From: Greg Kroah-Hartman Date: Thu, 29 Nov 2018 12:49:53 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.6~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8517b845af6b43d648e54fcab34d7482087c64d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: lan78xx-read-mac-address-from-dt-if-present.patch namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch s390-mm-check-for-valid-vma-before-zapping-in-gmap_discard.patch sched-core-allow-__sched_setscheduler-in-interrupts-when-pi-is-not-used.patch usb-xhci-fix-uninitialized-completion-when-usb3-port-got-wrong-status.patch --- diff --git a/queue-4.9/lan78xx-read-mac-address-from-dt-if-present.patch b/queue-4.9/lan78xx-read-mac-address-from-dt-if-present.patch new file mode 100644 index 00000000000..889dd088b1d --- /dev/null +++ b/queue-4.9/lan78xx-read-mac-address-from-dt-if-present.patch @@ -0,0 +1,87 @@ +From 760db29bdc97b73ff60b091315ad787b1deb5cf5 Mon Sep 17 00:00:00 2001 +From: Phil Elwell +Date: Thu, 19 Apr 2018 17:59:38 +0100 +Subject: lan78xx: Read MAC address from DT if present + +From: Phil Elwell + +commit 760db29bdc97b73ff60b091315ad787b1deb5cf5 upstream. + +There is a standard mechanism for locating and using a MAC address from +the Device Tree. Use this facility in the lan78xx driver to support +applications without programmed EEPROM or OTP. At the same time, +regularise the handling of the different address sources. + +Signed-off-by: Phil Elwell +Signed-off-by: David S. Miller +Tested-by: Paolo Pisati +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/lan78xx.c | 42 ++++++++++++++++++++---------------------- + 1 file changed, 20 insertions(+), 22 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include "lan78xx.h" + + #define DRIVER_AUTHOR "WOOJUNG HUH " +@@ -1644,34 +1645,31 @@ static void lan78xx_init_mac_address(str + addr[5] = (addr_hi >> 8) & 0xFF; + + if (!is_valid_ether_addr(addr)) { +- /* reading mac address from EEPROM or OTP */ +- if ((lan78xx_read_eeprom(dev, EEPROM_MAC_OFFSET, ETH_ALEN, +- addr) == 0) || +- (lan78xx_read_otp(dev, EEPROM_MAC_OFFSET, ETH_ALEN, +- addr) == 0)) { +- if (is_valid_ether_addr(addr)) { +- /* eeprom values are valid so use them */ +- netif_dbg(dev, ifup, dev->net, +- "MAC address read from EEPROM"); +- } else { +- /* generate random MAC */ +- random_ether_addr(addr); +- netif_dbg(dev, ifup, dev->net, +- "MAC address set to random addr"); +- } +- +- addr_lo = addr[0] | (addr[1] << 8) | +- (addr[2] << 16) | (addr[3] << 24); +- addr_hi = addr[4] | (addr[5] << 8); +- +- ret = lan78xx_write_reg(dev, RX_ADDRL, addr_lo); +- ret = lan78xx_write_reg(dev, RX_ADDRH, addr_hi); ++ if (!eth_platform_get_mac_address(&dev->udev->dev, addr)) { ++ /* valid address present in Device Tree */ ++ netif_dbg(dev, ifup, dev->net, ++ "MAC address read from Device Tree"); ++ } else if (((lan78xx_read_eeprom(dev, EEPROM_MAC_OFFSET, ++ ETH_ALEN, addr) == 0) || ++ (lan78xx_read_otp(dev, EEPROM_MAC_OFFSET, ++ ETH_ALEN, addr) == 0)) && ++ is_valid_ether_addr(addr)) { ++ /* eeprom values are valid so use them */ ++ netif_dbg(dev, ifup, dev->net, ++ "MAC address read from EEPROM"); + } else { + /* generate random MAC */ + random_ether_addr(addr); + netif_dbg(dev, ifup, dev->net, + "MAC address set to random addr"); + } ++ ++ addr_lo = addr[0] | (addr[1] << 8) | ++ (addr[2] << 16) | (addr[3] << 24); ++ addr_hi = addr[4] | (addr[5] << 8); ++ ++ ret = lan78xx_write_reg(dev, RX_ADDRL, addr_lo); ++ ret = lan78xx_write_reg(dev, RX_ADDRH, addr_hi); + } + + ret = lan78xx_write_reg(dev, MAF_LO(0), addr_lo); diff --git a/queue-4.9/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch b/queue-4.9/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch new file mode 100644 index 00000000000..93b4dd4df8c --- /dev/null +++ b/queue-4.9/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch @@ -0,0 +1,233 @@ +From 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 Mon Sep 17 00:00:00 2001 +From: Salvatore Mesoraca +Date: Thu, 23 Aug 2018 17:00:35 -0700 +Subject: namei: allow restricted O_CREAT of FIFOs and regular files + +From: Salvatore Mesoraca + +commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 upstream. + +Disallows open of FIFOs or regular files not owned by the user in world +writable sticky directories, unless the owner is the same as that of the +directory or the file is opened without the O_CREAT flag. The purpose +is to make data spoofing attacks harder. This protection can be turned +on and off separately for FIFOs and regular files via sysctl, just like +the symlinks/hardlinks protection. This patch is based on Openwall's +"HARDEN_FIFO" feature by Solar Designer. + +This is a brief list of old vulnerabilities that could have been prevented +by this feature, some of them even allow for privilege escalation: + +CVE-2000-1134 +CVE-2007-3852 +CVE-2008-0525 +CVE-2009-0416 +CVE-2011-4834 +CVE-2015-1838 +CVE-2015-7442 +CVE-2016-7489 + +This list is not meant to be complete. It's difficult to track down all +vulnerabilities of this kind because they were often reported without any +mention of this particular attack vector. In fact, before +hardlinks/symlinks restrictions, fifos/regular files weren't the favorite +vehicle to exploit them. + +[s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter] + Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda + Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com +[keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future] +[keescook@chromium.org: adjust commit subjet] +Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast +Signed-off-by: Salvatore Mesoraca +Signed-off-by: Kees Cook +Suggested-by: Solar Designer +Suggested-by: Kees Cook +Cc: Al Viro +Cc: Dan Carpenter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: Loic +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sysctl/fs.txt | 36 +++++++++++++++++++++++++++++ + fs/namei.c | 53 +++++++++++++++++++++++++++++++++++++++++--- + include/linux/fs.h | 2 + + kernel/sysctl.c | 18 ++++++++++++++ + 4 files changed, 106 insertions(+), 3 deletions(-) + +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -34,7 +34,9 @@ Currently, these files are in /proc/sys/ + - overflowgid + - pipe-user-pages-hard + - pipe-user-pages-soft ++- protected_fifos + - protected_hardlinks ++- protected_regular + - protected_symlinks + - suid_dumpable + - super-max +@@ -182,6 +184,24 @@ applied. + + ============================================================== + ++protected_fifos: ++ ++The intent of this protection is to avoid unintentional writes to ++an attacker-controlled FIFO, where a program expected to create a regular ++file. ++ ++When set to "0", writing to FIFOs is unrestricted. ++ ++When set to "1" don't allow O_CREAT open on FIFOs that we don't own ++in world writable sticky directories, unless they are owned by the ++owner of the directory. ++ ++When set to "2" it also applies to group writable sticky directories. ++ ++This protection is based on the restrictions in Openwall. ++ ++============================================================== ++ + protected_hardlinks: + + A long-standing class of security issues is the hardlink-based +@@ -202,6 +222,22 @@ This protection is based on the restrict + + ============================================================== + ++protected_regular: ++ ++This protection is similar to protected_fifos, but it ++avoids writes to an attacker-controlled regular file, where a program ++expected to create one. ++ ++When set to "0", writing to regular files is unrestricted. ++ ++When set to "1" don't allow O_CREAT open on regular files that we ++don't own in world writable sticky directories, unless they are ++owned by the owner of the directory. ++ ++When set to "2" it also applies to group writable sticky directories. ++ ++============================================================== ++ + protected_symlinks: + + A long-standing class of security issues is the symlink-based +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -892,6 +892,8 @@ static inline void put_link(struct namei + + int sysctl_protected_symlinks __read_mostly = 0; + int sysctl_protected_hardlinks __read_mostly = 0; ++int sysctl_protected_fifos __read_mostly; ++int sysctl_protected_regular __read_mostly; + + /** + * may_follow_link - Check symlink following for unsafe situations +@@ -1005,6 +1007,45 @@ static int may_linkat(struct path *link) + return -EPERM; + } + ++/** ++ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory ++ * should be allowed, or not, on files that already ++ * exist. ++ * @dir: the sticky parent directory ++ * @inode: the inode of the file to open ++ * ++ * Block an O_CREAT open of a FIFO (or a regular file) when: ++ * - sysctl_protected_fifos (or sysctl_protected_regular) is enabled ++ * - the file already exists ++ * - we are in a sticky directory ++ * - we don't own the file ++ * - the owner of the directory doesn't own the file ++ * - the directory is world writable ++ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2 ++ * the directory doesn't have to be world writable: being group writable will ++ * be enough. ++ * ++ * Returns 0 if the open is allowed, -ve on error. ++ */ ++static int may_create_in_sticky(struct dentry * const dir, ++ struct inode * const inode) ++{ ++ if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || ++ (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || ++ likely(!(dir->d_inode->i_mode & S_ISVTX)) || ++ uid_eq(inode->i_uid, dir->d_inode->i_uid) || ++ uid_eq(current_fsuid(), inode->i_uid)) ++ return 0; ++ ++ if (likely(dir->d_inode->i_mode & 0002) || ++ (dir->d_inode->i_mode & 0020 && ++ ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) || ++ (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) { ++ return -EACCES; ++ } ++ return 0; ++} ++ + static __always_inline + const char *get_link(struct nameidata *nd) + { +@@ -3356,9 +3397,15 @@ finish_open: + if (error) + return error; + audit_inode(nd->name, nd->path.dentry, 0); +- error = -EISDIR; +- if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry)) +- goto out; ++ if (open_flag & O_CREAT) { ++ error = -EISDIR; ++ if (d_is_dir(nd->path.dentry)) ++ goto out; ++ error = may_create_in_sticky(dir, ++ d_backing_inode(nd->path.dentry)); ++ if (unlikely(error)) ++ goto out; ++ } + error = -ENOTDIR; + if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry)) + goto out; +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -69,6 +69,8 @@ extern struct inodes_stat_t inodes_stat; + extern int leases_enable, lease_break_time; + extern int sysctl_protected_symlinks; + extern int sysctl_protected_hardlinks; ++extern int sysctl_protected_fifos; ++extern int sysctl_protected_regular; + + struct buffer_head; + typedef int (get_block_t)(struct inode *inode, sector_t iblock, +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1795,6 +1795,24 @@ static struct ctl_table fs_table[] = { + .extra2 = &one, + }, + { ++ .procname = "protected_fifos", ++ .data = &sysctl_protected_fifos, ++ .maxlen = sizeof(int), ++ .mode = 0600, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &two, ++ }, ++ { ++ .procname = "protected_regular", ++ .data = &sysctl_protected_regular, ++ .maxlen = sizeof(int), ++ .mode = 0600, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &two, ++ }, ++ { + .procname = "suid_dumpable", + .data = &suid_dumpable, + .maxlen = sizeof(int), diff --git a/queue-4.9/s390-mm-check-for-valid-vma-before-zapping-in-gmap_discard.patch b/queue-4.9/s390-mm-check-for-valid-vma-before-zapping-in-gmap_discard.patch new file mode 100644 index 00000000000..d55b94f8014 --- /dev/null +++ b/queue-4.9/s390-mm-check-for-valid-vma-before-zapping-in-gmap_discard.patch @@ -0,0 +1,39 @@ +From 1843abd03250115af6cec0892683e70cf2297c25 Mon Sep 17 00:00:00 2001 +From: Janosch Frank +Date: Thu, 16 Aug 2018 09:02:31 +0100 +Subject: s390/mm: Check for valid vma before zapping in gmap_discard + +From: Janosch Frank + +commit 1843abd03250115af6cec0892683e70cf2297c25 upstream. + +Userspace could have munmapped the area before doing unmapping from +the gmap. This would leave us with a valid vmaddr, but an invalid vma +from which we would try to zap memory. + +Let's check before using the vma. + +Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c") +Signed-off-by: Janosch Frank +Reviewed-by: David Hildenbrand +Reported-by: Dan Carpenter +Message-Id: <20180816082432.78828-1-frankja@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Greg Kroah-Hartman + + +--- + arch/s390/mm/gmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -686,6 +686,8 @@ void gmap_discard(struct gmap *gmap, uns + vmaddr |= gaddr & ~PMD_MASK; + /* Find vma in the parent mm */ + vma = find_vma(gmap->mm, vmaddr); ++ if (!vma) ++ continue; + size = min(to - gaddr, PMD_SIZE - (gaddr & ~PMD_MASK)); + zap_page_range(vma, vmaddr, size, NULL); + } diff --git a/queue-4.9/sched-core-allow-__sched_setscheduler-in-interrupts-when-pi-is-not-used.patch b/queue-4.9/sched-core-allow-__sched_setscheduler-in-interrupts-when-pi-is-not-used.patch new file mode 100644 index 00000000000..73acfa4d570 --- /dev/null +++ b/queue-4.9/sched-core-allow-__sched_setscheduler-in-interrupts-when-pi-is-not-used.patch @@ -0,0 +1,62 @@ +From 896bbb2522587e3b8eb2a0d204d43ccc1042a00d Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 9 Mar 2017 10:18:42 -0500 +Subject: sched/core: Allow __sched_setscheduler() in interrupts when PI is not used + +From: Steven Rostedt (VMware) + +commit 896bbb2522587e3b8eb2a0d204d43ccc1042a00d upstream. + +When priority inheritance was added back in 2.6.18 to sched_setscheduler(), it +added a path to taking an rt-mutex wait_lock, which is not IRQ safe. As PI +is not a common occurrence, lockdep will likely never trigger if +sched_setscheduler was called from interrupt context. A BUG_ON() was added +to trigger if __sched_setscheduler() was ever called from interrupt context +because there was a possibility to take the wait_lock. + +Today the wait_lock is irq safe, but the path to taking it in +sched_setscheduler() is the same as the path to taking it from normal +context. The wait_lock is taken with raw_spin_lock_irq() and released with +raw_spin_unlock_irq() which will indiscriminately enable interrupts, +which would be bad in interrupt context. + +The problem is that normalize_rt_tasks, which is called by triggering the +sysrq nice-all-RT-tasks was changed to call __sched_setscheduler(), and this +is done from interrupt context! + +Now __sched_setscheduler() takes a "pi" parameter that is used to know if +the priority inheritance should be called or not. As the BUG_ON() only cares +about calling the PI code, it should only bug if called from interrupt +context with the "pi" parameter set to true. + +Reported-by: Laurent Dufour +Tested-by: Laurent Dufour +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: dbc7f069b93a ("sched: Use replace normalize_task() with __sched_setscheduler()") +Link: http://lkml.kernel.org/r/20170308124654.10e598f2@gandalf.local.home +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + + +--- + kernel/sched/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -4087,8 +4087,8 @@ static int __sched_setscheduler(struct t + int queue_flags = DEQUEUE_SAVE | DEQUEUE_MOVE; + struct rq *rq; + +- /* may grab non-irq protected spin_locks */ +- BUG_ON(in_interrupt()); ++ /* The pi code expects interrupts enabled */ ++ BUG_ON(pi && in_interrupt()); + recheck: + /* double check policy once rq lock held */ + if (policy < 0) { diff --git a/queue-4.9/series b/queue-4.9/series index 73d3d3173b8..979fc3c8dd7 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -79,3 +79,8 @@ scsi-ufshcd-release-resources-if-probe-fails.patch include-linux-pfn_t.h-force-to-be-parsed-as-an-unary-operator.patch tty-wipe-buffer.patch tty-wipe-buffer-if-not-echoing-data.patch +usb-xhci-fix-uninitialized-completion-when-usb3-port-got-wrong-status.patch +sched-core-allow-__sched_setscheduler-in-interrupts-when-pi-is-not-used.patch +namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch +lan78xx-read-mac-address-from-dt-if-present.patch +s390-mm-check-for-valid-vma-before-zapping-in-gmap_discard.patch diff --git a/queue-4.9/usb-xhci-fix-uninitialized-completion-when-usb3-port-got-wrong-status.patch b/queue-4.9/usb-xhci-fix-uninitialized-completion-when-usb3-port-got-wrong-status.patch new file mode 100644 index 00000000000..421f042a00f --- /dev/null +++ b/queue-4.9/usb-xhci-fix-uninitialized-completion-when-usb3-port-got-wrong-status.patch @@ -0,0 +1,52 @@ +From 958c0bd86075d4ef1c936998deefe1947e539240 Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Fri, 9 Nov 2018 17:21:20 +0200 +Subject: usb: xhci: fix uninitialized completion when USB3 port got wrong status + +From: Aaron Ma + +commit 958c0bd86075d4ef1c936998deefe1947e539240 upstream. + +Realtek USB3.0 Card Reader [0bda:0328] reports wrong port status on +Cannon lake PCH USB3.1 xHCI [8086:a36d] after resume from S3, +after clear port reset it works fine. + +Since this device is registered on USB3 roothub at boot, +when port status reports not superspeed, xhci_get_port_status will call +an uninitialized completion in bus_state[0]. +Kernel will hang because of NULL pointer. + +Restrict the USB2 resume status check in USB2 roothub to fix hang issue. + +Cc: stable@vger.kernel.org +Signed-off-by: Aaron Ma +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-hub.c | 2 +- + drivers/usb/host/xhci-ring.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -768,7 +768,7 @@ static u32 xhci_get_port_status(struct u + status |= USB_PORT_STAT_SUSPEND; + } + if ((raw_port_status & PORT_PLS_MASK) == XDEV_RESUME && +- !DEV_SUPERSPEED_ANY(raw_port_status)) { ++ !DEV_SUPERSPEED_ANY(raw_port_status) && hcd->speed < HCD_USB3) { + if ((raw_port_status & PORT_RESET) || + !(raw_port_status & PORT_PE)) + return 0xffffffff; +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1676,7 +1676,7 @@ static void handle_port_status(struct xh + * RExit to a disconnect state). If so, let the the driver know it's + * out of the RExit state. + */ +- if (!DEV_SUPERSPEED_ANY(temp) && ++ if (!DEV_SUPERSPEED_ANY(portsc) && hcd->speed < HCD_USB3 && + test_and_clear_bit(faked_port_index, + &bus_state->rexit_ports)) { + complete(&bus_state->rexit_done[faked_port_index]);