From ab837f0901c853d6877610832a48fde8f0d44efe Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 6 Jan 2015 17:38:25 -0800 Subject: [PATCH] 3.14-stable patches added patches: audit-restore-audit_loginuid-unset-abi.patch btrfs-do-not-move-em-to-modified-list-when-unpinning.patch btrfs-fix-fs-corruption-on-transaction-abort-if-device-supports-discard.patch crypto-af_alg-fix-backlog-handling.patch ecryptfs-force-ro-mount-when-encrypted-view-is-enabled.patch ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode-routine.patch exit-pidns-alloc_pid-leaks-pid_namespace-if-child_reaper-is-exiting.patch ncpfs-return-proper-error-from-ncp_ioc_setroot-ioctl.patch udf-check-component-length-before-reading-it.patch udf-check-path-length-when-reading-symlink.patch udf-verify-i_size-when-loading-inode.patch udf-verify-symlink-size-before-loading-it.patch --- ...dit-restore-audit_loginuid-unset-abi.patch | 100 ++++++++ ...e-em-to-modified-list-when-unpinning.patch | 55 +++++ ...ion-abort-if-device-supports-discard.patch | 172 +++++++++++++ .../crypto-af_alg-fix-backlog-handling.patch | 48 ++++ ...mount-when-encrypted-view-is-enabled.patch | 103 ++++++++ ...ry-write-in-file-name-decode-routine.patch | 34 +++ ...namespace-if-child_reaper-is-exiting.patch | 41 ++++ ...per-error-from-ncp_ioc_setroot-ioctl.patch | 39 +++ queue-3.14/series | 12 + ...k-component-length-before-reading-it.patch | 61 +++++ ...eck-path-length-when-reading-symlink.patch | 228 ++++++++++++++++++ ...udf-verify-i_size-when-loading-inode.patch | 44 ++++ ...erify-symlink-size-before-loading-it.patch | 67 +++++ 13 files changed, 1004 insertions(+) create mode 100644 queue-3.14/audit-restore-audit_loginuid-unset-abi.patch create mode 100644 queue-3.14/btrfs-do-not-move-em-to-modified-list-when-unpinning.patch create mode 100644 queue-3.14/btrfs-fix-fs-corruption-on-transaction-abort-if-device-supports-discard.patch create mode 100644 queue-3.14/crypto-af_alg-fix-backlog-handling.patch create mode 100644 queue-3.14/ecryptfs-force-ro-mount-when-encrypted-view-is-enabled.patch create mode 100644 queue-3.14/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode-routine.patch create mode 100644 queue-3.14/exit-pidns-alloc_pid-leaks-pid_namespace-if-child_reaper-is-exiting.patch create mode 100644 queue-3.14/ncpfs-return-proper-error-from-ncp_ioc_setroot-ioctl.patch create mode 100644 queue-3.14/udf-check-component-length-before-reading-it.patch create mode 100644 queue-3.14/udf-check-path-length-when-reading-symlink.patch create mode 100644 queue-3.14/udf-verify-i_size-when-loading-inode.patch create mode 100644 queue-3.14/udf-verify-symlink-size-before-loading-it.patch diff --git a/queue-3.14/audit-restore-audit_loginuid-unset-abi.patch b/queue-3.14/audit-restore-audit_loginuid-unset-abi.patch new file mode 100644 index 00000000000..8cedfe5dc2c --- /dev/null +++ b/queue-3.14/audit-restore-audit_loginuid-unset-abi.patch @@ -0,0 +1,100 @@ +From 041d7b98ffe59c59fdd639931dea7d74f9aa9a59 Mon Sep 17 00:00:00 2001 +From: Richard Guy Briggs +Date: Tue, 23 Dec 2014 13:02:04 -0500 +Subject: audit: restore AUDIT_LOGINUID unset ABI + +From: Richard Guy Briggs + +commit 041d7b98ffe59c59fdd639931dea7d74f9aa9a59 upstream. + +A regression was caused by commit 780a7654cee8: + audit: Make testing for a valid loginuid explicit. +(which in turn attempted to fix a regression caused by e1760bd) + +When audit_krule_to_data() fills in the rules to get a listing, there was a +missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID. + +This broke userspace by not returning the same information that was sent and +expected. + +The rule: + auditctl -a exit,never -F auid=-1 +gives: + auditctl -l + LIST_RULES: exit,never f24=0 syscall=all +when it should give: + LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all + +Tag it so that it is reported the same way it was set. Create a new +private flags audit_krule field (pflags) to store it that won't interact with +the public one from the API. + +Signed-off-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/audit.h | 4 ++++ + kernel/auditfilter.c | 10 ++++++++++ + 2 files changed, 14 insertions(+) + +--- a/include/linux/audit.h ++++ b/include/linux/audit.h +@@ -47,6 +47,7 @@ struct sk_buff; + + struct audit_krule { + int vers_ops; ++ u32 pflags; + u32 flags; + u32 listnr; + u32 action; +@@ -64,6 +65,9 @@ struct audit_krule { + u64 prio; + }; + ++/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ ++#define AUDIT_LOGINUID_LEGACY 0x1 ++ + struct audit_field { + u32 type; + u32 val; +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -429,6 +429,7 @@ static struct audit_entry *audit_data_to + if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { + f->type = AUDIT_LOGINUID_SET; + f->val = 0; ++ entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; + } + + err = audit_field_valid(entry, f); +@@ -604,6 +605,13 @@ static struct audit_rule_data *audit_kru + data->buflen += data->values[i] = + audit_pack_string(&bufp, krule->filterkey); + break; ++ case AUDIT_LOGINUID_SET: ++ if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { ++ data->fields[i] = AUDIT_LOGINUID; ++ data->values[i] = AUDIT_UID_UNSET; ++ break; ++ } ++ /* fallthrough if set */ + default: + data->values[i] = f->val; + } +@@ -620,6 +628,7 @@ static int audit_compare_rule(struct aud + int i; + + if (a->flags != b->flags || ++ a->pflags != b->pflags || + a->listnr != b->listnr || + a->action != b->action || + a->field_count != b->field_count) +@@ -738,6 +747,7 @@ struct audit_entry *audit_dupe_rule(stru + new = &entry->rule; + new->vers_ops = old->vers_ops; + new->flags = old->flags; ++ new->pflags = old->pflags; + new->listnr = old->listnr; + new->action = old->action; + for (i = 0; i < AUDIT_BITMASK_SIZE; i++) diff --git a/queue-3.14/btrfs-do-not-move-em-to-modified-list-when-unpinning.patch b/queue-3.14/btrfs-do-not-move-em-to-modified-list-when-unpinning.patch new file mode 100644 index 00000000000..3f5430bd1af --- /dev/null +++ b/queue-3.14/btrfs-do-not-move-em-to-modified-list-when-unpinning.patch @@ -0,0 +1,55 @@ +From a28046956c71985046474283fa3bcd256915fb72 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 14 Nov 2014 16:16:30 -0500 +Subject: Btrfs: do not move em to modified list when unpinning + +From: Josef Bacik + +commit a28046956c71985046474283fa3bcd256915fb72 upstream. + +We use the modified list to keep track of which extents have been modified so we +know which ones are candidates for logging at fsync() time. Newly modified +extents are added to the list at modification time, around the same time the +ordered extent is created. We do this so that we don't have to wait for ordered +extents to complete before we know what we need to log. The problem is when +something like this happens + +log extent 0-4k on inode 1 +copy csum for 0-4k from ordered extent into log +sync log +commit transaction +log some other extent on inode 1 +ordered extent for 0-4k completes and adds itself onto modified list again +log changed extents +see ordered extent for 0-4k has already been logged + at this point we assume the csum has been copied +sync log +crash + +On replay we will see the extent 0-4k in the log, drop the original 0-4k extent +which is the same one that we are replaying which also drops the csum, and then +we won't find the csum in the log for that bytenr. This of course causes us to +have errors about not having csums for certain ranges of our inode. So remove +the modified list manipulation in unpin_extent_cache, any modified extents +should have been added well before now, and we don't want them re-logged. This +fixes my test that I could reliably reproduce this problem with. Thanks, + +Signed-off-by: Josef Bacik +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent_map.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/btrfs/extent_map.c ++++ b/fs/btrfs/extent_map.c +@@ -290,8 +290,6 @@ int unpin_extent_cache(struct extent_map + if (!em) + goto out; + +- if (!test_bit(EXTENT_FLAG_LOGGING, &em->flags)) +- list_move(&em->list, &tree->modified_extents); + em->generation = gen; + clear_bit(EXTENT_FLAG_PINNED, &em->flags); + em->mod_start = em->start; diff --git a/queue-3.14/btrfs-fix-fs-corruption-on-transaction-abort-if-device-supports-discard.patch b/queue-3.14/btrfs-fix-fs-corruption-on-transaction-abort-if-device-supports-discard.patch new file mode 100644 index 00000000000..b5c1e01e9a5 --- /dev/null +++ b/queue-3.14/btrfs-fix-fs-corruption-on-transaction-abort-if-device-supports-discard.patch @@ -0,0 +1,172 @@ +From 678886bdc6378c1cbd5072da2c5a3035000214e3 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Sun, 7 Dec 2014 21:31:47 +0000 +Subject: Btrfs: fix fs corruption on transaction abort if device supports discard + +From: Filipe Manana + +commit 678886bdc6378c1cbd5072da2c5a3035000214e3 upstream. + +When we abort a transaction we iterate over all the ranges marked as dirty +in fs_info->freed_extents[0] and fs_info->freed_extents[1], clear them +from those trees, add them back (unpin) to the free space caches and, if +the fs was mounted with "-o discard", perform a discard on those regions. +Also, after adding the regions to the free space caches, a fitrim ioctl call +can see those ranges in a block group's free space cache and perform a discard +on the ranges, so the same issue can happen without "-o discard" as well. + +This causes corruption, affecting one or multiple btree nodes (in the worst +case leaving the fs unmountable) because some of those ranges (the ones in +the fs_info->pinned_extents tree) correspond to btree nodes/leafs that are +referred by the last committed super block - breaking the rule that anything +that was committed by a transaction is untouched until the next transaction +commits successfully. + +I ran into this while running in a loop (for several hours) the fstest that +I recently submitted: + + [PATCH] fstests: add btrfs test to stress chunk allocation/removal and fstrim + +The corruption always happened when a transaction aborted and then fsck complained +like this: + + _check_btrfs_filesystem: filesystem on /dev/sdc is inconsistent + *** fsck.btrfs output *** + Check tree block failed, want=94945280, have=0 + Check tree block failed, want=94945280, have=0 + Check tree block failed, want=94945280, have=0 + Check tree block failed, want=94945280, have=0 + Check tree block failed, want=94945280, have=0 + read block failed check_tree_block + Couldn't open file system + +In this case 94945280 corresponded to the root of a tree. +Using frace what I observed was the following sequence of steps happened: + + 1) transaction N started, fs_info->pinned_extents pointed to + fs_info->freed_extents[0]; + + 2) node/eb 94945280 is created; + + 3) eb is persisted to disk; + + 4) transaction N commit starts, fs_info->pinned_extents now points to + fs_info->freed_extents[1], and transaction N completes; + + 5) transaction N + 1 starts; + + 6) eb is COWed, and btrfs_free_tree_block() called for this eb; + + 7) eb range (94945280 to 94945280 + 16Kb) is added to + fs_info->pinned_extents (fs_info->freed_extents[1]); + + 8) Something goes wrong in transaction N + 1, like hitting ENOSPC + for example, and the transaction is aborted, turning the fs into + readonly mode. The stack trace I got for example: + + [112065.253935] [] dump_stack+0x4d/0x66 + [112065.254271] [] warn_slowpath_common+0x7f/0x98 + [112065.254567] [] ? __btrfs_abort_transaction+0x50/0x10b [btrfs] + [112065.261674] [] warn_slowpath_fmt+0x48/0x50 + [112065.261922] [] ? btrfs_free_path+0x26/0x29 [btrfs] + [112065.262211] [] __btrfs_abort_transaction+0x50/0x10b [btrfs] + [112065.262545] [] btrfs_remove_chunk+0x537/0x58b [btrfs] + [112065.262771] [] btrfs_delete_unused_bgs+0x1de/0x21b [btrfs] + [112065.263105] [] cleaner_kthread+0x100/0x12f [btrfs] + (...) + [112065.264493] ---[ end trace dd7903a975a31a08 ]--- + [112065.264673] BTRFS: error (device sdc) in btrfs_remove_chunk:2625: errno=-28 No space left + [112065.264997] BTRFS info (device sdc): forced readonly + + 9) The clear kthread sees that the BTRFS_FS_STATE_ERROR bit is set in + fs_info->fs_state and calls btrfs_cleanup_transaction(), which in + turn calls btrfs_destroy_pinned_extent(); + + 10) Then btrfs_destroy_pinned_extent() iterates over all the ranges + marked as dirty in fs_info->freed_extents[], and for each one + it calls discard, if the fs was mounted with "-o discard", and + adds the range to the free space cache of the respective block + group; + + 11) btrfs_trim_block_group(), invoked from the fitrim ioctl code path, + sees the free space entries and performs a discard; + + 12) After an umount and mount (or fsck), our eb's location on disk was full + of zeroes, and it should have been untouched, because it was marked as + dirty in the fs_info->pinned_extents tree, and therefore used by the + trees that the last committed superblock points to. + +Fix this by not performing a discard and not adding the ranges to the free space +caches - it's useless from this point since the fs is now in readonly mode and +we won't write free space caches to disk anymore (otherwise we would leak space) +nor any new superblock. By not adding the ranges to the free space caches, it +prevents other code paths from allocating that space and write to it as well, +therefore being safer and simpler. + +This isn't a new problem, as it's been present since 2011 (git commit +acce952b0263825da32cf10489413dec78053347). + +Signed-off-by: Filipe Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 6 ------ + fs/btrfs/extent-tree.c | 10 ++++++---- + 2 files changed, 6 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3978,12 +3978,6 @@ again: + if (ret) + break; + +- /* opt_discard */ +- if (btrfs_test_opt(root, DISCARD)) +- ret = btrfs_error_discard_extent(root, start, +- end + 1 - start, +- NULL); +- + clear_extent_dirty(unpin, start, end, GFP_NOFS); + btrfs_error_unpin_extent_range(root, start, end); + cond_resched(); +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -5503,7 +5503,8 @@ void btrfs_prepare_extent_commit(struct + update_global_block_rsv(fs_info); + } + +-static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end) ++static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end, ++ const bool return_free_space) + { + struct btrfs_fs_info *fs_info = root->fs_info; + struct btrfs_block_group_cache *cache = NULL; +@@ -5527,7 +5528,8 @@ static int unpin_extent_range(struct btr + + if (start < cache->last_byte_to_unpin) { + len = min(len, cache->last_byte_to_unpin - start); +- btrfs_add_free_space(cache, start, len); ++ if (return_free_space) ++ btrfs_add_free_space(cache, start, len); + } + + start += len; +@@ -5590,7 +5592,7 @@ int btrfs_finish_extent_commit(struct bt + end + 1 - start, NULL); + + clear_extent_dirty(unpin, start, end, GFP_NOFS); +- unpin_extent_range(root, start, end); ++ unpin_extent_range(root, start, end, true); + cond_resched(); + } + +@@ -8886,7 +8888,7 @@ out: + + int btrfs_error_unpin_extent_range(struct btrfs_root *root, u64 start, u64 end) + { +- return unpin_extent_range(root, start, end); ++ return unpin_extent_range(root, start, end, false); + } + + int btrfs_error_discard_extent(struct btrfs_root *root, u64 bytenr, diff --git a/queue-3.14/crypto-af_alg-fix-backlog-handling.patch b/queue-3.14/crypto-af_alg-fix-backlog-handling.patch new file mode 100644 index 00000000000..67ba40de99a --- /dev/null +++ b/queue-3.14/crypto-af_alg-fix-backlog-handling.patch @@ -0,0 +1,48 @@ +From 7e77bdebff5cb1e9876c561f69710b9ab8fa1f7e Mon Sep 17 00:00:00 2001 +From: Rabin Vincent +Date: Fri, 19 Dec 2014 13:36:08 +0100 +Subject: crypto: af_alg - fix backlog handling + +From: Rabin Vincent + +commit 7e77bdebff5cb1e9876c561f69710b9ab8fa1f7e upstream. + +If a request is backlogged, it's complete() handler will get called +twice: once with -EINPROGRESS, and once with the final error code. + +af_alg's complete handler, unlike other users, does not handle the +-EINPROGRESS but instead always completes the completion that recvmsg() +is waiting on. This can lead to a return to user space while the +request is still pending in the driver. If userspace closes the sockets +before the requests are handled by the driver, this will lead to +use-after-frees (and potential crashes) in the kernel due to the tfm +having been freed. + +The crashes can be easily reproduced (for example) by reducing the max +queue length in cryptod.c and running the following (from +http://www.chronox.de/libkcapi.html) on AES-NI capable hardware: + + $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \ + -k 00000000000000000000000000000000 \ + -p 00000000000000000000000000000000 >/dev/null & done + +Signed-off-by: Rabin Vincent +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -449,6 +449,9 @@ void af_alg_complete(struct crypto_async + { + struct af_alg_completion *completion = req->data; + ++ if (err == -EINPROGRESS) ++ return; ++ + completion->err = err; + complete(&completion->completion); + } diff --git a/queue-3.14/ecryptfs-force-ro-mount-when-encrypted-view-is-enabled.patch b/queue-3.14/ecryptfs-force-ro-mount-when-encrypted-view-is-enabled.patch new file mode 100644 index 00000000000..c1d2711b0d3 --- /dev/null +++ b/queue-3.14/ecryptfs-force-ro-mount-when-encrypted-view-is-enabled.patch @@ -0,0 +1,103 @@ +From 332b122d39c9cbff8b799007a825d94b2e7c12f2 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Tue, 7 Oct 2014 15:51:55 -0500 +Subject: eCryptfs: Force RO mount when encrypted view is enabled + +From: Tyler Hicks + +commit 332b122d39c9cbff8b799007a825d94b2e7c12f2 upstream. + +The ecryptfs_encrypted_view mount option greatly changes the +functionality of an eCryptfs mount. Instead of encrypting and decrypting +lower files, it provides a unified view of the encrypted files in the +lower filesystem. The presence of the ecryptfs_encrypted_view mount +option is intended to force a read-only mount and modifying files is not +supported when the feature is in use. See the following commit for more +information: + + e77a56d [PATCH] eCryptfs: Encrypted passthrough + +This patch forces the mount to be read-only when the +ecryptfs_encrypted_view mount option is specified by setting the +MS_RDONLY flag on the superblock. Additionally, this patch removes some +broken logic in ecryptfs_open() that attempted to prevent modifications +of files when the encrypted view feature was in use. The check in +ecryptfs_open() was not sufficient to prevent file modifications using +system calls that do not operate on a file descriptor. + +Signed-off-by: Tyler Hicks +Reported-by: Priya Bansal +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/file.c | 12 ------------ + fs/ecryptfs/main.c | 16 +++++++++++++--- + 2 files changed, 13 insertions(+), 15 deletions(-) + +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -191,23 +191,11 @@ static int ecryptfs_open(struct inode *i + { + int rc = 0; + struct ecryptfs_crypt_stat *crypt_stat = NULL; +- struct ecryptfs_mount_crypt_stat *mount_crypt_stat; + struct dentry *ecryptfs_dentry = file->f_path.dentry; + /* Private value of ecryptfs_dentry allocated in + * ecryptfs_lookup() */ + struct ecryptfs_file_info *file_info; + +- mount_crypt_stat = &ecryptfs_superblock_to_private( +- ecryptfs_dentry->d_sb)->mount_crypt_stat; +- if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) +- && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR) +- || (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC) +- || (file->f_flags & O_APPEND))) { +- printk(KERN_WARNING "Mount has encrypted view enabled; " +- "files may only be read\n"); +- rc = -EPERM; +- goto out; +- } + /* Released in ecryptfs_release or end of function if failure */ + file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL); + ecryptfs_set_file_private(file, file_info); +--- a/fs/ecryptfs/main.c ++++ b/fs/ecryptfs/main.c +@@ -493,6 +493,7 @@ static struct dentry *ecryptfs_mount(str + { + struct super_block *s; + struct ecryptfs_sb_info *sbi; ++ struct ecryptfs_mount_crypt_stat *mount_crypt_stat; + struct ecryptfs_dentry_info *root_info; + const char *err = "Getting sb failed"; + struct inode *inode; +@@ -511,6 +512,7 @@ static struct dentry *ecryptfs_mount(str + err = "Error parsing options"; + goto out; + } ++ mount_crypt_stat = &sbi->mount_crypt_stat; + + s = sget(fs_type, NULL, set_anon_super, flags, NULL); + if (IS_ERR(s)) { +@@ -557,11 +559,19 @@ static struct dentry *ecryptfs_mount(str + + /** + * Set the POSIX ACL flag based on whether they're enabled in the lower +- * mount. Force a read-only eCryptfs mount if the lower mount is ro. +- * Allow a ro eCryptfs mount even when the lower mount is rw. ++ * mount. + */ + s->s_flags = flags & ~MS_POSIXACL; +- s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL); ++ s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL; ++ ++ /** ++ * Force a read-only eCryptfs mount when: ++ * 1) The lower mount is ro ++ * 2) The ecryptfs_encrypted_view mount option is specified ++ */ ++ if (path.dentry->d_sb->s_flags & MS_RDONLY || ++ mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) ++ s->s_flags |= MS_RDONLY; + + s->s_maxbytes = path.dentry->d_sb->s_maxbytes; + s->s_blocksize = path.dentry->d_sb->s_blocksize; diff --git a/queue-3.14/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode-routine.patch b/queue-3.14/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode-routine.patch new file mode 100644 index 00000000000..64b4ea9cc0d --- /dev/null +++ b/queue-3.14/ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode-routine.patch @@ -0,0 +1,34 @@ +From 942080643bce061c3dd9d5718d3b745dcb39a8bc Mon Sep 17 00:00:00 2001 +From: Michael Halcrow +Date: Wed, 26 Nov 2014 09:09:16 -0800 +Subject: eCryptfs: Remove buggy and unnecessary write in file name decode routine + +From: Michael Halcrow + +commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream. + +Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the +end of the allocated buffer during encrypted filename decoding. This +fix corrects the issue by getting rid of the unnecessary 0 write when +the current bit offset is 2. + +Signed-off-by: Michael Halcrow +Reported-by: Dmitry Chernenkov +Suggested-by: Kees Cook +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned c + break; + case 2: + dst[dst_byte_offset++] |= (src_byte); +- dst[dst_byte_offset] = 0; + current_bit_offset = 0; + break; + } diff --git a/queue-3.14/exit-pidns-alloc_pid-leaks-pid_namespace-if-child_reaper-is-exiting.patch b/queue-3.14/exit-pidns-alloc_pid-leaks-pid_namespace-if-child_reaper-is-exiting.patch new file mode 100644 index 00000000000..ad23c056280 --- /dev/null +++ b/queue-3.14/exit-pidns-alloc_pid-leaks-pid_namespace-if-child_reaper-is-exiting.patch @@ -0,0 +1,41 @@ +From 24c037ebf5723d4d9ab0996433cee4f96c292a4d Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Wed, 10 Dec 2014 15:55:25 -0800 +Subject: exit: pidns: alloc_pid() leaks pid_namespace if child_reaper is exiting + +From: Oleg Nesterov + +commit 24c037ebf5723d4d9ab0996433cee4f96c292a4d upstream. + +alloc_pid() does get_pid_ns() beforehand but forgets to put_pid_ns() if it +fails because disable_pid_allocation() was called by the exiting +child_reaper. + +We could simply move get_pid_ns() down to successful return, but this fix +tries to be as trivial as possible. + +Signed-off-by: Oleg Nesterov +Reviewed-by: "Eric W. Biederman" +Cc: Aaron Tomlin +Cc: Pavel Emelyanov +Cc: Serge Hallyn +Cc: Sterling Alexander +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/pid.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -341,6 +341,8 @@ out: + + out_unlock: + spin_unlock_irq(&pidmap_lock); ++ put_pid_ns(ns); ++ + out_free: + while (++i <= ns->level) + free_pidmap(pid->numbers + i); diff --git a/queue-3.14/ncpfs-return-proper-error-from-ncp_ioc_setroot-ioctl.patch b/queue-3.14/ncpfs-return-proper-error-from-ncp_ioc_setroot-ioctl.patch new file mode 100644 index 00000000000..7976400cc8c --- /dev/null +++ b/queue-3.14/ncpfs-return-proper-error-from-ncp_ioc_setroot-ioctl.patch @@ -0,0 +1,39 @@ +From a682e9c28cac152e6e54c39efcf046e0c8cfcf63 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 10 Dec 2014 15:52:22 -0800 +Subject: ncpfs: return proper error from NCP_IOC_SETROOT ioctl + +From: Jan Kara + +commit a682e9c28cac152e6e54c39efcf046e0c8cfcf63 upstream. + +If some error happens in NCP_IOC_SETROOT ioctl, the appropriate error +return value is then (in most cases) just overwritten before we return. +This can result in reporting success to userspace although error happened. + +This bug was introduced by commit 2e54eb96e2c8 ("BKL: Remove BKL from +ncpfs"). Propagate the errors correctly. + +Coverity id: 1226925. + +Fixes: 2e54eb96e2c80 ("BKL: Remove BKL from ncpfs") +Signed-off-by: Jan Kara +Cc: Petr Vandrovec +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ncpfs/ioctl.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/ncpfs/ioctl.c ++++ b/fs/ncpfs/ioctl.c +@@ -448,7 +448,6 @@ static long __ncp_ioctl(struct inode *in + result = -EIO; + } + } +- result = 0; + } + mutex_unlock(&server->root_setup_lock); + diff --git a/queue-3.14/series b/queue-3.14/series index 656a12d7317..dd3b6927ba3 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -41,3 +41,15 @@ userns-rename-id_map_mutex-to-userns_state_mutex.patch userns-add-a-knob-to-disable-setgroups-on-a-per-user-namespace-basis.patch userns-allow-setting-gid_maps-without-privilege-when-setgroups-is-disabled.patch userns-unbreak-the-unprivileged-remount-tests.patch +audit-restore-audit_loginuid-unset-abi.patch +crypto-af_alg-fix-backlog-handling.patch +ncpfs-return-proper-error-from-ncp_ioc_setroot-ioctl.patch +exit-pidns-alloc_pid-leaks-pid_namespace-if-child_reaper-is-exiting.patch +udf-check-path-length-when-reading-symlink.patch +udf-verify-i_size-when-loading-inode.patch +udf-verify-symlink-size-before-loading-it.patch +udf-check-component-length-before-reading-it.patch +ecryptfs-force-ro-mount-when-encrypted-view-is-enabled.patch +ecryptfs-remove-buggy-and-unnecessary-write-in-file-name-decode-routine.patch +btrfs-do-not-move-em-to-modified-list-when-unpinning.patch +btrfs-fix-fs-corruption-on-transaction-abort-if-device-supports-discard.patch diff --git a/queue-3.14/udf-check-component-length-before-reading-it.patch b/queue-3.14/udf-check-component-length-before-reading-it.patch new file mode 100644 index 00000000000..157bfecf68f --- /dev/null +++ b/queue-3.14/udf-check-component-length-before-reading-it.patch @@ -0,0 +1,61 @@ +From e237ec37ec154564f8690c5bd1795339955eeef9 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 19 Dec 2014 14:27:55 +0100 +Subject: udf: Check component length before reading it + +From: Jan Kara + +commit e237ec37ec154564f8690c5bd1795339955eeef9 upstream. + +Check that length specified in a component of a symlink fits in the +input buffer we are reading. Also properly ignore component length for +component types that do not use it. Otherwise we read memory after end +of buffer for corrupted udf image. + +Reported-by: Carl Henrik Lunde +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/symlink.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/udf/symlink.c ++++ b/fs/udf/symlink.c +@@ -42,14 +42,17 @@ static int udf_pc_to_char(struct super_b + tolen--; + while (elen < fromlen) { + pc = (struct pathComponent *)(from + elen); ++ elen += sizeof(struct pathComponent); + switch (pc->componentType) { + case 1: + /* + * Symlink points to some place which should be agreed + * upon between originator and receiver of the media. Ignore. + */ +- if (pc->lengthComponentIdent > 0) ++ if (pc->lengthComponentIdent > 0) { ++ elen += pc->lengthComponentIdent; + break; ++ } + /* Fall through */ + case 2: + if (tolen == 0) +@@ -74,6 +77,9 @@ static int udf_pc_to_char(struct super_b + /* that would be . - just ignore */ + break; + case 5: ++ elen += pc->lengthComponentIdent; ++ if (elen > fromlen) ++ return -EIO; + comp_len = udf_get_filename(sb, pc->componentIdent, + pc->lengthComponentIdent, + p, tolen); +@@ -85,7 +91,6 @@ static int udf_pc_to_char(struct super_b + tolen--; + break; + } +- elen += sizeof(struct pathComponent) + pc->lengthComponentIdent; + } + if (p > to + 1) + p[-1] = '\0'; diff --git a/queue-3.14/udf-check-path-length-when-reading-symlink.patch b/queue-3.14/udf-check-path-length-when-reading-symlink.patch new file mode 100644 index 00000000000..b0d21979c46 --- /dev/null +++ b/queue-3.14/udf-check-path-length-when-reading-symlink.patch @@ -0,0 +1,228 @@ +From 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 18 Dec 2014 22:37:50 +0100 +Subject: udf: Check path length when reading symlink + +From: Jan Kara + +commit 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 upstream. + +Symlink reading code does not check whether the resulting path fits into +the page provided by the generic code. This isn't as easy as just +checking the symlink size because of various encoding conversions we +perform on path. So we have to check whether there is still enough space +in the buffer on the fly. + +Reported-by: Carl Henrik Lunde +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/dir.c | 3 ++- + fs/udf/namei.c | 3 ++- + fs/udf/symlink.c | 31 ++++++++++++++++++++++++++----- + fs/udf/udfdecl.h | 3 ++- + fs/udf/unicode.c | 28 ++++++++++++++++------------ + 5 files changed, 48 insertions(+), 20 deletions(-) + +--- a/fs/udf/dir.c ++++ b/fs/udf/dir.c +@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file + continue; + } + +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + if (!flen) + continue; + +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_en + if (!lfi) + continue; + +- flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi); ++ flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname, ++ UDF_NAME_LEN); + if (flen && udf_match(flen, fname, child->len, child->name)) + goto out_ok; + } +--- a/fs/udf/symlink.c ++++ b/fs/udf/symlink.c +@@ -30,13 +30,16 @@ + #include + #include "udf_i.h" + +-static void udf_pc_to_char(struct super_block *sb, unsigned char *from, +- int fromlen, unsigned char *to) ++static int udf_pc_to_char(struct super_block *sb, unsigned char *from, ++ int fromlen, unsigned char *to, int tolen) + { + struct pathComponent *pc; + int elen = 0; ++ int comp_len; + unsigned char *p = to; + ++ /* Reserve one byte for terminating \0 */ ++ tolen--; + while (elen < fromlen) { + pc = (struct pathComponent *)(from + elen); + switch (pc->componentType) { +@@ -49,22 +52,37 @@ static void udf_pc_to_char(struct super_ + break; + /* Fall through */ + case 2: ++ if (tolen == 0) ++ return -ENAMETOOLONG; + p = to; + *p++ = '/'; ++ tolen--; + break; + case 3: ++ if (tolen < 3) ++ return -ENAMETOOLONG; + memcpy(p, "../", 3); + p += 3; ++ tolen -= 3; + break; + case 4: ++ if (tolen < 2) ++ return -ENAMETOOLONG; + memcpy(p, "./", 2); + p += 2; ++ tolen -= 2; + /* that would be . - just ignore */ + break; + case 5: +- p += udf_get_filename(sb, pc->componentIdent, p, +- pc->lengthComponentIdent); ++ comp_len = udf_get_filename(sb, pc->componentIdent, ++ pc->lengthComponentIdent, ++ p, tolen); ++ p += comp_len; ++ tolen -= comp_len; ++ if (tolen == 0) ++ return -ENAMETOOLONG; + *p++ = '/'; ++ tolen--; + break; + } + elen += sizeof(struct pathComponent) + pc->lengthComponentIdent; +@@ -73,6 +91,7 @@ static void udf_pc_to_char(struct super_ + p[-1] = '\0'; + else + p[0] = '\0'; ++ return 0; + } + + static int udf_symlink_filler(struct file *file, struct page *page) +@@ -100,8 +119,10 @@ static int udf_symlink_filler(struct fil + symlink = bh->b_data; + } + +- udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p); ++ err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE); + brelse(bh); ++ if (err) ++ goto out_unlock_inode; + + up_read(&iinfo->i_data_sem); + SetPageUptodate(page); +--- a/fs/udf/udfdecl.h ++++ b/fs/udf/udfdecl.h +@@ -201,7 +201,8 @@ udf_get_lb_pblock(struct super_block *sb + } + + /* unicode.c */ +-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int); ++extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *, ++ int); + extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *, + int); + extern int udf_build_ustr(struct ustr *, dstring *, int); +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -28,7 +28,8 @@ + + #include "udf_sb.h" + +-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int); ++static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *, ++ int); + + static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen) + { +@@ -333,8 +334,8 @@ try_again: + return u_len + 1; + } + +-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname, +- int flen) ++int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen, ++ uint8_t *dname, int dlen) + { + struct ustr *filename, *unifilename; + int len = 0; +@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block + if (!unifilename) + goto out1; + +- if (udf_build_ustr_exact(unifilename, sname, flen)) ++ if (udf_build_ustr_exact(unifilename, sname, slen)) + goto out2; + + if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) { +@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block + } else + goto out2; + +- len = udf_translate_to_linux(dname, filename->u_name, filename->u_len, ++ len = udf_translate_to_linux(dname, dlen, ++ filename->u_name, filename->u_len, + unifilename->u_name, unifilename->u_len); + out2: + kfree(unifilename); +@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block + #define EXT_MARK '.' + #define CRC_MARK '#' + #define EXT_SIZE 5 ++/* Number of chars we need to store generated CRC to make filename unique */ ++#define CRC_LEN 5 + +-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName, +- int udfLen, uint8_t *fidName, +- int fidNameLen) ++static int udf_translate_to_linux(uint8_t *newName, int newLen, ++ uint8_t *udfName, int udfLen, ++ uint8_t *fidName, int fidNameLen) + { + int index, newIndex = 0, needsCRC = 0; + int extIndex = 0, newExtIndex = 0, hasExt = 0; +@@ -440,7 +444,7 @@ static int udf_translate_to_linux(uint8_ + newExtIndex = newIndex; + } + } +- if (newIndex < 256) ++ if (newIndex < newLen) + newName[newIndex++] = curr; + else + needsCRC = 1; +@@ -468,13 +472,13 @@ static int udf_translate_to_linux(uint8_ + } + ext[localExtIndex++] = curr; + } +- maxFilenameLen = 250 - localExtIndex; ++ maxFilenameLen = newLen - CRC_LEN - localExtIndex; + if (newIndex > maxFilenameLen) + newIndex = maxFilenameLen; + else + newIndex = newExtIndex; +- } else if (newIndex > 250) +- newIndex = 250; ++ } else if (newIndex > newLen - CRC_LEN) ++ newIndex = newLen - CRC_LEN; + newName[newIndex++] = CRC_MARK; + valueCRC = crc_itu_t(0, fidName, fidNameLen); + newName[newIndex++] = hexChar[(valueCRC & 0xf000) >> 12]; diff --git a/queue-3.14/udf-verify-i_size-when-loading-inode.patch b/queue-3.14/udf-verify-i_size-when-loading-inode.patch new file mode 100644 index 00000000000..935516d6c89 --- /dev/null +++ b/queue-3.14/udf-verify-i_size-when-loading-inode.patch @@ -0,0 +1,44 @@ +From e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 19 Dec 2014 12:03:53 +0100 +Subject: udf: Verify i_size when loading inode + +From: Jan Kara + +commit e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 upstream. + +Verify that inode size is sane when loading inode with data stored in +ICB. Otherwise we may get confused later when working with the inode and +inode size is too big. + +Reported-by: Carl Henrik Lunde +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/inode.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1496,6 +1496,20 @@ static void udf_fill_inode(struct inode + iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); + } + ++ /* Sanity checks for files in ICB so that we don't get confused later */ ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { ++ /* ++ * For file in ICB data is stored in allocation descriptor ++ * so sizes should match ++ */ ++ if (iinfo->i_lenAlloc != inode->i_size) ++ goto out; ++ /* File in ICB has to fit in there... */ ++ if (inode->i_size > inode->i_sb->s_blocksize - ++ udf_file_entry_alloc_offset(inode)) ++ goto out; ++ } ++ + switch (fe->icbTag.fileType) { + case ICBTAG_FILE_TYPE_DIRECTORY: + inode->i_op = &udf_dir_inode_operations; diff --git a/queue-3.14/udf-verify-symlink-size-before-loading-it.patch b/queue-3.14/udf-verify-symlink-size-before-loading-it.patch new file mode 100644 index 00000000000..483ed63907a --- /dev/null +++ b/queue-3.14/udf-verify-symlink-size-before-loading-it.patch @@ -0,0 +1,67 @@ +From a1d47b262952a45aae62bd49cfaf33dd76c11a2c Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 19 Dec 2014 12:21:47 +0100 +Subject: udf: Verify symlink size before loading it + +From: Jan Kara + +commit a1d47b262952a45aae62bd49cfaf33dd76c11a2c upstream. + +UDF specification allows arbitrarily large symlinks. However we support +only symlinks at most one block large. Check the length of the symlink +so that we don't access memory beyond end of the symlink block. + +Reported-by: Carl Henrik Lunde +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/symlink.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/fs/udf/symlink.c ++++ b/fs/udf/symlink.c +@@ -99,11 +99,17 @@ static int udf_symlink_filler(struct fil + struct inode *inode = page->mapping->host; + struct buffer_head *bh = NULL; + unsigned char *symlink; +- int err = -EIO; ++ int err; + unsigned char *p = kmap(page); + struct udf_inode_info *iinfo; + uint32_t pos; + ++ /* We don't support symlinks longer than one block */ ++ if (inode->i_size > inode->i_sb->s_blocksize) { ++ err = -ENAMETOOLONG; ++ goto out_unmap; ++ } ++ + iinfo = UDF_I(inode); + pos = udf_block_map(inode, 0); + +@@ -113,8 +119,10 @@ static int udf_symlink_filler(struct fil + } else { + bh = sb_bread(inode->i_sb, pos); + +- if (!bh) +- goto out; ++ if (!bh) { ++ err = -EIO; ++ goto out_unlock_inode; ++ } + + symlink = bh->b_data; + } +@@ -130,9 +138,10 @@ static int udf_symlink_filler(struct fil + unlock_page(page); + return 0; + +-out: ++out_unlock_inode: + up_read(&iinfo->i_data_sem); + SetPageError(page); ++out_unmap: + kunmap(page); + unlock_page(page); + return err; -- 2.47.3