--- /dev/null
+From ab79efab0a0ba01a74df782eb7fa44b044dae8b5 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 18 Sep 2015 11:45:22 +0100
+Subject: ovl: fix dentry reference leak
+
+From: David Howells <dhowells@redhat.com>
+
+commit ab79efab0a0ba01a74df782eb7fa44b044dae8b5 upstream.
+
+In ovl_copy_up_locked(), newdentry is leaked if the function exits through
+out_cleanup as this just to out after calling ovl_cleanup() - which doesn't
+actually release the ref on newdentry.
+
+The out_cleanup segment should instead exit through out2 as certainly
+newdentry leaks - and possibly upper does also, though this isn't caught
+given the catch of newdentry.
+
+Without this fix, something like the following is seen:
+
+ BUG: Dentry ffff880023e9eb20{i=f861,n=#ffff880023e82d90} still in use (1) [unmount of tmpfs tmpfs]
+ BUG: Dentry ffff880023ece640{i=0,n=bigfile} still in use (1) [unmount of tmpfs tmpfs]
+
+when unmounting the upper layer after an error occurred in copyup.
+
+An error can be induced by creating a big file in a lower layer with
+something like:
+
+ dd if=/dev/zero of=/lower/a/bigfile bs=65536 count=1 seek=$((0xf000))
+
+to create a large file (4.1G). Overlay an upper layer that is too small
+(on tmpfs might do) and then induce a copy up by opening it writably.
+
+Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/copy_up.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -267,7 +267,7 @@ out:
+
+ out_cleanup:
+ ovl_cleanup(wdir, newdentry);
+- goto out;
++ goto out2;
+ }
+
+ /*
--- /dev/null
+From 1c8a47df36d72ace8cf78eb6c228aa0f8027d3c2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <miklos@szeredi.hu>
+Date: Mon, 12 Oct 2015 15:56:20 +0200
+Subject: ovl: fix open in stacked overlay
+
+From: Miklos Szeredi <miklos@szeredi.hu>
+
+commit 1c8a47df36d72ace8cf78eb6c228aa0f8027d3c2 upstream.
+
+If two overlayfs filesystems are stacked on top of each other, then we need
+recursion in ovl_d_select_inode().
+
+I guess d_backing_inode() is supposed to do that. But currently it doesn't
+and that functionality is open coded in vfs_open(). This is now copied
+into ovl_d_select_inode() to fix this regression.
+
+Reported-by: Alban Crequy <alban.crequy@gmail.com>
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay...")
+Cc: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -363,6 +363,9 @@ struct inode *ovl_d_select_inode(struct
+ ovl_path_upper(dentry, &realpath);
+ }
+
++ if (realpath.dentry->d_flags & DCACHE_OP_SELECT_INODE)
++ return realpath.dentry->d_op->d_select_inode(realpath.dentry, file_flags);
++
+ return d_backing_inode(realpath.dentry);
+ }
+
--- /dev/null
+From 5ffdbe8bf1e485026e1c7e4714d2841553cf0b40 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Mon, 24 Aug 2015 15:57:19 +0300
+Subject: ovl: free lower_mnt array in ovl_put_super
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 5ffdbe8bf1e485026e1c7e4714d2841553cf0b40 upstream.
+
+This fixes memory leak after umount.
+
+Kmemleak report:
+
+unreferenced object 0xffff8800ba791010 (size 8):
+ comm "mount", pid 2394, jiffies 4294996294 (age 53.920s)
+ hex dump (first 8 bytes):
+ 20 1c 13 02 00 88 ff ff .......
+ backtrace:
+ [<ffffffff811f8cd4>] create_object+0x124/0x2c0
+ [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
+ [<ffffffff811dffe6>] __kmalloc+0x106/0x340
+ [<ffffffffa0152bfc>] ovl_fill_super+0x55c/0x9b0 [overlay]
+ [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
+ [<ffffffffa0152118>] ovl_mount+0x18/0x20 [overlay]
+ [<ffffffff81201ab3>] mount_fs+0x43/0x170
+ [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
+ [<ffffffff812233ad>] do_mount+0x22d/0xdf0
+ [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
+ [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Fixes: dd662667e6d3 ("ovl: add mutli-layer infrastructure")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -544,6 +544,7 @@ static void ovl_put_super(struct super_b
+ mntput(ufs->upper_mnt);
+ for (i = 0; i < ufs->numlower; i++)
+ mntput(ufs->lower_mnt[i]);
++ kfree(ufs->lower_mnt);
+
+ kfree(ufs->config.lowerdir);
+ kfree(ufs->config.upperdir);
--- /dev/null
+From 0f95502ad84874b3c05fc7cdd9d4d9d5cddf7859 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Mon, 24 Aug 2015 15:57:18 +0300
+Subject: ovl: free stack of paths in ovl_fill_super
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 0f95502ad84874b3c05fc7cdd9d4d9d5cddf7859 upstream.
+
+This fixes small memory leak after mount.
+
+Kmemleak report:
+
+unreferenced object 0xffff88003683fe00 (size 16):
+ comm "mount", pid 2029, jiffies 4294909563 (age 33.380s)
+ hex dump (first 16 bytes):
+ 20 27 1f bb 00 88 ff ff 40 4b 0f 36 02 88 ff ff '......@K.6....
+ backtrace:
+ [<ffffffff811f8cd4>] create_object+0x124/0x2c0
+ [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
+ [<ffffffff811dffe6>] __kmalloc+0x106/0x340
+ [<ffffffffa01b7a29>] ovl_fill_super+0x389/0x9a0 [overlay]
+ [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
+ [<ffffffffa01b7118>] ovl_mount+0x18/0x20 [overlay]
+ [<ffffffff81201ab3>] mount_fs+0x43/0x170
+ [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
+ [<ffffffff812233ad>] do_mount+0x22d/0xdf0
+ [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
+ [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Fixes: a78d9f0d5d5c ("ovl: support multiple lower layers")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1048,6 +1048,7 @@ static int ovl_fill_super(struct super_b
+ oe->lowerstack[i].dentry = stack[i].dentry;
+ oe->lowerstack[i].mnt = ufs->lower_mnt[i];
+ }
++ kfree(stack);
+
+ root_dentry->d_fsdata = oe;
+
--- /dev/null
+From 0480334fa60488d12ae101a02d7d9e1a3d03d7dd Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Fri, 18 Sep 2015 11:45:12 +0100
+Subject: ovl: use O_LARGEFILE in ovl_copy_up()
+
+From: David Howells <dhowells@redhat.com>
+
+commit 0480334fa60488d12ae101a02d7d9e1a3d03d7dd upstream.
+
+Open the lower file with O_LARGEFILE in ovl_copy_up().
+
+Pass O_LARGEFILE unconditionally in ovl_copy_up_data() as it's purely for
+catching 32-bit userspace dealing with a file large enough that it'll be
+mishandled if the application isn't aware that there might be an integer
+overflow. Inside the kernel, there shouldn't be any problems.
+
+Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/copy_up.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -81,11 +81,11 @@ static int ovl_copy_up_data(struct path
+ if (len == 0)
+ return 0;
+
+- old_file = ovl_path_open(old, O_RDONLY);
++ old_file = ovl_path_open(old, O_LARGEFILE | O_RDONLY);
+ if (IS_ERR(old_file))
+ return PTR_ERR(old_file);
+
+- new_file = ovl_path_open(new, O_WRONLY);
++ new_file = ovl_path_open(new, O_LARGEFILE | O_WRONLY);
+ if (IS_ERR(new_file)) {
+ error = PTR_ERR(new_file);
+ goto out_fput;
--- /dev/null
+From 1266963170f576d4d08e6310b6963e26d3ff9d1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Wed, 7 Oct 2015 11:03:28 -0500
+Subject: PCI: Prevent out of bounds access in numa_node override
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 1266963170f576d4d08e6310b6963e26d3ff9d1e upstream.
+
+63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that
+the numa node provided by userspace is valid. Passing a node number too
+high would attempt to access invalid memory and trigger a kernel panic.
+
+Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct de
+ if (ret)
+ return ret;
+
+- if (!node_online(node))
++ if (node >= MAX_NUMNODES || !node_online(node))
+ return -EINVAL;
+
+ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
xhci-add-spurious-wakeup-quirk-for-lynxpoint-lp-controllers.patch
xen-blkfront-check-for-null-drvdata-in-blkback_changed-xenbusstateclosing.patch
module-fix-locking-in-symbol_put_addr.patch
+pci-prevent-out-of-bounds-access-in-numa_node-override.patch
+ovl-free-stack-of-paths-in-ovl_fill_super.patch
+ovl-free-lower_mnt-array-in-ovl_put_super.patch
+ovl-use-o_largefile-in-ovl_copy_up.patch
+ovl-fix-dentry-reference-leak.patch
+ovl-fix-open-in-stacked-overlay.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
