4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Aug 2018 05:51:04 +0000 (07:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Aug 2018 05:51:04 +0000 (07:51 +0200)
added patches:
cls_matchall-fix-tcf_unbind_filter-missing.patch
isdn-disable-iiocdbgvar.patch

queue-4.14/cls_matchall-fix-tcf_unbind_filter-missing.patch [new file with mode: 0644]
queue-4.14/isdn-disable-iiocdbgvar.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/cls_matchall-fix-tcf_unbind_filter-missing.patch b/queue-4.14/cls_matchall-fix-tcf_unbind_filter-missing.patch
new file mode 100644 (file)
index 0000000..3beebb0
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Aug 21 07:38:13 CEST 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 14 Aug 2018 17:28:26 +0800
+Subject: cls_matchall: fix tcf_unbind_filter missing
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit a51c76b4dfb30496dc65396a957ef0f06af7fb22 ]
+
+Fix tcf_unbind_filter missing in cls_matchall as this will trigger
+WARN_ON() in cbq_destroy_class().
+
+Fixes: fd62d9f5c575f ("net/sched: matchall: Fix configuration race")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_matchall.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -112,6 +112,8 @@ static void mall_destroy(struct tcf_prot
+       if (!head)
+               return;
++      tcf_unbind_filter(tp, &head->res);
++
+       if (tc_should_offload(dev, head->flags))
+               mall_destroy_hw_filter(tp, head, (unsigned long) head);
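Review bot: The new `tcf_unbind_filter(tp, &head->res);` in mall_destroy() has no comment saying which bind it balances, so the pairing is easy to lose in a later refactor of the destroy path. A one-line comment above the call would record it, for example `/* Release the class binding held in head->res; a leftover binding trips WARN_ON() in cbq_destroy_class(). */`. The bind site is not visible in this hunk, so confirm that every path which binds `head->res` reaches this unbind exactly once. The body of mall_destroy() starts and continues outside the hunk.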
diff --git a/queue-4.14/isdn-disable-iiocdbgvar.patch b/queue-4.14/isdn-disable-iiocdbgvar.patch
new file mode 100644 (file)
index 0000000..efa2225
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:37:56 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/i4l/isdn_common.c |    8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd,
+                       } else
+                               return -EINVAL;
+               case IIOCDBGVAR:
+-                      if (arg) {
+-                              if (copy_to_user(argp, &dev, sizeof(ulong)))
+-                                      return -EFAULT;
+-                              return 0;
+-                      } else
+-                              return -EINVAL;
+-                      break;
++                      return -EINVAL;
+               default:
+                       if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+                               cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
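Review bot: The surviving `case IIOCDBGVAR:` arm now only does `return -EINVAL;` and has no comment explaining why the command is still recognised but refused. The reason lives only in the commit message, so someone tidying the switch later could restore the old handler without knowing it copied `&dev` to user space. I would add `/* Disabled: this used to copy the address of dev to user space, a kernel address leak that defeats KASLR. */` directly above the return. It may also be worth checking the rest of isdn_ioctl() for other `copy_to_user()` calls that hand out kernel pointers, which cannot be judged from here because the function starts and ends outside the hunk.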
index 736d7502618a03c080c8c708a5d0489b24ea7e22..81b6e0f1e9c5214d52d9c8eb45d6aeb9941e83bf 100644 (file)
@@ -25,3 +25,5 @@ serial-8250_dw-always-set-baud-rate-in-dw8250_set_termios.patch
 serial-8250_dw-add-acpi-support-for-uart-on-broadcom-soc.patch
 misc-sram-fix-resource-leaks-in-probe-error-path.patch
 bluetooth-avoid-killing-an-already-killed-socket.patch
+isdn-disable-iiocdbgvar.patch
+cls_matchall-fix-tcf_unbind_filter-missing.patch