From: Greg Kroah-Hartman Date: Mon, 22 May 2017 16:38:23 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.55~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=acde252e1a6f61c273c4f0c48f14eed6caab2cf1;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ath9k_htc-fix-null-deref-at-probe.patch ima-accept-previously-set-ima_new_file.patch regulator-tps65023-fix-inverted-core-enable-logic.patch --- diff --git a/queue-3.18/ath9k_htc-fix-null-deref-at-probe.patch b/queue-3.18/ath9k_htc-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..3911561aed2 --- /dev/null +++ b/queue-3.18/ath9k_htc-fix-null-deref-at-probe.patch @@ -0,0 +1,34 @@ +From ebeb36670ecac36c179b5fb5d5c88ff03ba191ec Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:44:20 +0100 +Subject: ath9k_htc: fix NULL-deref at probe + +From: Johan Hovold + +commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1143,6 +1143,9 @@ static int send_eject_command(struct usb + u8 bulk_out_ep; + int r; + ++ if (iface_desc->desc.bNumEndpoints < 2) ++ return -ENODEV; ++ + /* Find bulk out endpoint */ + for (r = 1; r >= 0; r--) { + endpoint = &iface_desc->endpoint[r].desc; diff --git a/queue-3.18/ima-accept-previously-set-ima_new_file.patch b/queue-3.18/ima-accept-previously-set-ima_new_file.patch new file mode 100644 index 00000000000..9b6b52e8acd --- /dev/null +++ b/queue-3.18/ima-accept-previously-set-ima_new_file.patch @@ -0,0 +1,52 @@ +From 1ac202e978e18f045006d75bd549612620c6ec3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= +Date: Fri, 24 Feb 2017 15:05:14 +0100 +Subject: ima: accept previously set IMA_NEW_FILE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Glöckner + +commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream. + +Modifying the attributes of a file makes ima_inode_post_setattr reset +the IMA cache flags. So if the file, which has just been created, +is opened a second time before the first file descriptor is closed, +verification fails since the security.ima xattr has not been written +yet. We therefore have to look at the IMA_NEW_FILE even if the file +already existed. + +With this patch there should no longer be an error when cat tries to +open testfile: + +$ rm -f testfile +$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile + +A file being new is no reason to accept that it is missing a digital +signature demanded by the policy. + +Signed-off-by: Daniel Glöckner +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_appraise.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -203,10 +203,11 @@ int ima_appraise_measurement(int func, s + + cause = "missing-hash"; + status = INTEGRITY_NOLABEL; +- if (opened & FILE_CREATED) { ++ if (opened & FILE_CREATED) + iint->flags |= IMA_NEW_FILE; ++ if ((iint->flags & IMA_NEW_FILE) && ++ !(iint->flags & IMA_DIGSIG_REQUIRED)) + status = INTEGRITY_PASS; +- } + goto out; + } + diff --git a/queue-3.18/regulator-tps65023-fix-inverted-core-enable-logic.patch b/queue-3.18/regulator-tps65023-fix-inverted-core-enable-logic.patch new file mode 100644 index 00000000000..63709139a33 --- /dev/null +++ b/queue-3.18/regulator-tps65023-fix-inverted-core-enable-logic.patch @@ -0,0 +1,43 @@ +From c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 Mon Sep 17 00:00:00 2001 +From: Richard Cochran +Date: Mon, 17 Apr 2017 10:23:36 +0200 +Subject: regulator: tps65023: Fix inverted core enable logic. + +From: Richard Cochran + +commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream. + +Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use +regmap_read/write(), regmap_update_bits functions directly") intended +to replace working inline helper functions with standard regmap +calls. However, it also inverted the set/clear logic of the "CORE ADJ +Allowed" bit. That patch was clearly never tested, since without that +bit cleared, the core VDCDC1 voltage output does not react to I2C +configuration changes. + +This patch fixes the issue by clearing the bit as in the original, +correct implementation. Note for stable back porting that, due to +subsequent driver churn, this patch will not apply on every kernel +version. + +Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly") +Signed-off-by: Richard Cochran +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/tps65023-regulator.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/regulator/tps65023-regulator.c ++++ b/drivers/regulator/tps65023-regulator.c +@@ -290,8 +290,7 @@ static int tps_65023_probe(struct i2c_cl + + /* Enable setting output voltage by I2C */ + regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2, +- TPS65023_REG_CTRL2_CORE_ADJ, +- TPS65023_REG_CTRL2_CORE_ADJ); ++ TPS65023_REG_CTRL2_CORE_ADJ, 0); + + return 0; + } diff --git a/queue-3.18/series b/queue-3.18/series index 53018ae1173..b962bc47a55 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -7,3 +7,6 @@ dm-bufio-avoid-a-possible-abba-deadlock.patch dm-thin-metadata-call-precommit-before-saving-the-roots.patch dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch +ima-accept-previously-set-ima_new_file.patch +regulator-tps65023-fix-inverted-core-enable-logic.patch +ath9k_htc-fix-null-deref-at-probe.patch