From: Greg Kroah-Hartman
Date: Mon, 15 Apr 2019 08:49:17 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.9.169~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=967aa1baf7e9ddf9a8e321aeed68e9fdf03f8a35;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
        alsa-seq-fix-oob-reads-from-strlcpy.patch
        ip6_tunnel-match-to-arphrd_tunnel6-for-dev-type.patch
        net-ethtool-not-call-vzalloc-for-zero-sized-memory-request.patch
        netns-provide-pure-entropy-for-net_hash_mix.patch
        openvswitch-fix-flow-actions-reallocation.patch
        qmi_wwan-add-olicard-600.patch
        sctp-initialize-_pad-of-sockaddr_in-before-copying-to-user-memory.patch
        tty-ldisc-add-sysctl-to-prevent-autoloading-of-ldiscs.patch
        tty-mark-siemens-r3964-line-discipline-as-broken.patch
---
diff --git a/queue-3.18/alsa-seq-fix-oob-reads-from-strlcpy.patch b/queue-3.18/alsa-seq-fix-oob-reads-from-strlcpy.patch
new file mode 100644
index 00000000000..558b30cca67
--- /dev/null
+++ b/queue-3.18/alsa-seq-fix-oob-reads-from-strlcpy.patch
@@ -0,0 +1,52 @@ +From 212ac181c158c09038c474ba68068be49caecebb Mon Sep 17 00:00:00 2001 +From: Zubin Mithra +Date: Thu, 4 Apr 2019 14:33:55 -0700 +Subject: ALSA: seq: Fix OOB-reads from strlcpy + +From: Zubin Mithra + +commit 212ac181c158c09038c474ba68068be49caecebb upstream. + +When ioctl calls are made with non-null-terminated userspace strings, +strlcpy causes an OOB-read from within strlen. Fix by changing to use +strscpy instead. + +Signed-off-by: Zubin Mithra +Reviewed-by: Guenter Roeck +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info + + /* fill the info fields */ + if (client_info.name[0]) +- strlcpy(client->name, client_info.name, sizeof(client->name)); ++ strscpy(client->name, client_info.name, sizeof(client->name)); + + client->filter = client_info.filter; + client->event_lost = client_info.event_lost; +@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(st + /* set queue name */ + if (! info.name[0]) + snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + queuefree(q); + + if (copy_to_user(arg, &info, sizeof(info))) +@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info( + queuefree(q); + return -EPERM; + } +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + queuefree(q); + + return 0; diff --git a/queue-3.18/ip6_tunnel-match-to-arphrd_tunnel6-for-dev-type.patch b/queue-3.18/ip6_tunnel-match-to-arphrd_tunnel6-for-dev-type.patch new file mode 100644 index 00000000000..fcdb24f0e80 --- /dev/null +++ b/queue-3.18/ip6_tunnel-match-to-arphrd_tunnel6-for-dev-type.patch 
@@ -0,0 +1,50 @@ +From foo@baz Mon Apr 15 07:47:06 CEST 2019 +From: Sheena Mira-ato +Date: Mon, 1 Apr 2019 13:04:42 +1300 +Subject: ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type + +From: Sheena Mira-ato + +[ Upstream commit b2e54b09a3d29c4db883b920274ca8dca4d9f04d ] + +The device type for ip6 tunnels is set to +ARPHRD_TUNNEL6. However, the ip4ip6_err function +is expecting the device type of the tunnel to be +ARPHRD_TUNNEL. Since the device types do not +match, the function exits and the ICMP error +packet is not sent to the originating host. Note +that the device type for IPv4 tunnels is set to +ARPHRD_TUNNEL. + +Fix is to expect a tunnel device type of +ARPHRD_TUNNEL6 instead. Now the tunnel device +type matches and the ICMP error packet is sent +to the originating host. + +Signed-off-by: Sheena Mira-ato +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -638,7 +638,7 @@ ip4ip6_err(struct sk_buff *skb, struct i + IPPROTO_IPIP, + RT_TOS(eiph->tos), 0); + if (IS_ERR(rt) || +- rt->dst.dev->type != ARPHRD_TUNNEL) { ++ rt->dst.dev->type != ARPHRD_TUNNEL6) { + if (!IS_ERR(rt)) + ip_rt_put(rt); + goto out; +@@ -648,7 +648,7 @@ ip4ip6_err(struct sk_buff *skb, struct i + ip_rt_put(rt); + if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos, + skb2->dev) || +- skb_dst(skb2)->dev->type != ARPHRD_TUNNEL) ++ skb_dst(skb2)->dev->type != ARPHRD_TUNNEL6) + goto out; + } + diff --git a/queue-3.18/net-ethtool-not-call-vzalloc-for-zero-sized-memory-request.patch b/queue-3.18/net-ethtool-not-call-vzalloc-for-zero-sized-memory-request.patch new file mode 100644 index 00000000000..84d49a62828 --- /dev/null +++ b/queue-3.18/net-ethtool-not-call-vzalloc-for-zero-sized-memory-request.patch 
@@ -0,0 +1,85 @@ +From foo@baz Mon Apr 15 07:47:06 CEST 2019 +From: Li RongQing +Date: Fri, 29 Mar 2019 09:18:02 +0800 +Subject: net: ethtool: not call vzalloc for zero sized memory request + +From: Li RongQing + +[ Upstream commit 3d8830266ffc28c16032b859e38a0252e014b631 ] + +NULL or ZERO_SIZE_PTR will be returned for zero sized memory +request, and derefencing them will lead to a segfault + +so it is unnecessory to call vzalloc for zero sized memory +request and not call functions which maybe derefence the +NULL allocated memory + +this also fixes a possible memory leak if phy_ethtool_get_stats +returns error, memory should be freed before exit + +Signed-off-by: Li RongQing +Reviewed-by: Wang Li +Reviewed-by: Michal Kubecek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/ethtool.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1257,17 +1257,22 @@ static int ethtool_get_strings(struct ne + + gstrings.len = ret; + +- data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER); +- if (!data) +- return -ENOMEM; ++ if (gstrings.len) { ++ data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER); ++ if (!data) ++ return -ENOMEM; + +- __ethtool_get_strings(dev, gstrings.string_set, data); ++ __ethtool_get_strings(dev, gstrings.string_set, data); ++ } else { ++ data = NULL; ++ } + + ret = -EFAULT; + if (copy_to_user(useraddr, &gstrings, sizeof(gstrings))) + goto out; + useraddr += sizeof(gstrings); +- if (copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) ++ if (gstrings.len && ++ copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) + goto out; + ret = 0; + +@@ -1355,17 +1360,21 @@ static int ethtool_get_stats(struct net_ + return -EFAULT; + + stats.n_stats = n_stats; +- data = kmalloc(n_stats * sizeof(u64), GFP_USER); +- if (!data) +- return -ENOMEM; ++ if (n_stats) { ++ data = kmalloc(n_stats * sizeof(u64), GFP_USER); ++ if 
(!data) ++ return -ENOMEM; + +- ops->get_ethtool_stats(dev, &stats, data); ++ ops->get_ethtool_stats(dev, &stats, data); ++ } else { ++ data = NULL; ++ } + + ret = -EFAULT; + if (copy_to_user(useraddr, &stats, sizeof(stats))) + goto out; + useraddr += sizeof(stats); +- if (copy_to_user(useraddr, data, stats.n_stats * sizeof(u64))) ++ if (n_stats && copy_to_user(useraddr, data, n_stats * sizeof(u64))) + goto out; + ret = 0; + diff --git a/queue-3.18/netns-provide-pure-entropy-for-net_hash_mix.patch b/queue-3.18/netns-provide-pure-entropy-for-net_hash_mix.patch new file mode 100644 index 00000000000..13b9e0c6283 --- /dev/null +++ b/queue-3.18/netns-provide-pure-entropy-for-net_hash_mix.patch 
@@ -0,0 +1,80 @@ +From foo@baz Mon Apr 15 07:47:06 CEST 2019 +From: Eric Dumazet +Date: Wed, 27 Mar 2019 08:21:30 -0700 +Subject: netns: provide pure entropy for net_hash_mix() + +From: Eric Dumazet + +[ Upstream commit 355b98553789b646ed97ad801a619ff898471b92 ] + +net_hash_mix() currently uses kernel address of a struct net, +and is used in many places that could be used to reveal this +address to a patient attacker, thus defeating KASLR, for +the typical case (initial net namespace, &init_net is +not dynamically allocated) + +I believe the original implementation tried to avoid spending +too many cycles in this function, but security comes first. + +Also provide entropy regardless of CONFIG_NET_NS. + +Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes") +Signed-off-by: Eric Dumazet +Reported-by: Amit Klein +Reported-by: Benny Pinkas +Cc: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/net_namespace.h | 2 ++ + include/net/netns/hash.h | 15 ++------------- + net/core/net_namespace.c | 1 + + 3 files changed, 5 insertions(+), 13 deletions(-) + +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -54,6 +54,8 @@ struct net { + #endif + spinlock_t rules_mod_lock; + ++ u32 hash_mix; ++ + struct list_head list; /* list of network namespaces */ + struct list_head cleanup_list; /* namespaces on death row */ + struct list_head exit_list; /* Use only net_mutex */ +--- a/include/net/netns/hash.h ++++ b/include/net/netns/hash.h +@@ -1,21 +1,10 @@ + #ifndef __NET_NS_HASH_H__ + #define __NET_NS_HASH_H__ + +-#include +- +-struct net; ++#include + + static inline unsigned int net_hash_mix(struct net *net) + { +-#ifdef CONFIG_NET_NS +- /* +- * shift this right to eliminate bits, that are +- * always zeroed +- */ +- +- return (unsigned)(((unsigned long)net) >> L1_CACHE_SHIFT); +-#else +- return 0; +-#endif ++ return net->hash_mix; + } + #endif +--- a/net/core/net_namespace.c ++++ 
b/net/core/net_namespace.c +@@ -156,6 +156,7 @@ static __net_init int setup_net(struct n + + atomic_set(&net->count, 1); + atomic_set(&net->passive, 1); ++ get_random_bytes(&net->hash_mix, sizeof(u32)); + net->dev_base_seq = 1; + net->user_ns = user_ns; + diff --git a/queue-3.18/openvswitch-fix-flow-actions-reallocation.patch b/queue-3.18/openvswitch-fix-flow-actions-reallocation.patch new file mode 100644 index 00000000000..757350080b6 --- /dev/null +++ b/queue-3.18/openvswitch-fix-flow-actions-reallocation.patch 
@@ -0,0 +1,65 @@ +From foo@baz Mon Apr 15 10:13:34 CEST 2019 +From: Andrea Righi +Date: Thu, 28 Mar 2019 07:36:00 +0100 +Subject: openvswitch: fix flow actions reallocation + +From: Andrea Righi + +[ Upstream commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb ] + +The flow action buffer can be resized if it's not big enough to contain +all the requested flow actions. However, this resize doesn't take into +account the new requested size, the buffer is only increased by a factor +of 2x. This might be not enough to contain the new data, causing a +buffer overflow, for example: + +[ 42.044472] ============================================================================= +[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten +[ 42.046415] ----------------------------------------------------------------------------- + +[ 42.047715] Disabling lock debugging due to kernel taint +[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc +[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101 +[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb + +[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........ +[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l... +[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x... +[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ............... +[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 .... +[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ + +Fix by making sure the new buffer is properly resized to contain all the +requested data. 
+ +BugLink: https://bugs.launchpad.net/bugs/1813244 +Signed-off-by: Andrea Righi +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/flow_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1261,14 +1261,14 @@ static struct nlattr *reserve_sfa_size(s + + struct sw_flow_actions *acts; + int new_acts_size; +- int req_size = NLA_ALIGN(attr_len); ++ size_t req_size = NLA_ALIGN(attr_len); + int next_offset = offsetof(struct sw_flow_actions, actions) + + (*sfa)->actions_len; + + if (req_size <= (ksize(*sfa) - next_offset)) + goto out; + +- new_acts_size = ksize(*sfa) * 2; ++ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); + + if (new_acts_size > MAX_ACTIONS_BUFSIZE) { + if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) diff --git a/queue-3.18/qmi_wwan-add-olicard-600.patch b/queue-3.18/qmi_wwan-add-olicard-600.patch new file mode 100644 index 00000000000..ba26cb10032 --- /dev/null +++ b/queue-3.18/qmi_wwan-add-olicard-600.patch 
@@ -0,0 +1,59 @@ +From foo@baz Mon Apr 15 10:13:34 CEST 2019 +From: "Bjørn Mork" +Date: Wed, 27 Mar 2019 15:26:01 +0100 +Subject: qmi_wwan: add Olicard 600 + +From: "Bjørn Mork" + +[ Upstream commit 6289d0facd9ebce4cc83e5da39e15643ee998dc5 ] + +This is a Qualcomm based device with a QMI function on interface 4. +It is mode switched from 2020:2030 using a standard eject message. + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2020 ProdID=2031 Rev= 2.32 +S: Manufacturer=Mobile Connect +S: Product=Mobile Connect +S: SerialNumber=0123456789ABCDEF +C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) +E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -759,6 +759,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ ++ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */ + {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ diff --git a/queue-3.18/sctp-initialize-_pad-of-sockaddr_in-before-copying-to-user-memory.patch b/queue-3.18/sctp-initialize-_pad-of-sockaddr_in-before-copying-to-user-memory.patch new file mode 100644 index 00000000000..9ca56f47462 --- /dev/null +++ b/queue-3.18/sctp-initialize-_pad-of-sockaddr_in-before-copying-to-user-memory.patch 
@@ -0,0 +1,55 @@ +From foo@baz Mon Apr 15 10:13:34 CEST 2019 +From: Xin Long +Date: Sun, 31 Mar 2019 16:58:15 +0800 +Subject: sctp: initialize _pad of sockaddr_in before copying to user memory + +From: Xin Long + +[ Upstream commit 09279e615c81ce55e04835970601ae286e3facbe ] + +Syzbot report a kernel-infoleak: + + BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 + Call Trace: + _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 + copy_to_user include/linux/uaccess.h:174 [inline] + sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline] + sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562 + ... + Uninit was stored to memory at: + sctp_transport_init net/sctp/transport.c:61 [inline] + sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115 + sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637 + sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline] + sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361 + ... + Bytes 8-15 of 16 are uninitialized + +It was caused by that th _pad field (the 8-15 bytes) of a v4 addr (saved in +struct sockaddr_in) wasn't initialized, but directly copied to user memory +in sctp_getsockopt_peer_addrs(). + +So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of +sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as +sctp_v6_addr_to_user() does. + +Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Tested-by: Alexander Potapenko +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/protocol.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -578,6 +578,7 @@ out: + static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr) + { + /* No address mapping for V4 sockets */ ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + return sizeof(struct sockaddr_in); + } + 
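Review bot: The sctp fix zeroes sin_zero in the copy-out helper rather than where the address is built (sctp_transport_init, according to the KMSAN trace), so any other path that copies the v4 member of a union sctp_addr to user space without going through sctp_v4_addr_to_user() keeps leaking those eight bytes; clearing the padding when the address is initialised, or auditing the remaining copy_to_user() callers of these addresses, would close the class rather than this one instance. Small changelog mismatch: the message says memset(addr->v4.sin_zero, 0, 8) while the hunk uses sizeof(addr->v4.sin_zero); the sizeof form is the one to keep.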
diff --git a/queue-3.18/series b/queue-3.18/series index 7b077c72888..b5e8fbf707f 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -41,3 +41,12 @@ dmaengine-tegra-avoid-overflow-of-byte-tracking.patch drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch binfmt_elf-switch-to-new-creds-when-switching-to-new-mm.patch lib-string.c-implement-a-basic-bcmp.patch +tty-mark-siemens-r3964-line-discipline-as-broken.patch +tty-ldisc-add-sysctl-to-prevent-autoloading-of-ldiscs.patch +openvswitch-fix-flow-actions-reallocation.patch +qmi_wwan-add-olicard-600.patch +sctp-initialize-_pad-of-sockaddr_in-before-copying-to-user-memory.patch +netns-provide-pure-entropy-for-net_hash_mix.patch +net-ethtool-not-call-vzalloc-for-zero-sized-memory-request.patch +ip6_tunnel-match-to-arphrd_tunnel6-for-dev-type.patch +alsa-seq-fix-oob-reads-from-strlcpy.patch diff --git a/queue-3.18/tty-ldisc-add-sysctl-to-prevent-autoloading-of-ldiscs.patch b/queue-3.18/tty-ldisc-add-sysctl-to-prevent-autoloading-of-ldiscs.patch new file mode 100644 index 00000000000..bfcb72f34d5 --- /dev/null +++ b/queue-3.18/tty-ldisc-add-sysctl-to-prevent-autoloading-of-ldiscs.patch 
@@ -0,0 +1,143 @@ +From 7c0cca7c847e6e019d67b7d793efbbe3b947d004 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 21 Jan 2019 17:26:42 +0100 +Subject: tty: ldisc: add sysctl to prevent autoloading of ldiscs + +From: Greg Kroah-Hartman + +commit 7c0cca7c847e6e019d67b7d793efbbe3b947d004 upstream. + +By default, the kernel will automatically load the module of any line +dicipline that is asked for. As this sometimes isn't the safest thing +to do, provide a sysctl to disable this feature. + +By default, we set this to 'y' as that is the historical way that Linux +has worked, and we do not want to break working systems. But in the +future, perhaps this can default to 'n' to prevent this functionality. + +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/Kconfig | 23 +++++++++++++++++++++++ + drivers/tty/tty_io.c | 3 +++ + drivers/tty/tty_ldisc.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 73 insertions(+) + +--- a/drivers/tty/Kconfig ++++ b/drivers/tty/Kconfig +@@ -419,4 +419,27 @@ config DA_CONSOLE + help + This enables a console on a Dash channel. + ++config LDISC_AUTOLOAD ++ bool "Automatically load TTY Line Disciplines" ++ default y ++ help ++ Historically the kernel has always automatically loaded any ++ line discipline that is in a kernel module when a user asks ++ for it to be loaded with the TIOCSETD ioctl, or through other ++ means. This is not always the best thing to do on systems ++ where you know you will not be using some of the more ++ "ancient" line disciplines, so prevent the kernel from doing ++ this unless the request is coming from a process with the ++ CAP_SYS_MODULE permissions. 
++ ++ Say 'Y' here if you trust your userspace users to do the right ++ thing, or if you have only provided the line disciplines that ++ you know you will be using, or if you wish to continue to use ++ the traditional method of on-demand loading of these modules ++ by any user. ++ ++ This functionality can be changed at runtime with the ++ dev.tty.ldisc_autoload sysctl, this configuration option will ++ only set the default value of this functionality. ++ + endif # TTY +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -492,6 +492,8 @@ static const struct file_operations hung + static DEFINE_SPINLOCK(redirect_lock); + static struct file *redirect; + ++extern void tty_sysctl_init(void); ++ + /** + * tty_wakeup - request more data + * @tty: terminal +@@ -3625,6 +3627,7 @@ void console_sysfs_notify(void) + */ + int __init tty_init(void) + { ++ tty_sysctl_init(); + cdev_init(&tty_cdev, &tty_fops); + if (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1) || + register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, "/dev/tty") < 0) +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -151,6 +151,13 @@ static void put_ldops(struct tty_ldisc_o + * takes tty_ldiscs_lock to guard against ldisc races + */ + ++#if defined(CONFIG_LDISC_AUTOLOAD) ++ #define INITIAL_AUTOLOAD_STATE 1 ++#else ++ #define INITIAL_AUTOLOAD_STATE 0 ++#endif ++static int tty_ldisc_autoload = INITIAL_AUTOLOAD_STATE; ++ + static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + { + struct tty_ldisc *ld; +@@ -165,6 +172,8 @@ static struct tty_ldisc *tty_ldisc_get(s + */ + ldops = get_ldops(disc); + if (IS_ERR(ldops)) { ++ if (!capable(CAP_SYS_MODULE) && !tty_ldisc_autoload) ++ return ERR_PTR(-EPERM); + request_module("tty-ldisc-%d", disc); + ldops = get_ldops(disc); + if (IS_ERR(ldops)) +@@ -831,3 +840,41 @@ void tty_ldisc_begin(void) + /* Setup the default TTY line discipline. 
*/ + (void) tty_register_ldisc(N_TTY, &tty_ldisc_N_TTY); + } ++ ++static int zero; ++static int one = 1; ++static struct ctl_table tty_table[] = { ++ { ++ .procname = "ldisc_autoload", ++ .data = &tty_ldisc_autoload, ++ .maxlen = sizeof(tty_ldisc_autoload), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &zero, ++ .extra2 = &one, ++ }, ++ { } ++}; ++ ++static struct ctl_table tty_dir_table[] = { ++ { ++ .procname = "tty", ++ .mode = 0555, ++ .child = tty_table, ++ }, ++ { } ++}; ++ ++static struct ctl_table tty_root_table[] = { ++ { ++ .procname = "dev", ++ .mode = 0555, ++ .child = tty_dir_table, ++ }, ++ { } ++}; ++ ++void tty_sysctl_init(void) ++{ ++ register_sysctl_table(tty_root_table); ++} diff --git a/queue-3.18/tty-mark-siemens-r3964-line-discipline-as-broken.patch b/queue-3.18/tty-mark-siemens-r3964-line-discipline-as-broken.patch new file mode 100644 index 00000000000..95b5135a6b1 --- /dev/null +++ b/queue-3.18/tty-mark-siemens-r3964-line-discipline-as-broken.patch 
@@ -0,0 +1,45 @@ +From c7084edc3f6d67750f50d4183134c4fb5712a5c8 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Fri, 5 Apr 2019 15:39:26 +0200 +Subject: tty: mark Siemens R3964 line discipline as BROKEN + +From: Greg Kroah-Hartman + +commit c7084edc3f6d67750f50d4183134c4fb5712a5c8 upstream. + +The n_r3964 line discipline driver was written in a different time, when +SMP machines were rare, and users were trusted to do the right thing. +Since then, the world has moved on but not this code, it has stayed +rooted in the past with its lovely hand-crafted list structures and +loads of "interesting" race conditions all over the place. + +After attempting to clean up most of the issues, I just gave up and am +now marking the driver as BROKEN so that hopefully someone who has this +hardware will show up out of the woodwork (I know you are out there!) +and will help with debugging a raft of changes that I had laying around +for the code, but was too afraid to commit as odds are they would break +things. + +Many thanks to Jann and Linus for pointing out the initial problems in +this codebase, as well as many reviews of my attempts to fix the issues. +It was a case of whack-a-mole, and as you can see, the mole won. + +Reported-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds + +--- + drivers/char/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -380,7 +380,7 @@ config XILINX_HWICAP + + config R3964 + tristate "Siemens R3964 line discipline" +- depends on TTY ++ depends on TTY && BROKEN + ---help--- + This driver allows synchronous communication with devices using the + Siemens R3964 packet protocol. Unless you are dealing with special
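Review bot: The alsa-seq patch (first hunk, snd_seq_ioctl_set_client_info) makes this 3.18 backport depend on strscpy(), and nothing in this queue adds that helper; confirm lib/string.c in 3.18.y already carries strscpy() before the series is applied, otherwise all three call sites fail to link. The replacement itself is right for the bug described: strscpy() reads at most sizeof(dest) bytes of the source, so a client_info.name that arrived from user space without a terminator no longer sends strlen() walking past the end of the array. The -E2BIG return on truncation is deliberately unused here, which is fine because the destination is NUL-terminated either way.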
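Review bot: In the alsa-seq create_queue hunk the source is terminated in one branch and not the other: when info.name is empty, snprintf() writes a terminated "Queue-%d", but when the caller supplied a name it may fill the whole array with no NUL, which is exactly the case strscpy() now bounds. Since that copied name is what later readers of q->name rely on, a one-line comment on the user-supplied branch would make the reason for the bounded copy obvious to the next person touching it.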
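Review bot: The ip6_tunnel changelog has no Fixes: tag, although the first hunk corrects a constant that must have been wrong since ip4ip6_err() started comparing rt->dst.dev->type against ARPHRD_TUNNEL; naming that commit would let stable maintainers decide by themselves which trees need the ARPHRD_TUNNEL6 correction instead of tracing the history. Both hunks apply the same one-constant change, and with the right type the early goto out no longer discards every ICMP error for ip4ip6 tunnels, which matches the description.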
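Review bot: In the ethtool_get_strings hunk the explicit data = NULL in the else branch is what keeps the shared exit path safe: data is no longer assigned on the zero-length path, so without it a kfree(data) at out: (not shown in the hunk) would free an uninitialised pointer. The added gstrings.len && guard before copy_to_user() is belt-and-braces, since a zero-length copy never dereferences its source, but it documents the intent at no cost. One documentation point: the changelog's paragraph about a phy_ethtool_get_stats() leak does not match this backport, whose two hunks touch only the generic string and stats paths; a short bracketed backport note saying that paragraph is upstream-only would save stable readers a search.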
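Review bot: In the ethtool_get_stats hunk the allocation size n_stats * sizeof(u64) comes from a driver-reported count, and n_stats is an int (stats.n_stats = n_stats), so a negative value from a misbehaving get_sset_count() passes the new if (n_stats) test and hands a huge size to kmalloc(). If the function does not already reject n_stats < 0 above the hunk (not visible here), an explicit check belongs next to the new one. Also, the copy_to_user() length now uses n_stats where the old line used stats.n_stats; the two are equal at that point, but using one name throughout the function reads cleaner.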
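Review bot: In the netns hash.h hunk, net_hash_mix() now dereferences struct net, so the removed forward declaration struct net; is no longer enough and the replacement #include (its target is not visible in this rendering) must pull in the full struct net definition rather than the cache header the old code needed only for L1_CACHE_SHIFT; otherwise every file that includes netns/hash.h without net/net_namespace.h stops building. Worth one more changelog line: the old #else branch returned 0, so kernels built without CONFIG_NET_NS now get a salted hash as well, which is what the "regardless of CONFIG_NET_NS" sentence refers to.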
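Review bot: In the netns setup_net hunk, get_random_bytes() runs for init_net during early boot, before the random pool is necessarily well seeded; it still returns a value, but the salt for the initial namespace may carry less entropy than the title "pure entropy" suggests. That is still strictly better than deriving the hash from a kernel address, and setup_net() has no sensible blocking alternative, so the limitation only merits a comment next to the call rather than a code change.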
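Review bot: In the openvswitch reserve_sfa_size hunk, new_acts_size is still declared int while both arguments of the new max() are size_t (next_offset + req_size promotes to size_t, and ksize() returns size_t), so the assignment narrows silently; declaring new_acts_size as size_t keeps the comparison with MAX_ACTIONS_BUFSIZE on the following lines unsigned throughout and avoids a sign-compare warning. The substance is right: doubling alone could leave the buffer short of next_offset + req_size, which is the redzone overwrite in the changelog, and max() guarantees the new buffer holds the pending attribute.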
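Review bot: In the tty_io.c hunk, the extern void tty_sysctl_init(void); prototype sits in a .c file instead of a shared header, so the compiler never checks it against the definition in tty_ldisc.c; moving the declaration to a tty header that both files include keeps the two in sync and follows the kernel's usual rule against externs in .c files.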
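Review bot: In the first tty_ldisc.c hunk, the INITIAL_AUTOLOAD_STATE #ifdef block can be collapsed to static int tty_ldisc_autoload = IS_ENABLED(CONFIG_LDISC_AUTOLOAD); which expresses the same default without a temporary macro.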
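Review bot: In the tty_ldisc_get() hunk, the new check evaluates capable(CAP_SYS_MODULE) before tty_ldisc_autoload, so on the default configuration (autoload enabled) every request for an unloaded ldisc still goes through the capability and audit machinery and can log a denial for an unprivileged caller even though the request is then allowed. Reordering to if (!tty_ldisc_autoload && !capable(CAP_SYS_MODULE)) short-circuits in the common case and only consults capabilities when the sysctl actually restricts autoloading.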
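Review bot: In the sysctl table hunk, .proc_handler = proc_dointvec does not honour .extra1 and .extra2; only proc_dointvec_minmax applies those bounds. As written the zero/one limits are dead and any integer, negative values included, can be written to dev.tty.ldisc_autoload. Because tty_ldisc_get() tests !tty_ldisc_autoload, any non-zero value behaves as "enabled", so there is no safety hole, but the table misstates its own policy; use proc_dointvec_minmax so the knob really is a 0/1 switch.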
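Review bot: Marking R3964 as BROKEN in the Kconfig hunk only stops new builds; an n_r3964 module already present on a deployed system still loads on the first TIOCSETD request for that discipline unless autoloading is disabled. Since this same series adds the dev.tty.ldisc_autoload sysctl, the changelog could point administrators at setting it to 0 (or blacklisting the module) as the runtime mitigation until a kernel without the driver is rolled out.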