0xe0
 [&lt;ffffffff882685f4&gt;] cifs_open+0x2a4/0x720
 [&lt;ffffffff88122cef&gt;] do_dentry_open+0x1ff/0x310
 [&lt;ffffffff88268350&gt;] ? cifsFileInfo_get+0x30/0x30
 [&lt;ffffffff88123d92&gt;] vfs_open+0x52/0x60
 [&lt;ffffffff88131dd0&gt;] path_openat+0x170/0xf70
 [&lt;ffffffff88097d48&gt;] ? remove_wait_queue+0x48/0x50
 [&lt;ffffffff88133a29&gt;] do_filp_open+0x79/0xd0
 [&lt;ffffffff8813f2ca&gt;] ? __alloc_fd+0x3a/0x170
 [&lt;ffffffff881240c4&gt;] do_sys_open+0x114/0x1e0
 [&lt;ffffffff881241a9&gt;] SyS_open+0x19/0x20
 [&lt;ffffffff8896e257&gt;] entry_SYSCALL_64_fastpath+0x12/0x6a
Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff &lt;45&gt; 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8
RIP  [&lt;ffffffff8828a734&gt;] SMB2_open+0x804/0x960
 RSP &lt;ffff88005b31fa08&gt;
CR2: ffff8800a1a77cc6
---[ end trace d9f69ba64feee469 ]---

Signed-off-by: Justin Maggard &lt;jmaggard@netgear.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit deb7deff2f00bdbbcb3d560dad2a89ef37df837d upstream.

When opening a file, SMB2_open() attempts to parse the lease state from the
SMB2 CREATE Response.  However, the parsing code was not careful to ensure
that the create contexts are not empty or invalid, which can lead to out-
of-bounds memory access.  This can be seen easily by trying
to read a file from a OSX 10.11 SMB3 server.  Here is sample crash output:

BUG: unable to handle kernel paging request at ffff8800a1a77cc6
IP: [&lt;ffffffff8828a734&gt;] SMB2_open+0x804/0x960
PGD 8f77067 PUD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14
Hardware name: NETGEAR ReadyNAS 314          /ReadyNAS 314          , BIOS 4.6.5 10/11/2012
task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000
RIP: 0010:[&lt;ffffffff8828a734&gt;]  [&lt;ffffffff8828a734&gt;] SMB2_open+0x804/0x960
RSP: 0018:ffff88005b31fa08  EFLAGS: 00010282
RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0
RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866
R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800
R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0
FS:  00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0
Stack:
 ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80
 ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000
 ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0
Call Trace:
 [&lt;ffffffff88278789&gt;] ? cifsConvertToUTF16+0x159/0x2d0
 [&lt;ffffffff8828cf68&gt;] smb2_open_file+0x98/0x210
 [&lt;ffffffff8811e80c&gt;] ? __kmalloc+0x1c/0xe0
 [&lt;ffffffff882685f4&gt;] cifs_open+0x2a4/0x720
 [&lt;ffffffff88122cef&gt;] do_dentry_open+0x1ff/0x310
 [&lt;ffffffff88268350&gt;] ? cifsFileInfo_get+0x30/0x30
 [&lt;ffffffff88123d92&gt;] vfs_open+0x52/0x60
 [&lt;ffffffff88131dd0&gt;] path_openat+0x170/0xf70
 [&lt;ffffffff88097d48&gt;] ? remove_wait_queue+0x48/0x50
 [&lt;ffffffff88133a29&gt;] do_filp_open+0x79/0xd0
 [&lt;ffffffff8813f2ca&gt;] ? __alloc_fd+0x3a/0x170
 [&lt;ffffffff881240c4&gt;] do_sys_open+0x114/0x1e0
 [&lt;ffffffff881241a9&gt;] SyS_open+0x19/0x20
 [&lt;ffffffff8896e257&gt;] entry_SYSCALL_64_fastpath+0x12/0x6a
Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff &lt;45&gt; 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8
RIP  [&lt;ffffffff8828a734&gt;] SMB2_open+0x804/0x960
 RSP &lt;ffff88005b31fa08&gt;
CR2: ffff8800a1a77cc6
---[ end trace d9f69ba64feee469 ]---

Signed-off-by: Justin Maggard &lt;jmaggard@netgear.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>nfsd: fix problem with setting ACL on directories</title>
<updated>2016-03-07T09:38:40+00:00</updated>
<author>
<name>NeilBrown</name>
<email>neilb@suse.com</email>
</author>
<published>2016-03-07T09:19:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=377b71e18f20d69b0df301ce7040554f40ba9651'/>
<id>377b71e18f20d69b0df301ce7040554f40ba9651</id>
<content type='text'>
This is a regression of 3.12 stable commit
ba1816b40a87a3f3c4ca9cd54a593a10d87bd391 (nfsd: fix NFS regression).

If a non-inherited ACL is set on a directory, nfsd will try to set the Posix
default ACL to NULL.  This gets converted to "" by generic_setxattr().
As "" is not a valid posix acl attribute value, this results in an error.

So instead of setting the xattr to NULL, remove it.

Fixes: ba1816b40a ("nfsd: fix NFS regression")
Signed-off-by: NeilBrown &lt;neilb@suse.com&gt;
Cc: Sergio Gelato &lt;Sergio.Gelato@astro.su.se&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is a regression of 3.12 stable commit
ba1816b40a87a3f3c4ca9cd54a593a10d87bd391 (nfsd: fix NFS regression).

If a non-inherited ACL is set on a directory, nfsd will try to set the Posix
default ACL to NULL.  This gets converted to "" by generic_setxattr().
As "" is not a valid posix acl attribute value, this results in an error.

So instead of setting the xattr to NULL, remove it.

Fixes: ba1816b40a ("nfsd: fix NFS regression")
Signed-off-by: NeilBrown &lt;neilb@suse.com&gt;
Cc: Sergio Gelato &lt;Sergio.Gelato@astro.su.se&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bio: return EINTR if copying to user space got interrupted</title>
<updated>2016-03-04T08:48:15+00:00</updated>
<author>
<name>Hannes Reinecke</name>
<email>hare@suse.de</email>
</author>
<published>2016-02-12T08:39:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7b1db06ff530bd1fa18e492ba61c5f7dc4e181a4'/>
<id>7b1db06ff530bd1fa18e492ba61c5f7dc4e181a4</id>
<content type='text'>
commit 2d99b55d378c996b9692a0c93dd25f4ed5d58934 upstream.

Commit 35dc248383bbab0a7203fca4d722875bc81ef091 introduced a check for
current-&gt;mm to see if we have a user space context and only copies data
if we do. Now if an IO gets interrupted by a signal data isn't copied
into user space any more (as we don't have a user space context) but
user space isn't notified about it.

This patch modifies the behaviour to return -EINTR from bio_uncopy_user()
to notify userland that a signal has interrupted the syscall, otherwise
it could lead to a situation where the caller may get a buffer with
no data returned.

This can be reproduced by issuing SG_IO ioctl()s in one thread while
constantly sending signals to it.

[js] backport to 3.12

Fixes: 35dc248 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2d99b55d378c996b9692a0c93dd25f4ed5d58934 upstream.

Commit 35dc248383bbab0a7203fca4d722875bc81ef091 introduced a check for
current-&gt;mm to see if we have a user space context and only copies data
if we do. Now if an IO gets interrupted by a signal data isn't copied
into user space any more (as we don't have a user space context) but
user space isn't notified about it.

This patch modifies the behaviour to return -EINTR from bio_uncopy_user()
to notify userland that a signal has interrupted the syscall, otherwise
it could lead to a situation where the caller may get a buffer with
no data returned.

This can be reproduced by issuing SG_IO ioctl()s in one thread while
constantly sending signals to it.

[js] backport to 3.12

Fixes: 35dc248 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
Signed-off-by: Jens Axboe &lt;axboe@fb.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>locks: fix unlock when fcntl_setlk races with a close</title>
<updated>2016-03-03T12:19:34+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jeff.layton@primarydata.com</email>
</author>
<published>2016-01-07T21:38:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2da2c15ffb7ed572f0d504cb1bd97fd66f3d9186'/>
<id>2da2c15ffb7ed572f0d504cb1bd97fd66f3d9186</id>
<content type='text'>
commit 7f3697e24dc3820b10f445a4a7d914fc356012d1 upstream.

Dmitry reported that he was able to reproduce the WARN_ON_ONCE that
fires in locks_free_lock_context when the flc_posix list isn't empty.

The problem turns out to be that we're basically rebuilding the
file_lock from scratch in fcntl_setlk when we discover that the setlk
has raced with a close. If the l_whence field is SEEK_CUR or SEEK_END,
then we may end up with fl_start and fl_end values that differ from
when the lock was initially set, if the file position or length of the
file has changed in the interim.

Fix this by just reusing the same lock request structure, and simply
override fl_type value with F_UNLCK as appropriate. That ensures that
we really are unlocking the lock that was initially set.

While we're there, make sure that we do pop a WARN_ON_ONCE if the
removal ever fails. Also return -EBADF in this event, since that's
what we would have returned if the close had happened earlier.

Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;
Fixes: c293621bbf67 (stale POSIX lock handling)
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Jeff Layton &lt;jeff.layton@primarydata.com&gt;
Acked-by: "J. Bruce Fields" &lt;bfields@fieldses.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7f3697e24dc3820b10f445a4a7d914fc356012d1 upstream.

Dmitry reported that he was able to reproduce the WARN_ON_ONCE that
fires in locks_free_lock_context when the flc_posix list isn't empty.

The problem turns out to be that we're basically rebuilding the
file_lock from scratch in fcntl_setlk when we discover that the setlk
has raced with a close. If the l_whence field is SEEK_CUR or SEEK_END,
then we may end up with fl_start and fl_end values that differ from
when the lock was initially set, if the file position or length of the
file has changed in the interim.

Fix this by just reusing the same lock request structure, and simply
override fl_type value with F_UNLCK as appropriate. That ensures that
we really are unlocking the lock that was initially set.

While we're there, make sure that we do pop a WARN_ON_ONCE if the
removal ever fails. Also return -EBADF in this event, since that's
what we would have returned if the close had happened earlier.

Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;
Fixes: c293621bbf67 (stale POSIX lock handling)
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: Jeff Layton &lt;jeff.layton@primarydata.com&gt;
Acked-by: "J. Bruce Fields" &lt;bfields@fieldses.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
</feed>
