From: Greg Kroah-Hartman
Date: Sat, 7 Dec 2019 12:25:09 +0000 (+0100)
Subject: 5.3-stable patches
X-Git-Tag: v5.4.3~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c387a07ab020ba6ab8db26d6dd429820d0076c5b;p=thirdparty%2Fkernel%2Fstable-queue.git
5.3-stable patches
added patches:
fuse-verify-attributes.patch
fuse-verify-nlink.patch
io_uring-transform-send-recvmsg-erestartsys-to-eintr.patch
---
diff --git a/queue-5.3/fuse-verify-attributes.patch b/queue-5.3/fuse-verify-attributes.patch
new file mode 100644
index 00000000000..39515a91cfc
--- /dev/null
+++ b/queue-5.3/fuse-verify-attributes.patch
@@ -0,0 +1,124 @@
+From eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Tue, 12 Nov 2019 11:49:04 +0100
+Subject: fuse: verify attributes
+
+From: Miklos Szeredi
+
+commit eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 upstream.
+
+If a filesystem returns negative inode sizes, future reads on the file were
+causing the cpu to spin on truncate_pagecache.
+
+Create a helper to validate the attributes. This now does two things:
+
+ - check the file mode
+ - check if the file size fits in i_size without overflowing
+
+Reported-by: Arijit Banerjee
+Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
+Cc: # v2.6.14
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dir.c | 22 ++++++++++++++++------
+ fs/fuse/fuse_i.h | 2 ++
+ fs/fuse/readdir.c | 2 +-
+ 3 files changed, 19 insertions(+), 7 deletions(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -214,7 +214,8 @@ static int fuse_dentry_revalidate(struct
+ kfree(forget);
+ if (ret == -ENOMEM)
+ goto out;
+- if (ret || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
++ if (ret || fuse_invalid_attr(&outarg.attr) ||
++ (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
+ goto invalid;
+
+ forget_all_cached_acls(inode);
+@@ -272,6 +273,12 @@ int fuse_valid_type(int m)
+ S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);
+ }
+
++bool fuse_invalid_attr(struct fuse_attr *attr)
++{
++ return !fuse_valid_type(attr->mode) ||
++ attr->size > LLONG_MAX;
++}
++
+ int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name,
+ struct fuse_entry_out *outarg, struct inode **inode)
+ {
+@@ -303,7 +310,7 @@ int fuse_lookup_name(struct super_block
+ err = -EIO;
+ if (!outarg->nodeid)
+ goto out_put_forget;
+- if (!fuse_valid_type(outarg->attr.mode))
++ if (fuse_invalid_attr(&outarg->attr))
+ goto out_put_forget;
+
+ *inode = fuse_iget(sb, outarg->nodeid, outarg->generation,
+@@ -427,7 +434,8 @@ static int fuse_create_open(struct inode
+ goto out_free_ff;
+
+ err = -EIO;
+- if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid))
++ if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||
++ fuse_invalid_attr(&outentry.attr))
+ goto out_free_ff;
+
+ ff->fh = outopen.fh;
+@@ -535,7 +543,7 @@ static int create_new_entry(struct fuse_
+ goto out_put_forget_req;
+
+ err = -EIO;
+- if (invalid_nodeid(outarg.nodeid))
++ if (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))
+ goto out_put_forget_req;
+
+ if ((outarg.attr.mode ^ mode) & S_IFMT)
+@@ -895,7 +903,8 @@ static int fuse_do_getattr(struct inode
+ args.out.args[0].value = &outarg;
+ err = fuse_simple_request(fc, &args);
+ if (!err) {
+- if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
++ if (fuse_invalid_attr(&outarg.attr) ||
++ (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+ make_bad_inode(inode);
+ err = -EIO;
+ } else {
+@@ -1518,7 +1527,8 @@ int fuse_do_setattr(struct dentry *dentr
+ goto error;
+ }
+
+- if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
++ if (fuse_invalid_attr(&outarg.attr) ||
++ (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+ make_bad_inode(inode);
+ err = -EIO;
+ goto error;
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -1008,6 +1008,8 @@ void fuse_ctl_remove_conn(struct fuse_co
+ */
+ int fuse_valid_type(int m);
+
++bool fuse_invalid_attr(struct fuse_attr *attr);
++
+ /**
+ * Is current process allowed to perform filesystem operation?
+ */
+--- a/fs/fuse/readdir.c
++++ b/fs/fuse/readdir.c
+@@ -184,7 +184,7 @@ static int fuse_direntplus_link(struct f
+
+ if (invalid_nodeid(o->nodeid))
+ return -EIO;
+- if (!fuse_valid_type(o->attr.mode))
++ if (fuse_invalid_attr(&o->attr))
+ return -EIO;
+
+ fc = get_fuse_conn(dir);
diff --git a/queue-5.3/fuse-verify-nlink.patch b/queue-5.3/fuse-verify-nlink.patch
new file mode 100644
index 00000000000..34f7f46fa94
--- /dev/null
+++ b/queue-5.3/fuse-verify-nlink.patch
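Review bot: The `fuse_invalid_attr()` declaration added to fs/fuse/fuse_i.h carries no comment, although the declarations on either side of it have `/** … */` descriptions, and its definition in fs/fuse/dir.c is equally bare. Because the attributes being checked are whatever the filesystem returned in its reply, a one-line contract would help the next reader: `/** Is the returned attribute unusable: unknown file type, or a size that does not fit in i_size? */`. The helper only reads through its argument, so the prototype could also be `bool fuse_invalid_attr(const struct fuse_attr *attr);`. Both neighbouring comment blocks start or end outside the hunk.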
@@ -0,0 +1,32 @@
+From c634da718db9b2fac201df2ae1b1b095344ce5eb Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Tue, 12 Nov 2019 11:49:04 +0100
+Subject: fuse: verify nlink
+
+From: Miklos Szeredi
+
+commit c634da718db9b2fac201df2ae1b1b095344ce5eb upstream.
+
+When adding a new hard link, make sure that i_nlink doesn't overflow.
+
+Fixes: ac45d61357e8 ("fuse: fix nlink after unlink")
+Cc: # v3.4
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -814,7 +814,8 @@ static int fuse_link(struct dentry *entr
+
+ spin_lock(&fi->lock);
+ fi->attr_version = atomic64_inc_return(&fc->attr_version);
+- inc_nlink(inode);
++ if (likely(inode->i_nlink < UINT_MAX))
++ inc_nlink(inode);
+ spin_unlock(&fi->lock);
+ fuse_invalidate_attr(inode);
+ fuse_update_ctime(inode);
diff --git a/queue-5.3/io_uring-transform-send-recvmsg-erestartsys-to-eintr.patch b/queue-5.3/io_uring-transform-send-recvmsg-erestartsys-to-eintr.patch
new file mode 100644
index 00000000000..c471e1ccc75
--- /dev/null
+++ b/queue-5.3/io_uring-transform-send-recvmsg-erestartsys-to-eintr.patch
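Review bot: In fuse_link() the new `if (likely(inode->i_nlink < UINT_MAX))` guard silently skips the increment once the count is at the limit, and nothing in the hunk records why leaving the cached count unchanged is acceptable. A comment above the guard would state the intent, for example `/* saturate rather than wrap; fuse_invalidate_attr() below forces the cached attributes to be refetched */`. The refetch part is inferred from the call two lines later and should be confirmed before it is written down. The body of fuse_link() starts and ends outside the hunk.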
@@ -0,0 +1,31 @@
+From 441cdbd5449b4923cd413d3ba748124f91388be9 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 2 Dec 2019 18:49:10 -0700
+Subject: io_uring: transform send/recvmsg() -ERESTARTSYS to -EINTR
+
+From: Jens Axboe
+
+commit 441cdbd5449b4923cd413d3ba748124f91388be9 upstream.
+
+We should never return -ERESTARTSYS to userspace, transform it into
+-EINTR.
+
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1535,6 +1535,8 @@ static int io_send_recvmsg(struct io_kio
+ ret = fn(sock, msg, flags);
+ if (force_nonblock && ret == -EAGAIN)
+ return ret;
++ if (ret == -ERESTARTSYS)
++ ret = -EINTR;
+ }
+
+ io_cqring_add_event(req->ctx, sqe->user_data, ret);
diff --git a/queue-5.3/series b/queue-5.3/series
index 934caf0bdde..b72b9e3f6d6 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -41,3 +41,6 @@ net-hns3-fix-ets-bandwidth-validation-bug.patch
 afs-fix-race-in-commit-bulk-status-fetch.patch
 net-ep93xx_eth-fix-mismatch-of-request_mem_region-in.patch
 i2c-core-fix-use-after-free-in-of_i2c_notify.patch
+io_uring-transform-send-recvmsg-erestartsys-to-eintr.patch
+fuse-verify-nlink.patch
+fuse-verify-attributes.patch
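Review bot: In io_send_recvmsg() only `-ERESTARTSYS` is rewritten before `ret` reaches `io_cqring_add_event()`; if `fn` can ever return one of the other kernel-internal restart codes (`-ERESTARTNOINTR`, `-ERESTARTNOHAND`, `-ERESTART_RESTARTBLOCK`), that value would still be posted to the completion queue. Whether those codes are reachable from `fn` is not visible in this hunk, so it is worth checking. At minimum a comment on the new lines would pin the rule down: `/* ret is posted in the CQE as-is; kernel-internal restart codes must not reach userspace */`. The function body starts and ends outside the hunk.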