<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs, branch v3.3.7</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Avoid reading past buffer when calling GETACL</title>
<updated>2012-05-21T17:46:24+00:00</updated>
<author>
<name>Sachin Prabhu</name>
<email>sprabhu@redhat.com</email>
</author>
<published>2012-04-17T13:35:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=22594eea7aea374c0680f70fd89eeb1fc47ae635'/>
<id>22594eea7aea374c0680f70fd89eeb1fc47ae635</id>
<content type='text'>
commit 5a00689930ab975fdd1b37b034475017e460cf2a upstream.

Bug noticed in commit
bf118a342f10dafe44b14451a1392c3254629a1f

When calling GETACL, if the size of the bitmap array, the length
attribute and the acl returned by the server is greater than the
allocated buffer(args.acl_len), we can Oops with a General Protection
fault at _copy_from_pages() when we attempt to read past the pages
allocated.

This patch allocates an extra PAGE for the bitmap and checks to see that
the bitmap + attribute_length + ACLs don't exceed the buffer space
allocated to it.

Signed-off-by: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Reported-by: Jian Li &lt;jiali@redhat.com&gt;
[Trond: Fixed a size_t vs unsigned int printk() warning]
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5a00689930ab975fdd1b37b034475017e460cf2a upstream.

Bug noticed in commit
bf118a342f10dafe44b14451a1392c3254629a1f

When calling GETACL, if the size of the bitmap array, the length
attribute and the acl returned by the server is greater than the
allocated buffer(args.acl_len), we can Oops with a General Protection
fault at _copy_from_pages() when we attempt to read past the pages
allocated.

This patch allocates an extra PAGE for the bitmap and checks to see that
the bitmap + attribute_length + ACLs don't exceed the buffer space
allocated to it.

Signed-off-by: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Reported-by: Jian Li &lt;jiali@redhat.com&gt;
[Trond: Fixed a size_t vs unsigned int printk() warning]
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Avoid beyond bounds copy while caching ACL</title>
<updated>2012-05-21T17:46:24+00:00</updated>
<author>
<name>Sachin Prabhu</name>
<email>sprabhu@redhat.com</email>
</author>
<published>2012-04-17T13:36:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4262cd1f4b734ea5fa05c37043c89106f38b2daa'/>
<id>4262cd1f4b734ea5fa05c37043c89106f38b2daa</id>
<content type='text'>
commit 5794d21ef4639f0e33440927bb903f9598c21e92 upstream.

When attempting to cache ACLs returned from the server, if the bitmap
size + the ACL size is greater than a PAGE_SIZE but the ACL size itself
is smaller than a PAGE_SIZE, we can read past the buffer page boundary.

Signed-off-by: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Reported-by: Jian Li &lt;jiali@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5794d21ef4639f0e33440927bb903f9598c21e92 upstream.

When attempting to cache ACLs returned from the server, if the bitmap
size + the ACL size is greater than a PAGE_SIZE but the ACL size itself
is smaller than a PAGE_SIZE, we can read past the buffer page boundary.

Signed-off-by: Sachin Prabhu &lt;sprabhu@redhat.com&gt;
Reported-by: Jian Li &lt;jiali@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: fix revalidation test in cifs_llseek()</title>
<updated>2012-05-21T17:46:22+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2012-04-30T14:36:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4c7a674cc364f699fa5b6a6176c6cff4f586e607'/>
<id>4c7a674cc364f699fa5b6a6176c6cff4f586e607</id>
<content type='text'>
commit 48a5730e5b71201e226ff06e245bf308feba5f10 upstream.

This test is always true so it means we revalidate the length every
time, which generates more network traffic.  When it is SEEK_SET or
SEEK_CUR, then we don't need to revalidate.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 48a5730e5b71201e226ff06e245bf308feba5f10 upstream.

This test is always true so it means we revalidate the length every
time, which generates more network traffic.  When it is SEEK_SET or
SEEK_CUR, then we don't need to revalidate.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: avoid deadlock on sync-mounted FS w/o journal</title>
<updated>2012-05-21T17:46:22+00:00</updated>
<author>
<name>Eric Sandeen</name>
<email>sandeen@redhat.com</email>
</author>
<published>2012-02-21T04:06:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=277ff221e8b2a9d4397c247313883d1160c0403e'/>
<id>277ff221e8b2a9d4397c247313883d1160c0403e</id>
<content type='text'>
commit c1bb05a657fb3d8c6179a4ef7980261fae4521d7 upstream.

Processes hang forever on a sync-mounted ext2 file system that
is mounted with the ext4 module (default in Fedora 16).

I can reproduce this reliably by mounting an ext2 partition with
"-o sync" and opening a new file an that partition with vim. vim
will hang in "D" state forever.  The same happens on ext4 without
a journal.

I am attaching a small patch here that solves this issue for me.
In the sync mounted case without a journal,
ext4_handle_dirty_metadata() may call sync_dirty_buffer(), which
can't be called with buffer lock held.

Also move mb_cache_entry_release inside lock to avoid race
fixed previously by 8a2bfdcb ext[34]: EA block reference count racing fix
Note too that ext2 fixed this same problem in 2006 with
b2f49033 [PATCH] fix deadlock in ext2

Signed-off-by: Martin.Wilck@ts.fujitsu.com
[sandeen@redhat.com: move mb_cache_entry_release before unlock, edit commit msg]
Signed-off-by: Eric Sandeen &lt;sandeen@redhat.com&gt;
Signed-off-by: "Theodore Ts'o" &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c1bb05a657fb3d8c6179a4ef7980261fae4521d7 upstream.

Processes hang forever on a sync-mounted ext2 file system that
is mounted with the ext4 module (default in Fedora 16).

I can reproduce this reliably by mounting an ext2 partition with
"-o sync" and opening a new file an that partition with vim. vim
will hang in "D" state forever.  The same happens on ext4 without
a journal.

I am attaching a small patch here that solves this issue for me.
In the sync mounted case without a journal,
ext4_handle_dirty_metadata() may call sync_dirty_buffer(), which
can't be called with buffer lock held.

Also move mb_cache_entry_release inside lock to avoid race
fixed previously by 8a2bfdcb ext[34]: EA block reference count racing fix
Note too that ext2 fixed this same problem in 2006 with
b2f49033 [PATCH] fix deadlock in ext2

Signed-off-by: Martin.Wilck@ts.fujitsu.com
[sandeen@redhat.com: move mb_cache_entry_release before unlock, edit commit msg]
Signed-off-by: Eric Sandeen &lt;sandeen@redhat.com&gt;
Signed-off-by: "Theodore Ts'o" &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>jffs2: Fix lock acquisition order bug in gc path</title>
<updated>2012-05-21T17:46:20+00:00</updated>
<author>
<name>Josh Cartwright</name>
<email>joshc@linux.com</email>
</author>
<published>2012-03-29T23:34:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=66a02109c4a5891a43b437e0de677de759ea2310'/>
<id>66a02109c4a5891a43b437e0de677de759ea2310</id>
<content type='text'>
commit 226bb7df3d22bcf4a1c0fe8206c80cc427498eae upstream.

The locking policy is such that the erase_complete_block spinlock is
nested within the alloc_sem mutex.  This fixes a case in which the
acquisition order was erroneously reversed.  This issue was caught by
the following lockdep splat:

   =======================================================
   [ INFO: possible circular locking dependency detected ]
   3.0.5 #1
   -------------------------------------------------------
   jffs2_gcd_mtd6/299 is trying to acquire lock:
    (&amp;c-&gt;alloc_sem){+.+.+.}, at: [&lt;c01f7714&gt;] jffs2_garbage_collect_pass+0x314/0x890

   but task is already holding lock:
    (&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock){+.+...}, at: [&lt;c01f7708&gt;] jffs2_garbage_collect_pass+0x308/0x890

   which lock already depends on the new lock.

   the existing dependency chain (in reverse order) is:

   -&gt; #1 (&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock){+.+...}:
          [&lt;c008bec4&gt;] validate_chain+0xe6c/0x10bc
          [&lt;c008c660&gt;] __lock_acquire+0x54c/0xba4
          [&lt;c008d240&gt;] lock_acquire+0xa4/0x114
          [&lt;c046780c&gt;] _raw_spin_lock+0x3c/0x4c
          [&lt;c01f744c&gt;] jffs2_garbage_collect_pass+0x4c/0x890
          [&lt;c01f937c&gt;] jffs2_garbage_collect_thread+0x1b4/0x1cc
          [&lt;c0071a68&gt;] kthread+0x98/0xa0
          [&lt;c000f264&gt;] kernel_thread_exit+0x0/0x8

   -&gt; #0 (&amp;c-&gt;alloc_sem){+.+.+.}:
          [&lt;c008ad2c&gt;] print_circular_bug+0x70/0x2c4
          [&lt;c008c08c&gt;] validate_chain+0x1034/0x10bc
          [&lt;c008c660&gt;] __lock_acquire+0x54c/0xba4
          [&lt;c008d240&gt;] lock_acquire+0xa4/0x114
          [&lt;c0466628&gt;] mutex_lock_nested+0x74/0x33c
          [&lt;c01f7714&gt;] jffs2_garbage_collect_pass+0x314/0x890
          [&lt;c01f937c&gt;] jffs2_garbage_collect_thread+0x1b4/0x1cc
          [&lt;c0071a68&gt;] kthread+0x98/0xa0
          [&lt;c000f264&gt;] kernel_thread_exit+0x0/0x8

   other info that might help us debug this:

    Possible unsafe locking scenario:

          CPU0                    CPU1
          ----                    ----
     lock(&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock);
                                  lock(&amp;c-&gt;alloc_sem);
                                  lock(&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock);
     lock(&amp;c-&gt;alloc_sem);

    *** DEADLOCK ***

   1 lock held by jffs2_gcd_mtd6/299:
    #0:  (&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock){+.+...}, at: [&lt;c01f7708&gt;] jffs2_garbage_collect_pass+0x308/0x890

   stack backtrace:
   [&lt;c00155dc&gt;] (unwind_backtrace+0x0/0x100) from [&lt;c0463dc0&gt;] (dump_stack+0x20/0x24)
   [&lt;c0463dc0&gt;] (dump_stack+0x20/0x24) from [&lt;c008ae84&gt;] (print_circular_bug+0x1c8/0x2c4)
   [&lt;c008ae84&gt;] (print_circular_bug+0x1c8/0x2c4) from [&lt;c008c08c&gt;] (validate_chain+0x1034/0x10bc)
   [&lt;c008c08c&gt;] (validate_chain+0x1034/0x10bc) from [&lt;c008c660&gt;] (__lock_acquire+0x54c/0xba4)
   [&lt;c008c660&gt;] (__lock_acquire+0x54c/0xba4) from [&lt;c008d240&gt;] (lock_acquire+0xa4/0x114)
   [&lt;c008d240&gt;] (lock_acquire+0xa4/0x114) from [&lt;c0466628&gt;] (mutex_lock_nested+0x74/0x33c)
   [&lt;c0466628&gt;] (mutex_lock_nested+0x74/0x33c) from [&lt;c01f7714&gt;] (jffs2_garbage_collect_pass+0x314/0x890)
   [&lt;c01f7714&gt;] (jffs2_garbage_collect_pass+0x314/0x890) from [&lt;c01f937c&gt;] (jffs2_garbage_collect_thread+0x1b4/0x1cc)
   [&lt;c01f937c&gt;] (jffs2_garbage_collect_thread+0x1b4/0x1cc) from [&lt;c0071a68&gt;] (kthread+0x98/0xa0)
   [&lt;c0071a68&gt;] (kthread+0x98/0xa0) from [&lt;c000f264&gt;] (kernel_thread_exit+0x0/0x8)

This was introduce in '81cfc9f jffs2: Fix serious write stall due to erase'.

Signed-off-by: Josh Cartwright &lt;joshc@linux.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 226bb7df3d22bcf4a1c0fe8206c80cc427498eae upstream.

The locking policy is such that the erase_complete_block spinlock is
nested within the alloc_sem mutex.  This fixes a case in which the
acquisition order was erroneously reversed.  This issue was caught by
the following lockdep splat:

   =======================================================
   [ INFO: possible circular locking dependency detected ]
   3.0.5 #1
   -------------------------------------------------------
   jffs2_gcd_mtd6/299 is trying to acquire lock:
    (&amp;c-&gt;alloc_sem){+.+.+.}, at: [&lt;c01f7714&gt;] jffs2_garbage_collect_pass+0x314/0x890

   but task is already holding lock:
    (&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock){+.+...}, at: [&lt;c01f7708&gt;] jffs2_garbage_collect_pass+0x308/0x890

   which lock already depends on the new lock.

   the existing dependency chain (in reverse order) is:

   -&gt; #1 (&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock){+.+...}:
          [&lt;c008bec4&gt;] validate_chain+0xe6c/0x10bc
          [&lt;c008c660&gt;] __lock_acquire+0x54c/0xba4
          [&lt;c008d240&gt;] lock_acquire+0xa4/0x114
          [&lt;c046780c&gt;] _raw_spin_lock+0x3c/0x4c
          [&lt;c01f744c&gt;] jffs2_garbage_collect_pass+0x4c/0x890
          [&lt;c01f937c&gt;] jffs2_garbage_collect_thread+0x1b4/0x1cc
          [&lt;c0071a68&gt;] kthread+0x98/0xa0
          [&lt;c000f264&gt;] kernel_thread_exit+0x0/0x8

   -&gt; #0 (&amp;c-&gt;alloc_sem){+.+.+.}:
          [&lt;c008ad2c&gt;] print_circular_bug+0x70/0x2c4
          [&lt;c008c08c&gt;] validate_chain+0x1034/0x10bc
          [&lt;c008c660&gt;] __lock_acquire+0x54c/0xba4
          [&lt;c008d240&gt;] lock_acquire+0xa4/0x114
          [&lt;c0466628&gt;] mutex_lock_nested+0x74/0x33c
          [&lt;c01f7714&gt;] jffs2_garbage_collect_pass+0x314/0x890
          [&lt;c01f937c&gt;] jffs2_garbage_collect_thread+0x1b4/0x1cc
          [&lt;c0071a68&gt;] kthread+0x98/0xa0
          [&lt;c000f264&gt;] kernel_thread_exit+0x0/0x8

   other info that might help us debug this:

    Possible unsafe locking scenario:

          CPU0                    CPU1
          ----                    ----
     lock(&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock);
                                  lock(&amp;c-&gt;alloc_sem);
                                  lock(&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock);
     lock(&amp;c-&gt;alloc_sem);

    *** DEADLOCK ***

   1 lock held by jffs2_gcd_mtd6/299:
    #0:  (&amp;(&amp;c-&gt;erase_completion_lock)-&gt;rlock){+.+...}, at: [&lt;c01f7708&gt;] jffs2_garbage_collect_pass+0x308/0x890

   stack backtrace:
   [&lt;c00155dc&gt;] (unwind_backtrace+0x0/0x100) from [&lt;c0463dc0&gt;] (dump_stack+0x20/0x24)
   [&lt;c0463dc0&gt;] (dump_stack+0x20/0x24) from [&lt;c008ae84&gt;] (print_circular_bug+0x1c8/0x2c4)
   [&lt;c008ae84&gt;] (print_circular_bug+0x1c8/0x2c4) from [&lt;c008c08c&gt;] (validate_chain+0x1034/0x10bc)
   [&lt;c008c08c&gt;] (validate_chain+0x1034/0x10bc) from [&lt;c008c660&gt;] (__lock_acquire+0x54c/0xba4)
   [&lt;c008c660&gt;] (__lock_acquire+0x54c/0xba4) from [&lt;c008d240&gt;] (lock_acquire+0xa4/0x114)
   [&lt;c008d240&gt;] (lock_acquire+0xa4/0x114) from [&lt;c0466628&gt;] (mutex_lock_nested+0x74/0x33c)
   [&lt;c0466628&gt;] (mutex_lock_nested+0x74/0x33c) from [&lt;c01f7714&gt;] (jffs2_garbage_collect_pass+0x314/0x890)
   [&lt;c01f7714&gt;] (jffs2_garbage_collect_pass+0x314/0x890) from [&lt;c01f937c&gt;] (jffs2_garbage_collect_thread+0x1b4/0x1cc)
   [&lt;c01f937c&gt;] (jffs2_garbage_collect_thread+0x1b4/0x1cc) from [&lt;c0071a68&gt;] (kthread+0x98/0xa0)
   [&lt;c0071a68&gt;] (kthread+0x98/0xa0) from [&lt;c000f264&gt;] (kernel_thread_exit+0x0/0x8)

This was introduce in '81cfc9f jffs2: Fix serious write stall due to erase'.

Signed-off-by: Josh Cartwright &lt;joshc@linux.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>nfsd: don't fail unchecked creates of non-special files</title>
<updated>2012-05-12T16:32:21+00:00</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2012-04-09T22:06:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=502fd05d816f4a74a1a7bb45896ba35a33f8da10'/>
<id>502fd05d816f4a74a1a7bb45896ba35a33f8da10</id>
<content type='text'>
commit 9dc4e6c4d1182d34604ea40fef641775f5b15456 upstream.

Allow a v3 unchecked open of a non-regular file succeed as if it were a
lookup; typically a client in such a case will want to fall back on a
local open, so succeeding and giving it the filehandle is more useful
than failing with nfserr_exist, which makes it appear that nothing at
all exists by that name.

Similarly for v4, on an open-create, return the same errors we would on
an attempt to open a non-regular file, instead of returning
nfserr_exist.

This fixes a problem found doing a v4 open of a symlink with
O_RDONLY|O_CREAT, which resulted in the current client returning EEXIST.

Thanks also to Trond for analysis.

Reported-by: Orion Poplawski &lt;orion@cora.nwra.com&gt;
Tested-by: Orion Poplawski &lt;orion@cora.nwra.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
[bwh: Backported to 3.2 and 3.3: use &amp;resfh, not resfh]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9dc4e6c4d1182d34604ea40fef641775f5b15456 upstream.

Allow a v3 unchecked open of a non-regular file succeed as if it were a
lookup; typically a client in such a case will want to fall back on a
local open, so succeeding and giving it the filehandle is more useful
than failing with nfserr_exist, which makes it appear that nothing at
all exists by that name.

Similarly for v4, on an open-create, return the same errors we would on
an attempt to open a non-regular file, instead of returning
nfserr_exist.

This fixes a problem found doing a v4 open of a symlink with
O_RDONLY|O_CREAT, which resulted in the current client returning EEXIST.

Thanks also to Trond for analysis.

Reported-by: Orion Poplawski &lt;orion@cora.nwra.com&gt;
Tested-by: Orion Poplawski &lt;orion@cora.nwra.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
[bwh: Backported to 3.2 and 3.3: use &amp;resfh, not resfh]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>hugepages: fix use after free bug in "quota" handling</title>
<updated>2012-05-12T16:32:21+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2012-03-21T23:34:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c6e143d5d46c8c84247c5ca9202c4d677a6162a7'/>
<id>c6e143d5d46c8c84247c5ca9202c4d677a6162a7</id>
<content type='text'>
commit 90481622d75715bfcb68501280a917dbfe516029 upstream.

hugetlbfs_{get,put}_quota() are badly named.  They don't interact with the
general quota handling code, and they don't much resemble its behaviour.
Rather than being about maintaining limits on on-disk block usage by
particular users, they are instead about maintaining limits on in-memory
page usage (including anonymous MAP_PRIVATE copied-on-write pages)
associated with a particular hugetlbfs filesystem instance.

Worse, they work by having callbacks to the hugetlbfs filesystem code from
the low-level page handling code, in particular from free_huge_page().
This is a layering violation of itself, but more importantly, if the
kernel does a get_user_pages() on hugepages (which can happen from KVM
amongst others), then the free_huge_page() can be delayed until after the
associated inode has already been freed.  If an unmount occurs at the
wrong time, even the hugetlbfs superblock where the "quota" limits are
stored may have been freed.

Andrew Barry proposed a patch to fix this by having hugepages, instead of
storing a pointer to their address_space and reaching the superblock from
there, had the hugepages store pointers directly to the superblock,
bumping the reference count as appropriate to avoid it being freed.
Andrew Morton rejected that version, however, on the grounds that it made
the existing layering violation worse.

This is a reworked version of Andrew's patch, which removes the extra, and
some of the existing, layering violation.  It works by introducing the
concept of a hugepage "subpool" at the lower hugepage mm layer - that is a
finite logical pool of hugepages to allocate from.  hugetlbfs now creates
a subpool for each filesystem instance with a page limit set, and a
pointer to the subpool gets added to each allocated hugepage, instead of
the address_space pointer used now.  The subpool has its own lifetime and
is only freed once all pages in it _and_ all other references to it (i.e.
superblocks) are gone.

subpools are optional - a NULL subpool pointer is taken by the code to
mean that no subpool limits are in effect.

Previous discussion of this bug found in:  "Fix refcounting in hugetlbfs
quota handling.". See:  https://lkml.org/lkml/2011/8/11/28 or
http://marc.info/?l=linux-mm&amp;m=126928970510627&amp;w=1

v2: Fixed a bug spotted by Hillf Danton, and removed the extra parameter to
alloc_huge_page() - since it already takes the vma, it is not necessary.

Signed-off-by: Andrew Barry &lt;abarry@cray.com&gt;
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Cc: Hugh Dickins &lt;hughd@google.com&gt;
Cc: Mel Gorman &lt;mgorman@suse.de&gt;
Cc: Minchan Kim &lt;minchan.kim@gmail.com&gt;
Cc: Hillf Danton &lt;dhillf@gmail.com&gt;
Cc: Paul Mackerras &lt;paulus@samba.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 90481622d75715bfcb68501280a917dbfe516029 upstream.

hugetlbfs_{get,put}_quota() are badly named.  They don't interact with the
general quota handling code, and they don't much resemble its behaviour.
Rather than being about maintaining limits on on-disk block usage by
particular users, they are instead about maintaining limits on in-memory
page usage (including anonymous MAP_PRIVATE copied-on-write pages)
associated with a particular hugetlbfs filesystem instance.

Worse, they work by having callbacks to the hugetlbfs filesystem code from
the low-level page handling code, in particular from free_huge_page().
This is a layering violation of itself, but more importantly, if the
kernel does a get_user_pages() on hugepages (which can happen from KVM
amongst others), then the free_huge_page() can be delayed until after the
associated inode has already been freed.  If an unmount occurs at the
wrong time, even the hugetlbfs superblock where the "quota" limits are
stored may have been freed.

Andrew Barry proposed a patch to fix this by having hugepages, instead of
storing a pointer to their address_space and reaching the superblock from
there, had the hugepages store pointers directly to the superblock,
bumping the reference count as appropriate to avoid it being freed.
Andrew Morton rejected that version, however, on the grounds that it made
the existing layering violation worse.

This is a reworked version of Andrew's patch, which removes the extra, and
some of the existing, layering violation.  It works by introducing the
concept of a hugepage "subpool" at the lower hugepage mm layer - that is a
finite logical pool of hugepages to allocate from.  hugetlbfs now creates
a subpool for each filesystem instance with a page limit set, and a
pointer to the subpool gets added to each allocated hugepage, instead of
the address_space pointer used now.  The subpool has its own lifetime and
is only freed once all pages in it _and_ all other references to it (i.e.
superblocks) are gone.

subpools are optional - a NULL subpool pointer is taken by the code to
mean that no subpool limits are in effect.

Previous discussion of this bug found in:  "Fix refcounting in hugetlbfs
quota handling.". See:  https://lkml.org/lkml/2011/8/11/28 or
http://marc.info/?l=linux-mm&amp;m=126928970510627&amp;w=1

v2: Fixed a bug spotted by Hillf Danton, and removed the extra parameter to
alloc_huge_page() - since it already takes the vma, it is not necessary.

Signed-off-by: Andrew Barry &lt;abarry@cray.com&gt;
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Cc: Hugh Dickins &lt;hughd@google.com&gt;
Cc: Mel Gorman &lt;mgorman@suse.de&gt;
Cc: Minchan Kim &lt;minchan.kim@gmail.com&gt;
Cc: Hillf Danton &lt;dhillf@gmail.com&gt;
Cc: Paul Mackerras &lt;paulus@samba.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fs/cifs: fix parsing of dfs referrals</title>
<updated>2012-05-12T16:32:04+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2012-05-03T22:19:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=800aaea4c2da2c2022c48a10c2e80ab68c6eb790'/>
<id>800aaea4c2da2c2022c48a10c2e80ab68c6eb790</id>
<content type='text'>
commit d8f2799b105a24bb0bbd3380a0d56e6348484058 upstream.

The problem was that the first referral was parsed more than once
and so the caller tried the same referrals multiple times.

The problem was introduced partly by commit
066ce6899484d9026acd6ba3a8dbbedb33d7ae1b,
where 'ref += le16_to_cpu(ref-&gt;Size);' got lost,
but that was also wrong...

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Tested-by: Björn Jacke &lt;bj@sernet.de&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d8f2799b105a24bb0bbd3380a0d56e6348484058 upstream.

The problem was that the first referral was parsed more than once
and so the caller tried the same referrals multiple times.

The problem was introduced partly by commit
066ce6899484d9026acd6ba3a8dbbedb33d7ae1b,
where 'ref += le16_to_cpu(ref-&gt;Size);' got lost,
but that was also wrong...

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Tested-by: Björn Jacke &lt;bj@sernet.de&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>hfsplus: Fix potential buffer overflows</title>
<updated>2012-05-07T15:53:38+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2012-05-04T19:09:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9af2cbfa4d8279d29a7881079c9270f43e61ade7'/>
<id>9af2cbfa4d8279d29a7881079c9270f43e61ade7</id>
<content type='text'>
commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream.

Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
potential buffer overflows in the hfs filesystem.  But as Timo Warns
pointed out, these changes also need to be made on the hfsplus
filesystem as well.

Reported-by: Timo Warns &lt;warns@pre-sense.de&gt;
Acked-by: WANG Cong &lt;amwang@redhat.com&gt;
Cc: Alexey Khoroshilov &lt;khoroshilov@ispras.ru&gt;
Cc: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: Sage Weil &lt;sage@newdream.net&gt;
Cc: Eugene Teo &lt;eteo@redhat.com&gt;
Cc: Roman Zippel &lt;zippel@linux-m68k.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Cc: Dave Anderson &lt;anderson@redhat.com&gt;
Cc: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream.

Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
potential buffer overflows in the hfs filesystem.  But as Timo Warns
pointed out, these changes also need to be made on the hfsplus
filesystem as well.

Reported-by: Timo Warns &lt;warns@pre-sense.de&gt;
Acked-by: WANG Cong &lt;amwang@redhat.com&gt;
Cc: Alexey Khoroshilov &lt;khoroshilov@ispras.ru&gt;
Cc: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Cc: Sage Weil &lt;sage@newdream.net&gt;
Cc: Eugene Teo &lt;eteo@redhat.com&gt;
Cc: Roman Zippel &lt;zippel@linux-m68k.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Cc: Dave Anderson &lt;anderson@redhat.com&gt;
Cc: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>exit_signal: simplify the "we have changed execution domain" logic</title>
<updated>2012-05-07T15:53:35+00:00</updated>
<author>
<name>Oleg Nesterov</name>
<email>oleg@redhat.com</email>
</author>
<published>2012-03-19T16:03:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f799aa1565fc056504ba7473a09e8f0dee3a20b7'/>
<id>f799aa1565fc056504ba7473a09e8f0dee3a20b7</id>
<content type='text'>
commit e636825346b36a07ccfc8e30946d52855e21f681 upstream.

exit_notify() checks "tsk-&gt;self_exec_id != tsk-&gt;parent_exec_id"
to handle the "we have changed execution domain" case.

We can change do_thread() to always set -&gt;exit_signal = SIGCHLD
and remove this check to simplify the code.

We could change setup_new_exec() instead, this looks more logical
because it increments -&gt;self_exec_id. But note that de_thread()
already resets -&gt;exit_signal if it changes the leader, let's keep
both changes close to each other.

Note that we change -&gt;exit_signal lockless, this changes the rules.
Thereafter -&gt;exit_signal is not stable under tasklist but this is
fine, the only possible change is OLDSIG -&gt; SIGCHLD. This can race
with eligible_child() but the race is harmless. We can race with
reparent_leader() which changes our -&gt;exit_signal in parallel, but
it does the same change to SIGCHLD.

The noticeable user-visible change is that the execing task is not
"visible" to do_wait()-&gt;eligible_child(__WCLONE) right after exec.
To me this looks more logical, and this is consistent with mt case.

Signed-off-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e636825346b36a07ccfc8e30946d52855e21f681 upstream.

exit_notify() checks "tsk-&gt;self_exec_id != tsk-&gt;parent_exec_id"
to handle the "we have changed execution domain" case.

We can change do_thread() to always set -&gt;exit_signal = SIGCHLD
and remove this check to simplify the code.

We could change setup_new_exec() instead, this looks more logical
because it increments -&gt;self_exec_id. But note that de_thread()
already resets -&gt;exit_signal if it changes the leader, let's keep
both changes close to each other.

Note that we change -&gt;exit_signal lockless, this changes the rules.
Thereafter -&gt;exit_signal is not stable under tasklist but this is
fine, the only possible change is OLDSIG -&gt; SIGCHLD. This can race
with eligible_child() but the race is harmless. We can race with
reparent_leader() which changes our -&gt;exit_signal in parallel, but
it does the same change to SIGCHLD.

The noticeable user-visible change is that the execing task is not
"visible" to do_wait()-&gt;eligible_child(__WCLONE) right after exec.
To me this looks more logical, and this is consistent with mt case.

Signed-off-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
