4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Feb 2020 08:40:55 +0000 (09:40 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Feb 2020 08:40:55 +0000 (09:40 +0100)
added patches:
floppy-check-fdc-index-for-errors-before-assigning-it.patch
staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
vt-selection-handle-pending-signals-in-paste_selection.patch

queue-4.9/floppy-check-fdc-index-for-errors-before-assigning-it.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch [new file with mode: 0644]
queue-4.9/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch [new file with mode: 0644]
queue-4.9/vt-selection-handle-pending-signals-in-paste_selection.patch [new file with mode: 0644]

diff --git a/queue-4.9/floppy-check-fdc-index-for-errors-before-assigning-it.patch b/queue-4.9/floppy-check-fdc-index-for-errors-before-assigning-it.patch
new file mode 100644 (file)
index 0000000..b049514
--- /dev/null
@@ -0,0 +1,65 @@
+From 2e90ca68b0d2f5548804f22f0dd61145516171e3 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 21 Feb 2020 12:43:35 -0800
+Subject: floppy: check FDC index for errors before assigning it
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2e90ca68b0d2f5548804f22f0dd61145516171e3 upstream.
+
+Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in
+wait_til_ready().
+
+Which on the face of it can't happen, since as Willy Tarreau points out,
+the function does no particular memory access.  Except through the FDCS
+macro, which just indexes a static allocation through teh current fdc,
+which is always checked against N_FDC.
+
+Except the checking happens after we've already assigned the value.
+
+The floppy driver is a disgrace (a lot of it going back to my original
+horrd "design"), and has no real maintainer.  Nobody has the hardware,
+and nobody really cares.  But it still gets used in virtual environment
+because it's one of those things that everybody supports.
+
+The whole thing should be re-written, or at least parts of it should be
+seriously cleaned up.  The 'current fdc' index, which is used by the
+FDCS macro, and which is often shadowed by a local 'fdc' variable, is a
+prime example of how not to write code.
+
+But because nobody has the hardware or the motivation, let's just fix up
+the immediate problem with a nasty band-aid: test the fdc index before
+actually assigning it to the static 'fdc' variable.
+
+Reported-by: Jordy Zomer <jordy@simplyhacker.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -848,14 +848,17 @@ static void reset_fdc_info(int mode)
+ /* selects the fdc and drive, and enables the fdc's input/dma. */
+ static void set_fdc(int drive)
+ {
++      unsigned int new_fdc = fdc;
++
+       if (drive >= 0 && drive < N_DRIVE) {
+-              fdc = FDC(drive);
++              new_fdc = FDC(drive);
+               current_drive = drive;
+       }
+-      if (fdc != 1 && fdc != 0) {
++      if (new_fdc >= N_FDC) {
+               pr_info("bad fdc value\n");
+               return;
+       }
++      fdc = new_fdc;
+       set_dor(fdc, ~0, 8);
+ #if N_FDC > 1
+       set_dor(1 - fdc, ~8, 0);
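Review bot: On the new error path `current_drive` has already been updated (`current_drive = drive;` runs before the `new_fdc >= N_FDC` test) while `fdc` keeps its old value, so the two globals can disagree after `set_fdc()` returns. If `FDC(drive)` can only exceed `N_FDC` for a `drive` outside `[0, N_DRIVE)` (the macro is defined outside the hunk) that state is unreachable and only worth a comment; otherwise move the assignment below the check, i.e. after `fdc = new_fdc;` add `if (drive >= 0 && drive < N_DRIVE) current_drive = drive;` and drop it from the first `if`. Declaring `new_fdc` as `unsigned int` also means a negative value in the static `fdc` (declared above the hunk, not visible here) fails the `>= N_FDC` test, which looks intentional and deserves a comment such as `/* unsigned: a negative or stale fdc also fails the range check */`. `set_fdc()` continues past the end of the hunk.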
index e5020b526550d60ec0fe9cee5ba692a60a5a45d5..1bdab01e980fcb808d8569e8f8767dfc72ef6113 100644 (file)
@@ -114,3 +114,7 @@ selinux-ensure-we-cleanup-the-internal-avc-counters-.patch
 enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
 net-sched-matchall-add-missing-validation-of-tca_matchall_flags.patch
 net-sched-flower-add-missing-validation-of-tca_flower_flags.patch
+floppy-check-fdc-index-for-errors-before-assigning-it.patch
+vt-selection-handle-pending-signals-in-paste_selection.patch
+staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
+staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
diff --git a/queue-4.9/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch b/queue-4.9/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
new file mode 100644 (file)
index 0000000..15af45e
--- /dev/null
@@ -0,0 +1,73 @@
+From 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Mon, 27 Jan 2020 15:56:16 -0800
+Subject: staging: android: ashmem: Disallow ashmem memory from being remapped
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream.
+
+When ashmem file is mmapped, the resulting vma->vm_file points to the
+backing shmem file with the generic fops that do not check ashmem
+permissions like fops of ashmem do. If an mremap is done on the ashmem
+region, then the permission checks will be skipped. Fix that by disallowing
+mapping operation on the backing shmem file.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Cc: stable <stable@vger.kernel.org> # 4.4,4.9,4.14,4.18,5.4
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c |   28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -370,8 +370,23 @@ static inline vm_flags_t calc_vm_may_fla
+              _calc_vm_trans(prot, PROT_EXEC,  VM_MAYEXEC);
+ }
++static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma)
++{
++      /* do not allow to mmap ashmem backing shmem file directly */
++      return -EPERM;
++}
++
++static unsigned long
++ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr,
++                              unsigned long len, unsigned long pgoff,
++                              unsigned long flags)
++{
++      return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
++}
++
+ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
+ {
++      static struct file_operations vmfile_fops;
+       struct ashmem_area *asma = file->private_data;
+       int ret = 0;
+@@ -412,6 +427,19 @@ static int ashmem_mmap(struct file *file
+               }
+               vmfile->f_mode |= FMODE_LSEEK;
+               asma->file = vmfile;
++              /*
++               * override mmap operation of the vmfile so that it can't be
++               * remapped which would lead to creation of a new vma with no
++               * asma permission checks. Have to override get_unmapped_area
++               * as well to prevent VM_BUG_ON check for f_ops modification.
++               */
++              if (!vmfile_fops.mmap) {
++                      vmfile_fops = *vmfile->f_op;
++                      vmfile_fops.mmap = ashmem_vmfile_mmap;
++                      vmfile_fops.get_unmapped_area =
++                                      ashmem_vmfile_get_unmapped_area;
++              }
++              vmfile->f_op = &vmfile_fops;
+       }
+       get_file(asma->file);
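Review bot: The lazy one-time initialisation of the static `vmfile_fops` (`if (!vmfile_fops.mmap) { vmfile_fops = *vmfile->f_op; ... }` followed by `vmfile->f_op = &vmfile_fops;`) is a check-then-write on shared state and is only safe if every `ashmem_mmap()` caller is serialised; the `ashmem_mutex` acquisition that would guarantee this would be above the hunk and is not visible here, so the comment should state it, e.g. `/* initialised once under ashmem_mutex; assumes every shmem vmfile shares the same f_op */`. The copy also assumes all files returned by `shmem_file_setup()` carry identical fops, since only the first one is ever copied. Replacing `get_unmapped_area` with a bare `current->mm->get_unmapped_area` discards whatever placement policy shmem's own `get_unmapped_area` provides (if one is set in this tree), so it changes mapping alignment for ashmem regions rather than only avoiding the VM_BUG_ON the comment mentions; a one-line note acknowledging that trade-off would help the next reader. `ashmem_mmap()` continues past the end of the hunk.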
diff --git a/queue-4.9/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch b/queue-4.9/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
new file mode 100644 (file)
index 0000000..4315474
--- /dev/null
@@ -0,0 +1,36 @@
+From 93134df520f23f4e9998c425b8987edca7016817 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 4 Feb 2020 19:34:02 +0000
+Subject: staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 93134df520f23f4e9998c425b8987edca7016817 upstream.
+
+bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
+values add minus operator to always yield positive.
+
+fixes issue where rx sensitivity is always set to maximum because
+the unsigned numbers were always greater then 100.
+
+Fixes: 63b9907f58f1 ("staging: vt6656: mac80211 conversion: create rx function.")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/aceac98c-6e69-3ce1-dfec-2bf27b980221@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/dpc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6656/dpc.c
++++ b/drivers/staging/vt6656/dpc.c
+@@ -140,7 +140,7 @@ int vnt_rx_data(struct vnt_private *priv
+       vnt_rf_rssi_to_dbm(priv, *rssi, &rx_dbm);
+-      priv->bb_pre_ed_rssi = (u8)rx_dbm + 1;
++      priv->bb_pre_ed_rssi = (u8)-rx_dbm + 1;
+       priv->current_rssi = priv->bb_pre_ed_rssi;
+       frame = skb_data + 8;
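Review bot: `(u8)-rx_dbm + 1` still wraps whenever `rx_dbm` is zero or positive, or below -254: the cast to `u8` binds before the `+ 1`, so e.g. `rx_dbm == 5` yields 252 and reproduces exactly the symptom the commit describes (`bb_pre_ed_rssi` read as greater than 100). The commit message asserts `vnt_rf_rssi_to_dbm()` always returns negative values, but nothing in the hunk enforces that, so clamp before converting: `priv->bb_pre_ed_rssi = (u8)(-clamp_t(long, rx_dbm, -254, 0)) + 1;` using the type `rx_dbm` is declared with above the hunk. The enclosing `vnt_rx_data()` starts and ends outside the hunk.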
diff --git a/queue-4.9/vt-selection-handle-pending-signals-in-paste_selection.patch b/queue-4.9/vt-selection-handle-pending-signals-in-paste_selection.patch
new file mode 100644 (file)
index 0000000..7a2ebc4
--- /dev/null
@@ -0,0 +1,72 @@
+From 687bff0cd08f790d540cfb7b2349f0d876cdddec Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 10 Feb 2020 09:11:30 +0100
+Subject: vt: selection, handle pending signals in paste_selection
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 687bff0cd08f790d540cfb7b2349f0d876cdddec upstream.
+
+When pasting a selection to a vt, the task is set as INTERRUPTIBLE while
+waiting for a tty to unthrottle. But signals are not handled at all.
+Normally, this is not a problem as tty_ldisc_receive_buf receives all
+the goods and a user has no reason to interrupt the task.
+
+There are two scenarios where this matters:
+1) when the tty is throttled and a signal is sent to the process, it
+   spins on a CPU until the tty is unthrottled. schedule() does not
+   really echedule, but returns immediately, of course.
+2) when the sel_buffer becomes invalid, KASAN prevents any reads from it
+   and the loop simply does not proceed and spins forever (causing the
+   tty to throttle, but the code never sleeps, the same as above). This
+   sometimes happens as there is a race in the sel_buffer handling code.
+
+So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR
+in case a signal is pending.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/selection.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/selection.c
++++ b/drivers/tty/vt/selection.c
+@@ -26,6 +26,8 @@
+ #include <linux/console.h>
+ #include <linux/tty_flip.h>
++#include <linux/sched/signal.h>
++
+ /* Don't take this from <ctype.h>: 011-015 on the screen aren't spaces */
+ #define isspace(c)    ((c) == ' ')
+@@ -341,6 +343,7 @@ int paste_selection(struct tty_struct *t
+       unsigned int count;
+       struct  tty_ldisc *ld;
+       DECLARE_WAITQUEUE(wait, current);
++      int ret = 0;
+       console_lock();
+       poke_blanked_console();
+@@ -354,6 +357,10 @@ int paste_selection(struct tty_struct *t
+       add_wait_queue(&vc->paste_wait, &wait);
+       while (sel_buffer && sel_buffer_lth > pasted) {
+               set_current_state(TASK_INTERRUPTIBLE);
++              if (signal_pending(current)) {
++                      ret = -EINTR;
++                      break;
++              }
+               if (tty_throttled(tty)) {
+                       schedule();
+                       continue;
+@@ -369,5 +376,5 @@ int paste_selection(struct tty_struct *t
+       tty_buffer_unlock_exclusive(&vc->port);
+       tty_ldisc_deref(ld);
+-      return 0;
++      return ret;
+ }
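Review bot: The new `-EINTR` return should say why it is not `-ERESTARTSYS`: bytes already pushed to the line discipline earlier in the loop cannot be taken back, so transparently restarting the `TIOCL_PASTESEL` ioctl would paste the start of the selection twice; a comment such as `/* -EINTR, not -ERESTARTSYS: a restart would re-paste what was already delivered */` on the `ret = -EINTR;` line captures that. The check is correctly placed after `set_current_state(TASK_INTERRUPTIBLE)`, so a signal arriving between the test and `schedule()` is not lost. The `break` relies on the `remove_wait_queue()`/`TASK_RUNNING` cleanup that sits between the third and fourth nested hunks and is not visible here, so that cleanup must remain unconditional. Callers also cannot distinguish "nothing pasted" from "partially pasted" with this return value, which is worth a sentence in the function's comment.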