.38 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 11 Apr 2011 23:26:53 +0000 (16:26 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 11 Apr 2011 23:26:53 +0000 (16:26 -0700)
queue-2.6.38/ext4-fix-a-double-free-in-ext4_register_li_request.patch [new file with mode: 0644]
queue-2.6.38/ext4-fix-credits-computing-for-indirect-mapped-files.patch [new file with mode: 0644]
queue-2.6.38/nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch [new file with mode: 0644]
queue-2.6.38/series

diff --git a/queue-2.6.38/ext4-fix-a-double-free-in-ext4_register_li_request.patch b/queue-2.6.38/ext4-fix-a-double-free-in-ext4_register_li_request.patch
new file mode 100644 (file)
index 0000000..906740d
--- /dev/null
@@ -0,0 +1,42 @@
+From 46e4690bbd9a4f8d9e7c4f34e34b48f703ad47e0 Mon Sep 17 00:00:00 2001
+From: Tao Ma <boyu.mt@taobao.com>
+Date: Mon, 4 Apr 2011 16:00:49 -0400
+Subject: ext4: fix a double free in ext4_register_li_request
+
+From: Tao Ma <boyu.mt@taobao.com>
+
+commit 46e4690bbd9a4f8d9e7c4f34e34b48f703ad47e0 upstream.
+
+In ext4_register_li_request, we malloc a ext4_li_request and
+inserts it into ext4_li_info->li_request_list. In case of any
+error later, we free it in the end.  But if we have some error
+in ext4_run_lazyinit_thread, the whole li_request_list will be
+dropped and freed in it. So we will double free this ext4_li_request.
+
+This patch just sets elr to NULL after it is inserted to the list
+so that the latter kfree won't double free it.
+
+Signed-off-by: Tao Ma <boyu.mt@taobao.com>
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/super.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2978,6 +2978,12 @@ static int ext4_register_li_request(stru
+       mutex_unlock(&ext4_li_info->li_list_mtx);
+       sbi->s_li_request = elr;
++      /*
++       * set elr to NULL here since it has been inserted to
++       * the request_list and the removal and free of it is
++       * handled by ext4_clear_request_list from now on.
++       */
++      elr = NULL;
+       if (!(ext4_li_info->li_state & EXT4_LAZYINIT_RUNNING)) {
+               ret = ext4_run_lazyinit_thread();
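Review bot: The added `elr = NULL;` clears only the local variable, while the line just above it, `sbi->s_li_request = elr;`, has already stored the same pointer in the superblock info. If `ext4_run_lazyinit_thread()` fails and the request list is freed, as the patch description says, `sbi->s_li_request` would be left dangling unless the list teardown also resets it. That teardown (`ext4_clear_request_list`, named in the new comment) is outside this hunk, so this needs confirming rather than assuming. I would also extend the comment to record the consequence the fix relies on, for example `* from now on, so the kfree(elr) on the error path becomes a no-op.` The body of ext4_register_li_request starts before and continues after the hunk.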
diff --git a/queue-2.6.38/ext4-fix-credits-computing-for-indirect-mapped-files.patch b/queue-2.6.38/ext4-fix-credits-computing-for-indirect-mapped-files.patch
new file mode 100644 (file)
index 0000000..a039e6b
--- /dev/null
@@ -0,0 +1,46 @@
+From 5b41395fcc0265fc9f193aef9df39ce49d64677c Mon Sep 17 00:00:00 2001
+From: Yongqiang Yang <xiaoqiangnk@gmail.com>
+Date: Mon, 4 Apr 2011 15:40:24 -0400
+Subject: ext4: fix credits computing for indirect mapped files
+
+From: Yongqiang Yang <xiaoqiangnk@gmail.com>
+
+commit 5b41395fcc0265fc9f193aef9df39ce49d64677c upstream.
+
+When writing a contiguous set of blocks, two indirect blocks could be
+needed depending on how the blocks are aligned, so we need to increase
+the number of credits needed by one.
+
+[ Also fixed a another bug which could further underestimate the
+  number of journal credits needed by 1; the code was using integer
+  division instead of DIV_ROUND_UP() -- tytso]
+
+Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/inode.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5460,13 +5460,12 @@ static int ext4_indirect_trans_blocks(st
+       /* if nrblocks are contiguous */
+       if (chunk) {
+               /*
+-               * With N contiguous data blocks, it need at most
+-               * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) indirect blocks
+-               * 2 dindirect blocks
+-               * 1 tindirect block
++               * With N contiguous data blocks, we need at most
++               * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) + 1 indirect blocks,
++               * 2 dindirect blocks, and 1 tindirect block
+                */
+-              indirects = nrblocks / EXT4_ADDR_PER_BLOCK(inode->i_sb);
+-              return indirects + 3;
++              return DIV_ROUND_UP(nrblocks,
++                                  EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 4;
+       }
+       /*
+        * if nrblocks are not contiguous, worse case, each block touch
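Review bot: The rewritten comment gives the indirect-block count as `N/EXT4_ADDR_PER_BLOCK(inode->i_sb) + 1`, which reads as truncating division, but the new return statement uses `DIV_ROUND_UP(...) + 4`. That is one more than the comment's total whenever N is not a multiple of the per-block address count. The code is the more conservative of the two for journal credits, so the comment should follow it: `* DIV_ROUND_UP(N, EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 1 indirect blocks,`. The hunk also removes the only visible use of `indirects`; its declaration is outside the hunk, so check whether it is still used elsewhere in ext4_indirect_trans_blocks or drop it to avoid an unused-variable warning.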
diff --git a/queue-2.6.38/nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch b/queue-2.6.38/nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch
new file mode 100644 (file)
index 0000000..5dfdaf2
--- /dev/null
@@ -0,0 +1,36 @@
+From 954032d2527f2fce7355ba70709b5e143d6b686f Mon Sep 17 00:00:00 2001
+From: J. Bruce Fields <bfields@redhat.com>
+Date: Thu, 24 Mar 2011 22:51:14 -0400
+Subject: nfsd: fix auth_domain reference leak on nlm operations
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 954032d2527f2fce7355ba70709b5e143d6b686f upstream.
+
+This was noticed by users who performed more than 2^32 lock operations
+and hence made this counter overflow (eventually leading to
+use-after-free's).  Setting rq_client to NULL here means that it won't
+later get auth_domain_put() when it should be.
+
+Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
+domain lookup into svcauth" which moved most of the rq_client handling
+to common svcauth code, but left behind this one line.
+
+Cc: Neil Brown <neilb@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/lockd.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/nfsd/lockd.c
++++ b/fs/nfsd/lockd.c
+@@ -38,7 +38,6 @@ nlm_fopen(struct svc_rqst *rqstp, struct
+       exp_readlock();
+       nfserr = nfsd_open(rqstp, &fh, S_IFREG, NFSD_MAY_LOCK, filp);
+       fh_put(&fh);
+-      rqstp->rq_client = NULL;
+       exp_readunlock();
+       /* We return nlm error codes as nlm doesn't know
+        * about nfsd, but nfsd does know about nlm..
index 3c5ef8f03a530521ccf976d1d59f83a94ec4c0c2..b6975364f19b8ab72a9abe0ae95fbe99879a216e 100644 (file)
@@ -99,3 +99,6 @@ squashfs-use-vmalloc-rather-than-kmalloc-for-zlib-workspace.patch
 squashfs-handle-corruption-of-directory-structure.patch
 atm-solos-pci-don-t-include-frame-pseudo-header-on-transmit-hex-dump.patch
 atm-solos-pci-don-t-flap-vcs-when-carrier-state-changes.patch
+ext4-fix-a-double-free-in-ext4_register_li_request.patch
+ext4-fix-credits-computing-for-indirect-mapped-files.patch
+nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch