From ce68cc46640aae13b3206586276206feb7d4db8b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 7 Nov 2016 17:39:50 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
	ubifs-abort-readdir-upon-error.patch
	ubifs-fix-regression-in-ubifs_readdir.patch
---
 queue-4.4/series                              |  2 +
 .../ubifs-abort-readdir-upon-error.patch      | 59 +++++++++++++++++++
 ...bifs-fix-regression-in-ubifs_readdir.patch | 42 +++++++++++++
 3 files changed, 103 insertions(+)
 create mode 100644 queue-4.4/ubifs-abort-readdir-upon-error.patch
 create mode 100644 queue-4.4/ubifs-fix-regression-in-ubifs_readdir.patch

diff --git a/queue-4.4/series b/queue-4.4/series
index 1870c6d7867..aaa70b9c584 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -16,3 +16,5 @@ alsa-hda-fix-headset-mic-detection-problem-for-two-dell-laptops.patch
 android-binder-add-strong-ref-checks.patch
 android-binder-clear-binder-and-cookie-when-setting-handle-in-flat-binder-struct.patch
 btrfs-fix-races-on-root_log_ctx-lists.patch
+ubifs-abort-readdir-upon-error.patch
+ubifs-fix-regression-in-ubifs_readdir.patch
diff --git a/queue-4.4/ubifs-abort-readdir-upon-error.patch b/queue-4.4/ubifs-abort-readdir-upon-error.patch
new file mode 100644
index 00000000000..3159ea12b6e
--- /dev/null
+++ b/queue-4.4/ubifs-abort-readdir-upon-error.patch
@@ -0,0 +1,59 @@
+From c83ed4c9dbb358b9e7707486e167e940d48bfeed Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 19 Oct 2016 12:43:07 +0200
+Subject: ubifs: Abort readdir upon error
+
+From: Richard Weinberger <richard@nod.at>
+
+commit c83ed4c9dbb358b9e7707486e167e940d48bfeed upstream.
+
+If UBIFS is facing an error while walking a directory, it reports this
+error and ubifs_readdir() returns the error code. But the VFS readdir
+logic does not make the getdents system call fail in all cases. When the
+readdir cursor indicates that more entries are present, the system call
+will just return and the libc wrapper will try again since it also
+knows that more entries are present.
+This causes the libc wrapper to busy loop for ever when a directory is
+corrupted on UBIFS.
+A common approach do deal with corrupted directory entries is
+skipping them by setting the cursor to the next entry. On UBIFS this
+approach is not possible since we cannot compute the next directory
+entry cursor position without reading the current entry. So all we can
+do is setting the cursor to the "no more entries" position and make
+getdents exit.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/dir.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -350,7 +350,7 @@ static unsigned int vfs_dent_type(uint8_
+  */
+ static int ubifs_readdir(struct file *file, struct dir_context *ctx)
+ {
+-	int err;
++	int err = 0;
+ 	struct qstr nm;
+ 	union ubifs_key key;
+ 	struct ubifs_dent_node *dent;
+@@ -452,14 +452,12 @@ out:
+ 	kfree(file->private_data);
+ 	file->private_data = NULL;
+ 
+-	if (err != -ENOENT) {
++	if (err != -ENOENT)
+ 		ubifs_err(c, "cannot find next direntry, error %d", err);
+-		return err;
+-	}
+ 
+ 	/* 2 is a special value indicating that there are no more direntries */
+ 	ctx->pos = 2;
+-	return 0;
++	return err;
+ }
+ 
+ /* Free saved readdir() state when the directory is closed */
diff --git a/queue-4.4/ubifs-fix-regression-in-ubifs_readdir.patch b/queue-4.4/ubifs-fix-regression-in-ubifs_readdir.patch
new file mode 100644
index 00000000000..e4ca8288243
--- /dev/null
+++ b/queue-4.4/ubifs-fix-regression-in-ubifs_readdir.patch
@@ -0,0 +1,42 @@
+From a00052a296e54205cf238c75bd98d17d5d02a6db Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 28 Oct 2016 11:49:03 +0200
+Subject: ubifs: Fix regression in ubifs_readdir()
+
+From: Richard Weinberger <richard@nod.at>
+
+commit a00052a296e54205cf238c75bd98d17d5d02a6db upstream.
+
+Commit c83ed4c9dbb35 ("ubifs: Abort readdir upon error") broke
+overlayfs support because the fix exposed an internal error
+code to VFS.
+
+Reported-by: Peter Rosin <peda@axentia.se>
+Tested-by: Peter Rosin <peda@axentia.se>
+Reported-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
+Tested-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
+Fixes: c83ed4c9dbb35 ("ubifs: Abort readdir upon error")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/dir.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -454,6 +454,14 @@ out:
+ 
+ 	if (err != -ENOENT)
+ 		ubifs_err(c, "cannot find next direntry, error %d", err);
++	else
++		/*
++		 * -ENOENT is a non-fatal error in this context, the TNC uses
++		 * it to indicate that the cursor moved past the current directory
++		 * and readdir() has to stop.
++		 */
++		err = 0;
++
+ 
+ 	/* 2 is a special value indicating that there are no more direntries */
+ 	ctx->pos = 2;
-- 
2.47.3