--- /dev/null
+From d0ffb805b729322626639336986bc83fc2e60871 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin (Intel)" <hpa@zytor.com>
+Date: Mon, 22 Oct 2018 09:19:05 -0700
+Subject: arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
+
+From: H. Peter Anvin (Intel) <hpa@zytor.com>
+
+commit d0ffb805b729322626639336986bc83fc2e60871 upstream.
+
+Alpha has had c_ispeed and c_ospeed, but still set speeds in c_cflags
+using arbitrary flags. Because BOTHER is not defined, the general
+Linux code doesn't allow setting arbitrary baud rates, and because
+CBAUDEX == 0, we can have an array overrun of the baud_rate[] table in
+drivers/tty/tty_baudrate.c if (c_cflags & CBAUD) == 037.
+
+Resolve both problems by #defining BOTHER to 037 on Alpha.
+
+However, userspace still needs to know if setting BOTHER is actually
+safe given legacy kernels (does anyone actually care about that on
+Alpha anymore?), so enable the TCGETS2/TCSETS*2 ioctls on Alpha, even
+though they use the same structure. Define struct termios2 just for
+compatibility; it is the exact same structure as struct termios. In a
+future patchset, this will be cleaned up so the uapi headers are
+usable from libc.
+
+Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Eugene Syromiatnikov <esyr@redhat.com>
+Cc: <linux-alpha@vger.kernel.org>
+Cc: <linux-serial@vger.kernel.org>
+Cc: Johan Hovold <johan@kernel.org>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/termios.h | 8 +++++++-
+ arch/alpha/include/uapi/asm/ioctls.h | 5 +++++
+ arch/alpha/include/uapi/asm/termbits.h | 17 +++++++++++++++++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+--- a/arch/alpha/include/asm/termios.h
++++ b/arch/alpha/include/asm/termios.h
+@@ -72,9 +72,15 @@
+ })
+
+ #define user_termios_to_kernel_termios(k, u) \
+- copy_from_user(k, u, sizeof(struct termios))
++ copy_from_user(k, u, sizeof(struct termios2))
+
+ #define kernel_termios_to_user_termios(u, k) \
++ copy_to_user(u, k, sizeof(struct termios2))
++
++#define user_termios_to_kernel_termios_1(k, u) \
++ copy_from_user(k, u, sizeof(struct termios))
++
++#define kernel_termios_to_user_termios_1(u, k) \
+ copy_to_user(u, k, sizeof(struct termios))
+
+ #endif /* _ALPHA_TERMIOS_H */
+--- a/arch/alpha/include/uapi/asm/ioctls.h
++++ b/arch/alpha/include/uapi/asm/ioctls.h
+@@ -31,6 +31,11 @@
+ #define TCXONC _IO('t', 30)
+ #define TCFLSH _IO('t', 31)
+
++#define TCGETS2 _IOR('T', 42, struct termios2)
++#define TCSETS2 _IOW('T', 43, struct termios2)
++#define TCSETSW2 _IOW('T', 44, struct termios2)
++#define TCSETSF2 _IOW('T', 45, struct termios2)
++
+ #define TIOCSWINSZ _IOW('t', 103, struct winsize)
+ #define TIOCGWINSZ _IOR('t', 104, struct winsize)
+ #define TIOCSTART _IO('t', 110) /* start output, like ^Q */
+--- a/arch/alpha/include/uapi/asm/termbits.h
++++ b/arch/alpha/include/uapi/asm/termbits.h
+@@ -25,6 +25,19 @@ struct termios {
+ speed_t c_ospeed; /* output speed */
+ };
+
++/* Alpha has identical termios and termios2 */
++
++struct termios2 {
++ tcflag_t c_iflag; /* input mode flags */
++ tcflag_t c_oflag; /* output mode flags */
++ tcflag_t c_cflag; /* control mode flags */
++ tcflag_t c_lflag; /* local mode flags */
++ cc_t c_cc[NCCS]; /* control characters */
++ cc_t c_line; /* line discipline (== c_cc[19]) */
++ speed_t c_ispeed; /* input speed */
++ speed_t c_ospeed; /* output speed */
++};
++
+ /* Alpha has matching termios and ktermios */
+
+ struct ktermios {
+@@ -147,6 +160,7 @@ struct ktermios {
+ #define B3000000 00034
+ #define B3500000 00035
+ #define B4000000 00036
++#define BOTHER 00037
+
+ #define CSIZE 00001400
+ #define CS5 00000000
+@@ -164,6 +178,9 @@ struct ktermios {
+ #define CMSPAR 010000000000 /* mark or space (stick) parity */
+ #define CRTSCTS 020000000000 /* flow control */
+
++#define CIBAUD 07600000
++#define IBSHIFT 16
++
+ /* c_lflag bits */
+ #define ISIG 0x00000080
+ #define ICANON 0x00000100
--- /dev/null
+From 1823342a1f2b47a4e6f5667f67cd28ab6bc4d6cd Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sun, 1 Jul 2018 13:56:54 -0700
+Subject: configfs: replace strncpy with memcpy
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 1823342a1f2b47a4e6f5667f67cd28ab6bc4d6cd upstream.
+
+gcc 8.1.0 complains:
+
+fs/configfs/symlink.c:67:3: warning:
+ 'strncpy' output truncated before terminating nul copying as many
+ bytes from a string as its length
+fs/configfs/symlink.c: In function 'configfs_get_link':
+fs/configfs/symlink.c:63:13: note: length computed here
+
+Using strncpy() is indeed less than perfect since the length of data to
+be copied has already been determined with strlen(). Replace strncpy()
+with memcpy() to address the warning and optimize the code a little.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu@cybertrust.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/configfs/symlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/configfs/symlink.c
++++ b/fs/configfs/symlink.c
+@@ -64,7 +64,7 @@ static void fill_item_path(struct config
+
+ /* back up enough to print this bus id with '/' */
+ length -= cur;
+- strncpy(buffer + length,config_item_name(p),cur);
++ memcpy(buffer + length, config_item_name(p), cur);
+ *(buffer + --length) = '/';
+ }
+ }
--- /dev/null
+From 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 16:50:08 -0400
+Subject: ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 upstream.
+
+Fixes: 01f795f9e0d6 ("ext4: add online resizing support for meta_bg ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -899,6 +899,7 @@ static int add_new_gdb_meta_bg(struct su
+ sizeof(struct buffer_head *),
+ GFP_NOFS);
+ if (!n_group_desc) {
++ brelse(gdb_bh);
+ err = -ENOMEM;
+ ext4_warning(sb, "not enough memory for %lu groups",
+ gdb_num + 1);
+@@ -914,8 +915,6 @@ static int add_new_gdb_meta_bg(struct su
+ ext4_kvfree(o_group_desc);
+ BUFFER_TRACE(gdb_bh, "get_write_access");
+ err = ext4_journal_get_write_access(handle, gdb_bh);
+- if (unlikely(err))
+- brelse(gdb_bh);
+ return err;
+ }
+
--- /dev/null
+From cea5794122125bf67559906a0762186cf417099c Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 16:22:10 -0400
+Subject: ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit cea5794122125bf67559906a0762186cf417099c upstream.
+
+Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
+Cc: stable@kernel.org # 3.3
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -429,16 +429,18 @@ static int set_flexbg_block_bitmap(struc
+
+ BUFFER_TRACE(bh, "get_write_access");
+ err = ext4_journal_get_write_access(handle, bh);
+- if (err)
++ if (err) {
++ brelse(bh);
+ return err;
++ }
+ ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
+ block - start, count2);
+ ext4_set_bits(bh->b_data, block - start, count2);
+
+ err = ext4_handle_dirty_metadata(handle, NULL, bh);
++ brelse(bh);
+ if (unlikely(err))
+ return err;
+- brelse(bh);
+ }
+
+ return 0;
--- /dev/null
+From ea0abbb648452cdb6e1734b702b6330a7448fcf8 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 17:11:19 -0400
+Subject: ext4: add missing brelse() update_backups()'s error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit ea0abbb648452cdb6e1734b702b6330a7448fcf8 upstream.
+
+Fixes: ac27a0ec112a ("ext4: initial copy of files from ext3")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.19
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1095,8 +1095,10 @@ static void update_backups(struct super_
+ backup_block, backup_block -
+ ext4_group_first_block_no(sb, group));
+ BUFFER_TRACE(bh, "get_write_access");
+- if ((err = ext4_journal_get_write_access(handle, bh)))
++ if ((err = ext4_journal_get_write_access(handle, bh))) {
++ brelse(bh);
+ break;
++ }
+ lock_buffer(bh);
+ memcpy(bh->b_data, data, size);
+ if (rest)
--- /dev/null
+From feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 6 Nov 2018 17:01:36 -0500
+Subject: ext4: avoid buffer leak in ext4_orphan_add() after prior errors
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 upstream.
+
+Fixes: d745a8c20c1f ("ext4: reduce contention on s_orphan_lock")
+Fixes: 6e3617e579e0 ("ext4: Handle non empty on-disk orphan link")
+Cc: Dmitry Monakhov <dmonakhov@gmail.com>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.34
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2604,7 +2604,9 @@ int ext4_orphan_add(handle_t *handle, st
+ list_del_init(&EXT4_I(inode)->i_orphan);
+ mutex_unlock(&sbi->s_orphan_lock);
+ }
+- }
++ } else
++ brelse(iloc.bh);
++
+ jbd_debug(4, "superblock will point to %lu\n", inode->i_ino);
+ jbd_debug(4, "orphan inode %lu will point to %d\n",
+ inode->i_ino, NEXT_ORPHAN(inode));
--- /dev/null
+From 4f32c38b4662312dd3c5f113d8bdd459887fb773 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 6 Nov 2018 17:18:17 -0500
+Subject: ext4: avoid possible double brelse() in add_new_gdb() on error path
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 4f32c38b4662312dd3c5f113d8bdd459887fb773 upstream.
+
+Fixes: b40971426a83 ("ext4: add error checking to calls to ...")
+Reported-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.38
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -844,6 +844,7 @@ static int add_new_gdb(handle_t *handle,
+ err = ext4_handle_dirty_metadata(handle, NULL, gdb_bh);
+ if (unlikely(err)) {
+ ext4_std_error(sb, err);
++ iloc.bh = NULL;
+ goto exit_inode;
+ }
+ brelse(dind);
--- /dev/null
+From 9e4028935cca3f9ef9b6a90df9da6f1f94853536 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 3 Nov 2018 16:13:17 -0400
+Subject: ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 9e4028935cca3f9ef9b6a90df9da6f1f94853536 upstream.
+
+Currently bh is set to NULL only during first iteration of for cycle,
+then this pointer is not cleared after end of using.
+Therefore rollback after errors can lead to extra brelse(bh) call,
+decrements bh counter and later trigger an unexpected warning in __brelse()
+
+Patch moves brelse() calls in body of cycle to exclude requirement of
+brelse() call in rollback.
+
+Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -577,7 +577,6 @@ handle_bb:
+ bh = bclean(handle, sb, block);
+ if (IS_ERR(bh)) {
+ err = PTR_ERR(bh);
+- bh = NULL;
+ goto out;
+ }
+ overhead = ext4_group_overhead_blocks(sb, group);
+@@ -589,9 +588,9 @@ handle_bb:
+ ext4_mark_bitmap_end(group_data[i].blocks_count,
+ sb->s_blocksize * 8, bh->b_data);
+ err = ext4_handle_dirty_metadata(handle, NULL, bh);
++ brelse(bh);
+ if (err)
+ goto out;
+- brelse(bh);
+
+ handle_ib:
+ if (bg_flags[i] & EXT4_BG_INODE_UNINIT)
+@@ -606,18 +605,16 @@ handle_ib:
+ bh = bclean(handle, sb, block);
+ if (IS_ERR(bh)) {
+ err = PTR_ERR(bh);
+- bh = NULL;
+ goto out;
+ }
+
+ ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
+ sb->s_blocksize * 8, bh->b_data);
+ err = ext4_handle_dirty_metadata(handle, NULL, bh);
++ brelse(bh);
+ if (err)
+ goto out;
+- brelse(bh);
+ }
+- bh = NULL;
+
+ /* Mark group tables in block bitmap */
+ for (j = 0; j < GROUP_TABLE_COUNT; j++) {
+@@ -648,7 +645,6 @@ handle_ib:
+ }
+
+ out:
+- brelse(bh);
+ err2 = ext4_journal_stop(handle);
+ if (err2 && !err)
+ err = err2;
--- /dev/null
+From de59fae0043f07de5d25e02ca360f7d57bfa5866 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 22:36:23 -0500
+Subject: ext4: fix buffer leak in __ext4_read_dirblock() on error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit de59fae0043f07de5d25e02ca360f7d57bfa5866 upstream.
+
+Fixes: dc6982ff4db1 ("ext4: refactor code to read directory blocks ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.9
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -122,6 +122,7 @@ static struct buffer_head *__ext4_read_d
+ if (!is_dx_block && type == INDEX) {
+ ext4_error_inode(inode, __func__, line, block,
+ "directory leaf block found instead of index block");
++ brelse(bh);
+ return ERR_PTR(-EIO);
+ }
+ if (!ext4_has_metadata_csum(inode->i_sb) ||
--- /dev/null
+From 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 11:10:21 -0500
+Subject: ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f upstream.
+
+Fixes: 3f2571c1f91f ("ext4: factor out xattr moving")
+Fixes: 6dd4ee7cab7e ("ext4: Expand extra_inodes space per ...")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.23
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1489,6 +1489,8 @@ cleanup:
+ kfree(buffer);
+ if (is)
+ brelse(is->iloc.bh);
++ if (bs)
++ brelse(bs->bh);
+ kfree(is);
+ kfree(bs);
+ brelse(bh);
--- /dev/null
+From f348e2241fb73515d65b5d77dd9c174128a7fbf2 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 6 Nov 2018 16:16:01 -0500
+Subject: ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit f348e2241fb73515d65b5d77dd9c174128a7fbf2 upstream.
+
+Fixes: 117fff10d7f1 ("ext4: grow the s_flex_groups array as needed ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1992,7 +1992,7 @@ retry:
+
+ err = ext4_alloc_flex_bg_array(sb, n_group + 1);
+ if (err)
+- return err;
++ goto out;
+
+ err = ext4_mb_alloc_groupinfo(sb, n_group + 1);
+ if (err)
--- /dev/null
+From db6aee62406d9fbb53315fcddd81f1dc271d49fa Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Tue, 6 Nov 2018 16:20:40 -0500
+Subject: ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit db6aee62406d9fbb53315fcddd81f1dc271d49fa upstream.
+
+Fixes: 1c6bd7173d66 ("ext4: convert file system to meta_bg if needed ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.7
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -2028,6 +2028,10 @@ retry:
+ n_blocks_count_retry = 0;
+ free_flex_gd(flex_gd);
+ flex_gd = NULL;
++ if (resize_inode) {
++ iput(resize_inode);
++ resize_inode = NULL;
++ }
+ goto retry;
+ }
+
--- /dev/null
+From 9e463084cdb22e0b56b2dfbc50461020409a5fd3 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 7 Nov 2018 10:32:53 -0500
+Subject: ext4: fix possible leak of sbi->s_group_desc_leak in error path
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 9e463084cdb22e0b56b2dfbc50461020409a5fd3 upstream.
+
+Fixes: bfe0a5f47ada ("ext4: add more mount time checks of the superblock")
+Reported-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 4.18
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3976,6 +3976,14 @@ static int ext4_fill_super(struct super_
+ sbi->s_groups_count = blocks_count;
+ sbi->s_blockfile_groups = min_t(ext4_group_t, sbi->s_groups_count,
+ (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
++ le32_to_cpu(es->s_inodes_count)) {
++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
++ le32_to_cpu(es->s_inodes_count),
++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
++ ret = -EINVAL;
++ goto failed_mount;
++ }
+ db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+ EXT4_DESC_PER_BLOCK(sb);
+ if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_META_BG)) {
+@@ -3995,14 +4003,6 @@ static int ext4_fill_super(struct super_
+ ret = -ENOMEM;
+ goto failed_mount;
+ }
+- if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
+- le32_to_cpu(es->s_inodes_count)) {
+- ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
+- le32_to_cpu(es->s_inodes_count),
+- ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
+- ret = -EINVAL;
+- goto failed_mount;
+- }
+
+ if (ext4_proc_root)
+ sbi->s_proc = proc_mkdir(sb->s_id, ext4_proc_root);
--- /dev/null
+From 45ae932d246f721e6584430017176cbcadfde610 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 7 Nov 2018 11:07:01 -0500
+Subject: ext4: release bs.bh before re-using in ext4_xattr_block_find()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 45ae932d246f721e6584430017176cbcadfde610 upstream.
+
+bs.bh was taken in previous ext4_xattr_block_find() call,
+it should be released before re-using
+
+Fixes: 7e01c8e5420b ("ext3/4: fix uninitialized bs in ...")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 2.6.26
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1162,6 +1162,8 @@ ext4_xattr_set_handle(handle_t *handle,
+ error = ext4_xattr_block_set(handle, inode, &i, &bs);
+ } else if (error == -ENOSPC) {
+ if (EXT4_I(inode)->i_file_acl && !bs.s.base) {
++ brelse(bs.bh);
++ bs.bh = NULL;
+ error = ext4_xattr_block_find(inode, &i, &bs);
+ if (error)
+ goto cleanup;
--- /dev/null
+From 7fabaf303458fcabb694999d6fa772cc13d4e217 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 9 Nov 2018 15:52:16 +0100
+Subject: fuse: fix leaked notify reply
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 7fabaf303458fcabb694999d6fa772cc13d4e217 upstream.
+
+fuse_request_send_notify_reply() may fail if the connection was reset for
+some reason (e.g. fs was unmounted). Don't leak request reference in this
+case. Besides leaking memory, this resulted in fc->num_waiting not being
+decremented and hence fuse_wait_aborted() left in a hanging and unkillable
+state.
+
+Fixes: 2d45ba381a74 ("fuse: add retrieve request")
+Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
+Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c37b@syzkaller.appspotmail.com
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Cc: <stable@vger.kernel.org> #v2.6.36
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1675,8 +1675,10 @@ static int fuse_retrieve(struct fuse_con
+ req->in.args[1].size = total_len;
+
+ err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
+- if (err)
++ if (err) {
+ fuse_retrieve_end(fc, req);
++ fuse_put_request(fc, req);
++ }
+
+ return err;
+ }
--- /dev/null
+From 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 16 Nov 2018 15:08:04 -0800
+Subject: hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf upstream.
+
+This bug has been experienced several times by the Oracle DB team. The
+BUG is in remove_inode_hugepages() as follows:
+
+ /*
+ * If page is mapped, it was faulted in after being
+ * unmapped in caller. Unmap (again) now after taking
+ * the fault mutex. The mutex will prevent faults
+ * until we finish removing the page.
+ *
+ * This race can only happen in the hole punch case.
+ * Getting here in a truncate operation is a bug.
+ */
+ if (unlikely(page_mapped(page))) {
+ BUG_ON(truncate_op);
+
+In this case, the elevated map count is not the result of a race.
+Rather it was incorrectly incremented as the result of a bug in the huge
+pmd sharing code. Consider the following:
+
+ - Process A maps a hugetlbfs file of sufficient size and alignment
+ (PUD_SIZE) that a pmd page could be shared.
+
+ - Process B maps the same hugetlbfs file with the same size and
+ alignment such that a pmd page is shared.
+
+ - Process B then calls mprotect() to change protections for the mapping
+ with the shared pmd. As a result, the pmd is 'unshared'.
+
+ - Process B then calls mprotect() again to chage protections for the
+ mapping back to their original value. pmd remains unshared.
+
+ - Process B then forks and process C is created. During the fork
+ process, we do dup_mm -> dup_mmap -> copy_page_range to copy page
+ tables. Copying page tables for hugetlb mappings is done in the
+ routine copy_hugetlb_page_range.
+
+In copy_hugetlb_page_range(), the destination pte is obtained by:
+
+ dst_pte = huge_pte_alloc(dst, addr, sz);
+
+If pmd sharing is possible, the returned pointer will be to a pte in an
+existing page table. In the situation above, process C could share with
+either process A or process B. Since process A is first in the list,
+the returned pte is a pointer to a pte in process A's page table.
+
+However, the check for pmd sharing in copy_hugetlb_page_range is:
+
+ /* If the pagetables are shared don't copy or take references */
+ if (dst_pte == src_pte)
+ continue;
+
+Since process C is sharing with process A instead of process B, the
+above test fails. The code in copy_hugetlb_page_range which follows
+assumes dst_pte points to a huge_pte_none pte. It copies the pte entry
+from src_pte to dst_pte and increments this map count of the associated
+page. This is how we end up with an elevated map count.
+
+To solve, check the dst_pte entry for huge_pte_none. If !none, this
+implies PMD sharing so do not copy.
+
+Link: http://lkml.kernel.org/r/20181105212315.14125-1-mike.kravetz@oracle.com
+Fixes: c5c99429fa57 ("fix hugepages leak due to pagetable page sharing")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2576,7 +2576,7 @@ static int is_hugetlb_entry_hwpoisoned(p
+ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
+ struct vm_area_struct *vma)
+ {
+- pte_t *src_pte, *dst_pte, entry;
++ pte_t *src_pte, *dst_pte, entry, dst_entry;
+ struct page *ptepage;
+ unsigned long addr;
+ int cow;
+@@ -2604,15 +2604,30 @@ int copy_hugetlb_page_range(struct mm_st
+ break;
+ }
+
+- /* If the pagetables are shared don't copy or take references */
+- if (dst_pte == src_pte)
++ /*
++ * If the pagetables are shared don't copy or take references.
++ * dst_pte == src_pte is the common case of src/dest sharing.
++ *
++ * However, src could have 'unshared' and dst shares with
++ * another vma. If dst_pte !none, this implies sharing.
++ * Check here before taking page table lock, and once again
++ * after taking the lock below.
++ */
++ dst_entry = huge_ptep_get(dst_pte);
++ if ((dst_pte == src_pte) || !huge_pte_none(dst_entry))
+ continue;
+
+ dst_ptl = huge_pte_lock(h, dst, dst_pte);
+ src_ptl = huge_pte_lockptr(h, src, src_pte);
+ spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
+ entry = huge_ptep_get(src_pte);
+- if (huge_pte_none(entry)) { /* skip none entry */
++ dst_entry = huge_ptep_get(dst_pte);
++ if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) {
++ /*
++ * Skip if src entry none. Also, skip in the
++ * unlikely case dst entry !none as this implies
++ * sharing with another vma.
++ */
+ ;
+ } else if (unlikely(is_hugetlb_entry_migration(entry) ||
+ is_hugetlb_entry_hwpoisoned(entry))) {
--- /dev/null
+From df7342b240185d58d3d9665c0bbf0a0f5570ec29 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 25 Oct 2018 09:04:18 -0500
+Subject: mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit df7342b240185d58d3d9665c0bbf0a0f5570ec29 upstream.
+
+Jonathan Calmels from NVIDIA reported that he's able to bypass the
+mount visibility security check in place in the Linux kernel by using
+a combination of the unbindable property along with the private mount
+propagation option to allow a unprivileged user to see a path which
+was purposefully hidden by the root user.
+
+Reproducer:
+ # Hide a path to all users using a tmpfs
+ root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
+ root@castiana:~#
+
+ # As an unprivileged user, unshare user namespace and mount namespace
+ stgraber@castiana:~$ unshare -U -m -r
+
+ # Confirm the path is still not accessible
+ root@castiana:~# ls /sys/devices/
+
+ # Make /sys recursively unbindable and private
+ root@castiana:~# mount --make-runbindable /sys
+ root@castiana:~# mount --make-private /sys
+
+ # Recursively bind-mount the rest of /sys over to /mnnt
+ root@castiana:~# mount --rbind /sys/ /mnt
+
+ # Access our hidden /sys/device as an unprivileged user
+ root@castiana:~# ls /mnt/devices/
+ breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
+ LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
+ tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
+
+Solve this by teaching copy_tree to fail if a mount turns out to be
+both unbindable and locked.
+
+Cc: stable@vger.kernel.org
+Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
+Reported-by: Jonathan Calmels <jcalmels@nvidia.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1661,8 +1661,14 @@ struct mount *copy_tree(struct mount *mn
+ struct mount *t = NULL;
+ if (!(flag & CL_COPY_UNBINDABLE) &&
+ IS_MNT_UNBINDABLE(s)) {
+- s = skip_mnt_tree(s);
+- continue;
++ if (s->mnt.mnt_flags & MNT_LOCKED) {
++ /* Both unbindable and locked. */
++ q = ERR_PTR(-EPERM);
++ goto out;
++ } else {
++ s = skip_mnt_tree(s);
++ continue;
++ }
+ }
+ if (!(flag & CL_COPY_MNT_NS_FILE) &&
+ is_mnt_ns_file(s->mnt.mnt_root)) {
--- /dev/null
+From 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 25 Oct 2018 12:05:11 -0500
+Subject: mount: Prevent MNT_DETACH from disconnecting locked mounts
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 upstream.
+
+Timothy Baldwin <timbaldwin@fastmail.co.uk> wrote:
+> As per mount_namespaces(7) unprivileged users should not be able to look under mount points:
+>
+> Mounts that come as a single unit from more privileged mount are locked
+> together and may not be separated in a less privileged mount namespace.
+>
+> However they can:
+>
+> 1. Create a mount namespace.
+> 2. In the mount namespace open a file descriptor to the parent of a mount point.
+> 3. Destroy the mount namespace.
+> 4. Use the file descriptor to look under the mount point.
+>
+> I have reproduced this with Linux 4.16.18 and Linux 4.18-rc8.
+>
+> The setup:
+>
+> $ sudo sysctl kernel.unprivileged_userns_clone=1
+> kernel.unprivileged_userns_clone = 1
+> $ mkdir -p A/B/Secret
+> $ sudo mount -t tmpfs hide A/B
+>
+>
+> "Secret" is indeed hidden as expected:
+>
+> $ ls -lR A
+> A:
+> total 0
+> drwxrwxrwt 2 root root 40 Feb 12 21:08 B
+>
+> A/B:
+> total 0
+>
+>
+> The attack revealing "Secret":
+>
+> $ unshare -Umr sh -c "exec unshare -m ls -lR /proc/self/fd/4/ 4<A"
+> /proc/self/fd/4/:
+> total 0
+> drwxr-xr-x 3 root root 60 Feb 12 21:08 B
+>
+> /proc/self/fd/4/B:
+> total 0
+> drwxr-xr-x 2 root root 40 Feb 12 21:08 Secret
+>
+> /proc/self/fd/4/B/Secret:
+> total 0
+
+I tracked this down to put_mnt_ns running passing UMOUNT_SYNC and
+disconnecting all of the mounts in a mount namespace. Fix this by
+factoring drop_mounts out of drop_collected_mounts and passing
+0 instead of UMOUNT_SYNC.
+
+There are two possible behavior differences that result from this.
+- No longer setting UMOUNT_SYNC will no longer set MNT_SYNC_UMOUNT on
+ the vfsmounts being unmounted. This effects the lazy rcu walk by
+ kicking the walk out of rcu mode and forcing it to be a non-lazy
+ walk.
+- No longer disconnecting locked mounts will keep some mounts around
+ longer as they stay because the are locked to other mounts.
+
+There are only two users of drop_collected mounts: audit_tree.c and
+put_mnt_ns.
+
+In audit_tree.c the mounts are private and there are no rcu lazy walks
+only calls to iterate_mounts. So the changes should have no effect
+except for a small timing effect as the connected mounts are disconnected.
+
+In put_mnt_ns there may be references from process outside the mount
+namespace to the mounts. So the mounts remaining connected will
+be the bug fix that is needed. That rcu walks are allowed to continue
+appears not to be a problem especially as the rcu walk change was about
+an implementation detail not about semantics.
+
+Cc: stable@vger.kernel.org
+Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
+Reported-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
+Tested-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1728,7 +1728,7 @@ void drop_collected_mounts(struct vfsmou
+ {
+ namespace_lock();
+ lock_mount_hash();
+- umount_tree(real_mount(mnt), UMOUNT_SYNC);
++ umount_tree(real_mount(mnt), 0);
+ unlock_mount_hash();
+ namespace_unlock();
+ }
--- /dev/null
+From 25d202ed820ee347edec0bf3bf553544556bf64b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 22 Oct 2018 10:21:38 -0500
+Subject: mount: Retest MNT_LOCKED in do_umount
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream.
+
+It was recently pointed out that the one instance of testing MNT_LOCKED
+outside of the namespace_sem is in ksys_umount.
+
+Fix that by adding a test inside of do_umount with namespace_sem and
+the mount_lock held. As it helps to fail fails the existing test is
+maintained with an additional comment pointing out that it may be racy
+because the locks are not held.
+
+Cc: stable@vger.kernel.org
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1478,8 +1478,13 @@ static int do_umount(struct mount *mnt,
+
+ namespace_lock();
+ lock_mount_hash();
+- event++;
+
++ /* Recheck MNT_LOCKED with the locks held */
++ retval = -EINVAL;
++ if (mnt->mnt.mnt_flags & MNT_LOCKED)
++ goto out;
++
++ event++;
+ if (flags & MNT_DETACH) {
+ if (!list_empty(&mnt->mnt_list))
+ umount_tree(mnt, UMOUNT_PROPAGATE);
+@@ -1493,6 +1498,7 @@ static int do_umount(struct mount *mnt,
+ retval = 0;
+ }
+ }
++out:
+ unlock_mount_hash();
+ namespace_unlock();
+ return retval;
+@@ -1571,7 +1577,7 @@ SYSCALL_DEFINE2(umount, char __user *, n
+ goto dput_and_out;
+ if (!check_mnt(mnt))
+ goto dput_and_out;
+- if (mnt->mnt.mnt_flags & MNT_LOCKED)
++ if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
+ goto dput_and_out;
+ retval = -EPERM;
+ if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
mach64-fix-image-corruption-due-to-reading-accelerator-registers.patch
ocfs2-fix-a-misuse-a-of-brelse-after-failing-ocfs2_check_dir_entry.patch
mtd-docg3-don-t-set-conflicting-bch_const_params-option.patch
+termios-tty-tty_baudrate.c-fix-buffer-overrun.patch
+arch-alpha-termios-implement-bother-ibshift-and-termios2.patch
+ext4-add-missing-brelse-update_backups-s-error-path.patch
+ext4-add-missing-brelse-in-set_flexbg_block_bitmap-s-error-path.patch
+ext4-add-missing-brelse-add_new_gdb_meta_bg-s-error-path.patch
+ext4-avoid-potential-extra-brelse-in-setup_new_flex_group_blocks.patch
+ext4-fix-possible-inode-leak-in-the-retry-loop-of-ext4_resize_fs.patch
+ext4-avoid-buffer-leak-in-ext4_orphan_add-after-prior-errors.patch
+ext4-fix-missing-cleanup-if-ext4_alloc_flex_bg_array-fails-while-resizing.patch
+ext4-avoid-possible-double-brelse-in-add_new_gdb-on-error-path.patch
+ext4-fix-possible-leak-of-sbi-s_group_desc_leak-in-error-path.patch
+ext4-release-bs.bh-before-re-using-in-ext4_xattr_block_find.patch
+ext4-fix-buffer-leak-in-ext4_xattr_move_to_block-on-error-path.patch
+ext4-fix-buffer-leak-in-__ext4_read_dirblock-on-error-path.patch
+mount-retest-mnt_locked-in-do_umount.patch
+mount-don-t-allow-copying-mnt_unbindable-mnt_locked-mounts.patch
+mount-prevent-mnt_detach-from-disconnecting-locked-mounts.patch
+sunrpc-correct-the-computation-for-page_ptr-when-truncating.patch
+fuse-fix-leaked-notify-reply.patch
+configfs-replace-strncpy-with-memcpy.patch
+hugetlbfs-fix-kernel-bug-at-fs-hugetlbfs-inode.c-444.patch
--- /dev/null
+From 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb Mon Sep 17 00:00:00 2001
+From: Frank Sorenson <sorenson@redhat.com>
+Date: Tue, 30 Oct 2018 15:10:40 -0500
+Subject: sunrpc: correct the computation for page_ptr when truncating
+
+From: Frank Sorenson <sorenson@redhat.com>
+
+commit 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb upstream.
+
+When truncating the encode buffer, the page_ptr is getting
+advanced, causing the next page to be skipped while encoding.
+The page is still included in the response, so the response
+contains a page of bogus data.
+
+We need to adjust the page_ptr backwards to ensure we encode
+the next page into the correct place.
+
+We saw this triggered when concurrent directory modifications caused
+nfsd4_encode_direct_fattr() to return nfserr_noent, and the resulting
+call to xdr_truncate_encode() corrupted the READDIR reply.
+
+Signed-off-by: Frank Sorenson <sorenson@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xdr.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/xdr.c
++++ b/net/sunrpc/xdr.c
+@@ -638,11 +638,10 @@ void xdr_truncate_encode(struct xdr_stre
+ /* xdr->iov should already be NULL */
+ return;
+ }
+- if (fraglen) {
++ if (fraglen)
+ xdr->end = head->iov_base + head->iov_len;
+- xdr->page_ptr--;
+- }
+ /* (otherwise assume xdr->end is already set) */
++ xdr->page_ptr--;
+ head->iov_len = len;
+ buf->len = len;
+ xdr->p = head->iov_base + head->iov_len;
--- /dev/null
+From 991a25194097006ec1e0d2e0814ff920e59e3465 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@zytor.com>
+Date: Mon, 22 Oct 2018 09:19:04 -0700
+Subject: termios, tty/tty_baudrate.c: fix buffer overrun
+
+From: H. Peter Anvin <hpa@zytor.com>
+
+commit 991a25194097006ec1e0d2e0814ff920e59e3465 upstream.
+
+On architectures with CBAUDEX == 0 (Alpha and PowerPC), the code in tty_baudrate.c does
+not do any limit checking on the tty_baudrate[] array, and in fact a
+buffer overrun is possible on both architectures. Add a limit check to
+prevent that situation.
+
+This will be followed by a much bigger cleanup/simplification patch.
+
+Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+Requested-by: Cc: Johan Hovold <johan@kernel.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Philippe Ombredanne <pombredanne@nexb.com>
+Cc: Eugene Syromiatnikov <esyr@redhat.com>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_ioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/tty_ioctl.c
++++ b/drivers/tty/tty_ioctl.c
+@@ -327,7 +327,7 @@ speed_t tty_termios_baud_rate(struct kte
+ else
+ cbaud += 15;
+ }
+- return baud_table[cbaud];
++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
+ }
+ EXPORT_SYMBOL(tty_termios_baud_rate);
+
+@@ -363,7 +363,7 @@ speed_t tty_termios_input_baud_rate(stru
+ else
+ cbaud += 15;
+ }
+- return baud_table[cbaud];
++ return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
+ #else
+ return tty_termios_baud_rate(termios);
+ #endif
projects / thirdparty / kernel / stable-queue.git / commitdiff
