From 4a5487dfa973840179280a6337f3ab5f971d5625 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 23 Aug 2018 09:03:46 +0200
Subject: [PATCH] 3.18-stable patches
added patches:
pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
---
...eak-pci_slot-on-registration-failure.patch | 48 +++++++++++++++
...-handling-heap-corruption-bad-retval.patch | 59 +++++++++++++++++++
queue-3.18/series | 2 +
3 files changed, 109 insertions(+)
create mode 100644 queue-3.18/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
create mode 100644 queue-3.18/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
diff --git a/queue-3.18/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch b/queue-3.18/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
new file mode 100644
index 00000000000..af352d2adfb
--- /dev/null
+++ b/queue-3.18/pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
@@ -0,0 +1,48 @@
+From 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Thu, 19 Jul 2018 17:27:31 -0500
+Subject: PCI: hotplug: Don't leak pci_slot on registration failure
+
+From: Lukas Wunner
+
+commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.
+
+If addition of sysfs files fails on registration of a hotplug slot, the
+struct pci_slot as well as the entry in the slot_list is leaked. The
+issue has been present since the hotplug core was introduced in 2002:
+https://git.kernel.org/tglx/history/c/a8a2069f432c
+
+Perhaps the idea was that even though sysfs addition fails, the slot
+should still be usable. But that's not how drivers use the interface,
+they abort probe if a non-zero value is returned.
+
+Signed-off-by: Lukas Wunner
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org # v2.4.15+
+Cc: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/hotplug/pci_hotplug_core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/pci/hotplug/pci_hotplug_core.c
++++ b/drivers/pci/hotplug/pci_hotplug_core.c
+@@ -457,8 +457,17 @@ int __pci_hp_register(struct hotplug_slo
+ list_add(&slot->slot_list, &pci_hotplug_slot_list);
+
+ result = fs_add_slot(pci_slot);
++ if (result)
++ goto err_list_del;
++
+ kobject_uevent(&pci_slot->kobj, KOBJ_ADD);
+ dbg("Added slot %s to the list\n", name);
++ goto out;
++
++err_list_del:
++ list_del(&slot->slot_list);
++ pci_slot->hotplug = NULL;
++ pci_destroy_slot(pci_slot);
+ out:
+ mutex_unlock(&pci_hp_mutex);
+ return result;
diff --git a/queue-3.18/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch b/queue-3.18/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
new file mode 100644
index 00000000000..4b4215a78a6
--- /dev/null
+++ b/queue-3.18/reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
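Review bot: The new err_list_del path in the inner hunk undoes the list_add() but leaves any sysfs attributes that fs_add_slot() may have created before it failed; fs_add_slot() is outside the hunk, so confirm the 3.18 version removes its own partial files on error, otherwise those attributes outlive the slot that is destroyed here. The reason `pci_slot->hotplug` is cleared before `pci_destroy_slot()` is not stated either; a comment on the label such as `/* fs_add_slot() failed: undo the list_add() above and tear the slot down */` would help a backport reader. The new path falls through to the visible `out:` label, so pci_hp_mutex is released on the error path as well. __pci_hp_register() itself starts and ends outside the hunk.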
@@ -0,0 +1,59 @@
+From a13f085d111e90469faf2d9965eb39b11c114d7e Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Tue, 21 Aug 2018 21:59:37 -0700
+Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval)
+
+From: Jann Horn
+
+commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.
+
+This fixes the following issues:
+
+- When a buffer size is supplied to reiserfs_listxattr() such that each
+ individual name fits, but the concatenation of all names doesn't fit,
+ reiserfs_listxattr() overflows the supplied buffer. This leads to a
+ kernel heap overflow (verified using KASAN) followed by an out-of-bounds
+ usercopy and is therefore a security bug.
+
+- When a buffer size is supplied to reiserfs_listxattr() such that a
+ name doesn't fit, -ERANGE should be returned. But reiserfs instead just
+ truncates the list of names; I have verified that if the only xattr on a
+ file has a longer name than the supplied buffer length, listxattr()
+ incorrectly returns zero.
+
+With my patch applied, -ERANGE is returned in both cases and the memory
+corruption doesn't happen anymore.
+
+Credit for making me clean this code up a bit goes to Al Viro, who pointed
+out that the ->actor calling convention is suboptimal and should be
+changed.
+
+Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
+Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
+Signed-off-by: Jann Horn
+Acked-by: Jeff Mahoney
+Cc: Eric Biggers
+Cc: Al Viro
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/reiserfs/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -842,8 +842,10 @@ static int listxattr_filler(void *buf, c
+ size = handler->list(b->dentry, b->buf + b->pos,
+ b->size, name, namelen,
+ handler->flags);
+- if (size > b->size)
++ if (b->pos + size > b->size) {
++ b->pos = -ERANGE;
+ return -ERANGE;
++ }
+ } else {
+ size = handler->list(b->dentry, NULL, 0, name,
+ namelen, handler->flags);
diff --git a/queue-3.18/series b/queue-3.18/series
index 6cb01961acb..78d9775e2f3 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -53,3 +53,5 @@ staging-android-ion-check-for-kref-overflow.patch
 xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
 netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
 packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
+pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
+reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
-- 
2.47.3
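Review bot: The new `b->pos = -ERANGE;` in the inner hunk stores an error code in a field that is otherwise a byte offset into the output buffer, so the corrected -ERANGE only reaches userspace if reiserfs_listxattr() reports `buf.pos` after the directory walk; that caller is outside the hunk, so confirm the 3.18 tree returns it, otherwise the "incorrectly returns zero" case from the description persists even though the overflow itself is now prevented. The description's remark about the ->actor calling convention suggests the actor's return value is presumably not propagated by the readdir path, which is why the sentinel is needed; a comment would make that explicit, e.g. `/* the readdir actor's return value is not propagated; park the error in pos so reiserfs_listxattr() can report it */`. The `b->pos + size > b->size` check now accounts for names already written, which is the visible fix for the overflow. listxattr_filler() starts and ends outside the hunk.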