4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 22 Apr 2018 09:55:47 +0000 (11:55 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 22 Apr 2018 09:55:47 +0000 (11:55 +0200)
added patches:
autofs-mount-point-create-should-honour-passed-in-mode.patch
don-t-leak-mnt_internal-away-from-internal-mounts.patch
hypfs_kill_super-deal-with-failed-allocations.patch
jffs2_kill_sb-deal-with-failed-allocations.patch
mm-filemap.c-fix-null-pointer-in-page_cache_tree_insert.patch
orangefs_kill_sb-deal-with-allocation-failures.patch
rpc_pipefs-fix-double-dput.patch

queue-4.9/autofs-mount-point-create-should-honour-passed-in-mode.patch [new file with mode: 0644]
queue-4.9/don-t-leak-mnt_internal-away-from-internal-mounts.patch [new file with mode: 0644]
queue-4.9/hypfs_kill_super-deal-with-failed-allocations.patch [new file with mode: 0644]
queue-4.9/jffs2_kill_sb-deal-with-failed-allocations.patch [new file with mode: 0644]
queue-4.9/mm-filemap.c-fix-null-pointer-in-page_cache_tree_insert.patch [new file with mode: 0644]
queue-4.9/orangefs_kill_sb-deal-with-allocation-failures.patch [new file with mode: 0644]
queue-4.9/random-add-new-ioctl-rndreseedcrng.patch
queue-4.9/random-crng_reseed-should-lock-the-crng-instance-that-it-is-modifying.patch
queue-4.9/random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch
queue-4.9/rpc_pipefs-fix-double-dput.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/autofs-mount-point-create-should-honour-passed-in-mode.patch b/queue-4.9/autofs-mount-point-create-should-honour-passed-in-mode.patch
new file mode 100644 (file)
index 0000000..092cbb1
--- /dev/null
@@ -0,0 +1,40 @@
+From 1e6306652ba18723015d1b4967fe9de55f042499 Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Fri, 20 Apr 2018 14:55:59 -0700
+Subject: autofs: mount point create should honour passed in mode
+
+From: Ian Kent <raven@themaw.net>
+
+commit 1e6306652ba18723015d1b4967fe9de55f042499 upstream.
+
+The autofs file system mkdir inode operation blindly sets the created
+directory mode to S_IFDIR | 0555, ingoring the passed in mode, which can
+cause selinux dac_override denials.
+
+But the function also checks if the caller is the daemon (as no-one else
+should be able to do anything here) so there's no point in not honouring
+the passed in mode, allowing the daemon to set appropriate mode when
+required.
+
+Link: http://lkml.kernel.org/r/152361593601.8051.14014139124905996173.stgit@pluto.themaw.net
+Signed-off-by: Ian Kent <raven@themaw.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/autofs4/root.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/autofs4/root.c
++++ b/fs/autofs4/root.c
+@@ -746,7 +746,7 @@ static int autofs4_dir_mkdir(struct inod
+       autofs4_del_active(dentry);
+-      inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555);
++      inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);
+       if (!inode)
+               return -ENOMEM;
+       d_add(dentry, inode);
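Review bot: The mode handed to autofs4_get_inode() on the changed line is now the caller-supplied mkdir mode, and nothing at that site records that this is only safe because autofs4_dir_mkdir() has already rejected every caller but the automount daemon earlier in the function, outside this hunk. Suggest a comment above the changed line: `/* only the daemon gets here (checked above), so honour its requested mode */`. `S_IFDIR | mode` also assumes the VFS has already reduced `mode` to permission bits before calling ->mkdir; that masking is not visible here, so confirm vfs_mkdir() in 4.9 strips the type bits as it does upstream. autofs4_dir_mkdir() begins and ends outside the hunk.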
diff --git a/queue-4.9/don-t-leak-mnt_internal-away-from-internal-mounts.patch b/queue-4.9/don-t-leak-mnt_internal-away-from-internal-mounts.patch
new file mode 100644 (file)
index 0000000..0761573
--- /dev/null
@@ -0,0 +1,37 @@
+From 16a34adb9392b2fe4195267475ab5b472e55292c Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 19 Apr 2018 22:03:08 -0400
+Subject: Don't leak MNT_INTERNAL away from internal mounts
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 16a34adb9392b2fe4195267475ab5b472e55292c upstream.
+
+We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for
+their copies.  As it is, creating a deep stack of bindings of /proc/*/ns/*
+somewhere in a new namespace and exiting yields a stack overflow.
+
+Cc: stable@kernel.org
+Reported-by: Alexander Aring <aring@mojatatu.com>
+Bisected-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Tested-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Tested-by: Alexander Aring <aring@mojatatu.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1033,7 +1033,8 @@ static struct mount *clone_mnt(struct mo
+                       goto out_free;
+       }
+-      mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
++      mnt->mnt.mnt_flags = old->mnt.mnt_flags;
++      mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
+       /* Don't allow unprivileged users to change mount flags */
+       if (flag & CL_UNPRIVILEGED) {
+               mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
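Review bot: The new `&=` line clears MNT_INTERNAL on every clone but carries no comment, and the reason — per the commit message the flag belongs only to the original SB_KERNMOUNT mount, and copies inheriting it produce the unmount recursion described there — is not obvious from clone_mnt() itself. Suggest `/* MNT_INTERNAL marks only the original kernel mount; copies must never inherit it */` above that line. Splitting the assignment into two statements reads as if a fix-up were still pending, but keeping the backport byte-identical to upstream is the stronger argument, so leave the shape as is. clone_mnt() begins and ends outside the hunk.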
diff --git a/queue-4.9/hypfs_kill_super-deal-with-failed-allocations.patch b/queue-4.9/hypfs_kill_super-deal-with-failed-allocations.patch
new file mode 100644 (file)
index 0000000..8e330b2
--- /dev/null
@@ -0,0 +1,31 @@
+From a24cd490739586a7d2da3549a1844e1d7c4f4fc4 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon, 2 Apr 2018 23:50:31 -0400
+Subject: hypfs_kill_super(): deal with failed allocations
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a24cd490739586a7d2da3549a1844e1d7c4f4fc4 upstream.
+
+hypfs_fill_super() might fail to allocate sbi; hypfs_kill_super()
+should not oops on that.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/hypfs/inode.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/hypfs/inode.c
++++ b/arch/s390/hypfs/inode.c
+@@ -318,7 +318,7 @@ static void hypfs_kill_super(struct supe
+       if (sb->s_root)
+               hypfs_delete_tree(sb->s_root);
+-      if (sb_info->update_file)
++      if (sb_info && sb_info->update_file)
+               hypfs_remove(sb_info->update_file);
+       kfree(sb->s_fs_info);
+       sb->s_fs_info = NULL;
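Review bot: The added `sb_info &&` guard depends on sb_info aliasing `sb->s_fs_info` (its initialization is outside the hunk) and on hypfs_fill_super() leaving s_fs_info NULL when its allocation fails, and neither assumption is stated at the site. Suggest `/* sb_info is NULL when hypfs_fill_super() failed before allocating it */` on the guard line. The `kfree(sb->s_fs_info)` that follows is NULL-safe, so nothing else in the visible tail needs to change. hypfs_kill_super() starts before the hunk.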
diff --git a/queue-4.9/jffs2_kill_sb-deal-with-failed-allocations.patch b/queue-4.9/jffs2_kill_sb-deal-with-failed-allocations.patch
new file mode 100644 (file)
index 0000000..a0dba88
--- /dev/null
@@ -0,0 +1,31 @@
+From c66b23c2840446a82c389e4cb1a12eb2a71fa2e4 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon, 2 Apr 2018 23:56:44 -0400
+Subject: jffs2_kill_sb(): deal with failed allocations
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c66b23c2840446a82c389e4cb1a12eb2a71fa2e4 upstream.
+
+jffs2_fill_super() might fail to allocate jffs2_sb_info;
+jffs2_kill_sb() must survive that.
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jffs2/super.c
++++ b/fs/jffs2/super.c
+@@ -342,7 +342,7 @@ static void jffs2_put_super (struct supe
+ static void jffs2_kill_sb(struct super_block *sb)
+ {
+       struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
+-      if (!(sb->s_flags & MS_RDONLY))
++      if (c && !(sb->s_flags & MS_RDONLY))
+               jffs2_stop_garbage_collect_thread(c);
+       kill_mtd_super(sb);
+       kfree(c);
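Review bot: The `c && ...` guard skips stopping the garbage-collect thread when JFFS2_SB_INFO(sb) is NULL, but nothing ties that to the failed-allocation path in jffs2_fill_super() named in the commit message, so a later reader may take the check for a redundant NULL test. Suggest `/* c is NULL if jffs2_fill_super() failed to allocate it; presumably no GC thread was started */` above the guard. kill_mtd_super(sb) and kfree(c) on the following lines tolerate c == NULL, so the rest of the function is fine as written.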
diff --git a/queue-4.9/mm-filemap.c-fix-null-pointer-in-page_cache_tree_insert.patch b/queue-4.9/mm-filemap.c-fix-null-pointer-in-page_cache_tree_insert.patch
new file mode 100644 (file)
index 0000000..ec51596
--- /dev/null
@@ -0,0 +1,80 @@
+From abc1be13fd113ddef5e2d807a466286b864caed3 Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <mawilcox@microsoft.com>
+Date: Fri, 20 Apr 2018 14:56:20 -0700
+Subject: mm/filemap.c: fix NULL pointer in page_cache_tree_insert()
+
+From: Matthew Wilcox <mawilcox@microsoft.com>
+
+commit abc1be13fd113ddef5e2d807a466286b864caed3 upstream.
+
+f2fs specifies the __GFP_ZERO flag for allocating some of its pages.
+Unfortunately, the page cache also uses the mapping's GFP flags for
+allocating radix tree nodes.  It always masked off the __GFP_HIGHMEM
+flag, and masks off __GFP_ZERO in some paths, but not all.  That causes
+radix tree nodes to be allocated with a NULL list_head, which causes
+backtraces like:
+
+  __list_del_entry+0x30/0xd0
+  list_lru_del+0xac/0x1ac
+  page_cache_tree_insert+0xd8/0x110
+
+The __GFP_DMA and __GFP_DMA32 flags would also be able to sneak through
+if they are ever used.  Fix them all by using GFP_RECLAIM_MASK at the
+innermost location, and remove it from earlier in the callchain.
+
+Link: http://lkml.kernel.org/r/20180411060320.14458-2-willy@infradead.org
+Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
+Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
+Reported-by: Chris Fries <cfries@google.com>
+Debugged-by: Minchan Kim <minchan@kernel.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/filemap.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -616,7 +616,7 @@ int replace_page_cache_page(struct page
+       VM_BUG_ON_PAGE(!PageLocked(new), new);
+       VM_BUG_ON_PAGE(new->mapping, new);
+-      error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM);
++      error = radix_tree_preload(gfp_mask & GFP_RECLAIM_MASK);
+       if (!error) {
+               struct address_space *mapping = old->mapping;
+               void (*freepage)(struct page *);
+@@ -672,7 +672,7 @@ static int __add_to_page_cache_locked(st
+                       return error;
+       }
+-      error = radix_tree_maybe_preload(gfp_mask & ~__GFP_HIGHMEM);
++      error = radix_tree_maybe_preload(gfp_mask & GFP_RECLAIM_MASK);
+       if (error) {
+               if (!huge)
+                       mem_cgroup_cancel_charge(page, memcg, false);
+@@ -1247,8 +1247,7 @@ no_page:
+               if (fgp_flags & FGP_ACCESSED)
+                       __SetPageReferenced(page);
+-              err = add_to_page_cache_lru(page, mapping, offset,
+-                              gfp_mask & GFP_RECLAIM_MASK);
++              err = add_to_page_cache_lru(page, mapping, offset, gfp_mask);
+               if (unlikely(err)) {
+                       put_page(page);
+                       page = NULL;
+@@ -1996,7 +1995,7 @@ static int page_cache_read(struct file *
+               if (!page)
+                       return -ENOMEM;
+-              ret = add_to_page_cache_lru(page, mapping, offset, gfp_mask & GFP_KERNEL);
++              ret = add_to_page_cache_lru(page, mapping, offset, gfp_mask);
+               if (ret == 0)
+                       ret = mapping->a_ops->readpage(file, page);
+               else if (ret == -EEXIST)
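Review bot: The masking is now concentrated at the two radix_tree_preload()/radix_tree_maybe_preload() sites (the `@@ -616` and `@@ -672` hunks), but neither line says why GFP_RECLAIM_MASK rather than `~__GFP_HIGHMEM` is required, and the next person to touch either call will not see the NULL list_head failure from the commit message. Suggest the same comment on both: `/* radix tree nodes must not inherit __GFP_ZERO, __GFP_HIGHMEM or zone bits from the mapping's gfp mask */`. The `@@ -1247` and `@@ -1996` hunks now pass the mapping's unmasked gfp_mask into add_to_page_cache_lru(); any other consumer of gfp_mask on that path (the memcg charge in __add_to_page_cache_locked(), outside the hunk) now sees the full mask, which is presumably harmless but worth confirming for __GFP_ZERO. Each of the four enclosing functions begins and ends outside its hunk.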
diff --git a/queue-4.9/orangefs_kill_sb-deal-with-allocation-failures.patch b/queue-4.9/orangefs_kill_sb-deal-with-allocation-failures.patch
new file mode 100644 (file)
index 0000000..fd0a5da
--- /dev/null
@@ -0,0 +1,34 @@
+From 659038428cb43a66e3eff71e2c845c9de3611a98 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 3 Apr 2018 00:13:17 -0400
+Subject: orangefs_kill_sb(): deal with allocation failures
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 659038428cb43a66e3eff71e2c845c9de3611a98 upstream.
+
+orangefs_fill_sb() might've failed to allocate ORANGEFS_SB(s); don't
+oops in that case.
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/orangefs/super.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/orangefs/super.c
++++ b/fs/orangefs/super.c
+@@ -559,6 +559,11 @@ void orangefs_kill_sb(struct super_block
+       /* provided sb cleanup */
+       kill_anon_super(sb);
++      if (!ORANGEFS_SB(sb)) {
++              mutex_lock(&orangefs_request_mutex);
++              mutex_unlock(&orangefs_request_mutex);
++              return;
++      }
+       /*
+        * issue the unmount to userspace to tell it to remove the
+        * dynamic mount info it has for this superblock
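Review bot: The early-return path locks and immediately unlocks orangefs_request_mutex with nothing in between, which reads as a no-op; a lock/unlock pair used as a barrier needs a comment saying what it waits for. If it mirrors the pair at the end of orangefs_kill_sb() (outside this hunk, presumably letting an in-flight request loop that may still reference this sb finish), say so on the `if` line: `/* no private data to tear down, but still wait out any request loop holding the mutex before the sb goes away */`. The return must also stay ahead of the orangefs_unmount_sb() call that follows, since the rest of the function assumes ORANGEFS_SB(sb) is non-NULL. orangefs_kill_sb() begins before and ends after the hunk.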
index 415dc98301b3b24663a772f848d59ee35a07a2cc..ce3851013bd833bc3784159a654ea9c674fd5f18 100644 (file)
@@ -28,7 +28,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE)
  static void _extract_crng(struct crng_state *crng,
                          __u8 out[CHACHA20_BLOCK_SIZE]);
-@@ -874,7 +875,8 @@ static void _extract_crng(struct crng_st
+@@ -900,7 +901,8 @@ static void _extract_crng(struct crng_st
        unsigned long v, flags;
  
        if (crng_ready() &&
index 1ecea42e0eccd133146645a9724d1e9382df3757..9d0401b7739777d78d77dcd111078a1554d6c498 100644 (file)
@@ -20,7 +20,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
-@@ -836,7 +836,7 @@ static void crng_reseed(struct crng_stat
+@@ -862,7 +862,7 @@ static void crng_reseed(struct crng_stat
                _crng_backtrack_protect(&primary_crng, buf.block,
                                        CHACHA20_KEY_SIZE);
        }
@@ -29,7 +29,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
        for (i = 0; i < 8; i++) {
                unsigned long   rv;
                if (!arch_get_random_seed_long(&rv) &&
-@@ -853,7 +853,7 @@ static void crng_reseed(struct crng_stat
+@@ -879,7 +879,7 @@ static void crng_reseed(struct crng_stat
                wake_up_interruptible(&crng_init_wait);
                pr_notice("random: crng init done\n");
        }
index 12e35d42406e1f16507ce937e37097c6e685736c..2cb2d45f3dc3e5da7ba3d58123c6bc63a2978c3b 100644 (file)
@@ -26,16 +26,8 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
-@@ -847,6 +847,7 @@ static void crng_reseed(struct crng_stat
-       memzero_explicit(&buf, sizeof(buf));
-       crng->init_time = jiffies;
-       if (crng == &primary_crng && crng_init < 2) {
-+              numa_crng_init();
-               crng_init = 2;
-               process_random_ready_list();
-               wake_up_interruptible(&crng_init_wait);
-@@ -897,6 +898,32 @@ static void extract_crng(__u8 out[CHACHA
-       _extract_crng(crng, out);
+@@ -818,6 +818,32 @@ static int crng_fast_load(const char *cp
+       return 1;
  }
  
 +#ifdef CONFIG_NUMA
@@ -64,9 +56,17 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 +static void numa_crng_init(void) {}
 +#endif
 +
- /*
-  * Use the leftover bytes from the CRNG block output (if there is
-  * enough) to mutate the CRNG key to provide backtracking protection.
+ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
+ {
+       unsigned long   flags;
+@@ -847,6 +873,7 @@ static void crng_reseed(struct crng_stat
+       memzero_explicit(&buf, sizeof(buf));
+       crng->init_time = jiffies;
+       if (crng == &primary_crng && crng_init < 2) {
++              numa_crng_init();
+               crng_init = 2;
+               process_random_ready_list();
+               wake_up_interruptible(&crng_init_wait);
 @@ -1659,28 +1686,9 @@ static void init_std_data(struct entropy
   */
  static int rand_initialize(void)
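Review bot: The `numa_crng_init();` line added in the `@@ -847,6 +873,7 @@` hunk sits inside the `if (crng == &primary_crng && crng_init < 2)` block, and the sibling crng_reseed-should-lock patch in this queue (its `@@ -879,7 +879,7 @@` hunk) changes a line three lines after `pr_notice("random: crng init done\n")`, which suggests the 4.9 crng_reseed() releases crng->lock only after that block, i.e. with interrupts still disabled here. numa_crng_init()'s body is not in the hunk, but upstream's allocates the per-node crng states with GFP_KERNEL, so if the 4.9 version does the same this would be a sleeping allocation under a spinlock. Confirm whether the backport also moved `spin_unlock_irqrestore(&crng->lock, flags);` ahead of the `if`, and if it did not, move it there or at least note the constraint: `/* must run with crng->lock dropped: allocates */` above the call. crng_reseed() starts at the `static void crng_reseed(` context line of the previous hunk and ends outside this one.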
diff --git a/queue-4.9/rpc_pipefs-fix-double-dput.patch b/queue-4.9/rpc_pipefs-fix-double-dput.patch
new file mode 100644 (file)
index 0000000..9329856
--- /dev/null
@@ -0,0 +1,31 @@
+From 4a3877c4cedd95543f8726b0a98743ed8db0c0fb Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 3 Apr 2018 01:15:46 -0400
+Subject: rpc_pipefs: fix double-dput()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 4a3877c4cedd95543f8726b0a98743ed8db0c0fb upstream.
+
+if we ever hit rpc_gssd_dummy_depopulate() dentry passed to
+it has refcount equal to 1.  __rpc_rmpipe() drops it and
+dput() done after that hits an already freed dentry.
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/rpc_pipe.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -1375,6 +1375,7 @@ rpc_gssd_dummy_depopulate(struct dentry
+       struct dentry *clnt_dir = pipe_dentry->d_parent;
+       struct dentry *gssd_dir = clnt_dir->d_parent;
++      dget(pipe_dentry);
+       __rpc_rmpipe(d_inode(clnt_dir), pipe_dentry);
+       __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1);
+       __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1);
index 12b9df58d5d1fb4088571dbfcbf1c6b3c6257d11..c44d5998da9126ea2b81b51982bada0ad2bf3c1c 100644 (file)
@@ -83,3 +83,10 @@ mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
 powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
 powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
 udf-fix-leak-of-utf-16-surrogates-into-encoded-strings.patch
+jffs2_kill_sb-deal-with-failed-allocations.patch
+hypfs_kill_super-deal-with-failed-allocations.patch
+orangefs_kill_sb-deal-with-allocation-failures.patch
+rpc_pipefs-fix-double-dput.patch
+don-t-leak-mnt_internal-away-from-internal-mounts.patch
+autofs-mount-point-create-should-honour-passed-in-mode.patch
+mm-filemap.c-fix-null-pointer-in-page_cache_tree_insert.patch