<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1477060454227_3339" dir="ltr">Here is a backport for Chaos Calmer of commit https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619]19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 that patches https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195]CVE-2016-5195<br></div><div id="yui_3_16_0_ym19_1_1477060454227_3387"><br></div><div id="yui_3_16_0_ym19_1_1477060454227_3338">/DL</div><div id="yui_3_16_0_ym19_1_1477060454227_3337"><br></div><div id="yui_3_16_0_ym19_1_1477060454227_3235">Signed-off-by: dl12345 <revelstone@yahoo.com></div><div id="yui_3_16_0_ym19_1_1477060454227_3236">---</div><div id="yui_3_16_0_ym19_1_1477060454227_3237"> .../generic/patches-3.18/099-CVE-2016-5195.patch   | 47 ++++++++++++++++++++++</div><div id="yui_3_16_0_ym19_1_1477060454227_3238"> 1 file changed, 47 insertions(+)</div><div id="yui_3_16_0_ym19_1_1477060454227_3239"> create mode 100644 target/linux/generic/patches-3.18/099-CVE-2016-5195.patch</div><div id="yui_3_16_0_ym19_1_1477060454227_3240"><br id="yui_3_16_0_ym19_1_1477060454227_3241"></div><div id="yui_3_16_0_ym19_1_1477060454227_3242">diff --git a/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch b/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch</div><div id="yui_3_16_0_ym19_1_1477060454227_3243">new file mode 100644</div><div id="yui_3_16_0_ym19_1_1477060454227_3244">index 0000000..2febc79</div><div id="yui_3_16_0_ym19_1_1477060454227_3245">--- /dev/null</div><div id="yui_3_16_0_ym19_1_1477060454227_3246">+++ b/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch</div><div id="yui_3_16_0_ym19_1_1477060454227_3247">@@ -0,0 +1,47 @@</div><div id="yui_3_16_0_ym19_1_1477060454227_3248">+--- a/include/linux/mm.h</div><div 
id="yui_3_16_0_ym19_1_1477060454227_3249">++++ b/include/linux/mm.h</div><div id="yui_3_16_0_ym19_1_1477060454227_3250">+@@ -2029,6 +2029,7 @@ static inline struct page *follow_page(s</div><div id="yui_3_16_0_ym19_1_1477060454227_3251">+ #define FOLL_NUMA<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3252"> </span>0x200<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3253">      </span>/* force NUMA hinting page fault */</div><div id="yui_3_16_0_ym19_1_1477060454227_3254">+ #define FOLL_MIGRATION<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3255">     </span>0x400<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3256">      </span>/* wait for page to replace migration entry */</div><div id="yui_3_16_0_ym19_1_1477060454227_3257">+ #define FOLL_TRIED<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3258">      </span>0x800<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3259">      </span>/* a retry, previous pass started an IO */</div><div id="yui_3_16_0_ym19_1_1477060454227_3260">++#define FOLL_COW<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3261">    </span>0x4000<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3262">     </span>/* internal GUP flag */</div><div id="yui_3_16_0_ym19_1_1477060454227_3263">+ </div><div id="yui_3_16_0_ym19_1_1477060454227_3264">+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,</div><div id="yui_3_16_0_ym19_1_1477060454227_3265">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3266">                        </span>void *data);</div><div id="yui_3_16_0_ym19_1_1477060454227_3267">+--- a/mm/gup.c</div><div id="yui_3_16_0_ym19_1_1477060454227_3268">++++ b/mm/gup.c</div><div id="yui_3_16_0_ym19_1_1477060454227_3269">+@@ -32,6 +32,16 @@ static struct page *no_page_table(struct</div><div 
id="yui_3_16_0_ym19_1_1477060454227_3270">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3271">       </span>return NULL;</div><div id="yui_3_16_0_ym19_1_1477060454227_3272">+ }</div><div id="yui_3_16_0_ym19_1_1477060454227_3273">+ </div><div id="yui_3_16_0_ym19_1_1477060454227_3274">++/*</div><div id="yui_3_16_0_ym19_1_1477060454227_3275">++ * FOLL_FORCE can write to even unwritable pte's, but only</div><div id="yui_3_16_0_ym19_1_1477060454227_3276">++ * after we've gone through a COW cycle and they are dirty.</div><div id="yui_3_16_0_ym19_1_1477060454227_3277">++ */</div><div id="yui_3_16_0_ym19_1_1477060454227_3278">++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)</div><div id="yui_3_16_0_ym19_1_1477060454227_3279">++{</div><div id="yui_3_16_0_ym19_1_1477060454227_3280">++<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3281">   </span>return pte_write(pte) ||</div><div id="yui_3_16_0_ym19_1_1477060454227_3282">++<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3283">              </span>((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));</div><div id="yui_3_16_0_ym19_1_1477060454227_3284">++}</div><div id="yui_3_16_0_ym19_1_1477060454227_3285">++</div><div id="yui_3_16_0_ym19_1_1477060454227_3286">+ static struct page *follow_page_pte(struct vm_area_struct *vma,</div><div id="yui_3_16_0_ym19_1_1477060454227_3287">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3288">                </span>unsigned long address, pmd_t *pmd, unsigned int flags)</div><div id="yui_3_16_0_ym19_1_1477060454227_3289">+ {</div><div id="yui_3_16_0_ym19_1_1477060454227_3290">+@@ -66,7 +76,7 @@ retry:</div><div id="yui_3_16_0_ym19_1_1477060454227_3291">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3292">      </span>}</div><div id="yui_3_16_0_ym19_1_1477060454227_3293">+ <span style="white-space:pre-wrap;" 
id="yui_3_16_0_ym19_1_1477060454227_3294">     </span>if ((flags & FOLL_NUMA) && pte_numa(pte))</div><div id="yui_3_16_0_ym19_1_1477060454227_3295">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3296">         </span>goto no_page;</div><div id="yui_3_16_0_ym19_1_1477060454227_3297">+-<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3298"> </span>if ((flags & FOLL_WRITE) && !pte_write(pte)) {</div><div id="yui_3_16_0_ym19_1_1477060454227_3299">++<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3300">    </span>if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {</div><div id="yui_3_16_0_ym19_1_1477060454227_3301">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3302">          </span>pte_unmap_unlock(ptep, ptl);</div><div id="yui_3_16_0_ym19_1_1477060454227_3303">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3304">          </span>return NULL;</div><div id="yui_3_16_0_ym19_1_1477060454227_3305">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3306">  </span>}</div><div id="yui_3_16_0_ym19_1_1477060454227_3307">+@@ -315,7 +325,7 @@ static int faultin_page(struct task_stru</div><div id="yui_3_16_0_ym19_1_1477060454227_3308">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3309">     </span> * reCOWed by userspace write).</div><div id="yui_3_16_0_ym19_1_1477060454227_3310">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3311">       </span> */</div><div id="yui_3_16_0_ym19_1_1477060454227_3312">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3313">   </span>if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))</div><div id="yui_3_16_0_ym19_1_1477060454227_3314">+-<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3315">         </span>*flags &= ~FOLL_WRITE;</div><div 
id="yui_3_16_0_ym19_1_1477060454227_3316">++<span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3317">            </span>*flags |= FOLL_COW;</div><div id="yui_3_16_0_ym19_1_1477060454227_3318">+ <span style="white-space:pre-wrap;" id="yui_3_16_0_ym19_1_1477060454227_3319">   </span>return 0;</div><div id="yui_3_16_0_ym19_1_1477060454227_3320">+ }</div><div id="yui_3_16_0_ym19_1_1477060454227_3321">+ </div><div id="yui_3_16_0_ym19_1_1477060454227_3322">-- </div><div id="yui_3_16_0_ym19_1_1477060454227_3323">1.8.3.1</div><div dir="ltr" id="yui_3_16_0_ym19_1_1477060454227_3324"><br id="yui_3_16_0_ym19_1_1477060454227_3325"></div></div></body></html>
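Review bot: The new 099-CVE-2016-5195.patch starts directly at `--- a/include/linux/mm.h` with no header, so the upstream commit id and the CVE reference exist only in this mail and are lost once the file is in the tree. I would add a short header above the first hunk, for example `Backport of upstream commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 (fixes CVE-2016-5195)`, so a later audit can match the backport against upstream. In the mm.h hunk the visible context ends at `FOLL_TRIED 0x800`, so please confirm that no other FOLL_* flag in the 3.18 tree, including target-specific patches, already uses the `0x4000` value given to `FOLL_COW`. The file is added only under patches-3.18; any target in this branch that builds from a different kernel patch directory would presumably stay unfixed and should be checked.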