From a83bd0628743b9f46a6f877251dba64316f5c859 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 29 Apr 2018 12:21:16 +0200
Subject: [PATCH] 3.18-stable patches

added patches:
ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
---
 ...a-failure-starting-a-reserved-handle.patch | 43 +++++++++++++++++++
 queue-3.18/series | 1 +
 queue-4.14/series | 3 ++
 queue-4.16/series | 3 ++
 queue-4.4/series | 2 +
 queue-4.9/series | 2 +
 6 files changed, 54 insertions(+)
 create mode 100644 queue-3.18/ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
 create mode 100644 queue-3.18/series
 create mode 100644 queue-4.14/series
 create mode 100644 queue-4.16/series
 create mode 100644 queue-4.4/series
 create mode 100644 queue-4.9/series
diff --git a/queue-3.18/ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch b/queue-3.18/ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
new file mode 100644
index 00000000000..8939b34e5fc
--- /dev/null
+++ b/queue-3.18/ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
@@ -0,0 +1,43 @@
+From b2569260d55228b617bd82aba6d0db2faeeb4116 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 18 Apr 2018 11:49:31 -0400
+Subject: ext4: set h_journal if there is a failure starting a reserved handle
+
+From: Theodore Ts'o
+
+commit b2569260d55228b617bd82aba6d0db2faeeb4116 upstream.
+
+If ext4 tries to start a reserved handle via
+jbd2_journal_start_reserved(), and the journal has been aborted, this
+can result in a NULL pointer dereference. This is because the fields
+h_journal and h_transaction in the handle structure share the same
+memory, via a union, so jbd2_journal_start_reserved() will clear
+h_journal before calling start_this_handle(). If this function fails
+due to an aborted handle, h_journal will still be NULL, and the call
+to jbd2_journal_free_reserved() will pass a NULL journal to
+sub_reserve_credits().
+
+This can be reproduced by running "kvm-xfstests -c dioread_nolock
+generic/475".
+
+Cc: stable@kernel.org # 3.11
+Fixes: 8f7d89f36829b ("jbd2: transaction reservation support")
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+Reviewed-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jbd2/transaction.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -515,6 +515,7 @@ int jbd2_journal_start_reserved(handle_t
+ */
+ ret = start_this_handle(journal, handle, GFP_NOFS);
+ if (ret < 0) {
++ handle->h_journal = journal;
+ jbd2_journal_free_reserved(handle);
+ return ret;
+ }
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644
index 00000000000..60ba5a295d7
--- /dev/null
+++ b/queue-3.18/series
@@ -0,0 +1 @@
+ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..d4dec00715c
--- /dev/null
+++ b/queue-4.14/series
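Review bot: The added store `handle->h_journal = journal;` in the embedded fs/jbd2/transaction.c hunk carries no comment explaining why a failed start must write the journal pointer back, and the reason is not visible at the call site: per the commit message, h_journal and h_transaction overlay each other in a union and h_journal is cleared earlier in jbd2_journal_start_reserved() before start_this_handle() runs, so without this store jbd2_journal_free_reserved() hands a NULL journal to sub_reserve_credits() whenever the journal has been aborted. Suggest a one-line comment directly above the store: `/* h_journal aliases h_transaction (union) and was cleared above; restore it so jbd2_journal_free_reserved() sees a valid journal. */`. The enclosing function jbd2_journal_start_reserved() begins before the hunk, so whether anything on this error path still reads h_transaction after the store cannot be confirmed from here; the commit message indicates h_journal is the field that matters once start_this_handle() has failed. The remaining hunks in this commit only add series-file entries and need no review.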
@@ -0,0 +1,3 @@
+ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch
+ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
+ext4-add-module_softdep-to-ensure-crc32c-is-included-in-the-initramfs.patch
diff --git a/queue-4.16/series b/queue-4.16/series
new file mode 100644
index 00000000000..d4dec00715c
--- /dev/null
+++ b/queue-4.16/series
@@ -0,0 +1,3 @@
+ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch
+ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
+ext4-add-module_softdep-to-ensure-crc32c-is-included-in-the-initramfs.patch
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..20861aca094
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,2 @@
+ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch
+ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..20861aca094
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,2 @@
+ext4-prevent-right-shifting-extents-beyond-ext_max_blocks.patch
+ext4-set-h_journal-if-there-is-a-failure-starting-a-reserved-handle.patch
--
2.47.3