--- /dev/null
+From 9ccc705801bc2f262e89bf3de5aa31aef2eb46e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 14:46:12 -0700
+Subject: btrfs: fix error handling when submitting direct I/O bio
+
+From: Omar Sandoval <osandov@fb.com>
+
+[ Upstream commit 6d3113a193e3385c72240096fe397618ecab6e43 ]
+
+In btrfs_submit_direct_hook(), if a direct I/O write doesn't span a RAID
+stripe or chunk, we submit orig_bio without cloning it. In this case, we
+don't increment pending_bios. Then, if btrfs_submit_dio_bio() fails, we
+decrement pending_bios to -1, and we never complete orig_bio. Fix it by
+initializing pending_bios to 1 instead of incrementing later.
+
+Fixing this exposes another bug: we put orig_bio prematurely and then
+put it again from end_io. Fix it by not putting orig_bio.
+
+After this change, pending_bios is really more of a reference count, but
+I'll leave that cleanup separate to keep the fix small.
+
+Fixes: e65e15355429 ("btrfs: fix panic caused by direct IO")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index c69e5b255745..b4f295a058d8 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -8399,7 +8399,6 @@ static int btrfs_submit_direct_hook(struct btrfs_dio_private *dip)
+
+ /* bio split */
+ ASSERT(map_length <= INT_MAX);
+- atomic_inc(&dip->pending_bios);
+ do {
+ clone_len = min_t(int, submit_len, map_length);
+
+@@ -8450,7 +8449,8 @@ static int btrfs_submit_direct_hook(struct btrfs_dio_private *dip)
+ if (!status)
+ return 0;
+
+- bio_put(bio);
++ if (bio != orig_bio)
++ bio_put(bio);
+ out_err:
+ dip->errors = 1;
+ /*
+@@ -8491,7 +8491,7 @@ static void btrfs_submit_direct(struct bio *dio_bio, struct inode *inode,
+ bio->bi_private = dip;
+ dip->orig_bio = bio;
+ dip->dio_bio = dio_bio;
+- atomic_set(&dip->pending_bios, 0);
++ atomic_set(&dip->pending_bios, 1);
+ io_bio = btrfs_io_bio(bio);
+ io_bio->logical = file_offset;
+
+--
+2.25.1
+
--- /dev/null
+From 2f7b3982d2df901d339da4ec4504f1a2e56388b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 May 2020 11:15:53 +0100
+Subject: btrfs: fix wrong file range cleanup after an error filling dealloc
+ range
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e2c8e92d1140754073ad3799eb6620c76bab2078 ]
+
+If an error happens while running dellaloc in COW mode for a range, we can
+end up calling extent_clear_unlock_delalloc() for a range that goes beyond
+our range's end offset by 1 byte, which affects 1 extra page. This results
+in clearing bits and doing page operations (such as a page unlock) outside
+our target range.
+
+Fix that by calling extent_clear_unlock_delalloc() with an inclusive end
+offset, instead of an exclusive end offset, at cow_file_range().
+
+Fixes: a315e68f6e8b30 ("Btrfs: fix invalid attempt to free reserved space on failure to cow range")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index b4f295a058d8..887f9ebc2bc2 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1136,8 +1136,8 @@ static noinline int cow_file_range(struct inode *inode,
+ */
+ if (extent_reserved) {
+ extent_clear_unlock_delalloc(inode, start,
+- start + cur_alloc_size,
+- start + cur_alloc_size,
++ start + cur_alloc_size - 1,
++ start + cur_alloc_size - 1,
+ locked_page,
+ clear_bits,
+ page_ops);
+--
+2.25.1
+
--- /dev/null
+From 1698279f5a9fb1064b76be3377a4305178aa4072 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jun 2020 17:08:21 +0200
+Subject: ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 6cc7c266e5b47d3cd2b5bb7fd3aac4e6bb2dd1d2 ]
+
+If the template field 'd' is chosen and the digest to be added to the
+measurement entry was not calculated with SHA1 or MD5, it is
+recalculated with SHA1, by using the passed file descriptor. However, this
+cannot be done for boot_aggregate, because there is no file descriptor.
+
+This patch adds a call to ima_calc_boot_aggregate() in
+ima_eventdigest_init(), so that the digest can be recalculated also for the
+boot_aggregate entry.
+
+Cc: stable@vger.kernel.org # 3.13.x
+Fixes: 3ce1217d6cd5d ("ima: define template fields library and new helpers")
+Reported-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima.h | 3 ++-
+ security/integrity/ima/ima_crypto.c | 6 +++---
+ security/integrity/ima/ima_init.c | 2 +-
+ security/integrity/ima/ima_template_lib.c | 18 ++++++++++++++++++
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
+index e7dfd460fe1d..d12b07eb3a58 100644
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -56,6 +56,7 @@ extern int ima_policy_flag;
+ extern int ima_hash_algo;
+ extern int ima_appraise;
+ extern struct tpm_chip *ima_tpm_chip;
++extern const char boot_aggregate_name[];
+
+ /* IMA event related data */
+ struct ima_event_data {
+@@ -139,7 +140,7 @@ int ima_calc_buffer_hash(const void *buf, loff_t len,
+ int ima_calc_field_array_hash(struct ima_field_data *field_data,
+ struct ima_template_desc *desc, int num_fields,
+ struct ima_digest_data *hash);
+-int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
++int ima_calc_boot_aggregate(struct ima_digest_data *hash);
+ void ima_add_violation(struct file *file, const unsigned char *filename,
+ struct integrity_iint_cache *iint,
+ const char *op, const char *cause);
+diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
+index 6a6d19ada66a..c5dd05ace28c 100644
+--- a/security/integrity/ima/ima_crypto.c
++++ b/security/integrity/ima/ima_crypto.c
+@@ -663,8 +663,8 @@ static void __init ima_pcrread(int idx, u8 *pcr)
+ /*
+ * Calculate the boot aggregate hash
+ */
+-static int __init ima_calc_boot_aggregate_tfm(char *digest,
+- struct crypto_shash *tfm)
++static int ima_calc_boot_aggregate_tfm(char *digest,
++ struct crypto_shash *tfm)
+ {
+ u8 pcr_i[TPM_DIGEST_SIZE];
+ int rc, i;
+@@ -688,7 +688,7 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
+ return rc;
+ }
+
+-int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
++int ima_calc_boot_aggregate(struct ima_digest_data *hash)
+ {
+ struct crypto_shash *tfm;
+ int rc;
+diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
+index faac9ecaa0ae..a2bc4cb4482a 100644
+--- a/security/integrity/ima/ima_init.c
++++ b/security/integrity/ima/ima_init.c
+@@ -25,7 +25,7 @@
+ #include "ima.h"
+
+ /* name for boot aggregate entry */
+-static const char *boot_aggregate_name = "boot_aggregate";
++const char boot_aggregate_name[] = "boot_aggregate";
+ struct tpm_chip *ima_tpm_chip;
+
+ /* Add the boot aggregate to the IMA measurement list and extend
+diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
+index 43752002c222..48c5a1be88ac 100644
+--- a/security/integrity/ima/ima_template_lib.c
++++ b/security/integrity/ima/ima_template_lib.c
+@@ -284,6 +284,24 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
+ goto out;
+ }
+
++ if ((const char *)event_data->filename == boot_aggregate_name) {
++ if (ima_tpm_chip) {
++ hash.hdr.algo = HASH_ALGO_SHA1;
++ result = ima_calc_boot_aggregate(&hash.hdr);
++
++ /* algo can change depending on available PCR banks */
++ if (!result && hash.hdr.algo != HASH_ALGO_SHA1)
++ result = -EINVAL;
++
++ if (result < 0)
++ memset(&hash, 0, sizeof(hash));
++ }
++
++ cur_digest = hash.hdr.digest;
++ cur_digestsize = hash_digest_size[HASH_ALGO_SHA1];
++ goto out;
++ }
++
+ if (!event_data->file) /* missing info to re-calculate the digest */
+ return -EINVAL;
+
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
