From: Greg Kroah-Hartman Date: Thu, 24 May 2018 08:16:37 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.110~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d35b19f0bce99e15c7838658524d41b63804a6d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: cfg80211-limit-wiphy-names-to-128-bytes.patch hfsplus-stop-workqueue-when-fill_super-failed.patch x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch --- diff --git a/queue-3.18/cfg80211-limit-wiphy-names-to-128-bytes.patch b/queue-3.18/cfg80211-limit-wiphy-names-to-128-bytes.patch new file mode 100644 index 00000000000..be35b3a782b --- /dev/null +++ b/queue-3.18/cfg80211-limit-wiphy-names-to-128-bytes.patch 
@@ -0,0 +1,51 @@ +From a7cfebcb7594a24609268f91299ab85ba064bf82 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 3 Apr 2018 14:33:49 +0200 +Subject: cfg80211: limit wiphy names to 128 bytes + +From: Johannes Berg + +commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. + +There's currently no limit on wiphy names, other than netlink +message size and memory limitations, but that causes issues when, +for example, the wiphy name is used in a uevent, e.g. in rfkill +where we use the same name for the rfkill instance, and then the +buffer there is "only" 2k for the environment variables. + +This was reported by syzkaller, which used a 4k name. + +Limit the name to something reasonable, I randomly picked 128. + +Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/nl80211.h | 2 ++ + net/wireless/core.c | 3 +++ + 2 files changed, 5 insertions(+) + +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2026,6 +2026,8 @@ enum nl80211_attrs { + #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS + #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS + ++#define NL80211_WIPHY_NAME_MAXLEN 128 ++ + #define NL80211_MAX_SUPP_RATES 32 + #define NL80211_MAX_SUPP_HT_RATES 77 + #define NL80211_MAX_SUPP_REG_RULES 32 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -94,6 +94,9 @@ int cfg80211_dev_rename(struct cfg80211_ + + ASSERT_RTNL(); + ++ if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) ++ return -EINVAL; ++ + /* prohibit calling the thing phy%d when %d is not its number */ + sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); + if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) { diff --git a/queue-3.18/hfsplus-stop-workqueue-when-fill_super-failed.patch b/queue-3.18/hfsplus-stop-workqueue-when-fill_super-failed.patch new file mode 100644 index 00000000000..95c6efccff2 --- /dev/null 
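Review bot: The new `NL80211_WIPHY_NAME_MAXLEN` lands in a uapi header with no comment, so nothing tells a reader that it is a byte count excluding the NUL terminator or that `cfg80211_dev_rename()` answers a longer name with -EINVAL; a one-liner above the define would do: `/* Max wiphy name length in bytes, excluding the NUL; cfg80211_dev_rename() rejects longer names with -EINVAL */`. The core.c hunk also evaluates `strlen(newname)` twice in consecutive statements, once in the new guard and once in the existing `taken == strlen(newname)` comparison, so caching it in a local would make the guard read as part of the same validation. Upstream later tightened this limit further (to 64 bytes) because the rfkill uevent buffer mentioned in the changelog could still be overrun; if that follow-up is not already queued for 3.18 it is worth tracking alongside this one. `cfg80211_dev_rename()` begins and ends outside the hunk.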
+++ b/queue-3.18/hfsplus-stop-workqueue-when-fill_super-failed.patch @@ -0,0 +1,45 @@ +From 66072c29328717072fd84aaff3e070e3f008ba77 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 18 May 2018 16:09:16 -0700 +Subject: hfsplus: stop workqueue when fill_super() failed + +From: Tetsuo Handa + +commit 66072c29328717072fd84aaff3e070e3f008ba77 upstream. + +syzbot is reporting ODEBUG messages at hfsplus_fill_super() [1]. This +is because hfsplus_fill_super() forgot to call cancel_delayed_work_sync(). + +As far as I can see, it is hfsplus_mark_mdb_dirty() from +hfsplus_new_inode() in hfsplus_fill_super() that calls +queue_delayed_work(). Therefore, I assume that hfsplus_new_inode() does +not fail if queue_delayed_work() was called, and the out_put_hidden_dir +label is the appropriate location to call cancel_delayed_work_sync(). + +[1] https://syzkaller.appspot.com/bug?id=a66f45e96fdbeb76b796bf46eb25ea878c42a6c9 + +Link: http://lkml.kernel.org/r/964a8b27-cd69-357c-fe78-76b066056201@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Al Viro +Cc: David Howells +Cc: Ernesto A. Fernandez +Cc: Vyacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hfsplus/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -582,6 +582,7 @@ static int hfsplus_fill_super(struct sup + return 0; + + out_put_hidden_dir: ++ cancel_delayed_work_sync(&sbi->sync_work); + iput(sbi->hidden_dir); + out_put_root: + dput(sb->s_root); diff --git a/queue-3.18/series b/queue-3.18/series index 5bc4f90c116..1ea2a04b728 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
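Review bot: The new `cancel_delayed_work_sync(&sbi->sync_work)` at `out_put_hidden_dir` rests on the changelog's stated assumption that `sync_work` can only have been queued via `hfsplus_new_inode()`, so failures that jump to the later labels (`out_put_root` onward) never cancel it; that reasoning deserves to be pinned in the code, e.g. `/* sync_work may have been queued by hfsplus_mark_mdb_dirty() via hfsplus_new_inode(); stop it before sbi is torn down */`. If any earlier step of `hfsplus_fill_super()` can also mark the MDB dirty, the cancel belongs at the common tail of the unwind rather than at this single label, which I cannot confirm from the hunk alone. `hfsplus_fill_super()` begins and ends outside the hunk.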
@@ -40,3 +40,6 @@ tcp-purge-write-queue-in-tcp_connect_init.patch ext2-fix-a-block-leak.patch scsi-libsas-defer-ata-device-eh-commands-to-libata.patch scsi-sg-allocate-with-__gfp_zero-in-sg_build_indirect.patch +cfg80211-limit-wiphy-names-to-128-bytes.patch +hfsplus-stop-workqueue-when-fill_super-failed.patch +x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch diff --git a/queue-3.18/x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch b/queue-3.18/x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch new file mode 100644 index 00000000000..10d83cd739b --- /dev/null +++ b/queue-3.18/x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch 
@@ -0,0 +1,101 @@ +From a466ef76b815b86748d9870ef2a430af7b39c710 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 9 May 2018 19:42:20 +0900 +Subject: x86/kexec: Avoid double free_page() upon do_kexec_load() failure + +From: Tetsuo Handa + +commit a466ef76b815b86748d9870ef2a430af7b39c710 upstream. + +>From ff82bedd3e12f0d3353282054ae48c3bd8c72012 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 9 May 2018 12:12:39 +0900 +Subject: x86/kexec: Avoid double free_page() upon do_kexec_load() failure + +syzbot is reporting crashes after memory allocation failure inside +do_kexec_load() [1]. This is because free_transition_pgtable() is called +by both init_transition_pgtable() and machine_kexec_cleanup() when memory +allocation failed inside init_transition_pgtable(). + +Regarding 32bit code, machine_kexec_free_page_tables() is called by both +machine_kexec_alloc_page_tables() and machine_kexec_cleanup() when memory +allocation failed inside machine_kexec_alloc_page_tables(). + +Fix this by leaving the error handling to machine_kexec_cleanup() +(and optionally setting NULL after free_page()). + +[1] https://syzkaller.appspot.com/bug?id=91e52396168cf2bdd572fe1e1bc0bc645c1c6b40 + +Fixes: f5deb79679af6eb4 ("x86: kexec: Use one page table in x86_64 machine_kexec") +Fixes: 92be3d6bdf2cb349 ("kexec/i386: allocate page table pages dynamically") +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Thomas Gleixner +Acked-by: Baoquan He +Cc: thomas.lendacky@amd.com +Cc: prudo@linux.vnet.ibm.com +Cc: Huang Ying +Cc: syzkaller-bugs@googlegroups.com +Cc: takahiro.akashi@linaro.org +Cc: H. 
Peter Anvin +Cc: akpm@linux-foundation.org +Cc: dyoung@redhat.com +Cc: kirill.shutemov@linux.intel.com +Link: https://lkml.kernel.org/r/201805091942.DGG12448.tMFVFSJFQOOLHO@I-love.SAKURA.ne.jp +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/machine_kexec_32.c | 6 +++++- + arch/x86/kernel/machine_kexec_64.c | 4 +++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/machine_kexec_32.c ++++ b/arch/x86/kernel/machine_kexec_32.c +@@ -70,12 +70,17 @@ static void load_segments(void) + static void machine_kexec_free_page_tables(struct kimage *image) + { + free_page((unsigned long)image->arch.pgd); ++ image->arch.pgd = NULL; + #ifdef CONFIG_X86_PAE + free_page((unsigned long)image->arch.pmd0); ++ image->arch.pmd0 = NULL; + free_page((unsigned long)image->arch.pmd1); ++ image->arch.pmd1 = NULL; + #endif + free_page((unsigned long)image->arch.pte0); ++ image->arch.pte0 = NULL; + free_page((unsigned long)image->arch.pte1); ++ image->arch.pte1 = NULL; + } + + static int machine_kexec_alloc_page_tables(struct kimage *image) +@@ -92,7 +97,6 @@ static int machine_kexec_alloc_page_tabl + !image->arch.pmd0 || !image->arch.pmd1 || + #endif + !image->arch.pte0 || !image->arch.pte1) { +- machine_kexec_free_page_tables(image); + return -ENOMEM; + } + return 0; +--- a/arch/x86/kernel/machine_kexec_64.c ++++ b/arch/x86/kernel/machine_kexec_64.c +@@ -34,8 +34,11 @@ static struct kexec_file_ops *kexec_file + static void free_transition_pgtable(struct kimage *image) + { + free_page((unsigned long)image->arch.pud); ++ image->arch.pud = NULL; + free_page((unsigned long)image->arch.pmd); ++ image->arch.pmd = NULL; + free_page((unsigned long)image->arch.pte); ++ image->arch.pte = NULL; + } + + static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) +@@ -76,7 +79,6 @@ static int init_transition_pgtable(struc + set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC)); + return 0; + err: +- free_transition_pgtable(image); + return result; + } +
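Review bot: After dropping the `machine_kexec_free_page_tables(image)` and `free_transition_pgtable(image)` calls from the error paths, `machine_kexec_alloc_page_tables()` and `init_transition_pgtable()` now return with partially allocated tables still referenced from `image->arch`, and nothing at either return site says who releases them; a comment at each would stop the next maintainer from reinstating the double free, e.g. `/* Partially allocated tables stay in image->arch; machine_kexec_cleanup() frees them. */`. The added `= NULL` assignments in the two free helpers are what make a second pass harmless, since `free_page(0)` is a no-op, so the helpers should state that they are idempotent and may run on a half-initialised image. Both error-path functions start outside the hunk, and whether `result` already holds -ENOMEM at `err:` in the 64-bit version is not visible here. The same remark applies to the 32-bit and 64-bit files in this hunk.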