From: Greg Kroah-Hartman
Date: Mon, 17 Sep 2018 12:06:40 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.18.9~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a47232e3ac11fc1efc818330a624d0a40c8104c3;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
xhci-fix-use-after-free-in-xhci_free_virt_device.patch
---
diff --git a/queue-4.9/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch b/queue-4.9/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
new file mode 100644
index 00000000000..1d771f0d18f
--- /dev/null
+++ b/queue-4.9/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
@@ -0,0 +1,58 @@
+From 0633da48f0793aeba27f82d30605624416723a91 Mon Sep 17 00:00:00 2001
+From: Ian Kent
+Date: Tue, 21 Aug 2018 21:51:45 -0700
+Subject: autofs: fix autofs_sbi() does not check super block type
+
+From: Ian Kent
+
+commit 0633da48f0793aeba27f82d30605624416723a91 upstream.
+
+autofs_sbi() does not check the superblock magic number to verify it has
+been given an autofs super block.
+
+Backport Note: autofs4 has been renamed to autofs upstream. As a result
+the upstream patch does not apply cleanly onto 4.14.y.
+
+Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net
+Reported-by:
+Signed-off-by: Ian Kent
+Reviewed-by: Andrew Morton
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Zubin Mithra
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/autofs4/autofs_i.h | 4 +++-
+ fs/autofs4/inode.c | 1 -
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/autofs4/autofs_i.h
++++ b/fs/autofs4/autofs_i.h
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+
+ /* This is the range of ioctl() numbers we claim as ours */
+ #define AUTOFS_IOC_FIRST AUTOFS_IOC_READY
+@@ -123,7 +124,8 @@ struct autofs_sb_info {
+
+ static inline struct autofs_sb_info *autofs4_sbi(struct super_block *sb)
+ {
+- return (struct autofs_sb_info *)(sb->s_fs_info);
++ return sb->s_magic != AUTOFS_SUPER_MAGIC ?
++ NULL : (struct autofs_sb_info *)(sb->s_fs_info);
+ }
+
+ static inline struct autofs_info *autofs4_dentry_ino(struct dentry *dentry)
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -14,7 +14,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include "autofs_i.h"
+ #include
+
diff --git a/queue-4.9/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch b/queue-4.9/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
new file mode 100644
index 00000000000..9e5ce0f5ac2
--- /dev/null
+++ b/queue-4.9/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
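Review bot: autofs4_sbi() can now return NULL, but nothing next to the helper in fs/autofs4/autofs_i.h tells callers so, and a caller that dereferences the result without a check would trade the superblock type confusion for a NULL pointer dereference. The callers are outside this patch, so whether each one tests the result cannot be confirmed from here and is worth auditing in the 4.9 tree. I would add a comment above the helper, for example `/* Returns NULL when sb is not an autofs super block; callers must check. */`.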
@@ -0,0 +1,50 @@
+From 7233982ade15eeac05c6f351e8d347406e6bcd2f Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Thu, 18 Jan 2018 14:05:05 +0000
+Subject: mtd: ubi: wl: Fix error return code in ubi_wl_init()
+
+From: Wei Yongjun
+
+commit 7233982ade15eeac05c6f351e8d347406e6bcd2f upstream.
+
+Fix to return error code -ENOMEM from the kmem_cache_alloc() error
+handling case instead of 0, as done elsewhere in this function.
+
+Fixes: f78e5623f45b ("ubi: fastmap: Erase outdated anchor PEBs during
+attach")
+Signed-off-by: Wei Yongjun
+Reviewed-by: Boris Brezillon
+Signed-off-by: Richard Weinberger
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/ubi/wl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1615,8 +1615,10 @@ int ubi_wl_init(struct ubi_device *ubi,
+ cond_resched();
+
+ e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+- if (!e)
++ if (!e) {
++ err = -ENOMEM;
+ goto out_free;
++ }
+
+ e->pnum = aeb->pnum;
+ e->ec = aeb->ec;
+@@ -1635,8 +1637,10 @@ int ubi_wl_init(struct ubi_device *ubi,
+ cond_resched();
+
+ e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
+- if (!e)
++ if (!e) {
++ err = -ENOMEM;
+ goto out_free;
++ }
+
+ e->pnum = aeb->pnum;
+ e->ec = aeb->ec;
diff --git a/queue-4.9/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch b/queue-4.9/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
new file mode 100644
index 00000000000..b4738fb5909
--- /dev/null
+++ b/queue-4.9/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
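Review bot: Both allocation-failure branches in drivers/mtd/ubi/wl.c now set `err = -ENOMEM` by hand, which fixes these two loops but leaves the same trap for any other `goto out_free` in ubi_wl_init() that is reached after err has been overwritten with 0. The rest of the function is outside the two hunks, so the remaining kmem_cache_alloc() failure paths should be checked for the same pattern before this is queued. A one-line comment at the first site, such as `/* err may hold 0 from an earlier call here, so set it explicitly */`, would stop a later cleanup from folding the assignment away again.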
@@ -0,0 +1,49 @@
+From e466af75c074e76107ae1cd5a2823e9c61894ffb Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 5 Oct 2017 02:50:07 -0700
+Subject: netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
+
+From: Eric Dumazet
+
+commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.
+
+syzkaller reports an out of bound read in strlcpy(), triggered
+by xt_copy_counters_from_user()
+
+Fix this by using memcpy(), then forcing a zero byte at the last position
+of the destination, as Florian did for the non COMPAT code.
+
+Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Cc: Greg Hackmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/x_tables.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -877,7 +877,7 @@ void *xt_copy_counters_from_user(const v
+ if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
+ return ERR_PTR(-EFAULT);
+
+- strlcpy(info->name, compat_tmp.name, sizeof(info->name));
++ memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
+ info->num_counters = compat_tmp.num_counters;
+ user += sizeof(compat_tmp);
+ } else
+@@ -890,9 +890,9 @@ void *xt_copy_counters_from_user(const v
+ if (copy_from_user(info, user, sizeof(*info)) != 0)
+ return ERR_PTR(-EFAULT);
+
+- info->name[sizeof(info->name) - 1] = '\0';
+ user += sizeof(*info);
+ }
++ info->name[sizeof(info->name) - 1] = '\0';
+
+ size = sizeof(struct xt_counters);
+ size *= info->num_counters;
diff --git a/queue-4.9/series b/queue-4.9/series
index 82497579165..9a62c17ee01 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
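Review bot: The new `memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);` stays in bounds on the source side only if compat_tmp.name is at least as large as info->name, and neither declaration is visible in the hunk. If the two arrays are meant to be the same size, a compile-time check next to the copy would pin that down: `BUILD_BUG_ON(sizeof(info->name) != sizeof(compat_tmp.name));`. The terminator write moved below the if/else now covers both branches, so the copied name is always NUL-terminated before later use. xt_copy_counters_from_user() starts and ends outside these hunks.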
@@ -64,3 +64,7 @@ f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
 nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch
 mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
 rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch
+xhci-fix-use-after-free-in-xhci_free_virt_device.patch
+netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch
+mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
+autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
diff --git a/queue-4.9/xhci-fix-use-after-free-in-xhci_free_virt_device.patch b/queue-4.9/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
new file mode 100644
index 00000000000..36dbb8b8e2a
--- /dev/null
+++ b/queue-4.9/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
@@ -0,0 +1,47 @@
+From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 3 May 2018 17:30:07 +0300
+Subject: xhci: Fix use-after-free in xhci_free_virt_device
+
+From: Mathias Nyman
+
+commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.
+
+KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
+where xhci_free_virt_device() sets slot id to 0 if udev exists:
+if (dev->udev && dev->udev->slot_id)
+ dev->udev->slot_id = 0;
+
+dev->udev will be true even if udev is freed because dev->udev is
+not set to NULL.
+
+set dev->udev pointer to NULL in xhci_free_dev()
+
+The original patch went to stable so this fix needs to be applied
+there as well.
+
+Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
+Cc:
+Reported-by: Guenter Roeck
+Reviewed-by: Guenter Roeck
+Tested-by: Guenter Roeck
+Signed-off-by: Mathias Nyman
+Signed-off-by: Matthias Kaehlcke
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3656,6 +3656,9 @@ void xhci_free_dev(struct usb_hcd *hcd,
+ }
+
+ spin_lock_irqsave(&xhci->lock, flags);
++
++ virt_dev->udev = NULL;
++
+ /* Don't disable the slot if the host controller is dead. */
+ state = readl(&xhci->op_regs->status);
+ if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||
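Review bot: The added `virt_dev->udev = NULL;` in xhci_free_dev() carries no comment, and without the commit message it is not obvious why the pointer is cleared here rather than where the virt device itself is torn down. I would put `/* udev may be freed after this call; clear it so xhci_free_virt_device() never touches a stale pointer */` above the assignment. The hunk also does not show where virt_dev is assigned or whether it can be NULL at this point, so that should be confirmed against the part of the function above the hunk, which both starts and ends outside it.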