From: Greg Kroah-Hartman Date: Sun, 14 Aug 2016 18:36:49 +0000 (+0200) Subject: 3.14-stable patches X-Git-Tag: v3.14.76~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d8a4a511654ac3ba6df49c1568bd9a832ac55345;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: block-fix-use-after-free-in-seq-file.patch crypto-gcm-filter-out-async-ghash-if-necessary.patch crypto-scatterwalk-fix-test-in-scatterwalk_done.patch ext4-check-for-extents-that-wrap-around.patch ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch ext4-fix-deadlock-during-page-writeback.patch ext4-short-cut-orphan-cleanup-on-error.patch fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch sysv-ipc-fix-security-layer-leaking.patch --- diff --git a/queue-3.14/block-fix-use-after-free-in-seq-file.patch b/queue-3.14/block-fix-use-after-free-in-seq-file.patch new file mode 100644 index 00000000000..7db6b66c9ef --- /dev/null +++ b/queue-3.14/block-fix-use-after-free-in-seq-file.patch @@ -0,0 +1,112 @@ +From 77da160530dd1dc94f6ae15a981f24e5f0021e84 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Fri, 29 Jul 2016 10:40:31 +0200 +Subject: block: fix use-after-free in seq file + +From: Vegard Nossum + +commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream. + +I got a KASAN report of use-after-free: + + ================================================================== + BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508 + Read of size 8 by task trinity-c1/315 + ============================================================================= + BUG kmalloc-32 (Not tainted): kasan: bad access detected + ----------------------------------------------------------------------------- + + Disabling lock debugging due to kernel taint + INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315 + ___slab_alloc+0x4f1/0x520 + __slab_alloc.isra.58+0x56/0x80 + kmem_cache_alloc_trace+0x260/0x2a0 + disk_seqf_start+0x66/0x110 + traverse+0x176/0x860 + seq_read+0x7e3/0x11a0 + proc_reg_read+0xbc/0x180 + do_loop_readv_writev+0x134/0x210 + do_readv_writev+0x565/0x660 + vfs_readv+0x67/0xa0 + do_preadv+0x126/0x170 + SyS_preadv+0xc/0x10 + do_syscall_64+0x1a1/0x460 + return_from_SYSCALL_64+0x0/0x6a + INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315 + __slab_free+0x17a/0x2c0 + kfree+0x20a/0x220 + disk_seqf_stop+0x42/0x50 + traverse+0x3b5/0x860 + seq_read+0x7e3/0x11a0 + proc_reg_read+0xbc/0x180 + do_loop_readv_writev+0x134/0x210 + do_readv_writev+0x565/0x660 + vfs_readv+0x67/0xa0 + do_preadv+0x126/0x170 + SyS_preadv+0xc/0x10 + do_syscall_64+0x1a1/0x460 + return_from_SYSCALL_64+0x0/0x6a + + CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 + ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480 + ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480 + ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970 + Call Trace: + [] dump_stack+0x65/0x84 + [] print_trailer+0x10d/0x1a0 + [] object_err+0x2f/0x40 + [] kasan_report_error+0x221/0x520 + [] __asan_report_load8_noabort+0x3e/0x40 + [] klist_iter_exit+0x61/0x70 + [] class_dev_iter_exit+0x9/0x10 + [] disk_seqf_stop+0x3a/0x50 + [] seq_read+0x4b2/0x11a0 + [] proc_reg_read+0xbc/0x180 + [] do_loop_readv_writev+0x134/0x210 + [] do_readv_writev+0x565/0x660 + [] vfs_readv+0x67/0xa0 + [] do_preadv+0x126/0x170 + [] SyS_preadv+0xc/0x10 + +This problem can occur in the following situation: + +open() + - pread() + - .seq_start() + - iter = kmalloc() // succeeds + - seqf->private = iter + - .seq_stop() + - kfree(seqf->private) + - pread() + - .seq_start() + - iter = kmalloc() // fails + - .seq_stop() + - class_dev_iter_exit(seqf->private) // boom! old pointer + +As the comment in disk_seqf_stop() says, stop is called even if start +failed, so we need to reinitialise the private pointer to NULL when seq +iteration stops. + +An alternative would be to set the private pointer to NULL when the +kmalloc() in disk_seqf_start() fails. + +Signed-off-by: Vegard Nossum +Acked-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/genhd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_fi + if (iter) { + class_dev_iter_exit(iter); + kfree(iter); ++ seqf->private = NULL; + } + } + diff --git a/queue-3.14/crypto-gcm-filter-out-async-ghash-if-necessary.patch b/queue-3.14/crypto-gcm-filter-out-async-ghash-if-necessary.patch new file mode 100644 index 00000000000..9681d2fe73e --- /dev/null +++ b/queue-3.14/crypto-gcm-filter-out-async-ghash-if-necessary.patch @@ -0,0 +1,36 @@ +From b30bdfa86431afbafe15284a3ad5ac19b49b88e3 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Wed, 15 Jun 2016 22:27:05 +0800 +Subject: crypto: gcm - Filter out async ghash if necessary + +From: Herbert Xu + +commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3 upstream. + +As it is if you ask for a sync gcm you may actually end up with +an async one because it does not filter out async implementations +of ghash. + +This patch fixes this by adding the necessary filter when looking +for ghash. + +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/gcm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/crypto/gcm.c ++++ b/crypto/gcm.c +@@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gc + + ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type, + CRYPTO_ALG_TYPE_HASH, +- CRYPTO_ALG_TYPE_AHASH_MASK); ++ CRYPTO_ALG_TYPE_AHASH_MASK | ++ crypto_requires_sync(algt->type, ++ algt->mask)); + if (IS_ERR(ghash_alg)) + return ERR_CAST(ghash_alg); + diff --git a/queue-3.14/crypto-scatterwalk-fix-test-in-scatterwalk_done.patch b/queue-3.14/crypto-scatterwalk-fix-test-in-scatterwalk_done.patch new file mode 100644 index 00000000000..1f44d537416 --- /dev/null +++ b/queue-3.14/crypto-scatterwalk-fix-test-in-scatterwalk_done.patch @@ -0,0 +1,39 @@ +From 5f070e81bee35f1b7bd1477bb223a873ff657803 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Tue, 12 Jul 2016 13:17:57 +0800 +Subject: crypto: scatterwalk - Fix test in scatterwalk_done + +From: Herbert Xu + +commit 5f070e81bee35f1b7bd1477bb223a873ff657803 upstream. + +When there is more data to be processed, the current test in +scatterwalk_done may prevent us from calling pagedone even when +we should. + +In particular, if we're on an SG entry spanning multiple pages +where the last page is not a full page, we will incorrectly skip +calling pagedone on the second last page. + +This patch fixes this by adding a separate test for whether we've +reached the end of a page. + +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/scatterwalk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/scatterwalk.c ++++ b/crypto/scatterwalk.c +@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct + + void scatterwalk_done(struct scatter_walk *walk, int out, int more) + { +- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more) ++ if (!more || walk->offset >= walk->sg->offset + walk->sg->length || ++ !(walk->offset & (PAGE_SIZE - 1))) + scatterwalk_pagedone(walk, out, more); + } + EXPORT_SYMBOL_GPL(scatterwalk_done); diff --git a/queue-3.14/ext4-check-for-extents-that-wrap-around.patch b/queue-3.14/ext4-check-for-extents-that-wrap-around.patch new file mode 100644 index 00000000000..8a8c17cc50e --- /dev/null +++ b/queue-3.14/ext4-check-for-extents-that-wrap-around.patch @@ -0,0 +1,55 @@ +From f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Thu, 30 Jun 2016 11:53:46 -0400 +Subject: ext4: check for extents that wrap around + +From: Vegard Nossum + +commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream. + +An extent with lblock = 4294967295 and len = 1 will pass the +ext4_valid_extent() test: + + ext4_lblk_t last = lblock + len - 1; + + if (len == 0 || lblock > last) + return 0; + +since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger +the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end(). + +We can simplify it by removing the - 1 altogether and changing the test +to use lblock + len <= lblock, since now if len = 0, then lblock + 0 == +lblock and it fails, and if len > 0 then lblock + len > lblock in order +to pass (i.e. it doesn't overflow). + +Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()") +Fixes: 2f974865f ("ext4: check for zero length extent explicitly") +Cc: Eryu Guan +Signed-off-by: Phil Turnbull +Signed-off-by: Vegard Nossum +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/extents.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -359,9 +359,13 @@ static int ext4_valid_extent(struct inod + ext4_fsblk_t block = ext4_ext_pblock(ext); + int len = ext4_ext_get_actual_len(ext); + ext4_lblk_t lblock = le32_to_cpu(ext->ee_block); +- ext4_lblk_t last = lblock + len - 1; + +- if (len == 0 || lblock > last) ++ /* ++ * We allow neither: ++ * - zero length ++ * - overflow/wrap-around ++ */ ++ if (lblock + len <= lblock) + return 0; + return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len); + } diff --git a/queue-3.14/ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch b/queue-3.14/ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch new file mode 100644 index 00000000000..4b5c76ded0a --- /dev/null +++ b/queue-3.14/ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch @@ -0,0 +1,44 @@ +From 6a7fd522a7c94cdef0a3b08acf8e6702056e635c Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Mon, 4 Jul 2016 11:03:00 -0400 +Subject: ext4: don't call ext4_should_journal_data() on the journal inode + +From: Vegard Nossum + +commit 6a7fd522a7c94cdef0a3b08acf8e6702056e635c upstream. + +If ext4_fill_super() fails early, it's possible for ext4_evict_inode() +to call ext4_should_journal_data() before superblock options and flags +are fully set up. In that case, the iput() on the journal inode can +end up causing a BUG(). + +Work around this problem by reordering the tests so we only call +ext4_should_journal_data() after we know it's not the journal inode. + +Fixes: 2d859db3e4 ("ext4: fix data corruption in inodes with journalled data") +Fixes: 2b405bfa84 ("ext4: fix data=journal fast mount/umount hang") +Cc: Jan Kara +Signed-off-by: Vegard Nossum +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -204,9 +204,9 @@ void ext4_evict_inode(struct inode *inod + * Note that directories do not have this problem because they + * don't use page cache. + */ +- if (ext4_should_journal_data(inode) && +- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) && +- inode->i_ino != EXT4_JOURNAL_INO) { ++ if (inode->i_ino != EXT4_JOURNAL_INO && ++ ext4_should_journal_data(inode) && ++ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) { + journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; + tid_t commit_tid = EXT4_I(inode)->i_datasync_tid; + diff --git a/queue-3.14/ext4-fix-deadlock-during-page-writeback.patch b/queue-3.14/ext4-fix-deadlock-during-page-writeback.patch new file mode 100644 index 00000000000..667ab624501 --- /dev/null +++ b/queue-3.14/ext4-fix-deadlock-during-page-writeback.patch @@ -0,0 +1,78 @@ +From 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 4 Jul 2016 10:14:01 -0400 +Subject: ext4: fix deadlock during page writeback + +From: Jan Kara + +commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 upstream. + +Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a +deadlock in ext4_writepages() which was previously much harder to hit. +After this commit xfstest generic/130 reproduces the deadlock on small +filesystems. + +The problem happens when ext4_do_update_inode() sets LARGE_FILE feature +and marks current inode handle as synchronous. That subsequently results +in ext4_journal_stop() called from ext4_writepages() to block waiting for +transaction commit while still holding page locks, reference to io_end, +and some prepared bio in mpd structure each of which can possibly block +transaction commit from completing and thus results in deadlock. + +Fix the problem by releasing page locks, io_end reference, and +submitting prepared bio before calling ext4_journal_stop(). + +[ Changed to defer the call to ext4_journal_stop() only if the handle + is synchronous. --tytso ] + +Reported-and-tested-by: Eryu Guan +Signed-off-by: Theodore Ts'o +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2579,13 +2579,36 @@ retry: + done = true; + } + } +- ext4_journal_stop(handle); ++ /* ++ * Caution: If the handle is synchronous, ++ * ext4_journal_stop() can wait for transaction commit ++ * to finish which may depend on writeback of pages to ++ * complete or on page lock to be released. In that ++ * case, we have to wait until after after we have ++ * submitted all the IO, released page locks we hold, ++ * and dropped io_end reference (for extent conversion ++ * to be able to complete) before stopping the handle. ++ */ ++ if (!ext4_handle_valid(handle) || handle->h_sync == 0) { ++ ext4_journal_stop(handle); ++ handle = NULL; ++ } + /* Submit prepared bio */ + ext4_io_submit(&mpd.io_submit); + /* Unlock pages we didn't use */ + mpage_release_unused_pages(&mpd, give_up_on_write); +- /* Drop our io_end reference we got from init */ +- ext4_put_io_end(mpd.io_submit.io_end); ++ /* ++ * Drop our io_end reference we got from init. We have ++ * to be careful and use deferred io_end finishing if ++ * we are still holding the transaction as we can ++ * release the last reference to io_end which may end ++ * up doing unwritten extent conversion. ++ */ ++ if (handle) { ++ ext4_put_io_end_defer(mpd.io_submit.io_end); ++ ext4_journal_stop(handle); ++ } else ++ ext4_put_io_end(mpd.io_submit.io_end); + + if (ret == -ENOSPC && sbi->s_journal) { + /* diff --git a/queue-3.14/ext4-short-cut-orphan-cleanup-on-error.patch b/queue-3.14/ext4-short-cut-orphan-cleanup-on-error.patch new file mode 100644 index 00000000000..104e50a4074 --- /dev/null +++ b/queue-3.14/ext4-short-cut-orphan-cleanup-on-error.patch @@ -0,0 +1,60 @@ +From c65d5c6c81a1f27dec5f627f67840726fcd146de Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Thu, 14 Jul 2016 23:21:35 -0400 +Subject: ext4: short-cut orphan cleanup on error + +From: Vegard Nossum + +commit c65d5c6c81a1f27dec5f627f67840726fcd146de upstream. + +If we encounter a filesystem error during orphan cleanup, we should stop. +Otherwise, we may end up in an infinite loop where the same inode is +processed again and again. + + EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended + EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters + Aborting journal on device loop0-8. + EXT4-fs (loop0): Remounting filesystem read-only + EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted + EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted + EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted + EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure + EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted + EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted + EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted + EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed! + [...] + EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed! + [...] + EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed! + [...] + +See-also: c9eb13a9105 ("ext4: fix hang when processing corrupted orphaned inode list") +Cc: Jan Kara +Signed-off-by: Vegard Nossum +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2222,6 +2222,16 @@ static void ext4_orphan_cleanup(struct s + while (es->s_last_orphan) { + struct inode *inode; + ++ /* ++ * We may have encountered an error during cleanup; if ++ * so, skip the rest. ++ */ ++ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) { ++ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n"); ++ es->s_last_orphan = 0; ++ break; ++ } ++ + inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan)); + if (IS_ERR(inode)) { + es->s_last_orphan = 0; diff --git a/queue-3.14/fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch b/queue-3.14/fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch new file mode 100644 index 00000000000..76664ad9d61 --- /dev/null +++ b/queue-3.14/fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch @@ -0,0 +1,31 @@ +From 9446385f05c9af25fed53dbed3cc75763730be52 Mon Sep 17 00:00:00 2001 +From: Wei Fang +Date: Mon, 25 Jul 2016 21:17:04 +0800 +Subject: fuse: fix wrong assignment of ->flags in fuse_send_init() + +From: Wei Fang + +commit 9446385f05c9af25fed53dbed3cc75763730be52 upstream. + +FUSE_HAS_IOCTL_DIR should be assigned to ->flags, it may be a typo. + +Signed-off-by: Wei Fang +Signed-off-by: Miklos Szeredi +Fixes: 69fe05c90ed5 ("fuse: add missing INIT flags") +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -911,7 +911,7 @@ static void fuse_send_init(struct fuse_c + arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC | + FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK | + FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ | +- FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA | ++ FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA | + FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO; + req->in.h.opcode = FUSE_INIT; + req->in.numargs = 1; diff --git a/queue-3.14/ib-security-restrict-use-of-the-write-interface.patch b/queue-3.14/ib-security-restrict-use-of-the-write-interface.patch index 3c451058226..40bb6d14498 100644 --- a/queue-3.14/ib-security-restrict-use-of-the-write-interface.patch +++ b/queue-3.14/ib-security-restrict-use-of-the-write-interface.patch @@ -108,7 +108,7 @@ Signed-off-by: Greg Kroah-Hartman ssize_t ret = 0; void *dest; -+ if (WARN_ON_ONCE(!ib_safe_file_access(filp))) ++ if (WARN_ON_ONCE(!ib_safe_file_access(fp))) + return -EACCES; + if (count < sizeof(cmd.type)) { diff --git a/queue-3.14/series b/queue-3.14/series index 7a573c7d260..185046ce51f 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -13,3 +13,12 @@ random-strengthen-input-validation-for-rndaddtoentcnt.patch scsi-remove-scsi_end_request.patch scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch ib-security-restrict-use-of-the-write-interface.patch +block-fix-use-after-free-in-seq-file.patch +sysv-ipc-fix-security-layer-leaking.patch +fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch +crypto-gcm-filter-out-async-ghash-if-necessary.patch +crypto-scatterwalk-fix-test-in-scatterwalk_done.patch +ext4-check-for-extents-that-wrap-around.patch +ext4-fix-deadlock-during-page-writeback.patch +ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch +ext4-short-cut-orphan-cleanup-on-error.patch diff --git a/queue-3.14/sysv-ipc-fix-security-layer-leaking.patch b/queue-3.14/sysv-ipc-fix-security-layer-leaking.patch new file mode 100644 index 00000000000..74d71efa076 --- /dev/null +++ b/queue-3.14/sysv-ipc-fix-security-layer-leaking.patch @@ -0,0 +1,112 @@ +From 9b24fef9f0410fb5364245d6cc2bd044cc064007 Mon Sep 17 00:00:00 2001 +From: Fabian Frederick +Date: Tue, 2 Aug 2016 14:03:07 -0700 +Subject: sysv, ipc: fix security-layer leaking + +From: Fabian Frederick + +commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream. + +Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref() +to receive rcu freeing function but used generic ipc_rcu_free() instead +of msg_rcu_free() which does security cleaning. + +Running LTP msgsnd06 with kmemleak gives the following: + + cat /sys/kernel/debug/kmemleak + + unreferenced object 0xffff88003c0a11f8 (size 8): + comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s) + hex dump (first 8 bytes): + 1b 00 00 00 01 00 00 00 ........ + backtrace: + kmemleak_alloc+0x23/0x40 + kmem_cache_alloc_trace+0xe1/0x180 + selinux_msg_queue_alloc_security+0x3f/0xd0 + security_msg_queue_alloc+0x2e/0x40 + newque+0x4e/0x150 + ipcget+0x159/0x1b0 + SyS_msgget+0x39/0x40 + entry_SYSCALL_64_fastpath+0x13/0x8f + +Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to +only use ipc_rcu_free in case of security allocation failure in newary() + +Fixes: 53dad6d3a8e ("ipc: fix race with LSMs") +Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be +Signed-off-by: Fabian Frederick +Cc: Davidlohr Bueso +Cc: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/msg.c | 2 +- + ipc/sem.c | 12 ++++++------ + 2 files changed, 7 insertions(+), 7 deletions(-) + +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -745,7 +745,7 @@ long do_msgsnd(int msqid, long mtype, vo + rcu_read_lock(); + ipc_lock_object(&msq->q_perm); + +- ipc_rcu_putref(msq, ipc_rcu_free); ++ ipc_rcu_putref(msq, msg_rcu_free); + /* raced with RMID? */ + if (!ipc_valid_object(&msq->q_perm)) { + err = -EIDRM; +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -441,7 +441,7 @@ static inline struct sem_array *sem_obta + static inline void sem_lock_and_putref(struct sem_array *sma) + { + sem_lock(sma, NULL, -1); +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + } + + static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) +@@ -1371,7 +1371,7 @@ static int semctl_main(struct ipc_namesp + rcu_read_unlock(); + sem_io = ipc_alloc(sizeof(ushort)*nsems); + if (sem_io == NULL) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + return -ENOMEM; + } + +@@ -1405,20 +1405,20 @@ static int semctl_main(struct ipc_namesp + if (nsems > SEMMSL_FAST) { + sem_io = ipc_alloc(sizeof(ushort)*nsems); + if (sem_io == NULL) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + return -ENOMEM; + } + } + + if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + err = -EFAULT; + goto out_free; + } + + for (i = 0; i < nsems; i++) { + if (sem_io[i] > SEMVMX) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + err = -ERANGE; + goto out_free; + } +@@ -1708,7 +1708,7 @@ static struct sem_undo *find_alloc_undo( + /* step 2: allocate new undo structure */ + new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL); + if (!new) { +- ipc_rcu_putref(sma, ipc_rcu_free); ++ ipc_rcu_putref(sma, sem_rcu_free); + return ERR_PTR(-ENOMEM); + } +