From: Greg Kroah-Hartman Date: Wed, 11 Mar 2015 15:57:57 +0000 (+0100) Subject: 3.10-stable patches X-Git-Tag: v3.10.72~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cca31f782f924fce1e1171a7b641457cec2db3f0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: autofs4-copy_dev_ioctl-keep-the-value-of-size-we-d-used-for-allocation.patch debugfs-leave-freeing-a-symlink-body-until-inode-eviction.patch procfs-fix-race-between-symlink-removals-and-traversals.patch sunrpc-fix-braino-in-poll.patch tty-fix-up-atime-mtime-mess-take-four.patch --- diff --git a/queue-3.10/autofs4-copy_dev_ioctl-keep-the-value-of-size-we-d-used-for-allocation.patch b/queue-3.10/autofs4-copy_dev_ioctl-keep-the-value-of-size-we-d-used-for-allocation.patch new file mode 100644 index 00000000000..ce2237336ba --- /dev/null +++ b/queue-3.10/autofs4-copy_dev_ioctl-keep-the-value-of-size-we-d-used-for-allocation.patch @@ -0,0 +1,41 @@ +From 0a280962dc6e117e0e4baa668453f753579265d9 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 21 Feb 2015 22:19:57 -0500 +Subject: autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation + +From: Al Viro + +commit 0a280962dc6e117e0e4baa668453f753579265d9 upstream. + +X-Coverup: just ask spender +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/autofs4/dev-ioctl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/autofs4/dev-ioctl.c ++++ b/fs/autofs4/dev-ioctl.c +@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int c + */ + static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in) + { +- struct autofs_dev_ioctl tmp; ++ struct autofs_dev_ioctl tmp, *res; + + if (copy_from_user(&tmp, in, sizeof(tmp))) + return ERR_PTR(-EFAULT); +@@ -103,7 +103,11 @@ static struct autofs_dev_ioctl *copy_dev + if (tmp.size < sizeof(tmp)) + return ERR_PTR(-EINVAL); + +- return memdup_user(in, tmp.size); ++ res = memdup_user(in, tmp.size); ++ if (!IS_ERR(res)) ++ res->size = tmp.size; ++ ++ return res; + } + + static inline void free_dev_ioctl(struct autofs_dev_ioctl *param) diff --git a/queue-3.10/debugfs-leave-freeing-a-symlink-body-until-inode-eviction.patch b/queue-3.10/debugfs-leave-freeing-a-symlink-body-until-inode-eviction.patch new file mode 100644 index 00000000000..a9e656ce864 --- /dev/null +++ b/queue-3.10/debugfs-leave-freeing-a-symlink-body-until-inode-eviction.patch @@ -0,0 +1,77 @@ +From 0db59e59299f0b67450c5db21f7f316c8fb04e84 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 21 Feb 2015 22:05:11 -0500 +Subject: debugfs: leave freeing a symlink body until inode eviction + +From: Al Viro + +commit 0db59e59299f0b67450c5db21f7f316c8fb04e84 upstream. + +As it is, we have debugfs_remove() racing with symlink traversals. +Supply ->evict_inode() and do freeing there - inode will remain +pinned until we are done with the symlink body. + +And rip the idiocy with checking if dentry is positive right after +we'd verified debugfs_positive(), which is a stronger check... + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/debugfs/inode.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -245,10 +245,19 @@ static int debugfs_show_options(struct s + return 0; + } + ++static void debugfs_evict_inode(struct inode *inode) ++{ ++ truncate_inode_pages(&inode->i_data, 0); ++ clear_inode(inode); ++ if (S_ISLNK(inode->i_mode)) ++ kfree(inode->i_private); ++} ++ + static const struct super_operations debugfs_super_operations = { + .statfs = simple_statfs, + .remount_fs = debugfs_remount, + .show_options = debugfs_show_options, ++ .evict_inode = debugfs_evict_inode, + }; + + static int debug_fill_super(struct super_block *sb, void *data, int silent) +@@ -465,23 +474,14 @@ static int __debugfs_remove(struct dentr + int ret = 0; + + if (debugfs_positive(dentry)) { +- if (dentry->d_inode) { +- dget(dentry); +- switch (dentry->d_inode->i_mode & S_IFMT) { +- case S_IFDIR: +- ret = simple_rmdir(parent->d_inode, dentry); +- break; +- case S_IFLNK: +- kfree(dentry->d_inode->i_private); +- /* fall through */ +- default: +- simple_unlink(parent->d_inode, dentry); +- break; +- } +- if (!ret) +- d_delete(dentry); +- dput(dentry); +- } ++ dget(dentry); ++ if (S_ISDIR(dentry->d_inode->i_mode)) ++ ret = simple_rmdir(parent->d_inode, dentry); ++ else ++ simple_unlink(parent->d_inode, dentry); ++ if (!ret) ++ d_delete(dentry); ++ dput(dentry); + } + return ret; + } diff --git a/queue-3.10/procfs-fix-race-between-symlink-removals-and-traversals.patch b/queue-3.10/procfs-fix-race-between-symlink-removals-and-traversals.patch new file mode 100644 index 00000000000..035b7b82c58 --- /dev/null +++ b/queue-3.10/procfs-fix-race-between-symlink-removals-and-traversals.patch @@ -0,0 +1,95 @@ +From 7e0e953bb0cf649f93277ac8fb67ecbb7f7b04a9 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 21 Feb 2015 22:16:11 -0500 +Subject: procfs: fix race between symlink removals and traversals + +From: Al Viro + +commit 7e0e953bb0cf649f93277ac8fb67ecbb7f7b04a9 upstream. + +use_pde()/unuse_pde() in ->follow_link()/->put_link() resp. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/generic.c | 12 ------------ + fs/proc/inode.c | 21 +++++++++++++++++++++ + fs/proc/internal.h | 1 + + 3 files changed, 22 insertions(+), 12 deletions(-) + +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -19,7 +19,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -163,17 +162,6 @@ void proc_free_inum(unsigned int inum) + spin_unlock_irqrestore(&proc_inum_lock, flags); + } + +-static void *proc_follow_link(struct dentry *dentry, struct nameidata *nd) +-{ +- nd_set_link(nd, __PDE_DATA(dentry->d_inode)); +- return NULL; +-} +- +-static const struct inode_operations proc_link_inode_operations = { +- .readlink = generic_readlink, +- .follow_link = proc_follow_link, +-}; +- + /* + * As some entries in /proc are volatile, we want to + * get rid of unused dentries. This could be made +--- a/fs/proc/inode.c ++++ b/fs/proc/inode.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include + +@@ -373,6 +374,26 @@ static const struct file_operations proc + }; + #endif + ++static void *proc_follow_link(struct dentry *dentry, struct nameidata *nd) ++{ ++ struct proc_dir_entry *pde = PDE(dentry->d_inode); ++ if (unlikely(!use_pde(pde))) ++ return ERR_PTR(-EINVAL); ++ nd_set_link(nd, pde->data); ++ return pde; ++} ++ ++static void proc_put_link(struct dentry *dentry, struct nameidata *nd, void *p) ++{ ++ unuse_pde(p); ++} ++ ++const struct inode_operations proc_link_inode_operations = { ++ .readlink = generic_readlink, ++ .follow_link = proc_follow_link, ++ .put_link = proc_put_link, ++}; ++ + struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de) + { + struct inode *inode = new_inode_pseudo(sb); +--- a/fs/proc/internal.h ++++ b/fs/proc/internal.h +@@ -202,6 +202,7 @@ struct pde_opener { + int closing; + struct completion *c; + }; ++extern const struct inode_operations proc_link_inode_operations; + + extern const struct inode_operations proc_pid_link_inode_operations; + diff --git a/queue-3.10/series b/queue-3.10/series index 2f56b4162ee..e2988f55cf0 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -36,3 +36,8 @@ net-irda-fix-wait_until_sent-poll-timeout.patch usb-serial-fix-infinite-wait_until_sent-timeout.patch tty-fix-tty_wait_until_sent-on-64-bit-machines.patch usb-serial-fix-potential-use-after-free-after-failed-probe.patch +autofs4-copy_dev_ioctl-keep-the-value-of-size-we-d-used-for-allocation.patch +debugfs-leave-freeing-a-symlink-body-until-inode-eviction.patch +procfs-fix-race-between-symlink-removals-and-traversals.patch +sunrpc-fix-braino-in-poll.patch +tty-fix-up-atime-mtime-mess-take-four.patch diff --git a/queue-3.10/sunrpc-fix-braino-in-poll.patch b/queue-3.10/sunrpc-fix-braino-in-poll.patch new file mode 100644 index 00000000000..bd4833eed8d --- /dev/null +++ b/queue-3.10/sunrpc-fix-braino-in-poll.patch @@ -0,0 +1,33 @@ +From 1711fd9addf214823b993468567cab1f8254fc51 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 7 Mar 2015 21:08:46 +0000 +Subject: sunrpc: fix braino in ->poll() + +From: Al Viro + +commit 1711fd9addf214823b993468567cab1f8254fc51 upstream. + +POLL_OUT isn't what callers of ->poll() are expecting to see; it's +actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap +bit... + +Signed-off-by: Al Viro +Cc: Bruce Fields +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -930,7 +930,7 @@ static unsigned int cache_poll(struct fi + poll_wait(filp, &queue_wait, wait); + + /* alway allow write */ +- mask = POLL_OUT | POLLWRNORM; ++ mask = POLLOUT | POLLWRNORM; + + if (!rp) + return mask; diff --git a/queue-3.10/tty-fix-up-atime-mtime-mess-take-four.patch b/queue-3.10/tty-fix-up-atime-mtime-mess-take-four.patch new file mode 100644 index 00000000000..af170f13ff6 --- /dev/null +++ b/queue-3.10/tty-fix-up-atime-mtime-mess-take-four.patch @@ -0,0 +1,52 @@ +From f0bf0bd07943bfde8f5ac39a32664810a379c7d3 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 27 Feb 2015 18:40:31 +0100 +Subject: tty: fix up atime/mtime mess, take four + +From: Jiri Slaby + +commit f0bf0bd07943bfde8f5ac39a32664810a379c7d3 upstream. + +This problem was taken care of three times already in +* b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update + atime/mtime on read/write), +* 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime + regression), and +* b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime + mess, take three) + +But it still misses one point. As John Paul correctly points out, we +do not care about setting date. If somebody ever changes wall +time backwards (by mistake for example), tty timestamps are never +updated until the original wall time passes. + +So check the absolute difference of times and if it large than "8 +seconds or so", always update the time. That means we will update +immediatelly when changing time. Ergo, CAP_SYS_TIME can foul the +check, but it was always that way. + +Thanks John for serving me this so nicely debugged. + +Signed-off-by: Jiri Slaby +Reported-by: John Paul Perry +Acked-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -992,8 +992,8 @@ EXPORT_SYMBOL(start_tty); + /* We limit tty time update visibility to every 8 seconds or so. */ + static void tty_update_time(struct timespec *time) + { +- unsigned long sec = get_seconds() & ~7; +- if ((long)(sec - time->tv_sec) > 0) ++ unsigned long sec = get_seconds(); ++ if (abs(sec - time->tv_sec) & ~7) + time->tv_sec = sec; + } +