Update to 4.11.6-1

1 files changed, 45 insertions, 0 deletions

diff --git a/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch b/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch
new file mode 100644
index 000000000000..58ec52fa3098
--- /dev/null
+++ b/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch
@@ -0,0 +1,45 @@
+From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 19 Jun 2017 17:34:05 +0200
+Subject: [PATCH] Allow stack to grow up to address space limit
+
+Fix expand_upwards() on architectures with an upward-growing stack (parisc,
+metag and partly IA-64) to allow the stack to reliably grow exactly up to
+the address space limit given by TASK_SIZE.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mmap.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 290b77d9a01e0..a5e3dcd75e79f 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ 	if (!(vma->vm_flags & VM_GROWSUP))
+ 		return -EFAULT;
+ 
+-	/* Guard against wrapping around to address 0. */
++	/* Guard against exceeding limits of the address space. */
+ 	address &= PAGE_MASK;
+-	address += PAGE_SIZE;
+-	if (!address)
++	if (address >= TASK_SIZE)
+ 		return -ENOMEM;
++	address += PAGE_SIZE;
+ 
+ 	/* Enforce stack_guard_gap */
+ 	gap_addr = address + stack_guard_gap;
+-	if (gap_addr < address)
+-		return -ENOMEM;
++
++	/* Guard against overflow */
++	if (gap_addr < address || gap_addr > TASK_SIZE)
++		gap_addr = TASK_SIZE;
++
+ 	next = vma->vm_next;
+ 	if (next && next->vm_start < gap_addr) {
+ 		if (!(next->vm_flags & VM_GROWSUP))