From: Greg Kroah-Hartman Date: Thu, 5 Aug 2010 23:01:56 +0000 (-0700) Subject: .27 patches X-Git-Tag: v2.6.27.50~13 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d764a1ab8129793acd6d7835dd78fdc8a4b5e95e;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches --- diff --git a/queue-2.6.27/gfs2-rename-causes-kernel-oops.patch b/queue-2.6.27/gfs2-rename-causes-kernel-oops.patch new file mode 100644 index 00000000000..f3bc21a72ff --- /dev/null +++ b/queue-2.6.27/gfs2-rename-causes-kernel-oops.patch @@ -0,0 +1,67 @@ +From 728a756b8fcd22d80e2dbba8117a8a3aafd3f203 Mon Sep 17 00:00:00 2001 +From: Bob Peterson +Date: Wed, 14 Jul 2010 18:12:26 -0400 +Subject: GFS2: rename causes kernel Oops + +From: Bob Peterson + +commit 728a756b8fcd22d80e2dbba8117a8a3aafd3f203 upstream. + +This patch fixes a kernel Oops in the GFS2 rename code. + +The problem was in the way the gfs2 directory code was trying +to re-use sentinel directory entries. + +In the failing case, gfs2's rename function was renaming a +file to another name that had the same non-trivial length. +The file being renamed happened to be the first directory +entry on the leaf block. + +First, the rename code (gfs2_rename in ops_inode.c) found the +original directory entry and decided it could do its job by +simply replacing the directory entry with another. Therefore +it determined correctly that no block allocations were needed. + +Next, the rename code deleted the old directory entry prior to +replacing it with the new name. Therefore, the soon-to-be +replaced directory entry was temporarily made into a directory +entry "sentinel" or a place holder at the start of a leaf block. + +Lastly, it went to re-add the replacement directory entry in +that leaf block. However, when gfs2_dirent_find_space was +looking for space in the leaf block, it used the wrong value +for the sentinel. That threw off its calculations so later +it decides it can't really re-use the sentinel and therefore +must allocate a new leaf block. But because it previously decided +to re-use the directory entry, it didn't waste the time to +grab a new block allocation for the inode. Therefore, the +inode's i_alloc pointer was still NULL and it crashes trying to +reference it. + +In the case of sentinel directory entries, the entire dirent is +reused, not just the "free space" portion of it, and therefore +the function gfs2_dirent_find_space should use the value 0 +rather than GFS2_DIRENT_SIZE(0) for the actual dirent size. + +Fixing this calculation enables the reproducer programs to work +properly. + +Signed-off-by: Bob Peterson +Signed-off-by: Steven Whitehouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/dir.c ++++ b/fs/gfs2/dir.c +@@ -393,7 +393,7 @@ static int gfs2_dirent_find_space(const + unsigned totlen = be16_to_cpu(dent->de_rec_len); + + if (gfs2_dirent_sentinel(dent)) +- actual = GFS2_DIRENT_SIZE(0); ++ actual = 0; + if (totlen - actual >= required) + return 1; + return 0; diff --git a/queue-2.6.27/scsi-enclosure-fix-error-path-actually-return-err_ptr-on-error.patch b/queue-2.6.27/scsi-enclosure-fix-error-path-actually-return-err_ptr-on-error.patch new file mode 100644 index 00000000000..4000103e64c --- /dev/null +++ b/queue-2.6.27/scsi-enclosure-fix-error-path-actually-return-err_ptr-on-error.patch @@ -0,0 +1,35 @@ +From a91c1be21704113b023919826c6d531da46656ef Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Fri, 12 Mar 2010 16:14:42 -0600 +Subject: SCSI: enclosure: fix error path - actually return ERR_PTR() on error + +From: James Bottomley + +commit a91c1be21704113b023919826c6d531da46656ef upstream. + +we also need to clean up and free the cdev. + +Reported-by: Jani Nikula +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/enclosure.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -264,8 +264,11 @@ enclosure_component_register(struct encl + cdev->groups = enclosure_groups; + + err = device_register(cdev); +- if (err) +- ERR_PTR(err); ++ if (err) { ++ ecomp->number = -1; ++ put_device(cdev); ++ return ERR_PTR(err); ++ } + + return ecomp; + } diff --git a/queue-2.6.27/series b/queue-2.6.27/series index cdd7ef041b6..62cbf08e9c5 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -1,2 +1,4 @@ parisc-led.c-fix-potential-stack-overflow-in-led_proc_write.patch xfs-prevent-swapext-from-operating-on-write-only-files.patch +scsi-enclosure-fix-error-path-actually-return-err_ptr-on-error.patch +gfs2-rename-causes-kernel-oops.patch