3.16.5-200.fc20.gnu

4 files changed, 105 insertions, 100 deletions

diff --git a/freed-ora/current/f20/GFS2-Make-rename-not-save-dirent-location.patch b/freed-ora/current/f20/GFS2-Make-rename-not-save-dirent-location.patch
new file mode 100644
index 000000000..adb4e6d73
--- /dev/null
+++ b/freed-ora/current/f20/GFS2-Make-rename-not-save-dirent-location.patch
@@ -0,0 +1,90 @@
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Mon, 29 Sep 2014 08:52:04 -0400
+Subject: [PATCH] GFS2: Make rename not save dirent location
+
+This patch fixes a regression in the patch "GFS2: Remember directory
+insert point", commit 2b47dad866d04f14c328f888ba5406057b8c7d33.
+The problem had to do with the rename function: The function found
+space for the new dirent, and remembered that location. But then the
+old dirent was removed, which often moved the eligible location for
+the renamed dirent. Putting the new dirent at the saved location
+caused file system corruption.
+
+This patch adds a new "save_loc" variable to struct gfs2_diradd.
+If 1, the dirent location is saved. If 0, the dirent location is not
+saved and the buffer_head is released as per previous behavior.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
+---
+ fs/gfs2/dir.c   | 9 +++++++--
+ fs/gfs2/dir.h   | 1 +
+ fs/gfs2/inode.c | 6 +++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
+index 1a349f9a9685..5d4261ff5d23 100644
+--- a/fs/gfs2/dir.c
++++ b/fs/gfs2/dir.c
+@@ -2100,8 +2100,13 @@ int gfs2_diradd_alloc_required(struct inode *inode, const struct qstr *name,
+ 	}
+ 	if (IS_ERR(dent))
+ 		return PTR_ERR(dent);
+-	da->bh = bh;
+-	da->dent = dent;
++
++	if (da->save_loc) {
++		da->bh = bh;
++		da->dent = dent;
++	} else {
++		brelse(bh);
++	}
+ 	return 0;
+ }
+ 
+diff --git a/fs/gfs2/dir.h b/fs/gfs2/dir.h
+index 126c65dda028..e1b309c24dab 100644
+--- a/fs/gfs2/dir.h
++++ b/fs/gfs2/dir.h
+@@ -23,6 +23,7 @@ struct gfs2_diradd {
+ 	unsigned nr_blocks;
+ 	struct gfs2_dirent *dent;
+ 	struct buffer_head *bh;
++	int save_loc;
+ };
+ 
+ extern struct inode *gfs2_dir_search(struct inode *dir,
+diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
+index fc8ac2ee0667..7d2723ce067e 100644
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -600,7 +600,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
+ 	int error, free_vfs_inode = 0;
+ 	u32 aflags = 0;
+ 	unsigned blocks = 1;
+-	struct gfs2_diradd da = { .bh = NULL, };
++	struct gfs2_diradd da = { .bh = NULL, .save_loc = 1, };
+ 
+ 	if (!name->len || name->len > GFS2_FNAMESIZE)
+ 		return -ENAMETOOLONG;
+@@ -899,7 +899,7 @@ static int gfs2_link(struct dentry *old_dentry, struct inode *dir,
+ 	struct gfs2_inode *ip = GFS2_I(inode);
+ 	struct gfs2_holder ghs[2];
+ 	struct buffer_head *dibh;
+-	struct gfs2_diradd da = { .bh = NULL, };
++	struct gfs2_diradd da = { .bh = NULL, .save_loc = 1, };
+ 	int error;
+ 
+ 	if (S_ISDIR(inode->i_mode))
+@@ -1337,7 +1337,7 @@ static int gfs2_rename(struct inode *odir, struct dentry *odentry,
+ 	struct gfs2_rgrpd *nrgd;
+ 	unsigned int num_gh;
+ 	int dir_rename = 0;
+-	struct gfs2_diradd da = { .nr_blocks = 0, };
++	struct gfs2_diradd da = { .nr_blocks = 0, .save_loc = 0, };
+ 	unsigned int x;
+ 	int error;
+ 
+-- 
+1.9.3
+
diff --git a/freed-ora/current/f20/kernel.spec b/freed-ora/current/f20/kernel.spec
index 81aedbea9..cf2e63f45 100644
--- a/freed-ora/current/f20/kernel.spec
+++ b/freed-ora/current/f20/kernel.spec
@@ -112,7 +112,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -778,15 +778,14 @@ Patch26021: i8042-Also-store-the-aux-firmware-id-in-multi-plexed.patch
 Patch26022: psmouse-Add-psmouse_matches_pnp_id-helper-function.patch
 Patch26023: psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
 
-#CVE-2014-6410 rhbz 1141809 1141810
-Patch26026: udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
-
 #rhbz 1143812
 Patch26027: HID-i2c-hid-call-the-hid-driver-s-suspend-and-resume.patch
 
 #rhbz 1123584
 Patch26028: HID-rmi-check-sanity-of-incoming-report.patch
 
+Patch26030: GFS2-Make-rename-not-save-dirent-location.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
@@ -1533,15 +1532,14 @@ ApplyPatch i8042-Also-store-the-aux-firmware-id-in-multi-plexed.patch
 ApplyPatch psmouse-Add-psmouse_matches_pnp_id-helper-function.patch
 ApplyPatch psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
 
-#CVE-2014-6410 rhbz 1141809 1141810
-ApplyPatch udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
-
 #rhbz 1143812
 ApplyPatch HID-i2c-hid-call-the-hid-driver-s-suspend-and-resume.patch
 
 #rhbz 1123584
 ApplyPatch HID-rmi-check-sanity-of-incoming-report.patch
 
+ApplyPatch GFS2-Make-rename-not-save-dirent-location.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2371,6 +2369,15 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Oct  9 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.16.5-gnu.
+
+* Thu Oct 09 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.16.5-200
+- Linux v3.16.5
+
+* Tue Oct 07 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- Add patch to fix GFS2 regression (from Bob Peterson)
+
 * Mon Oct  6 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 3.16.4-gnu.
 
diff --git a/freed-ora/current/f20/sources b/freed-ora/current/f20/sources
index a65e26eb7..c8a023765 100644
--- a/freed-ora/current/f20/sources
+++ b/freed-ora/current/f20/sources
@@ -1,3 +1,3 @@
 71e2d15b48e14db5a464424878362b42  linux-libre-3.16-gnu.tar.xz
 49868ce6467b35cd9ffea1120d129462  perf-man-3.16.tar.gz
-38298e5acfdf188e264cc2984e50410c  patch-3.16.4.xz
+e0f930caadf77bf95ea4c9569dfbfaed  patch-3.16.5.xz
diff --git a/freed-ora/current/f20/udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch b/freed-ora/current/f20/udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
deleted file mode 100644
index a8839661b..000000000
--- a/freed-ora/current/f20/udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From a45318b5ff8c505afcbf04a1c5fa7dbe426d9588 Mon Sep 17 00:00:00 2001
-From: Jan Kara <jack@suse.cz>
-Date: Thu, 4 Sep 2014 14:06:55 +0200
-Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
-
-We did not implement any bound on number of indirect ICBs we follow when
-loading inode. Thus corrupted medium could cause kernel to go into an
-infinite loop, possibly causing a stack overflow.
-
-Fix the possible stack overflow by removing recursion from
-__udf_read_inode() and limit number of indirect ICBs we follow to avoid
-infinite loops.
-
-Bugzilla: 1141810
-Upstream-status: 3.17
-
-Signed-off-by: Jan Kara <jack@suse.cz>
----
- fs/udf/inode.c | 35 +++++++++++++++++++++--------------
- 1 file changed, 21 insertions(+), 14 deletions(-)
-
-diff --git a/fs/udf/inode.c b/fs/udf/inode.c
-index 236cd48184c2..a932f7740b51 100644
---- a/fs/udf/inode.c
-+++ b/fs/udf/inode.c
-@@ -1271,13 +1271,22 @@ update_time:
- 	return 0;
- }
- 
-+/*
-+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
-+ * arbitrary - just that we hopefully don't limit any real use of rewritten
-+ * inode on write-once media but avoid looping for too long on corrupted media.
-+ */
-+#define UDF_MAX_ICB_NESTING 1024
-+
- static void __udf_read_inode(struct inode *inode)
- {
- 	struct buffer_head *bh = NULL;
- 	struct fileEntry *fe;
- 	uint16_t ident;
- 	struct udf_inode_info *iinfo = UDF_I(inode);
-+	unsigned int indirections = 0;
- 
-+reread:
- 	/*
- 	 * Set defaults, but the inode is still incomplete!
- 	 * Note: get_new_inode() sets the following on a new inode:
-@@ -1314,28 +1323,26 @@ static void __udf_read_inode(struct inode *inode)
- 		ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
- 					&ident);
- 		if (ident == TAG_IDENT_IE && ibh) {
--			struct buffer_head *nbh = NULL;
- 			struct kernel_lb_addr loc;
- 			struct indirectEntry *ie;
- 
- 			ie = (struct indirectEntry *)ibh->b_data;
- 			loc = lelb_to_cpu(ie->indirectICB.extLocation);
- 
--			if (ie->indirectICB.extLength &&
--				(nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
--							&ident))) {
--				if (ident == TAG_IDENT_FE ||
--					ident == TAG_IDENT_EFE) {
--					memcpy(&iinfo->i_location,
--						&loc,
--						sizeof(struct kernel_lb_addr));
--					brelse(bh);
--					brelse(ibh);
--					brelse(nbh);
--					__udf_read_inode(inode);
-+			if (ie->indirectICB.extLength) {
-+				brelse(bh);
-+				brelse(ibh);
-+				memcpy(&iinfo->i_location, &loc,
-+				       sizeof(struct kernel_lb_addr));
-+				if (++indirections > UDF_MAX_ICB_NESTING) {
-+					udf_err(inode->i_sb,
-+						"too many ICBs in ICB hierarchy"
-+						" (max %d supported)\n",
-+						UDF_MAX_ICB_NESTING);
-+					make_bad_inode(inode);
- 					return;
- 				}
--				brelse(nbh);
-+				goto reread;
- 			}
- 		}
- 		brelse(ibh);
--- 
-2.1.0
-