--- /dev/null
+From 483d821108791092798f5d230686868112927044 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2015 17:42:09 +0200
+Subject: gpio: sysfs: fix memory leaks and device hotplug
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 483d821108791092798f5d230686868112927044 upstream.
+
+Unregister GPIOs requested through sysfs at chip remove to avoid leaking
+the associated memory and sysfs entries.
+
+The stale sysfs entries prevented the gpio numbers from being exported
+when the gpio range was later reused (e.g. at device reconnect).
+
+This also fixes the related module-reference leak.
+
+Note that kernfs makes sure that any on-going sysfs operations finish
+before the class devices are unregistered and that further accesses
+fail.
+
+The chip exported flag is used to prevent gpiod exports during removal.
+This also makes it harder to trigger, but does not fix, the related race
+between gpiochip_remove and export_store, which is really a race with
+gpiod_request that needs to be addressed separately.
+
+Also note that this would prevent the crashes (e.g. NULL-dereferences)
+at reconnect that affects pre-3.18 kernels, as well as use-after-free on
+operations on open attribute files on pre-3.14 kernels (prior to
+kernfs).
+
+Fixes: d8f388d8dc8d ("gpio: sysfs interface")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -800,6 +800,7 @@ static struct class gpio_class = {
+ */
+ int gpiod_export(struct gpio_desc *desc, bool direction_may_change)
+ {
++ struct gpio_chip *chip;
+ unsigned long flags;
+ int status;
+ const char *ioname = NULL;
+@@ -817,8 +818,16 @@ int gpiod_export(struct gpio_desc *desc,
+ return -EINVAL;
+ }
+
++ chip = desc->chip;
++
+ mutex_lock(&sysfs_lock);
+
++ /* check if chip is being removed */
++ if (!chip || !chip->exported) {
++ status = -ENODEV;
++ goto fail_unlock;
++ }
++
+ spin_lock_irqsave(&gpio_lock, flags);
+ if (!test_bit(FLAG_REQUESTED, &desc->flags) ||
+ test_bit(FLAG_EXPORT, &desc->flags)) {
+@@ -1057,12 +1066,15 @@ static void gpiochip_unexport(struct gpi
+ {
+ int status;
+ struct device *dev;
++ struct gpio_desc *desc;
++ unsigned int i;
+
+ mutex_lock(&sysfs_lock);
+ dev = class_find_device(&gpio_class, NULL, chip, match_export);
+ if (dev) {
+ put_device(dev);
+ device_unregister(dev);
++ /* prevent further gpiod exports */
+ chip->exported = false;
+ status = 0;
+ } else
+@@ -1071,6 +1083,13 @@ static void gpiochip_unexport(struct gpi
+
+ if (status)
+ chip_dbg(chip, "%s: status %d\n", __func__, status);
++
++ /* unregister gpiod class devices owned by sysfs */
++ for (i = 0; i < chip->ngpio; i++) {
++ desc = &chip->desc[i];
++ if (test_and_clear_bit(FLAG_SYSFS, &desc->flags))
++ gpiod_free(desc);
++ }
+ }
+
+ static int __init gpiolib_sysfs_init(void)
--- /dev/null
+From 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 8 May 2015 16:36:50 -0500
+Subject: mnt: Fix fs_fully_visible to verify the root directory is visible
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd upstream.
+
+This fixes a dumb bug in fs_fully_visible that allows proc or sys to
+be mounted if there is a bind mount of part of /proc/ or /sys/ visible.
+
+Reported-by: Eric Windisch <ewindisch@docker.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3025,6 +3025,12 @@ bool fs_fully_visible(struct file_system
+ if (mnt->mnt.mnt_sb->s_type != type)
+ continue;
+
++ /* This mount is not fully visible if it's root directory
++ * is not the root directory of the filesystem.
++ */
++ if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
++ continue;
++
+ /* This mount is not fully visible if there are any child mounts
+ * that cover anything except for empty directories.
+ */
--- /dev/null
+From d8fd150fe3935e1692bf57c66691e17409ebb9c1 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Tue, 5 May 2015 16:24:00 -0700
+Subject: nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()
+
+From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+
+commit d8fd150fe3935e1692bf57c66691e17409ebb9c1 upstream.
+
+The range check for b-tree level parameter in nilfs_btree_root_broken()
+is wrong; it accepts the case of "level == NILFS_BTREE_LEVEL_MAX" even
+though the level is limited to values in the range of 0 to
+(NILFS_BTREE_LEVEL_MAX - 1).
+
+Since the level parameter is read from storage device and used to index
+nilfs_btree_path array whose element count is NILFS_BTREE_LEVEL_MAX, it
+can cause memory overrun during btree operations if the boundary value
+is set to the level parameter on device.
+
+This fixes the broken sanity check and adds a comment to clarify that
+the upper bound NILFS_BTREE_LEVEL_MAX is exclusive.
+
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nilfs2/btree.c | 2 +-
+ include/linux/nilfs2_fs.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -388,7 +388,7 @@ static int nilfs_btree_root_broken(const
+ nchildren = nilfs_btree_node_get_nchildren(node);
+
+ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+- level > NILFS_BTREE_LEVEL_MAX ||
++ level >= NILFS_BTREE_LEVEL_MAX ||
+ nchildren < 0 ||
+ nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
+ pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",
+--- a/include/linux/nilfs2_fs.h
++++ b/include/linux/nilfs2_fs.h
+@@ -458,7 +458,7 @@ struct nilfs_btree_node {
+ /* level */
+ #define NILFS_BTREE_LEVEL_DATA 0
+ #define NILFS_BTREE_LEVEL_NODE_MIN (NILFS_BTREE_LEVEL_DATA + 1)
+-#define NILFS_BTREE_LEVEL_MAX 14
++#define NILFS_BTREE_LEVEL_MAX 14 /* Max level (exclusive) */
+
+ /**
+ * struct nilfs_palloc_group_desc - block group descriptor
--- /dev/null
+From 285214409a9e5fceba2215461b4682b6069d8e77 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Date: Mon, 20 Apr 2015 14:01:11 -0600
+Subject: RDMA/CMA: Canonize IPv4 on IPV6 sockets properly
+
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+
+commit 285214409a9e5fceba2215461b4682b6069d8e77 upstream.
+
+When accepting a new IPv4 connect to an IPv6 socket, the CMA tries to
+canonize the address family to IPv4, but does not properly process
+the listening sockaddr to get the listening port, and does not properly
+set the address family of the canonized sockaddr.
+
+Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
+
+Reported-By: Yotam Kenneth <yotamke@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Tested-by: Haggai Eran <haggaie@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -859,19 +859,27 @@ static void cma_save_ib_info(struct rdma
+ memcpy(&ib->sib_addr, &path->dgid, 16);
+ }
+
++static __be16 ss_get_port(const struct sockaddr_storage *ss)
++{
++ if (ss->ss_family == AF_INET)
++ return ((struct sockaddr_in *)ss)->sin_port;
++ else if (ss->ss_family == AF_INET6)
++ return ((struct sockaddr_in6 *)ss)->sin6_port;
++ BUG();
++}
++
+ static void cma_save_ip4_info(struct rdma_cm_id *id, struct rdma_cm_id *listen_id,
+ struct cma_hdr *hdr)
+ {
+- struct sockaddr_in *listen4, *ip4;
++ struct sockaddr_in *ip4;
+
+- listen4 = (struct sockaddr_in *) &listen_id->route.addr.src_addr;
+ ip4 = (struct sockaddr_in *) &id->route.addr.src_addr;
+- ip4->sin_family = listen4->sin_family;
++ ip4->sin_family = AF_INET;
+ ip4->sin_addr.s_addr = hdr->dst_addr.ip4.addr;
+- ip4->sin_port = listen4->sin_port;
++ ip4->sin_port = ss_get_port(&listen_id->route.addr.src_addr);
+
+ ip4 = (struct sockaddr_in *) &id->route.addr.dst_addr;
+- ip4->sin_family = listen4->sin_family;
++ ip4->sin_family = AF_INET;
+ ip4->sin_addr.s_addr = hdr->src_addr.ip4.addr;
+ ip4->sin_port = hdr->port;
+ }
+@@ -879,16 +887,15 @@ static void cma_save_ip4_info(struct rdm
+ static void cma_save_ip6_info(struct rdma_cm_id *id, struct rdma_cm_id *listen_id,
+ struct cma_hdr *hdr)
+ {
+- struct sockaddr_in6 *listen6, *ip6;
++ struct sockaddr_in6 *ip6;
+
+- listen6 = (struct sockaddr_in6 *) &listen_id->route.addr.src_addr;
+ ip6 = (struct sockaddr_in6 *) &id->route.addr.src_addr;
+- ip6->sin6_family = listen6->sin6_family;
++ ip6->sin6_family = AF_INET6;
+ ip6->sin6_addr = hdr->dst_addr.ip6;
+- ip6->sin6_port = listen6->sin6_port;
++ ip6->sin6_port = ss_get_port(&listen_id->route.addr.src_addr);
+
+ ip6 = (struct sockaddr_in6 *) &id->route.addr.dst_addr;
+- ip6->sin6_family = listen6->sin6_family;
++ ip6->sin6_family = AF_INET6;
+ ip6->sin6_addr = hdr->src_addr.ip6;
+ ip6->sin6_port = hdr->port;
+ }
ocfs2-dlm-fix-race-between-purge-and-get-lock-resource.patch
+nilfs2-fix-sanity-check-of-btree-level-in-nilfs_btree_root_broken.patch
+rdma-cma-canonize-ipv4-on-ipv6-sockets-properly.patch
+gpio-sysfs-fix-memory-leaks-and-device-hotplug.patch
+mnt-fix-fs_fully_visible-to-verify-the-root-directory-is-visible.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
