From 515d52b81c0a8c8639d528aad51f7af54c9491d5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 24 Jun 2018 22:21:52 +0800 Subject: [PATCH] 4.14-stable patches added patches: fs-binfmt_misc.c-do-not-allow-offset-overflow.patch hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch hid-wacom-correct-logical-maximum-y-for-2nd-gen-intuos-pro-large.patch iwlwifi-fw-harden-page-loading-code.patch mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch orangefs-report-attributes_mask-and-attributes-for-statx.patch orangefs-set-i_size-on-new-symlink.patch vhost-fix-info-leak-due-to-uninitialized-memory.patch --- ..._misc.c-do-not-allow-offset-overflow.patch | 80 ++++++++++ ...-pm-callbacks-to-support-hibernation.patch | 110 ++++++++++++++ ...ximum-y-for-2nd-gen-intuos-pro-large.patch | 45 ++++++ .../iwlwifi-fw-harden-page-loading-code.patch | 141 ++++++++++++++++++ ...eak-__gfp_thisnode-by-zonelist-reset.patch | 75 ++++++++++ ...ibutes_mask-and-attributes-for-statx.patch | 41 +++++ .../orangefs-set-i_size-on-new-symlink.patch | 59 ++++++++ queue-4.14/series | 8 + ...nfo-leak-due-to-uninitialized-memory.patch | 41 +++++ 9 files changed, 600 insertions(+) create mode 100644 queue-4.14/fs-binfmt_misc.c-do-not-allow-offset-overflow.patch create mode 100644 queue-4.14/hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch create mode 100644 queue-4.14/hid-wacom-correct-logical-maximum-y-for-2nd-gen-intuos-pro-large.patch create mode 100644 queue-4.14/iwlwifi-fw-harden-page-loading-code.patch create mode 100644 queue-4.14/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch create mode 100644 queue-4.14/orangefs-report-attributes_mask-and-attributes-for-statx.patch create mode 100644 queue-4.14/orangefs-set-i_size-on-new-symlink.patch create mode 100644 queue-4.14/vhost-fix-info-leak-due-to-uninitialized-memory.patch 
diff --git a/queue-4.14/fs-binfmt_misc.c-do-not-allow-offset-overflow.patch b/queue-4.14/fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
new file mode 100644
index 00000000000..b4c087ce27a
--- /dev/null
+++ b/queue-4.14/fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
@@ -0,0 +1,80 @@
+From 5cc41e099504b77014358b58567c5ea6293dd220 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Thu, 7 Jun 2018 17:11:01 -0700
+Subject: fs/binfmt_misc.c: do not allow offset overflow
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.
+
+WHen registering a new binfmt_misc handler, it is possible to overflow
+the offset to get a negative value, which might crash the system, or
+possibly leak kernel data.
+
+Here is a crash log when 2500000000 was used as an offset:
+
+ BUG: unable to handle kernel paging request at ffff989cfd6edca0
+ IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
+ PGD 1ef3e067 P4D 1ef3e067 PUD 0
+ Oops: 0000 [#1] SMP NOPTI
+ Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
+ CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
+ RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
+ Call Trace:
+ search_binary_handler+0x97/0x1d0
+ do_execveat_common.isra.34+0x667/0x810
+ SyS_execve+0x31/0x40
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Use kstrtoint instead of simple_strtoul. It will work as the code
+already set the delimiter byte to '\0' and we only do it when the field
+is not empty.
+
+Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested
+with examples documented at Documentation/admin-guide/binfmt-misc.rst
+and other registrations from packages on Ubuntu.
+
+Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Reviewed-by: Andrew Morton
+Cc: Alexander Viro
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/binfmt_misc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -387,8 +387,13 @@ static Node *create_entry(const char __u
+ s = strchr(p, del);
+ if (!s)
+ goto einval;
+- *s++ = '\0';
+- e->offset = simple_strtoul(p, &p, 10);
++ *s = '\0';
++ if (p != s) {
++ int r = kstrtoint(p, 10, &e->offset);
++ if (r != 0 || e->offset < 0)
++ goto einval;
++ }
++ p = s;
+ if (*p++)
+ goto einval;
+ pr_debug("register: offset: %#x\n", e->offset);
+@@ -428,7 +433,8 @@ static Node *create_entry(const char __u
+ if (e->mask &&
+ string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
+ goto einval;
+- if (e->size + e->offset > BINPRM_BUF_SIZE)
++ if (e->size > BINPRM_BUF_SIZE ||
++ BINPRM_BUF_SIZE - e->size < e->offset)
+ goto einval;
+ pr_debug("register: magic/mask length: %i\n", e->size);
+ if (USE_DEBUG) {
diff --git a/queue-4.14/hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch b/queue-4.14/hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
new file mode 100644
index 00000000000..be805cf1195
--- /dev/null
+++ b/queue-4.14/hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
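Review bot: After the new `p = s;` the following `if (*p++) goto einval;` can no longer fail, because `*s` was set to `'\0'` a few lines earlier and kstrtoint already rejects trailing non-digit characters, so the statement now only advances p past the delimiter. Writing it as `p = s + 1;`, or adding `/* kstrtoint has already rejected trailing garbage; just step past the delimiter */`, would make that intent visible to the next reader. Note also that when the field is empty (`p == s`) `e->offset` keeps whatever value it had from allocation, presumably zero, but that is not visible in this hunk. create_entry begins and ends outside the hunk.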
@@ -0,0 +1,110 @@
+From ebeaa367548e9e92dd9374b9464ff6e7d157117b Mon Sep 17 00:00:00 2001
+From: Even Xu
+Date: Fri, 12 Feb 2016 04:11:34 +0800
+Subject: HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation
+
+From: Even Xu
+
+commit ebeaa367548e9e92dd9374b9464ff6e7d157117b upstream.
+
+Current ISH driver only registers suspend/resume PM callbacks which don't
+support hibernation (suspend to disk). Basically after hiberation, the ISH
+can't resume properly and user may not see sensor events (for example: screen
+ rotation may not work).
+
+User will not see a crash or panic or anything except the following message
+in log:
+
+ hid-sensor-hub 001F:8086:22D8.0001: timeout waiting for response from ISHTP device
+
+So this patch adds support for S4/hiberbation to ISH by using the
+SIMPLE_DEV_PM_OPS() MACRO instead of struct dev_pm_ops directly. The suspend
+and resume functions will now be used for both suspend to RAM and hibernation.
+
+If power management is disabled, SIMPLE_DEV_PM_OPS will do nothing, the suspend
+and resume related functions won't be used, so mark them as __maybe_unused to
+clarify that this is the intended behavior, and remove #ifdefs for power
+management.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Even Xu
+Acked-by: Srinivas Pandruvada
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c | 22 +++++++--------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -204,8 +204,7 @@ static void ish_remove(struct pci_dev *p
+ kfree(ishtp_dev);
+ }
+
+-#ifdef CONFIG_PM
+-static struct device *ish_resume_device;
++static struct device __maybe_unused *ish_resume_device;
+
+ /* 50ms to get resume response */
+ #define WAIT_FOR_RESUME_ACK_MS 50
+@@ -219,7 +218,7 @@ static struct device *ish_resume_device;
+ * in that case a simple resume message is enough, others we need
+ * a reset sequence.
+ */
+-static void ish_resume_handler(struct work_struct *work)
++static void __maybe_unused ish_resume_handler(struct work_struct *work)
+ {
+ struct pci_dev *pdev = to_pci_dev(ish_resume_device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -261,7 +260,7 @@ static void ish_resume_handler(struct wo
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_suspend(struct device *device)
++static int __maybe_unused ish_suspend(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -287,7 +286,7 @@ static int ish_suspend(struct device *de
+ return 0;
+ }
+
+-static DECLARE_WORK(resume_work, ish_resume_handler);
++static __maybe_unused DECLARE_WORK(resume_work, ish_resume_handler);
+ /**
+ * ish_resume() - ISH resume callback
+ * @device: device pointer
+@@ -296,7 +295,7 @@ static DECLARE_WORK(resume_work, ish_res
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_resume(struct device *device)
++static int __maybe_unused ish_resume(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -310,21 +309,14 @@ static int ish_resume(struct device *dev
+ return 0;
+ }
+
+-static const struct dev_pm_ops ish_pm_ops = {
+- .suspend = ish_suspend,
+- .resume = ish_resume,
+-};
+-#define ISHTP_ISH_PM_OPS (&ish_pm_ops)
+-#else
+-#define ISHTP_ISH_PM_OPS NULL
+-#endif /* CONFIG_PM */
++static SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume);
+
+ static struct pci_driver ish_driver = {
+ .name = KBUILD_MODNAME,
+ .id_table = ish_pci_tbl,
+ .probe = ish_probe,
+ .remove = ish_remove,
+- .driver.pm = ISHTP_ISH_PM_OPS,
++ .driver.pm = &ish_pm_ops,
+ };
+
+ module_pci_driver(ish_driver);
diff --git a/queue-4.14/hid-wacom-correct-logical-maximum-y-for-2nd-gen-intuos-pro-large.patch b/queue-4.14/hid-wacom-correct-logical-maximum-y-for-2nd-gen-intuos-pro-large.patch
new file mode 100644
index 00000000000..8e53516a1a5
--- /dev/null
+++ b/queue-4.14/hid-wacom-correct-logical-maximum-y-for-2nd-gen-intuos-pro-large.patch
@@ -0,0 +1,45 @@
+From d471b6b22d37bf9928c6d0202bdaaf76583b8b61 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke
+Date: Tue, 12 Jun 2018 13:42:46 -0700
+Subject: HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large
+
+From: Jason Gerecke
+
+commit d471b6b22d37bf9928c6d0202bdaaf76583b8b61 upstream.
+
+The HID descriptor for the 2nd-gen Intuos Pro large (PTH-860) contains
+a typo which defines an incorrect logical maximum Y value. This causes
+a small portion of the bottom of the tablet to become unusable (both
+because the area is below the "bottom" of the tablet and because
+'wacom_wac_event' ignores out-of-range values). It also results in a
+skewed aspect ratio.
+
+To fix this, we add a quirk to 'wacom_usage_mapping' which overwrites
+the data with the correct value.
+
+Signed-off-by: Jason Gerecke
+CC: stable@vger.kernel.org # v4.10+
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/wacom_sys.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -284,6 +284,14 @@ static void wacom_usage_mapping(struct h
+ }
+ }
+
++ /* 2nd-generation Intuos Pro Large has incorrect Y maximum */
++ if (hdev->vendor == USB_VENDOR_ID_WACOM &&
++ hdev->product == 0x0358 &&
++ WACOM_PEN_FIELD(field) &&
++ wacom_equivalent_usage(usage->hid) == HID_GD_Y) {
++ field->logical_maximum = 43200;
++ }
++
+ switch (usage->hid) {
+ case HID_GD_X:
+ features->x_max = field->logical_maximum;
diff --git a/queue-4.14/iwlwifi-fw-harden-page-loading-code.patch b/queue-4.14/iwlwifi-fw-harden-page-loading-code.patch
new file mode 100644
index 00000000000..c119ae20037
--- /dev/null
+++ b/queue-4.14/iwlwifi-fw-harden-page-loading-code.patch
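Review bot: The quirk matches on the bare literals `0x0358` and `43200` while the vendor test next to them uses the symbolic `USB_VENDOR_ID_WACOM`; a named constant for the PTH-860 product id, and a comment saying where the corrected 43200 comes from, would keep the quirk self-describing when the next mistyped descriptor turns up. The placement before `switch (usage->hid)` is load-bearing, since the `HID_GD_Y` case presumably reads the overwritten `field->logical_maximum`, so a note such as `/* must run before the switch below, which consumes logical_maximum */` is worth adding. wacom_usage_mapping begins and ends outside the hunk.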
@@ -0,0 +1,141 @@
+From 9039d985811d5b109b58b202b7594fd24e433fed Mon Sep 17 00:00:00 2001
+From: Luca Coelho
+Date: Tue, 13 Feb 2018 11:09:40 +0200
+Subject: iwlwifi: fw: harden page loading code
+
+From: Luca Coelho
+
+commit 9039d985811d5b109b58b202b7594fd24e433fed upstream.
+
+The page loading code trusts the data provided in the firmware images
+a bit too much and may cause a buffer overflow or copy unknown data if
+the block sizes don't match what we expect.
+
+To prevent potential problems, harden the code by checking if the
+sizes we are copying are what we expect.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Coelho
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/fw/paging.c | 49 ++++++++++++++++++++-----
+ 1 file changed, 41 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/paging.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/paging.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -30,6 +31,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -174,7 +176,7 @@ static int iwl_alloc_fw_paging_mem(struc
+ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt,
+ const struct fw_img *image)
+ {
+- int sec_idx, idx;
++ int sec_idx, idx, ret;
+ u32 offset = 0;
+
+ /*
+@@ -201,17 +203,23 @@ static int iwl_fill_paging_mem(struct iw
+ */
+ if (sec_idx >= image->num_sec - 1) {
+ IWL_ERR(fwrt, "Paging: Missing CSS and/or paging sections\n");
+- iwl_free_fw_paging(fwrt);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
+ }
+
+ /* copy the CSS block to the dram */
+ IWL_DEBUG_FW(fwrt, "Paging: load paging CSS to FW, sec = %d\n",
+ sec_idx);
+
++ if (image->sec[sec_idx].len > fwrt->fw_paging_db[0].fw_paging_size) {
++ IWL_ERR(fwrt, "CSS block is larger than paging size\n");
++ ret = -EINVAL;
++ goto err;
++ }
++
+ memcpy(page_address(fwrt->fw_paging_db[0].fw_paging_block),
+ image->sec[sec_idx].data,
+- fwrt->fw_paging_db[0].fw_paging_size);
++ image->sec[sec_idx].len);
+ dma_sync_single_for_device(fwrt->trans->dev,
+ fwrt->fw_paging_db[0].fw_paging_phys,
+ fwrt->fw_paging_db[0].fw_paging_size,
+@@ -232,6 +240,14 @@ static int iwl_fill_paging_mem(struct iw
+ for (idx = 1; idx < fwrt->num_of_paging_blk; idx++) {
+ struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx];
+
++ if (block->fw_paging_size > image->sec[sec_idx].len - offset) {
++ IWL_ERR(fwrt,
++ "Paging: paging size is larger than remaining data in block %d\n",
++ idx);
++ ret = -EINVAL;
++ goto err;
++ }
++
+ memcpy(page_address(block->fw_paging_block),
+ image->sec[sec_idx].data + offset,
+ block->fw_paging_size);
+@@ -242,19 +258,32 @@ static int iwl_fill_paging_mem(struct iw
+
+ IWL_DEBUG_FW(fwrt,
+ "Paging: copied %d paging bytes to block %d\n",
+- fwrt->fw_paging_db[idx].fw_paging_size,
+- idx);
++ block->fw_paging_size, idx);
++
++ offset += block->fw_paging_size;
+
+- offset += fwrt->fw_paging_db[idx].fw_paging_size;
++ if (offset > image->sec[sec_idx].len) {
++ IWL_ERR(fwrt,
++ "Paging: offset goes over section size\n");
++ ret = -EINVAL;
++ goto err;
++ }
+ }
+
+ /* copy the last paging block */
+ if (fwrt->num_of_pages_in_last_blk > 0) {
+ struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx];
+
++ if (image->sec[sec_idx].len - offset > block->fw_paging_size) {
++ IWL_ERR(fwrt,
++ "Paging: last block is larger than paging size\n");
++ ret = -EINVAL;
++ goto err;
++ }
++
+ memcpy(page_address(block->fw_paging_block),
+ image->sec[sec_idx].data + offset,
+- FW_PAGING_SIZE * fwrt->num_of_pages_in_last_blk);
++ image->sec[sec_idx].len - offset);
+ dma_sync_single_for_device(fwrt->trans->dev,
+ block->fw_paging_phys,
+ block->fw_paging_size,
+@@ -266,6 +295,10 @@ static int iwl_fill_paging_mem(struct iw
+ }
+
+ return 0;
++
++err:
++ iwl_free_fw_paging(fwrt);
++ return ret;
+ }
+
+ static int iwl_save_fw_paging(struct iwl_fw_runtime *fwrt,
diff --git a/queue-4.14/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch b/queue-4.14/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
new file mode 100644
index 00000000000..a9060b55236
--- /dev/null
+++ b/queue-4.14/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
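Review bot: The `if (offset > image->sec[sec_idx].len)` test added after `offset += block->fw_paging_size;` cannot fire: the check at the top of the same iteration already rejects `block->fw_paging_size > image->sec[sec_idx].len - offset`, so after the addition `offset <= len` holds by construction. Conversely, that top-of-loop subtraction is done in unsigned arithmetic (`offset` is `u32`) and does not wrap only because the previous iteration's trailing test, or the initial `offset = 0`, guarantees `offset <= len` first; folding the two into `if (offset > image->sec[sec_idx].len || block->fw_paging_size > image->sec[sec_idx].len - offset)` keeps the no-wrap invariant on the line that needs it and lets the trailing test go. The last-block check `image->sec[sec_idx].len - offset > block->fw_paging_size` relies on the same invariant and would benefit from the same guard. Separately, the CSS copy now writes `image->sec[sec_idx].len` bytes but `dma_sync_single_for_device` still syncs `fw_paging_size`; whether the remainder of that page is otherwise initialized is not visible here. Parts of iwl_fill_paging_mem's body lie between the hunks.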
@@ -0,0 +1,75 @@
+From 7810e6781e0fcbca78b91cf65053f895bf59e85f Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka
+Date: Thu, 7 Jun 2018 17:09:29 -0700
+Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
+
+From: Vlastimil Babka
+
+commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream.
+
+In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for
+allocations that can ignore memory policies. The zonelist is obtained
+from current CPU's node. This is a problem for __GFP_THISNODE
+allocations that want to allocate on a different node, e.g. because the
+allocating thread has been migrated to a different CPU.
+
+This has been observed to break SLAB in our 4.4-based kernel, because
+there it relies on __GFP_THISNODE working as intended. If a slab page
+is put on wrong node's list, then further list manipulations may corrupt
+the list because page_to_nid() is used to determine which node's
+list_lock should be locked and thus we may take a wrong lock and race.
+
+Current SLAB implementation seems to be immune by luck thanks to commit
+511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on
+arbitrary node") but there may be others assuming that __GFP_THISNODE
+works as promised.
+
+We can fix it by simply removing the zonelist reset completely. There
+is actually no reason to reset it, because memory policies and cpusets
+don't affect the zonelist choice in the first place. This was different
+when commit 183f6371aac2 ("mm: ignore mempolicies when using
+ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their
+own restricted zonelists.
+
+We might consider this for 4.17 although I don't know if there's
+anything currently broken.
+
+SLAB is currently not affected, but in kernels older than 4.7 that don't
+yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page
+allocated on arbitrary node") it is. That's at least 4.4 LTS. Older
+ones I'll have to check.
+
+So stable backports should be more important, but will have to be
+reviewed carefully, as the code went through many changes. BTW I think
+that also the ac->preferred_zoneref reset is currently useless if we
+don't also reset ac->nodemask from a mempolicy to NULL first (which we
+probably should for the OOM victims etc?), but I would leave that for a
+separate patch.
+
+Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz
+Signed-off-by: Vlastimil Babka
+Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK")
+Acked-by: Mel Gorman
+Cc: Michal Hocko
+Cc: David Rientjes
+Cc: Joonsoo Kim
+Cc: Vlastimil Babka
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/page_alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3981,7 +3981,6 @@ retry:
+ * orientated.
+ */
+ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) {
+- ac->zonelist = node_zonelist(numa_node_id(), gfp_mask);
+ ac->preferred_zoneref = first_zones_zonelist(ac->zonelist,
+ ac->high_zoneidx, ac->nodemask);
+ }
diff --git a/queue-4.14/orangefs-report-attributes_mask-and-attributes-for-statx.patch b/queue-4.14/orangefs-report-attributes_mask-and-attributes-for-statx.patch
new file mode 100644
index 00000000000..ebea644a949
--- /dev/null
+++ b/queue-4.14/orangefs-report-attributes_mask-and-attributes-for-statx.patch
@@ -0,0 +1,41 @@
+From 7f54910fa8dfe504f2e1563f4f6ddc3294dfbf3a Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg
+Date: Thu, 31 May 2018 16:37:00 +0000
+Subject: orangefs: report attributes_mask and attributes for statx
+
+From: Martin Brandenburg
+
+commit 7f54910fa8dfe504f2e1563f4f6ddc3294dfbf3a upstream.
+
+OrangeFS formerly failed to set attributes_mask with the result that
+software could not see immutable and append flags present in the
+filesystem.
+
+Reported-by: Becky Ligon
+Signed-off-by: Martin Brandenburg
+Fixes: 68a24a6cc4a6 ("orangefs: implement statx")
+Cc: stable@vger.kernel.org
+Cc: hubcap@omnibond.com
+Signed-off-by: Mike Marshall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/orangefs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/orangefs/inode.c
++++ b/fs/orangefs/inode.c
+@@ -269,6 +269,13 @@ int orangefs_getattr(const struct path *
+ else
+ stat->result_mask = STATX_BASIC_STATS &
+ ~STATX_SIZE;
++
++ stat->attributes_mask = STATX_ATTR_IMMUTABLE |
++ STATX_ATTR_APPEND;
++ if (inode->i_flags & S_IMMUTABLE)
++ stat->attributes |= STATX_ATTR_IMMUTABLE;
++ if (inode->i_flags & S_APPEND)
++ stat->attributes |= STATX_ATTR_APPEND;
+ }
+ return ret;
+ }
diff --git a/queue-4.14/orangefs-set-i_size-on-new-symlink.patch b/queue-4.14/orangefs-set-i_size-on-new-symlink.patch
new file mode 100644
index 00000000000..bd1eb367559
--- /dev/null
+++ b/queue-4.14/orangefs-set-i_size-on-new-symlink.patch
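Review bot: `stat->attributes |= ...` accumulates into a field whose starting value is not established anywhere in this hunk; it is correct only if the generic getattr entry point zeroes `*stat` before calling into the filesystem (mainline's vfs_getattr_nosec does), so a one-line comment such as `/* stat is zeroed by the VFS before ->getattr, so OR-ing is safe */` would record the assumption for readers of this file. Both reported bits are derived from `inode->i_flags`, which keeps `attributes_mask` and the two `if`s in step, but any later STATX_ATTR_* addition must extend the mask in the same change or userspace will see the flag as unsupported. orangefs_getattr begins outside the hunk.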
@@ -0,0 +1,59 @@
+From f6a4b4c9d07dda90c7c29dae96d6119ac6425dca Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg
+Date: Thu, 31 May 2018 16:36:58 +0000
+Subject: orangefs: set i_size on new symlink
+
+From: Martin Brandenburg
+
+commit f6a4b4c9d07dda90c7c29dae96d6119ac6425dca upstream.
+
+As long as a symlink inode remains in-core, the destination (and
+therefore size) will not be re-fetched from the server, as it cannot
+change. The original implementation of the attribute cache assumed that
+setting the expiry time in the past was sufficient to cause a re-fetch
+of all attributes on the next getattr. That does not work in this case.
+
+The bug manifested itself as follows. When the command sequence
+
+touch foo; ln -s foo bar; ls -l bar
+
+is run, the output was
+
+lrwxrwxrwx. 1 fedora fedora 4906 Apr 24 19:10 bar -> foo
+
+However, after a re-mount, ls -l bar produces
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+After this commit, even before a re-mount, the output is
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+Reported-by: Becky Ligon
+Signed-off-by: Martin Brandenburg
+Fixes: 71680c18c8f2 ("orangefs: Cache getattr results.")
+Cc: stable@vger.kernel.org
+Cc: hubcap@omnibond.com
+Signed-off-by: Mike Marshall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/orangefs/namei.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/orangefs/namei.c
++++ b/fs/orangefs/namei.c
+@@ -314,6 +314,13 @@ static int orangefs_symlink(struct inode
+ ret = PTR_ERR(inode);
+ goto out;
+ }
++ /*
++ * This is necessary because orangefs_inode_getattr will not
++ * re-read symlink size as it is impossible for it to change.
++ * Invalidating the cache does not help. orangefs_new_inode
++ * does not set the correct size (it does not know symname).
++ */
++ inode->i_size = strlen(symname);
+
+ gossip_debug(GOSSIP_NAME_DEBUG,
+ "Assigned symlink inode new number of %pU\n",
diff --git a/queue-4.14/series b/queue-4.14/series
index ff78c9e7c7d..3f8c1667f90 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -42,3 +42,11 @@ libata-zpodd-small-read-overflow-in-eject_tray.patch
 libata-drop-sandisk-sd7ub3q-g1001-nolpm-quirk.patch
 w1-mxc_w1-enable-clock-before-calling-clk_get_rate-on-it.patch
 x86-intel_rdt-enable-cmt-and-mbm-on-new-skylake-stepping.patch
+iwlwifi-fw-harden-page-loading-code.patch
+orangefs-set-i_size-on-new-symlink.patch
+orangefs-report-attributes_mask-and-attributes-for-statx.patch
+hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
+hid-wacom-correct-logical-maximum-y-for-2nd-gen-intuos-pro-large.patch
+vhost-fix-info-leak-due-to-uninitialized-memory.patch
+fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
+mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
diff --git a/queue-4.14/vhost-fix-info-leak-due-to-uninitialized-memory.patch b/queue-4.14/vhost-fix-info-leak-due-to-uninitialized-memory.patch
new file mode 100644
index 00000000000..8357c86c5d2
--- /dev/null
+++ b/queue-4.14/vhost-fix-info-leak-due-to-uninitialized-memory.patch
@@ -0,0 +1,41 @@
+From 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Sat, 12 May 2018 00:33:10 +0300
+Subject: vhost: fix info leak due to uninitialized memory
+
+From: Michael S. Tsirkin
+
+commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad upstream.
+
+struct vhost_msg within struct vhost_msg_node is copied to userspace.
+Unfortunately it turns out on 64 bit systems vhost_msg has padding after
+type which gcc doesn't initialize, leaking 4 uninitialized bytes to
+userspace.
+
+This padding also unfortunately means 32 bit users of this interface are
+broken on a 64 bit kernel which will need to be fixed separately.
+
+Fixes: CVE-2018-1118
+Cc: stable@vger.kernel.org
+Reported-by: Kevin Easton
+Signed-off-by: Michael S. Tsirkin
+Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2382,6 +2382,9 @@ struct vhost_msg_node *vhost_new_msg(str
+ struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
+ if (!node)
+ return NULL;
++
++ /* Make sure all padding within the structure is initialized. */
++ memset(&node->msg, 0, sizeof node->msg);
+ node->vq = vq;
+ node->msg.type = type;
+ return node;
--
2.47.3
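Review bot: The added `memset(&node->msg, 0, sizeof node->msg)` zeroes only the `msg` member, so any padding elsewhere in `struct vhost_msg_node` is still left as kmalloc returned it; changing the allocation on the line above to `kzalloc(sizeof *node, GFP_KERNEL)` would cover the whole node and make the separate memset unnecessary. If the memset is kept, its comment should state the reason rather than the mechanism, e.g. `/* vhost_msg is copied to userspace; zero its padding so no kernel memory leaks (CVE-2018-1118) */`. The commit message's point that 32-bit callers remain broken on a 64-bit kernel is not addressed here and is worth tracking separately. vhost_new_msg's closing brace lies outside the hunk.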