From: Greg Kroah-Hartman Date: Mon, 12 Sep 2016 13:06:53 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v4.7.4~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d1db69fb8057add3b5b00533b27c62f64ef38143;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch bdev-fix-null-pointer-dereference.patch irqchip-mips-gic-cleanup-chip-and-handler-setup.patch irqchip-mips-gic-implement-activate-op-for-device-domain.patch mei-me-disable-driver-on-spt-sps-firmware.patch ovl-don-t-copy-up-opaqueness.patch ovl-fix-workdir-creation.patch ovl-listxattr-use-strnlen.patch ovl-proper-cleanup-of-workdir.patch ovl-remove-posix_acl_default-from-workdir.patch ubifs-fix-assertion-in-layout_in_gaps.patch ubifs-fix-xattr-generic-handler-usage.patch vhost-scsi-fix-reuse-of-vq-iov-in-response.patch x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch
---
diff --git a/queue-4.7/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch b/queue-4.7/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch
new file mode 100644
index 00000000000..11cb689586f
--- /dev/null
+++ b/queue-4.7/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch
@@ -0,0 +1,70 @@
+From acc9cf8c66c66b2cbbdb4a375537edee72be64df Mon Sep 17 00:00:00 2001
+From: Kent Overstreet
+Date: Wed, 17 Aug 2016 18:21:24 -0700
+Subject: bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two.
+
+From: Kent Overstreet
+
+commit acc9cf8c66c66b2cbbdb4a375537edee72be64df upstream.
+
+This patch fixes a cachedev registration-time allocation deadlock.
+This can deadlock on boot if your initrd auto-registeres bcache devices:
+
+Allocator thread:
+[ 720.727614] INFO: task bcache_allocato:3833 blocked for more than 120 seconds.
+[ 720.732361] [] schedule+0x37/0x90
+[ 720.732963] [] bch_bucket_alloc+0x188/0x360 [bcache]
+[ 720.733538] [] ? prepare_to_wait_event+0xf0/0xf0
+[ 720.734137] [] bch_prio_write+0x19d/0x340 [bcache]
+[ 720.734715] [] bch_allocator_thread+0x3ff/0x470 [bcache]
+[ 720.735311] [] ? __schedule+0x2dc/0x950
+[ 720.735884] [] ? invalidate_buckets+0x980/0x980 [bcache]
+
+Registration thread:
+[ 720.710403] INFO: task bash:3531 blocked for more than 120 seconds.
+[ 720.715226] [] schedule+0x37/0x90
+[ 720.715805] [] __bch_btree_map_nodes+0x12d/0x150 [bcache]
+[ 720.716409] [] ? bch_btree_insert_check_key+0x1c0/0x1c0 [bcache]
+[ 720.717008] [] bch_btree_insert+0xf4/0x170 [bcache]
+[ 720.717586] [] ? prepare_to_wait_event+0xf0/0xf0
+[ 720.718191] [] bch_journal_replay+0x14a/0x290 [bcache]
+[ 720.718766] [] ? ttwu_do_activate.constprop.94+0x5d/0x70
+[ 720.719369] [] ? try_to_wake_up+0x1d4/0x350
+[ 720.719968] [] run_cache_set+0x580/0x8e0 [bcache]
+[ 720.720553] [] register_bcache+0xe2e/0x13b0 [bcache]
+[ 720.721153] [] kobj_attr_store+0xf/0x20
+[ 720.721730] [] sysfs_kf_write+0x3d/0x50
+[ 720.722327] [] kernfs_fop_write+0x12a/0x180
+[ 720.722904] [] __vfs_write+0x37/0x110
+[ 720.723503] [] ? __sb_start_write+0x58/0x110
+[ 720.724100] [] ? security_file_permission+0x23/0xa0
+[ 720.724675] [] vfs_write+0xa9/0x1b0
+[ 720.725275] [] ? do_audit_syscall_entry+0x6c/0x70
+[ 720.725849] [] SyS_write+0x55/0xd0
+[ 720.726451] [] ? do_page_fault+0x30/0x80
+[ 720.727045] [] system_call_fastpath+0x12/0x71
+
+The fifo code in upstream bcache can't use the last element in the buffer,
+which was the cause of the bug: if you asked for a power of two size,
+it'd give you a fifo that could hold one less than what you asked for
+rather than allocating a buffer twice as big.
+
+Signed-off-by: Kent Overstreet
+Tested-by: Eric Wheeler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1818,7 +1818,7 @@ static int cache_alloc(struct cache_sb *
+ free = roundup_pow_of_two(ca->sb.nbuckets) >> 10;
+
+ if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) ||
+- !init_fifo(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
++ !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
+ !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) ||
+ !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) ||
+ !init_fifo(&ca->free_inc, free << 2, GFP_KERNEL) ||
diff --git a/queue-4.7/bdev-fix-null-pointer-dereference.patch b/queue-4.7/bdev-fix-null-pointer-dereference.patch
new file mode 100644
index 00000000000..a152af74d99
--- /dev/null
+++ b/queue-4.7/bdev-fix-null-pointer-dereference.patch
@@ -0,0 +1,78 @@
+From e9e5e3fae8da7e237049e00e0bfc9e32fd808fe8 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Mon, 22 Aug 2016 12:47:43 +0200
+Subject: bdev: fix NULL pointer dereference
+
+From: Vegard Nossum
+
+commit e9e5e3fae8da7e237049e00e0bfc9e32fd808fe8 upstream.
+
+I got this:
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ CPU: 0 PID: 5505 Comm: syz-executor Not tainted 4.8.0-rc2+ #161
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+ task: ffff880113415940 task.stack: ffff880118350000
+ RIP: 0010:[] [] bd_mount+0x52/0xa0
+ RSP: 0018:ffff880118357ca0 EFLAGS: 00010207
+ RAX: dffffc0000000000 RBX: ffffffffffffffff RCX: ffffc90000bb6000
+ RDX: 0000000000000018 RSI: ffffffff846d6b20 RDI: 00000000000000c7
+ RBP: ffff880118357cb0 R08: ffff880115967c68 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801188211e8
+ R13: ffffffff847baa20 R14: ffff8801139cb000 R15: 0000000000000080
+ FS: 00007fa3ff6c0700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fc1d8cc7e78 CR3: 0000000109f20000 CR4: 00000000000006f0
+ DR0: 000000000000001e DR1: 000000000000001e DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
+ Stack:
+ ffff880112cfd6c0 ffff8801188211e8 ffff880118357cf0 ffffffff8167f207
+ ffffffff816d7a1e ffff880112a413c0 ffffffff847baa20 ffff8801188211e8
+ 0000000000000080 ffff880112cfd6c0 ffff880118357d38 ffffffff816dce0a
+ Call Trace:
+ [] mount_fs+0x97/0x2e0
+ [] ? alloc_vfsmnt+0x55e/0x760
+ [] vfs_kern_mount+0x7a/0x300
+ [] ? _raw_read_unlock+0x2c/0x50
+ [] do_mount+0x3d7/0x2730
+ [] ? trace_do_page_fault+0x1f4/0x3a0
+ [] ? copy_mount_string+0x40/0x40
+ [] ? memset+0x31/0x40
+ [] ? copy_mount_options+0x1ee/0x320
+ [] SyS_mount+0xb2/0x120
+ [] ? copy_mnt_ns+0x970/0x970
+ [] do_syscall_64+0x1c4/0x4e0
+ [] entry_SYSCALL64_slow_path+0x25/0x25
+ Code: 83 e8 63 1b fc ff 48 85 c0 48 89 c3 74 4c e8 56 35 d1 ff 48 8d bb c8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 36 4c 8b a3 c8 00 00 00 48 b8 00 00 00 00 00 fc
+ RIP [] bd_mount+0x52/0xa0
+ RSP
+ ---[ end trace 13690ad962168b98 ]---
+
+mount_pseudo() returns ERR_PTR(), not NULL, on error.
+
+Fixes: 3684aa7099e0 ("block-dev: enable writeback cgroup support")
+Cc: Shaohua Li
+Cc: Tejun Heo
+Cc: Jens Axboe
+Signed-off-by: Vegard Nossum
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/block_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -659,7 +659,7 @@ static struct dentry *bd_mount(struct fi
+ {
+ struct dentry *dent;
+ dent = mount_pseudo(fs_type, "bdev:", &bdev_sops, NULL, BDEVFS_MAGIC);
+- if (dent)
++ if (!IS_ERR(dent))
+ dent->d_sb->s_iflags |= SB_I_CGROUPWB;
+ return dent;
+ }
diff --git a/queue-4.7/irqchip-mips-gic-cleanup-chip-and-handler-setup.patch b/queue-4.7/irqchip-mips-gic-cleanup-chip-and-handler-setup.patch
new file mode 100644
index 00000000000..28762862466
--- /dev/null
+++ b/queue-4.7/irqchip-mips-gic-cleanup-chip-and-handler-setup.patch
@@ -0,0 +1,74 @@
+From 6a33fa2b87513fee44cb8f0cd17b1acd6316bc6b Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Fri, 19 Aug 2016 18:07:14 +0100
+Subject: irqchip/mips-gic: Cleanup chip and handler setup
+
+From: Paul Burton
+
+commit 6a33fa2b87513fee44cb8f0cd17b1acd6316bc6b upstream.
+
+gic_shared_irq_domain_map() is called from gic_irq_domain_alloc() where
+the wrong chip has been set, and is then overwritten. Tidy this up by
+setting the correct chip the first time, and setting the
+handle_level_irq handler from gic_irq_domain_alloc() too.
+
+gic_shared_irq_domain_map() is also called from gic_irq_domain_map(),
+which now calls irq_set_chip_and_handler() to retain its previous
+behaviour.
+
+This patch prepares for a follow-on which will call
+gic_shared_irq_domain_map() from a callback where the lock on the struct
+irq_desc is held, which without this change would cause the call to
+irq_set_chip_and_handler() to lead to a deadlock.
+
+Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain")
+Signed-off-by: Paul Burton
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper
+Cc: Marc Zyngier
+Link: http://lkml.kernel.org/r/20160819170715.27820-1-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-mips-gic.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -713,9 +713,6 @@ static int gic_shared_irq_domain_map(str
+ unsigned long flags;
+ int i;
+
+- irq_set_chip_and_handler(virq, &gic_level_irq_controller,
+- handle_level_irq);
+-
+ spin_lock_irqsave(&gic_lock, flags);
+ gic_map_to_pin(intr, gic_cpu_pin);
+ gic_map_to_vpe(intr, mips_cm_vp_id(vpe));
+@@ -732,6 +729,10 @@ static int gic_irq_domain_map(struct irq
+ {
+ if (GIC_HWIRQ_TO_LOCAL(hw) < GIC_NUM_LOCAL_INTRS)
+ return gic_local_irq_domain_map(d, virq, hw);
++
++ irq_set_chip_and_handler(virq, &gic_level_irq_controller,
++ handle_level_irq);
++
+ return gic_shared_irq_domain_map(d, virq, hw, 0);
+ }
+
+@@ -771,11 +772,13 @@ static int gic_irq_domain_alloc(struct i
+ hwirq = GIC_SHARED_TO_HWIRQ(base_hwirq + i);
+
+ ret = irq_domain_set_hwirq_and_chip(d, virq + i, hwirq,
+- &gic_edge_irq_controller,
++ &gic_level_irq_controller,
+ NULL);
+ if (ret)
+ goto error;
+
++ irq_set_handler(virq + i, handle_level_irq);
++
+ ret = gic_shared_irq_domain_map(d, virq + i, hwirq, cpu);
+ if (ret)
+ goto error;
diff --git a/queue-4.7/irqchip-mips-gic-implement-activate-op-for-device-domain.patch b/queue-4.7/irqchip-mips-gic-implement-activate-op-for-device-domain.patch
new file mode 100644
index 00000000000..4142d11d805
--- /dev/null
+++ b/queue-4.7/irqchip-mips-gic-implement-activate-op-for-device-domain.patch
@@ -0,0 +1,58 @@
+From 2564970a381651865364974ea414384b569cb9c0 Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Fri, 19 Aug 2016 18:07:15 +0100
+Subject: irqchip/mips-gic: Implement activate op for device domain
+
+From: Paul Burton
+
+commit 2564970a381651865364974ea414384b569cb9c0 upstream.
+
+If an IRQ is setup using __setup_irq(), which is used by the
+request_irq() family of functions, and we are using an SMP kernel then
+the affinity of the IRQ will be set via setup_affinity() immediately
+after the IRQ is enabled. This call to gic_set_affinity() will lead to
+the interrupt being mapped to a VPE. However there are other ways to use
+IRQs which don't cause affinity to be set, for example if it is used to
+chain to another IRQ controller with irq_set_chained_handler_and_data().
+The irq_set_chained_handler_and_data() code path will enable the IRQ,
+but will not trigger a call to gic_set_affinity() and in this case
+nothing will map the interrupt to a VPE, meaning that the interrupt is
+never received.
+
+Fix this by implementing the activate operation for the GIC device IRQ
+domain, using gic_shared_irq_domain_map() to map the interrupt to the
+correct pin of cpu 0.
+
+Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain")
+Signed-off-by: Paul Burton
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper
+Cc: Marc Zyngier
+Link: http://lkml.kernel.org/r/20160819170715.27820-2-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-mips-gic.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -893,10 +893,17 @@ void gic_dev_domain_free(struct irq_doma
+ return;
+ }
+
++static void gic_dev_domain_activate(struct irq_domain *domain,
++ struct irq_data *d)
++{
++ gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0);
++}
++
+ static struct irq_domain_ops gic_dev_domain_ops = {
+ .xlate = gic_dev_domain_xlate,
+ .alloc = gic_dev_domain_alloc,
+ .free = gic_dev_domain_free,
++ .activate = gic_dev_domain_activate,
+ };
+
+ static int gic_ipi_domain_xlate(struct irq_domain *d, struct device_node *ctrlr,
diff --git a/queue-4.7/mei-me-disable-driver-on-spt-sps-firmware.patch b/queue-4.7/mei-me-disable-driver-on-spt-sps-firmware.patch
new file mode 100644
index 00000000000..795502a792e
--- /dev/null
+++ b/queue-4.7/mei-me-disable-driver-on-spt-sps-firmware.patch
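Review bot: In `gic_dev_domain_activate()` (irq-mips-gic.c, the activate-op patch) the return value of `gic_shared_irq_domain_map()` is discarded and the trailing `0` is an unexplained literal. The commit message says the interrupt is mapped to cpu 0, so a short comment would carry that into the code, e.g. `/* no affinity set yet: map to VPE 0 so the interrupt is delivered at all */`. The sibling cleanup patch shows the helper returns an int that `gic_irq_domain_alloc()` checks; since the activate callback is `void`, a failure here cannot be reported, which is worth stating in the same comment.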
@@ -0,0 +1,55 @@
+From 8c57cac1457f3125a5d13dc03635c0708c61bff0 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler
+Date: Wed, 20 Jul 2016 10:24:02 +0300
+Subject: mei: me: disable driver on SPT SPS firmware
+
+From: Tomas Winkler
+
+commit 8c57cac1457f3125a5d13dc03635c0708c61bff0 upstream.
+
+Sunrise Point PCH with SPS Firmware doesn't expose working
+MEI interface, we need to quirk it out.
+The SPS Firmware is identifiable only on the first PCI function
+of the device.
+
+Tested-by: Sujith Pandel
+Signed-off-by: Tomas Winkler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/mei/hw-me.c | 10 ++++++++--
+ drivers/misc/mei/pci-me.c | 4 ++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/mei/hw-me.c
++++ b/drivers/misc/mei/hw-me.c
+@@ -1263,8 +1263,14 @@ static bool mei_me_fw_type_nm(struct pci
+ static bool mei_me_fw_type_sps(struct pci_dev *pdev)
+ {
+ u32 reg;
+- /* Read ME FW Status check for SPS Firmware */
+- pci_read_config_dword(pdev, PCI_CFG_HFS_1, ®);
++ unsigned int devfn;
++
++ /*
++ * Read ME FW Status register to check for SPS Firmware
++ * The SPS FW is only signaled in pci function 0
++ */
++ devfn = PCI_DEVFN(PCI_SLOT(pdev->devfn), 0);
++ pci_bus_read_config_dword(pdev->bus, devfn, PCI_CFG_HFS_1, ®);
+ trace_mei_pci_cfg_read(&pdev->dev, "PCI_CFG_HFS_1", PCI_CFG_HFS_1, reg);
+ /* if bits [19:16] = 15, running SPS Firmware */
+ return (reg & 0xf0000) == 0xf0000;
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -85,8 +85,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_SPT, mei_me_pch8_cfg)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_2, mei_me_pch8_cfg)},
+- {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H, mei_me_pch8_cfg)},
+- {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H_2, mei_me_pch8_cfg)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H, mei_me_pch8_sps_cfg)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H_2, mei_me_pch8_sps_cfg)},
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_BXT_M, mei_me_pch8_cfg)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_APL_I, mei_me_pch8_cfg)},
diff --git a/queue-4.7/ovl-don-t-copy-up-opaqueness.patch b/queue-4.7/ovl-don-t-copy-up-opaqueness.patch
new file mode 100644
index 00000000000..60dc73eb909
--- /dev/null
+++ b/queue-4.7/ovl-don-t-copy-up-opaqueness.patch
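Review bot: The result of `pci_bus_read_config_dword()` in `mei_me_fw_type_sps()` (hw-me.c) is not checked, and the test `(reg & 0xf0000) == 0xf0000` is also satisfied by an all-ones value. A failed or unanswered config read of function 0 commonly yields all ones, so the device would then be classified as SPS firmware; presumably the `mei_me_pch8_sps_cfg` quirk then keeps the driver off it, but its definition is outside this hunk. That case should be handled explicitly, e.g. `if (reg == 0xffffffff) return false;`, or by checking the call's return code before `reg` is used.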
@@ -0,0 +1,78 @@
+From 0956254a2d5b9e2141385514553aeef694dfe3b5 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Mon, 8 Aug 2016 15:08:49 +0200
+Subject: ovl: don't copy up opaqueness
+
+From: Miklos Szeredi
+
+commit 0956254a2d5b9e2141385514553aeef694dfe3b5 upstream.
+
+When a copy up of a directory occurs which has the opaque xattr set, the
+xattr remains in the upper directory. The immediate behavior with overlayfs
+is that the upper directory is not treated as opaque, however after a
+remount the opaque flag is used and upper directory is treated as opaque.
+This causes files created in the lower layer to be hidden when using
+multiple lower directories.
+
+Fix by not copying up the opaque flag.
+
+To reproduce:
+
+ ----8<---------8<---------8<---------8<---------8<---------8<----
+mkdir -p l/d/s u v w mnt
+mount -t overlay overlay -olowerdir=l,upperdir=u,workdir=w mnt
+rm -rf mnt/d/
+mkdir -p mnt/d/n
+umount mnt
+mount -t overlay overlay -olowerdir=u:l,upperdir=v,workdir=w mnt
+touch mnt/d/foo
+umount mnt
+mount -t overlay overlay -olowerdir=u:l,upperdir=v,workdir=w mnt
+ls mnt/d
+ ----8<---------8<---------8<---------8<---------8<---------8<----
+
+output should be: "foo n"
+
+Reported-by: Derek McGowan
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=151291
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/copy_up.c | 2 ++
+ fs/overlayfs/inode.c | 2 +-
+ fs/overlayfs/overlayfs.h | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -80,6 +80,8 @@ int ovl_copy_xattr(struct dentry *old, s
+ }
+
+ for (name = buf; name < (buf + list_size); name += strlen(name) + 1) {
++ if (ovl_is_private_xattr(name))
++ continue;
+ retry:
+ size = vfs_getxattr(old, name, value, value_size);
+ if (size == -ERANGE)
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -231,7 +231,7 @@ static int ovl_readlink(struct dentry *d
+ }
+
+
+-static bool ovl_is_private_xattr(const char *name)
++bool ovl_is_private_xattr(const char *name)
+ {
+ return strncmp(name, OVL_XATTR_PRE_NAME, OVL_XATTR_PRE_LEN) == 0;
+ }
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -182,6 +182,7 @@ ssize_t ovl_getxattr(struct dentry *dent
+ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size);
+ int ovl_removexattr(struct dentry *dentry, const char *name);
+ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags);
++bool ovl_is_private_xattr(const char *name);
+
+ struct inode *ovl_new_inode(struct super_block *sb, umode_t mode,
+ struct ovl_entry *oe);
diff --git a/queue-4.7/ovl-fix-workdir-creation.patch b/queue-4.7/ovl-fix-workdir-creation.patch
new file mode 100644
index 00000000000..96ab72e0ded
--- /dev/null
+++ b/queue-4.7/ovl-fix-workdir-creation.patch
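Review bot: The new `ovl_is_private_xattr(name)` call in `ovl_copy_xattr()` (copy_up.c) sits in a loop that still advances with `strlen(name) + 1` over the xattr list returned by the underlying filesystem. ovl-listxattr-use-strnlen.patch in this same queue stops trusting that list's NUL termination in `ovl_listxattr()`, but this loop keeps the old assumption, so an unterminated final entry would be read past `buf + list_size`. Replacing `strlen(name)` with `strnlen(name, buf + list_size - name)` and bailing out when no terminator is found would bring the two walkers in line. The loop body continues outside the hunk, so the error path has to be checked against the full function.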
@@ -0,0 +1,40 @@
+From e1ff3dd1ae52cef5b5373c8cc4ad949c2c25a71c Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Mon, 5 Sep 2016 13:55:20 +0200
+Subject: ovl: fix workdir creation
+
+From: Miklos Szeredi
+
+commit e1ff3dd1ae52cef5b5373c8cc4ad949c2c25a71c upstream.
+
+Workdir creation fails in latest kernel.
+
+Fix by allowing EOPNOTSUPP as a valid return value from
+vfs_removexattr(XATTR_NAME_POSIX_ACL_*). Upper filesystem may not support
+ACL and still be perfectly able to support overlayfs.
+
+Reported-by: Martin Ziegler
+Signed-off-by: Miklos Szeredi
+Fixes: c11b9fdd6a61 ("ovl: remove posix_acl_default from workdir")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -819,11 +819,11 @@ retry:
+ goto out_dput;
+
+ err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_DEFAULT);
+- if (err && err != -ENODATA)
++ if (err && err != -ENODATA && err != -EOPNOTSUPP)
+ goto out_dput;
+
+ err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_ACCESS);
+- if (err && err != -ENODATA)
++ if (err && err != -ENODATA && err != -EOPNOTSUPP)
+ goto out_dput;
+
+ /* Clear any inherited mode bits */
diff --git a/queue-4.7/ovl-listxattr-use-strnlen.patch b/queue-4.7/ovl-listxattr-use-strnlen.patch
new file mode 100644
index 00000000000..06d9707360b
--- /dev/null
+++ b/queue-4.7/ovl-listxattr-use-strnlen.patch
@@ -0,0 +1,57 @@
+From 7cb35119d067191ce9ebc380a599db0b03cbd9d9 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 1 Sep 2016 11:12:00 +0200
+Subject: ovl: listxattr: use strnlen()
+
+From: Miklos Szeredi
+
+commit 7cb35119d067191ce9ebc380a599db0b03cbd9d9 upstream.
+
+Be defensive about what underlying fs provides us in the returned xattr
+list buffer. If it's not properly null terminated, bail out with a warning
+insead of BUG.
+
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/inode.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -279,24 +279,27 @@ ssize_t ovl_listxattr(struct dentry *den
+ {
+ struct dentry *realdentry = ovl_dentry_real(dentry);
+ ssize_t res;
+- int off;
++ size_t len;
++ char *s;
+
+ res = vfs_listxattr(realdentry, list, size);
+ if (res <= 0 || size == 0)
+ return res;
+
+ /* filter out private xattrs */
+- for (off = 0; off < res;) {
+- char *s = list + off;
+- size_t slen = strlen(s) + 1;
++ for (s = list, len = res; len;) {
++ size_t slen = strnlen(s, len) + 1;
+
+- BUG_ON(off + slen > res);
++ /* underlying fs providing us with an broken xattr list? */
++ if (WARN_ON(slen > len))
++ return -EIO;
+
++ len -= slen;
+ if (ovl_is_private_xattr(s)) {
+ res -= slen;
+- memmove(s, s + slen, res - off);
++ memmove(s, s + slen, len);
+ } else {
+- off += slen;
++ s += slen;
+ }
+ }
+
diff --git a/queue-4.7/ovl-proper-cleanup-of-workdir.patch b/queue-4.7/ovl-proper-cleanup-of-workdir.patch
new file mode 100644
index 00000000000..248952b958d
--- /dev/null
+++ b/queue-4.7/ovl-proper-cleanup-of-workdir.patch
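Review bot: `WARN_ON(slen > len)` in the new `ovl_listxattr()` loop (inode.c) fires on every call that sees a malformed list, and that list comes from the underlying filesystem rather than from overlayfs itself. On a system configured to panic on warnings this turns bad data from the lower layer into a crash, and otherwise a repeated listxattr can flood the log with backtraces. `if (WARN_ON_ONCE(slen > len))` or a rate-limited `pr_warn` keeps the `-EIO` bail-out while bounding the noise. The added comment also reads "an broken xattr list" where "a broken" is meant.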
@@ -0,0 +1,136 @@
+From eea2fb4851e9dcbab6b991aaf47e2e024f1f55a0 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 1 Sep 2016 11:11:59 +0200
+Subject: ovl: proper cleanup of workdir
+
+From: Miklos Szeredi
+
+commit eea2fb4851e9dcbab6b991aaf47e2e024f1f55a0 upstream.
+
+When mounting overlayfs it needs a clean "work" directory under the
+supplied workdir.
+
+Previously the mount code removed this directory if it already existed and
+created a new one. If the removal failed (e.g. directory was not empty)
+then it fell back to a read-only mount not using the workdir.
+
+While this has never been reported, it is possible to get a non-empty
+"work" dir from a previous mount of overlayfs in case of crash in the
+middle of an operation using the work directory.
+
+In this case the left over state should be discarded and the overlay
+filesystem will be consistent, guaranteed by the atomicity of operations on
+moving to/from the workdir to the upper layer.
+
+This patch implements cleaning out any files left in workdir. It is
+implemented using real recursion for simplicity, but the depth is limited
+to 2, because the worst case is that of a directory containing whiteouts
+under "work".
+
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/overlayfs.h | 2 +
+ fs/overlayfs/readdir.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++-
+ fs/overlayfs/super.c | 2 -
+ 3 files changed, 65 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -168,6 +168,8 @@ int ovl_check_empty_dir(struct dentry *d
+ void ovl_cleanup_whiteouts(struct dentry *upper, struct list_head *list);
+ void ovl_cache_free(struct list_head *list);
+ int ovl_check_d_type_supported(struct path *realpath);
++void ovl_workdir_cleanup(struct inode *dir, struct vfsmount *mnt,
++ struct dentry *dentry, int level);
+
+ /* inode.c */
+ int ovl_setattr(struct dentry *dentry, struct iattr *attr);
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -248,7 +248,7 @@ static inline int ovl_dir_read(struct pa
+ err = rdd->err;
+ } while (!err && rdd->count);
+
+- if (!err && rdd->first_maybe_whiteout)
++ if (!err && rdd->first_maybe_whiteout && rdd->dentry)
+ err = ovl_check_whiteouts(realpath->dentry, rdd);
+
+ fput(realfile);
+@@ -606,3 +606,64 @@ int ovl_check_d_type_supported(struct pa
+
+ return rdd.d_type_supported;
+ }
++
++static void ovl_workdir_cleanup_recurse(struct path *path, int level)
++{
++ int err;
++ struct inode *dir = path->dentry->d_inode;
++ LIST_HEAD(list);
++ struct ovl_cache_entry *p;
++ struct ovl_readdir_data rdd = {
++ .ctx.actor = ovl_fill_merge,
++ .dentry = NULL,
++ .list = &list,
++ .root = RB_ROOT,
++ .is_lowest = false,
++ };
++
++ err = ovl_dir_read(path, &rdd);
++ if (err)
++ goto out;
++
++ inode_lock_nested(dir, I_MUTEX_PARENT);
++ list_for_each_entry(p, &list, l_node) {
++ struct dentry *dentry;
++
++ if (p->name[0] == '.') {
++ if (p->len == 1)
++ continue;
++ if (p->len == 2 && p->name[1] == '.')
++ continue;
++ }
++ dentry = lookup_one_len(p->name, path->dentry, p->len);
++ if (IS_ERR(dentry))
++ continue;
++ if (dentry->d_inode)
++ ovl_workdir_cleanup(dir, path->mnt, dentry, level);
++ dput(dentry);
++ }
++ inode_unlock(dir);
++out:
++ ovl_cache_free(&list);
++}
++
++void ovl_workdir_cleanup(struct inode *dir, struct vfsmount *mnt,
++ struct dentry *dentry, int level)
++{
++ int err;
++
++ if (!d_is_dir(dentry) || level > 1) {
++ ovl_cleanup(dir, dentry);
++ return;
++ }
++
++ err = ovl_do_rmdir(dir, dentry);
++ if (err) {
++ struct path path = { .mnt = mnt, .dentry = dentry };
++
++ inode_unlock(dir);
++ ovl_workdir_cleanup_recurse(&path, level + 1);
++ inode_lock_nested(dir, I_MUTEX_PARENT);
++ ovl_cleanup(dir, dentry);
++ }
++}
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -805,7 +805,7 @@ retry:
+ goto out_dput;
+
+ retried = true;
+- ovl_cleanup(dir, work);
++ ovl_workdir_cleanup(dir, mnt, work, 0);
+ dput(work);
+ goto retry;
+ }
diff --git a/queue-4.7/ovl-remove-posix_acl_default-from-workdir.patch b/queue-4.7/ovl-remove-posix_acl_default-from-workdir.patch
new file mode 100644
index 00000000000..f6556f98d95
--- /dev/null
+++ b/queue-4.7/ovl-remove-posix_acl_default-from-workdir.patch
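Review bot: `ovl_workdir_cleanup()` (readdir.c, the workdir-cleanup patch) drops and re-takes the lock on `dir` around the recursive call, but neither the definition nor the prototype added to overlayfs.h says that callers must hold that lock or that it is released in between. A comment such as `/* Called with dir locked; the lock is dropped while the subdirectory is emptied. */` would make the contract visible. After the lock is re-taken, `ovl_cleanup(dir, dentry)` runs without re-checking that `dentry` is still a child of `dir`, which looks safe only if nothing else can touch the workdir during mount; the hunk does not show that guarantee. `ovl_workdir_cleanup_recurse()` also discards errors from `ovl_dir_read()` and `lookup_one_len()`, so a partial cleanup is not reported from here.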
@@ -0,0 +1,54 @@
+From c11b9fdd6a612f376a5e886505f1c54c16d8c380 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 1 Sep 2016 11:11:59 +0200
+Subject: ovl: remove posix_acl_default from workdir
+
+From: Miklos Szeredi
+
+commit c11b9fdd6a612f376a5e886505f1c54c16d8c380 upstream.
+
+Clear out posix acl xattrs on workdir and also reset the mode after
+creation so that an inherited sgid bit is cleared.
+
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/overlayfs/super.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -798,6 +798,10 @@ retry:
+ struct kstat stat = {
+ .mode = S_IFDIR | 0,
+ };
++ struct iattr attr = {
++ .ia_valid = ATTR_MODE,
++ .ia_mode = stat.mode,
++ };
+
+ if (work->d_inode) {
+ err = -EEXIST;
+@@ -813,6 +817,21 @@ retry:
+ err = ovl_create_real(dir, work, &stat, NULL, NULL, true);
+ if (err)
+ goto out_dput;
++
++ err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_DEFAULT);
++ if (err && err != -ENODATA)
++ goto out_dput;
++
++ err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_ACCESS);
++ if (err && err != -ENODATA)
++ goto out_dput;
++
++ /* Clear any inherited mode bits */
++ inode_lock(work->d_inode);
++ err = notify_change(work, &attr, NULL);
++ inode_unlock(work->d_inode);
++ if (err)
++ goto out_dput;
+ }
+ out_unlock:
+ inode_unlock(dir);
diff --git a/queue-4.7/series b/queue-4.7/series
index 0bcbfee4115..425a34e0526 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
@@ -27,3 +27,17 @@ xfs-fix-superblock-inprogress-check.patch
 timekeeping-cap-array-access-in-timekeeping_debug.patch
 timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
 xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
+ovl-proper-cleanup-of-workdir.patch
+ovl-don-t-copy-up-opaqueness.patch
+ovl-remove-posix_acl_default-from-workdir.patch
+ovl-listxattr-use-strnlen.patch
+ovl-fix-workdir-creation.patch
+mei-me-disable-driver-on-spt-sps-firmware.patch
+ubifs-fix-xattr-generic-handler-usage.patch
+ubifs-fix-assertion-in-layout_in_gaps.patch
+bdev-fix-null-pointer-dereference.patch
+bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch
+irqchip-mips-gic-cleanup-chip-and-handler-setup.patch
+irqchip-mips-gic-implement-activate-op-for-device-domain.patch
+vhost-scsi-fix-reuse-of-vq-iov-in-response.patch
+x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch
diff --git a/queue-4.7/ubifs-fix-assertion-in-layout_in_gaps.patch b/queue-4.7/ubifs-fix-assertion-in-layout_in_gaps.patch
new file mode 100644
index 00000000000..dac98df9bcc
--- /dev/null
+++ b/queue-4.7/ubifs-fix-assertion-in-layout_in_gaps.patch
@@ -0,0 +1,40 @@
+From c0082e985fdf77b02fc9e0dac3b58504dcf11b7a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Vincent=20Stehl=C3=A9?=
+Date: Fri, 12 Aug 2016 15:26:30 +0200
+Subject: ubifs: Fix assertion in layout_in_gaps()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vincent Stehlé
+
+commit c0082e985fdf77b02fc9e0dac3b58504dcf11b7a upstream.
+
+An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
+below the maximum bound. When computing this maximum bound the idx_lebs
+count is multiplied by sizeof(int), while C pointers arithmetic does take
+into account the size of the pointed elements implicitly already. Remove
+the multiplication to fix the assertion.
+
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Signed-off-by: Vincent Stehlé
+Cc: Artem Bityutskiy
+Signed-off-by: Artem Bityutskiy
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/tnc_commit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ubifs/tnc_commit.c
++++ b/fs/ubifs/tnc_commit.c
+@@ -370,7 +370,7 @@ static int layout_in_gaps(struct ubifs_i
+
+ p = c->gap_lebs;
+ do {
+- ubifs_assert(p < c->gap_lebs + sizeof(int) * c->lst.idx_lebs);
++ ubifs_assert(p < c->gap_lebs + c->lst.idx_lebs);
+ written = layout_leb_in_gaps(c, p);
+ if (written < 0) {
+ err = written;
diff --git a/queue-4.7/ubifs-fix-xattr-generic-handler-usage.patch b/queue-4.7/ubifs-fix-xattr-generic-handler-usage.patch
new file mode 100644
index 00000000000..97c2dd1cbcd
--- /dev/null
+++ b/queue-4.7/ubifs-fix-xattr-generic-handler-usage.patch
@@ -0,0 +1,44 @@
+From 17ce1eb0b64eb27d4f9180daae7495fa022c7b0d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Sun, 31 Jul 2016 21:42:23 +0200
+Subject: ubifs: Fix xattr generic handler usage
+
+From: Richard Weinberger
+
+commit 17ce1eb0b64eb27d4f9180daae7495fa022c7b0d upstream.
+
+UBIFS uses full names to work with xattrs, therefore we have to use
+xattr_full_name() to obtain the xattr prefix as string.
+
+Cc: Andreas Gruenbacher
+Fixes: 2b88fc21ca ("ubifs: Switch to generic xattr handlers")
+Signed-off-by: Richard Weinberger
+Reviewed-by: Andreas Gruenbacher
+Tested-by: Dongsheng Yang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/xattr.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -575,7 +575,8 @@ static int ubifs_xattr_get(const struct
+ dbg_gen("xattr '%s', ino %lu ('%pd'), buf size %zd", name,
+ inode->i_ino, dentry, size);
+
+- return __ubifs_getxattr(inode, name, buffer, size);
++ name = xattr_full_name(handler, name);
++ return __ubifs_getxattr(inode, name, buffer, size);
+ }
+
+ static int ubifs_xattr_set(const struct xattr_handler *handler,
+@@ -586,6 +587,8 @@ static int ubifs_xattr_set(const struct
+ dbg_gen("xattr '%s', host ino %lu ('%pd'), size %zd",
+ name, inode->i_ino, dentry, size);
+
++ name = xattr_full_name(handler, name);
++
+ if (value)
+ return __ubifs_setxattr(inode, name, value, size, flags);
+ else
diff --git a/queue-4.7/vhost-scsi-fix-reuse-of-vq-iov-in-response.patch b/queue-4.7/vhost-scsi-fix-reuse-of-vq-iov-in-response.patch
new file mode 100644
index 00000000000..7cd217915b4
--- /dev/null
+++ b/queue-4.7/vhost-scsi-fix-reuse-of-vq-iov-in-response.patch
@@ -0,0 +1,53 @@
+From a77ec83a57890240c546df00ca5df1cdeedb1cc3 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington
+Date: Mon, 6 Jun 2016 18:07:59 -0400
+Subject: vhost/scsi: fix reuse of &vq->iov[out] in response
+
+From: Benjamin Coddington
+
+commit a77ec83a57890240c546df00ca5df1cdeedb1cc3 upstream.
+
+The address of the iovec &vq->iov[out] is not guaranteed to contain the scsi
+command's response iovec throughout the lifetime of the command. Rather, it
+is more likely to contain an iovec from an immediately following command
+after looping back around to vhost_get_vq_desc(). Pass along the iovec
+entirely instead.
+
+Fixes: 79c14141a487 ("vhost/scsi: Convert completion path to use copy_to_iter")
+Signed-off-by: Benjamin Coddington
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/scsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -88,7 +88,7 @@ struct vhost_scsi_cmd {
+ struct scatterlist *tvc_prot_sgl;
+ struct page **tvc_upages;
+ /* Pointer to response header iovec */
+- struct iovec *tvc_resp_iov;
++ struct iovec tvc_resp_iov;
+ /* Pointer to vhost_scsi for our device */
+ struct vhost_scsi *tvc_vhost;
+ /* Pointer to vhost_virtqueue for the cmd */
+@@ -547,7 +547,7 @@ static void vhost_scsi_complete_cmd_work
+ memcpy(v_rsp.sense, cmd->tvc_sense_buf,
+ se_cmd->scsi_sense_length);
+
+- iov_iter_init(&iov_iter, READ, cmd->tvc_resp_iov,
++ iov_iter_init(&iov_iter, READ, &cmd->tvc_resp_iov,
+ cmd->tvc_in_iovs, sizeof(v_rsp));
+ ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter);
+ if (likely(ret == sizeof(v_rsp))) {
+@@ -1044,7 +1044,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *
+ }
+ cmd->tvc_vhost = vs;
+ cmd->tvc_vq = vq;
+- cmd->tvc_resp_iov = &vq->iov[out];
++ cmd->tvc_resp_iov = vq->iov[out];
+ cmd->tvc_in_iovs = in;
+
+ pr_debug("vhost_scsi got command opcode: %#02x, lun: %d\n",
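Review bot: After this change `iov_iter_init()` in `vhost_scsi_complete_cmd_work()` is given the address of the single embedded `tvc_resp_iov` but still `cmd->tvc_in_iovs` as the segment count. Only one `struct iovec` is copied in `vhost_scsi_handle_vq()` (`cmd->tvc_resp_iov = vq->iov[out];`), so if that first segment is shorter than `sizeof(v_rsp)` the iterator would presumably advance into whatever follows the field instead of a second iovec. Either check `cmd->tvc_resp_iov.iov_len >= sizeof(v_rsp)` before the copy or keep copies of all `in` iovecs. The comment above the field, `/* Pointer to response header iovec */`, is also stale now that the field holds a copy; `/* Copy of the response header iovec */` would match.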
diff --git a/queue-4.7/x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch b/queue-4.7/x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch
new file mode 100644
index 00000000000..f4f2d68eda4
--- /dev/null
+++ b/queue-4.7/x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch
@@ -0,0 +1,45 @@
+From 2e63ad4bd5dd583871e6602f9d398b9322d358d9 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li
+Date: Tue, 23 Aug 2016 20:07:19 +0800
+Subject: x86/apic: Do not init irq remapping if ioapic is disabled
+
+From: Wanpeng Li
+
+commit 2e63ad4bd5dd583871e6602f9d398b9322d358d9 upstream.
+
+native_smp_prepare_cpus
+ -> default_setup_apic_routing
+ -> enable_IR_x2apic
+ -> irq_remapping_prepare
+ -> intel_prepare_irq_remapping
+ -> intel_setup_irq_remapping
+
+So IR table is setup even if "noapic" boot parameter is added. As a result we
+crash later when the interrupt affinity is set due to a half initialized
+remapping infrastructure.
+
+Prevent remap initialization when IOAPIC is disabled.
+
+Signed-off-by: Wanpeng Li
+Cc: Peter Zijlstra
+Cc: Joerg Roedel
+Link: http://lkml.kernel.org/r/1471954039-3942-1-git-send-email-wanpeng.li@hotmail.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/apic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1597,6 +1597,9 @@ void __init enable_IR_x2apic(void)
+ unsigned long flags;
+ int ret, ir_stat;
+
++ if (skip_ioapic_setup)
++ return;
++
+ ir_stat = irq_remapping_prepare();
+ if (ir_stat < 0 && !x2apic_supported())
+ return;
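Review bot: The new early return in `enable_IR_x2apic()` carries no comment, so the reason for it (interrupt remapping left half initialized when booting with "noapic") lives only in the commit message. A line such as `/* noapic: skip IR setup, it would be left half initialized */` above `if (skip_ioapic_setup)` would keep that next to the code. Judging by the function name the rest of the body also deals with x2apic, so the comment should say whether skipping that part too is intended; the body continues outside the hunk.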