From: Greg Kroah-Hartman Date: Mon, 8 Aug 2016 18:01:56 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v3.14.75~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73b0633f582539c520bfee0c56925fd1a24ed563;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
---
diff --git a/queue-4.7/series b/queue-4.7/series
index b7207450164..17bb2879fc7 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
@@ -1 +1,3 @@
 ext4-verify-extent-header-depth.patch
+vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
+vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
diff --git a/queue-4.7/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch b/queue-4.7/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
new file mode 100644
index 00000000000..150b391dc40
--- /dev/null
+++ b/queue-4.7/vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch
@@ -0,0 +1,47 @@
+From c1892c37769cf89c7e7ba57528ae2ccb5d153c9b Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 3 Aug 2016 13:44:27 +0200
+Subject: vfs: fix deadlock in file_remove_privs() on overlayfs
+
+From: Miklos Szeredi
+
+commit c1892c37769cf89c7e7ba57528ae2ccb5d153c9b upstream.
+
+file_remove_privs() is called with inode lock on file_inode(), which
+proceeds to calling notify_change() on file->f_path.dentry. Which triggers
+the WARN_ON_ONCE(!inode_is_locked(inode)) in addition to deadlocking later
+when ovl_setattr tries to lock the underlying inode again.
+
+Fix this mess by not mixing the layers, but doing everything on underlying
+dentry/inode.
+
+Signed-off-by: Miklos Szeredi
+Fixes: 07a2daab49c5 ("ovl: Copy up underlying inode's ->i_mode to overlay inode")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1740,8 +1740,8 @@ static int __remove_privs(struct dentry
+ */
+ int file_remove_privs(struct file *file)
+ {
+- struct dentry *dentry = file->f_path.dentry;
+- struct inode *inode = d_inode(dentry);
++ struct dentry *dentry = file_dentry(file);
++ struct inode *inode = file_inode(file);
+ int kill;
+ int error = 0;
+
+@@ -1749,7 +1749,7 @@ int file_remove_privs(struct file *file)
+ if (IS_NOSEC(inode))
+ return 0;
+
+- kill = file_needs_remove_privs(file);
++ kill = dentry_needs_remove_privs(dentry);
+ if (kill < 0)
+ return kill;
+ if (kill)
diff --git a/queue-4.7/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch b/queue-4.7/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
new file mode 100644
index 00000000000..e3fb6eef42a
--- /dev/null
+++ b/queue-4.7/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch
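Review bot: In the fs/inode.c change carried by vfs-fix-deadlock-in-file_remove_privs-on-overlayfs.patch, the reason for using `file_dentry(file)` instead of `file->f_path.dentry` is given only in the commit message, so the two new declarations at the top of file_remove_privs() read like an interchangeable spelling. A comment above them would keep a later cleanup from mixing the layers again, for example `/* Use the underlying dentry and inode: on overlayfs f_path.dentry is the overlay dentry, not the one whose inode the caller locked. */`. The second inner hunk passes that same dentry to `dentry_needs_remove_privs()`. Everything after `if (kill)` is outside the hunk, so whether every later use stays on the underlying dentry cannot be confirmed from here.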
@@ -0,0 +1,31 @@
+From 10eec60ce79187686e052092e5383c99b4420a20 Mon Sep 17 00:00:00 2001
+From: Scott Bauer
+Date: Wed, 27 Jul 2016 19:11:29 -0600
+Subject: vfs: ioctl: prevent double-fetch in dedupe ioctl
+
+From: Scott Bauer
+
+commit 10eec60ce79187686e052092e5383c99b4420a20 upstream.
+
+This prevents a double-fetch from user space that can lead to to an
+undersized allocation and heap overflow.
+
+Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
+Signed-off-by: Scott Bauer
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(stru
+ goto out;
+ }
+
++ same->dest_count = count;
+ ret = vfs_dedupe_file_range(file, same);
+ if (ret)
+ goto out;
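Review bot: The added `same->dest_count = count;` in ioctl_file_dedupe_range() looks like a redundant store to anyone who has not read the commit message, and a store that looks redundant is easy to drop in a later cleanup. I would put a comment on it, for example `/* dest_count may have changed in user space after count was read; the buffer was sized from count, so force the copied header to agree */`. The fetch of `count` and the allocation it sizes are outside the hunk, so that wording follows the commit description rather than the visible lines. The function body also continues past the last `goto out;`.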