- 10 Jan, 2012 1 commit
-
-
Xi Wang authored
Commit 503358ae ("ext4: avoid divide by zero when trying to mount a corrupted file system") fixes CVE-2009-4307 by performing a sanity check on s_log_groups_per_flex, since it can be set to a bogus value by an attacker. sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; groups_per_flex = 1 << sbi->s_log_groups_per_flex; if (groups_per_flex < 2) { ... } This patch fixes two potential issues in the previous commit. 1) The sanity check might only work on architectures like PowerPC. On x86, 5 bits are used for the shifting amount. That means, given a large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36 is essentially 1 << 4 = 16, rather than 0. This will bypass the check, leaving s_log_groups_per_flex and groups_per_flex inconsistent. 2) The sanity check relies on undefined behavior, i.e., oversized shift. A standard-confirming C compiler could rewrite the check in unexpected ways. Consider the following equivalent form, assuming groups_per_flex is unsigned for simplicity. groups_per_flex = 1 << sbi->s_log_groups_per_flex; if (groups_per_flex == 0 || groups_per_flex == 1) { We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will completely optimize away the check groups_per_flex == 0, leaving the patched code as vulnerable as the original. GCC keeps the check, but there is no guarantee that future versions will do the same. Signed-off-by:
Xi Wang <xi.wang@gmail.com> Signed-off-by:
"Theodore Ts'o" <tytso@mit.edu> Cc: stable@vger.kernel.org
-
- 05 Jan, 2012 5 commits
-
-
Eric Sandeen authored
A couple more functions can reasonably be made static if desired. Signed-off-by:
Eric Sandeen <sandeen@redhat.com> Signed-off-by:
-
Djalal Harouni authored
The ext4_initxattrs symbol is used only in this file, so it should be declared static. Signed-off-by:
Djalal Harouni <tixxdz@opendz.org> Signed-off-by:
-
Jan Kara authored
Toshiyuki Okajima found out that when running for ((i=0; i < 100000; i++)); do if ((i%2 == 0)); then chattr +j /mnt/file else chattr -j /mnt/file fi echo "0" >> /mnt/file done process sometimes hangs indefinitely in jbd2_journal_lock_updates(). Toshiyuki identified that the following race happens: jbd2_journal_lock_updates() |jbd2_journal_stop() ---------------------------------------+--------------------------------------- write_lock(&journal->j_state_lock) | . ++journal->j_barrier_count | . spin_lock(&tran->t_handle_lock) | . atomic_read(&tran->t_updates) //not 0 | | atomic_dec_and_test(&tran->t_updates) | // t_updates = 0 | wake_up(&journal->j_wait_updates) prepare_to_wait() | // no process is woken up. spin_unlock(&tran->t_handle_lock) | write_unlock(&journal->j_state_lock) | schedule() // never return | We fix the problem by first calling prepare_to_wait() and only after that checking t_updates in jbd2_journal_lock_updates(). Reported-and-analyzed-by:Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com> Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
-
Theodore Ts'o authored
Reserve the ext4 features flags EXT4_FEATURE_RO_COMPAT_METADATA_CSUM, EXT4_FEATURE_INCOMPAT_INLINEDATA, and EXT4_FEATURE_INCOMPAT_LARGEDIR. Signed-off-by: -
Ben Hutchings authored
Currently the value reported for max_batch_time is really the value of min_batch_time. Reported-by:
Russell Coker <russell@coker.com.au> Signed-off-by:
Ben Hutchings <ben@decadent.org.uk>
-
- 04 Jan, 2012 13 commits
-
-
Djalal Harouni authored
Online resize ioctls 'EXT4_IOC_GROUP_EXTEND' and 'EXT4_IOC_GROUP_ADD' call ext4_resize_begin() to check permissions and to set the EXT4_RESIZING bit lock, they do their work and they must finish with ext4_resize_end() which calls clear_bit_unlock() to unlock and to avoid -EBUSY errors for the next resize operations. This patch adds the missing ext4_resize_end() calls on error paths. Patch tested. Cc: stable@vger.kernel.org Signed-off-by:
-
Yongqiang Yang authored
This patch lets ext4_group_add() call ext4_flex_group_add(). Signed-off-by:
Yongqiang Yang <xiaoqiangnk@gmail.com> Signed-off-by:
-
Yongqiang Yang authored
ext4_group_extend_no_check() is moved out from ext4_group_extend(), this patch lets ext4_group_extend() call ext4_group_extentd_no_check() instead. Signed-off-by:
-
Yongqiang Yang authored
This patch adds new online resize interface, whose input argument is a 64-bit integer indicating how many blocks there are in the resized fs. In new resize impelmentation, all work like allocating group tables are done by kernel side, so the new resize interface can support flex_bg feature and prepares ground for suppoting resize with features like bigalloc and exclude bitmap. Besides these, user-space tools just passes in the new number of blocks. We delay initializing the bitmaps and inode tables of added groups if possible and add multi groups (a flex groups) each time, so new resize is very fast like mkfs. Signed-off-by:
-
Yongqiang Yang authored
This patch adds a new function named ext4_flex_group_add() which adds a flex group to a fs. The function is used by 64bit-resize interface. Signed-off-by:
-
Yongqiang Yang authored
This patch adds a new function named ext4_allocates_group_table() which allocates block bitmaps, inode bitmaps and inode tables for a flex groups and is used by resize code. Signed-off-by:
-
Yongqiang Yang authored
The 64bit resizer adds a flex group each time, so verify_reserved_gdb can not use s_groups_count directly, it should use the number of group decriptors before the added group. Signed-off-by:
-
Yongqiang Yang authored
This patch adds a function named ext4_update_super() which updates super block so the newly created block groups are visible to the file system. This code is copied from ext4_group_add(). The function will be used by new resize implementation. Signed-off-by:
-
Yongqiang Yang authored
This patch adds a function named ext4_setup_new_descs which sets up the block group descriptors of a flex bg. Signed-off-by:
-
Yongqiang Yang authored
This patch adds a function named setup_new_flex_group_blocks() which sets up group blocks of a flex bg. Signed-off-by:
-
Yongqiang Yang authored
This patch adds a structure which will be used by 64bit-resize interface. Two functions which allocate and destroy the structure respectively are added. Signed-off-by:
-
Yongqiang Yang authored
This patch adds a function named ext4_add_new_descs() which adds one or more new group descriptors to a fs and whose code is copied from ext4_group_add(). The function will be used by new resize implementation. Signed-off-by:
-
Yongqiang Yang authored
This patch added a function named ext4_group_extend_no_check() whose code is copied from ext4_group_extend(). ext4_group_extend_no_check() assumes the parameter is valid and has been checked by caller. Signed-off-by:
-
- 29 Dec, 2011 4 commits
-
-
Akinobu Mita authored
ext4_{set,clear}_bit() is defined as __test_and_{set,clear}_bit_le() for ext4. Only two ext4_{set,clear}_bit() calls check the return value. The rest of calls ignore the return value and they can be replaced with __{set,clear}_bit_le(). This changes ext4_{set,clear}_bit() from __test_and_{set,clear}_bit_le() to __{set,clear}_bit_le() and introduces ext4_test_and_{set,clear}_bit() for the two places where old bit needs to be returned. This ext4_{set,clear}_bit() change is considered safe, because if someone uses these macros without noticing the change, new ext4_{set,clear}_bit don't have return value and causes compiler errors where the return value is used. This also removes unused ext4_find_first_zero_bit(). Signed-off-by:Akinobu Mita <akinobu.mita@gmail.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Zheng Liu authored
The functions ext4_block_truncate_page() and ext4_block_zero_page_range() are no longer used, so remove them. Signed-off-by:
Zheng Liu <wenqing.lz@taobao.com> Signed-off-by:
-
Theodore Ts'o authored
Signed-off-by: -
Zheng Liu authored
Fix ext4_debug format in ext4_ext_handle_uninitialized_extents() and ext4_end_io_dio(). Signed-off-by:
-
- 28 Dec, 2011 3 commits
-
-
Yongqiang Yang authored
Currently, we clear revoked flag only when a block is reused. However, this can tigger a false journal error. Consider a situation when a block is used as a meta block and is deleted(revoked) in ordered mode, then the block is allocated as a data block to a file. At this moment, user changes the file's journal mode from ordered to journaled and truncates the file. The block will be considered re-revoked by journal because it has revoked flag still pending from the last transaction and an assertion triggers. We fix the problem by keeping the revoked status more uptodate - we clear revoked flag when switching revoke tables to reflect there is no revoked buffers in current transaction any more. Signed-off-by:
-
Yongqiang Yang authored
It's necessary to flush the journal when switching away from data=journal mode. This is because there are no revoke records when data blocks are journalled, but revoke records are required in the other journal modes. However, it is not necessary to flush the journal when switching into data=journal mode, and flushing the journal is expensive. So let's avoid it in that case. Signed-off-by:
-
Yongqiang Yang authored
delalloc blocks should be allocated before changing journal mode, otherwise they can not be allocated and even more truncate on delalloc blocks could triggre BUG by flushing delalloc buffers. Signed-off-by:
-
- 21 Dec, 2011 1 commit
-
-
Theodore Ts'o authored
In the code to support EXT4_IOC_MOVE_EXT, ext4_ioctl calls file_remove_suid() after the call to ext4_move_extents() if any extents has been moved. There are at least three things wrong with this. First, file_remove_suid() should be called with i_mutex down, which is not here. Second, it should be called before the donor file has been modified, to avoid a potential race condition. Third, and most importantly, it's pointless, because ext4_file_extents() already checks if the donor file has the setuid or setgid bit set, and will return an error in that case. So the first two objections don't really matter, since file_remove_suid() will never need to modify the inode in any case. Signed-off-by:
-
- 19 Dec, 2011 1 commit
-
-
Robin Dong authored
We found performance regression when using bigalloc with "nodelalloc" (1MB cluster size): 1. mke2fs -C 1048576 -O ^has_journal,bigalloc /dev/sda 2. mount -o nodelalloc /dev/sda /test/ 3. time dd if=/dev/zero of=/test/io bs=1048576 count=1024 The "dd" will cost about 2 seconds to finish, but if we mke2fs without "bigalloc", "dd" will only cost less than 1 second. The reason is: when using ext4 with "nodelalloc", it will call ext4_find_delalloc_cluster() nearly everytime it call ext4_ext_map_blocks(), and ext4_find_delalloc_range() will also scan all pages in cluster because no buffer is "delayed". A cluster has 256 pages (1MB cluster), so it will scan 256 * 256k pags when creating a 1G file. That severely hurts the performance. Therefore, we return immediately from ext4_find_delalloc_range() in nodelalloc mode, since by definition there can't be any delalloc pages. Signed-off-by:
Robin Dong <sanbai@taobao.com> Signed-off-by:
-
- 18 Dec, 2011 4 commits
-
-
Curt Wohlgemuth authored
In get_implied_cluster_alloc(), rr_cluster_end was being defined and set, but was never used. Removed this. Signed-off-by:
Curt Wohlgemuth <curtw@google.com> Signed-off-by:
-
Jan Kara authored
When insert_inode_locked() fails in ext4_new_inode() it most likely means inode bitmap got corrupted and we allocated again inode which is already in use. Also doing unlock_new_inode() during error recovery is wrong since the inode does not have I_NEW set. Fix the problem by jumping to fail: (instead of fail_drop:) which declares filesystem error and does not call unlock_new_inode(). Signed-off-by:
-
Zheng Liu authored
Signed-off-by:
-
Yongqiang Yang authored
pa_inode in group_pa is set NULL in ext4_mb_new_group_pa, so pa_inode should be not referenced. Reported-by:
Wu Fengguang <fengguang.wu@intel.com> Signed-off-by:
-
- 17 Dec, 2011 1 commit
-
-
Linus Torvalds authored
-
- 16 Dec, 2011 7 commits
-
-
Linus Torvalds authored
This reverts commit eb1711bb. It blows up the i915 seqno tracking, resulting in the BUG_ON(seqno == 0); in i915_wait_request() triggering, which will cause lock-ups. See for example https://bugs.launchpad.net/ubuntu/+source/linux/+bug/903010 https://lkml.org/lkml/2011/12/14/395Reported-requested-and-tested-by:
Dirk Hohndel <dirk@hohndel.org> Reported-by:
Richard Eames <Richard.Eames@flinders.edu.au> Reported-by:
Rocko Requin <rockorequin@hotmail.com> Acked-by:
Daniel Vetter <daniel.vetter@ffwll.ch> Cc: Dave Airlie <airlied@redhat.com> Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: Keith Packard <keithp@keithp.com> Cc: Eric Anholt <eric@anholt.net> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparcLinus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc32: Be less strict in matching %lo part of relocation. sbus: convert drivers/sbus/char/* to use module_platform_driver() bbc_i2c: Remove unneeded err variable sparc: Use kmemdup rather than duplicating its implementation
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: ipv6: Check dest prefix length on original route not copied one in rt6_alloc_cow(). sch_gred: should not use GFP_KERNEL while holding a spinlock ipip, sit: copy parms.name after register_netdevice ipv6: Fix for adding multicast route for loopback device automatically. ssb: fix init regression with SoCs rtl8192{ce,cu,de,se}: avoid problems because of possible ERFOFF -> ERFSLEEP transition mac80211: fix another race in aggregation start fsl_pq_mdio: Clean up tbi address configuration ppp: fix pptp double release_sock in pptp_bind() net/fec: fix the use of pdev->id ath9k: fix check for antenna diversity support batman-adv: delete global entry in case of roaming batman-adv: in case of roaming mark the client with TT_CLIENT_ROAM Bluetooth: Correct version check in hci_setup btusb: fix a memory leak in btusb_send_frame() Bluetooth: bnep: Fix module reference Bluetooth: cmtp: Fix module reference Bluetooth: btmrvl: support Marvell Bluetooth device SD8797
-
Linus Torvalds authored
Merge branches 'for-linus' and 'for-linus-3.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: unplug every once and a while Btrfs: deal with NULL srv_rsv in the delalloc inode reservation code Btrfs: only set cache_generation if we setup the block group Btrfs: don't panic if orphan item already exists Btrfs: fix leaked space in truncate Btrfs: fix how we do delalloc reservations and how we free reservations on error Btrfs: deal with enospc from dirtying inodes properly Btrfs: fix num_workers_starting bug and other bugs in async thread BTRFS: Establish i_ops before calling d_instantiate Btrfs: add a cond_resched() into the worker loop Btrfs: fix ctime update of on-disk inode btrfs: keep orphans for subvolume deletion Btrfs: fix inaccurate available space on raid0 profile Btrfs: fix wrong disk space information of the files Btrfs: fix wrong i_size when truncating a file to a larger size Btrfs: fix btrfs_end_bio to deal with write errors to a single mirror * 'for-linus-3.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: btrfs: lower the dirty balance poll interval
-
git://people.freedesktop.org/~keithp/linuxLinus Torvalds authored
* 'drm-intel-fixes' of git://people.freedesktop.org/~keithp/linux: drm/i915/dp: Dither down to 6bpc if it makes the mode fit drm/i915: enable semaphores on per-device defaults drm/i915: don't set unpin_work if vblank_get fails drm/i915: By default, enable RC6 on IVB and SNB when reasonable iommu: Export intel_iommu_enabled to signal when iommu is in use drm/i915/sdvo: Include LVDS panels for the IS_DIGITAL check drm/i915: prevent division by zero when asking for chipset power drm/i915: add PCH info to i915_capabilities drm/i915: set the right SDVO transcoder for CPT drm/i915: no-lvds quirk for ASUS AT5NM10T-I drm/i915: Treat pre-gen4 backlight duty cycle value consistently drm/i915: Hook up Ivybridge eDP drm/i915: add multi-threaded forcewake support
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: HDA: Use LPIB Position fix for Intel SCH Poulsbo ALSA: hda: fix mute led polarity for HP laptops with buggy BIOS ALSA: HDA: Set position fix to LPIB for an Atom/Poulsbo based device ASoC: Fix hx4700 error handling to free gpios if snd_soc_register_card fails ASoC: WM8958: correctly show firmware magic on mismatch ASoC: mxs: Add appropriate MODULE_ALIAS() ASoC: mxs: Add missing MODULE_LICENSE("GPL") ASoC: Fix WM8996 24.576MHz clock operation ASoC: Include linux/module.h for smdk2443_wm9710 ASoC: Fix a typo in jive_wm8750 ASoC: Fix build dependency for SND_SOC_JZ4740_CODEC ASoC: Include linux/io.h for jz4740 codec
-
git://git.secretlab.ca/git/linux-2.6Linus Torvalds authored
* 'gpio/merge' of git://git.secretlab.ca/git/linux-2.6: gpio: Fix DA9052 GPIO build errors. gpio: mpc8xxx: don't allow input-only pins to be output for MPC5121 gpio-ml-ioh: Add the irq_disable/irq_enable hooks for ml-ioh irq chip gpio-ml-ioh: fix a bug in the interrupt handler gpio: pl061: drop extra check for NULL platform_data
-
