From e2be1a2472e4497a689c1b1f55654199eca8728d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 17 Apr 2015 14:39:23 +0200
Subject: [PATCH] 3.10-stable patches

added patches:
cifs-fix-use-after-free-bug-in-find_writable_file.patch
---
 ...after-free-bug-in-find_writable_file.patch | 79 +++++++++++++++++++
 queue-3.10/series | 1 +
 2 files changed, 80 insertions(+)
 create mode 100644 queue-3.10/cifs-fix-use-after-free-bug-in-find_writable_file.patch

diff --git a/queue-3.10/cifs-fix-use-after-free-bug-in-find_writable_file.patch b/queue-3.10/cifs-fix-use-after-free-bug-in-find_writable_file.patch
new file mode 100644
index 00000000000..4f9d7ccc746
--- /dev/null
+++ b/queue-3.10/cifs-fix-use-after-free-bug-in-find_writable_file.patch
@@ -0,0 +1,79 @@
+From e1e9bda22d7ddf88515e8fe401887e313922823e Mon Sep 17 00:00:00 2001
+From: David Disseldorp
+Date: Fri, 13 Mar 2015 14:20:29 +0100
+Subject: cifs: fix use-after-free bug in find_writable_file
+
+From: David Disseldorp
+
+commit e1e9bda22d7ddf88515e8fe401887e313922823e upstream.
+
+Under intermittent network outages, find_writable_file() is susceptible
+to the following race condition, which results in a user-after-free in
+the cifs_writepages code-path:
+
+Thread 1 Thread 2
+======== ========
+
+inv_file = NULL
+refind = 0
+spin_lock(&cifs_file_list_lock)
+
+// invalidHandle found on openFileList
+
+inv_file = open_file
+// inv_file->count currently 1
+
+cifsFileInfo_get(inv_file)
+// inv_file->count = 2
+
+spin_unlock(&cifs_file_list_lock);
+
+cifs_reopen_file() cifs_close()
+// fails (rc != 0) ->cifsFileInfo_put()
+ spin_lock(&cifs_file_list_lock)
+ // inv_file->count = 1
+ spin_unlock(&cifs_file_list_lock)
+
+spin_lock(&cifs_file_list_lock);
+list_move_tail(&inv_file->flist,
+ &cifs_inode->openFileList);
+spin_unlock(&cifs_file_list_lock);
+
+cifsFileInfo_put(inv_file);
+->spin_lock(&cifs_file_list_lock)
+
+ // inv_file->count = 0
+ list_del(&cifs_file->flist);
+ // cleanup!!
+ kfree(cifs_file);
+
+ spin_unlock(&cifs_file_list_lock);
+
+spin_lock(&cifs_file_list_lock);
+++refind;
+// refind = 1
+goto refind_writable;
+
+At this point we loop back through with an invalid inv_file pointer
+and a refind value of 1. On second pass, inv_file is not overwritten on
+openFileList traversal, and is subsequently dereferenced.
+
+Signed-off-by: David Disseldorp
+Reviewed-by: Jeff Layton
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -1789,6 +1789,7 @@ refind_writable:
+ cifsFileInfo_put(inv_file);
+ spin_lock(&cifs_file_list_lock);
+ ++refind;
++ inv_file = NULL;
+ goto refind_writable;
+ }
+ }
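Review bot: The added `inv_file = NULL;` in the embedded fs/cifs/file.c hunk carries no comment, so the reason it is required is only recoverable from the commit message above it. Since the handle was just released with `cifsFileInfo_put(inv_file)` on the preceding line, a one-line comment would keep that invariant visible to whoever next touches the retry path, e.g. `/* handle released above; clear it so the retry never reuses a possibly freed pointer */`. The enclosing find_writable_file() begins and ends outside the hunk, so whether the refind retry is bounded cannot be confirmed from here. As this is a verbatim stable backport of upstream e1e9bda22d7d, such a comment would belong in the upstream tree rather than in the queued patch itself.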
diff --git a/queue-3.10/series b/queue-3.10/series
index 5bcd7e4c77c..8166b344e71 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -19,3 +19,4 @@ iio-imu-use-iio_trigger_get-for-indio_dev-trig-assignment.patch
 dmaengine-omap-dma-fix-memory-leak-when-terminating-running-transfer.patch
 cpuidle-acpi-do-not-overwrite-name-and-description-of-c0.patch
 usb-xhci-apply-xhci_avoid_bei-quirk-to-all-intel-xhci-controllers.patch
+cifs-fix-use-after-free-bug-in-find_writable_file.patch
--
2.47.3