--- /dev/null
+From 041d7b98ffe59c59fdd639931dea7d74f9aa9a59 Mon Sep 17 00:00:00 2001
+From: Richard Guy Briggs <rgb@redhat.com>
+Date: Tue, 23 Dec 2014 13:02:04 -0500
+Subject: audit: restore AUDIT_LOGINUID unset ABI
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+commit 041d7b98ffe59c59fdd639931dea7d74f9aa9a59 upstream.
+
+A regression was caused by commit 780a7654cee8:
+ audit: Make testing for a valid loginuid explicit.
+(which in turn attempted to fix a regression caused by e1760bd)
+
+When audit_krule_to_data() fills in the rules to get a listing, there was a
+missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
+
+This broke userspace by not returning the same information that was sent and
+expected.
+
+The rule:
+ auditctl -a exit,never -F auid=-1
+gives:
+ auditctl -l
+ LIST_RULES: exit,never f24=0 syscall=all
+when it should give:
+ LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
+
+Tag it so that it is reported the same way it was set. Create a new
+private flags audit_krule field (pflags) to store it that won't interact with
+the public one from the API.
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/audit.h | 4 ++++
+ kernel/auditfilter.c | 10 ++++++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/include/linux/audit.h
++++ b/include/linux/audit.h
+@@ -47,6 +47,7 @@ struct sk_buff;
+
+ struct audit_krule {
+ int vers_ops;
++ u32 pflags;
+ u32 flags;
+ u32 listnr;
+ u32 action;
+@@ -64,6 +65,9 @@ struct audit_krule {
+ u64 prio;
+ };
+
++/* Flag to indicate legacy AUDIT_LOGINUID unset usage */
++#define AUDIT_LOGINUID_LEGACY 0x1
++
+ struct audit_field {
+ u32 type;
+ u32 val;
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -429,6 +429,7 @@ static struct audit_entry *audit_data_to
+ if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
+ f->type = AUDIT_LOGINUID_SET;
+ f->val = 0;
++ entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
+ }
+
+ err = audit_field_valid(entry, f);
+@@ -604,6 +605,13 @@ static struct audit_rule_data *audit_kru
+ data->buflen += data->values[i] =
+ audit_pack_string(&bufp, krule->filterkey);
+ break;
++ case AUDIT_LOGINUID_SET:
++ if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
++ data->fields[i] = AUDIT_LOGINUID;
++ data->values[i] = AUDIT_UID_UNSET;
++ break;
++ }
++ /* fallthrough if set */
+ default:
+ data->values[i] = f->val;
+ }
+@@ -620,6 +628,7 @@ static int audit_compare_rule(struct aud
+ int i;
+
+ if (a->flags != b->flags ||
++ a->pflags != b->pflags ||
+ a->listnr != b->listnr ||
+ a->action != b->action ||
+ a->field_count != b->field_count)
+@@ -738,6 +747,7 @@ struct audit_entry *audit_dupe_rule(stru
+ new = &entry->rule;
+ new->vers_ops = old->vers_ops;
+ new->flags = old->flags;
++ new->pflags = old->pflags;
+ new->listnr = old->listnr;
+ new->action = old->action;
+ for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
--- /dev/null
+From a28046956c71985046474283fa3bcd256915fb72 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Fri, 14 Nov 2014 16:16:30 -0500
+Subject: Btrfs: do not move em to modified list when unpinning
+
+From: Josef Bacik <jbacik@fb.com>
+
+commit a28046956c71985046474283fa3bcd256915fb72 upstream.
+
+We use the modified list to keep track of which extents have been modified so we
+know which ones are candidates for logging at fsync() time. Newly modified
+extents are added to the list at modification time, around the same time the
+ordered extent is created. We do this so that we don't have to wait for ordered
+extents to complete before we know what we need to log. The problem is when
+something like this happens
+
+log extent 0-4k on inode 1
+copy csum for 0-4k from ordered extent into log
+sync log
+commit transaction
+log some other extent on inode 1
+ordered extent for 0-4k completes and adds itself onto modified list again
+log changed extents
+see ordered extent for 0-4k has already been logged
+ at this point we assume the csum has been copied
+sync log
+crash
+
+On replay we will see the extent 0-4k in the log, drop the original 0-4k extent
+which is the same one that we are replaying which also drops the csum, and then
+we won't find the csum in the log for that bytenr. This of course causes us to
+have errors about not having csums for certain ranges of our inode. So remove
+the modified list manipulation in unpin_extent_cache, any modified extents
+should have been added well before now, and we don't want them re-logged. This
+fixes my test that I could reliably reproduce this problem with. Thanks,
+
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_map.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/btrfs/extent_map.c
++++ b/fs/btrfs/extent_map.c
+@@ -290,8 +290,6 @@ int unpin_extent_cache(struct extent_map
+ if (!em)
+ goto out;
+
+- if (!test_bit(EXTENT_FLAG_LOGGING, &em->flags))
+- list_move(&em->list, &tree->modified_extents);
+ em->generation = gen;
+ clear_bit(EXTENT_FLAG_PINNED, &em->flags);
+ em->mod_start = em->start;
--- /dev/null
+From 678886bdc6378c1cbd5072da2c5a3035000214e3 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Sun, 7 Dec 2014 21:31:47 +0000
+Subject: Btrfs: fix fs corruption on transaction abort if device supports discard
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 678886bdc6378c1cbd5072da2c5a3035000214e3 upstream.
+
+When we abort a transaction we iterate over all the ranges marked as dirty
+in fs_info->freed_extents[0] and fs_info->freed_extents[1], clear them
+from those trees, add them back (unpin) to the free space caches and, if
+the fs was mounted with "-o discard", perform a discard on those regions.
+Also, after adding the regions to the free space caches, a fitrim ioctl call
+can see those ranges in a block group's free space cache and perform a discard
+on the ranges, so the same issue can happen without "-o discard" as well.
+
+This causes corruption, affecting one or multiple btree nodes (in the worst
+case leaving the fs unmountable) because some of those ranges (the ones in
+the fs_info->pinned_extents tree) correspond to btree nodes/leafs that are
+referred by the last committed super block - breaking the rule that anything
+that was committed by a transaction is untouched until the next transaction
+commits successfully.
+
+I ran into this while running in a loop (for several hours) the fstest that
+I recently submitted:
+
+ [PATCH] fstests: add btrfs test to stress chunk allocation/removal and fstrim
+
+The corruption always happened when a transaction aborted and then fsck complained
+like this:
+
+ _check_btrfs_filesystem: filesystem on /dev/sdc is inconsistent
+ *** fsck.btrfs output ***
+ Check tree block failed, want=94945280, have=0
+ Check tree block failed, want=94945280, have=0
+ Check tree block failed, want=94945280, have=0
+ Check tree block failed, want=94945280, have=0
+ Check tree block failed, want=94945280, have=0
+ read block failed check_tree_block
+ Couldn't open file system
+
+In this case 94945280 corresponded to the root of a tree.
+Using frace what I observed was the following sequence of steps happened:
+
+ 1) transaction N started, fs_info->pinned_extents pointed to
+ fs_info->freed_extents[0];
+
+ 2) node/eb 94945280 is created;
+
+ 3) eb is persisted to disk;
+
+ 4) transaction N commit starts, fs_info->pinned_extents now points to
+ fs_info->freed_extents[1], and transaction N completes;
+
+ 5) transaction N + 1 starts;
+
+ 6) eb is COWed, and btrfs_free_tree_block() called for this eb;
+
+ 7) eb range (94945280 to 94945280 + 16Kb) is added to
+ fs_info->pinned_extents (fs_info->freed_extents[1]);
+
+ 8) Something goes wrong in transaction N + 1, like hitting ENOSPC
+ for example, and the transaction is aborted, turning the fs into
+ readonly mode. The stack trace I got for example:
+
+ [112065.253935] [<ffffffff8140c7b6>] dump_stack+0x4d/0x66
+ [112065.254271] [<ffffffff81042984>] warn_slowpath_common+0x7f/0x98
+ [112065.254567] [<ffffffffa0325990>] ? __btrfs_abort_transaction+0x50/0x10b [btrfs]
+ [112065.261674] [<ffffffff810429e5>] warn_slowpath_fmt+0x48/0x50
+ [112065.261922] [<ffffffffa032949e>] ? btrfs_free_path+0x26/0x29 [btrfs]
+ [112065.262211] [<ffffffffa0325990>] __btrfs_abort_transaction+0x50/0x10b [btrfs]
+ [112065.262545] [<ffffffffa036b1d6>] btrfs_remove_chunk+0x537/0x58b [btrfs]
+ [112065.262771] [<ffffffffa033840f>] btrfs_delete_unused_bgs+0x1de/0x21b [btrfs]
+ [112065.263105] [<ffffffffa0343106>] cleaner_kthread+0x100/0x12f [btrfs]
+ (...)
+ [112065.264493] ---[ end trace dd7903a975a31a08 ]---
+ [112065.264673] BTRFS: error (device sdc) in btrfs_remove_chunk:2625: errno=-28 No space left
+ [112065.264997] BTRFS info (device sdc): forced readonly
+
+ 9) The clear kthread sees that the BTRFS_FS_STATE_ERROR bit is set in
+ fs_info->fs_state and calls btrfs_cleanup_transaction(), which in
+ turn calls btrfs_destroy_pinned_extent();
+
+ 10) Then btrfs_destroy_pinned_extent() iterates over all the ranges
+ marked as dirty in fs_info->freed_extents[], and for each one
+ it calls discard, if the fs was mounted with "-o discard", and
+ adds the range to the free space cache of the respective block
+ group;
+
+ 11) btrfs_trim_block_group(), invoked from the fitrim ioctl code path,
+ sees the free space entries and performs a discard;
+
+ 12) After an umount and mount (or fsck), our eb's location on disk was full
+ of zeroes, and it should have been untouched, because it was marked as
+ dirty in the fs_info->pinned_extents tree, and therefore used by the
+ trees that the last committed superblock points to.
+
+Fix this by not performing a discard and not adding the ranges to the free space
+caches - it's useless from this point since the fs is now in readonly mode and
+we won't write free space caches to disk anymore (otherwise we would leak space)
+nor any new superblock. By not adding the ranges to the free space caches, it
+prevents other code paths from allocating that space and write to it as well,
+therefore being safer and simpler.
+
+This isn't a new problem, as it's been present since 2011 (git commit
+acce952b0263825da32cf10489413dec78053347).
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c | 6 ------
+ fs/btrfs/extent-tree.c | 10 ++++++----
+ 2 files changed, 6 insertions(+), 10 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3978,12 +3978,6 @@ again:
+ if (ret)
+ break;
+
+- /* opt_discard */
+- if (btrfs_test_opt(root, DISCARD))
+- ret = btrfs_error_discard_extent(root, start,
+- end + 1 - start,
+- NULL);
+-
+ clear_extent_dirty(unpin, start, end, GFP_NOFS);
+ btrfs_error_unpin_extent_range(root, start, end);
+ cond_resched();
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -5503,7 +5503,8 @@ void btrfs_prepare_extent_commit(struct
+ update_global_block_rsv(fs_info);
+ }
+
+-static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
++static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end,
++ const bool return_free_space)
+ {
+ struct btrfs_fs_info *fs_info = root->fs_info;
+ struct btrfs_block_group_cache *cache = NULL;
+@@ -5527,7 +5528,8 @@ static int unpin_extent_range(struct btr
+
+ if (start < cache->last_byte_to_unpin) {
+ len = min(len, cache->last_byte_to_unpin - start);
+- btrfs_add_free_space(cache, start, len);
++ if (return_free_space)
++ btrfs_add_free_space(cache, start, len);
+ }
+
+ start += len;
+@@ -5590,7 +5592,7 @@ int btrfs_finish_extent_commit(struct bt
+ end + 1 - start, NULL);
+
+ clear_extent_dirty(unpin, start, end, GFP_NOFS);
+- unpin_extent_range(root, start, end);
++ unpin_extent_range(root, start, end, true);
+ cond_resched();
+ }
+
+@@ -8886,7 +8888,7 @@ out:
+
+ int btrfs_error_unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
+ {
+- return unpin_extent_range(root, start, end);
++ return unpin_extent_range(root, start, end, false);
+ }
+
+ int btrfs_error_discard_extent(struct btrfs_root *root, u64 bytenr,
--- /dev/null
+From 7e77bdebff5cb1e9876c561f69710b9ab8fa1f7e Mon Sep 17 00:00:00 2001
+From: Rabin Vincent <rabin.vincent@axis.com>
+Date: Fri, 19 Dec 2014 13:36:08 +0100
+Subject: crypto: af_alg - fix backlog handling
+
+From: Rabin Vincent <rabin.vincent@axis.com>
+
+commit 7e77bdebff5cb1e9876c561f69710b9ab8fa1f7e upstream.
+
+If a request is backlogged, it's complete() handler will get called
+twice: once with -EINPROGRESS, and once with the final error code.
+
+af_alg's complete handler, unlike other users, does not handle the
+-EINPROGRESS but instead always completes the completion that recvmsg()
+is waiting on. This can lead to a return to user space while the
+request is still pending in the driver. If userspace closes the sockets
+before the requests are handled by the driver, this will lead to
+use-after-frees (and potential crashes) in the kernel due to the tfm
+having been freed.
+
+The crashes can be easily reproduced (for example) by reducing the max
+queue length in cryptod.c and running the following (from
+http://www.chronox.de/libkcapi.html) on AES-NI capable hardware:
+
+ $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \
+ -k 00000000000000000000000000000000 \
+ -p 00000000000000000000000000000000 >/dev/null & done
+
+Signed-off-by: Rabin Vincent <rabin.vincent@axis.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -449,6 +449,9 @@ void af_alg_complete(struct crypto_async
+ {
+ struct af_alg_completion *completion = req->data;
+
++ if (err == -EINPROGRESS)
++ return;
++
+ completion->err = err;
+ complete(&completion->completion);
+ }
--- /dev/null
+From 332b122d39c9cbff8b799007a825d94b2e7c12f2 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue, 7 Oct 2014 15:51:55 -0500
+Subject: eCryptfs: Force RO mount when encrypted view is enabled
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 332b122d39c9cbff8b799007a825d94b2e7c12f2 upstream.
+
+The ecryptfs_encrypted_view mount option greatly changes the
+functionality of an eCryptfs mount. Instead of encrypting and decrypting
+lower files, it provides a unified view of the encrypted files in the
+lower filesystem. The presence of the ecryptfs_encrypted_view mount
+option is intended to force a read-only mount and modifying files is not
+supported when the feature is in use. See the following commit for more
+information:
+
+ e77a56d [PATCH] eCryptfs: Encrypted passthrough
+
+This patch forces the mount to be read-only when the
+ecryptfs_encrypted_view mount option is specified by setting the
+MS_RDONLY flag on the superblock. Additionally, this patch removes some
+broken logic in ecryptfs_open() that attempted to prevent modifications
+of files when the encrypted view feature was in use. The check in
+ecryptfs_open() was not sufficient to prevent file modifications using
+system calls that do not operate on a file descriptor.
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reported-by: Priya Bansal <p.bansal@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/file.c | 12 ------------
+ fs/ecryptfs/main.c | 16 +++++++++++++---
+ 2 files changed, 13 insertions(+), 15 deletions(-)
+
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -191,23 +191,11 @@ static int ecryptfs_open(struct inode *i
+ {
+ int rc = 0;
+ struct ecryptfs_crypt_stat *crypt_stat = NULL;
+- struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
+ struct dentry *ecryptfs_dentry = file->f_path.dentry;
+ /* Private value of ecryptfs_dentry allocated in
+ * ecryptfs_lookup() */
+ struct ecryptfs_file_info *file_info;
+
+- mount_crypt_stat = &ecryptfs_superblock_to_private(
+- ecryptfs_dentry->d_sb)->mount_crypt_stat;
+- if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
+- && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR)
+- || (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC)
+- || (file->f_flags & O_APPEND))) {
+- printk(KERN_WARNING "Mount has encrypted view enabled; "
+- "files may only be read\n");
+- rc = -EPERM;
+- goto out;
+- }
+ /* Released in ecryptfs_release or end of function if failure */
+ file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL);
+ ecryptfs_set_file_private(file, file_info);
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -493,6 +493,7 @@ static struct dentry *ecryptfs_mount(str
+ {
+ struct super_block *s;
+ struct ecryptfs_sb_info *sbi;
++ struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
+ struct ecryptfs_dentry_info *root_info;
+ const char *err = "Getting sb failed";
+ struct inode *inode;
+@@ -511,6 +512,7 @@ static struct dentry *ecryptfs_mount(str
+ err = "Error parsing options";
+ goto out;
+ }
++ mount_crypt_stat = &sbi->mount_crypt_stat;
+
+ s = sget(fs_type, NULL, set_anon_super, flags, NULL);
+ if (IS_ERR(s)) {
+@@ -557,11 +559,19 @@ static struct dentry *ecryptfs_mount(str
+
+ /**
+ * Set the POSIX ACL flag based on whether they're enabled in the lower
+- * mount. Force a read-only eCryptfs mount if the lower mount is ro.
+- * Allow a ro eCryptfs mount even when the lower mount is rw.
++ * mount.
+ */
+ s->s_flags = flags & ~MS_POSIXACL;
+- s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL);
++ s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL;
++
++ /**
++ * Force a read-only eCryptfs mount when:
++ * 1) The lower mount is ro
++ * 2) The ecryptfs_encrypted_view mount option is specified
++ */
++ if (path.dentry->d_sb->s_flags & MS_RDONLY ||
++ mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
++ s->s_flags |= MS_RDONLY;
+
+ s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
+ s->s_blocksize = path.dentry->d_sb->s_blocksize;
--- /dev/null
+From 942080643bce061c3dd9d5718d3b745dcb39a8bc Mon Sep 17 00:00:00 2001
+From: Michael Halcrow <mhalcrow@google.com>
+Date: Wed, 26 Nov 2014 09:09:16 -0800
+Subject: eCryptfs: Remove buggy and unnecessary write in file name decode routine
+
+From: Michael Halcrow <mhalcrow@google.com>
+
+commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
+
+Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
+end of the allocated buffer during encrypted filename decoding. This
+fix corrects the issue by getting rid of the unnecessary 0 write when
+the current bit offset is 2.
+
+Signed-off-by: Michael Halcrow <mhalcrow@google.com>
+Reported-by: Dmitry Chernenkov <dmitryc@google.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/crypto.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned c
+ break;
+ case 2:
+ dst[dst_byte_offset++] |= (src_byte);
+- dst[dst_byte_offset] = 0;
+ current_bit_offset = 0;
+ break;
+ }
--- /dev/null
+From 24c037ebf5723d4d9ab0996433cee4f96c292a4d Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 10 Dec 2014 15:55:25 -0800
+Subject: exit: pidns: alloc_pid() leaks pid_namespace if child_reaper is exiting
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 24c037ebf5723d4d9ab0996433cee4f96c292a4d upstream.
+
+alloc_pid() does get_pid_ns() beforehand but forgets to put_pid_ns() if it
+fails because disable_pid_allocation() was called by the exiting
+child_reaper.
+
+We could simply move get_pid_ns() down to successful return, but this fix
+tries to be as trivial as possible.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Aaron Tomlin <atomlin@redhat.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
+Cc: Sterling Alexander <stalexan@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/pid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -341,6 +341,8 @@ out:
+
+ out_unlock:
+ spin_unlock_irq(&pidmap_lock);
++ put_pid_ns(ns);
++
+ out_free:
+ while (++i <= ns->level)
+ free_pidmap(pid->numbers + i);
--- /dev/null
+From a682e9c28cac152e6e54c39efcf046e0c8cfcf63 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 10 Dec 2014 15:52:22 -0800
+Subject: ncpfs: return proper error from NCP_IOC_SETROOT ioctl
+
+From: Jan Kara <jack@suse.cz>
+
+commit a682e9c28cac152e6e54c39efcf046e0c8cfcf63 upstream.
+
+If some error happens in NCP_IOC_SETROOT ioctl, the appropriate error
+return value is then (in most cases) just overwritten before we return.
+This can result in reporting success to userspace although error happened.
+
+This bug was introduced by commit 2e54eb96e2c8 ("BKL: Remove BKL from
+ncpfs"). Propagate the errors correctly.
+
+Coverity id: 1226925.
+
+Fixes: 2e54eb96e2c80 ("BKL: Remove BKL from ncpfs")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Cc: Petr Vandrovec <petr@vandrovec.name>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ncpfs/ioctl.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/ncpfs/ioctl.c
++++ b/fs/ncpfs/ioctl.c
+@@ -448,7 +448,6 @@ static long __ncp_ioctl(struct inode *in
+ result = -EIO;
+ }
+ }
+- result = 0;
+ }
+ mutex_unlock(&server->root_setup_lock);
+
userns-add-a-knob-to-disable-setgroups-on-a-per-user-namespace-basis.patch
userns-allow-setting-gid_maps-without-privilege-when-setgroups-is-disabled.patch
userns-unbreak-the-unprivileged-remount-tests.patch
+audit-restore-audit_loginuid-unset-abi.patch
+crypto-af_alg-fix-backlog-handling.patch
+ncpfs-return-proper-error-from-ncp_ioc_setroot-ioctl.patch
+exit-pidns-alloc_pid-leaks-pid_namespace-if-child_reaper-is-exiting.patch
+udf-check-path-length-when-reading-symlink.patch
+udf-verify-i_size-when-loading-inode.patch
+udf-verify-symlink-size-before-loading-it.patch
+udf-check-component-length-before-reading-it.patch
+ecryptfs-force-ro-mount-when-encrypted-view-is-enabled.patch
+ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode-routine.patch
+btrfs-do-not-move-em-to-modified-list-when-unpinning.patch
+btrfs-fix-fs-corruption-on-transaction-abort-if-device-supports-discard.patch
--- /dev/null
+From e237ec37ec154564f8690c5bd1795339955eeef9 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 19 Dec 2014 14:27:55 +0100
+Subject: udf: Check component length before reading it
+
+From: Jan Kara <jack@suse.cz>
+
+commit e237ec37ec154564f8690c5bd1795339955eeef9 upstream.
+
+Check that length specified in a component of a symlink fits in the
+input buffer we are reading. Also properly ignore component length for
+component types that do not use it. Otherwise we read memory after end
+of buffer for corrupted udf image.
+
+Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/symlink.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/udf/symlink.c
++++ b/fs/udf/symlink.c
+@@ -42,14 +42,17 @@ static int udf_pc_to_char(struct super_b
+ tolen--;
+ while (elen < fromlen) {
+ pc = (struct pathComponent *)(from + elen);
++ elen += sizeof(struct pathComponent);
+ switch (pc->componentType) {
+ case 1:
+ /*
+ * Symlink points to some place which should be agreed
+ * upon between originator and receiver of the media. Ignore.
+ */
+- if (pc->lengthComponentIdent > 0)
++ if (pc->lengthComponentIdent > 0) {
++ elen += pc->lengthComponentIdent;
+ break;
++ }
+ /* Fall through */
+ case 2:
+ if (tolen == 0)
+@@ -74,6 +77,9 @@ static int udf_pc_to_char(struct super_b
+ /* that would be . - just ignore */
+ break;
+ case 5:
++ elen += pc->lengthComponentIdent;
++ if (elen > fromlen)
++ return -EIO;
+ comp_len = udf_get_filename(sb, pc->componentIdent,
+ pc->lengthComponentIdent,
+ p, tolen);
+@@ -85,7 +91,6 @@ static int udf_pc_to_char(struct super_b
+ tolen--;
+ break;
+ }
+- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
+ }
+ if (p > to + 1)
+ p[-1] = '\0';
--- /dev/null
+From 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 18 Dec 2014 22:37:50 +0100
+Subject: udf: Check path length when reading symlink
+
+From: Jan Kara <jack@suse.cz>
+
+commit 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 upstream.
+
+Symlink reading code does not check whether the resulting path fits into
+the page provided by the generic code. This isn't as easy as just
+checking the symlink size because of various encoding conversions we
+perform on path. So we have to check whether there is still enough space
+in the buffer on the fly.
+
+Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/dir.c | 3 ++-
+ fs/udf/namei.c | 3 ++-
+ fs/udf/symlink.c | 31 ++++++++++++++++++++++++++-----
+ fs/udf/udfdecl.h | 3 ++-
+ fs/udf/unicode.c | 28 ++++++++++++++++------------
+ 5 files changed, 48 insertions(+), 20 deletions(-)
+
+--- a/fs/udf/dir.c
++++ b/fs/udf/dir.c
+@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file
+ continue;
+ }
+
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ if (!flen)
+ continue;
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_en
+ if (!lfi)
+ continue;
+
+- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
++ UDF_NAME_LEN);
+ if (flen && udf_match(flen, fname, child->len, child->name))
+ goto out_ok;
+ }
+--- a/fs/udf/symlink.c
++++ b/fs/udf/symlink.c
+@@ -30,13 +30,16 @@
+ #include <linux/buffer_head.h>
+ #include "udf_i.h"
+
+-static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
+- int fromlen, unsigned char *to)
++static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
++ int fromlen, unsigned char *to, int tolen)
+ {
+ struct pathComponent *pc;
+ int elen = 0;
++ int comp_len;
+ unsigned char *p = to;
+
++ /* Reserve one byte for terminating \0 */
++ tolen--;
+ while (elen < fromlen) {
+ pc = (struct pathComponent *)(from + elen);
+ switch (pc->componentType) {
+@@ -49,22 +52,37 @@ static void udf_pc_to_char(struct super_
+ break;
+ /* Fall through */
+ case 2:
++ if (tolen == 0)
++ return -ENAMETOOLONG;
+ p = to;
+ *p++ = '/';
++ tolen--;
+ break;
+ case 3:
++ if (tolen < 3)
++ return -ENAMETOOLONG;
+ memcpy(p, "../", 3);
+ p += 3;
++ tolen -= 3;
+ break;
+ case 4:
++ if (tolen < 2)
++ return -ENAMETOOLONG;
+ memcpy(p, "./", 2);
+ p += 2;
++ tolen -= 2;
+ /* that would be . - just ignore */
+ break;
+ case 5:
+- p += udf_get_filename(sb, pc->componentIdent, p,
+- pc->lengthComponentIdent);
++ comp_len = udf_get_filename(sb, pc->componentIdent,
++ pc->lengthComponentIdent,
++ p, tolen);
++ p += comp_len;
++ tolen -= comp_len;
++ if (tolen == 0)
++ return -ENAMETOOLONG;
+ *p++ = '/';
++ tolen--;
+ break;
+ }
+ elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
+@@ -73,6 +91,7 @@ static void udf_pc_to_char(struct super_
+ p[-1] = '\0';
+ else
+ p[0] = '\0';
++ return 0;
+ }
+
+ static int udf_symlink_filler(struct file *file, struct page *page)
+@@ -100,8 +119,10 @@ static int udf_symlink_filler(struct fil
+ symlink = bh->b_data;
+ }
+
+- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
+ brelse(bh);
++ if (err)
++ goto out_unlock_inode;
+
+ up_read(&iinfo->i_data_sem);
+ SetPageUptodate(page);
+--- a/fs/udf/udfdecl.h
++++ b/fs/udf/udfdecl.h
+@@ -201,7 +201,8 @@ udf_get_lb_pblock(struct super_block *sb
+ }
+
+ /* unicode.c */
+-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
++ int);
+ extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
+ int);
+ extern int udf_build_ustr(struct ustr *, dstring *, int);
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -28,7 +28,8 @@
+
+ #include "udf_sb.h"
+
+-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
++ int);
+
+ static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
+ {
+@@ -333,8 +334,8 @@ try_again:
+ return u_len + 1;
+ }
+
+-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
+- int flen)
++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
++ uint8_t *dname, int dlen)
+ {
+ struct ustr *filename, *unifilename;
+ int len = 0;
+@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block
+ if (!unifilename)
+ goto out1;
+
+- if (udf_build_ustr_exact(unifilename, sname, flen))
++ if (udf_build_ustr_exact(unifilename, sname, slen))
+ goto out2;
+
+ if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
+@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block
+ } else
+ goto out2;
+
+- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
++ len = udf_translate_to_linux(dname, dlen,
++ filename->u_name, filename->u_len,
+ unifilename->u_name, unifilename->u_len);
+ out2:
+ kfree(unifilename);
+@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block
+ #define EXT_MARK '.'
+ #define CRC_MARK '#'
+ #define EXT_SIZE 5
++/* Number of chars we need to store generated CRC to make filename unique */
++#define CRC_LEN 5
+
+-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
+- int udfLen, uint8_t *fidName,
+- int fidNameLen)
++static int udf_translate_to_linux(uint8_t *newName, int newLen,
++ uint8_t *udfName, int udfLen,
++ uint8_t *fidName, int fidNameLen)
+ {
+ int index, newIndex = 0, needsCRC = 0;
+ int extIndex = 0, newExtIndex = 0, hasExt = 0;
+@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_
+ newExtIndex = newIndex;
+ }
+ }
+- if (newIndex < 256)
++ if (newIndex < newLen)
+ newName[newIndex++] = curr;
+ else
+ needsCRC = 1;
+@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_
+ }
+ ext[localExtIndex++] = curr;
+ }
+- maxFilenameLen = 250 - localExtIndex;
++ maxFilenameLen = newLen - CRC_LEN - localExtIndex;
+ if (newIndex > maxFilenameLen)
+ newIndex = maxFilenameLen;
+ else
+ newIndex = newExtIndex;
+- } else if (newIndex > 250)
+- newIndex = 250;
++ } else if (newIndex > newLen - CRC_LEN)
++ newIndex = newLen - CRC_LEN;
+ newName[newIndex++] = CRC_MARK;
+ valueCRC = crc_itu_t(0, fidName, fidNameLen);
+ newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12];
--- /dev/null
+From e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 19 Dec 2014 12:03:53 +0100
+Subject: udf: Verify i_size when loading inode
+
+From: Jan Kara <jack@suse.cz>
+
+commit e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 upstream.
+
+Verify that inode size is sane when loading inode with data stored in
+ICB. Otherwise we may get confused later when working with the inode and
+inode size is too big.
+
+Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/inode.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1496,6 +1496,20 @@ static void udf_fill_inode(struct inode
+ iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+ }
+
++ /* Sanity checks for files in ICB so that we don't get confused later */
++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
++ /*
++ * For file in ICB data is stored in allocation descriptor
++ * so sizes should match
++ */
++ if (iinfo->i_lenAlloc != inode->i_size)
++ goto out;
++ /* File in ICB has to fit in there... */
++ if (inode->i_size > inode->i_sb->s_blocksize -
++ udf_file_entry_alloc_offset(inode))
++ goto out;
++ }
++
+ switch (fe->icbTag.fileType) {
+ case ICBTAG_FILE_TYPE_DIRECTORY:
+ inode->i_op = &udf_dir_inode_operations;
--- /dev/null
+From a1d47b262952a45aae62bd49cfaf33dd76c11a2c Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 19 Dec 2014 12:21:47 +0100
+Subject: udf: Verify symlink size before loading it
+
+From: Jan Kara <jack@suse.cz>
+
+commit a1d47b262952a45aae62bd49cfaf33dd76c11a2c upstream.
+
+UDF specification allows arbitrarily large symlinks. However we support
+only symlinks at most one block large. Check the length of the symlink
+so that we don't access memory beyond end of the symlink block.
+
+Reported-by: Carl Henrik Lunde <chlunde@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/symlink.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/fs/udf/symlink.c
++++ b/fs/udf/symlink.c
+@@ -99,11 +99,17 @@ static int udf_symlink_filler(struct fil
+ struct inode *inode = page->mapping->host;
+ struct buffer_head *bh = NULL;
+ unsigned char *symlink;
+- int err = -EIO;
++ int err;
+ unsigned char *p = kmap(page);
+ struct udf_inode_info *iinfo;
+ uint32_t pos;
+
++ /* We don't support symlinks longer than one block */
++ if (inode->i_size > inode->i_sb->s_blocksize) {
++ err = -ENAMETOOLONG;
++ goto out_unmap;
++ }
++
+ iinfo = UDF_I(inode);
+ pos = udf_block_map(inode, 0);
+
+@@ -113,8 +119,10 @@ static int udf_symlink_filler(struct fil
+ } else {
+ bh = sb_bread(inode->i_sb, pos);
+
+- if (!bh)
+- goto out;
++ if (!bh) {
++ err = -EIO;
++ goto out_unlock_inode;
++ }
+
+ symlink = bh->b_data;
+ }
+@@ -130,9 +138,10 @@ static int udf_symlink_filler(struct fil
+ unlock_page(page);
+ return 0;
+
+-out:
++out_unlock_inode:
+ up_read(&iinfo->i_data_sem);
+ SetPageError(page);
++out_unmap:
+ kunmap(page);
+ unlock_page(page);
+ return err;
projects / thirdparty / kernel / stable-queue.git / commitdiff
