From: Greg Kroah-Hartman Date: Thu, 13 Sep 2018 07:20:22 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.156~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e18472a5f2dd42254cfa2a2dfcf1bbdccbb61a6a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: enic-do-not-call-enic_change_mtu-in-enic_probe.patch fixes-commit-2aa6d036b716-mm-numa-avoid-waiting-on-freed-migrated-pages.patch irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch --- diff --git a/queue-4.9/enic-do-not-call-enic_change_mtu-in-enic_probe.patch b/queue-4.9/enic-do-not-call-enic_change_mtu-in-enic_probe.patch new file mode 100644 index 00000000000..259be375c26 --- /dev/null +++ b/queue-4.9/enic-do-not-call-enic_change_mtu-in-enic_probe.patch @@ -0,0 +1,43 @@ +From cb5c6568867325f9905e80c96531d963bec8e5ea Mon Sep 17 00:00:00 2001 +From: Govindarajulu Varadarajan +Date: Mon, 30 Jul 2018 09:56:54 -0700 +Subject: enic: do not call enic_change_mtu in enic_probe + +From: Govindarajulu Varadarajan + +commit cb5c6568867325f9905e80c96531d963bec8e5ea upstream. + +In commit ab123fe071c9 ("enic: handle mtu change for vf properly") +ASSERT_RTNL() is added to _enic_change_mtu() to prevent it from being +called without rtnl held. enic_probe() calls enic_change_mtu() +without rtnl held. At this point netdev is not registered yet. +Remove call to enic_change_mtu and assign the mtu to netdev->mtu. + +Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly") +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2681,7 +2681,6 @@ static int enic_probe(struct pci_dev *pd + */ + + enic->port_mtu = enic->config.mtu; +- (void)enic_change_mtu(netdev, enic->port_mtu); + + err = enic_set_mac_addr(netdev, enic->mac_addr); + if (err) { +@@ -2731,6 +2730,7 @@ static int enic_probe(struct pci_dev *pd + netdev->features |= NETIF_F_HIGHDMA; + + netdev->priv_flags |= IFF_UNICAST_FLT; ++ netdev->mtu = enic->port_mtu; + + err = register_netdev(netdev); + if (err) { diff --git a/queue-4.9/fixes-commit-2aa6d036b716-mm-numa-avoid-waiting-on-freed-migrated-pages.patch b/queue-4.9/fixes-commit-2aa6d036b716-mm-numa-avoid-waiting-on-freed-migrated-pages.patch new file mode 100644 index 00000000000..33508f78643 --- /dev/null +++ b/queue-4.9/fixes-commit-2aa6d036b716-mm-numa-avoid-waiting-on-freed-migrated-pages.patch @@ -0,0 +1,41 @@ +From 3chas3@gmail.com Thu Sep 13 09:14:01 2018 +From: Chas Williams <3chas3@gmail.com> +Date: Thu, 6 Sep 2018 11:09:10 -0400 +Subject: Fixes: Commit 2aa6d036b716 ("mm: numa: avoid waiting on freed migrated pages") +To: stable@vger.kernel.org +Cc: natechancellor@gmail.com, mark.rutland@arm.com, will.deacon@arm.com, steve.capper@arm.com, kirill.shutemov@linux.intel.com, vbabka@suse.cz, mgorman@suse.de, Chas Williams +Message-ID: <20180906150910.17486-1-3chas3@gmail.com> + + +From: Chas Williams + +Commit 2aa6d036b716 ("mm: numa: avoid waiting on freed migrated pages") +was an incomplete backport of the upstream commit. It is necessary to +always reset page_nid before attempting any early exit. + +The original commit conflicted due to lack of commit 82b0f8c39a38 +("mm: join struct fault_env and vm_fault") in 4.9 so it wasn't a clean +application, and the change must have just gotten lost in the noise. + +Signed-off-by: Chas Williams +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1259,12 +1259,12 @@ int do_huge_pmd_numa_page(struct fault_e + + /* Migration could have started since the pmd_trans_migrating check */ + if (!page_locked) { ++ page_nid = -1; + if (!get_page_unless_zero(page)) + goto out_unlock; + spin_unlock(fe->ptl); + wait_on_page_locked(page); + put_page(page); +- page_nid = -1; + goto out; + } + diff --git a/queue-4.9/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch b/queue-4.9/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch new file mode 100644 index 00000000000..49b290916a4 --- /dev/null +++ b/queue-4.9/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch @@ -0,0 +1,43 @@ +From tyhicks@canonical.com Thu Sep 13 09:00:58 2018 +From: Tyler Hicks +Date: Tue, 4 Sep 2018 15:24:04 +0000 +Subject: irda: Fix memory leak caused by repeated binds of irda socket +To: stable@vger.kernel.org +Message-ID: <1536074645-14160-2-git-send-email-tyhicks@canonical.com> + +From: Tyler Hicks + +The irda_bind() function allocates memory for self->ias_obj without +checking to see if the socket is already bound. A userspace process +could repeatedly bind the socket, have each new object added into the +LM-IAS database, and lose the reference to the old object assigned to +the socket to exhaust memory resources. This patch errors out of the +bind operation when self->ias_obj is already assigned. + +CVE-2018-6554 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tyler Hicks +Reviewed-by: Seth Arnold +Reviewed-by: Stefan Bader +Signed-off-by: Greg Kroah-Hartman +--- + net/irda/af_irda.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -774,6 +774,13 @@ static int irda_bind(struct socket *sock + return -EINVAL; + + lock_sock(sk); ++ ++ /* Ensure that the socket is not already bound */ ++ if (self->ias_obj) { ++ err = -EINVAL; ++ goto out; ++ } ++ + #ifdef CONFIG_IRDA_ULTRA + /* Special care for Ultra sockets */ + if ((sk->sk_type == SOCK_DGRAM) && diff --git a/queue-4.9/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch b/queue-4.9/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch new file mode 100644 index 00000000000..acf56fc6937 --- /dev/null +++ b/queue-4.9/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch @@ -0,0 +1,44 @@ +From tyhicks@canonical.com Thu Sep 13 09:02:40 2018 +From: Tyler Hicks +Date: Tue, 4 Sep 2018 15:24:05 +0000 +Subject: irda: Only insert new objects into the global database via setsockopt +To: stable@vger.kernel.org +Message-ID: <1536074645-14160-3-git-send-email-tyhicks@canonical.com> + +From: Tyler Hicks + +The irda_setsockopt() function conditionally allocates memory for a new +self->ias_object or, in some cases, reuses the existing +self->ias_object. Existing objects were incorrectly reinserted into the +LM_IAS database which corrupted the doubly linked list used for the +hashbin implementation of the LM_IAS database. When combined with a +memory leak in irda_bind(), this issue could be leveraged to create a +use-after-free vulnerability in the hashbin list. This patch fixes the +issue by only inserting newly allocated objects into the database. + +CVE-2018-6555 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tyler Hicks +Reviewed-by: Seth Arnold +Reviewed-by: Stefan Bader +Signed-off-by: Greg Kroah-Hartman +--- + net/irda/af_irda.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -2023,7 +2023,11 @@ static int irda_setsockopt(struct socket + err = -EINVAL; + goto out; + } +- irias_insert_object(ias_obj); ++ ++ /* Only insert newly allocated objects */ ++ if (free_ias) ++ irias_insert_object(ias_obj); ++ + kfree(ias_opt); + break; + case IRLMP_IAS_DEL: diff --git a/queue-4.9/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch b/queue-4.9/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch new file mode 100644 index 00000000000..41104c629a3 --- /dev/null +++ b/queue-4.9/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch @@ -0,0 +1,55 @@ +From 914b087ff9e0e9a399a4927fa30793064afc0178 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Tue, 28 Aug 2018 12:59:10 -0700 +Subject: kbuild: make missing $DEPMOD a Warning instead of an Error + +From: Randy Dunlap + +commit 914b087ff9e0e9a399a4927fa30793064afc0178 upstream. + +When $DEPMOD is not found, only print a warning instead of exiting +with an error message and error status: + +Warning: 'make modules_install' requires /sbin/depmod. Please install it. +This is probably in the kmod package. + +Change the Error to a Warning because "not all build hosts for cross +compiling Linux are Linux systems and are able to provide a working +port of depmod, especially at the file patch /sbin/depmod." + +I.e., "make modules_install" may be used to copy/install the +loadable modules files to a target directory on a build system and +then transferred to an embedded device where /sbin/depmod is run +instead of it being run on the build system. + +Fixes: 934193a654c1 ("kbuild: verify that $DEPMOD is installed") +Signed-off-by: Randy Dunlap +Reported-by: H. Nikolaus Schaller +Cc: stable@vger.kernel.org +Cc: Lucas De Marchi +Cc: Lucas De Marchi +Cc: Michal Marek +Cc: Jessica Yu +Cc: Chih-Wei Huang +Signed-off-by: Masahiro Yamada +Signed-off-by: Maxim Zhukov +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/depmod.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/scripts/depmod.sh ++++ b/scripts/depmod.sh +@@ -15,9 +15,9 @@ if ! test -r System.map ; then + fi + + if [ -z $(command -v $DEPMOD) ]; then +- echo "'make modules_install' requires $DEPMOD. Please install it." >&2 ++ echo "Warning: 'make modules_install' requires $DEPMOD. Please install it." >&2 + echo "This is probably in the kmod package." >&2 +- exit 1 ++ exit 0 + fi + + # older versions of depmod don't support -P diff --git a/queue-4.9/revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch b/queue-4.9/revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch new file mode 100644 index 00000000000..c1feef7f5fb --- /dev/null +++ b/queue-4.9/revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch @@ -0,0 +1,41 @@ +From festevam@gmail.com Thu Sep 13 09:05:11 2018 +From: Fabio Estevam +Date: Mon, 3 Sep 2018 10:39:34 -0300 +Subject: Revert "ARM: imx_v6_v7_defconfig: Select ULPI support" +To: stable@vger.kernel.org +Cc: shawnguo@kernel.org, rasmus.villemoes@prevas.dk, gregkh@linuxfoundation.org, Fabio Estevam +Message-ID: <1535981974-28739-1-git-send-email-festevam@gmail.com> + +From: Fabio Estevam + +This reverts commit 721476147fd2571309b6aa6daa695b39170602ef. + +This commit causes reboot to fail on imx6 wandboard, so let's +revert it. + +Cc: #4.9 +Reported-by: Rasmus Villemoes +Signed-off-by: Fabio Estevam +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/configs/imx_v6_v7_defconfig | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/arm/configs/imx_v6_v7_defconfig ++++ b/arch/arm/configs/imx_v6_v7_defconfig +@@ -271,7 +271,6 @@ CONFIG_USB_STORAGE=y + CONFIG_USB_CHIPIDEA=y + CONFIG_USB_CHIPIDEA_UDC=y + CONFIG_USB_CHIPIDEA_HOST=y +-CONFIG_USB_CHIPIDEA_ULPI=y + CONFIG_USB_SERIAL=m + CONFIG_USB_SERIAL_GENERIC=y + CONFIG_USB_SERIAL_FTDI_SIO=m +@@ -308,7 +307,6 @@ CONFIG_USB_GADGETFS=m + CONFIG_USB_FUNCTIONFS=m + CONFIG_USB_MASS_STORAGE=m + CONFIG_USB_G_SERIAL=m +-CONFIG_USB_ULPI_BUS=y + CONFIG_MMC=y + CONFIG_MMC_SDHCI=y + CONFIG_MMC_SDHCI_PLTFM=y diff --git a/queue-4.9/series b/queue-4.9/series index 5e43942f370..e824c8da48d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -59,3 +59,9 @@ drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-b50-80.patch tcp-revert-tcp-tcp_probe-use-spin_lock_bh.patch debugobjects-make-stack-check-warning-more-informative.patch x86-pae-use-64-bit-atomic-xchg-function-in-native_ptep_get_and_clear.patch +kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch +irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch +irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch +revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch +enic-do-not-call-enic_change_mtu-in-enic_probe.patch +fixes-commit-2aa6d036b716-mm-numa-avoid-waiting-on-freed-migrated-pages.patch