From: Greg Kroah-Hartman
Date: Mon, 11 Apr 2011 23:26:53 +0000 (-0700)
Subject: .38 patches
X-Git-Tag: v2.6.38.3~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=31ae589df59714edaf66adecf708d642f24e62ff;p=thirdparty%2Fkernel%2Fstable-queue.git

.38 patches
---

diff --git a/queue-2.6.38/ext4-fix-a-double-free-in-ext4_register_li_request.patch b/queue-2.6.38/ext4-fix-a-double-free-in-ext4_register_li_request.patch
new file mode 100644
index 00000000000..906740d761c
--- /dev/null
+++ b/queue-2.6.38/ext4-fix-a-double-free-in-ext4_register_li_request.patch
@@ -0,0 +1,42 @@
+From 46e4690bbd9a4f8d9e7c4f34e34b48f703ad47e0 Mon Sep 17 00:00:00 2001
+From: Tao Ma
+Date: Mon, 4 Apr 2011 16:00:49 -0400
+Subject: ext4: fix a double free in ext4_register_li_request
+
+From: Tao Ma
+
+commit 46e4690bbd9a4f8d9e7c4f34e34b48f703ad47e0 upstream.
+
+In ext4_register_li_request, we malloc a ext4_li_request and
+inserts it into ext4_li_info->li_request_list. In case of any
+error later, we free it in the end. But if we have some error
+in ext4_run_lazyinit_thread, the whole li_request_list will be
+dropped and freed in it. So we will double free this ext4_li_request.
+
+This patch just sets elr to NULL after it is inserted to the list
+so that the latter kfree won't double free it.
+
+Signed-off-by: Tao Ma
+Reviewed-by: Lukas Czerner
+Signed-off-by: "Theodore Ts'o"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2978,6 +2978,12 @@ static int ext4_register_li_request(stru
+ mutex_unlock(&ext4_li_info->li_list_mtx);
+
+ sbi->s_li_request = elr;
++ /*
++ * set elr to NULL here since it has been inserted to
++ * the request_list and the removal and free of it is
++ * handled by ext4_clear_request_list from now on.
++ */
++ elr = NULL;
+
+ if (!(ext4_li_info->li_state & EXT4_LAZYINIT_RUNNING)) {
+ ret = ext4_run_lazyinit_thread();
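Review bot: After the new `elr = NULL;`, `sbi->s_li_request` (assigned three lines above it) still holds the same pointer, so on the error path the commit message describes — `ext4_run_lazyinit_thread()` failing and the whole li_request_list being freed — the superblock info keeps a dangling pointer unless the list teardown also clears it. The new comment names `ext4_clear_request_list` as the owner of removal and freeing, which is not visible here; it is worth confirming that routine also resets `sbi->s_li_request`, since otherwise any later reader of that field is a use-after-free. I would also make the hand-off explicit in the comment, e.g. `* Ownership passes to the list: the caller must not kfree elr after this point.`. ext4_register_li_request starts before and continues after this hunk.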
diff --git a/queue-2.6.38/ext4-fix-credits-computing-for-indirect-mapped-files.patch b/queue-2.6.38/ext4-fix-credits-computing-for-indirect-mapped-files.patch
new file mode 100644
index 00000000000..a039e6b5483
--- /dev/null
+++ b/queue-2.6.38/ext4-fix-credits-computing-for-indirect-mapped-files.patch
@@ -0,0 +1,46 @@
+From 5b41395fcc0265fc9f193aef9df39ce49d64677c Mon Sep 17 00:00:00 2001
+From: Yongqiang Yang
+Date: Mon, 4 Apr 2011 15:40:24 -0400
+Subject: ext4: fix credits computing for indirect mapped files
+
+From: Yongqiang Yang
+
+commit 5b41395fcc0265fc9f193aef9df39ce49d64677c upstream.
+
+When writing a contiguous set of blocks, two indirect blocks could be
+needed depending on how the blocks are aligned, so we need to increase
+the number of credits needed by one.
+
+[ Also fixed a another bug which could further underestimate the
+ number of journal credits needed by 1; the code was using integer
+ division instead of DIV_ROUND_UP() -- tytso]
+
+Signed-off-by: Yongqiang Yang
+Signed-off-by: "Theodore Ts'o"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/inode.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5460,13 +5460,12 @@ static int ext4_indirect_trans_blocks(st
+ /* if nrblocks are contiguous */
+ if (chunk) {
+ /*
+- * With N contiguous data blocks, it need at most
+- * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) indirect blocks
+- * 2 dindirect blocks
+- * 1 tindirect block
++ * With N contiguous data blocks, we need at most
++ * N/EXT4_ADDR_PER_BLOCK(inode->i_sb) + 1 indirect blocks,
++ * 2 dindirect blocks, and 1 tindirect block
+ */
+- indirects = nrblocks / EXT4_ADDR_PER_BLOCK(inode->i_sb);
+- return indirects + 3;
++ return DIV_ROUND_UP(nrblocks,
++ EXT4_ADDR_PER_BLOCK(inode->i_sb)) + 4;
+ }
+ /*
+ * if nrblocks are not contiguous, worse case, each block touch
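Review bot: The rewritten comment states the `+ 1` in the indirect-block bound but not why it is there, so a later reader may take it for slack and trim it; the commit message gives the reason (alignment). I would extend the comment with the justification, e.g. `* (+1 because an unaligned range can straddle an indirect-block boundary)`. The local `indirects` is no longer assigned in this branch; if the non-contiguous path below the hunk is its only remaining use that is fine, otherwise its declaration (outside the hunk) is now dead. ext4_indirect_trans_blocks starts before and continues after this hunk.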
diff --git a/queue-2.6.38/nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch b/queue-2.6.38/nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch
new file mode 100644
index 00000000000..5dfdaf26413
--- /dev/null
+++ b/queue-2.6.38/nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch
@@ -0,0 +1,36 @@
+From 954032d2527f2fce7355ba70709b5e143d6b686f Mon Sep 17 00:00:00 2001
+From: J. Bruce Fields
+Date: Thu, 24 Mar 2011 22:51:14 -0400
+Subject: nfsd: fix auth_domain reference leak on nlm operations
+
+From: J. Bruce Fields
+
+commit 954032d2527f2fce7355ba70709b5e143d6b686f upstream.
+
+This was noticed by users who performed more than 2^32 lock operations
+and hence made this counter overflow (eventually leading to
+use-after-free's). Setting rq_client to NULL here means that it won't
+later get auth_domain_put() when it should be.
+
+Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
+domain lookup into svcauth" which moved most of the rq_client handling
+to common svcauth code, but left behind this one line.
+
+Cc: Neil Brown
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfsd/lockd.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/nfsd/lockd.c
++++ b/fs/nfsd/lockd.c
+@@ -38,7 +38,6 @@ nlm_fopen(struct svc_rqst *rqstp, struct
+ exp_readlock();
+ nfserr = nfsd_open(rqstp, &fh, S_IFREG, NFSD_MAY_LOCK, filp);
+ fh_put(&fh);
+- rqstp->rq_client = NULL;
+ exp_readunlock();
+ /* We return nlm error codes as nlm doesn't know
+ * about nfsd, but nfsd does know about nlm..
diff --git a/queue-2.6.38/series b/queue-2.6.38/series
index 3c5ef8f03a5..b6975364f19 100644
--- a/queue-2.6.38/series
+++ b/queue-2.6.38/series
@@ -99,3 +99,6 @@ squashfs-use-vmalloc-rather-than-kmalloc-for-zlib-workspace.patch
 squashfs-handle-corruption-of-directory-structure.patch
 atm-solos-pci-don-t-include-frame-pseudo-header-on-transmit-hex-dump.patch
 atm-solos-pci-don-t-flap-vcs-when-carrier-state-changes.patch
+ext4-fix-a-double-free-in-ext4_register_li_request.patch
+ext4-fix-credits-computing-for-indirect-mapped-files.patch
+nfsd-fix-auth_domain-reference-leak-on-nlm-operations.patch