From: Greg Kroah-Hartman Date: Wed, 7 Feb 2018 20:07:31 +0000 (-0800) Subject: 4.4-stable patches X-Git-Tag: v4.15.3~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d653412282b385cd59258cfe281f19ef1dbafc2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: don-t-put-symlink-bodies-in-pagecache-into-highmem.patch keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch
---
diff --git a/queue-4.4/don-t-put-symlink-bodies-in-pagecache-into-highmem.patch b/queue-4.4/don-t-put-symlink-bodies-in-pagecache-into-highmem.patch
new file mode 100644
index 00000000000..65673f2c895
--- /dev/null
+++ b/queue-4.4/don-t-put-symlink-bodies-in-pagecache-into-highmem.patch
@@ -0,0 +1,146 @@
+From 21fc61c73c3903c4c312d0802da01ec2b323d174 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Tue, 17 Nov 2015 01:07:57 -0500
+Subject: don't put symlink bodies in pagecache into highmem
+
+From: Al Viro
+
+commit 21fc61c73c3903c4c312d0802da01ec2b323d174 upstream.
+
+kmap() in page_follow_link_light() needed to go - allowing to hold
+an arbitrary number of kmaps for long is a great way to deadlocking
+the system.
+
+new helper (inode_nohighmem(inode)) needs to be used for pagecache
+symlinks inodes; done for all in-tree cases. page_follow_link_light()
+instrumented to yell about anything missed.
+
+Signed-off-by: Al Viro
+Signed-off-by: Jin Qian
+Signed-off-by: Jin Qian
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/inode.c | 1 +
+ fs/ext4/namei.c | 1 +
+ fs/ext4/symlink.c | 10 +++-------
+ fs/f2fs/inode.c | 1 +
+ fs/f2fs/namei.c | 5 ++---
+ fs/inode.c | 6 ++++++
+ include/linux/fs.h | 1 +
+ 7 files changed, 15 insertions(+), 10 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4417,6 +4417,7 @@ struct inode *ext4_iget(struct super_blo
+ inode->i_op = &ext4_symlink_inode_operations;
+ ext4_set_aops(inode);
+ }
++ inode_nohighmem(inode);
+ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
+ inode->i_op = &ext4_special_inode_operations;
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3151,6 +3151,7 @@ static int ext4_symlink(struct inode *di
+ if ((disk_link.len > EXT4_N_BLOCKS * 4)) {
+ if (!encryption_required)
+ inode->i_op = &ext4_symlink_inode_operations;
++ inode_nohighmem(inode);
+ ext4_set_aops(inode);
+ /*
+ * We cannot call page_symlink() with transaction started
+--- a/fs/ext4/symlink.c
++++ b/fs/ext4/symlink.c
+@@ -45,7 +45,7 @@ static const char *ext4_encrypted_follow
+ cpage = read_mapping_page(inode->i_mapping, 0, NULL);
+ if (IS_ERR(cpage))
+ return ERR_CAST(cpage);
+- caddr = kmap(cpage);
++ caddr = page_address(cpage);
+ caddr[size] = 0;
+ }
+
+@@ -75,16 +75,12 @@ static const char *ext4_encrypted_follow
+ /* Null-terminate the name */
+ if (res <= plen)
+ paddr[res] = '\0';
+- if (cpage) {
+- kunmap(cpage);
++ if (cpage)
+ page_cache_release(cpage);
+- }
+ return *cookie = paddr;
+ errout:
+- if (cpage) {
+- kunmap(cpage);
++ if (cpage)
+ page_cache_release(cpage);
+- }
+ kfree(paddr);
+ return ERR_PTR(res);
+ }
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -202,6 +202,7 @@ make_now:
+ inode->i_op = &f2fs_encrypted_symlink_inode_operations;
+ else
+ inode->i_op = &f2fs_symlink_inode_operations;
++ inode_nohighmem(inode);
+ inode->i_mapping->a_ops = &f2fs_dblock_aops;
+ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -351,6 +351,7 @@ static int f2fs_symlink(struct inode *di
+ inode->i_op = &f2fs_encrypted_symlink_inode_operations;
+ else
+ inode->i_op = &f2fs_symlink_inode_operations;
++ inode_nohighmem(inode);
+ inode->i_mapping->a_ops = &f2fs_dblock_aops;
+
+ f2fs_lock_op(sbi);
+@@ -942,7 +943,7 @@ static const char *f2fs_encrypted_follow
+ cpage = read_mapping_page(inode->i_mapping, 0, NULL);
+ if (IS_ERR(cpage))
+ return ERR_CAST(cpage);
+- caddr = kmap(cpage);
++ caddr = page_address(cpage);
+ caddr[size] = 0;
+
+ /* Symlink is encrypted */
+@@ -982,13 +983,11 @@ static const char *f2fs_encrypted_follow
+ /* Null-terminate the name */
+ paddr[res] = '\0';
+
+- kunmap(cpage);
+ page_cache_release(cpage);
+ return *cookie = paddr;
+ errout:
+ kfree(cstr.name);
+ f2fs_fname_crypto_free_buffer(&pstr);
+- kunmap(cpage);
+ page_cache_release(cpage);
+ return ERR_PTR(res);
+ }
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -2028,3 +2028,9 @@ void inode_set_flags(struct inode *inode
+ new_flags) != old_flags));
+ }
+ EXPORT_SYMBOL(inode_set_flags);
++
++void inode_nohighmem(struct inode *inode)
++{
++ mapping_set_gfp_mask(inode->i_mapping, GFP_USER);
++}
++EXPORT_SYMBOL(inode_nohighmem);
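Review bot: inode_nohighmem() in fs/inode.c is exported without any comment stating the ordering contract that the ext4 and f2fs hunks above now depend on. In ext4_encrypted_follow_link() and f2fs_encrypted_follow_link(), `caddr = page_address(cpage); caddr[size] = 0;` is only safe if highmem was excluded from the mapping's gfp mask before the page was allocated, because page_address() on an unmapped highmem page returns NULL. I would document that above the helper, e.g. `/* Must be called before any page is added to inode->i_mapping; callers then use page_address() on pagecache pages without kmap(). */`. The description says page_follow_link_light() was instrumented to catch missed inodes, but this backport's diffstat lists no fs/namei.c change, so that check appears not to be included here; it is worth confirming, or adding `BUG_ON(mapping_gfp_mask(inode->i_mapping) & __GFP_HIGHMEM);` before the two page_address() calls.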
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3066,5 +3066,6 @@ static inline bool dir_relax(struct inod
+ }
+
+ extern bool path_noexec(const struct path *path);
++extern void inode_nohighmem(struct inode *inode);
+
+ #endif /* _LINUX_FS_H */
diff --git a/queue-4.4/keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch b/queue-4.4/keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch
new file mode 100644
index 00000000000..614f8f12861
--- /dev/null
+++ b/queue-4.4/keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch
@@ -0,0 +1,68 @@
+From 794b4bc292f5d31739d89c0202c54e7dc9bc3add Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 8 Jun 2017 14:48:18 +0100
+Subject: KEYS: encrypted: fix buffer overread in valid_master_desc()
+
+From: Eric Biggers
+
+commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add upstream.
+
+With the 'encrypted' key type it was possible for userspace to provide a
+data blob ending with a master key description shorter than expected,
+e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a
+master key description, validate_master_desc() could read beyond the end
+of the buffer. Fix this by using strncmp() instead of memcmp(). [Also
+clean up the code to deduplicate some logic.]
+
+Cc: Mimi Zohar
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Jin Qian
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/encrypted-keys/encrypted.c | 31 +++++++++++++++----------------
+ 1 file changed, 15 insertions(+), 16 deletions(-)
+
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const cha
+ */
+ static int valid_master_desc(const char *new_desc, const char *orig_desc)
+ {
+- if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
+- if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
+- goto out;
+- if (orig_desc)
+- if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
+- goto out;
+- } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
+- if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
+- goto out;
+- if (orig_desc)
+- if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
+- goto out;
+- } else
+- goto out;
++ int prefix_len;
++
++ if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
++ prefix_len = KEY_TRUSTED_PREFIX_LEN;
++ else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
++ prefix_len = KEY_USER_PREFIX_LEN;
++ else
++ return -EINVAL;
++
++ if (!new_desc[prefix_len])
++ return -EINVAL;
++
++ if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
++ return -EINVAL;
++
+ return 0;
+-out:
+- return -EINVAL;
+ }
+
+ /*
diff --git a/queue-4.4/media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch b/queue-4.4/media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch
new file mode 100644
index 00000000000..893f071288b
--- /dev/null
+++ b/queue-4.4/media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch
@@ -0,0 +1,38 @@
+From 5331aec1bf9c9da557668174e0a4bfcee39f1121 Mon Sep 17 00:00:00 2001
+From: Jesse Chan
+Date: Mon, 20 Nov 2017 15:56:28 -0500
+Subject: media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
+
+From: Jesse Chan
+
+commit 5331aec1bf9c9da557668174e0a4bfcee39f1121 upstream.
+
+This change resolves a new compile-time warning
+when built as a loadable module:
+
+WARNING: modpost: missing MODULE_LICENSE() in drivers/media/platform/soc_camera/soc_scale_crop.o
+see include/linux/module.h for more information
+
+This adds the license as "GPL", which matches the header of the file.
+
+MODULE_DESCRIPTION and MODULE_AUTHOR are also added.
+
+Signed-off-by: Jesse Chan
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/soc_camera/soc_scale_crop.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/platform/soc_camera/soc_scale_crop.c
++++ b/drivers/media/platform/soc_camera/soc_scale_crop.c
+@@ -405,3 +405,7 @@ void soc_camera_calc_client_output(struc
+ mf->height = soc_camera_shift_scale(rect->height, shift, scale_v);
+ }
+ EXPORT_SYMBOL(soc_camera_calc_client_output);
++
++MODULE_DESCRIPTION("soc-camera scaling-cropping functions");
++MODULE_AUTHOR("Guennadi Liakhovetski ");
++MODULE_LICENSE("GPL");
diff --git a/queue-4.4/series b/queue-4.4/series
index 896c1345c63..74d6a0a6b6e 100644
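Review bot: In valid_master_desc() (security/keys/encrypted-keys/encrypted.c) the new code does not record why strncmp() replaces memcmp(), and that reason is the security property the fix rests on. new_desc is a NUL-terminated string taken from a userspace-supplied blob and may be shorter than the prefix, so a fixed-length memcmp() reads past the terminator while strncmp() stops at it. I would add above the first comparison `/* new_desc may be shorter than the prefix; strncmp() stops at its NUL, memcmp() would overread */`. The later `new_desc[prefix_len]` read is in bounds only because a successful strncmp() has already shown that prefix_len non-NUL bytes precede it (assuming the *_PREFIX_LEN macros, defined outside this hunk, equal the prefix string lengths), so the comment should also say the checks must stay in this order. As a style point, `prefix_len` is passed as strncmp()'s size_t count and could be declared `size_t prefix_len;` instead of `int`.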
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -30,3 +30,6 @@ qlcnic-fix-deadlock-bug.patch
 r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch
 tcp-release-sk_frag.page-in-tcp_disconnect.patch
 vhost_net-stop-device-during-reset-owner.patch
+media-soc_camera-soc_scale_crop-add-missing-module_description-author-license.patch
+keys-encrypted-fix-buffer-overread-in-valid_master_desc.patch
+don-t-put-symlink-bodies-in-pagecache-into-highmem.patch