From af9e3165f182b26fd5f296c6761d3f9999fa25ce Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 10 Oct 2017 20:16:36 +0200 Subject: [PATCH] 4.9-stable patches added patches: brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch brcmfmac-setup-passive-scan-if-requested-by-user-space.patch drm-i915-bios-ignore-hdmi-on-port-a.patch ext4-don-t-allow-encrypted-operations-without-keys.patch ext4-don-t-clear-sgid-when-inheriting-acls.patch ext4-fix-data-corruption-for-mmap-writes.patch f2fs-don-t-allow-encrypted-operations-without-keys.patch mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch vfs-deny-copy_file_range-for-non-regular-files.patch --- ...heck-in-brcmf_cfg80211_escan_handler.patch | 71 ++++++++ ...sive-scan-if-requested-by-user-space.patch | 85 +++++++++ .../drm-i915-bios-ignore-hdmi-on-port-a.patch | 48 +++++ ...ow-encrypted-operations-without-keys.patch | 54 ++++++ ...on-t-clear-sgid-when-inheriting-acls.patch | 77 ++++++++ ...-fix-data-corruption-for-mmap-writes.patch | 61 +++++++ ...ow-encrypted-operations-without-keys.patch | 50 ++++++ ...gth-selection-when-selecting-hs400es.patch | 83 +++++++++ ...i-bus-address-for-data-queues-in-cmb.patch | 86 +++++++++ ...m-fix-cpuset-vs.-suspend-resume-bugs.patch | 170 ++++++++++++++++++ queue-4.9/series | 11 ++ ...opy_file_range-for-non-regular-files.patch | 45 +++++ 12 files changed, 841 insertions(+) create mode 100644 queue-4.9/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch create mode 100644 queue-4.9/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch create mode 100644 queue-4.9/drm-i915-bios-ignore-hdmi-on-port-a.patch create mode 100644 queue-4.9/ext4-don-t-allow-encrypted-operations-without-keys.patch create mode 100644 queue-4.9/ext4-don-t-clear-sgid-when-inheriting-acls.patch create mode 100644 queue-4.9/ext4-fix-data-corruption-for-mmap-writes.patch create mode 100644 
queue-4.9/f2fs-don-t-allow-encrypted-operations-without-keys.patch create mode 100644 queue-4.9/mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch create mode 100644 queue-4.9/nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch create mode 100644 queue-4.9/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch create mode 100644 queue-4.9/vfs-deny-copy_file_range-for-non-regular-files.patch diff --git a/queue-4.9/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch b/queue-4.9/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch new file mode 100644 index 00000000000..898930f68c4 --- /dev/null +++ b/queue-4.9/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch 
@@ -0,0 +1,71 @@ +From 17df6453d4be17910456e99c5a85025aa1b7a246 Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Tue, 12 Sep 2017 10:47:53 +0200 +Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler() + +From: Arend Van Spriel + +commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream. + +Upon handling the firmware notification for scans the length was +checked properly and may result in corrupting kernel heap memory +due to buffer overruns. This fix addresses CVE-2017-0786. + +Cc: Kevin Cernekee +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 ++++++++++-- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -3097,6 +3097,7 @@ brcmf_cfg80211_escan_handler(struct brcm + struct brcmf_cfg80211_info *cfg = ifp->drvr->config; + s32 status; + struct brcmf_escan_result_le *escan_result_le; ++ u32 escan_buflen; + struct brcmf_bss_info_le *bss_info_le; + struct brcmf_bss_info_le *bss = NULL; + u32 bi_length; +@@ -3113,11 +3114,23 @@ brcmf_cfg80211_escan_handler(struct brcm + + if (status == BRCMF_E_STATUS_PARTIAL) { + brcmf_dbg(SCAN, "ESCAN Partial result\n"); ++ if (e->datalen < sizeof(*escan_result_le)) { ++ brcmf_err("invalid event data length\n"); ++ goto exit; ++ } + escan_result_le = (struct brcmf_escan_result_le *) data; + if (!escan_result_le) { + brcmf_err("Invalid escan result (NULL pointer)\n"); + goto exit; + } ++ escan_buflen = le32_to_cpu(escan_result_le->buflen); ++ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE || ++ escan_buflen > e->datalen || ++ escan_buflen < sizeof(*escan_result_le)) { ++ brcmf_err("Invalid escan buffer length: %d\n", ++ escan_buflen); ++ goto exit; ++ } + if 
(le16_to_cpu(escan_result_le->bss_count) != 1) { + brcmf_err("Invalid bss_count %d: ignoring\n", + escan_result_le->bss_count); +@@ -3134,9 +3147,8 @@ brcmf_cfg80211_escan_handler(struct brcm + } + + bi_length = le32_to_cpu(bss_info_le->length); +- if (bi_length != (le32_to_cpu(escan_result_le->buflen) - +- WL_ESCAN_RESULTS_FIXED_SIZE)) { +- brcmf_err("Invalid bss_info length %d: ignoring\n", ++ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) { ++ brcmf_err("Ignoring invalid bss_info length: %d\n", + bi_length); + goto exit; + } diff --git a/queue-4.9/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch b/queue-4.9/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch new file mode 100644 index 00000000000..5ae06c00a47 --- /dev/null +++ b/queue-4.9/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch 
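Review bot: The new `brcmf_err("Invalid escan buffer length: %d\n", escan_buflen)` prints a `u32` with `%d`, and the reworded bss_info message does the same for `bi_length`, so a firmware-supplied length above INT_MAX is logged as a negative number exactly when the log is needed to triage a malformed event. Use `%u` in both messages. Separately, the subtraction `escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE` is only safe because of the `escan_buflen < sizeof(*escan_result_le)` rejection above it; a one-line comment at that check, such as `/* also guarantees buflen - WL_ESCAN_RESULTS_FIXED_SIZE cannot wrap */`, would keep a later edit from dropping it (this assumes the fixed size is no larger than the struct, which is defined outside the hunk). brcmf_cfg80211_escan_handler() starts and ends outside the hunk.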
@@ -0,0 +1,85 @@ +From 35f62727df0ed8e5e4857e162d94fd46d861f1cf Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Tue, 12 Sep 2017 10:47:54 +0200 +Subject: brcmfmac: setup passive scan if requested by user-space + +From: Arend Van Spriel + +commit 35f62727df0ed8e5e4857e162d94fd46d861f1cf upstream. + +The driver was not properly configuring firmware with regard to the +type of scan. It always performed an active scan even when user-space +was requesting for passive scan, ie. the scan request was done without +any SSIDs specified. + +Reported-by: Huang, Jiangyang +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 19 ++-------- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 5 ++ + 2 files changed, 9 insertions(+), 15 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -978,7 +978,7 @@ static void brcmf_escan_prep(struct brcm + + eth_broadcast_addr(params_le->bssid); + params_le->bss_type = DOT11_BSSTYPE_ANY; +- params_le->scan_type = 0; ++ params_le->scan_type = BRCMF_SCANTYPE_ACTIVE; + params_le->channel_num = 0; + params_le->nprobes = cpu_to_le32(-1); + params_le->active_time = cpu_to_le32(-1); +@@ -986,12 +986,9 @@ static void brcmf_escan_prep(struct brcm + params_le->home_time = cpu_to_le32(-1); + memset(¶ms_le->ssid_le, 0, sizeof(params_le->ssid_le)); + +- /* if request is null exit so it will be all channel broadcast scan */ +- if (!request) +- return; +- + n_ssids = request->n_ssids; + n_channels = request->n_channels; ++ + /* Copy channel array if applicable */ + brcmf_dbg(SCAN, "### List of channelspecs to scan ### %d\n", + n_channels); +@@ -1028,16 +1025,8 @@ static void brcmf_escan_prep(struct brcm + ptr += sizeof(ssid_le); + } + } 
else { +- brcmf_dbg(SCAN, "Broadcast scan %p\n", request->ssids); +- if ((request->ssids) && request->ssids->ssid_len) { +- brcmf_dbg(SCAN, "SSID %s len=%d\n", +- params_le->ssid_le.SSID, +- request->ssids->ssid_len); +- params_le->ssid_le.SSID_len = +- cpu_to_le32(request->ssids->ssid_len); +- memcpy(¶ms_le->ssid_le.SSID, request->ssids->ssid, +- request->ssids->ssid_len); +- } ++ brcmf_dbg(SCAN, "Performing passive scan\n"); ++ params_le->scan_type = BRCMF_SCANTYPE_PASSIVE; + } + /* Adding mask to channel numbers */ + params_le->channel_num = +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +@@ -45,6 +45,11 @@ + #define BRCMF_SCAN_PARAMS_COUNT_MASK 0x0000ffff + #define BRCMF_SCAN_PARAMS_NSSID_SHIFT 16 + ++/* scan type definitions */ ++#define BRCMF_SCANTYPE_DEFAULT 0xFF ++#define BRCMF_SCANTYPE_ACTIVE 0 ++#define BRCMF_SCANTYPE_PASSIVE 1 ++ + /* primary (ie tx) key */ + #define BRCMF_PRIMARY_KEY (1 << 1) + #define DOT11_BSSTYPE_ANY 2 diff --git a/queue-4.9/drm-i915-bios-ignore-hdmi-on-port-a.patch b/queue-4.9/drm-i915-bios-ignore-hdmi-on-port-a.patch new file mode 100644 index 00000000000..faf8c64f2ca --- /dev/null +++ b/queue-4.9/drm-i915-bios-ignore-hdmi-on-port-a.patch 
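Review bot: With the `if (!request) return;` guard removed, `n_ssids = request->n_ssids;` in brcmf_escan_prep() now dereferences `request` unconditionally, so any caller that still passes NULL turns into a kernel NULL-pointer dereference. The callers are outside the hunk; for this 4.9 backport it is worth confirming that none of them can reach here without a request, and then saying so in place of the deleted comment, e.g. `/* request is never NULL here: every caller supplies a scan request */`. If that cannot be shown for the 4.9 tree, keep the guard. The function body continues outside the hunk.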
@@ -0,0 +1,48 @@ +From 2ba7d7e0437127314864238f8bfcb8369d81075c Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Thu, 21 Sep 2017 17:19:20 +0300 +Subject: drm/i915/bios: ignore HDMI on port A +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +commit 2ba7d7e0437127314864238f8bfcb8369d81075c upstream. + +The hardware state readout oopses after several warnings when trying to +use HDMI on port A, if such a combination is configured in VBT. Filter +the combo out already at the VBT parsing phase. + +v2: also ignore DVI (Ville) + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102889 +Cc: Imre Deak +Reviewed-by: Ville Syrjälä +Tested-by: Daniel Drake +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20170921141920.18172-1-jani.nikula@intel.com +(cherry picked from commit d27ffc1d00327c29b3aa97f941b42f0949f9e99f) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_bios.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_bios.c ++++ b/drivers/gpu/drm/i915/intel_bios.c +@@ -1152,6 +1152,13 @@ static void parse_ddi_port(struct drm_i9 + is_hdmi = is_dvi && (child->common.device_type & DEVICE_TYPE_NOT_HDMI_OUTPUT) == 0; + is_edp = is_dp && (child->common.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR); + ++ if (port == PORT_A && is_dvi) { ++ DRM_DEBUG_KMS("VBT claims port A supports DVI%s, ignoring\n", ++ is_hdmi ? "/HDMI" : ""); ++ is_dvi = false; ++ is_hdmi = false; ++ } ++ + info->supports_dvi = is_dvi; + info->supports_hdmi = is_hdmi; + info->supports_dp = is_dp; diff --git a/queue-4.9/ext4-don-t-allow-encrypted-operations-without-keys.patch b/queue-4.9/ext4-don-t-allow-encrypted-operations-without-keys.patch new file mode 100644 index 00000000000..dfd190cd7f8 --- /dev/null +++ b/queue-4.9/ext4-don-t-allow-encrypted-operations-without-keys.patch 
@@ -0,0 +1,54 @@ +From 173b8439e1ba362007315868928bf9d26e5cc5a6 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 28 Dec 2016 00:22:52 -0500 +Subject: ext4: don't allow encrypted operations without keys + +From: Theodore Ts'o + +commit 173b8439e1ba362007315868928bf9d26e5cc5a6 upstream. + +While we allow deletes without the key, the following should not be +permitted: + +# cd /vdc/encrypted-dir-without-key +# ls -l +total 4 +-rw-r--r-- 1 root root 0 Dec 27 22:35 6,LKNRJsp209FbXoSvJWzB +-rw-r--r-- 1 root root 286 Dec 27 22:35 uRJ5vJh9gE7vcomYMqTAyD +# mv uRJ5vJh9gE7vcomYMqTAyD 6,LKNRJsp209FbXoSvJWzB + +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/namei.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3527,6 +3527,12 @@ static int ext4_rename(struct inode *old + EXT4_I(old_dentry->d_inode)->i_projid))) + return -EXDEV; + ++ if ((ext4_encrypted_inode(old_dir) && ++ !fscrypt_has_encryption_key(old_dir)) || ++ (ext4_encrypted_inode(new_dir) && ++ !fscrypt_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + retval = dquot_initialize(old.dir); + if (retval) + return retval; +@@ -3726,6 +3732,12 @@ static int ext4_cross_rename(struct inod + u8 new_file_type; + int retval; + ++ if ((ext4_encrypted_inode(old_dir) && ++ !fscrypt_has_encryption_key(old_dir)) || ++ (ext4_encrypted_inode(new_dir) && ++ !fscrypt_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + if ((ext4_encrypted_inode(old_dir) || + ext4_encrypted_inode(new_dir)) && + (old_dir != new_dir) && diff --git a/queue-4.9/ext4-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.9/ext4-don-t-clear-sgid-when-inheriting-acls.patch new file mode 100644 index 00000000000..a2367685f56 --- /dev/null +++ b/queue-4.9/ext4-don-t-clear-sgid-when-inheriting-acls.patch 
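Review bot: The same four-line key check is pasted into both ext4_rename() and ext4_cross_rename(), and the f2fs patch later in this commit repeats it twice more with `f2fs_encrypted_inode()`; an access-control test copied four times is easy to update in one place and miss in another. A small per-filesystem predicate keeps the rule in one spot and makes each call site a single readable condition. Note also that in ext4_rename() the check sits after the project-ID `-EXDEV` test while in ext4_cross_rename() it is the first statement, so the two paths may report different errors for the same keyless directory; if that ordering is intentional a comment should say so. Both functions start and end outside the hunk.

```c
/* True when dir is encrypted and its key has not been loaded. */
static bool ext4_dir_key_missing(struct inode *dir)
{
	return ext4_encrypted_inode(dir) &&
	       !fscrypt_has_encryption_key(dir);
}

/* ... in ext4_rename() and ext4_cross_rename(), replacing the added block ... */
	if (ext4_dir_key_missing(old_dir) || ext4_dir_key_missing(new_dir))
		return -ENOKEY;
```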
@@ -0,0 +1,77 @@ +From a3bb2d5587521eea6dab2d05326abb0afb460abd Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Sun, 30 Jul 2017 23:33:01 -0400 +Subject: ext4: Don't clear SGID when inheriting ACLs + +From: Jan Kara + +commit a3bb2d5587521eea6dab2d05326abb0afb460abd upstream. + +When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit +set, DIR1 is expected to have SGID bit set (and owning group equal to +the owning group of 'DIR0'). However when 'DIR0' also has some default +ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on +'DIR1' to get cleared if user is not member of the owning group. + +Fix the problem by moving posix_acl_update_mode() out of +__ext4_set_acl() into ext4_set_acl(). That way the function will not be +called when inheriting ACLs which is what we want as it prevents SGID +bit clearing and the mode has been properly set by posix_acl_create() +anyway. + +Fixes: 073931017b49d9458aa351605b43a7e34598caef +Signed-off-by: Theodore Ts'o +Signed-off-by: Jan Kara +Reviewed-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/acl.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/ext4/acl.c ++++ b/fs/ext4/acl.c +@@ -192,13 +192,6 @@ __ext4_set_acl(handle_t *handle, struct + switch (type) { + case ACL_TYPE_ACCESS: + name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS; +- if (acl) { +- error = posix_acl_update_mode(inode, &inode->i_mode, &acl); +- if (error) +- return error; +- inode->i_ctime = ext4_current_time(inode); +- ext4_mark_inode_dirty(handle, inode); +- } + break; + + case ACL_TYPE_DEFAULT: +@@ -231,6 +224,8 @@ ext4_set_acl(struct inode *inode, struct + { + handle_t *handle; + int error, retries = 0; ++ umode_t mode = inode->i_mode; ++ int update_mode = 0; + + retry: + handle = ext4_journal_start(inode, EXT4_HT_XATTR, +@@ -238,7 +233,20 @@ retry: + if (IS_ERR(handle)) + return PTR_ERR(handle); + ++ if ((type == ACL_TYPE_ACCESS) && acl) { ++ error = 
posix_acl_update_mode(inode, &mode, &acl); ++ if (error) ++ goto out_stop; ++ update_mode = 1; ++ } ++ + error = __ext4_set_acl(handle, inode, type, acl); ++ if (!error && update_mode) { ++ inode->i_mode = mode; ++ inode->i_ctime = ext4_current_time(inode); ++ ext4_mark_inode_dirty(handle, inode); ++ } ++out_stop: + ext4_journal_stop(handle); + if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry; diff --git a/queue-4.9/ext4-fix-data-corruption-for-mmap-writes.patch b/queue-4.9/ext4-fix-data-corruption-for-mmap-writes.patch new file mode 100644 index 00000000000..965fd9edb7a --- /dev/null +++ b/queue-4.9/ext4-fix-data-corruption-for-mmap-writes.patch 
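Review bot: `mode` and `update_mode` are initialised above the `retry:` label in ext4_set_acl(), so on the `-ENOSPC` retry the second pass sees the already-adjusted `mode`, whatever `acl` the first `posix_acl_update_mode(inode, &mode, &acl)` call left behind, and an `update_mode` that is never reset. That appears to be what makes the retry still apply the mode change, but it is not obvious from reading the loop, and this is the code that decides whether SGID survives. A comment at the declarations would settle it, for example `/* computed on the first pass and deliberately kept across the ENOSPC retry */`. The tail of the function is outside the hunk.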
@@ -0,0 +1,61 @@ +From a056bdaae7a181f7dcc876cfab2f94538e508709 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 26 May 2017 17:45:45 -0400 +Subject: ext4: fix data corruption for mmap writes + +From: Jan Kara + +commit a056bdaae7a181f7dcc876cfab2f94538e508709 upstream. + +mpage_submit_page() can race with another process growing i_size and +writing data via mmap to the written-back page. As mpage_submit_page() +samples i_size too early, it may happen that ext4_bio_write_page() +zeroes out too large tail of the page and thus corrupts user data. + +Fix the problem by sampling i_size only after the page has been +write-protected in page tables by clear_page_dirty_for_io() call. + +Reported-by: Michael Zimmer +Fixes: cb20d5188366f04d96d2e07b1240cc92170ade40 +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2107,15 +2107,29 @@ static int ext4_writepage(struct page *p + static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page) + { + int len; +- loff_t size = i_size_read(mpd->inode); ++ loff_t size; + int err; + + BUG_ON(page->index != mpd->first_page); ++ clear_page_dirty_for_io(page); ++ /* ++ * We have to be very careful here! Nothing protects writeback path ++ * against i_size changes and the page can be writeably mapped into ++ * page tables. So an application can be growing i_size and writing ++ * data through mmap while writeback runs. clear_page_dirty_for_io() ++ * write-protects our page in page tables and the page cannot get ++ * written to again until we release page lock. So only after ++ * clear_page_dirty_for_io() we are safe to sample i_size for ++ * ext4_bio_write_page() to zero-out tail of the written page. 
We rely ++ * on the barrier provided by TestClearPageDirty in ++ * clear_page_dirty_for_io() to make sure i_size is really sampled only ++ * after page tables are updated. ++ */ ++ size = i_size_read(mpd->inode); + if (page->index == size >> PAGE_SHIFT) + len = size & ~PAGE_MASK; + else + len = PAGE_SIZE; +- clear_page_dirty_for_io(page); + err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc, false); + if (!err) + mpd->wbc->nr_to_write--; diff --git a/queue-4.9/f2fs-don-t-allow-encrypted-operations-without-keys.patch b/queue-4.9/f2fs-don-t-allow-encrypted-operations-without-keys.patch new file mode 100644 index 00000000000..0fbddbe4977 --- /dev/null +++ b/queue-4.9/f2fs-don-t-allow-encrypted-operations-without-keys.patch 
@@ -0,0 +1,50 @@ +From 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Wed, 28 Dec 2016 17:31:15 -0800 +Subject: f2fs: don't allow encrypted operations without keys + +From: Jaegeuk Kim + +commit 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 upstream. + +This patch fixes the renaming bug on encrypted filenames, which was pointed by + + (ext4: don't allow encrypted operations without keys) + +Cc: Theodore Ts'o +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/namei.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -663,6 +663,12 @@ static int f2fs_rename(struct inode *old + bool is_old_inline = f2fs_has_inline_dentry(old_dir); + int err = -ENOENT; + ++ if ((f2fs_encrypted_inode(old_dir) && ++ !fscrypt_has_encryption_key(old_dir)) || ++ (f2fs_encrypted_inode(new_dir) && ++ !fscrypt_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) && + !fscrypt_has_permitted_context(new_dir, old_inode)) { + err = -EPERM; +@@ -843,6 +849,12 @@ static int f2fs_cross_rename(struct inod + int old_nlink = 0, new_nlink = 0; + int err = -ENOENT; + ++ if ((f2fs_encrypted_inode(old_dir) && ++ !fscrypt_has_encryption_key(old_dir)) || ++ (f2fs_encrypted_inode(new_dir) && ++ !fscrypt_has_encryption_key(new_dir))) ++ return -ENOKEY; ++ + if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) && + (old_dir != new_dir) && + (!fscrypt_has_permitted_context(new_dir, old_inode) || diff --git a/queue-4.9/mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch b/queue-4.9/mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch new file mode 100644 index 00000000000..582e4a67fb0 --- /dev/null +++ b/queue-4.9/mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch 
@@ -0,0 +1,83 @@ +From fb458864d9a78cc433fec7979acbe4078c82d7a8 Mon Sep 17 00:00:00 2001 +From: Chanho Min +Date: Tue, 26 Sep 2017 09:03:40 +0900 +Subject: mmc: core: add driver strength selection when selecting hs400es + +From: Chanho Min + +commit fb458864d9a78cc433fec7979acbe4078c82d7a8 upstream. + +The driver strength selection is missed and required when selecting +hs400es. So, It is added here. + +Fixes: 81ac2af65793ecf ("mmc: core: implement enhanced strobe support") +Signed-off-by: Hankyung Yu +Signed-off-by: Chanho Min +Reviewed-by: Adrian Hunter +Reviewed-by: Shawn Lin +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/mmc.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1255,6 +1255,23 @@ out_err: + return err; + } + ++static void mmc_select_driver_type(struct mmc_card *card) ++{ ++ int card_drv_type, drive_strength, drv_type; ++ ++ card_drv_type = card->ext_csd.raw_driver_strength | ++ mmc_driver_type_mask(0); ++ ++ drive_strength = mmc_select_drive_strength(card, ++ card->ext_csd.hs200_max_dtr, ++ card_drv_type, &drv_type); ++ ++ card->drive_strength = drive_strength; ++ ++ if (drv_type) ++ mmc_set_driver_type(card->host, drv_type); ++} ++ + static int mmc_select_hs400es(struct mmc_card *card) + { + struct mmc_host *host = card->host; +@@ -1303,6 +1320,8 @@ static int mmc_select_hs400es(struct mmc + goto out_err; + } + ++ mmc_select_driver_type(card); ++ + /* Switch card to HS400 */ + val = EXT_CSD_TIMING_HS400 | + card->drive_strength << EXT_CSD_DRV_STR_SHIFT; +@@ -1336,23 +1355,6 @@ out_err: + return err; + } + +-static void mmc_select_driver_type(struct mmc_card *card) +-{ +- int card_drv_type, drive_strength, drv_type; +- +- card_drv_type = card->ext_csd.raw_driver_strength | +- mmc_driver_type_mask(0); +- +- drive_strength = mmc_select_drive_strength(card, +- card->ext_csd.hs200_max_dtr, +- 
card_drv_type, &drv_type); +- +- card->drive_strength = drive_strength; +- +- if (drv_type) +- mmc_set_driver_type(card->host, drv_type); +-} +- + /* + * For device supporting HS200 mode, the following sequence + * should be done before executing the tuning process. diff --git a/queue-4.9/nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch b/queue-4.9/nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch new file mode 100644 index 00000000000..3c474abef74 --- /dev/null +++ b/queue-4.9/nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch 
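Review bot: mmc_select_driver_type() is now used on the HS400ES path as well as by its earlier caller (outside the hunk), but it still has no comment and it passes `card->ext_csd.hs200_max_dtr` to mmc_select_drive_strength() regardless of which mode is being selected. If the HS200 limit is the right bound for HS400ES too, say so above the helper, e.g. `/* Pick the driver strength using the HS200 max frequency; also used for HS400ES */`; if it is not, the helper needs a max_dtr parameter. The new call in mmc_select_hs400es() sits in a function that begins and ends outside the hunk.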
@@ -0,0 +1,86 @@ +From 8969f1f8291762c13147c1ba89d46238af01675b Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Sun, 1 Oct 2017 09:37:35 +0200 +Subject: nvme-pci: Use PCI bus address for data/queues in CMB + +From: Christoph Hellwig + +commit 8969f1f8291762c13147c1ba89d46238af01675b upstream. + +Currently, NVMe PCI host driver is programming CMB dma address as +I/O SQs addresses. This results in failures on systems where 1:1 +outbound mapping is not used (example Broadcom iProc SOCs) because +CMB BAR will be progammed with PCI bus address but NVMe PCI EP will +try to access CMB using dma address. + +To have CMB working on systems without 1:1 outbound mapping, we +program PCI bus address for I/O SQs instead of dma address. This +approach will work on systems with/without 1:1 outbound mapping. + +Based on a report and previous patch from Abhishek Shah. + +Fixes: 8ffaadf7 ("NVMe: Use CMB for the IO SQes if available") +Reported-by: Abhishek Shah +Tested-by: Abhishek Shah +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/pci.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -96,7 +96,7 @@ struct nvme_dev { + struct mutex shutdown_lock; + bool subsystem; + void __iomem *cmb; +- dma_addr_t cmb_dma_addr; ++ pci_bus_addr_t cmb_bus_addr; + u64 cmb_size; + u32 cmbsz; + u32 cmbloc; +@@ -1037,7 +1037,7 @@ static int nvme_alloc_sq_cmds(struct nvm + if (qid && dev->cmb && use_cmb_sqes && NVME_CMB_SQS(dev->cmbsz)) { + unsigned offset = (qid - 1) * roundup(SQ_SIZE(depth), + dev->ctrl.page_size); +- nvmeq->sq_dma_addr = dev->cmb_dma_addr + offset; ++ nvmeq->sq_dma_addr = dev->cmb_bus_addr + offset; + nvmeq->sq_cmds_io = dev->cmb + offset; + } else { + nvmeq->sq_cmds = dma_alloc_coherent(dev->dev, SQ_SIZE(depth), +@@ -1343,7 +1343,7 @@ static void __iomem *nvme_map_cmb(struct + resource_size_t bar_size; + struct 
pci_dev *pdev = to_pci_dev(dev->dev); + void __iomem *cmb; +- dma_addr_t dma_addr; ++ int bar; + + dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ); + if (!(NVME_CMB_SZ(dev->cmbsz))) +@@ -1356,7 +1356,8 @@ static void __iomem *nvme_map_cmb(struct + szu = (u64)1 << (12 + 4 * NVME_CMB_SZU(dev->cmbsz)); + size = szu * NVME_CMB_SZ(dev->cmbsz); + offset = szu * NVME_CMB_OFST(dev->cmbloc); +- bar_size = pci_resource_len(pdev, NVME_CMB_BIR(dev->cmbloc)); ++ bar = NVME_CMB_BIR(dev->cmbloc); ++ bar_size = pci_resource_len(pdev, bar); + + if (offset > bar_size) + return NULL; +@@ -1369,12 +1370,11 @@ static void __iomem *nvme_map_cmb(struct + if (size > bar_size - offset) + size = bar_size - offset; + +- dma_addr = pci_resource_start(pdev, NVME_CMB_BIR(dev->cmbloc)) + offset; +- cmb = ioremap_wc(dma_addr, size); ++ cmb = ioremap_wc(pci_resource_start(pdev, bar) + offset, size); + if (!cmb) + return NULL; + +- dev->cmb_dma_addr = dma_addr; ++ dev->cmb_bus_addr = pci_bus_address(pdev, bar) + offset; + dev->cmb_size = size; + return cmb; + } diff --git a/queue-4.9/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch b/queue-4.9/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch new file mode 100644 index 00000000000..b80e1b488b9 --- /dev/null +++ b/queue-4.9/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch 
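Review bot: After this change `nvmeq->sq_dma_addr = dev->cmb_bus_addr + offset;` stores a `pci_bus_addr_t` in a field whose name says DMA address, while the non-CMB branch still fills the same queue from `dma_alloc_coherent()`. The mix is exactly the confusion the patch fixes, so the assignment deserves a comment such as `/* CMB queues: the controller needs the PCI bus address, not a DMA-API handle */`. In nvme_map_cmb() the mapping and the stored address are now derived from two different calls (`pci_resource_start()` for ioremap_wc(), `pci_bus_address()` for `cmb_bus_addr`), which is worth one line of comment as well. Both functions extend beyond the hunks shown.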
@@ -0,0 +1,170 @@ +From 50e76632339d4655859523a39249dd95ee5e93e7 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 7 Sep 2017 11:13:38 +0200 +Subject: sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs + +From: Peter Zijlstra + +commit 50e76632339d4655859523a39249dd95ee5e93e7 upstream. + +Cpusets vs. suspend-resume is _completely_ broken. And it got noticed +because it now resulted in non-cpuset usage breaking too. + +On suspend cpuset_cpu_inactive() doesn't call into +cpuset_update_active_cpus() because it doesn't want to move tasks about, +there is no need, all tasks are frozen and won't run again until after +we've resumed everything. + +But this means that when we finally do call into +cpuset_update_active_cpus() after resuming the last frozen cpu in +cpuset_cpu_active(), the top_cpuset will not have any difference with +the cpu_active_mask and this it will not in fact do _anything_. + +So the cpuset configuration will not be restored. This was largely +hidden because we would unconditionally create identity domains and +mobile users would not in fact use cpusets much. And servers what do use +cpusets tend to not suspend-resume much. + +An addition problem is that we'd not in fact wait for the cpuset work to +finish before resuming the tasks, allowing spurious migrations outside +of the specified domains. + +Fix the rebuild by introducing cpuset_force_rebuild() and fix the +ordering with cpuset_wait_for_hotplug(). + +Reported-by: Andy Lutomirski +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: Andy Lutomirski +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Rafael J. 
Wysocki +Cc: Tejun Heo +Cc: Thomas Gleixner +Fixes: deb7aa308ea2 ("cpuset: reorganize CPU / memory hotplug handling") +Link: http://lkml.kernel.org/r/20170907091338.orwxrqkbfkki3c24@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Mike Galbraith +Signed-off-by: Greg Kroah-Hartman + + +--- + include/linux/cpuset.h | 6 ++++++ + kernel/cpuset.c | 16 +++++++++++++++- + kernel/power/process.c | 5 ++++- + kernel/sched/core.c | 7 +++---- + 4 files changed, 28 insertions(+), 6 deletions(-) + +--- a/include/linux/cpuset.h ++++ b/include/linux/cpuset.h +@@ -55,7 +55,9 @@ static inline void cpuset_dec(void) + + extern int cpuset_init(void); + extern void cpuset_init_smp(void); ++extern void cpuset_force_rebuild(void); + extern void cpuset_update_active_cpus(bool cpu_online); ++extern void cpuset_wait_for_hotplug(void); + extern void cpuset_cpus_allowed(struct task_struct *p, struct cpumask *mask); + extern void cpuset_cpus_allowed_fallback(struct task_struct *p); + extern nodemask_t cpuset_mems_allowed(struct task_struct *p); +@@ -168,11 +170,15 @@ static inline bool cpusets_enabled(void) + static inline int cpuset_init(void) { return 0; } + static inline void cpuset_init_smp(void) {} + ++static inline void cpuset_force_rebuild(void) { } ++ + static inline void cpuset_update_active_cpus(bool cpu_online) + { + partition_sched_domains(1, NULL, NULL); + } + ++static inline void cpuset_wait_for_hotplug(void) { } ++ + static inline void cpuset_cpus_allowed(struct task_struct *p, + struct cpumask *mask) + { +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -2276,6 +2276,13 @@ retry: + mutex_unlock(&cpuset_mutex); + } + ++static bool force_rebuild; ++ ++void cpuset_force_rebuild(void) ++{ ++ force_rebuild = true; ++} ++ + /** + * cpuset_hotplug_workfn - handle CPU/memory hotunplug for a cpuset + * +@@ -2350,8 +2357,10 @@ static void cpuset_hotplug_workfn(struct + } + + /* rebuild sched domains if cpus_allowed has changed */ +- if (cpus_updated) ++ if 
(cpus_updated || force_rebuild) { ++ force_rebuild = false; + rebuild_sched_domains(); ++ } + } + + void cpuset_update_active_cpus(bool cpu_online) +@@ -2370,6 +2379,11 @@ void cpuset_update_active_cpus(bool cpu_ + schedule_work(&cpuset_hotplug_work); + } + ++void cpuset_wait_for_hotplug(void) ++{ ++ flush_work(&cpuset_hotplug_work); ++} ++ + /* + * Keep top_cpuset.mems_allowed tracking node_states[N_MEMORY]. + * Call this routine anytime after node_states[N_MEMORY] changes. +--- a/kernel/power/process.c ++++ b/kernel/power/process.c +@@ -18,8 +18,9 @@ + #include + #include + #include ++#include + +-/* ++/* + * Timeout for stopping processes + */ + unsigned int __read_mostly freeze_timeout_msecs = 20 * MSEC_PER_SEC; +@@ -200,6 +201,8 @@ void thaw_processes(void) + __usermodehelper_set_disable_depth(UMH_FREEZING); + thaw_workqueues(); + ++ cpuset_wait_for_hotplug(); ++ + read_lock(&tasklist_lock); + for_each_process_thread(g, p) { + /* No other threads should have PF_SUSPEND_TASK set */ +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -7292,16 +7292,15 @@ static void cpuset_cpu_active(void) + * operation in the resume sequence, just build a single sched + * domain, ignoring cpusets. + */ +- num_cpus_frozen--; +- if (likely(num_cpus_frozen)) { +- partition_sched_domains(1, NULL, NULL); ++ partition_sched_domains(1, NULL, NULL); ++ if (--num_cpus_frozen) + return; +- } + /* + * This is the last CPU online operation. So fall through and + * restore the original sched domains by considering the + * cpuset configurations. + */ ++ cpuset_force_rebuild(); + } + cpuset_update_active_cpus(true); + } diff --git a/queue-4.9/series b/queue-4.9/series index e4301ae579d..301c4b01797 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
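Review bot: `force_rebuild` in kernel/cpuset.c is a plain `static bool` that cpuset_force_rebuild() sets from the CPU-online path and cpuset_hotplug_workfn() tests and clears from a workqueue, with no lock or `READ_ONCE()`/`WRITE_ONCE()` visible around either access. The scheme presumably relies on `schedule_work()` in cpuset_update_active_cpus() and `flush_work()` in cpuset_wait_for_hotplug() for ordering; that should be written down at the declaration, e.g. `/* set before schedule_work(&cpuset_hotplug_work); consumed only by the work function */`. Without it, a later caller of cpuset_force_rebuild() that does not also queue the work would leave the flag set until some unrelated hotplug event. cpuset_hotplug_workfn() and cpuset_cpu_active() are only partly visible in the hunks.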
@@ -91,3 +91,14 @@ netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch
 iwlwifi-mvm-use-iwl_hcmd_nocopy-for-mcast_filter_cmd.patch
 iwlwifi-add-workaround-to-disable-wide-channels-in-5ghz.patch
 scsi-sd-do-not-override-max_sectors_kb-sysfs-setting.patch
+brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch
+brcmfmac-setup-passive-scan-if-requested-by-user-space.patch
+drm-i915-bios-ignore-hdmi-on-port-a.patch
+nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch
+mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch
+sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch
+vfs-deny-copy_file_range-for-non-regular-files.patch
+ext4-fix-data-corruption-for-mmap-writes.patch
+ext4-don-t-clear-sgid-when-inheriting-acls.patch
+ext4-don-t-allow-encrypted-operations-without-keys.patch
+f2fs-don-t-allow-encrypted-operations-without-keys.patch
diff --git a/queue-4.9/vfs-deny-copy_file_range-for-non-regular-files.patch b/queue-4.9/vfs-deny-copy_file_range-for-non-regular-files.patch
new file mode 100644
index 00000000000..872370913e3
--- /dev/null
+++ b/queue-4.9/vfs-deny-copy_file_range-for-non-regular-files.patch
@@ -0,0 +1,45 @@ +From 11cbfb10775aa2a01cee966d118049ede9d0bdf2 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 31 Jan 2017 10:34:56 +0200 +Subject: vfs: deny copy_file_range() for non regular files + +From: Amir Goldstein + +commit 11cbfb10775aa2a01cee966d118049ede9d0bdf2 upstream. + +There is no in-tree file system that implements copy_file_range() +for non regular files. + +Deny an attempt to copy_file_range() a directory with EISDIR +and any other non regualr file with EINVAL to conform with +behavior of vfs_{clone,dedup}_file_range(). + +This change is needed prior to converting sb_start_write() +to file_start_write() in the vfs helper. + +Cc: linux-api@vger.kernel.org +Cc: Al Viro +Signed-off-by: Amir Goldstein +Reviewed-by: Christoph Hellwig +Signed-off-by: Miklos Szeredi +Cc: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/read_write.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -1518,6 +1518,11 @@ ssize_t vfs_copy_file_range(struct file + if (flags != 0) + return -EINVAL; + ++ if (S_ISDIR(inode_in->i_mode) || S_ISDIR(inode_out->i_mode)) ++ return -EISDIR; ++ if (!S_ISREG(inode_in->i_mode) || !S_ISREG(inode_out->i_mode)) ++ return -EINVAL; ++ + ret = rw_verify_area(READ, file_in, &pos_in, len); + if (unlikely(ret)) + return ret; -- 2.47.3