Linux kernel source tree https://git.amat.us/linux/atom/fs/ceph?h=v3.2.36 2012-10-30T23:26:40Z 2012-10-30T23:26:40Z Hugh Dickins hughd@google.com 2012-10-08T03:32:51Z urn:sha1:ba3385bc8c513fd741f09ef75e53e0e6547b079e commit 35c2a7f4908d404c9124c2efc6ada4640ca4d5d5 upstream. Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(), u64 inum = fid->raw[2]; which is unhelpfully reported as at the end of shmem_alloc_inode(): BUG: unable to handle kernel paging request at ffff880061cd3000 IP: [<ffffffff812190d0>] shmem_alloc_inode+0x40/0x40 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Call Trace: [<ffffffff81488649>] ? exportfs_decode_fh+0x79/0x2d0 [<ffffffff812d77c3>] do_handle_open+0x163/0x2c0 [<ffffffff812d792c>] sys_open_by_handle_at+0xc/0x10 [<ffffffff83a5f3f8>] tracesys+0xe1/0xe6 Right, tmpfs is being stupid to access fid->raw[2] before validating that fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may fall at the end of a page, and the next page not be present. But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and could oops in the same way: add the missing fh_len checks to those. Reported-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: Hugh Dickins <hughd@google.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Sage Weil <sage@inktank.com> Cc: Steven Whitehouse <swhiteho@redhat.com> Cc: Christoph Hellwig <hch@infradead.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2011-12-29T16:05:14Z Sage Weil sage@newdream.net 2011-12-29T16:05:14Z urn:sha1:a4d46363ce96c8fd7534c6f79051c78b52464132 Ceph attempts to use the dcache to satisfy negative lookups and readdir when the entire directory contents are in cache. Disable this behavior until lingering bugs in this code are shaken out; we'll re-enable these hooks once things are fully stable. Signed-off-by: Sage Weil <sage@newdream.net> 2011-12-13T19:59:53Z Yehuda Sadeh yehuda@hq.newdream.net 2011-12-13T17:57:44Z urn:sha1:9d5a09e659f8414dd3713e2acbfaf8a9e9794aa1 one of the paths was missing spin_unlock Signed-off-by: Yehuda Sadeh <yehuda@hq.newdream.net> 2011-12-13T17:19:26Z Sage Weil sage@newdream.net 2011-12-13T17:19:26Z urn:sha1:6a82c47aa84ab22cb5969a44105cca5358879d21 Commit 06222e491e663dac939f04b125c9dc52126a75c4 got the if wrong so that it always evaluates as true. This is semantically harmless, but makes SEEK_CUR and SEEK_SET needlessly query the server. Rewrite the if to explicitly enumerate the cases we DO need a valid i_size to make this code less fragile. Reported-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Sage Weil <sage@newdream.net> 2011-12-07T18:46:44Z Sage Weil sage@newdream.net 2011-11-30T17:47:09Z urn:sha1:be655596b3de5873f994ddbe205751a5ffb4de39 We have been using i_lock to protect all kinds of data structures in the ceph_inode_info struct, including lists of inodes that we need to iterate over while avoiding races with inode destruction. That requires grabbing a reference to the inode with the list lock protected, but igrab() now takes i_lock to check the inode flags. Changing the list lock ordering would be a painful process. However, using a ceph-specific i_ceph_lock in the ceph inode instead of i_lock is a simple mechanical change and avoids the ordering constraints imposed by igrab(). Reported-by: Amon Ott <a.ott@m-privacy.de> Signed-off-by: Sage Weil <sage@newdream.net> 2011-12-02T17:27:54Z Sage Weil sage@newdream.net 2011-12-01T16:06:52Z urn:sha1:2151937d7ce491bfbe269a1ae742c6686904474c Fix typo. Reported-by: mowang da <whooya.xxl@gmail.com> Signed-off-by: Sage Weil <sage@newdream.net> 2011-11-11T17:50:17Z Sage Weil sage@newdream.net 2011-11-11T17:48:08Z urn:sha1:774ac21da76f5c3018428725074e27a3fd40b128 Set up d_fsdata on the root dentry. This fixes a NULL pointer dereference in ceph_d_prune on umount. It also means we can eventually strip out all of the conditional checks on d_fsdata because it is now set unconditionally (prior to setting up the d_ops). Fix the ceph_d_prune debug print while we're here. Signed-off-by: Sage Weil <sage@newdream.net> 2011-11-06T05:06:31Z Sage Weil sage@newdream.net 2011-11-06T05:06:31Z urn:sha1:15a2015fbc692e1c97d7ce12d96e077f5ae7ea6d If we queue a work item that calls iput(), make sure we ihold() before attempting to queue work. Otherwise our queued work might miraculously run before we notice the queue_work() succeeded and call ihold(), allowing the inode to be destroyed. That is, instead of if (queue_work(...)) ihold(); we need to do ihold(); if (!queue_work(...)) iput(); Reported-by: Amon Ott <a.ott@m-privacy.de> Signed-off-by: Sage Weil <sage@newdream.net> 2011-11-06T04:10:12Z H Hartley Sweeten hartleys@visionengravers.com 2011-09-23T18:53:30Z urn:sha1:0c6d4b4e22a513f8563a2e00c5ab08e9f8796272 Quiet the sparse noise: warning: symbol 'create_fs_client' was not declared. Should it be static? warning: symbol 'destroy_fs_client' was not declared. Should it be static? Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com> Cc: Sage Weil <sage@newdream.net> ceph-devel@vger.kernel.org Signed-off-by: Sage Weil <sage@newdream.net> 2011-11-06T04:10:11Z H Hartley Sweeten hartleys@visionengravers.com 2011-09-23T20:22:11Z urn:sha1:7fd7d101ff50af55d6d69f4705facc00c324024e Quiet the following sparse noise: warning: symbol 'get_nonsnap_parent' was not declared. Should it be static? warning: symbol 'done_closing_sessions' was not declared. Should it be static? Local functions don't need external visability. Make them static. Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com> Cc: Sage Weil <sage@newdream.net> Signed-off-by: Sage Weil <sage@newdream.net>