From: Greg Kroah-Hartman
Date: Tue, 5 Sep 2017 06:22:23 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.70~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=038cac16d1083a90aa4df4492a0d3ef6c56df4cb;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches added patches: crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
---
diff --git a/queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch b/queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
new file mode 100644
index 00000000000..5d552e73291
--- /dev/null
+++ b/queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
@@ -0,0 +1,44 @@
+From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001
+From: Stephan Mueller
+Date: Wed, 16 Aug 2017 11:56:24 +0200
+Subject: crypto: algif_skcipher - only call put_page on referenced and used pages
+
+From: Stephan Mueller
+
+commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream.
+
+For asynchronous operation, SGs are allocated without a page mapped to
+them or with a page that is not used (ref-counted). If the SGL is freed,
+the code must only call put_page for an SG if there was a page assigned
+and ref-counted in the first place.
+
+This fixes a kernel crash when using io_submit with more than one iocb
+using the sendmsg and sendpage (vmsplice/splice) interface.
+
+Signed-off-by: Stephan Mueller
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ crypto/algif_skcipher.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -86,8 +86,13 @@ static void skcipher_free_async_sgls(str
+ }
+ sgl = sreq->tsg;
+ n = sg_nents(sgl);
+- for_each_sg(sgl, sg, n, i)
+- put_page(sg_page(sg));
++ for_each_sg(sgl, sg, n, i) {
++ struct page *page = sg_page(sg);
++
++ /* some SGs may not have a page mapped */
++ if (page && atomic_read(&page->_count))
++ put_page(page);
++ }
+ 
+ kfree(sreq->tsg);
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
index af8c9fa295f..87c5631da7e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -13,3 +13,4 @@ drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
 kvm-arm-arm64-fix-race-in-resetting-stage2-pgd.patch
 kvm-arm-arm64-force-reading-uncached-stage2-pgd.patch
 epoll-fix-race-between-ep_poll_callback-pollfree-and-ep_free-ep_remove.patch
+crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
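Review bot: In the queued crypto/algif_skcipher.c change, the guard `if (page && atomic_read(&page->_count))` in skcipher_free_async_sgls() tests whether anyone holds a reference to the page, not whether this SG entry took the reference that `put_page(page)` then drops. If an entry can carry a page pointer that the request never pinned while some other holder keeps the count non-zero, the loop would still release a reference it does not own, and the page could be freed early; whether that state is reachable depends on the allocation path, which is outside this hunk. The in-code comment should at least state the ownership assumption, e.g. `/* entries may have no page, or a page this request never took a reference on */`, and recording per entry whether a reference was taken would be sturdier than reading the live refcount. The function body begins before the hunk's first context line, so the check on how `sreq->tsg` is populated could not be made from here.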