<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs, branch v3.16.41</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>tmpfs: clear S_ISGID when setting posix ACLs</title>
<updated>2017-02-26T20:01:49+00:00</updated>
<author>
<name>Gu Zheng</name>
<email>guzheng1@huawei.com</email>
</author>
<published>2017-01-09T01:34:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b35e1587153b27e12747137ce7a0df0eb921cd85'/>
<id>b35e1587153b27e12747137ce7a0df0eb921cd85</id>
<content type='text'>
commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.

This change was missed the tmpfs modification in In CVE-2016-7097
commit 073931017b49 ("posix_acl: Clear SGID bit when setting
file permissions")
It can test by xfstest generic/375, which failed to clear
setgid bit in the following test case on tmpfs:

  touch $testfile
  chown 100:100 $testfile
  chmod 2755 $testfile
  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile

Signed-off-by: Gu Zheng &lt;guzheng1@huawei.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.

This change was missed the tmpfs modification in In CVE-2016-7097
commit 073931017b49 ("posix_acl: Clear SGID bit when setting
file permissions")
It can test by xfstest generic/375, which failed to clear
setgid bit in the following test case on tmpfs:

  touch $testfile
  chown 100:100 $testfile
  chmod 2755 $testfile
  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile

Signed-off-by: Gu Zheng &lt;guzheng1@huawei.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: validate s_first_meta_bg at mount time</title>
<updated>2017-02-26T20:01:49+00:00</updated>
<author>
<name>Eryu Guan</name>
<email>guaneryu@gmail.com</email>
</author>
<published>2016-12-01T20:08:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cde863587b6809fdf61ea3c5391ecf06884b5516'/>
<id>cde863587b6809fdf61ea3c5391ecf06884b5516</id>
<content type='text'>
commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.

Ralf Spenneberg reported that he hit a kernel crash when mounting a
modified ext4 image. And it turns out that kernel crashed when
calculating fs overhead (ext4_calculate_overhead()), this is because
the image has very large s_first_meta_bg (debug code shows it's
842150400), and ext4 overruns the memory in count_overhead() when
setting bitmap buffer, which is PAGE_SIZE.

ext4_calculate_overhead():
  buf = get_zeroed_page(GFP_NOFS);  &lt;=== PAGE_SIZE buffer
  blks = count_overhead(sb, i, buf);

count_overhead():
  for (j = ext4_bg_num_gdb(sb, grp); j &gt; 0; j--) { &lt;=== j = 842150400
          ext4_set_bit(EXT4_B2C(sbi, s++), buf);   &lt;=== buffer overrun
          count++;
  }

This can be reproduced easily for me by this script:

  #!/bin/bash
  rm -f fs.img
  mkdir -p /mnt/ext4
  fallocate -l 16M fs.img
  mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
  debugfs -w -R "ssv first_meta_bg 842150400" fs.img
  mount -o loop fs.img /mnt/ext4

Fix it by validating s_first_meta_bg first at mount time, and
refusing to mount if its value exceeds the largest possible meta_bg
number.

Reported-by: Ralf Spenneberg &lt;ralf@os-t.de&gt;
Signed-off-by: Eryu Guan &lt;guaneryu@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Reviewed-by: Andreas Dilger &lt;adilger@dilger.ca&gt;
[bwh: Backported to 3.16: use EXT4_HAS_INCOMPAT_FEATURE()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.

Ralf Spenneberg reported that he hit a kernel crash when mounting a
modified ext4 image. And it turns out that kernel crashed when
calculating fs overhead (ext4_calculate_overhead()), this is because
the image has very large s_first_meta_bg (debug code shows it's
842150400), and ext4 overruns the memory in count_overhead() when
setting bitmap buffer, which is PAGE_SIZE.

ext4_calculate_overhead():
  buf = get_zeroed_page(GFP_NOFS);  &lt;=== PAGE_SIZE buffer
  blks = count_overhead(sb, i, buf);

count_overhead():
  for (j = ext4_bg_num_gdb(sb, grp); j &gt; 0; j--) { &lt;=== j = 842150400
          ext4_set_bit(EXT4_B2C(sbi, s++), buf);   &lt;=== buffer overrun
          count++;
  }

This can be reproduced easily for me by this script:

  #!/bin/bash
  rm -f fs.img
  mkdir -p /mnt/ext4
  fallocate -l 16M fs.img
  mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
  debugfs -w -R "ssv first_meta_bg 842150400" fs.img
  mount -o loop fs.img /mnt/ext4

Fix it by validating s_first_meta_bg first at mount time, and
refusing to mount if its value exceeds the largest possible meta_bg
number.

Reported-by: Ralf Spenneberg &lt;ralf@os-t.de&gt;
Signed-off-by: Eryu Guan &lt;guaneryu@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Reviewed-by: Andreas Dilger &lt;adilger@dilger.ca&gt;
[bwh: Backported to 3.16: use EXT4_HAS_INCOMPAT_FEATURE()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mnt: Add a per mount namespace limit on the number of mounts</title>
<updated>2017-02-26T20:01:48+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2016-09-28T05:27:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b71f455440fd7ed03f088580b3a117352fc815dd'/>
<id>b71f455440fd7ed03f088580b3a117352fc815dd</id>
<content type='text'>
commit d29216842a85c7970c536108e093963f02714498 upstream.

CAI Qian &lt;caiqian@redhat.com&gt; pointed out that the semantics
of shared subtrees make it possible to create an exponentially
increasing number of mounts in a mount namespace.

    mkdir /tmp/1 /tmp/2
    mount --make-rshared /
    for i in $(seq 1 20) ; do mount --bind /tmp/1 /tmp/2 ; done

Will create create 2^20 or 1048576 mounts, which is a practical problem
as some people have managed to hit this by accident.

As such CVE-2016-6213 was assigned.

Ian Kent &lt;raven@themaw.net&gt; described the situation for autofs users
as follows:

&gt; The number of mounts for direct mount maps is usually not very large because of
&gt; the way they are implemented, large direct mount maps can have performance
&gt; problems. There can be anywhere from a few (likely case a few hundred) to less
&gt; than 10000, plus mounts that have been triggered and not yet expired.
&gt;
&gt; Indirect mounts have one autofs mount at the root plus the number of mounts that
&gt; have been triggered and not yet expired.
&gt;
&gt; The number of autofs indirect map entries can range from a few to the common
&gt; case of several thousand and in rare cases up to between 30000 and 50000. I've
&gt; not heard of people with maps larger than 50000 entries.
&gt;
&gt; The larger the number of map entries the greater the possibility for a large
&gt; number of active mounts so it's not hard to expect cases of a 1000 or somewhat
&gt; more active mounts.

So I am setting the default number of mounts allowed per mount
namespace at 100,000.  This is more than enough for any use case I
know of, but small enough to quickly stop an exponential increase
in mounts.  Which should be perfect to catch misconfigurations and
malfunctioning programs.

For anyone who needs a higher limit this can be changed by writing
to the new /proc/sys/fs/mount-max sysctl.

Tested-by: CAI Qian &lt;caiqian@redhat.com&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE() instead of READ_ONCE()
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d29216842a85c7970c536108e093963f02714498 upstream.

CAI Qian &lt;caiqian@redhat.com&gt; pointed out that the semantics
of shared subtrees make it possible to create an exponentially
increasing number of mounts in a mount namespace.

    mkdir /tmp/1 /tmp/2
    mount --make-rshared /
    for i in $(seq 1 20) ; do mount --bind /tmp/1 /tmp/2 ; done

Will create create 2^20 or 1048576 mounts, which is a practical problem
as some people have managed to hit this by accident.

As such CVE-2016-6213 was assigned.

Ian Kent &lt;raven@themaw.net&gt; described the situation for autofs users
as follows:

&gt; The number of mounts for direct mount maps is usually not very large because of
&gt; the way they are implemented, large direct mount maps can have performance
&gt; problems. There can be anywhere from a few (likely case a few hundred) to less
&gt; than 10000, plus mounts that have been triggered and not yet expired.
&gt;
&gt; Indirect mounts have one autofs mount at the root plus the number of mounts that
&gt; have been triggered and not yet expired.
&gt;
&gt; The number of autofs indirect map entries can range from a few to the common
&gt; case of several thousand and in rare cases up to between 30000 and 50000. I've
&gt; not heard of people with maps larger than 50000 entries.
&gt;
&gt; The larger the number of map entries the greater the possibility for a large
&gt; number of active mounts so it's not hard to expect cases of a 1000 or somewhat
&gt; more active mounts.

So I am setting the default number of mounts allowed per mount
namespace at 100,000.  This is more than enough for any use case I
know of, but small enough to quickly stop an exponential increase
in mounts.  Which should be perfect to catch misconfigurations and
malfunctioning programs.

For anyone who needs a higher limit this can be changed by writing
to the new /proc/sys/fs/mount-max sysctl.

Tested-by: CAI Qian &lt;caiqian@redhat.com&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE() instead of READ_ONCE()
 - Adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sysctl: Drop reference added by grab_header in proc_sys_readdir</title>
<updated>2017-02-23T03:54:47+00:00</updated>
<author>
<name>Zhou Chengming</name>
<email>zhouchengming1@huawei.com</email>
</author>
<published>2017-01-06T01:32:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0b66ea3bca021aea839c526d7643df085c5dadbc'/>
<id>0b66ea3bca021aea839c526d7643df085c5dadbc</id>
<content type='text'>
commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream.

Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
added by grab_header when return from !dir_emit_dots path.
It can cause any path called unregister_sysctl_table will
wait forever.

The calltrace of CVE-2016-9191:

[ 5535.960522] Call Trace:
[ 5535.963265]  [&lt;ffffffff817cdaaf&gt;] schedule+0x3f/0xa0
[ 5535.968817]  [&lt;ffffffff817d33fb&gt;] schedule_timeout+0x3db/0x6f0
[ 5535.975346]  [&lt;ffffffff817cf055&gt;] ? wait_for_completion+0x45/0x130
[ 5535.982256]  [&lt;ffffffff817cf0d3&gt;] wait_for_completion+0xc3/0x130
[ 5535.988972]  [&lt;ffffffff810d1fd0&gt;] ? wake_up_q+0x80/0x80
[ 5535.994804]  [&lt;ffffffff8130de64&gt;] drop_sysctl_table+0xc4/0xe0
[ 5536.001227]  [&lt;ffffffff8130de17&gt;] drop_sysctl_table+0x77/0xe0
[ 5536.007648]  [&lt;ffffffff8130decd&gt;] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654]  [&lt;ffffffff8130deff&gt;] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657]  [&lt;ffffffff810f57f5&gt;] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344]  [&lt;ffffffff810d7704&gt;] partition_sched_domains+0x44/0x450
[ 5536.036447]  [&lt;ffffffff817d0761&gt;] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844]  [&lt;ffffffff81167684&gt;] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336]  [&lt;ffffffff8116789d&gt;] update_flag+0x11d/0x210
[ 5536.057373]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186]  [&lt;ffffffff81167acb&gt;] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899]  [&lt;ffffffff810fce3d&gt;] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234]  [&lt;ffffffff8115a9f5&gt;] ? css_killed_work_fn+0x25/0x220
[ 5536.091049]  [&lt;ffffffff81167ae5&gt;] cpuset_css_offline+0x35/0x60
[ 5536.097571]  [&lt;ffffffff8115aa2c&gt;] css_killed_work_fn+0x5c/0x220
[ 5536.104207]  [&lt;ffffffff810bc83f&gt;] process_one_work+0x1df/0x710
[ 5536.110736]  [&lt;ffffffff810bc7c0&gt;] ? process_one_work+0x160/0x710
[ 5536.117461]  [&lt;ffffffff810bce9b&gt;] worker_thread+0x12b/0x4a0
[ 5536.123697]  [&lt;ffffffff810bcd70&gt;] ? process_one_work+0x710/0x710
[ 5536.130426]  [&lt;ffffffff810c3f7e&gt;] kthread+0xfe/0x120
[ 5536.135991]  [&lt;ffffffff817d4baf&gt;] ret_from_fork+0x1f/0x40
[ 5536.142041]  [&lt;ffffffff810c3e80&gt;] ? kthread_create_on_node+0x230/0x230

One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex.  The offlining
ends up trying to drain active usages of a sysctl table which apprently
is not happening."
The real reason is that proc_sys_readdir doesn't drop reference added
by grab_header when return from !dir_emit_dots path. So this cpuset
offline path will wait here forever.

See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13

Fixes: f0c3b5093add ("[readdir] convert procfs")
Reported-by: CAI Qian &lt;caiqian@redhat.com&gt;
Tested-by: Yang Shukui &lt;yangshukui@huawei.com&gt;
Signed-off-by: Zhou Chengming &lt;zhouchengming1@huawei.com&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream.

Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
added by grab_header when return from !dir_emit_dots path.
It can cause any path called unregister_sysctl_table will
wait forever.

The calltrace of CVE-2016-9191:

[ 5535.960522] Call Trace:
[ 5535.963265]  [&lt;ffffffff817cdaaf&gt;] schedule+0x3f/0xa0
[ 5535.968817]  [&lt;ffffffff817d33fb&gt;] schedule_timeout+0x3db/0x6f0
[ 5535.975346]  [&lt;ffffffff817cf055&gt;] ? wait_for_completion+0x45/0x130
[ 5535.982256]  [&lt;ffffffff817cf0d3&gt;] wait_for_completion+0xc3/0x130
[ 5535.988972]  [&lt;ffffffff810d1fd0&gt;] ? wake_up_q+0x80/0x80
[ 5535.994804]  [&lt;ffffffff8130de64&gt;] drop_sysctl_table+0xc4/0xe0
[ 5536.001227]  [&lt;ffffffff8130de17&gt;] drop_sysctl_table+0x77/0xe0
[ 5536.007648]  [&lt;ffffffff8130decd&gt;] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654]  [&lt;ffffffff8130deff&gt;] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657]  [&lt;ffffffff810f57f5&gt;] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344]  [&lt;ffffffff810d7704&gt;] partition_sched_domains+0x44/0x450
[ 5536.036447]  [&lt;ffffffff817d0761&gt;] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844]  [&lt;ffffffff81167684&gt;] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336]  [&lt;ffffffff8116789d&gt;] update_flag+0x11d/0x210
[ 5536.057373]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186]  [&lt;ffffffff81167acb&gt;] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899]  [&lt;ffffffff810fce3d&gt;] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420]  [&lt;ffffffff817cf61f&gt;] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234]  [&lt;ffffffff8115a9f5&gt;] ? css_killed_work_fn+0x25/0x220
[ 5536.091049]  [&lt;ffffffff81167ae5&gt;] cpuset_css_offline+0x35/0x60
[ 5536.097571]  [&lt;ffffffff8115aa2c&gt;] css_killed_work_fn+0x5c/0x220
[ 5536.104207]  [&lt;ffffffff810bc83f&gt;] process_one_work+0x1df/0x710
[ 5536.110736]  [&lt;ffffffff810bc7c0&gt;] ? process_one_work+0x160/0x710
[ 5536.117461]  [&lt;ffffffff810bce9b&gt;] worker_thread+0x12b/0x4a0
[ 5536.123697]  [&lt;ffffffff810bcd70&gt;] ? process_one_work+0x710/0x710
[ 5536.130426]  [&lt;ffffffff810c3f7e&gt;] kthread+0xfe/0x120
[ 5536.135991]  [&lt;ffffffff817d4baf&gt;] ret_from_fork+0x1f/0x40
[ 5536.142041]  [&lt;ffffffff810c3e80&gt;] ? kthread_create_on_node+0x230/0x230

One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex.  The offlining
ends up trying to drain active usages of a sysctl table which apprently
is not happening."
The real reason is that proc_sys_readdir doesn't drop reference added
by grab_header when return from !dir_emit_dots path. So this cpuset
offline path will wait here forever.

See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13

Fixes: f0c3b5093add ("[readdir] convert procfs")
Reported-by: CAI Qian &lt;caiqian@redhat.com&gt;
Tested-by: Yang Shukui &lt;yangshukui@huawei.com&gt;
Signed-off-by: Zhou Chengming &lt;zhouchengming1@huawei.com&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: fix clearing suid, sgid for chown()</title>
<updated>2017-02-23T03:54:43+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2016-12-06T15:18:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a4ab1eeb4f60563209664142185a4969c703f02d'/>
<id>a4ab1eeb4f60563209664142185a4969c703f02d</id>
<content type='text'>
commit c01638f5d919728f565bf8b5e0a6a159642df0d9 upstream.

Basically, the pjdfstests set the ownership of a file to 06555, and then
chowns it (as root) to a new uid/gid. Prior to commit a09f99eddef4 ("fuse:
fix killing s[ug]id in setattr"), fuse would send down a setattr with both
the uid/gid change and a new mode.  Now, it just sends down the uid/gid
change.

Technically this is NOTABUG, since POSIX doesn't _require_ that we clear
these bits for a privileged process, but Linux (wisely) has done that and I
think we don't want to change that behavior here.

This is caused by the use of should_remove_suid(), which will always return
0 when the process has CAP_FSETID.

In fact we really don't need to be calling should_remove_suid() at all,
since we've already been indicated that we should remove the suid, we just
don't want to use a (very) stale mode for that.

This patch should fix the above as well as simplify the logic.

Reported-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Fixes: a09f99eddef4 ("fuse: fix killing s[ug]id in setattr")
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c01638f5d919728f565bf8b5e0a6a159642df0d9 upstream.

Basically, the pjdfstests set the ownership of a file to 06555, and then
chowns it (as root) to a new uid/gid. Prior to commit a09f99eddef4 ("fuse:
fix killing s[ug]id in setattr"), fuse would send down a setattr with both
the uid/gid change and a new mode.  Now, it just sends down the uid/gid
change.

Technically this is NOTABUG, since POSIX doesn't _require_ that we clear
these bits for a privileged process, but Linux (wisely) has done that and I
think we don't want to change that behavior here.

This is caused by the use of should_remove_suid(), which will always return
0 when the process has CAP_FSETID.

In fact we really don't need to be calling should_remove_suid() at all,
since we've already been indicated that we should remove the suid, we just
don't want to use a (very) stale mode for that.

This patch should fix the above as well as simplify the logic.

Reported-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Fixes: a09f99eddef4 ("fuse: fix killing s[ug]id in setattr")
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: sanity check the block and cluster size at mount time</title>
<updated>2017-02-23T03:54:38+00:00</updated>
<author>
<name>Theodore Ts'o</name>
<email>tytso@mit.edu</email>
</author>
<published>2016-11-18T18:00:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=304ad3c9caa7687ecf43125a423b325c0e32fb6f'/>
<id>304ad3c9caa7687ecf43125a423b325c0e32fb6f</id>
<content type='text'>
commit 8cdf3372fe8368f56315e66bea9f35053c418093 upstream.

If the block size or cluster size is insane, reject the mount.  This
is important for security reasons (although we shouldn't be just
depending on this check).

Ref: http://www.securityfocus.com/archive/1/539661
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1332506
Reported-by: Borislav Petkov &lt;bp@alien8.de&gt;
Reported-by: Nikolay Borisov &lt;kernel@kyup.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8cdf3372fe8368f56315e66bea9f35053c418093 upstream.

If the block size or cluster size is insane, reject the mount.  This
is important for security reasons (although we shouldn't be just
depending on this check).

Ref: http://www.securityfocus.com/archive/1/539661
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1332506
Reported-by: Borislav Petkov &lt;bp@alien8.de&gt;
Reported-by: Nikolay Borisov &lt;kernel@kyup.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fuse: fix fuse_write_end() if zero bytes were copied</title>
<updated>2017-02-23T03:54:33+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2016-08-18T07:10:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f578da7993474f470fca4dac8bf562026ff2543c'/>
<id>f578da7993474f470fca4dac8bf562026ff2543c</id>
<content type='text'>
commit 59c3b76cc61d1d676f965c192cc7969aa5cb2744 upstream.

If pos is at the beginning of a page and copied is zero then page is not
zeroed but is marked uptodate.

Fix by skipping everything except unlock/put of page if zero bytes were
copied.

Reported-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Fixes: 6b12c1b37e55 ("fuse: Implement write_begin/write_end callbacks")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 59c3b76cc61d1d676f965c192cc7969aa5cb2744 upstream.

If pos is at the beginning of a page and copied is zero then page is not
zeroed but is marked uptodate.

Fix by skipping everything except unlock/put of page if zero bytes were
copied.

Reported-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Fixes: 6b12c1b37e55 ("fuse: Implement write_begin/write_end callbacks")
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>coredump: fix unfreezable coredumping task</title>
<updated>2017-02-23T03:54:32+00:00</updated>
<author>
<name>Andrey Ryabinin</name>
<email>aryabinin@virtuozzo.com</email>
</author>
<published>2016-11-10T18:46:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=032889978169077fd75f4745fef3d378ed808c07'/>
<id>032889978169077fd75f4745fef3d378ed808c07</id>
<content type='text'>
commit 70d78fe7c8b640b5acfad56ad341985b3810998a upstream.

It could be not possible to freeze coredumping task when it waits for
'core_state-&gt;startup' completion, because threads are frozen in
get_signal() before they got a chance to complete 'core_state-&gt;startup'.

Inability to freeze a task during suspend will cause suspend to fail.
Also CRIU uses cgroup freezer during dump operation.  So with an
unfreezable task the CRIU dump will fail because it waits for a
transition from 'FREEZING' to 'FROZEN' state which will never happen.

Use freezer_do_not_count() to tell freezer to ignore coredumping task
while it waits for core_state-&gt;startup completion.

Link: http://lkml.kernel.org/r/1475225434-3753-1-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin &lt;aryabinin@virtuozzo.com&gt;
Acked-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Acked-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Tejun Heo &lt;tj@kernel.org&gt;
Cc: "Rafael J. Wysocki" &lt;rjw@rjwysocki.net&gt;
Cc: Michal Hocko &lt;mhocko@kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 70d78fe7c8b640b5acfad56ad341985b3810998a upstream.

It could be not possible to freeze coredumping task when it waits for
'core_state-&gt;startup' completion, because threads are frozen in
get_signal() before they got a chance to complete 'core_state-&gt;startup'.

Inability to freeze a task during suspend will cause suspend to fail.
Also CRIU uses cgroup freezer during dump operation.  So with an
unfreezable task the CRIU dump will fail because it waits for a
transition from 'FREEZING' to 'FROZEN' state which will never happen.

Use freezer_do_not_count() to tell freezer to ignore coredumping task
while it waits for core_state-&gt;startup completion.

Link: http://lkml.kernel.org/r/1475225434-3753-1-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin &lt;aryabinin@virtuozzo.com&gt;
Acked-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Acked-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Tejun Heo &lt;tj@kernel.org&gt;
Cc: "Rafael J. Wysocki" &lt;rjw@rjwysocki.net&gt;
Cc: Michal Hocko &lt;mhocko@kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubifs: Fix regression in ubifs_readdir()</title>
<updated>2017-02-23T03:54:24+00:00</updated>
<author>
<name>Richard Weinberger</name>
<email>richard@nod.at</email>
</author>
<published>2016-10-28T09:49:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dba8e88e9827d87f1210c8ae392542508aecbd13'/>
<id>dba8e88e9827d87f1210c8ae392542508aecbd13</id>
<content type='text'>
commit a00052a296e54205cf238c75bd98d17d5d02a6db upstream.

Commit c83ed4c9dbb35 ("ubifs: Abort readdir upon error") broke
overlayfs support because the fix exposed an internal error
code to VFS.

Reported-by: Peter Rosin &lt;peda@axentia.se&gt;
Tested-by: Peter Rosin &lt;peda@axentia.se&gt;
Reported-by: Ralph Sennhauser &lt;ralph.sennhauser@gmail.com&gt;
Tested-by: Ralph Sennhauser &lt;ralph.sennhauser@gmail.com&gt;
Fixes: c83ed4c9dbb35 ("ubifs: Abort readdir upon error")
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a00052a296e54205cf238c75bd98d17d5d02a6db upstream.

Commit c83ed4c9dbb35 ("ubifs: Abort readdir upon error") broke
overlayfs support because the fix exposed an internal error
code to VFS.

Reported-by: Peter Rosin &lt;peda@axentia.se&gt;
Tested-by: Peter Rosin &lt;peda@axentia.se&gt;
Reported-by: Ralph Sennhauser &lt;ralph.sennhauser@gmail.com&gt;
Tested-by: Ralph Sennhauser &lt;ralph.sennhauser@gmail.com&gt;
Fixes: c83ed4c9dbb35 ("ubifs: Abort readdir upon error")
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>btrfs: fix races on root_log_ctx lists</title>
<updated>2017-02-23T03:54:23+00:00</updated>
<author>
<name>Chris Mason</name>
<email>clm@fb.com</email>
</author>
<published>2016-10-27T17:42:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f86f1bbd61797f5f26d66382776e0e727c7f9ae3'/>
<id>f86f1bbd61797f5f26d66382776e0e727c7f9ae3</id>
<content type='text'>
commit 570dd45042a7c8a7aba1ee029c5dd0f5ccf41b9b upstream.

btrfs_remove_all_log_ctxs takes a shortcut where it avoids walking the
list because it knows all of the waiters are patiently waiting for the
commit to finish.

But, there's a small race where btrfs_sync_log can remove itself from
the list if it finds a log commit is already done.  Also, it uses
list_del_init() to remove itself from the list, but there's no way to
know if btrfs_remove_all_log_ctxs has already run, so we don't know for
sure if it is safe to call list_del_init().

This gets rid of all the shortcuts for btrfs_remove_all_log_ctxs(), and
just calls it with the proper locking.

This is part two of the corruption fixed by cbd60aa7cd1.  I should have
done this in the first place, but convinced myself the optimizations were
safe.  A 12 hour run of dbench 2048 will eventually trigger a list debug
WARN_ON for the list_del_init() in btrfs_sync_log().

Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
Reported-by: Dave Jones &lt;davej@codemonkey.org.uk&gt;
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 570dd45042a7c8a7aba1ee029c5dd0f5ccf41b9b upstream.

btrfs_remove_all_log_ctxs takes a shortcut where it avoids walking the
list because it knows all of the waiters are patiently waiting for the
commit to finish.

But, there's a small race where btrfs_sync_log can remove itself from
the list if it finds a log commit is already done.  Also, it uses
list_del_init() to remove itself from the list, but there's no way to
know if btrfs_remove_all_log_ctxs has already run, so we don't know for
sure if it is safe to call list_del_init().

This gets rid of all the shortcuts for btrfs_remove_all_log_ctxs(), and
just calls it with the proper locking.

This is part two of the corruption fixed by cbd60aa7cd1.  I should have
done this in the first place, but convinced myself the optimizations were
safe.  A 12 hour run of dbench 2048 will eventually trigger a list debug
WARN_ON for the list_del_init() in btrfs_sync_log().

Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
Reported-by: Dave Jones &lt;davej@codemonkey.org.uk&gt;
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
