From: Greg Kroah-Hartman
Date: Wed, 17 May 2017 15:56:27 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.54~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86c11b925b637203ba7f49b34b44790aba08dcbe;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
ceph-fix-memory-leak-in-__ceph_setxattr.patch
cifs-add-misssing-sfm-mapping-for-doublequote.patch
cifs-fix-cifs_ioc_get_mnt_info-oops.patch
cifs-fix-mapping-of-sfm_space-and-sfm_period.patch
ext4-evict-inline-data-when-writing-to-memory-map.patch
fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch
fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch
ib-core-fix-sysfs-registration-error-flow.patch
ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch
ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch
ib-mlx4-fix-ib-device-initialization-error-flow.patch
ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch
padata-free-correct-variable.patch
set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch
smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch
---
diff --git a/queue-4.4/ceph-fix-memory-leak-in-__ceph_setxattr.patch b/queue-4.4/ceph-fix-memory-leak-in-__ceph_setxattr.patch
new file mode 100644
index 00000000000..3cb400106d7
--- /dev/null
+++ b/queue-4.4/ceph-fix-memory-leak-in-__ceph_setxattr.patch
@@ -0,0 +1,71 @@
+From eeca958dce0a9231d1969f86196653eb50fcc9b3 Mon Sep 17 00:00:00 2001
+From: Luis Henriques
+Date: Fri, 28 Apr 2017 11:14:04 +0100
+Subject: ceph: fix memory leak in __ceph_setxattr()
+
+From: Luis Henriques
+
+commit eeca958dce0a9231d1969f86196653eb50fcc9b3 upstream.
+
+The ceph_inode_xattr needs to be released when removing an xattr. Easily
+reproducible running the 'generic/020' test from xfstests or simply by
+doing:
+
+ attr -s attr0 -V 0 /mnt/test && attr -r attr0 /mnt/test
+
+While there, also fix the error path.
+
+Here's the kmemleak splat:
+
+unreferenced object 0xffff88001f86fbc0 (size 64):
+ comm "attr", pid 244, jiffies 4294904246 (age 98.464s)
+ hex dump (first 32 bytes):
+ 40 fa 86 1f 00 88 ff ff 80 32 38 1f 00 88 ff ff @........28.....
+ 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................
+ backtrace:
+ [] kmemleak_alloc+0x49/0xa0
+ [] kmem_cache_alloc+0x9b/0xf0
+ [] __ceph_setxattr+0x17e/0x820
+ [] ceph_set_xattr_handler+0x37/0x40
+ [] __vfs_removexattr+0x4b/0x60
+ [] vfs_removexattr+0x77/0xd0
+ [] removexattr+0x41/0x60
+ [] path_removexattr+0x75/0xa0
+ [] SyS_lremovexattr+0xb/0x10
+ [] entry_SYSCALL_64_fastpath+0x13/0x94
+ [] 0xffffffffffffffff
+
+Signed-off-by: Luis Henriques
+Reviewed-by: "Yan, Zheng"
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ceph/xattr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -369,6 +369,7 @@ static int __set_xattr(struct ceph_inode
+
+ if (update_xattr) {
+ int err = 0;
++
+ if (xattr && (flags & XATTR_CREATE))
+ err = -EEXIST;
+ else if (!xattr && (flags & XATTR_REPLACE))
+@@ -376,12 +377,14 @@ static int __set_xattr(struct ceph_inode
+ if (err) {
+ kfree(name);
+ kfree(val);
++ kfree(*newxattr);
+ return err;
+ }
+ if (update_xattr < 0) {
+ if (xattr)
+ __remove_xattr(ci, xattr);
+ kfree(name);
++ kfree(*newxattr);
+ return 0;
+ }
+ }
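Review bot: Both new `kfree(*newxattr);` calls in `__set_xattr()` leave the caller's pointer dangling, so the leak fix is only safe while no caller touches or frees that pointer again after an error or a removal. The caller's cleanup is outside this hunk and cannot be confirmed here; following each free with `*newxattr = NULL;` would make the ownership hand-off explicit and turn any later `kfree()` on it into a no-op. A short comment such as `/* preallocated xattr was not consumed; release it here */` would also explain why this function frees memory it did not allocate. The body of `__set_xattr()` starts and ends outside the hunk.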
diff --git a/queue-4.4/cifs-add-misssing-sfm-mapping-for-doublequote.patch b/queue-4.4/cifs-add-misssing-sfm-mapping-for-doublequote.patch
new file mode 100644
index 00000000000..98675b14661
--- /dev/null
+++ b/queue-4.4/cifs-add-misssing-sfm-mapping-for-doublequote.patch
@@ -0,0 +1,54 @@
+From 85435d7a15294f9f7ef23469e6aaf7c5dfcc54f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?=
+Date: Fri, 5 May 2017 04:36:16 +0200
+Subject: CIFS: add misssing SFM mapping for doublequote
+
+From: Björn Jacke
+
+commit 85435d7a15294f9f7ef23469e6aaf7c5dfcc54f0 upstream.
+
+SFM is mapping doublequote to 0xF020
+
+Without this patch creating files with doublequote fails to Windows/Mac
+
+Signed-off-by: Bjoern Jacke
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifs_unicode.c | 6 ++++++
+ fs/cifs/cifs_unicode.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/fs/cifs/cifs_unicode.c
++++ b/fs/cifs/cifs_unicode.c
+@@ -83,6 +83,9 @@ convert_sfm_char(const __u16 src_char, c
+ case SFM_COLON:
+ *target = ':';
+ break;
++ case SFM_DOUBLEQUOTE:
++ *target = '"';
++ break;
+ case SFM_ASTERISK:
+ *target = '*';
+ break;
+@@ -418,6 +421,9 @@ static __le16 convert_to_sfm_char(char s
+ case ':':
+ dest_char = cpu_to_le16(SFM_COLON);
+ break;
++ case '"':
++ dest_char = cpu_to_le16(SFM_DOUBLEQUOTE);
++ break;
+ case '*':
+ dest_char = cpu_to_le16(SFM_ASTERISK);
+ break;
+--- a/fs/cifs/cifs_unicode.h
++++ b/fs/cifs/cifs_unicode.h
+@@ -57,6 +57,7 @@
+ * not conflict (although almost does) with the mapping above.
+ */
+
++#define SFM_DOUBLEQUOTE ((__u16) 0xF020)
+ #define SFM_ASTERISK ((__u16) 0xF021)
+ #define SFM_QUESTION ((__u16) 0xF025)
+ #define SFM_COLON ((__u16) 0xF022)
diff --git a/queue-4.4/cifs-fix-cifs_ioc_get_mnt_info-oops.patch b/queue-4.4/cifs-fix-cifs_ioc_get_mnt_info-oops.patch
new file mode 100644
index 00000000000..1d99308f50e
--- /dev/null
+++ b/queue-4.4/cifs-fix-cifs_ioc_get_mnt_info-oops.patch
@@ -0,0 +1,31 @@
+From d8a6e505d6bba2250852fbc1c1c86fe68aaf9af3 Mon Sep 17 00:00:00 2001
+From: David Disseldorp
+Date: Thu, 4 May 2017 00:41:13 +0200
+Subject: cifs: fix CIFS_IOC_GET_MNT_INFO oops
+
+From: David Disseldorp
+
+commit d8a6e505d6bba2250852fbc1c1c86fe68aaf9af3 upstream.
+
+An open directory may have a NULL private_data pointer prior to readdir.
+
+Fixes: 0de1f4c6f6c0 ("Add way to query server fs info for smb3")
+Signed-off-by: David Disseldorp
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -272,6 +272,8 @@ long cifs_ioctl(struct file *filep, unsi
+ rc = -EOPNOTSUPP;
+ break;
+ case CIFS_IOC_GET_MNT_INFO:
++ if (pSMBFile == NULL)
++ break;
+ tcon = tlink_tcon(pSMBFile->tlink);
+ rc = smb_mnt_get_fsinfo(xid, tcon, (void __user *)arg);
+ break;
diff --git a/queue-4.4/cifs-fix-mapping-of-sfm_space-and-sfm_period.patch b/queue-4.4/cifs-fix-mapping-of-sfm_space-and-sfm_period.patch
new file mode 100644
index 00000000000..d31511315c2
--- /dev/null
+++ b/queue-4.4/cifs-fix-mapping-of-sfm_space-and-sfm_period.patch
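Review bot: In the `CIFS_IOC_GET_MNT_INFO` case of `cifs_ioctl()` (fs/cifs/ioctl.c), the new `if (pSMBFile == NULL) break;` returns whatever `rc` held before the switch, and that initial value is assigned outside this hunk, so the error userspace receives for a directory handle with no private data is implicit. Stating it at the guard would make the contract reviewable, for example a comment `/* no private_data before readdir: fall out with the default rc */` or an explicit assignment if a specific errno is intended. Other cases of the same switch that dereference `pSMBFile` are not visible here and presumably need the same NULL check; that is worth confirming against the full function.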
@@ -0,0 +1,36 @@
+From b704e70b7cf48f9b67c07d585168e102dfa30bb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?=
+Date: Wed, 3 May 2017 23:47:44 +0200
+Subject: CIFS: fix mapping of SFM_SPACE and SFM_PERIOD
+
+From: Björn Jacke
+
+commit b704e70b7cf48f9b67c07d585168e102dfa30bb4 upstream.
+
+- trailing space maps to 0xF028
+- trailing period maps to 0xF029
+
+This fix corrects the mapping of file names which have a trailing character
+that would otherwise be illegal (period or space) but is allowed by POSIX.
+
+Signed-off-by: Bjoern Jacke
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifs_unicode.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_unicode.h
++++ b/fs/cifs/cifs_unicode.h
+@@ -64,8 +64,8 @@
+ #define SFM_LESSTHAN ((__u16) 0xF023)
+ #define SFM_PIPE ((__u16) 0xF027)
+ #define SFM_SLASH ((__u16) 0xF026)
+-#define SFM_PERIOD ((__u16) 0xF028)
+-#define SFM_SPACE ((__u16) 0xF029)
++#define SFM_SPACE ((__u16) 0xF028)
++#define SFM_PERIOD ((__u16) 0xF029)
+
+ /*
+ * Mapping mechanism to use when one of the seven reserved characters is
diff --git a/queue-4.4/ext4-evict-inline-data-when-writing-to-memory-map.patch b/queue-4.4/ext4-evict-inline-data-when-writing-to-memory-map.patch
new file mode 100644
index 00000000000..b40e6af4c0a
--- /dev/null
+++ b/queue-4.4/ext4-evict-inline-data-when-writing-to-memory-map.patch
@@ -0,0 +1,86 @@
+From 7b4cc9787fe35b3ee2dfb1c35e22eafc32e00c33 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Sun, 30 Apr 2017 00:10:50 -0400
+Subject: ext4: evict inline data when writing to memory map
+
+From: Eric Biggers
+
+commit 7b4cc9787fe35b3ee2dfb1c35e22eafc32e00c33 upstream.
+
+Currently the case of writing via mmap to a file with inline data is not
+handled. This is maybe a rare case since it requires a writable memory
+map of a very small file, but it is trivial to trigger with on
+inline_data filesystem, and it causes the
+'BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA));' in
+ext4_writepages() to be hit:
+
+ mkfs.ext4 -O inline_data /dev/vdb
+ mount /dev/vdb /mnt
+ xfs_io -f /mnt/file \
+ -c 'pwrite 0 1' \
+ -c 'mmap -w 0 1m' \
+ -c 'mwrite 0 1' \
+ -c 'fsync'
+
+ kernel BUG at fs/ext4/inode.c:2723!
+ invalid opcode: 0000 [#1] SMP
+ CPU: 1 PID: 2532 Comm: xfs_io Not tainted 4.11.0-rc1-xfstests-00301-g071d9acf3d1f #633
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
+ task: ffff88003d3a8040 task.stack: ffffc90000300000
+ RIP: 0010:ext4_writepages+0xc89/0xf8a
+ RSP: 0018:ffffc90000303ca0 EFLAGS: 00010283
+ RAX: 0000028410000000 RBX: ffff8800383fa3b0 RCX: ffffffff812afcdc
+ RDX: 00000a9d00000246 RSI: ffffffff81e660e0 RDI: 0000000000000246
+ RBP: ffffc90000303dc0 R08: 0000000000000002 R09: 869618e8f99b4fa5
+ R10: 00000000852287a2 R11: 00000000a03b49f4 R12: ffff88003808e698
+ R13: 0000000000000000 R14: 7fffffffffffffff R15: 7fffffffffffffff
+ FS: 00007fd3e53094c0(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fd3e4c51000 CR3: 000000003d554000 CR4: 00000000003406e0
+ Call Trace:
+ ? _raw_spin_unlock+0x27/0x2a
+ ? kvm_clock_read+0x1e/0x20
+ do_writepages+0x23/0x2c
+ ? do_writepages+0x23/0x2c
+ __filemap_fdatawrite_range+0x80/0x87
+ filemap_write_and_wait_range+0x67/0x8c
+ ext4_sync_file+0x20e/0x472
+ vfs_fsync_range+0x8e/0x9f
+ ? syscall_trace_enter+0x25b/0x2d0
+ vfs_fsync+0x1c/0x1e
+ do_fsync+0x31/0x4a
+ SyS_fsync+0x10/0x14
+ do_syscall_64+0x69/0x131
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+We could try to be smart and keep the inline data in this case, or at
+least support delayed allocation when allocating the block, but these
+solutions would be more complicated and don't seem worthwhile given how
+rare this case seems to be. So just fix the bug by calling
+ext4_convert_inline_data() when we're asked to make a page writable, so
+that any inline data gets evicted, with the block allocated immediately.
+
+Reported-by: Nick Alcock
+Reviewed-by: Andreas Dilger
+Signed-off-by: Eric Biggers
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/inode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5393,6 +5393,11 @@ int ext4_page_mkwrite(struct vm_area_str
+ file_update_time(vma->vm_file);
+
+ down_read(&EXT4_I(inode)->i_mmap_sem);
++
++ ret = ext4_convert_inline_data(inode);
++ if (ret)
++ goto out_ret;
++
+ /* Delalloc case is easy... */
+ if (test_opt(inode->i_sb, DELALLOC) &&
+ !ext4_should_journal_data(inode) &&
diff --git a/queue-4.4/fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch b/queue-4.4/fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch
new file mode 100644
index 00000000000..d3278aaf456
--- /dev/null
+++ b/queue-4.4/fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch
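Review bot: The new `goto out_ret;` in `ext4_page_mkwrite()` (fs/ext4/inode.c) is taken after `down_read(&EXT4_I(inode)->i_mmap_sem)`, and the `out_ret` label lies outside this hunk, so the backport should be checked to confirm that path drops `i_mmap_sem` before returning in the 4.4 tree. The added call also has no comment, and nothing at the call site says why conversion must precede the delalloc fast path; something like `/* mmap writes cannot target inline data: evict it now so writeback never sees MAY_INLINE_DATA */` would keep the BUG_ON rationale from the commit message next to the code. The function body starts and ends outside the hunk.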
@@ -0,0 +1,55 @@
+From a5f6a6a9c72eac38a7fadd1a038532bc8516337c Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Wed, 3 May 2017 14:56:02 -0700
+Subject: fs/block_dev: always invalidate cleancache in invalidate_bdev()
+
+From: Andrey Ryabinin
+
+commit a5f6a6a9c72eac38a7fadd1a038532bc8516337c upstream.
+
+invalidate_bdev() calls cleancache_invalidate_inode() iff ->nrpages != 0
+which doen't make any sense.
+
+Make sure that invalidate_bdev() always calls cleancache_invalidate_inode()
+regardless of mapping->nrpages value.
+
+Fixes: c515e1fd361c ("mm/fs: add hooks to support cleancache")
+Link: http://lkml.kernel.org/r/20170424164135.22350-3-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin
+Reviewed-by: Jan Kara
+Acked-by: Konrad Rzeszutek Wilk
+Cc: Alexander Viro
+Cc: Ross Zwisler
+Cc: Jens Axboe
+Cc: Johannes Weiner
+Cc: Alexey Kuznetsov
+Cc: Christoph Hellwig
+Cc: Nikolay Borisov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/block_dev.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -88,12 +88,11 @@ void invalidate_bdev(struct block_device
+ {
+ struct address_space *mapping = bdev->bd_inode->i_mapping;
+
+- if (mapping->nrpages == 0)
+- return;
+-
+- invalidate_bh_lrus();
+- lru_add_drain_all(); /* make sure all lru add caches are flushed */
+- invalidate_mapping_pages(mapping, 0, -1);
++ if (mapping->nrpages) {
++ invalidate_bh_lrus();
++ lru_add_drain_all(); /* make sure all lru add caches are flushed */
++ invalidate_mapping_pages(mapping, 0, -1);
++ }
+ /* 99% of the time, we don't need to flush the cleancache on the bdev.
+ * But, for the strange corners, lets be cautious
+ */
diff --git a/queue-4.4/fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch b/queue-4.4/fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch
new file mode 100644
index 00000000000..f2caadae3e1
--- /dev/null
+++ b/queue-4.4/fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch
@@ -0,0 +1,40 @@
+From 81be3dee96346fbe08c31be5ef74f03f6b63cf68 Mon Sep 17 00:00:00 2001
+From: Michal Hocko
+Date: Mon, 8 May 2017 15:57:24 -0700
+Subject: fs/xattr.c: zero out memory copied to userspace in getxattr
+
+From: Michal Hocko
+
+commit 81be3dee96346fbe08c31be5ef74f03f6b63cf68 upstream.
+
+getxattr uses vmalloc to allocate memory if kzalloc fails. This is
+filled by vfs_getxattr and then copied to the userspace. vmalloc,
+however, doesn't zero out the memory so if the specific implementation
+of the xattr handler is sloppy we can theoretically expose a kernel
+memory. There is no real sign this is really the case but let's make
+sure this will not happen and use vzalloc instead.
+
+Fixes: 779302e67835 ("fs/xattr.c:getxattr(): improve handling of allocation failures")
+Link: http://lkml.kernel.org/r/20170306103327.2766-1-mhocko@kernel.org
+Acked-by: Kees Cook
+Reported-by: Vlastimil Babka
+Signed-off-by: Michal Hocko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -442,7 +442,7 @@ getxattr(struct dentry *d, const char __
+ size = XATTR_SIZE_MAX;
+ kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
+ if (!kvalue) {
+- vvalue = vmalloc(size);
++ vvalue = vzalloc(size);
+ if (!vvalue)
+ return -ENOMEM;
+ kvalue = vvalue;
diff --git a/queue-4.4/ib-core-fix-sysfs-registration-error-flow.patch b/queue-4.4/ib-core-fix-sysfs-registration-error-flow.patch
new file mode 100644
index 00000000000..dbce91c923c
--- /dev/null
+++ b/queue-4.4/ib-core-fix-sysfs-registration-error-flow.patch
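Review bot: The switch to `vzalloc(size)` in `getxattr()` (fs/xattr.c) is a hardening change whose reason is invisible at the call site, so a later cleanup could turn it back into `vmalloc()` without noticing the information-disclosure concern described in the commit message. A comment on the allocation would pin it, for example `/* zeroed: a handler that under-fills the buffer must not expose stale kernel memory to userspace */`. The copy to userspace is outside this hunk; it is worth confirming that it copies only the length returned by the handler rather than `size`, because zeroing is a backstop and not a replacement for that bound.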
@@ -0,0 +1,50 @@
+From b312be3d87e4c80872cbea869e569175c5eb0f9a Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein
+Date: Sun, 19 Mar 2017 10:55:57 +0200
+Subject: IB/core: Fix sysfs registration error flow
+
+From: Jack Morgenstein
+
+commit b312be3d87e4c80872cbea869e569175c5eb0f9a upstream.
+
+The kernel commit cited below restructured ib device management
+so that the device kobject is initialized in ib_alloc_device.
+
+As part of the restructuring, the kobject is now initialized in
+procedure ib_alloc_device, and is later added to the device hierarchy
+in the ib_register_device call stack, in procedure
+ib_device_register_sysfs (which calls device_add).
+
+However, in the ib_device_register_sysfs error flow, if an error
+occurs following the call to device_add, the cleanup procedure
+device_unregister is called. This call results in the device object
+being deleted -- which results in various use-after-free crashes.
+
+The correct cleanup call is device_del -- which undoes device_add
+without deleting the device object.
+
+The device object will then (correctly) be deleted in the
+ib_register_device caller's error cleanup flow, when the caller invokes
+ib_dealloc_device.
+
+Fixes: 55aeed06544f6 ("IB/core: Make ib_alloc_device init the kobject")
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/sysfs.c
++++ b/drivers/infiniband/core/sysfs.c
+@@ -863,7 +863,7 @@ err_put:
+ free_port_list_attributes(device);
+
+ err_unregister:
+- device_unregister(class_dev);
++ device_del(class_dev);
+
+ err:
+ return ret;
diff --git a/queue-4.4/ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch b/queue-4.4/ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch
new file mode 100644
index 00000000000..7acb028be3d
--- /dev/null
+++ b/queue-4.4/ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch
@@ -0,0 +1,53 @@
+From 8561eae60ff9417a50fa1fb2b83ae950dc5c1e21 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl"
+Date: Sun, 9 Apr 2017 10:15:51 -0700
+Subject: IB/core: For multicast functions, verify that LIDs are multicast LIDs
+
+From: Michael J. Ruhl
+
+commit 8561eae60ff9417a50fa1fb2b83ae950dc5c1e21 upstream.
+
+The Infiniband spec defines "A multicast address is defined by a
+MGID and a MLID" (section 10.5). Currently the MLID value is not
+validated.
+
+Add check to verify that the MLID value is in the correct address
+range.
+
+Fixes: 0c33aeedb2cf ("[IB] Add checks to multicast attach and detach")
+Reviewed-by: Ira Weiny
+Reviewed-by: Dasaratharaman Chandramouli
+Signed-off-by: Michael J. Ruhl
+Signed-off-by: Dennis Dalessandro
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/verbs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -1372,7 +1372,9 @@ int ib_attach_mcast(struct ib_qp *qp, un
+
+ if (!qp->device->attach_mcast)
+ return -ENOSYS;
+- if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD)
++ if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
++ lid < be16_to_cpu(IB_MULTICAST_LID_BASE) ||
++ lid == be16_to_cpu(IB_LID_PERMISSIVE))
+ return -EINVAL;
+
+ ret = qp->device->attach_mcast(qp, gid, lid);
+@@ -1388,7 +1390,9 @@ int ib_detach_mcast(struct ib_qp *qp, un
+
+ if (!qp->device->detach_mcast)
+ return -ENOSYS;
+- if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD)
++ if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
++ lid < be16_to_cpu(IB_MULTICAST_LID_BASE) ||
++ lid == be16_to_cpu(IB_LID_PERMISSIVE))
+ return -EINVAL;
+
+ ret = qp->device->detach_mcast(qp, gid, lid);
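Review bot: The three-clause validity test is duplicated verbatim in `ib_attach_mcast()` and `ib_detach_mcast()`, so a later correction to the accepted LID range can easily be applied to one copy and missed in the other, leaving attach and detach with different input validation. A small static helper in verbs.c, taking `lid` in the same type the two functions receive it and returning `lid >= be16_to_cpu(IB_MULTICAST_LID_BASE) && lid != be16_to_cpu(IB_LID_PERMISSIVE)`, would keep them in step. It would also be the natural place for a comment that the two constants are stored big-endian, which is why they are converted before comparison with the host-order `lid`. Both function bodies start and end outside the hunks.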
diff --git a/queue-4.4/ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch b/queue-4.4/ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch
new file mode 100644
index 00000000000..0b37b2561b5
--- /dev/null
+++ b/queue-4.4/ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch
@@ -0,0 +1,157 @@
+From 771a52584096c45e4565e8aabb596eece9d73d61 Mon Sep 17 00:00:00 2001
+From: Shamir Rabinovitch
+Date: Wed, 29 Mar 2017 06:21:59 -0400
+Subject: IB/IPoIB: ibX: failed to create mcg debug file
+
+From: Shamir Rabinovitch
+
+commit 771a52584096c45e4565e8aabb596eece9d73d61 upstream.
+
+When udev renames the netdev devices, ipoib debugfs entries does not
+get renamed. As a result, if subsequent probe of ipoib device reuse the
+name then creating a debugfs entry for the new device would fail.
+
+Also, moved ipoib_create_debug_files and ipoib_delete_debug_files as part
+of ipoib event handling in order to avoid any race condition between these.
+
+Fixes: 1732b0ef3b3a ([IPoIB] add path record information in debugfs)
+Signed-off-by: Vijay Kumar
+Signed-off-by: Shamir Rabinovitch
+Reviewed-by: Mark Bloch
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/ipoib/ipoib_fs.c | 3 ++
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 44 ++++++++++++++++++++++++++----
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 3 --
+ 3 files changed, 42 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+@@ -281,8 +281,11 @@ void ipoib_delete_debug_files(struct net
+ {
+ struct ipoib_dev_priv *priv = netdev_priv(dev);
+
++ WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n");
++ WARN_ONCE(!priv->path_dentry, "null path debug file\n");
+ debugfs_remove(priv->mcg_dentry);
+ debugfs_remove(priv->path_dentry);
++ priv->mcg_dentry = priv->path_dentry = NULL;
+ }
+
+ int ipoib_register_debugfs(void)
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -106,6 +106,33 @@ static struct ib_client ipoib_client = {
+ .get_net_dev_by_params = ipoib_get_net_dev_by_params,
+ };
+
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++static int ipoib_netdev_event(struct notifier_block *this,
++ unsigned long event, void *ptr)
++{
++ struct netdev_notifier_info *ni = ptr;
++ struct net_device *dev = ni->dev;
++
++ if (dev->netdev_ops->ndo_open != ipoib_open)
++ return NOTIFY_DONE;
++
++ switch (event) {
++ case NETDEV_REGISTER:
++ ipoib_create_debug_files(dev);
++ break;
++ case NETDEV_CHANGENAME:
++ ipoib_delete_debug_files(dev);
++ ipoib_create_debug_files(dev);
++ break;
++ case NETDEV_UNREGISTER:
++ ipoib_delete_debug_files(dev);
++ break;
++ }
++
++ return NOTIFY_DONE;
++}
++#endif
++
+ int ipoib_open(struct net_device *dev)
+ {
+ struct ipoib_dev_priv *priv = netdev_priv(dev);
+@@ -1595,8 +1622,6 @@ void ipoib_dev_cleanup(struct net_device
+
+ ASSERT_RTNL();
+
+- ipoib_delete_debug_files(dev);
+-
+ /* Delete any child interfaces first */
+ list_for_each_entry_safe(cpriv, tcpriv, &priv->child_intfs, list) {
+ /* Stop GC on child */
+@@ -1908,8 +1933,6 @@ static struct net_device *ipoib_add_port
+ goto register_failed;
+ }
+
+- ipoib_create_debug_files(priv->dev);
+-
+ if (ipoib_cm_add_mode_attr(priv->dev))
+ goto sysfs_failed;
+ if (ipoib_add_pkey_attr(priv->dev))
+@@ -1924,7 +1947,6 @@ static struct net_device *ipoib_add_port
+ return priv->dev;
+
+ sysfs_failed:
+- ipoib_delete_debug_files(priv->dev);
+ unregister_netdev(priv->dev);
+
+ register_failed:
+@@ -2006,6 +2028,12 @@ static void ipoib_remove_one(struct ib_d
+ kfree(dev_list);
+ }
+
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++static struct notifier_block ipoib_netdev_notifier = {
++ .notifier_call = ipoib_netdev_event,
++};
++#endif
++
+ static int __init ipoib_init_module(void)
+ {
+ int ret;
+@@ -2057,6 +2085,9 @@ static int __init ipoib_init_module(void
+ if (ret)
+ goto err_client;
+
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++ register_netdevice_notifier(&ipoib_netdev_notifier);
++#endif
+ return 0;
+
+ err_client:
+@@ -2074,6 +2105,9 @@ err_fs:
+
+ static void __exit ipoib_cleanup_module(void)
+ {
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++ unregister_netdevice_notifier(&ipoib_netdev_notifier);
++#endif
+ ipoib_netlink_fini();
+ ib_unregister_client(&ipoib_client);
+ ib_sa_unregister_client(&ipoib_sa_client);
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -85,8 +85,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
+ goto register_failed;
+ }
+
+- ipoib_create_debug_files(priv->dev);
+-
+ /* RTNL childs don't need proprietary sysfs entries */
+ if (type == IPOIB_LEGACY_CHILD) {
+ if (ipoib_cm_add_mode_attr(priv->dev))
+@@ -107,7 +105,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
+
+ sysfs_failed:
+ result = -ENOMEM;
+- ipoib_delete_debug_files(priv->dev);
+ unregister_netdevice(priv->dev);
+
+ register_failed:
diff --git a/queue-4.4/ib-mlx4-fix-ib-device-initialization-error-flow.patch b/queue-4.4/ib-mlx4-fix-ib-device-initialization-error-flow.patch
new file mode 100644
index 00000000000..75631296716
--- /dev/null
+++ b/queue-4.4/ib-mlx4-fix-ib-device-initialization-error-flow.patch
@@ -0,0 +1,34 @@
+From 99e68909d5aba1861897fe7afc3306c3c81b6de0 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein
+Date: Tue, 21 Mar 2017 12:57:05 +0200
+Subject: IB/mlx4: Fix ib device initialization error flow
+
+From: Jack Morgenstein
+
+commit 99e68909d5aba1861897fe7afc3306c3c81b6de0 upstream.
+
+In mlx4_ib_add, procedure mlx4_ib_alloc_eqs is called to allocate EQs.
+
+However, in the mlx4_ib_add error flow, procedure mlx4_ib_free_eqs is not
+called to free the allocated EQs.
+
+Fixes: e605b743f33d ("IB/mlx4: Increase the number of vectors (EQs) available for ULPs")
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx4/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -2491,6 +2491,7 @@ err_counter:
+ mlx4_ib_delete_counters_table(ibdev, &ibdev->counters_table[i]);
+
+ err_map:
++ mlx4_ib_free_eqs(dev, ibdev);
+ iounmap(ibdev->uar_map);
+
+ err_uar:
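Review bot: In the ipoib patch, `ipoib_init_module()` discards the return value of `register_netdevice_notifier(&ipoib_netdev_notifier)`, so a failed registration is silent and the module loads with no debugfs entries ever being created or renamed. Since the call sits directly before `return 0;`, the natural fix is `ret = register_netdevice_notifier(&ipoib_netdev_notifier);` followed by `if (ret)` and a jump to a new unwind label ahead of `err_client`, so the step that succeeded just before it is undone as well. Separately, the new `WARN_ONCE` checks in `ipoib_delete_debug_files()` will trigger whenever the earlier creation left a dentry NULL; the creation code is outside these hunks, so it should be confirmed whether that can happen on an ordinary failure rather than only on a bug. The function bodies start and end outside the hunks.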
diff --git a/queue-4.4/ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch b/queue-4.4/ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch
new file mode 100644
index 00000000000..1f0a674f8bd
--- /dev/null
+++ b/queue-4.4/ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch
@@ -0,0 +1,97 @@
+From fb7a91746af18b2ebf596778b38a709cdbc488d3 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein
+Date: Tue, 21 Mar 2017 12:57:06 +0200
+Subject: IB/mlx4: Reduce SRIOV multicast cleanup warning message to debug level
+
+From: Jack Morgenstein
+
+commit fb7a91746af18b2ebf596778b38a709cdbc488d3 upstream.
+
+A warning message during SRIOV multicast cleanup should have actually been
+a debug level message. The condition generating the warning does no harm
+and can fill the message log.
+
+In some cases, during testing, some tests were so intense as to swamp the
+message log with these warning messages, causing a stall in the console
+message log output task. This stall caused an NMI to be sent to all CPUs
+(so that they all dumped their stacks into the message log).
+Aside from the message flood causing an NMI, the tests all passed.
+
+Once the message flood which caused the NMI is removed (by reducing the
+warning message to debug level), the NMI no longer occurs.
+
+Sample message log (console log) output illustrating the flood and
+resultant NMI (snippets with comments and modified with ... instead
+of hex digits, to satisfy checkpatch.pl):
+
+ _mlx4_ib_mcg_port_cleanup: ... WARNING: group refcount 1!!!...
+ *** About 4000 almost identical lines in less than one second ***
+ _mlx4_ib_mcg_port_cleanup: ... WARNING: group refcount 1!!!...
+ INFO: rcu_sched detected stalls on CPUs/tasks: { 17} (...)
+ *** { 17} above indicates that CPU 17 was the one that stalled ***
+ sending NMI to all CPUs:
+ ...
+ NMI backtrace for cpu 17
+ CPU: 17 PID: 45909 Comm: kworker/17:2
+ Hardware name: HP ProLiant DL360p Gen8, BIOS P71 09/08/2013
+ Workqueue: events fb_flashcursor
+ task: ffff880478...... ti: ffff88064e...... task.ti: ffff88064e......
+ RIP: 0010:[ffffffff81......] [ffffffff81......] io_serial_in+0x15/0x20
+ RSP: 0018:ffff88064e257cb0 EFLAGS: 00000002
+ RAX: 0000000000...... RBX: ffffffff81...... RCX: 0000000000......
+ RDX: 0000000000...... RSI: 0000000000...... RDI: ffffffff81......
+ RBP: ffff88064e...... R08: ffffffff81...... R09: 0000000000......
+ R10: 0000000000...... R11: ffff88064e...... R12: 0000000000......
+ R13: 0000000000...... R14: ffffffff81...... R15: 0000000000......
+ FS: 0000000000......(0000) GS:ffff8804af......(0000) knlGS:000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080......
+ CR2: 00007f2a2f...... CR3: 0000000001...... CR4: 0000000000......
+ DR0: 0000000000...... DR1: 0000000000...... DR2: 0000000000......
+ DR3: 0000000000...... DR6: 00000000ff...... DR7: 0000000000......
+ Stack:
+ ffff88064e...... ffffffff81...... ffffffff81...... 0000000000......
+ ffffffff81...... ffff88064e...... ffffffff81...... ffffffff81......
+ ffffffff81...... ffff88064e...... ffffffff81...... 0000000000......
+ Call Trace:
+[] wait_for_xmitr+0x3b/0xa0
+[] serial8250_console_putchar+0x1c/0x30
+[] ? serial8250_console_write+0x140/0x140
+[] uart_console_write+0x3a/0x80
+[] serial8250_console_write+0xae/0x140
+[] call_console_drivers.constprop.15+0x91/0xf0
+[] console_unlock+0x3bf/0x400
+[] fb_flashcursor+0x5d/0x140
+[] ? bit_clear+0x120/0x120
+[] process_one_work+0x17b/0x470
+[] worker_thread+0x11b/0x400
+[] ? rescuer_thread+0x400/0x400
+[] kthread+0xcf/0xe0
+[] ? kthread_create_on_node+0x140/0x140
+[] ret_from_fork+0x58/0x90
+[] ? kthread_create_on_node+0x140/0x140
+Code: 48 89 e5 d3 e6 48 63 f6 48 03 77 10 8b 06 5d c3 66 0f 1f 44 00 00 66 66 66 6
+
+As indicated in the stack trace above, the console output task got swamped.
+
+Fixes: b9c5d6a64358 ("IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV")
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx4/mcg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/mcg.c
++++ b/drivers/infiniband/hw/mlx4/mcg.c
+@@ -1105,7 +1105,8 @@ static void _mlx4_ib_mcg_port_cleanup(st
+ while ((p = rb_first(&ctx->mcg_table)) != NULL) {
+ group = rb_entry(p, struct mcast_group, node);
+ if (atomic_read(&group->refcount))
+- mcg_warn_group(group, "group refcount %d!!! (pointer %p)\n", atomic_read(&group->refcount), group);
++ mcg_debug_group(group, "group refcount %d!!! (pointer %p)\n",
++ atomic_read(&group->refcount), group);
+
+ force_clean_group(group);
+ }
diff --git a/queue-4.4/padata-free-correct-variable.patch b/queue-4.4/padata-free-correct-variable.patch
new file mode 100644
index 00000000000..36e557934f6
--- /dev/null
+++ b/queue-4.4/padata-free-correct-variable.patch
@@ -0,0 +1,32 @@
+From 07a77929ba672d93642a56dc2255dd21e6e2290b Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Fri, 7 Apr 2017 02:33:30 +0200
+Subject: padata: free correct variable
+
+From: Jason A. Donenfeld
+
+commit 07a77929ba672d93642a56dc2255dd21e6e2290b upstream.
+
+The author meant to free the variable that was just allocated, instead
+of the one that failed to be allocated, but made a simple typo. This
+patch rectifies that.
+
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/padata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -357,7 +357,7 @@ static int padata_setup_cpumasks(struct
+
+ cpumask_and(pd->cpumask.pcpu, pcpumask, cpu_online_mask);
+ if (!alloc_cpumask_var(&pd->cpumask.cbcpu, GFP_KERNEL)) {
+- free_cpumask_var(pd->cpumask.cbcpu);
++ free_cpumask_var(pd->cpumask.pcpu);
+ return -ENOMEM;
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index f422c1f4a54..9640eda0fdf 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -26,3 +26,18 @@ block-fix-blk_integrity_register-to-use-template-s-interval_exp-if-not-0.patch crypto-algif_aead-require-setkey-before-accept-2.patch dm-era-save-spacemap-metadata-root-after-the-pre-commit.patch vfio-type1-remove-locked-page-accounting-workqueue.patch +ib-core-fix-sysfs-registration-error-flow.patch +ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch +ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch +ib-mlx4-fix-ib-device-initialization-error-flow.patch +ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch +ext4-evict-inline-data-when-writing-to-memory-map.patch +fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch +ceph-fix-memory-leak-in-__ceph_setxattr.patch +fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch +set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch +smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch +cifs-fix-mapping-of-sfm_space-and-sfm_period.patch +cifs-fix-cifs_ioc_get_mnt_info-oops.patch +cifs-add-misssing-sfm-mapping-for-doublequote.patch +padata-free-correct-variable.patch diff --git a/queue-4.4/set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch b/queue-4.4/set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch new file mode 100644 index 00000000000..56250fdefc1 --- /dev/null +++ b/queue-4.4/set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch 
@@ -0,0 +1,34 @@
+From 26c9cb668c7fbf9830516b75d8bee70b699ed449 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Tue, 2 May 2017 13:35:20 -0500
+Subject: Set unicode flag on cifs echo request to avoid Mac error
+
+From: Steve French
+
+commit 26c9cb668c7fbf9830516b75d8bee70b699ed449 upstream.
+
+Mac requires the unicode flag to be set for cifs, even for the smb
+echo request (which doesn't have strings).
+
+Without this Mac rejects the periodic echo requests (when mounting
+with cifs) that we use to check if server is down
+
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifssmb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -717,6 +717,9 @@ CIFSSMBEcho(struct TCP_Server_Info *serv
+ if (rc)
+ return rc;
+
++ if (server->capabilities & CAP_UNICODE)
++ smb->hdr.Flags2 |= SMBFLG2_UNICODE;
++
+ /* set up echo request */
+ smb->hdr.Tid = 0xffff;
+ smb->hdr.WordCount = 1;
diff --git a/queue-4.4/smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch b/queue-4.4/smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch
new file mode 100644
index 00000000000..1f0f760ca89
--- /dev/null
+++ b/queue-4.4/smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch
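Review bot: The added `smb->hdr.Flags2 |= SMBFLG2_UNICODE;` in CIFSSMBEcho has no comment saying why an echo request, which carries no strings, needs the Unicode flag; that rationale exists only in the commit message. I would put `/* Macs reject an echo without the unicode flag, even though echo has no strings */` above the `if (server->capabilities & CAP_UNICODE)` line, so the workaround is not later removed as dead code. CIFSSMBEcho starts and ends outside the hunk, so how Flags2 is initialised before this point is not visible here.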
@@ -0,0 +1,55 @@
+From 7db0a6efdc3e990cdfd4b24820d010e9eb7890ad Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Wed, 3 May 2017 21:12:20 -0500
+Subject: SMB3: Work around mount failure when using SMB3 dialect to Macs
+
+From: Steve French
+
+commit 7db0a6efdc3e990cdfd4b24820d010e9eb7890ad upstream.
+
+Macs send the maximum buffer size in response on ioctl to validate
+negotiate security information, which causes us to fail the mount
+as the response buffer is larger than the expected response.
+
+Changed ioctl response processing to allow for padding of validate
+negotiate ioctl response and limit the maximum response size to
+maximum buffer size.
+
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -564,8 +564,12 @@ int smb3_validate_negotiate(const unsign
+ }
+
+ if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
+- cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
+- return -EIO;
++ cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n",
++ rsplen);
++
++ /* relax check since Mac returns max bufsize allowed on ioctl */
++ if (rsplen > CIFSMaxBufSize)
++ return -EIO;
+ }
+
+ /* check validate negotiate info response matches what we got earlier */
+@@ -1518,8 +1522,12 @@ SMB2_ioctl(const unsigned int xid, struc
+ * than one credit. Windows typically sets this smaller, but for some
+ * ioctls it may be useful to allow server to send more. No point
+ * limiting what the server can send as long as fits in one credit
++ * Unfortunately - we can not handle more than CIFS_MAX_MSG_SIZE
++ * (by default, note that it can be overridden to make max larger)
++ * in responses (except for read responses which can be bigger.
++ * We may want to bump this limit up
+ */
+- req->MaxOutputResponse = cpu_to_le32(0xFF00); /* < 64K uses 1 credit */
++ req->MaxOutputResponse = cpu_to_le32(CIFSMaxBufSize);
+
+ if (is_fsctl)
+ req->Flags = cpu_to_le32(SMB2_0_IOCTL_IS_FSCTL);
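Review bot: The relaxed size check in smb3_validate_negotiate now rejects only responses larger than CIFSMaxBufSize, so a response shorter than `sizeof(struct validate_negotiate_info_rsp)` falls through to the comparison announced by the next comment (`check validate negotiate info response matches what we got earlier`). That comparison is outside the hunk, but if it reads the fixed-size response fields, a short reply from the server would be read past its end, in the very check that validates the negotiated security parameters. Keeping the lower bound preserves the Mac workaround: `if (rsplen > CIFSMaxBufSize || rsplen < sizeof(struct validate_negotiate_info_rsp)) return -EIO;`. Separately, the new SMB2_ioctl comment names CIFS_MAX_MSG_SIZE while the code uses CIFSMaxBufSize, and it leaves a parenthesis open; both functions extend beyond the hunk.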