4.13-stable patches

added patches:
	coda-fix-kernel-memory-exposure-attempt-in-fsync.patch

diff --git a/queue-4.13/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch b/queue-4.13/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
new file mode 100644 (file)
index 0000000..adf3024
--- /dev/null
+++ b/queue-4.13/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
@@ -0,0 +1,41 @@
+From d337b66a4c52c7b04eec661d86c2ef6e168965a2 Mon Sep 17 00:00:00 2001
+From: Jan Harkes <jaharkes@cs.cmu.edu>
+Date: Wed, 27 Sep 2017 15:52:12 -0400
+Subject: coda: fix 'kernel memory exposure attempt' in fsync
+
+From: Jan Harkes <jaharkes@cs.cmu.edu>
+
+commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream.
+
+When an application called fsync on a file in Coda a small request with
+just the file identifier was allocated, but the declared length was set
+to the size of union of all possible upcall requests.
+
+This bug has been around for a very long time and is now caught by the
+extra checking in usercopy that was introduced in Linux-4.8.
+
+The exposure happens when the Coda cache manager process reads the fsync
+upcall request at which point it is killed. As a result there is nobody
+servicing any further upcalls, trapping any processes that try to access
+the mounted Coda filesystem.
+
+Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/coda/upcall.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/coda/upcall.c
++++ b/fs/coda/upcall.c
+@@ -446,8 +446,7 @@ int venus_fsync(struct super_block *sb,
+       UPARG(CODA_FSYNC);
+ 
+       inp->coda_fsync.VFid = *fid;
+-      error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs),
+-                          &outsize, inp);
++      error = coda_upcall(coda_vcp(sb), insize, &outsize, inp);
+ 
+       CODA_FREE(inp, insize);
+       return error;

diff --git a/queue-4.13/mm-swap-fix-false-error-message-in-__swp_swapcount.patch b/queue-4.13/mm-swap-fix-false-error-message-in-__swp_swapcount.patch
deleted file mode 100644 (file)
index 2b7de56..0000000
--- a/queue-4.13/mm-swap-fix-false-error-message-in-__swp_swapcount.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From e9a6effa500526e2a19d5ad042cb758b55b1ef93 Mon Sep 17 00:00:00 2001
-From: Huang Ying <huang.ying.caritas@gmail.com>
-Date: Wed, 15 Nov 2017 17:33:15 -0800
-Subject: mm, swap: fix false error message in __swp_swapcount()
-
-From: Huang Ying <huang.ying.caritas@gmail.com>
-
-commit e9a6effa500526e2a19d5ad042cb758b55b1ef93 upstream.
-
-When a page fault occurs for a swap entry, the physical swap readahead
-(not the VMA base swap readahead) may readahead several swap entries
-after the fault swap entry.  The readahead algorithm calculates some of
-the swap entries to readahead via increasing the offset of the fault
-swap entry without checking whether they are beyond the end of the swap
-device and it relys on the __swp_swapcount() and swapcache_prepare() to
-check it.  Although __swp_swapcount() checks for the swap entry passed
-in, it will complain with the error message as follow for the expected
-invalid swap entry.  This may make the end users confused.
-
-  swap_info_get: Bad swap offset entry 0200f8a7
-
-To fix the false error message, the swap entry checking is added in
-swapin_readahead() to avoid to pass the out-of-bound swap entries and
-the swap entry reserved for the swap header to __swp_swapcount() and
-swapcache_prepare().
-
-Link: http://lkml.kernel.org/r/20171102054225.22897-1-ying.huang@intel.com
-Fixes: e8c26ab60598 ("mm/swap: skip readahead for unreferenced swap slots")
-Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
-Reported-by: Christian Kujau <lists@nerdbynature.de>
-Acked-by: Minchan Kim <minchan@kernel.org>
-Suggested-by: Minchan Kim <minchan@kernel.org>
-Cc: Tim Chen <tim.c.chen@linux.intel.com>
-Cc: Michal Hocko <mhocko@suse.com>
-Cc: Hugh Dickins <hughd@google.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- mm/swap_state.c |    3 +++
- 1 file changed, 3 insertions(+)
-
---- a/mm/swap_state.c
-+++ b/mm/swap_state.c
-@@ -506,6 +506,7 @@ struct page *swapin_readahead(swp_entry_
-       unsigned long offset = entry_offset;
-       unsigned long start_offset, end_offset;
-       unsigned long mask;
-+      struct swap_info_struct *si = swp_swap_info(entry);
-       struct blk_plug plug;
-       bool do_poll = true;
- 
-@@ -519,6 +520,8 @@ struct page *swapin_readahead(swp_entry_
-       end_offset = offset | mask;
-       if (!start_offset)      /* First page is swap header. */
-               start_offset++;
-+      if (end_offset >= si->max)
-+              end_offset = si->max - 1;
- 
-       blk_start_plug(&plug);
-       for (offset = start_offset; offset <= end_offset ; offset++) {

diff --git a/queue-4.13/series b/queue-4.13/series
index e99dc0bb619077278bb0db73e1723731b784dca0..ec20644f7ca19f4867af391d1e8d798e0fc5c8e5 100644 (file)
--- a/queue-4.13/series
+++ b/queue-4.13/series
@@ -29,7 +29,7 @@ mm-pagewalk.c-report-holes-in-hugetlb-ranges.patch
 ocfs2-fix-cluster-hang-after-a-node-dies.patch
 ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr.patch
 ipmi-fix-unsigned-long-underflow.patch
-mm-swap-fix-false-error-message-in-__swp_swapcount.patch
 mm-page_alloc.c-broken-deferred-calculation.patch
 mm-page_ext.c-check-if-page_ext-is-not-prepared.patch
 x86-cpu-amd-derive-l3-shared_cpu_map-from-cpu_llc_shared_mask.patch
+coda-fix-kernel-memory-exposure-attempt-in-fsync.patch