1. 15 Apr 2015, 8 commits
  2. 09 Apr 2015, 3 commits
  3. 07 Apr 2015, 2 commits
    • ioctx_alloc(): fix vma (and file) leak on failure · deeb8525
      Al Viro committed
      If we fail past the aio_setup_ring(), we need to destroy the
      mapping.  We don't need to care about anybody having found ctx,
      or added requests to it, since the last failure exit is exactly
      the failure to make ctx visible to lookups.
      
      Reproducer (based on one by Joe Mario <jmario@redhat.com>):
      
       #include <stdio.h>
       #include <stdlib.h>
       #include <unistd.h>
       #include <libaio.h>	/* io_context_t, io_setup(), io_destroy(); build with -laio */
       
       /* print how many "/[aio] (deleted)" mappings this process currently has */
       void count(char *p)
       {
       	char s[80];
       	printf("%s: ", p);
       	fflush(stdout);
       	sprintf(s, "/bin/cat /proc/%d/maps|/bin/fgrep -c '/[aio] (deleted)'", getpid());
       	system(s);
       }
       
       int main()
       {
       	io_context_t *ctx;
       	int created, limit, i, destroyed;
       	FILE *f;
       
       	count("before");
       	if ((f = fopen("/proc/sys/fs/aio-max-nr", "r")) == NULL)
       		perror("opening aio-max-nr");
       	else if (fscanf(f, "%d", &limit) != 1)
       		fprintf(stderr, "can't parse aio-max-nr\n");
       	else if ((ctx = calloc(limit, sizeof(io_context_t))) == NULL)
       		perror("allocating aio_context_t array");
       	else {
       		/* keep creating contexts until the aio-max-nr limit makes io_setup() fail */
       		for (i = 0, created = 0; i < limit; i++) {
       			if (io_setup(1000, ctx + created) == 0)
       				created++;
       		}
       		/* destroy the ones that succeeded; the failed io_setup() calls are what
       		   leave "[aio] (deleted)" mappings behind on an unfixed kernel */
       		for (i = 0, destroyed = 0; i < created; i++)
       			if (io_destroy(ctx[i]) == 0)
       				destroyed++;
       		printf("created %d, failed %d, destroyed %d\n",
       			created, limit - created, destroyed);
       		count("after");
       	}
       	return 0;
       }
      Found-by: Joe Mario <jmario@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      deeb8525
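A userland model of the error path this commit fixes, added here as an example (it is not the kernel code or the commit's diff): a ring is mmap()ed early, a later step fails, and the failure exit has to undo the mapping. The struct and function names, the `make_visible()` step that stands in for "the last failure exit", and the use of `mincore()` to ask whether a range is still mapped are all assumptions of the example; the reproducer above asks the same question by grepping /proc/PID/maps.

```c
/* Userland model of the ioctx_alloc() error path: the ring is mapped early
 * (aio_setup_ring), a later step fails, and the failure exit must tear the
 * mapping down again. Names and the make_visible() step are constructed
 * for this example; they are not the kernel's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

struct ctx {
    void *ring;
    size_t ring_bytes;
};

/* aio_setup_ring() stand-in: map a page-rounded ring for nr_events slots */
static int setup_ring(struct ctx *ctx, size_t nr_events)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);

    ctx->ring_bytes = ((nr_events * 32 + page - 1) / page) * page;
    ctx->ring = mmap(NULL, ctx->ring_bytes, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return ctx->ring == MAP_FAILED ? -ENOMEM : 0;
}

/* last step before the ctx becomes visible to lookups; fail_it simulates
 * hitting a limit such as aio-max-nr */
static int make_visible(struct ctx *ctx, int fail_it)
{
    (void)ctx;
    return fail_it ? -EAGAIN : 0;
}

/* Allocate a ctx. With fixed == 0 the failure exit after setup_ring() only
 * frees the struct and leaks the mapping (the bug); with fixed == 1 it
 * unmaps first. The ring's address and size are reported through
 * ring_out/bytes_out so the caller can check whether it is still mapped. */
static struct ctx *ctx_alloc(size_t nr_events, int fail_it, int fixed,
                             int *err, void **ring_out, size_t *bytes_out)
{
    struct ctx *ctx = calloc(1, sizeof *ctx);

    *ring_out = NULL;
    *bytes_out = 0;
    if (!ctx) {
        *err = -ENOMEM;
        return NULL;
    }
    *err = setup_ring(ctx, nr_events);
    if (*err)
        goto out_free;
    *ring_out = ctx->ring;
    *bytes_out = ctx->ring_bytes;

    *err = make_visible(ctx, fail_it);
    if (*err) {
        if (fixed)
            goto out_unmap;
        goto out_free;          /* BUG: ring stays mapped after ctx is freed */
    }
    return ctx;

out_unmap:
    munmap(ctx->ring, ctx->ring_bytes);
out_free:
    free(ctx);
    return NULL;
}

static void ctx_destroy(struct ctx *ctx)
{
    munmap(ctx->ring, ctx->ring_bytes);
    free(ctx);
}

/* 1 if [addr, addr+len) is mapped, 0 if mincore() reports ENOMEM for it,
 * -1 on any other error */
static int mapping_present(void *addr, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *vec = calloc((len + page - 1) / page, 1);
    int rc;

    if (!vec)
        return -1;
    rc = mincore(addr, len, vec);
    free(vec);
    if (rc == 0)
        return 1;
    return errno == ENOMEM ? 0 : -1;
}

int main(void)
{
    void *ring;
    size_t bytes;
    int err;

    ctx_alloc(128, 1, 0, &err, &ring, &bytes);
    printf("buggy failure exit: ring still mapped = %d\n", mapping_present(ring, bytes));
    munmap(ring, bytes);
    ctx_alloc(128, 1, 1, &err, &ring, &bytes);
    printf("fixed failure exit: ring still mapped = %d\n", mapping_present(ring, bytes));
    return 0;
}
```

The check is deliberately placed right after the failing call and before anything else maps memory, because a freed address range can be reused by the next mmap(); the same caveat applies to counting entries in /proc/PID/maps.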
    • fix mremap() vs. ioctx_kill() race · b2edffdd
      Al Viro committed
      teach ->mremap() method to return an error and have it fail for
      aio mappings in process of being killed
      
      Note that in case of ->mremap() failure we need to undo move_page_tables()
      we'd already done; we could call ->mremap() first, but then the failure of
      move_page_tables() would require undoing whatever _successful_ ->mremap()
      has done, which would be a lot more headache in general.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      b2edffdd
  4. 03 Apr 2015, 1 commit
  5. 01 Apr 2015, 8 commits
  6. 31 Mar 2015, 1 commit
  7. 27 Mar 2015, 1 commit
  8. 26 Mar 2015, 7 commits
  9. 25 Mar 2015, 2 commits
  10. 22 Mar 2015, 1 commit
  11. 21 Mar 2015, 6 commits
    • cifs: fix use-after-free bug in find_writable_file · e1e9bda2
      David Disseldorp committed
      Under intermittent network outages, find_writable_file() is susceptible
      to the following race condition, which results in a use-after-free in
      the cifs_writepages code-path:
      
      Thread 1                                        Thread 2
      ========                                        ========
      
      inv_file = NULL
      refind = 0
      spin_lock(&cifs_file_list_lock)
      
      // invalidHandle found on openFileList
      
      inv_file = open_file
      // inv_file->count currently 1
      
      cifsFileInfo_get(inv_file)
      // inv_file->count = 2
      
      spin_unlock(&cifs_file_list_lock);
      
      cifs_reopen_file()                            cifs_close()
      // fails (rc != 0)                            ->cifsFileInfo_put()
                                             spin_lock(&cifs_file_list_lock)
                                             // inv_file->count = 1
                                             spin_unlock(&cifs_file_list_lock)
      
      spin_lock(&cifs_file_list_lock);
      list_move_tail(&inv_file->flist,
            &cifs_inode->openFileList);
      spin_unlock(&cifs_file_list_lock);
      
      cifsFileInfo_put(inv_file);
      ->spin_lock(&cifs_file_list_lock)
      
        // inv_file->count = 0
        list_del(&cifs_file->flist);
        // cleanup!!
        kfree(cifs_file);
      
        spin_unlock(&cifs_file_list_lock);
      
      spin_lock(&cifs_file_list_lock);
      ++refind;
      // refind = 1
      goto refind_writable;
      
      At this point we loop back through with an invalid inv_file pointer
      and a refind value of 1. On second pass, inv_file is not overwritten on
      openFileList traversal, and is subsequently dereferenced.
      Signed-off-by: David Disseldorp <ddiss@suse.de>
      Reviewed-by: Jeff Layton <jlayton@samba.org>
      CC: <stable@vger.kernel.org>
      Signed-off-by: Steve French <smfrench@gmail.com>
      e1e9bda2
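The race in the diagram above, replayed single-threaded as an added example (this is constructed for the page, not the cifs code): Thread 2's cifs_close() is folded into the reopen step, where the diagram places it, and kfree() is replaced by a `freed` flag so the second-pass dereference of `inv_file` can be reported instead of being undefined behaviour. The struct, the function names, the `fixed` switch and the assumption that the fix is to forget the `inv_file` pointer before going back to `refind_writable` are all assumptions of the example.

```c
/* Single-threaded replay of the find_writable_file() race. Thread 2's
 * cifs_close() is folded into reopen(), and kfree() is modelled by a
 * "freed" flag so a stale dereference is observable. All names are
 * constructed for this example. */
#include <stdio.h>

struct file_info {
    int count;           /* reference count (cifsFileInfo_get/put) */
    int invalid_handle;  /* invalidHandle: needs a reopen before use */
    int reopen_fails;    /* constructed: reopen fails, as during an outage */
    int freed;           /* stands in for kfree() */
};

struct open_list {
    struct file_info *files[4];  /* openFileList */
    int n;
};

enum { FOUND = 0, NOT_FOUND = -1, STALE_DEREF = -2 };

static void fi_get(struct file_info *f) { f->count++; }

/* cifsFileInfo_put(): dropping the last reference unlinks and frees */
static void fi_put(struct file_info *f)
{
    if (--f->count == 0)
        f->freed = 1;
}

/* cifs_reopen_file(); with race set, Thread 2's cifs_close() drops its
 * reference while we are off the list lock */
static int reopen(struct file_info *f, int race)
{
    if (race)
        fi_put(f);
    return f->reopen_fails ? -1 : 0;
}

static int find_writable(struct open_list *ol, int race, int fixed,
                         struct file_info **out)
{
    struct file_info *inv_file = NULL;
    int refind = 0;

refind_writable:
    if (refind > 2)
        return NOT_FOUND;
    for (int i = 0; i < ol->n; i++) {
        struct file_info *f = ol->files[i];
        if (f->freed)
            continue;               /* list_del() took it off the list */
        if (!f->invalid_handle) {
            fi_get(f);
            *out = f;
            return FOUND;
        }
        if (!inv_file)              /* only the first invalid handle is kept */
            inv_file = f;
    }
    if (!inv_file)
        return NOT_FOUND;
    if (inv_file->freed)            /* the buggy second pass lands here with
                                       a dangling pointer */
        return STALE_DEREF;
    fi_get(inv_file);
    if (reopen(inv_file, race) == 0) {
        *out = inv_file;
        return FOUND;
    }
    fi_put(inv_file);               /* may be the last reference */
    ++refind;
    if (fixed)
        inv_file = NULL;            /* forget a pointer that may be gone */
    goto refind_writable;
}

int main(void)
{
    struct file_info f = { .count = 1, .invalid_handle = 1, .reopen_fails = 1 };
    struct open_list ol = { .files = { &f }, .n = 1 };
    struct file_info *out = NULL;

    printf("buggy: %d\n", find_writable(&ol, 1, 0, &out));   /* -2 */
    f = (struct file_info){ .count = 1, .invalid_handle = 1, .reopen_fails = 1 };
    printf("fixed: %d\n", find_writable(&ol, 1, 1, &out));   /* -1 */
    return 0;
}
```

Without the race (`race == 0`) both variants retry a bounded number of times and leave the refcount where they found it; the difference only shows when another holder drops the reference between the get and the put, which is exactly the window the diagram shows.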
    • cifs: smb2_clone_range() - exit on unhandled error · 2477bc58
      Sachin Prabhu committed
      While attempting to clone a file on a samba server, we receive a
      STATUS_INVALID_DEVICE_REQUEST. This is mapped to -EOPNOTSUPP which
      isn't handled in smb2_clone_range(). We end up looping in the while loop
      making same call to the samba server over and over again.
      
      The proposed fix is to exit and return the error value when encountered
      with an unhandled error.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
      Signed-off-by: Steve French <steve.french@primarydata.com>
      Signed-off-by: Steve French <smfrench@gmail.com>
      2477bc58
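The loop discipline the commit calls for, as an added example (constructed for the page; it is not the smb2_clone_range() code): a chunked clone loop retries only the one status it knows how to recover from, and returns anything else to the caller immediately instead of reissuing the same request. The server model, the names, and the choice of -EINVAL as the "too large, shrink and retry" status are assumptions of the example; the -EOPNOTSUPP case is the one the commit message describes.

```c
/* Chunked clone loop that retries only a known recoverable status and
 * returns any other error at once. Server model and names are constructed
 * for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct server {
    size_t max_chunk;   /* largest chunk the server accepts */
    int reject_all;     /* answer every request with -EOPNOTSUPP */
    int calls;          /* how many requests the loop actually sent */
};

/* One copy-chunk request. Oversized chunks get -EINVAL, which the client
 * handles by shrinking; reject_all models STATUS_INVALID_DEVICE_REQUEST
 * mapped to -EOPNOTSUPP. */
static int copychunk(struct server *srv, size_t len)
{
    srv->calls++;
    if (srv->reject_all)
        return -EOPNOTSUPP;
    if (len > srv->max_chunk)
        return -EINVAL;
    return 0;
}

/* Clone len bytes in chunks of at most chunk bytes. Returns 0, or the
 * first unhandled negative errno. */
static int clone_range(struct server *srv, size_t len, size_t chunk)
{
    while (len > 0) {
        size_t this = len < chunk ? len : chunk;
        int rc = copychunk(srv, this);

        if (rc == 0) {
            len -= this;
            continue;
        }
        /* the known, recoverable case: shrink to the server's limit,
         * but only when that actually makes progress */
        if (rc == -EINVAL && srv->max_chunk > 0 && srv->max_chunk < chunk) {
            chunk = srv->max_chunk;
            continue;
        }
        return rc;      /* unhandled error: bail out, never loop on it */
    }
    return 0;
}

int main(void)
{
    struct server ok = { .max_chunk = 4096 };
    struct server bad = { .max_chunk = 4096, .reject_all = 1 };
    int rc;

    rc = clone_range(&ok, 10000, 65536);
    printf("ok server:  rc=%d calls=%d\n", rc, ok.calls);
    rc = clone_range(&bad, 10000, 65536);
    printf("bad server: rc=%d calls=%d\n", rc, bad.calls);
    return 0;
}
```

The `calls` counter is what to watch: with the unhandled status the loop sends exactly one request and returns the error, whereas a loop that only checks for the statuses it expects would keep sending it.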
    • NFSD: Put exports after nfsd4_layout_verify fail · a1420384
      Kinglong Mee committed
      Fix commit 9cf514cc (nfsd: implement pNFS operations).
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      a1420384
    • NFSD: Error out when register_shrinker() fail · a68465c9
      Kinglong Mee committed
      If register_shrinker() failed, nfsd will cause a NULL pointer access as,
      
      [ 9250.875465] nfsd: last server has exited, flushing export cache
      [ 9251.427270] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [ 9251.427393] IP: [<ffffffff8136fc29>] __list_del_entry+0x29/0xd0
      [ 9251.427579] PGD 13e4d067 PUD 13e4c067 PMD 0
      [ 9251.427633] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      [ 9251.427706] Modules linked in: ip6t_rpfilter ip6t_REJECT bnep bluetooth xt_conntrack cfg80211 rfkill ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw btrfs xfs microcode ppdev serio_raw pcspkr xor libcrc32c raid6_pq e1000 parport_pc parport i2c_piix4 i2c_core nfsd(OE-) auth_rpcgss nfs_acl lockd sunrpc(E) ata_generic pata_acpi
      [ 9251.428240] CPU: 0 PID: 1557 Comm: rmmod Tainted: G           OE 3.16.0-rc2+ #22
      [ 9251.428366] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
      [ 9251.428496] task: ffff880000849540 ti: ffff8800136f4000 task.ti: ffff8800136f4000
      [ 9251.428593] RIP: 0010:[<ffffffff8136fc29>]  [<ffffffff8136fc29>] __list_del_entry+0x29/0xd0
      [ 9251.428696] RSP: 0018:ffff8800136f7ea0  EFLAGS: 00010207
      [ 9251.428751] RAX: 0000000000000000 RBX: ffffffffa0116d48 RCX: dead000000200200
      [ 9251.428814] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa0116d48
      [ 9251.428876] RBP: ffff8800136f7ea0 R08: ffff8800136f4000 R09: 0000000000000001
      [ 9251.428939] R10: 8080808080808080 R11: 0000000000000000 R12: ffffffffa011a5a0
      [ 9251.429002] R13: 0000000000000800 R14: 0000000000000000 R15: 00000000018ac090
      [ 9251.429064] FS:  00007fb9acef0740(0000) GS:ffff88003fa00000(0000) knlGS:0000000000000000
      [ 9251.429164] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 9251.429221] CR2: 0000000000000000 CR3: 0000000031a17000 CR4: 00000000001407f0
      [ 9251.429306] Stack:
      [ 9251.429410]  ffff8800136f7eb8 ffffffff8136fcdd ffffffffa0116d20 ffff8800136f7ed0
      [ 9251.429511]  ffffffff8118a0f2 0000000000000000 ffff8800136f7ee0 ffffffffa00eb765
      [ 9251.429610]  ffff8800136f7ef0 ffffffffa010e93c ffff8800136f7f78 ffffffff81104ac2
      [ 9251.429709] Call Trace:
      [ 9251.429755]  [<ffffffff8136fcdd>] list_del+0xd/0x30
      [ 9251.429896]  [<ffffffff8118a0f2>] unregister_shrinker+0x22/0x40
      [ 9251.430037]  [<ffffffffa00eb765>] nfsd_reply_cache_shutdown+0x15/0x90 [nfsd]
      [ 9251.430106]  [<ffffffffa010e93c>] exit_nfsd+0x9/0x6cd [nfsd]
      [ 9251.430192]  [<ffffffff81104ac2>] SyS_delete_module+0x162/0x200
      [ 9251.430280]  [<ffffffff81013b69>] ? do_notify_resume+0x59/0x90
      [ 9251.430395]  [<ffffffff816f2369>] system_call_fastpath+0x16/0x1b
      [ 9251.430457] Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de 48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00 ad de 48 39 c8 74 7a <4c> 8b 00 4c 39 c7 75 53 4c 8b 42 08 4c 39 c7 75 2b 48 89 42 08
      [ 9251.430691] RIP  [<ffffffff8136fc29>] __list_del_entry+0x29/0xd0
      [ 9251.430755]  RSP <ffff8800136f7ea0>
      [ 9251.430805] CR2: 0000000000000000
      [ 9251.431033] ---[ end trace 080f3050d082b4ea ]---
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      a68465c9
    • NFSD: Take care the return value from nfsd4_decode_stateid · db59c0ef
      Kinglong Mee committed
      Return status after nfsd4_decode_stateid failed.
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      db59c0ef
    • NFSD: Check layout type when returning client layouts · 6f8f28ec
      Kinglong Mee committed
      According to RFC5661:
      " When lr_returntype is LAYOUTRETURN4_FSID, the current filehandle is used
         to identify the file system and all layouts matching the client ID,
         the fsid of the file system, lora_layout_type, and lora_iomode are
         returned.  When lr_returntype is LAYOUTRETURN4_ALL, all layouts
         matching the client ID, lora_layout_type, and lora_iomode are
         returned and the current filehandle is not used. "
      
      When returning client layouts, always check layout type.
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      6f8f28ec