From: Greg Kroah-Hartman Date: Thu, 13 Sep 2018 07:19:12 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.4.156~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=de7fe696e9d587511983cb1ba187aac339ddc8eb;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: enic-do-not-call-enic_change_mtu-in-enic_probe.patch fixes-commit-86af955d02bb-mm-numa-avoid-waiting-on-freed-migrated-pages.patch irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch --- diff --git a/queue-3.18/enic-do-not-call-enic_change_mtu-in-enic_probe.patch b/queue-3.18/enic-do-not-call-enic_change_mtu-in-enic_probe.patch new file mode 100644 index 00000000000..a38b1065c38 --- /dev/null +++ b/queue-3.18/enic-do-not-call-enic_change_mtu-in-enic_probe.patch 
@@ -0,0 +1,43 @@ +From cb5c6568867325f9905e80c96531d963bec8e5ea Mon Sep 17 00:00:00 2001 +From: Govindarajulu Varadarajan +Date: Mon, 30 Jul 2018 09:56:54 -0700 +Subject: enic: do not call enic_change_mtu in enic_probe + +From: Govindarajulu Varadarajan + +commit cb5c6568867325f9905e80c96531d963bec8e5ea upstream. + +In commit ab123fe071c9 ("enic: handle mtu change for vf properly") +ASSERT_RTNL() is added to _enic_change_mtu() to prevent it from being +called without rtnl held. enic_probe() calls enic_change_mtu() +without rtnl held. At this point netdev is not registered yet. +Remove call to enic_change_mtu and assign the mtu to netdev->mtu. + +Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly") +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2496,7 +2496,6 @@ static int enic_probe(struct pci_dev *pd + */ + + enic->port_mtu = enic->config.mtu; +- (void)enic_change_mtu(netdev, enic->port_mtu); + + err = enic_set_mac_addr(netdev, enic->mac_addr); + if (err) { +@@ -2545,6 +2544,7 @@ static int enic_probe(struct pci_dev *pd + netdev->features |= NETIF_F_HIGHDMA; + + netdev->priv_flags |= IFF_UNICAST_FLT; ++ netdev->mtu = enic->port_mtu; + + err = register_netdev(netdev); + if (err) { diff --git a/queue-3.18/fixes-commit-86af955d02bb-mm-numa-avoid-waiting-on-freed-migrated-pages.patch b/queue-3.18/fixes-commit-86af955d02bb-mm-numa-avoid-waiting-on-freed-migrated-pages.patch new file mode 100644 index 00000000000..ca95f448b5f --- /dev/null +++ b/queue-3.18/fixes-commit-86af955d02bb-mm-numa-avoid-waiting-on-freed-migrated-pages.patch 
@@ -0,0 +1,41 @@ +From 3chas3@gmail.com Thu Sep 13 09:14:31 2018 +From: Chas Williams <3chas3@gmail.com> +Date: Thu, 6 Sep 2018 11:10:41 -0400 +Subject: Fixes: Commit 86af955d02bb ("mm: numa: avoid waiting on freed migrated pages") +To: stable@vger.kernel.org +Cc: natechancellor@gmail.com, mark.rutland@arm.com, will.deacon@arm.com, steve.capper@arm.com, kirill.shutemov@linux.intel.com, vbabka@suse.cz, mgorman@suse.de, Chas Williams +Message-ID: <20180906151041.17597-1-3chas3@gmail.com> + + +From: Chas Williams + +Commit 86af955d02bb ("mm: numa: avoid waiting on freed migrated pages") +was an incomplete backport of the upstream commit. It is necessary to +always reset page_nid before attempting any early exit. + +The original commit conflicted due to lack of commit 82b0f8c39a38 +("mm: join struct fault_env and vm_fault") in 4.9 so it wasn't a clean +application, and the change must have just gotten lost in the noise. + +Signed-off-by: Chas Williams +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1329,12 +1329,12 @@ int do_huge_pmd_numa_page(struct mm_stru + + /* Migration could have started since the pmd_trans_migrating check */ + if (!page_locked) { ++ page_nid = -1; + if (!get_page_unless_zero(page)) + goto out_unlock; + spin_unlock(ptl); + wait_on_page_locked(page); + put_page(page); +- page_nid = -1; + goto out; + } + diff --git a/queue-3.18/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch b/queue-3.18/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch new file mode 100644 index 00000000000..e2a4d1db7fe --- /dev/null +++ b/queue-3.18/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch 
@@ -0,0 +1,43 @@ +From tyhicks@canonical.com Thu Sep 13 09:00:58 2018 +From: Tyler Hicks +Date: Tue, 4 Sep 2018 15:24:04 +0000 +Subject: irda: Fix memory leak caused by repeated binds of irda socket +To: stable@vger.kernel.org +Message-ID: <1536074645-14160-2-git-send-email-tyhicks@canonical.com> + +From: Tyler Hicks + +The irda_bind() function allocates memory for self->ias_obj without +checking to see if the socket is already bound. A userspace process +could repeatedly bind the socket, have each new object added into the +LM-IAS database, and lose the reference to the old object assigned to +the socket to exhaust memory resources. This patch errors out of the +bind operation when self->ias_obj is already assigned. + +CVE-2018-6554 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tyler Hicks +Reviewed-by: Seth Arnold +Reviewed-by: Stefan Bader +Signed-off-by: Greg Kroah-Hartman +--- + net/irda/af_irda.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -785,6 +785,13 @@ static int irda_bind(struct socket *sock + return -EINVAL; + + lock_sock(sk); ++ ++ /* Ensure that the socket is not already bound */ ++ if (self->ias_obj) { ++ err = -EINVAL; ++ goto out; ++ } ++ + #ifdef CONFIG_IRDA_ULTRA + /* Special care for Ultra sockets */ + if ((sk->sk_type == SOCK_DGRAM) && diff --git a/queue-3.18/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch b/queue-3.18/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch new file mode 100644 index 00000000000..774977bcd43 --- /dev/null +++ b/queue-3.18/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch 
@@ -0,0 +1,44 @@ +From tyhicks@canonical.com Thu Sep 13 09:02:40 2018 +From: Tyler Hicks +Date: Tue, 4 Sep 2018 15:24:05 +0000 +Subject: irda: Only insert new objects into the global database via setsockopt +To: stable@vger.kernel.org +Message-ID: <1536074645-14160-3-git-send-email-tyhicks@canonical.com> + +From: Tyler Hicks + +The irda_setsockopt() function conditionally allocates memory for a new +self->ias_object or, in some cases, reuses the existing +self->ias_object. Existing objects were incorrectly reinserted into the +LM_IAS database which corrupted the doubly linked list used for the +hashbin implementation of the LM_IAS database. When combined with a +memory leak in irda_bind(), this issue could be leveraged to create a +use-after-free vulnerability in the hashbin list. This patch fixes the +issue by only inserting newly allocated objects into the database. + +CVE-2018-6555 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tyler Hicks +Reviewed-by: Seth Arnold +Reviewed-by: Stefan Bader +Signed-off-by: Greg Kroah-Hartman +--- + net/irda/af_irda.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -2051,7 +2051,11 @@ static int irda_setsockopt(struct socket + err = -EINVAL; + goto out; + } +- irias_insert_object(ias_obj); ++ ++ /* Only insert newly allocated objects */ ++ if (free_ias) ++ irias_insert_object(ias_obj); ++ + kfree(ias_opt); + break; + case IRLMP_IAS_DEL: diff --git a/queue-3.18/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch b/queue-3.18/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch new file mode 100644 index 00000000000..41104c629a3 --- /dev/null +++ b/queue-3.18/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch 
@@ -0,0 +1,55 @@ +From 914b087ff9e0e9a399a4927fa30793064afc0178 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Tue, 28 Aug 2018 12:59:10 -0700 +Subject: kbuild: make missing $DEPMOD a Warning instead of an Error + +From: Randy Dunlap + +commit 914b087ff9e0e9a399a4927fa30793064afc0178 upstream. + +When $DEPMOD is not found, only print a warning instead of exiting +with an error message and error status: + +Warning: 'make modules_install' requires /sbin/depmod. Please install it. +This is probably in the kmod package. + +Change the Error to a Warning because "not all build hosts for cross +compiling Linux are Linux systems and are able to provide a working +port of depmod, especially at the file patch /sbin/depmod." + +I.e., "make modules_install" may be used to copy/install the +loadable modules files to a target directory on a build system and +then transferred to an embedded device where /sbin/depmod is run +instead of it being run on the build system. + +Fixes: 934193a654c1 ("kbuild: verify that $DEPMOD is installed") +Signed-off-by: Randy Dunlap +Reported-by: H. Nikolaus Schaller +Cc: stable@vger.kernel.org +Cc: Lucas De Marchi +Cc: Lucas De Marchi +Cc: Michal Marek +Cc: Jessica Yu +Cc: Chih-Wei Huang +Signed-off-by: Masahiro Yamada +Signed-off-by: Maxim Zhukov +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/depmod.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/scripts/depmod.sh ++++ b/scripts/depmod.sh +@@ -15,9 +15,9 @@ if ! test -r System.map ; then + fi + + if [ -z $(command -v $DEPMOD) ]; then +- echo "'make modules_install' requires $DEPMOD. Please install it." >&2 ++ echo "Warning: 'make modules_install' requires $DEPMOD. Please install it." >&2 + echo "This is probably in the kmod package." >&2 +- exit 1 ++ exit 0 + fi + + # older versions of depmod don't support -P diff --git a/queue-3.18/series b/queue-3.18/series index 7aad83ff34b..6dd5bdce1bd 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
@@ -24,3 +24,8 @@ btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch debugobjects-make-stack-check-warning-more-informative.patch +kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch +irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch +irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch +enic-do-not-call-enic_change_mtu-in-enic_probe.patch +fixes-commit-86af955d02bb-mm-numa-avoid-waiting-on-freed-migrated-pages.patch
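Review bot: In the enic_probe() hunks of drivers/net/ethernet/cisco/enic/enic_main.c, the added `netdev->mtu = enic->port_mtu;` copies enic->config.mtu into the netdev with no check, where the removed line went through enic_change_mtu(). If that helper did any range checking on the value, it is now skipped. Please confirm config.mtu is validated where the device configuration is read, or clamp it before the assignment. A one-line comment above the assignment, saying the helper cannot be used here because rtnl is not held and the netdev is not yet registered, would keep the call from being reintroduced later.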
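Review bot: The changelog of the mm/huge_memory.c patch says the original backport conflicted "in 4.9", but this copy is queued under queue-3.18. The message should name the stable trees the incomplete backport of 86af955d02bb actually landed in, so the fix can be matched to them. The subject "Fixes: Commit 86af955d02bb ..." also reads like a trailer. A subject that describes the change (reset page_nid before the early exit in do_huge_pmd_numa_page()), with a Fixes: line in the trailer block, would be easier to track. The code change matches the description: with `page_nid = -1;` moved above get_page_unless_zero(), the `goto out_unlock` path sees the reset value as well.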
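Review bot: In the irda_bind() hunk of net/irda/af_irda.c, the new `if (self->ias_obj)` check leaves through `goto out` with the socket lock held. The out label is outside the visible context, so please confirm that in the 3.18 tree it calls release_sock(sk) rather than returning directly. Also check the later failure paths of irda_bind(): if any of them frees self->ias_obj without setting the pointer back to NULL, this test would reject every later bind on that socket while the stale pointer stays in place.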
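Review bot: In the irda_setsockopt() hunk of net/irda/af_irda.c, `if (free_ias)` serves as a "this object was allocated in this call" test, but the flag is named for something else and is assigned outside the hunk. The fix is only correct if free_ias is set exactly when ias_obj was newly allocated and never when self->ias_obj is reused. Please extend the comment to state that invariant, for example that a reused self->ias_obj is already in the LM-IAS database and must not be inserted a second time. Minor: the changelog writes self->ias_object, while the companion irda_bind() patch uses self->ias_obj.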
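Review bot: In the scripts/depmod.sh hunk, changing `exit 1` to `exit 0` makes a missing $DEPMOD indistinguishable from success for anything that checks only the exit status of "make modules_install". The one remaining signal is the message on stderr. That message still reads "requires $DEPMOD. Please install it.", which no longer matches the behaviour. Consider rewording it to say that the module dependency files were not generated and that depmod has to be run on the target, which is the use case the changelog describes.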