1. 11 7月, 2016 1 次提交
  2. 06 7月, 2016 4 次提交
    • C
      ext2: fix filesystem deadlock while reading corrupted xattr block · ff0031d8
      Carlos Maiolino 提交于
      This bug can be reproducible with fsfuzzer, although, I couldn't reproduce it
      100% of my tries, it is quite easily reproducible.
      
      During the deletion of an inode, ext2_xattr_delete_inode() does not check if the
      block pointed by EXT2_I(inode)->i_file_acl is a valid data block, this might
      lead to a deadlock, when i_file_acl == 1, and the filesystem block size is 1024.
      
      In that situation, ext2_xattr_delete_inode, will load the superblock's buffer
      head (instead of a valid i_file_acl block), and then lock that buffer head,
      which, ext2_sync_super will also try to lock, making the filesystem deadlock in
      the following stack trace:
      
      root     17180  0.0  0.0 113660   660 pts/0    D+   07:08   0:00 rmdir
      /media/test/dir1
      
      [<ffffffff8125da9f>] __sync_dirty_buffer+0xaf/0x100
      [<ffffffff8125db03>] sync_dirty_buffer+0x13/0x20
      [<ffffffffa03f0d57>] ext2_sync_super+0xb7/0xc0 [ext2]
      [<ffffffffa03f10b9>] ext2_error+0x119/0x130 [ext2]
      [<ffffffffa03e9d93>] ext2_free_blocks+0x83/0x350 [ext2]
      [<ffffffffa03f3d03>] ext2_xattr_delete_inode+0x173/0x190 [ext2]
      [<ffffffffa03ee9e9>] ext2_evict_inode+0xc9/0x130 [ext2]
      [<ffffffff8123fd23>] evict+0xb3/0x180
      [<ffffffff81240008>] iput+0x1b8/0x240
      [<ffffffff8123c4ac>] d_delete+0x11c/0x150
      [<ffffffff8122fa7e>] vfs_rmdir+0xfe/0x120
      [<ffffffff812340ee>] do_rmdir+0x17e/0x1f0
      [<ffffffff81234dd6>] SyS_rmdir+0x16/0x20
      [<ffffffff81838cf2>] entry_SYSCALL_64_fastpath+0x1a/0xa4
      [<ffffffffffffffff>] 0xffffffffffffffff
      
      Fix this by using the same approach ext4 uses to test data blocks validity,
      implementing ext2_data_block_valid.
      
      An another possibility when the superblock is very corrupted, is that i_file_acl
      is 1, block_count is 1 and first_data_block is 0. For such situations, we might
      have i_file_acl pointing to a 'valid' block, but still step over the superblock.
      The approach I used was to also test if the superblock is not in the range
      described by ext2_data_block_valid() arguments
      Signed-off-by: NCarlos Maiolino <cmaiolino@redhat.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      ff0031d8
    • W
      ext4: fix project quota accounting without quota limits enabled · 079788d0
      Wang Shilong 提交于
      We should always transfer quota accounting, regardless of whether
      quota limits are enabled.
      
      Steps to reproduce:
        # mkfs.ext4 /dev/sda4 -O quota,project
        # mount /dev/sda4 /mnt/test
        # cp /bin/bash /mnt/test
        # chattr -p 123 /mnt/test/bash
        # quota -v -P 123
      Signed-off-by: NWang Shilong <wshilong@ddn.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      079788d0
    • T
      ext4: validate s_reserved_gdt_blocks on mount · 5b9554dc
      Theodore Ts'o 提交于
      If s_reserved_gdt_blocks is extremely large, it's possible for
      ext4_init_block_bitmap(), which is called when ext4 sets up an
      uninitialized block bitmap, to corrupt random kernel memory.  Add the
      same checks which e2fsck has --- it must never be larger than
      blocksize / sizeof(__u32) --- and then add a backup check in
      ext4_init_block_bitmap() in case the superblock gets modified after
      the file system is mounted.
      Reported-by: NVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      5b9554dc
    • Y
      ext4: remove unused page_idx · de9e9181
      yalin wang 提交于
      Signed-off-by: Nyalin wang <yalin.wang2010@gmail.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.com>
      de9e9181
  3. 04 7月, 2016 5 次提交
  4. 30 6月, 2016 5 次提交
    • V
      ext4: check for extents that wrap around · f70749ca
      Vegard Nossum 提交于
      An extent with lblock = 4294967295 and len = 1 will pass the
      ext4_valid_extent() test:
      
      	ext4_lblk_t last = lblock + len - 1;
      
      	if (len == 0 || lblock > last)
      		return 0;
      
      since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
      the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
      
      We can simplify it by removing the - 1 altogether and changing the test
      to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
      lblock and it fails, and if len > 0 then lblock + len > lblock in order
      to pass (i.e. it doesn't overflow).
      
      Fixes: 5946d089 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
      Fixes: 2f974865 ("ext4: check for zero length extent explicitly")
      Cc: Eryu Guan <guaneryu@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NPhil Turnbull <phil.turnbull@oracle.com>
      Signed-off-by: NVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      f70749ca
    • A
      jbd2: make journal y2038 safe · abcfb5d9
      Arnd Bergmann 提交于
      The jbd2 journal stores the commit time in 64-bit seconds and 32-bit
      nanoseconds, which avoids an overflow in 2038, but it gets the numbers
      from current_kernel_time(), which uses 'long' seconds on 32-bit
      architectures.
      
      This simply changes the code to call current_kernel_time64() so
      we use 64-bit seconds consistently.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Cc: stable@vger.kernel.org
      abcfb5d9
    • J
      jbd2: track more dependencies on transaction commit · 1eaa566d
      Jan Kara 提交于
      So far we were tracking only dependency on transaction commit due to
      starting a new handle (which may require commit to start a new
      transaction). Now add tracking also for other cases where we wait for
      transaction commit. This way lockdep can catch deadlocks e. g. because we
      call jbd2_journal_stop() for a synchronous handle with some locks held
      which rank below transaction start.
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      1eaa566d
    • J
      jbd2: move lockdep tracking to journal_s · ab714aff
      Jan Kara 提交于
      Currently lockdep map is tracked in each journal handle. To be able to
      expand lockdep support to cover also other cases where we depend on
      transaction commit and where handle is not available, move lockdep map
      into struct journal_s. Since this makes the lockdep map shared for all
      handles, we have to use rwsem_acquire_read() for acquisitions now.
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      ab714aff
    • J
      jbd2: move lockdep instrumentation for jbd2 handles · 7a4b188f
      Jan Kara 提交于
      The transaction the handle references is free to commit once we've
      decremented t_updates counter. Move the lockdep instrumentation to that
      place. Currently it was a bit later which did not really matter but
      subsequent improvements to lockdep instrumentation would cause false
      positives with it.
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      7a4b188f
  5. 27 6月, 2016 2 次提交
  6. 29 5月, 2016 9 次提交
    • G
      hash_string: Fix zero-length case for !DCACHE_WORD_ACCESS · e0ab7af9
      George Spelvin 提交于
      The self-test was updated to cover zero-length strings; the function
      needs to be updated, too.
      Reported-by: NGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: NGeorge Spelvin <linux@sciencehorizons.net>
      Fixes: fcfd2fbf ("fs/namei.c: Add hashlen_string() function")
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e0ab7af9
    • G
      Rename other copy of hash_string to hashlen_string · f2a031b6
      George Spelvin 提交于
      The original name was simply hash_string(), but that conflicted with a
      function with that name in drivers/base/power/trace.c, and I decided
      that calling it "hashlen_" was better anyway.
      
      But you have to do it in two places.
      
      [ This caused build errors for architectures that don't define
        CONFIG_DCACHE_WORD_ACCESS   - Linus ]
      Signed-off-by: NGeorge Spelvin <linux@sciencehorizons.net>
      Reported-by: NGuenter Roeck <linux@roeck-us.net>
      Fixes: fcfd2fbf ("fs/namei.c: Add hashlen_string() function")
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      f2a031b6
    • M
      hpfs: implement the show_options method · 037369b8
      Mikulas Patocka 提交于
      The HPFS filesystem used generic_show_options to produce string that is
      displayed in /proc/mounts.  However, there is a problem that the options
      may disappear after remount.  If we mount the filesystem with option1
      and then remount it with option2, /proc/mounts should show both option1
      and option2, however it only shows option2 because the whole option
      string is replaced with replace_mount_options in hpfs_remount_fs.
      
      To fix this bug, implement the hpfs_show_options function that prints
      options that are currently selected.
      Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      037369b8
    • M
      affs: fix remount failure when there are no options changed · 01d6e087
      Mikulas Patocka 提交于
      Commit c8f33d0b ("affs: kstrdup() memory handling") checks if the
      kstrdup function returns NULL due to out-of-memory condition.
      
      However, if we are remounting a filesystem with no change to
      filesystem-specific options, the parameter data is NULL.  In this case,
      kstrdup returns NULL (because it was passed NULL parameter), although no
      out of memory condition exists.  The mount syscall then fails with
      ENOMEM.
      
      This patch fixes the bug.  We fail with ENOMEM only if data is non-NULL.
      
      The patch also changes the call to replace_mount_options - if we didn't
      pass any filesystem-specific options, we don't call
      replace_mount_options (thus we don't erase existing reported options).
      
      Fixes: c8f33d0b ("affs: kstrdup() memory handling")
      Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org	# v4.1+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      01d6e087
    • M
      hpfs: fix remount failure when there are no options changed · 44d51706
      Mikulas Patocka 提交于
      Commit ce657611 ("hpfs: kstrdup() out of memory handling") checks if
      the kstrdup function returns NULL due to out-of-memory condition.
      
      However, if we are remounting a filesystem with no change to
      filesystem-specific options, the parameter data is NULL.  In this case,
      kstrdup returns NULL (because it was passed NULL parameter), although no
      out of memory condition exists.  The mount syscall then fails with
      ENOMEM.
      
      This patch fixes the bug.  We fail with ENOMEM only if data is non-NULL.
      
      The patch also changes the call to replace_mount_options - if we didn't
      pass any filesystem-specific options, we don't call
      replace_mount_options (thus we don't erase existing reported options).
      
      Fixes: ce657611 ("hpfs: kstrdup() out of memory handling")
      Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      44d51706
    • G
      fs: fix binfmt_aout.c build error · d66492bc
      Guenter Roeck 提交于
      Various builds (such as i386:allmodconfig) fail with
      
        fs/binfmt_aout.c:133:2: error: expected identifier or '(' before 'return'
        fs/binfmt_aout.c:134:1: error: expected identifier or '(' before '}' token
      
      [ Oops. My bad, I had stupidly thought that "allmodconfig" covered this
        on x86-64 too, but it obviously doesn't.  Egg on my face.  - Linus ]
      
      Fixes: 5d22fc25 ("mm: remove more IS_ERR_VALUE abuses")
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d66492bc
    • G
      <linux/hash.h>: Add support for architecture-specific functions · 468a9428
      George Spelvin 提交于
      This is just the infrastructure; there are no users yet.
      
      This is modelled on CONFIG_ARCH_RANDOM; a CONFIG_ symbol declares
      the existence of <asm/hash.h>.
      
      That file may define its own versions of various functions, and define
      HAVE_* symbols (no CONFIG_ prefix!) to suppress the generic ones.
      
      Included is a self-test (in lib/test_hash.c) that verifies the basics.
      It is NOT in general required that the arch-specific functions compute
      the same thing as the generic, but if a HAVE_* symbol is defined with
      the value 1, then equality is tested.
      Signed-off-by: NGeorge Spelvin <linux@sciencehorizons.net>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Greg Ungerer <gerg@linux-m68k.org>
      Cc: Andreas Schwab <schwab@linux-m68k.org>
      Cc: Philippe De Muyter <phdm@macq.eu>
      Cc: linux-m68k@lists.linux-m68k.org
      Cc: Alistair Francis <alistai@xilinx.com>
      Cc: Michal Simek <michal.simek@xilinx.com>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: uclinux-h8-devel@lists.sourceforge.jp
      468a9428
    • G
      fs/namei.c: Improve dcache hash function · 2a18da7a
      George Spelvin 提交于
      Patch 0fed3ac8 improved the hash mixing, but the function is slower
      than necessary; there's a 7-instruction dependency chain (10 on x86)
      each loop iteration.
      
      Word-at-a-time access is a very tight loop (which is good, because
      link_path_walk() is one of the hottest code paths in the entire kernel),
      and the hash mixing function must not have a longer latency to avoid
      slowing it down.
      
      There do not appear to be any published fast hash functions that:
      1) Operate on the input a word at a time, and
      2) Don't need to know the length of the input beforehand, and
      3) Have a single iterated mixing function, not needing conditional
         branches or unrolling to distinguish different loop iterations.
      
      One of the algorithms which comes closest is Yann Collet's xxHash, but
      that's two dependent multiplies per word, which is too much.
      
      The key insights in this design are:
      
      1) Barring expensive ops like multiplies, to diffuse one input bit
         across 64 bits of hash state takes at least log2(64) = 6 sequentially
         dependent instructions.  That is more cycles than we'd like.
      2) An operation like "hash ^= hash << 13" requires a second temporary
         register anyway, and on a 2-operand machine like x86, it's three
         instructions.
      3) A better use of a second register is to hold a two-word hash state.
         With careful design, no temporaries are needed at all, so it doesn't
         increase register pressure.  And this gets rid of register copying
         on 2-operand machines, so the code is smaller and faster.
      4) Using two words of state weakens the requirement for one-round mixing;
         we now have two rounds of mixing before cancellation is possible.
      5) A two-word hash state also allows operations on both halves to be
         done in parallel, so on a superscalar processor we get more mixing
         in fewer cycles.
      
      I ended up using a mixing function inspired by the ChaCha and Speck
      round functions.  It is 6 simple instructions and 3 cycles per iteration
      (assuming multiply by 9 can be done by an "lea" instruction):
      
      		x ^= *input++;
      	y ^= x;	x = ROL(x, K1);
      	x += y;	y = ROL(y, K2);
      	y *= 9;
      
      Not only is this reversible, two consecutive rounds are reversible:
      if you are given the initial and final states, but not the intermediate
      state, it is possible to compute both input words.  This means that at
      least 3 words of input are required to create a collision.
      
      (It also has the property, used by hash_name() to avoid a branch, that
      it hashes all-zero to all-zero.)
      
      The rotate constants K1 and K2 were found by experiment.  The search took
      a sample of random initial states (I used 1023) and considered the effect
      of flipping each of the 64 input bits on each of the 128 output bits two
      rounds later.  Each of the 8192 pairs can be considered a biased coin, and
      adding up the Shannon entropy of all of them produces a score.
      
      The best-scoring shifts also did well in other tests (flipping bits in y,
      trying 3 or 4 rounds of mixing, flipping all 64*63/2 pairs of input bits),
      so the choice was made with the additional constraint that the sum of the
      shifts is odd and not too close to the word size.
      
      The final state is then folded into a 32-bit hash value by a less carefully
      optimized multiply-based scheme.  This also has to be fast, as pathname
      components tend to be short (the most common case is one iteration!), but
      there's some room for latency, as there is a fair bit of intervening logic
      before the hash value is used for anything.
      
      (Performance verified with "bonnie++ -s 0 -n 1536:-2" on tmpfs.  I need
      a better benchmark; the numbers seem to show a slight dip in performance
      between 4.6.0 and this patch, but they're too noisy to quote.)
      
      Special thanks to Bruce fields for diligent testing which uncovered a
      nasty fencepost error in an earlier version of this patch.
      
      [checkpatch.pl formatting complaints noted and respectfully disagreed with.]
      Signed-off-by: NGeorge Spelvin <linux@sciencehorizons.net>
      Tested-by: NJ. Bruce Fields <bfields@redhat.com>
      2a18da7a
    • G
      fs/namei.c: Add hashlen_string() function · fcfd2fbf
      George Spelvin 提交于
      We'd like to make more use of the highly-optimized dcache hash functions
      throughout the kernel, rather than have every subsystem create its own,
      and a function that hashes basic null-terminated strings is required
      for that.
      
      (The name is to emphasize that it returns both hash and length.)
      
      It's actually useful in the dcache itself, specifically d_alloc_name().
      Other uses in the next patch.
      
      full_name_hash() is also tweaked to make it more generally useful:
      1) Take a "char *" rather than "unsigned char *" argument, to
         be consistent with hash_name().
      2) Handle zero-length inputs.  If we want more callers, we don't want
         to make them worry about corner cases.
      Signed-off-by: NGeorge Spelvin <linux@sciencehorizons.net>
      fcfd2fbf
  7. 28 5月, 2016 13 次提交
    • L
      nfs: fix anonymous member initializer build failure with older compilers · e0714ec4
      Linus Torvalds 提交于
      Older versions of gcc don't understand named initializers inside a
      anonymous structure or union member.  It can be worked around by adding
      the bracin gin the initializer for the anonymous member.
      
      Without this, gcc 4.4.4 will fail the build with
      
          CC      fs/nfs/nfs4state.o
        fs/nfs/nfs4state.c:69: error: unknown field ‘data’ specified in initializer
        fs/nfs/nfs4state.c:69: warning: missing braces around initializer
        fs/nfs/nfs4state.c:69: warning: (near initialization for ‘zero_stateid.<anonymous>.data’)
        make[2]: *** [fs/nfs/nfs4state.o] Error 1
      
      introduced in commit 93b717fd ("NFSv4: Label stateids with the type")
      Reported-and-tested-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Anna Schumaker <Anna.Schumaker@netapp.com>
      Cc: Trond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e0714ec4
    • A
      switch ->setxattr() to passing dentry and inode separately · 3767e255
      Al Viro 提交于
      smack ->d_instantiate() uses ->setxattr(), so to be able to call it before
      we'd hashed the new dentry and attached it to inode, we need ->setxattr()
      instances getting the inode as an explicit argument rather than obtaining
      it from dentry.
      
      Similar change for ->getxattr() had been done in commit ce23e640.  Unlike
      ->getxattr() (which is used by both selinux and smack instances of
      ->d_instantiate()) ->setxattr() is used only by smack one and unfortunately
      it got missed back then.
      Reported-by: NSeung-Woo Kim <sw0312.kim@samsung.com>
      Tested-by: NCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      3767e255
    • L
      mm: remove more IS_ERR_VALUE abuses · 5d22fc25
      Linus Torvalds 提交于
      The do_brk() and vm_brk() return value was "unsigned long" and returned
      the starting address on success, and an error value on failure.  The
      reasons are entirely historical, and go back to it basically behaving
      like the mmap() interface does.
      
      However, nobody actually wanted that interface, and it causes totally
      pointless IS_ERR_VALUE() confusion.
      
      What every single caller actually wants is just the simpler integer
      return of zero for success and negative error number on failure.
      
      So just convert to that much clearer and more common calling convention,
      and get rid of all the IS_ERR_VALUE() uses wrt vm_brk().
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5d22fc25
    • A
      remove lots of IS_ERR_VALUE abuses · 287980e4
      Arnd Bergmann 提交于
      Most users of IS_ERR_VALUE() in the kernel are wrong, as they
      pass an 'int' into a function that takes an 'unsigned long'
      argument. This happens to work because the type is sign-extended
      on 64-bit architectures before it gets converted into an
      unsigned type.
      
      However, anything that passes an 'unsigned short' or 'unsigned int'
      argument into IS_ERR_VALUE() is guaranteed to be broken, as are
      8-bit integers and types that are wider than 'unsigned long'.
      
      Andrzej Hajda has already fixed a lot of the worst abusers that
      were causing actual bugs, but it would be nice to prevent any
      users that are not passing 'unsigned long' arguments.
      
      This patch changes all users of IS_ERR_VALUE() that I could find
      on 32-bit ARM randconfig builds and x86 allmodconfig. For the
      moment, this doesn't change the definition of IS_ERR_VALUE()
      because there are probably still architecture specific users
      elsewhere.
      
      Almost all the warnings I got are for files that are better off
      using 'if (err)' or 'if (err < 0)'.
      The only legitimate user I could find that we get a warning for
      is the (32-bit only) freescale fman driver, so I did not remove
      the IS_ERR_VALUE() there but changed the type to 'unsigned long'.
      For 9pfs, I just worked around one user whose calling conventions
      are so obscure that I did not dare change the behavior.
      
      I was using this definition for testing:
      
       #define IS_ERR_VALUE(x) ((unsigned long*)NULL == (typeof (x)*)NULL && \
             unlikely((unsigned long long)(x) >= (unsigned long long)(typeof(x))-MAX_ERRNO))
      
      which ends up making all 16-bit or wider types work correctly with
      the most plausible interpretation of what IS_ERR_VALUE() was supposed
      to return according to its users, but also causes a compile-time
      warning for any users that do not pass an 'unsigned long' argument.
      
      I suggested this approach earlier this year, but back then we ended
      up deciding to just fix the users that are obviously broken. After
      the initial warning that caused me to get involved in the discussion
      (fs/gfs2/dir.c) showed up again in the mainline kernel, Linus
      asked me to send the whole thing again.
      
      [ Updated the 9p parts as per Al Viro  - Linus ]
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Cc: Andrzej Hajda <a.hajda@samsung.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Link: https://lkml.org/lkml/2016/1/7/363
      Link: https://lkml.org/lkml/2016/5/27/486
      Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> # For nvmem part
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      287980e4
    • E
      direct-io: fix direct write stale data exposure from concurrent buffered read · 9ecd10b7
      Eryu Guan 提交于
      Currently direct writes inside i_size on a DIO_SKIP_HOLES filesystem are
      not allowed to allocate blocks(get_more_blocks() sets 'create' to 0
      before calling get_block() callback), if it's a sparse file, direct
      writes fall back to buffered writes to avoid stale data exposure from
      concurrent buffered read.  But there're two cases that can result in
      stale data exposure are not correctly detected.
      
      1. The detection for "writing inside i_size" is not sufficient,
         writes can be treated as "extending writes" wrongly.  For example,
         direct write 1FSB (file system block) to a 1FSB sparse file on
         ext2/3/4, starting from offset 0, in this case it's writing inside
         i_size, but 'create' is non-zero, because 'block_in_file' and
         '(i_size_read(inode) >> blkbits' are both zero.
      
      2. Direct writes starting from or beyong i_size (not inside i_size)
         also could trigger block allocation and expose stale data.  For
         example, consider a sparse file with i_size of 2k, and a write to
         offset 2k or 3k into the file, with a filesystem block size of 4k.
         (Thanks to Jeff Moyer for pointing this case out in his review.)
      
      The first problem can be demostrated by running ltp-aiodio test ADSP045
      many times.  When testing on extN filesystems, I see test failures
      occasionally, buffered read could read non-zero (stale) data.
      
      ADSP045: dio_sparse -a 4k -w 4k -s 2k -n 1
      
      dio_sparse    0  TINFO  :  Dirtying free blocks
      dio_sparse    0  TINFO  :  Starting I/O tests
      non zero buffer at buf[0] => 0xffffffaa,ffffffaa,ffffffaa,ffffffaa
      non-zero read at offset 0
      dio_sparse    0  TINFO  :  Killing childrens(s)
      dio_sparse    1  TFAIL  :  dio_sparse.c:191: 1 children(s) exited abnormally
      
      The second problem can also be reproduced easily by a hacked dio_sparse
      program, which accepts an option to specify the write offset.
      
      What we should really do is to disable block allocation for writes that
      could result in filling holes inside i_size.
      
      Link: http://lkml.kernel.org/r/1463156728-13357-1-git-send-email-guaneryu@gmail.comReviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NEryu Guan <guaneryu@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      9ecd10b7
    • J
      ocfs2: bump up o2cb network protocol version · 38b52efd
      Junxiao Bi 提交于
      Two new messages are added to support negotiating hb timeout.  Stop
      nodes frmo talking an old version to mount as they will cause the
      negotiation to fail.
      
      Link: http://lkml.kernel.org/r/1464231615-27939-1-git-send-email-junxiao.bi@oracle.comSigned-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NMark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      38b52efd
    • J
      ocfs2: o2hb: fix hb hung time · 6633ca57
      Junxiao Bi 提交于
      hr_last_timeout_start should be set as the last time where hb is
      still OK.  When hb write timeout, hung time will be (jiffies -
      hr_last_timeout_start).
      Signed-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NRyan Ding <ryan.ding@oracle.com>
      Reviewed-by: NMark Fasheh <mfasheh@suse.de>
      Cc: Gang He <ghe@suse.com>
      Cc: rwxybh <rwxybh@126.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      6633ca57
    • J
      ocfs2: o2hb: don't negotiate if last hb fail · 88dbe98d
      Junxiao Bi 提交于
      Sometimes io error is returned when storage is down for a while.  Like
      for iscsi device, stroage is made offline when session timeout, and this
      will make all io return -EIO.  For this case, nodes shouldn't do
      negotiate timeout but should fence self.  So let nodes fence self when
      o2hb_do_disk_heartbeat return an error, this is the same behavior with
      o2hb without negotiate timer.
      Signed-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NRyan Ding <ryan.ding@oracle.com>
      Reviewed-by: NMark Fasheh <mfasheh@suse.de>
      Cc: Gang He <ghe@suse.com>
      Cc: rwxybh <rwxybh@126.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      88dbe98d
    • J
      ocfs2: o2hb: add some user/debug log · 1bd12902
      Junxiao Bi 提交于
      Signed-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NRyan Ding <ryan.ding@oracle.com>
      Reviewed-by: NMark Fasheh <mfasheh@suse.de>
      Cc: Gang He <ghe@suse.com>
      Cc: rwxybh <rwxybh@126.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      1bd12902
    • J
      ocfs2: o2hb: add NEGOTIATE_APPROVE message · e76f8237
      Junxiao Bi 提交于
      This message is used to re-queue write timeout timer and negotiate timer
      when all nodes suffer a write hung to storage, this makes node not fence
      self if storage down.
      Signed-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NRyan Ding <ryan.ding@oracle.com>
      Reviewed-by: NMark Fasheh <mfasheh@suse.de>
      Cc: Gang He <ghe@suse.com>
      Cc: rwxybh <rwxybh@126.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e76f8237
    • J
      ocfs2: o2hb: add NEGO_TIMEOUT message · 34069b88
      Junxiao Bi 提交于
      This message is sent to master node when non-master nodes's negotiate
      timer expired.  Master node records these nodes in a bitmap which is
      used to do write timeout timer re-queue decision.
      Signed-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NRyan Ding <ryan.ding@oracle.com>
      Reviewed-by: NMark Fasheh <mfasheh@suse.de>
      Cc: Gang He <ghe@suse.com>
      Cc: rwxybh <rwxybh@126.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      34069b88
    • J
      ocfs2: o2hb: add negotiate timer · e0cbb798
      Junxiao Bi 提交于
      This series of patches is to fix the issue that when storage down, all
      nodes will fence self due to write timeout.
      
      With this patch set, all nodes will keep going until storage back
      online, except if the following issue happens, then all nodes will do as
      before to fence self.
      
      1. io error got
      2. network between nodes down
      3. nodes panic
      
      This patch (of 6):
      
      When storage down, all nodes will fence self due to write timeout.  The
      negotiate timer is designed to avoid this, with it node will wait until
      storage up again.
      
      Negotiate timer working in the following way:
      
      1. The timer expires before write timeout timer, its timeout is half
         of write timeout now.  It is re-queued along with write timeout timer.
         If expires, it will send NEGO_TIMEOUT message to master node(node with
         lowest node number).  This message does nothing but marks a bit in a
         bitmap recording which nodes are negotiating timeout on master node.
      
      2. If storage down, nodes will send this message to master node, then
         when master node finds its bitmap including all online nodes, it sends
         NEGO_APPROVL message to all nodes one by one, this message will
         re-queue write timeout timer and negotiate timer.  For any node doesn't
         receive this message or meets some issue when handling this message, it
         will be fenced.  If storage up at any time, o2hb_thread will run and
         re-queue all the timer, nothing will be affected by these two steps.
      Signed-off-by: NJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: NRyan Ding <ryan.ding@oracle.com>
      Reviewed-by: NMark Fasheh <mfasheh@suse.de>
      Cc: Gang He <ghe@suse.com>
      Cc: rwxybh <rwxybh@126.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e0cbb798
    • A
      switch xattr_handler->set() to passing dentry and inode separately · 59301226
      Al Viro 提交于
      preparation for similar switch in ->setxattr() (see the next commit for
      rationale).
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      59301226
  8. 27 5月, 2016 1 次提交