3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jan 2018 13:41:25 +0000 (14:41 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jan 2018 13:41:25 +0000 (14:41 +0100)
added patches:
fs-fcntl-f_setown-avoid-undefined-behaviour.patch
reiserfs-don-t-preallocate-blocks-for-extended-attributes.patch
reiserfs-fix-race-in-prealloc-discard.patch
scsi-libiscsi-fix-shifting-of-did_requeue-host-byte.patch

queue-3.18/fs-fcntl-f_setown-avoid-undefined-behaviour.patch [new file with mode: 0644]
queue-3.18/reiserfs-don-t-preallocate-blocks-for-extended-attributes.patch [new file with mode: 0644]
queue-3.18/reiserfs-fix-race-in-prealloc-discard.patch [new file with mode: 0644]
queue-3.18/scsi-libiscsi-fix-shifting-of-did_requeue-host-byte.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/fs-fcntl-f_setown-avoid-undefined-behaviour.patch b/queue-3.18/fs-fcntl-f_setown-avoid-undefined-behaviour.patch
new file mode 100644 (file)
index 0000000..ed47250
--- /dev/null
@@ -0,0 +1,57 @@
+From fc3dc67471461c0efcb1ed22fb7595121d65fad9 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Tue, 13 Jun 2017 13:35:51 +0200
+Subject: fs/fcntl: f_setown, avoid undefined behaviour
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit fc3dc67471461c0efcb1ed22fb7595121d65fad9 upstream.
+
+fcntl(0, F_SETOWN, 0x80000000) triggers:
+UBSAN: Undefined behaviour in fs/fcntl.c:118:7
+negation of -2147483648 cannot be represented in type 'int':
+CPU: 1 PID: 18261 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
+...
+Call Trace:
+...
+ [<ffffffffad8f0868>] ? f_setown+0x1d8/0x200
+ [<ffffffffad8f19a9>] ? SyS_fcntl+0x999/0xf30
+ [<ffffffffaed1fb00>] ? entry_SYSCALL_64_fastpath+0x23/0xc1
+
+Fix that by checking the arg parameter properly (against INT_MAX) before
+"who = -who". And return immediatelly with -EINVAL in case it is wrong.
+Note that according to POSIX we can return EINVAL:
+    http://pubs.opengroup.org/onlinepubs/9699919799/functions/fcntl.html
+
+    [EINVAL]
+        The cmd argument is F_SETOWN and the value of the argument
+        is not valid as a process or process group identifier.
+
+[v2] returns an error, v1 used to fail silently
+[v3] implement proper check for the bad value INT_MIN
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Jeff Layton <jlayton@poochiereds.net>
+Cc: "J. Bruce Fields" <bfields@fieldses.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fcntl.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -113,6 +113,10 @@ void f_setown(struct file *filp, unsigne
+       int who = arg;
+       type = PIDTYPE_PID;
+       if (who < 0) {
++              /* avoid overflow below */
++              if (who == INT_MIN)
++                      return -EINVAL;
++
+               type = PIDTYPE_PGID;
+               who = -who;
+       }
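Review bot: The added `return -EINVAL;` in the `if (who < 0)` branch returns a value from a function whose hunk header still reads `void f_setown(struct file *filp, unsigne…`, so unless the 3.18 tree also carries the earlier upstream change that made f_setown return int ("fs/fcntl: f_setown, allow returning error"), this compiles with a "'return' with a value, in function returning void" warning and the EINVAL the commit message promises never reaches the fcntl caller — the overflow is avoided but F_SETOWN with INT_MIN silently succeeds. Please confirm the 3.18 signature; if it is still void, either queue the prerequisite commit alongside this one or make the early exit a bare `return;` and say in the backport note that 3.18 fails silently. A one-line comment above the check, `/* -INT_MIN overflows int and INT_MIN is not a valid pgid either */`, would also reconcile the "against INT_MAX" wording of the log with the INT_MIN test in the code. The rest of f_setown's body is outside the hunk.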
diff --git a/queue-3.18/reiserfs-don-t-preallocate-blocks-for-extended-attributes.patch b/queue-3.18/reiserfs-don-t-preallocate-blocks-for-extended-attributes.patch
new file mode 100644 (file)
index 0000000..c99f0fb
--- /dev/null
@@ -0,0 +1,34 @@
+From 54930dfeb46e978b447af0fb8ab4e181c1bf9d7a Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Thu, 22 Jun 2017 16:35:04 -0400
+Subject: reiserfs: don't preallocate blocks for extended attributes
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 54930dfeb46e978b447af0fb8ab4e181c1bf9d7a upstream.
+
+Most extended attributes will fit in a single block.  More importantly,
+we drop the reference to the inode while holding the transaction open
+so the preallocated blocks aren't released.  As a result, the inode
+may be evicted before it's removed from the transaction's prealloc list
+which can cause memory corruption.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/bitmap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/bitmap.c
++++ b/fs/reiserfs/bitmap.c
+@@ -1136,7 +1136,7 @@ static int determine_prealloc_size(reise
+       hint->prealloc_size = 0;
+       if (!hint->formatted_node && hint->preallocate) {
+-              if (S_ISREG(hint->inode->i_mode)
++              if (S_ISREG(hint->inode->i_mode) && !IS_PRIVATE(hint->inode)
+                   && hint->inode->i_size >=
+                   REISERFS_SB(hint->th->t_super)->s_alloc_options.
+                   preallocmin * hint->inode->i_sb->s_blocksize)
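Review bot: The new `&& !IS_PRIVATE(hint->inode)` on the `S_ISREG` line carries none of the reasoning from the commit message, so a reader of determine_prealloc_size cannot tell that excluding private inodes is a correctness fix rather than a space optimisation. Assuming IS_PRIVATE is what marks reiserfs's xattr inodes, as the subject implies, I would add above the `if`: `/* No prealloc for private (xattr) inodes: their inode ref is dropped while the transaction is still open, so the preallocated blocks would not be released before eviction. */`. The condition continues past the end of the hunk and the function starts before it.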
diff --git a/queue-3.18/reiserfs-fix-race-in-prealloc-discard.patch b/queue-3.18/reiserfs-fix-race-in-prealloc-discard.patch
new file mode 100644 (file)
index 0000000..23696a1
--- /dev/null
@@ -0,0 +1,48 @@
+From 08db141b5313ac2f64b844fb5725b8d81744b417 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Thu, 22 Jun 2017 16:47:34 -0400
+Subject: reiserfs: fix race in prealloc discard
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 08db141b5313ac2f64b844fb5725b8d81744b417 upstream.
+
+The main loop in __discard_prealloc is protected by the reiserfs write lock
+which is dropped across schedules like the BKL it replaced.  The problem is
+that it checks the value, calls a routine that schedules, and then adjusts
+the state.  As a result, two threads that are calling
+reiserfs_prealloc_discard at the same time can race when one calls
+reiserfs_free_prealloc_block, the lock is dropped, and the other calls
+reiserfs_free_prealloc_block with the same block number.  In the right
+circumstances, it can cause the prealloc count to go negative.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/bitmap.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/reiserfs/bitmap.c
++++ b/fs/reiserfs/bitmap.c
+@@ -513,9 +513,17 @@ static void __discard_prealloc(struct re
+                              "inode has negative prealloc blocks count.");
+ #endif
+       while (ei->i_prealloc_count > 0) {
+-              reiserfs_free_prealloc_block(th, inode, ei->i_prealloc_block);
+-              ei->i_prealloc_block++;
++              b_blocknr_t block_to_free;
++
++              /*
++               * reiserfs_free_prealloc_block can drop the write lock,
++               * which could allow another caller to free the same block.
++               * We can protect against it by modifying the prealloc
++               * state before calling it.
++               */
++              block_to_free = ei->i_prealloc_block++;
+               ei->i_prealloc_count--;
++              reiserfs_free_prealloc_block(th, inode, block_to_free);
+               dirty = 1;
+       }
+       if (dirty)
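Review bot: The new comment explains why the prealloc state is advanced before the call but not the other half of the invariant the loop now depends on: because reiserfs_free_prealloc_block may drop the write lock, `ei->i_prealloc_count` has to be re-read from the inode on every pass, which the `while` condition does, and nothing in this loop may cache it in a local. I would extend the comment with `* The loop condition re-reads ei->i_prealloc_count each pass; a concurrent discard may have drained the list while the lock was dropped.` so a later cleanup does not hoist the count. Whether the lock is re-taken before the call returns is not visible here; the comment implies it. __discard_prealloc begins before and ends after the hunk.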
diff --git a/queue-3.18/scsi-libiscsi-fix-shifting-of-did_requeue-host-byte.patch b/queue-3.18/scsi-libiscsi-fix-shifting-of-did_requeue-host-byte.patch
new file mode 100644 (file)
index 0000000..6e8aedc
--- /dev/null
@@ -0,0 +1,38 @@
+From eef9ffdf9cd39b2986367bc8395e2772bc1284ba Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Mon, 9 Oct 2017 13:33:19 +0200
+Subject: scsi: libiscsi: fix shifting of DID_REQUEUE host byte
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit eef9ffdf9cd39b2986367bc8395e2772bc1284ba upstream.
+
+The SCSI host byte should be shifted left by 16 in order to have
+scsi_decide_disposition() do the right thing (.i.e. requeue the
+command).
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Fixes: 661134ad3765 ("[SCSI] libiscsi, bnx2i: make bound ep check common")
+Cc: Lee Duncan <lduncan@suse.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Cc: Chris Leech <cleech@redhat.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libiscsi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1727,7 +1727,7 @@ int iscsi_queuecommand(struct Scsi_Host
+       if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) {
+               reason = FAILURE_SESSION_IN_RECOVERY;
+-              sc->result = DID_REQUEUE;
++              sc->result = DID_REQUEUE << 16;
+               goto fault;
+       }
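Review bot: `sc->result = DID_REQUEUE << 16;` spells out the host-byte shift by hand, and the helper `set_host_byte(sc, DID_REQUEUE)` from scsi_cmnd.h states the intent without the magic 16, if it is available in 3.18. The two are not identical: the helper preserves the status, message and driver bytes while the assignment clears them, so switch only if `sc->result` is known to be zero on entry to iscsi_queuecommand or the sibling assignments in this function use the helper — neither is visible in the hunk. If the raw shift stays, a short `/* host byte lives in bits 16..23 of sc->result */` would help the next reader. The `fault` label and the rest of iscsi_queuecommand are outside the hunk.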
index 607f73f81242f0a6a2af697f48683ee970c8034f..b025b7c104e7be5f002c08ad01b348328d7552bc 100644 (file)
@@ -29,3 +29,7 @@ netfilter-restart-search-if-moved-to-other-chain.patch
 netfilter-nf_conntrack_sip-extend-request-line-validation.patch
 netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch
 netfilter-xt_osf-add-missing-permission-checks.patch
+reiserfs-fix-race-in-prealloc-discard.patch
+reiserfs-don-t-preallocate-blocks-for-extended-attributes.patch
+fs-fcntl-f_setown-avoid-undefined-behaviour.patch
+scsi-libiscsi-fix-shifting-of-did_requeue-host-byte.patch