<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs, branch v4.6.1</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>hpfs: implement the show_options method</title>
<updated>2016-06-01T19:18:05+00:00</updated>
<author>
<name>Mikulas Patocka</name>
<email>mikulas@twibright.com</email>
</author>
<published>2016-05-24T20:49:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=359e08c67b1a21a1da16e8c7bbc525d5e63c2192'/>
<id>359e08c67b1a21a1da16e8c7bbc525d5e63c2192</id>
<content type='text'>
commit 037369b872940cd923835a0a589763180c4a36bc upstream.

The HPFS filesystem used generic_show_options to produce string that is
displayed in /proc/mounts.  However, there is a problem that the options
may disappear after remount.  If we mount the filesystem with option1
and then remount it with option2, /proc/mounts should show both option1
and option2, however it only shows option2 because the whole option
string is replaced with replace_mount_options in hpfs_remount_fs.

To fix this bug, implement the hpfs_show_options function that prints
options that are currently selected.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 037369b872940cd923835a0a589763180c4a36bc upstream.

The HPFS filesystem used generic_show_options to produce string that is
displayed in /proc/mounts.  However, there is a problem that the options
may disappear after remount.  If we mount the filesystem with option1
and then remount it with option2, /proc/mounts should show both option1
and option2, however it only shows option2 because the whole option
string is replaced with replace_mount_options in hpfs_remount_fs.

To fix this bug, implement the hpfs_show_options function that prints
options that are currently selected.

Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>hpfs: fix remount failure when there are no options changed</title>
<updated>2016-06-01T19:18:05+00:00</updated>
<author>
<name>Mikulas Patocka</name>
<email>mikulas@twibright.com</email>
</author>
<published>2016-05-24T20:47:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=afe77793b7f016a7e346d828458d873f6afe8905'/>
<id>afe77793b7f016a7e346d828458d873f6afe8905</id>
<content type='text'>
commit 44d51706b4685f965cd32acde3fe0fcc1e6198e8 upstream.

Commit ce657611baf9 ("hpfs: kstrdup() out of memory handling") checks if
the kstrdup function returns NULL due to out-of-memory condition.

However, if we are remounting a filesystem with no change to
filesystem-specific options, the parameter data is NULL.  In this case,
kstrdup returns NULL (because it was passed NULL parameter), although no
out of memory condition exists.  The mount syscall then fails with
ENOMEM.

This patch fixes the bug.  We fail with ENOMEM only if data is non-NULL.

The patch also changes the call to replace_mount_options - if we didn't
pass any filesystem-specific options, we don't call
replace_mount_options (thus we don't erase existing reported options).

Fixes: ce657611baf9 ("hpfs: kstrdup() out of memory handling")
Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 44d51706b4685f965cd32acde3fe0fcc1e6198e8 upstream.

Commit ce657611baf9 ("hpfs: kstrdup() out of memory handling") checks if
the kstrdup function returns NULL due to out-of-memory condition.

However, if we are remounting a filesystem with no change to
filesystem-specific options, the parameter data is NULL.  In this case,
kstrdup returns NULL (because it was passed NULL parameter), although no
out of memory condition exists.  The mount syscall then fails with
ENOMEM.

This patch fixes the bug.  We fail with ENOMEM only if data is non-NULL.

The patch also changes the call to replace_mount_options - if we didn't
pass any filesystem-specific options, we don't call
replace_mount_options (thus we don't erase existing reported options).

Fixes: ce657611baf9 ("hpfs: kstrdup() out of memory handling")
Signed-off-by: Mikulas Patocka &lt;mpatocka@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: fix handling of faults from btrfs_copy_from_user</title>
<updated>2016-06-01T19:18:05+00:00</updated>
<author>
<name>Chris Mason</name>
<email>clm@fb.com</email>
</author>
<published>2016-05-16T16:21:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4704fa547224fd49041c26f7fca3710a47fc449f'/>
<id>4704fa547224fd49041c26f7fca3710a47fc449f</id>
<content type='text'>
commit 56244ef151c3cd11f505020ab0b3f45454363bcc upstream.

When btrfs_copy_from_user isn't able to copy all of the pages, we need
to adjust our accounting to reflect the work that was actually done.

Commit 2e78c927d79 changed around the decisions a little and we ended up
skipping the accounting adjustments some of the time.  This commit makes
sure that when we don't copy anything at all, we still hop into
the adjustments, and switches to release_bytes instead of write_bytes,
since write_bytes isn't aligned.

The accounting errors led to warnings during btrfs_destroy_inode:

[   70.847532] WARNING: CPU: 10 PID: 514 at fs/btrfs/inode.c:9350 btrfs_destroy_inode+0x2b3/0x2c0
[   70.847536] Modules linked in: i2c_piix4 virtio_net i2c_core input_leds button led_class serio_raw acpi_cpufreq sch_fq_codel autofs4 virtio_blk
[   70.847538] CPU: 10 PID: 514 Comm: umount Tainted: G        W 4.6.0-rc6_00062_g2997da1-dirty #23
[   70.847539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.0-1.fc24 04/01/2014
[   70.847542]  0000000000000000 ffff880ff5cafab8 ffffffff8149d5e9 0000000000000202
[   70.847543]  0000000000000000 0000000000000000 0000000000000000 ffff880ff5cafb08
[   70.847547]  ffffffff8107bdfd ffff880ff5cafaf8 000024868120013d ffff880ff5cafb28
[   70.847547] Call Trace:
[   70.847550]  [&lt;ffffffff8149d5e9&gt;] dump_stack+0x51/0x78
[   70.847551]  [&lt;ffffffff8107bdfd&gt;] __warn+0xfd/0x120
[   70.847553]  [&lt;ffffffff8107be3d&gt;] warn_slowpath_null+0x1d/0x20
[   70.847555]  [&lt;ffffffff8139c9e3&gt;] btrfs_destroy_inode+0x2b3/0x2c0
[   70.847556]  [&lt;ffffffff812003a1&gt;] ? __destroy_inode+0x71/0x140
[   70.847558]  [&lt;ffffffff812004b3&gt;] destroy_inode+0x43/0x70
[   70.847559]  [&lt;ffffffff810b7b5f&gt;] ? wake_up_bit+0x2f/0x40
[   70.847560]  [&lt;ffffffff81200c68&gt;] evict+0x148/0x1d0
[   70.847562]  [&lt;ffffffff81398ade&gt;] ? start_transaction+0x3de/0x460
[   70.847564]  [&lt;ffffffff81200d49&gt;] dispose_list+0x59/0x80
[   70.847565]  [&lt;ffffffff81201ba0&gt;] evict_inodes+0x180/0x190
[   70.847566]  [&lt;ffffffff812191ff&gt;] ? __sync_filesystem+0x3f/0x50
[   70.847568]  [&lt;ffffffff811e95f8&gt;] generic_shutdown_super+0x48/0x100
[   70.847569]  [&lt;ffffffff810b75c0&gt;] ? woken_wake_function+0x20/0x20
[   70.847571]  [&lt;ffffffff811e9796&gt;] kill_anon_super+0x16/0x30
[   70.847573]  [&lt;ffffffff81365cde&gt;] btrfs_kill_super+0x1e/0x130
[   70.847574]  [&lt;ffffffff811e99be&gt;] deactivate_locked_super+0x4e/0x90
[   70.847576]  [&lt;ffffffff811e9e61&gt;] deactivate_super+0x51/0x70
[   70.847577]  [&lt;ffffffff8120536f&gt;] cleanup_mnt+0x3f/0x80
[   70.847579]  [&lt;ffffffff81205402&gt;] __cleanup_mnt+0x12/0x20
[   70.847581]  [&lt;ffffffff81098358&gt;] task_work_run+0x68/0xa0
[   70.847582]  [&lt;ffffffff810022b6&gt;] exit_to_usermode_loop+0xd6/0xe0
[   70.847583]  [&lt;ffffffff81002e1d&gt;] do_syscall_64+0xbd/0x170
[   70.847586]  [&lt;ffffffff817d4dbc&gt;] entry_SYSCALL64_slow_path+0x25/0x25

This is the test program I used to force short returns from
btrfs_copy_from_user

void *dontneed(void *arg)
{
	char *p = arg;
	int ret;

	while(1) {
		ret = madvise(p, BUFSIZE/4, MADV_DONTNEED);
		if (ret) {
			perror("madvise");
			exit(1);
		}
	}
}

int main(int ac, char **av) {
	int ret;
	int fd;
	char *filename;
	unsigned long offset;
	char *buf;
	int i;
	pthread_t tid;

	if (ac != 2) {
		fprintf(stderr, "usage: dammitdave filename\n");
		exit(1);
	}

	buf = mmap(NULL, BUFSIZE, PROT_READ|PROT_WRITE,
		   MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
	if (buf == MAP_FAILED) {
		perror("mmap");
		exit(1);
	}
	memset(buf, 'a', BUFSIZE);
	filename = av[1];

	ret = pthread_create(&amp;tid, NULL, dontneed, buf);
	if (ret) {
		fprintf(stderr, "error %d from pthread_create\n", ret);
		exit(1);
	}

	ret = pthread_detach(tid);
	if (ret) {
		fprintf(stderr, "pthread detach failed %d\n", ret);
		exit(1);
	}

	while (1) {
		fd = open(filename, O_RDWR | O_CREAT, 0600);
		if (fd &lt; 0) {
			perror("open");
			exit(1);
		}

		for (i = 0; i &lt; ROUNDS; i++) {
			int this_write = BUFSIZE;

			offset = rand() % MAXSIZE;
			ret = pwrite(fd, buf, this_write, offset);
			if (ret &lt; 0) {
				perror("pwrite");
				exit(1);
			} else if (ret != this_write) {
				fprintf(stderr, "short write to %s offset %lu ret %d\n",
					filename, offset, ret);
				exit(1);
			}
			if (i == ROUNDS - 1) {
				ret = sync_file_range(fd, offset, 4096,
				    SYNC_FILE_RANGE_WRITE);
				if (ret &lt; 0) {
					perror("sync_file_range");
					exit(1);
				}
			}
		}
		ret = ftruncate(fd, 0);
		if (ret &lt; 0) {
			perror("ftruncate");
			exit(1);
		}
		ret = close(fd);
		if (ret) {
			perror("close");
			exit(1);
		}
		ret = unlink(filename);
		if (ret) {
			perror("unlink");
			exit(1);
		}

	}
	return 0;
}

Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Reported-by: Dave Jones &lt;dsj@fb.com&gt;
Fixes: 2e78c927d79333f299a8ac81c2fd2952caeef335
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 56244ef151c3cd11f505020ab0b3f45454363bcc upstream.

When btrfs_copy_from_user isn't able to copy all of the pages, we need
to adjust our accounting to reflect the work that was actually done.

Commit 2e78c927d79 changed around the decisions a little and we ended up
skipping the accounting adjustments some of the time.  This commit makes
sure that when we don't copy anything at all, we still hop into
the adjustments, and switches to release_bytes instead of write_bytes,
since write_bytes isn't aligned.

The accounting errors led to warnings during btrfs_destroy_inode:

[   70.847532] WARNING: CPU: 10 PID: 514 at fs/btrfs/inode.c:9350 btrfs_destroy_inode+0x2b3/0x2c0
[   70.847536] Modules linked in: i2c_piix4 virtio_net i2c_core input_leds button led_class serio_raw acpi_cpufreq sch_fq_codel autofs4 virtio_blk
[   70.847538] CPU: 10 PID: 514 Comm: umount Tainted: G        W 4.6.0-rc6_00062_g2997da1-dirty #23
[   70.847539] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.0-1.fc24 04/01/2014
[   70.847542]  0000000000000000 ffff880ff5cafab8 ffffffff8149d5e9 0000000000000202
[   70.847543]  0000000000000000 0000000000000000 0000000000000000 ffff880ff5cafb08
[   70.847547]  ffffffff8107bdfd ffff880ff5cafaf8 000024868120013d ffff880ff5cafb28
[   70.847547] Call Trace:
[   70.847550]  [&lt;ffffffff8149d5e9&gt;] dump_stack+0x51/0x78
[   70.847551]  [&lt;ffffffff8107bdfd&gt;] __warn+0xfd/0x120
[   70.847553]  [&lt;ffffffff8107be3d&gt;] warn_slowpath_null+0x1d/0x20
[   70.847555]  [&lt;ffffffff8139c9e3&gt;] btrfs_destroy_inode+0x2b3/0x2c0
[   70.847556]  [&lt;ffffffff812003a1&gt;] ? __destroy_inode+0x71/0x140
[   70.847558]  [&lt;ffffffff812004b3&gt;] destroy_inode+0x43/0x70
[   70.847559]  [&lt;ffffffff810b7b5f&gt;] ? wake_up_bit+0x2f/0x40
[   70.847560]  [&lt;ffffffff81200c68&gt;] evict+0x148/0x1d0
[   70.847562]  [&lt;ffffffff81398ade&gt;] ? start_transaction+0x3de/0x460
[   70.847564]  [&lt;ffffffff81200d49&gt;] dispose_list+0x59/0x80
[   70.847565]  [&lt;ffffffff81201ba0&gt;] evict_inodes+0x180/0x190
[   70.847566]  [&lt;ffffffff812191ff&gt;] ? __sync_filesystem+0x3f/0x50
[   70.847568]  [&lt;ffffffff811e95f8&gt;] generic_shutdown_super+0x48/0x100
[   70.847569]  [&lt;ffffffff810b75c0&gt;] ? woken_wake_function+0x20/0x20
[   70.847571]  [&lt;ffffffff811e9796&gt;] kill_anon_super+0x16/0x30
[   70.847573]  [&lt;ffffffff81365cde&gt;] btrfs_kill_super+0x1e/0x130
[   70.847574]  [&lt;ffffffff811e99be&gt;] deactivate_locked_super+0x4e/0x90
[   70.847576]  [&lt;ffffffff811e9e61&gt;] deactivate_super+0x51/0x70
[   70.847577]  [&lt;ffffffff8120536f&gt;] cleanup_mnt+0x3f/0x80
[   70.847579]  [&lt;ffffffff81205402&gt;] __cleanup_mnt+0x12/0x20
[   70.847581]  [&lt;ffffffff81098358&gt;] task_work_run+0x68/0xa0
[   70.847582]  [&lt;ffffffff810022b6&gt;] exit_to_usermode_loop+0xd6/0xe0
[   70.847583]  [&lt;ffffffff81002e1d&gt;] do_syscall_64+0xbd/0x170
[   70.847586]  [&lt;ffffffff817d4dbc&gt;] entry_SYSCALL64_slow_path+0x25/0x25

This is the test program I used to force short returns from
btrfs_copy_from_user

void *dontneed(void *arg)
{
	char *p = arg;
	int ret;

	while(1) {
		ret = madvise(p, BUFSIZE/4, MADV_DONTNEED);
		if (ret) {
			perror("madvise");
			exit(1);
		}
	}
}

int main(int ac, char **av) {
	int ret;
	int fd;
	char *filename;
	unsigned long offset;
	char *buf;
	int i;
	pthread_t tid;

	if (ac != 2) {
		fprintf(stderr, "usage: dammitdave filename\n");
		exit(1);
	}

	buf = mmap(NULL, BUFSIZE, PROT_READ|PROT_WRITE,
		   MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
	if (buf == MAP_FAILED) {
		perror("mmap");
		exit(1);
	}
	memset(buf, 'a', BUFSIZE);
	filename = av[1];

	ret = pthread_create(&amp;tid, NULL, dontneed, buf);
	if (ret) {
		fprintf(stderr, "error %d from pthread_create\n", ret);
		exit(1);
	}

	ret = pthread_detach(tid);
	if (ret) {
		fprintf(stderr, "pthread detach failed %d\n", ret);
		exit(1);
	}

	while (1) {
		fd = open(filename, O_RDWR | O_CREAT, 0600);
		if (fd &lt; 0) {
			perror("open");
			exit(1);
		}

		for (i = 0; i &lt; ROUNDS; i++) {
			int this_write = BUFSIZE;

			offset = rand() % MAXSIZE;
			ret = pwrite(fd, buf, this_write, offset);
			if (ret &lt; 0) {
				perror("pwrite");
				exit(1);
			} else if (ret != this_write) {
				fprintf(stderr, "short write to %s offset %lu ret %d\n",
					filename, offset, ret);
				exit(1);
			}
			if (i == ROUNDS - 1) {
				ret = sync_file_range(fd, offset, 4096,
				    SYNC_FILE_RANGE_WRITE);
				if (ret &lt; 0) {
					perror("sync_file_range");
					exit(1);
				}
			}
		}
		ret = ftruncate(fd, 0);
		if (ret &lt; 0) {
			perror("ftruncate");
			exit(1);
		}
		ret = close(fd);
		if (ret) {
			perror("close");
			exit(1);
		}
		ret = unlink(filename);
		if (ret) {
			perror("unlink");
			exit(1);
		}

	}
	return 0;
}

Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Reported-by: Dave Jones &lt;dsj@fb.com&gt;
Fixes: 2e78c927d79333f299a8ac81c2fd2952caeef335
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl</title>
<updated>2016-06-01T19:18:05+00:00</updated>
<author>
<name>Luke Dashjr</name>
<email>luke@dashjr.org</email>
</author>
<published>2015-10-29T08:22:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b82bec5eabf12739a955ff03a954a7cb7bf57d57'/>
<id>b82bec5eabf12739a955ff03a954a7cb7bf57d57</id>
<content type='text'>
commit 4c63c2454eff996c5e27991221106eb511f7db38 upstream.

32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can
be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr
fail.

Signed-off-by: Luke Dashjr &lt;luke-jr+git@utopios.org&gt;
Reviewed-by: Josef Bacik &lt;jbacik@fb.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4c63c2454eff996c5e27991221106eb511f7db38 upstream.

32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can
be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr
fail.

Signed-off-by: Luke Dashjr &lt;luke-jr+git@utopios.org&gt;
Reviewed-by: Josef Bacik &lt;jbacik@fb.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Fixing oops in callback path</title>
<updated>2016-06-01T19:18:04+00:00</updated>
<author>
<name>Olga Kornievskaia</name>
<email>kolga@netapp.com</email>
</author>
<published>2016-05-10T20:57:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8fa0eca935e64b83c18e6aee4aafc313ae5bd9c9'/>
<id>8fa0eca935e64b83c18e6aee4aafc313ae5bd9c9</id>
<content type='text'>
commit c2985d001d2fb77357aeae675545893b61c50044 upstream.

Commit 80f9642724af5 ("NFSv4.x: Enforce the ca_maxreponsesize_cached
on the back channel") causes an oops when it receives a callback with
cachethis=yes.

[  109.667378] BUG: unable to handle kernel NULL pointer dereference at 00000000000002c8
[  109.669476] IP: [&lt;ffffffffa08a3e68&gt;] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
[  109.671216] PGD 0
[  109.671736] Oops: 0000 [#1] SMP
[  109.705427] CPU: 1 PID: 3579 Comm: nfsv4.1-svc Not tainted 4.5.0-rc1+ #1
[  109.706987] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
[  109.709468] task: ffff8800b4408000 ti: ffff88008448c000 task.ti: ffff88008448c000
[  109.711207] RIP: 0010:[&lt;ffffffffa08a3e68&gt;]  [&lt;ffffffffa08a3e68&gt;] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
[  109.713521] RSP: 0018:ffff88008448fca0  EFLAGS: 00010286
[  109.714762] RAX: ffff880081ee202c RBX: ffff8800b7b5b600 RCX: 0000000000000001
[  109.716427] RDX: 0000000000000008 RSI: 0000000000000008 RDI: 0000000000000000
[  109.718091] RBP: ffff88008448fda8 R08: 0000000000000000 R09: 000000000b000000
[  109.719757] R10: ffff880137786000 R11: ffff8800b7b5b600 R12: 0000000001000000
[  109.721415] R13: 0000000000000002 R14: 0000000053270000 R15: 000000000000000b
[  109.723061] FS:  0000000000000000(0000) GS:ffff880139640000(0000) knlGS:0000000000000000
[  109.724931] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  109.726278] CR2: 00000000000002c8 CR3: 0000000034d50000 CR4: 00000000001406e0
[  109.727972] Stack:
[  109.728465]  ffff880081ee202c ffff880081ee201c 000000008448fcc0 ffff8800baccb800
[  109.730349]  ffff8800baccc800 ffffffffa08d0380 0000000000000000 0000000000000000
[  109.732211]  ffff8800b7b5b600 0000000000000001 ffffffff81d073c0 ffff880081ee3090
[  109.734056] Call Trace:
[  109.734657]  [&lt;ffffffffa03795d4&gt;] svc_process_common+0x5c4/0x6c0 [sunrpc]
[  109.736267]  [&lt;ffffffffa0379a4c&gt;] bc_svc_process+0x1fc/0x360 [sunrpc]
[  109.737775]  [&lt;ffffffffa08a2c2c&gt;] nfs41_callback_svc+0x10c/0x1d0 [nfsv4]
[  109.739335]  [&lt;ffffffff810cb380&gt;] ? prepare_to_wait_event+0xf0/0xf0
[  109.740799]  [&lt;ffffffffa08a2b20&gt;] ? nfs4_callback_svc+0x50/0x50 [nfsv4]
[  109.742349]  [&lt;ffffffff810a6998&gt;] kthread+0xd8/0xf0
[  109.743495]  [&lt;ffffffff810a68c0&gt;] ? kthread_park+0x60/0x60
[  109.744776]  [&lt;ffffffff816abc4f&gt;] ret_from_fork+0x3f/0x70
[  109.746037]  [&lt;ffffffff810a68c0&gt;] ? kthread_park+0x60/0x60
[  109.747324] Code: cc 45 31 f6 48 8b 85 00 ff ff ff 44 89 30 48 8b 85 f8 fe ff ff 44 89 20 48 8b 9d 38 ff ff ff 48 8b bd 30 ff ff ff 48 85 db 74 4c &lt;4c&gt; 8b af c8 02 00 00 4d 8d a5 08 02 00 00 49 81 c5 98 02 00 00
[  109.754361] RIP  [&lt;ffffffffa08a3e68&gt;] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
[  109.756123]  RSP &lt;ffff88008448fca0&gt;
[  109.756951] CR2: 00000000000002c8
[  109.757738] ---[ end trace 2b8555511ab5dfb4 ]---
[  109.758819] Kernel panic - not syncing: Fatal exception
[  109.760126] Kernel Offset: disabled
[  118.938934] ---[ end Kernel panic - not syncing: Fatal exception

It doesn't unlock the table nor does it set the cps-&gt;clp pointer which
is later needed by nfs4_cb_free_slot().

Fixes: 80f9642724af5 ("NFSv4.x: Enforce the ca_maxresponsesize_cached ...")
Signed-off-by: Olga Kornievskaia &lt;kolga@netapp.com&gt;
Signed-off-by: Anna Schumaker &lt;Anna.Schumaker@Netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c2985d001d2fb77357aeae675545893b61c50044 upstream.

Commit 80f9642724af5 ("NFSv4.x: Enforce the ca_maxreponsesize_cached
on the back channel") causes an oops when it receives a callback with
cachethis=yes.

[  109.667378] BUG: unable to handle kernel NULL pointer dereference at 00000000000002c8
[  109.669476] IP: [&lt;ffffffffa08a3e68&gt;] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
[  109.671216] PGD 0
[  109.671736] Oops: 0000 [#1] SMP
[  109.705427] CPU: 1 PID: 3579 Comm: nfsv4.1-svc Not tainted 4.5.0-rc1+ #1
[  109.706987] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
[  109.709468] task: ffff8800b4408000 ti: ffff88008448c000 task.ti: ffff88008448c000
[  109.711207] RIP: 0010:[&lt;ffffffffa08a3e68&gt;]  [&lt;ffffffffa08a3e68&gt;] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
[  109.713521] RSP: 0018:ffff88008448fca0  EFLAGS: 00010286
[  109.714762] RAX: ffff880081ee202c RBX: ffff8800b7b5b600 RCX: 0000000000000001
[  109.716427] RDX: 0000000000000008 RSI: 0000000000000008 RDI: 0000000000000000
[  109.718091] RBP: ffff88008448fda8 R08: 0000000000000000 R09: 000000000b000000
[  109.719757] R10: ffff880137786000 R11: ffff8800b7b5b600 R12: 0000000001000000
[  109.721415] R13: 0000000000000002 R14: 0000000053270000 R15: 000000000000000b
[  109.723061] FS:  0000000000000000(0000) GS:ffff880139640000(0000) knlGS:0000000000000000
[  109.724931] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  109.726278] CR2: 00000000000002c8 CR3: 0000000034d50000 CR4: 00000000001406e0
[  109.727972] Stack:
[  109.728465]  ffff880081ee202c ffff880081ee201c 000000008448fcc0 ffff8800baccb800
[  109.730349]  ffff8800baccc800 ffffffffa08d0380 0000000000000000 0000000000000000
[  109.732211]  ffff8800b7b5b600 0000000000000001 ffffffff81d073c0 ffff880081ee3090
[  109.734056] Call Trace:
[  109.734657]  [&lt;ffffffffa03795d4&gt;] svc_process_common+0x5c4/0x6c0 [sunrpc]
[  109.736267]  [&lt;ffffffffa0379a4c&gt;] bc_svc_process+0x1fc/0x360 [sunrpc]
[  109.737775]  [&lt;ffffffffa08a2c2c&gt;] nfs41_callback_svc+0x10c/0x1d0 [nfsv4]
[  109.739335]  [&lt;ffffffff810cb380&gt;] ? prepare_to_wait_event+0xf0/0xf0
[  109.740799]  [&lt;ffffffffa08a2b20&gt;] ? nfs4_callback_svc+0x50/0x50 [nfsv4]
[  109.742349]  [&lt;ffffffff810a6998&gt;] kthread+0xd8/0xf0
[  109.743495]  [&lt;ffffffff810a68c0&gt;] ? kthread_park+0x60/0x60
[  109.744776]  [&lt;ffffffff816abc4f&gt;] ret_from_fork+0x3f/0x70
[  109.746037]  [&lt;ffffffff810a68c0&gt;] ? kthread_park+0x60/0x60
[  109.747324] Code: cc 45 31 f6 48 8b 85 00 ff ff ff 44 89 30 48 8b 85 f8 fe ff ff 44 89 20 48 8b 9d 38 ff ff ff 48 8b bd 30 ff ff ff 48 85 db 74 4c &lt;4c&gt; 8b af c8 02 00 00 4d 8d a5 08 02 00 00 49 81 c5 98 02 00 00
[  109.754361] RIP  [&lt;ffffffffa08a3e68&gt;] nfs4_callback_compound+0x4f8/0x690 [nfsv4]
[  109.756123]  RSP &lt;ffff88008448fca0&gt;
[  109.756951] CR2: 00000000000002c8
[  109.757738] ---[ end trace 2b8555511ab5dfb4 ]---
[  109.758819] Kernel panic - not syncing: Fatal exception
[  109.760126] Kernel Offset: disabled
[  118.938934] ---[ end Kernel panic - not syncing: Fatal exception

It doesn't unlock the table nor does it set the cps-&gt;clp pointer which
is later needed by nfs4_cb_free_slot().

Fixes: 80f9642724af5 ("NFSv4.x: Enforce the ca_maxresponsesize_cached ...")
Signed-off-by: Olga Kornievskaia &lt;kolga@netapp.com&gt;
Signed-off-by: Anna Schumaker &lt;Anna.Schumaker@Netapp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fscrypto/f2fs: allow fs-specific key prefix for fs encryption</title>
<updated>2016-06-01T19:17:59+00:00</updated>
<author>
<name>Jaegeuk Kim</name>
<email>jaegeuk@kernel.org</email>
</author>
<published>2016-05-05T05:05:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea27481a427ee75cb77088b785ae8591eb74870c'/>
<id>ea27481a427ee75cb77088b785ae8591eb74870c</id>
<content type='text'>
commit b5a7aef1ef436ec005fef0efe31a676ec5f4ab31 upstream.

This patch allows fscrypto to handle a second key prefix given by filesystem.
The main reason is to provide backward compatibility, since previously f2fs
used "f2fs:" as a crypto prefix instead of "fscrypt:".
Later, ext4 should also provide key_prefix() to give "ext4:".

One concern decribed by Ted would be kinda double check overhead of prefixes.
In x86, for example, validate_user_key consumes 8 ms after boot-up, which turns
out derive_key_aes() consumed most of the time to load specific crypto module.
After such the cold miss, it shows almost zero latencies, which treats as a
negligible overhead.
Note that request_key() detects wrong prefix in prior to derive_key_aes() even.

Cc: Ted Tso &lt;tytso@mit.edu&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b5a7aef1ef436ec005fef0efe31a676ec5f4ab31 upstream.

This patch allows fscrypto to handle a second key prefix given by filesystem.
The main reason is to provide backward compatibility, since previously f2fs
used "f2fs:" as a crypto prefix instead of "fscrypt:".
Later, ext4 should also provide key_prefix() to give "ext4:".

One concern decribed by Ted would be kinda double check overhead of prefixes.
In x86, for example, validate_user_key consumes 8 ms after boot-up, which turns
out derive_key_aes() consumed most of the time to load specific crypto module.
After such the cold miss, it shows almost zero latencies, which treats as a
negligible overhead.
Note that request_key() detects wrong prefix in prior to derive_key_aes() even.

Cc: Ted Tso &lt;tytso@mit.edu&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication</title>
<updated>2016-06-01T19:17:58+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2016-05-03T08:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1030183a090a8e61b8776ffbfef1cf7c83f2f47e'/>
<id>1030183a090a8e61b8776ffbfef1cf7c83f2f47e</id>
<content type='text'>
commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 upstream.

Only server which map unknown users to guest will allow
access using a non-null NTLMv2_Response.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 upstream.

Only server which map unknown users to guest will allow
access using a non-null NTLMv2_Response.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication</title>
<updated>2016-06-01T19:17:58+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2016-05-03T08:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=86006a0c7a5e577eed7e73591dd6b513be8834c8'/>
<id>86006a0c7a5e577eed7e73591dd6b513be8834c8</id>
<content type='text'>
commit 777f69b8d26bf35ade4a76b08f203c11e048365d upstream.

Only server which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 777f69b8d26bf35ade4a76b08f203c11e048365d upstream.

Only server which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fs/cifs: correctly to anonymous authentication for the LANMAN authentication</title>
<updated>2016-06-01T19:17:58+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2016-05-03T08:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e92b6159427fe8b06630273140c74f7437d7f73c'/>
<id>e92b6159427fe8b06630273140c74f7437d7f73c</id>
<content type='text'>
commit fa8f3a354bb775ec586e4475bcb07f7dece97e0c upstream.

Only server which map unknown users to guest will allow
access using a non-null LMChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fa8f3a354bb775ec586e4475bcb07f7dece97e0c upstream.

Only server which map unknown users to guest will allow
access using a non-null LMChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>fs/cifs: correctly to anonymous authentication via NTLMSSP</title>
<updated>2016-06-01T19:17:58+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2016-05-03T08:52:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=32afd0e6d6c714eb74b4831c5d098f733f261f42'/>
<id>32afd0e6d6c714eb74b4831c5d098f733f261f42</id>
<content type='text'>
commit cfda35d98298131bf38fbad3ce4cd5ecb3cf18db upstream.

See [MS-NLMP] 3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client:

   ...
   Set NullSession to FALSE
   If (AUTHENTICATE_MESSAGE.UserNameLen == 0 AND
      AUTHENTICATE_MESSAGE.NtChallengeResponse.Length == 0 AND
      (AUTHENTICATE_MESSAGE.LmChallengeResponse == Z(1)
       OR
       AUTHENTICATE_MESSAGE.LmChallengeResponse.Length == 0))
       -- Special case: client requested anonymous authentication
       Set NullSession to TRUE
   ...

Only server which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cfda35d98298131bf38fbad3ce4cd5ecb3cf18db upstream.

See [MS-NLMP] 3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client:

   ...
   Set NullSession to FALSE
   If (AUTHENTICATE_MESSAGE.UserNameLen == 0 AND
      AUTHENTICATE_MESSAGE.NtChallengeResponse.Length == 0 AND
      (AUTHENTICATE_MESSAGE.LmChallengeResponse == Z(1)
       OR
       AUTHENTICATE_MESSAGE.LmChallengeResponse.Length == 0))
       -- Special case: client requested anonymous authentication
       Set NullSession to TRUE
   ...

Only server which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
