From: Greg Kroah-Hartman Date: Mon, 21 Jan 2019 12:00:11 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.20.4~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2fbdc8fa9c0312aaee20f73bf1447b31737eceba;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: block-loop-use-global-lock-for-ioctl-operation.patch disable-msi-also-when-pcie-octeon.pcie_disable-on.patch media-vb2-vb2_mmap-move-lock-up.patch media-vivid-fix-error-handling-of-kthread_run.patch media-vivid-set-min-width-height-to-a-value-0.patch mfd-tps6586x-handle-interrupts-on-suspend.patch omap2fb-fix-stack-memory-disclosure.patch sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch selinux-fix-gpf-on-invalid-policy.patch sunrpc-handle-enomem-in-rpcb_getport_async.patch --- diff --git a/queue-3.18/block-loop-use-global-lock-for-ioctl-operation.patch b/queue-3.18/block-loop-use-global-lock-for-ioctl-operation.patch new file mode 100644 index 00000000000..521e1d274d4 --- /dev/null +++ b/queue-3.18/block-loop-use-global-lock-for-ioctl-operation.patch @@ -0,0 +1,208 @@ +From 310ca162d779efee8a2dc3731439680f3e9c1e86 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Thu, 8 Nov 2018 14:01:02 +0100 +Subject: block/loop: Use global lock for ioctl() operation. + +From: Tetsuo Handa + +commit 310ca162d779efee8a2dc3731439680f3e9c1e86 upstream. + +syzbot is reporting NULL pointer dereference [1] which is caused by +race condition between ioctl(loop_fd, LOOP_CLR_FD, 0) versus +ioctl(other_loop_fd, LOOP_SET_FD, loop_fd) due to traversing other +loop devices at loop_validate_file() without holding corresponding +lo->lo_ctl_mutex locks. + +Since ioctl() request on loop devices is not frequent operation, we don't +need fine grained locking. Let's use global lock in order to allow safe +traversal at loop_validate_file(). + +Note that syzbot is also reporting circular locking dependency between +bdev->bd_mutex and lo->lo_ctl_mutex [2] which is caused by calling +blkdev_reread_part() with lock held. This patch does not address it. + +[1] https://syzkaller.appspot.com/bug?id=f3cfe26e785d85f9ee259f385515291d21bd80a3 +[2] https://syzkaller.appspot.com/bug?id=bf154052f0eea4bc7712499e4569505907d15889 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Jan Kara +Signed-off-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 47 ++++++++++++++++++++++++----------------------- + drivers/block/loop.h | 1 - + 2 files changed, 24 insertions(+), 24 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -81,6 +81,7 @@ + + static DEFINE_IDR(loop_index_idr); + static DEFINE_MUTEX(loop_index_mutex); ++static DEFINE_MUTEX(loop_ctl_mutex); + + static int max_part; + static int part_shift; +@@ -1012,7 +1013,7 @@ static int loop_clr_fd(struct loop_devic + */ + if (lo->lo_refcnt > 1) { + lo->lo_flags |= LO_FLAGS_AUTOCLEAR; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return 0; + } + +@@ -1061,12 +1062,12 @@ static int loop_clr_fd(struct loop_devic + lo->lo_flags = 0; + if (!part_shift) + lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + /* +- * Need not hold lo_ctl_mutex to fput backing file. +- * Calling fput holding lo_ctl_mutex triggers a circular ++ * Need not hold loop_ctl_mutex to fput backing file. ++ * Calling fput holding loop_ctl_mutex triggers a circular + * lock dependency possibility warning as fput can take +- * bd_mutex which is usually taken before lo_ctl_mutex. ++ * bd_mutex which is usually taken before loop_ctl_mutex. + */ + fput(filp); + return 0; +@@ -1300,7 +1301,7 @@ static int lo_ioctl(struct block_device + struct loop_device *lo = bdev->bd_disk->private_data; + int err; + +- mutex_lock_nested(&lo->lo_ctl_mutex, 1); ++ mutex_lock_nested(&loop_ctl_mutex, 1); + switch (cmd) { + case LOOP_SET_FD: + err = loop_set_fd(lo, mode, bdev, arg); +@@ -1309,7 +1310,7 @@ static int lo_ioctl(struct block_device + err = loop_change_fd(lo, bdev, arg); + break; + case LOOP_CLR_FD: +- /* loop_clr_fd would have unlocked lo_ctl_mutex on success */ ++ /* loop_clr_fd would have unlocked loop_ctl_mutex on success */ + err = loop_clr_fd(lo); + if (!err) + goto out_unlocked; +@@ -1340,7 +1341,7 @@ static int lo_ioctl(struct block_device + default: + err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL; + } +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + + out_unlocked: + return err; +@@ -1473,16 +1474,16 @@ static int lo_compat_ioctl(struct block_ + + switch(cmd) { + case LOOP_SET_STATUS: +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_set_status_compat( + lo, (const struct compat_loop_info __user *) arg); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + case LOOP_GET_STATUS: +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + err = loop_get_status_compat( + lo, (struct compat_loop_info __user *) arg); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + case LOOP_SET_CAPACITY: + case LOOP_CLR_FD: +@@ -1513,9 +1514,9 @@ static int lo_open(struct block_device * + goto out; + } + +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + lo->lo_refcnt++; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + out: + mutex_unlock(&loop_index_mutex); + return err; +@@ -1525,7 +1526,7 @@ static void __lo_release(struct loop_dev + { + int err; + +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + + if (--lo->lo_refcnt) + goto out; +@@ -1547,7 +1548,7 @@ static void __lo_release(struct loop_dev + } + + out: +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + } + + static void lo_release(struct gendisk *disk, fmode_t mode) +@@ -1593,10 +1594,10 @@ static int unregister_transfer_cb(int id + struct loop_device *lo = ptr; + struct loop_func_table *xfer = data; + +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + if (lo->lo_encryption == xfer) + loop_release_xfer(lo); +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + return 0; + } + +@@ -1677,7 +1678,7 @@ static int loop_add(struct loop_device * + if (!part_shift) + disk->flags |= GENHD_FL_NO_PART_SCAN; + disk->flags |= GENHD_FL_EXT_DEVT; +- mutex_init(&lo->lo_ctl_mutex); ++ mutex_init(&loop_ctl_mutex); + lo->lo_number = i; + lo->lo_thread = NULL; + init_waitqueue_head(&lo->lo_event); +@@ -1789,19 +1790,19 @@ static long loop_control_ioctl(struct fi + ret = loop_lookup(&lo, parm); + if (ret < 0) + break; +- mutex_lock(&lo->lo_ctl_mutex); ++ mutex_lock(&loop_ctl_mutex); + if (lo->lo_state != Lo_unbound) { + ret = -EBUSY; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + } + if (lo->lo_refcnt > 0) { + ret = -EBUSY; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + break; + } + lo->lo_disk->private_data = NULL; +- mutex_unlock(&lo->lo_ctl_mutex); ++ mutex_unlock(&loop_ctl_mutex); + idr_remove(&loop_index_idr, lo->lo_number); + loop_remove(lo); + break; +--- a/drivers/block/loop.h ++++ b/drivers/block/loop.h +@@ -55,7 +55,6 @@ struct loop_device { + struct bio_list lo_bio_list; + unsigned int lo_bio_count; + int lo_state; +- struct mutex lo_ctl_mutex; + struct task_struct *lo_thread; + wait_queue_head_t lo_event; + /* wait queue for incoming requests */ diff --git a/queue-3.18/disable-msi-also-when-pcie-octeon.pcie_disable-on.patch b/queue-3.18/disable-msi-also-when-pcie-octeon.pcie_disable-on.patch new file mode 100644 index 00000000000..195aaafdf83 --- /dev/null +++ b/queue-3.18/disable-msi-also-when-pcie-octeon.pcie_disable-on.patch @@ -0,0 +1,40 @@ +From a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 Mon Sep 17 00:00:00 2001 +From: YunQiang Su +Date: Tue, 8 Jan 2019 13:45:10 +0800 +Subject: Disable MSI also when pcie-octeon.pcie_disable on + +From: YunQiang Su + +commit a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 upstream. + +Octeon has an boot-time option to disable pcie. + +Since MSI depends on PCI-E, we should also disable MSI also with +this option is on in order to avoid inadvertently accessing PCIe +registers. + +Signed-off-by: YunQiang Su +Signed-off-by: Paul Burton +Cc: pburton@wavecomp.com +Cc: linux-mips@vger.kernel.org +Cc: aaro.koskinen@iki.fi +Cc: stable@vger.kernel.org # v3.3+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/pci/msi-octeon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/mips/pci/msi-octeon.c ++++ b/arch/mips/pci/msi-octeon.c +@@ -369,7 +369,9 @@ int __init octeon_msi_initialize(void) + int irq; + struct irq_chip *msi; + +- if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) { ++ if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) { ++ return 0; ++ } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) { + msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0; + msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1; + msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2; diff --git a/queue-3.18/media-vb2-vb2_mmap-move-lock-up.patch b/queue-3.18/media-vb2-vb2_mmap-move-lock-up.patch new file mode 100644 index 00000000000..b3dd9431d6d --- /dev/null +++ b/queue-3.18/media-vb2-vb2_mmap-move-lock-up.patch @@ -0,0 +1,65 @@ +From cd26d1c4d1bc947b56ae404998ae2276df7b39b7 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 13 Nov 2018 09:06:46 -0500 +Subject: media: vb2: vb2_mmap: move lock up + +From: Hans Verkuil + +commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 upstream. + +If a filehandle is dup()ped, then it is possible to close it from one fd +and call mmap from the other. This creates a race condition in vb2_mmap +where it is using queue data that __vb2_queue_free (called from close()) +is in the process of releasing. + +By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided +since __vb2_queue_free is called with the same mutex locked. So vb2_mmap +now reads consistent buffer data. + +Signed-off-by: Hans Verkuil +Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf2-core.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -2474,9 +2474,13 @@ int vb2_mmap(struct vb2_queue *q, struct + return -EINVAL; + } + } ++ ++ mutex_lock(&q->mmap_lock); ++ + if (vb2_fileio_is_active(q)) { + dprintk(1, "mmap: file io in progress\n"); +- return -EBUSY; ++ ret = -EBUSY; ++ goto unlock; + } + + /* +@@ -2484,7 +2488,7 @@ int vb2_mmap(struct vb2_queue *q, struct + */ + ret = __find_plane_by_offset(q, off, &buffer, &plane); + if (ret) +- return ret; ++ goto unlock; + + vb = q->bufs[buffer]; + +@@ -2500,8 +2504,9 @@ int vb2_mmap(struct vb2_queue *q, struct + return -EINVAL; + } + +- mutex_lock(&q->mmap_lock); + ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma); ++ ++unlock: + mutex_unlock(&q->mmap_lock); + if (ret) + return ret; diff --git a/queue-3.18/media-vivid-fix-error-handling-of-kthread_run.patch b/queue-3.18/media-vivid-fix-error-handling-of-kthread_run.patch new file mode 100644 index 00000000000..a8d6cceea6f --- /dev/null +++ b/queue-3.18/media-vivid-fix-error-handling-of-kthread_run.patch @@ -0,0 +1,57 @@ +From 701f49bc028edb19ffccd101997dd84f0d71e279 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 29 Oct 2018 06:15:31 -0400 +Subject: media: vivid: fix error handling of kthread_run + +From: Hans Verkuil + +commit 701f49bc028edb19ffccd101997dd84f0d71e279 upstream. + +kthread_run returns an error pointer, but elsewhere in the code +dev->kthread_vid_cap/out is checked against NULL. + +If kthread_run returns an error, then set the pointer to NULL. + +I chose this method over changing all kthread_vid_cap/out tests +elsewhere since this is more robust. + +Signed-off-by: Hans Verkuil +Reported-by: syzbot+53d5b2df0d9744411e2e@syzkaller.appspotmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vivid/vivid-kthread-cap.c | 5 ++++- + drivers/media/platform/vivid/vivid-kthread-out.c | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/vivid/vivid-kthread-cap.c ++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c +@@ -829,8 +829,11 @@ int vivid_start_generating_vid_cap(struc + "%s-vid-cap", dev->v4l2_dev.name); + + if (IS_ERR(dev->kthread_vid_cap)) { ++ int err = PTR_ERR(dev->kthread_vid_cap); ++ ++ dev->kthread_vid_cap = NULL; + v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n"); +- return PTR_ERR(dev->kthread_vid_cap); ++ return err; + } + *pstreaming = true; + vivid_grab_controls(dev, true); +--- a/drivers/media/platform/vivid/vivid-kthread-out.c ++++ b/drivers/media/platform/vivid/vivid-kthread-out.c +@@ -248,8 +248,11 @@ int vivid_start_generating_vid_out(struc + "%s-vid-out", dev->v4l2_dev.name); + + if (IS_ERR(dev->kthread_vid_out)) { ++ int err = PTR_ERR(dev->kthread_vid_out); ++ ++ dev->kthread_vid_out = NULL; + v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n"); +- return PTR_ERR(dev->kthread_vid_out); ++ return err; + } + *pstreaming = true; + vivid_grab_controls(dev, true); diff --git a/queue-3.18/media-vivid-set-min-width-height-to-a-value-0.patch b/queue-3.18/media-vivid-set-min-width-height-to-a-value-0.patch new file mode 100644 index 00000000000..497338542a3 --- /dev/null +++ b/queue-3.18/media-vivid-set-min-width-height-to-a-value-0.patch @@ -0,0 +1,35 @@ +From 9729d6d282a6d7ce88e64c9119cecdf79edf4e88 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 29 Oct 2018 13:32:38 -0400 +Subject: media: vivid: set min width/height to a value > 0 + +From: Hans Verkuil + +commit 9729d6d282a6d7ce88e64c9119cecdf79edf4e88 upstream. + +The capture DV timings capabilities allowed for a minimum width and +height of 0. So passing a timings struct with 0 values is allowed +and will later cause a division by zero. + +Ensure that the width and height must be >= 16 to avoid this. + +Signed-off-by: Hans Verkuil +Reported-by: syzbot+57c3d83d71187054d56f@syzkaller.appspotmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/vivid/vivid-vid-common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/vivid/vivid-vid-common.c ++++ b/drivers/media/platform/vivid/vivid-vid-common.c +@@ -33,7 +33,7 @@ const struct v4l2_dv_timings_cap vivid_d + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, MAX_WIDTH, 0, MAX_HEIGHT, 25000000, 600000000, ++ V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, 25000000, 600000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT, + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_INTERLACED) + }; diff --git a/queue-3.18/mfd-tps6586x-handle-interrupts-on-suspend.patch b/queue-3.18/mfd-tps6586x-handle-interrupts-on-suspend.patch new file mode 100644 index 00000000000..1d13bf42f47 --- /dev/null +++ b/queue-3.18/mfd-tps6586x-handle-interrupts-on-suspend.patch @@ -0,0 +1,94 @@ +From ac4ca4b9f4623ba5e1ea7a582f286567c611e027 Mon Sep 17 00:00:00 2001 +From: Jonathan Hunter +Date: Tue, 13 Nov 2018 08:56:31 +0000 +Subject: mfd: tps6586x: Handle interrupts on suspend + +From: Jonathan Hunter + +commit ac4ca4b9f4623ba5e1ea7a582f286567c611e027 upstream. + +The tps6586x driver creates an irqchip that is used by its various child +devices for managing interrupts. The tps6586x-rtc device is one of its +children that uses the tps6586x irqchip. When using the tps6586x-rtc as +a wake-up device from suspend, the following is seen: + + PM: Syncing filesystems ... done. + Freezing user space processes ... (elapsed 0.001 seconds) done. + OOM killer disabled. + Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done. + Disabling non-boot CPUs ... + Entering suspend state LP1 + Enabling non-boot CPUs ... + CPU1 is up + tps6586x 3-0034: failed to read interrupt status + tps6586x 3-0034: failed to read interrupt status + +The reason why the tps6586x interrupt status cannot be read is because +the tps6586x interrupt is not masked during suspend and when the +tps6586x-rtc interrupt occurs, to wake-up the device, the interrupt is +seen before the i2c controller has been resumed in order to read the +tps6586x interrupt status. + +The tps6586x-rtc driver sets it's interrupt as a wake-up source during +suspend, which gets propagated to the parent tps6586x interrupt. +However, the tps6586x-rtc driver cannot disable it's interrupt during +suspend otherwise we would never be woken up and so the tps6586x must +disable it's interrupt instead. + +Prevent the tps6586x interrupt handler from executing on exiting suspend +before the i2c controller has been resumed by disabling the tps6586x +interrupt on entering suspend and re-enabling it on resuming from +suspend. + +Cc: stable@vger.kernel.org +Signed-off-by: Jon Hunter +Reviewed-by: Dmitry Osipenko +Tested-by: Dmitry Osipenko +Acked-by: Thierry Reding +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/tps6586x.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/mfd/tps6586x.c ++++ b/drivers/mfd/tps6586x.c +@@ -601,6 +601,29 @@ static int tps6586x_i2c_remove(struct i2 + return 0; + } + ++static int __maybe_unused tps6586x_i2c_suspend(struct device *dev) ++{ ++ struct tps6586x *tps6586x = dev_get_drvdata(dev); ++ ++ if (tps6586x->client->irq) ++ disable_irq(tps6586x->client->irq); ++ ++ return 0; ++} ++ ++static int __maybe_unused tps6586x_i2c_resume(struct device *dev) ++{ ++ struct tps6586x *tps6586x = dev_get_drvdata(dev); ++ ++ if (tps6586x->client->irq) ++ enable_irq(tps6586x->client->irq); ++ ++ return 0; ++} ++ ++static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend, ++ tps6586x_i2c_resume); ++ + static const struct i2c_device_id tps6586x_id_table[] = { + { "tps6586x", 0 }, + { }, +@@ -612,6 +635,7 @@ static struct i2c_driver tps6586x_driver + .name = "tps6586x", + .owner = THIS_MODULE, + .of_match_table = of_match_ptr(tps6586x_of_match), ++ .pm = &tps6586x_pm_ops, + }, + .probe = tps6586x_i2c_probe, + .remove = tps6586x_i2c_remove, diff --git a/queue-3.18/omap2fb-fix-stack-memory-disclosure.patch b/queue-3.18/omap2fb-fix-stack-memory-disclosure.patch new file mode 100644 index 00000000000..4cfe9a4fdeb --- /dev/null +++ b/queue-3.18/omap2fb-fix-stack-memory-disclosure.patch @@ -0,0 +1,41 @@ +From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001 +From: Vlad Tsyrklevich +Date: Fri, 11 Jan 2019 14:34:38 +0100 +Subject: omap2fb: Fix stack memory disclosure + +From: Vlad Tsyrklevich + +commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream. + +Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE, +OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO +cases could all leak uninitialized stack memory--either due to +uninitialized padding or 'reserved' fields. + +Fix them by clearing the shared union used to store copied out data. + +[1] https://github.com/vlad902/kernel-uninitialized-memory-checker + +Signed-off-by: Vlad Tsyrklevich +Reviewed-by: Kees Cook +Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver") +Cc: security@kernel.org +[b.zolnierkie: prefix patch subject with "omap2fb: "] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c ++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +@@ -606,6 +606,8 @@ int omapfb_ioctl(struct fb_info *fbi, un + + int r = 0; + ++ memset(&p, 0, sizeof(p)); ++ + switch (cmd) { + case OMAPFB_SYNC_GFX: + DBG("ioctl SYNC_GFX\n"); diff --git a/queue-3.18/sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch b/queue-3.18/sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch new file mode 100644 index 00000000000..49c9835a1b6 --- /dev/null +++ b/queue-3.18/sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch @@ -0,0 +1,74 @@ +From 400b8b9a2a17918f8ce00786f596f530e7f30d50 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Mon, 14 Jan 2019 18:34:02 +0800 +Subject: sctp: allocate sctp_sockaddr_entry with kzalloc + +From: Xin Long + +commit 400b8b9a2a17918f8ce00786f596f530e7f30d50 upstream. + +The similar issue as fixed in Commit 4a2eb0c37b47 ("sctp: initialize +sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists +in sctp_inetaddr_event, as Alexander noticed. + +To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp +ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist(). + +Reported-by: Alexander Potapenko +Signed-off-by: Xin Long +Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com +Acked-by: Marcelo Ricardo Leitner +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/ipv6.c | 5 +---- + net/sctp/protocol.c | 4 +--- + 2 files changed, 2 insertions(+), 7 deletions(-) + +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct n + + switch (ev) { + case NETDEV_UP: +- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC); ++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v6.sin6_family = AF_INET6; +- addr->a.v6.sin6_port = 0; +- addr->a.v6.sin6_flowinfo = 0; + addr->a.v6.sin6_addr = ifa->addr; + addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; + addr->valid = 1; +@@ -411,7 +409,6 @@ static void sctp_v6_copy_addrlist(struct + addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v6.sin6_family = AF_INET6; +- addr->a.v6.sin6_port = 0; + addr->a.v6.sin6_addr = ifp->addr; + addr->a.v6.sin6_scope_id = dev->ifindex; + addr->valid = 1; +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -149,7 +149,6 @@ static void sctp_v4_copy_addrlist(struct + addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v4.sin_family = AF_INET; +- addr->a.v4.sin_port = 0; + addr->a.v4.sin_addr.s_addr = ifa->ifa_local; + addr->valid = 1; + INIT_LIST_HEAD(&addr->list); +@@ -755,10 +754,9 @@ static int sctp_inetaddr_event(struct no + + switch (ev) { + case NETDEV_UP: +- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC); ++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC); + if (addr) { + addr->a.v4.sin_family = AF_INET; +- addr->a.v4.sin_port = 0; + addr->a.v4.sin_addr.s_addr = ifa->ifa_local; + addr->valid = 1; + spin_lock_bh(&net->sctp.local_addr_lock); diff --git a/queue-3.18/selinux-fix-gpf-on-invalid-policy.patch b/queue-3.18/selinux-fix-gpf-on-invalid-policy.patch new file mode 100644 index 00000000000..b5aee60ee3e --- /dev/null +++ b/queue-3.18/selinux-fix-gpf-on-invalid-policy.patch @@ -0,0 +1,34 @@ +From 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Wed, 9 Jan 2019 10:55:10 -0500 +Subject: selinux: fix GPF on invalid policy + +From: Stephen Smalley + +commit 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 upstream. + +levdatum->level can be NULL if we encounter an error while loading +the policy during sens_read prior to initializing it. Make sure +sens_destroy handles that case correctly. + +Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/policydb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/selinux/ss/policydb.c ++++ b/security/selinux/ss/policydb.c +@@ -717,7 +717,8 @@ static int sens_destroy(void *key, void + kfree(key); + if (datum) { + levdatum = datum; +- ebitmap_destroy(&levdatum->level->cat); ++ if (levdatum->level) ++ ebitmap_destroy(&levdatum->level->cat); + kfree(levdatum->level); + } + kfree(datum); diff --git a/queue-3.18/series b/queue-3.18/series index 3fb00c15df1..0e5493d43b4 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -19,3 +19,13 @@ crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch btrfs-wait-on-ordered-extents-on-abort-cleanup.patch yama-check-for-pid-death-before-checking-ancestry.patch scsi-sd-fix-cache_type_store.patch +mfd-tps6586x-handle-interrupts-on-suspend.patch +disable-msi-also-when-pcie-octeon.pcie_disable-on.patch +omap2fb-fix-stack-memory-disclosure.patch +media-vivid-fix-error-handling-of-kthread_run.patch +media-vivid-set-min-width-height-to-a-value-0.patch +media-vb2-vb2_mmap-move-lock-up.patch +sunrpc-handle-enomem-in-rpcb_getport_async.patch +selinux-fix-gpf-on-invalid-policy.patch +sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch +block-loop-use-global-lock-for-ioctl-operation.patch diff --git a/queue-3.18/sunrpc-handle-enomem-in-rpcb_getport_async.patch b/queue-3.18/sunrpc-handle-enomem-in-rpcb_getport_async.patch new file mode 100644 index 00000000000..8ef1efee7f2 --- /dev/null +++ b/queue-3.18/sunrpc-handle-enomem-in-rpcb_getport_async.patch @@ -0,0 +1,44 @@ +From 81c88b18de1f11f70c97f28ced8d642c00bb3955 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 20 Dec 2018 10:35:11 -0500 +Subject: sunrpc: handle ENOMEM in rpcb_getport_async + +From: J. Bruce Fields + +commit 81c88b18de1f11f70c97f28ced8d642c00bb3955 upstream. + +If we ignore the error we'll hit a null dereference a little later. + +Reported-by: syzbot+4b98281f2401ab849f4b@syzkaller.appspotmail.com +Signed-off-by: J. Bruce Fields +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/rpcb_clnt.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/sunrpc/rpcb_clnt.c ++++ b/net/sunrpc/rpcb_clnt.c +@@ -772,6 +772,12 @@ void rpcb_getport_async(struct rpc_task + case RPCBVERS_3: + map->r_netid = xprt->address_strings[RPC_DISPLAY_NETID]; + map->r_addr = rpc_sockaddr2uaddr(sap, GFP_ATOMIC); ++ if (!map->r_addr) { ++ status = -ENOMEM; ++ dprintk("RPC: %5u %s: no memory available\n", ++ task->tk_pid, __func__); ++ goto bailout_free_args; ++ } + map->r_owner = ""; + break; + case RPCBVERS_2: +@@ -794,6 +800,8 @@ void rpcb_getport_async(struct rpc_task + rpc_put_task(child); + return; + ++bailout_free_args: ++ kfree(map); + bailout_release_client: + rpc_release_client(rpcb_clnt); + bailout_nofree: