5.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Jul 2019 14:18:53 +0000 (16:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Jul 2019 14:18:53 +0000 (16:18 +0200)
added patches:
fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
fs-proc-array.c-allow-reporting-eip-esp-for-all-coredumping-threads.patch
mm-mempolicy.c-fix-an-incorrect-rebind-node-in-mpol_rebind_nodemask.patch

queue-5.1/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch [new file with mode: 0644]
queue-5.1/fs-proc-array.c-allow-reporting-eip-esp-for-all-coredumping-threads.patch [new file with mode: 0644]
queue-5.1/mm-mempolicy.c-fix-an-incorrect-rebind-node-in-mpol_rebind_nodemask.patch [new file with mode: 0644]
queue-5.1/series

diff --git a/queue-5.1/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch b/queue-5.1/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
new file mode 100644 (file)
index 0000000..29035b8
--- /dev/null
@@ -0,0 +1,86 @@
+From 867bfa4a5fcee66f2b25639acae718e8b28b25a5 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 28 Jun 2019 12:06:46 -0700
+Subject: fs/binfmt_flat.c: make load_flat_shared_library() work
+
+From: Jann Horn <jannh@google.com>
+
+commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 upstream.
+
+load_flat_shared_library() is broken: It only calls load_flat_file() if
+prepare_binprm() returns zero, but prepare_binprm() returns the number of
+bytes read - so this only happens if the file is empty.
+
+Instead, call into load_flat_file() if the number of bytes read is
+non-negative. (Even if the number of bytes is zero - in that case,
+load_flat_file() will see nullbytes and return a nice -ENOEXEC.)
+
+In addition, remove the code related to bprm creds and stop using
+prepare_binprm() - this code is loading a library, not a main executable,
+and it only actually uses the members "buf", "file" and "filename" of the
+linux_binprm struct. Instead, call kernel_read() directly.
+
+Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com
+Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
+Signed-off-by: Jann Horn <jannh@google.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Greg Ungerer <gerg@linux-m68k.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_flat.c |   23 +++++++----------------
+ 1 file changed, 7 insertions(+), 16 deletions(-)
+
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -856,9 +856,14 @@ err:
+ static int load_flat_shared_library(int id, struct lib_info *libs)
+ {
++      /*
++       * This is a fake bprm struct; only the members "buf", "file" and
++       * "filename" are actually used.
++       */
+       struct linux_binprm bprm;
+       int res;
+       char buf[16];
++      loff_t pos = 0;
+       memset(&bprm, 0, sizeof(bprm));
+@@ -872,25 +877,11 @@ static int load_flat_shared_library(int
+       if (IS_ERR(bprm.file))
+               return res;
+-      bprm.cred = prepare_exec_creds();
+-      res = -ENOMEM;
+-      if (!bprm.cred)
+-              goto out;
+-
+-      /* We don't really care about recalculating credentials at this point
+-       * as we're past the point of no return and are dealing with shared
+-       * libraries.
+-       */
+-      bprm.called_set_creds = 1;
+-
+-      res = prepare_binprm(&bprm);
++      res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);
+-      if (!res)
++      if (res >= 0)
+               res = load_flat_file(&bprm, libs, id, NULL);
+-      abort_creds(bprm.cred);
+-
+-out:
+       allow_write_access(bprm.file);
+       fput(bprm.file);
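Review bot: The new `res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);` line followed by `if (res >= 0)` hands a partly filled `bprm.buf` to load_flat_file() on a short or zero-length read, and that is only well-defined because the earlier `memset(&bprm, 0, sizeof(bprm));` zeroed the buffer — nothing next to the read says so. I would add `/* bprm was zeroed above: a short read leaves NULs in bprm.buf, which load_flat_file() rejects with -ENOEXEC. */` immediately before the kernel_read() call. kernel_read() returns ssize_t while `res` is an int; with a BINPRM_BUF_SIZE bound the narrowing cannot truncate, but a short note saying why would stop the next reader from re-deriving it. The fake-bprm comment at the top of the function could also state that the creds setup and prepare_binprm() are deliberately skipped because this loads a library into an already-executing image, which is the rationale the changelog gives. load_flat_shared_library() continues past the end of the hunk.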
diff --git a/queue-5.1/fs-proc-array.c-allow-reporting-eip-esp-for-all-coredumping-threads.patch b/queue-5.1/fs-proc-array.c-allow-reporting-eip-esp-for-all-coredumping-threads.patch
new file mode 100644 (file)
index 0000000..9fbb996
--- /dev/null
@@ -0,0 +1,48 @@
+From cb8f381f1613cafe3aec30809991cd56e7135d92 Mon Sep 17 00:00:00 2001
+From: John Ogness <john.ogness@linutronix.de>
+Date: Fri, 28 Jun 2019 12:06:40 -0700
+Subject: fs/proc/array.c: allow reporting eip/esp for all coredumping threads
+
+From: John Ogness <john.ogness@linutronix.de>
+
+commit cb8f381f1613cafe3aec30809991cd56e7135d92 upstream.
+
+0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in /proc/PID/stat")
+stopped reporting eip/esp and fd7d56270b52 ("fs/proc: Report eip/esp in
+/prod/PID/stat for coredumping") reintroduced the feature to fix a
+regression with userspace core dump handlers (such as minicoredumper).
+
+Because PF_DUMPCORE is only set for the primary thread, this didn't fix
+the original problem for secondary threads.  Allow reporting the eip/esp
+for all threads by checking for PF_EXITING as well.  This is set for all
+the other threads when they are killed.  coredump_wait() waits for all the
+tasks to become inactive before proceeding to invoke a core dumper.
+
+Link: http://lkml.kernel.org/r/87y32p7i7a.fsf@linutronix.de
+Link: http://lkml.kernel.org/r/20190522161614.628-1-jlu@pengutronix.de
+Fixes: fd7d56270b526ca3 ("fs/proc: Report eip/esp in /prod/PID/stat for coredumping")
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reported-by: Jan Luebbe <jlu@pengutronix.de>
+Tested-by: Jan Luebbe <jlu@pengutronix.de>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/array.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -462,7 +462,7 @@ static int do_task_stat(struct seq_file
+                * a program is not able to use ptrace(2) in that case. It is
+                * safe because the task has stopped executing permanently.
+                */
+-              if (permitted && (task->flags & PF_DUMPCORE)) {
++              if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) {
+                       if (try_get_task_stack(task)) {
+                               eip = KSTK_EIP(task);
+                               esp = KSTK_ESP(task);
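Review bot: The comment directly above the changed condition (ending `It is safe because the task has stopped executing permanently.`) still justifies the register read only for the PF_DUMPCORE case, while the new `(PF_EXITING|PF_DUMPCORE)` test also admits threads that are merely exiting. PF_EXITING is set early in do_exit(), before a thread has finished running, so "stopped executing permanently" is no longer literally true for every task the condition matches; what keeps the read harmless is that `permitted` (presumably the access check computed earlier in the function) still gates it and `try_get_task_stack()` pins the stack, with the values possibly stale for a thread still tearing down. I would extend the comment with a sentence such as `Secondary threads of a dumping process carry PF_EXITING rather than PF_DUMPCORE; coredump_wait() has already waited for them to become inactive, and the permitted check still applies to any other exiting thread.` do_task_stat() starts and ends outside the hunk.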
diff --git a/queue-5.1/mm-mempolicy.c-fix-an-incorrect-rebind-node-in-mpol_rebind_nodemask.patch b/queue-5.1/mm-mempolicy.c-fix-an-incorrect-rebind-node-in-mpol_rebind_nodemask.patch
new file mode 100644 (file)
index 0000000..c4ce722
--- /dev/null
@@ -0,0 +1,62 @@
+From 29b190fa774dd1b72a1a6f19687d55dc72ea83be Mon Sep 17 00:00:00 2001
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Fri, 28 Jun 2019 12:06:43 -0700
+Subject: mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask
+
+From: zhong jiang <zhongjiang@huawei.com>
+
+commit 29b190fa774dd1b72a1a6f19687d55dc72ea83be upstream.
+
+mpol_rebind_nodemask() is called for MPOL_BIND and MPOL_INTERLEAVE
+mempoclicies when the tasks's cpuset's mems_allowed changes.  For
+policies created without MPOL_F_STATIC_NODES or MPOL_F_RELATIVE_NODES,
+it works by remapping the policy's allowed nodes (stored in v.nodes)
+using the previous value of mems_allowed (stored in
+w.cpuset_mems_allowed) as the domain of map and the new mems_allowed
+(passed as nodes) as the range of the map (see the comment of
+bitmap_remap() for details).
+
+The result of remapping is stored back as policy's nodemask in v.nodes,
+and the new value of mems_allowed should be stored in
+w.cpuset_mems_allowed to facilitate the next rebind, if it happens.
+
+However, 213980c0f23b ("mm, mempolicy: simplify rebinding mempolicies
+when updating cpusets") introduced a bug where the result of remapping
+is stored in w.cpuset_mems_allowed instead.  Thus, a mempolicy's
+allowed nodes can evolve in an unexpected way after a series of
+rebinding due to cpuset mems_allowed changes, possibly binding to a
+wrong node or a smaller number of nodes which may e.g.  overload them.
+This patch fixes the bug so rebinding again works as intended.
+
+[vbabka@suse.cz: new changlog]
+  Link: http://lkml.kernel.org/r/ef6a69c6-c052-b067-8f2c-9d615c619bb9@suse.cz
+Link: http://lkml.kernel.org/r/1558768043-23184-1-git-send-email-zhongjiang@huawei.com
+Fixes: 213980c0f23b ("mm, mempolicy: simplify rebinding mempolicies when updating cpusets")
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Ralph Campbell <rcampbell@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -306,7 +306,7 @@ static void mpol_rebind_nodemask(struct
+       else {
+               nodes_remap(tmp, pol->v.nodes,pol->w.cpuset_mems_allowed,
+                                                               *nodes);
+-              pol->w.cpuset_mems_allowed = tmp;
++              pol->w.cpuset_mems_allowed = *nodes;
+       }
+       if (nodes_empty(tmp))
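Review bot: The replacement line `pol->w.cpuset_mems_allowed = *nodes;` restores the invariant that w.cpuset_mems_allowed holds the previous mems_allowed as the domain of the next nodes_remap(), but nothing in the code states that invariant, which is how 213980c0f23b regressed it in the first place. I would put `/* Keep the current mems_allowed as the domain of the next remap; storing tmp here made repeated rebinds drift. */` directly above the assignment. mpol_rebind_nodemask() starts and ends outside the hunk, so the nodes_empty(tmp) fallback that follows is only partly visible.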
index 8de76393bb85a9cb0db095a905acaecfc5e0f7e5..634b74ec9c50634a6931fe989289e2be6cff78ec 100644 (file)
@@ -1,3 +1,6 @@
 arm64-don-t-unconditionally-add-wno-psabi-to-kbuild_cflags.patch
 revert-x86-uaccess-ftrace-fix-ftrace_likely_update-v.patch
 qmi_wwan-fix-out-of-bounds-read.patch
+fs-proc-array.c-allow-reporting-eip-esp-for-all-coredumping-threads.patch
+mm-mempolicy.c-fix-an-incorrect-rebind-node-in-mpol_rebind_nodemask.patch
+fs-binfmt_flat.c-make-load_flat_shared_library-work.patch