From: Greg Kroah-Hartman Date: Fri, 6 Nov 2015 06:38:56 +0000 (-0800) Subject: 4.2-stable patches X-Git-Tag: v3.10.93~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=427d2434f18d5dee16d3f13f47f353c196e2a067;p=thirdparty%2Fkernel%2Fstable-queue.git 4.2-stable patches added patches: ovl-fix-dentry-reference-leak.patch ovl-fix-open-in-stacked-overlay.patch ovl-free-lower_mnt-array-in-ovl_put_super.patch ovl-free-stack-of-paths-in-ovl_fill_super.patch ovl-use-o_largefile-in-ovl_copy_up.patch pci-prevent-out-of-bounds-access-in-numa_node-override.patch
---
diff --git a/queue-4.2/ovl-fix-dentry-reference-leak.patch b/queue-4.2/ovl-fix-dentry-reference-leak.patch
new file mode 100644
index 00000000000..3d47a02c261
--- /dev/null
+++ b/queue-4.2/ovl-fix-dentry-reference-leak.patch
@@ -0,0 +1,52 @@
+From ab79efab0a0ba01a74df782eb7fa44b044dae8b5 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Fri, 18 Sep 2015 11:45:22 +0100
+Subject: ovl: fix dentry reference leak
+
+From: David Howells
+
+commit ab79efab0a0ba01a74df782eb7fa44b044dae8b5 upstream.
+
+In ovl_copy_up_locked(), newdentry is leaked if the function exits through
+out_cleanup as this just to out after calling ovl_cleanup() - which doesn't
+actually release the ref on newdentry.
+
+The out_cleanup segment should instead exit through out2 as certainly
+newdentry leaks - and possibly upper does also, though this isn't caught
+given the catch of newdentry.
+
+Without this fix, something like the following is seen:
+
+ BUG: Dentry ffff880023e9eb20{i=f861,n=#ffff880023e82d90} still in use (1) [unmount of tmpfs tmpfs]
+ BUG: Dentry ffff880023ece640{i=0,n=bigfile} still in use (1) [unmount of tmpfs tmpfs]
+
+when unmounting the upper layer after an error occurred in copyup.
+
+An error can be induced by creating a big file in a lower layer with
+something like:
+
+ dd if=/dev/zero of=/lower/a/bigfile bs=65536 count=1 seek=$((0xf000))
+
+to create a large file (4.1G). Overlay an upper layer that is too small
+(on tmpfs might do) and then induce a copy up by opening it writably.
+
+Reported-by: Ulrich Obergfell
+Signed-off-by: David Howells
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/copy_up.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -267,7 +267,7 @@ out:
+
+ out_cleanup:
+ ovl_cleanup(wdir, newdentry);
+- goto out;
++ goto out2;
+ }
+
+ /*
diff --git a/queue-4.2/ovl-fix-open-in-stacked-overlay.patch b/queue-4.2/ovl-fix-open-in-stacked-overlay.patch
new file mode 100644
index 00000000000..adc0b6bf10a
--- /dev/null
+++ b/queue-4.2/ovl-fix-open-in-stacked-overlay.patch
@@ -0,0 +1,38 @@
+From 1c8a47df36d72ace8cf78eb6c228aa0f8027d3c2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Mon, 12 Oct 2015 15:56:20 +0200
+Subject: ovl: fix open in stacked overlay
+
+From: Miklos Szeredi
+
+commit 1c8a47df36d72ace8cf78eb6c228aa0f8027d3c2 upstream.
+
+If two overlayfs filesystems are stacked on top of each other, then we need
+recursion in ovl_d_select_inode().
+
+I guess d_backing_inode() is supposed to do that. But currently it doesn't
+and that functionality is open coded in vfs_open(). This is now copied
+into ovl_d_select_inode() to fix this regression.
+
+Reported-by: Alban Crequy
+Signed-off-by: Miklos Szeredi
+Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay...")
+Cc: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -363,6 +363,9 @@ struct inode *ovl_d_select_inode(struct
+ ovl_path_upper(dentry, &realpath);
+ }
+
++ if (realpath.dentry->d_flags & DCACHE_OP_SELECT_INODE)
++ return realpath.dentry->d_op->d_select_inode(realpath.dentry, file_flags);
++
+ return d_backing_inode(realpath.dentry);
+ }
+
diff --git a/queue-4.2/ovl-free-lower_mnt-array-in-ovl_put_super.patch b/queue-4.2/ovl-free-lower_mnt-array-in-ovl_put_super.patch
new file mode 100644
index 00000000000..9bc923ab8ef
--- /dev/null
+++ b/queue-4.2/ovl-free-lower_mnt-array-in-ovl_put_super.patch
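Review bot: In queue-4.2/ovl-fix-open-in-stacked-overlay.patch, the branch added to ovl_d_select_inode() calls `realpath.dentry->d_op->d_select_inode` after testing only the DCACHE_OP_SELECT_INODE flag, and nothing in the hunk records why the recursion terminates or that the flag implies a non-NULL `d_op->d_select_inode`. A short comment above the test would capture both assumptions, for example `/* stacked overlayfs: the real dentry is itself an overlay, so let it pick its inode; depth is limited by the fs stacking limit */`; the stacking-limit part is my inference and should be confirmed against the mount code. The `return` line also runs well past 80 columns and would read better with the arguments wrapped onto a second line. The function starts outside the hunk.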
@@ -0,0 +1,50 @@
+From 5ffdbe8bf1e485026e1c7e4714d2841553cf0b40 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Mon, 24 Aug 2015 15:57:19 +0300
+Subject: ovl: free lower_mnt array in ovl_put_super
+
+From: Konstantin Khlebnikov
+
+commit 5ffdbe8bf1e485026e1c7e4714d2841553cf0b40 upstream.
+
+This fixes memory leak after umount.
+
+Kmemleak report:
+
+unreferenced object 0xffff8800ba791010 (size 8):
+ comm "mount", pid 2394, jiffies 4294996294 (age 53.920s)
+ hex dump (first 8 bytes):
+ 20 1c 13 02 00 88 ff ff .......
+ backtrace:
+ [] create_object+0x124/0x2c0
+ [] kmemleak_alloc+0x7b/0xc0
+ [] __kmalloc+0x106/0x340
+ [] ovl_fill_super+0x55c/0x9b0 [overlay]
+ [] mount_nodev+0x54/0xa0
+ [] ovl_mount+0x18/0x20 [overlay]
+ [] mount_fs+0x43/0x170
+ [] vfs_kern_mount+0x74/0x170
+ [] do_mount+0x22d/0xdf0
+ [] SyS_mount+0x7b/0xc0
+ [] entry_SYSCALL_64_fastpath+0x12/0x76
+ [] 0xffffffffffffffff
+
+Signed-off-by: Konstantin Khlebnikov
+Signed-off-by: Miklos Szeredi
+Fixes: dd662667e6d3 ("ovl: add mutli-layer infrastructure")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -544,6 +544,7 @@ static void ovl_put_super(struct super_b
+ mntput(ufs->upper_mnt);
+ for (i = 0; i < ufs->numlower; i++)
+ mntput(ufs->lower_mnt[i]);
++ kfree(ufs->lower_mnt);
+
+ kfree(ufs->config.lowerdir);
+ kfree(ufs->config.upperdir);
diff --git a/queue-4.2/ovl-free-stack-of-paths-in-ovl_fill_super.patch b/queue-4.2/ovl-free-stack-of-paths-in-ovl_fill_super.patch
new file mode 100644
index 00000000000..b4dfe321a29
--- /dev/null
+++ b/queue-4.2/ovl-free-stack-of-paths-in-ovl_fill_super.patch
@@ -0,0 +1,50 @@
+From 0f95502ad84874b3c05fc7cdd9d4d9d5cddf7859 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Mon, 24 Aug 2015 15:57:18 +0300
+Subject: ovl: free stack of paths in ovl_fill_super
+
+From: Konstantin Khlebnikov
+
+commit 0f95502ad84874b3c05fc7cdd9d4d9d5cddf7859 upstream.
+
+This fixes small memory leak after mount.
+
+Kmemleak report:
+
+unreferenced object 0xffff88003683fe00 (size 16):
+ comm "mount", pid 2029, jiffies 4294909563 (age 33.380s)
+ hex dump (first 16 bytes):
+ 20 27 1f bb 00 88 ff ff 40 4b 0f 36 02 88 ff ff '......@K.6....
+ backtrace:
+ [] create_object+0x124/0x2c0
+ [] kmemleak_alloc+0x7b/0xc0
+ [] __kmalloc+0x106/0x340
+ [] ovl_fill_super+0x389/0x9a0 [overlay]
+ [] mount_nodev+0x54/0xa0
+ [] ovl_mount+0x18/0x20 [overlay]
+ [] mount_fs+0x43/0x170
+ [] vfs_kern_mount+0x74/0x170
+ [] do_mount+0x22d/0xdf0
+ [] SyS_mount+0x7b/0xc0
+ [] entry_SYSCALL_64_fastpath+0x12/0x76
+ [] 0xffffffffffffffff
+
+Signed-off-by: Konstantin Khlebnikov
+Signed-off-by: Miklos Szeredi
+Fixes: a78d9f0d5d5c ("ovl: support multiple lower layers")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1048,6 +1048,7 @@ static int ovl_fill_super(struct super_b
+ oe->lowerstack[i].dentry = stack[i].dentry;
+ oe->lowerstack[i].mnt = ufs->lower_mnt[i];
+ }
++ kfree(stack);
+
+ root_dentry->d_fsdata = oe;
+
diff --git a/queue-4.2/ovl-use-o_largefile-in-ovl_copy_up.patch b/queue-4.2/ovl-use-o_largefile-in-ovl_copy_up.patch
new file mode 100644
index 00000000000..1b241e519d7
--- /dev/null
+++ b/queue-4.2/ovl-use-o_largefile-in-ovl_copy_up.patch
@@ -0,0 +1,41 @@
+From 0480334fa60488d12ae101a02d7d9e1a3d03d7dd Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Fri, 18 Sep 2015 11:45:12 +0100
+Subject: ovl: use O_LARGEFILE in ovl_copy_up()
+
+From: David Howells
+
+commit 0480334fa60488d12ae101a02d7d9e1a3d03d7dd upstream.
+
+Open the lower file with O_LARGEFILE in ovl_copy_up().
+
+Pass O_LARGEFILE unconditionally in ovl_copy_up_data() as it's purely for
+catching 32-bit userspace dealing with a file large enough that it'll be
+mishandled if the application isn't aware that there might be an integer
+overflow. Inside the kernel, there shouldn't be any problems.
+
+Reported-by: Ulrich Obergfell
+Signed-off-by: David Howells
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/copy_up.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -81,11 +81,11 @@ static int ovl_copy_up_data(struct path
+ if (len == 0)
+ return 0;
+
+- old_file = ovl_path_open(old, O_RDONLY);
++ old_file = ovl_path_open(old, O_LARGEFILE | O_RDONLY);
+ if (IS_ERR(old_file))
+ return PTR_ERR(old_file);
+
+- new_file = ovl_path_open(new, O_WRONLY);
++ new_file = ovl_path_open(new, O_LARGEFILE | O_WRONLY);
+ if (IS_ERR(new_file)) {
+ error = PTR_ERR(new_file);
+ goto out_fput;
diff --git a/queue-4.2/pci-prevent-out-of-bounds-access-in-numa_node-override.patch b/queue-4.2/pci-prevent-out-of-bounds-access-in-numa_node-override.patch
new file mode 100644
index 00000000000..55c287d634e
--- /dev/null
+++ b/queue-4.2/pci-prevent-out-of-bounds-access-in-numa_node-override.patch
@@ -0,0 +1,33 @@
+From 1266963170f576d4d08e6310b6963e26d3ff9d1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Oct 2015 11:03:28 -0500
+Subject: PCI: Prevent out of bounds access in numa_node override
+
+From: Sasha Levin
+
+commit 1266963170f576d4d08e6310b6963e26d3ff9d1e upstream.
+
+63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that
+the numa node provided by userspace is valid. Passing a node number too
+high would attempt to access invalid memory and trigger a kernel panic.
+
+Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
+Signed-off-by: Sasha Levin
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/pci-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct de
+ if (ret)
+ return ret;
+
+- if (!node_online(node))
++ if (node >= MAX_NUMNODES || !node_online(node))
+ return -EINVAL;
+
+ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
diff --git a/queue-4.2/series b/queue-4.2/series
index 80044336fcc..24503f66090 100644
--- a/queue-4.2/series
+++ b/queue-4.2/series
@@ -77,3 +77,9 @@ xhci-handle-no-ping-response-error-properly.patch
 xhci-add-spurious-wakeup-quirk-for-lynxpoint-lp-controllers.patch
 xen-blkfront-check-for-null-drvdata-in-blkback_changed-xenbusstateclosing.patch
 module-fix-locking-in-symbol_put_addr.patch
+pci-prevent-out-of-bounds-access-in-numa_node-override.patch
+ovl-free-stack-of-paths-in-ovl_fill_super.patch
+ovl-free-lower_mnt-array-in-ovl_put_super.patch
+ovl-use-o_largefile-in-ovl_copy_up.patch
+ovl-fix-dentry-reference-leak.patch
+ovl-fix-open-in-stacked-overlay.patch
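Review bot: In queue-4.2/pci-prevent-out-of-bounds-access-in-numa_node-override.patch, the new guard in numa_node_store() bounds `node` only from above, so a negative value written to the sysfs attribute would still reach node_online() if `node` is a signed integer (its declaration and the parsing call sit above the hunk, so this is inferred). The commit message says the value comes from userspace, so the lower bound deserves the same treatment, e.g. `if (node < 0 || node >= MAX_NUMNODES || !node_online(node))`. If a negative "no node" sentinel is meant to be accepted, it should be handled explicitly before the node_online() test rather than falling through it. The function body starts and ends outside the hunk.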