From: Greg Kroah-Hartman Date: Wed, 25 Oct 2017 09:47:38 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.78~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=921a6141d4900daf7cdc40574141aee98736f444;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: fs-cache-fix-dereference-of-null-user_key_payload.patch --- diff --git a/queue-3.18/fs-cache-fix-dereference-of-null-user_key_payload.patch b/queue-3.18/fs-cache-fix-dereference-of-null-user_key_payload.patch new file mode 100644 index 00000000000..f62452f2762 --- /dev/null +++ b/queue-3.18/fs-cache-fix-dereference-of-null-user_key_payload.patch 
@@ -0,0 +1,45 @@ +From d124b2c53c7bee6569d2a2d0b18b4a1afde00134 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Oct 2017 12:40:00 -0700 +Subject: FS-Cache: fix dereference of NULL user_key_payload + +From: Eric Biggers + +commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream. + +When the file /proc/fs/fscache/objects (available with +CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with +description "fscache:objlist", then access its payload. However, a +revoked key has a NULL payload, and we failed to check for this. +request_key() *does* skip revoked keys, but there is still a window +where the key can be revoked before we access its payload. + +Fix it by checking for a NULL payload, treating it like a key which was +already revoked at the time it was requested. + +Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped") +Reviewed-by: James Morris +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fscache/object-list.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/fscache/object-list.c ++++ b/fs/fscache/object-list.c +@@ -330,6 +330,13 @@ static void fscache_objlist_config(struc + rcu_read_lock(); + + confkey = key->payload.data; ++ if (!confkey) { ++ /* key was revoked */ ++ rcu_read_unlock(); ++ key_put(key); ++ goto no_config; ++ } ++ + buf = confkey->data; + + for (len = confkey->datalen - 1; len >= 0; len--) { diff --git a/queue-3.18/series b/queue-3.18/series index 10377a76fba..e402baa67c9 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -18,3 +18,4 @@ cls_api.c-fix-dumping-of-non-existing-actions-stats.patch parisc-avoid-trashing-sr2-and-sr3-in-lws-code.patch parisc-fix-double-word-compare-and-exchange-in-lws-code-on-32-bit-kernels.patch af_packet-don-t-pass-empty-blocks-for-packet_v3.patch +fs-cache-fix-dereference-of-null-user_key_payload.patch
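Review bot: the new error path in the inner fs/fscache/object-list.c hunk, `rcu_read_unlock(); key_put(key); goto no_config;`, is only safe if the `no_config` label sits after the existing unlock/key_put pair rather than before it; please confirm on the 3.18 tree that the label does not release the key a second time, since the surrounding context of that label is not part of the hunk. Two smaller points on the same hunk: `confkey = key->payload.data;` is a plain load taken right after `rcu_read_lock()`, and since the whole reason for this fix is that revocation can swap the payload to NULL concurrently, that read should go through `rcu_dereference(key->payload.data)` so the NULL check is made on a single, stable value; and the `/* key was revoked */` comment would be clearer if it noted that request_key() skips revoked keys but the key can still be revoked between the lookup and this read, which is the window the commit message describes.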