From: Greg Kroah-Hartman Date: Fri, 12 Feb 2016 21:00:13 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v4.4.2~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8fa5171fda411540b4e7df475c2b5feae947cb34;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: fat-fix-fake_offset-handling-on-error-path.patch kernel-signal.c-unexport-sigsuspend.patch ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch ocfs2-fix-sgid-not-inherited-issue.patch proc-actually-make-proc_fd_permission-thread-friendly.patch remoteproc-avoid-stack-overflow-in-debugfs-file.patch sh64-fix-__nr_fgetxattr.patch
---
diff --git a/queue-3.14/fat-fix-fake_offset-handling-on-error-path.patch b/queue-3.14/fat-fix-fake_offset-handling-on-error-path.patch
new file mode 100644
index 00000000000..7a4fa2d5b16
--- /dev/null
+++ b/queue-3.14/fat-fix-fake_offset-handling-on-error-path.patch
@@ -0,0 +1,80 @@
+From 928a477102c4fc6739883415b66987207e3502f4 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi
+Date: Fri, 20 Nov 2015 15:57:15 -0800
+Subject: fat: fix fake_offset handling on error path
+
+From: OGAWA Hirofumi
+
+commit 928a477102c4fc6739883415b66987207e3502f4 upstream.
+
+For the root directory, . and .. are faked (using dir_emit_dots()) and
+ctx->pos is reset from 2 to 0.
+
+A corrupted root directory could cause fat_get_entry() to fail, but
+->iterate() (fat_readdir()) reports progress to the VFS (with ctx->pos
+rewound to 0), so any following calls to ->iterate() continue to return
+the same entries again and again.
+
+The result is that userspace will never see the end of the directory,
+causing e.g. 'ls' to hang in a getdents() loop.
+
+[hirofumi@mail.parknet.co.jp: cleanup and make sure to correct fake_offset]
+Reported-by: Vegard Nossum
+Tested-by: Vegard Nossum
+Signed-off-by: Richard Weinberger
+Signed-off-by: OGAWA Hirofumi
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fat/dir.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/fat/dir.c
++++ b/fs/fat/dir.c
+@@ -614,9 +614,9 @@ parse_record:
+ int status = fat_parse_long(inode, &cpos, &bh, &de,
+ &unicode, &nr_slots);
+ if (status < 0) {
+- ctx->pos = cpos;
++ bh = NULL;
+ ret = status;
+- goto out;
++ goto end_of_dir;
+ } else if (status == PARSE_INVALID)
+ goto record_end;
+ else if (status == PARSE_NOT_LONGNAME)
+@@ -658,8 +658,9 @@ parse_record:
+ fill_len = short_len;
+
+ start_filldir:
+- if (!fake_offset)
+- ctx->pos = cpos - (nr_slots + 1) * sizeof(struct msdos_dir_entry);
++ ctx->pos = cpos - (nr_slots + 1) * sizeof(struct msdos_dir_entry);
++ if (fake_offset && ctx->pos < 2)
++ ctx->pos = 2;
+
+ if (!memcmp(de->name, MSDOS_DOT, MSDOS_NAME)) {
+ if (!dir_emit_dot(file, ctx))
+@@ -685,14 +686,19 @@ record_end:
+ fake_offset = 0;
+ ctx->pos = cpos;
+ goto get_new;
++
+ end_of_dir:
+- ctx->pos = cpos;
++ if (fake_offset && cpos < 2)
++ ctx->pos = 2;
++ else
++ ctx->pos = cpos;
+ fill_failed:
+ brelse(bh);
+ if (unicode)
+ __putname(unicode);
+ out:
+ mutex_unlock(&sbi->s_lock);
++
+ return ret;
+ }
+
diff --git a/queue-3.14/kernel-signal.c-unexport-sigsuspend.patch b/queue-3.14/kernel-signal.c-unexport-sigsuspend.patch
new file mode 100644
index 00000000000..7d9c358e4e7
--- /dev/null
+++ b/queue-3.14/kernel-signal.c-unexport-sigsuspend.patch
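Review bot: The new `bh = NULL;` before `goto end_of_dir` in the first fs/fat/dir.c hunk carries no comment, and it is the one line on which the error path's memory safety rests: it presumably relies on fat_parse_long() having already released the buffer head on failure, so that the `brelse(bh)` reached via fill_failed does not release it a second time, but nothing in the hunk shows that contract. A one-line comment such as `/* fat_parse_long() already dropped bh on error; keep the brelse() at fill_failed a no-op */` would make the ownership hand-off explicit. The clamp of `ctx->pos` to 2 for the faked dot entries is now written twice (start_filldir and end_of_dir); a short note at either site that the root directory's position must never be rewound below 2 or the VFS keeps re-reading the same entries, as the description explains, would tie the two together. fat_readdir()'s body begins well before the first hunk.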
@@ -0,0 +1,64 @@
+From 9d8a765211335cfdad464b90fb19f546af5706ae Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Fri, 20 Nov 2015 15:57:21 -0800
+Subject: kernel/signal.c: unexport sigsuspend()
+
+From: Richard Weinberger
+
+commit 9d8a765211335cfdad464b90fb19f546af5706ae upstream.
+
+sigsuspend() is nowhere used except in signal.c itself, so we can mark it
+static do not pollute the global namespace.
+
+But this patch is more than a boring cleanup patch, it fixes a real issue
+on UserModeLinux. UML has a special console driver to display ttys using
+xterm, or other terminal emulators, on the host side. Vegard reported
+that sometimes UML is unable to spawn a xterm and he's facing the
+following warning:
+
+ WARNING: CPU: 0 PID: 908 at include/linux/thread_info.h:128 sigsuspend+0xab/0xc0()
+
+It turned out that this warning makes absolutely no sense as the UML
+xterm code calls sigsuspend() on the host side, at least it tries. But
+as the kernel itself offers a sigsuspend() symbol the linker choose this
+one instead of the glibc wrapper. Interestingly this code used to work
+since ever but always blocked signals on the wrong side. Some recent
+kernel change made the WARN_ON() trigger and uncovered the bug.
+
+It is a wonderful example of how much works by chance on computers. :-)
+
+Fixes: 68f3f16d9ad0f1 ("new helper: sigsuspend()")
+Signed-off-by: Richard Weinberger
+Reported-by: Vegard Nossum
+Tested-by: Vegard Nossum
+Acked-by: Oleg Nesterov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/signal.h | 1 -
+ kernel/signal.c | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/include/linux/signal.h
++++ b/include/linux/signal.h
+@@ -247,7 +247,6 @@ extern int sigprocmask(int, sigset_t *,
+ extern void set_current_blocked(sigset_t *);
+ extern void __set_current_blocked(const sigset_t *);
+ extern int show_unhandled_signals;
+-extern int sigsuspend(sigset_t *);
+
+ struct sigaction {
+ #ifndef __ARCH_HAS_IRIX_SIGACTION
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -3550,7 +3550,7 @@ SYSCALL_DEFINE0(pause)
+
+ #endif
+
+-int sigsuspend(sigset_t *set)
++static int sigsuspend(sigset_t *set)
+ {
+ current->saved_sigmask = current->blocked;
+ set_current_blocked(set);
diff --git a/queue-3.14/ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch b/queue-3.14/ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch
new file mode 100644
index 00000000000..23effbcfd35
--- /dev/null
+++ b/queue-3.14/ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch
@@ -0,0 +1,38 @@
+From c95a51807b730e4681e2ecbdfd669ca52601959e Mon Sep 17 00:00:00 2001
+From: xuejiufei
+Date: Fri, 5 Feb 2016 15:36:47 -0800
+Subject: ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup
+
+From: xuejiufei
+
+commit c95a51807b730e4681e2ecbdfd669ca52601959e upstream.
+
+When recovery master down, dlm_do_local_recovery_cleanup() only remove
+the $RECOVERY lock owned by dead node, but do not clear the refmap bit.
+Which will make umount thread falling in dead loop migrating $RECOVERY
+to the dead node.
+
+Signed-off-by: xuejiufei
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/dlm/dlmrecovery.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -2332,6 +2332,8 @@ static void dlm_do_local_recovery_cleanu
+ break;
+ }
+ }
++ dlm_lockres_clear_refmap_bit(dlm, res,
++ dead_node);
+ spin_unlock(&res->spinlock);
+ continue;
+ }
diff --git a/queue-3.14/ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch b/queue-3.14/ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch
new file mode 100644
index 00000000000..e9cf729bbcb
--- /dev/null
+++ b/queue-3.14/ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch
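Review bot: The added `dlm_lockres_clear_refmap_bit(dlm, res, dead_node);` in the dlmrecovery.c hunk sits inside a branch whose condition is outside the hunk, so a reader of the file cannot see why the bit is cleared only here; from the description this is the $RECOVERY-lockres branch, and the consequence of not clearing it is an unbounded migration loop at umount. A comment on the new call, such as `/* drop the dead node's refmap bit too, or umount keeps migrating $RECOVERY to it */`, would record that. The call is made while `res->spinlock` is still held, which is consistent with the `spin_unlock()` that follows; the enclosing loop of dlm_do_local_recovery_cleanup() starts before the hunk.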
@@ -0,0 +1,97 @@
+From bef5502de074b6f6fa647b94b73155d675694420 Mon Sep 17 00:00:00 2001
+From: xuejiufei
+Date: Thu, 14 Jan 2016 15:17:38 -0800
+Subject: ocfs2/dlm: ignore cleaning the migration mle that is inuse
+
+From: xuejiufei
+
+commit bef5502de074b6f6fa647b94b73155d675694420 upstream.
+
+We have found that migration source will trigger a BUG that the refcount
+of mle is already zero before put when the target is down during
+migration. The situation is as follows:
+
+dlm_migrate_lockres
+ dlm_add_migration_mle
+ dlm_mark_lockres_migrating
+ dlm_get_mle_inuse
+ <<<<<< Now the refcount of the mle is 2.
+ dlm_send_one_lockres and wait for the target to become the
+ new master.
+ <<<<<< o2hb detect the target down and clean the migration
+ mle. Now the refcount is 1.
+
+dlm_migrate_lockres woken, and put the mle twice when found the target
+goes down which trigger the BUG with the following message:
+
+ "ERROR: bad mle: ".
+
+Signed-off-by: Jiufei Xue
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/dlm/dlmmaster.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmmaster.c
++++ b/fs/ocfs2/dlm/dlmmaster.c
+@@ -2459,6 +2459,11 @@ static int dlm_migrate_lockres(struct dl
+ spin_lock(&dlm->master_lock);
+ ret = dlm_add_migration_mle(dlm, res, mle, &oldmle, name,
+ namelen, target, dlm->node_num);
++ /* get an extra reference on the mle.
++ * otherwise the assert_master from the new
++ * master will destroy this.
++ */
++ dlm_get_mle_inuse(mle);
+ spin_unlock(&dlm->master_lock);
+ spin_unlock(&dlm->spinlock);
+
+@@ -2494,6 +2499,7 @@ fail:
+ if (mle_added) {
+ dlm_mle_detach_hb_events(dlm, mle);
+ dlm_put_mle(mle);
++ dlm_put_mle_inuse(mle);
+ } else if (mle) {
+ kmem_cache_free(dlm_mle_cache, mle);
+ mle = NULL;
+@@ -2511,17 +2517,6 @@ fail:
+ * ensure that all assert_master work is flushed. */
+ flush_workqueue(dlm->dlm_worker);
+
+- /* get an extra reference on the mle.
+- * otherwise the assert_master from the new
+- * master will destroy this.
+- * also, make sure that all callers of dlm_get_mle
+- * take both dlm->spinlock and dlm->master_lock */
+- spin_lock(&dlm->spinlock);
+- spin_lock(&dlm->master_lock);
+- dlm_get_mle_inuse(mle);
+- spin_unlock(&dlm->master_lock);
+- spin_unlock(&dlm->spinlock);
+-
+ /* notify new node and send all lock state */
+ /* call send_one_lockres with migration flag.
+ * this serves as notice to the target node that a
+@@ -3246,6 +3241,15 @@ top:
+ mle->new_master != dead_node)
+ continue;
+
++ if (mle->new_master == dead_node && mle->inuse) {
++ mlog(ML_NOTICE, "%s: target %u died during "
++ "migration from %u, the MLE is "
++ "still keep used, ignore it!\n",
++ dlm->name, dead_node,
++ mle->master);
++ continue;
++ }
++
+ /* If we have reached this point, this mle needs to be
+ * removed from the list and freed. */
+ dlm_clean_migration_mle(dlm, mle);
diff --git a/queue-3.14/ocfs2-fix-sgid-not-inherited-issue.patch b/queue-3.14/ocfs2-fix-sgid-not-inherited-issue.patch
new file mode 100644
index 00000000000..39294861d58
--- /dev/null
+++ b/queue-3.14/ocfs2-fix-sgid-not-inherited-issue.patch
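Review bot: In the first dlmmaster.c hunk `dlm_get_mle_inuse(mle)` is now called straight after `dlm_add_migration_mle()` and before `ret` is examined, so the in-use reference is also taken when the add fails; the fail path in the second hunk frees an un-added mle with `kmem_cache_free()` directly, so nothing leaks if, as the flag name suggests, `mle_added` is only set on success, but the moved comment no longer says any of this. Extending it with `* taken before ret is checked: a failed add frees the mle outright in the fail path, so the extra ref is harmless there.` would save the next reader the same analysis, and the dropped sentence about callers of dlm_get_mle() holding both dlm->spinlock and dlm->master_lock is still true at the new site (both locks are visibly held) and worth keeping. The new mlog text `"still keep used, ignore it!\n"` reads awkwardly; `"still in use, ignoring it\n"` keeps the same format arguments. The `ret` check and the rest of dlm_migrate_lockres() lie outside the hunks.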
@@ -0,0 +1,44 @@
+From 854ee2e944b4daf795e32562a7d2f9e90ab5a6a8 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi
+Date: Fri, 11 Dec 2015 13:41:03 -0800
+Subject: ocfs2: fix SGID not inherited issue
+
+From: Junxiao Bi
+
+commit 854ee2e944b4daf795e32562a7d2f9e90ab5a6a8 upstream.
+
+Commit 8f1eb48758aa ("ocfs2: fix umask ignored issue") introduced an
+issue, SGID of sub dir was not inherited from its parents dir. It is
+because SGID is set into "inode->i_mode" in ocfs2_get_init_inode(), but
+is overwritten by "mode" which don't have SGID set later.
+
+Fixes: 8f1eb48758aa ("ocfs2: fix umask ignored issue")
+Signed-off-by: Junxiao Bi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Acked-by: Srinivas Eeda
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/namei.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -340,13 +340,11 @@ static int ocfs2_mknod(struct inode *dir
+ goto leave;
+ }
+
+- status = posix_acl_create(dir, &mode, &default_acl, &acl);
++ status = posix_acl_create(dir, &inode->i_mode, &default_acl, &acl);
+ if (status) {
+ mlog_errno(status);
+ goto leave;
+ }
+- /* update inode->i_mode after mask with "umask". */
+- inode->i_mode = mode;
+
+ handle = ocfs2_start_trans(osb, ocfs2_mknod_credits(osb->sb,
+ S_ISDIR(mode),
diff --git a/queue-3.14/proc-actually-make-proc_fd_permission-thread-friendly.patch b/queue-3.14/proc-actually-make-proc_fd_permission-thread-friendly.patch
new file mode 100644
index 00000000000..bcdceb7c2b5
--- /dev/null
+++ b/queue-3.14/proc-actually-make-proc_fd_permission-thread-friendly.patch
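Review bot: After the namei.c hunk the local `mode` no longer reflects the umask- and ACL-adjusted permission bits, since `posix_acl_create()` now updates `inode->i_mode` in place, yet `mode` is still passed to `S_ISDIR(mode)` in the `ocfs2_start_trans()` call at the end of the hunk and presumably further down. That is fine for the file-type bits, but nothing in the code says so, and the deleted comment was the only hint that the two values used to be reconciled here. A comment at the `posix_acl_create()` call such as `/* i_mode already carries the inherited SGID bit; from here on `mode` is only trusted for its S_IFMT bits */` would prevent the overwrite this commit removes from being reintroduced. The remainder of ocfs2_mknod() is outside the hunk.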
@@ -0,0 +1,53 @@
+From 54708d2858e79a2bdda10bf8a20c80eb96c20613 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Fri, 6 Nov 2015 16:30:06 -0800
+Subject: proc: actually make proc_fd_permission() thread-friendly
+
+From: Oleg Nesterov
+
+commit 54708d2858e79a2bdda10bf8a20c80eb96c20613 upstream.
+
+The commit 96d0df79f264 ("proc: make proc_fd_permission() thread-friendly")
+fixed the access to /proc/self/fd from sub-threads, but introduced another
+problem: a sub-thread can't access /proc//fd/ or /proc/thread-self/fd
+if generic_permission() fails.
+
+Change proc_fd_permission() to check same_thread_group(pid_task(), current).
+
+Fixes: 96d0df79f264 ("proc: make proc_fd_permission() thread-friendly")
+Reported-by: "Jin, Yihua"
+Signed-off-by: Oleg Nesterov
+Cc: "Eric W. Biederman"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/fd.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/proc/fd.c
++++ b/fs/proc/fd.c
+@@ -283,11 +283,19 @@ static struct dentry *proc_lookupfd(stru
+ */
+ int proc_fd_permission(struct inode *inode, int mask)
+ {
+- int rv = generic_permission(inode, mask);
++ struct task_struct *p;
++ int rv;
++
++ rv = generic_permission(inode, mask);
+ if (rv == 0)
+- return 0;
+- if (task_tgid(current) == proc_pid(inode))
++ return rv;
++
++ rcu_read_lock();
++ p = pid_task(proc_pid(inode), PIDTYPE_PID);
++ if (p && same_thread_group(p, current))
+ rv = 0;
++ rcu_read_unlock();
++
+ return rv;
+ }
+
diff --git a/queue-3.14/remoteproc-avoid-stack-overflow-in-debugfs-file.patch b/queue-3.14/remoteproc-avoid-stack-overflow-in-debugfs-file.patch
new file mode 100644
index 00000000000..694732e8e39
--- /dev/null
+++ b/queue-3.14/remoteproc-avoid-stack-overflow-in-debugfs-file.patch
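Review bot: The comment block whose closing ` */` is the first context line of the fs/proc/fd.c hunk (its text is outside the hunk) predates this change and may still describe the old tgid comparison, while the new code is the only place a `generic_permission()` denial is turned into a grant, and it now does so for any thread of the process the inode refers to. Since this is an access-control decision, it deserves to be stated next to the code, e.g. `/* Every thread of the owning process may access its fd directory even if generic_permission() denied it; the lookup is under RCU and a task that is gone (NULL) keeps the denial. */`. The `p &&` guard is what preserves the denial when `pid_task()` returns NULL; saying so keeps a future cleanup from dropping it.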
@@ -0,0 +1,40 @@
+From 92792e48e2ae6051af30468a87994b5432da2f06 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 20 Nov 2015 18:26:07 +0100
+Subject: remoteproc: avoid stack overflow in debugfs file
+
+From: Arnd Bergmann
+
+commit 92792e48e2ae6051af30468a87994b5432da2f06 upstream.
+
+Recent gcc versions warn about reading from a negative offset of
+an on-stack array:
+
+drivers/remoteproc/remoteproc_debugfs.c: In function 'rproc_recovery_write':
+drivers/remoteproc/remoteproc_debugfs.c:167:9: warning: 'buf[4294967295u]' may be used uninitialized in this function [-Wmaybe-uninitialized]
+
+I don't see anything in sys_write() that prevents us from
+being called with a zero 'count' argument, so we should
+add an extra check in rproc_recovery_write() to prevent the
+access and avoid the warning.
+
+Signed-off-by: Arnd Bergmann
+Fixes: 2e37abb89a2e ("remoteproc: create a 'recovery' debugfs entry")
+Signed-off-by: Ohad Ben-Cohen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/remoteproc/remoteproc_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/remoteproc_debugfs.c
++++ b/drivers/remoteproc/remoteproc_debugfs.c
+@@ -156,7 +156,7 @@ rproc_recovery_write(struct file *filp,
+ char buf[10];
+ int ret;
+
+- if (count > sizeof(buf))
++ if (count < 1 || count > sizeof(buf))
+ return count;
+
+ ret = copy_from_user(buf, user_buf, count);
diff --git a/queue-3.14/series b/queue-3.14/series
index 1cd87e6454f..e81a4579c24 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
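Review bot: The changed bounds check in the remoteproc_debugfs.c hunk still answers a rejected length with `return count;`, so a zero-length or oversized write is reported to userspace as fully consumed although nothing was parsed; the upstream fix kept that behaviour and a stable backport should not widen it, but the line is easy to misread as an error return. A comment on it, `/* out-of-range length: report it consumed rather than fail (historical behaviour) */`, would make the intent clear to whoever next touches it. The `buf[count - 1]` access that motivated the `count < 1` guard, per the description, lies further down in rproc_recovery_write(), outside the hunk.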
@@ -4,3 +4,11 @@ crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch
 dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch
 drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch
 hid-usbhid-fix-recursive-deadlock.patch
+proc-actually-make-proc_fd_permission-thread-friendly.patch
+remoteproc-avoid-stack-overflow-in-debugfs-file.patch
+fat-fix-fake_offset-handling-on-error-path.patch
+kernel-signal.c-unexport-sigsuspend.patch
+ocfs2-fix-sgid-not-inherited-issue.patch
+ocfs2-dlm-ignore-cleaning-the-migration-mle-that-is-inuse.patch
+ocfs2-dlm-clear-refmap-bit-of-recovery-lock-while-doing-local-recovery-cleanup.patch
+sh64-fix-__nr_fgetxattr.patch
diff --git a/queue-3.14/sh64-fix-__nr_fgetxattr.patch b/queue-3.14/sh64-fix-__nr_fgetxattr.patch
new file mode 100644
index 00000000000..b2d552c69df
--- /dev/null
+++ b/queue-3.14/sh64-fix-__nr_fgetxattr.patch
@@ -0,0 +1,37 @@
+From 2d33fa1059da4c8e816627a688d950b613ec0474 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Fri, 11 Dec 2015 13:41:06 -0800
+Subject: sh64: fix __NR_fgetxattr
+
+From: Dmitry V. Levin
+
+commit 2d33fa1059da4c8e816627a688d950b613ec0474 upstream.
+
+According to arch/sh/kernel/syscalls_64.S and common sense, __NR_fgetxattr
+has to be defined to 259, but it doesn't. Instead, it's defined to 269,
+which is of course used by another syscall, __NR_sched_setaffinity in this
+case.
+
+This bug was found by strace test suite.
+
+Signed-off-by: Dmitry V. Levin
+Acked-by: Geert Uytterhoeven
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/sh/include/uapi/asm/unistd_64.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/include/uapi/asm/unistd_64.h
++++ b/arch/sh/include/uapi/asm/unistd_64.h
+@@ -278,7 +278,7 @@
+ #define __NR_fsetxattr 256
+ #define __NR_getxattr 257
+ #define __NR_lgetxattr 258
+-#define __NR_fgetxattr 269
++#define __NR_fgetxattr 259
+ #define __NR_listxattr 260
+ #define __NR_llistxattr 261
+ #define __NR_flistxattr 262