<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/fs, branch v3.1.5</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/fs?h=v3.1.5</id>
<link rel='self' href='https://git.amat.us/linux/atom/fs?h=v3.1.5'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2011-12-09T16:54:30Z</updated>
<entry>
<title>xfs: use doalloc flag in xfs_qm_dqattach_one()</title>
<updated>2011-12-09T16:54:30Z</updated>
<author>
<name>Mitsuo Hayasaka</name>
<email>mitsuo.hayasaka.hu@hitachi.com</email>
</author>
<published>2011-12-01T23:27:44Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5635019b754fa0ccfc2275369b05142a8a2dbde4'/>
<id>urn:sha1:5635019b754fa0ccfc2275369b05142a8a2dbde4</id>
<content type='text'>
commit db3e74b582915d66e10b0c73a62763418f54c340 upstream.

The doalloc arg in xfs_qm_dqattach_one() is a flag that indicates
whether a new area to handle quota information will be allocated
if needed. Originally, it was passed to xfs_qm_dqget(), but has
been removed by the following commit (probably by mistake):

	commit 8e9b6e7fa4544ea8a0e030c8987b918509c8ff47
	Author: Christoph Hellwig &lt;hch@lst.de&gt;
	Date:   Sun Feb 8 21:51:42 2009 +0100

	xfs: remove the unused XFS_QMOPT_DQLOCK flag

As the result, xfs_qm_dqget() called from xfs_qm_dqattach_one()
never allocates the new area even if it is needed.

This patch gives the doalloc arg to xfs_qm_dqget() in
xfs_qm_dqattach_one() to fix this problem.

Signed-off-by: Mitsuo Hayasaka &lt;mitsuo.hayasaka.hu@hitachi.com&gt;
Cc: Alex Elder &lt;aelder@sgi.com&gt;
Cc: Christoph Hellwig &lt;hch@infradead.org&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Ben Myers &lt;bpm@sgi.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>xfs: Fix possible memory corruption in xfs_readlink</title>
<updated>2011-12-09T16:54:30Z</updated>
<author>
<name>Carlos Maiolino</name>
<email>cmaiolino@redhat.com</email>
</author>
<published>2011-12-01T23:27:43Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c38aeb8cd119fddc37d7cd648d6c43e782711247'/>
<id>urn:sha1:c38aeb8cd119fddc37d7cd648d6c43e782711247</id>
<content type='text'>
commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24 upstream.

Fixes a possible memory corruption when the link is larger than
MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
S_ISLNK assert, since the inode mode is checked previously in
xfs_readlink_by_handle() and via VFS.

Updated to address concerns raised by Ben Hutchings about the loose
attention paid to 32- vs 64-bit values, and the lack of handling a
potentially negative pathlen value:
 - Changed type of "pathlen" to be xfs_fsize_t, to match that of
   ip-&gt;i_d.di_size
 - Added checking for a negative pathlen to the too-long pathlen
   test, and generalized the message that gets reported in that case
   to reflect the change
As a result, if a negative pathlen were encountered, this function
would return EFSCORRUPTED (and would fail an assertion for a debug
build)--just as would a too-long pathlen.

Signed-off-by: Alex Elder &lt;aelder@sgi.com&gt;
Signed-off-by: Carlos Maiolino &lt;cmaiolino@redhat.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Ben Myers &lt;bpm@sgi.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>xfs: fix buffer flushing during unmount</title>
<updated>2011-12-09T16:54:30Z</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@infradead.org</email>
</author>
<published>2011-12-01T23:27:42Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7f9fae139e1b34b0ecb0ff8ab051c4497d68db2c'/>
<id>urn:sha1:7f9fae139e1b34b0ecb0ff8ab051c4497d68db2c</id>
<content type='text'>
commit 87c7bec7fc3377b3873eb3a0f4b603981ea16ebb upstream.

The code to flush buffers in the umount code is a bit iffy: we first
flush all delwri buffers out, but then might be able to queue up a
new one when logging the sb counts.  On a normal shutdown that one
would get flushed out when doing the synchronous superblock write in
xfs_unmountfs_writesb, but we skip that one if the filesystem has
been shut down.

Fix this by moving the delwri list flushing until just before unmounting
the log, and while we're at it also remove the superflous delwri list
and buffer lru flusing for the rt and log device that can never have
cached or delwri buffers.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reported-by: Amit Sahrawat &lt;amit.sahrawat83@gmail.com&gt;
Tested-by: Amit Sahrawat &lt;amit.sahrawat83@gmail.com&gt;
Signed-off-by: Alex Elder &lt;aelder@sgi.com&gt;
Cc: Ben Myers &lt;bpm@sgi.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>xfs: Return -EIO when xfs_vn_getattr() failed</title>
<updated>2011-12-09T16:54:30Z</updated>
<author>
<name>Mitsuo Hayasaka</name>
<email>mitsuo.hayasaka.hu@hitachi.com</email>
</author>
<published>2011-12-01T23:27:41Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b4dd4c13166d1aab0c2cd8033f1cc1211f6f1678'/>
<id>urn:sha1:b4dd4c13166d1aab0c2cd8033f1cc1211f6f1678</id>
<content type='text'>
commit ed32201e65e15f3e6955cb84cbb544b08f81e5a5 upstream.

An attribute of inode can be fetched via xfs_vn_getattr() in XFS.
Currently it returns EIO, not negative value, when it failed.  As a
result, the system call returns not negative value even though an
error occured. The stat(2), ls and mv commands cannot handle this
error and do not work correctly.

This patch fixes this bug, and returns -EIO, not EIO when an error
is detected in xfs_vn_getattr().

Signed-off-by: Mitsuo Hayasaka &lt;mitsuo.hayasaka.hu@hitachi.com&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Alex Elder &lt;aelder@sgi.com&gt;
Cc: Ben Myers &lt;bpm@sgi.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>xfs: avoid direct I/O write vs buffered I/O race</title>
<updated>2011-12-09T16:54:29Z</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@infradead.org</email>
</author>
<published>2011-12-01T23:27:40Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6a426248da83e544995fc8a494630285260ec4ee'/>
<id>urn:sha1:6a426248da83e544995fc8a494630285260ec4ee</id>
<content type='text'>
commit c58cb165bd44de8aaee9755a144136ae743be116 upstream.

Currently a buffered reader or writer can add pages to the pagecache
while we are waiting for the iolock in xfs_file_dio_aio_write.  Prevent
this by re-checking mapping-&gt;nrpages after we got the iolock, and if
nessecary upgrade the lock to exclusive mode.  To simplify this a bit
only take the ilock inside of xfs_file_aio_write_checks.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Reviewed-by: Dave Chinner &lt;dchinner@redhat.com&gt;
Signed-off-by: Alex Elder &lt;aelder@sgi.com&gt;
Cc: Ben Myers &lt;bpm@sgi.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>xfs: don't serialise direct IO reads on page cache checks</title>
<updated>2011-12-09T16:54:29Z</updated>
<author>
<name>Dave Chinner</name>
<email>dchinner@redhat.com</email>
</author>
<published>2011-12-01T23:27:39Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=686da49e5aa50117d8d824c579c3fd9e0318fbc6'/>
<id>urn:sha1:686da49e5aa50117d8d824c579c3fd9e0318fbc6</id>
<content type='text'>
commit 0c38a2512df272b14ef4238b476a2e4f70da1479 upstream.

There is no need to grab the i_mutex of the IO lock in exclusive
mode if we don't need to invalidate the page cache. Taking these
locks on every direct IO effective serialises them as taking the IO
lock in exclusive mode has to wait for all shared holders to drop
the lock. That only happens when IO is complete, so effective it
prevents dispatch of concurrent direct IO reads to the same inode.

Fix this by taking the IO lock shared to check the page cache state,
and only then drop it and take the IO lock exclusively if there is
work to be done. Hence for the normal direct IO case, no exclusive
locking will occur.

Signed-off-by: Dave Chinner &lt;dchinner@redhat.com&gt;
Tested-by: Joern Engel &lt;joern@logfs.org&gt;
Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Alex Elder &lt;aelder@sgi.com&gt;
Cc: Ben Myers &lt;bpm@sgi.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>ext4: fix racy use-after-free in ext4_end_io_dio()</title>
<updated>2011-12-09T16:54:18Z</updated>
<author>
<name>Tejun Heo</name>
<email>tj@kernel.org</email>
</author>
<published>2011-11-25T00:22:24Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=01da30a885baa667801facc2a54c80346ab6c414'/>
<id>urn:sha1:01da30a885baa667801facc2a54c80346ab6c414</id>
<content type='text'>
commit 4c81f045c0bd2cbb78cc6446a4cd98038fe11a2e upstream.

ext4_end_io_dio() queues io_end-&gt;work and then clears iocb-&gt;private;
however, io_end-&gt;work calls aio_complete() which frees the iocb
object.  If that slab object gets reallocated, then ext4_end_io_dio()
can end up clearing someone else's iocb-&gt;private, this use-after-free
can cause a leak of a struct ext4_io_end_t structure.

Detected and tested with slab poisoning.

[ Note: Can also reproduce using 12 fio's against 12 file systems with the
  following configuration file:

  [global]
  direct=1
  ioengine=libaio
  iodepth=1
  bs=4k
  ba=4k
  size=128m

  [create]
  filename=${TESTDIR}
  rw=write

  -- tytso ]

Google-Bug-Id: 5354697
Signed-off-by: Tejun Heo &lt;tj@kernel.org&gt;
Signed-off-by: "Theodore Ts'o" &lt;tytso@mit.edu&gt;
Reported-by: Kent Overstreet &lt;koverstreet@google.com&gt;
Tested-by: Kent Overstreet &lt;koverstreet@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>eCryptfs: Extend array bounds for all filename chars</title>
<updated>2011-12-09T16:54:05Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2011-11-23T17:31:24Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=722daca8514aacaf7ed1311f2cc8e518af675049'/>
<id>urn:sha1:722daca8514aacaf7ed1311f2cc8e518af675049</id>
<content type='text'>
commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 upstream.

From mhalcrow's original commit message:

    Characters with ASCII values greater than the size of
    filename_rev_map[] are valid filename characters.
    ecryptfs_decode_from_filename() will access kernel memory beyond
    that array, and ecryptfs_parse_tag_70_packet() will then decrypt
    those characters. The attacker, using the FNEK of the crafted file,
    can then re-encrypt the characters to reveal the kernel memory past
    the end of the filename_rev_map[] array. I expect low security
    impact since this array is statically allocated in the text area,
    and the amount of memory past the array that is accessible is
    limited by the largest possible ASCII filename character.

This patch solves the issue reported by mhalcrow but with an
implementation suggested by Linus to simply extend the length of
filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
0x00, which is how invalid characters less than 0x7A were previously
being handled.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reported-by: Michael Halcrow &lt;mhalcrow@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>eCryptfs: Flush file in vma close</title>
<updated>2011-12-09T16:54:04Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2011-11-21T23:31:29Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=19c8acbc4a4d444d72d256a7541b040cebddc78b'/>
<id>urn:sha1:19c8acbc4a4d444d72d256a7541b040cebddc78b</id>
<content type='text'>
commit 32001d6fe9ac6b0423e674a3093aa56740849f3b upstream.

Dirty pages weren't being written back when an mmap'ed eCryptfs file was
closed before the mapping was unmapped. Since f_ops-&gt;flush() is not
called by the munmap() path, the lower file was simply being released.
This patch flushes the eCryptfs file in the vm_ops-&gt;close() path.

https://launchpad.net/bugs/870326

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>eCryptfs: Prevent file create race condition</title>
<updated>2011-12-09T16:54:04Z</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2011-11-21T23:31:02Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d1d274cd1ce2eb979c66233a36a7a92abfc0f18f'/>
<id>urn:sha1:d1d274cd1ce2eb979c66233a36a7a92abfc0f18f</id>
<content type='text'>
commit b59db43ad4434519feb338eacb01d77eb50825c5 upstream.

The file creation path prematurely called d_instantiate() and
unlock_new_inode() before the eCryptfs inode info was fully
allocated and initialized and before the eCryptfs metadata was written
to the lower file.

This could result in race conditions in subsequent file and inode
operations leading to unexpected error conditions or a null pointer
dereference while attempting to use the unallocated memory.

https://launchpad.net/bugs/813146

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
