rpms/kernel/FC-6 linux-2.6-dm_crypt_fix_avoid_cloned_bio_ref_after_free.patch, NONE, 1.1 linux-2.6-dm_crypt_fix_call_to_clone_init.patch, NONE, 1.1 linux-2.6-dm_crypt_fix_remove_first_clone.patch, NONE, 1.1 linux-2.6-sysfs_fix_condition_in_drop_dentry.patch, NONE, 1.1 linux-2.6-udf-2.6.22-rc2-1-udf_data_corruption.patch, NONE, 1.1 linux-2.6-udf-2.6.22-rc4-1-udf_block_leak.patch, NONE, 1.1 kernel-2.6.spec, 1.2959, 1.2960

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Jun 13 19:03:38 UTC 2007


Author: cebbert

Update of /cvs/dist/rpms/kernel/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv935

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6-dm_crypt_fix_avoid_cloned_bio_ref_after_free.patch 
	linux-2.6-dm_crypt_fix_call_to_clone_init.patch 
	linux-2.6-dm_crypt_fix_remove_first_clone.patch 
	linux-2.6-sysfs_fix_condition_in_drop_dentry.patch 
	linux-2.6-udf-2.6.22-rc2-1-udf_data_corruption.patch 
	linux-2.6-udf-2.6.22-rc4-1-udf_block_leak.patch 
Log Message:
* Wed Jun 13 2007 Chuck Ebbert <cebbert at redhat.com>		1.2960
- sysfs: fix check in dentry drop code
- kcryptd: 3 patches from 2.6.22 (BZ #243809)
- UDF: 2 fixes from 2.6.22 for Fedora backport of that code


linux-2.6-dm_crypt_fix_avoid_cloned_bio_ref_after_free.patch:
 dm-crypt.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletion(-)

--- NEW FILE linux-2.6-dm_crypt_fix_avoid_cloned_bio_ref_after_free.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=98221eb757de03d9aa6262b1eded2be708640ccc
Commit:     98221eb757de03d9aa6262b1eded2be708640ccc
Parent:     027581f3515b5ec2218847dab578afa439a9d6b9
Author:     Olaf Kirch <olaf.kirch at oracle.com>
AuthorDate: Wed May 9 02:32:52 2007 -0700
Committer:  Linus Torvalds <torvalds at woody.linux-foundation.org>
CommitDate: Wed May 9 12:30:46 2007 -0700

    dm crypt: fix avoid cloned bio ref after free
    
    Do not access the bio after generic_make_request
    
    We should never access a bio after generic_make_request - there's no guarantee
    it still exists.
    
    Signed-off-by: Olaf Kirch <olaf.kirch at oracle.com>
    Signed-off-by: Alasdair G Kergon <agk at redhat.com>
    Cc: Jens Axboe <jens.axboe at oracle.com>
    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---
 drivers/md/dm-crypt.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index db43936..1dc2c62 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -655,9 +655,12 @@ static void process_write(struct crypt_io *io)
 
 		generic_make_request(clone);
 
+		/* Do not reference clone after this - it
+		 * may be gone already. */
+
 		/* out of memory -> run queues */
 		if (remaining)
-			congestion_wait(bio_data_dir(clone), HZ/100);
+			congestion_wait(WRITE, HZ/100);
 	}
 }
 

linux-2.6-dm_crypt_fix_call_to_clone_init.patch:
 dm-crypt.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

--- NEW FILE linux-2.6-dm_crypt_fix_call_to_clone_init.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=027581f3515b5ec2218847dab578afa439a9d6b9
Commit:     027581f3515b5ec2218847dab578afa439a9d6b9
Parent:     9c89f8be1a7d14aad9d2c3f7d90d7d88f82c61e2
Author:     Olaf Kirch <olaf.kirch at oracle.com>
AuthorDate: Wed May 9 02:32:52 2007 -0700
Committer:  Linus Torvalds <torvalds at woody.linux-foundation.org>
CommitDate: Wed May 9 12:30:46 2007 -0700

    dm crypt: fix call to clone_init
    
    Call clone_init early
    
    We need to call clone_init as early as possible - at least before call
    bio_put(clone) in any error path.  Otherwise, the destructor will try to
    dereference bi_private, which may still be NULL.
    
    Signed-off-by: Olaf Kirch <olaf.kirch at oracle.com>
    Signed-off-by: Alasdair G Kergon <agk at redhat.com>
    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---
 drivers/md/dm-crypt.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 8527827..db43936 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -107,6 +107,8 @@ struct crypt_config {
 
 static struct kmem_cache *_crypt_io_pool;
 
+static void clone_init(struct crypt_io *, struct bio *);
+
 /*
  * Different IV generation algorithms:
  *
@@ -379,9 +381,10 @@ static int crypt_convert(struct crypt_config *cc,
  * May return a smaller bio when running out of pages
  */
 static struct bio *
-crypt_alloc_buffer(struct crypt_config *cc, unsigned int size,
+crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
                    struct bio *base_bio, unsigned int *bio_vec_idx)
 {
+	struct crypt_config *cc = io->target->private;
 	struct bio *clone;
 	unsigned int nr_iovecs = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
 	gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM;
@@ -396,7 +399,7 @@ crypt_alloc_buffer(struct crypt_config *cc, unsigned int size,
 	if (!clone)
 		return NULL;
 
-	clone->bi_destructor = dm_crypt_bio_destructor;
+	clone_init(io, clone);
 
 	/* if the last bio was not complete, continue where that one ended */
 	clone->bi_idx = *bio_vec_idx;
@@ -562,6 +565,7 @@ static void clone_init(struct crypt_io *io, struct bio *clone)
 	clone->bi_end_io  = crypt_endio;
 	clone->bi_bdev    = cc->dev->bdev;
 	clone->bi_rw      = io->base_bio->bi_rw;
+	clone->bi_destructor = dm_crypt_bio_destructor;
 }
 
 static void process_read(struct crypt_io *io)
@@ -585,7 +589,6 @@ static void process_read(struct crypt_io *io)
 	}
 
 	clone_init(io, clone);
-	clone->bi_destructor = dm_crypt_bio_destructor;
 	clone->bi_idx = 0;
 	clone->bi_vcnt = bio_segments(base_bio);
 	clone->bi_size = base_bio->bi_size;
@@ -615,7 +618,7 @@ static void process_write(struct crypt_io *io)
 	 * so repeat the whole process until all the data can be handled.
 	 */
 	while (remaining) {
-		clone = crypt_alloc_buffer(cc, base_bio->bi_size,
+		clone = crypt_alloc_buffer(io, base_bio->bi_size,
 					   io->first_clone, &bvec_idx);
 		if (unlikely(!clone)) {
 			dec_pending(io, -ENOMEM);
@@ -631,7 +634,6 @@ static void process_write(struct crypt_io *io)
 			return;
 		}
 
-		clone_init(io, clone);
 		clone->bi_sector = cc->start + sector;
 
 		if (!io->first_clone) {

linux-2.6-dm_crypt_fix_remove_first_clone.patch:
 dm-crypt.c |   34 ++++++----------------------------
 1 files changed, 6 insertions(+), 28 deletions(-)

--- NEW FILE linux-2.6-dm_crypt_fix_remove_first_clone.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2f9941b6c55d70103c1bc3f2c7676acd9f20bf8a
Commit:     2f9941b6c55d70103c1bc3f2c7676acd9f20bf8a
Parent:     98221eb757de03d9aa6262b1eded2be708640ccc
Author:     Olaf Kirch <olaf.kirch at oracle.com>
AuthorDate: Wed May 9 02:32:53 2007 -0700
Committer:  Linus Torvalds <torvalds at woody.linux-foundation.org>
CommitDate: Wed May 9 12:30:46 2007 -0700

    dm crypt: fix remove first_clone
    
    Get rid of first_clone in dm-crypt
    
    This gets rid of first_clone, which is not really needed.  Apparently, cloned
    bios used to share their bvec some time way in the past - this is no longer
    the case.  Contrarily, this even hurts us if we try to create a clone off
    first_clone after it has completed, and crypt_endio has destroyed its bvec.
    
    Signed-off-by: Olaf Kirch <olaf.kirch at oracle.com>
    Signed-off-by: Alasdair G Kergon <agk at redhat.com>
    Cc: Jens Axboe <jens.axboe at oracle.com>
    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---
 drivers/md/dm-crypt.c |   34 ++++++----------------------------
 1 files changed, 6 insertions(+), 28 deletions(-)

diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 1dc2c62..339b575 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -33,7 +33,6 @@
 struct crypt_io {
 	struct dm_target *target;
 	struct bio *base_bio;
-	struct bio *first_clone;
 	struct work_struct work;
 	atomic_t pending;
 	int error;
@@ -380,9 +379,8 @@ static int crypt_convert(struct crypt_config *cc,
  * This should never violate the device limitations
  * May return a smaller bio when running out of pages
  */
-static struct bio *
-crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
-                   struct bio *base_bio, unsigned int *bio_vec_idx)
+static struct bio *crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
+				      unsigned int *bio_vec_idx)
 {
 	struct crypt_config *cc = io->target->private;
 	struct bio *clone;
@@ -390,12 +388,7 @@ crypt_alloc_buffer(struct crypt_io *io, unsigned int size,
 	gfp_t gfp_mask = GFP_NOIO | __GFP_HIGHMEM;
 	unsigned int i;
 
-	if (base_bio) {
-		clone = bio_alloc_bioset(GFP_NOIO, base_bio->bi_max_vecs, cc->bs);
-		__bio_clone(clone, base_bio);
-	} else
-		clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs);
-
+	clone = bio_alloc_bioset(GFP_NOIO, nr_iovecs, cc->bs);
 	if (!clone)
 		return NULL;
 
@@ -498,9 +491,6 @@ static void dec_pending(struct crypt_io *io, int error)
 	if (!atomic_dec_and_test(&io->pending))
 		return;
 
-	if (io->first_clone)
-		bio_put(io->first_clone);
-
 	bio_endio(io->base_bio, io->base_bio->bi_size, io->error);
 
 	mempool_free(io, cc->io_pool);
@@ -618,8 +608,7 @@ static void process_write(struct crypt_io *io)
 	 * so repeat the whole process until all the data can be handled.
 	 */
 	while (remaining) {
-		clone = crypt_alloc_buffer(io, base_bio->bi_size,
-					   io->first_clone, &bvec_idx);
+		clone = crypt_alloc_buffer(io, base_bio->bi_size, &bvec_idx);
 		if (unlikely(!clone)) {
 			dec_pending(io, -ENOMEM);
 			return;
@@ -635,21 +624,11 @@ static void process_write(struct crypt_io *io)
 		}
 
 		clone->bi_sector = cc->start + sector;
-
-		if (!io->first_clone) {
-			/*
-			 * hold a reference to the first clone, because it
-			 * holds the bio_vec array and that can't be freed
-			 * before all other clones are released
-			 */
-			bio_get(clone);
-			io->first_clone = clone;
-		}
-
 		remaining -= clone->bi_size;
 		sector += bio_sectors(clone);
 
-		/* prevent bio_put of first_clone */
+		/* Grab another reference to the io struct
+		 * before we kick off the request */
 		if (remaining)
 			atomic_inc(&io->pending);
 
@@ -965,7 +944,6 @@ static int crypt_map(struct dm_target *ti, struct bio *bio,
 	io = mempool_alloc(cc->io_pool, GFP_NOIO);
 	io->target = ti;
 	io->base_bio = bio;
-	io->first_clone = NULL;
 	io->error = io->post_process = 0;
 	atomic_set(&io->pending, 0);
 	kcryptd_queue_io(io);

linux-2.6-sysfs_fix_condition_in_drop_dentry.patch:
 inode.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE linux-2.6-sysfs_fix_condition_in_drop_dentry.patch ---
From: Tejun Heo <htejun at gmail.com>

The condition check doesn't make much sense as it basically always
succeeds.  This causes NULL dereferencing on certain cases.  It seems
that parentheses are put in the wrong place.  Fix it.

Signed-off-by: Tejun Heo <htejun at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

[trivial backport to 2.6.20 by cebbert at redhat.com]

---
 fs/sysfs/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.20.noarch.orig/fs/sysfs/inode.c
+++ linux-2.6.20.noarch/fs/sysfs/inode.c
@@ -221,7 +221,7 @@ void sysfs_drop_dentry(struct sysfs_dire
 	if (dentry) {
 		spin_lock(&dcache_lock);
 		spin_lock(&dentry->d_lock);
-		if (!(d_unhashed(dentry) && dentry->d_inode)) {
+		if (!d_unhashed(dentry) && dentry->d_inode) {
 			dget_locked(dentry);
 			__d_drop(dentry);
 			spin_unlock(&dentry->d_lock);

linux-2.6-udf-2.6.22-rc2-1-udf_data_corruption.patch:
 inode.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

--- NEW FILE linux-2.6-udf-2.6.22-rc2-1-udf_data_corruption.patch ---
update_next_aext() could possibly rewrite values in elen and eloc, possibly
leading to data corruption when rewriting a file. Use temporary variables
instead. Also advance cur_epos as it can also point to an indirect extent
pointer.

Signed-off-by: Jan Kara <jack at suse.cz>

diff -rupX /home/jack/.kerndiffexclude linux-2.6.22-rc2/fs/udf/inode.c linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/inode.c
--- linux-2.6.22-rc2/fs/udf/inode.c	2007-05-24 18:00:05.000000000 +0200
+++ linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/inode.c	2007-05-24 18:16:36.000000000 +0200
@@ -460,8 +460,8 @@ static struct buffer_head * inode_getblk
 	kernel_long_ad laarr[EXTENT_MERGE_SIZE];
 	struct extent_position prev_epos, cur_epos, next_epos;
 	int count = 0, startnum = 0, endnum = 0;
-	uint32_t elen = 0;
-	kernel_lb_addr eloc;
+	uint32_t elen = 0, tmpelen;
+	kernel_lb_addr eloc, tmpeloc;
 	int c = 1;
 	loff_t lbcount = 0, b_off = 0;
 	uint32_t newblocknum, newblock;
@@ -520,8 +520,12 @@ static struct buffer_head * inode_getblk
 
 	b_off -= lbcount;
 	offset = b_off >> inode->i_sb->s_blocksize_bits;
-	/* Move into indirect extent if we are at a pointer to it */
-	udf_next_aext(inode, &prev_epos, &eloc, &elen, 0);
+	/*
+	 * Move prev_epos and cur_epos into indirect extent if we are at
+	 * the pointer to it
+	 */
+	udf_next_aext(inode, &prev_epos, &tmpeloc, &tmpelen, 0);
+	udf_next_aext(inode, &cur_epos, &tmpeloc, &tmpelen, 0);
 
 	/* if the extent is allocated and recorded, return the block
        if the extent is not a multiple of the blocksize, round up */

linux-2.6-udf-2.6.22-rc4-1-udf_block_leak.patch:
 inode.c    |   11 ++++++++-
 truncate.c |   73 +++++++++++++++++++++++++++++++++++++++++++++++++++----------
 udfdecl.h  |    1 
 3 files changed, 73 insertions(+), 12 deletions(-)

--- NEW FILE linux-2.6-udf-2.6.22-rc4-1-udf_block_leak.patch ---
We have to take care that when we call udf_discard_prealloc() from udf_clear_inode()
we have to write inode ourselves afterwards (otherwise, some changes might be lost
leading to leakage of blocks, use of free blocks or improperly aligned extents).
Also udf_discard_prealloc() does two different things - it removes preallocated
blocks and truncates the last extent to exactly match i_size. We move the latter
functionality to udf_truncate_tail_extent(), call udf_discard_prealloc() when last
reference to a file is dropped and call udf_truncate_tail_extent() when inode
is being removed from inode cache (udf_clear_inode() call). We cannot call
udf_truncate_tail_extent() earlier as subsequent open+write would find the last
block of the file mapped and happily write to the end of it, although the last
extent says it's shorter.

Signed-off-by: Jan Kara <jack at suse.cz>

diff -rupX /home/jack/.kerndiffexclude linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/inode.c linux-2.6.22-rc2-2-udf_block_leak/fs/udf/inode.c
--- linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/inode.c	2007-05-24 18:16:36.000000000 +0200
+++ linux-2.6.22-rc2-2-udf_block_leak/fs/udf/inode.c	2007-06-07 16:38:37.000000000 +0200
@@ -100,14 +100,23 @@ no_delete:
 	clear_inode(inode);
 }
 
+/*
+ * If we are going to release inode from memory, we discard preallocation and
+ * truncate last inode extent to proper length. We could use drop_inode() but it's
+ * called under inode_lock and thus we cannot mark inode dirty there. We use
+ * clear_inode() but we have to make sure to write inode as it's not written
+ * automatically.
+ */
 void udf_clear_inode(struct inode *inode)
 {
 	if (!(inode->i_sb->s_flags & MS_RDONLY)) {
 		lock_kernel();
+		/* Discard preallocation for directories, symlinks, etc. */
 		udf_discard_prealloc(inode);
+		udf_truncate_tail_extent(inode);
 		unlock_kernel();
+		write_inode_now(inode, 1);
 	}
-
 	kfree(UDF_I_DATA(inode));
 	UDF_I_DATA(inode) = NULL;
 }
diff -rupX /home/jack/.kerndiffexclude linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/truncate.c linux-2.6.22-rc2-2-udf_block_leak/fs/udf/truncate.c
--- linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/truncate.c	2007-05-24 18:00:05.000000000 +0200
+++ linux-2.6.22-rc2-2-udf_block_leak/fs/udf/truncate.c	2007-06-06 14:33:29.000000000 +0200
@@ -61,7 +61,11 @@ static void extent_trunc(struct inode * 
 	}
 }
 
-void udf_discard_prealloc(struct inode * inode)
+/*
+ * Truncate the last extent to match i_size. This function assumes
+ * that preallocation extent is already truncated.
+ */
+void udf_truncate_tail_extent(struct inode *inode)
 {
 	struct extent_position epos = { NULL, 0, {0, 0}};
 	kernel_lb_addr eloc;
@@ -71,7 +75,10 @@ void udf_discard_prealloc(struct inode *
 	int adsize;
 
 	if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_IN_ICB ||
-		inode->i_size == UDF_I_LENEXTENTS(inode))
+	    inode->i_size == UDF_I_LENEXTENTS(inode))
+		return;
+	/* Are we going to delete the file anyway? */
+	if (inode->i_nlink == 0)
 		return;
 
 	if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_SHORT)
@@ -79,25 +86,69 @@ void udf_discard_prealloc(struct inode *
 	else if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_LONG)
 		adsize = sizeof(long_ad);
 	else
-		adsize = 0;
-
-	epos.block = UDF_I_LOCATION(inode);
+		BUG();
 
 	/* Find the last extent in the file */
 	while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 1)) != -1)
 	{
 		etype = netype;
 		lbcount += elen;
-		if (lbcount > inode->i_size && lbcount - elen < inode->i_size)
-		{
-			WARN_ON(lbcount - inode->i_size >= inode->i_sb->s_blocksize);
+		if (lbcount > inode->i_size) {
+			if (lbcount - inode->i_size >= inode->i_sb->s_blocksize)
+				printk(KERN_WARNING
+				       "udf_truncate_tail_extent(): Too long "
+				       "extent after EOF in inode %u: i_size: "
+				       "%Ld lbcount: %Ld extent %u+%u\n",
+				       (unsigned)inode->i_ino,
+				       (long long)inode->i_size,
+				       (long long)lbcount,
+				       (unsigned)eloc.logicalBlockNum,
+				       (unsigned)elen);
 			nelen = elen - (lbcount - inode->i_size);
 			epos.offset -= adsize;
 			extent_trunc(inode, &epos, eloc, etype, elen, nelen);
 			epos.offset += adsize;
-			lbcount = inode->i_size;
+			if (udf_next_aext(inode, &epos, &eloc, &elen, 1) != -1)
+				printk(KERN_ERR "udf_truncate_tail_extent(): "
+				       "Extent after EOF in inode %u.\n",
+				       (unsigned)inode->i_ino);
+			break;
 		}
 	}
+	/* This inode entry is in-memory only and thus we don't have to mark
+	 * the inode dirty */
+	UDF_I_LENEXTENTS(inode) = inode->i_size;
+	brelse(epos.bh);
+}
+
+void udf_discard_prealloc(struct inode * inode)
+{
+	struct extent_position epos = { NULL, 0, {0, 0}};
+	kernel_lb_addr eloc;
+	uint32_t elen;
+	uint64_t lbcount = 0;
+	int8_t etype = -1, netype;
+	int adsize;
+
+	if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_IN_ICB ||
+		inode->i_size == UDF_I_LENEXTENTS(inode))
+		return;
+
+	if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_SHORT)
+		adsize = sizeof(short_ad); 
+	else if (UDF_I_ALLOCTYPE(inode) == ICBTAG_FLAG_AD_LONG)
+		adsize = sizeof(long_ad);
+	else
+		adsize = 0;
+
+	epos.block = UDF_I_LOCATION(inode);
+
+	/* Find the last extent in the file */
+	while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 1)) != -1)
+	{
+		etype = netype;
+		lbcount += elen;
+	}
 	if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30)) {
 		epos.offset -= adsize;
 		lbcount -= elen;
@@ -118,9 +169,9 @@ void udf_discard_prealloc(struct inode *
 			mark_buffer_dirty_inode(epos.bh, inode);
 		}
 	}
+	/* This inode entry is in-memory only and thus we don't have to mark
+	 * the inode dirty */
 	UDF_I_LENEXTENTS(inode) = lbcount;
-
-	WARN_ON(lbcount != inode->i_size);
 	brelse(epos.bh);
 }
 
diff -rupX /home/jack/.kerndiffexclude linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/udfdecl.h linux-2.6.22-rc2-2-udf_block_leak/fs/udf/udfdecl.h
--- linux-2.6.22-rc2-1-udf_data_corruption/fs/udf/udfdecl.h	2007-05-24 18:00:05.000000000 +0200
+++ linux-2.6.22-rc2-2-udf_block_leak/fs/udf/udfdecl.h	2007-06-07 16:32:54.000000000 +0200
@@ -146,6 +146,7 @@ extern void udf_free_inode(struct inode 
 extern struct inode * udf_new_inode (struct inode *, int, int *);
 
 /* truncate.c */
+extern void udf_truncate_tail_extent(struct inode *);
 extern void udf_discard_prealloc(struct inode *);
 extern void udf_truncate_extents(struct inode *);
 


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-6/kernel-2.6.spec,v
retrieving revision 1.2959
retrieving revision 1.2960
diff -u -r1.2959 -r1.2960
--- kernel-2.6.spec	12 Jun 2007 22:10:40 -0000	1.2959
+++ kernel-2.6.spec	13 Jun 2007 19:03:35 -0000	1.2960
@@ -525,6 +525,11 @@
 
 # Device mapper / MD layer
 
+# UDF from 2.6.22
+Patch1550: linux-2.6-mm-udf-fixes.patch
+Patch1551: linux-2.6-udf-2.6.22-rc2-1-udf_data_corruption.patch
+Patch1552: linux-2.6-udf-2.6.22-rc4-1-udf_block_leak.patch
+
 # Misc bits.
 Patch1600: linux-2.6-module_version.patch
 Patch1601: linux-2.6-sha_alignment.patch
@@ -566,8 +571,11 @@
 Patch1806: linux-2.6-20.5t-dvb-bt8xx-autoload.patch
 Patch1808: linux-2.6-20.5z-mmap_dont_spam_logs.patch
 Patch1811: linux-2.6-20_bluetooth_broadcom_quirk.patch
-Patch1812: linux-2.6-mm-udf-fixes.patch
 Patch1813: linux-2.6-proposed-i82875p-edac-fix.patch
+# more dm_crypt fixes (BZ #243809)
+Patch1814: linux-2.6-dm_crypt_fix_call_to_clone_init.patch
+Patch1815: linux-2.6-dm_crypt_fix_avoid_cloned_bio_ref_after_free.patch
+Patch1816: linux-2.6-dm_crypt_fix_remove_first_clone.patch
 
 # more post 2.6.20.6
 Patch1821: linux-2.6-20.7a-fib_rules_fix_return_value.patch
@@ -589,6 +597,9 @@
 Patch1844: linux-2.6-20.12c-snd-resume-stac-fix.patch
 Patch1846: linux-2.6-20.12c-x86_64-off-by-two.patch
 
+# trivial sysfs fix from 2.6.22
+Patch1847: linux-2.6-sysfs_fix_condition_in_drop_dentry.patch
+
 # SELinux/audit patches.
 Patch1890: linux-2.6-selinux-mprotect-checks.patch
 
@@ -1276,6 +1287,11 @@
 
 # Device mapper / MD layer
 
+# UDF from 2.6.22
+%patch1550 -p1
+%patch1551 -p1
+%patch1552 -p1
+
 # Misc fixes
 # Add missing MODULE_VERSION tags to some modules.
 %patch1600 -p1
@@ -1340,10 +1356,12 @@
 %patch1808 -p1
 # bluetooth quirk (sent to maintainer, ignored)
 %patch1811 -p1
-# UDF fixes from -mm
-%patch1812 -p1
 # i82875 edac unhide pci device
 %patch1813 -p1
+# more dm_crypt
+%patch1814 -p1
+%patch1815 -p1
+%patch1816 -p1
 
 # more post 2.6.20.6 fixes
 %patch1821 -p1
@@ -1364,6 +1382,8 @@
 %patch1844 -p1
 %patch1846 -p1
 
+%patch1847 -p1
+
 # Fix the SELinux mprotect checks on executable mappings
 %patch1890 -p1
 
@@ -2380,6 +2400,11 @@
 %endif
 
 %changelog
+* Wed Jun 13 2007 Chuck Ebbert <cebbert at redhat.com>		1.2960
+- sysfs: fix check in dentry drop code
+- kcryptd: 3 patches from 2.6.22 (BZ #243809)
+- UDF: 2 fixes from 2.6.22 for Fedora backport of that code
+
 * Tue Jun 12 2007 Chuck Ebbert <cebbert at redhat.com>		1.2959
 - 2.6.20.14
 - GFS2 update




More information about the fedora-cvs-commits mailing list