1. 22 May, 2014 6 commits
  2. 21 May, 2014 4 commits
    • nfsd4: fix delegation cleanup on error · cbf7a75b
      J. Bruce Fields authored
      We're not cleaning up everything we need to on error.  In particular,
      we're not removing our lease.  Among other problems this can cause the
      struct nfs4_file used as fl_owner to be referenced after it has been
      destroyed.
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    • NFSD: Don't clear SUID/SGID after root writing data · 368fe39b
      Kinglong Mee authored
      We're clearing the SUID/SGID bits on write by hand in nfsd_vfs_write,
      even though the subsequent vfs_writev() call will end up doing this for
      us (through file system write methods eventually calling
      file_remove_suid(), e.g., from __generic_file_aio_write).
      
      So, remove the redundant nfsd code.
      
      The only change in behavior is when the write is by root, in which case
      we previously cleared SUID/SGID, but will now leave it alone.  The new
      behavior is the behavior of every filesystem we've checked.
      
      It seems better to be consistent with local filesystem behavior.  And
      the security advantage seems limited as root could always restore these
      bits by hand if it wanted.
      
      SUID/SGID is not cleared after writing data with (root, local ext4),
         File: ‘test’
         Size: 0               Blocks: 0          IO Block: 4096   regular
      empty file
      Device: 803h/2051d      Inode: 1200137     Links: 1
      Access: (4777/-rwsrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
      Context: unconfined_u:object_r:admin_home_t:s0
      Access: 2014-04-18 21:36:31.016029014 +0800
      Modify: 2014-04-18 21:36:31.016029014 +0800
      Change: 2014-04-18 21:36:31.026030285 +0800
        Birth: -
         File: ‘test’
         Size: 5               Blocks: 8          IO Block: 4096   regular file
      Device: 803h/2051d      Inode: 1200137     Links: 1
      Access: (4777/-rwsrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
      Context: unconfined_u:object_r:admin_home_t:s0
      Access: 2014-04-18 21:36:31.016029014 +0800
      Modify: 2014-04-18 21:36:31.040032065 +0800
      Change: 2014-04-18 21:36:31.040032065 +0800
        Birth: -
      
      With no_root_squash, (root, remote ext4), SUID/SGID are cleared,
         File: ‘test’
         Size: 0               Blocks: 0          IO Block: 262144 regular
      empty file
      Device: 24h/36d Inode: 786439      Links: 1
      Access: (4777/-rwsrwxrwx)  Uid: ( 1000/    test)   Gid: ( 1000/    test)
      Context: system_u:object_r:nfs_t:s0
      Access: 2014-04-18 21:45:32.155805097 +0800
      Modify: 2014-04-18 21:45:32.155805097 +0800
      Change: 2014-04-18 21:45:32.168806749 +0800
        Birth: -
         File: ‘test’
         Size: 5               Blocks: 8          IO Block: 262144 regular file
      Device: 24h/36d Inode: 786439      Links: 1
      Access: (0777/-rwxrwxrwx)  Uid: ( 1000/    test)   Gid: ( 1000/    test)
      Context: system_u:object_r:nfs_t:s0
      Access: 2014-04-18 21:45:32.155805097 +0800
      Modify: 2014-04-18 21:45:32.184808783 +0800
      Change: 2014-04-18 21:45:32.184808783 +0800
        Birth: -
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    • nfsd4: warn on finding lockowner without stateid's · 27b11428
      J. Bruce Fields authored
      The current code assumes a one-to-one lockowner<->lock stateid
      correspondence.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    • nfsd4: remove lockowner when removing lock stateid · a1b8ff4c
      J. Bruce Fields authored
      The nfsv4 state code has always assumed a one-to-one correspondence
      between lock stateid's and lockowners even if it appears not to in some
      places.
      
      We may actually change that, but for now when FREE_STATEID releases a
      lock stateid it also needs to release the parent lockowner.
      
      Symptoms were a subsequent LOCK crashing in find_lockowner_str when it
      calls same_lockowner_ino on a lockowner that unexpectedly has an empty
      so_stateids list.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  3. 15 May, 2014 1 commit
  4. 08 May, 2014 7 commits
    • Kinglong Mee's avatar
      9fa1959e
    • Kinglong Mee's avatar
    • Kinglong Mee's avatar
      ecca063b
    • Merge 3.15 bugfix for 3.16 · dd15073a
      J. Bruce Fields authored
    • nfsd: clean up fh_auth usage · 5409e46f
      Christoph Hellwig authored
      Use fh_fsid when referring to the fsid part of the filehandle.  The
      variable length auth field envisioned in nfsfh wasn't ever implemented.
      Also clean up some loose ends around this and document the file handle
      format better.
      
      Btw, why do we even export nfsfh.h to userspace?  The file handle very
      much is kernel private, and nothing in nfs-utils includes the header
      either.
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    • NFSD: cleanup unneeded including linux/export.h · ecc7455d
      Kinglong Mee authored
      Commit 4ac7249e has removed all EXPORT_SYMBOL,
      linux/export.h is not needed, just clean it.
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    • NFSD: Call ->set_acl with a NULL ACL structure if no entries · aa07c713
      Kinglong Mee authored
      After setting ACL for directory, I got two problems that were caused
      by the cached zero-length default posix acl.
      
      This patch makes sure nfsd4_set_nfs4_acl calls ->set_acl
      with a NULL ACL structure if there are no entries.
      
      Thanks for Christoph Hellwig's advice.
      
      First problem:
      ............ hang ...........
      
      Second problem:
      [ 1610.167668] ------------[ cut here ]------------
      [ 1610.168320] kernel BUG at /root/nfs/linux/fs/nfsd/nfs4acl.c:239!
      [ 1610.168320] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
      [ 1610.168320] Modules linked in: nfsv4(OE) nfs(OE) nfsd(OE)
      rpcsec_gss_krb5 fscache ip6t_rpfilter ip6t_REJECT cfg80211 xt_conntrack
      rfkill ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables
      ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6
      ip6table_mangle ip6table_security ip6table_raw ip6table_filter
      ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4
      nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw
      auth_rpcgss nfs_acl snd_intel8x0 ppdev lockd snd_ac97_codec ac97_bus
      snd_pcm snd_timer e1000 pcspkr parport_pc snd parport serio_raw joydev
      i2c_piix4 sunrpc(OE) microcode soundcore i2c_core ata_generic pata_acpi
      [last unloaded: nfsd]
      [ 1610.168320] CPU: 0 PID: 27397 Comm: nfsd Tainted: G           OE
      3.15.0-rc1+ #15
      [ 1610.168320] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
      VirtualBox 12/01/2006
      [ 1610.168320] task: ffff88005ab653d0 ti: ffff88005a944000 task.ti:
      ffff88005a944000
      [ 1610.168320] RIP: 0010:[<ffffffffa034d5ed>]  [<ffffffffa034d5ed>]
      _posix_to_nfsv4_one+0x3cd/0x3d0 [nfsd]
      [ 1610.168320] Call Trace:
      [ 1610.168320]  [<ffffffffa034e2d5>] nfsd4_get_nfs4_acl+0x95/0x150 [nfsd]
      [ 1610.168320]  [<ffffffffa03400d6>] nfsd4_encode_fattr+0x646/0x1e70 [nfsd]
      [ 1610.168320]  [<ffffffff816a6e6e>] ? kmemleak_alloc+0x4e/0xb0
      [ 1610.168320]  [<ffffffffa0327962>] ?
      nfsd_setuser_and_check_port+0x52/0x80 [nfsd]
      [ 1610.168320]  [<ffffffff812cd4bb>] ? selinux_cred_prepare+0x1b/0x30
      [ 1610.168320]  [<ffffffffa0341caa>] nfsd4_encode_getattr+0x5a/0x60 [nfsd]
      [ 1610.168320]  [<ffffffffa0341e07>] nfsd4_encode_operation+0x67/0x110
      [nfsd]
      [ 1610.168320]  [<ffffffffa033844d>] nfsd4_proc_compound+0x21d/0x810 [nfsd]
      [ 1610.168320]  [<ffffffffa0324d9b>] nfsd_dispatch+0xbb/0x200 [nfsd]
      [ 1610.168320]  [<ffffffffa00850cd>] svc_process_common+0x46d/0x6d0 [sunrpc]
      [ 1610.168320]  [<ffffffffa0085433>] svc_process+0x103/0x170 [sunrpc]
      [ 1610.168320]  [<ffffffffa032472f>] nfsd+0xbf/0x130 [nfsd]
      [ 1610.168320]  [<ffffffffa0324670>] ? nfsd_destroy+0x80/0x80 [nfsd]
      [ 1610.168320]  [<ffffffff810a5202>] kthread+0xd2/0xf0
      [ 1610.168320]  [<ffffffff810a5130>] ? insert_kthread_work+0x40/0x40
      [ 1610.168320]  [<ffffffff816c1ebc>] ret_from_fork+0x7c/0xb0
      [ 1610.168320]  [<ffffffff810a5130>] ? insert_kthread_work+0x40/0x40
      [ 1610.168320] RIP  [<ffffffffa034d5ed>] _posix_to_nfsv4_one+0x3cd/0x3d0
      [nfsd]
      [ 1610.168320]  RSP <ffff88005a945b00>
      [ 1610.257313] ---[ end trace 838254e3e352285b ]---
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  5. 07 May, 2014 1 commit
  6. 06 May, 2014 9 commits
  7. 18 Apr, 2014 3 commits
  8. 13 Apr, 2014 9 commits
    • Linux 3.15-rc1 · c9eaa447
      Linus Torvalds authored
    • mm: Initialize error in shmem_file_aio_read() · f7c1d074
      Geert Uytterhoeven authored
      Some versions of gcc even warn about it:
      
        mm/shmem.c: In function ‘shmem_file_aio_read’:
        mm/shmem.c:1414: warning: ‘error’ may be used uninitialized in this function
      
      If the loop is aborted during the first iteration by one of the two
      first break statements, error will be uninitialized.
      
      Introduced by commit 6e58e79d ("introduce copy_page_to_iter, kill
      loop over iovec in generic_file_aio_read()").
      Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Acked-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • cifs: Use min_t() when comparing "size_t" and "unsigned long" · e686bd8d
      Geert Uytterhoeven authored
      On 32 bit, size_t is "unsigned int", not "unsigned long", causing the
      following warning when comparing with PAGE_SIZE, which is always "unsigned
      long":
      
        fs/cifs/file.c: In function ‘cifs_readdata_to_iov’:
        fs/cifs/file.c:2757: warning: comparison of distinct pointer types lacks a cast
      
      Introduced by commit 7f25bba8 ("cifs_iovec_read: keep iov_iter
      between the calls of cifs_readdata_to_iov()"), which changed the
      signedness of "remaining" and the code from min_t() to min().
      Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'slab/next' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux · bf3a3407
      Linus Torvalds authored
      Pull slab changes from Pekka Enberg:
       "The biggest change is byte-sized freelist indices which reduces slab
        freelist memory usage:
      
          https://lkml.org/lkml/2013/12/2/64"
      
      * 'slab/next' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux:
        mm: slab/slub: use page->list consistently instead of page->lru
        mm/slab.c: cleanup outdated comments and unify variables naming
        slab: fix wrongly used macro
        slub: fix high order page allocation problem with __GFP_NOFAIL
        slab: Make allocations with GFP_ZERO slightly more efficient
        slab: make more slab management structure off the slab
        slab: introduce byte sized index for the freelist of a slab
        slab: restrict the number of objects in a slab
        slab: introduce helper functions to get/set free object
        slab: factor out calculate nr objects in cache_estimate
    • Merge branch 'misc' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · 321d03c8
      Linus Torvalds authored
      Pull misc kbuild changes from Michal Marek:
       "Here is the non-critical part of kbuild:
         - One bogus coccinelle check removed, one check fixed not to suggest
           the obsolete PTR_RET macro
         - scripts/tags.sh does not index the generated *.mod.c files
         - new objdiff tool to list differences between two versions of an
           object file
         - A fix for scripts/bootgraph.pl"
      
      * 'misc' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        scripts/coccinelle: Use PTR_ERR_OR_ZERO
        scripts/bootgraph.pl: Add graphic header
        scripts: objdiff: detect object code changes between two commits
        Coccicheck: Remove memcpy to struct assignment test
        scripts/tags.sh: Ignore *.mod.c
    • sym53c8xx_2: Set DID_REQUEUE return code when aborting squeue · fd1232b2
      Mikulas Patocka authored
      This patch fixes I/O errors with the sym53c8xx_2 driver when the disk
      returns QUEUE FULL status.
      
      When the controller encounters an error (including QUEUE FULL or BUSY
      status), it aborts all not yet submitted requests in the function
      sym_dequeue_from_squeue.
      
      This function aborts them with DID_SOFT_ERROR.
      
      If the disk has full tag queue, the request that caused the overflow is
      aborted with QUEUE FULL status (and the scsi midlayer properly retries
      it until it is accepted by the disk), but the sym53c8xx_2 driver aborts
      the following requests with DID_SOFT_ERROR --- for them, the midlayer
      does just a few retries and then signals the error up to sd.
      
      The result is that disk returning QUEUE FULL causes request failures.
      
      The error was reproduced on 53c895 with COMPAQ BD03685A24 disk
      (rebranded ST336607LC) with command queue 48 or 64 tags.  The disk has
      64 tags, but under some access patterns it returns QUEUE FULL when there
      are less than 64 pending tags.  The SCSI specification allows returning
      QUEUE FULL anytime and it is up to the host to retry.
      Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
      Cc: Matthew Wilcox <matthew@wil.cx>
      Cc: James Bottomley <JBottomley@Parallels.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • powerpc: Don't try to set LPCR unless we're in hypervisor mode · 18aa0da3
      Paul Mackerras authored
      Commit 8f619b54 ("powerpc/ppc64: Do not turn AIL (reloc-on
      interrupts) too early") added code to set the AIL bit in the LPCR
      without checking whether the kernel is running in hypervisor mode.  The
      result is that when the kernel is running as a guest (i.e., under
      PowerKVM or PowerVM), the processor takes a privileged instruction
      interrupt at that point, causing a panic.  The visible result is that
      the kernel hangs after printing "returning from prom_init".
      
      This fixes it by checking for hypervisor mode being available before
      setting LPCR.  If we are not in hypervisor mode, we enable relocation-on
      interrupts later in pSeries_setup_arch using the H_SET_MODE hcall.
      Signed-off-by: Paul Mackerras <paulus@samba.org>
      Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • futex: update documentation for ordering guarantees · d7e8af1a
      Davidlohr Bueso authored
      Commits 11d4616b ("futex: revert back to the explicit waiter
      counting code") and 69cd9eba ("futex: avoid race between requeue and
      wake") changed some of the finer details of how we think about futexes.
      One was a late fix and the other a consequence of overlooking the whole
      requeuing logic.
      
      The first change caused our documentation to be incorrect, and the
      second made us aware that we need to explicitly add more details to it.
      Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 454fd351
      Linus Torvalds authored
      Pull yet more networking updates from David Miller:
      
       1) Various fixes to the new Redpine Signals wireless driver, from
          Fariya Fatima.
      
       2) L2TP PPP connect code takes PMTU from the wrong socket, fix from
          Dmitry Petukhov.
      
       3) UFO and TSO packets differ in whether they include the protocol
          header in gso_size, account for that in skb_gso_transport_seglen().
         From Florian Westphal.
      
       4) If VLAN untagging fails, we double free the SKB in the bridging
          output path.  From Toshiaki Makita.
      
       5) Several call sites of sk->sk_data_ready() were referencing an SKB
          just added to the socket receive queue in order to calculate the
          second argument via skb->len.  This is dangerous because the moment
          the skb is added to the receive queue it can be consumed in another
          context and freed up.
      
          It turns out also that none of the sk->sk_data_ready()
          implementations even care about this second argument.
      
          So just kill it off and thus fix all these use-after-free bugs as a
          side effect.
      
       6) Fix inverted test in tcp_v6_send_response(), from Lorenzo Colitti.
      
       7) pktgen needs to do locking properly for LLTX devices, from Daniel
          Borkmann.
      
       8) xen-netfront driver initializes TX array entries in RX loop :-) From
          Vincenzo Maffione.
      
       9) After refactoring, some tunnel drivers allow a tunnel to be
          configured on top of itself.  Fix from Nicolas Dichtel.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (46 commits)
        vti: don't allow to add the same tunnel twice
        gre: don't allow to add the same tunnel twice
        drivers: net: xen-netfront: fix array initialization bug
        pktgen: be friendly to LLTX devices
        r8152: check RTL8152_UNPLUG
        net: sun4i-emac: add promiscuous support
        net/apne: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO
        net: ipv6: Fix oif in TCP SYN+ACK route lookup.
        drivers: net: cpsw: enable interrupts after napi enable and clearing previous interrupts
        drivers: net: cpsw: discard all packets received when interface is down
        net: Fix use after free by removing length arg from sk_data_ready callbacks.
        Drivers: net: hyperv: Address UDP checksum issues
        Drivers: net: hyperv: Negotiate suitable ndis version for offload support
        Drivers: net: hyperv: Allocate memory for all possible per-pecket information
        bridge: Fix double free and memory leak around br_allowed_ingress
        bonding: Remove debug_fs files when module init fails
        i40evf: program RSS LUT correctly
        i40evf: remove open-coded skb_cow_head
        ixgb: remove open-coded skb_cow_head
        igbvf: remove open-coded skb_cow_head
        ...