--- /dev/null
+From 800a7340ab7dd667edf95e74d8e4f23a17e87076 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Wed, 3 Oct 2018 11:43:59 -0500
+Subject: dm ioctl: harden copy_params()'s copy_from_user() from malicious users
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+commit 800a7340ab7dd667edf95e74d8e4f23a17e87076 upstream.
+
+In copy_params(), the struct 'dm_ioctl' is first copied from the user
+space buffer 'user' to 'param_kernel' and the field 'data_size' is
+checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload
+up to its 'data' member). If the check fails, an error code EINVAL will be
+returned. Otherwise, param_kernel->data_size is used to do a second copy,
+which copies from the same user-space buffer to 'dmi'. After the second
+copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'.
+Given that the buffer 'user' resides in the user space, a malicious
+user-space process can race to change the content in the buffer between
+the two copies. This way, the attacker can inject inconsistent data
+into 'dmi' (versus previously validated 'param_kernel').
+
+Fix redundant copying of 'minimum_data_size' from user-space buffer by
+using the first copy stored in 'param_kernel'. Also remove the
+'data_size' check after the second copy because it is now unnecessary.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-ioctl.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -1681,8 +1681,7 @@ static void free_params(struct dm_ioctl
+ }
+
+ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
+- int ioctl_flags,
+- struct dm_ioctl **param, int *param_flags)
++ int ioctl_flags, struct dm_ioctl **param, int *param_flags)
+ {
+ struct dm_ioctl *dmi;
+ int secure_data;
+@@ -1730,18 +1729,13 @@ static int copy_params(struct dm_ioctl _
+ return -ENOMEM;
+ }
+
+- if (copy_from_user(dmi, user, param_kernel->data_size))
+- goto bad;
++ /* Copy from param_kernel (which was already copied from user) */
++ memcpy(dmi, param_kernel, minimum_data_size);
+
+-data_copied:
+- /*
+- * Abort if something changed the ioctl data while it was being copied.
+- */
+- if (dmi->data_size != param_kernel->data_size) {
+- DMERR("rejecting ioctl: data size modified while processing parameters");
++ if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
++ param_kernel->data_size - minimum_data_size))
+ goto bad;
+- }
+-
++data_copied:
+ /* Wipe the user buffer so we do not return it to userspace */
+ if (secure_data && clear_user(user, param_kernel->data_size))
+ goto bad;
--- /dev/null
+From 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Fri, 28 Sep 2018 20:41:48 +0300
+Subject: lockd: fix access beyond unterminated strings in prints
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee upstream.
+
+printk format used %*s instead of %.*s, so hostname_len does not limit
+the number of bytes accessed from hostname.
+
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/lockd/host.c
++++ b/fs/lockd/host.c
+@@ -339,7 +339,7 @@ struct nlm_host *nlmsvc_lookup_host(cons
+ };
+ struct lockd_net *ln = net_generic(net, lockd_net_id);
+
+- dprintk("lockd: %s(host='%*s', vers=%u, proto=%s)\n", __func__,
++ dprintk("lockd: %s(host='%.*s', vers=%u, proto=%s)\n", __func__,
+ (int)hostname_len, hostname, rqstp->rq_vers,
+ (rqstp->rq_prot == IPPROTO_UDP ? "udp" : "tcp"));
+
--- /dev/null
+From c0fae7e2452b90c31edd2d25eb3baf0c76b400ca Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sat, 27 Oct 2018 01:46:34 +0300
+Subject: MIPS: OCTEON: fix out of bounds array access on CN68XX
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit c0fae7e2452b90c31edd2d25eb3baf0c76b400ca upstream.
+
+The maximum number of interfaces is returned by
+cvmx_helper_get_number_of_interfaces(), and the value is used to access
+interface_port_count[]. When CN68XX support was added, we forgot
+to increase the array size. Fix that.
+
+Fixes: 2c8c3f0201333 ("MIPS: Octeon: Support additional interfaces on CN68XX")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20949/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+@@ -67,7 +67,7 @@ void (*cvmx_override_pko_queue_priority)
+ void (*cvmx_override_ipd_port_setup) (int ipd_port);
+
+ /* Port count per interface */
+-static int interface_port_count[5];
++static int interface_port_count[9];
+
+ /* Port last configured link info index by IPD/PKO port */
+ static cvmx_helper_link_info_t
--- /dev/null
+From bb6ad5572c0022e17e846b382d7413cdcf8055be Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Tue, 9 Oct 2018 15:54:15 -0400
+Subject: nfsd: Fix an Oops in free_session()
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit bb6ad5572c0022e17e846b382d7413cdcf8055be upstream.
+
+In call_xpt_users(), we delete the entry from the list, but we
+do not reinitialise it. This triggers the list poisoning when
+we later call unregister_xpt_user() in nfsd4_del_conns().
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/svc_xprt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -902,7 +902,7 @@ static void call_xpt_users(struct svc_xp
+ spin_lock(&xprt->xpt_lock);
+ while (!list_empty(&xprt->xpt_users)) {
+ u = list_first_entry(&xprt->xpt_users, struct svc_xpt_user, list);
+- list_del(&u->list);
++ list_del_init(&u->list);
+ u->callback(u);
+ }
+ spin_unlock(&xprt->xpt_lock);
--- /dev/null
+From 943cff67b842839f4f35364ba2db5c2d3f025d94 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 18 Sep 2018 10:07:44 -0400
+Subject: NFSv4.1: Fix the r/wsize checking
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 943cff67b842839f4f35364ba2db5c2d3f025d94 upstream.
+
+The intention of nfs4_session_set_rwsize() was to cap the r/wsize to the
+buffer sizes negotiated by the CREATE_SESSION. The initial code had a
+bug whereby we would not check the values negotiated by nfs_probe_fsinfo()
+(the assumption being that CREATE_SESSION will always negotiate buffer values
+that are sane w.r.t. the server's preferred r/wsizes) but would only check
+values set by the user in the 'mount' command.
+
+The code was changed in 4.11 to _always_ set the r/wsize, meaning that we
+now never use the server preferred r/wsizes. This is the regression that
+this patch fixes.
+Also rename the function to nfs4_session_limit_rwsize() in order to avoid
+future confusion.
+
+Fixes: 033853325fe3 (NFSv4.1 respect server's max size in CREATE_SESSION")
+Cc: stable@vger.kernel.org # v4.11+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -891,10 +891,10 @@ EXPORT_SYMBOL_GPL(nfs4_set_ds_client);
+
+ /*
+ * Session has been established, and the client marked ready.
+- * Set the mount rsize and wsize with negotiated fore channel
+- * attributes which will be bound checked in nfs_server_set_fsinfo.
++ * Limit the mount rsize, wsize and dtsize using negotiated fore
++ * channel attributes.
+ */
+-static void nfs4_session_set_rwsize(struct nfs_server *server)
++static void nfs4_session_limit_rwsize(struct nfs_server *server)
+ {
+ #ifdef CONFIG_NFS_V4_1
+ struct nfs4_session *sess;
+@@ -907,9 +907,11 @@ static void nfs4_session_set_rwsize(stru
+ server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead;
+ server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead;
+
+- if (!server->rsize || server->rsize > server_resp_sz)
++ if (server->dtsize > server_resp_sz)
++ server->dtsize = server_resp_sz;
++ if (server->rsize > server_resp_sz)
+ server->rsize = server_resp_sz;
+- if (!server->wsize || server->wsize > server_rqst_sz)
++ if (server->wsize > server_rqst_sz)
+ server->wsize = server_rqst_sz;
+ #endif /* CONFIG_NFS_V4_1 */
+ }
+@@ -956,12 +958,12 @@ static int nfs4_server_common_setup(stru
+ (unsigned long long) server->fsid.minor);
+ nfs_display_fhandle(mntfh, "Pseudo-fs root FH");
+
+- nfs4_session_set_rwsize(server);
+-
+ error = nfs_probe_fsinfo(server, mntfh, fattr);
+ if (error < 0)
+ goto out;
+
++ nfs4_session_limit_rwsize(server);
++
+ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
+ server->namelen = NFS4_MAXNAMLEN;
+
smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
+nfsv4.1-fix-the-r-wsize-checking.patch
+nfsd-fix-an-oops-in-free_session.patch
+lockd-fix-access-beyond-unterminated-strings-in-prints.patch
+dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch
+mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch
+tc-set-dma-masks-for-devices.patch
--- /dev/null
+From 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Wed, 3 Oct 2018 13:21:07 +0100
+Subject: TC: Set DMA masks for devices
+
+From: Maciej W. Rozycki <macro@linux-mips.org>
+
+commit 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b upstream.
+
+Fix a TURBOchannel support regression with commit 205e1b7f51e4
+("dma-mapping: warn when there is no coherent_dma_mask") that caused
+coherent DMA allocations to produce a warning such as:
+
+defxx: v1.11 2014/07/01 Lawrence V. Stefani and others
+tc1: DEFTA at MMIO addr = 0x1e900000, IRQ = 20, Hardware addr = 08-00-2b-a3-a3-29
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 dfx_dev_register+0x670/0x678
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.0-rc6 #2
+Stack : ffffffff8009ffc0 fffffffffffffec0 0000000000000000 ffffffff80647650
+ 0000000000000000 0000000000000000 ffffffff806f5f80 ffffffffffffffff
+ 0000000000000000 0000000000000000 0000000000000001 ffffffff8065d4e8
+ 98000000031b6300 ffffffff80563478 ffffffff805685b0 ffffffffffffffff
+ 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8
+ 0000000000000000 0000000000000009 ffffffff8053efd0 ffffffff806657d0
+ 0000000000000000 ffffffff803177f8 0000000000000000 ffffffff806d0000
+ 9800000003078000 980000000307b9e0 000000001e900000 ffffffff80067940
+ 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8
+ ffffffff805176c0 ffffffff8004dc78 0000000000000000 ffffffff80067940
+ ...
+Call Trace:
+[<ffffffff8004dc78>] show_stack+0xa0/0x130
+[<ffffffff80067940>] __warn+0x128/0x170
+---[ end trace b1d1e094f67f3bb2 ]---
+
+This is because the TURBOchannel bus driver fails to set the coherent
+DMA mask for devices enumerated.
+
+Set the regular and coherent DMA masks for TURBOchannel devices then,
+observing that the bus protocol supports a 34-bit (16GiB) DMA address
+space, by interpreting the value presented in the address cycle across
+the 32 `ad' lines as a 32-bit word rather than byte address[1]. The
+architectural size of the TURBOchannel DMA address space exceeds the
+maximum amount of RAM any actual TURBOchannel system in existence may
+have, hence both masks are the same.
+
+This removes the warning shown above.
+
+References:
+
+[1] "TURBOchannel Hardware Specification", EK-369AA-OD-007B, Digital
+ Equipment Corporation, January 1993, Section "DMA", pp. 1-15 -- 1-17
+
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20835/
+Fixes: 205e1b7f51e4 ("dma-mapping: warn when there is no coherent_dma_mask")
+Cc: stable@vger.kernel.org # 4.16+
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tc/tc.c | 8 +++++++-
+ include/linux/tc.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/tc/tc.c
++++ b/drivers/tc/tc.c
+@@ -2,7 +2,7 @@
+ * TURBOchannel bus services.
+ *
+ * Copyright (c) Harald Koerfgen, 1998
+- * Copyright (c) 2001, 2003, 2005, 2006 Maciej W. Rozycki
++ * Copyright (c) 2001, 2003, 2005, 2006, 2018 Maciej W. Rozycki
+ * Copyright (c) 2005 James Simmons
+ *
+ * This file is subject to the terms and conditions of the GNU
+@@ -10,6 +10,7 @@
+ * directory of this archive for more details.
+ */
+ #include <linux/compiler.h>
++#include <linux/dma-mapping.h>
+ #include <linux/errno.h>
+ #include <linux/init.h>
+ #include <linux/ioport.h>
+@@ -93,6 +94,11 @@ static void __init tc_bus_add_devices(st
+ tdev->dev.bus = &tc_bus_type;
+ tdev->slot = slot;
+
++ /* TURBOchannel has 34-bit DMA addressing (16GiB space). */
++ tdev->dma_mask = DMA_BIT_MASK(34);
++ tdev->dev.dma_mask = &tdev->dma_mask;
++ tdev->dev.coherent_dma_mask = DMA_BIT_MASK(34);
++
+ for (i = 0; i < 8; i++) {
+ tdev->firmware[i] =
+ readb(module + offset + TC_FIRM_VER + 4 * i);
+--- a/include/linux/tc.h
++++ b/include/linux/tc.h
+@@ -84,6 +84,7 @@ struct tc_dev {
+ device. */
+ struct device dev; /* Generic device interface. */
+ struct resource resource; /* Address space of this device. */
++ u64 dma_mask; /* DMA addressable range. */
+ char vendor[9];
+ char name[9];
+ char firmware[9];
projects / thirdparty / kernel / stable-queue.git / commitdiff
