From: Greg Kroah-Hartman
Date: Thu, 21 Feb 2019 11:52:50 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.136~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=797f2a9ad74b2f300ef3ac0ce371400d889b4620;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
hwmon-lm80-fix-missing-unlock-on-error-in-set_fan_div.patch
kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch
---
diff --git a/queue-3.18/hwmon-lm80-fix-missing-unlock-on-error-in-set_fan_div.patch b/queue-3.18/hwmon-lm80-fix-missing-unlock-on-error-in-set_fan_div.patch
new file mode 100644
index 00000000000..f231c68fa89
--- /dev/null
+++ b/queue-3.18/hwmon-lm80-fix-missing-unlock-on-error-in-set_fan_div.patch
@@ -0,0 +1,35 @@
+From 07bd14ccc3049f9c0147a91a4227a571f981601a Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Wed, 26 Dec 2018 11:28:24 +0000
+Subject: hwmon: (lm80) Fix missing unlock on error in set_fan_div()
+
+From: Wei Yongjun
+
+commit 07bd14ccc3049f9c0147a91a4227a571f981601a upstream.
+
+Add the missing unlock before return from function set_fan_div()
+in the error handling case.
+
+Fixes: c9c63915519b ("hwmon: (lm80) fix a missing check of the status of SMBus read")
+Signed-off-by: Wei Yongjun
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwmon/lm80.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm80.c
++++ b/drivers/hwmon/lm80.c
+@@ -393,8 +393,10 @@ static ssize_t set_fan_div(struct device
+ }
+
+ rv = lm80_read_value(client, LM80_REG_FANDIV);
+- if (rv < 0)
++ if (rv < 0) {
++ mutex_unlock(&data->update_lock);
+ return rv;
++ }
+ reg = (rv & ~(3 << (2 * (nr + 1))))
+ | (data->fan_div[nr] << (2 * (nr + 1)));
+ lm80_write_value(client, LM80_REG_FANDIV, reg);
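Review bot: The call `lm80_write_value(client, LM80_REG_FANDIV, reg);` on the last line of the lm80.c hunk still discards its result, so a failed bus write would go unreported even though `data->fan_div[nr]` (presumably updated earlier in the function) already feeds the new register value. Assuming lm80_write_value() returns an error code the way lm80_read_value() does, which the hunk does not show, the write could take the same shape as the fixed read: `rv = lm80_write_value(client, LM80_REG_FANDIV, reg);` followed by `if (rv < 0) { mutex_unlock(&data->update_lock); return rv; }`. With two exits now releasing `update_lock`, a single unlock label reached by `goto` would make it harder to reintroduce the missing-unlock bug this patch fixes. set_fan_div() starts and ends outside the hunk, so the remaining writes could not be checked here.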
diff --git a/queue-3.18/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch b/queue-3.18/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch
new file mode 100644
index 00000000000..f46e7c43633
--- /dev/null
+++ b/queue-3.18/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch
@@ -0,0 +1,55 @@
+From cfa39381173d5f969daf43582c95ad679189cbc9 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Sat, 26 Jan 2019 01:54:33 +0100
+Subject: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
+
+From: Jann Horn
+
+commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.
+
+kvm_ioctl_create_device() does the following:
+
+1. creates a device that holds a reference to the VM object (with a borrowed
+ reference, the VM's refcount has not been bumped yet)
+2. initializes the device
+3. transfers the reference to the device to the caller's file descriptor table
+4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
+ reference
+
+The ownership transfer in step 3 must not happen before the reference to the VM
+becomes a proper, non-borrowed reference, which only happens in step 4.
+After step 3, an attacker can close the file descriptor and drop the borrowed
+reference, which can cause the refcount of the kvm object to drop to zero.
+
+This means that we need to grab a reference for the device before
+anon_inode_getfd(), otherwise the VM can disappear from under us.
+
+Fixes: 852b6d57dc7f ("kvm: add device control API")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/kvm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2398,14 +2398,15 @@ static int kvm_ioctl_create_device(struc
+ return ret;
+ }
+
++ kvm_get_kvm(kvm);
+ ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
++ kvm_put_kvm(kvm);
+ ops->destroy(dev);
+ return ret;
+ }
+
+ list_add(&dev->vm_node, &kvm->devices);
+- kvm_get_kvm(kvm);
+ cd->fd = ret;
+ return 0;
+ }
diff --git a/queue-3.18/series b/queue-3.18/series
index f56f36f2637..6c6d19906d2 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
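Review bot: `list_add(&dev->vm_node, &kvm->devices);` in the kvm_main.c hunk still runs after `anon_inode_getfd()` has published the descriptor, and no lock around the list update is visible in these lines. Taking `kvm_get_kvm(kvm)` first closes the refcount window, but the device is reachable from userspace before it is linked on `kvm->devices`, and concurrent callers would modify the list unserialized unless a lock is held outside the hunk. It is worth confirming for this tree whether the insertion should move ahead of `anon_inode_getfd()`, with `list_del(&dev->vm_node);` on the failure path, under the VM's lock. A comment above the new call, such as `/* take the VM reference before the fd becomes visible to userspace */`, would keep the ordering from being undone by a later cleanup. kvm_ioctl_create_device() begins outside the hunk.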
@@ -6,3 +6,5 @@ vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch
 vsock-cope-with-memory-allocation-failure-at-socket-creation-time.patch
 net-stmmac-fix-a-race-in-eee-enable-callback.patch
 net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch
+hwmon-lm80-fix-missing-unlock-on-error-in-set_fan_div.patch
+kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch