--- /dev/null
+From 8bc1379b82b8e809eef77a9fedbb75c6c297be19 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 23:41:59 -0400
+Subject: ext4: avoid running out of journal credits when appending to an inline file
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.
+
+Use a separate journal transaction if it turns out that we need to
+convert an inline file to use an data block. Otherwise we could end
+up failing due to not having journal credits.
+
+This addresses CVE-2018-10883.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200071
+
+Change-Id: Ifbe92e379f7a25fb252a2584356ccb91f902ea8f
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+[fengc@google.com: 4.4 and 4.9 backport: adjust context]
+Signed-off-by: Chenbo Feng <fengc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ext4.h | 3 ---
+ fs/ext4/inline.c | 38 +-------------------------------------
+ fs/ext4/xattr.c | 18 ++----------------
+ 3 files changed, 3 insertions(+), 56 deletions(-)
+
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 43e27d8ec770..567a6c7af677 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -3038,9 +3038,6 @@ extern struct buffer_head *ext4_get_first_inline_block(struct inode *inode,
+ extern int ext4_inline_data_fiemap(struct inode *inode,
+ struct fiemap_extent_info *fieinfo,
+ int *has_inline, __u64 start, __u64 len);
+-extern int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed);
+ extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
+
+ extern int ext4_convert_inline_data(struct inode *inode);
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index 211539a7adfc..6779a9f1de3b 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -889,11 +889,11 @@ int ext4_da_write_inline_data_begin(struct address_space *mapping,
+ flags |= AOP_FLAG_NOFS;
+
+ if (ret == -ENOSPC) {
++ ext4_journal_stop(handle);
+ ret = ext4_da_convert_inline_data_to_extent(mapping,
+ inode,
+ flags,
+ fsdata);
+- ext4_journal_stop(handle);
+ if (ret == -ENOSPC &&
+ ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry_journal;
+@@ -1865,42 +1865,6 @@ int ext4_inline_data_fiemap(struct inode *inode,
+ return (error < 0 ? error : 0);
+ }
+
+-/*
+- * Called during xattr set, and if we can sparse space 'needed',
+- * just create the extent tree evict the data to the outer block.
+- *
+- * We use jbd2 instead of page cache to move data to the 1st block
+- * so that the whole transaction can be committed as a whole and
+- * the data isn't lost because of the delayed page cache write.
+- */
+-int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed)
+-{
+- int error;
+- struct ext4_xattr_entry *entry;
+- struct ext4_inode *raw_inode;
+- struct ext4_iloc iloc;
+-
+- error = ext4_get_inode_loc(inode, &iloc);
+- if (error)
+- return error;
+-
+- raw_inode = ext4_raw_inode(&iloc);
+- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
+- EXT4_I(inode)->i_inline_off);
+- if (EXT4_XATTR_LEN(entry->e_name_len) +
+- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
+- error = -ENOSPC;
+- goto out;
+- }
+-
+- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
+-out:
+- brelse(iloc.bh);
+- return error;
+-}
+-
+ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ {
+ handle_t *handle;
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index c19c96840480..3b402c86565a 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1080,22 +1080,8 @@ int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode,
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+ error = ext4_xattr_set_entry(i, s);
+- if (error) {
+- if (error == -ENOSPC &&
+- ext4_has_inline_data(inode)) {
+- error = ext4_try_to_evict_inline_data(handle, inode,
+- EXT4_XATTR_LEN(strlen(i->name) +
+- EXT4_XATTR_SIZE(i->value_len)));
+- if (error)
+- return error;
+- error = ext4_xattr_ibody_find(inode, i, is);
+- if (error)
+- return error;
+- error = ext4_xattr_set_entry(i, s);
+- }
+- if (error)
+- return error;
+- }
++ if (error)
++ return error;
+ header = IHDR(inode, ext4_raw_inode(&is->iloc));
+ if (!IS_LAST_ENTRY(s->first)) {
+ header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
+--
+2.19.0.605.g01d371f741-goog
+
--- /dev/null
+From 08d9db00fe0e300d6df976e6c294f974988226dd Mon Sep 17 00:00:00 2001
+From: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+Date: Thu, 27 Sep 2018 11:56:03 +0300
+Subject: i2c: i2c-scmi: fix for i2c_smbus_write_block_data
+
+From: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+
+commit 08d9db00fe0e300d6df976e6c294f974988226dd upstream.
+
+The i2c-scmi driver crashes when the SMBus Write Block transaction is
+executed:
+
+WARNING: CPU: 9 PID: 2194 at mm/page_alloc.c:3931 __alloc_pages_slowpath+0x9db/0xec0
+ Call Trace:
+ ? get_page_from_freelist+0x49d/0x11f0
+ ? alloc_pages_current+0x6a/0xe0
+ ? new_slab+0x499/0x690
+ __alloc_pages_nodemask+0x265/0x280
+ alloc_pages_current+0x6a/0xe0
+ kmalloc_order+0x18/0x40
+ kmalloc_order_trace+0x24/0xb0
+ ? acpi_ut_allocate_object_desc_dbg+0x62/0x10c
+ __kmalloc+0x203/0x220
+ acpi_os_allocate_zeroed+0x34/0x36
+ acpi_ut_copy_eobject_to_iobject+0x266/0x31e
+ acpi_evaluate_object+0x166/0x3b2
+ acpi_smbus_cmi_access+0x144/0x530 [i2c_scmi]
+ i2c_smbus_xfer+0xda/0x370
+ i2cdev_ioctl_smbus+0x1bd/0x270
+ i2cdev_ioctl+0xaa/0x250
+ do_vfs_ioctl+0xa4/0x600
+ SyS_ioctl+0x79/0x90
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ACPI Error: Evaluating _SBW: 4 (20170831/smbus_cmi-185)
+
+This problem occurs because the length of ACPI Buffer object is not
+defined/initialized in the code before a corresponding ACPI method is
+called. The obvious patch below fixes this issue.
+
+Signed-off-by: Edgar Cherkasov <echerkasov@dev.rtsoft.ru>
+Acked-by: Viktor Krasnov <vkrasnov@dev.rtsoft.ru>
+Acked-by: Michael Brunner <Michael.Brunner@kontron.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-scmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-scmi.c
++++ b/drivers/i2c/busses/i2c-scmi.c
+@@ -152,6 +152,7 @@ acpi_smbus_cmi_access(struct i2c_adapter
+ mt_params[3].type = ACPI_TYPE_INTEGER;
+ mt_params[3].integer.value = len;
+ mt_params[4].type = ACPI_TYPE_BUFFER;
++ mt_params[4].buffer.length = len;
+ mt_params[4].buffer.pointer = data->block + 1;
+ }
+ break;
mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch
perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch
mm-preserve-_page_devmap-across-mprotect-calls.patch
+i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch
+xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch
+ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch
--- /dev/null
+From 1208d8a84fdcae6b395c57911cdf907450d30e70 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Mon, 12 Feb 2018 14:24:47 +0200
+Subject: xhci: Don't print a warning when setting link state for disabled ports
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 1208d8a84fdcae6b395c57911cdf907450d30e70 upstream.
+
+When disabling a USB3 port the hub driver will set the port link state to
+U3 to prevent "ejected" or "safely removed" devices that are still
+physically connected from immediately re-enumerating.
+
+If the device was really unplugged, then error messages were printed
+as the hub tries to set the U3 link state for a port that is no longer
+enabled.
+
+xhci-hcd ee000000.usb: Cannot set link state.
+usb usb8-port1: cannot disable (err = -32)
+
+Don't print error message in xhci-hub if hub tries to set port link state
+for a disabled port. Return -ENODEV instead which also silences hub driver.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Ross Zwisler <zwisler@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1072,17 +1072,17 @@ int xhci_hub_control(struct usb_hcd *hcd
+ temp = readl(port_array[wIndex]);
+ break;
+ }
+-
+- /* Software should not attempt to set
+- * port link state above '3' (U3) and the port
+- * must be enabled.
+- */
+- if ((temp & PORT_PE) == 0 ||
+- (link_state > USB_SS_PORT_LS_U3)) {
+- xhci_warn(xhci, "Cannot set link state.\n");
++ /* Port must be enabled */
++ if (!(temp & PORT_PE)) {
++ retval = -ENODEV;
++ break;
++ }
++ /* Can't set port link state above '3' (U3) */
++ if (link_state > USB_SS_PORT_LS_U3) {
++ xhci_warn(xhci, "Cannot set port %d link state %d\n",
++ wIndex, link_state);
+ goto error;
+ }
+-
+ if (link_state == USB_SS_PORT_LS_U3) {
+ slot_id = xhci_find_slot_id_by_port(hcd, xhci,
+ wIndex + 1);
projects / thirdparty / kernel / stable-queue.git / commitdiff
