<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs, branch v3.16.35</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()</title>
<updated>2016-04-30T22:06:11+00:00</updated>
<author>
<name>Eryu Guan</name>
<email>guaneryu@gmail.com</email>
</author>
<published>2016-03-13T02:40:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=144593c372d1ce9d6e140f1df99ef1a24478d550'/>
<id>144593c372d1ce9d6e140f1df99ef1a24478d550</id>
<content type='text'>
commit 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 upstream.

ext4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on
error (e.g. EIO) and iloc.bh can be NULL in this case. But the error is
ignored in the following "if" condition and ext4_expand_extra_isize()
might be called with NULL iloc.bh set, which triggers NULL pointer
dereference.

This is uncovered by commit 8b4953e13f4c ("ext4: reserve code points for
the project quota feature"), which enlarges the ext4_inode size, and
run the following script on new kernel but with old mke2fs:

  #/bin/bash
  mnt=/mnt/ext4
  devname=ext4-error
  dev=/dev/mapper/$devname
  fsimg=/home/fs.img

  trap cleanup 0 1 2 3 9 15

  cleanup()
  {
          umount $mnt &gt;/dev/null 2&gt;&amp;1
          dmsetup remove $devname
          losetup -d $backend_dev
          rm -f $fsimg
          exit 0
  }

  rm -f $fsimg
  fallocate -l 1g $fsimg
  backend_dev=`losetup -f --show $fsimg`
  devsize=`blockdev --getsz $backend_dev`

  good_tab="0 $devsize linear $backend_dev 0"
  error_tab="0 $devsize error $backend_dev 0"

  dmsetup create $devname --table "$good_tab"

  mkfs -t ext4 $dev
  mount -t ext4 -o errors=continue,strictatime $dev $mnt

  dmsetup load $devname --table "$error_tab" &amp;&amp; dmsetup resume $devname
  echo 3 &gt; /proc/sys/vm/drop_caches
  ls -l $mnt
  exit 0

[ Patch changed to simplify the function a tiny bit. -- Ted ]

Signed-off-by: Eryu Guan &lt;guaneryu@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 upstream.

ext4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on
error (e.g. EIO) and iloc.bh can be NULL in this case. But the error is
ignored in the following "if" condition and ext4_expand_extra_isize()
might be called with NULL iloc.bh set, which triggers NULL pointer
dereference.

This is uncovered by commit 8b4953e13f4c ("ext4: reserve code points for
the project quota feature"), which enlarges the ext4_inode size, and
run the following script on new kernel but with old mke2fs:

  #/bin/bash
  mnt=/mnt/ext4
  devname=ext4-error
  dev=/dev/mapper/$devname
  fsimg=/home/fs.img

  trap cleanup 0 1 2 3 9 15

  cleanup()
  {
          umount $mnt &gt;/dev/null 2&gt;&amp;1
          dmsetup remove $devname
          losetup -d $backend_dev
          rm -f $fsimg
          exit 0
  }

  rm -f $fsimg
  fallocate -l 1g $fsimg
  backend_dev=`losetup -f --show $fsimg`
  devsize=`blockdev --getsz $backend_dev`

  good_tab="0 $devsize linear $backend_dev 0"
  error_tab="0 $devsize error $backend_dev 0"

  dmsetup create $devname --table "$good_tab"

  mkfs -t ext4 $dev
  mount -t ext4 -o errors=continue,strictatime $dev $mnt

  dmsetup load $devname --table "$error_tab" &amp;&amp; dmsetup resume $devname
  echo 3 &gt; /proc/sys/vm/drop_caches
  ls -l $mnt
  exit 0

[ Patch changed to simplify the function a tiny bit. -- Ted ]

Signed-off-by: Eryu Guan &lt;guaneryu@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: fix file/data loss caused by fsync after rename and new inode</title>
<updated>2016-04-30T22:06:08+00:00</updated>
<author>
<name>Filipe Manana</name>
<email>fdmanana@suse.com</email>
</author>
<published>2016-03-30T22:37:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bb91d38dc08e373454cc79556bb36f4996d7b2bc'/>
<id>bb91d38dc08e373454cc79556bb36f4996d7b2bc</id>
<content type='text'>
commit 56f23fdbb600e6087db7b009775b95ce07cc3195 upstream.

If we rename an inode A (be it a file or a directory), create a new
inode B with the old name of inode A and under the same parent directory,
fsync inode B and then power fail, at log tree replay time we end up
removing inode A completely. If inode A is a directory then all its files
are gone too.

Example scenarios where this happens:
This is reproducible with the following steps, taken from a couple of
test cases written for fstests which are going to be submitted upstream
soon:

   # Scenario 1

   mkfs.btrfs -f /dev/sdc
   mount /dev/sdc /mnt
   mkdir -p /mnt/a/x
   echo "hello" &gt; /mnt/a/x/foo
   echo "world" &gt; /mnt/a/x/bar
   sync
   mv /mnt/a/x /mnt/a/y
   mkdir /mnt/a/x
   xfs_io -c fsync /mnt/a/x
   &lt;power failure happens&gt;

   The next time the fs is mounted, log tree replay happens and
   the directory "y" does not exist nor do the files "foo" and
   "bar" exist anywhere (neither in "y" nor in "x", nor the root
   nor anywhere).

   # Scenario 2

   mkfs.btrfs -f /dev/sdc
   mount /dev/sdc /mnt
   mkdir /mnt/a
   echo "hello" &gt; /mnt/a/foo
   sync
   mv /mnt/a/foo /mnt/a/bar
   echo "world" &gt; /mnt/a/foo
   xfs_io -c fsync /mnt/a/foo
   &lt;power failure happens&gt;

   The next time the fs is mounted, log tree replay happens and the
   file "bar" does not exists anymore. A file with the name "foo"
   exists and it matches the second file we created.

Another related problem that does not involve file/data loss is when a
new inode is created with the name of a deleted snapshot and we fsync it:

   mkfs.btrfs -f /dev/sdc
   mount /dev/sdc /mnt
   mkdir /mnt/testdir
   btrfs subvolume snapshot /mnt /mnt/testdir/snap
   btrfs subvolume delete /mnt/testdir/snap
   rmdir /mnt/testdir
   mkdir /mnt/testdir
   xfs_io -c fsync /mnt/testdir # or fsync some file inside /mnt/testdir
   &lt;power failure&gt;

   The next time the fs is mounted the log replay procedure fails because
   it attempts to delete the snapshot entry (which has dir item key type
   of BTRFS_ROOT_ITEM_KEY) as if it were a regular (non-root) entry,
   resulting in the following error that causes mount to fail:

   [52174.510532] BTRFS info (device dm-0): failed to delete reference to snap, inode 257 parent 257
   [52174.512570] ------------[ cut here ]------------
   [52174.513278] WARNING: CPU: 12 PID: 28024 at fs/btrfs/inode.c:3986 __btrfs_unlink_inode+0x178/0x351 [btrfs]()
   [52174.514681] BTRFS: Transaction aborted (error -2)
   [52174.515630] Modules linked in: btrfs dm_flakey dm_mod overlay crc32c_generic ppdev xor raid6_pq acpi_cpufreq parport_pc tpm_tis sg parport tpm evdev i2c_piix4 proc
   [52174.521568] CPU: 12 PID: 28024 Comm: mount Tainted: G        W       4.5.0-rc6-btrfs-next-27+ #1
   [52174.522805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
   [52174.524053]  0000000000000000 ffff8801df2a7710 ffffffff81264e93 ffff8801df2a7758
   [52174.524053]  0000000000000009 ffff8801df2a7748 ffffffff81051618 ffffffffa03591cd
   [52174.524053]  00000000fffffffe ffff88015e6e5000 ffff88016dbc3c88 ffff88016dbc3c88
   [52174.524053] Call Trace:
   [52174.524053]  [&lt;ffffffff81264e93&gt;] dump_stack+0x67/0x90
   [52174.524053]  [&lt;ffffffff81051618&gt;] warn_slowpath_common+0x99/0xb2
   [52174.524053]  [&lt;ffffffffa03591cd&gt;] ? __btrfs_unlink_inode+0x178/0x351 [btrfs]
   [52174.524053]  [&lt;ffffffff81051679&gt;] warn_slowpath_fmt+0x48/0x50
   [52174.524053]  [&lt;ffffffffa03591cd&gt;] __btrfs_unlink_inode+0x178/0x351 [btrfs]
   [52174.524053]  [&lt;ffffffff8118f5e9&gt;] ? iput+0xb0/0x284
   [52174.524053]  [&lt;ffffffffa0359fe8&gt;] btrfs_unlink_inode+0x1c/0x3d [btrfs]
   [52174.524053]  [&lt;ffffffffa038631e&gt;] check_item_in_log+0x1fe/0x29b [btrfs]
   [52174.524053]  [&lt;ffffffffa0386522&gt;] replay_dir_deletes+0x167/0x1cf [btrfs]
   [52174.524053]  [&lt;ffffffffa038739e&gt;] fixup_inode_link_count+0x289/0x2aa [btrfs]
   [52174.524053]  [&lt;ffffffffa038748a&gt;] fixup_inode_link_counts+0xcb/0x105 [btrfs]
   [52174.524053]  [&lt;ffffffffa038a5ec&gt;] btrfs_recover_log_trees+0x258/0x32c [btrfs]
   [52174.524053]  [&lt;ffffffffa03885b2&gt;] ? replay_one_extent+0x511/0x511 [btrfs]
   [52174.524053]  [&lt;ffffffffa034f288&gt;] open_ctree+0x1dd4/0x21b9 [btrfs]
   [52174.524053]  [&lt;ffffffffa032b753&gt;] btrfs_mount+0x97e/0xaed [btrfs]
   [52174.524053]  [&lt;ffffffff8108e1b7&gt;] ? trace_hardirqs_on+0xd/0xf
   [52174.524053]  [&lt;ffffffff8117bafa&gt;] mount_fs+0x67/0x131
   [52174.524053]  [&lt;ffffffff81193003&gt;] vfs_kern_mount+0x6c/0xde
   [52174.524053]  [&lt;ffffffffa032af81&gt;] btrfs_mount+0x1ac/0xaed [btrfs]
   [52174.524053]  [&lt;ffffffff8108e1b7&gt;] ? trace_hardirqs_on+0xd/0xf
   [52174.524053]  [&lt;ffffffff8108c262&gt;] ? lockdep_init_map+0xb9/0x1b3
   [52174.524053]  [&lt;ffffffff8117bafa&gt;] mount_fs+0x67/0x131
   [52174.524053]  [&lt;ffffffff81193003&gt;] vfs_kern_mount+0x6c/0xde
   [52174.524053]  [&lt;ffffffff8119590f&gt;] do_mount+0x8a6/0x9e8
   [52174.524053]  [&lt;ffffffff811358dd&gt;] ? strndup_user+0x3f/0x59
   [52174.524053]  [&lt;ffffffff81195c65&gt;] SyS_mount+0x77/0x9f
   [52174.524053]  [&lt;ffffffff814935d7&gt;] entry_SYSCALL_64_fastpath+0x12/0x6b
   [52174.561288] ---[ end trace 6b53049efb1a3ea6 ]---

Fix this by forcing a transaction commit when such cases happen.
This means we check in the commit root of the subvolume tree if there
was any other inode with the same reference when the inode we are
fsync'ing is a new inode (created in the current transaction).

Test cases for fstests, covering all the scenarios given above, were
submitted upstream for fstests:

  * fstests: generic test for fsync after renaming directory
    https://patchwork.kernel.org/patch/8694281/

  * fstests: generic test for fsync after renaming file
    https://patchwork.kernel.org/patch/8694301/

  * fstests: add btrfs test for fsync after snapshot deletion
    https://patchwork.kernel.org/patch/8670671/

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 56f23fdbb600e6087db7b009775b95ce07cc3195 upstream.

If we rename an inode A (be it a file or a directory), create a new
inode B with the old name of inode A and under the same parent directory,
fsync inode B and then power fail, at log tree replay time we end up
removing inode A completely. If inode A is a directory then all its files
are gone too.

Example scenarios where this happens:
This is reproducible with the following steps, taken from a couple of
test cases written for fstests which are going to be submitted upstream
soon:

   # Scenario 1

   mkfs.btrfs -f /dev/sdc
   mount /dev/sdc /mnt
   mkdir -p /mnt/a/x
   echo "hello" &gt; /mnt/a/x/foo
   echo "world" &gt; /mnt/a/x/bar
   sync
   mv /mnt/a/x /mnt/a/y
   mkdir /mnt/a/x
   xfs_io -c fsync /mnt/a/x
   &lt;power failure happens&gt;

   The next time the fs is mounted, log tree replay happens and
   the directory "y" does not exist nor do the files "foo" and
   "bar" exist anywhere (neither in "y" nor in "x", nor the root
   nor anywhere).

   # Scenario 2

   mkfs.btrfs -f /dev/sdc
   mount /dev/sdc /mnt
   mkdir /mnt/a
   echo "hello" &gt; /mnt/a/foo
   sync
   mv /mnt/a/foo /mnt/a/bar
   echo "world" &gt; /mnt/a/foo
   xfs_io -c fsync /mnt/a/foo
   &lt;power failure happens&gt;

   The next time the fs is mounted, log tree replay happens and the
   file "bar" does not exists anymore. A file with the name "foo"
   exists and it matches the second file we created.

Another related problem that does not involve file/data loss is when a
new inode is created with the name of a deleted snapshot and we fsync it:

   mkfs.btrfs -f /dev/sdc
   mount /dev/sdc /mnt
   mkdir /mnt/testdir
   btrfs subvolume snapshot /mnt /mnt/testdir/snap
   btrfs subvolume delete /mnt/testdir/snap
   rmdir /mnt/testdir
   mkdir /mnt/testdir
   xfs_io -c fsync /mnt/testdir # or fsync some file inside /mnt/testdir
   &lt;power failure&gt;

   The next time the fs is mounted the log replay procedure fails because
   it attempts to delete the snapshot entry (which has dir item key type
   of BTRFS_ROOT_ITEM_KEY) as if it were a regular (non-root) entry,
   resulting in the following error that causes mount to fail:

   [52174.510532] BTRFS info (device dm-0): failed to delete reference to snap, inode 257 parent 257
   [52174.512570] ------------[ cut here ]------------
   [52174.513278] WARNING: CPU: 12 PID: 28024 at fs/btrfs/inode.c:3986 __btrfs_unlink_inode+0x178/0x351 [btrfs]()
   [52174.514681] BTRFS: Transaction aborted (error -2)
   [52174.515630] Modules linked in: btrfs dm_flakey dm_mod overlay crc32c_generic ppdev xor raid6_pq acpi_cpufreq parport_pc tpm_tis sg parport tpm evdev i2c_piix4 proc
   [52174.521568] CPU: 12 PID: 28024 Comm: mount Tainted: G        W       4.5.0-rc6-btrfs-next-27+ #1
   [52174.522805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
   [52174.524053]  0000000000000000 ffff8801df2a7710 ffffffff81264e93 ffff8801df2a7758
   [52174.524053]  0000000000000009 ffff8801df2a7748 ffffffff81051618 ffffffffa03591cd
   [52174.524053]  00000000fffffffe ffff88015e6e5000 ffff88016dbc3c88 ffff88016dbc3c88
   [52174.524053] Call Trace:
   [52174.524053]  [&lt;ffffffff81264e93&gt;] dump_stack+0x67/0x90
   [52174.524053]  [&lt;ffffffff81051618&gt;] warn_slowpath_common+0x99/0xb2
   [52174.524053]  [&lt;ffffffffa03591cd&gt;] ? __btrfs_unlink_inode+0x178/0x351 [btrfs]
   [52174.524053]  [&lt;ffffffff81051679&gt;] warn_slowpath_fmt+0x48/0x50
   [52174.524053]  [&lt;ffffffffa03591cd&gt;] __btrfs_unlink_inode+0x178/0x351 [btrfs]
   [52174.524053]  [&lt;ffffffff8118f5e9&gt;] ? iput+0xb0/0x284
   [52174.524053]  [&lt;ffffffffa0359fe8&gt;] btrfs_unlink_inode+0x1c/0x3d [btrfs]
   [52174.524053]  [&lt;ffffffffa038631e&gt;] check_item_in_log+0x1fe/0x29b [btrfs]
   [52174.524053]  [&lt;ffffffffa0386522&gt;] replay_dir_deletes+0x167/0x1cf [btrfs]
   [52174.524053]  [&lt;ffffffffa038739e&gt;] fixup_inode_link_count+0x289/0x2aa [btrfs]
   [52174.524053]  [&lt;ffffffffa038748a&gt;] fixup_inode_link_counts+0xcb/0x105 [btrfs]
   [52174.524053]  [&lt;ffffffffa038a5ec&gt;] btrfs_recover_log_trees+0x258/0x32c [btrfs]
   [52174.524053]  [&lt;ffffffffa03885b2&gt;] ? replay_one_extent+0x511/0x511 [btrfs]
   [52174.524053]  [&lt;ffffffffa034f288&gt;] open_ctree+0x1dd4/0x21b9 [btrfs]
   [52174.524053]  [&lt;ffffffffa032b753&gt;] btrfs_mount+0x97e/0xaed [btrfs]
   [52174.524053]  [&lt;ffffffff8108e1b7&gt;] ? trace_hardirqs_on+0xd/0xf
   [52174.524053]  [&lt;ffffffff8117bafa&gt;] mount_fs+0x67/0x131
   [52174.524053]  [&lt;ffffffff81193003&gt;] vfs_kern_mount+0x6c/0xde
   [52174.524053]  [&lt;ffffffffa032af81&gt;] btrfs_mount+0x1ac/0xaed [btrfs]
   [52174.524053]  [&lt;ffffffff8108e1b7&gt;] ? trace_hardirqs_on+0xd/0xf
   [52174.524053]  [&lt;ffffffff8108c262&gt;] ? lockdep_init_map+0xb9/0x1b3
   [52174.524053]  [&lt;ffffffff8117bafa&gt;] mount_fs+0x67/0x131
   [52174.524053]  [&lt;ffffffff81193003&gt;] vfs_kern_mount+0x6c/0xde
   [52174.524053]  [&lt;ffffffff8119590f&gt;] do_mount+0x8a6/0x9e8
   [52174.524053]  [&lt;ffffffff811358dd&gt;] ? strndup_user+0x3f/0x59
   [52174.524053]  [&lt;ffffffff81195c65&gt;] SyS_mount+0x77/0x9f
   [52174.524053]  [&lt;ffffffff814935d7&gt;] entry_SYSCALL_64_fastpath+0x12/0x6b
   [52174.561288] ---[ end trace 6b53049efb1a3ea6 ]---

Fix this by forcing a transaction commit when such cases happen.
This means we check in the commit root of the subvolume tree if there
was any other inode with the same reference when the inode we are
fsync'ing is a new inode (created in the current transaction).

Test cases for fstests, covering all the scenarios given above, were
submitted upstream for fstests:

  * fstests: generic test for fsync after renaming directory
    https://patchwork.kernel.org/patch/8694281/

  * fstests: generic test for fsync after renaming file
    https://patchwork.kernel.org/patch/8694301/

  * fstests: add btrfs test for fsync after snapshot deletion
    https://patchwork.kernel.org/patch/8670671/

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: add lockdep annotations for i_data_sem</title>
<updated>2016-04-30T22:06:07+00:00</updated>
<author>
<name>Theodore Ts'o</name>
<email>tytso@mit.edu</email>
</author>
<published>2016-04-01T05:31:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f08b6c731b6b9da1e67d91f613a50ee8c7281fae'/>
<id>f08b6c731b6b9da1e67d91f613a50ee8c7281fae</id>
<content type='text'>
commit daf647d2dd58cec59570d7698a45b98e580f2076 upstream.

With the internal Quota feature, mke2fs creates empty quota inodes and
quota usage tracking is enabled as soon as the file system is mounted.
Since quotacheck is no longer preallocating all of the blocks in the
quota inode that are likely needed to be written to, we are now seeing
a lockdep false positive caused by needing to allocate a quota block
from inside ext4_map_blocks(), while holding i_data_sem for a data
inode.  This results in this complaint:

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&amp;ei-&gt;i_data_sem);
                                lock(&amp;s-&gt;s_dquot.dqio_mutex);
                                lock(&amp;ei-&gt;i_data_sem);
   lock(&amp;s-&gt;s_dquot.dqio_mutex);

Google-Bug-Id: 27907753

Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit daf647d2dd58cec59570d7698a45b98e580f2076 upstream.

With the internal Quota feature, mke2fs creates empty quota inodes and
quota usage tracking is enabled as soon as the file system is mounted.
Since quotacheck is no longer preallocating all of the blocks in the
quota inode that are likely needed to be written to, we are now seeing
a lockdep false positive caused by needing to allocate a quota block
from inside ext4_map_blocks(), while holding i_data_sem for a data
inode.  This results in this complaint:

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&amp;ei-&gt;i_data_sem);
                                lock(&amp;s-&gt;s_dquot.dqio_mutex);
                                lock(&amp;ei-&gt;i_data_sem);
   lock(&amp;s-&gt;s_dquot.dqio_mutex);

Google-Bug-Id: 27907753

Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list</title>
<updated>2016-04-30T22:06:05+00:00</updated>
<author>
<name>Joseph Qi</name>
<email>joseph.qi@huawei.com</email>
</author>
<published>2016-03-25T21:21:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cea90036ff868ed701b9d12a4148f8bf4313de6d'/>
<id>cea90036ff868ed701b9d12a4148f8bf4313de6d</id>
<content type='text'>
commit be12b299a83fc807bbaccd2bcb8ec50cbb0cb55c upstream.

When master handles convert request, it queues ast first and then
returns status.  This may happen that the ast is sent before the request
status because the above two messages are sent by two threads.  And
right after the ast is sent, if master down, it may trigger BUG in
dlm_move_lockres_to_recovery_list in the requested node because ast
handler moves it to grant list without clear lock-&gt;convert_pending.  So
remove BUG_ON statement and check if the ast is processed in
dlmconvert_remote.

Signed-off-by: Joseph Qi &lt;joseph.qi@huawei.com&gt;
Reported-by: Yiwen Jiang &lt;jiangyiwen@huawei.com&gt;
Cc: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Cc: Mark Fasheh &lt;mfasheh@suse.de&gt;
Cc: Joel Becker &lt;jlbec@evilplan.org&gt;
Cc: Tariq Saeed &lt;tariq.x.saeed@oracle.com&gt;
Cc: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit be12b299a83fc807bbaccd2bcb8ec50cbb0cb55c upstream.

When master handles convert request, it queues ast first and then
returns status.  This may happen that the ast is sent before the request
status because the above two messages are sent by two threads.  And
right after the ast is sent, if master down, it may trigger BUG in
dlm_move_lockres_to_recovery_list in the requested node because ast
handler moves it to grant list without clear lock-&gt;convert_pending.  So
remove BUG_ON statement and check if the ast is processed in
dlmconvert_remote.

Signed-off-by: Joseph Qi &lt;joseph.qi@huawei.com&gt;
Reported-by: Yiwen Jiang &lt;jiangyiwen@huawei.com&gt;
Cc: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Cc: Mark Fasheh &lt;mfasheh@suse.de&gt;
Cc: Joel Becker &lt;jlbec@evilplan.org&gt;
Cc: Tariq Saeed &lt;tariq.x.saeed@oracle.com&gt;
Cc: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ocfs2/dlm: fix race between convert and recovery</title>
<updated>2016-04-30T22:06:05+00:00</updated>
<author>
<name>Joseph Qi</name>
<email>joseph.qi@huawei.com</email>
</author>
<published>2016-03-25T21:21:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6af67abae2cb5b2c59d211321067c61ab0b946ea'/>
<id>6af67abae2cb5b2c59d211321067c61ab0b946ea</id>
<content type='text'>
commit ac7cf246dfdbec3d8fed296c7bf30e16f5099dac upstream.

There is a race window between dlmconvert_remote and
dlm_move_lockres_to_recovery_list, which will cause a lock with
OCFS2_LOCK_BUSY in grant list, thus system hangs.

dlmconvert_remote
{
        spin_lock(&amp;res-&gt;spinlock);
        list_move_tail(&amp;lock-&gt;list, &amp;res-&gt;converting);
        lock-&gt;convert_pending = 1;
        spin_unlock(&amp;res-&gt;spinlock);

        status = dlm_send_remote_convert_request();
        &gt;&gt;&gt;&gt;&gt;&gt; race window, master has queued ast and return DLM_NORMAL,
               and then down before sending ast.
               this node detects master down and calls
               dlm_move_lockres_to_recovery_list, which will revert the
               lock to grant list.
               Then OCFS2_LOCK_BUSY won't be cleared as new master won't
               send ast any more because it thinks already be authorized.

        spin_lock(&amp;res-&gt;spinlock);
        lock-&gt;convert_pending = 0;
        if (status != DLM_NORMAL)
                dlm_revert_pending_convert(res, lock);
        spin_unlock(&amp;res-&gt;spinlock);
}

In this case, check if res-&gt;state has DLM_LOCK_RES_RECOVERING bit set
(res is still in recovering) or res master changed (new master has
finished recovery), reset the status to DLM_RECOVERING, then it will
retry convert.

Signed-off-by: Joseph Qi &lt;joseph.qi@huawei.com&gt;
Reported-by: Yiwen Jiang &lt;jiangyiwen@huawei.com&gt;
Reviewed-by: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Cc: Mark Fasheh &lt;mfasheh@suse.de&gt;
Cc: Joel Becker &lt;jlbec@evilplan.org&gt;
Cc: Tariq Saeed &lt;tariq.x.saeed@oracle.com&gt;
Cc: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ac7cf246dfdbec3d8fed296c7bf30e16f5099dac upstream.

There is a race window between dlmconvert_remote and
dlm_move_lockres_to_recovery_list, which will cause a lock with
OCFS2_LOCK_BUSY in grant list, thus system hangs.

dlmconvert_remote
{
        spin_lock(&amp;res-&gt;spinlock);
        list_move_tail(&amp;lock-&gt;list, &amp;res-&gt;converting);
        lock-&gt;convert_pending = 1;
        spin_unlock(&amp;res-&gt;spinlock);

        status = dlm_send_remote_convert_request();
        &gt;&gt;&gt;&gt;&gt;&gt; race window, master has queued ast and return DLM_NORMAL,
               and then down before sending ast.
               this node detects master down and calls
               dlm_move_lockres_to_recovery_list, which will revert the
               lock to grant list.
               Then OCFS2_LOCK_BUSY won't be cleared as new master won't
               send ast any more because it thinks already be authorized.

        spin_lock(&amp;res-&gt;spinlock);
        lock-&gt;convert_pending = 0;
        if (status != DLM_NORMAL)
                dlm_revert_pending_convert(res, lock);
        spin_unlock(&amp;res-&gt;spinlock);
}

In this case, check if res-&gt;state has DLM_LOCK_RES_RECOVERING bit set
(res is still in recovering) or res master changed (new master has
finished recovery), reset the status to DLM_RECOVERING, then it will
retry convert.

Signed-off-by: Joseph Qi &lt;joseph.qi@huawei.com&gt;
Reported-by: Yiwen Jiang &lt;jiangyiwen@huawei.com&gt;
Reviewed-by: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Cc: Mark Fasheh &lt;mfasheh@suse.de&gt;
Cc: Joel Becker &lt;jlbec@evilplan.org&gt;
Cc: Tariq Saeed &lt;tariq.x.saeed@oracle.com&gt;
Cc: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fs/coredump: prevent fsuid=0 dumps into user-controlled directories</title>
<updated>2016-04-30T22:06:04+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jann@thejh.net</email>
</author>
<published>2016-03-22T21:25:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b80e0e86f8fba542671d479e44138cece6d23700'/>
<id>b80e0e86f8fba542671d479e44138cece6d23700</id>
<content type='text'>
commit 378c6520e7d29280f400ef2ceaf155c86f05a71a upstream.

This commit fixes the following security hole affecting systems where
all of the following conditions are fulfilled:

 - The fs.suid_dumpable sysctl is set to 2.
 - The kernel.core_pattern sysctl's value starts with "/". (Systems
   where kernel.core_pattern starts with "|/" are not affected.)
 - Unprivileged user namespace creation is permitted. (This is
   true on Linux &gt;=3.8, but some distributions disallow it by
   default using a distro patch.)

Under these conditions, if a program executes under secure exec rules,
causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
namespace, changes its root directory and crashes, the coredump will be
written using fsuid=0 and a path derived from kernel.core_pattern - but
this path is interpreted relative to the root directory of the process,
allowing the attacker to control where a coredump will be written with
root privileges.

To fix the security issue, always interpret core_pattern for dumps that
are written under SUID_DUMP_ROOT relative to the root directory of init.

Signed-off-by: Jann Horn &lt;jann@thejh.net&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 378c6520e7d29280f400ef2ceaf155c86f05a71a upstream.

This commit fixes the following security hole affecting systems where
all of the following conditions are fulfilled:

 - The fs.suid_dumpable sysctl is set to 2.
 - The kernel.core_pattern sysctl's value starts with "/". (Systems
   where kernel.core_pattern starts with "|/" are not affected.)
 - Unprivileged user namespace creation is permitted. (This is
   true on Linux &gt;=3.8, but some distributions disallow it by
   default using a distro patch.)

Under these conditions, if a program executes under secure exec rules,
causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
namespace, changes its root directory and crashes, the coredump will be
written using fsuid=0 and a path derived from kernel.core_pattern - but
this path is interpreted relative to the root directory of the process,
allowing the attacker to control where a coredump will be written with
root privileges.

To fix the security issue, always interpret core_pattern for dumps that
are written under SUID_DUMP_ROOT relative to the root directory of init.

Signed-off-by: Jann Horn &lt;jann@thejh.net&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Cc: Andy Lutomirski &lt;luto@kernel.org&gt;
Cc: Oleg Nesterov &lt;oleg@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>splice: handle zero nr_pages in splice_to_pipe()</title>
<updated>2016-04-30T22:06:02+00:00</updated>
<author>
<name>Rabin Vincent</name>
<email>rabin@rab.in</email>
</author>
<published>2016-03-10T20:19:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f482167d6698f3c6162752a6d39228730cbe86c0'/>
<id>f482167d6698f3c6162752a6d39228730cbe86c0</id>
<content type='text'>
commit d6785d9152147596f60234157da2b02540c3e60f upstream.

Running the following command:

 busybox cat /sys/kernel/debug/tracing/trace_pipe &gt; /dev/null

with any tracing enabled pretty very quickly leads to various NULL
pointer dereferences and VM BUG_ON()s, such as these:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
 IP: [&lt;ffffffff8119df6c&gt;] generic_pipe_buf_release+0xc/0x40
 Call Trace:
  [&lt;ffffffff811c48a3&gt;] splice_direct_to_actor+0x143/0x1e0
  [&lt;ffffffff811c42e0&gt;] ? generic_pipe_buf_nosteal+0x10/0x10
  [&lt;ffffffff811c49cf&gt;] do_splice_direct+0x8f/0xb0
  [&lt;ffffffff81196869&gt;] do_sendfile+0x199/0x380
  [&lt;ffffffff81197600&gt;] SyS_sendfile64+0x90/0xa0
  [&lt;ffffffff8192cbee&gt;] entry_SYSCALL_64_fastpath+0x12/0x6d

 page dumped because: VM_BUG_ON_PAGE(atomic_read(&amp;page-&gt;_count) == 0)
 kernel BUG at include/linux/mm.h:367!
 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
 RIP: [&lt;ffffffff8119df9c&gt;] generic_pipe_buf_release+0x3c/0x40
 Call Trace:
  [&lt;ffffffff811c48a3&gt;] splice_direct_to_actor+0x143/0x1e0
  [&lt;ffffffff811c42e0&gt;] ? generic_pipe_buf_nosteal+0x10/0x10
  [&lt;ffffffff811c49cf&gt;] do_splice_direct+0x8f/0xb0
  [&lt;ffffffff81196869&gt;] do_sendfile+0x199/0x380
  [&lt;ffffffff81197600&gt;] SyS_sendfile64+0x90/0xa0
  [&lt;ffffffff8192cd1e&gt;] tracesys_phase2+0x84/0x89

(busybox's cat uses sendfile(2), unlike the coreutils version)

This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd-&gt;nr_pages == 0.  spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers with
garbage.

All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_page() handle this condition
gracefully.

Signed-off-by: Rabin Vincent &lt;rabin@rab.in&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d6785d9152147596f60234157da2b02540c3e60f upstream.

Running the following command:

 busybox cat /sys/kernel/debug/tracing/trace_pipe &gt; /dev/null

with any tracing enabled pretty very quickly leads to various NULL
pointer dereferences and VM BUG_ON()s, such as these:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
 IP: [&lt;ffffffff8119df6c&gt;] generic_pipe_buf_release+0xc/0x40
 Call Trace:
  [&lt;ffffffff811c48a3&gt;] splice_direct_to_actor+0x143/0x1e0
  [&lt;ffffffff811c42e0&gt;] ? generic_pipe_buf_nosteal+0x10/0x10
  [&lt;ffffffff811c49cf&gt;] do_splice_direct+0x8f/0xb0
  [&lt;ffffffff81196869&gt;] do_sendfile+0x199/0x380
  [&lt;ffffffff81197600&gt;] SyS_sendfile64+0x90/0xa0
  [&lt;ffffffff8192cbee&gt;] entry_SYSCALL_64_fastpath+0x12/0x6d

 page dumped because: VM_BUG_ON_PAGE(atomic_read(&amp;page-&gt;_count) == 0)
 kernel BUG at include/linux/mm.h:367!
 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
 RIP: [&lt;ffffffff8119df9c&gt;] generic_pipe_buf_release+0x3c/0x40
 Call Trace:
  [&lt;ffffffff811c48a3&gt;] splice_direct_to_actor+0x143/0x1e0
  [&lt;ffffffff811c42e0&gt;] ? generic_pipe_buf_nosteal+0x10/0x10
  [&lt;ffffffff811c49cf&gt;] do_splice_direct+0x8f/0xb0
  [&lt;ffffffff81196869&gt;] do_sendfile+0x199/0x380
  [&lt;ffffffff81197600&gt;] SyS_sendfile64+0x90/0xa0
  [&lt;ffffffff8192cd1e&gt;] tracesys_phase2+0x84/0x89

(busybox's cat uses sendfile(2), unlike the coreutils version)

This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd-&gt;nr_pages == 0.  spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers with
garbage.

All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_page() handle this condition
gracefully.

Signed-off-by: Rabin Vincent &lt;rabin@rab.in&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vfs: show_vfsstat: do not ignore errors from show_devname method</title>
<updated>2016-04-30T22:06:01+00:00</updated>
<author>
<name>Dmitry V. Levin</name>
<email>ldv@altlinux.org</email>
</author>
<published>2015-03-19T11:10:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=31a055ab230e77270be39fb4204f1d244953a3c7'/>
<id>31a055ab230e77270be39fb4204f1d244953a3c7</id>
<content type='text'>
commit 5f8d498d4364f544fee17125787a47553db02afa upstream.

Explicitly check show_devname method return code and bail out in case
of an error.  This fixes regression introduced by commit 9d4d65748a5c.

Signed-off-by: Dmitry V. Levin &lt;ldv@altlinux.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
[bwh: Backported to 3.16: add the 'out' label]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5f8d498d4364f544fee17125787a47553db02afa upstream.

Explicitly check show_devname method return code and bail out in case
of an error.  This fixes regression introduced by commit 9d4d65748a5c.

Signed-off-by: Dmitry V. Levin &lt;ldv@altlinux.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
[bwh: Backported to 3.16: add the 'out' label]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>nfsd: fix deadlock secinfo+readdir compound</title>
<updated>2016-04-30T22:06:00+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2016-03-03T00:36:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a34207e99ce196675d059f1b01baa50850fe7832'/>
<id>a34207e99ce196675d059f1b01baa50850fe7832</id>
<content type='text'>
commit 2f6fc056e899bd0144a08da5cacaecbe8997cd74 upstream.

nfsd_lookup_dentry exits with the parent filehandle locked.  fh_put also
unlocks if necessary (nfsd filehandle locking is probably too lenient),
so it gets unlocked eventually, but if the following op in the compound
needs to lock it again, we can deadlock.

A fuzzer ran into this; normal clients don't send a secinfo followed by
a readdir in the same compound.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2f6fc056e899bd0144a08da5cacaecbe8997cd74 upstream.

nfsd_lookup_dentry exits with the parent filehandle locked.  fh_put also
unlocks if necessary (nfsd filehandle locking is probably too lenient),
so it gets unlocked eventually, but if the following op in the compound
needs to lock it again, we can deadlock.

A fuzzer ran into this; normal clients don't send a secinfo followed by
a readdir in the same compound.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: do not use iocb after it may have been freed</title>
<updated>2016-04-30T22:05:58+00:00</updated>
<author>
<name>Robert Doebbelin</name>
<email>robert@quobyte.com</email>
</author>
<published>2016-03-07T08:50:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9277aac3687ed46aaf14b8a0593319cdb6db675b'/>
<id>9277aac3687ed46aaf14b8a0593319cdb6db675b</id>
<content type='text'>
commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 upstream.

There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
iocb that could have been freed if async io has already completed.  The fix
in this case is simple and obvious: cache the result before starting io.

It was discovered by KASan:

kernel: ==================================================================
kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390

Signed-off-by: Robert Doebbelin &lt;robert@quobyte.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO")
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 upstream.

There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
iocb that could have been freed if async io has already completed.  The fix
in this case is simple and obvious: cache the result before starting io.

It was discovered by KASan:

kernel: ==================================================================
kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390

Signed-off-by: Robert Doebbelin &lt;robert@quobyte.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO")
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
