From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 12 Jul 2012 15:51:47 +0000 (-0700)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.37~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1623a188ce660a533da76c60a0a12372b8832f15;p=thirdparty%2Fkernel%2Fstable-queue.git

3.0-stable patches

added patches:
	3.0-mm-Hold-a-file-reference-in-madvise_remove.patch
---

diff --git a/queue-3.0/3.0-mm-Hold-a-file-reference-in-madvise_remove.patch b/queue-3.0/3.0-mm-Hold-a-file-reference-in-madvise_remove.patch
new file mode 100644
index 00000000000..f75dbce9600
--- /dev/null
+++ b/queue-3.0/3.0-mm-Hold-a-file-reference-in-madvise_remove.patch
@@ -0,0 +1,80 @@
+From a88e489ab2bd7d0b50a8782b948a58b38d4d239a Mon Sep 17 00:00:00 2001
+Message-Id: <a88e489ab2bd7d0b50a8782b948a58b38d4d239a.1342049669.git.luto@amacapital.net>
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Thu, 5 Jul 2012 16:00:11 -0700
+Subject: mm: Hold a file reference in madvise_remove
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb upstream.
+
+Otherwise the code races with munmap (causing a use-after-free
+of the vma) or with close (causing a use-after-free of the struct
+file).
+
+The bug was introduced by commit 90ed52ebe481 ("[PATCH] holepunch: fix
+mmap_sem i_mutex deadlock")
+
+[bwh: Backported to 3.2:
+ - Adjust context
+ - madvise_remove() calls vmtruncate_range(), not do_fallocate()]
+[luto: Backported to 3.0: Adjust context]
+
+Cc: Hugh Dickins <hugh@veritas.com>
+Cc: Miklos Szeredi <mszeredi@suse.cz>
+Cc: Badari Pulavarty <pbadari@us.ibm.com>
+Cc: Nick Piggin <npiggin@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/madvise.c |   16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -13,6 +13,7 @@
+ #include <linux/hugetlb.h>
+ #include <linux/sched.h>
+ #include <linux/ksm.h>
++#include <linux/file.h>
+ 
+ /*
+  * Any behaviour which results in changes to the vma->vm_flags needs to
+@@ -197,14 +198,16 @@ static long madvise_remove(struct vm_are
+ 	struct address_space *mapping;
+ 	loff_t offset, endoff;
+ 	int error;
++	struct file *f;
+ 
+ 	*prev = NULL;	/* tell sys_madvise we drop mmap_sem */
+ 
+ 	if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
+ 		return -EINVAL;
+ 
+-	if (!vma->vm_file || !vma->vm_file->f_mapping
+-		|| !vma->vm_file->f_mapping->host) {
++	f = vma->vm_file;
++
++	if (!f || !f->f_mapping || !f->f_mapping->host) {
+ 			return -EINVAL;
+ 	}
+ 
+@@ -218,9 +221,16 @@ static long madvise_remove(struct vm_are
+ 	endoff = (loff_t)(end - vma->vm_start - 1)
+ 			+ ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
+ 
+-	/* vmtruncate_range needs to take i_mutex and i_alloc_sem */
++	/*
++	 * vmtruncate_range may need to take i_mutex and i_alloc_sem.
++	 * We need to explicitly grab a reference because the vma (and
++	 * hence the vma's reference to the file) can go away as soon as
++	 * we drop mmap_sem.
++	 */
++	get_file(f);
+ 	up_read(&current->mm->mmap_sem);
+ 	error = vmtruncate_range(mapping->host, offset, endoff);
++	fput(f);
+ 	down_read(&current->mm->mmap_sem);
+ 	return error;
+ }
diff --git a/queue-3.0/series b/queue-3.0/series
index 5610ce51033..d4a413a9501 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -63,3 +63,4 @@ memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch
 drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch
 mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch
 fs-ramfs-file-nommu-add-setpageuptodate.patch
+3.0-mm-Hold-a-file-reference-in-madvise_remove.patch