<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs, branch v4.9.5</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.</title>
<updated>2017-01-19T19:18:05+00:00</updated>
<author>
<name>NeilBrown</name>
<email>neilb@suse.com</email>
</author>
<published>2016-12-19T00:19:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=396b25173370fc1afa3bc91a315d5597c2b10734'/>
<id>396b25173370fc1afa3bc91a315d5597c2b10734</id>
<content type='text'>
commit cfd278c280f997cf2fe4662e0acab0fe465f637b upstream.

Various places assume that if nfs4_fl_prepare_ds() turns a non-NULL 'ds',
then ds-&gt;ds_clp will also be non-NULL.

This is not necessasrily true in the case when the process received a fatal signal
while nfs4_pnfs_ds_connect is waiting in nfs4_wait_ds_connect().
In that case -&gt;ds_clp may not be set, and the devid may not recently have been marked
unavailable.

So add a test for ds_clp == NULL and return NULL in that case.

Fixes: c23266d532b4 ("NFS4.1 Fix data server connection race")
Signed-off-by: NeilBrown &lt;neilb@suse.com&gt;
Acked-by: Olga Kornievskaia &lt;aglo@umich.edu&gt;
Acked-by: Adamson, Andy &lt;William.Adamson@netapp.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cfd278c280f997cf2fe4662e0acab0fe465f637b upstream.

Various places assume that if nfs4_fl_prepare_ds() turns a non-NULL 'ds',
then ds-&gt;ds_clp will also be non-NULL.

This is not necessasrily true in the case when the process received a fatal signal
while nfs4_pnfs_ds_connect is waiting in nfs4_wait_ds_connect().
In that case -&gt;ds_clp may not be set, and the devid may not recently have been marked
unavailable.

So add a test for ds_clp == NULL and return NULL in that case.

Fixes: c23266d532b4 ("NFS4.1 Fix data server connection race")
Signed-off-by: NeilBrown &lt;neilb@suse.com&gt;
Acked-by: Olga Kornievskaia &lt;aglo@umich.edu&gt;
Acked-by: Adamson, Andy &lt;William.Adamson@netapp.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>NFS: Fix a performance regression in readdir</title>
<updated>2017-01-19T19:18:05+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2016-11-19T15:54:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e331f2f2b1fbb5157dfb4f0a977bc8c3737e5927'/>
<id>e331f2f2b1fbb5157dfb4f0a977bc8c3737e5927</id>
<content type='text'>
commit 79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb upstream.

Ben Coddington reports that commit 311324ad1713, by adding the function
nfs_dir_mapping_need_revalidate() that checks page cache validity on
each call to nfs_readdir() causes a performance regression when
the directory is being modified.

If the directory is changing while we're iterating through the directory,
POSIX does not require us to invalidate the page cache unless the user
calls rewinddir(). However, we still do want to ensure that we use
readdirplus in order to avoid a load of stat() calls when the user
is doing an 'ls -l' workload.

The fix should be to invalidate the page cache immediately when we're
setting the NFS_INO_ADVISE_RDPLUS bit.

Reported-by: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Fixes: 311324ad1713 ("NFS: Be more aggressive in using readdirplus...")
Reviewed-by: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Tested-by: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb upstream.

Ben Coddington reports that commit 311324ad1713, by adding the function
nfs_dir_mapping_need_revalidate() that checks page cache validity on
each call to nfs_readdir() causes a performance regression when
the directory is being modified.

If the directory is changing while we're iterating through the directory,
POSIX does not require us to invalidate the page cache unless the user
calls rewinddir(). However, we still do want to ensure that we use
readdirplus in order to avoid a load of stat() calls when the user
is doing an 'ls -l' workload.

The fix should be to invalidate the page cache immediately when we're
setting the NFS_INO_ADVISE_RDPLUS bit.

Reported-by: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Fixes: 311324ad1713 ("NFS: Be more aggressive in using readdirplus...")
Reviewed-by: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Tested-by: Benjamin Coddington &lt;bcodding@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>pNFS: Fix race in pnfs_wait_on_layoutreturn</title>
<updated>2017-01-19T19:18:05+00:00</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2016-11-18T20:21:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4c4d4bec6c904fc050847f977b13052be5745ae1'/>
<id>4c4d4bec6c904fc050847f977b13052be5745ae1</id>
<content type='text'>
commit ee284e35d8c71bf5d4d807eaff6f67a17134b359 upstream.

We must put the task to sleep while holding the inode-&gt;i_lock in order
to ensure atomicity with the test for NFS_LAYOUT_RETURN.

Fixes: 500d701f336b ("NFS41: make close wait for layoutreturn")
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ee284e35d8c71bf5d4d807eaff6f67a17134b359 upstream.

We must put the task to sleep while holding the inode-&gt;i_lock in order
to ensure atomicity with the test for NFS_LAYOUT_RETURN.

Fixes: 500d701f336b ("NFS41: make close wait for layoutreturn")
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>NFS: fix typo in parameter description</title>
<updated>2017-01-19T19:18:05+00:00</updated>
<author>
<name>Wei Yongjun</name>
<email>weiyongjun1@huawei.com</email>
</author>
<published>2016-10-28T14:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=633b570376991e0447c63d925990ecc02896b25e'/>
<id>633b570376991e0447c63d925990ecc02896b25e</id>
<content type='text'>
commit f36ab161bebe464d33b998294eff29b17a9c8918 upstream.

Fix typo in parameter description.

Fixes: 5405fc44c337 ("NFSv4.x: Add kernel parameter to control the
callback server")
Signed-off-by: Wei Yongjun &lt;weiyongjun1@huawei.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f36ab161bebe464d33b998294eff29b17a9c8918 upstream.

Fix typo in parameter description.

Fixes: 5405fc44c337 ("NFSv4.x: Add kernel parameter to control the
callback server")
Signed-off-by: Wei Yongjun &lt;weiyongjun1@huawei.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>btrfs: fix error handling when run_delayed_extent_op fails</title>
<updated>2017-01-19T19:18:05+00:00</updated>
<author>
<name>Jeff Mahoney</name>
<email>jeffm@suse.com</email>
</author>
<published>2016-12-20T18:28:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7a1dcd92fd396cd66f60b51fb102171d8dee460d'/>
<id>7a1dcd92fd396cd66f60b51fb102171d8dee460d</id>
<content type='text'>
commit aa7c8da35d1905d80e840d075f07d26ec90144b5 upstream.

In __btrfs_run_delayed_refs, the error path when run_delayed_extent_op
fails sets locked_ref-&gt;processing = 0 but doesn't re-increment
delayed_refs-&gt;num_heads_ready.  As a result, we end up triggering
the WARN_ON in btrfs_select_ref_head.

Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
Reported-by: Jon Nelson &lt;jnelson-suse@jamponi.net&gt;
Signed-off-by: Jeff Mahoney &lt;jeffm@suse.com&gt;
Reviewed-by: Liu Bo &lt;bo.li.liu@oracle.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit aa7c8da35d1905d80e840d075f07d26ec90144b5 upstream.

In __btrfs_run_delayed_refs, the error path when run_delayed_extent_op
fails sets locked_ref-&gt;processing = 0 but doesn't re-increment
delayed_refs-&gt;num_heads_ready.  As a result, we end up triggering
the WARN_ON in btrfs_select_ref_head.

Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
Reported-by: Jon Nelson &lt;jnelson-suse@jamponi.net&gt;
Signed-off-by: Jeff Mahoney &lt;jeffm@suse.com&gt;
Reviewed-by: Liu Bo &lt;bo.li.liu@oracle.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>btrfs: fix locking when we put back a delayed ref that's too new</title>
<updated>2017-01-19T19:18:05+00:00</updated>
<author>
<name>Jeff Mahoney</name>
<email>jeffm@suse.com</email>
</author>
<published>2016-12-20T18:28:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=003e3163fcc76bfdf27c27ef4f5c776bfa925067'/>
<id>003e3163fcc76bfdf27c27ef4f5c776bfa925067</id>
<content type='text'>
commit d0280996437081dd12ed1e982ac8aeaa62835ec4 upstream.

In __btrfs_run_delayed_refs, when we put back a delayed ref that's too
new, we have already dropped the lock on locked_ref when we set
-&gt;processing = 0.

This patch keeps the lock to cover that assignment.

Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
Signed-off-by: Jeff Mahoney &lt;jeffm@suse.com&gt;
Reviewed-by: Liu Bo &lt;bo.li.liu@oracle.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d0280996437081dd12ed1e982ac8aeaa62835ec4 upstream.

In __btrfs_run_delayed_refs, when we put back a delayed ref that's too
new, we have already dropped the lock on locked_ref when we set
-&gt;processing = 0.

This patch keeps the lock to cover that assignment.

Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
Signed-off-by: Jeff Mahoney &lt;jeffm@suse.com&gt;
Reviewed-by: Liu Bo &lt;bo.li.liu@oracle.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>sysctl: Drop reference added by grab_header in proc_sys_readdir</title>
<updated>2017-01-19T19:18:04+00:00</updated>
<author>
<name>Zhou Chengming</name>
<email>zhouchengming1@huawei.com</email>
</author>
<published>2017-01-06T01:32:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=00cf64fbaa1e99d0420f2934f301c671ba298342'/>
<id>00cf64fbaa1e99d0420f2934f301c671ba298342</id>
<content type='text'>
commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream.

Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
added by grab_header when return from !dir_emit_dots path.
It can cause any path called unregister_sysctl_table will
wait forever.

The calltrace of CVE-2016-9191:

[ 5535.960522] Call Trace:
[ 5535.963265]  [&lt;ffffffff817cdaaf&gt;] schedule+0x3f/0xa0
[ 5535.968817]  [&lt;ffffffff817d33fb&gt;] schedule_timeout+0x3db/0x6f0
[ 5535.975346]  [&lt;ffffffff817cf055&gt;] ? wait_for_completion+0x45/0x130
[ 5535.982256]  [&lt;ffffffff817cf0d3&gt;] wait_for_completion+0xc3/0x130
[ 5535.988972]  [&lt;ffffffff810d1fd0&gt;] ? wake_up_q+0x80/0x80
[ 5535.994804]  [&lt;ffffffff8130de64&gt;] drop_sysctl_table+0xc4/0xe0
[ 5536.001227]  [&lt;ffffffff8130de17&gt;] drop_sysctl_table+0x77/0xe0
[ 5536.007648]  [&lt;ffffffff8130decd&gt;] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654]  [&lt;ffffffff8130deff&gt;] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657]  [&lt;ffffffff810f57f5&gt;] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344]  [&lt;ffffffff810d7704&gt;] partition_sched_domains+0x44/0x450
[ 5536.036447]  [&lt;ffffffff817d0761&gt;] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844]  [&lt;ffffffff81167684&gt;] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336]  [&lt;ffffffff8116789d&gt;] update_flag+0x11d/0x210
[ 5536.057373]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186]  [&lt;ffffffff81167acb&gt;] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899]  [&lt;ffffffff810fce3d&gt;] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234]  [&lt;ffffffff8115a9f5&gt;] ? css_killed_work_fn+0x25/0x220
[ 5536.091049]  [&lt;ffffffff81167ae5&gt;] cpuset_css_offline+0x35/0x60
[ 5536.097571]  [&lt;ffffffff8115aa2c&gt;] css_killed_work_fn+0x5c/0x220
[ 5536.104207]  [&lt;ffffffff810bc83f&gt;] process_one_work+0x1df/0x710
[ 5536.110736]  [&lt;ffffffff810bc7c0&gt;] ? process_one_work+0x160/0x710
[ 5536.117461]  [&lt;ffffffff810bce9b&gt;] worker_thread+0x12b/0x4a0
[ 5536.123697]  [&lt;ffffffff810bcd70&gt;] ? process_one_work+0x710/0x710
[ 5536.130426]  [&lt;ffffffff810c3f7e&gt;] kthread+0xfe/0x120
[ 5536.135991]  [&lt;ffffffff817d4baf&gt;] ret_from_fork+0x1f/0x40
[ 5536.142041]  [&lt;ffffffff810c3e80&gt;] ? kthread_create_on_node+0x230/0x230

One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex.  The offlining
ends up trying to drain active usages of a sysctl table which apprently
is not happening."
The real reason is that proc_sys_readdir doesn't drop reference added
by grab_header when return from !dir_emit_dots path. So this cpuset
offline path will wait here forever.

See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13

Fixes: f0c3b5093add ("[readdir] convert procfs")
Reported-by: CAI Qian &lt;caiqian@redhat.com&gt;
Tested-by: Yang Shukui &lt;yangshukui@huawei.com&gt;
Signed-off-by: Zhou Chengming &lt;zhouchengming1@huawei.com&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream.

Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
added by grab_header when return from !dir_emit_dots path.
It can cause any path called unregister_sysctl_table will
wait forever.

The calltrace of CVE-2016-9191:

[ 5535.960522] Call Trace:
[ 5535.963265]  [&lt;ffffffff817cdaaf&gt;] schedule+0x3f/0xa0
[ 5535.968817]  [&lt;ffffffff817d33fb&gt;] schedule_timeout+0x3db/0x6f0
[ 5535.975346]  [&lt;ffffffff817cf055&gt;] ? wait_for_completion+0x45/0x130
[ 5535.982256]  [&lt;ffffffff817cf0d3&gt;] wait_for_completion+0xc3/0x130
[ 5535.988972]  [&lt;ffffffff810d1fd0&gt;] ? wake_up_q+0x80/0x80
[ 5535.994804]  [&lt;ffffffff8130de64&gt;] drop_sysctl_table+0xc4/0xe0
[ 5536.001227]  [&lt;ffffffff8130de17&gt;] drop_sysctl_table+0x77/0xe0
[ 5536.007648]  [&lt;ffffffff8130decd&gt;] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654]  [&lt;ffffffff8130deff&gt;] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657]  [&lt;ffffffff810f57f5&gt;] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344]  [&lt;ffffffff810d7704&gt;] partition_sched_domains+0x44/0x450
[ 5536.036447]  [&lt;ffffffff817d0761&gt;] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844]  [&lt;ffffffff81167684&gt;] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336]  [&lt;ffffffff8116789d&gt;] update_flag+0x11d/0x210
[ 5536.057373]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186]  [&lt;ffffffff81167acb&gt;] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899]  [&lt;ffffffff810fce3d&gt;] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234]  [&lt;ffffffff8115a9f5&gt;] ? css_killed_work_fn+0x25/0x220
[ 5536.091049]  [&lt;ffffffff81167ae5&gt;] cpuset_css_offline+0x35/0x60
[ 5536.097571]  [&lt;ffffffff8115aa2c&gt;] css_killed_work_fn+0x5c/0x220
[ 5536.104207]  [&lt;ffffffff810bc83f&gt;] process_one_work+0x1df/0x710
[ 5536.110736]  [&lt;ffffffff810bc7c0&gt;] ? process_one_work+0x160/0x710
[ 5536.117461]  [&lt;ffffffff810bce9b&gt;] worker_thread+0x12b/0x4a0
[ 5536.123697]  [&lt;ffffffff810bcd70&gt;] ? process_one_work+0x710/0x710
[ 5536.130426]  [&lt;ffffffff810c3f7e&gt;] kthread+0xfe/0x120
[ 5536.135991]  [&lt;ffffffff817d4baf&gt;] ret_from_fork+0x1f/0x40
[ 5536.142041]  [&lt;ffffffff810c3e80&gt;] ? kthread_create_on_node+0x230/0x230

One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex.  The offlining
ends up trying to drain active usages of a sysctl table which apprently
is not happening."
The real reason is that proc_sys_readdir doesn't drop reference added
by grab_header when return from !dir_emit_dots path. So this cpuset
offline path will wait here forever.

See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13

Fixes: f0c3b5093add ("[readdir] convert procfs")
Reported-by: CAI Qian &lt;caiqian@redhat.com&gt;
Tested-by: Yang Shukui &lt;yangshukui@huawei.com&gt;
Signed-off-by: Zhou Chengming &lt;zhouchengming1@huawei.com&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mnt: Protect the mountpoint hashtable with mount_lock</title>
<updated>2017-01-19T19:18:03+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2017-01-03T01:18:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1a62a0f76556f39d6d67789bb981b28230aaa338'/>
<id>1a62a0f76556f39d6d67789bb981b28230aaa338</id>
<content type='text'>
commit 3895dbf8985f656675b5bde610723a29cbce3fa7 upstream.

Protecting the mountpoint hashtable with namespace_sem was sufficient
until a call to umount_mnt was added to mntput_no_expire.  At which
point it became possible for multiple calls of put_mountpoint on
the same hash chain to happen on the same time.

Kristen Johansen &lt;kjlx@templeofstupid.com&gt; reported:
&gt; This can cause a panic when simultaneous callers of put_mountpoint
&gt; attempt to free the same mountpoint.  This occurs because some callers
&gt; hold the mount_hash_lock, while others hold the namespace lock.  Some
&gt; even hold both.
&gt;
&gt; In this submitter's case, the panic manifested itself as a GP fault in
&gt; put_mountpoint() when it called hlist_del() and attempted to dereference
&gt; a m_hash.pprev that had been poisioned by another thread.

Al Viro observed that the simple fix is to switch from using the namespace_sem
to the mount_lock to protect the mountpoint hash table.

I have taken Al's suggested patch moved put_mountpoint in pivot_root
(instead of taking mount_lock an additional time), and have replaced
new_mountpoint with get_mountpoint a function that does the hash table
lookup and addition under the mount_lock.   The introduction of get_mounptoint
ensures that only the mount_lock is needed to manipulate the mountpoint
hashtable.

d_set_mounted is modified to only set DCACHE_MOUNTED if it is not
already set.  This allows get_mountpoint to use the setting of
DCACHE_MOUNTED to ensure adding a struct mountpoint for a dentry
happens exactly once.

Fixes: ce07d891a089 ("mnt: Honor MNT_LOCKED when detaching mounts")
Reported-by: Krister Johansen &lt;kjlx@templeofstupid.com&gt;
Suggested-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3895dbf8985f656675b5bde610723a29cbce3fa7 upstream.

Protecting the mountpoint hashtable with namespace_sem was sufficient
until a call to umount_mnt was added to mntput_no_expire.  At which
point it became possible for multiple calls of put_mountpoint on
the same hash chain to happen on the same time.

Kristen Johansen &lt;kjlx@templeofstupid.com&gt; reported:
&gt; This can cause a panic when simultaneous callers of put_mountpoint
&gt; attempt to free the same mountpoint.  This occurs because some callers
&gt; hold the mount_hash_lock, while others hold the namespace lock.  Some
&gt; even hold both.
&gt;
&gt; In this submitter's case, the panic manifested itself as a GP fault in
&gt; put_mountpoint() when it called hlist_del() and attempted to dereference
&gt; a m_hash.pprev that had been poisioned by another thread.

Al Viro observed that the simple fix is to switch from using the namespace_sem
to the mount_lock to protect the mountpoint hash table.

I have taken Al's suggested patch moved put_mountpoint in pivot_root
(instead of taking mount_lock an additional time), and have replaced
new_mountpoint with get_mountpoint a function that does the hash table
lookup and addition under the mount_lock.   The introduction of get_mounptoint
ensures that only the mount_lock is needed to manipulate the mountpoint
hashtable.

d_set_mounted is modified to only set DCACHE_MOUNTED if it is not
already set.  This allows get_mountpoint to use the setting of
DCACHE_MOUNTED to ensure adding a struct mountpoint for a dentry
happens exactly once.

Fixes: ce07d891a089 ("mnt: Honor MNT_LOCKED when detaching mounts")
Reported-by: Krister Johansen &lt;kjlx@templeofstupid.com&gt;
Suggested-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>btrfs: fix crash when tracepoint arguments are freed by wq callbacks</title>
<updated>2017-01-19T19:18:02+00:00</updated>
<author>
<name>David Sterba</name>
<email>dsterba@suse.com</email>
</author>
<published>2017-01-06T13:12:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=28dad9aa9b367b81f99a36a06d16e89e649133ce'/>
<id>28dad9aa9b367b81f99a36a06d16e89e649133ce</id>
<content type='text'>
commit ac0c7cf8be00f269f82964cf7b144ca3edc5dbc4 upstream.

Enabling btrfs tracepoints leads to instant crash, as reported. The wq
callbacks could free the memory and the tracepoints started to
dereference the members to get to fs_info.

The proposed fix https://marc.info/?l=linux-btrfs&amp;m=148172436722606&amp;w=2
removed the tracepoints but we could preserve them by passing only the
required data in a safe way.

Fixes: bc074524e123 ("btrfs: prefix fsid to all trace events")
Reported-by: Sebastian Andrzej Siewior &lt;bigeasy@linutronix.de&gt;
Reviewed-by: Qu Wenruo &lt;quwenruo@cn.fujitsu.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ac0c7cf8be00f269f82964cf7b144ca3edc5dbc4 upstream.

Enabling btrfs tracepoints leads to instant crash, as reported. The wq
callbacks could free the memory and the tracepoints started to
dereference the members to get to fs_info.

The proposed fix https://marc.info/?l=linux-btrfs&amp;m=148172436722606&amp;w=2
removed the tracepoints but we could preserve them by passing only the
required data in a safe way.

Fixes: bc074524e123 ("btrfs: prefix fsid to all trace events")
Reported-by: Sebastian Andrzej Siewior &lt;bigeasy@linutronix.de&gt;
Reviewed-by: Qu Wenruo &lt;quwenruo@cn.fujitsu.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>xfs: Timely free truncated dirty pages</title>
<updated>2017-01-19T19:18:00+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2017-01-11T18:20:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6ba35da690f30af09706095b914d8031902fd3e5'/>
<id>6ba35da690f30af09706095b914d8031902fd3e5</id>
<content type='text'>
commit 0a417b8dc1f10b03e8f558b8a831f07ec4c23795 upstream.

Commit 99579ccec4e2 "xfs: skip dirty pages in -&gt;releasepage()" started
to skip dirty pages in xfs_vm_releasepage() which also has the effect
that if a dirty page is truncated, it does not get freed by
block_invalidatepage() and is lingering in LRU list waiting for reclaim.
So a simple loop like:

while true; do
	dd if=/dev/zero of=file bs=1M count=100
	rm file
done

will keep using more and more memory until we hit low watermarks and
start pagecache reclaim which will eventually reclaim also the truncate
pages. Keeping these truncated (and thus never usable) pages in memory
is just a waste of memory, is unnecessarily stressing page cache
reclaim, and reportedly also leads to anonymous mmap(2) returning ENOMEM
prematurely.

So instead of just skipping dirty pages in xfs_vm_releasepage(), return
to old behavior of skipping them only if they have delalloc or unwritten
buffers and fix the spurious warnings by warning only if the page is
clean.

CC: Brian Foster &lt;bfoster@redhat.com&gt;
CC: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Reported-by: Petr Tůma &lt;petr.tuma@d3s.mff.cuni.cz&gt;
Fixes: 99579ccec4e271c3d4d4e7c946058766812afdab
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Reviewed-by: Brian Foster &lt;bfoster@redhat.com&gt;
Signed-off-by: Darrick J. Wong &lt;darrick.wong@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0a417b8dc1f10b03e8f558b8a831f07ec4c23795 upstream.

Commit 99579ccec4e2 "xfs: skip dirty pages in -&gt;releasepage()" started
to skip dirty pages in xfs_vm_releasepage() which also has the effect
that if a dirty page is truncated, it does not get freed by
block_invalidatepage() and is lingering in LRU list waiting for reclaim.
So a simple loop like:

while true; do
	dd if=/dev/zero of=file bs=1M count=100
	rm file
done

will keep using more and more memory until we hit low watermarks and
start pagecache reclaim which will eventually reclaim also the truncate
pages. Keeping these truncated (and thus never usable) pages in memory
is just a waste of memory, is unnecessarily stressing page cache
reclaim, and reportedly also leads to anonymous mmap(2) returning ENOMEM
prematurely.

So instead of just skipping dirty pages in xfs_vm_releasepage(), return
to old behavior of skipping them only if they have delalloc or unwritten
buffers and fix the spurious warnings by warning only if the page is
clean.

CC: Brian Foster &lt;bfoster@redhat.com&gt;
CC: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Reported-by: Petr Tůma &lt;petr.tuma@d3s.mff.cuni.cz&gt;
Fixes: 99579ccec4e271c3d4d4e7c946058766812afdab
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Reviewed-by: Brian Foster &lt;bfoster@redhat.com&gt;
Signed-off-by: Darrick J. Wong &lt;darrick.wong@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
