From 5ffbe1476e5b2b3f43487e73b52dea0338f31471 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 22 Apr 2018 11:49:01 +0200
Subject: [PATCH] 3.18-stable patches

added patches:
autofs-mount-point-create-should-honour-passed-in-mode.patch
don-t-leak-mnt_internal-away-from-internal-mounts.patch
hypfs_kill_super-deal-with-failed-allocations.patch
jffs2_kill_sb-deal-with-failed-allocations.patch
rpc_pipefs-fix-double-dput.patch
---
 ...-create-should-honour-passed-in-mode.patch | 40 +++++++++++++++++++
 ...t_internal-away-from-internal-mounts.patch | 37 +++++++++++++++++
 ...l_super-deal-with-failed-allocations.patch | 31 ++++++++++++++
 ...kill_sb-deal-with-failed-allocations.patch | 31 ++++++++++++++
 queue-3.18/rpc_pipefs-fix-double-dput.patch | 31 ++++++++++++++
 queue-3.18/series | 5 +++
 6 files changed, 175 insertions(+)
 create mode 100644 queue-3.18/autofs-mount-point-create-should-honour-passed-in-mode.patch
 create mode 100644 queue-3.18/don-t-leak-mnt_internal-away-from-internal-mounts.patch
 create mode 100644 queue-3.18/hypfs_kill_super-deal-with-failed-allocations.patch
 create mode 100644 queue-3.18/jffs2_kill_sb-deal-with-failed-allocations.patch
 create mode 100644 queue-3.18/rpc_pipefs-fix-double-dput.patch
diff --git a/queue-3.18/autofs-mount-point-create-should-honour-passed-in-mode.patch b/queue-3.18/autofs-mount-point-create-should-honour-passed-in-mode.patch
new file mode 100644
index 00000000000..58a88f142e7
--- /dev/null
+++ b/queue-3.18/autofs-mount-point-create-should-honour-passed-in-mode.patch
@@ -0,0 +1,40 @@
+From 1e6306652ba18723015d1b4967fe9de55f042499 Mon Sep 17 00:00:00 2001
+From: Ian Kent
+Date: Fri, 20 Apr 2018 14:55:59 -0700
+Subject: autofs: mount point create should honour passed in mode
+
+From: Ian Kent
+
+commit 1e6306652ba18723015d1b4967fe9de55f042499 upstream.
+
+The autofs file system mkdir inode operation blindly sets the created
+directory mode to S_IFDIR | 0555, ingoring the passed in mode, which can
+cause selinux dac_override denials.
+
+But the function also checks if the caller is the daemon (as no-one else
+should be able to do anything here) so there's no point in not honouring
+the passed in mode, allowing the daemon to set appropriate mode when
+required.
+
+Link: http://lkml.kernel.org/r/152361593601.8051.14014139124905996173.stgit@pluto.themaw.net
+Signed-off-by: Ian Kent
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/autofs4/root.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/autofs4/root.c
++++ b/fs/autofs4/root.c
+@@ -753,7 +753,7 @@ static int autofs4_dir_mkdir(struct inod
+
+ autofs4_del_active(dentry);
+
+- inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555);
++ inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);
+ if (!inode)
+ return -ENOMEM;
+ d_add(dentry, inode);
diff --git a/queue-3.18/don-t-leak-mnt_internal-away-from-internal-mounts.patch b/queue-3.18/don-t-leak-mnt_internal-away-from-internal-mounts.patch
new file mode 100644
index 00000000000..a26afb37b74
--- /dev/null
+++ b/queue-3.18/don-t-leak-mnt_internal-away-from-internal-mounts.patch
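Review bot: The new line `inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);` now honours the caller-supplied `mode` entirely, and nothing in the hunk shows what bounds it; the daemon-only check the commit message relies on sits above the hunk, as does the start of autofs4_dir_mkdir(). A one-line comment would keep that dependency visible to the next reader, e.g. `/* only the autofs daemon gets this far (checked above), so its requested mode is honoured */`. As far as I can tell `mode` arrives from the VFS mkdir path, which normally reduces it to permission bits before the filesystem sees it, so the OR with S_IFDIR should not be able to alter the file type, but that is worth confirming against the 3.18 vfs_mkdir() when taking this backport.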
@@ -0,0 +1,37 @@
+From 16a34adb9392b2fe4195267475ab5b472e55292c Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Thu, 19 Apr 2018 22:03:08 -0400
+Subject: Don't leak MNT_INTERNAL away from internal mounts
+
+From: Al Viro
+
+commit 16a34adb9392b2fe4195267475ab5b472e55292c upstream.
+
+We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for
+their copies. As it is, creating a deep stack of bindings of /proc/*/ns/*
+somewhere in a new namespace and exiting yields a stack overflow.
+
+Cc: stable@kernel.org
+Reported-by: Alexander Aring
+Bisected-by: Kirill Tkhai
+Tested-by: Kirill Tkhai
+Tested-by: Alexander Aring
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namespace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -944,7 +944,8 @@ static struct mount *clone_mnt(struct mo
+ goto out_free;
+ }
+
+- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
++ mnt->mnt.mnt_flags = old->mnt.mnt_flags;
++ mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
+ /* Don't allow unprivileged users to change mount flags */
+ if (flag & CL_UNPRIVILEGED) {
+ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
diff --git a/queue-3.18/hypfs_kill_super-deal-with-failed-allocations.patch b/queue-3.18/hypfs_kill_super-deal-with-failed-allocations.patch
new file mode 100644
index 00000000000..e0b7d8c8001
--- /dev/null
+++ b/queue-3.18/hypfs_kill_super-deal-with-failed-allocations.patch
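Review bot: The two new lines clear MNT_INTERNAL from every clone without recording why, and the reason given in the commit message (a stack overflow from a deep stack of bindings of /proc/*/ns/* in a new namespace) is not something a later reader can recover from the code. A short comment above `mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);` would preserve it, e.g. `/* MNT_INTERNAL belongs only to the original kernel-internal mount, never to copies of it */`. clone_mnt() starts and ends outside the hunk.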
@@ -0,0 +1,31 @@
+From a24cd490739586a7d2da3549a1844e1d7c4f4fc4 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Mon, 2 Apr 2018 23:50:31 -0400
+Subject: hypfs_kill_super(): deal with failed allocations
+
+From: Al Viro
+
+commit a24cd490739586a7d2da3549a1844e1d7c4f4fc4 upstream.
+
+hypfs_fill_super() might fail to allocate sbi; hypfs_kill_super()
+should not oops on that.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/hypfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/hypfs/inode.c
++++ b/arch/s390/hypfs/inode.c
+@@ -326,7 +326,7 @@ static void hypfs_kill_super(struct supe
+
+ if (sb->s_root)
+ hypfs_delete_tree(sb->s_root);
+- if (sb_info->update_file)
++ if (sb_info && sb_info->update_file)
+ hypfs_remove(sb_info->update_file);
+ kfree(sb->s_fs_info);
+ sb->s_fs_info = NULL;
diff --git a/queue-3.18/jffs2_kill_sb-deal-with-failed-allocations.patch b/queue-3.18/jffs2_kill_sb-deal-with-failed-allocations.patch
new file mode 100644
index 00000000000..9fdb42400f8
--- /dev/null
+++ b/queue-3.18/jffs2_kill_sb-deal-with-failed-allocations.patch
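Review bot: `if (sb_info && sb_info->update_file)` now tolerates a NULL sb_info, but nothing near it records when that can happen, so the next reader may take the extra test for dead code and drop it. A comment such as `/* sb_info is NULL if hypfs_fill_super() failed before allocating it */` would anchor it; the same applies to the `c &&` guard added in jffs2_kill_sb() by the jffs2 patch that follows, where `/* c is NULL if jffs2_fill_super() failed before allocating it */` would do. The `kfree(sb->s_fs_info)` below is fine with NULL. hypfs_kill_super() starts outside the hunk, so where sb_info is assigned is not visible here.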
@@ -0,0 +1,31 @@
+From c66b23c2840446a82c389e4cb1a12eb2a71fa2e4 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Mon, 2 Apr 2018 23:56:44 -0400
+Subject: jffs2_kill_sb(): deal with failed allocations
+
+From: Al Viro
+
+commit c66b23c2840446a82c389e4cb1a12eb2a71fa2e4 upstream.
+
+jffs2_fill_super() might fail to allocate jffs2_sb_info;
+jffs2_kill_sb() must survive that.
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jffs2/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jffs2/super.c
++++ b/fs/jffs2/super.c
+@@ -345,7 +345,7 @@ static void jffs2_put_super (struct supe
+ static void jffs2_kill_sb(struct super_block *sb)
+ {
+ struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
+- if (!(sb->s_flags & MS_RDONLY))
++ if (c && !(sb->s_flags & MS_RDONLY))
+ jffs2_stop_garbage_collect_thread(c);
+ kill_mtd_super(sb);
+ kfree(c);
diff --git a/queue-3.18/rpc_pipefs-fix-double-dput.patch b/queue-3.18/rpc_pipefs-fix-double-dput.patch
new file mode 100644
index 00000000000..34820007607
--- /dev/null
+++ b/queue-3.18/rpc_pipefs-fix-double-dput.patch
@@ -0,0 +1,31 @@
+From 4a3877c4cedd95543f8726b0a98743ed8db0c0fb Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Tue, 3 Apr 2018 01:15:46 -0400
+Subject: rpc_pipefs: fix double-dput()
+
+From: Al Viro
+
+commit 4a3877c4cedd95543f8726b0a98743ed8db0c0fb upstream.
+
+if we ever hit rpc_gssd_dummy_depopulate() dentry passed to
+it has refcount equal to 1. __rpc_rmpipe() drops it and
+dput() done after that hits an already freed dentry.
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/rpc_pipe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -1375,6 +1375,7 @@ rpc_gssd_dummy_depopulate(struct dentry
+ struct dentry *clnt_dir = pipe_dentry->d_parent;
+ struct dentry *gssd_dir = clnt_dir->d_parent;
+
++ dget(pipe_dentry);
+ __rpc_rmpipe(clnt_dir->d_inode, pipe_dentry);
+ __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1);
+ __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1);
diff --git a/queue-3.18/series b/queue-3.18/series
index 18a7cce207e..3856b262212 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -44,3 +44,8 @@ mips-memset.s-eva-fault-support-for-small_memset.patch
 mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
 mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
 powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
+jffs2_kill_sb-deal-with-failed-allocations.patch
+hypfs_kill_super-deal-with-failed-allocations.patch
+rpc_pipefs-fix-double-dput.patch
+don-t-leak-mnt_internal-away-from-internal-mounts.patch
+autofs-mount-point-create-should-honour-passed-in-mode.patch
-- 
2.47.3
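Review bot: The added `dget(pipe_dentry);` takes an extra reference solely to survive the drop inside `__rpc_rmpipe()`, which is not apparent at the call site, and the matching dput() the commit message describes lies past the end of the hunk. A comment would make the pairing explicit and stop someone from removing the seemingly unbalanced dget() later, e.g. `/* __rpc_rmpipe() consumes a reference; keep ours for the dput() below */`. rpc_gssd_dummy_depopulate() continues outside the hunk.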