--- /dev/null
+From cde93be45a8a90d8c264c776fab63487b5038a65 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: dcache: Handle escaped paths in prepend_path
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
+
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root. For lack of a better term
+I call this an escaped path.
+
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+
+__d_path only wants to see paths are connected to the root it passes
+in. So __d_path needs prepend_path to return an error.
+
+d_absolute_path similarly wants to see paths that are connected to
+some root. Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1. So escaped paths will be treated like paths on lazily
+unmounted mounts.
+
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+
+d_path is the interesting hold out. d_path just wants to print
+something, and does not care about the weird cases. Which raises
+the question what should be printed?
+
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths. As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2926,6 +2926,13 @@ restart:
+
+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
+ struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
++ /* Escaped? */
++ if (dentry != vfsmnt->mnt_root) {
++ bptr = *buffer;
++ blen = *buflen;
++ error = 3;
++ break;
++ }
+ /* Global root? */
+ if (mnt != parent) {
+ dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
--- /dev/null
+From 43934ece2ea72c1dd279c0b0478c1a036d5d77ee Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Mon, 14 Sep 2015 12:18:55 +0200
+Subject: mmc: core: Don't return an error for CD/WP GPIOs when GPIOLIB is unset
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 43934ece2ea72c1dd279c0b0478c1a036d5d77ee upstream.
+
+When CONFIG_GPIOLIB is unset, its stubs will return -ENOSYS. That means
+when the mmc core parses DT for CD/WP GPIOs via mmc_of_parse(), -ENOSYS
+becomes propagated to the caller. Typically this means that the mmc host
+driver fails to probe.
+
+As the CD/WP GPIOs are already treated as optional, let's extend that to
+cover the case when CONFIG_GPIOLIB is unset.
+
+Reported-by: Michal Simek <michal.simek@xilinx.com>
+Fixes: 16b23787fc70 ("mmc: sdhci-of-arasan: Call OF parsing for MMC")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: Michal Simek <michal.simek@xilinx.com>
+Acked-by: Venu Byravarasu <vbyravarasu@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/host.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -457,7 +457,7 @@ int mmc_of_parse(struct mmc_host *host)
+ 0, &cd_gpio_invert);
+ if (!ret)
+ dev_info(host->parent, "Got CD GPIO\n");
+- else if (ret != -ENOENT)
++ else if (ret != -ENOENT && ret != -ENOSYS)
+ return ret;
+
+ /*
+@@ -481,7 +481,7 @@ int mmc_of_parse(struct mmc_host *host)
+ ret = mmc_gpiod_request_ro(host, "wp", 0, false, 0, &ro_gpio_invert);
+ if (!ret)
+ dev_info(host->parent, "Got WP GPIO\n");
+- else if (ret != -ENOENT)
++ else if (ret != -ENOENT && ret != -ENOSYS)
+ return ret;
+
+ if (of_property_read_bool(np, "disable-wp"))
--- /dev/null
+From 031277d4d33d33f0174fbb569ca8f68238175617 Mon Sep 17 00:00:00 2001
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+Date: Wed, 30 Sep 2015 17:37:18 +0800
+Subject: mmc: core: fix dead loop of mmc_retune
+
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+
+commit 031277d4d33d33f0174fbb569ca8f68238175617 upstream.
+
+When get a CRC error, start the mmc_retune, it will issue CMD19/CMD21
+to do tune, assume there were 10 clock phase need to try, phase 0 to
+phase 6 is ok, phase 7 to phase 9 is NG, we try it from 0 to 9, so
+the last CMD19/CMD21 will get CRC error, host->need_retune was set and
+cause mmc_retune was called, then dead loop of mmc_retune
+
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: bd11e8bd03ca ("mmc: core: Flag re-tuning is needed on CRC errors")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -134,9 +134,11 @@ void mmc_request_done(struct mmc_host *h
+ int err = cmd->error;
+
+ /* Flag re-tuning needed on CRC errors */
+- if (err == -EILSEQ || (mrq->sbc && mrq->sbc->error == -EILSEQ) ||
++ if ((cmd->opcode != MMC_SEND_TUNING_BLOCK &&
++ cmd->opcode != MMC_SEND_TUNING_BLOCK_HS200) &&
++ (err == -EILSEQ || (mrq->sbc && mrq->sbc->error == -EILSEQ) ||
+ (mrq->data && mrq->data->error == -EILSEQ) ||
+- (mrq->stop && mrq->stop->error == -EILSEQ))
++ (mrq->stop && mrq->stop->error == -EILSEQ)))
+ mmc_retune_needed(host);
+
+ if (err && cmd->retries && mmc_host_is_spi(host)) {
ubi-return-enospc-if-no-enough-space-available.patch
net-via-kconfig-generic_pci_iomap-required-if-pci-not-selected.patch
iscsi-target-avoid-ofmarker-ifmarker-negotiation.patch
+mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch
+mmc-core-fix-dead-loop-of-mmc_retune.patch
+dcache-handle-escaped-paths-in-prepend_path.patch
+vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
--- /dev/null
+From 397d425dc26da728396e66d392d5dcb8dac30c37 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 15 Aug 2015 20:27:13 -0500
+Subject: vfs: Test for and handle paths that are unreachable from their mnt_root
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
+
+In rare cases a directory can be renamed out from under a bind mount.
+In those cases without special handling it becomes possible to walk up
+the directory tree to the root dentry of the filesystem and down
+from the root dentry to every other file or directory on the filesystem.
+
+Like division by zero .. from an unconnected path can not be given
+a useful semantic as there is no predicting at which path component
+the code will realize it is unconnected. We certainly can not match
+the current behavior as the current behavior is a security hole.
+
+Therefore when encounting .. when following an unconnected path
+return -ENOENT.
+
+- Add a function path_connected to verify path->dentry is reachable
+ from path->mnt.mnt_root. AKA to validate that rename did not do
+ something nasty to the bind mount.
+
+ To avoid races path_connected must be called after following a path
+ component to it's next path component.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -560,6 +560,24 @@ static int __nd_alloc_stack(struct namei
+ return 0;
+ }
+
++/**
++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
++ * @path: nameidate to verify
++ *
++ * Rename can sometimes move a file or directory outside of a bind
++ * mount, path_connected allows those cases to be detected.
++ */
++static bool path_connected(const struct path *path)
++{
++ struct vfsmount *mnt = path->mnt;
++
++ /* Only bind mounts can have disconnected paths */
++ if (mnt->mnt_root == mnt->mnt_sb->s_root)
++ return true;
++
++ return is_subdir(path->dentry, mnt->mnt_root);
++}
++
+ static inline int nd_alloc_stack(struct nameidata *nd)
+ {
+ if (likely(nd->depth != EMBEDDED_LEVELS))
+@@ -1296,6 +1314,8 @@ static int follow_dotdot_rcu(struct name
+ return -ECHILD;
+ nd->path.dentry = parent;
+ nd->seq = seq;
++ if (unlikely(!path_connected(&nd->path)))
++ return -ENOENT;
+ break;
+ } else {
+ struct mount *mnt = real_mount(nd->path.mnt);
+@@ -1396,7 +1416,7 @@ static void follow_mount(struct path *pa
+ }
+ }
+
+-static void follow_dotdot(struct nameidata *nd)
++static int follow_dotdot(struct nameidata *nd)
+ {
+ if (!nd->root.mnt)
+ set_root(nd);
+@@ -1412,6 +1432,8 @@ static void follow_dotdot(struct nameida
+ /* rare case of legitimate dget_parent()... */
+ nd->path.dentry = dget_parent(nd->path.dentry);
+ dput(old);
++ if (unlikely(!path_connected(&nd->path)))
++ return -ENOENT;
+ break;
+ }
+ if (!follow_up(&nd->path))
+@@ -1419,6 +1441,7 @@ static void follow_dotdot(struct nameida
+ }
+ follow_mount(&nd->path);
+ nd->inode = nd->path.dentry->d_inode;
++ return 0;
+ }
+
+ /*
+@@ -1634,7 +1657,7 @@ static inline int handle_dots(struct nam
+ if (nd->flags & LOOKUP_RCU) {
+ return follow_dotdot_rcu(nd);
+ } else
+- follow_dotdot(nd);
++ return follow_dotdot(nd);
+ }
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
