aufs: Update support patches to aufs4.6-20160523

- mmap: Fix use-after-free in remap_file_pages(2)
This commit is contained in:
Ben Hutchings 2016-05-23 00:43:57 +01:00
parent 550ea78195
commit e42a61b7e0
4 changed files with 96 additions and 50 deletions

2
debian/changelog vendored

@ -9,6 +9,8 @@ linux (4.6-1~exp2) UNRELEASED; urgency=medium
* Fold debian/config/README into debian/README.source
* debian/README.source: Rewrite and expand explanation of kernel config file
construction
* aufs: Update support patches to aufs4.6-20160523
- mmap: Fix use-after-free in remap_file_pages(2)
[ Aurelien Jarno ]
* [mips64el] Set CPU to MIPS64 R2.


@ -1,18 +1,18 @@
From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Wed Mar 23 20:35:31 2016 +0900
Subject: aufs4.x-rcN base patch
Origin: https://github.com/sfjro/aufs4-standalone/tree/751023bb49e09b10f7ab4c8742eb4cee234506f4
Date: Sat May 21 13:01:18 2016 +0900
Subject: aufs4.6 base patch
Origin: https://github.com/sfjro/aufs4-standalone/tree/57b92ac80a7564243de7e5c69f77e1616af9808a
Bug-Debian: https://bugs.debian.org/541828
Patch headers added by debian/patches/features/all/aufs4/gen-patch
aufs4.x-rcN base patch
aufs4.6 base patch
diff --git a/MAINTAINERS b/MAINTAINERS
index f17159a..532681a 100644
index 9c567a4..a62aea4 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2120,6 +2120,19 @@ F: include/linux/audit.h
@@ -2128,6 +2128,19 @@ F: include/linux/audit.h
F: include/uapi/linux/audit.h
F: kernel/audit*
@ -33,10 +33,10 @@ index f17159a..532681a 100644
M: Miguel Ojeda Sandonis <miguel.ojeda.sandonis@gmail.com>
W: http://miguelojeda.es/auxdisplay.htm
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 423f4ca..0b816b2 100644
index 80cf8ad..ba9e4a7 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -706,6 +706,24 @@ static inline int is_loop_device(struct file *file)
@@ -712,6 +712,24 @@ static inline int is_loop_device(struct file *file)
return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
}
@ -62,7 +62,7 @@ index 423f4ca..0b816b2 100644
static ssize_t loop_attr_show(struct device *dev, char *page,
diff --git a/fs/dcache.c b/fs/dcache.c
index 32ceae3..bc599d0 100644
index d5ecc6e..4de75b2 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1156,7 +1156,7 @@ enum d_walk_ret {
@ -130,7 +130,7 @@ index cf377cf..0ebcdc5 100644
{
mm_segment_t old_fs;
diff --git a/fs/splice.c b/fs/splice.c
index 9947b5c..9037c8c 100644
index dd9bf7e..9326c2a 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1111,8 +1111,8 @@ EXPORT_SYMBOL(generic_splice_sendpage);
@ -170,10 +170,10 @@ index f87d308..9a290b3 100644
static inline void fput_light(struct file *file, int fput_needed)
{
diff --git a/include/linux/fs.h b/include/linux/fs.h
index bb703ef..aff4f16 100644
index 70e61b5..351bb05 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1261,6 +1261,7 @@ extern void fasync_free(struct fasync_struct *);
@@ -1277,6 +1277,7 @@ extern void fasync_free(struct fasync_struct *);
/* can be called from interrupts */
extern void kill_fasync(struct fasync_struct **, int, int);
@ -181,7 +181,7 @@ index bb703ef..aff4f16 100644
extern void __f_setown(struct file *filp, struct pid *, enum pid_type, int force);
extern void f_setown(struct file *filp, unsigned long arg, int force);
extern void f_delown(struct file *filp);
@@ -1642,6 +1643,7 @@ struct file_operations {
@@ -1660,6 +1661,7 @@ struct file_operations {
ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int);
unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
int (*check_flags)(int);
@ -189,7 +189,7 @@ index bb703ef..aff4f16 100644
int (*flock) (struct file *, int, struct file_lock *);
ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
@@ -1700,6 +1702,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
@@ -1718,6 +1720,12 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
struct iovec *fast_pointer,
struct iovec **ret_pointer);


@ -1,16 +1,18 @@
From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Wed Mar 23 20:35:31 2016 +0900
Subject: aufs4.x-rcN mmap patch
Origin: https://github.com/sfjro/aufs4-standalone/tree/751023bb49e09b10f7ab4c8742eb4cee234506f4
Date: Sat May 21 13:01:18 2016 +0900
Subject: aufs4.6 mmap patch
Origin: https://github.com/sfjro/aufs4-standalone/tree/57b92ac80a7564243de7e5c69f77e1616af9808a
Bug-Debian: https://bugs.debian.org/541828
Patch headers added by debian/patches/features/all/aufs4/gen-patch
aufs4.x-rcN mmap patch
aufs4.6 mmap patch
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 0d163a8..b958f79 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1933,7 +1933,7 @@ static int map_files_get_link(struct den
@@ -1934,7 +1934,7 @@ static int map_files_get_link(struct dentry *dentry, struct path *path)
down_read(&mm->mmap_sem);
vma = find_exact_vma(mm, vm_start, vm_end);
if (vma && vma->vm_file) {
@ -19,9 +21,11 @@ aufs4.x-rcN mmap patch
path_get(path);
rc = 0;
}
diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c
index f8595e8..cb8eda0 100644
--- a/fs/proc/nommu.c
+++ b/fs/proc/nommu.c
@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_
@@ -45,7 +45,10 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region)
file = region->vm_file;
if (file) {
@ -33,9 +37,11 @@ aufs4.x-rcN mmap patch
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 5415835..c41eb73 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -298,7 +298,10 @@ show_map_vma(struct seq_file *m, struct
@@ -298,7 +298,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
const char *name = NULL;
if (file) {
@ -47,7 +53,7 @@ aufs4.x-rcN mmap patch
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
@@ -1590,7 +1593,7 @@ static int show_numa_map(struct seq_file
@@ -1617,7 +1620,7 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
struct proc_maps_private *proc_priv = &numa_priv->proc_maps;
struct vm_area_struct *vma = v;
struct numa_maps *md = &numa_priv->md;
@ -56,9 +62,11 @@ aufs4.x-rcN mmap patch
struct mm_struct *mm = vma->vm_mm;
struct mm_walk walk = {
.hugetlb_entry = gather_hugetlb_stats,
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index faacb0c..17b43be 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -163,7 +163,10 @@ static int nommu_vma_show(struct seq_fil
@@ -163,7 +163,10 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma,
file = vma->vm_file;
if (file) {
@ -70,9 +78,11 @@ aufs4.x-rcN mmap patch
dev = inode->i_sb->s_dev;
ino = inode->i_ino;
pgoff = (loff_t)vma->vm_pgoff << PAGE_SHIFT;
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 8f468e0..4ab3095 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1238,6 +1238,28 @@ static inline int fixup_user_fault(struc
@@ -1251,6 +1251,28 @@ static inline int fixup_user_fault(struct task_struct *tsk,
}
#endif
@ -101,6 +111,8 @@ aufs4.x-rcN mmap patch
extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
void *buf, int len, int write);
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index c2d75b4..9e324fe 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -269,6 +269,7 @@ struct vm_region {
@ -119,9 +131,11 @@ aufs4.x-rcN mmap patch
void * vm_private_data; /* was vm_pte (shared mem) */
#ifndef CONFIG_MMU
diff --git a/kernel/fork.c b/kernel/fork.c
index d277e83..683b8a2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -475,7 +475,7 @@ static int dup_mmap(struct mm_struct *mm
@@ -475,7 +475,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
struct inode *inode = file_inode(file);
struct address_space *mapping = file->f_mapping;
@ -130,9 +144,11 @@ aufs4.x-rcN mmap patch
if (tmp->vm_flags & VM_DENYWRITE)
atomic_dec(&inode->i_writecount);
i_mmap_lock_write(mapping);
diff --git a/mm/Makefile b/mm/Makefile
index deb467e..0f6ae63 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -37,7 +37,7 @@ obj-y := filemap.o mempool.o oom_kill.
@@ -37,7 +37,7 @@ obj-y := filemap.o mempool.o oom_kill.o \
mm_init.o mmu_context.o percpu.o slab_common.o \
compaction.o vmacache.o \
interval_tree.o list_lru.o workingset.o \
@ -141,9 +157,11 @@ aufs4.x-rcN mmap patch
obj-y += init-mm.o
diff --git a/mm/filemap.c b/mm/filemap.c
index f2479af..31f4b0d 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2211,7 +2211,7 @@ int filemap_page_mkwrite(struct vm_area_
@@ -2211,7 +2211,7 @@ int filemap_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
int ret = VM_FAULT_LOCKED;
sb_start_pagefault(inode->i_sb);
@ -152,9 +170,11 @@ aufs4.x-rcN mmap patch
lock_page(page);
if (page->mapping != inode->i_mapping) {
unlock_page(page);
diff --git a/mm/memory.c b/mm/memory.c
index 07493e3..dc696bc 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2065,7 +2065,7 @@ static inline int wp_page_reuse(struct m
@@ -2098,7 +2098,7 @@ static inline int wp_page_reuse(struct mm_struct *mm,
}
if (!page_mkwrite)
@ -163,9 +183,11 @@ aufs4.x-rcN mmap patch
}
return VM_FAULT_WRITE;
diff --git a/mm/mmap.c b/mm/mmap.c
index bd2e1a53..7328b74 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -166,7 +166,7 @@ static struct vm_area_struct *remove_vma
@@ -166,7 +166,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
if (vma->vm_ops && vma->vm_ops->close)
vma->vm_ops->close(vma);
if (vma->vm_file)
@ -174,7 +196,7 @@ aufs4.x-rcN mmap patch
mpol_put(vma_policy(vma));
kmem_cache_free(vm_area_cachep, vma);
return next;
@@ -785,7 +785,7 @@ again: remove_next = 1 + (end > next->
@@ -785,7 +785,7 @@ again: remove_next = 1 + (end > next->vm_end);
if (remove_next) {
if (file) {
uprobe_munmap(next, next->vm_start, next->vm_end);
@ -193,7 +215,7 @@ aufs4.x-rcN mmap patch
/* Undo any partial mapping done by a device driver. */
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
@@ -2362,7 +2362,7 @@ static int __split_vma(struct mm_struct
@@ -2362,7 +2362,7 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
goto out_free_mpol;
if (new->vm_file)
@ -202,7 +224,7 @@ aufs4.x-rcN mmap patch
if (new->vm_ops && new->vm_ops->open)
new->vm_ops->open(new);
@@ -2381,7 +2381,7 @@ static int __split_vma(struct mm_struct
@@ -2381,7 +2381,7 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
if (new->vm_ops && new->vm_ops->close)
new->vm_ops->close(new);
if (new->vm_file)
@ -211,28 +233,45 @@ aufs4.x-rcN mmap patch
unlink_anon_vmas(new);
out_free_mpol:
mpol_put(vma_policy(new));
@@ -2523,7 +2523,6 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
@@ -2523,7 +2523,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
struct vm_area_struct *vma;
unsigned long populate = 0;
unsigned long ret = -EINVAL;
- struct file *file;
+ struct file *file, *prfile;
pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.\n",
current->comm, current->pid);
@@ -2590,10 +2589,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
@@ -2590,10 +2590,27 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
}
}
- file = get_file(vma->vm_file);
+ vma_get_file(vma);
+ file = vma->vm_file;
+ prfile = vma->vm_prfile;
ret = do_mmap_pgoff(vma->vm_file, start, size,
prot, flags, pgoff, &populate);
- fput(file);
+ vma_fput(vma);
+ if (!IS_ERR_VALUE(ret) && file && prfile) {
+ struct vm_area_struct *new_vma;
+
+ new_vma = find_vma(mm, ret);
+ if (!new_vma->vm_prfile)
+ new_vma->vm_prfile = prfile;
+ if (new_vma != vma)
+ get_file(prfile);
+ }
+ /*
+ * two fput()s instead of vma_fput(vma),
+ * coz vma may not be available anymore.
+ */
fput(file);
+ if (prfile)
+ fput(prfile);
out:
up_write(&mm->mmap_sem);
if (populate)
@@ -2864,7 +2863,7 @@ struct vm_area_struct *copy_vma(struct v
@@ -2864,7 +2881,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
if (anon_vma_clone(new_vma, vma))
goto out_free_mempol;
if (new_vma->vm_file)
@ -241,9 +280,11 @@ aufs4.x-rcN mmap patch
if (new_vma->vm_ops && new_vma->vm_ops->open)
new_vma->vm_ops->open(new_vma);
vma_link(mm, new_vma, prev, rb_link, rb_parent);
diff --git a/mm/nommu.c b/mm/nommu.c
index c8bd59a..4cfc2fc 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -646,7 +646,7 @@ static void __put_nommu_region(struct vm
@@ -644,7 +644,7 @@ static void __put_nommu_region(struct vm_region *region)
up_write(&nommu_region_sem);
if (region->vm_file)
@ -252,7 +293,7 @@ aufs4.x-rcN mmap patch
/* IO memory and memory shared directly out of the pagecache
* from ramfs/tmpfs mustn't be released here */
@@ -804,7 +804,7 @@ static void delete_vma(struct mm_struct
@@ -802,7 +802,7 @@ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma)
if (vma->vm_ops && vma->vm_ops->close)
vma->vm_ops->close(vma);
if (vma->vm_file)
@ -261,7 +302,7 @@ aufs4.x-rcN mmap patch
put_nommu_region(vma->vm_region);
kmem_cache_free(vm_area_cachep, vma);
}
@@ -1330,7 +1330,7 @@ unsigned long do_mmap(struct file *file,
@@ -1328,7 +1328,7 @@ unsigned long do_mmap(struct file *file,
goto error_just_free;
}
}
@ -270,7 +311,7 @@ aufs4.x-rcN mmap patch
kmem_cache_free(vm_region_jar, region);
region = pregion;
result = start;
@@ -1405,10 +1405,10 @@ error_just_free:
@@ -1403,10 +1403,10 @@ error_just_free:
up_write(&nommu_region_sem);
error:
if (region->vm_file)
@ -283,6 +324,9 @@ aufs4.x-rcN mmap patch
kmem_cache_free(vm_area_cachep, vma);
return ret;
diff --git a/mm/prfile.c b/mm/prfile.c
new file mode 100644
index 0000000..b323b8a
--- /dev/null
+++ b/mm/prfile.c
@@ -0,0 +1,86 @@
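Review bot: In the remap_file_pages() hunk the `get_file(prfile)` taken when `new_vma != vma` is not tied to the assignment just above it, so when `find_vma()` returns a different VMA whose `vm_prfile` is already set, a reference on prfile is taken but stored nowhere and never dropped, which looks like a leaked struct file reference. If the extra reference is only meant to back the pointer stored into `new_vma->vm_prfile`, nest the two tests: `if (!new_vma->vm_prfile) { new_vma->vm_prfile = prfile; if (new_vma != vma) get_file(prfile); }`; if an already-set `vm_prfile` is expected to equal prfile in every reachable case, a comment saying so would save the next reader the same question. `find_vma()` can also return NULL in principle and is dereferenced unchecked on the next line; a successful `do_mmap_pgoff()` presumably guarantees a VMA at `ret`, but a guard such as `if (new_vma && !new_vma->vm_prfile)` or a comment stating that assumption would make it explicit. The body of remap_file_pages() starts and ends outside this hunk.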


@ -1,15 +1,15 @@
From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Wed Mar 23 20:35:31 2016 +0900
Subject: aufs4.x-rcN standalone patch
Origin: https://github.com/sfjro/aufs4-standalone/tree/751023bb49e09b10f7ab4c8742eb4cee234506f4
Date: Sat May 21 13:01:18 2016 +0900
Subject: aufs4.6 standalone patch
Origin: https://github.com/sfjro/aufs4-standalone/tree/57b92ac80a7564243de7e5c69f77e1616af9808a
Bug-Debian: https://bugs.debian.org/541828
Patch headers added by debian/patches/features/all/aufs4/gen-patch
aufs4.x-rcN standalone patch
aufs4.6 standalone patch
diff --git a/fs/dcache.c b/fs/dcache.c
index bc599d0..1b735a9 100644
index 4de75b2..0dd0237 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1261,6 +1261,7 @@ rename_retry:
@ -21,7 +21,7 @@ index bc599d0..1b735a9 100644
/*
* Search for at least 1 mount point in the dentry's subdirs.
diff --git a/fs/exec.c b/fs/exec.c
index 9bdf0ed..8c87f6c 100644
index c4010b8..c2b225f 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -104,6 +104,7 @@ bool path_noexec(const struct path *path)
@ -173,7 +173,7 @@ index 7115c5d..ac2bd69 100644
static void fsnotify_mark_destroy(struct work_struct *work)
{
diff --git a/fs/open.c b/fs/open.c
index 55bdc75..fd1df73 100644
index 081d3d6..b4359e4 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -64,6 +64,7 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
@ -213,7 +213,7 @@ index 0ebcdc5..0a43d7b 100644
ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t *pos)
{
diff --git a/fs/splice.c b/fs/splice.c
index 9037c8c..72cc871 100644
index 9326c2a..0606690 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1124,6 +1124,7 @@ long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
@ -224,7 +224,7 @@ index 9037c8c..72cc871 100644
/*
* Attempt to initiate a splice from a file to a pipe.
@@ -1150,6 +1151,7 @@ long do_splice_to(struct file *in, loff_t *ppos,
@@ -1153,6 +1154,7 @@ long do_splice_to(struct file *in, loff_t *ppos,
return splice_read(in, ppos, pipe, len, flags);
}