From: Greg Kroah-Hartman Date: Sun, 29 Apr 2018 10:21:17 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.16.7~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0479816d40a559d3231c916bd7c0a0239acdec1c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ext4-add-module_softdep-to-ensure-crc32c-is-included-in-the-initramfs.patch ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch --- diff --git a/queue-4.14/ext4-add-module_softdep-to-ensure-crc32c-is-included-in-the-initramfs.patch b/queue-4.14/ext4-add-module_softdep-to-ensure-crc32c-is-included-in-the-initramfs.patch new file mode 100644 index 00000000000..055cf5da49e --- /dev/null +++ b/queue-4.14/ext4-add-module_softdep-to-ensure-crc32c-is-included-in-the-initramfs.patch @@ -0,0 +1,31 @@ +From 7ef79ad52136712172eb0525bf0b462516bf2f93 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 26 Apr 2018 00:44:46 -0400 +Subject: ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Theodore Ts'o + +commit 7ef79ad52136712172eb0525bf0b462516bf2f93 upstream. + +Fixes: a45403b51582 ("ext4: always initialize the crc32c checksum driver") +Reported-by: François Valenduc +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5865,5 +5865,6 @@ static void __exit ext4_exit_fs(void) + MODULE_AUTHOR("Remy Card, Stephen Tweedie, Andrew Morton, Andreas Dilger, Theodore Ts'o and others"); + MODULE_DESCRIPTION("Fourth Extended Filesystem"); + MODULE_LICENSE("GPL"); ++MODULE_SOFTDEP("pre: crc32c"); + module_init(ext4_init_fs) + module_exit(ext4_exit_fs) 
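Review bot: The commit body is empty apart from the Subject, Fixes: and Reported-by: lines; a sentence stating why the soft dependency is needed would help stable reviewers judge the backport. The Fixes: line points at "ext4: always initialize the crc32c checksum driver", which is the reason: once ext4 unconditionally needs crc32c at mount time, an initramfs whose generator only follows hard module dependencies will not ship crc32c and an ext4 root can no longer be mounted. It is also worth noting in the message that `MODULE_SOFTDEP("pre: crc32c");` is a hint exported through modinfo and modules.softdep for modprobe and initramfs tools; it does nothing for a built-in ext4, where the crc32c implementation still has to be reachable through the kernel configuration.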
diff --git a/queue-4.14/ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch b/queue-4.14/ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch new file mode 100644 index 00000000000..7ca41c7af44 --- /dev/null +++ b/queue-4.14/ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch 
@@ -0,0 +1,70 @@ +From 349fa7d6e1935f49bf4161c4900711b2989180a9 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 12 Apr 2018 11:48:09 -0400 +Subject: ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS + +From: Eric Biggers + +commit 349fa7d6e1935f49bf4161c4900711b2989180a9 upstream. + +During the "insert range" fallocate operation, extents starting at the +range offset are shifted "right" (to a higher file offset) by the range +length. But, as shown by syzbot, it's not validated that this doesn't +cause extents to be shifted beyond EXT_MAX_BLOCKS. In that case +->ee_block can wrap around, corrupting the extent tree. + +Fix it by returning an error if the space between the end of the last +extent and EXT4_MAX_BLOCKS is smaller than the range being inserted. + +This bug can be reproduced by running the following commands when the +current directory is on an ext4 filesystem with a 4k block size: + + fallocate -l 8192 file + fallocate --keep-size -o 0xfffffffe000 -l 4096 -n file + fallocate --insert-range -l 8192 file + +Then after unmounting the filesystem, e2fsck reports corruption. + +Reported-by: syzbot+06c885be0edcdaeab40c@syzkaller.appspotmail.com +Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5346,8 +5346,9 @@ ext4_ext_shift_extents(struct inode *ino + stop = le32_to_cpu(extent->ee_block); + + /* +- * In case of left shift, Don't start shifting extents until we make +- * sure the hole is big enough to accommodate the shift. ++ * For left shifts, make sure the hole on the left is big enough to ++ * accommodate the shift. For right shifts, make sure the last extent ++ * won't be shifted beyond EXT_MAX_BLOCKS. 
+ */ + if (SHIFT == SHIFT_LEFT) { + path = ext4_find_extent(inode, start - 1, &path, +@@ -5367,9 +5368,14 @@ ext4_ext_shift_extents(struct inode *ino + + if ((start == ex_start && shift > ex_start) || + (shift > start - ex_end)) { +- ext4_ext_drop_refs(path); +- kfree(path); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out; ++ } ++ } else { ++ if (shift > EXT_MAX_BLOCKS - ++ (stop + ext4_ext_get_actual_len(extent))) { ++ ret = -EINVAL; ++ goto out; + } + } + diff --git a/queue-4.14/ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch b/queue-4.14/ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch new file mode 100644 index 00000000000..032217268a8 --- /dev/null +++ b/queue-4.14/ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch 
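Review bot: The left-shift error path in the second hunk is changed from `ext4_ext_drop_refs(path); kfree(path); return -EINVAL;` to `ret = -EINVAL; goto out;`, but neither `ret` nor the `out:` label appears in the hunk; confirm in the surrounding function that `out:` drops the path references and frees `path` before returning `ret`, otherwise the left-shift failure now leaks the path. For the new right-shift branch, `shift > EXT_MAX_BLOCKS - (stop + ext4_ext_get_actual_len(extent))` only does what the commit message describes while `stop + len <= EXT_MAX_BLOCKS` holds (`stop` is the last extent's ee_block per the visible context, `stop = le32_to_cpu(extent->ee_block);`); if that invariant is guaranteed by extent validation at read time, a short comment saying so would spare the next reader from worrying about unsigned wrap in the subtraction, and if it is not, the check should be written as an addition-free comparison instead.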
@@ -0,0 +1,43 @@ +From b2569260d55228b617bd82aba6d0db2faeeb4116 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 18 Apr 2018 11:49:31 -0400 +Subject: ext4: set h_journal if there is a failure starting a reserved handle + +From: Theodore Ts'o + +commit b2569260d55228b617bd82aba6d0db2faeeb4116 upstream. + +If ext4 tries to start a reserved handle via +jbd2_journal_start_reserved(), and the journal has been aborted, this +can result in a NULL pointer dereference. This is because the fields +h_journal and h_transaction in the handle structure share the same +memory, via a union, so jbd2_journal_start_reserved() will clear +h_journal before calling start_this_handle(). If this function fails +due to an aborted handle, h_journal will still be NULL, and the call +to jbd2_journal_free_reserved() will pass a NULL journal to +sub_reserve_credits(). + +This can be reproduced by running "kvm-xfstests -c dioread_nolock +generic/475". + +Cc: stable@kernel.org # 3.11 +Fixes: 8f7d89f36829b ("jbd2: transaction reservation support") +Signed-off-by: Theodore Ts'o +Reviewed-by: Andreas Dilger +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -535,6 +535,7 @@ int jbd2_journal_start_reserved(handle_t + */ + ret = start_this_handle(journal, handle, GFP_NOFS); + if (ret < 0) { ++ handle->h_journal = journal; + jbd2_journal_free_reserved(handle); + return ret; + }
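Review bot: The added `handle->h_journal = journal;` is correct but reads as a no-op to anyone who does not know that h_journal and h_transaction share a union, so add a one-line comment above it, for example `/* h_journal was cleared earlier in this function; restore it so jbd2_journal_free_reserved() sees a valid journal */`, to keep the assignment from being removed as redundant later. While here, confirm that jbd2_journal_free_reserved() is the only consumer of h_journal on this error path and that a failed start_this_handle() leaves nothing attached in h_transaction that this store would now overwrite; the commit message covers the aborted-journal case, and a comment stating that assumption next to the code would make the fix easier to verify in future backports.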