From: Greg Kroah-Hartman
Date: Wed, 22 Nov 2017 09:31:28 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v3.18.84~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92e81833a17226ca78da622fb8c76f8676b01f3d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
      coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
---
diff --git a/queue-4.14/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch b/queue-4.14/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
new file mode 100644
index 00000000000..b55e8e1a087
--- /dev/null
+++ b/queue-4.14/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
@@ -0,0 +1,41 @@ +From d337b66a4c52c7b04eec661d86c2ef6e168965a2 Mon Sep 17 00:00:00 2001 +From: Jan Harkes +Date: Wed, 27 Sep 2017 15:52:12 -0400 +Subject: coda: fix 'kernel memory exposure attempt' in fsync + +From: Jan Harkes + +commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream. + +When an application called fsync on a file in Coda a small request with +just the file identifier was allocated, but the declared length was set +to the size of union of all possible upcall requests. + +This bug has been around for a very long time and is now caught by the +extra checking in usercopy that was introduced in Linux-4.8. + +The exposure happens when the Coda cache manager process reads the fsync +upcall request at which point it is killed. As a result there is nobody +servicing any further upcalls, trapping any processes that try to access +the mounted Coda filesystem. + +Signed-off-by: Jan Harkes +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/coda/upcall.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/coda/upcall.c ++++ b/fs/coda/upcall.c +@@ -447,8 +447,7 @@ int venus_fsync(struct super_block *sb, + UPARG(CODA_FSYNC); + + inp->coda_fsync.VFid = *fid; +- error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs), +- &outsize, inp); ++ error = coda_upcall(coda_vcp(sb), insize, &outsize, inp); + + CODA_FREE(inp, insize); + return error; diff --git a/queue-4.14/mm-swap-fix-false-error-message-in-__swp_swapcount.patch b/queue-4.14/mm-swap-fix-false-error-message-in-__swp_swapcount.patch deleted file mode 100644 index 9aa1f168154..00000000000 --- a/queue-4.14/mm-swap-fix-false-error-message-in-__swp_swapcount.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From e9a6effa500526e2a19d5ad042cb758b55b1ef93 Mon Sep 17 00:00:00 2001 -From: Huang Ying -Date: Wed, 15 Nov 2017 17:33:15 -0800 -Subject: mm, swap: fix false error message in __swp_swapcount() - -From: Huang Ying - -commit e9a6effa500526e2a19d5ad042cb758b55b1ef93 upstream. - -When a page fault occurs for a swap entry, the physical swap readahead -(not the VMA base swap readahead) may readahead several swap entries -after the fault swap entry. The readahead algorithm calculates some of -the swap entries to readahead via increasing the offset of the fault -swap entry without checking whether they are beyond the end of the swap -device and it relys on the __swp_swapcount() and swapcache_prepare() to -check it. Although __swp_swapcount() checks for the swap entry passed -in, it will complain with the error message as follow for the expected -invalid swap entry. This may make the end users confused. - - swap_info_get: Bad swap offset entry 0200f8a7 - -To fix the false error message, the swap entry checking is added in -swapin_readahead() to avoid to pass the out-of-bound swap entries and -the swap entry reserved for the swap header to __swp_swapcount() and -swapcache_prepare(). 
- -Link: http://lkml.kernel.org/r/20171102054225.22897-1-ying.huang@intel.com -Fixes: e8c26ab60598 ("mm/swap: skip readahead for unreferenced swap slots") -Signed-off-by: "Huang, Ying" -Reported-by: Christian Kujau -Acked-by: Minchan Kim -Suggested-by: Minchan Kim -Cc: Tim Chen -Cc: Michal Hocko -Cc: Hugh Dickins -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/swap_state.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/mm/swap_state.c -+++ b/mm/swap_state.c -@@ -559,6 +559,7 @@ struct page *swapin_readahead(swp_entry_ - unsigned long offset = entry_offset; - unsigned long start_offset, end_offset; - unsigned long mask; -+ struct swap_info_struct *si = swp_swap_info(entry); - struct blk_plug plug; - bool do_poll = true, page_allocated; - -@@ -572,6 +573,8 @@ struct page *swapin_readahead(swp_entry_ - end_offset = offset | mask; - if (!start_offset) /* First page is swap header. */ - start_offset++; -+ if (end_offset >= si->max) -+ end_offset = si->max - 1; - - blk_start_plug(&plug); - for (offset = start_offset; offset <= end_offset ; offset++) { diff --git a/queue-4.14/series b/queue-4.14/series index 64f271ece7d..4f00aaf1188 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -13,6 +13,6 @@ mm-pagewalk.c-report-holes-in-hugetlb-ranges.patch ocfs2-fix-cluster-hang-after-a-node-dies.patch ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr.patch ipmi-fix-unsigned-long-underflow.patch -mm-swap-fix-false-error-message-in-__swp_swapcount.patch mm-page_alloc.c-broken-deferred-calculation.patch mm-page_ext.c-check-if-page_ext-is-not-prepared.patch +coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
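Review bot: in the fs/coda/upcall.c hunk (venus_fsync(), @@ -447,8 +447,7 @@) the length handed to coda_upcall() now matches the buffer that CODA_FREE(inp, insize) releases two lines later, which is the invariant that matters: the declared request length must never exceed the allocation set up by UPARG(CODA_FSYNC), otherwise the cache manager's read of the upcall copies kernel memory past the end of the request and the usercopy hardening kills it, as the commit message describes. The hunk only changes this one caller; before queuing, check the other coda_upcall() call sites in fs/coda/upcall.c for the same `sizeof(union inputArgs)` argument, since any of them would fail in exactly the same way. The commit message also carries no Fixes: tag or stable Cc:, so stable maintainers have nothing to tell them which branches the bug reaches beyond the statement that it "has been around for a very long time"; adding the originating commit would make that decision mechanical.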
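Review bot: the commit message names only the added coda patch, but the diff also deletes queue-4.14/mm-swap-fix-false-error-message-in-__swp_swapcount.patch and drops its entry from queue-4.14/series without giving a reason. State why the swap readahead fix (upstream e9a6effa500526e2a19d5ad042cb758b55b1ef93, already acked and with a Fixes: tag for e8c26ab60598) leaves the 4.14 queue, for example that it was deferred, superseded or already released, so a later reader of the queue history does not take the removal for an accidental loss of a reviewed fix. The series hunk itself is consistent with the file deletion and the new coda entry, so only the rationale is missing.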