<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/fs, branch v3.10.48</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/fs?h=v3.10.48</id>
<link rel='self' href='https://git.amat.us/linux/atom/fs?h=v3.10.48'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2014-07-09T18:14:02Z</updated>
<entry>
<title>nfsd: fix rare symlink decoding bug</title>
<updated>2014-07-09T18:14:02Z</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2014-06-19T20:44:48Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=9c252e3881a4b8dae3555b826cb6cf915fd00d09'/>
<id>urn:sha1:9c252e3881a4b8dae3555b826cb6cf915fd00d09</id>
<content type='text'>
commit 76f47128f9b33af1e96819746550d789054c9664 upstream.

An NFS operation that creates a new symlink includes the symlink data,
which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
of zero-padding as required to reach a 4-byte boundary.

The vfs, on the other hand, wants null-terminated data.

The simple way to handle this would be by copying the data into a newly
allocated buffer with space for the final null.

The current nfsd_symlink code tries to be more clever by skipping that
step in the (likely) case where the byte following the string is already
0.

But that assumes that the byte following the string is ours to look at.
In fact, it might be the first byte of a page that we can't read, or of
some object that another task might modify.

Worse, the NFSv4 code tries to fix the problem by actually writing to
that byte.

In the NFSv2/v3 cases this actually appears to be safe:

	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
	  (after first checking its length and copying it to a new
	  page).
	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
	  request is always at least a page, and the link data (and
	  previous fields) have maximum lengths that prevent the request
	  from reaching the end of a page.

In the NFSv4 case the CREATE op is potentially just one part of a long
compound so can end up on the end of a page if you're unlucky.

The minimal fix here is to copy and null-terminate in the NFSv4 case.
The nfsd_symlink() interface here seems too fragile, though.  It should
really either do the copy itself every time or just require a
null-terminated string.

Reported-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>ext4: Fix hole punching for files with indirect blocks</title>
<updated>2014-07-09T18:14:01Z</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2014-06-26T16:30:54Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=82252eaccd7b7880ee5449331924cf4547250574'/>
<id>urn:sha1:82252eaccd7b7880ee5449331924cf4547250574</id>
<content type='text'>
commit a93cd4cf86466caa49cfe64607bea7f0bde3f916 upstream.

Hole punching code for files with indirect blocks wrongly computed
number of blocks which need to be cleared when traversing the indirect
block tree. That could result in punching more blocks than actually
requested and thus effectively cause a data loss. For example:

fallocate -n -p 10240000 4096

will punch the range 10240000 - 12632064 instead of the range 1024000 -
10244096. Fix the calculation.

Fixes: 8bad6fc813a3a5300f51369c39d315679fd88c72
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>ext4: Fix buffer double free in ext4_alloc_branch()</title>
<updated>2014-07-09T18:14:01Z</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2014-06-16T03:46:28Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ead37447d6eda0cb1104c8262c2b595164ccfe4b'/>
<id>urn:sha1:ead37447d6eda0cb1104c8262c2b595164ccfe4b</id>
<content type='text'>
commit c5c7b8ddfbf8cb3b2291e515a34ab1b8982f5a2d upstream.

Error recovery in ext4_alloc_branch() calls ext4_forget() even for
buffer corresponding to indirect block it did not allocate. This leads
to brelse() being called twice for that buffer (once from ext4_forget()
and once from cleanup in ext4_ind_map_blocks()) leading to buffer use
count misaccounting. Eventually (but often much later because there
are other users of the buffer) we will see messages like:
VFS: brelse: Trying to free free buffer

Another manifestation of this problem is an error:
JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);
inconsistent data on disk

The fix is easy - don't forget buffer we did not allocate. Also add an
explanatory comment because the indexing at ext4_alloc_branch() is
somewhat subtle.

Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>CIFS: fix mount failure with broken pathnames when smb3 mount with mapchars option</title>
<updated>2014-07-09T18:14:01Z</updated>
<author>
<name>Steve French</name>
<email>smfrench@gmail.com</email>
</author>
<published>2014-06-23T01:38:49Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=780ae119ce653644a8ecbcb9a98cfbfc68f2e46b'/>
<id>urn:sha1:780ae119ce653644a8ecbcb9a98cfbfc68f2e46b</id>
<content type='text'>
commit ce36d9ab3bab06b7b5522f5c8b68fac231b76ffb upstream.

When we SMB3 mounted with mapchars (to allow reserved characters : \ / &gt; &lt; * ?
via the Unicode Windows to POSIX remap range) empty paths
(eg when we open "" to query the root of the SMB3 directory on mount) were not
null terminated so we sent garbarge as a path name on empty paths which caused
SMB2/SMB2.1/SMB3 mounts to fail when mapchars was specified.  mapchars is
particularly important since Unix Extensions for SMB3 are not supported (yet)

Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Reviewed-by: David Disseldorp &lt;ddiss@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>reiserfs: call truncate_setsize under tailpack mutex</title>
<updated>2014-07-07T01:54:15Z</updated>
<author>
<name>Jeff Mahoney</name>
<email>jeffm@suse.com</email>
</author>
<published>2014-05-21T17:28:07Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4660efb843558ced86491e8582da9b671280952c'/>
<id>urn:sha1:4660efb843558ced86491e8582da9b671280952c</id>
<content type='text'>
commit 22e7478ddbcb670e33fab72d0bbe7c394c3a2c84 upstream.

Prior to commit 0e4f6a791b1e (Fix reiserfs_file_release()), reiserfs
truncates serialized on i_mutex. They mostly still do, with the exception
of reiserfs_file_release. That blocks out other writers via the tailpack
mutex and the inode openers counter adjusted in reiserfs_file_open.

However, NFS will call reiserfs_setattr without having called -&gt;open, so
we end up with a race when nfs is calling -&gt;setattr while another
process is releasing the file. Ultimately, it triggers the
BUG_ON(inode-&gt;i_size != new_file_size) check in maybe_indirect_to_direct.

The solution is to pull the lock into reiserfs_setattr to encompass the
truncate_setsize call as well.

Signed-off-by: Jeff Mahoney &lt;jeffm@suse.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>nfsd: don't halt scanning the DRC LRU list when there's an RC_INPROG entry</title>
<updated>2014-07-07T01:54:14Z</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@primarydata.com</email>
</author>
<published>2014-06-05T13:45:00Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=548e6c6e202cb03f5bf5d79392fa4dcf1c1534cf'/>
<id>urn:sha1:548e6c6e202cb03f5bf5d79392fa4dcf1c1534cf</id>
<content type='text'>
commit 1b19453d1c6abcfa7c312ba6c9f11a277568fc94 upstream.

Currently, the DRC cache pruner will stop scanning the list when it
hits an entry that is RC_INPROG. It's possible however for a call to
take a *very* long time. In that case, we don't want it to block other
entries from being pruned if they are expired or we need to trim the
cache to get back under the limit.

Fix the DRC cache pruner to just ignore RC_INPROG entries.

Signed-off-by: Jeff Layton &lt;jlayton@primarydata.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>nfsd: don't try to reuse an expired DRC entry off the list</title>
<updated>2014-07-07T01:54:14Z</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2013-12-05T11:00:51Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=03e9dd7847298ea8328b914de8f4777e238cdb77'/>
<id>urn:sha1:03e9dd7847298ea8328b914de8f4777e238cdb77</id>
<content type='text'>
commit a0ef5e19684f0447da9ff0654a12019c484f57ca upstream.

Currently when we are processing a request, we try to scrape an expired
or over-limit entry off the list in preference to allocating a new one
from the slab.

This is unnecessarily complicated. Just use the slab layer.

Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>NFS: Don't declare inode uptodate unless all attributes were checked</title>
<updated>2014-07-07T01:54:14Z</updated>
<author>
<name>Trond Myklebust</name>
<email>trond.myklebust@primarydata.com</email>
</author>
<published>2014-04-15T14:07:57Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4b331d38a2add7b27ea44d26d9146ad1aabcbaab'/>
<id>urn:sha1:4b331d38a2add7b27ea44d26d9146ad1aabcbaab</id>
<content type='text'>
commit 43b6535e717d2f656f71d9bd16022136b781c934 upstream.

Fix a bug, whereby nfs_update_inode() was declaring the inode to be
up to date despite not having checked all the attributes.
The bug occurs because the temporary variable in which we cache
the validity information is 'sanitised' before reapplying to
nfsi-&gt;cache_validity.

Reported-by: Kinglong Mee &lt;kinglongmee@gmail.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>nfsd: getattr for FATTR4_WORD0_FILES_AVAIL needs the statfs buffer</title>
<updated>2014-07-07T01:54:14Z</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@lst.de</email>
</author>
<published>2014-05-28T08:46:13Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=32cf2fba27303e95f944f6452e42648297fc8b51'/>
<id>urn:sha1:32cf2fba27303e95f944f6452e42648297fc8b51</id>
<content type='text'>
commit 12337901d654415d9f764b5f5ba50052e9700f37 upstream.

Note nobody's ever noticed because the typical client probably never
requests FILES_AVAIL without also requesting something else on the list.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>nfsd4: fix FREE_STATEID lockowner leak</title>
<updated>2014-07-07T01:54:14Z</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2014-05-27T15:14:26Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1dd6ffc6284cd2d81b667e58684701cf7d1c3d12'/>
<id>urn:sha1:1dd6ffc6284cd2d81b667e58684701cf7d1c3d12</id>
<content type='text'>
commit 48385408b45523d9a432c66292d47ef43efcbb94 upstream.

27b11428b7de ("nfsd4: remove lockowner when removing lock stateid")
introduced a memory leak.

Reported-by: Jeff Layton &lt;jeff.layton@primarydata.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
</feed>
