From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 5 Apr 2022 06:03:08 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v5.17.2~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d47fae95a4f725aa28f90e02ab64f2cb3ec379b;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	coredump-remove-the-warn_on-in-dump_vma_snapshot.patch
---

diff --git a/queue-5.10/coredump-remove-the-warn_on-in-dump_vma_snapshot.patch b/queue-5.10/coredump-remove-the-warn_on-in-dump_vma_snapshot.patch
new file mode 100644
index 00000000000..caa068dce7f
--- /dev/null
+++ b/queue-5.10/coredump-remove-the-warn_on-in-dump_vma_snapshot.patch
@@ -0,0 +1,40 @@
+From 49c1866348f364478a0c4d3dd13fd08bb82d3a5b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 8 Mar 2022 13:01:19 -0600
+Subject: coredump: Remove the WARN_ON in dump_vma_snapshot
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 49c1866348f364478a0c4d3dd13fd08bb82d3a5b upstream.
+
+The condition is impossible and to the best of my knowledge has never
+triggered.
+
+We are in deep trouble if that conditions happens and we walk past
+the end of our allocated array.
+
+So delete the WARN_ON and the code that makes it look like the kernel
+can handle the case of walking past the end of it's vma_meta array.
+
+Reviewed-by: Jann Horn <jannh@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/coredump.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -1123,11 +1123,6 @@ int dump_vma_snapshot(struct coredump_pa
+ 
+ 	mmap_write_unlock(mm);
+ 
+-	if (WARN_ON(i != *vma_count)) {
+-		kvfree(*vma_meta);
+-		return -EFAULT;
+-	}
+-
+ 	for (i = 0; i < *vma_count; i++) {
+ 		struct core_vma_metadata *m = (*vma_meta) + i;
+ 
diff --git a/queue-5.10/series b/queue-5.10/series
index d77f79affa5..b4b856fe1fd 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -592,3 +592,4 @@ openvswitch-fixed-nd-target-mask-field-in-the-flow-dump.patch
 kvm-x86-mmu-do-compare-and-exchange-of-gpte-via-the-user-address.patch
 can-m_can-m_can_tx_handler-fix-use-after-free-of-skb.patch
 can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch
+coredump-remove-the-warn_on-in-dump_vma_snapshot.patch