From: Greg Kroah-Hartman
Date: Wed, 26 Feb 2020 08:41:16 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.4.215~84
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abee810b4dd45837a1a3642ed322ab9e61d08413;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
floppy-check-fdc-index-for-errors-before-assigning-it.patch
staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
vt-selection-handle-pending-signals-in-paste_selection.patch
---
diff --git a/queue-4.14/floppy-check-fdc-index-for-errors-before-assigning-it.patch b/queue-4.14/floppy-check-fdc-index-for-errors-before-assigning-it.patch
new file mode 100644
index 00000000000..b0495148dea
--- /dev/null
+++ b/queue-4.14/floppy-check-fdc-index-for-errors-before-assigning-it.patch
@@ -0,0 +1,65 @@
+From 2e90ca68b0d2f5548804f22f0dd61145516171e3 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Fri, 21 Feb 2020 12:43:35 -0800
+Subject: floppy: check FDC index for errors before assigning it
+
+From: Linus Torvalds
+
+commit 2e90ca68b0d2f5548804f22f0dd61145516171e3 upstream.
+
+Jordy Zomer reported a KASAN out-of-bounds read in the floppy driver in
+wait_til_ready().
+
+Which on the face of it can't happen, since as Willy Tarreau points out,
+the function does no particular memory access. Except through the FDCS
+macro, which just indexes a static allocation through teh current fdc,
+which is always checked against N_FDC.
+
+Except the checking happens after we've already assigned the value.
+
+The floppy driver is a disgrace (a lot of it going back to my original
+horrd "design"), and has no real maintainer. Nobody has the hardware,
+and nobody really cares. But it still gets used in virtual environment
+because it's one of those things that everybody supports.
+
+The whole thing should be re-written, or at least parts of it should be
+seriously cleaned up. The 'current fdc' index, which is used by the
+FDCS macro, and which is often shadowed by a local 'fdc' variable, is a
+prime example of how not to write code.
+
+But because nobody has the hardware or the motivation, let's just fix up
+the immediate problem with a nasty band-aid: test the fdc index before
+actually assigning it to the static 'fdc' variable.
+
+Reported-by: Jordy Zomer
+Cc: Willy Tarreau
+Cc: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -848,14 +848,17 @@ static void reset_fdc_info(int mode)
+ /* selects the fdc and drive, and enables the fdc's input/dma.
*/
+ static void set_fdc(int drive)
+ {
++ unsigned int new_fdc = fdc;
++
+ if (drive >= 0 && drive < N_DRIVE) {
+- fdc = FDC(drive);
++ new_fdc = FDC(drive);
+ current_drive = drive;
+ }
+- if (fdc != 1 && fdc != 0) {
++ if (new_fdc >= N_FDC) {
+ pr_info("bad fdc value\n");
+ return;
+ }
++ fdc = new_fdc;
+ set_dor(fdc, ~0, 8);
+ #if N_FDC > 1
+ set_dor(1 - fdc, ~8, 0);
diff --git a/queue-4.14/series b/queue-4.14/series
index 4bf4199942a..444e5bd0c24 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -172,3 +172,7 @@ thunderbolt-prevent-crash-if-non-active-nvmem-file-is-read.patch
 usb-misc-iowarrior-add-support-for-2-oemed-devices.patch
 usb-misc-iowarrior-add-support-for-the-28-and-28l-devices.patch
 usb-misc-iowarrior-add-support-for-the-100-device.patch
+floppy-check-fdc-index-for-errors-before-assigning-it.patch
+vt-selection-handle-pending-signals-in-paste_selection.patch
+staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
+staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
diff --git a/queue-4.14/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch b/queue-4.14/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
new file mode 100644
index 00000000000..6ead320363c
--- /dev/null
+++ b/queue-4.14/staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
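Review bot: `current_drive = drive;` (the context line right after the new `new_fdc = FDC(drive);`) is still written before the `new_fdc >= N_FDC` check, so a rejected controller index leaves current_drive pointing at a drive whose controller was never selected while fdc keeps its previous value; moving that assignment below the check, next to `fdc = new_fdc;`, keeps the two globals consistent on the error path. The rejection message also drops the value that was rejected, which is exactly what a report like the one that motivated this fix needs: `pr_info("bad fdc value %u\n", new_fdc);`. If FDC() can ever produce a negative int, the unsigned comparison only catches it through wraparound, and that deserves a one-line comment on the `unsigned int new_fdc = fdc;` declaration. set_fdc continues past the end of the hunk.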
@@ -0,0 +1,73 @@
+From 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan
+Date: Mon, 27 Jan 2020 15:56:16 -0800
+Subject: staging: android: ashmem: Disallow ashmem memory from being remapped
+
+From: Suren Baghdasaryan
+
+commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream.
+
+When ashmem file is mmapped, the resulting vma->vm_file points to the
+backing shmem file with the generic fops that do not check ashmem
+permissions like fops of ashmem do. If an mremap is done on the ashmem
+region, then the permission checks will be skipped. Fix that by disallowing
+mapping operation on the backing shmem file.
+
+Reported-by: Jann Horn
+Signed-off-by: Suren Baghdasaryan
+Cc: stable # 4.4,4.9,4.14,4.18,5.4
+Signed-off-by: Todd Kjos
+Reviewed-by: Joel Fernandes (Google)
+Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/android/ashmem.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -361,8 +361,23 @@ static inline vm_flags_t calc_vm_may_fla
+ _calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC);
+ }
+
++static int ashmem_vmfile_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ /* do not allow to mmap ashmem backing shmem file directly */
++ return -EPERM;
++}
++
++static unsigned long
++ashmem_vmfile_get_unmapped_area(struct file *file, unsigned long addr,
++ unsigned long len, unsigned long pgoff,
++ unsigned long flags)
++{
++ return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
++}
++
+ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
+ {
++ static struct file_operations vmfile_fops;
+ struct ashmem_area *asma = file->private_data;
+ int ret = 0;
+
+@@ -403,6 +418,19 @@ static int ashmem_mmap(struct file *file
+ }
+ vmfile->f_mode |= FMODE_LSEEK;
+ asma->file = vmfile;
++ /*
++ * override mmap
operation of the vmfile so that it can't be
++ * remapped which would lead to creation of a new vma with no
++ * asma permission checks. Have to override get_unmapped_area
++ * as well to prevent VM_BUG_ON check for f_ops modification.
++ */
++ if (!vmfile_fops.mmap) {
++ vmfile_fops = *vmfile->f_op;
++ vmfile_fops.mmap = ashmem_vmfile_mmap;
++ vmfile_fops.get_unmapped_area =
++ ashmem_vmfile_get_unmapped_area;
++ }
++ vmfile->f_op = &vmfile_fops;
+ }
+ get_file(asma->file);
+
diff --git a/queue-4.14/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch b/queue-4.14/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
new file mode 100644
index 00000000000..4315474006e
--- /dev/null
+++ b/queue-4.14/staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
@@ -0,0 +1,36 @@
+From 93134df520f23f4e9998c425b8987edca7016817 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley
+Date: Tue, 4 Feb 2020 19:34:02 +0000
+Subject: staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
+
+From: Malcolm Priestley
+
+commit 93134df520f23f4e9998c425b8987edca7016817 upstream.
+
+bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
+values add minus operator to always yield positive.
+
+fixes issue where rx sensitivity is always set to maximum because
+the unsigned numbers were always greater then 100.
+
+Fixes: 63b9907f58f1 ("staging: vt6656: mac80211 conversion: create rx function.")
+Cc: stable
+Signed-off-by: Malcolm Priestley
+Link: https://lore.kernel.org/r/aceac98c-6e69-3ce1-dfec-2bf27b980221@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/vt6656/dpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6656/dpc.c
++++ b/drivers/staging/vt6656/dpc.c
+@@ -140,7 +140,7 @@ int vnt_rx_data(struct vnt_private *priv
+
+ vnt_rf_rssi_to_dbm(priv, *rssi, &rx_dbm);
+
+- priv->bb_pre_ed_rssi = (u8)rx_dbm + 1;
++ priv->bb_pre_ed_rssi = (u8)-rx_dbm + 1;
+ priv->current_rssi = priv->bb_pre_ed_rssi;
+
+ frame = skb_data + 8;
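Review bot: The one-time initialisation of the function-static `vmfile_fops` in the `if (!vmfile_fops.mmap)` block copies an entire struct file_operations from the first mapper's `vmfile->f_op`; unless ashmem_mutex is held across this point (the lock and unlock are outside the hunk), two first-time callers can both observe mmap == NULL and race on the copy, and a concurrent mapper could see a half-written table through `vmfile->f_op`. The block also silently assumes every vmfile created here carries the same f_op, which is worth stating next to the check, e.g. `/* all vmfiles share the shmem fops; copied once, serialized by ashmem_mutex */` if that is indeed the case. `ashmem_vmfile_get_unmapped_area` always routes to `current->mm->get_unmapped_area` rather than to the original handler saved in the copy, so any placement logic the backing file's own get_unmapped_area implemented is bypassed; if that is intentional and only meant to satisfy the VM_BUG_ON the comment mentions, the helper should say so in its own comment. ashmem_mmap continues outside the hunk.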
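Review bot: `priv->bb_pre_ed_rssi = (u8)-rx_dbm + 1;` parses as `((u8)(-rx_dbm)) + 1`, so the cast truncates before the increment and a magnitude of 255 or more, or a non-negative rx_dbm, silently wraps to a small value instead of being caught; clamping makes the intent explicit, e.g. `priv->bb_pre_ed_rssi = clamp_t(long, -rx_dbm + 1, 0, 255);`, assuming rx_dbm is the signed long the commit message implies. A short comment on the line, `/* rx_dbm is negative dBm; store its magnitude */`, would spare the next reader from re-deriving the sign fix. vnt_rx_data continues outside the hunk.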
diff --git a/queue-4.14/vt-selection-handle-pending-signals-in-paste_selection.patch b/queue-4.14/vt-selection-handle-pending-signals-in-paste_selection.patch
new file mode 100644
index 00000000000..b824194e71e
--- /dev/null
+++ b/queue-4.14/vt-selection-handle-pending-signals-in-paste_selection.patch
@@ -0,0 +1,72 @@
+From 687bff0cd08f790d540cfb7b2349f0d876cdddec Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Mon, 10 Feb 2020 09:11:30 +0100
+Subject: vt: selection, handle pending signals in paste_selection
+
+From: Jiri Slaby
+
+commit 687bff0cd08f790d540cfb7b2349f0d876cdddec upstream.
+
+When pasting a selection to a vt, the task is set as INTERRUPTIBLE while
+waiting for a tty to unthrottle. But signals are not handled at all.
+Normally, this is not a problem as tty_ldisc_receive_buf receives all
+the goods and a user has no reason to interrupt the task.
+
+There are two scenarios where this matters:
+1) when the tty is throttled and a signal is sent to the process, it
+ spins on a CPU until the tty is unthrottled. schedule() does not
+ really echedule, but returns immediately, of course.
+2) when the sel_buffer becomes invalid, KASAN prevents any reads from it
+ and the loop simply does not proceed and spins forever (causing the
+ tty to throttle, but the code never sleeps, the same as above). This
+ sometimes happens as there is a race in the sel_buffer handling code.
+
+So add signal handling to this ioctl (TIOCL_PASTESEL) and return -EINTR
+in case a signal is pending.
+
+Signed-off-by: Jiri Slaby
+Cc: stable
+Link: https://lore.kernel.org/r/20200210081131.23572-1-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/vt/selection.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/selection.c
++++ b/drivers/tty/vt/selection.c
+@@ -27,6 +27,8 @@
+ #include
+ #include
+
++#include
++
+ /* Don't take this from : 011-015 on the screen aren't spaces */
+ #define isspace(c) ((c) == ' ')
+
+@@ -338,6 +340,7 @@ int paste_selection(struct tty_struct *t
+ unsigned int count;
+ struct tty_ldisc *ld;
+ DECLARE_WAITQUEUE(wait, current);
++ int ret = 0;
+
+ console_lock();
+ poke_blanked_console();
+@@ -351,6 +354,10 @@ int paste_selection(struct tty_struct *t
+ add_wait_queue(&vc->paste_wait, &wait);
+ while (sel_buffer && sel_buffer_lth > pasted) {
+ set_current_state(TASK_INTERRUPTIBLE);
++ if (signal_pending(current)) {
++ ret = -EINTR;
++ break;
++ }
+ if (tty_throttled(tty)) {
+ schedule();
+ continue;
+@@ -366,5 +373,5 @@ int paste_selection(struct tty_struct *t
+
+ tty_buffer_unlock_exclusive(&vc->port);
+ tty_ldisc_deref(ld);
+- return 0;
++ return ret;
+ }
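Review bot: The new `break` on `signal_pending(current)` exits the loop with the task still in TASK_INTERRUPTIBLE, set on the line just above it; whether the code after the loop restores TASK_RUNNING before `return ret;` is outside the hunk and should be confirmed, since returning to user space in a sleeping state is a bug. -EINTR can also be returned after part of the selection has already been handed to the line discipline (the `pasted` bytes), so the caller cannot tell how much was delivered; a comment at the break, `/* partial paste: bytes up to pasted were already delivered */`, and a sentence in the function header describing the partial-paste semantics of -EINTR would make that explicit. paste_selection starts before its first hunk and its loop body continues past the third.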