From: Greg Kroah-Hartman Date: Wed, 5 Jun 2013 04:47:34 +0000 (-0700) Subject: 3.9-stable patches X-Git-Tag: v3.0.81~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0001834df17f1d446de54201c85a10288486f2a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.9-stable patches added patches: powerpc-pseries-always-enable-config_hotplug_cpu-on-pseries-smp.patch reiserfs-fix-deadlock-with-nfs-racing-on-create-lookup.patch reiserfs-fix-problems-with-chowning-setuid-file-w-xattrs.patch reiserfs-fix-spurious-multiple-fill-in-reiserfs_readdir_dentry.patch --- diff --git a/queue-3.9/powerpc-pseries-always-enable-config_hotplug_cpu-on-pseries-smp.patch b/queue-3.9/powerpc-pseries-always-enable-config_hotplug_cpu-on-pseries-smp.patch new file mode 100644 index 00000000000..3fca707ae9f --- /dev/null +++ b/queue-3.9/powerpc-pseries-always-enable-config_hotplug_cpu-on-pseries-smp.patch @@ -0,0 +1,50 @@ +From f274ef8747d3be649bba8708696fb31cb00fa75a Mon Sep 17 00:00:00 2001 +From: "Srivatsa S. Bhat" +Date: Tue, 21 May 2013 09:32:48 +0000 +Subject: powerpc/pseries: Always enable CONFIG_HOTPLUG_CPU on PSERIES SMP + +From: "Srivatsa S. Bhat" + +commit f274ef8747d3be649bba8708696fb31cb00fa75a upstream. + +Adam Lackorzynski reported the following build failure on +!CONFIG_HOTPLUG_CPU configuration: + + CC arch/powerpc/kernel/rtas.o +arch/powerpc/kernel/rtas.c: In function ‘rtas_cpu_state_change_mask’: +arch/powerpc/kernel/rtas.c:843:4: error: implicit declaration of function ‘cpu_down’ [-Werror=implicit-function-declaration] +cc1: all warnings being treated as errors +make[1]: *** [arch/powerpc/kernel/rtas.o] Error 1 +make: *** [arch/powerpc/kernel] Error 2 + +The build fails because cpu_down() is defined only under CONFIG_HOTPLUG_CPU. + +Looking further, the mobility code in pseries is one of the call-sites which +uses rtas_ibm_suspend_me(), which in turn calls rtas_cpu_state_change_mask(). +And the mobility code is unconditionally compiled-in (it does not fall under +any Kconfig option). And commit 120496ac (powerpc: Bring all threads online +prior to migration/hibernation) which introduced this build regression is +critical for the proper functioning of the migration code. So it appears +that the only solution to this problem is to enable CONFIG_HOTPLUG_CPU if +SMP is enabled on PPC_PSERIES platforms. So make that change in the Kconfig. + +Reported-by: Adam Lackorzynski +Signed-off-by: Srivatsa S. Bhat +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/platforms/pseries/Kconfig ++++ b/arch/powerpc/platforms/pseries/Kconfig +@@ -18,6 +18,8 @@ config PPC_PSERIES + select PPC_PCI_CHOICE if EXPERT + select ZLIB_DEFLATE + select PPC_DOORBELL ++ select HOTPLUG if SMP ++ select HOTPLUG_CPU if SMP + default y + + config PPC_SPLPAR diff --git a/queue-3.9/reiserfs-fix-deadlock-with-nfs-racing-on-create-lookup.patch b/queue-3.9/reiserfs-fix-deadlock-with-nfs-racing-on-create-lookup.patch new file mode 100644 index 00000000000..1738227705a --- /dev/null +++ b/queue-3.9/reiserfs-fix-deadlock-with-nfs-racing-on-create-lookup.patch @@ -0,0 +1,60 @@ +From a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Fri, 31 May 2013 15:51:17 -0400 +Subject: reiserfs: fix deadlock with nfs racing on create/lookup + +From: Jeff Mahoney + +commit a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc upstream. + +Reiserfs is currently able to be deadlocked by having two NFS clients +where one has removed and recreated a file and another is accessing the +file with an open file handle. + +If one client deletes and recreates a file with timing such that the +recreated file obtains the same [dirid, objectid] pair as the original +file while another client accesses the file via file handle, the create +and lookup can race and deadlock if the lookup manages to create the +in-memory inode first. + +The create thread, in insert_inode_locked4, will hold the write lock +while waiting on the other inode to be unlocked. The lookup thread, +anywhere in the iget path, will release and reacquire the write lock while +it schedules. If it needs to reacquire the lock while the create thread +has it, it will never be able to make forward progress because it needs +to reacquire the lock before ultimately unlocking the inode. + +This patch drops the write lock across the insert_inode_locked4 call so +that the ordering of inode_wait -> write lock is retained. Since this +would have been the case before the BKL push-down, this is safe. + +Signed-off-by: Jeff Mahoney +Signed-off-by: Jan Kara +Signed-off-by: Jonghwan Choi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -1810,11 +1810,16 @@ int reiserfs_new_inode(struct reiserfs_t + TYPE_STAT_DATA, SD_SIZE, MAX_US_INT); + memcpy(INODE_PKEY(inode), &(ih.ih_key), KEY_SIZE); + args.dirid = le32_to_cpu(ih.ih_key.k_dir_id); +- if (insert_inode_locked4(inode, args.objectid, +- reiserfs_find_actor, &args) < 0) { ++ ++ reiserfs_write_unlock(inode->i_sb); ++ err = insert_inode_locked4(inode, args.objectid, ++ reiserfs_find_actor, &args); ++ reiserfs_write_lock(inode->i_sb); ++ if (err) { + err = -EINVAL; + goto out_bad_inode; + } ++ + if (old_format_only(sb)) + /* not a perfect generation count, as object ids can be reused, but + ** this is as good as reiserfs can do right now. diff --git a/queue-3.9/reiserfs-fix-problems-with-chowning-setuid-file-w-xattrs.patch b/queue-3.9/reiserfs-fix-problems-with-chowning-setuid-file-w-xattrs.patch new file mode 100644 index 00000000000..aa0f551e0b8 --- /dev/null +++ b/queue-3.9/reiserfs-fix-problems-with-chowning-setuid-file-w-xattrs.patch @@ -0,0 +1,70 @@ +From 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Fri, 31 May 2013 15:54:17 -0400 +Subject: reiserfs: fix problems with chowning setuid file w/ xattrs + +From: Jeff Mahoney + +commit 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b upstream. + +reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr +and uses it to iterate over all the attrs associated with a file to change +ownership of xattrs (and transfer quota associated with the xattr files). + +When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode +are passed to all the xattrs as well. This means that the xattr directory +will have S_IFREG added to its mode bits. + +This has been prevented in practice by a missing IS_PRIVATE check +in reiserfs_acl_chmod, which caused a double-lock to occur while holding +the write lock. Since the file system was completely locked up, the +writeout of the corrupted mode never happened. + +This patch temporarily clears everything but ATTR_UID|ATTR_GID for the +calls to reiserfs_setattr and adds the missing IS_PRIVATE check. + +Signed-off-by: Jeff Mahoney +Signed-off-by: Jan Kara +Signed-off-by: Jonghwan Choi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/xattr.c | 14 +++++++++++++- + fs/reiserfs/xattr_acl.c | 3 +++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +--- a/fs/reiserfs/xattr.c ++++ b/fs/reiserfs/xattr.c +@@ -318,7 +318,19 @@ static int delete_one_xattr(struct dentr + static int chown_one_xattr(struct dentry *dentry, void *data) + { + struct iattr *attrs = data; +- return reiserfs_setattr(dentry, attrs); ++ int ia_valid = attrs->ia_valid; ++ int err; ++ ++ /* ++ * We only want the ownership bits. Otherwise, we'll do ++ * things like change a directory to a regular file if ++ * ATTR_MODE is set. ++ */ ++ attrs->ia_valid &= (ATTR_UID|ATTR_GID); ++ err = reiserfs_setattr(dentry, attrs); ++ attrs->ia_valid = ia_valid; ++ ++ return err; + } + + /* No i_mutex, but the inode is unconnected. */ +--- a/fs/reiserfs/xattr_acl.c ++++ b/fs/reiserfs/xattr_acl.c +@@ -443,6 +443,9 @@ int reiserfs_acl_chmod(struct inode *ino + int depth; + int error; + ++ if (IS_PRIVATE(inode)) ++ return 0; ++ + if (S_ISLNK(inode->i_mode)) + return -EOPNOTSUPP; + diff --git a/queue-3.9/reiserfs-fix-spurious-multiple-fill-in-reiserfs_readdir_dentry.patch b/queue-3.9/reiserfs-fix-spurious-multiple-fill-in-reiserfs_readdir_dentry.patch new file mode 100644 index 00000000000..43ed04b40eb --- /dev/null +++ b/queue-3.9/reiserfs-fix-spurious-multiple-fill-in-reiserfs_readdir_dentry.patch @@ -0,0 +1,49 @@ +From 0bdc7acba56a7ca4232f15f37b16f7ec079385ab Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Fri, 31 May 2013 15:07:52 -0400 +Subject: reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry + +From: Jeff Mahoney + +commit 0bdc7acba56a7ca4232f15f37b16f7ec079385ab upstream. + +After sleeping for filldir(), we check to see if the file system has +changed and research. The next_pos pointer is updated but its value +isn't pushed into the key used for the search itself. As a result, +the search returns the same item that the last cycle of the loop did +and filldir() is called multiple times with the same data. + +The end result is that the buffer can contain the same name multiple +times. This can be returned to userspace or used internally in the +xattr code where it can manifest with the following warning: + +jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) + +reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over +the xattr names and ends up trying to unlink the same name twice. The +second attempt fails with -ENOENT and the error is returned. At some +point I'll need to add support into reiserfsck to remove the orphaned +directories left behind when this occurs. + +The fix is to push the value into the key before researching. + +Signed-off-by: Jeff Mahoney +Signed-off-by: Jan Kara +Signed-off-by: Jonghwan Choi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/reiserfs/dir.c ++++ b/fs/reiserfs/dir.c +@@ -204,6 +204,8 @@ int reiserfs_readdir_dentry(struct dentr + next_pos = deh_offset(deh) + 1; + + if (item_moved(&tmp_ih, &path_to_entry)) { ++ set_cpu_key_k_offset(&pos_key, ++ next_pos); + goto research; + } + } /* for */ diff --git a/queue-3.9/series b/queue-3.9/series index ef538bbac89..3d2bcab8147 100644 --- a/queue-3.9/series +++ b/queue-3.9/series @@ -91,3 +91,7 @@ nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch kvm-emulate-multibyte-nop.patch kvm-fix-sil-dil-bpl-spl-in-the-mod-rm-fields.patch regulator-palmas-fix-enable_reg-to-point-to-the-correct-reg-for-smps10.patch +powerpc-pseries-always-enable-config_hotplug_cpu-on-pseries-smp.patch +reiserfs-fix-deadlock-with-nfs-racing-on-create-lookup.patch +reiserfs-fix-problems-with-chowning-setuid-file-w-xattrs.patch +reiserfs-fix-spurious-multiple-fill-in-reiserfs_readdir_dentry.patch