From: Greg Kroah-Hartman Date: Mon, 2 Oct 2017 12:49:45 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.73~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3fd95347b479d911d82c0bc75cda053c1aef3276;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm64-fault-route-pte-translation-faults-via-do_translation_fault.patch arm64-make-sure-spsel-is-always-set.patch bsg-lib-don-t-free-job-in-bsg_prepare_job.patch btrfs-fix-null-pointer-dereference-from-free_reloc_roots.patch btrfs-prevent-to-set-invalid-default-subvolid.patch btrfs-propagate-error-to-btrfs_cmp_data_prepare-caller.patch fix-smb3.1.1-guest-authentication-to-samba.patch kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch nl80211-check-for-the-required-netlink-attributes-presence.patch pci-fix-race-condition-with-driver_override.patch powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch seccomp-fix-the-usage-of-get-put_seccomp_filter-in-seccomp_get_filter.patch smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch --- diff --git a/queue-4.4/arm64-fault-route-pte-translation-faults-via-do_translation_fault.patch b/queue-4.4/arm64-fault-route-pte-translation-faults-via-do_translation_fault.patch new file mode 100644 index 00000000000..c35223cc0df --- /dev/null +++ b/queue-4.4/arm64-fault-route-pte-translation-faults-via-do_translation_fault.patch 
@@ -0,0 +1,65 @@ +From 760bfb47c36a07741a089bf6a28e854ffbee7dc9 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 29 Sep 2017 12:27:41 +0100 +Subject: arm64: fault: Route pte translation faults via do_translation_fault + +From: Will Deacon + +commit 760bfb47c36a07741a089bf6a28e854ffbee7dc9 upstream. + +We currently route pte translation faults via do_page_fault, which elides +the address check against TASK_SIZE before invoking the mm fault handling +code. However, this can cause issues with the path walking code in +conjunction with our word-at-a-time implementation because +load_unaligned_zeropad can end up faulting in kernel space if it reads +across a page boundary and runs into a page fault (e.g. by attempting to +read from a guard region). + +In the case of such a fault, load_unaligned_zeropad has registered a +fixup to shift the valid data and pad with zeroes, however the abort is +reported as a level 3 translation fault and we dispatch it straight to +do_page_fault, despite it being a kernel address. This results in calling +a sleeping function from atomic context: + + BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313 + in_atomic(): 0, irqs_disabled(): 0, pid: 10290 + Internal error: Oops - BUG: 0 [#1] PREEMPT SMP + [...] + [] ___might_sleep+0x134/0x144 + [] __might_sleep+0x7c/0x8c + [] do_page_fault+0x140/0x330 + [] do_mem_abort+0x54/0xb0 + Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0) + [...] + [] el1_da+0x18/0x78 + [] path_parentat+0x44/0x88 + [] filename_parentat+0x5c/0xd8 + [] filename_create+0x4c/0x128 + [] SyS_mkdirat+0x50/0xc8 + [] el0_svc_naked+0x24/0x28 + Code: 36380080 d5384100 f9400800 9402566d (d4210000) + ---[ end trace 2d01889f2bca9b9f ]--- + +Fix this by dispatching all translation faults to do_translation_faults, +which avoids invoking the page fault logic for faults on kernel addresses. 
+ +Reported-by: Ankit Jain +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/fault.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -447,7 +447,7 @@ static struct fault_info { + { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 0 translation fault" }, + { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation fault" }, + { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation fault" }, +- { do_page_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" }, ++ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" }, + { do_bad, SIGBUS, 0, "unknown 8" }, + { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 access flag fault" }, + { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 access flag fault" }, diff --git a/queue-4.4/arm64-make-sure-spsel-is-always-set.patch b/queue-4.4/arm64-make-sure-spsel-is-always-set.patch new file mode 100644 index 00000000000..5c18b62b5fb --- /dev/null +++ b/queue-4.4/arm64-make-sure-spsel-is-always-set.patch 
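Review bot: The new "level 3 translation fault" entry now looks identical in shape to the access-flag entries right below it, and nothing in the table says why it must not go back to do_page_fault, so a future "make level 3 consistent" cleanup could silently reintroduce the bug described in the log. I would annotate the changed row: `{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" }, /* may be a kernel address (load_unaligned_zeropad); never do_page_fault */`. The fault_info array and do_translation_fault itself are outside the hunk, so whether do_translation_fault performs the TASK_SIZE check the commit message relies on cannot be confirmed from here.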
@@ -0,0 +1,40 @@ +From 5371513fb338fb9989c569dc071326d369d6ade8 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 26 Sep 2017 15:57:16 +0100 +Subject: arm64: Make sure SPsel is always set + +From: Marc Zyngier + +commit 5371513fb338fb9989c569dc071326d369d6ade8 upstream. + +When the kernel is entered at EL2 on an ARMv8.0 system, we construct +the EL1 pstate and make sure this uses the the EL1 stack pointer +(we perform an exception return to EL1h). + +But if the kernel is either entered at EL1 or stays at EL2 (because +we're on a VHE-capable system), we fail to set SPsel, and use whatever +stack selection the higher exception level has choosen for us. + +Let's not take any chance, and make sure that SPsel is set to one +before we decide the mode we're going to run in. + +Acked-by: Mark Rutland +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/head.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -446,6 +446,7 @@ ENDPROC(__mmap_switched) + * booted in EL1 or EL2 respectively. + */ + ENTRY(el2_setup) ++ msr SPsel, #1 // We want to use SP_EL{1,2} + mrs x0, CurrentEL + cmp x0, #CurrentEL_EL2 + b.ne 1f diff --git a/queue-4.4/bsg-lib-don-t-free-job-in-bsg_prepare_job.patch b/queue-4.4/bsg-lib-don-t-free-job-in-bsg_prepare_job.patch new file mode 100644 index 00000000000..50a9d4a25a6 --- /dev/null +++ b/queue-4.4/bsg-lib-don-t-free-job-in-bsg_prepare_job.patch 
@@ -0,0 +1,31 @@ +From f507b54dccfd8000c517d740bc45f20c74532d18 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 7 Sep 2017 13:54:35 +0200 +Subject: bsg-lib: don't free job in bsg_prepare_job + +From: Christoph Hellwig + +commit f507b54dccfd8000c517d740bc45f20c74532d18 upstream. + +The job structure is allocated as part of the request, so we should not +free it in the error path of bsg_prepare_job. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/bsg-lib.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/block/bsg-lib.c ++++ b/block/bsg-lib.c +@@ -147,7 +147,6 @@ static int bsg_create_job(struct device + failjob_rls_rqst_payload: + kfree(job->request_payload.sg_list); + failjob_rls_job: +- kfree(job); + return -ENOMEM; + } + diff --git a/queue-4.4/btrfs-fix-null-pointer-dereference-from-free_reloc_roots.patch b/queue-4.4/btrfs-fix-null-pointer-dereference-from-free_reloc_roots.patch new file mode 100644 index 00000000000..000a47768b9 --- /dev/null +++ b/queue-4.4/btrfs-fix-null-pointer-dereference-from-free_reloc_roots.patch 
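Review bot: With the kfree() dropped, `failjob_rls_job:` is now a label that only returns -ENOMEM, which reads like a cleanup path that forgot its cleanup. The goto sites that target it are outside the hunk, so the label may still be needed; either way a one-line reason at the label would stop the next reader from "fixing" it back: `failjob_rls_job: /* job is embedded in the request and freed with it */`. bsg_create_job's body begins before this hunk.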
@@ -0,0 +1,39 @@ +From bb166d7207432d3c7d10c45dc052f12ba3a2121d Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Fri, 25 Aug 2017 14:15:14 +0900 +Subject: btrfs: fix NULL pointer dereference from free_reloc_roots() + +From: Naohiro Aota + +commit bb166d7207432d3c7d10c45dc052f12ba3a2121d upstream. + +__del_reloc_root should be called before freeing up reloc_root->node. +If not, calling __del_reloc_root() dereference reloc_root->node, causing +the system BUG. + +Fixes: 6bdf131fac23 ("Btrfs: don't leak reloc root nodes on error") +Signed-off-by: Naohiro Aota +Reviewed-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/relocation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -2350,11 +2350,11 @@ void free_reloc_roots(struct list_head * + while (!list_empty(list)) { + reloc_root = list_entry(list->next, struct btrfs_root, + root_list); ++ __del_reloc_root(reloc_root); + free_extent_buffer(reloc_root->node); + free_extent_buffer(reloc_root->commit_root); + reloc_root->node = NULL; + reloc_root->commit_root = NULL; +- __del_reloc_root(reloc_root); + } + } + diff --git a/queue-4.4/btrfs-prevent-to-set-invalid-default-subvolid.patch b/queue-4.4/btrfs-prevent-to-set-invalid-default-subvolid.patch new file mode 100644 index 00000000000..43d30916a32 --- /dev/null +++ b/queue-4.4/btrfs-prevent-to-set-invalid-default-subvolid.patch 
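Review bot: The ordering now matters but nothing in the loop says so, and the `reloc_root->node = NULL;` assignments that follow look like the kind of thing a reader would reorder again. A why-comment on the moved call keeps the constraint local: `__del_reloc_root(reloc_root); /* dereferences ->node; must run before it is freed */`. Whether __del_reloc_root() also drops the root from the list this loop walks is not visible here, so the list_empty() loop condition is taken on trust.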
@@ -0,0 +1,37 @@ +From 6d6d282932d1a609e60dc4467677e0e863682f57 Mon Sep 17 00:00:00 2001 +From: satoru takeuchi +Date: Tue, 12 Sep 2017 22:42:52 +0900 +Subject: btrfs: prevent to set invalid default subvolid + +From: satoru takeuchi + +commit 6d6d282932d1a609e60dc4467677e0e863682f57 upstream. + +`btrfs sub set-default` succeeds to set an ID which isn't corresponding to any +fs/file tree. If such the bad ID is set to a filesystem, we can't mount this +filesystem without specifying `subvol` or `subvolid` mount options. + +Fixes: 6ef5ed0d386b ("Btrfs: add ioctl and incompat flag to set the default mount subvol") +Signed-off-by: Satoru Takeuchi +Reviewed-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -4118,6 +4118,10 @@ static long btrfs_ioctl_default_subvol(s + ret = PTR_ERR(new_root); + goto out; + } ++ if (!is_fstree(new_root->objectid)) { ++ ret = -ENOENT; ++ goto out; ++ } + + path = btrfs_alloc_path(); + if (!path) { diff --git a/queue-4.4/btrfs-propagate-error-to-btrfs_cmp_data_prepare-caller.patch b/queue-4.4/btrfs-propagate-error-to-btrfs_cmp_data_prepare-caller.patch new file mode 100644 index 00000000000..1cb1381281a --- /dev/null +++ b/queue-4.4/btrfs-propagate-error-to-btrfs_cmp_data_prepare-caller.patch 
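Review bot: The new check returns -ENOENT for a tree that does exist (the read above it succeeded) but is simply not an fs/file tree, so userspace sees "not found" for what is really an invalid argument; -EINVAL would match the ioctl contract better, though -ENOENT is what upstream chose and changing it would differ from mainline. At minimum the intent deserves a comment next to the test: `/* only fs/file trees are mountable as the default subvolume */`. Whether `new_root` needs a reference dropped on this new early exit depends on btrfs_read_fs_root_no_name's ownership rules, which are outside the hunk.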
@@ -0,0 +1,38 @@ +From 78ad4ce014d025f41b8dde3a81876832ead643cf Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Fri, 8 Sep 2017 17:48:55 +0900 +Subject: btrfs: propagate error to btrfs_cmp_data_prepare caller + +From: Naohiro Aota + +commit 78ad4ce014d025f41b8dde3a81876832ead643cf upstream. + +btrfs_cmp_data_prepare() (almost) always returns 0 i.e. ignoring errors +from gather_extent_pages(). While the pages are freed by +btrfs_cmp_data_free(), cmp->num_pages still has > 0. Then, +btrfs_extent_same() try to access the already freed pages causing faults +(or violates PageLocked assertion). + +This patch just return the error as is so that the caller stop the process. + +Signed-off-by: Naohiro Aota +Fixes: f441460202cb ("btrfs: fix deadlock with extent-same and readpage") +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2984,7 +2984,7 @@ static int btrfs_cmp_data_prepare(struct + out: + if (ret) + btrfs_cmp_data_free(cmp); +- return 0; ++ return ret; + } + + static int btrfs_cmp_data(struct inode *src, u64 loff, struct inode *dst, diff --git a/queue-4.4/fix-smb3.1.1-guest-authentication-to-samba.patch b/queue-4.4/fix-smb3.1.1-guest-authentication-to-samba.patch new file mode 100644 index 00000000000..80a10da6365 --- /dev/null +++ b/queue-4.4/fix-smb3.1.1-guest-authentication-to-samba.patch 
@@ -0,0 +1,32 @@ +From 23586b66d84ba3184b8820277f3fc42761640f87 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 18 Sep 2017 18:18:45 -0500 +Subject: Fix SMB3.1.1 guest authentication to Samba + +From: Steve French + +commit 23586b66d84ba3184b8820277f3fc42761640f87 upstream. + +Samba rejects SMB3.1.1 dialect (vers=3.1.1) negotiate requests from +the kernel client due to the two byte pad at the end of the negotiate +contexts. + +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -361,7 +361,7 @@ assemble_neg_contexts(struct smb2_negoti + build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt); + req->NegotiateContextOffset = cpu_to_le32(OFFSET_OF_NEG_CONTEXT); + req->NegotiateContextCount = cpu_to_le16(2); +- inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + 2 ++ inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + + sizeof(struct smb2_encryption_neg_context)); /* calculate hash */ + } + #else diff --git a/queue-4.4/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/queue-4.4/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch new file mode 100644 index 00000000000..a428c620caf --- /dev/null +++ b/queue-4.4/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch 
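Review bot: The advertised length loses the two pad bytes, but the code that lays out the contexts (build_preauth_ctxt/build_encrypt_ctxt and the pneg_ctxt arithmetic above this hunk) is outside the hunk, so it cannot be confirmed here that those bytes are no longer written into the buffer as well; if they still are, the RFC1001 length and the bytes on the wire disagree. The removed "+ 2" had no explanation and neither does its removal; a short comment would help: `/* no trailing pad: Samba rejects a negotiate whose length covers bytes past the last context */`.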
@@ -0,0 +1,39 @@ +From 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f Mon Sep 17 00:00:00 2001 +From: Jim Mattson +Date: Tue, 12 Sep 2017 13:02:54 -0700 +Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8 + +From: Jim Mattson + +commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f upstream. + +If L1 does not specify the "use TPR shadow" VM-execution control in +vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store +exiting" VM-execution controls in vmcs02. Failure to do so will give +the L2 VM unrestricted read/write access to the hardware CR8. + +This fixes CVE-2017-12154. + +Signed-off-by: Jim Mattson +Reviewed-by: David Hildenbrand +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9683,6 +9683,11 @@ static void prepare_vmcs02(struct kvm_vc + vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, + page_to_phys(vmx->nested.virtual_apic_page)); + vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold); ++ } else { ++#ifdef CONFIG_X86_64 ++ exec_control |= CPU_BASED_CR8_LOAD_EXITING | ++ CPU_BASED_CR8_STORE_EXITING; ++#endif + } + + if (cpu_has_vmx_msr_bitmap() && diff --git a/queue-4.4/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch b/queue-4.4/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch new file mode 100644 index 00000000000..0fcfda7c1c6 --- /dev/null +++ b/queue-4.4/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch 
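Review bot: The new else-branch is the security-relevant half of prepare_vmcs02 and carries no comment, so the reason the CR8 exits are forced only when L1 omits the TPR shadow is invisible at the point of the code. I would add, above the `#ifdef`: `/* Without a TPR shadow, CR8 accesses from L2 must exit or L2 gets the real hardware CR8 (CVE-2017-12154). */`. The final vmcs_write32 of exec_control and any later clearing of these bits happen outside the hunk, so that the bits survive to the VMCS is assumed rather than shown.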
@@ -0,0 +1,57 @@ +From 3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= +Date: Thu, 7 Sep 2017 19:02:30 +0100 +Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan H. Schönherr + +commit 3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb upstream. + +The value of the guest_irq argument to vmx_update_pi_irte() is +ultimately coming from a KVM_IRQFD API call. Do not BUG() in +vmx_update_pi_irte() if the value is out-of bounds. (Especially, +since KVM as a whole seems to hang after that.) + +Instead, print a message only once if we find that we don't have a +route for a certain IRQ (which can be out-of-bounds or within the +array). + +This fixes CVE-2017-1000252. + +Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts") +Signed-off-by: Jan H. Schönherr +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10755,7 +10755,7 @@ static int vmx_update_pi_irte(struct kvm + struct kvm_lapic_irq irq; + struct kvm_vcpu *vcpu; + struct vcpu_data vcpu_info; +- int idx, ret = -EINVAL; ++ int idx, ret = 0; + + if (!kvm_arch_has_assigned_device(kvm) || + !irq_remapping_cap(IRQ_POSTING_CAP)) +@@ -10763,7 +10763,12 @@ static int vmx_update_pi_irte(struct kvm + + idx = srcu_read_lock(&kvm->irq_srcu); + irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu); +- BUG_ON(guest_irq >= irq_rt->nr_rt_entries); ++ if (guest_irq >= irq_rt->nr_rt_entries || ++ hlist_empty(&irq_rt->map[guest_irq])) { ++ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n", ++ guest_irq, irq_rt->nr_rt_entries); ++ goto out; ++ } + + hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) { + if (e->type != KVM_IRQ_ROUTING_MSI) 
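Review bot: Changing the initial `ret` from -EINVAL to 0 means the new early-out for an out-of-bounds or unrouted guest_irq reports success to the caller, so a posted-interrupt route that was never programmed is indistinguishable from one that was; callers that use the return value to fall back to non-posted delivery will not do so. If success is intended (user space may add the route later), that should be stated at the goto: `goto out; /* not an error: route may be installed later */`, otherwise `ret = -EINVAL;` belongs before the goto. The bounds test correctly precedes the `hlist_empty()` indexing, and guest_irq being unsigned makes the single `>=` sufficient; the rest of vmx_update_pi_irte, including the out label, is outside the hunk.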
diff --git a/queue-4.4/nl80211-check-for-the-required-netlink-attributes-presence.patch b/queue-4.4/nl80211-check-for-the-required-netlink-attributes-presence.patch new file mode 100644 index 00000000000..3814b1e5e4d --- /dev/null +++ b/queue-4.4/nl80211-check-for-the-required-netlink-attributes-presence.patch @@ -0,0 +1,41 @@ +From e785fa0a164aa11001cba931367c7f94ffaff888 Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Wed, 13 Sep 2017 00:21:21 +0200 +Subject: nl80211: check for the required netlink attributes presence + +From: Vladis Dronov + +commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream. + +nl80211_set_rekey_data() does not check if the required attributes +NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing +NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by +users with CAP_NET_ADMIN privilege and may result in NULL dereference +and a system crash. Add a check for the required attributes presence. +This patch is based on the patch by bo Zhang. + +This fixes CVE-2017-12153. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046 +Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload") +Reported-by: bo Zhang +Signed-off-by: Vladis Dronov +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -9786,6 +9786,9 @@ static int nl80211_set_rekey_data(struct + if (err) + return err; + ++ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || ++ !tb[NL80211_REKEY_DATA_KCK]) ++ return -EINVAL; + if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) + return -ERANGE; + if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) diff --git a/queue-4.4/pci-fix-race-condition-with-driver_override.patch b/queue-4.4/pci-fix-race-condition-with-driver_override.patch new file mode 100644 index 00000000000..27ba94b7324 
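Review bot: The presence check is correct and is placed before the nla_len() calls that dereference the attributes, but it sits between the nla_parse error check and the length checks with no explanation of why these three are mandatory. A one-line comment keeps the next attribute addition honest: `/* all three are required: nla_len() below dereferences them */`. Whether the nla_policy passed to nla_parse (outside the hunk) could express this instead is not visible here.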
--- /dev/null +++ b/queue-4.4/pci-fix-race-condition-with-driver_override.patch 
@@ -0,0 +1,66 @@ +From 9561475db680f7144d2223a409dd3d7e322aca03 Mon Sep 17 00:00:00 2001 +From: Nicolai Stange +Date: Mon, 11 Sep 2017 09:45:40 +0200 +Subject: PCI: Fix race condition with driver_override + +From: Nicolai Stange + +commit 9561475db680f7144d2223a409dd3d7e322aca03 upstream. + +The driver_override implementation is susceptible to a race condition when +different threads are reading vs. storing a different driver override. Add +locking to avoid the race condition. + +This is in close analogy to commit 6265539776a0 ("driver core: platform: +fix race condition with driver_override") from Adrian Salido. + +Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override") +Signed-off-by: Nicolai Stange +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-sysfs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -522,7 +522,7 @@ static ssize_t driver_override_store(str + const char *buf, size_t count) + { + struct pci_dev *pdev = to_pci_dev(dev); +- char *driver_override, *old = pdev->driver_override, *cp; ++ char *driver_override, *old, *cp; + + /* We need to keep extra room for a newline */ + if (count >= (PAGE_SIZE - 1)) +@@ -536,12 +536,15 @@ static ssize_t driver_override_store(str + if (cp) + *cp = '\0'; + ++ device_lock(dev); ++ old = pdev->driver_override; + if (strlen(driver_override)) { + pdev->driver_override = driver_override; + } else { + kfree(driver_override); + pdev->driver_override = NULL; + } ++ device_unlock(dev); + + kfree(old); + +@@ -552,8 +555,12 @@ static ssize_t driver_override_show(stru + struct device_attribute *attr, char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ ssize_t len; + +- return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override); ++ device_lock(dev); ++ len = snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override); ++ device_unlock(dev); ++ return len; + } 
+ static DEVICE_ATTR_RW(driver_override); + diff --git a/queue-4.4/powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch b/queue-4.4/powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch new file mode 100644 index 00000000000..d6d0ed50a63 --- /dev/null +++ b/queue-4.4/powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch @@ -0,0 +1,39 @@ +From b537ca6fede69a281dc524983e5e633d79a10a08 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Wed, 20 Sep 2017 17:02:52 -0400 +Subject: powerpc/pseries: Fix parent_dn reference leak in add_dt_node() + +From: Tyrel Datwyler + +commit b537ca6fede69a281dc524983e5e633d79a10a08 upstream. + +A reference to the parent device node is held by add_dt_node() for the +node to be added. If the call to dlpar_configure_connector() fails +add_dt_node() returns ENOENT and that reference is not freed. + +Add a call to of_node_put(parent_dn) prior to bailing out after a +failed dlpar_configure_connector() call. + +Fixes: 8d5ff320766f ("powerpc/pseries: Make dlpar_configure_connector parent node aware") +Signed-off-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/mobility.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -225,8 +225,10 @@ static int add_dt_node(__be32 parent_pha + return -ENOENT; + + dn = dlpar_configure_connector(drc_index, parent_dn); +- if (!dn) ++ if (!dn) { ++ of_node_put(parent_dn); + return -ENOENT; ++ } + + rc = dlpar_attach_node(dn); + if (rc) diff --git a/queue-4.4/seccomp-fix-the-usage-of-get-put_seccomp_filter-in-seccomp_get_filter.patch b/queue-4.4/seccomp-fix-the-usage-of-get-put_seccomp_filter-in-seccomp_get_filter.patch new file mode 100644 index 00000000000..542b0f81b93 --- /dev/null +++ b/queue-4.4/seccomp-fix-the-usage-of-get-put_seccomp_filter-in-seccomp_get_filter.patch 
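Review bot: The lock only serialises the sysfs reader and writer; the other consumer of pdev->driver_override, the bus match path that compares it against a driver name, is outside this hunk, and if it does not run under device_lock() the original read-vs-free race survives for that reader. Worth confirming and, if so, noting on the field or here: `/* driver_override is read by pci_bus_match() under device_lock() */` or the equivalent fix. The body of driver_override_store begins before the hunk.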
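Review bot: The of_node_put() fixes this one exit, but add_dt_node continues after the hunk with `rc = dlpar_attach_node(dn); if (rc)` and whether that failure path also drops parent_dn is not visible; if it does not, the leak merely moved. A single `out_put: of_node_put(parent_dn);` label that every post-lookup exit jumps to would make the ownership obvious and harder to regress. The `return -ENOENT;` at the top of the hunk appears to predate the parent lookup's reference, so it presumably needs no put, but that is inferred, not shown.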
@@ -0,0 +1,91 @@ +From 66a733ea6b611aecf0119514d2dddab5f9d6c01e Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Wed, 27 Sep 2017 09:25:30 -0600 +Subject: seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() + +From: Oleg Nesterov + +commit 66a733ea6b611aecf0119514d2dddab5f9d6c01e upstream. + +As Chris explains, get_seccomp_filter() and put_seccomp_filter() can end +up using different filters. Once we drop ->siglock it is possible for +task->seccomp.filter to have been replaced by SECCOMP_FILTER_FLAG_TSYNC. + +Fixes: f8e529ed941b ("seccomp, ptrace: add support for dumping seccomp filters") +Reported-by: Chris Salls +Signed-off-by: Oleg Nesterov +[tycho: add __get_seccomp_filter vs. open coding refcount_inc()] +Signed-off-by: Tycho Andersen +[kees: tweak commit log] +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/seccomp.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -457,14 +457,19 @@ static long seccomp_attach_filter(unsign + return 0; + } + ++void __get_seccomp_filter(struct seccomp_filter *filter) ++{ ++ /* Reference count is bounded by the number of total processes. */ ++ atomic_inc(&filter->usage); ++} ++ + /* get_seccomp_filter - increments the reference count of the filter on @tsk */ + void get_seccomp_filter(struct task_struct *tsk) + { + struct seccomp_filter *orig = tsk->seccomp.filter; + if (!orig) + return; +- /* Reference count is bounded by the number of total processes. 
*/ +- atomic_inc(&orig->usage); ++ __get_seccomp_filter(orig); + } + + static inline void seccomp_filter_free(struct seccomp_filter *filter) +@@ -475,10 +480,8 @@ static inline void seccomp_filter_free(s + } + } + +-/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */ +-void put_seccomp_filter(struct task_struct *tsk) ++static void __put_seccomp_filter(struct seccomp_filter *orig) + { +- struct seccomp_filter *orig = tsk->seccomp.filter; + /* Clean up single-reference branches iteratively. */ + while (orig && atomic_dec_and_test(&orig->usage)) { + struct seccomp_filter *freeme = orig; +@@ -487,6 +490,12 @@ void put_seccomp_filter(struct task_stru + } + } + ++/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */ ++void put_seccomp_filter(struct task_struct *tsk) ++{ ++ __put_seccomp_filter(tsk->seccomp.filter); ++} ++ + /** + * seccomp_send_sigsys - signals the task to allow in-process syscall emulation + * @syscall: syscall number to send to userland +@@ -927,13 +936,13 @@ long seccomp_get_filter(struct task_stru + if (!data) + goto out; + +- get_seccomp_filter(task); ++ __get_seccomp_filter(filter); + spin_unlock_irq(&task->sighand->siglock); + + if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog))) + ret = -EFAULT; + +- put_seccomp_filter(task); ++ __put_seccomp_filter(filter); + return ret; + + out: diff --git a/queue-4.4/series b/queue-4.4/series index c26e863f652..500ca05664a 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
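Review bot: `__get_seccomp_filter()` is introduced with external linkage while its counterpart `__put_seccomp_filter()` is `static`, and no header declaration is added in this patch, so the new function is an exported symbol with no prototype (a -Wmissing-prototypes warning and one more name in the global namespace for what is an internal helper). Unless another file needs it, make the two consistent: `static void __get_seccomp_filter(struct seccomp_filter *filter)`. The seccomp_get_filter() hunk itself looks right: the reference is taken on the specific `filter` that was looked up under siglock, so a TSYNC replacement of task->seccomp.filter after the unlock no longer mismatches get and put.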
@@ -11,3 +11,19 @@ crypto-talitos-fix-sha224.patch keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch keys-prevent-creating-a-different-user-s-keyrings.patch keys-prevent-keyctl_read-on-negative-key.patch +powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch +fix-smb3.1.1-guest-authentication-to-samba.patch +smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch +smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch +vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch +nl80211-check-for-the-required-netlink-attributes-presence.patch +bsg-lib-don-t-free-job-in-bsg_prepare_job.patch +seccomp-fix-the-usage-of-get-put_seccomp_filter-in-seccomp_get_filter.patch +arm64-make-sure-spsel-is-always-set.patch +arm64-fault-route-pte-translation-faults-via-do_translation_fault.patch +kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch +kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch +pci-fix-race-condition-with-driver_override.patch +btrfs-fix-null-pointer-dereference-from-free_reloc_roots.patch +btrfs-propagate-error-to-btrfs_cmp_data_prepare-caller.patch +btrfs-prevent-to-set-invalid-default-subvolid.patch diff --git a/queue-4.4/smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch b/queue-4.4/smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch new file mode 100644 index 00000000000..f9d268705a9 --- /dev/null +++ b/queue-4.4/smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch 
@@ -0,0 +1,56 @@ +From 0603c96f3af50e2f9299fa410c224ab1d465e0f9 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Wed, 20 Sep 2017 19:57:18 -0500 +Subject: SMB: Validate negotiate (to protect against downgrade) even if signing off + +From: Steve French + +commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream. + +As long as signing is supported (ie not a guest user connection) and +connection is SMB3 or SMB3.02, then validate negotiate (protect +against man in the middle downgrade attacks). We had been doing this +only when signing was required, not when signing was just enabled, +but this more closely matches recommended SMB3 behavior and is +better security. Suggested by Metze. + +Signed-off-by: Steve French +Reviewed-by: Jeremy Allison +Acked-by: Stefan Metzmacher +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -526,15 +526,22 @@ int smb3_validate_negotiate(const unsign + + /* + * validation ioctl must be signed, so no point sending this if we +- * can not sign it. We could eventually change this to selectively ++ * can not sign it (ie are not known user). Even if signing is not ++ * required (enabled but not negotiated), in those cases we selectively + * sign just this, the first and only signed request on a connection. +- * This is good enough for now since a user who wants better security +- * would also enable signing on the mount. Having validation of +- * negotiate info for signed connections helps reduce attack vectors ++ * Having validation of negotiate info helps reduce attack vectors. 
+ */ +- if (tcon->ses->server->sign == false) ++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST) + return 0; /* validation requires signing */ + ++ if (tcon->ses->user_name == NULL) { ++ cifs_dbg(FYI, "Can't validate negotiate: null user mount\n"); ++ return 0; /* validation requires signing */ ++ } ++ ++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) ++ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n"); ++ + vneg_inbuf.Capabilities = + cpu_to_le32(tcon->ses->server->vals->req_capabilities); + memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid, diff --git a/queue-4.4/smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch b/queue-4.4/smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch new file mode 100644 index 00000000000..d63c58f4d79 --- /dev/null +++ b/queue-4.4/smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch @@ -0,0 +1,34 @@ +From 1013e760d10e614dc10b5624ce9fc41563ba2e65 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Fri, 22 Sep 2017 01:40:27 -0500 +Subject: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags + +From: Steve French + +commit 1013e760d10e614dc10b5624ce9fc41563ba2e65 upstream. + +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -224,6 +224,13 @@ cifs_nt_open(char *full_path, struct ino + if (backup_cred(cifs_sb)) + create_options |= CREATE_OPEN_BACKUP_INTENT; + ++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */ ++ if (f_flags & O_SYNC) ++ create_options |= CREATE_WRITE_THROUGH; ++ ++ if (f_flags & O_DIRECT) ++ create_options |= CREATE_NO_BUFFER; ++ + oparms.tcon = tcon; + oparms.cifs_sb = cifs_sb; + oparms.desired_access = desired_access; 
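Review bot: The null-user exit still skips validation silently: it logs only at FYI level and returns 0, so a mount that ends up with `user_name == NULL` gets no downgrade protection and no visible warning, while the SMB2_SESSION_FLAG_IS_NULL case right below does warn at VFS level; the two should probably be treated alike. The rewritten comment says the validate request is "selectively signed" even when signing was not negotiated, but the code that actually forces signing on this single ioctl is outside the hunk, so that property is asserted rather than shown here. smb3_validate_negotiate begins before this hunk.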
diff --git a/queue-4.4/vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch b/queue-4.4/vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch new file mode 100644 index 00000000000..215e05fb6da --- /dev/null +++ b/queue-4.4/vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch @@ -0,0 +1,44 @@ +From fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 25 Sep 2017 12:23:03 +0200 +Subject: vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets + +From: Andreas Gruenbacher + +commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream. + +In generic_file_llseek_size, return -ENXIO for negative offsets as well +as offsets beyond EOF. This affects filesystems which don't implement +SEEK_HOLE / SEEK_DATA internally, possibly because they don't support +holes. + +Fixes xfstest generic/448. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/read_write.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -112,7 +112,7 @@ generic_file_llseek_size(struct file *fi + * In the generic case the entire file is data, so as long as + * offset isn't at the end of the file then the offset is data. + */ +- if (offset >= eof) ++ if ((unsigned long long)offset >= eof) + return -ENXIO; + break; + case SEEK_HOLE: +@@ -120,7 +120,7 @@ generic_file_llseek_size(struct file *fi + * There is a virtual hole at the end of the file, so as long as + * offset isn't i_size or larger, return i_size. + */ +- if (offset >= eof) ++ if ((unsigned long long)offset >= eof) + return -ENXIO; + offset = eof; + break;
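Review bot: The two `(unsigned long long)offset >= eof` casts do the right thing only because a negative loff_t wraps to a value larger than any valid i_size, and that reasoning is not written anywhere in the code. A comment on the first occurrence would prevent a well-meaning "remove redundant cast" later: `/* negative offsets wrap to > any EOF and are rejected with -ENXIO too */`. `eof` is declared before the hunk, so its type (and the signed/unsigned promotion in the comparison) is assumed to be loff_t.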