--- /dev/null
+From d26c25a9d19b5976b319af528886f89cf455692d Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 27 Sep 2018 16:53:21 +0100
+Subject: arm64: KVM: Tighten guest core register access from userspace
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit d26c25a9d19b5976b319af528886f89cf455692d upstream.
+
+We currently allow userspace to access the core register file
+in about any possible way, including straddling multiple
+registers and doing unaligned accesses.
+
+This is not the expected use of the ABI, and nobody is actually
+using it that way. Let's tighten it by explicitly checking
+the size and alignment for each field of the register file.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface")
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+[maz: rewrote Dave's initial patch to be more easily backported]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+--- a/arch/arm64/kvm/guest.c
++++ b/arch/arm64/kvm/guest.c
+@@ -46,6 +46,45 @@ static u64 core_reg_offset_from_id(u64 i
+ return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE);
+ }
+
++static int validate_core_offset(const struct kvm_one_reg *reg)
++{
++ u64 off = core_reg_offset_from_id(reg->id);
++ int size;
++
++ switch (off) {
++ case KVM_REG_ARM_CORE_REG(regs.regs[0]) ...
++ KVM_REG_ARM_CORE_REG(regs.regs[30]):
++ case KVM_REG_ARM_CORE_REG(regs.sp):
++ case KVM_REG_ARM_CORE_REG(regs.pc):
++ case KVM_REG_ARM_CORE_REG(regs.pstate):
++ case KVM_REG_ARM_CORE_REG(sp_el1):
++ case KVM_REG_ARM_CORE_REG(elr_el1):
++ case KVM_REG_ARM_CORE_REG(spsr[0]) ...
++ KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]):
++ size = sizeof(__u64);
++ break;
++
++ case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ...
++ KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]):
++ size = sizeof(__uint128_t);
++ break;
++
++ case KVM_REG_ARM_CORE_REG(fp_regs.fpsr):
++ case KVM_REG_ARM_CORE_REG(fp_regs.fpcr):
++ size = sizeof(__u32);
++ break;
++
++ default:
++ return -EINVAL;
++ }
++
++ if (KVM_REG_SIZE(reg->id) == size &&
++ IS_ALIGNED(off, size / sizeof(__u32)))
++ return 0;
++
++ return -EINVAL;
++}
++
+ static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
+ {
+ /*
+@@ -65,6 +104,9 @@ static int get_core_reg(struct kvm_vcpu
+ (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
+ return -ENOENT;
+
++ if (validate_core_offset(reg))
++ return -EINVAL;
++
+ if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id)))
+ return -EFAULT;
+
+@@ -87,6 +129,9 @@ static int set_core_reg(struct kvm_vcpu
+ (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
+ return -ENOENT;
+
++ if (validate_core_offset(reg))
++ return -EINVAL;
++
+ if (KVM_REG_SIZE(reg->id) > sizeof(tmp))
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Tue Oct 2 05:04:00 PDT 2018
+From: Bo Chen <chenbo@pdx.edu>
+Date: Mon, 23 Jul 2018 09:01:29 -0700
+Subject: e1000: check on netif_running() before calling e1000_up()
+
+From: Bo Chen <chenbo@pdx.edu>
+
+[ Upstream commit cf1acec008f8d7761aa3fd7c4bca7e17b2d2512d ]
+
+When the device is not up, the call to 'e1000_up()' from the error handling path
+of 'e1000_set_ringparam()' causes a kernel oops with a null-pointer
+dereference. The null-pointer dereference is triggered in function
+'e1000_alloc_rx_buffers()' at line 'buffer_info = &rx_ring->buffer_info[i]'.
+
+This bug was reported by COD, a tool for testing kernel module binaries I am
+building. This bug was also detected by KFI from Dr. Kai Cong.
+
+This patch fixes the bug by checking on 'netif_running()' before calling
+'e1000_up()' in 'e1000_set_ringparam()'.
+
+Signed-off-by: Bo Chen <chenbo@pdx.edu>
+Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -666,7 +666,8 @@ err_setup_rx:
+ err_alloc_rx:
+ kfree(txdr);
+ err_alloc_tx:
+- e1000_up(adapter);
++ if (netif_running(adapter->netdev))
++ e1000_up(adapter);
+ err_setup:
+ clear_bit(__E1000_RESETTING, &adapter->flags);
+ return err;
--- /dev/null
+From foo@baz Tue Oct 2 05:04:00 PDT 2018
+From: Bo Chen <chenbo@pdx.edu>
+Date: Mon, 23 Jul 2018 09:01:30 -0700
+Subject: e1000: ensure to free old tx/rx rings in set_ringparam()
+
+From: Bo Chen <chenbo@pdx.edu>
+
+[ Upstream commit ee400a3f1bfe7004a3e14b81c38ccc5583c26295 ]
+
+In 'e1000_set_ringparam()', the tx_ring and rx_ring are updated with new value
+and the old tx/rx rings are freed only when the device is up. There are resource
+leaks on old tx/rx rings when the device is not up. This bug is reported by COD,
+a tool for testing kernel module binaries I am building.
+
+This patch fixes the bug by always calling 'kfree()' on old tx/rx rings in
+'e1000_set_ringparam()'.
+
+Signed-off-by: Bo Chen <chenbo@pdx.edu>
+Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -646,14 +646,14 @@ static int e1000_set_ringparam(struct ne
+ adapter->tx_ring = tx_old;
+ e1000_free_all_rx_resources(adapter);
+ e1000_free_all_tx_resources(adapter);
+- kfree(tx_old);
+- kfree(rx_old);
+ adapter->rx_ring = rxdr;
+ adapter->tx_ring = txdr;
+ err = e1000_up(adapter);
+ if (err)
+ goto err_setup;
+ }
++ kfree(tx_old);
++ kfree(rx_old);
+
+ clear_bit(__E1000_RESETTING, &adapter->flags);
+ return 0;
--- /dev/null
+From 09999807edd836f8d96ca5a5b8bf007856c5f268 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 14 Jun 2018 12:55:10 -0400
+Subject: ext4: verify the depth of extent tree in ext4_find_extent()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit bc890a60247171294acc0bd67d211fa4b88d40ba upstream.
+
+If there is a corupted file system where the claimed depth of the
+extent tree is -1, this can cause a massive buffer overrun leading to
+sadness.
+
+This addresses CVE-2018-10877.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199417
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[bwh: Backported to 3.16: return -EIO instead of -EFSCORRUPTED]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4_extents.h | 1 +
+ fs/ext4/extents.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/fs/ext4/ext4_extents.h
++++ b/fs/ext4/ext4_extents.h
+@@ -103,6 +103,7 @@ struct ext4_extent_header {
+ };
+
+ #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
++#define EXT4_MAX_EXTENT_DEPTH 5
+
+ #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
+ (sizeof(struct ext4_extent_header) + \
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -870,6 +870,12 @@ ext4_find_extent(struct inode *inode, ex
+
+ eh = ext_inode_hdr(inode);
+ depth = ext_depth(inode);
++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
++ depth);
++ ret = -EIO;
++ goto err;
++ }
+
+ if (path) {
+ ext4_ext_drop_refs(path);
--- /dev/null
+From foo@baz Tue Oct 2 05:04:00 PDT 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 Aug 2018 13:07:47 +0300
+Subject: hwmon: (adt7475) Make adt7475_read_word() return errors
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f196dec6d50abb2e65fb54a0621b2f1b4d922995 ]
+
+The adt7475_read_word() function was meant to return negative error
+codes on failure.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/adt7475.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwmon/adt7475.c
++++ b/drivers/hwmon/adt7475.c
+@@ -274,14 +274,18 @@ static inline u16 volt2reg(int channel,
+ return clamp_val(reg, 0, 1023) & (0xff << 2);
+ }
+
+-static u16 adt7475_read_word(struct i2c_client *client, int reg)
++static int adt7475_read_word(struct i2c_client *client, int reg)
+ {
+- u16 val;
++ int val1, val2;
+
+- val = i2c_smbus_read_byte_data(client, reg);
+- val |= (i2c_smbus_read_byte_data(client, reg + 1) << 8);
++ val1 = i2c_smbus_read_byte_data(client, reg);
++ if (val1 < 0)
++ return val1;
++ val2 = i2c_smbus_read_byte_data(client, reg + 1);
++ if (val2 < 0)
++ return val2;
+
+- return val;
++ return val1 | (val2 << 8);
+ }
+
+ static void adt7475_write_word(struct i2c_client *client, int reg, u16 val)
usb-remove-lpm-management-from-usb_driver_claim_interface.patch
scsi-target-iscsi-use-bin2hex-instead-of-a-re-implementation.patch
staging-android-ion-fix-ion_ioc_-map-share-use-after-free.patch
+arm64-kvm-tighten-guest-core-register-access-from-userspace.patch
+ext4-verify-the-depth-of-extent-tree-in-ext4_find_extent.patch
+thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch
+e1000-check-on-netif_running-before-calling-e1000_up.patch
+e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch
+hwmon-adt7475-make-adt7475_read_word-return-errors.patch
--- /dev/null
+From foo@baz Tue Oct 2 05:04:00 PDT 2018
+From: Anson Huang <Anson.Huang@nxp.com>
+Date: Tue, 31 Jul 2018 00:56:49 +0800
+Subject: thermal: of-thermal: disable passive polling when thermal zone is disabled
+
+From: Anson Huang <Anson.Huang@nxp.com>
+
+[ Upstream commit 152395fd03d4ce1e535a75cdbf58105e50587611 ]
+
+When thermal zone is in passive mode, disabling its mode from
+sysfs is NOT taking effect at all, it is still polling the
+temperature of the disabled thermal zone and handling all thermal
+trips, it makes user confused. The disabling operation should
+disable the thermal zone behavior completely, for both active and
+passive mode, this patch clears the passive_delay when thermal
+zone is disabled and restores it when it is enabled.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/of-thermal.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/of-thermal.c
++++ b/drivers/thermal/of-thermal.c
+@@ -209,10 +209,13 @@ static int of_thermal_set_mode(struct th
+
+ mutex_lock(&tz->lock);
+
+- if (mode == THERMAL_DEVICE_ENABLED)
++ if (mode == THERMAL_DEVICE_ENABLED) {
+ tz->polling_delay = data->polling_delay;
+- else
++ tz->passive_delay = data->passive_delay;
++ } else {
+ tz->polling_delay = 0;
++ tz->passive_delay = 0;
++ }
+
+ mutex_unlock(&tz->lock);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
