From: Greg Kroah-Hartman Date: Sun, 2 Aug 2020 06:51:55 +0000 (+0200) Subject: 5.7-stable patches X-Git-Tag: v5.7.13~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0dc28d8ff091fdad60304298e868874c6aef526b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.7-stable patches added patches: libtraceevent-fix-build-with-binutils-2.35.patch rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch --- diff --git a/queue-5.7/libtraceevent-fix-build-with-binutils-2.35.patch b/queue-5.7/libtraceevent-fix-build-with-binutils-2.35.patch new file mode 100644 index 00000000000..45ef6812ecd --- /dev/null +++ b/queue-5.7/libtraceevent-fix-build-with-binutils-2.35.patch @@ -0,0 +1,37 @@ +From 39efdd94e314336f4acbac4c07e0f37bdc3bef71 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sat, 25 Jul 2020 02:06:23 +0100 +Subject: libtraceevent: Fix build with binutils 2.35 + +From: Ben Hutchings + +commit 39efdd94e314336f4acbac4c07e0f37bdc3bef71 upstream. + +In binutils 2.35, 'nm -D' changed to show symbol versions along with +symbol names, with the usual @@ separator. When generating +libtraceevent-dynamic-list we need just the names, so strip off the +version suffix if present. + +Signed-off-by: Ben Hutchings +Tested-by: Salvatore Bonaccorso +Reviewed-by: Steven Rostedt +Cc: linux-trace-devel@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/traceevent/plugins/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/lib/traceevent/plugins/Makefile ++++ b/tools/lib/traceevent/plugins/Makefile +@@ -197,7 +197,7 @@ define do_generate_dynamic_list_file + xargs echo "U w W" | tr 'w ' 'W\n' | sort -u | xargs echo`;\ + if [ "$$symbol_type" = "U W" ];then \ + (echo '{'; \ +- $(NM) -u -D $1 | awk 'NF>1 {print "\t"$$2";"}' | sort -u;\ ++ $(NM) -u -D $1 | awk 'NF>1 {sub("@.*", "", $$2); print "\t"$$2";"}' | sort -u;\ + echo '};'; \ + ) > $2; \ + else \ 
diff --git a/queue-5.7/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch b/queue-5.7/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch new file mode 100644 index 00000000000..85fd470545b --- /dev/null +++ b/queue-5.7/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch @@ -0,0 +1,47 @@ +From bbc8a99e952226c585ac17477a85ef1194501762 Mon Sep 17 00:00:00 2001 +From: Peilin Ye +Date: Thu, 30 Jul 2020 15:20:26 -0400 +Subject: rds: Prevent kernel-infoleak in rds_notify_queue_get() + +From: Peilin Ye + +commit bbc8a99e952226c585ac17477a85ef1194501762 upstream. + +rds_notify_queue_get() is potentially copying uninitialized kernel stack +memory to userspace since the compiler may leave a 4-byte hole at the end +of `cmsg`. + +In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which +unfortunately does not always initialize that 4-byte hole. Fix it by using +memset() instead. + +Cc: stable@vger.kernel.org +Fixes: f037590fff30 ("rds: fix a leak of kernel memory") +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Suggested-by: Dan Carpenter +Signed-off-by: Peilin Ye +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/recv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -450,12 +450,13 @@ static int rds_still_queued(struct rds_s + int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr) + { + struct rds_notifier *notifier; +- struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */ ++ struct rds_rdma_notify cmsg; + unsigned int count = 0, max_messages = ~0U; + unsigned long flags; + LIST_HEAD(copy); + int err = 0; + ++ memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */ + + /* put_cmsg copies to user space and thus may sleep. We can't do this + * with rs_lock held, so first grab as many notifications as we can stuff diff --git a/queue-5.7/series b/queue-5.7/series index 4bbf17068d4..e0005df7ee1 100644 
--- a/queue-5.7/series +++ b/queue-5.7/series @@ -29,3 +29,5 @@ drm-hold-gem-reference-until-object-is-no-longer-accessed.patch drm-of-fix-double-free-bug.patch random-fix-circular-include-dependency-on-arm64-after-addition-of-percpu.h.patch random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch +rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch +libtraceevent-fix-build-with-binutils-2.35.patch
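Review bot: In the tools/lib/traceevent/plugins/Makefile hunk, the `sub("@.*", "", $$2)` added to the awk command is not explained anywhere in the Makefile. The reason for it (binutils 2.35 `nm -D` printing symbol versions after the name) exists only in the commit message. A short comment above `do_generate_dynamic_list_file` saying that version suffixes are stripped from the `nm` output would keep a later cleanup from removing the `sub()` as dead code. As a style point, the pattern could be written as the regex literal `/@.*/` instead of a string.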
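Review bot: In the net/rds/recv.c hunk, the comment on the new `memset(&cmsg, 0, sizeof(cmsg));` line is still `/* fill holes with zero */`, the same wording that sat on the `= { 0 }` initializer being removed. Nothing in the code tells a reader why memset() is needed where the initializer was not enough. Consider expanding the comment to say that `cmsg` is copied to user space through put_cmsg() and that an initializer does not always clear the padding at the end of the struct, so the memset() is not converted back to an initializer in a later cleanup.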