--- /dev/null
+From 760db29bdc97b73ff60b091315ad787b1deb5cf5 Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Thu, 19 Apr 2018 17:59:38 +0100
+Subject: lan78xx: Read MAC address from DT if present
+
+From: Phil Elwell <phil@raspberrypi.org>
+
+commit 760db29bdc97b73ff60b091315ad787b1deb5cf5 upstream.
+
+There is a standard mechanism for locating and using a MAC address from
+the Device Tree. Use this facility in the lan78xx driver to support
+applications without programmed EEPROM or OTP. At the same time,
+regularise the handling of the different address sources.
+
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Tested-by: Paolo Pisati <p.pisati@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/lan78xx.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -31,6 +31,7 @@
+ #include <linux/mdio.h>
+ #include <net/ip6_checksum.h>
+ #include <linux/microchipphy.h>
++#include <linux/of_net.h>
+ #include "lan78xx.h"
+
+ #define DRIVER_AUTHOR "WOOJUNG HUH <woojung.huh@microchip.com>"
+@@ -1644,34 +1645,31 @@ static void lan78xx_init_mac_address(str
+ addr[5] = (addr_hi >> 8) & 0xFF;
+
+ if (!is_valid_ether_addr(addr)) {
+- /* reading mac address from EEPROM or OTP */
+- if ((lan78xx_read_eeprom(dev, EEPROM_MAC_OFFSET, ETH_ALEN,
+- addr) == 0) ||
+- (lan78xx_read_otp(dev, EEPROM_MAC_OFFSET, ETH_ALEN,
+- addr) == 0)) {
+- if (is_valid_ether_addr(addr)) {
+- /* eeprom values are valid so use them */
+- netif_dbg(dev, ifup, dev->net,
+- "MAC address read from EEPROM");
+- } else {
+- /* generate random MAC */
+- random_ether_addr(addr);
+- netif_dbg(dev, ifup, dev->net,
+- "MAC address set to random addr");
+- }
+-
+- addr_lo = addr[0] | (addr[1] << 8) |
+- (addr[2] << 16) | (addr[3] << 24);
+- addr_hi = addr[4] | (addr[5] << 8);
+-
+- ret = lan78xx_write_reg(dev, RX_ADDRL, addr_lo);
+- ret = lan78xx_write_reg(dev, RX_ADDRH, addr_hi);
++ if (!eth_platform_get_mac_address(&dev->udev->dev, addr)) {
++ /* valid address present in Device Tree */
++ netif_dbg(dev, ifup, dev->net,
++ "MAC address read from Device Tree");
++ } else if (((lan78xx_read_eeprom(dev, EEPROM_MAC_OFFSET,
++ ETH_ALEN, addr) == 0) ||
++ (lan78xx_read_otp(dev, EEPROM_MAC_OFFSET,
++ ETH_ALEN, addr) == 0)) &&
++ is_valid_ether_addr(addr)) {
++ /* eeprom values are valid so use them */
++ netif_dbg(dev, ifup, dev->net,
++ "MAC address read from EEPROM");
+ } else {
+ /* generate random MAC */
+ random_ether_addr(addr);
+ netif_dbg(dev, ifup, dev->net,
+ "MAC address set to random addr");
+ }
++
++ addr_lo = addr[0] | (addr[1] << 8) |
++ (addr[2] << 16) | (addr[3] << 24);
++ addr_hi = addr[4] | (addr[5] << 8);
++
++ ret = lan78xx_write_reg(dev, RX_ADDRL, addr_lo);
++ ret = lan78xx_write_reg(dev, RX_ADDRH, addr_hi);
+ }
+
+ ret = lan78xx_write_reg(dev, MAF_LO(0), addr_lo);
--- /dev/null
+From 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 Mon Sep 17 00:00:00 2001
+From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:35 -0700
+Subject: namei: allow restricted O_CREAT of FIFOs and regular files
+
+From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
+
+commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 upstream.
+
+Disallows open of FIFOs or regular files not owned by the user in world
+writable sticky directories, unless the owner is the same as that of the
+directory or the file is opened without the O_CREAT flag. The purpose
+is to make data spoofing attacks harder. This protection can be turned
+on and off separately for FIFOs and regular files via sysctl, just like
+the symlinks/hardlinks protection. This patch is based on Openwall's
+"HARDEN_FIFO" feature by Solar Designer.
+
+This is a brief list of old vulnerabilities that could have been prevented
+by this feature, some of them even allow for privilege escalation:
+
+CVE-2000-1134
+CVE-2007-3852
+CVE-2008-0525
+CVE-2009-0416
+CVE-2011-4834
+CVE-2015-1838
+CVE-2015-7442
+CVE-2016-7489
+
+This list is not meant to be complete. It's difficult to track down all
+vulnerabilities of this kind because they were often reported without any
+mention of this particular attack vector. In fact, before
+hardlinks/symlinks restrictions, fifos/regular files weren't the favorite
+vehicle to exploit them.
+
+[s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter]
+ Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda
+ Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com
+[keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future]
+[keescook@chromium.org: adjust commit subjet]
+Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast
+Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Suggested-by: Solar Designer <solar@openwall.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Loic <hackurx@opensec.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/sysctl/fs.txt | 36 +++++++++++++++++++++++++++++
+ fs/namei.c | 53 +++++++++++++++++++++++++++++++++++++++++---
+ include/linux/fs.h | 2 +
+ kernel/sysctl.c | 18 ++++++++++++++
+ 4 files changed, 106 insertions(+), 3 deletions(-)
+
+--- a/Documentation/sysctl/fs.txt
++++ b/Documentation/sysctl/fs.txt
+@@ -34,7 +34,9 @@ Currently, these files are in /proc/sys/
+ - overflowgid
+ - pipe-user-pages-hard
+ - pipe-user-pages-soft
++- protected_fifos
+ - protected_hardlinks
++- protected_regular
+ - protected_symlinks
+ - suid_dumpable
+ - super-max
+@@ -182,6 +184,24 @@ applied.
+
+ ==============================================================
+
++protected_fifos:
++
++The intent of this protection is to avoid unintentional writes to
++an attacker-controlled FIFO, where a program expected to create a regular
++file.
++
++When set to "0", writing to FIFOs is unrestricted.
++
++When set to "1" don't allow O_CREAT open on FIFOs that we don't own
++in world writable sticky directories, unless they are owned by the
++owner of the directory.
++
++When set to "2" it also applies to group writable sticky directories.
++
++This protection is based on the restrictions in Openwall.
++
++==============================================================
++
+ protected_hardlinks:
+
+ A long-standing class of security issues is the hardlink-based
+@@ -202,6 +222,22 @@ This protection is based on the restrict
+
+ ==============================================================
+
++protected_regular:
++
++This protection is similar to protected_fifos, but it
++avoids writes to an attacker-controlled regular file, where a program
++expected to create one.
++
++When set to "0", writing to regular files is unrestricted.
++
++When set to "1" don't allow O_CREAT open on regular files that we
++don't own in world writable sticky directories, unless they are
++owned by the owner of the directory.
++
++When set to "2" it also applies to group writable sticky directories.
++
++==============================================================
++
+ protected_symlinks:
+
+ A long-standing class of security issues is the symlink-based
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -892,6 +892,8 @@ static inline void put_link(struct namei
+
+ int sysctl_protected_symlinks __read_mostly = 0;
+ int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_fifos __read_mostly;
++int sysctl_protected_regular __read_mostly;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
+@@ -1005,6 +1007,45 @@ static int may_linkat(struct path *link)
+ return -EPERM;
+ }
+
++/**
++ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
++ * should be allowed, or not, on files that already
++ * exist.
++ * @dir: the sticky parent directory
++ * @inode: the inode of the file to open
++ *
++ * Block an O_CREAT open of a FIFO (or a regular file) when:
++ * - sysctl_protected_fifos (or sysctl_protected_regular) is enabled
++ * - the file already exists
++ * - we are in a sticky directory
++ * - we don't own the file
++ * - the owner of the directory doesn't own the file
++ * - the directory is world writable
++ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2
++ * the directory doesn't have to be world writable: being group writable will
++ * be enough.
++ *
++ * Returns 0 if the open is allowed, -ve on error.
++ */
++static int may_create_in_sticky(struct dentry * const dir,
++ struct inode * const inode)
++{
++ if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
++ (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
++ likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
++ uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
++ uid_eq(current_fsuid(), inode->i_uid))
++ return 0;
++
++ if (likely(dir->d_inode->i_mode & 0002) ||
++ (dir->d_inode->i_mode & 0020 &&
++ ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
++ (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
++ return -EACCES;
++ }
++ return 0;
++}
++
+ static __always_inline
+ const char *get_link(struct nameidata *nd)
+ {
+@@ -3356,9 +3397,15 @@ finish_open:
+ if (error)
+ return error;
+ audit_inode(nd->name, nd->path.dentry, 0);
+- error = -EISDIR;
+- if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
+- goto out;
++ if (open_flag & O_CREAT) {
++ error = -EISDIR;
++ if (d_is_dir(nd->path.dentry))
++ goto out;
++ error = may_create_in_sticky(dir,
++ d_backing_inode(nd->path.dentry));
++ if (unlikely(error))
++ goto out;
++ }
+ error = -ENOTDIR;
+ if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
+ goto out;
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -69,6 +69,8 @@ extern struct inodes_stat_t inodes_stat;
+ extern int leases_enable, lease_break_time;
+ extern int sysctl_protected_symlinks;
+ extern int sysctl_protected_hardlinks;
++extern int sysctl_protected_fifos;
++extern int sysctl_protected_regular;
+
+ struct buffer_head;
+ typedef int (get_block_t)(struct inode *inode, sector_t iblock,
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1795,6 +1795,24 @@ static struct ctl_table fs_table[] = {
+ .extra2 = &one,
+ },
+ {
++ .procname = "protected_fifos",
++ .data = &sysctl_protected_fifos,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &zero,
++ .extra2 = &two,
++ },
++ {
++ .procname = "protected_regular",
++ .data = &sysctl_protected_regular,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &zero,
++ .extra2 = &two,
++ },
++ {
+ .procname = "suid_dumpable",
+ .data = &suid_dumpable,
+ .maxlen = sizeof(int),
--- /dev/null
+From 1843abd03250115af6cec0892683e70cf2297c25 Mon Sep 17 00:00:00 2001
+From: Janosch Frank <frankja@linux.ibm.com>
+Date: Thu, 16 Aug 2018 09:02:31 +0100
+Subject: s390/mm: Check for valid vma before zapping in gmap_discard
+
+From: Janosch Frank <frankja@linux.ibm.com>
+
+commit 1843abd03250115af6cec0892683e70cf2297c25 upstream.
+
+Userspace could have munmapped the area before doing unmapping from
+the gmap. This would leave us with a valid vmaddr, but an invalid vma
+from which we would try to zap memory.
+
+Let's check before using the vma.
+
+Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c")
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Message-Id: <20180816082432.78828-1-frankja@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/s390/mm/gmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -686,6 +686,8 @@ void gmap_discard(struct gmap *gmap, uns
+ vmaddr |= gaddr & ~PMD_MASK;
+ /* Find vma in the parent mm */
+ vma = find_vma(gmap->mm, vmaddr);
++ if (!vma)
++ continue;
+ size = min(to - gaddr, PMD_SIZE - (gaddr & ~PMD_MASK));
+ zap_page_range(vma, vmaddr, size, NULL);
+ }
--- /dev/null
+From 896bbb2522587e3b8eb2a0d204d43ccc1042a00d Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 9 Mar 2017 10:18:42 -0500
+Subject: sched/core: Allow __sched_setscheduler() in interrupts when PI is not used
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 896bbb2522587e3b8eb2a0d204d43ccc1042a00d upstream.
+
+When priority inheritance was added back in 2.6.18 to sched_setscheduler(), it
+added a path to taking an rt-mutex wait_lock, which is not IRQ safe. As PI
+is not a common occurrence, lockdep will likely never trigger if
+sched_setscheduler was called from interrupt context. A BUG_ON() was added
+to trigger if __sched_setscheduler() was ever called from interrupt context
+because there was a possibility to take the wait_lock.
+
+Today the wait_lock is irq safe, but the path to taking it in
+sched_setscheduler() is the same as the path to taking it from normal
+context. The wait_lock is taken with raw_spin_lock_irq() and released with
+raw_spin_unlock_irq() which will indiscriminately enable interrupts,
+which would be bad in interrupt context.
+
+The problem is that normalize_rt_tasks, which is called by triggering the
+sysrq nice-all-RT-tasks was changed to call __sched_setscheduler(), and this
+is done from interrupt context!
+
+Now __sched_setscheduler() takes a "pi" parameter that is used to know if
+the priority inheritance should be called or not. As the BUG_ON() only cares
+about calling the PI code, it should only bug if called from interrupt
+context with the "pi" parameter set to true.
+
+Reported-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Tested-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andrew Morton <akpm@osdl.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: dbc7f069b93a ("sched: Use replace normalize_task() with __sched_setscheduler()")
+Link: http://lkml.kernel.org/r/20170308124654.10e598f2@gandalf.local.home
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ kernel/sched/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -4087,8 +4087,8 @@ static int __sched_setscheduler(struct t
+ int queue_flags = DEQUEUE_SAVE | DEQUEUE_MOVE;
+ struct rq *rq;
+
+- /* may grab non-irq protected spin_locks */
+- BUG_ON(in_interrupt());
++ /* The pi code expects interrupts enabled */
++ BUG_ON(pi && in_interrupt());
+ recheck:
+ /* double check policy once rq lock held */
+ if (policy < 0) {
include-linux-pfn_t.h-force-to-be-parsed-as-an-unary-operator.patch
tty-wipe-buffer.patch
tty-wipe-buffer-if-not-echoing-data.patch
+usb-xhci-fix-uninitialized-completion-when-usb3-port-got-wrong-status.patch
+sched-core-allow-__sched_setscheduler-in-interrupts-when-pi-is-not-used.patch
+namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch
+lan78xx-read-mac-address-from-dt-if-present.patch
+s390-mm-check-for-valid-vma-before-zapping-in-gmap_discard.patch
--- /dev/null
+From 958c0bd86075d4ef1c936998deefe1947e539240 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Fri, 9 Nov 2018 17:21:20 +0200
+Subject: usb: xhci: fix uninitialized completion when USB3 port got wrong status
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit 958c0bd86075d4ef1c936998deefe1947e539240 upstream.
+
+Realtek USB3.0 Card Reader [0bda:0328] reports wrong port status on
+Cannon lake PCH USB3.1 xHCI [8086:a36d] after resume from S3,
+after clear port reset it works fine.
+
+Since this device is registered on USB3 roothub at boot,
+when port status reports not superspeed, xhci_get_port_status will call
+an uninitialized completion in bus_state[0].
+Kernel will hang because of NULL pointer.
+
+Restrict the USB2 resume status check in USB2 roothub to fix hang issue.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c | 2 +-
+ drivers/usb/host/xhci-ring.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -768,7 +768,7 @@ static u32 xhci_get_port_status(struct u
+ status |= USB_PORT_STAT_SUSPEND;
+ }
+ if ((raw_port_status & PORT_PLS_MASK) == XDEV_RESUME &&
+- !DEV_SUPERSPEED_ANY(raw_port_status)) {
++ !DEV_SUPERSPEED_ANY(raw_port_status) && hcd->speed < HCD_USB3) {
+ if ((raw_port_status & PORT_RESET) ||
+ !(raw_port_status & PORT_PE))
+ return 0xffffffff;
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1676,7 +1676,7 @@ static void handle_port_status(struct xh
+ * RExit to a disconnect state). If so, let the the driver know it's
+ * out of the RExit state.
+ */
+- if (!DEV_SUPERSPEED_ANY(temp) &&
++ if (!DEV_SUPERSPEED_ANY(portsc) && hcd->speed < HCD_USB3 &&
+ test_and_clear_bit(faked_port_index,
+ &bus_state->rexit_ports)) {
+ complete(&bus_state->rexit_done[faked_port_index]);
projects / thirdparty / kernel / stable-queue.git / commitdiff
