From: Greg Kroah-Hartman Date: Thu, 21 Jun 2018 21:24:01 +0000 (+0900) Subject: 4.17-stable patches X-Git-Tag: v4.17.3~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4a89ad609db01d7d24bc10c47d42e07516ff09ee;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: acpica-aml-parser-attempt-to-continue-loading-table-after-error.patch alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch alsa-hda-conexant-add-fixup-for-hp-z2-g4-workstation.patch alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch alsa-hda-realtek-enable-mic-mute-hotkey-for-several-lenovo-aios.patch alsa-usb-audio-disable-the-quirk-for-nura-headset.patch btrfs-allow-empty-subvol-again.patch btrfs-fix-clone-vs-chattr-nodatasum-race.patch btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch btrfs-return-error-value-if-create_io_em-failed-in-cow_file_range.patch btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch driver-core-don-t-ignore-class_dir_create_and_add-failure.patch ext4-bubble-errors-from-ext4_find_inline_data_nolock-up-to-ext4_iget.patch ext4-correctly-handle-a-zero-length-xattr-with-a-non-zero-e_value_offs.patch ext4-do-not-allow-external-inodes-for-inline-data.patch ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch x86-mce-fix-stack-out-of-bounds-write-in-mce-inject.c-flags_read.patch --- diff --git a/queue-4.17/acpica-aml-parser-attempt-to-continue-loading-table-after-error.patch b/queue-4.17/acpica-aml-parser-attempt-to-continue-loading-table-after-error.patch new file mode 100644 index 00000000000..be64d9ebff9 --- /dev/null +++ b/queue-4.17/acpica-aml-parser-attempt-to-continue-loading-table-after-error.patch 
@@ -0,0 +1,184 @@ +From 5088814a6e931350e5bd29f5d59fa40c6dbbdf10 Mon Sep 17 00:00:00 2001 +From: Erik Schmauss +Date: Fri, 1 Jun 2018 12:06:43 -0700 +Subject: ACPICA: AML parser: attempt to continue loading table after error + +From: Erik Schmauss + +commit 5088814a6e931350e5bd29f5d59fa40c6dbbdf10 upstream. + +This change alters the parser so that the table load does not abort +upon an error. + +Notable changes: + +If there is an error while parsing an element of the termlist, we +will skip parsing the current termlist element and continue parsing +to the next opcode in the termlist. + +If we get an error while parsing the conditional of If/Else/While or +the device name of Scope, we will skip the body of the statement all +together and pop the parser_state. + +If we get an error while parsing the base offset and length of an +operation region declaration, we will remove the operation region +from the namespace. + +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpica/psloop.c | 51 ++++++++++++++++++++++++++++++++++++++++- + drivers/acpi/acpica/psobject.c | 30 ++++++++++++++++++++++++ + drivers/acpi/acpica/uterror.c | 10 ++++---- + 3 files changed, 85 insertions(+), 6 deletions(-) + +--- a/drivers/acpi/acpica/psloop.c ++++ b/drivers/acpi/acpica/psloop.c +@@ -515,6 +515,22 @@ acpi_status acpi_ps_parse_loop(struct ac + if (ACPI_FAILURE(status)) { + return_ACPI_STATUS(status); + } ++ if (walk_state->opcode == AML_SCOPE_OP) { ++ /* ++ * If the scope op fails to parse, skip the body of the ++ * scope op because the parse failure indicates that the ++ * device may not exist. 
++ */ ++ walk_state->parser_state.aml = ++ walk_state->aml + 1; ++ walk_state->parser_state.aml = ++ acpi_ps_get_next_package_end ++ (&walk_state->parser_state); ++ walk_state->aml = ++ walk_state->parser_state.aml; ++ ACPI_ERROR((AE_INFO, ++ "Skipping Scope block")); ++ } + + continue; + } +@@ -557,7 +573,40 @@ acpi_status acpi_ps_parse_loop(struct ac + if (ACPI_FAILURE(status)) { + return_ACPI_STATUS(status); + } +- ++ if ((walk_state->control_state) && ++ ((walk_state->control_state->control. ++ opcode == AML_IF_OP) ++ || (walk_state->control_state->control. ++ opcode == AML_WHILE_OP))) { ++ /* ++ * If the if/while op fails to parse, we will skip parsing ++ * the body of the op. ++ */ ++ parser_state->aml = ++ walk_state->control_state->control. ++ aml_predicate_start + 1; ++ parser_state->aml = ++ acpi_ps_get_next_package_end ++ (parser_state); ++ walk_state->aml = parser_state->aml; ++ ++ ACPI_ERROR((AE_INFO, ++ "Skipping While/If block")); ++ if (*walk_state->aml == AML_ELSE_OP) { ++ ACPI_ERROR((AE_INFO, ++ "Skipping Else block")); ++ walk_state->parser_state.aml = ++ walk_state->aml + 1; ++ walk_state->parser_state.aml = ++ acpi_ps_get_next_package_end ++ (parser_state); ++ walk_state->aml = ++ parser_state->aml; ++ } ++ ACPI_FREE(acpi_ut_pop_generic_state ++ (&walk_state->control_state)); ++ } ++ op = NULL; + continue; + } + } +--- a/drivers/acpi/acpica/psobject.c ++++ b/drivers/acpi/acpica/psobject.c +@@ -12,6 +12,7 @@ + #include "acparser.h" + #include "amlcode.h" + #include "acconvert.h" ++#include "acnamesp.h" + + #define _COMPONENT ACPI_PARSER + ACPI_MODULE_NAME("psobject") +@@ -549,6 +550,21 @@ acpi_ps_complete_op(struct acpi_walk_sta + + do { + if (*op) { ++ /* ++ * These Opcodes need to be removed from the namespace because they ++ * get created even if these opcodes cannot be created due to ++ * errors. 
++ */ ++ if (((*op)->common.aml_opcode == AML_REGION_OP) ++ || ((*op)->common.aml_opcode == ++ AML_DATA_REGION_OP)) { ++ acpi_ns_delete_children((*op)->common. ++ node); ++ acpi_ns_remove_node((*op)->common.node); ++ (*op)->common.node = NULL; ++ acpi_ps_delete_parse_tree(*op); ++ } ++ + status2 = + acpi_ps_complete_this_op(walk_state, *op); + if (ACPI_FAILURE(status2)) { +@@ -574,6 +590,20 @@ acpi_ps_complete_op(struct acpi_walk_sta + #endif + walk_state->prev_op = NULL; + walk_state->prev_arg_types = walk_state->arg_types; ++ ++ if (walk_state->parse_flags & ACPI_PARSE_MODULE_LEVEL) { ++ /* ++ * There was something that went wrong while executing code at the ++ * module-level. We need to skip parsing whatever caused the ++ * error and keep going. One runtime error during the table load ++ * should not cause the entire table to not be loaded. This is ++ * because there could be correct AML beyond the parts that caused ++ * the runtime error. ++ */ ++ ACPI_ERROR((AE_INFO, ++ "Ignore error and continue table load")); ++ return_ACPI_STATUS(AE_OK); ++ } + return_ACPI_STATUS(status); + } + +--- a/drivers/acpi/acpica/uterror.c ++++ b/drivers/acpi/acpica/uterror.c +@@ -182,20 +182,20 @@ acpi_ut_prefixed_namespace_error(const c + switch (lookup_status) { + case AE_ALREADY_EXISTS: + +- acpi_os_printf(ACPI_MSG_BIOS_ERROR); ++ acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR); + message = "Failure creating"; + break; + + case AE_NOT_FOUND: + +- acpi_os_printf(ACPI_MSG_BIOS_ERROR); +- message = "Failure looking up"; ++ acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR); ++ message = "Could not resolve"; + break; + + default: + +- acpi_os_printf(ACPI_MSG_ERROR); +- message = "Failure looking up"; ++ acpi_os_printf("\n" ACPI_MSG_ERROR); ++ message = "Failure resolving"; + break; + } + 
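Review bot: In the psobject.c hunk, `acpi_ps_delete_parse_tree(*op)` is called on a region op and the very next statement passes the same `*op` to `acpi_ps_complete_this_op(walk_state, *op)`; if the tree deletion releases the root op, as its name suggests, that second call works on freed memory, so either complete the op before deleting it or set `*op = NULL` after the deletion and make the rest of the loop tolerate that, and document the lifetime with something like `/* *op must still be a live parse node here */`. The two psloop.c skip paths are also inconsistent: the If/While path clears `op = NULL` before `continue`, the Scope path does not. Both reposition the parser purely from the package length read out of the firmware-supplied AML via acpi_ps_get_next_package_end(), so the new position should be checked against the end of the table before parsing resumes, otherwise one malformed length moves the cursor past the buffer. acpi_ps_parse_loop and acpi_ps_complete_op both start and end outside these hunks.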
diff --git a/queue-4.17/alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch b/queue-4.17/alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch new file mode 100644 index 00000000000..e55d60dfcb0 --- /dev/null +++ b/queue-4.17/alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch @@ -0,0 +1,32 @@ +From 2861751f67b91e1d24e68010ced96614fb3140f4 Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Tue, 12 Jun 2018 07:10:59 +0200 +Subject: ALSA: hda: add dock and led support for HP EliteBook 830 G5 + +From: Dennis Wassenberg + +commit 2861751f67b91e1d24e68010ced96614fb3140f4 upstream. + +This patch adds missing initialisation for HP 2013 UltraSlim Dock +Line-In/Out PINs and activates keyboard mute/micmute leds +for HP EliteBook 830 G5 + +Signed-off-by: Dennis Wassenberg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -959,6 +959,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), diff --git a/queue-4.17/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch b/queue-4.17/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch new file mode 100644 index 00000000000..97aa377460d --- /dev/null +++ b/queue-4.17/alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch 
@@ -0,0 +1,32 @@ +From 7eef32c1ef895a3a96463f9cbd04203007cd5555 Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Tue, 12 Jun 2018 07:11:11 +0200 +Subject: ALSA: hda: add dock and led support for HP ProBook 640 G4 + +From: Dennis Wassenberg + +commit 7eef32c1ef895a3a96463f9cbd04203007cd5555 upstream. + +This patch adds missing initialisation for HP 2013 UltraSlim Dock +Line-In/Out PINs and activates keyboard mute/micmute leds +for HP ProBook 640 G4 + +Signed-off-by: Dennis Wassenberg +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -960,6 +960,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), diff --git a/queue-4.17/alsa-hda-conexant-add-fixup-for-hp-z2-g4-workstation.patch b/queue-4.17/alsa-hda-conexant-add-fixup-for-hp-z2-g4-workstation.patch new file mode 100644 index 00000000000..64780fba94b --- /dev/null +++ b/queue-4.17/alsa-hda-conexant-add-fixup-for-hp-z2-g4-workstation.patch 
@@ -0,0 +1,30 @@ +From f16041df4c360eccacfe90f96673b37829e4c959 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 18 May 2018 12:14:32 +0200 +Subject: ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation + +From: Takashi Iwai + +commit f16041df4c360eccacfe90f96673b37829e4c959 upstream. + +HP Z2 G4 requires the same workaround as other HP machines that have +no mic-pin detection. + +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -965,6 +965,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN), + SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO), + SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410), diff --git a/queue-4.17/alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch b/queue-4.17/alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch new file mode 100644 index 00000000000..98c8552ce58 --- /dev/null +++ b/queue-4.17/alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch 
@@ -0,0 +1,46 @@
+From a3aa60d511746bd6c0d0366d4eb90a7998bcde8b Mon Sep 17 00:00:00 2001
+From: Bo Chen
+Date: Thu, 31 May 2018 15:35:18 -0700
+Subject: ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
+
+From: Bo Chen
+
+commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.
+
+When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is
+created without setting its operators via 'snd_pcm_set_ops()'. Following
+operations on the new pcm instance can trigger kernel null pointer dereferences
+and cause kernel oops.
+
+This bug was found with my work on building a gray-box fault-injection tool for
+linux-kernel-module binaries. A kernel null pointer dereference was confirmed
+from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in
+file 'sound/core/pcm_native.c'.
+
+This patch fixes the bug by calling 'snd_device_free()' in the error handling
+path of 'kzalloc()', which removes the new pcm instance from the snd card before
+returns with an error code.
+
+Signed-off-by: Bo Chen
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_controller.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -748,8 +748,10 @@ int snd_hda_attach_pcm_stream(struct hda
+ return err;
+ strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
+ apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
+- if (apcm == NULL)
++ if (apcm == NULL) {
++ snd_device_free(chip->card, pcm);
+ return -ENOMEM;
++ }
+ apcm->chip = chip;
+ apcm->pcm = pcm;
+ apcm->codec = codec;
diff --git a/queue-4.17/alsa-hda-realtek-enable-mic-mute-hotkey-for-several-lenovo-aios.patch b/queue-4.17/alsa-hda-realtek-enable-mic-mute-hotkey-for-several-lenovo-aios.patch
new file mode 100644
index 00000000000..a6ecca2cd60
--- /dev/null
+++ b/queue-4.17/alsa-hda-realtek-enable-mic-mute-hotkey-for-several-lenovo-aios.patch
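Review bot: The new `snd_device_free(chip->card, pcm);` on the kzalloc() failure path has no comment, and a device free inside an allocation-failure branch reads oddly to anyone who has not seen the commit message; the reason is that `pcm` was already registered with the card above the hunk and would otherwise be left behind without its ops set. Suggest `/* pcm is already registered with the card; drop it so no ops-less pcm is left behind */` on the line above the call. snd_hda_attach_pcm_stream starts and ends outside the hunk, so I could not confirm there is no other early return between the pcm creation and this point that needs the same teardown.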
@@ -0,0 +1,46 @@ +From 986376b68dcc95bb7df60ad30c2353c1f7578fa5 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Wed, 30 May 2018 12:33:07 +0800 +Subject: ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs + +From: Hui Wang + +commit 986376b68dcc95bb7df60ad30c2353c1f7578fa5 upstream. + +We have several Lenovo AIOs like M810z, M820z and M920z, they have +the same design for mic-mute hotkey and led and they use the same +codec with the same pin configuration, so use the pin conf table to +apply fix to all of them. + +Fixes: 29693efcea0f ("ALSA: hda - Fix micmute hotkey problem for a lenovo AIO machine") +Cc: +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6580,7 +6580,6 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), +- SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), +@@ -6752,6 +6751,11 @@ static const struct snd_hda_pin_quirk al + {0x1b, 0x01111010}, + {0x1e, 0x01451130}, + {0x21, 0x02211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0235, 0x17aa, "Lenovo", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY, ++ {0x12, 0x90a60140}, ++ {0x14, 0x90170110}, ++ {0x19, 0x02a11030}, ++ {0x21, 0x02211020}), + SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x12, 0x90a60140}, + {0x14, 0x90170110}, 
diff --git a/queue-4.17/alsa-usb-audio-disable-the-quirk-for-nura-headset.patch b/queue-4.17/alsa-usb-audio-disable-the-quirk-for-nura-headset.patch new file mode 100644 index 00000000000..31de7cb00ac --- /dev/null +++ b/queue-4.17/alsa-usb-audio-disable-the-quirk-for-nura-headset.patch @@ -0,0 +1,51 @@ +From 5ebf6b1e459606d7fbf4fc67d2c28a6540953d93 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 11 Jun 2018 22:34:11 +0200 +Subject: ALSA: usb-audio: Disable the quirk for Nura headset + +From: Takashi Iwai + +commit 5ebf6b1e459606d7fbf4fc67d2c28a6540953d93 upstream. + +The commit 33193dca671c ("ALSA: usb-audio: Add a quirk for Nura's +first gen headset") added a quirk for Nura headset with USB ID +0a12:1243, with a hope that it doesn't conflict with others. +Unfortunately, other devices (e.g. Philips Wecall) with the very same +ID got broken by this change, spewing an error like: + usb 2-1.8.2: 2:1: cannot set freq 48000 to ep 0x3 + +Until we find a proper solution, fix the regression at first by +disabling the added quirk entry. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199905 +Fixes: 33193dca671c ("ALSA: usb-audio: Add a quirk for Nura's first gen headset") +Reviewed-by: Martin Peres +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks-table.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3277,6 +3277,10 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge + } + }, + ++/* disabled due to regression for other devices; ++ * see https://bugzilla.kernel.org/show_bug.cgi?id=199905 ++ */ ++#if 0 + { + /* + * Nura's first gen headphones use Cambridge Silicon Radio's vendor +@@ -3324,6 +3328,7 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge + } + } + }, ++#endif /* disabled */ + + { + /* diff --git a/queue-4.17/btrfs-allow-empty-subvol-again.patch b/queue-4.17/btrfs-allow-empty-subvol-again.patch new file mode 100644 index 00000000000..87c5d7b9692 
--- /dev/null +++ b/queue-4.17/btrfs-allow-empty-subvol-again.patch 
@@ -0,0 +1,62 @@ +From 37becec95ac31b209eb1c8e096f1093a7db00f32 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Mon, 21 May 2018 17:07:19 -0700 +Subject: Btrfs: allow empty subvol= again + +From: Omar Sandoval + +commit 37becec95ac31b209eb1c8e096f1093a7db00f32 upstream. + +I got a report that after upgrading to 4.16, someone's filesystems +weren't mounting: + +[ 23.845852] BTRFS info (device loop0): unrecognized mount option 'subvol=' + +Before 4.16, this mounted the default subvolume. It turns out that this +empty "subvol=" is actually an application bug, but it was causing the +application to fail, so it's an ABI break if you squint. + +The generic parsing code we use for mount options (match_token()) +doesn't match an empty string as "%s". Previously, setup_root_args() +removed the "subvol=" string, but the mount path was cleaned up to not +need that. Add a dummy Opt_subvol_empty to fix this. + +The simple workaround is to use / or . for the value of 'subvol=' . + +Fixes: 312c89fbca06 ("btrfs: cleanup btrfs_mount() using btrfs_mount_root()") +CC: stable@vger.kernel.org # 4.16+ +Signed-off-by: Omar Sandoval +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/super.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -323,6 +323,7 @@ enum { + Opt_ssd, Opt_nossd, + Opt_ssd_spread, Opt_nossd_spread, + Opt_subvol, ++ Opt_subvol_empty, + Opt_subvolid, + Opt_thread_pool, + Opt_treelog, Opt_notreelog, +@@ -388,6 +389,7 @@ static const match_table_t tokens = { + {Opt_ssd_spread, "ssd_spread"}, + {Opt_nossd_spread, "nossd_spread"}, + {Opt_subvol, "subvol=%s"}, ++ {Opt_subvol_empty, "subvol="}, + {Opt_subvolid, "subvolid=%s"}, + {Opt_thread_pool, "thread_pool=%u"}, + {Opt_treelog, "treelog"}, +@@ -461,6 +463,7 @@ int btrfs_parse_options(struct btrfs_fs_ + btrfs_set_opt(info->mount_opt, DEGRADED); + break; + case Opt_subvol: ++ case Opt_subvol_empty: + case 
Opt_subvolid: + case Opt_subvolrootid: + case Opt_device: diff --git a/queue-4.17/btrfs-fix-clone-vs-chattr-nodatasum-race.patch b/queue-4.17/btrfs-fix-clone-vs-chattr-nodatasum-race.patch new file mode 100644 index 00000000000..e14c15b1d9b --- /dev/null +++ b/queue-4.17/btrfs-fix-clone-vs-chattr-nodatasum-race.patch 
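Review bot: The new `{Opt_subvol_empty, "subvol="}` entry in the tokens table carries no comment explaining why a second pattern sits next to `"subvol=%s"`; the reason, that match_token() does not match an empty string with `%s`, lives only in the commit message, so a maintainer tidying the table is likely to drop it as a duplicate. Suggest `{Opt_subvol_empty, "subvol="},	/* match_token() never matches an empty %s */`. The enum and the `case Opt_subvol_empty:` fallthrough need no change; btrfs_parse_options starts and ends outside the hunk.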
@@ -0,0 +1,67 @@ +From b5c40d598f5408bd0ca22dfffa82f03cd9433f23 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Tue, 22 May 2018 15:02:12 -0700 +Subject: Btrfs: fix clone vs chattr NODATASUM race + +From: Omar Sandoval + +commit b5c40d598f5408bd0ca22dfffa82f03cd9433f23 upstream. + +In btrfs_clone_files(), we must check the NODATASUM flag while the +inodes are locked. Otherwise, it's possible that btrfs_ioctl_setflags() +will change the flags after we check and we can end up with a party +checksummed file. + +The race window is only a few instructions in size, between the if and +the locks which is: + +3834 if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode)) +3835 return -EISDIR; + +where the setflags must be run and toggle the NODATASUM flag (provided +the file size is 0). The clone will block on the inode lock, segflags +takes the inode lock, changes flags, releases log and clone continues. + +Not impossible but still needs a lot of bad luck to hit unintentionally. + +Fixes: 0e7b824c4ef9 ("Btrfs: don't make a file partly checksummed through file clone") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Omar Sandoval +Reviewed-by: Nikolay Borisov +Reviewed-by: David Sterba +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3826,11 +3826,6 @@ static noinline int btrfs_clone_files(st + src->i_sb != inode->i_sb) + return -EXDEV; + +- /* don't make the dst file partly checksummed */ +- if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != +- (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) +- return -EINVAL; +- + if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode)) + return -EISDIR; + +@@ -3840,6 +3835,13 @@ static noinline int btrfs_clone_files(st + inode_lock(src); + } + ++ /* don't make the dst file partly checksummed */ ++ if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != ++ 
(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + /* determine range to clone */ + ret = -EINVAL; + if (off + len > src->i_size || off + len < off) diff --git a/queue-4.17/btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch b/queue-4.17/btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch new file mode 100644 index 00000000000..19af443ec33 --- /dev/null +++ b/queue-4.17/btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch 
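Review bot: The moved NODATASUM check keeps the old one-line comment `/* don't make the dst file partly checksummed */`, which says nothing about why the block now has to sit below `inode_lock(src)`; the placement is the whole point of the change and is easy to undo in a later refactor. Suggest extending it to `/* don't make the dst file partly checksummed; checked under the inode locks so a concurrent setflags cannot flip NODATASUM after the test */`. The `out_unlock` label and the locking of `inode` are outside the hunk, so I could not confirm that the label releases both inodes. btrfs_clone_files starts and ends outside the hunk.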
@@ -0,0 +1,83 @@ +From fd4e994bd1f9dc9628e168a7f619bf69f6984635 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Tue, 22 May 2018 15:44:01 -0700 +Subject: Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() + +From: Omar Sandoval + +commit fd4e994bd1f9dc9628e168a7f619bf69f6984635 upstream. + +If we have invalid flags set, when we error out we must drop our writer +counter and free the buffer we allocated for the arguments. This bug is +trivially reproduced with the following program on 4.7+: + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + int main(int argc, char **argv) + { + struct btrfs_ioctl_vol_args_v2 vol_args = { + .flags = UINT64_MAX, + }; + int ret; + int fd; + + if (argc != 2) { + fprintf(stderr, "usage: %s PATH\n", argv[0]); + return EXIT_FAILURE; + } + + fd = open(argv[1], O_WRONLY); + if (fd == -1) { + perror("open"); + return EXIT_FAILURE; + } + + ret = ioctl(fd, BTRFS_IOC_RM_DEV_V2, &vol_args); + if (ret == -1) + perror("ioctl"); + + close(fd); + return EXIT_SUCCESS; + } + +When unmounting the filesystem, we'll hit the +WARN_ON(mnt_get_writers(mnt)) in cleanup_mnt() and also may prevent the +filesystem to be remounted read-only as the writer count will stay +lifted. 
+
+Fixes: 6b526ed70cf1 ("btrfs: introduce device delete by devid")
+CC: stable@vger.kernel.org # 4.9+
+Signed-off-by: Omar Sandoval
+Reviewed-by: Su Yue
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/ioctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2654,8 +2654,10 @@ static long btrfs_ioctl_rm_dev_v2(struct
+ }
+
+ /* Check for compatibility reject unknown flags */
+- if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED)
+- return -EOPNOTSUPP;
++ if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED) {
++ ret = -EOPNOTSUPP;
++ goto out;
++ }
+
+ if (test_and_set_bit(BTRFS_FS_EXCL_OP, &fs_info->flags)) {
+ ret = BTRFS_ERROR_DEV_EXCL_RUN_IN_PROGRESS;
diff --git a/queue-4.17/btrfs-return-error-value-if-create_io_em-failed-in-cow_file_range.patch b/queue-4.17/btrfs-return-error-value-if-create_io_em-failed-in-cow_file_range.patch
new file mode 100644
index 00000000000..44ecd516f59
--- /dev/null
+++ b/queue-4.17/btrfs-return-error-value-if-create_io_em-failed-in-cow_file_range.patch
@@ -0,0 +1,40 @@
+From 090a127afa8f73e9618d4058d6755f7ec7453dd6 Mon Sep 17 00:00:00 2001
+From: Su Yue
+Date: Wed, 30 May 2018 16:48:56 +0800
+Subject: btrfs: return error value if create_io_em failed in cow_file_range
+
+From: Su Yue
+
+commit 090a127afa8f73e9618d4058d6755f7ec7453dd6 upstream.
+
+In cow_file_range(), create_io_em() may fail, but its return value is
+not recorded. Then return value may be 0 even it failed which is a
+wrong behavior.
+
+Let cow_file_range() return PTR_ERR(em) if create_io_em() failed.
+
+Fixes: 6f9994dbabe5 ("Btrfs: create a helper to create em for IO")
+CC: stable@vger.kernel.org # 4.11+
+Signed-off-by: Su Yue
+Reviewed-by: Nikolay Borisov
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1018,8 +1018,10 @@ static noinline int cow_file_range(struc
+ ram_size, /* ram_bytes */
+ BTRFS_COMPRESS_NONE, /* compress_type */
+ BTRFS_ORDERED_REGULAR /* type */);
+- if (IS_ERR(em))
++ if (IS_ERR(em)) {
++ ret = PTR_ERR(em);
+ goto out_reserve;
++ }
+ free_extent_map(em);
+
+ ret = btrfs_add_ordered_extent(inode, start, ins.objectid,
diff --git a/queue-4.17/btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch b/queue-4.17/btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch
new file mode 100644
index 00000000000..ab5d1b174c5
--- /dev/null
+++ b/queue-4.17/btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch
@@ -0,0 +1,67 @@ +From ac0b4145d662a3b9e34085dea460fb06ede9b69b Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 5 Jun 2018 12:36:56 +0800 +Subject: btrfs: scrub: Don't use inode pages for device replace + +From: Qu Wenruo + +commit ac0b4145d662a3b9e34085dea460fb06ede9b69b upstream. + +[BUG] +Btrfs can create compressed extent without checksum (even though it +shouldn't), and if we then try to replace device containing such extent, +the result device will contain all the uncompressed data instead of the +compressed one. + +Test case already submitted to fstests: +https://patchwork.kernel.org/patch/10442353/ + +[CAUSE] +When handling compressed extent without checksum, device replace will +goe into copy_nocow_pages() function. + +In that function, btrfs will get all inodes referring to this data +extents and then use find_or_create_page() to get pages direct from that +inode. + +The problem here is, pages directly from inode are always uncompressed. +And for compressed data extent, they mismatch with on-disk data. +Thus this leads to corrupted compressed data extent written to replace +device. + +[FIX] +In this attempt, we could just remove the "optimization" branch, and let +unified scrub_pages() to handle it. + +Although scrub_pages() won't bother reusing page cache, it will be a +little slower, but it does the correct csum checking and won't cause +such data corruption caused by "optimization". + +Note about the fix: this is the minimal fix that can be backported to +older stable trees without conflicts. The whole callchain from +copy_nocow_pages() can be deleted, and will be in followup patches. 
+
+Fixes: ff023aac3119 ("Btrfs: add code to scrub to copy read data to another disk")
+CC: stable@vger.kernel.org # 4.4+
+Reported-by: James Harvey
+Reviewed-by: James Harvey
+Signed-off-by: Qu Wenruo
+[ remove code removal, add note why ]
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/scrub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2799,7 +2799,7 @@ static int scrub_extent(struct scrub_ctx
+ have_csum = scrub_find_csum(sctx, logical, csum);
+ if (have_csum == 0)
+ ++sctx->stat.no_csum;
+- if (sctx->is_dev_replace && !have_csum) {
++ if (0 && sctx->is_dev_replace && !have_csum) {
+ ret = copy_nocow_pages(sctx, logical, l,
+ mirror_num,
+ physical_for_dev_replace);
diff --git a/queue-4.17/driver-core-don-t-ignore-class_dir_create_and_add-failure.patch b/queue-4.17/driver-core-don-t-ignore-class_dir_create_and_add-failure.patch
new file mode 100644
index 00000000000..575fb2f85ac
--- /dev/null
+++ b/queue-4.17/driver-core-don-t-ignore-class_dir_create_and_add-failure.patch
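Review bot: `if (0 && sctx->is_dev_replace && !have_csum)` leaves a permanently dead branch with nothing at the site to say why, so it reads like leftover debugging rather than the deliberate, backport-friendly disable the commit message describes. Put the reason next to the condition, e.g. `/* copy_nocow_pages() reads uncompressed inode pages and writes wrong data for compressed extents without csum; disabled until the callchain is removed */`. scrub_extent starts and ends outside the hunk.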
@@ -0,0 +1,79 @@ +From 84d0c27d6233a9ba0578b20f5a09701eb66cee42 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 7 May 2018 19:10:31 +0900 +Subject: driver core: Don't ignore class_dir_create_and_add() failure. + +From: Tetsuo Handa + +commit 84d0c27d6233a9ba0578b20f5a09701eb66cee42 upstream. + +syzbot is hitting WARN() at kernfs_add_one() [1]. +This is because kernfs_create_link() is confused by previous device_add() +call which continued without setting dev->kobj.parent field when +get_device_parent() failed by memory allocation fault injection. +Fix this by propagating the error from class_dir_create_and_add() to +the calllers of get_device_parent(). + +[1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116f + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Greg Kroah-Hartman +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -1467,7 +1467,7 @@ class_dir_create_and_add(struct class *c + + dir = kzalloc(sizeof(*dir), GFP_KERNEL); + if (!dir) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + dir->class = class; + kobject_init(&dir->kobj, &class_dir_ktype); +@@ -1477,7 +1477,7 @@ class_dir_create_and_add(struct class *c + retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name); + if (retval < 0) { + kobject_put(&dir->kobj); +- return NULL; ++ return ERR_PTR(retval); + } + return &dir->kobj; + } +@@ -1784,6 +1784,10 @@ int device_add(struct device *dev) + + parent = get_device(dev->parent); + kobj = get_device_parent(dev, parent); ++ if (IS_ERR(kobj)) { ++ error = PTR_ERR(kobj); ++ goto parent_error; ++ } + if (kobj) + dev->kobj.parent = kobj; + +@@ -1882,6 +1886,7 @@ done: + kobject_del(&dev->kobj); + Error: + cleanup_glue_dir(dev, glue_dir); ++parent_error: + put_device(parent); + name_error: + kfree(dev->p); +@@ -2701,6 +2706,11 @@ int device_move(struct device 
*dev, stru + device_pm_lock(); + new_parent = get_device(new_parent); + new_parent_kobj = get_device_parent(dev, new_parent); ++ if (IS_ERR(new_parent_kobj)) { ++ error = PTR_ERR(new_parent_kobj); ++ put_device(new_parent); ++ goto out; ++ } + + pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev), + __func__, new_parent ? dev_name(new_parent) : ""); diff --git a/queue-4.17/ext4-bubble-errors-from-ext4_find_inline_data_nolock-up-to-ext4_iget.patch b/queue-4.17/ext4-bubble-errors-from-ext4_find_inline_data_nolock-up-to-ext4_iget.patch new file mode 100644 index 00000000000..1dee1da9c39 --- /dev/null +++ b/queue-4.17/ext4-bubble-errors-from-ext4_find_inline_data_nolock-up-to-ext4_iget.patch 
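Review bot: get_device_parent() can now hand back an ERR_PTR because class_dir_create_and_add() does, and the only callers fixed here are device_add() and device_move(); any other caller that tests the result only against NULL would from now on treat the error pointer as a valid kobject and dereference it, so each remaining caller needs the same `IS_ERR()` check, and class_dir_create_and_add()'s comment should state that it returns `ERR_PTR()` rather than NULL on failure. In device_move() the new path does `put_device(new_parent); goto out;` while device_add() jumps to a `parent_error` label placed to reuse the existing `put_device(parent)`; both look correct, but the asymmetry deserves a short comment since both functions continue outside the hunks. get_device_parent() itself is not in the diff, so whether it passes the ERR_PTR through unchanged is inferred from the commit message.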
@@ -0,0 +1,65 @@
+From eb9b5f01c33adebc31cbc236c02695f605b0e417 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Tue, 22 May 2018 17:14:07 -0400
+Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
+
+From: Theodore Ts'o
+
+commit eb9b5f01c33adebc31cbc236c02695f605b0e417 upstream.
+
+If ext4_find_inline_data_nolock() returns an error it needs to get
+reflected up to ext4_iget(). In order to fix this,
+ext4_iget_extra_inode() needs to return an error (and not return
+void).
+
+This is related to "ext4: do not allow external inodes for inline
+data" (which fixes CVE-2018-11412) in that in the errors=continue
+case, it would be useful to for userspace to receive an error
+indicating that file system is corrupted.
+
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/inode.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4701,19 +4701,21 @@ static blkcnt_t ext4_inode_blocks(struct
+ }
+ }
+ 
+-static inline void ext4_iget_extra_inode(struct inode *inode,
++static inline int ext4_iget_extra_inode(struct inode *inode,
+ struct ext4_inode *raw_inode,
+ struct ext4_inode_info *ei)
+ {
+ __le32 *magic = (void *)raw_inode +
+ EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
++
+ if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
+ EXT4_INODE_SIZE(inode->i_sb) &&
+ *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
+ ext4_set_inode_state(inode, EXT4_STATE_XATTR);
+- ext4_find_inline_data_nolock(inode);
++ return ext4_find_inline_data_nolock(inode);
+ } else
+ EXT4_I(inode)->i_inline_off = 0;
++ return 0;
+ }
+ 
+ int ext4_get_projid(struct inode *inode, kprojid_t *projid)
+@@ -4893,7 +4895,9 @@ struct inode *ext4_iget(struct super_blo
+ ei->i_extra_isize = sizeof(struct ext4_inode) -
+ EXT4_GOOD_OLD_INODE_SIZE;
+ } else {
+- ext4_iget_extra_inode(inode, raw_inode, ei);
++ ret = ext4_iget_extra_inode(inode, raw_inode, ei);
++ if (ret)
++ goto bad_inode;
+ }
+ }
+ 
diff --git a/queue-4.17/ext4-correctly-handle-a-zero-length-xattr-with-a-non-zero-e_value_offs.patch b/queue-4.17/ext4-correctly-handle-a-zero-length-xattr-with-a-non-zero-e_value_offs.patch
new file mode 100644
index 00000000000..1956e7649dc
--- /dev/null
+++ b/queue-4.17/ext4-correctly-handle-a-zero-length-xattr-with-a-non-zero-e_value_offs.patch
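Review bot: The rewritten ext4_iget_extra_inode() braces the `if` arm but leaves the `else` unbraced, and the new `return 0;` placed right after it reads at a glance as part of the else; kernel style asks for braces on both arms once one of them needs them. Suggested: `} else {` / `EXT4_I(inode)->i_inline_off = 0;` / `}` with `return 0;` following the closing brace. Because this is a `static inline` whose result was previously discarded, any other caller in inode.c would now need to check the return as ext4_iget() does; none is visible in the hunk. ext4_iget() and its `bad_inode` label are outside the hunk.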
@@ -0,0 +1,69 @@
+From 8a2b307c21d4b290e3cbe33f768f194286d07c23 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 23 May 2018 11:31:03 -0400
+Subject: ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
+
+From: Theodore Ts'o
+
+commit 8a2b307c21d4b290e3cbe33f768f194286d07c23 upstream.
+
+Ext4 will always create ext4 extended attributes which do not have a
+value (where e_value_size is zero) with e_value_offs set to zero. In
+most places e_value_offs will not be used in a substantive way if
+e_value_size is zero.
+
+There was one exception to this, which is in ext4_xattr_set_entry(),
+where if there is a maliciously crafted file system where there is an
+extended attribute with e_value_offs is non-zero and e_value_size is
+0, the attempt to remove this xattr will result in a negative value
+getting passed to memmove, leading to the following sadness:
+
+[ 41.225365] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
+[ 44.538641] BUG: unable to handle kernel paging request at ffff9ec9a3000000
+[ 44.538733] IP: __memmove+0x81/0x1a0
+[ 44.538755] PGD 1249bd067 P4D 1249bd067 PUD 1249c1067 PMD 80000001230000e1
+[ 44.538793] Oops: 0003 [#1] SMP PTI
+[ 44.539074] CPU: 0 PID: 1470 Comm: poc Not tainted 4.16.0-rc1+ #1
+ ...
+[ 44.539475] Call Trace:
+[ 44.539832] ext4_xattr_set_entry+0x9e7/0xf80
+ ...
+[ 44.539972] ext4_xattr_block_set+0x212/0xea0
+ ...
+[ 44.540041] ext4_xattr_set_handle+0x514/0x610
+[ 44.540065] ext4_xattr_set+0x7f/0x120
+[ 44.540090] __vfs_removexattr+0x4d/0x60
+[ 44.540112] vfs_removexattr+0x75/0xe0
+[ 44.540132] removexattr+0x4d/0x80
+ ...
+[ 44.540279] path_removexattr+0x91/0xb0
+[ 44.540300] SyS_removexattr+0xf/0x20
+[ 44.540322] do_syscall_64+0x71/0x120
+[ 44.540344] entry_SYSCALL_64_after_hwframe+0x21/0x86
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199347
+
+This addresses CVE-2018-10840.
+
+Reported-by: "Xu, Wen"
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+Cc: stable@kernel.org
+Fixes: dec214d00e0d7 ("ext4: xattr inode deduplication")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1688,7 +1688,7 @@ static int ext4_xattr_set_entry(struct e
+ 
+ /* No failures allowed past this point. */
+ 
+- if (!s->not_found && here->e_value_offs) {
++ if (!s->not_found && here->e_value_size && here->e_value_offs) {
+ /* Remove the old value. */
+ void *first_val = s->base + min_offs;
+ size_t offs = le16_to_cpu(here->e_value_offs);
diff --git a/queue-4.17/ext4-do-not-allow-external-inodes-for-inline-data.patch b/queue-4.17/ext4-do-not-allow-external-inodes-for-inline-data.patch
new file mode 100644
index 00000000000..8bc33896fc2
--- /dev/null
+++ b/queue-4.17/ext4-do-not-allow-external-inodes-for-inline-data.patch
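Review bot: The added `here->e_value_size &&` term is a guard against a crafted image, yet it carries no explanation, so a later cleanup could fold it back out as redundant; a comment above the `if` such as `/* A zero-length value owns no bytes: ignore e_value_offs so a bogus offset cannot hand memmove() a negative length. */` would anchor it. Whether an entry with e_value_size == 0 and a non-zero e_value_offs should additionally be rejected as corruption where xattr entries are validated, rather than silently tolerated at the removal site, is worth confirming; that validation code is not in this hunk. ext4_xattr_set_entry() begins and ends outside the hunk.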
@@ -0,0 +1,48 @@
+From 117166efb1ee8f13c38f9e96b258f16d4923f888 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Tue, 22 May 2018 16:15:24 -0400
+Subject: ext4: do not allow external inodes for inline data
+
+From: Theodore Ts'o
+
+commit 117166efb1ee8f13c38f9e96b258f16d4923f888 upstream.
+
+The inline data feature was implemented before we added support for
+external inodes for xattrs. It makes no sense to support that
+combination, but the problem is that there are a number of extended
+attribute checks that are skipped if e_value_inum is non-zero.
+
+Unfortunately, the inline data code is completely e_value_inum
+unaware, and attempts to interpret the xattr fields as if it were an
+inline xattr --- at which point, Hilarty Ensues.
+
+This addresses CVE-2018-11412.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199803
+
+Reported-by: Jann Horn
+Reviewed-by: Andreas Dilger
+Signed-off-by: Theodore Ts'o
+Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/inline.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -144,6 +144,12 @@ int ext4_find_inline_data_nolock(struct
+ goto out;
+ 
+ if (!is.s.not_found) {
++ if (is.s.here->e_value_inum) {
++ EXT4_ERROR_INODE(inode, "inline data xattr refers "
++ "to an external xattr inode");
++ error = -EFSCORRUPTED;
++ goto out;
++ }
+ EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
+ (void *)ext4_raw_inode(&is.iloc));
+ EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
diff --git a/queue-4.17/ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch b/queue-4.17/ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch
new file mode 100644
index 00000000000..745d8da271a
--- /dev/null
+++ b/queue-4.17/ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch
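Review bot: The new -EFSCORRUPTED return is only acted on once the "bubble errors" patch that follows this one in the series (see the series file order) is applied; with this patch alone, ext4_iget_extra_inode() still discards the result, so the inode is loaded with i_inline_off left at whatever value it held before the `goto out`, which appears to be the safe outcome but deserves confirming. The user-visible message is split across two string literals, `"inline data xattr refers " "to an external xattr inode"`, which checkpatch flags; keeping it on one line keeps it greppable. The rest of ext4_find_inline_data_nolock(), including the `out` label, is outside the hunk.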
@@ -0,0 +1,37 @@
+From 4f2f76f751433908364ccff82f437a57d0e6e9b7 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Fri, 25 May 2018 12:51:25 -0400
+Subject: ext4: fix fencepost error in check for inode count overflow during resize
+
+From: Jan Kara
+
+commit 4f2f76f751433908364ccff82f437a57d0e6e9b7 upstream.
+
+ext4_resize_fs() has an off-by-one bug when checking whether growing of
+a filesystem will not overflow inode count. As a result it allows a
+filesystem with 8192 inodes per group to grow to 64TB which overflows
+inode count to 0 and makes filesystem unusable. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b
+Reported-by: Jaco Kroon
+Signed-off-by: Jan Kara
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1933,7 +1933,7 @@ retry:
+ return 0;
+ 
+ n_group = ext4_get_group_number(sb, n_blocks_count - 1);
+- if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
++ if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
+ ext4_warning(sb, "resize would cause inodes_count overflow");
+ return -EINVAL;
+ }
diff --git a/queue-4.17/ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch b/queue-4.17/ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch
new file mode 100644
index 00000000000..538b640a6d8
--- />
+++ b/queue-4.17/ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch
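Review bot: The corrected `>=` is right only because n_group is a zero-based group index, so the inode count after the resize is `(n_group + 1) * EXT4_INODES_PER_GROUP(sb)`; that reasoning is exactly what the original test got wrong and it is stated nowhere in the code. A comment above the test, `/* n_group is zero-based: (n_group + 1) * inodes_per_group must fit in the 32-bit inode count */`, would keep the fencepost from regressing. ext4_resize_fs() continues outside the hunk.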
@@ -0,0 +1,52 @@
+From 2ee3ee06a8fd792765fa3267ddf928997797eec5 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Sat, 12 May 2018 19:55:00 -0400
+Subject: ext4: fix hole length detection in ext4_ind_map_blocks()
+
+From: Jan Kara
+
+commit 2ee3ee06a8fd792765fa3267ddf928997797eec5 upstream.
+
+When ext4_ind_map_blocks() computes a length of a hole, it doesn't count
+with the fact that mapped offset may be somewhere in the middle of the
+completely empty subtree. In such case it will return too large length
+of the hole which then results in lseek(SEEK_DATA) to end up returning
+an incorrect offset beyond the end of the hole.
+
+Fix the problem by correctly taking offset within a subtree into account
+when computing a length of a hole.
+
+Fixes: facab4d9711e7aa3532cb82643803e8f1b9518e8
+CC: stable@vger.kernel.org
+Reported-by: Jeff Mahoney
+Signed-off-by: Jan Kara
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/indirect.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -561,10 +561,16 @@ int ext4_ind_map_blocks(handle_t *handle
+ unsigned epb = inode->i_sb->s_blocksize / sizeof(u32);
+ int i;
+ 
+- /* Count number blocks in a subtree under 'partial' */
+- count = 1;
+- for (i = 0; partial + i != chain + depth - 1; i++)
+- count *= epb;
++ /*
++ * Count number blocks in a subtree under 'partial'. At each
++ * level we count number of complete empty subtrees beyond
++ * current offset and then descend into the subtree only
++ * partially beyond current offset.
++ */
++ count = 0;
++ for (i = partial - chain + 1; i < depth; i++)
++ count = count * epb + (epb - offsets[i] - 1);
++ count++;
+ /* Fill in size of a hole we found */
+ map->m_pblk = 0;
+ map->m_len = min_t(unsigned int, map->m_len, count);
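Review bot: The trailing `count++;` is the block at the final offset itself, which the loop's `(epb - offsets[i] - 1)` term deliberately leaves out, and a reader can easily mistake it for an off-by-one patch; a short comment on that line, `/* plus the block at the current offset itself */`, would settle it. count's declaration is outside the hunk; if it is a signed int, the product accumulated over the chain can exceed its range for large block sizes, as the previous multiplication could as well, so the type is worth confirming. The new formula also relies on offsets[i] < epb at every level, which the block-chain lookup presumably guarantees but is not visible here.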
diff --git a/queue-4.17/ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch b/queue-4.17/ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch
new file mode 100644
index 00000000000..f04862cd8c1
--- /dev/null
+++ b/queue-4.17/ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch
@@ -0,0 +1,77 @@
+From eee597ac931305eff3d3fd1d61d6aae553bc0984 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner
+Date: Sun, 13 May 2018 19:28:35 -0400
+Subject: ext4: update mtime in ext4_punch_hole even if no blocks are released
+
+From: Lukas Czerner
+
+commit eee597ac931305eff3d3fd1d61d6aae553bc0984 upstream.
+
+Currently in ext4_punch_hole we're going to skip the mtime update if
+there are no actual blocks to release. However we've actually modified
+the file by zeroing the partial block so the mtime should be updated.
+
+Moreover the sync and datasync handling is skipped as well, which is
+also wrong. Fix it.
+
+Signed-off-by: Lukas Czerner
+Signed-off-by: Theodore Ts'o
+Reported-by: Joe Habermann
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/inode.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4298,28 +4298,28 @@ int ext4_punch_hole(struct inode *inode,
+ EXT4_BLOCK_SIZE_BITS(sb);
+ stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);
+ 
+- /* If there are no blocks to remove, return now */
+- if (first_block >= stop_block)
+- goto out_stop;
+-
+- down_write(&EXT4_I(inode)->i_data_sem);
+- ext4_discard_preallocations(inode);
+-
+- ret = ext4_es_remove_extent(inode, first_block,
+- stop_block - first_block);
+- if (ret) {
+- up_write(&EXT4_I(inode)->i_data_sem);
+- goto out_stop;
+- }
++ /* If there are blocks to remove, do it */
++ if (stop_block > first_block) {
++
++ down_write(&EXT4_I(inode)->i_data_sem);
++ ext4_discard_preallocations(inode);
+ 
+- if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+- ret = ext4_ext_remove_space(inode, first_block,
+- stop_block - 1);
+- else
+- ret = ext4_ind_remove_space(handle, inode, first_block,
+- stop_block);
++ ret = ext4_es_remove_extent(inode, first_block,
++ stop_block - first_block);
++ if (ret) {
++ up_write(&EXT4_I(inode)->i_data_sem);
++ goto out_stop;
++ }
++
++ if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
++ ret = ext4_ext_remove_space(inode, first_block,
++ stop_block - 1);
++ else
++ ret = ext4_ind_remove_space(handle, inode, first_block,
++ stop_block);
+ 
+- up_write(&EXT4_I(inode)->i_data_sem);
++ up_write(&EXT4_I(inode)->i_data_sem);
++ }
+ if (IS_SYNC(inode))
+ ext4_handle_sync(handle);
+ 
diff --git a/queue-4.17/series b/queue-4.17/series
index b46bed2858a..8029605d08b 100644
--- a/queue-4.17/series
+++ b/queue-4.17/series
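Review bot: The blank line placed immediately after `if (stop_block > first_block) {` makes the new block read as two unrelated steps; dropping it is a style nit, and the comment could say what the block is skipping for, e.g. `/* Release the whole blocks, if any; the partial-block zeroing above already dirtied the file */`. On the ext4_es_remove_extent() failure path `goto out_stop` still bypasses the IS_SYNC handling and the mtime update this change is meant to reach, which is presumably intended for an error return but is worth a word in the comment. The mtime update itself and the `out_stop` label lie outside the hunk.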
@@ -12,3 +12,23 @@ socket-close-race-condition-between-sock_close-and-sockfs_setattr.patch
 udp-fix-rx-queue-len-reported-by-diag-and-proc-interface.patch
 net-in-virtio_net_hdr-only-add-vlan_hlen-to-csum_start-if-payload-holds-vlan.patch
 hv_netvsc-fix-a-network-regression-after-ifdown-ifup.patch
+acpica-aml-parser-attempt-to-continue-loading-table-after-error.patch
+ext4-fix-hole-length-detection-in-ext4_ind_map_blocks.patch
+ext4-update-mtime-in-ext4_punch_hole-even-if-no-blocks-are-released.patch
+ext4-do-not-allow-external-inodes-for-inline-data.patch
+ext4-bubble-errors-from-ext4_find_inline_data_nolock-up-to-ext4_iget.patch
+ext4-correctly-handle-a-zero-length-xattr-with-a-non-zero-e_value_offs.patch
+ext4-fix-fencepost-error-in-check-for-inode-count-overflow-during-resize.patch
+driver-core-don-t-ignore-class_dir_create_and_add-failure.patch
+btrfs-allow-empty-subvol-again.patch
+btrfs-fix-clone-vs-chattr-nodatasum-race.patch
+btrfs-fix-memory-and-mount-leak-in-btrfs_ioctl_rm_dev_v2.patch
+btrfs-return-error-value-if-create_io_em-failed-in-cow_file_range.patch
+btrfs-scrub-don-t-use-inode-pages-for-device-replace.patch
+alsa-usb-audio-disable-the-quirk-for-nura-headset.patch
+alsa-hda-realtek-enable-mic-mute-hotkey-for-several-lenovo-aios.patch
+alsa-hda-conexant-add-fixup-for-hp-z2-g4-workstation.patch
+alsa-hda-handle-kzalloc-failure-in-snd_hda_attach_pcm_stream.patch
+alsa-hda-add-dock-and-led-support-for-hp-elitebook-830-g5.patch
+alsa-hda-add-dock-and-led-support-for-hp-probook-640-g4.patch
+x86-mce-fix-stack-out-of-bounds-write-in-mce-inject.c-flags_read.patch
diff --git a/queue-4.17/x86-mce-fix-stack-out-of-bounds-write-in-mce-inject.c-flags_read.patch b/queue-4.17/x86-mce-fix-stack-out-of-bounds-write-in-mce-inject.c-flags_read.patch
new file mode 100644
index 00000000000..83ba9f7c12c
--- /dev/null
+++ b/queue-4.17/x86-mce-fix-stack-out-of-bounds-write-in-mce-inject.c-flags_read.patch
@@ -0,0 +1,46 @@
+From 985c78d3ff8e9c74450fa2bb08eb55e680d999ca Mon Sep 17 00:00:00 2001
+From: "Luck, Tony"
+Date: Fri, 27 Apr 2018 09:37:08 -0700
+Subject: x86/MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read()
+
+From: Tony Luck
+
+commit 985c78d3ff8e9c74450fa2bb08eb55e680d999ca upstream.
+
+Each of the strings that we want to put into the buf[MAX_FLAG_OPT_SIZE]
+in flags_read() is two characters long. But the sprintf() adds
+a trailing newline and will add a terminating NUL byte. So
+MAX_FLAG_OPT_SIZE needs to be 4.
+
+sprintf() calls vsnprintf() and *that* does return:
+
+" * The return value is the number of characters which would
+ * be generated for the given input, excluding the trailing
+ * '\0', as per ISO C99."
+
+Note the "excluding".
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Tony Luck
+Signed-off-by: Borislav Petkov
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Cc: linux-edac
+Link: http://lkml.kernel.org/r/20180427163707.ktaiysvbk3yhk4wm@agluck-desk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
++++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
+@@ -48,7 +48,7 @@ static struct dentry *dfs_inj;
+ 
+ static u8 n_banks;
+ 
+-#define MAX_FLAG_OPT_SIZE 3
++#define MAX_FLAG_OPT_SIZE 4
+ #define NBCFG 0x44
+ 
+ enum injection_type {
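Review bot: `MAX_FLAG_OPT_SIZE 4` is still a bare number whose derivation (a two-character flag name, the newline that sprintf() appends, and the terminating NUL) lives only in the commit message; a comment on the define, `/* longest flag name (2 chars) + '\n' + NUL */`, would stop the next flag addition from repeating the overflow. flags_read() is outside the hunk; a fixed-size stack buffer filled by sprintf() is fragile by construction, and switching that call to a size-bounded variant such as scnprintf() would turn the buffer size from a constant that must be kept in sync into a hard limit the compiler can see.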