From: Greg Kroah-Hartman Date: Tue, 27 Jan 2015 23:18:36 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.67~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd14be309701f0e98496d07d4525beadae863b58;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: keys-close-race-between-key-lookup-and-freeing.patch sata_dwc_460ex-fix-resource-leak-on-error-path.patch
---
diff --git a/queue-3.14/keys-close-race-between-key-lookup-and-freeing.patch b/queue-3.14/keys-close-race-between-key-lookup-and-freeing.patch
new file mode 100644
index 00000000000..85606c60b2b
--- /dev/null
+++ b/queue-3.14/keys-close-race-between-key-lookup-and-freeing.patch
@@ -0,0 +1,48 @@
+From a3a8784454692dd72e5d5d34dcdab17b4420e74c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Dec 2014 09:39:01 -0500
+Subject: KEYS: close race between key lookup and freeing
+
+From: Sasha Levin
+
+commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
+
+When a key is being garbage collected, it's key->user would get put before
+the ->destroy() callback is called, where the key is removed from it's
+respective tracking structures.
+
+This leaves a key hanging in a semi-invalid state which leaves a window open
+for a different task to try an access key->user. An example is
+find_keyring_by_name() which would dereference key->user for a key that is
+in the process of being garbage collected (where key->user was freed but
+->destroy() wasn't called yet - so it's still present in the linked list).
+
+This would cause either a panic, or corrupt memory.
+
+Fixes CVE-2014-9529.
+
+Signed-off-by: Sasha Levin
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/gc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -157,12 +157,12 @@ static noinline void key_gc_unused_keys(
+ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
+ atomic_dec(&key->user->nikeys);
+
+- key_user_put(key->user);
+-
+ /* now throw away the key memory */
+ if (key->type->destroy)
+ key->type->destroy(key);
+
++ key_user_put(key->user);
++
+ kfree(key->description);
+
+ #ifdef KEY_DEBUGGING
diff --git a/queue-3.14/sata_dwc_460ex-fix-resource-leak-on-error-path.patch b/queue-3.14/sata_dwc_460ex-fix-resource-leak-on-error-path.patch
new file mode 100644
index 00000000000..e63b6c725fe
--- /dev/null
+++ b/queue-3.14/sata_dwc_460ex-fix-resource-leak-on-error-path.patch
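Review bot: Nothing in the reordered code in key_gc_unused_keys() records why `key_user_put(key->user)` has to come after the `->destroy()` call, so a later cleanup could move it back and reopen the window the commit message describes. A short comment above the moved call would pin the ordering, for example `/* Drop the key_user ref only after ->destroy() has unlinked the key; lookups may still read key->user until then. */`. The `atomic_dec(&key->user->nikeys)` in the context lines above also reads key->user, which is consistent with the new order because the reference is still held there. The body of key_gc_unused_keys() starts and ends outside the hunk.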
@@ -0,0 +1,111 @@
+From 4aaa71873ddb9faf4b0c4826579e2f6d18ff9ab4 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Wed, 7 Jan 2015 15:24:19 +0200
+Subject: sata_dwc_460ex: fix resource leak on error path
+
+From: Andy Shevchenko
+
+commit 4aaa71873ddb9faf4b0c4826579e2f6d18ff9ab4 upstream.
+
+DMA mapped IO should be unmapped on the error path in probe() and
+unconditionally on remove().
+
+Fixes: 62936009f35a ([libata] Add 460EX on-chip SATA driver, sata_dwc_460ex)
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/sata_dwc_460ex.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/ata/sata_dwc_460ex.c
++++ b/drivers/ata/sata_dwc_460ex.c
+@@ -799,7 +799,7 @@ static int dma_dwc_init(struct sata_dwc_
+ if (err) {
+ dev_err(host_pvt.dwc_dev, "%s: dma_request_interrupts returns"
+ " %d\n", __func__, err);
+- goto error_out;
++ return err;
+ }
+
+ /* Enabe DMA */
+@@ -810,11 +810,6 @@ static int dma_dwc_init(struct sata_dwc_
+ sata_dma_regs);
+
+ return 0;
+-
+-error_out:
+- dma_dwc_exit(hsdev);
+-
+- return err;
+ }
+
+ static int sata_dwc_scr_read(struct ata_link *link, unsigned int scr, u32 *val)
+@@ -1664,7 +1659,7 @@ static int sata_dwc_probe(struct platfor
+ char *ver = (char *)&versionr;
+ u8 *base = NULL;
+ int err = 0;
+- int irq, rc;
++ int irq;
+ struct ata_host *host;
+ struct ata_port_info pi = sata_dwc_port_info[0];
+ const struct ata_port_info *ppi[] = { &pi, NULL };
+@@ -1727,7 +1722,7 @@ static int sata_dwc_probe(struct platfor
+ if (irq == NO_IRQ) {
+ dev_err(&ofdev->dev, "no SATA DMA irq\n");
+ err = -ENODEV;
+- goto error_out;
++ goto error_iomap;
+ }
+
+ /* Get physical SATA DMA register base address */
+@@ -1736,14 +1731,16 @@ static int sata_dwc_probe(struct platfor
+ dev_err(&ofdev->dev, "ioremap failed for AHBDMA register"
+ " address\n");
+ err = -ENODEV;
+- goto error_out;
++ goto error_iomap;
+ }
+
+ /* Save dev for later use in dev_xxx() routines */
+ host_pvt.dwc_dev = &ofdev->dev;
+
+ /* Initialize AHB DMAC */
+- dma_dwc_init(hsdev, irq);
++ err = dma_dwc_init(hsdev, irq);
++ if (err)
++ goto error_dma_iomap;
+
+ /* Enable SATA Interrupts */
+ sata_dwc_enable_interrupts(hsdev);
+@@ -1761,9 +1758,8 @@ static int sata_dwc_probe(struct platfor
+ * device discovery process, invoking our port_start() handler &
+ * error_handler() to execute a dummy Softreset EH session
+ */
+- rc = ata_host_activate(host, irq, sata_dwc_isr, 0, &sata_dwc_sht);
+-
+- if (rc != 0)
++ err = ata_host_activate(host, irq, sata_dwc_isr, 0, &sata_dwc_sht);
++ if (err)
+ dev_err(&ofdev->dev, "failed to activate host");
+
+ dev_set_drvdata(&ofdev->dev, host);
+@@ -1772,7 +1768,8 @@ static int sata_dwc_probe(struct platfor
+ error_out:
+ /* Free SATA DMA resources */
+ dma_dwc_exit(hsdev);
+-
++error_dma_iomap:
++ iounmap((void __iomem *)host_pvt.sata_dma_regs);
+ error_iomap:
+ iounmap(base);
+ error_kmalloc:
+@@ -1793,6 +1790,7 @@ static int sata_dwc_remove(struct platfo
+ /* Free SATA DMA resources */
+ dma_dwc_exit(hsdev);
+
++ iounmap((void __iomem *)host_pvt.sata_dma_regs);
+ iounmap(hsdev->reg_base);
+ kfree(hsdev);
+ kfree(host);
diff --git a/queue-3.14/series b/queue-3.14/series
index 5187fc3aa62..19312e5bd85 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -28,3 +28,5 @@ x86-tls-ldt-stop-checking-lm-in-ldt_empty.patch
 x86-tls-interpret-an-all-zero-struct-user_desc-as-no-segment.patch
 x86-apic-re-enable-pci_msi-support-for-non-smp-x86_32.patch
 x86-asm-traps-disable-tracing-and-kprobes-in-fixup_bad_iret-and-sync_regs.patch
+sata_dwc_460ex-fix-resource-leak-on-error-path.patch
+keys-close-race-between-key-lookup-and-freeing.patch
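Review bot: In the sata_dwc_probe() hunk at -1761 of the sata_dwc_460ex patch, a failing ata_host_activate() is still only logged: `err` now carries the code, but the `if (err)` branch falls through to `dev_set_drvdata()` and never jumps to the unwind labels. On that path the DMA setup and both mappings stay in place, and the probe presumably still reports success (the return statement lies outside the hunk). Since this patch is about the error path, the branch could become `if (err) { dev_err(&ofdev->dev, "failed to activate host"); goto error_out; }`. The body of sata_dwc_probe() starts and ends outside the hunks shown.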