--- /dev/null
+From 203f45003a3d03eea8fa28d74cfc74c354416fdb Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Tue, 19 Dec 2017 19:09:07 +0100
+Subject: crypto: n2 - cure use after free
+
+From: Jan Engelhardt <jengelh@inai.de>
+
+commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream.
+
+queue_cache_init is first called for the Control Word Queue
+(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
+kmem_cache will be allocated. If the subsequent n2_register_algs call
+fails, the kmem_cache will be released in queue_cache_destroy, but
+queue_cache_init[0] is not set back to NULL.
+
+So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
+queue_cache_init will not allocate a kmem_cache again, but leave it
+as its bogus value, causing a BUG() to trigger when queue_cache[0] is
+eventually passed to kmem_cache_zalloc:
+
+ n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
+ n2_crypto: Registered NCS HVAPI version 2.0
+ called queue_cache_init
+ n2_crypto: md5 alg registration failed
+ n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
+ called queue_cache_destroy
+ n2cp: probe of f028687c failed with error -22
+ n2_crypto: Found NCP at /virtual-devices@100/ncp@6
+ n2_crypto: Registered NCS HVAPI version 2.0
+ called queue_cache_init
+ kernel BUG at mm/slab.c:2993!
+ Call Trace:
+ [0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
+ (inlined) kmem_cache_zalloc
+ (inlined) new_queue
+ (inlined) spu_queue_setup
+ (inlined) handle_exec_unit
+ [0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
+ [0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
+ [000000000084b174] platform_drv_probe+0x34/0xc0
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/n2_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/crypto/n2_core.c
++++ b/drivers/crypto/n2_core.c
+@@ -1641,6 +1641,7 @@ static int queue_cache_init(void)
+ CWQ_ENTRY_SIZE, 0, NULL);
+ if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
+ kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
+ return -ENOMEM;
+ }
+ return 0;
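Review bot: In the CWQ allocation failure branch of queue_cache_init(), the added reset of queue_cache[HV_NCS_QTYPE_MAU - 1] carries no comment, although the fix depends entirely on NULL being the "not yet allocated" marker the commit message describes. A one-line comment saying that a stale pointer here makes the next queue_cache_init() skip allocation would keep a later cleanup from dropping the assignment. The same destroy-then-clear pair recurs in queue_cache_destroy(), so a small helper that does both would stop the two sites from drifting apart.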
+@@ -1650,6 +1651,8 @@ static void queue_cache_destroy(void)
+ {
+ kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
+ kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
++ queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
+ }
+
+ static int spu_queue_register(struct spu_queue *p, unsigned long q_type)
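Review bot: In queue_cache_destroy(), both kmem_cache_destroy() calls run before either slot is cleared, so the array briefly holds two freed pointers. Clearing each slot directly after its own destroy call would match the order used in the queue_cache_init() error path and make the pairing obvious. Nothing visible in this hunk shows what serializes this function against a queue_cache_init() call from the other probe path, so a comment naming the lock or ordering the callers rely on would help the next reader.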
--- /dev/null
+From 98801506552593c9b8ac11021b0cdad12cab4f6b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 2 Jan 2018 10:02:19 +0000
+Subject: fscache: Fix the default for fscache_maybe_release_page()
+
+From: David Howells <dhowells@redhat.com>
+
+commit 98801506552593c9b8ac11021b0cdad12cab4f6b upstream.
+
+Fix the default for fscache_maybe_release_page() for when the cookie isn't
+valid or the page isn't cached. It mustn't return false as that indicates
+the page cannot yet be freed.
+
+The problem with the default is that if, say, there's no cache, but a
+network filesystem's pages are using up almost all the available memory, a
+system can OOM because the filesystem ->releasepage() op will not allow
+them to be released as fscache_maybe_release_page() incorrectly prevents
+it.
+
+This can be tested by writing a sequence of 512MiB files to an AFS mount.
+It does not affect NFS or CIFS because both of those wrap the call in a
+check of PG_fscache and it shouldn't bother Ceph as that only has
+PG_private set whilst writeback is in progress. This might be an issue for
+9P, however.
+
+Note that the pages aren't entirely stuck. Removing a file or unmounting
+will clear things because that uses ->invalidatepage() instead.
+
+Fixes: 201a15428bd5 ("FS-Cache: Handle pages pending storage that get evicted under OOM conditions")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Tested-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/fscache.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/fscache.h
++++ b/include/linux/fscache.h
+@@ -764,7 +764,7 @@ bool fscache_maybe_release_page(struct f
+ {
+ if (fscache_cookie_valid(cookie) && PageFsCache(page))
+ return __fscache_maybe_release_page(cookie, page, gfp);
+- return false;
++ return true;
+ }
+
+ /**
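Review bot: The changed default in fscache_maybe_release_page() (return true when the cookie is invalid or the page is not cached) has no comment, and the original bug shows how easily the meaning of this boolean gets inverted. A short comment above the final return, stating that true means the page may be released and that false is reserved for pages the cache still holds, would document the contract where it is enforced. The commit message flags 9P as possibly affected and says NFS and CIFS are protected only by their own PG_fscache check, so it is worth confirming that each caller treats the return value the same way.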
--- /dev/null
+From 4d9570158b6260f449e317a5f9ed030c2504a615 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Thu, 4 Jan 2018 16:17:49 -0800
+Subject: kernel/acct.c: fix the acct->needcheck check in check_free_space()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 4d9570158b6260f449e317a5f9ed030c2504a615 upstream.
+
+As Tsukada explains, the time_is_before_jiffies(acct->needcheck) check
+is very wrong, we need time_is_after_jiffies() to make sys_acct() work.
+
+Ignoring the overflows, the code should "goto out" if needcheck >
+jiffies, while currently it checks "needcheck < jiffies" and thus in the
+likely case check_free_space() does nothing until jiffies overflow.
+
+In particular this means that sys_acct() is simply broken, acct_on()
+sets acct->needcheck = jiffies and expects that check_free_space()
+should set acct->active = 1 after the free-space check, but this won't
+happen if jiffies increments in between.
+
+This was broken by commit 32dc73086015 ("get rid of timer in
+kern/acct.c") in 2011, then another (correct) commit 795a2f22a8ea
+("acct() should honour the limits from the very beginning") made the
+problem more visible.
+
+Link: http://lkml.kernel.org/r/20171213133940.GA6554@redhat.com
+Fixes: 32dc73086015 ("get rid of timer in kern/acct.c")
+Reported-by: TSUKADA Koutaro <tsukada@ascade.co.jp>
+Suggested-by: TSUKADA Koutaro <tsukada@ascade.co.jp>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/acct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -96,7 +96,7 @@ static int check_free_space(struct bsd_a
+ {
+ struct kstatfs sbuf;
+
+- if (time_is_before_jiffies(acct->needcheck))
++ if (time_is_after_jiffies(acct->needcheck))
+ goto out;
+
+ /* May block */
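Review bot: The early exit in check_free_space() now reads "if (time_is_after_jiffies(acct->needcheck)) goto out;", and the direction of this test was wrong for years, so it deserves a comment spelling out the intent: skip the free-space check while needcheck is still in the future. The comment should also cover the boundary case the commit message relies on, where acct_on() sets needcheck = jiffies. With the strict "after" comparison, needcheck equal to jiffies does not take the goto, so the first check runs and acct->active can be set.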
--- /dev/null
+kernel-acct.c-fix-the-acct-needcheck-check-in-check_free_space.patch
+crypto-n2-cure-use-after-free.patch
+fscache-fix-the-default-for-fscache_maybe_release_page.patch