From 30ef512e6b083b6180a2502b5c2734f6bc2e997b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 27 Jun 2014 17:45:35 -0700
Subject: [PATCH] 3.10-stable patches

added patches:
      aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch
      aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch

---
 ...-when-events-are-reaped-by-userspace.patch | 55 +++++++++++++++++++
 ...-in-io_getevents-introduced-in-v3.10.patch | 42 ++++++++++++++
 queue-3.10/series                             |  2 +
 3 files changed, 99 insertions(+)
 create mode 100644 queue-3.10/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch
 create mode 100644 queue-3.10/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch

diff --git a/queue-3.10/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch b/queue-3.10/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch
new file mode 100644
index 00000000000..e2bca97537f
--- /dev/null
+++ b/queue-3.10/aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch
@@ -0,0 +1,55 @@
+From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise
+Date: Tue, 24 Jun 2014 13:12:55 -0400
+Subject: aio: fix aio request leak when events are reaped by userspace
+
+From: Benjamin LaHaise
+
+commit f8567a3845ac05bb28f3c1b478ef752762bd39ef upstream.
+
+The aio cleanups and optimizations by kmo that were merged into the 3.10
+tree added a regression for userspace event reaping. Specifically, the
+reference counts are not decremented if the event is reaped in userspace,
+leading to the application being unable to submit further aio requests.
+This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
+This issue was uncovered as part of CVE-2014-0206.
+
+[jmoyer@redhat.com: backported to 3.10]
+Signed-off-by: Benjamin LaHaise
+Signed-off-by: Jeff Moyer
+Cc: Kent Overstreet
+Cc: Mateusz Guzik
+Cc: Petr Matousek
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/aio.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -310,7 +310,6 @@ static void free_ioctx(struct kioctx *ct
+ 
+ avail = (head <= ctx->tail ? ctx->tail : ctx->nr_events) - head;
+ 
+- atomic_sub(avail, &ctx->reqs_active);
+ head += avail;
+ head %= ctx->nr_events;
+ }
+@@ -678,6 +677,7 @@ void aio_complete(struct kiocb *iocb, lo
+ put_rq:
+ /* everything turned out well, dispose of the aiocb. */
+ aio_put_req(iocb);
++ atomic_dec(&ctx->reqs_active);
+ 
+ /*
+ * We have to order our ring_info tail store above and test
+@@ -755,8 +755,6 @@ static long aio_read_events_ring(struct
+ flush_dcache_page(ctx->ring_pages[0]);
+ 
+ pr_debug("%li h%u t%u\n", ret, head, ctx->tail);
+-
+- atomic_sub(ret, &ctx->reqs_active);
+ out:
+ mutex_unlock(&ctx->ring_lock);
+ 
diff --git a/queue-3.10/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch b/queue-3.10/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch
new file mode 100644
index 00000000000..e3508d1db5e
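Review bot: The new `atomic_dec(&ctx->reqs_active)` in aio_complete (second hunk of the embedded fs/aio.c patch) is placed directly after `aio_put_req(iocb)`, which may drop the last reference to the iocb, so the added line is only safe because it dereferences `ctx` rather than `iocb`; that in turn relies on `ctx` having been loaded from the iocb earlier in the function, which is outside the hunk. With the `atomic_sub` calls in free_ioctx and aio_read_events_ring removed (first and third hunks), reqs_active now tracks requests that have not completed rather than events not yet reaped, and the head/avail arithmetic left in free_ioctx no longer touches the counter as far as this hunk shows. A one-line comment at that spot, such as `/* reqs_active is now released in aio_complete(); the walk below no longer changes it */`, would save the next backporter from re-deriving why the loop still advances head. free_ioctx, aio_complete and aio_read_events_ring all start and end outside these hunks.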
--- /dev/null
+++ b/queue-3.10/aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch
@@ -0,0 +1,42 @@
+From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise
+Date: Tue, 24 Jun 2014 13:32:51 -0400
+Subject: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
+
+From: Benjamin LaHaise
+
+commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream.
+
+A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
+by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
+aio_read_events_ring() failed to correctly limit the index into
+ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
+an arbitrary page with a copy_to_user() to copy the contents into userspace.
+This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
+Petr for disclosing this issue.
+
+This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
+
+[jmoyer@redhat.com: backported to 3.10]
+Signed-off-by: Benjamin LaHaise
+Signed-off-by: Jeff Moyer
+Cc: Mateusz Guzik
+Cc: Petr Matousek
+Cc: Kent Overstreet
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/aio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -717,6 +717,8 @@ static long aio_read_events_ring(struct
+ if (head == ctx->tail)
+ goto out;
+ 
++ head %= ctx->nr_events;
++
+ while (ret < nr) {
+ long avail;
+ struct io_event *ev;
diff --git a/queue-3.10/series b/queue-3.10/series
index a6d3877defc..dabd57af7ac 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
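Review bot: The new `head %= ctx->nr_events;` in aio_read_events_ring is applied after the `if (head == ctx->tail) goto out;` test, so the early-exit comparison still runs on the raw head value that the commit message says an attacker can influence; a head that differs from ctx->tail only by a multiple of nr_events passes the test and then enters the loop with head equal to ctx->tail. Placing the reduction first, `head %= ctx->nr_events;` followed by `if (head == ctx->tail) goto out;`, keeps the bound the patch introduces and makes the exit test operate on the canonical index. Whether the loop body tolerates the head == tail case depends on the avail computation below the hunk, which is not visible here, and the modulo presumably relies on nr_events being non-zero from context setup. aio_read_events_ring starts and ends outside the hunk.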
@@ -57,3 +57,5 @@ target-explicitly-clear-ramdisk_mcp-backend-pages.patch
 x86-32-espfix-remove-filter-for-espfix32-due-to-race.patch
 x86-x32-use-compat-shims-for-io_-setup-submit.patch
 genirq-sanitize-spurious-interrupt-detection-of-threaded-irqs.patch
+aio-fix-aio-request-leak-when-events-are-reaped-by-userspace.patch
+aio-fix-kernel-memory-disclosure-in-io_getevents-introduced-in-v3.10.patch
-- 
2.47.3