<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/fs, branch v3.2.44</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/fs?h=v3.2.44</id>
<link rel='self' href='https://git.amat.us/linux/atom/fs?h=v3.2.44'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2013-04-25T19:25:49Z</updated>
<entry>
<title>hfsplus: fix potential overflow in hfsplus_file_truncate()</title>
<updated>2013-04-25T19:25:49Z</updated>
<author>
<name>Vyacheslav Dubeyko</name>
<email>slava@dubeyko.com</email>
</author>
<published>2013-04-17T22:58:33Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=9e6b1d64d2ba4a33cc9d64c2c6104d02b65200e8'/>
<id>urn:sha1:9e6b1d64d2ba4a33cc9d64c2c6104d02b65200e8</id>
<content type='text'>
commit 12f267a20aecf8b84a2a9069b9011f1661c779b4 upstream.

Change a u32 to loff_t hfsplus_file_truncate().

Signed-off-by: Vyacheslav Dubeyko &lt;slava@dubeyko.com&gt;
Cc: Christoph Hellwig &lt;hch@infradead.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Hin-Tak Leung &lt;htl10@users.sourceforge.net&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>Btrfs: fix race between mmap writes and compression</title>
<updated>2013-04-25T19:25:44Z</updated>
<author>
<name>Chris Mason</name>
<email>chris.mason@fusionio.com</email>
</author>
<published>2013-03-26T17:07:00Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e6742b3695b04303938c572261dd0b0e7e38396c'/>
<id>urn:sha1:e6742b3695b04303938c572261dd0b0e7e38396c</id>
<content type='text'>
commit 4adaa611020fa6ac65b0ac8db78276af4ec04e63 upstream.

Btrfs uses page_mkwrite to ensure stable pages during
crc calculations and mmap workloads.  We call clear_page_dirty_for_io
before we do any crcs, and this forces any application with the file
mapped to wait for the crc to finish before it is allowed to change
the file.

With compression on, the clear_page_dirty_for_io step is happening after
we've compressed the pages.  This means the applications might be
changing the pages while we are compressing them, and some of those
modifications might not hit the disk.

This commit adds the clear_page_dirty_for_io before compression starts
and makes sure to redirty the page if we have to fallback to
uncompressed IO as well.

Signed-off-by: Chris Mason &lt;chris.mason@fusionio.com&gt;
Reported-by: Alexandre Oliva &lt;oliva@gnu.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>vfs: Revert spurious fix to spinning prevention in prune_icache_sb</title>
<updated>2013-04-25T19:25:39Z</updated>
<author>
<name>Suleiman Souhlal</name>
<email>suleiman@google.com</email>
</author>
<published>2013-04-13T23:03:06Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5ef143d96cf46e05a1bb7af5b2d4c3f6533c8b62'/>
<id>urn:sha1:5ef143d96cf46e05a1bb7af5b2d4c3f6533c8b62</id>
<content type='text'>
commit 5b55d708335a9e3e4f61f2dadf7511502205ccd1 upstream.

Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").

This commit doesn't look right: since we are looking at the tail of the
list (sb-&gt;s_inode_lru.prev) if we want to skip an inode, we should put
it back at the head of the list instead of the tail, otherwise we will
keep spinning on it.

Discovered when investigating why prune_icache_sb came top in perf
reports of a swapping load.

Signed-off-by: Suleiman Souhlal &lt;suleiman@google.com&gt;
Signed-off-by: Hugh Dickins &lt;hughd@google.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>Btrfs: make sure nbytes are right after log replay</title>
<updated>2013-04-25T19:25:38Z</updated>
<author>
<name>Josef Bacik</name>
<email>jbacik@fusionio.com</email>
</author>
<published>2013-04-05T20:50:09Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=595b57bbaf350dceda50bb2021153ab0bf7632b2'/>
<id>urn:sha1:595b57bbaf350dceda50bb2021153ab0bf7632b2</id>
<content type='text'>
commit 4bc4bee4595662d8bff92180d5c32e3313a704b0 upstream.

While trying to track down a tree log replay bug I noticed that fsck was always
complaining about nbytes not being right for our fsynced file.  That is because
the new fsync stuff doesn't wait for ordered extents to complete, so the inodes
nbytes are not necessarily updated properly when we log it.  So to fix this we
need to set nbytes to whatever it is on the inode that is on disk, so when we
replay the extents we can just add the bytes that are being added as we replay
the extent.  This makes it work for the case that we have the wrong nbytes or
the case that we logged everything and nbytes is actually correct.  With this
I'm no longer getting nbytes errors out of btrfsck.

Signed-off-by: Josef Bacik &lt;jbacik@fusionio.com&gt;
Signed-off-by: Chris Mason &lt;chris.mason@fusionio.com&gt;
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>loop: prevent bdev freeing while device in use</title>
<updated>2013-04-10T02:20:09Z</updated>
<author>
<name>Anatol Pomozov</name>
<email>anatol.pomozov@gmail.com</email>
</author>
<published>2013-04-01T16:47:56Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=be279f777b6e4dc45ab02d7d89274e2302777093'/>
<id>urn:sha1:be279f777b6e4dc45ab02d7d89274e2302777093</id>
<content type='text'>
commit c1681bf8a7b1b98edee8b862a42c19c4e53205fd upstream.

struct block_device lifecycle is defined by its inode (see fs/block_dev.c) -
block_device allocated first time we access /dev/loopXX and deallocated on
bdev_destroy_inode. When we create the device "losetup /dev/loopXX afile"
we want that block_device stay alive until we destroy the loop device
with "losetup -d".

But because we do not hold /dev/loopXX inode its counter goes 0, and
inode/bdev can be destroyed at any moment. Usually it happens at memory
pressure or when user drops inode cache (like in the test below). When later in
loop_clr_fd() we want to use bdev we have use-after-free error with following
stack:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000280
  bd_set_size+0x10/0xa0
  loop_clr_fd+0x1f8/0x420 [loop]
  lo_ioctl+0x200/0x7e0 [loop]
  lo_compat_ioctl+0x47/0xe0 [loop]
  compat_blkdev_ioctl+0x341/0x1290
  do_filp_open+0x42/0xa0
  compat_sys_ioctl+0xc1/0xf20
  do_sys_open+0x16e/0x1d0
  sysenter_dispatch+0x7/0x1a

To prevent use-after-free we need to grab the device in loop_set_fd()
and put it later in loop_clr_fd().

The issue is reprodusible on current Linus head and v3.3. Here is the test:

  dd if=/dev/zero of=loop.file bs=1M count=1
  while [ true ]; do
    losetup /dev/loop0 loop.file
    echo 2 &gt; /proc/sys/vm/drop_caches
    losetup -d /dev/loop0
  done

[ Doing bdgrab/bput in loop_set_fd/loop_clr_fd is safe, because every
  time we call loop_set_fd() we check that loop_device-&gt;lo_state is
  Lo_unbound and set it to Lo_bound If somebody will try to set_fd again
  it will get EBUSY.  And if we try to loop_clr_fd() on unbound loop
  device we'll get ENXIO.

  loop_set_fd/loop_clr_fd (and any other loop ioctl) is called under
  loop_device-&gt;lo_ctl_mutex. ]

Signed-off-by: Anatol Pomozov &lt;anatol.pomozov@gmail.com&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>NFS: nfs_getaclargs.acl_len is a size_t</title>
<updated>2013-04-10T02:20:09Z</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2012-07-11T20:30:32Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1bf2642f4cb2a773cd1d41b9558acf5af81738b7'/>
<id>urn:sha1:1bf2642f4cb2a773cd1d41b9558acf5af81738b7</id>
<content type='text'>
commit 56d08fef2369d5ca9ad2e1fc697f5379fd8af751 upstream.

Squelch compiler warnings:

fs/nfs/nfs4proc.c: In function ‘__nfs4_get_acl_uncached’:
fs/nfs/nfs4proc.c:3811:14: warning: comparison between signed and
	unsigned integer expressions [-Wsign-compare]
fs/nfs/nfs4proc.c:3818:15: warning: comparison between signed and
	unsigned integer expressions [-Wsign-compare]

Introduced by commit bf118a34 "NFSv4: include bitmap in nfsv4 get
acl data", Dec 7, 2011.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>udf: Fix bitmap overflow on large filesystems with small block size</title>
<updated>2013-04-10T02:20:09Z</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2013-02-05T12:59:56Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1b117cc2a4cd1adbbeb6a30ac73e50c68bc807e6'/>
<id>urn:sha1:1b117cc2a4cd1adbbeb6a30ac73e50c68bc807e6</id>
<content type='text'>
commit 89b1f39eb4189de745fae554b0d614d87c8d5c63 upstream.

For large UDF filesystems with 512-byte blocks the number of necessary
bitmap blocks is larger than 2^16 so s_nr_groups in udf_bitmap overflows
(the number will overflow for filesystems larger than 128 GB with
512-byte blocks). That results in ENOSPC errors despite the filesystem
has plenty of free space.

Fix the problem by changing s_nr_groups' type to 'int'. That is enough
even for filesystems 2^32 blocks (UDF maximum) and 512-byte blocksize.

Reported-and-tested-by: v10lator@myway.de
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>reiserfs: Fix warning and inode leak when deleting inode with xattrs</title>
<updated>2013-04-10T02:20:05Z</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2013-03-29T14:39:16Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=9d4fee47534112e0e39e91268a89c8cb35c5a69d'/>
<id>urn:sha1:9d4fee47534112e0e39e91268a89c8cb35c5a69d</id>
<content type='text'>
commit 35e5cbc0af240778e61113286c019837e06aeec6 upstream.

After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
started failing to delete xattrs from inode. This was due to a buggy
test for '.' and '..' in fill_with_dentries() which resulted in passing
'.' and '..' entries to lookup_one_len() in some cases. That returned
error and so we failed to iterate over all xattrs of and inode.

Fix the test in fill_with_dentries() along the lines of the one in
lookup_one_len().

Reported-by: Pawel Zawora &lt;pzawora@gmail.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>Btrfs: limit the global reserve to 512mb</title>
<updated>2013-04-10T02:20:05Z</updated>
<author>
<name>Josef Bacik</name>
<email>jbacik@fusionio.com</email>
</author>
<published>2013-03-26T19:31:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=135fbd7c066572e0f6b2af2c68bcdfabfc418f5d'/>
<id>urn:sha1:135fbd7c066572e0f6b2af2c68bcdfabfc418f5d</id>
<content type='text'>
commit fdf30d1c1b386e1b73116cc7e0fb14e962b763b0 upstream.

A user reported a problem where he was getting early ENOSPC with hundreds of
gigs of free data space and 6 gigs of free metadata space.  This is because the
global block reserve was taking up the entire free metadata space.  This is
ridiculous, we have infrastructure in place to throttle if we start using too
much of the global reserve, so instead of letting it get this huge just limit it
to 512mb so that users can still get work done.  This allowed the user to
complete his rsync without issues.  Thanks

Reported-and-tested-by: Stefan Priebe &lt;s.priebe@profihost.ag&gt;
Signed-off-by: Josef Bacik &lt;jbacik@fusionio.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>Nest rename_lock inside vfsmount_lock</title>
<updated>2013-04-10T02:20:03Z</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2013-03-26T22:25:57Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=a0a551fcc3199a6e9fb6c0236daff99bbe278905'/>
<id>urn:sha1:a0a551fcc3199a6e9fb6c0236daff99bbe278905</id>
<content type='text'>
commit 7ea600b5314529f9d1b9d6d3c41cb26fce6a7a4a upstream.

... lest we get livelocks between path_is_under() and d_path() and friends.

The thing is, wrt fairness lglocks are more similar to rwsems than to rwlocks;
it is possible to have thread B spin on attempt to take lock shared while thread
A is already holding it shared, if B is on lower-numbered CPU than A and there's
a thread C spinning on attempt to take the same lock exclusive.

As the result, we need consistent ordering between vfsmount_lock (lglock) and
rename_lock (seq_lock), even though everything that takes both is going to take
vfsmount_lock only shared.

Spotted-by: Brad Spengler &lt;spender@grsecurity.net&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
[bwh: Backported to 3.2:
 - Adjust context
 - s/&amp;vfsmount_lock/vfsmount_lock/]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
</feed>
