4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 8 Aug 2016 18:01:56 +0000 (20:01 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 8 Aug 2016 18:01:56 +0000 (20:01 +0200)
added patches:
vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch

queue-4.7/series
queue-4.7/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch [new file with mode: 0644]
queue-4.7/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch [new file with mode: 0644]

index b72074501646e6cfb1a8e1942b62de1714e7ef8d..17bb2879fc79a69cb29784bbba4831979b038199 100644 (file)
@@ -1 +1,3 @@
 ext4-verify-extent-header-depth.patch
+vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
+vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
diff --git a/queue-4.7/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch b/queue-4.7/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
new file mode 100644 (file)
index 0000000..150b391
--- /dev/null
@@ -0,0 +1,47 @@
+From c1892c37769cf89c7e7ba57528ae2ccb5d153c9b Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 3 Aug 2016 13:44:27 +0200
+Subject: vfs: fix deadlock in file_remove_privs() on overlayfs
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit c1892c37769cf89c7e7ba57528ae2ccb5d153c9b upstream.
+
+file_remove_privs() is called with inode lock on file_inode(), which
+proceeds to calling notify_change() on file->f_path.dentry.  Which triggers
+the WARN_ON_ONCE(!inode_is_locked(inode)) in addition to deadlocking later
+when ovl_setattr tries to lock the underlying inode again.
+
+Fix this mess by not mixing the layers, but doing everything on underlying
+dentry/inode.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 07a2daab49c5 ("ovl: Copy up underlying inode's ->i_mode to overlay inode")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/inode.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1740,8 +1740,8 @@ static int __remove_privs(struct dentry
+  */
+ int file_remove_privs(struct file *file)
+ {
+-      struct dentry *dentry = file->f_path.dentry;
+-      struct inode *inode = d_inode(dentry);
++      struct dentry *dentry = file_dentry(file);
++      struct inode *inode = file_inode(file);
+       int kill;
+       int error = 0;
+@@ -1749,7 +1749,7 @@ int file_remove_privs(struct file *file)
+       if (IS_NOSEC(inode))
+               return 0;
+-      kill = file_needs_remove_privs(file);
++      kill = dentry_needs_remove_privs(dentry);
+       if (kill < 0)
+               return kill;
+       if (kill)
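Review bot: Nothing in the embedded fs/inode.c hunk records why `file_dentry(file)` and `file_inode(file)` replace `file->f_path.dentry`, so the layering rule this fix depends on lives only in the commit message. I would add a comment above the two declarations, for example `/* Use the underlying dentry/inode: the caller holds the inode lock on file_inode(file), not on the overlay's f_path.dentry. */`. Judging by its name and the `kill` handling, this function removes privilege bits, so a later revert to `f_path.dentry` would presumably bring back the deadlock and the WARN_ON_ONCE that the description mentions. The doc comment above the function ends just inside the hunk and the body continues past its end, so whether either already states this cannot be checked from here.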
diff --git a/queue-4.7/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch b/queue-4.7/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
new file mode 100644 (file)
index 0000000..e3fb6ee
--- /dev/null
@@ -0,0 +1,31 @@
+From 10eec60ce79187686e052092e5383c99b4420a20 Mon Sep 17 00:00:00 2001
+From: Scott Bauer <sbauer@plzdonthack.me>
+Date: Wed, 27 Jul 2016 19:11:29 -0600
+Subject: vfs: ioctl: prevent double-fetch in dedupe ioctl
+
+From: Scott Bauer <sbauer@plzdonthack.me>
+
+commit 10eec60ce79187686e052092e5383c99b4420a20 upstream.
+
+This prevents a double-fetch from user space that can lead to to an
+undersized allocation and heap overflow.
+
+Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
+Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ioctl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(stru
+               goto out;
+       }
++      same->dest_count = count;
+       ret = vfs_dedupe_file_range(file, same);
+       if (ret)
+               goto out;
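Review bot: The added `same->dest_count = count;` in the embedded fs/ioctl.c hunk has no comment, and without one it reads as a redundant store that a later cleanup could remove. Going by the commit message, `count` is the value that sized the allocation and the field in `same` comes from a second read of user memory, so I would add above it `/* Pin dest_count to the value used to size the copy; user space may have changed it between the two fetches. */`. The first fetch and the allocation are outside the hunk, so this is inferred from the description rather than from visible lines. When backporting, it is worth confirming that `vfs_dedupe_file_range()` and its callees read the count only from this kernel copy; the body of ioctl_file_dedupe_range starts and ends outside the hunk.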