From: Greg Kroah-Hartman Date: Thu, 5 Jul 2018 18:20:01 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.14.54~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a67426e6abcb7d8d1e214dc6fb4636d3d2ebbbb4;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: atm-zatm-fix-memcmp-casting.patch net-qmi_wwan-add-netgear-aircard-779s.patch net-sonic-use-dma_mapping_error.patch netfilter-ebtables-handle-string-from-userspace-with-care.patch ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch
---
diff --git a/queue-3.18/atm-zatm-fix-memcmp-casting.patch b/queue-3.18/atm-zatm-fix-memcmp-casting.patch
new file mode 100644
index 00000000000..ab7deada755
--- /dev/null
+++ b/queue-3.18/atm-zatm-fix-memcmp-casting.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu Jul 5 20:19:50 CEST 2018
+From: Ivan Bornyakov
+Date: Fri, 25 May 2018 20:49:52 +0300
+Subject: atm: zatm: fix memcmp casting
+
+From: Ivan Bornyakov
+
+[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ]
+
+memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
+can lose significant bits and get 0 from non-0 value returned by the
+memcmp().
+
+Signed-off-by: Ivan Bornyakov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/zatm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -1148,8 +1148,8 @@ static void eprom_get_byte(struct zatm_d
+ }
+
+
+-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd,
+- int offset, int swap)
++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset,
++ int swap)
+ {
+ unsigned char buf[ZEPROM_SIZE];
+ struct zatm_dev *zatm_dev;
diff --git a/queue-3.18/net-qmi_wwan-add-netgear-aircard-779s.patch b/queue-3.18/net-qmi_wwan-add-netgear-aircard-779s.patch
new file mode 100644
index 00000000000..9dc20990dd0
--- /dev/null
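Review bot: Widening the return type of `eprom_try_esi()` in drivers/atm/zatm.c only removes the truncation if every caller also handles the result as an int, and both the callers and the function body are outside this hunk. If a caller still stores the result in an `unsigned char`, a memcmp() result that is a non-zero multiple of 256 would read as 0 there, which is the failure the commit message describes. Normalising at the return site, for example `return memcmp(...) != 0;` with the existing arguments, would make the result safe for any integer type. A one-line comment above the function saying what a non-zero return means would also document the contract.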
+++ b/queue-3.18/net-qmi_wwan-add-netgear-aircard-779s.patch
@@ -0,0 +1,30 @@
+From foo@baz Thu Jul 5 20:19:50 CEST 2018
+From: Josh Hill
+Date: Sun, 27 May 2018 20:10:41 -0400
+Subject: net: qmi_wwan: Add Netgear Aircard 779S
+
+From: Josh Hill
+
+[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ]
+
+Add support for Netgear Aircard 779S
+
+Signed-off-by: Josh Hill
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -677,6 +677,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
++ {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */
+ {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
+ {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
+ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */
diff --git a/queue-3.18/net-sonic-use-dma_mapping_error.patch b/queue-3.18/net-sonic-use-dma_mapping_error.patch
new file mode 100644
index 00000000000..db05fb982df
--- /dev/null
+++ b/queue-3.18/net-sonic-use-dma_mapping_error.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu Jul 5 20:19:50 CEST 2018
+From: Finn Thain
+Date: Wed, 30 May 2018 13:03:51 +1000
+Subject: net/sonic: Use dma_mapping_error()
+
+From: Finn Thain
+
+[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ]
+
+With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the
+message, "DMA-API: device driver failed to check map error".
+Add the missing dma_mapping_error() call.
+
+Cc: Thomas Bogendoerfer
+Signed-off-by: Finn Thain
+Acked-by: Thomas Bogendoerfer
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/natsemi/sonic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -71,7 +71,7 @@ static int sonic_open(struct net_device
+ for (i = 0; i < SONIC_NUM_RRS; i++) {
+ dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE),
+ SONIC_RBSIZE, DMA_FROM_DEVICE);
+- if (!laddr) {
++ if (dma_mapping_error(lp->device, laddr)) {
+ while(i > 0) { /* free any that were mapped successfully */
+ i--;
+ dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE);
diff --git a/queue-3.18/netfilter-ebtables-handle-string-from-userspace-with-care.patch b/queue-3.18/netfilter-ebtables-handle-string-from-userspace-with-care.patch
new file mode 100644
index 00000000000..61fe41a7d3b
--- /dev/null
+++ b/queue-3.18/netfilter-ebtables-handle-string-from-userspace-with-care.patch
@@ -0,0 +1,100 @@
+From foo@baz Thu Jul 5 20:19:50 CEST 2018
+From: Paolo Abeni
+Date: Fri, 27 Apr 2018 10:45:31 +0200
+Subject: netfilter: ebtables: handle string from userspace with care
+
+From: Paolo Abeni
+
+[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ]
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+ ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+ compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+ compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+ compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+ compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+ compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+ compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+ inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+ compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+ compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+ __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:416 [inline]
+ __se_compat_sys_setsockopt net/compat.c:413 [inline]
+ __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+ do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+ do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1910,7 +1910,8 @@ static int compat_mtw_from_user(struct c
+ int off, pad = 0;
+ unsigned int size_kern, match_size = mwt->match_size;
+
+- strlcpy(name, mwt->u.name, sizeof(name));
++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++ return -EINVAL;
+
+ if (state->buf_kern_start)
+ dst = state->buf_kern_start + state->buf_kern_offset;
diff --git a/queue-3.18/series b/queue-3.18/series
index ae17daf5cfe..cdd72b30034 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -1,3 +1,8 @@
 n_tty-fix-stall-at-n_tty_receive_char_special.patch
 staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch
 x86-boot-fix-early-command-line-parsing-when-matching-at-end.patch
+ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch
+netfilter-ebtables-handle-string-from-userspace-with-care.patch
+atm-zatm-fix-memcmp-casting.patch
+net-qmi_wwan-add-netgear-aircard-779s.patch
+net-sonic-use-dma_mapping_error.patch
diff --git a/queue-3.18/ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch b/queue-3.18/ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch
new file mode 100644
index 00000000000..72aa63861d8
--- /dev/null
+++ b/queue-3.18/ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch
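Review bot: The added `strscpy()` call in `compat_mtw_from_user()` relies on a helper that entered mainline in v4.3, so unless the 3.18.y tree already carries a backport of it this patch will not build; none of the patches named in the queue-3.18/series hunk looks like one. The `sizeof(name)` bound limits the read from `mwt->u.name` as well as the write, but that is only safe if `mwt->u.name` is at least as large as `name`, and both declarations are outside this hunk, so I would confirm the two sizes match. A short comment above the check would help the next reader: `/* name comes from userspace and may be unterminated; reject it rather than truncate */`.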
@@ -0,0 +1,144 @@
+From 781932375ffc6411713ee0926ccae8596ed0261c Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Mon, 28 May 2018 22:04:32 +0200
+Subject: ubi: fastmap: Correctly handle interrupted erasures in EBA
+
+From: Richard Weinberger
+
+commit 781932375ffc6411713ee0926ccae8596ed0261c upstream.
+
+Fastmap cannot track the LEB unmap operation, therefore it can
+happen that after an interrupted erasure the mapping still looks
+good from Fastmap's point of view, while reading from the PEB will
+cause an ECC error and confuses the upper layer.
+
+Instead of teaching users of UBI how to deal with that, we read back
+the VID header and check for errors. If the PEB is empty or shows ECC
+errors we fixup the mapping and schedule the PEB for erasure.
+
+Fixes: dbb7d2a88d2a ("UBI: Add fastmap core")
+Cc:
+Reported-by: martin bayern
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/mtd/ubi/eba.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 91 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -350,6 +350,82 @@ out_unlock:
+ return err;
+ }
+
++#ifdef CONFIG_MTD_UBI_FASTMAP
++/**
++ * check_mapping - check and fixup a mapping
++ * @ubi: UBI device description object
++ * @vol: volume description object
++ * @lnum: logical eraseblock number
++ * @pnum: physical eraseblock number
++ *
++ * Checks whether a given mapping is valid. Fastmap cannot track LEB unmap
++ * operations, if such an operation is interrupted the mapping still looks
++ * good, but upon first read an ECC is reported to the upper layer.
++ * Normaly during the full-scan at attach time this is fixed, for Fastmap
++ * we have to deal with it while reading.
++ * If the PEB behind a LEB shows this symthom we change the mapping to
++ * %UBI_LEB_UNMAPPED and schedule the PEB for erasure.
++ *
++ * Returns 0 on success, negative error code in case of failure.
++ */
++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
++ int *pnum)
++{
++ int err;
++ struct ubi_vid_hdr *vid_hdr;
++
++ if (!ubi->fast_attach)
++ return 0;
++
++ vid_hdr = ubi_zalloc_vid_hdr(ubi, GFP_NOFS);
++ if (!vid_hdr)
++ return -ENOMEM;
++
++ err = ubi_io_read_vid_hdr(ubi, *pnum, vid_hdr, 0);
++ if (err > 0 && err != UBI_IO_BITFLIPS) {
++ int torture = 0;
++
++ switch (err) {
++ case UBI_IO_FF:
++ case UBI_IO_FF_BITFLIPS:
++ case UBI_IO_BAD_HDR:
++ case UBI_IO_BAD_HDR_EBADMSG:
++ break;
++ default:
++ ubi_assert(0);
++ }
++
++ if (err == UBI_IO_BAD_HDR_EBADMSG || err == UBI_IO_FF_BITFLIPS)
++ torture = 1;
++
++ down_read(&ubi->fm_sem);
++ vol->eba_tbl[lnum] = UBI_LEB_UNMAPPED;
++ up_read(&ubi->fm_sem);
++ ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture);
++
++ *pnum = UBI_LEB_UNMAPPED;
++ } else if (err < 0) {
++ ubi_err("unable to read VID header back from PEB %i: %i",
++ *pnum, err);
++
++ goto out_free;
++ }
++
++ err = 0;
++
++out_free:
++ ubi_free_vid_hdr(ubi, vid_hdr);
++
++ return err;
++}
++#else
++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
++ int *pnum)
++{
++ return 0;
++}
++#endif
++
+ /**
+ * ubi_eba_read_leb - read data.
+ * @ubi: UBI device description object
+@@ -381,7 +457,13 @@ int ubi_eba_read_leb(struct ubi_device *
+ return err;
+
+ pnum = vol->eba_tbl[lnum];
+- if (pnum < 0) {
++ if (pnum >= 0) {
++ err = check_mapping(ubi, vol, lnum, &pnum);
++ if (err < 0)
++ goto out_unlock;
++ }
++
++ if (pnum == UBI_LEB_UNMAPPED) {
+ /*
+ * The logical eraseblock is not mapped, fill the whole buffer
+ * with 0xFF bytes. The exception is static volumes for which
+@@ -627,6 +709,14 @@ int ubi_eba_write_leb(struct ubi_device
+
+ pnum = vol->eba_tbl[lnum];
+ if (pnum >= 0) {
++ err = check_mapping(ubi, vol, lnum, &pnum);
++ if (err < 0) {
++ leb_write_unlock(ubi, vol_id, lnum);
++ return err;
++ }
++ }
++
++ if (pnum >= 0) {
+ dbg_eba("write %d bytes at offset %d of LEB %d:%d, PEB %d",
+ len, offset, vol_id, lnum, pnum);
+
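Review bot: In `check_mapping()` the return value of `ubi_wl_put_peb()` is discarded and `err` is then set to 0, so a failure to schedule the PEB for erasure is reported to `ubi_eba_read_leb()` and `ubi_eba_write_leb()` as success. Assuming it returns a negative error code like the other UBI calls in this function, `err = ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture);` followed by `if (err) goto out_free;` would propagate it. The `default: ubi_assert(0);` arm also continues into the unmap, so an unexpected positive code still drops the mapping when assertions are compiled out. The read path now writes `vol->eba_tbl[lnum]`; the LEB lock it runs under is taken outside these hunks, so it is worth confirming that two readers of the same LEB cannot both reach `ubi_wl_put_peb()` for one PEB. The kernel-doc comment has two typos, `Normaly` and `symthom`.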