3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Aug 2018 07:03:46 +0000 (09:03 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Aug 2018 07:03:46 +0000 (09:03 +0200)
added patches:
pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch

queue-3.18/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch [new file with mode: 0644]
queue-3.18/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch b/queue-3.18/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
new file mode 100644 (file)
index 0000000..af352d2
--- /dev/null
@@ -0,0 +1,48 @@
+From 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:31 -0500
+Subject: PCI: hotplug: Don't leak pci_slot on registration failure
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.
+
+If addition of sysfs files fails on registration of a hotplug slot, the
+struct pci_slot as well as the entry in the slot_list is leaked.  The
+issue has been present since the hotplug core was introduced in 2002:
+https://git.kernel.org/tglx/history/c/a8a2069f432c
+
+Perhaps the idea was that even though sysfs addition fails, the slot
+should still be usable.  But that's not how drivers use the interface,
+they abort probe if a non-zero value is returned.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v2.4.15+
+Cc: Greg Kroah-Hartman <greg@kroah.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pci_hotplug_core.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/pci/hotplug/pci_hotplug_core.c
++++ b/drivers/pci/hotplug/pci_hotplug_core.c
+@@ -457,8 +457,17 @@ int __pci_hp_register(struct hotplug_slo
+       list_add(&slot->slot_list, &pci_hotplug_slot_list);
+       result = fs_add_slot(pci_slot);
++      if (result)
++              goto err_list_del;
++
+       kobject_uevent(&pci_slot->kobj, KOBJ_ADD);
+       dbg("Added slot %s to the list\n", name);
++      goto out;
++
++err_list_del:
++      list_del(&slot->slot_list);
++      pci_slot->hotplug = NULL;
++      pci_destroy_slot(pci_slot);
+ out:
+       mutex_unlock(&pci_hp_mutex);
+       return result;
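Review bot: The new err_list_del path at the end of the hunk relies on fs_add_slot() having removed whatever sysfs files it created before it returned non-zero; if the 3.18 fs_add_slot() does not clean up after itself on partial failure, the matching removal (fs_remove_slot() or the per-file equivalent) belongs before pci_destroy_slot(), otherwise the partially populated kobject is torn down with stale attributes still registered. A short comment on the label would also make the ordering clear to the next reader, e.g. `/* Undo list_add() above and release pci_slot; KOBJ_ADD was never sent, so no KOBJ_REMOVE is needed */` — the clearing of `pci_slot->hotplug` before the destroy presumably mirrors the deregistration path, which is worth stating there too. __pci_hp_register() begins before the hunk, so where pci_slot is obtained and what reference pci_destroy_slot() drops is not visible here; confirm against the full function.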
diff --git a/queue-3.18/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch b/queue-3.18/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
new file mode 100644 (file)
index 0000000..4b4215a
--- /dev/null
@@ -0,0 +1,59 @@
+From a13f085d111e90469faf2d9965eb39b11c114d7e Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 21 Aug 2018 21:59:37 -0700
+Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval)
+
+From: Jann Horn <jannh@google.com>
+
+commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.
+
+This fixes the following issues:
+
+- When a buffer size is supplied to reiserfs_listxattr() such that each
+  individual name fits, but the concatenation of all names doesn't fit,
+  reiserfs_listxattr() overflows the supplied buffer.  This leads to a
+  kernel heap overflow (verified using KASAN) followed by an out-of-bounds
+  usercopy and is therefore a security bug.
+
+- When a buffer size is supplied to reiserfs_listxattr() such that a
+  name doesn't fit, -ERANGE should be returned.  But reiserfs instead just
+  truncates the list of names; I have verified that if the only xattr on a
+  file has a longer name than the supplied buffer length, listxattr()
+  incorrectly returns zero.
+
+With my patch applied, -ERANGE is returned in both cases and the memory
+corruption doesn't happen anymore.
+
+Credit for making me clean this code up a bit goes to Al Viro, who pointed
+out that the ->actor calling convention is suboptimal and should be
+changed.
+
+Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
+Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Cc: Eric Biggers <ebiggers@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/xattr.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -842,8 +842,10 @@ static int listxattr_filler(void *buf, c
+                       size = handler->list(b->dentry, b->buf + b->pos,
+                                        b->size, name, namelen,
+                                        handler->flags);
+-                      if (size > b->size)
++                      if (b->pos + size > b->size) {
++                              b->pos = -ERANGE;
+                               return -ERANGE;
++                      }
+               } else {
+                       size = handler->list(b->dentry, NULL, 0, name,
+                                            namelen, handler->flags);
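Review bot: The new bounds check `if (b->pos + size > b->size)` runs only after handler->list() has already been invoked with `b->buf + b->pos` as its destination and `b->size` — the total buffer length rather than the space remaining after pos — as its size argument, so a handler that bounds its copy by that argument can still write past the end of the buffer before the check rejects the entry. Passing the remaining room instead, `b->size - b->pos, name, namelen,` on the second line of the call, makes the callee's own limit match the real space, and the new check still yields -ERANGE for the truncated name provided the handler reports the full name length even when it does not copy. Whether the 3.18 handlers bound their copy by that argument is not visible in this hunk, so confirm against the reiserfs xattr handler implementations before relying on the check alone. listxattr_filler() starts and ends outside the hunk.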
index 6cb01961acb1043585834361a1cbb60caa98b593..78d9775e2f308ebff6927d67fdc82d7260342f1c 100644 (file)
@@ -53,3 +53,5 @@ staging-android-ion-check-for-kref-overflow.patch
 xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
 netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
 packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
+pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
+reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch