From: Greg Kroah-Hartman Date: Mon, 30 Oct 2017 10:18:56 +0000 (+0100) Subject: 4.13-stable patches X-Git-Tag: v3.18.79~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eef2fb41015a96cdbc9b6b71eadfae7e7030d696;p=thirdparty%2Fkernel%2Fstable-queue.git 4.13-stable patches added patches: ipsec-fix-aborted-xfrm-policy-dump-crash.patch regulator-fan53555-fix-i2c-device-ids.patch
---
diff --git a/queue-4.13/ipsec-fix-aborted-xfrm-policy-dump-crash.patch b/queue-4.13/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
new file mode 100644
index 00000000000..d7369636149
--- /dev/null
+++ b/queue-4.13/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
@@ -0,0 +1,101 @@
+From 1137b5e2529a8f5ca8ee709288ecba3e68044df2 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 19 Oct 2017 20:51:10 +0800
+Subject: ipsec: Fix aborted xfrm policy dump crash
+
+From: Herbert Xu
+
+commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.
+
+An independent security researcher, Mohamed Ghannam, has reported
+this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
+program.
+
+The xfrm_dump_policy_done function expects xfrm_dump_policy to
+have been called at least once or it will crash. This can be
+triggered if a dump fails because the target socket's receive
+buffer is full.
+
+This patch fixes it by using the cb->start mechanism to ensure that
+the initialisation is always done regardless of the buffer situation.
+
+Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_user.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1684,32 +1684,34 @@ static int dump_one_policy(struct xfrm_p
+
+ static int xfrm_dump_policy_done(struct netlink_callback *cb)
+ {
+- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+ struct net *net = sock_net(cb->skb->sk);
+
+ xfrm_policy_walk_done(walk, net);
+ return 0;
+ }
+
++static int xfrm_dump_policy_start(struct netlink_callback *cb)
++{
++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
++
++ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
++
++ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
++ return 0;
++}
++
+ static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ struct net *net = sock_net(skb->sk);
+- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
++ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+ struct xfrm_dump_info info;
+
+- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
+- sizeof(cb->args) - sizeof(cb->args[0]));
+-
+ info.in_skb = cb->skb;
+ info.out_skb = skb;
+ info.nlmsg_seq = cb->nlh->nlmsg_seq;
+ info.nlmsg_flags = NLM_F_MULTI;
+
+- if (!cb->args[0]) {
+- cb->args[0] = 1;
+- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+- }
+-
+ (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
+
+ return skb->len;
+@@ -2467,6 +2469,7 @@ static const struct nla_policy xfrma_spd
+
+ static const struct xfrm_link {
+ int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
++ int (*start)(struct netlink_callback *);
+ int (*dump)(struct sk_buff *, struct netlink_callback *);
+ int (*done)(struct netlink_callback *);
+ const struct nla_policy *nla_pol;
+@@ -2480,6 +2483,7 @@ static const struct xfrm_link {
+ [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
+ [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },
+ [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
++ .start = xfrm_dump_policy_start,
+ .dump = xfrm_dump_policy,
+ .done = xfrm_dump_policy_done },
+ [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
+@@ -2532,6 +2536,7 @@ static int xfrm_user_rcv_msg(struct sk_b
+
+ {
+ struct netlink_dump_control c = {
++ .start = link->start,
+ .dump = link->dump,
+ .done = link->done,
+ };
diff --git a/queue-4.13/regulator-fan53555-fix-i2c-device-ids.patch b/queue-4.13/regulator-fan53555-fix-i2c-device-ids.patch
new file mode 100644
index 00000000000..6f5113c43ff
--- /dev/null
+++ b/queue-4.13/regulator-fan53555-fix-i2c-device-ids.patch
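Review bot: In the `xfrm_user.c` change, `xfrm_dump_policy_done` still calls `xfrm_policy_walk_done(walk, net)` with no guard, so after this patch its safety rests entirely on the netlink core having run `.start` before any path that reaches `.done`, and nothing in the new code records that invariant. I would document it above `xfrm_dump_policy_start` with a comment such as `/* Walk state lives in cb->args; init here so ->done is safe even if ->dump never ran. */`. The code that invokes `.start` is outside this patch (only the initialiser of `c` in `xfrm_user_rcv_msg` is visible, and that function's body continues beyond the hunk), so when queueing this for a given stable tree it is worth confirming that the tree's `netlink_dump_control` has the hook and calls it before the first dump attempt. The other `xfrm_link` entries leave `.start` unset, which presumably the netlink core treats as "no start hook"; that is not visible here.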
@@ -0,0 +1,41 @@
+From fc1111b885437f374ed54aadda44d8b241ebd2a3 Mon Sep 17 00:00:00 2001
+From: Guillaume Tucker
+Date: Mon, 21 Aug 2017 13:47:43 +0100
+Subject: regulator: fan53555: fix I2C device ids
+
+From: Guillaume Tucker
+
+commit fc1111b885437f374ed54aadda44d8b241ebd2a3 upstream.
+
+The device tree nodes all correctly describe the regulators as
+syr827 or syr828, but the I2C device id is currently set to the
+wildcard value of syr82x in the driver. This causes udev to fail
+to match the driver module with the modalias data from sysfs.
+
+Fix this by replacing the I2C device ids with ones that match the
+device tree descriptions, with syr827 and syr828. Tested on
+Firefly rk3288 board. The syr82x id was not used anywhere.
+
+Fixes: e80c47bd738b (regulator: fan53555: Export I2C module alias information)
+Signed-off-by: Guillaume Tucker
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/fan53555.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/fan53555.c
++++ b/drivers/regulator/fan53555.c
+@@ -476,7 +476,10 @@ static const struct i2c_device_id fan535
+ .name = "fan53555",
+ .driver_data = FAN53555_VENDOR_FAIRCHILD
+ }, {
+- .name = "syr82x",
++ .name = "syr827",
++ .driver_data = FAN53555_VENDOR_SILERGY
++ }, {
++ .name = "syr828",
+ .driver_data = FAN53555_VENDOR_SILERGY
+ },
+ { },
diff --git a/queue-4.13/series b/queue-4.13/series
index ee887918ea2..559230cde12 100644
--- a/queue-4.13/series
+++ b/queue-4.13/series
@@ -39,3 +39,5 @@ can-sun4i-fix-loopback-mode.patch
 can-kvaser_usb-correct-return-value-in-printout.patch
 can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch
 cfg80211-fix-connect-disconnect-edge-cases.patch
+ipsec-fix-aborted-xfrm-policy-dump-crash.patch
+regulator-fan53555-fix-i2c-device-ids.patch