--- /dev/null
+From b5c40d598f5408bd0ca22dfffa82f03cd9433f23 Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Tue, 22 May 2018 15:02:12 -0700
+Subject: Btrfs: fix clone vs chattr NODATASUM race
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit b5c40d598f5408bd0ca22dfffa82f03cd9433f23 upstream.
+
+In btrfs_clone_files(), we must check the NODATASUM flag while the
+inodes are locked. Otherwise, it's possible that btrfs_ioctl_setflags()
+will change the flags after we check and we can end up with a party
+checksummed file.
+
+The race window is only a few instructions in size, between the if and
+the locks which is:
+
+3834 if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
+3835 return -EISDIR;
+
+where the setflags must be run and toggle the NODATASUM flag (provided
+the file size is 0). The clone will block on the inode lock, setflags
+takes the inode lock, changes flags, releases the lock and clone continues.
+
+Not impossible but still needs a lot of bad luck to hit unintentionally.
+
+Fixes: 0e7b824c4ef9 ("Btrfs: don't make a file partly checksummed through file clone")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ adjusted for 4.4 ]
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+
+---
+ fs/btrfs/ioctl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3923,11 +3923,6 @@ static noinline long btrfs_ioctl_clone(s
+ if (!(src_file.file->f_mode & FMODE_READ))
+ goto out_fput;
+
+- /* don't make the dst file partly checksummed */
+- if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
+- (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM))
+- goto out_fput;
+-
+ ret = -EISDIR;
+ if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
+ goto out_fput;
+@@ -3942,6 +3937,13 @@ static noinline long btrfs_ioctl_clone(s
+ mutex_lock(&src->i_mutex);
+ }
+
++ /* don't make the dst file partly checksummed */
++ if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
++ (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* determine range to clone */
+ ret = -EINVAL;
+ if (off + len > src->i_size || off + len < off)
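Review bot: The relocated comment on the new check still reads only `/* don't make the dst file partly checksummed */` and does not record that the test is valid only while both inode locks are held, which is the entire reason for the move. Without that, a later cleanup could hoist the check back above the locking and reopen the race described in the changelog. Suggested wording: `/* Must run with both inodes locked: btrfs_ioctl_setflags() can toggle NODATASUM until then; don't make the dst file partly checksummed */`. btrfs_ioctl_clone starts and ends outside the hunk, so the `out_unlock` path is not visible here.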
--- /dev/null
+From c043ec1ca5baae63726aae32abbe003192bc6eec Mon Sep 17 00:00:00 2001
+From: Martin Kelly <mkelly@xevo.com>
+Date: Mon, 26 Mar 2018 14:27:51 -0700
+Subject: iio:buffer: make length types match kfifo types
+
+From: Martin Kelly <mkelly@xevo.com>
+
+commit c043ec1ca5baae63726aae32abbe003192bc6eec upstream.
+
+Currently, we use int for buffer length and bytes_per_datum. However,
+kfifo uses unsigned int for length and size_t for element size. We need
+to make sure these match or we will have bugs related to overflow (in
+the range between INT_MAX and UINT_MAX for length, for example).
+
+In addition, set_bytes_per_datum uses size_t while bytes_per_datum is an
+int, which would cause bugs for large values of bytes_per_datum.
+
+Change buffer length to use unsigned int and bytes_per_datum to use
+size_t.
+
+Signed-off-by: Martin Kelly <mkelly@xevo.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[bwh: Backported to 4.4:
+ - Drop change to iio_dma_buffer_set_length()
+ - Adjust filename, context]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/buffer/kfifo_buf.c | 4 ++--
+ include/linux/iio/buffer.h | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/buffer/kfifo_buf.c
++++ b/drivers/iio/buffer/kfifo_buf.c
+@@ -19,7 +19,7 @@ struct iio_kfifo {
+ #define iio_to_kfifo(r) container_of(r, struct iio_kfifo, buffer)
+
+ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf,
+- int bytes_per_datum, int length)
++ size_t bytes_per_datum, unsigned int length)
+ {
+ if ((length == 0) || (bytes_per_datum == 0))
+ return -EINVAL;
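Review bot: The guard at the top of `__iio_allocate_kfifo` still rejects only zero, so with `unsigned int length` and `size_t bytes_per_datum` a very large pair is passed on unchecked. The allocation itself is outside the hunk; if it multiplies the two, as a kfifo allocation would be expected to, the product can wrap and produce a buffer smaller than the geometry the caller asked for. A bound placed after the zero check, e.g. `if (length > UINT_MAX / bytes_per_datum) return -EINVAL;`, would close that.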
+@@ -71,7 +71,7 @@ static int iio_set_bytes_per_datum_kfifo
+ return 0;
+ }
+
+-static int iio_set_length_kfifo(struct iio_buffer *r, int length)
++static int iio_set_length_kfifo(struct iio_buffer *r, unsigned int length)
+ {
+ /* Avoid an invalid state */
+ if (length < 2)
+--- a/include/linux/iio/buffer.h
++++ b/include/linux/iio/buffer.h
+@@ -49,7 +49,7 @@ struct iio_buffer_access_funcs {
+ int (*request_update)(struct iio_buffer *buffer);
+
+ int (*set_bytes_per_datum)(struct iio_buffer *buffer, size_t bpd);
+- int (*set_length)(struct iio_buffer *buffer, int length);
++ int (*set_length)(struct iio_buffer *buffer, unsigned int length);
+
+ void (*release)(struct iio_buffer *buffer);
+
+@@ -78,8 +78,8 @@ struct iio_buffer_access_funcs {
+ * @watermark: [INTERN] number of datums to wait for poll/read.
+ */
+ struct iio_buffer {
+- int length;
+- int bytes_per_datum;
++ unsigned int length;
++ size_t bytes_per_datum;
+ struct attribute_group *scan_el_attrs;
+ long *scan_mask;
+ bool scan_timestamp;
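Review bot: Changing `length` to `unsigned int` and `bytes_per_datum` to `size_t` in `struct iio_buffer` alters the type seen by every reader of these fields, yet the diffstat shows only two files touched and the backport note says the iio_dma_buffer_set_length() change was dropped. Any code outside this diff that formats them with `%d` or copies them into an `int` would now be mismatched, so it is worth grepping the users and switching to `%u` / `%zu` where needed. This is inferred from the type change alone; the call sites are not visible here.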
--- /dev/null
+From 18f3e95b90b28318ef35910d21c39908de672331 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 12 Jun 2018 17:54:42 +0800
+Subject: MIPS: io: Add barrier after register read in inX()
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 18f3e95b90b28318ef35910d21c39908de672331 upstream.
+
+While a barrier is present in the outX() functions before the register
+write, a similar barrier is missing in the inX() functions after the
+register read. This could allow memory accesses following inX() to
+observe stale data.
+
+This patch is very similar to commit a1cc7034e33d12dc1 ("MIPS: io: Add
+barrier after register read in readX()"). Because war_io_reorder_wmb()
+is used by both writeX() and outX(), if readX() needs a barrier then so
+does inX().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19516/
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: Huacai Chen <chenhuacai@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/io.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/include/asm/io.h
++++ b/arch/mips/include/asm/io.h
+@@ -411,6 +411,8 @@ static inline type pfx##in##bwlq##p(unsi
+ __val = *__addr; \
+ slow; \
+ \
++ /* prevent prefetching of coherent DMA data prematurely */ \
++ rmb(); \
+ return pfx##ioswab##bwlq(__addr, __val); \
+ }
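Review bot: The comment added with `rmb()` in the inX() macro body, `/* prevent prefetching of coherent DMA data prematurely */`, does not say which accesses the barrier orders. Per the changelog the intent is that memory accesses following inX() must not observe stale data, so `/* order the port read before later memory loads so they cannot return stale (e.g. DMA) data */` would be clearer. The barrier here is unconditional, while the changelog notes that outX() goes through war_io_reorder_wmb(); if that asymmetry is deliberate, a word in the comment would help. The macro starts above the hunk.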
+
mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
+mips-io-add-barrier-after-register-read-in-inx.patch
+time-make-sure-jiffies_to_msecs-preserves-non-zero-time-periods.patch
+x.509-unpack-rsa-signaturevalue-field-from-bit-string.patch
+btrfs-fix-clone-vs-chattr-nodatasum-race.patch
+iio-buffer-make-length-types-match-kfifo-types.patch
--- /dev/null
+From abcbcb80cd09cd40f2089d912764e315459b71f7 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Fri, 22 Jun 2018 16:33:57 +0200
+Subject: time: Make sure jiffies_to_msecs() preserves non-zero time periods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+commit abcbcb80cd09cd40f2089d912764e315459b71f7 upstream.
+
+For the common cases where 1000 is a multiple of HZ, or HZ is a multiple of
+1000, jiffies_to_msecs() never returns zero when passed a non-zero time
+period.
+
+However, if HZ > 1000 and not an integer multiple of 1000 (e.g. 1024 or
+1200, as used on alpha and DECstation), jiffies_to_msecs() may return zero
+for small non-zero time periods. This may break code that relies on
+receiving back a non-zero value.
+
+jiffies_to_usecs() does not need such a fix: one jiffy can only be less
+than one µs if HZ > 1000000, and such large values of HZ are already
+rejected at build time, twice:
+
+ - include/linux/jiffies.h does #error if HZ >= 12288,
+ - kernel/time/time.c has BUILD_BUG_ON(HZ > USEC_PER_SEC).
+
+Broken since forever.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: linux-alpha@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180622143357.7495-1-geert@linux-m68k.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/time.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -28,6 +28,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/kernel.h>
+ #include <linux/timex.h>
+ #include <linux/capability.h>
+ #include <linux/timekeeper_internal.h>
+@@ -258,9 +259,10 @@ unsigned int jiffies_to_msecs(const unsi
+ return (j + (HZ / MSEC_PER_SEC) - 1)/(HZ / MSEC_PER_SEC);
+ #else
+ # if BITS_PER_LONG == 32
+- return (HZ_TO_MSEC_MUL32 * j) >> HZ_TO_MSEC_SHR32;
++ return (HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >>
++ HZ_TO_MSEC_SHR32;
+ # else
+- return (j * HZ_TO_MSEC_NUM) / HZ_TO_MSEC_DEN;
++ return DIV_ROUND_UP(j * HZ_TO_MSEC_NUM, HZ_TO_MSEC_DEN);
+ # endif
+ #endif
+ }
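Review bot: Both changed branches now round up, but nothing at the changed lines says so, and the 32-bit expression `(HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >> HZ_TO_MSEC_SHR32` is hard to recognise as a ceiling division. A short comment above these arms, such as `/* round up so that a non-zero j never converts to 0 ms */`, would record the contract that callers rely on. jiffies_to_msecs() starts above the hunk, so any existing function comment is not visible and may need the same sentence.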
--- /dev/null
+From b65c32ec5a942ab3ada93a048089a938918aba7f Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Sat, 19 May 2018 14:23:54 +0200
+Subject: X.509: unpack RSA signatureValue field from BIT STRING
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit b65c32ec5a942ab3ada93a048089a938918aba7f upstream.
+
+The signatureValue field of a X.509 certificate is encoded as a BIT STRING.
+For RSA signatures this BIT STRING is of so-called primitive subtype, which
+contains a u8 prefix indicating a count of unused bits in the encoding.
+
+We have to strip this prefix from signature data, just as we already do for
+key data in x509_extract_key_data() function.
+
+This wasn't noticed earlier because this prefix byte is zero for RSA key
+sizes divisible by 8. Since BIT STRING is a big-endian encoding adding zero
+prefixes has no bearing on its value.
+
+The signature length, however, was incorrect, which is a problem for RSA
+implementations that need it to be exactly correct (like AMD CCP).
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Fixes: c26fd69fa009 ("X.509: Add a crypto key parser for binary (DER) X.509 certificates")
+Cc: stable@vger.kernel.org
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -239,6 +239,15 @@ int x509_note_signature(void *context, s
+ return -EINVAL;
+ }
+
++ if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0) {
++ /* Discard the BIT STRING metadata */
++ if (vlen < 1 || *(const u8 *)value != 0)
++ return -EBADMSG;
++
++ value++;
++ vlen--;
++ }
++
+ ctx->cert->raw_sig = value;
+ ctx->cert->raw_sig_size = vlen;
+ return 0;
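Review bot: A one-byte signatureValue passes the new guard in `x509_note_signature` and leaves `raw_sig_size` at 0, because `vlen < 1` rejects only an empty value and `vlen--` then strips the single prefix byte. Whether the verification path outside this hunk rejects an empty signature is not visible here, so rejecting it at parse time is the safer choice, e.g. `if (vlen < 2 || *(const u8 *)value != 0)`. The comment could also name the byte being dropped: `/* Strip the BIT STRING unused-bits count, which must be 0 for RSA */`. The function starts above the hunk.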