From 20d3bc8c34cb24df0d170a2a06759d7d1e71da03 Mon Sep 17 00:00:00 2001
From: Anton Chevychalov <achevychalov@mirantis.com>
Date: Mon, 21 Nov 2016 13:07:07 +0300
Subject: [PATCH] Fix CVE-2016-5195 Dirty COW

Due to possible problems with docker (LP#1485954)
it is not safe to update kernel, so backport fix
from RHEL linux-2.6.32-642.6.2.el6.

Change-Id: Ieead012b983e765d9a05f6b7c3ed4e4cdfb508be
Closes-Bug: #1636528
---
 cve-2016-2016-5195.patch | 83 ++++++++++++++++++++++++++++++++++++++++
 kernel.spec              |  9 +++++
 2 files changed, 92 insertions(+)
 create mode 100644 cve-2016-2016-5195.patch

diff --git a/cve-2016-2016-5195.patch b/cve-2016-2016-5195.patch
new file mode 100644
index 0000000..fc4b752
--- /dev/null
+++ b/cve-2016-2016-5195.patch
@@ -0,0 +1,83 @@
+--- a/include/linux/mm.h	2016-08-25 18:07:47.000000000 +0300
++++ b/include/linux/mm.h	2016-10-24 16:19:16.000000000 +0300
+@@ -1401,6 +1401,7 @@
+ #define FOLL_HWPOISON	0x100	/* check page is hwpoisoned */
+ #define FOLL_NUMA	0x200	/* force NUMA hinting page fault */
+ #define FOLL_MIGRATION	0x400	/* wait for page to replace migration entry */
++#define FOLL_COW	0x4000	/* internal GUP flag */
+ 
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ 			void *data);
+diff -Naur ./mm/memory.c ../linux-2.6.32-642.6.2.el6/mm/memory.c
+--- a/mm/memory.c	2016-08-25 18:06:57.000000000 +0300
++++ b/mm/memory.c	2016-10-24 16:19:16.000000000 +0300
+@@ -1191,6 +1191,24 @@
+ }
+ EXPORT_SYMBOL_GPL(zap_vma_ptes);
+ 
++static inline bool can_follow_write_pte(pte_t pte, struct page *page,
++					unsigned int flags)
++{
++	if (pte_write(pte))
++		return true;
++
++	/*
++	 * Make sure that we are really following CoWed page. We do not really
++	 * have to care about exclusiveness of the page because we only want
++	 * to ensure that once COWed page hasn't disappeared in the meantime
++	 * or it hasn't been merged to a KSM page.
++	 */
++	if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
++		return page && PageAnon(page) && !PageKsm(page);
++
++	return false;
++}
++
+ /*
+  * Do a quick page-table lookup for a single page.
+  */
+@@ -1280,10 +1298,11 @@
+ 		migration_entry_wait(mm, pmd, address);
+ 		goto split_fallthrough;
+ 	}
+-	if ((flags & FOLL_WRITE) && !pte_write(pte))
+-		goto unlock;
+-
+ 	page = vm_normal_page(vma, address, pte);
++	if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) {
++		pte_unmap_unlock(ptep, ptl);
++		return NULL;
++	}
+ 	if (unlikely(!page)) {
+ 		if ((flags & FOLL_DUMP) ||
+ 		    !is_zero_pfn(pte_pfn(pte)))
+@@ -1304,7 +1323,6 @@
+ 		 */
+ 		mark_page_accessed(page);
+ 	}
+-unlock:
+ 	pte_unmap_unlock(ptep, ptl);
+ out:
+ 	return page;
+@@ -1503,17 +1520,13 @@
+ 				 * The VM_FAULT_WRITE bit tells us that
+ 				 * do_wp_page has broken COW when necessary,
+ 				 * even if maybe_mkwrite decided not to set
+-				 * pte_write. We can thus safely do subsequent
+-				 * page lookups as if they were reads. But only
+-				 * do so when looping for pte_write is futile:
+-				 * in some cases userspace may also be wanting
+-				 * to write to the gotten user page, which a
+-				 * read fault here might prevent (a readonly
+-				 * page might get reCOWed by userspace write).
++				 * pte_write. We cannot simply drop FOLL_WRITE
++				 * here because the COWed page might be gone by
++				 * the time we do the subsequent page lookups.
+ 				 */
+ 				if ((ret & VM_FAULT_WRITE) &&
+ 				    !(vma->vm_flags & VM_WRITE))
+-					foll_flags &= ~FOLL_WRITE;
++					foll_flags |= FOLL_COW;
+ 
+ 				cond_resched();
+ 			}
diff --git a/kernel.spec b/kernel.spec
index 6a09b0a..db483ca 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -16,6 +16,7 @@ Summary: The Linux kernel
 # by setting the define to ".local" or ".bz123456"
 #
 # % define buildid .local
+%define buildid .mos1
 
 %define distro_build 431.20.3
 %define signmodules 1
@@ -614,6 +615,9 @@ Source84: config-s390x-generic-rhel
 Source85: config-powerpc64-debug-rhel
 Source86: config-s390x-debug-rhel
 
+# LP: https://bugs.launchpad.net/mos/+bug/1636528
+Patch1: cve-2016-2016-5195.patch
+
 # empty final patch file to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
 
@@ -936,6 +940,8 @@ cp %{SOURCE15} %{SOURCE1} %{SOURCE16} %{SOURCE17} %{SOURCE18} .
 # Dynamically generate kernel .config files from config-* files
 make -f %{SOURCE20} VERSION=%{version} configs
 
+ApplyPatch cve-2016-2016-5195.patch
+
 ApplyOptionalPatch linux-kernel-test.patch
 
 # Any further pre-build tree manipulations happen here.
@@ -1739,6 +1745,9 @@ fi
 %endif
 
 %changelog
+* Mon Nov 14 2016 Anton Chevychalov <achevychalov@mirantis.com> [2.6.32-431.20.3.mos1.el6.centos]
+- [mm] Backport fix for CVE-2015-5195
+
 * Thu Jun 19 2014 Johnny Hughes <johnny@centos.org> [2.6.32-431.20.3.el6.centos]
 - Roll in CentOS Branding
 
-- 
2.32.3