--- /dev/null
+From 1d0cffa674cfa7d185a302c8c6850fc50b893bed Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Fri, 20 Apr 2018 12:19:07 -0500
+Subject: cifs: do not allow creating sockets except with SMB1 posix exensions
+
+From: Steve French <smfrench@gmail.com>
+
+commit 1d0cffa674cfa7d185a302c8c6850fc50b893bed upstream.
+
+RHBZ: 1453123
+
+Since at least the 3.10 kernel and likely a lot earlier we have
+not been able to create unix domain sockets in a cifs share
+when mounted using the SFU mount option (except when mounted
+with the cifs unix extensions to Samba e.g.)
+Trying to create a socket, for example using the af_unix command from
+xfstests will cause :
+BUG: unable to handle kernel NULL pointer dereference at 00000000
+00000040
+
+Since no one uses or depends on being able to create unix domains sockets
+on a cifs share the easiest fix to stop this vulnerability is to simply
+not allow creation of any other special files than char or block devices
+when sfu is used.
+
+Added update to Ronnie's patch to handle a tcon link leak, and
+to address a buf leak noticed by Gustavo and Colin.
+
+Acked-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+CC: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reported-by: Eryu Guan <eguan@redhat.com>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -674,6 +674,9 @@ int cifs_mknod(struct inode *inode, stru
+ goto mknod_out;
+ }
+
++ if (!S_ISCHR(mode) && !S_ISBLK(mode))
++ goto mknod_out;
++
+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
+ goto mknod_out;
+
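Review bot: The added `if (!S_ISCHR(mode) && !S_ISBLK(mode)) goto mknod_out;` never assigns `rc`, so the errno a caller sees for a socket or FIFO is whatever `rc` held before this hunk; it is presumably the function's initial error value, but that should be confirmed not to be 0. This guard is also the entire fix for the NULL pointer dereference described in the commit message, and nothing at the site records that. I would add a comment above it, for example `/* SFU emulation only encodes char and block devices; reject sockets and FIFOs here */`. If it matches the function's convention, setting `rc = -EPERM;` before the `goto` would make the result explicit. cifs_mknod begins before and continues past this hunk.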
+@@ -682,10 +685,8 @@ int cifs_mknod(struct inode *inode, stru
+
+ buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+ if (buf == NULL) {
+- kfree(full_path);
+ rc = -ENOMEM;
+- free_xid(xid);
+- return rc;
++ goto mknod_out;
+ }
+
+ if (backup_cred(cifs_sb))
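Review bot: The commit message says a `buf` leak is addressed, but none of the three hunks in this patch adds a `kfree(buf)`; this hunk only reroutes the allocation-failure path to `mknod_out`. Whether `buf` is released on the later exits (a failed open, and the normal return after `d_drop`) depends on code at `mknod_out` that is outside the visible hunks. Please confirm the label does `kfree(buf);`. Please also confirm that `buf` is initialised to NULL at its declaration, because the early `goto mknod_out` jumps in the first hunk reach that label before `kmalloc` has run. The statement opened by `if (backup_cred(cifs_sb))` continues outside the hunk.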
+@@ -732,7 +733,7 @@ int cifs_mknod(struct inode *inode, stru
+ pdev->minor = cpu_to_le64(MINOR(device_number));
+ rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
+ &bytes_written, iov, 1);
+- } /* else if (S_ISFIFO) */
++ }
+ tcon->ses->server->ops->close(xid, tcon, &fid);
+ d_drop(direntry);
+
--- /dev/null
+cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
+x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
--- /dev/null
+From d3878e164dcd3925a237a20e879432400e369172 Mon Sep 17 00:00:00 2001
+From: Xiaoming Gao <gxm.linux.kernel@gmail.com>
+Date: Fri, 13 Apr 2018 17:48:08 +0800
+Subject: x86/tsc: Prevent 32bit truncation in calc_hpet_ref()
+
+From: Xiaoming Gao <gxm.linux.kernel@gmail.com>
+
+commit d3878e164dcd3925a237a20e879432400e369172 upstream.
+
+The TSC calibration code uses HPET as reference. The conversion normalizes
+the delta of two HPET timestamps:
+
+ hpetref = ((tshpet1 - tshpet2) * HPET_PERIOD) / 1e6
+
+and then divides the normalized delta of the corresponding TSC timestamps
+by the result to calulate the TSC frequency.
+
+ tscfreq = ((tstsc1 - tstsc2 ) * 1e6) / hpetref
+
+This uses do_div() which takes an u32 as the divisor, which worked so far
+because the HPET frequency was low enough that 'hpetref' never exceeded
+32bit.
+
+On Skylake machines the HPET frequency increased so 'hpetref' can exceed
+32bit. do_div() truncates the divisor, which causes the calibration to
+fail.
+
+Use div64_u64() to avoid the problem.
+
+[ tglx: Fixes whitespace mangled patch and rewrote changelog ]
+
+Signed-off-by: Xiaoming Gao <newtongao@tencent.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: peterz@infradead.org
+Cc: hpa@zytor.com
+Link: https://lkml.kernel.org/r/38894564-4fc9-b8ec-353f-de702839e44e@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/tsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -399,7 +399,7 @@ static unsigned long calc_hpet_ref(u64 d
+ hpet2 -= hpet1;
+ tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD));
+ do_div(tmp, 1000000);
+- do_div(deltatsc, tmp);
++ deltatsc = div64_u64(deltatsc, tmp);
+
+ return (unsigned long) deltatsc;
+ }
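Review bot: The new `deltatsc = div64_u64(deltatsc, tmp);` has no guard against `tmp == 0`, which is what `do_div(tmp, 1000000)` leaves when the HPET delta times the period is below 1e6, for instance if both HPET reads returned the same value. The old `do_div` had the same exposure, so this is not a regression, but a divide by zero during calibration would be fatal at boot. The callers may already skip such samples; that is not visible from this hunk, and the function's start is outside it too. If they do, a comment above the division such as `/* callers never pass equal HPET samples, so tmp is non-zero */` would record the precondition; otherwise an early return on `!tmp` with the caller's failure value is needed.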
--- /dev/null
+cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
+btrfs-fix-unaligned-access-in-readdir.patch
+x86-acpi-prevent-x2apic-id-0xffffffff-from-being-accounted.patch
+clocksource-imx-tpm-correct-etime-return-condition-check.patch
+x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
+drm-vc4-fix-memory-leak-during-bo-teardown.patch
+drm-i915-gvt-throw-error-on-unhandled-vfio-ioctls.patch
+drm-i915-audio-fix-audio-detection-issue-on-glk.patch
+drm-i915-do-no-use-kfree-to-free-a-kmem_cache_alloc-return-value.patch
+drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
--- /dev/null
+cifs-smbd-check-for-iov-length-on-sending-the-last-iov.patch
+cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
+btrfs-fix-unaligned-access-in-readdir.patch
+btrfs-fix-race-condition-between-delayed-refs-and-blockgroup-removal.patch
+x86-acpi-prevent-x2apic-id-0xffffffff-from-being-accounted.patch
+clocksource-imx-tpm-correct-etime-return-condition-check.patch
+posix-cpu-timers-ensure-set_process_cpu_timer-is-always-evaluated.patch
+x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
+drm-vc4-fix-memory-leak-during-bo-teardown.patch
+drm-i915-gvt-throw-error-on-unhandled-vfio-ioctls.patch
+drm-i915-gvt-add-drm_format_mod-update.patch
+drm-i915-bios-filter-out-invalid-ddc-pins-from-vbt-child-devices.patch
+drm-i915-audio-fix-audio-detection-issue-on-glk.patch
+drm-i915-do-no-use-kfree-to-free-a-kmem_cache_alloc-return-value.patch
+drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
--- /dev/null
+cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
+x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
--- /dev/null
+cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
+x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
+drm-vc4-fix-memory-leak-during-bo-teardown.patch
+drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch