--- /dev/null
+From 0facef7fb053be4353c0a48c2f48c9dbee91cb19 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Wed, 3 Aug 2016 10:58:53 +1000
+Subject: xfs: in _attrlist_by_handle, copy the cursor back to userspace
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 0facef7fb053be4353c0a48c2f48c9dbee91cb19 upstream.
+
+When we're iterating inode xattrs by handle, we have to copy the
+cursor back to userspace so that a subsequent invocation actually
+retrieves subsequent contents.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Cc: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -403,6 +403,7 @@ xfs_attrlist_by_handle(
+ {
+ int error = -ENOMEM;
+ attrlist_cursor_kern_t *cursor;
++ struct xfs_fsop_attrlist_handlereq __user *p = arg;
+ xfs_fsop_attrlist_handlereq_t al_hreq;
+ struct dentry *dentry;
+ char *kbuf;
+@@ -435,6 +436,11 @@ xfs_attrlist_by_handle(
+ if (error)
+ goto out_kfree;
+
++ if (copy_to_user(&p->pos, cursor, sizeof(attrlist_cursor_kern_t))) {
++ error = -EFAULT;
++ goto out_kfree;
++ }
++
+ if (copy_to_user(al_hreq.buffer, kbuf, al_hreq.buflen))
+ error = -EFAULT;
+
--- /dev/null
+From 2a6fba6d2311151598abaa1e7c9abd5f8d024a43 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@sandeen.net>
+Date: Wed, 6 Apr 2016 07:57:18 +1000
+Subject: xfs: only return -errno or success from attr ->put_listent
+
+From: Eric Sandeen <sandeen@sandeen.net>
+
+commit 2a6fba6d2311151598abaa1e7c9abd5f8d024a43 upstream.
+
+Today, the put_listent formatters return either 1 or 0; if
+they return 1, some callers treat this as an error and return
+it up the stack, despite "1" not being a valid (negative)
+error code.
+
+The intent seems to be that if the input buffer is full,
+we set seen_enough or set count = -1, and return 1;
+but some callers check the return before checking the
+seen_enough or count fields of the context.
+
+Fix this by only returning non-zero for actual errors
+encountered, and rely on the caller to first check the
+return value, then check the values in the context to
+decide what to do.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_attr.h | 1 +
+ fs/xfs/xfs_attr_list.c | 8 +++-----
+ fs/xfs/xfs_xattr.c | 15 ++++++++++-----
+ 3 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/fs/xfs/xfs_attr.h
++++ b/fs/xfs/xfs_attr.h
+@@ -112,6 +112,7 @@ typedef struct attrlist_cursor_kern {
+ *========================================================================*/
+
+
++/* Return 0 on success, or -errno; other state communicated via *context */
+ typedef int (*put_listent_func_t)(struct xfs_attr_list_context *, int,
+ unsigned char *, int, int, unsigned char *);
+
+--- a/fs/xfs/xfs_attr_list.c
++++ b/fs/xfs/xfs_attr_list.c
+@@ -108,16 +108,14 @@ xfs_attr_shortform_list(xfs_attr_list_co
+ (int)sfe->namelen,
+ (int)sfe->valuelen,
+ &sfe->nameval[sfe->namelen]);
+-
++ if (error)
++ return error;
+ /*
+ * Either search callback finished early or
+ * didn't fit it all in the buffer after all.
+ */
+ if (context->seen_enough)
+ break;
+-
+- if (error)
+- return error;
+ sfe = XFS_ATTR_SF_NEXTENTRY(sfe);
+ }
+ trace_xfs_attr_list_sf_all(context);
+@@ -581,7 +579,7 @@ xfs_attr_put_listent(
+ trace_xfs_attr_list_full(context);
+ alist->al_more = 1;
+ context->seen_enough = 1;
+- return 1;
++ return 0;
+ }
+
+ aep = (attrlist_ent_t *)&context->alist[context->firstu];
+--- a/fs/xfs/xfs_xattr.c
++++ b/fs/xfs/xfs_xattr.c
+@@ -180,7 +180,7 @@ xfs_xattr_put_listent(
+ arraytop = context->count + prefix_len + namelen + 1;
+ if (arraytop > context->firstu) {
+ context->count = -1; /* insufficient space */
+- return 1;
++ return 0;
+ }
+ offset = (char *)context->alist + context->count;
+ strncpy(offset, xfs_xattr_prefix(flags), prefix_len);
+@@ -222,12 +222,15 @@ list_one_attr(const char *name, const si
+ }
+
+ ssize_t
+-xfs_vn_listxattr(struct dentry *dentry, char *data, size_t size)
++xfs_vn_listxattr(
++ struct dentry *dentry,
++ char *data,
++ size_t size)
+ {
+ struct xfs_attr_list_context context;
+ struct attrlist_cursor_kern cursor = { 0 };
+- struct inode *inode = d_inode(dentry);
+- int error;
++ struct inode *inode = d_inode(dentry);
++ int error;
+
+ /*
+ * First read the regular on-disk attributes.
+@@ -245,7 +248,9 @@ xfs_vn_listxattr(struct dentry *dentry,
+ else
+ context.put_listent = xfs_xattr_put_listent_sizes;
+
+- xfs_attr_list_int(&context);
++ error = xfs_attr_list_int(&context);
++ if (error)
++ return error;
+ if (context.count < 0)
+ return -ERANGE;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
