3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 1 Sep 2018 21:35:36 +0000 (14:35 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 1 Sep 2018 21:35:36 +0000 (14:35 -0700)
added patches:
fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
x86-process-re-export-start_thread.patch

queue-3.18/fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch [new file with mode: 0644]
queue-3.18/fuse-don-t-access-pipe-buffers-without-pipe_lock.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/x86-process-re-export-start_thread.patch [new file with mode: 0644]

diff --git a/queue-3.18/fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch b/queue-3.18/fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
new file mode 100644 (file)
index 0000000..c2aa285
--- /dev/null
@@ -0,0 +1,31 @@
+From 109728ccc5933151c68d1106e4065478a487a323 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Thu, 19 Jul 2018 15:49:39 +0300
+Subject: fuse: Add missed unlock_page() to fuse_readpages_fill()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit 109728ccc5933151c68d1106e4065478a487a323 upstream.
+
+The above error path returns with page unlocked, so this place seems also
+to behave the same.
+
+Fixes: f8dbdf81821b ("fuse: rework fuse_readpages()")
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -910,6 +910,7 @@ static int fuse_readpages_fill(void *_da
+       }
+       if (WARN_ON(req->num_pages >= req->max_pages)) {
++              unlock_page(page);
+               fuse_put_request(fc, req);
+               return -EIO;
+       }
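Review bot: The inner hunk header `@@ -910,6 +910,7 @@` announces seven new-side lines but only six follow it (the opening `}` through the closing `}`), and the outer `@@ -0,0 +1,31 @@` likewise announces 31 lines where 30 are shown, so the patch as displayed would be rejected as corrupt; the same shortfall appears in the second patch (`@@ -0,0 +1,45 @@` over 43 lines, inner `-1913,11 +1913,14` over 9 and 12). In every case the gap is exactly where a blank context line of the embedded diff would sit, so this is most likely the page rendering dropping `+ ` lines rather than a defect in the stored file; worth confirming against the raw blob at c2aa285 before relying on this view. The added `unlock_page(page);` itself sits correctly before the request is dropped and the function returns, mirroring the earlier error path the commit message cites; the rest of fuse_readpages_fill() lies outside the hunk.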
diff --git a/queue-3.18/fuse-don-t-access-pipe-buffers-without-pipe_lock.patch b/queue-3.18/fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
new file mode 100644 (file)
index 0000000..55c6351
--- /dev/null
@@ -0,0 +1,45 @@
+From a2477b0e67c52f4364a47c3ad70902bc2a61bd4c Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Tue, 17 Jul 2018 19:00:33 +0300
+Subject: fuse: Don't access pipe->buffers without pipe_lock()
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit a2477b0e67c52f4364a47c3ad70902bc2a61bd4c upstream.
+
+fuse_dev_splice_write() reads pipe->buffers to determine the size of
+'bufs' array before taking the pipe_lock(). This is not safe as
+another thread might change the 'pipe->buffers' between the allocation
+and taking the pipe_lock(). So we end up with too small 'bufs' array.
+
+Move the bufs allocations inside pipe_lock()/pipe_unlock() to fix this.
+
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: <stable@vger.kernel.org> # v2.6.35
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1913,11 +1913,14 @@ static ssize_t fuse_dev_splice_write(str
+       if (!fc)
+               return -EPERM;
++      pipe_lock(pipe);
++
+       bufs = kmalloc(pipe->buffers * sizeof(struct pipe_buffer), GFP_KERNEL);
+-      if (!bufs)
++      if (!bufs) {
++              pipe_unlock(pipe);
+               return -ENOMEM;
++      }
+-      pipe_lock(pipe);
+       nbuf = 0;
+       rem = 0;
+       for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)
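Review bot: `bufs = kmalloc(pipe->buffers * sizeof(struct pipe_buffer), GFP_KERNEL);` sizes the array with an open multiplication; `bufs = kmalloc_array(pipe->buffers, sizeof(struct pipe_buffer), GFP_KERNEL);` expresses the same allocation with the overflow check built in, is available in 3.18, and is presumably what the mainline commit uses, with the backport adjusted to the older context. That is a point of style rather than a bug: moving the allocation under pipe_lock() is what stops `pipe->buffers` from changing between sizing and the loop over `pipe->nrbufs`, and pipe_lock() is a mutex, so a sleeping GFP_KERNEL allocation while holding it is fine. The new `pipe_unlock(pipe);` on the -ENOMEM path is the only early exit inside the locked region visible here; the remainder of fuse_dev_splice_write(), including the pipe_unlock() that the later paths rely on, is outside the hunk.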
index ae2a57dc2f3ad0850b423019fa7f7a2bf55a96c4..6432e1a468532a0a134ba1aa9d15cbe1e99f4d32 100644 (file)
@@ -39,3 +39,6 @@ ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
 arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
 kvm-arm-arm64-skip-updating-pte-entry-if-no-change.patch
 kvm-arm-arm64-skip-updating-pmd-entry-if-no-change.patch
+x86-process-re-export-start_thread.patch
+fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
+fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
diff --git a/queue-3.18/x86-process-re-export-start_thread.patch b/queue-3.18/x86-process-re-export-start_thread.patch
new file mode 100644 (file)
index 0000000..e0f5c59
--- /dev/null
@@ -0,0 +1,42 @@
+From dc76803e57cc86589c4efcb5362918f9b0c0436f Mon Sep 17 00:00:00 2001
+From: Rian Hunter <rian@alum.mit.edu>
+Date: Sun, 19 Aug 2018 16:08:53 -0700
+Subject: x86/process: Re-export start_thread()
+
+From: Rian Hunter <rian@alum.mit.edu>
+
+commit dc76803e57cc86589c4efcb5362918f9b0c0436f upstream.
+
+The consolidation of the start_thread() functions removed the export
+unintentionally. This breaks binfmt handlers built as a module.
+
+Add it back.
+
+Fixes: e634d8fc792c ("x86-64: merge the standard and compat start_thread() functions")
+Signed-off-by: Rian Hunter <rian@alum.mit.edu>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Dmitry Safonov <dima@arista.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180819230854.7275-1-rian@alum.mit.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/process_64.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -438,6 +438,7 @@ __switch_to(struct task_struct *prev_p,
+       return prev_p;
+ }
++EXPORT_SYMBOL_GPL(start_thread);
+ void set_personality_64bit(void)
+ {