From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:41080 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750866AbbEBNDw (ORCPT ); Sat, 2 May 2015 09:03:52 -0400
Subject: Patch "NFS: fix BUG() crash in notify_change() with patch to chown_common()" has been added to the 3.14-stable tree
To: aweits@rit.edu, etmsys@rit.edu, gregkh@linuxfoundation.org, viro@zeniv.linux.org.uk
Cc: ,
From:
Date: Sat, 02 May 2015 15:03:27 +0200
Message-ID: <143057180747132@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    NFS: fix BUG() crash in notify_change() with patch to chown_common()

to the 3.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch
and it can be found in the queue-3.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let know about it.


From c1b8940b42bb6487b10f2267a96b486276ce9ff7 Mon Sep 17 00:00:00 2001
From: Andrew Elble
Date: Mon, 23 Feb 2015 08:51:24 -0500
Subject: NFS: fix BUG() crash in notify_change() with patch to chown_common()
From: Andrew Elble commit c1b8940b42bb6487b10f2267a96b486276ce9ff7 upstream. We have observed a BUG() crash in fs/attr.c:notify_change(). The crash occurs during an rsync into a filesystem that is exported via NFS. 1.) fs/attr.c:notify_change() modifies the caller's version of attr. 2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to setattr operations") introduced a BUG() restriction such that "no function will ever call notify_change() with both ATTR_MODE and ATTR_KILL_S*ID set". Under some circumstances though, it will have assisted in setting the caller's version of attr to this very combination. 3.) 27ac0ffeac80 ("locks: break delegations on any attribute modification") introduced code to handle breaking delegations. This can result in notify_change() being re-called. attr _must_ be explicitly reset to avoid triggering the BUG() established in #2. 4.) The path that that triggers this is via fs/open.c:chmod_common(). The combination of attr flags set here and in the first call to notify_change() along with a later failed break_deleg_wait() results in notify_change() being called again via retry_deleg without resetting attr. Solution is to move retry_deleg in chmod_common() a bit further up to ensure attr is completely reset. There are other places where this seemingly could occur, such as fs/utimes.c:utimes_common(), but the attr flags are not initially set in such a way to trigger this. Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification") Reported-by: Eric Meddaugh Tested-by: Eric Meddaugh Signed-off-by: Andrew Elble Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman --- fs/open.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/open.c +++ b/fs/open.c @@ -539,6 +539,7 @@ static int chown_common(struct path *pat uid = make_kuid(current_user_ns(), user); gid = make_kgid(current_user_ns(), group); +retry_deleg: newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { if (!uid_valid(uid)) 
@@ -555,7 +556,6 @@ static int chown_common(struct path *pat if (!S_ISDIR(inode->i_mode)) newattrs.ia_valid |= ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV; -retry_deleg: mutex_lock(&inode->i_mutex); error = security_path_chown(path, uid, gid); if (!error) Patches currently in stable-queue which might be from aweits@rit.edu are queue-3.14/nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch
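Review bot: The commit message locates the bug in fs/open.c:chmod_common() and says the fix moves retry_deleg in chmod_common(), but the first hunk (@@ -539,6 +539,7 @@) and the patch title move the label in chown_common(); the message should be corrected before the backport is queued so that it does not contradict the diff it describes. The new position of `retry_deleg:` is the right one for the stated problem: the first statement under it is `newattrs.ia_valid = ATTR_CTIME;`, so every pass through the retry path starts from a fresh ia_valid rather than from whatever notify_change() rewrote on the previous pass, which is what keeps the ATTR_MODE plus ATTR_KILL_S*ID combination the message describes from reaching the BUG(). uid and gid are computed above the label from values that do not change between retries, so leaving those two make_kuid()/make_kgid() calls outside the loop is fine.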
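Review bot: With the label removed from directly above mutex_lock() in the second hunk (@@ -555,7 +556,6 @@), the S_ISDIR() check and the `|= ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV` now run again on each retry onto an ia_valid that was just reset, instead of OR-ing onto a value notify_change() already converted; that is the behavioural change that matters, and nothing in the code says why the label now sits where it does, so a one-line comment at the new label (for example `/* notify_change() may rewrite newattrs, so rebuild it on every retry */`) would stop a later cleanup from moving it back. mutex_lock() and security_path_chown() remain inside the retry scope, so the unlock that precedes the break_deleg_wait() which jumps back to retry_deleg must still balance on every iteration; that path is outside the visible context and is worth checking against the 3.14 version of chown_common() when this is applied to the stable tree.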