From ccd382b9997b27147ff1407f2bca46c74ccb29b5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 1 Sep 2018 14:35:36 -0700
Subject: [PATCH] 3.18-stable patches

added patches:
fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
x86-process-re-export-start_thread.patch

---
 ...d-unlock_page-to-fuse_readpages_fill.patch | 31 +++++++++++++
 ...ccess-pipe-buffers-without-pipe_lock.patch | 45 +++++++++++++++++++
 queue-3.18/series | 3 ++
 .../x86-process-re-export-start_thread.patch | 42 +++++++++++++++++
 4 files changed, 121 insertions(+)
 create mode 100644 queue-3.18/fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
 create mode 100644 queue-3.18/fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
 create mode 100644 queue-3.18/x86-process-re-export-start_thread.patch

diff --git a/queue-3.18/fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch b/queue-3.18/fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
new file mode 100644
index 00000000000..c2aa28536cf
--- /dev/null
+++ b/queue-3.18/fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
@@ -0,0 +1,31 @@
+From 109728ccc5933151c68d1106e4065478a487a323 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Thu, 19 Jul 2018 15:49:39 +0300
+Subject: fuse: Add missed unlock_page() to fuse_readpages_fill()
+
+From: Kirill Tkhai
+
+commit 109728ccc5933151c68d1106e4065478a487a323 upstream.
+
+The above error path returns with page unlocked, so this place seems also
+to behave the same.
+
+Fixes: f8dbdf81821b ("fuse: rework fuse_readpages()")
+Signed-off-by: Kirill Tkhai
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -910,6 +910,7 @@ static int fuse_readpages_fill(void *_da
+ }
+ 
+ if (WARN_ON(req->num_pages >= req->max_pages)) {
++ unlock_page(page);
+ fuse_put_request(fc, req);
+ return -EIO;
+ }
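Review bot: The added `unlock_page(page)` restores the rule that every error return of fuse_readpages_fill() leaves the page unlocked, but nothing in the code states that rule, so the next error path added to this function is as likely to miss it as this one did. A one-line comment on the branch, `/* every error return must hand the page back unlocked, like the error path above */`, would make the contract visible where it is easiest to break. fuse_readpages_fill() begins and ends outside this hunk, so its other return paths cannot be checked from here; the backport carries the same context lines as the upstream commit, so it presumably applies to 3.18 unchanged.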
diff --git a/queue-3.18/fuse-don-t-access-pipe-buffers-without-pipe_lock.patch b/queue-3.18/fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
new file mode 100644
index 00000000000..55c635197f1
--- /dev/null
+++ b/queue-3.18/fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
@@ -0,0 +1,45 @@
+From a2477b0e67c52f4364a47c3ad70902bc2a61bd4c Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Tue, 17 Jul 2018 19:00:33 +0300
+Subject: fuse: Don't access pipe->buffers without pipe_lock()
+
+From: Andrey Ryabinin
+
+commit a2477b0e67c52f4364a47c3ad70902bc2a61bd4c upstream.
+
+fuse_dev_splice_write() reads pipe->buffers to determine the size of
+'bufs' array before taking the pipe_lock(). This is not safe as
+another thread might change the 'pipe->buffers' between the allocation
+and taking the pipe_lock(). So we end up with too small 'bufs' array.
+
+Move the bufs allocations inside pipe_lock()/pipe_unlock() to fix this.
+
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Signed-off-by: Andrey Ryabinin
+Cc: # v2.6.35
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1913,11 +1913,14 @@ static ssize_t fuse_dev_splice_write(str
+ if (!fc)
+ return -EPERM;
+ 
++ pipe_lock(pipe);
++
+ bufs = kmalloc(pipe->buffers * sizeof(struct pipe_buffer), GFP_KERNEL);
+- if (!bufs)
++ if (!bufs) {
++ pipe_unlock(pipe);
+ return -ENOMEM;
++ }
+ 
+- pipe_lock(pipe);
+ nbuf = 0;
+ rem = 0;
+ for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)
diff --git a/queue-3.18/series b/queue-3.18/series
index ae2a57dc2f3..6432e1a4685 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
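Review bot: Reading pipe->buffers under pipe_lock() closes the size race, but the allocation size on the `bufs = kmalloc(...)` line is still an unchecked multiplication, `pipe->buffers * sizeof(struct pipe_buffer)`; the array form does the overflow check for free, `bufs = kmalloc_array(pipe->buffers, sizeof(struct pipe_buffer), GFP_KERNEL);`, and kmalloc_array() exists in 3.18. pipe->buffers is normally bounded by the pipe-max-size sysctl, which is presumably why the upstream fix kept the plain kmalloc(), so this is a hardening idiom rather than a known overflow. Moving pipe_lock() ahead of the allocation also means every later early return in the function must now drop the lock; the hunk shows only the -ENOMEM path doing so, and the rest of fuse_dev_splice_write() lies outside the hunk.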
@@ -39,3 +39,6 @@ ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
 arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
 kvm-arm-arm64-skip-updating-pte-entry-if-no-change.patch
 kvm-arm-arm64-skip-updating-pmd-entry-if-no-change.patch
+x86-process-re-export-start_thread.patch
+fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
+fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
diff --git a/queue-3.18/x86-process-re-export-start_thread.patch b/queue-3.18/x86-process-re-export-start_thread.patch
new file mode 100644
index 00000000000..e0f5c5924e7
--- /dev/null
+++ b/queue-3.18/x86-process-re-export-start_thread.patch
@@ -0,0 +1,42 @@
+From dc76803e57cc86589c4efcb5362918f9b0c0436f Mon Sep 17 00:00:00 2001
+From: Rian Hunter
+Date: Sun, 19 Aug 2018 16:08:53 -0700
+Subject: x86/process: Re-export start_thread()
+
+From: Rian Hunter
+
+commit dc76803e57cc86589c4efcb5362918f9b0c0436f upstream.
+
+The consolidation of the start_thread() functions removed the export
+unintentionally. This breaks binfmt handlers built as a module.
+
+Add it back.
+
+Fixes: e634d8fc792c ("x86-64: merge the standard and compat start_thread() functions")
+Signed-off-by: Rian Hunter
+Signed-off-by: Thomas Gleixner
+Cc: "H. Peter Anvin"
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Vitaly Kuznetsov
+Cc: Joerg Roedel
+Cc: Dmitry Safonov
+Cc: Josh Poimboeuf
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180819230854.7275-1-rian@alum.mit.edu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/process_64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -438,6 +438,7 @@ __switch_to(struct task_struct *prev_p,
+ 
+ return prev_p;
+ }
++EXPORT_SYMBOL_GPL(start_thread);
+ 
+ void set_personality_64bit(void)
+ {
-- 
2.47.3
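Review bot: The added `EXPORT_SYMBOL_GPL(start_thread);` sits after the closing brace of __switch_to(), as the hunk context shows, rather than directly after the definition of start_thread(), which is where kernel convention places an export and where a reader of process_64.c will look for it. The placement is functionally fine, since an EXPORT_SYMBOL only needs the symbol declared earlier in the file, and the 3.18 layout presumably forced the different anchor for the backport. If the export cannot be moved next to start_thread(), a comment beside it, `/* start_thread() is defined above; re-exported for binfmt handlers built as modules */`, would explain the odd location and why the symbol is exported at all. start_thread() itself is outside this hunk, so whether it is static or otherwise visible in 3.18 cannot be confirmed from here.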