From 4ef37369275e3a673d0886988889b7f9ce014f3f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 17 Oct 2015 16:57:42 -0700 Subject: [PATCH] 4.2-stable patches added patches: dcache-handle-escaped-paths-in-prepend_path.patch mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch mmc-core-fix-dead-loop-of-mmc_retune.patch vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch --- ...handle-escaped-paths-in-prepend_path.patch | 64 +++++++++++ ...or-cd-wp-gpios-when-gpiolib-is-unset.patch | 48 ++++++++ ...mmc-core-fix-dead-loop-of-mmc_retune.patch | 41 +++++++ queue-4.2/series | 4 + ...-are-unreachable-from-their-mnt_root.patch | 108 ++++++++++++++++++ 5 files changed, 265 insertions(+) create mode 100644 queue-4.2/dcache-handle-escaped-paths-in-prepend_path.patch create mode 100644 queue-4.2/mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch create mode 100644 queue-4.2/mmc-core-fix-dead-loop-of-mmc_retune.patch create mode 100644 queue-4.2/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch diff --git a/queue-4.2/dcache-handle-escaped-paths-in-prepend_path.patch b/queue-4.2/dcache-handle-escaped-paths-in-prepend_path.patch new file mode 100644 index 00000000000..48278dd523f --- /dev/null +++ b/queue-4.2/dcache-handle-escaped-paths-in-prepend_path.patch @@ -0,0 +1,64 @@ +From cde93be45a8a90d8c264c776fab63487b5038a65 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sat, 15 Aug 2015 13:36:12 -0500 +Subject: dcache: Handle escaped paths in prepend_path + +From: "Eric W. Biederman" + +commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream. + +A rename can result in a dentry that by walking up d_parent +will never reach it's mnt_root. For lack of a better term +I call this an escaped path. + +prepend_path is called by four different functions __d_path, +d_absolute_path, d_path, and getcwd. + +__d_path only wants to see paths are connected to the root it passes +in. So __d_path needs prepend_path to return an error. + +d_absolute_path similarly wants to see paths that are connected to +some root. Escaped paths are not connected to any mnt_root so +d_absolute_path needs prepend_path to return an error greater +than 1. So escaped paths will be treated like paths on lazily +unmounted mounts. + +getcwd needs to prepend "(unreachable)" so getcwd also needs +prepend_path to return an error. + +d_path is the interesting hold out. d_path just wants to print +something, and does not care about the weird cases. Which raises +the question what should be printed? + +Given that / should result in -ENOENT I +believe it is desirable for escaped paths to be printed as empty +paths. As there are not really any meaninful path components when +considered from the perspective of a mount tree. + +So tweak prepend_path to return an empty path with an new error +code of 3 when it encounters an escaped path. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2926,6 +2926,13 @@ restart: + + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) { + struct mount *parent = ACCESS_ONCE(mnt->mnt_parent); ++ /* Escaped? */ ++ if (dentry != vfsmnt->mnt_root) { ++ bptr = *buffer; ++ blen = *buflen; ++ error = 3; ++ break; ++ } + /* Global root? */ + if (mnt != parent) { + dentry = ACCESS_ONCE(mnt->mnt_mountpoint); diff --git a/queue-4.2/mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch b/queue-4.2/mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch new file mode 100644 index 00000000000..1bfee62f2b9 --- /dev/null +++ b/queue-4.2/mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch @@ -0,0 +1,48 @@ +From 43934ece2ea72c1dd279c0b0478c1a036d5d77ee Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Mon, 14 Sep 2015 12:18:55 +0200 +Subject: mmc: core: Don't return an error for CD/WP GPIOs when GPIOLIB is unset + +From: Ulf Hansson + +commit 43934ece2ea72c1dd279c0b0478c1a036d5d77ee upstream. + +When CONFIG_GPIOLIB is unset, its stubs will return -ENOSYS. That means +when the mmc core parses DT for CD/WP GPIOs via mmc_of_parse(), -ENOSYS +becomes propagated to the caller. Typically this means that the mmc host +driver fails to probe. + +As the CD/WP GPIOs are already treated as optional, let's extend that to +cover the case when CONFIG_GPIOLIB is unset. + +Reported-by: Michal Simek +Fixes: 16b23787fc70 ("mmc: sdhci-of-arasan: Call OF parsing for MMC") +Signed-off-by: Ulf Hansson +Tested-by: Michal Simek +Acked-by: Venu Byravarasu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/host.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/core/host.c ++++ b/drivers/mmc/core/host.c +@@ -457,7 +457,7 @@ int mmc_of_parse(struct mmc_host *host) + 0, &cd_gpio_invert); + if (!ret) + dev_info(host->parent, "Got CD GPIO\n"); +- else if (ret != -ENOENT) ++ else if (ret != -ENOENT && ret != -ENOSYS) + return ret; + + /* +@@ -481,7 +481,7 @@ int mmc_of_parse(struct mmc_host *host) + ret = mmc_gpiod_request_ro(host, "wp", 0, false, 0, &ro_gpio_invert); + if (!ret) + dev_info(host->parent, "Got WP GPIO\n"); +- else if (ret != -ENOENT) ++ else if (ret != -ENOENT && ret != -ENOSYS) + return ret; + + if (of_property_read_bool(np, "disable-wp")) diff --git a/queue-4.2/mmc-core-fix-dead-loop-of-mmc_retune.patch b/queue-4.2/mmc-core-fix-dead-loop-of-mmc_retune.patch new file mode 100644 index 00000000000..00fc9f27957 --- /dev/null +++ b/queue-4.2/mmc-core-fix-dead-loop-of-mmc_retune.patch @@ -0,0 +1,41 @@ +From 031277d4d33d33f0174fbb569ca8f68238175617 Mon Sep 17 00:00:00 2001 +From: Chaotian Jing +Date: Wed, 30 Sep 2015 17:37:18 +0800 +Subject: mmc: core: fix dead loop of mmc_retune + +From: Chaotian Jing + +commit 031277d4d33d33f0174fbb569ca8f68238175617 upstream. + +When get a CRC error, start the mmc_retune, it will issue CMD19/CMD21 +to do tune, assume there were 10 clock phase need to try, phase 0 to +phase 6 is ok, phase 7 to phase 9 is NG, we try it from 0 to 9, so +the last CMD19/CMD21 will get CRC error, host->need_retune was set and +cause mmc_retune was called, then dead loop of mmc_retune + +Signed-off-by: Chaotian Jing +Acked-by: Adrian Hunter +Fixes: bd11e8bd03ca ("mmc: core: Flag re-tuning is needed on CRC errors") +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -134,9 +134,11 @@ void mmc_request_done(struct mmc_host *h + int err = cmd->error; + + /* Flag re-tuning needed on CRC errors */ +- if (err == -EILSEQ || (mrq->sbc && mrq->sbc->error == -EILSEQ) || ++ if ((cmd->opcode != MMC_SEND_TUNING_BLOCK && ++ cmd->opcode != MMC_SEND_TUNING_BLOCK_HS200) && ++ (err == -EILSEQ || (mrq->sbc && mrq->sbc->error == -EILSEQ) || + (mrq->data && mrq->data->error == -EILSEQ) || +- (mrq->stop && mrq->stop->error == -EILSEQ)) ++ (mrq->stop && mrq->stop->error == -EILSEQ))) + mmc_retune_needed(host); + + if (err && cmd->retries && mmc_host_is_spi(host)) { diff --git a/queue-4.2/series b/queue-4.2/series index ebc42f3d168..f4dc45d2c87 100644 --- a/queue-4.2/series +++ b/queue-4.2/series @@ -221,3 +221,7 @@ ubi-validate-data_size.patch ubi-return-enospc-if-no-enough-space-available.patch net-via-kconfig-generic_pci_iomap-required-if-pci-not-selected.patch iscsi-target-avoid-ofmarker-ifmarker-negotiation.patch +mmc-core-don-t-return-an-error-for-cd-wp-gpios-when-gpiolib-is-unset.patch +mmc-core-fix-dead-loop-of-mmc_retune.patch +dcache-handle-escaped-paths-in-prepend_path.patch +vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch diff --git a/queue-4.2/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch b/queue-4.2/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch new file mode 100644 index 00000000000..da655fcae6e --- /dev/null +++ b/queue-4.2/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch @@ -0,0 +1,108 @@ +From 397d425dc26da728396e66d392d5dcb8dac30c37 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sat, 15 Aug 2015 20:27:13 -0500 +Subject: vfs: Test for and handle paths that are unreachable from their mnt_root + +From: "Eric W. Biederman" + +commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream. + +In rare cases a directory can be renamed out from under a bind mount. +In those cases without special handling it becomes possible to walk up +the directory tree to the root dentry of the filesystem and down +from the root dentry to every other file or directory on the filesystem. + +Like division by zero .. from an unconnected path can not be given +a useful semantic as there is no predicting at which path component +the code will realize it is unconnected. We certainly can not match +the current behavior as the current behavior is a security hole. + +Therefore when encounting .. when following an unconnected path +return -ENOENT. + +- Add a function path_connected to verify path->dentry is reachable + from path->mnt.mnt_root. AKA to validate that rename did not do + something nasty to the bind mount. + + To avoid races path_connected must be called after following a path + component to it's next path component. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -560,6 +560,24 @@ static int __nd_alloc_stack(struct namei + return 0; + } + ++/** ++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root ++ * @path: nameidate to verify ++ * ++ * Rename can sometimes move a file or directory outside of a bind ++ * mount, path_connected allows those cases to be detected. ++ */ ++static bool path_connected(const struct path *path) ++{ ++ struct vfsmount *mnt = path->mnt; ++ ++ /* Only bind mounts can have disconnected paths */ ++ if (mnt->mnt_root == mnt->mnt_sb->s_root) ++ return true; ++ ++ return is_subdir(path->dentry, mnt->mnt_root); ++} ++ + static inline int nd_alloc_stack(struct nameidata *nd) + { + if (likely(nd->depth != EMBEDDED_LEVELS)) +@@ -1296,6 +1314,8 @@ static int follow_dotdot_rcu(struct name + return -ECHILD; + nd->path.dentry = parent; + nd->seq = seq; ++ if (unlikely(!path_connected(&nd->path))) ++ return -ENOENT; + break; + } else { + struct mount *mnt = real_mount(nd->path.mnt); +@@ -1396,7 +1416,7 @@ static void follow_mount(struct path *pa + } + } + +-static void follow_dotdot(struct nameidata *nd) ++static int follow_dotdot(struct nameidata *nd) + { + if (!nd->root.mnt) + set_root(nd); +@@ -1412,6 +1432,8 @@ static void follow_dotdot(struct nameida + /* rare case of legitimate dget_parent()... */ + nd->path.dentry = dget_parent(nd->path.dentry); + dput(old); ++ if (unlikely(!path_connected(&nd->path))) ++ return -ENOENT; + break; + } + if (!follow_up(&nd->path)) +@@ -1419,6 +1441,7 @@ static void follow_dotdot(struct nameida + } + follow_mount(&nd->path); + nd->inode = nd->path.dentry->d_inode; ++ return 0; + } + + /* +@@ -1634,7 +1657,7 @@ static inline int handle_dots(struct nam + if (nd->flags & LOOKUP_RCU) { + return follow_dotdot_rcu(nd); + } else +- follow_dotdot(nd); ++ return follow_dotdot(nd); + } + return 0; + } -- 2.47.3