From 33fa022f32638873f12ecaaa949a8fb2754f3fed Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Thu, 9 Aug 2018 06:51:57 -0500
Subject: Linux v4.17.14
---
 ...n-t-call-xfs_da_shrink_inode-with-NULL-bp.patch | 43 ------
 ...ate-cached-inodes-are-free-when-allocated.patch | 155 ---------------------
 kernel.spec | 11 +-
 sources | 2 +-
 4 files changed, 5 insertions(+), 206 deletions(-)
 delete mode 100644 0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
 delete mode 100644 0001-xfs-validate-cached-inodes-are-free-when-allocated.patch
diff --git a/0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch b/0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
deleted file mode 100644
index 874536f24..000000000
--- a/0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -From bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a Mon Sep 17 00:00:00 2001 -From: Eric Sandeen -Date: Fri, 8 Jun 2018 09:53:49 -0700 -Subject: [PATCH] xfs: don't call xfs_da_shrink_inode with NULL bp - -xfs_attr3_leaf_create may have errored out before instantiating a buffer, -for example if the blkno is out of range. In that case there is no work -to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops -if we try. - -This also seems to fix a flaw where the original error from -xfs_attr3_leaf_create gets overwritten in the cleanup case, and it -removes a pointless assignment to bp which isn't used after this. - -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969 -Reported-by: Xu, Wen -Tested-by: Xu, Wen -Signed-off-by: Eric Sandeen -Reviewed-by: Darrick J. Wong -Signed-off-by: Darrick J. Wong ---- - fs/xfs/libxfs/xfs_attr_leaf.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c -index 99e0f5749dba..76e90046731c 100644 ---- a/fs/xfs/libxfs/xfs_attr_leaf.c -+++ b/fs/xfs/libxfs/xfs_attr_leaf.c -@@ -791,9 +791,8 @@ xfs_attr_shortform_to_leaf( - ASSERT(blkno == 0); - error = xfs_attr3_leaf_create(args, blkno, &bp); - if (error) { -- error = xfs_da_shrink_inode(args, 0, bp); -- bp = NULL; -- if (error) -+ /* xfs_attr3_leaf_create may not have instantiated a block */ -+ if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0)) - goto out; - xfs_idata_realloc(dp, size, XFS_ATTR_FORK); /* try to put */ - memcpy(ifp->if_u1.if_data, tmpbuffer, size); /* it back */ --- -2.17.1 - diff --git a/0001-xfs-validate-cached-inodes-are-free-when-allocated.patch b/0001-xfs-validate-cached-inodes-are-free-when-allocated.patch deleted file mode 100644 index ce78bed80..000000000 --- a/0001-xfs-validate-cached-inodes-are-free-when-allocated.patch +++ /dev/null 
@@ -1,155 +0,0 @@ -From afca6c5b2595fc44383919fba740c194b0b76aff Mon Sep 17 00:00:00 2001 -From: Dave Chinner -Date: Tue, 17 Apr 2018 17:17:34 -0700 -Subject: [PATCH] xfs: validate cached inodes are free when allocated - -A recent fuzzed filesystem image cached random dcache corruption -when the reproducer was run. This often showed up as panics in -lookup_slow() on a null inode->i_ops pointer when doing pathwalks. - -BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 -.... -Call Trace: - lookup_slow+0x44/0x60 - walk_component+0x3dd/0x9f0 - link_path_walk+0x4a7/0x830 - path_lookupat+0xc1/0x470 - filename_lookup+0x129/0x270 - user_path_at_empty+0x36/0x40 - path_listxattr+0x98/0x110 - SyS_listxattr+0x13/0x20 - do_syscall_64+0xf5/0x280 - entry_SYSCALL_64_after_hwframe+0x42/0xb7 - -but had many different failure modes including deadlocks trying to -lock the inode that was just allocated or KASAN reports of -use-after-free violations. - -The cause of the problem was a corrupt INOBT on a v4 fs where the -root inode was marked as free in the inobt record. Hence when we -allocated an inode, it chose the root inode to allocate, found it in -the cache and re-initialised it. - -We recently fixed a similar inode allocation issue caused by inobt -record corruption problem in xfs_iget_cache_miss() in commit -ee457001ed6c ("xfs: catch inode allocation state mismatch -corruption"). This change adds similar checks to the cache-hit path -to catch it, and turns the reproducer into a corruption shutdown -situation. - -Reported-by: Wen Xu -Signed-Off-By: Dave Chinner -Reviewed-by: Christoph Hellwig -Reviewed-by: Carlos Maiolino -Reviewed-by: Darrick J. Wong -[darrick: fix typos in comment] -Signed-off-by: Darrick J. 
Wong ---- - fs/xfs/xfs_icache.c | 73 +++++++++++++++++++++++++++++---------------- - 1 file changed, 48 insertions(+), 25 deletions(-) - -diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c -index 9a18f69f6e96..817899961f48 100644 ---- a/fs/xfs/xfs_icache.c -+++ b/fs/xfs/xfs_icache.c -@@ -308,6 +308,46 @@ xfs_reinit_inode( - return error; - } - -+/* -+ * If we are allocating a new inode, then check what was returned is -+ * actually a free, empty inode. If we are not allocating an inode, -+ * then check we didn't find a free inode. -+ * -+ * Returns: -+ * 0 if the inode free state matches the lookup context -+ * -ENOENT if the inode is free and we are not allocating -+ * -EFSCORRUPTED if there is any state mismatch at all -+ */ -+static int -+xfs_iget_check_free_state( -+ struct xfs_inode *ip, -+ int flags) -+{ -+ if (flags & XFS_IGET_CREATE) { -+ /* should be a free inode */ -+ if (VFS_I(ip)->i_mode != 0) { -+ xfs_warn(ip->i_mount, -+"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)", -+ ip->i_ino, VFS_I(ip)->i_mode); -+ return -EFSCORRUPTED; -+ } -+ -+ if (ip->i_d.di_nblocks != 0) { -+ xfs_warn(ip->i_mount, -+"Corruption detected! Free inode 0x%llx has blocks allocated!", -+ ip->i_ino); -+ return -EFSCORRUPTED; -+ } -+ return 0; -+ } -+ -+ /* should be an allocated inode */ -+ if (VFS_I(ip)->i_mode == 0) -+ return -ENOENT; -+ -+ return 0; -+} -+ - /* - * Check the validity of the inode we just found it the cache - */ -@@ -357,12 +397,12 @@ xfs_iget_cache_hit( - } - - /* -- * If lookup is racing with unlink return an error immediately. -+ * Check the inode free state is valid. This also detects lookup -+ * racing with unlinks. - */ -- if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) { -- error = -ENOENT; -+ error = xfs_iget_check_free_state(ip, flags); -+ if (error) - goto out_error; -- } - - /* - * If IRECLAIMABLE is set, we've torn down the VFS inode already. 
-@@ -485,29 +525,12 @@ xfs_iget_cache_miss( - - - /* -- * If we are allocating a new inode, then check what was returned is -- * actually a free, empty inode. If we are not allocating an inode, -- * the check we didn't find a free inode. -+ * Check the inode free state is valid. This also detects lookup -+ * racing with unlinks. - */ -- if (flags & XFS_IGET_CREATE) { -- if (VFS_I(ip)->i_mode != 0) { -- xfs_warn(mp, --"Corruption detected! Free inode 0x%llx not marked free on disk", -- ino); -- error = -EFSCORRUPTED; -- goto out_destroy; -- } -- if (ip->i_d.di_nblocks != 0) { -- xfs_warn(mp, --"Corruption detected! Free inode 0x%llx has blocks allocated!", -- ino); -- error = -EFSCORRUPTED; -- goto out_destroy; -- } -- } else if (VFS_I(ip)->i_mode == 0) { -- error = -ENOENT; -+ error = xfs_iget_check_free_state(ip, flags); -+ if (error) - goto out_destroy; -- } - - /* - * Preload the radix tree so we can insert safely under the --- -2.17.1 - diff --git a/kernel.spec b/kernel.spec index 981a6581b..04eb70a9a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 13 +%define stable_update 14 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -659,12 +659,6 @@ Patch518: alarmtimer-prevent-overflow-for-relative-nanosleep.patch Patch519: 1-2-posix-timers-Make-forward-callback-return-s64.patch Patch520: 2-2-posix-timers-Sanitize-overrun-handling.patch -# CVE-2018-13093 rhbz 1597766 1597767 -Patch521: 0001-xfs-validate-cached-inodes-are-free-when-allocated.patch - -# CVE-2018-13094 rhbz 1597771 1597772 -Patch522: 0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch - # CVE-2018-13095 rhbz 1597775 1597777 Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch 
@@ -1920,6 +1914,9 @@ fi
 #
 #
 %changelog
+* Thu Aug 09 2018 Justin M. Forbes - 4.17.14-200
+- Linux v4.17.14
+
 * Wed Aug 08 2018 Justin M. Forbes - 4.17.13-200
 - Linux v4.17.13
diff --git a/sources b/sources
index 5602f649d..68740e077 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-SHA512 (patch-4.17.13.xz) = 8f77239c6c0393aa6e854f98d0ef0832e0a3e936251805ca1fcde2b5d24e0b086582f68e3f494a4a287b404573c26a867170958d53f3c1bf4c46c4c5697188b2
+SHA512 (patch-4.17.14.xz) = 99b76b9305868a93139d9e977ee244c02ada7e3966856a1c559c049dff4543cd39595b723d9fc9b8f27ffef9ff0e4b28bcfbdb28738d5e19342473336553eb27
-- cgit