From: Greg Kroah-Hartman Date: Tue, 2 Oct 2018 12:04:06 +0000 (-0700) Subject: 3.18-stable patches X-Git-Tag: v4.18.12~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74689d949a89d87cf54af373092cbe4b6d046ec7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: arm64-kvm-tighten-guest-core-register-access-from-userspace.patch e1000-check-on-netif_running-before-calling-e1000_up.patch e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch ext4-verify-the-depth-of-extent-tree-in-ext4_find_extent.patch hwmon-adt7475-make-adt7475_read_word-return-errors.patch thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch --- diff --git a/queue-3.18/arm64-kvm-tighten-guest-core-register-access-from-userspace.patch b/queue-3.18/arm64-kvm-tighten-guest-core-register-access-from-userspace.patch new file mode 100644 index 00000000000..e2bb155f929 --- /dev/null +++ b/queue-3.18/arm64-kvm-tighten-guest-core-register-access-from-userspace.patch @@ -0,0 +1,99 @@ +From d26c25a9d19b5976b319af528886f89cf455692d Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Thu, 27 Sep 2018 16:53:21 +0100 +Subject: arm64: KVM: Tighten guest core register access from userspace + +From: Dave Martin + +commit d26c25a9d19b5976b319af528886f89cf455692d upstream. + +We currently allow userspace to access the core register file +in about any possible way, including straddling multiple +registers and doing unaligned accesses. + +This is not the expected use of the ABI, and nobody is actually +using it that way. Let's tighten it by explicitly checking +the size and alignment for each field of the register file. + +Cc: +Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface") +Reviewed-by: Christoffer Dall +Reviewed-by: Mark Rutland +Signed-off-by: Dave Martin +[maz: rewrote Dave's initial patch to be more easily backported] +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +--- a/arch/arm64/kvm/guest.c ++++ b/arch/arm64/kvm/guest.c +@@ -46,6 +46,45 @@ static u64 core_reg_offset_from_id(u64 i + return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE); + } + ++static int validate_core_offset(const struct kvm_one_reg *reg) ++{ ++ u64 off = core_reg_offset_from_id(reg->id); ++ int size; ++ ++ switch (off) { ++ case KVM_REG_ARM_CORE_REG(regs.regs[0]) ... ++ KVM_REG_ARM_CORE_REG(regs.regs[30]): ++ case KVM_REG_ARM_CORE_REG(regs.sp): ++ case KVM_REG_ARM_CORE_REG(regs.pc): ++ case KVM_REG_ARM_CORE_REG(regs.pstate): ++ case KVM_REG_ARM_CORE_REG(sp_el1): ++ case KVM_REG_ARM_CORE_REG(elr_el1): ++ case KVM_REG_ARM_CORE_REG(spsr[0]) ... ++ KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]): ++ size = sizeof(__u64); ++ break; ++ ++ case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ... ++ KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]): ++ size = sizeof(__uint128_t); ++ break; ++ ++ case KVM_REG_ARM_CORE_REG(fp_regs.fpsr): ++ case KVM_REG_ARM_CORE_REG(fp_regs.fpcr): ++ size = sizeof(__u32); ++ break; ++ ++ default: ++ return -EINVAL; ++ } ++ ++ if (KVM_REG_SIZE(reg->id) == size && ++ IS_ALIGNED(off, size / sizeof(__u32))) ++ return 0; ++ ++ return -EINVAL; ++} ++ + static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + { + /* +@@ -65,6 +104,9 @@ static int get_core_reg(struct kvm_vcpu + (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs) + return -ENOENT; + ++ if (validate_core_offset(reg)) ++ return -EINVAL; ++ + if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id))) + return -EFAULT; + +@@ -87,6 +129,9 @@ static int set_core_reg(struct kvm_vcpu + (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs) + return -ENOENT; + ++ if (validate_core_offset(reg)) ++ return -EINVAL; ++ + if (KVM_REG_SIZE(reg->id) > sizeof(tmp)) + return -EINVAL; + diff --git a/queue-3.18/e1000-check-on-netif_running-before-calling-e1000_up.patch b/queue-3.18/e1000-check-on-netif_running-before-calling-e1000_up.patch new file mode 100644 index 00000000000..46d07c04c3a --- /dev/null +++ b/queue-3.18/e1000-check-on-netif_running-before-calling-e1000_up.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Oct 2 05:04:00 PDT 2018 +From: Bo Chen +Date: Mon, 23 Jul 2018 09:01:29 -0700 +Subject: e1000: check on netif_running() before calling e1000_up() + +From: Bo Chen + +[ Upstream commit cf1acec008f8d7761aa3fd7c4bca7e17b2d2512d ] + +When the device is not up, the call to 'e1000_up()' from the error handling path +of 'e1000_set_ringparam()' causes a kernel oops with a null-pointer +dereference. The null-pointer dereference is triggered in function +'e1000_alloc_rx_buffers()' at line 'buffer_info = &rx_ring->buffer_info[i]'. + +This bug was reported by COD, a tool for testing kernel module binaries I am +building. This bug was also detected by KFI from Dr. Kai Cong. + +This patch fixes the bug by checking on 'netif_running()' before calling +'e1000_up()' in 'e1000_set_ringparam()'. + +Signed-off-by: Bo Chen +Acked-by: Alexander Duyck +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -666,7 +666,8 @@ err_setup_rx: + err_alloc_rx: + kfree(txdr); + err_alloc_tx: +- e1000_up(adapter); ++ if (netif_running(adapter->netdev)) ++ e1000_up(adapter); + err_setup: + clear_bit(__E1000_RESETTING, &adapter->flags); + return err; diff --git a/queue-3.18/e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch b/queue-3.18/e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch new file mode 100644 index 00000000000..cbf128de794 --- /dev/null +++ b/queue-3.18/e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Oct 2 05:04:00 PDT 2018 +From: Bo Chen +Date: Mon, 23 Jul 2018 09:01:30 -0700 +Subject: e1000: ensure to free old tx/rx rings in set_ringparam() + +From: Bo Chen + +[ Upstream commit ee400a3f1bfe7004a3e14b81c38ccc5583c26295 ] + +In 'e1000_set_ringparam()', the tx_ring and rx_ring are updated with new value +and the old tx/rx rings are freed only when the device is up. There are resource +leaks on old tx/rx rings when the device is not up. This bug is reported by COD, +a tool for testing kernel module binaries I am building. + +This patch fixes the bug by always calling 'kfree()' on old tx/rx rings in +'e1000_set_ringparam()'. + +Signed-off-by: Bo Chen +Reviewed-by: Alexander Duyck +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -646,14 +646,14 @@ static int e1000_set_ringparam(struct ne + adapter->tx_ring = tx_old; + e1000_free_all_rx_resources(adapter); + e1000_free_all_tx_resources(adapter); +- kfree(tx_old); +- kfree(rx_old); + adapter->rx_ring = rxdr; + adapter->tx_ring = txdr; + err = e1000_up(adapter); + if (err) + goto err_setup; + } ++ kfree(tx_old); ++ kfree(rx_old); + + clear_bit(__E1000_RESETTING, &adapter->flags); + return 0; diff --git a/queue-3.18/ext4-verify-the-depth-of-extent-tree-in-ext4_find_extent.patch b/queue-3.18/ext4-verify-the-depth-of-extent-tree-in-ext4_find_extent.patch new file mode 100644 index 00000000000..dcb33ae7c21 --- /dev/null +++ b/queue-3.18/ext4-verify-the-depth-of-extent-tree-in-ext4_find_extent.patch @@ -0,0 +1,53 @@ +From 09999807edd836f8d96ca5a5b8bf007856c5f268 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 14 Jun 2018 12:55:10 -0400 +Subject: ext4: verify the depth of extent tree in ext4_find_extent() + +From: Theodore Ts'o + +commit bc890a60247171294acc0bd67d211fa4b88d40ba upstream. + +If there is a corupted file system where the claimed depth of the +extent tree is -1, this can cause a massive buffer overrun leading to +sadness. + +This addresses CVE-2018-10877. + +https://bugzilla.kernel.org/show_bug.cgi?id=199417 + +Signed-off-by: Theodore Ts'o +[bwh: Backported to 3.16: return -EIO instead of -EFSCORRUPTED] +Signed-off-by: Ben Hutchings +Cc: Greg Hackmann +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/ext4_extents.h | 1 + + fs/ext4/extents.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +--- a/fs/ext4/ext4_extents.h ++++ b/fs/ext4/ext4_extents.h +@@ -103,6 +103,7 @@ struct ext4_extent_header { + }; + + #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) ++#define EXT4_MAX_EXTENT_DEPTH 5 + + #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ + (sizeof(struct ext4_extent_header) + \ +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -870,6 +870,12 @@ ext4_find_extent(struct inode *inode, ex + + eh = ext_inode_hdr(inode); + depth = ext_depth(inode); ++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { ++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", ++ depth); ++ ret = -EIO; ++ goto err; ++ } + + if (path) { + ext4_ext_drop_refs(path); diff --git a/queue-3.18/hwmon-adt7475-make-adt7475_read_word-return-errors.patch b/queue-3.18/hwmon-adt7475-make-adt7475_read_word-return-errors.patch new file mode 100644 index 00000000000..de87dbb3a15 --- /dev/null +++ b/queue-3.18/hwmon-adt7475-make-adt7475_read_word-return-errors.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Oct 2 05:04:00 PDT 2018 +From: Dan Carpenter +Date: Tue, 14 Aug 2018 13:07:47 +0300 +Subject: hwmon: (adt7475) Make adt7475_read_word() return errors + +From: Dan Carpenter + +[ Upstream commit f196dec6d50abb2e65fb54a0621b2f1b4d922995 ] + +The adt7475_read_word() function was meant to return negative error +codes on failure. + +Signed-off-by: Dan Carpenter +Reviewed-by: Tokunori Ikegami +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/adt7475.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -274,14 +274,18 @@ static inline u16 volt2reg(int channel, + return clamp_val(reg, 0, 1023) & (0xff << 2); + } + +-static u16 adt7475_read_word(struct i2c_client *client, int reg) ++static int adt7475_read_word(struct i2c_client *client, int reg) + { +- u16 val; ++ int val1, val2; + +- val = i2c_smbus_read_byte_data(client, reg); +- val |= (i2c_smbus_read_byte_data(client, reg + 1) << 8); ++ val1 = i2c_smbus_read_byte_data(client, reg); ++ if (val1 < 0) ++ return val1; ++ val2 = i2c_smbus_read_byte_data(client, reg + 1); ++ if (val2 < 0) ++ return val2; + +- return val; ++ return val1 | (val2 << 8); + } + + static void adt7475_write_word(struct i2c_client *client, int reg, u16 val) diff --git a/queue-3.18/series b/queue-3.18/series index a36bd88c31b..2d6dbf8fe1e 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -60,3 +60,9 @@ revert-usb-cdc-wdm-fix-a-sleep-in-atomic-context-bug-in-service_outstanding_inte usb-remove-lpm-management-from-usb_driver_claim_interface.patch scsi-target-iscsi-use-bin2hex-instead-of-a-re-implementation.patch staging-android-ion-fix-ion_ioc_-map-share-use-after-free.patch +arm64-kvm-tighten-guest-core-register-access-from-userspace.patch +ext4-verify-the-depth-of-extent-tree-in-ext4_find_extent.patch +thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch +e1000-check-on-netif_running-before-calling-e1000_up.patch +e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch +hwmon-adt7475-make-adt7475_read_word-return-errors.patch diff --git a/queue-3.18/thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch b/queue-3.18/thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch new file mode 100644 index 00000000000..5cfe149e84b --- /dev/null +++ b/queue-3.18/thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Oct 2 05:04:00 PDT 2018 +From: Anson Huang +Date: Tue, 31 Jul 2018 00:56:49 +0800 +Subject: thermal: of-thermal: disable passive polling when thermal zone is disabled + +From: Anson Huang + +[ Upstream commit 152395fd03d4ce1e535a75cdbf58105e50587611 ] + +When thermal zone is in passive mode, disabling its mode from +sysfs is NOT taking effect at all, it is still polling the +temperature of the disabled thermal zone and handling all thermal +trips, it makes user confused. The disabling operation should +disable the thermal zone behavior completely, for both active and +passive mode, this patch clears the passive_delay when thermal +zone is disabled and restores it when it is enabled. + +Signed-off-by: Anson Huang +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/of-thermal.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/thermal/of-thermal.c ++++ b/drivers/thermal/of-thermal.c +@@ -209,10 +209,13 @@ static int of_thermal_set_mode(struct th + + mutex_lock(&tz->lock); + +- if (mode == THERMAL_DEVICE_ENABLED) ++ if (mode == THERMAL_DEVICE_ENABLED) { + tz->polling_delay = data->polling_delay; +- else ++ tz->passive_delay = data->passive_delay; ++ } else { + tz->polling_delay = 0; ++ tz->passive_delay = 0; ++ } + + mutex_unlock(&tz->lock); +