Commit graph

43481 commits

Author SHA1 Message Date
Jin Qian
4edbdf57bc f2fs: sanity check segment count
commit b9dd46188edc2f0d1f37328637860bb65a771124 upstream.

F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals 16 * 1024 * 1024 / 2 segments.

Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-14 13:32:59 +02:00
Cong Wang
436188eb04 9p: fix a potential acl leak
commit b5c66bab72a6a65edb15beb60b90d3cb84c5763b upstream.

posix_acl_update_mode() could possibly clear 'acl', if so we leak the
memory pointed to by 'acl'.  Save this pointer before calling
posix_acl_update_mode() and release the memory if 'acl' really gets
cleared.

Link: http://lkml.kernel.org/r/1486678332-2430-1-git-send-email-xiyou.wangcong@gmail.com
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reported-by: Mark Salyzyn <salyzyn@android.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Greg Kurz <groug@kaod.org>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-14 13:32:54 +02:00
Linux Build Service Account
ae4d972f07 Merge "Merge branch 'android-4.4@9796ea8' into branch 'msm-4.4'" 2017-05-11 11:48:48 -07:00
Linux Build Service Account
81c2642f71 Merge "Merge branch 'android-4.4@24ac44d' into branch 'msm-4.4'" 2017-05-10 23:03:33 -07:00
Gao Xiang
21ade37258 ANDROID: sdcardfs: fix sdcardfs_destroy_inode for the inode RCU approach
According to the following commits,
fs: icache RCU free inodes
vfs: fix the stupidity with i_dentry in inode destructors

sdcardfs_destroy_inode should be fixed for the fast path safety.

Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Change-Id: I84f43c599209d23737c7e28b499dd121cb43636d
2017-05-10 17:48:26 +00:00
Blagovest Kolenichev
7e061af6db Merge branch 'android-4.4@9796ea8' into branch 'msm-4.4'
* refs/heads/9796ea8
  Linux 4.4.67
  dm ioctl: prevent stack leak in dm ioctl call
  nfsd: stricter decoding of write-like NFSv2/v3 ops
  nfsd4: minor NFSv2/v3 write decoding cleanup
  ext4/fscrypto: avoid RCU lookup in d_revalidate
  ext4 crypto: use dget_parent() in ext4_d_revalidate()
  ext4 crypto: revalidate dentry after adding or removing the key
  ext4: require encryption feature for EXT4_IOC_SET_ENCRYPTION_POLICY
  IB/ehca: fix maybe-uninitialized warnings
  IB/qib: rename BITS_PER_PAGE to RVT_BITS_PER_PAGE
  netlink: Allow direct reclaim for fallback allocation
  8250_pci: Fix potential use-after-free in error path
  scsi: cxlflash: Improve EEH recovery time
  scsi: cxlflash: Fix to avoid EEH and host reset collisions
  scsi: cxlflash: Scan host only after the port is ready for I/O
  net: tg3: avoid uninitialized variable warning
  mtd: avoid stack overflow in MTD CFI code
  drbd: avoid redefinition of BITS_PER_PAGE
  ALSA: ppc/awacs: shut up maybe-uninitialized warning
  ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
  Handle mismatched open calls
  timerfd: Protect the might cancel mechanism proper
  ANDROID: android-base.cfg: remove USB_OTG_WAKELOCK
  ANDROID: android-base.cfg: remove defunct options
  ANDROID: arm64: suspend: Restore the UAO state
  ANDROID: usb: gadget: f_audio_source: disable the CPU C-states upon playback
  ANDROID: usb: gadget: f_mtp: Set 0xFFFFFFFF in mtp header ContainerLength field

Conflicts:
	drivers/usb/gadget/function/f_mtp.c
	fs/ext4/crypto.c

Change-Id: I408054176798ba49f0b62fb46a3b0d59060d108e
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
2017-05-09 16:50:19 -07:00
Daniel Roseberg
907e828e01 ANDROID: sdcardfs: Don't iput if we didn't igrab
If we fail to get top, top is either NULL, or igrab found
that we're in the process of freeing that inode, and did
not grab it. Either way, we didn't grab it, and have no
business putting it.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 38117720
Change-Id: Ie2f587483b9abb5144263156a443e89bc69b767b
2017-05-09 15:52:14 -07:00
Greg Kroah-Hartman
9796ea8fa0 This is the 4.4.67 stable release

Merge 4.4.67 into android-4.4

Changes in 4.4.67:
	timerfd: Protect the might cancel mechanism proper
	Handle mismatched open calls
	ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
	ALSA: ppc/awacs: shut up maybe-uninitialized warning
	drbd: avoid redefinition of BITS_PER_PAGE
	mtd: avoid stack overflow in MTD CFI code
	net: tg3: avoid uninitialized variable warning
	scsi: cxlflash: Scan host only after the port is ready for I/O
	scsi: cxlflash: Fix to avoid EEH and host reset collisions
	scsi: cxlflash: Improve EEH recovery time
	8250_pci: Fix potential use-after-free in error path
	netlink: Allow direct reclaim for fallback allocation
	IB/qib: rename BITS_PER_PAGE to RVT_BITS_PER_PAGE
	IB/ehca: fix maybe-uninitialized warnings
	ext4: require encryption feature for EXT4_IOC_SET_ENCRYPTION_POLICY
	ext4 crypto: revalidate dentry after adding or removing the key
	ext4 crypto: use dget_parent() in ext4_d_revalidate()
	ext4/fscrypto: avoid RCU lookup in d_revalidate
	nfsd4: minor NFSv2/v3 write decoding cleanup
	nfsd: stricter decoding of write-like NFSv2/v3 ops
	dm ioctl: prevent stack leak in dm ioctl call
	Linux 4.4.67

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-05-08 09:55:31 +02:00
J. Bruce Fields
da1ce38aaa nfsd: stricter decoding of write-like NFSv2/v3 ops
commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream.

The NFSv2/v3 code does not systematically check whether we decode past
the end of the buffer.  This generally appears to be harmless, but there
are a few places where we do arithmetic on the pointers involved and
don't account for the possibility that a length could be negative.  Add
checks to catch these.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:02 +02:00
J. Bruce Fields
35e13333c2 nfsd4: minor NFSv2/v3 write decoding cleanup
commit db44bac41bbfc0c0d9dd943092d8bded3c9db19b upstream.

Use a couple shortcuts that will simplify a following bugfix.

(Minor backporting required to account for a change from f34b95689d
"The NFSv2/NFSv3 server does not handle zero length WRITE requests
correctly".)

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:02 +02:00
Jaegeuk Kim
16fb859f9b ext4/fscrypto: avoid RCU lookup in d_revalidate
commit 03a8bb0e53d9562276045bdfcf2b5de2e4cff5a1 upstream.

As Al pointed out, d_revalidate should return RCU lookup before using d_inode.
This was originally introduced by:
commit 34286d6662 ("fs: rcu-walk aware d_revalidate method").

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:02 +02:00
Theodore Ts'o
41948f88a5 ext4 crypto: use dget_parent() in ext4_d_revalidate()
commit 3d43bcfef5f0548845a425365011c499875491b0 upstream.

This avoids potential problems caused by a race where the inode gets
renamed out from its parent directory and the parent directory is
deleted while ext4_d_revalidate() is running.

Fixes: 28b4c263961c
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:02 +02:00
Theodore Ts'o
2faff9d1df ext4 crypto: revalidate dentry after adding or removing the key
commit 28b4c263961c47da84ed8b5be0b5116bad1133eb upstream.

Add a validation check for dentries for encrypted directory to make
sure we're not caching stale data after a key has been added or removed.

Also check to make sure that status of the encryption key is updated
when readdir(2) is executed.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:02 +02:00
Richard Weinberger
e2968fb8e7 ext4: require encryption feature for EXT4_IOC_SET_ENCRYPTION_POLICY
commit 9a200d075e5d05be1fcad4547a0f8aee4e2f9a04 upstream.

...otherwise a user can enable encryption for certain files even
when the filesystem is unable to support it.
Such a case would be a filesystem created by mkfs.ext4's default
settings, 1KiB block size. Ext4 supports encryption only when block size
is equal to PAGE_SIZE.
But this constraint is only checked when the encryption feature flag
is set.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:02 +02:00
Sachin Prabhu
6c106b55eb Handle mismatched open calls
commit 38bd49064a1ecb67baad33598e3d824448ab11ec upstream.

A signal can interrupt a SendReceive call which results in incoming
responses to the call being ignored. This is a problem for calls such as
open which results in the successful response being ignored. This
results in an open file resource on the server.

The patch looks into responses which were cancelled after being sent and
in case of a successful open closes the open fids.

For this patch, the check is only done in SendReceive2()

RH-bz: 1403319

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:01 +02:00
Thomas Gleixner
911bd54922 timerfd: Protect the might cancel mechanism proper
commit 1e38da300e1e395a15048b0af1e5305bd91402f6 upstream.

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a separate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-08 07:46:01 +02:00
Blagovest Kolenichev
78cf4322e2 Merge branch 'android-4.4@24ac44d' into branch 'msm-4.4'
* refs/heads/tmp-24ac44d
  Linux 4.4.66
  ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
  ARCv2: save r30 on kernel entry as gcc uses it for code-gen
  nfsd: check for oversized NFSv2/v3 arguments
  Input: i8042 - add Clevo P650RS to the i8042 reset list
  p9_client_readdir() fix
  MIPS: Avoid BUG warning in arch_check_elf
  MIPS: KGDB: Use kernel context for sleeping threads
  ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
  ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
  ipv6: check raw payload size correctly in ioctl
  ipv6: check skb->protocol before lookup for nexthop
  macvlan: Fix device ref leak when purging bc_queue
  ip6mr: fix notification device destruction
  netpoll: Check for skb->queue_mapping
  net: ipv6: RTF_PCPU should not be settable from userspace
  dp83640: don't recieve time stamps twice
  tcp: clear saved_syn in tcp_disconnect()
  sctp: listen on the sock only when it's state is listening or closed
  net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
  l2tp: fix PPP pseudo-wire auto-loading
  l2tp: take reference on sessions being dumped
  net/packet: fix overflow in check for tp_reserve
  net/packet: fix overflow in check for tp_frame_nr
  l2tp: purge socket queues in the .destruct() callback
  net: phy: handle state correctly in phy_stop_machine
  net: neigh: guard against NULL solicit() method
  sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write()
  sparc64: kern_addr_valid regression
  xen/x86: don't lose event interrupts
  usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize
  regulator: core: Clear the supply pointer if enabling fails
  RDS: Fix the atomicity for congestion map update
  net_sched: close another race condition in tcf_mirred_release()
  net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata
  MIPS: Fix crash registers on non-crashing CPUs
  md:raid1: fix a dead loop when read from a WriteMostly disk
  ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
  drm/amdgpu: fix array out of bounds
  crypto: testmgr - fix out of bound read in __test_aead()
  clk: sunxi: Add apb0 gates for H3
  ARM: OMAP2+: timer: add probe for clocksources
  xc2028: unlock on error in xc2028_set_config()
  f2fs: do more integrity verification for superblock
  net: pppolac/pppopns: Add back the msg_flags

Conflicts:
	drivers/regulator/core.c

Change-Id: I8e7b279efa442a0338ee735d27ff3ebe866a8dee
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
2017-05-04 13:06:18 -07:00
Linux Build Service Account
66e4265f1d Merge "fs/mbcache: fix use after free issue in mb_cache_shrink_scan()" 2017-05-04 08:45:21 -07:00
Linux Build Service Account
7d2dbd9538 Merge "Merge branch 'android-4.4@e4528dd' into branch 'msm-4.4'" 2017-05-03 23:31:48 -07:00
Sahitya Tummala
d07d314e7d fs/mbcache: fix use after free issue in mb_cache_shrink_scan()
Fix the below potential race between these two contexts -
mb_cache_entry_get() and mb_cache_shrink_scan(), which results
in a use after free issue.

			     task a:
			     mb_cache_shrink_scan()
			       |--if(!list_empty(&mb_cache_lru_list))
				      |--get the ce entry
				      |--list_del_init(&ce->e_lru_list);
				      |--check ce->e_used, ce->e_queued,
					 ce->e_refcnt and continue
				      -> gets preempted here
task b:
ext4_xattr_release_block()
 |--mb_cache_entry_get()
    |--get ce from hlist_bl_for_each_entry()
      |--increment ce->e_used and
         list_del_init(&ce->e_lru_list)
 |--mb_cache_entry_free()
				      |--hlist_bl_lock(ce->e_block_hash_p);
				      -> results into use after free

Also, fix a similar potential race between mb_cache_entry_alloc() and
mb_cache_entry_get() in case cache->c_max_entries is reached.

Change-Id: I01049bae5d914cfb8494ab299ec2e068745d1110
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
2017-05-04 09:41:48 +05:30
Greg Kroah-Hartman
24ac44dc5c This is the 4.4.66 stable release

Merge 4.4.66 into android-4.4

Changes in 4.4.66:
	f2fs: do more integrity verification for superblock
	xc2028: unlock on error in xc2028_set_config()
	ARM: OMAP2+: timer: add probe for clocksources
	clk: sunxi: Add apb0 gates for H3
	crypto: testmgr - fix out of bound read in __test_aead()
	drm/amdgpu: fix array out of bounds
	ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
	md:raid1: fix a dead loop when read from a WriteMostly disk
	MIPS: Fix crash registers on non-crashing CPUs
	net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata
	net_sched: close another race condition in tcf_mirred_release()
	RDS: Fix the atomicity for congestion map update
	regulator: core: Clear the supply pointer if enabling fails
	usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize
	xen/x86: don't lose event interrupts
	sparc64: kern_addr_valid regression
	sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write()
	net: neigh: guard against NULL solicit() method
	net: phy: handle state correctly in phy_stop_machine
	l2tp: purge socket queues in the .destruct() callback
	net/packet: fix overflow in check for tp_frame_nr
	net/packet: fix overflow in check for tp_reserve
	l2tp: take reference on sessions being dumped
	l2tp: fix PPP pseudo-wire auto-loading
	net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
	sctp: listen on the sock only when it's state is listening or closed
	tcp: clear saved_syn in tcp_disconnect()
	dp83640: don't recieve time stamps twice
	net: ipv6: RTF_PCPU should not be settable from userspace
	netpoll: Check for skb->queue_mapping
	ip6mr: fix notification device destruction
	macvlan: Fix device ref leak when purging bc_queue
	ipv6: check skb->protocol before lookup for nexthop
	ipv6: check raw payload size correctly in ioctl
	ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
	ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
	MIPS: KGDB: Use kernel context for sleeping threads
	MIPS: Avoid BUG warning in arch_check_elf
	p9_client_readdir() fix
	Input: i8042 - add Clevo P650RS to the i8042 reset list
	nfsd: check for oversized NFSv2/v3 arguments
	ARCv2: save r30 on kernel entry as gcc uses it for code-gen
	ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
	Linux 4.4.66

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-05-03 08:50:11 -07:00
J. Bruce Fields
82a0d8aabe nfsd: check for oversized NFSv2/v3 arguments
commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-02 21:19:56 -07:00
Theodore Ts'o
28320756e7 ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.

We aren't checking to see if the in-inode extended attribute is
corrupted before we try to expand the inode's extra isize fields.

This can lead to potential crashes caused by the BUG_ON() check in
ext4_xattr_shift_entries().

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-02 21:19:48 -07:00
Chao Yu
716bcfeb12 f2fs: do more integrity verification for superblock
commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e upstream.

Do more sanity checks for superblock during ->mount.

Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-05-02 21:19:47 -07:00
Linux Build Service Account
79fecc9a9a Merge "fs: ecryptfs: Cache to be cleared after file write" 2017-05-02 19:30:26 -07:00
Blagovest Kolenichev
95a027ead7 Merge branch 'android-4.4@e4528dd' into branch 'msm-4.4'
* refs/heads/tmp-e4528dd:
  Linux 4.4.65
  perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
  ping: implement proper locking
  staging/android/ion : fix a race condition in the ion driver
  vfio/pci: Fix integer overflows, bitmask check
  tipc: check minimum bearer MTU
  netfilter: nfnetlink: correctly validate length of batch messages
  xc2028: avoid use after free
  mnt: Add a per mount namespace limit on the number of mounts
  tipc: fix socket timer deadlock
  tipc: fix random link resets while adding a second bearer
  gfs2: avoid uninitialized variable warning
  hostap: avoid uninitialized variable use in hfa384x_get_rid
  tty: nozomi: avoid a harmless gcc warning
  tipc: correct error in node fsm
  tipc: re-enable compensation for socket receive buffer double counting
  tipc: make dist queue pernet
  tipc: make sure IPv6 header fits in skb headroom
  ANDROID: uid_sys_stats: fix access of task_uid(task)
  BACKPORT: f2fs: sanity check log_blocks_per_seg
  Linux 4.4.64
  tipc: fix crash during node removal
  block: fix del_gendisk() vs blkdev_ioctl crash
  x86, pmem: fix broken __copy_user_nocache cache-bypass assumptions
  hv: don't reset hv_context.tsc_page on crash
  Drivers: hv: balloon: account for gaps in hot add regions
  Drivers: hv: balloon: keep track of where ha_region starts
  Tools: hv: kvp: ensure kvp device fd is closed on exec
  kvm: arm/arm64: Fix locking for kvm_free_stage2_pgd
  x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
  powerpc/kprobe: Fix oops when kprobed on 'stdu' instruction
  ubi/upd: Always flush after prepared for an update
  mac80211: reject ToDS broadcast data frames
  mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card
  ACPI / power: Avoid maybe-uninitialized warning
  Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
  VSOCK: Detach QP check should filter out non matching QPs.
  Drivers: hv: vmbus: Reduce the delay between retries in vmbus_post_msg()
  Drivers: hv: get rid of timeout in vmbus_open()
  Drivers: hv: don't leak memory in vmbus_establish_gpadl()
  s390/mm: fix CMMA vs KSM vs others
  CIFS: remove bad_network_name flag
  cifs: Do not send echoes before Negotiate is complete
  ring-buffer: Have ring_buffer_iter_empty() return true when empty
  tracing: Allocate the snapshot buffer before enabling probe
  KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
  KEYS: Change the name of the dead type to ".dead" to prevent user access
  KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
  ANDROID: sdcardfs: Call lower fs's revalidate
  ANDROID: sdcardfs: Avoid setting GIDs outside of valid ranges
  ANDROID: sdcardfs: Copy meta-data from lower inode
  Revert "Revert "Android: sdcardfs: Don't do d_add for lower fs""
  ANDROID: sdcardfs: Use filesystem specific hash
  ANDROID: AVB error handler to invalidate vbmeta partition.
  ANDROID: Update init/do_mounts_dm.c to the latest ChromiumOS version.
  Revert "[RFC]cgroup: Change from CAP_SYS_NICE to CAP_SYS_RESOURCE for cgroup migration permissions"

Conflicts:
	drivers/md/Makefile

Change-Id: I8f5ed53cb8b6cc66914f10c6ac820003b87b8759
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
2017-05-02 06:40:36 -07:00
Neeraj Soni
fb40987526 fs: ecryptfs: Cache to be cleared after file write
This ensures that caches are maintained and no stale
data is present.

Change-Id: Ie8e92197a5a4179d422a523d3d6dad48bdf0b5d2
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
2017-05-02 15:32:48 +05:30
Greg Kroah-Hartman
e4528dd775 This is the 4.4.65 stable release

Merge 4.4.65 into android-4.4

Changes in 4.4.65:
	tipc: make sure IPv6 header fits in skb headroom
	tipc: make dist queue pernet
	tipc: re-enable compensation for socket receive buffer double counting
	tipc: correct error in node fsm
	tty: nozomi: avoid a harmless gcc warning
	hostap: avoid uninitialized variable use in hfa384x_get_rid
	gfs2: avoid uninitialized variable warning
	tipc: fix random link resets while adding a second bearer
	tipc: fix socket timer deadlock
	mnt: Add a per mount namespace limit on the number of mounts
	xc2028: avoid use after free
	netfilter: nfnetlink: correctly validate length of batch messages
	tipc: check minimum bearer MTU
	vfio/pci: Fix integer overflows, bitmask check
	staging/android/ion : fix a race condition in the ion driver
	ping: implement proper locking
	perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
	Linux 4.4.65

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-04-30 07:30:52 +02:00
Eric W. Biederman
c50fd34e10 mnt: Add a per mount namespace limit on the number of mounts
commit d29216842a85c7970c536108e093963f02714498 upstream.

CAI Qian <caiqian@redhat.com> pointed out that the semantics
of shared subtrees make it possible to create an exponentially
increasing number of mounts in a mount namespace.

    mkdir /tmp/1 /tmp/2
    mount --make-rshared /
    for i in $(seq 1 20) ; do mount --bind /tmp/1 /tmp/2 ; done

Will create 2^20 or 1048576 mounts, which is a practical problem
as some people have managed to hit this by accident.

As such CVE-2016-6213 was assigned.

Ian Kent <raven@themaw.net> described the situation for autofs users
as follows:

> The number of mounts for direct mount maps is usually not very large because of
> the way they are implemented, large direct mount maps can have performance
> problems. There can be anywhere from a few (likely case a few hundred) to less
> than 10000, plus mounts that have been triggered and not yet expired.
>
> Indirect mounts have one autofs mount at the root plus the number of mounts that
> have been triggered and not yet expired.
>
> The number of autofs indirect map entries can range from a few to the common
> case of several thousand and in rare cases up to between 30000 and 50000. I've
> not heard of people with maps larger than 50000 entries.
>
> The larger the number of map entries the greater the possibility for a large
> number of active mounts so it's not hard to expect cases of a 1000 or somewhat
> more active mounts.

So I am setting the default number of mounts allowed per mount
namespace at 100,000.  This is more than enough for any use case I
know of, but small enough to quickly stop an exponential increase
in mounts.  Which should be perfect to catch misconfigurations and
malfunctioning programs.

For anyone who needs a higher limit this can be changed by writing
to the new /proc/sys/fs/mount-max sysctl.

Tested-by: CAI Qian <caiqian@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-30 05:49:28 +02:00
Arnd Bergmann
d39cb4a597 gfs2: avoid uninitialized variable warning
commit 67893f12e5374bbcaaffbc6e570acbc2714ea884 upstream.

We get a bogus warning about a potential uninitialized variable
use in gfs2, because the compiler does not figure out that we
never use the leaf number if get_leaf_nr() returns an error:

fs/gfs2/dir.c: In function 'get_first_leaf':
fs/gfs2/dir.c:802:9: warning: 'leaf_no' may be used uninitialized in this function [-Wmaybe-uninitialized]
fs/gfs2/dir.c: In function 'dir_split_leaf':
fs/gfs2/dir.c:1021:8: warning: 'leaf_no' may be used uninitialized in this function [-Wmaybe-uninitialized]

Changing the 'if (!error)' to 'if (!IS_ERR_VALUE(error))' is
sufficient to let gcc understand that this is exactly the same
condition as in IS_ERR() so it can optimize the code path enough
to understand it.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-30 05:49:28 +02:00
Linux Build Service Account
6c740e8f93 Merge "Merge branch 'android-4.4@b834e92' into branch 'msm-4.4'" 2017-04-28 22:10:46 -07:00
Linux Build Service Account
e81c2469a3 Merge "fs/dcache: Fix indefinite wait in d_invalidate()" 2017-04-27 16:52:22 -07:00
Jin Qian
3f0531e577 BACKPORT: f2fs: sanity check log_blocks_per_seg
f2fs currently only supports 4KB block size and 2MB segment size.
Sanity check log_blocks_per_seg == 9, i.e. 2MB/4KB = (1 << 9)

Partially
(cherry-picked from commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e)

f2fs: do more integrity verification for superblock

Do more sanity checks for superblock during ->mount.

Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

Bug: 36817013
Change-Id: I0be52e54fba82083068337ceb9f7ad985a87319f
Signed-off-by: Jin Qian <jinqian@google.com>
2017-04-27 18:10:16 +00:00
Linux Build Service Account
86dc30eade Merge "Merge branch 'android-4.4@c71ad0f' into branch 'msm-4.4'" 2017-04-27 07:06:52 -07:00
Greg Kroah-Hartman
e9cf0f69b7 This is the 4.4.64 stable release

Merge 4.4.64 into android-4.4

Changes in 4.4.64:
	KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
	KEYS: Change the name of the dead type to ".dead" to prevent user access
	KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
	tracing: Allocate the snapshot buffer before enabling probe
	ring-buffer: Have ring_buffer_iter_empty() return true when empty
	cifs: Do not send echoes before Negotiate is complete
	CIFS: remove bad_network_name flag
	s390/mm: fix CMMA vs KSM vs others
	Drivers: hv: don't leak memory in vmbus_establish_gpadl()
	Drivers: hv: get rid of timeout in vmbus_open()
	Drivers: hv: vmbus: Reduce the delay between retries in vmbus_post_msg()
	VSOCK: Detach QP check should filter out non matching QPs.
	Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled
	ACPI / power: Avoid maybe-uninitialized warning
	mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card
	mac80211: reject ToDS broadcast data frames
	ubi/upd: Always flush after prepared for an update
	powerpc/kprobe: Fix oops when kprobed on 'stdu' instruction
	x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
	kvm: arm/arm64: Fix locking for kvm_free_stage2_pgd
	Tools: hv: kvp: ensure kvp device fd is closed on exec
	Drivers: hv: balloon: keep track of where ha_region starts
	Drivers: hv: balloon: account for gaps in hot add regions
	hv: don't reset hv_context.tsc_page on crash
	x86, pmem: fix broken __copy_user_nocache cache-bypass assumptions
	block: fix del_gendisk() vs blkdev_ioctl crash
	tipc: fix crash during node removal
	Linux 4.4.64

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-04-27 10:07:57 +02:00
Germano Percossi
859d615b5b CIFS: remove bad_network_name flag
commit a0918f1ce6a43ac980b42b300ec443c154970979 upstream.

STATUS_BAD_NETWORK_NAME can be received during node failover,
causing the flag to be set and making the reconnect thread
always unsuccessful, thereafter.

Once the only place where it is set is removed, the remaining
bits are rendered moot.

Removing it does not prevent "mount" from failing when a
non-existent share is passed.

What happens when the share really ceases to exist while the
share is mounted is undefined now as much as it was before.

Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-27 09:09:32 +02:00
Sachin Prabhu
f8fe51c865 cifs: Do not send echoes before Negotiate is complete
commit 62a6cfddcc0a5313e7da3e8311ba16226fe0ac10 upstream.

commit 4fcd1813e640 ("Fix reconnect to not defer smb3 session reconnect
long after socket reconnect") added support for Negotiate requests to
be initiated by echo calls.

To avoid delays in calling echo after a reconnect, I added the patch
introduced by the commit b8c600120fc8 ("Call echo service immediately
after socket reconnect").

This has however caused a regression with cifs shares which do not have
support for echo calls to trigger Negotiate requests. On connections
which need to call Negotiation, the echo calls trigger an error which
triggers a reconnect which in turn triggers another echo call. This
results in a loop which is only broken when an operation is performed on
the cifs share. For an idle share, it can DOS a server.

The patch uses the smb_operation can_echo() for cifs so that it is
called only if the connection has already been set up.

kernel bz: 194531

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Jonathan Liu <net147@gmail.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-27 09:09:31 +02:00
Daniel Rosenberg
b878b26010 ANDROID: sdcardfs: Call lower fs's revalidate
We should be calling the lower filesystem's revalidate
inside of sdcardfs's revalidate, as wrapfs does.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 35766959
Change-Id: I939d1c4192fafc1e21678aeab43fe3d588b8e2f4
2017-04-26 16:56:28 -07:00
Daniel Rosenberg
33fddbee41 ANDROID: sdcardfs: Avoid setting GIDs outside of valid ranges
When setting up the ownership of files on the lower filesystem,
ensure that these values are in reasonable ranges for apps. If
they aren't, default to AID_MEDIA_RW

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 37516160
Change-Id: I0bec76a61ac72aff0b993ab1ad04be8382178a00
2017-04-26 16:56:27 -07:00
Daniel Rosenberg
46d925efcc ANDROID: sdcardfs: Copy meta-data from lower inode
From wrapfs commit 3ee9b365e38c ("Wrapfs: properly copy meta-data after
AIO operations from lower inode")

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 35766959
Change-Id: I9a789222e27a17b8d85ce61c45397d1839f9a675
2017-04-26 16:56:27 -07:00
Daniel Rosenberg
b4840d3bba Revert "Revert "Android: sdcardfs: Don't do d_add for lower fs""
This reverts commit ffa75fdb9c408f49b9622b6d55752ed99ff61488.

Turns out we just needed the right hash.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 37231161
Change-Id: I6a6de7f7df99ad42b20fa062913b219f64020c31
2017-04-26 16:56:26 -07:00
Daniel Rosenberg
0f3b6e26eb ANDROID: sdcardfs: Use filesystem specific hash
We weren't accounting for FS specific hash functions,
causing us to miss negative dentries for any FS that
had one.

Similar to a patch from esdfs
commit 75bd25a9476d ("esdfs: support lower's own hash")

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Change-Id: I32d1ba304d728e0ca2648cacfb4c2e441ae63608
2017-04-26 16:56:25 -07:00
Blagovest Kolenichev
d877e94313 Merge branch 'android-4.4@b834e92' into branch 'msm-4.4'
* refs/heads/tmp-b834e92
  Revert "USB: gadget: u_ether: Fix data stall issue in RNDIS tethering mode"
  Linux 4.4.63
  MIPS: fix Select HAVE_IRQ_EXIT_ON_IRQ_STACK patch.
  sctp: deny peeloff operation on asocs with threads sleeping on it
  net: ipv6: check route protocol when deleting routes
  tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done
  SUNRPC: fix refcounting problems with auth_gss messages.
  ibmveth: calculate gso_segs for large packets
  catc: Use heap buffer for memory size test
  catc: Combine failure cleanup code in catc_probe()
  rtl8150: Use heap buffers for all register access
  pegasus: Use heap buffers for all register access
  virtio-console: avoid DMA from stack
  dvb-usb-firmware: don't do DMA on stack
  dvb-usb: don't use stack for firmware load
  mm: Tighten x86 /dev/mem with zeroing reads
  rtc: tegra: Implement clock handling
  platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event
  ext4: fix inode checksum calculation problem if i_extra_size is small
  dvb-usb-v2: avoid use-after-free
  ath9k: fix NULL pointer dereference
  crypto: ahash - Fix EINPROGRESS notification callback
  powerpc: Disable HFSCR[TM] if TM is not supported
  zram: do not use copy_page with non-page aligned address
  kvm: fix page struct leak in handle_vmon
  Revert "MIPS: Lantiq: Fix cascaded IRQ setup"
  char: lack of bool string made CONFIG_DEVPORT always on
  char: Drop bogus dependency of DEVPORT on !M68K
  ftrace: Fix removing of second function probe
  irqchip/irq-imx-gpcv2: Fix spinlock initialization
  libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat
  xen, fbfront: fix connecting to backend
  scsi: sd: Fix capacity calculation with 32-bit sector_t
  scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
  scsi: sr: Sanity check returned mode data
  iscsi-target: Drop work-around for legacy GlobalSAN initiator
  iscsi-target: Fix TMR reference leak during session shutdown
  acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison)
  x86/vdso: Plug race between mapping and ELF header setup
  x86/vdso: Ensure vdso32_enabled gets set to valid values only
  perf/x86: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
  Input: xpad - add support for Razer Wildcat gamepad
  CIFS: store results of cifs_reopen_file to avoid infinite wait
  drm/nouveau/mmu/nv4a: use nv04 mmu rather than the nv44 one
  drm/nouveau/mpeg: mthd returns true on success now
  thp: fix MADV_DONTNEED vs clear soft dirty race
  cgroup, kthread: close race window where new kthreads can be migrated to non-root cgroups
  ANDROID: uid_sys_stats: reduce update_io_stats overhead
  UPSTREAM: char: lack of bool string made CONFIG_DEVPORT always on
  UPSTREAM: char: Drop bogus dependency of DEVPORT on !M68K
  Revert "Android: sdcardfs: Don't do d_add for lower fs"
  ANDROID: usb: gadget: fix MTP enumeration issue under super speed mode
  Android: sdcardfs: Don't complain in fixup_lower_ownership
  Android: sdcardfs: Don't do d_add for lower fs
  ANDROID: sdcardfs: ->iget fixes
  Android: sdcardfs: Change cache GID value
  BACKPORT: [UPSTREAM] ext2: convert to mbcache2
  BACKPORT [UPSTREAM] ext4: convert to mbcache2
  BACKPORT: [UPSTREAM] mbcache2: reimplement mbcache
  Linux 4.4.62
  ibmveth: set correct gso_size and gso_type
  net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions
  net/mlx4_core: Fix racy CQ (Completion Queue) free
  net/mlx4_en: Fix bad WQE issue
  usb: hub: Wait for connection to be reestablished after port reset
  blk-mq: Avoid memory reclaim when remapping queues
  net/packet: fix overflow in check for priv area size
  crypto: caam - fix RNG deinstantiation error checking
  MIPS: IRQ Stack: Fix erroneous jal to plat_irq_dispatch
  MIPS: Select HAVE_IRQ_EXIT_ON_IRQ_STACK
  MIPS: Switch to the irq_stack in interrupts
  MIPS: Only change $28 to thread_info if coming from user mode
  MIPS: Stack unwinding while on IRQ stack
  MIPS: Introduce irq_stack
  mtd: bcm47xxpart: fix parsing first block after aligned TRX
  usb: dwc3: gadget: delay unmap of bounced requests
  drm/i915: Stop using RP_DOWN_EI on Baytrail
  drm/i915: Avoid tweaking evaluation thresholds on Baytrail v3
  UPSTREAM: net: socket: Make unnecessarily global sockfs_setattr() static
  UPSTREAM: net: ipv4: Don't crash if passing a null sk to ip_do_redirect.
  UPSTREAM: net/packet: fix overflow in check for priv area size
  Linux 4.4.61
  mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
  MIPS: Flush wrong invalid FTLB entry for huge page
  MIPS: Lantiq: fix missing xbar kernel panic
  MIPS: End spinlocks with .insn
  MIPS: ralink: Fix typos in rt3883 pinctrl
  MIPS: Force o32 fp64 support on 32bit MIPS64r6 kernels
  s390/uaccess: get_user() should zero on failure (again)
  s390/decompressor: fix initrd corruption caused by bss clear
  nios2: reserve boot memory for device tree
  powerpc: Don't try to fix up misaligned load-with-reservation instructions
  powerpc/mm: Add missing global TLB invalidate if cxl is active
  metag/usercopy: Add missing fixups
  metag/usercopy: Fix src fixup in from user rapf loops
  metag/usercopy: Set flags before ADDZ
  metag/usercopy: Zero rest of buffer from copy_from_user
  metag/usercopy: Add early abort to copy_to_user
  metag/usercopy: Fix alignment error checking
  metag/usercopy: Drop unused macros
  ring-buffer: Fix return value check in test_ringbuffer()
  ptrace: fix PTRACE_LISTEN race corrupting task->state
  Reset TreeId to zero on SMB2 TREE_CONNECT
  iio: bmg160: reset chip when probing
  arm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region
  arm/arm64: KVM: Take mmap_sem in stage2_unmap_vm
  staging: android: ashmem: lseek failed due to no FMODE_LSEEK.
  sysfs: be careful of error returns from ops->show()
  drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
  drm/vmwgfx: Remove getparam error message
  drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
  drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
  drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
  drm/vmwgfx: Type-check lookups of fence objects
  Revert "Revert "Revert "CHROMIUM: android: binder: Fix potential scheduling-while-atomic"""
  ANDROID: sdcardfs: Directly pass lower file for mmap
  UPSTREAM: checkpatch: special audit for revert commit line
  UPSTREAM: PM / sleep: make PM notifiers called symmetrically
  Revert "Revert "CHROMIUM: android: binder: Fix potential scheduling-while-atomic""
  Linux 4.4.60
  padata: avoid race in reordering
  blk: Ensure users for current->bio_list can see the full list.
  blk: improve order of bio handling in generic_make_request()
  power: reset: at91-poweroff: timely shutdown LPDDR memories
  KVM: kvm_io_bus_unregister_dev() should never fail
  rtc: s35390a: improve irq handling
  rtc: s35390a: implement reset routine as suggested by the reference
  rtc: s35390a: make sure all members in the output are set
  rtc: s35390a: fix reading out alarm
  MIPS: Lantiq: Fix cascaded IRQ setup
  mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd()
  drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
  KVM: x86: clear bus pointer when destroyed
  USB: fix linked-list corruption in rh_call_control()
  tty/serial: atmel: fix TX path in atmel_console_write()
  tty/serial: atmel: fix race condition (TX+DMA)
  ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
  ACPI: Fix incompatibility with mcount-based function graph tracing
  ASoC: atmel-classd: fix audio clock rate
  ALSA: hda - fix a problem for lineout on a Dell AIO machine
  ALSA: seq: Fix race during FIFO resize
  scsi: libsas: fix ata xfer length
  scsi: sg: check length passed to SG_NEXT_CMD_LEN
  scsi: mpt3sas: fix hang on ata passthrough commands
  xen/setup: Don't relocate p2m over existing one
  libceph: force GFP_NOIO for socket allocations
  Linux 4.4.59
  sched/rt: Add a missing rescheduling point
  fscrypt: remove broken support for detecting keyring key revocation
  metag/ptrace: Reject partial NT_METAG_RPIPE writes
  metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
  metag/ptrace: Preserve previous registers for short regset write
  sparc/ptrace: Preserve previous registers for short regset write
  mips/ptrace: Preserve previous registers for short regset write
  h8300/ptrace: Fix incorrect register transfer count
  c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
  pinctrl: qcom: Don't clear status bit on irq_unmask
  virtio_balloon: init 1st buffer in stats vq
  xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
  xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
  xfrm: policy: init locks early

Conflicts:
	drivers/scsi/sd.c
	drivers/usb/gadget/function/f_mtp.c
	drivers/usb/gadget/function/u_ether.c

Change-Id: I80501cf02d04204f8c0f3a7f5a036eaa4d54546e
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
2017-04-25 12:51:55 -07:00
Sahitya Tummala
cd6afb3e4b fs/dcache: Fix indefinite wait in d_invalidate()
In the path of task exit, the proc dentries corresponding to this
task will be killed by moving it to a shrink list. If those dentries
are already claimed by another task for shrinking, the exiting
task waits in a tight loop until those dentries are killed. This can
potentially result in a deadlock if those dentries are corresponding
to an RT task but the task which is shrinking those dentries is a
lower priority task. Fix this by not doing a tight loop if our dentries
are claimed by another task.

Change-Id: If6848521469db7dea2bbba0dbaf8597094716267
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
2017-04-25 09:15:18 +05:30
Linux Build Service Account
5e10c8152d Merge "ANDROID: fix acl leaks" 2017-04-24 06:47:50 -07:00
Linux Build Service Account
0fc565ebdb Merge "FROMLIST: 9p: fix a potential acl leak" 2017-04-21 17:57:35 -07:00
Mark Salyzyn
1cfb211346 ANDROID: fix acl leaks
Fixes regressions associated with commit 073931017b49
("posix_acl: Clear SGID bit when setting file permissions")

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32458736
Change-Id: I6ee127dfdf3594d24ccd8560541ac554c5b05eb6
[d-cagle@codeaurora.org: Resolve merge conflicts]
Git-repo: https://android.googlesource.com/kernel/msm/
Git-commit: 74d0e4d3d96d0ca82d39635318a69d55e966b767
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2017-04-21 11:11:43 -07:00
Cong Wang
bea6f1c779 FROMLIST: 9p: fix a potential acl leak
(https://lkml.org/lkml/2016/12/13/579)

posix_acl_update_mode() could possibly clear 'acl', if so
we leak the memory pointed by 'acl'. Save this pointer
before calling posix_acl_update_mode() and release the memory
if 'acl' really gets cleared.

Reported-by: Mark Salyzyn <salyzyn@android.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Greg Kurz <groug@kaod.org>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Bug: 32458736
Change-Id: Ia78da401e6fd1bfd569653bd2cd0ebd3f9c737a0
Git-repo: https://android.googlesource.com/kernel/msm/
Git-commit: 7c780387c931f63fe67830c817f65c1272512bb1
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2017-04-21 11:09:12 -07:00
Greg Kroah-Hartman
29fa724a09 This is the 4.4.63 stable release

Merge 4.4.63 into android-4.4

Changes in 4.4.63:
	cgroup, kthread: close race window where new kthreads can be migrated to non-root cgroups
	thp: fix MADV_DONTNEED vs clear soft dirty race
	drm/nouveau/mpeg: mthd returns true on success now
	drm/nouveau/mmu/nv4a: use nv04 mmu rather than the nv44 one
	CIFS: store results of cifs_reopen_file to avoid infinite wait
	Input: xpad - add support for Razer Wildcat gamepad
	perf/x86: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32()
	x86/vdso: Ensure vdso32_enabled gets set to valid values only
	x86/vdso: Plug race between mapping and ELF header setup
	acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison)
	iscsi-target: Fix TMR reference leak during session shutdown
	iscsi-target: Drop work-around for legacy GlobalSAN initiator
	scsi: sr: Sanity check returned mode data
	scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
	scsi: sd: Fix capacity calculation with 32-bit sector_t
	xen, fbfront: fix connecting to backend
	libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat
	irqchip/irq-imx-gpcv2: Fix spinlock initialization
	ftrace: Fix removing of second function probe
	char: Drop bogus dependency of DEVPORT on !M68K
	char: lack of bool string made CONFIG_DEVPORT always on
	Revert "MIPS: Lantiq: Fix cascaded IRQ setup"
	kvm: fix page struct leak in handle_vmon
	zram: do not use copy_page with non-page aligned address
	powerpc: Disable HFSCR[TM] if TM is not supported
	crypto: ahash - Fix EINPROGRESS notification callback
	ath9k: fix NULL pointer dereference
	dvb-usb-v2: avoid use-after-free
	ext4: fix inode checksum calculation problem if i_extra_size is small
	platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event
	rtc: tegra: Implement clock handling
	mm: Tighten x86 /dev/mem with zeroing reads
	dvb-usb: don't use stack for firmware load
	dvb-usb-firmware: don't do DMA on stack
	virtio-console: avoid DMA from stack
	pegasus: Use heap buffers for all register access
	rtl8150: Use heap buffers for all register access
	catc: Combine failure cleanup code in catc_probe()
	catc: Use heap buffer for memory size test
	ibmveth: calculate gso_segs for large packets
	SUNRPC: fix refcounting problems with auth_gss messages.
	tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done
	net: ipv6: check route protocol when deleting routes
	sctp: deny peeloff operation on asocs with threads sleeping on it
	MIPS: fix Select HAVE_IRQ_EXIT_ON_IRQ_STACK patch.
	Linux 4.4.63

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2017-04-21 09:47:01 +02:00
Daeho Jeong
51f8d95c89 ext4: fix inode checksum calculation problem if i_extra_size is small
commit 05ac5aa18abd7db341e54df4ae2b4c98ea0e43b7 upstream.

We've fixed the race condition problem in calculating ext4 checksum
value in commit b47820edd163 ("ext4: avoid modifying checksum fields
directly during checksum verification"). However, by this change,
when calculating the checksum value of inode whose i_extra_size is
less than 4, we couldn't calculate the checksum value in a proper way.
This problem was found and reported by Nix. Thank you.

Reported-by: Nix <nix@esperi.org.uk>
Signed-off-by: Daeho Jeong <daeho.jeong@samsung.com>
Signed-off-by: Youngjin Gil <youngjin.gil@samsung.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-21 09:30:07 +02:00