From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 2 Mar 2019 08:35:45 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v4.9.162~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f0e7b9c15fcd07fbd7825cbfe54b854ec25135ec;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch
	mmc-spi-fix-card-detection-during-probe.patch
---

diff --git a/queue-3.18/mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch b/queue-3.18/mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch
new file mode 100644
index 00000000000..448b943eedb
--- /dev/null
+++ b/queue-3.18/mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch
@@ -0,0 +1,44 @@
+From 0a1d52994d440e21def1c2174932410b4f2a98a1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: mm: enforce min addr even if capable() in expand_downwards()
+
+From: Jann Horn <jannh@google.com>
+
+commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
+
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2292,12 +2292,11 @@ int expand_downwards(struct vm_area_stru
+ {
+ 	struct vm_area_struct *prev;
+ 	unsigned long gap_addr;
+-	int error;
++	int error = 0;
+ 
+ 	address &= PAGE_MASK;
+-	error = security_mmap_addr(address);
+-	if (error)
+-		return error;
++	if (address < mmap_min_addr)
++		return -EPERM;
+ 
+ 	/* Enforce stack_guard_gap */
+ 	gap_addr = address - stack_guard_gap;
diff --git a/queue-3.18/mmc-spi-fix-card-detection-during-probe.patch b/queue-3.18/mmc-spi-fix-card-detection-during-probe.patch
new file mode 100644
index 00000000000..00b89fc6136
--- /dev/null
+++ b/queue-3.18/mmc-spi-fix-card-detection-during-probe.patch
@@ -0,0 +1,55 @@
+From c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonathan=20Neusch=C3=A4fer?= <j.neuschaefer@gmx.net>
+Date: Sun, 10 Feb 2019 18:31:07 +0100
+Subject: mmc: spi: Fix card detection during probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+
+commit c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 upstream.
+
+When using the mmc_spi driver with a card-detect pin, I noticed that the
+card was not detected immediately after probe, but only after it was
+unplugged and plugged back in (and the CD IRQ fired).
+
+The call tree looks something like this:
+
+mmc_spi_probe
+  mmc_add_host
+    mmc_start_host
+      _mmc_detect_change
+        mmc_schedule_delayed_work(&host->detect, 0)
+          mmc_rescan
+            host->bus_ops->detect(host)
+              mmc_detect
+                _mmc_detect_card_removed
+                  host->ops->get_cd(host)
+                    mmc_gpio_get_cd -> -ENOSYS (ctx->cd_gpio not set)
+  mmc_gpiod_request_cd
+    ctx->cd_gpio = desc
+
+To fix this issue, call mmc_detect_change after the card-detect GPIO/IRQ
+is registered.
+
+Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/mmc_spi.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1451,6 +1451,7 @@ static int mmc_spi_probe(struct spi_devi
+ 		if (status != 0)
+ 			goto fail_add_host;
+ 	}
++	mmc_detect_change(mmc, 0);
+ 
+ 	dev_info(&spi->dev, "SD/MMC host %s%s%s%s%s\n",
+ 			dev_name(&mmc->class_dev),
diff --git a/queue-3.18/series b/queue-3.18/series
index 5a403a885d9..6b54d930029 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -38,3 +38,5 @@ ibmveth-do-not-process-frames-after-calling-napi_res.patch
 mac80211-don-t-initiate-tdls-connection-if-station-i.patch
 cfg80211-extend-range-deviation-for-dmg.patch
 kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch
+mmc-spi-fix-card-detection-during-probe.patch
+mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch