From: Greg Kroah-Hartman Date: Thu, 20 Oct 2016 15:53:06 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.7.10~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b6dbca89ac1a9e65294c953ee2aa7bc0bcecb177;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-ghash-generic-move-common-definitions-to-a-new-header-file.patch crypto-vmx-fix-memory-corruption-caused-by-p8_ghash.patch dlm-free-workqueues-after-the-connections.patch ext4-allow-dax-writeback-for-hole-punch.patch ext4-enforce-online-defrag-restriction-for-encrypted-files.patch ext4-fix-memory-leak-in-ext4_insert_range.patch ext4-reinforce-check-of-i_dtime-when-clearing-high-fields-of-uid-and-gid.patch ext4-release-bh-in-make_indexed_dir.patch scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch scsi-arcmsr-simplify-user_len-checking.patch scsi-ibmvfc-fix-i-o-hang-when-port-is-not-mapped.patch vfs-move-permission-checking-into-notify_change-for-utimes-null.patch --- diff --git a/queue-4.4/crypto-ghash-generic-move-common-definitions-to-a-new-header-file.patch b/queue-4.4/crypto-ghash-generic-move-common-definitions-to-a-new-header-file.patch new file mode 100644 index 00000000000..2944d88cc60 --- /dev/null +++ b/queue-4.4/crypto-ghash-generic-move-common-definitions-to-a-new-header-file.patch @@ -0,0 +1,76 @@ +From a397ba829d7f8aff4c90af3704573a28ccd61a59 Mon Sep 17 00:00:00 2001 +From: Marcelo Cerri +Date: Wed, 28 Sep 2016 13:42:09 -0300 +Subject: crypto: ghash-generic - move common definitions to a new header file + +From: Marcelo Cerri + +commit a397ba829d7f8aff4c90af3704573a28ccd61a59 upstream. + +Move common values and types used by ghash-generic to a new header file +so drivers can directly use ghash-generic as a fallback implementation. + +Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module") +Signed-off-by: Marcelo Cerri +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ghash-generic.c | 13 +------------ + include/crypto/ghash.h | 23 +++++++++++++++++++++++ + 2 files changed, 24 insertions(+), 12 deletions(-) + +--- a/crypto/ghash-generic.c ++++ b/crypto/ghash-generic.c +@@ -14,24 +14,13 @@ + + #include + #include ++#include + #include + #include + #include + #include + #include + +-#define GHASH_BLOCK_SIZE 16 +-#define GHASH_DIGEST_SIZE 16 +- +-struct ghash_ctx { +- struct gf128mul_4k *gf128; +-}; +- +-struct ghash_desc_ctx { +- u8 buffer[GHASH_BLOCK_SIZE]; +- u32 bytes; +-}; +- + static int ghash_init(struct shash_desc *desc) + { + struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); +--- /dev/null ++++ b/include/crypto/ghash.h +@@ -0,0 +1,23 @@ ++/* ++ * Common values for GHASH algorithms ++ */ ++ ++#ifndef __CRYPTO_GHASH_H__ ++#define __CRYPTO_GHASH_H__ ++ ++#include ++#include ++ ++#define GHASH_BLOCK_SIZE 16 ++#define GHASH_DIGEST_SIZE 16 ++ ++struct ghash_ctx { ++ struct gf128mul_4k *gf128; ++}; ++ ++struct ghash_desc_ctx { ++ u8 buffer[GHASH_BLOCK_SIZE]; ++ u32 bytes; ++}; ++ ++#endif diff --git a/queue-4.4/crypto-vmx-fix-memory-corruption-caused-by-p8_ghash.patch b/queue-4.4/crypto-vmx-fix-memory-corruption-caused-by-p8_ghash.patch new file mode 100644 index 00000000000..2bf48ee5bd1 --- /dev/null +++ b/queue-4.4/crypto-vmx-fix-memory-corruption-caused-by-p8_ghash.patch @@ -0,0 +1,103 @@ +From 80da44c29d997e28c4442825f35f4ac339813877 Mon Sep 17 00:00:00 2001 +From: Marcelo Cerri +Date: Wed, 28 Sep 2016 13:42:10 -0300 +Subject: crypto: vmx - Fix memory corruption caused by p8_ghash + +From: Marcelo Cerri + +commit 80da44c29d997e28c4442825f35f4ac339813877 upstream. + +This patch changes the p8_ghash driver to use ghash-generic as a fixed +fallback implementation. This allows the correct value of descsize to be +defined directly in its shash_alg structure and avoids problems with +incorrect buffer sizes when its state is exported or imported. + +Reported-by: Jan Stancek +Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module") +Signed-off-by: Marcelo Cerri +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/vmx/ghash.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/drivers/crypto/vmx/ghash.c ++++ b/drivers/crypto/vmx/ghash.c +@@ -26,16 +26,13 @@ + #include + #include + #include ++#include + #include + #include + #include + + #define IN_INTERRUPT in_interrupt() + +-#define GHASH_BLOCK_SIZE (16) +-#define GHASH_DIGEST_SIZE (16) +-#define GHASH_KEY_LEN (16) +- + void gcm_init_p8(u128 htable[16], const u64 Xi[2]); + void gcm_gmult_p8(u64 Xi[2], const u128 htable[16]); + void gcm_ghash_p8(u64 Xi[2], const u128 htable[16], +@@ -55,16 +52,11 @@ struct p8_ghash_desc_ctx { + + static int p8_ghash_init_tfm(struct crypto_tfm *tfm) + { +- const char *alg; ++ const char *alg = "ghash-generic"; + struct crypto_shash *fallback; + struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm); + struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm); + +- if (!(alg = crypto_tfm_alg_name(tfm))) { +- printk(KERN_ERR "Failed to get algorithm name.\n"); +- return -ENOENT; +- } +- + fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK); + if (IS_ERR(fallback)) { + printk(KERN_ERR +@@ -78,10 +70,18 @@ static int p8_ghash_init_tfm(struct cryp + crypto_shash_set_flags(fallback, + crypto_shash_get_flags((struct crypto_shash + *) tfm)); +- ctx->fallback = fallback; + +- shash_tfm->descsize = sizeof(struct p8_ghash_desc_ctx) +- + crypto_shash_descsize(fallback); ++ /* Check if the descsize defined in the algorithm is still enough. */ ++ if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx) ++ + crypto_shash_descsize(fallback)) { ++ printk(KERN_ERR ++ "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n", ++ alg, ++ shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx), ++ crypto_shash_descsize(fallback)); ++ return -EINVAL; ++ } ++ ctx->fallback = fallback; + + return 0; + } +@@ -113,7 +113,7 @@ static int p8_ghash_setkey(struct crypto + { + struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm)); + +- if (keylen != GHASH_KEY_LEN) ++ if (keylen != GHASH_BLOCK_SIZE) + return -EINVAL; + + preempt_disable(); +@@ -215,7 +215,8 @@ struct shash_alg p8_ghash_alg = { + .update = p8_ghash_update, + .final = p8_ghash_final, + .setkey = p8_ghash_setkey, +- .descsize = sizeof(struct p8_ghash_desc_ctx), ++ .descsize = sizeof(struct p8_ghash_desc_ctx) ++ + sizeof(struct ghash_desc_ctx), + .base = { + .cra_name = "ghash", + .cra_driver_name = "p8_ghash", diff --git a/queue-4.4/dlm-free-workqueues-after-the-connections.patch b/queue-4.4/dlm-free-workqueues-after-the-connections.patch new file mode 100644 index 00000000000..3077abe170d --- /dev/null +++ b/queue-4.4/dlm-free-workqueues-after-the-connections.patch @@ -0,0 +1,51 @@ +From 3a8db79889ce16930aff19b818f5b09651bb7644 Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner +Date: Sat, 8 Oct 2016 10:14:37 -0300 +Subject: dlm: free workqueues after the connections + +From: Marcelo Ricardo Leitner + +commit 3a8db79889ce16930aff19b818f5b09651bb7644 upstream. + +After backporting commit ee44b4bc054a ("dlm: use sctp 1-to-1 API") +series to a kernel with an older workqueue which didn't use RCU yet, it +was noticed that we are freeing the workqueues in dlm_lowcomms_stop() +too early as free_conn() will try to access that memory for canceling +the queued works if any. + +This issue was introduced by commit 0d737a8cfd83 as before it such +attempt to cancel the queued works wasn't performed, so the issue was +not present. + +This patch fixes it by simply inverting the free order. + +Fixes: 0d737a8cfd83 ("dlm: fix race while closing connections") +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dlm/lowcomms.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -1607,16 +1607,12 @@ void dlm_lowcomms_stop(void) + mutex_lock(&connections_lock); + dlm_allow_conn = 0; + foreach_conn(stop_conn); ++ clean_writequeues(); ++ foreach_conn(free_conn); + mutex_unlock(&connections_lock); + + work_stop(); + +- mutex_lock(&connections_lock); +- clean_writequeues(); +- +- foreach_conn(free_conn); +- +- mutex_unlock(&connections_lock); + kmem_cache_destroy(con_cache); + } + diff --git a/queue-4.4/ext4-allow-dax-writeback-for-hole-punch.patch b/queue-4.4/ext4-allow-dax-writeback-for-hole-punch.patch new file mode 100644 index 00000000000..89a22888264 --- /dev/null +++ b/queue-4.4/ext4-allow-dax-writeback-for-hole-punch.patch @@ -0,0 +1,43 @@ +From cca32b7eeb4ea24fa6596650e06279ad9130af98 Mon Sep 17 00:00:00 2001 +From: Ross Zwisler +Date: Thu, 22 Sep 2016 11:49:38 -0400 +Subject: ext4: allow DAX writeback for hole punch + +From: Ross Zwisler + +commit cca32b7eeb4ea24fa6596650e06279ad9130af98 upstream. + +Currently when doing a DAX hole punch with ext4 we fail to do a writeback. +This is because the logic around filemap_write_and_wait_range() in +ext4_punch_hole() only looks for dirty page cache pages in the radix tree, +not for dirty DAX exceptional entries. + +Signed-off-by: Ross Zwisler +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3645,7 +3645,7 @@ int ext4_update_disksize_before_punch(st + } + + /* +- * ext4_punch_hole: punches a hole in a file by releaseing the blocks ++ * ext4_punch_hole: punches a hole in a file by releasing the blocks + * associated with the given offset and length + * + * @inode: File inode +@@ -3674,7 +3674,7 @@ int ext4_punch_hole(struct inode *inode, + * Write out all dirty pages to avoid race conditions + * Then release them. + */ +- if (mapping->nrpages && mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) { ++ if (mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) { + ret = filemap_write_and_wait_range(mapping, offset, + offset + length - 1); + if (ret) diff --git a/queue-4.4/ext4-enforce-online-defrag-restriction-for-encrypted-files.patch b/queue-4.4/ext4-enforce-online-defrag-restriction-for-encrypted-files.patch new file mode 100644 index 00000000000..da76d8932d3 --- /dev/null +++ b/queue-4.4/ext4-enforce-online-defrag-restriction-for-encrypted-files.patch @@ -0,0 +1,42 @@ +From 14fbd4aa613bd5110556c281799ce36dc6f3ba97 Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Mon, 29 Aug 2016 15:45:11 -0400 +Subject: ext4: enforce online defrag restriction for encrypted files + +From: Eric Whitney + +commit 14fbd4aa613bd5110556c281799ce36dc6f3ba97 upstream. + +Online defragging of encrypted files is not currently implemented. +However, the move extent ioctl can still return successfully when +called. For example, this occurs when xfstest ext4/020 is run on an +encrypted file system, resulting in a corrupted test file and a +corresponding test failure. + +Until the proper functionality is implemented, fail the move extent +ioctl if either the original or donor file is encrypted. + +Signed-off-by: Eric Whitney +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/move_extent.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ext4/move_extent.c ++++ b/fs/ext4/move_extent.c +@@ -598,6 +598,13 @@ ext4_move_extents(struct file *o_filp, s + return -EOPNOTSUPP; + } + ++ if (ext4_encrypted_inode(orig_inode) || ++ ext4_encrypted_inode(donor_inode)) { ++ ext4_msg(orig_inode->i_sb, KERN_ERR, ++ "Online defrag not supported for encrypted files"); ++ return -EOPNOTSUPP; ++ } ++ + /* Protect orig and donor inodes against a truncate */ + lock_two_nondirectories(orig_inode, donor_inode); + diff --git a/queue-4.4/ext4-fix-memory-leak-in-ext4_insert_range.patch b/queue-4.4/ext4-fix-memory-leak-in-ext4_insert_range.patch new file mode 100644 index 00000000000..51d60fcfae3 --- /dev/null +++ b/queue-4.4/ext4-fix-memory-leak-in-ext4_insert_range.patch @@ -0,0 +1,50 @@ +From edf15aa180d7b98fe16bd3eda42f9dd0e60dee20 Mon Sep 17 00:00:00 2001 +From: Fabian Frederick +Date: Thu, 15 Sep 2016 11:39:52 -0400 +Subject: ext4: fix memory leak in ext4_insert_range() + +From: Fabian Frederick + +commit edf15aa180d7b98fe16bd3eda42f9dd0e60dee20 upstream. + +Running xfstests generic/013 with kmemleak gives the following: + +unreferenced object 0xffff8801d3d27de0 (size 96): + comm "fsstress", pid 4941, jiffies 4294860168 (age 53.485s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x23/0x40 + [] __kmalloc+0xf5/0x1d0 + [] ext4_find_extent+0x1ec/0x2f0 + [] ext4_insert_range+0x34c/0x4a0 + [] ext4_fallocate+0x4e2/0x8b0 + [] vfs_fallocate+0x134/0x210 + [] SyS_fallocate+0x3f/0x60 + [] entry_SYSCALL_64_fastpath+0x13/0x8f + [] 0xffffffffffffffff + +Problem seems mitigated by dropping refs and freeing path +when there's no path[depth].p_ext + +Signed-off-by: Fabian Frederick +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5738,6 +5738,9 @@ int ext4_insert_range(struct inode *inod + up_write(&EXT4_I(inode)->i_data_sem); + goto out_stop; + } ++ } else { ++ ext4_ext_drop_refs(path); ++ kfree(path); + } + + ret = ext4_es_remove_extent(inode, offset_lblk, diff --git a/queue-4.4/ext4-reinforce-check-of-i_dtime-when-clearing-high-fields-of-uid-and-gid.patch b/queue-4.4/ext4-reinforce-check-of-i_dtime-when-clearing-high-fields-of-uid-and-gid.patch new file mode 100644 index 00000000000..7c5c1c1c5a5 --- /dev/null +++ b/queue-4.4/ext4-reinforce-check-of-i_dtime-when-clearing-high-fields-of-uid-and-gid.patch @@ -0,0 +1,53 @@ +From 93e3b4e6631d2a74a8cf7429138096862ff9f452 Mon Sep 17 00:00:00 2001 +From: Daeho Jeong +Date: Mon, 5 Sep 2016 22:56:10 -0400 +Subject: ext4: reinforce check of i_dtime when clearing high fields of uid and gid + +From: Daeho Jeong + +commit 93e3b4e6631d2a74a8cf7429138096862ff9f452 upstream. + +Now, ext4_do_update_inode() clears high 16-bit fields of uid/gid +of deleted and evicted inode to fix up interoperability with old +kernels. However, it checks only i_dtime of an inode to determine +whether the inode was deleted and evicted, and this is very risky, +because i_dtime can be used for the pointer maintaining orphan inode +list, too. We need to further check whether the i_dtime is being +used for the orphan inode list even if the i_dtime is not NULL. + +We found that high 16-bit fields of uid/gid of inode are unintentionally +and permanently cleared when the inode truncation is just triggered, +but not finished, and the inode metadata, whose high uid/gid bits are +cleared, is written on disk, and the sudden power-off follows that +in order. + +Signed-off-by: Daeho Jeong +Signed-off-by: Hobin Woo +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4549,14 +4549,14 @@ static int ext4_do_update_inode(handle_t + * Fix up interoperability with old kernels. Otherwise, old inodes get + * re-used with the upper 16 bits of the uid/gid intact + */ +- if (!ei->i_dtime) { ++ if (ei->i_dtime && list_empty(&ei->i_orphan)) { ++ raw_inode->i_uid_high = 0; ++ raw_inode->i_gid_high = 0; ++ } else { + raw_inode->i_uid_high = + cpu_to_le16(high_16_bits(i_uid)); + raw_inode->i_gid_high = + cpu_to_le16(high_16_bits(i_gid)); +- } else { +- raw_inode->i_uid_high = 0; +- raw_inode->i_gid_high = 0; + } + } else { + raw_inode->i_uid_low = cpu_to_le16(fs_high2lowuid(i_uid)); diff --git a/queue-4.4/ext4-release-bh-in-make_indexed_dir.patch b/queue-4.4/ext4-release-bh-in-make_indexed_dir.patch new file mode 100644 index 00000000000..d88a842e9ad --- /dev/null +++ b/queue-4.4/ext4-release-bh-in-make_indexed_dir.patch @@ -0,0 +1,64 @@ +From e81d44778d1d57bbaef9e24c4eac7c8a7a401d40 Mon Sep 17 00:00:00 2001 +From: gmail +Date: Fri, 30 Sep 2016 01:33:37 -0400 +Subject: ext4: release bh in make_indexed_dir + +From: gmail + +commit e81d44778d1d57bbaef9e24c4eac7c8a7a401d40 upstream. + +The commit 6050d47adcad: "ext4: bail out from make_indexed_dir() on +first error" could end up leaking bh2 in the error path. + +[ Also avoid renaming bh2 to bh, which just confuses things --tytso ] + +Signed-off-by: yangsheng +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/namei.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2017,33 +2017,31 @@ static int make_indexed_dir(handle_t *ha + frame->entries = entries; + frame->at = entries; + frame->bh = bh; +- bh = bh2; + + retval = ext4_handle_dirty_dx_node(handle, dir, frame->bh); + if (retval) + goto out_frames; +- retval = ext4_handle_dirty_dirent_node(handle, dir, bh); ++ retval = ext4_handle_dirty_dirent_node(handle, dir, bh2); + if (retval) + goto out_frames; + +- de = do_split(handle,dir, &bh, frame, &fname->hinfo); ++ de = do_split(handle,dir, &bh2, frame, &fname->hinfo); + if (IS_ERR(de)) { + retval = PTR_ERR(de); + goto out_frames; + } +- dx_release(frames); + +- retval = add_dirent_to_buf(handle, fname, dir, inode, de, bh); +- brelse(bh); +- return retval; ++ retval = add_dirent_to_buf(handle, fname, dir, inode, de, bh2); + out_frames: + /* + * Even if the block split failed, we have to properly write + * out all the changes we did so far. Otherwise we can end up + * with corrupted filesystem. + */ +- ext4_mark_inode_dirty(handle, dir); ++ if (retval) ++ ext4_mark_inode_dirty(handle, dir); + dx_release(frames); ++ brelse(bh2); + return retval; + } + diff --git a/queue-4.4/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch b/queue-4.4/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch new file mode 100644 index 00000000000..bd166427a97 --- /dev/null +++ b/queue-4.4/scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch @@ -0,0 +1,46 @@ +From 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 15 Sep 2016 16:44:56 +0300 +Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() + +From: Dan Carpenter + +commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 upstream. + +We need to put an upper bound on "user_len" so the memcpy() doesn't +overflow. + +Reported-by: Marco Grassi +Signed-off-by: Dan Carpenter +Reviewed-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/arcmsr/arcmsr_hba.c ++++ b/drivers/scsi/arcmsr/arcmsr_hba.c +@@ -2297,7 +2297,8 @@ static int arcmsr_iop_message_xfer(struc + } + case ARCMSR_MESSAGE_WRITE_WQBUFFER: { + unsigned char *ver_addr; +- int32_t user_len, cnt2end; ++ uint32_t user_len; ++ int32_t cnt2end; + uint8_t *pQbuffer, *ptmpuserbuffer; + ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); + if (!ver_addr) { +@@ -2306,6 +2307,11 @@ static int arcmsr_iop_message_xfer(struc + } + ptmpuserbuffer = ver_addr; + user_len = pcmdmessagefld->cmdmessage.Length; ++ if (user_len > ARCMSR_API_DATA_BUFLEN) { ++ retvalue = ARCMSR_MESSAGE_FAIL; ++ kfree(ver_addr); ++ goto message_out; ++ } + memcpy(ptmpuserbuffer, + pcmdmessagefld->messagedatabuffer, user_len); + spin_lock_irqsave(&acb->wqbuffer_lock, flags); diff --git a/queue-4.4/scsi-arcmsr-simplify-user_len-checking.patch b/queue-4.4/scsi-arcmsr-simplify-user_len-checking.patch new file mode 100644 index 00000000000..b54b9476e69 --- /dev/null +++ b/queue-4.4/scsi-arcmsr-simplify-user_len-checking.patch @@ -0,0 +1,56 @@ +From 4bd173c30792791a6daca8c64793ec0a4ae8324f Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Fri, 23 Sep 2016 13:22:26 +0200 +Subject: scsi: arcmsr: Simplify user_len checking + +From: Borislav Petkov + +commit 4bd173c30792791a6daca8c64793ec0a4ae8324f upstream. + +Do the user_len check first and then the ver_addr allocation so that we +can save us the kfree() on the error path when user_len is > +ARCMSR_API_DATA_BUFLEN. + +Signed-off-by: Borislav Petkov +Cc: Marco Grassi +Cc: Dan Carpenter +Cc: Tomas Henzl +Cc: Martin K. Petersen +Reviewed-by: Johannes Thumshirn +Reviewed-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/arcmsr/arcmsr_hba.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/arcmsr/arcmsr_hba.c ++++ b/drivers/scsi/arcmsr/arcmsr_hba.c +@@ -2300,18 +2300,20 @@ static int arcmsr_iop_message_xfer(struc + uint32_t user_len; + int32_t cnt2end; + uint8_t *pQbuffer, *ptmpuserbuffer; +- ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); +- if (!ver_addr) { ++ ++ user_len = pcmdmessagefld->cmdmessage.Length; ++ if (user_len > ARCMSR_API_DATA_BUFLEN) { + retvalue = ARCMSR_MESSAGE_FAIL; + goto message_out; + } +- ptmpuserbuffer = ver_addr; +- user_len = pcmdmessagefld->cmdmessage.Length; +- if (user_len > ARCMSR_API_DATA_BUFLEN) { ++ ++ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); ++ if (!ver_addr) { + retvalue = ARCMSR_MESSAGE_FAIL; +- kfree(ver_addr); + goto message_out; + } ++ ptmpuserbuffer = ver_addr; ++ + memcpy(ptmpuserbuffer, + pcmdmessagefld->messagedatabuffer, user_len); + spin_lock_irqsave(&acb->wqbuffer_lock, flags); diff --git a/queue-4.4/scsi-ibmvfc-fix-i-o-hang-when-port-is-not-mapped.patch b/queue-4.4/scsi-ibmvfc-fix-i-o-hang-when-port-is-not-mapped.patch new file mode 100644 index 00000000000..d8550322d76 --- /dev/null +++ b/queue-4.4/scsi-ibmvfc-fix-i-o-hang-when-port-is-not-mapped.patch @@ -0,0 +1,36 @@ +From 07d0e9a847401ffd2f09bd450d41644cd090e81d Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Mon, 19 Sep 2016 08:59:19 -0500 +Subject: scsi: ibmvfc: Fix I/O hang when port is not mapped + +From: Brian King + +commit 07d0e9a847401ffd2f09bd450d41644cd090e81d upstream. + +If a VFC port gets unmapped in the VIOS, it may not respond with a CRQ +init complete following H_REG_CRQ. If this occurs, we can end up having +called scsi_block_requests and not a resulting unblock until the init +complete happens, which may never occur, and we end up hanging I/O +requests. This patch ensures the host action stay set to +IBMVFC_HOST_ACTION_TGT_DEL so we move all rports into devloss state and +unblock unless we receive an init complete. + +Signed-off-by: Brian King +Acked-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -717,7 +717,6 @@ static int ibmvfc_reset_crq(struct ibmvf + spin_lock_irqsave(vhost->host->host_lock, flags); + vhost->state = IBMVFC_NO_CRQ; + vhost->logged_in = 0; +- ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_NONE); + + /* Clean out the queue */ + memset(crq->msgs, 0, PAGE_SIZE); diff --git a/queue-4.4/series b/queue-4.4/series index efc3af2190a..9ce2174e845 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -10,3 +10,15 @@ asoc-intel-atom-add-a-missing-star-in-a-memcpy-call.patch reiserfs-unlock-superblock-before-calling-reiserfs_quota_on_mount.patch reiserfs-switch-to-generic_-get-set-remove-xattr.patch async_pq_val-fix-dma-memory-leak.patch +scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch +scsi-arcmsr-simplify-user_len-checking.patch +scsi-ibmvfc-fix-i-o-hang-when-port-is-not-mapped.patch +ext4-enforce-online-defrag-restriction-for-encrypted-files.patch +ext4-reinforce-check-of-i_dtime-when-clearing-high-fields-of-uid-and-gid.patch +ext4-fix-memory-leak-in-ext4_insert_range.patch +ext4-allow-dax-writeback-for-hole-punch.patch +ext4-release-bh-in-make_indexed_dir.patch +crypto-ghash-generic-move-common-definitions-to-a-new-header-file.patch +crypto-vmx-fix-memory-corruption-caused-by-p8_ghash.patch +dlm-free-workqueues-after-the-connections.patch +vfs-move-permission-checking-into-notify_change-for-utimes-null.patch diff --git a/queue-4.4/vfs-move-permission-checking-into-notify_change-for-utimes-null.patch b/queue-4.4/vfs-move-permission-checking-into-notify_change-for-utimes-null.patch new file mode 100644 index 00000000000..bde19ead1fd --- /dev/null +++ b/queue-4.4/vfs-move-permission-checking-into-notify_change-for-utimes-null.patch @@ -0,0 +1,97 @@ +From f2b20f6ee842313a0d681dbbf7f87b70291a6a3b Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 16 Sep 2016 12:44:20 +0200 +Subject: vfs: move permission checking into notify_change() for utimes(NULL) + +From: Miklos Szeredi + +commit f2b20f6ee842313a0d681dbbf7f87b70291a6a3b upstream. + +This fixes a bug where the permission was not properly checked in +overlayfs. The testcase is ltp/utimensat01. + +It is also cleaner and safer to do the permission checking in the vfs +helper instead of the caller. + +This patch introduces an additional ia_valid flag ATTR_TOUCH (since +touch(1) is the most obvious user of utimes(NULL)) that is passed into +notify_change whenever the conditions for this special permission checking +mode are met. + +Reported-by: Aihua Zhang +Signed-off-by: Miklos Szeredi +Tested-by: Aihua Zhang +Signed-off-by: Greg Kroah-Hartman + +--- + fs/attr.c | 15 +++++++++++++++ + fs/utimes.c | 16 +--------------- + include/linux/fs.h | 1 + + 3 files changed, 17 insertions(+), 15 deletions(-) + +--- a/fs/attr.c ++++ b/fs/attr.c +@@ -202,6 +202,21 @@ int notify_change(struct dentry * dentry + return -EPERM; + } + ++ /* ++ * If utimes(2) and friends are called with times == NULL (or both ++ * times are UTIME_NOW), then we need to check for write permission ++ */ ++ if (ia_valid & ATTR_TOUCH) { ++ if (IS_IMMUTABLE(inode)) ++ return -EPERM; ++ ++ if (!inode_owner_or_capable(inode)) { ++ error = inode_permission(inode, MAY_WRITE); ++ if (error) ++ return error; ++ } ++ } ++ + if ((ia_valid & ATTR_MODE)) { + umode_t amode = attr->ia_mode; + /* Flag setting protected by i_mutex */ +--- a/fs/utimes.c ++++ b/fs/utimes.c +@@ -87,20 +87,7 @@ static int utimes_common(struct path *pa + */ + newattrs.ia_valid |= ATTR_TIMES_SET; + } else { +- /* +- * If times is NULL (or both times are UTIME_NOW), +- * then we need to check permissions, because +- * inode_change_ok() won't do it. +- */ +- error = -EACCES; +- if (IS_IMMUTABLE(inode)) +- goto mnt_drop_write_and_out; +- +- if (!inode_owner_or_capable(inode)) { +- error = inode_permission(inode, MAY_WRITE); +- if (error) +- goto mnt_drop_write_and_out; +- } ++ newattrs.ia_valid |= ATTR_TOUCH; + } + retry_deleg: + mutex_lock(&inode->i_mutex); +@@ -112,7 +99,6 @@ retry_deleg: + goto retry_deleg; + } + +-mnt_drop_write_and_out: + mnt_drop_write(path->mnt); + out: + return error; +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -226,6 +226,7 @@ typedef void (dax_iodone_t)(struct buffe + #define ATTR_KILL_PRIV (1 << 14) + #define ATTR_OPEN (1 << 15) /* Truncating from open(O_TRUNC) */ + #define ATTR_TIMES_SET (1 << 16) ++#define ATTR_TOUCH (1 << 17) + + /* + * Whiteout is represented by a char device. The following constants define the