3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 8 Nov 2014 01:29:21 +0000 (17:29 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 8 Nov 2014 01:29:21 +0000 (17:29 -0800)
added patches:
alsa-pcm-zero-clear-reserved-fields-of-pcm-status-ioctl-in-compat-mode.patch
evm-check-xattr-value-length-and-type-in-evm_inode_setxattr.patch
fix-misuses-of-f_count-in-ppp-and-netlink.patch
kill-wbuf_queued-wbuf_dwork_lock.patch

queue-3.10/alsa-pcm-zero-clear-reserved-fields-of-pcm-status-ioctl-in-compat-mode.patch [new file with mode: 0644]
queue-3.10/evm-check-xattr-value-length-and-type-in-evm_inode_setxattr.patch [new file with mode: 0644]
queue-3.10/fix-misuses-of-f_count-in-ppp-and-netlink.patch [new file with mode: 0644]
queue-3.10/kill-wbuf_queued-wbuf_dwork_lock.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/alsa-pcm-zero-clear-reserved-fields-of-pcm-status-ioctl-in-compat-mode.patch b/queue-3.10/alsa-pcm-zero-clear-reserved-fields-of-pcm-status-ioctl-in-compat-mode.patch
new file mode 100644 (file)
index 0000000..63f99c4
--- /dev/null
@@ -0,0 +1,33 @@
+From 317168d0c766defd14b3d0e9c2c4a9a258b803ee Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 28 Oct 2014 12:42:19 +0100
+Subject: ALSA: pcm: Zero-clear reserved fields of PCM status ioctl in compat mode
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 317168d0c766defd14b3d0e9c2c4a9a258b803ee upstream.
+
+In compat mode, we copy each field of snd_pcm_status struct but don't
+touch the reserved fields, and this leaves uninitialized values
+there.  Meanwhile the native ioctl does zero-clear the whole
+structure, so we should follow the same rule in compat mode, too.
+
+Reported-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -206,6 +206,8 @@ static int snd_pcm_status_user_compat(st
+       if (err < 0)
+               return err;
++      if (clear_user(src, sizeof(*src)))
++              return -EFAULT;
+       if (put_user(status.state, &src->state) ||
+           compat_put_timespec(&status.trigger_tstamp, &src->trigger_tstamp) ||
+           compat_put_timespec(&status.tstamp, &src->tstamp) ||
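Review bot: The new `clear_user()` call at the top of the hunk carries no comment saying why a whole-struct clear now precedes the field-by-field `put_user()` chain; the reason (the reserved fields of the compat struct were left untouched while the native ioctl zero-clears the entire structure) lives only in the commit message. Suggest `/* zero-clear the whole struct first so the reserved fields are not left unwritten, matching the native ioctl */` directly above the `clear_user()` line. The `if (clear_user(src, sizeof(*src))) return -EFAULT;` form is correct, since `clear_user()` returns the number of bytes it could not clear. The enclosing `snd_pcm_status_user_compat()` starts and ends outside the hunk.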
diff --git a/queue-3.10/evm-check-xattr-value-length-and-type-in-evm_inode_setxattr.patch b/queue-3.10/evm-check-xattr-value-length-and-type-in-evm_inode_setxattr.patch
new file mode 100644 (file)
index 0000000..a4d26da
--- /dev/null
@@ -0,0 +1,85 @@
+From 3b1deef6b1289a99505858a3b212c5b50adf0c2f Mon Sep 17 00:00:00 2001
+From: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Date: Tue, 28 Oct 2014 14:28:49 +0200
+Subject: evm: check xattr value length and type in evm_inode_setxattr()
+
+From: Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+commit 3b1deef6b1289a99505858a3b212c5b50adf0c2f upstream.
+
+evm_inode_setxattr() can be called with no value. The function does not
+check the length so that following command can be used to produce the
+kernel oops: setfattr -n security.evm FOO. This patch fixes it.
+
+Changes in v3:
+* there is no reason to return different error codes for EVM_XATTR_HMAC
+  and non EVM_XATTR_HMAC. Remove unnecessary test then.
+
+Changes in v2:
+* testing for validity of xattr type
+
+[ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at           (null)
+[ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
+[ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0
+[ 1106.399953] Oops: 0000 [#1] SMP
+[ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
+[ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936
+[ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000
+[ 1106.400020] RIP: 0010:[<ffffffff812af7b8>]  [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
+[ 1106.400020] RSP: 0018:ffff88002917fd50  EFLAGS: 00010246
+[ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000
+[ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8
+[ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df
+[ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00
+[ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 1106.400020] FS:  00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
+[ 1106.400020] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0
+[ 1106.400020] Stack:
+[ 1106.400020]  ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98
+[ 1106.400020]  ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000
+[ 1106.400020]  0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8
+[ 1106.400020] Call Trace:
+[ 1106.400020]  [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a
+[ 1106.400020]  [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f
+[ 1106.400020]  [<ffffffff8116d1e0>] setxattr+0x122/0x16c
+[ 1106.400020]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
+[ 1106.400020]  [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143
+[ 1106.400020]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
+[ 1106.400020]  [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f
+[ 1106.400020]  [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0
+[ 1106.400020]  [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b
+[ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83
+[ 1106.400020] RIP  [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
+[ 1106.400020]  RSP <ffff88002917fd50>
+[ 1106.400020] CR2: 0000000000000000
+[ 1106.428061] ---[ end trace ae08331628ba3050 ]---
+
+Reported-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/evm/evm_main.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -286,9 +286,12 @@ int evm_inode_setxattr(struct dentry *de
+ {
+       const struct evm_ima_xattr_data *xattr_data = xattr_value;
+-      if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
+-          && (xattr_data->type == EVM_XATTR_HMAC))
+-              return -EPERM;
++      if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
++              if (!xattr_value_len)
++                      return -EINVAL;
++              if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
++                      return -EPERM;
++      }
+       return evm_protect_xattr(dentry, xattr_name, xattr_value,
+                                xattr_value_len);
+ }
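Review bot: The new zero-length guard at `if (!xattr_value_len)` exists to protect the one-byte read of `xattr_data->type` that immediately follows, but nothing in the block says so, and because it sits inside the `security.evm` branch a reader may wonder why other names get no such check. Suggest `/* an empty value has no type byte to inspect; reject before dereferencing xattr_data */` above the length check. Rejecting every type other than `EVM_IMA_XATTR_DIGSIG` with `-EPERM` is the intended tightening described in the message, so the previous `EVM_XATTR_HMAC`-only test is subsumed rather than lost. `evm_protect_xattr()` still receives zero-length values for other names; whether that path is safe cannot be judged from this hunk.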
diff --git a/queue-3.10/fix-misuses-of-f_count-in-ppp-and-netlink.patch b/queue-3.10/fix-misuses-of-f_count-in-ppp-and-netlink.patch
new file mode 100644 (file)
index 0000000..aefb8d2
--- /dev/null
@@ -0,0 +1,57 @@
+From 24dff96a37a2ca319e75a74d3929b2de22447ca6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 8 Oct 2014 23:44:00 -0400
+Subject: fix misuses of f_count() in ppp and netlink
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 24dff96a37a2ca319e75a74d3929b2de22447ca6 upstream.
+
+we used to check for "nobody else could start doing anything with
+that opened file" by checking that refcount was 2 or less - one
+for descriptor table and one we'd acquired in fget() on the way to
+wherever we are.  That was race-prone (somebody else might have
+had a reference to descriptor table and do fget() just as we'd
+been checking) and it had become flat-out incorrect back when
+we switched to fget_light() on those codepaths - unlike fget(),
+it doesn't grab an extra reference unless the descriptor table
+is shared.  The same change allowed a race-free check, though -
+we are safe exactly when refcount is less than 2.
+
+It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading
+to ppp one) and 2.6.17 for sendmsg() (netlink one).  OTOH,
+netlink hadn't grown that check until 3.9 and ppp used to live
+in drivers/net, not drivers/net/ppp until 3.1.  The bug existed
+well before that, though, and the same fix used to apply in old
+location of file.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ppp/ppp_generic.c |    2 +-
+ net/netlink/af_netlink.c      |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -601,7 +601,7 @@ static long ppp_ioctl(struct file *file,
+                       if (file == ppp->owner)
+                               ppp_shutdown_interface(ppp);
+               }
+-              if (atomic_long_read(&file->f_count) <= 2) {
++              if (atomic_long_read(&file->f_count) < 2) {
+                       ppp_release(NULL, file);
+                       err = 0;
+               } else
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -571,7 +571,7 @@ static int netlink_mmap_sendmsg(struct s
+        * after validation, the socket and the ring may only be used by a
+        * single process, otherwise we fall back to copying.
+        */
+-      if (atomic_long_read(&sk->sk_socket->file->f_count) > 2 ||
++      if (atomic_long_read(&sk->sk_socket->file->f_count) > 1 ||
+           atomic_read(&nlk->mapped) > 1)
+               excl = false;
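Review bot: Both new comparisons (`< 2` in `ppp_ioctl()` and `> 1` in `netlink_mmap_sendmsg()`) replace one unexplained threshold with another, and neither site records why 2 is now the boundary; the comment block just above the netlink test describes the exclusivity goal but not the refcount arithmetic. Suggest a comment at each site along the lines of `/* f_count < 2: only our own reference exists, so nobody else can reach this file (fget_light() may not take an extra ref) */`, drawn from the description. The two enclosing functions start before the hunk and end after it.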
diff --git a/queue-3.10/kill-wbuf_queued-wbuf_dwork_lock.patch b/queue-3.10/kill-wbuf_queued-wbuf_dwork_lock.patch
new file mode 100644 (file)
index 0000000..cf8b8e2
--- /dev/null
@@ -0,0 +1,98 @@
+From 99358a1ca53e8e6ce09423500191396f0e6584d2 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Fri, 1 Aug 2014 20:13:40 +0100
+Subject: [jffs2] kill wbuf_queued/wbuf_dwork_lock
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 99358a1ca53e8e6ce09423500191396f0e6584d2 upstream.
+
+schedule_delayed_work() happening when the work is already pending is
+a cheap no-op.  Don't bother with ->wbuf_queued logics - it's both
+broken (cancelling ->wbuf_dwork leaves it set, as spotted by Jeff Harris)
+and pointless.  It's cheaper to let schedule_delayed_work() handle that
+case.
+
+Reported-by: Jeff Harris <jefftharris@gmail.com>
+Tested-by: Jeff Harris <jefftharris@gmail.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/jffs2_fs_sb.h |    2 --
+ fs/jffs2/wbuf.c        |   17 ++---------------
+ 2 files changed, 2 insertions(+), 17 deletions(-)
+
+--- a/fs/jffs2/jffs2_fs_sb.h
++++ b/fs/jffs2/jffs2_fs_sb.h
+@@ -134,8 +134,6 @@ struct jffs2_sb_info {
+       struct rw_semaphore wbuf_sem;   /* Protects the write buffer */
+       struct delayed_work wbuf_dwork; /* write-buffer write-out work */
+-      int wbuf_queued;                /* non-zero delayed work is queued */
+-      spinlock_t wbuf_dwork_lock;     /* protects wbuf_dwork and and wbuf_queued */
+       unsigned char *oobbuf;
+       int oobavail; /* How many bytes are available for JFFS2 in OOB */
+--- a/fs/jffs2/wbuf.c
++++ b/fs/jffs2/wbuf.c
+@@ -1162,10 +1162,6 @@ static void delayed_wbuf_sync(struct wor
+       struct jffs2_sb_info *c = work_to_sb(work);
+       struct super_block *sb = OFNI_BS_2SFFJ(c);
+-      spin_lock(&c->wbuf_dwork_lock);
+-      c->wbuf_queued = 0;
+-      spin_unlock(&c->wbuf_dwork_lock);
+-
+       if (!(sb->s_flags & MS_RDONLY)) {
+               jffs2_dbg(1, "%s()\n", __func__);
+               jffs2_flush_wbuf_gc(c, 0);
+@@ -1180,14 +1176,9 @@ void jffs2_dirty_trigger(struct jffs2_sb
+       if (sb->s_flags & MS_RDONLY)
+               return;
+-      spin_lock(&c->wbuf_dwork_lock);
+-      if (!c->wbuf_queued) {
++      delay = msecs_to_jiffies(dirty_writeback_interval * 10);
++      if (queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay))
+               jffs2_dbg(1, "%s()\n", __func__);
+-              delay = msecs_to_jiffies(dirty_writeback_interval * 10);
+-              queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay);
+-              c->wbuf_queued = 1;
+-      }
+-      spin_unlock(&c->wbuf_dwork_lock);
+ }
+ int jffs2_nand_flash_setup(struct jffs2_sb_info *c)
+@@ -1211,7 +1202,6 @@ int jffs2_nand_flash_setup(struct jffs2_
+       /* Initialise write buffer */
+       init_rwsem(&c->wbuf_sem);
+-      spin_lock_init(&c->wbuf_dwork_lock);
+       INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+       c->wbuf_pagesize = c->mtd->writesize;
+       c->wbuf_ofs = 0xFFFFFFFF;
+@@ -1251,7 +1241,6 @@ int jffs2_dataflash_setup(struct jffs2_s
+       /* Initialize write buffer */
+       init_rwsem(&c->wbuf_sem);
+-      spin_lock_init(&c->wbuf_dwork_lock);
+       INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+       c->wbuf_pagesize =  c->mtd->erasesize;
+@@ -1311,7 +1300,6 @@ int jffs2_nor_wbuf_flash_setup(struct jf
+       /* Initialize write buffer */
+       init_rwsem(&c->wbuf_sem);
+-      spin_lock_init(&c->wbuf_dwork_lock);
+       INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+       c->wbuf_pagesize = c->mtd->writesize;
+@@ -1346,7 +1334,6 @@ int jffs2_ubivol_setup(struct jffs2_sb_i
+               return 0;
+       init_rwsem(&c->wbuf_sem);
+-      spin_lock_init(&c->wbuf_dwork_lock);
+       INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+       c->wbuf_pagesize =  c->mtd->writesize;
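Review bot: The rewritten `jffs2_dirty_trigger()` now depends on `queue_delayed_work()` returning false when the work is already pending, which is the whole reason `wbuf_queued` and `wbuf_dwork_lock` could go, yet the function carries no comment to that effect. Suggest `/* queue_delayed_work() is a cheap no-op, returning false, if the work is already pending; no queued flag or lock is needed */` above the `delay = msecs_to_jiffies(...)` line. The `spin_lock_init()` removals in the four setup functions match the struct change; if any reference to `wbuf_queued` or `wbuf_dwork_lock` remains outside these two files in the 3.10 tree it would no longer build, though the diffstat suggests none does. `delayed_wbuf_sync()` and `jffs2_dirty_trigger()` both extend beyond the hunk's context lines.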
index f1b39841a688cd288b9779a670a7e4acd3a3577b..c6e7ae72e1e4ba8745fb39964a50bdee8ec49743 100644 (file)
@@ -21,3 +21,7 @@ x86-flags-rename-x86_eflags_bit1-to-x86_eflags_fixed.patch
 x86_64-entry-filter-rflags.nt-on-entry-from-userspace.patch
 x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch
 x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch
+evm-check-xattr-value-length-and-type-in-evm_inode_setxattr.patch
+alsa-pcm-zero-clear-reserved-fields-of-pcm-status-ioctl-in-compat-mode.patch
+kill-wbuf_queued-wbuf_dwork_lock.patch
+fix-misuses-of-f_count-in-ppp-and-netlink.patch