4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 May 2019 08:43:53 +0000 (10:43 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 May 2019 08:43:53 +0000 (10:43 +0200)
added patches:
drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
powerpc-booke64-set-ri-in-default-msr.patch

queue-4.4/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch [new file with mode: 0644]
queue-4.4/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch [new file with mode: 0644]
queue-4.4/powerpc-booke64-set-ri-in-default-msr.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch b/queue-4.4/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
new file mode 100644 (file)
index 0000000..77c1f08
--- /dev/null
@@ -0,0 +1,104 @@
+From c8ea3663f7a8e6996d44500ee818c9330ac4fd88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:00 -0700
+Subject: drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream.
+
+strndup_user() returns error pointers on error, and then in the error
+handling we pass the error pointers to kfree().  It will cause an Oops.
+
+Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/fsl_hypervisor.c |   26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -335,8 +335,8 @@ static long ioctl_dtprop(struct fsl_hv_i
+       struct fsl_hv_ioctl_prop param;
+       char __user *upath, *upropname;
+       void __user *upropval;
+-      char *path = NULL, *propname = NULL;
+-      void *propval = NULL;
++      char *path, *propname;
++      void *propval;
+       int ret = 0;
+       /* Get the parameters from the user. */
+@@ -348,32 +348,30 @@ static long ioctl_dtprop(struct fsl_hv_i
+       upropval = (void __user *)(uintptr_t)param.propval;
+       path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
+-      if (IS_ERR(path)) {
+-              ret = PTR_ERR(path);
+-              goto out;
+-      }
++      if (IS_ERR(path))
++              return PTR_ERR(path);
+       propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
+       if (IS_ERR(propname)) {
+               ret = PTR_ERR(propname);
+-              goto out;
++              goto err_free_path;
+       }
+       if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
+               ret = -EINVAL;
+-              goto out;
++              goto err_free_propname;
+       }
+       propval = kmalloc(param.proplen, GFP_KERNEL);
+       if (!propval) {
+               ret = -ENOMEM;
+-              goto out;
++              goto err_free_propname;
+       }
+       if (set) {
+               if (copy_from_user(propval, upropval, param.proplen)) {
+                       ret = -EFAULT;
+-                      goto out;
++                      goto err_free_propval;
+               }
+               param.ret = fh_partition_set_dtprop(param.handle,
+@@ -392,7 +390,7 @@ static long ioctl_dtprop(struct fsl_hv_i
+                       if (copy_to_user(upropval, propval, param.proplen) ||
+                           put_user(param.proplen, &p->proplen)) {
+                               ret = -EFAULT;
+-                              goto out;
++                              goto err_free_propval;
+                       }
+               }
+       }
+@@ -400,10 +398,12 @@ static long ioctl_dtprop(struct fsl_hv_i
+       if (put_user(param.ret, &p->ret))
+               ret = -EFAULT;
+-out:
+-      kfree(path);
++err_free_propval:
+       kfree(propval);
++err_free_propname:
+       kfree(propname);
++err_free_path:
++      kfree(path);
+       return ret;
+ }
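Review bot: In `ioctl_dtprop`, `propval` is still allocated with `kmalloc(param.proplen, GFP_KERNEL)` and, in the get branch, copied back to user space with `copy_to_user(upropval, propval, param.proplen)`. The call that fills the buffer lies between the inner hunks and is not visible here, so it cannot be confirmed that it always writes as many bytes as the length later copied out. If it can write fewer, stale heap contents would be returned to the caller. Allocating with `propval = kzalloc(param.proplen, GFP_KERNEL);` removes that dependency.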
diff --git a/queue-4.4/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch b/queue-4.4/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
new file mode 100644 (file)
index 0000000..b064ad8
--- /dev/null
@@ -0,0 +1,46 @@
+From 6a024330650e24556b8a18cc654ad00cfecf6c6c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:03 -0700
+Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.
+
+The "param.count" value is a u64 thatcomes from the user.  The code
+later in the function assumes that param.count is at least one and if
+it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.
+
+Also the addition can have an integer overflow which would lead us to
+allocate a smaller "pages" array than required.  I can't immediately
+tell what the possible run times implications are, but it's safest to
+prevent the overflow.
+
+Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/fsl_hypervisor.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
+        * hypervisor.
+        */
+       lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
++      if (param.count == 0 ||
++          param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
++              return -EINVAL;
+       num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
+       /* Allocate the buffers we need */
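Review bot: The added check in `ioctl_memcpy` stops the 64-bit sum `param.count + lb_offset + PAGE_SIZE - 1` from wrapping, but it places no practical upper bound on `param.count`. The declaration of `num_pages` and the allocations sized from it are outside this hunk. If `num_pages` is narrower than 64 bits, the shifted result is truncated on assignment and the allocated arrays no longer correspond to the requested length. It is worth confirming that every later loop and size computation is bounded by `num_pages` rather than by `param.count`. A defensive addition would be to compute the page count in a `u64` first and return `-EINVAL` when it does not fit the type of `num_pages`, with a short comment stating the largest transfer the ioctl is meant to support.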
diff --git a/queue-4.4/powerpc-booke64-set-ri-in-default-msr.patch b/queue-4.4/powerpc-booke64-set-ri-in-default-msr.patch
new file mode 100644 (file)
index 0000000..b6d3689
--- /dev/null
@@ -0,0 +1,34 @@
+From 5266e58d6cd90ac85c187d673093ad9cb649e16d Mon Sep 17 00:00:00 2001
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Date: Mon, 15 Apr 2019 14:52:11 +0300
+Subject: powerpc/booke64: set RI in default MSR
+
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+
+commit 5266e58d6cd90ac85c187d673093ad9cb649e16d upstream.
+
+Set RI in the default kernel's MSR so that the architected way of
+detecting unrecoverable machine check interrupts has a chance to work.
+This is inline with the MSR setup of the rest of booke powerpc
+architectures configured here.
+
+Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg_booke.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg_booke.h
++++ b/arch/powerpc/include/asm/reg_booke.h
+@@ -41,7 +41,7 @@
+ #if defined(CONFIG_PPC_BOOK3E_64)
+ #define MSR_64BIT     MSR_CM
+-#define MSR_          (MSR_ME | MSR_CE)
++#define MSR_          (MSR_ME | MSR_RI | MSR_CE)
+ #define MSR_KERNEL    (MSR_ | MSR_64BIT)
+ #define MSR_USER32    (MSR_ | MSR_PR | MSR_EE)
+ #define MSR_USER64    (MSR_USER32 | MSR_64BIT)
index 31e951057f3e04be92f67733c75f6fa4e1134473..3468a605d2838049a36a435acf3b1466c3ed2053 100644 (file)
@@ -261,3 +261,6 @@ vlan-disable-siocshwtstamp-in-container.patch
 vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch
 ipv4-fix-raw-socket-lookup-for-local-traffic.patch
 bonding-fix-arp_validate-toggling-in-active-backup-mode.patch
+drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
+drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
+powerpc-booke64-set-ri-in-default-msr.patch