From: Greg Kroah-Hartman Date: Wed, 20 Mar 2019 20:25:54 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.137~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f89e29b2a4628b87747cee4911b0d624c67957c9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: i2c-tegra-fix-maximum-transfer-size.patch intel_th-don-t-reference-unassigned-outputs.patch kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
---
diff --git a/queue-4.4/i2c-tegra-fix-maximum-transfer-size.patch b/queue-4.4/i2c-tegra-fix-maximum-transfer-size.patch
new file mode 100644
index 00000000000..b6abb90175a
--- /dev/null
+++ b/queue-4.4/i2c-tegra-fix-maximum-transfer-size.patch
@@ -0,0 +1,37 @@
+From f4e3f4ae1d9c9330de355f432b69952e8cef650c Mon Sep 17 00:00:00 2001
+From: Sowjanya Komatineni
+Date: Tue, 12 Feb 2019 11:06:44 -0800
+Subject: i2c: tegra: fix maximum transfer size
+
+From: Sowjanya Komatineni
+
+commit f4e3f4ae1d9c9330de355f432b69952e8cef650c upstream.
+
+Tegra186 and prior supports maximum 4K bytes per packet transfer
+including 12 bytes of packet header.
+
+This patch fixes max write length limit to account packet header
+size for transfers.
+
+Cc: stable@vger.kernel.org # 4.4+
+
+Reviewed-by: Dmitry Osipenko
+Signed-off-by: Sowjanya Komatineni
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -696,7 +696,7 @@ static const struct i2c_algorithm tegra_
+ /* payload size is only 12 bit */
+ static struct i2c_adapter_quirks tegra_i2c_quirks = {
+ .max_read_len = 4096,
+- .max_write_len = 4096,
++ .max_write_len = 4096 - 12,
+ };
+
+ static const struct tegra_i2c_hw_feature tegra20_i2c_hw = {
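Review bot: The bare `12` in `.max_write_len = 4096 - 12,` is unexplained in the code, and the comment just above the struct ("payload size is only 12 bit") refers to a different 12, so the two are easy to conflate. Per the commit message it is the packet header size in bytes; a comment on that line such as `/* 4K per-packet limit includes the 12-byte packet header */` would keep this visible. `.max_read_len` stays at 4096, and the hunk does not show whether the header also counts against reads, so it is worth confirming the asymmetry is intended.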
diff --git a/queue-4.4/intel_th-don-t-reference-unassigned-outputs.patch b/queue-4.4/intel_th-don-t-reference-unassigned-outputs.patch
new file mode 100644
index 00000000000..7eeef5f4111
--- /dev/null
+++ b/queue-4.4/intel_th-don-t-reference-unassigned-outputs.patch
@@ -0,0 +1,58 @@
+From 9ed3f22223c33347ed963e7c7019cf2956dd4e37 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Thu, 24 Jan 2019 15:11:53 +0200
+Subject: intel_th: Don't reference unassigned outputs
+
+From: Alexander Shishkin
+
+commit 9ed3f22223c33347ed963e7c7019cf2956dd4e37 upstream.
+
+When an output port driver is removed, also remove references to it from
+any masters. Failing to do this causes a NULL ptr dereference when
+configuring another output port:
+
+> BUG: unable to handle kernel NULL pointer dereference at 000000000000000d
+> RIP: 0010:master_attr_store+0x9d/0x160 [intel_th_gth]
+> Call Trace:
+> dev_attr_store+0x1b/0x30
+> sysfs_kf_write+0x3c/0x50
+> kernfs_fop_write+0x125/0x1a0
+> __vfs_write+0x3a/0x190
+> ? __vfs_write+0x5/0x190
+> ? _cond_resched+0x1a/0x50
+> ? rcu_all_qs+0x5/0xb0
+> ? __vfs_write+0x5/0x190
+> vfs_write+0xb8/0x1b0
+> ksys_write+0x55/0xc0
+> __x64_sys_write+0x1a/0x20
+> do_syscall_64+0x5a/0x140
+> entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Alexander Shishkin
+Fixes: b27a6a3f97b9 ("intel_th: Add Global Trace Hub driver")
+CC: stable@vger.kernel.org # v4.4+
+Reported-by: Ammy Yi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/intel_th/gth.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -591,11 +591,15 @@ static void intel_th_gth_unassign(struct
+ {
+ struct gth_device *gth = dev_get_drvdata(&thdev->dev);
+ int port = othdev->output.port;
++ int master;
+
+ spin_lock(>h->gth_lock);
+ othdev->output.port = -1;
+ othdev->output.active = false;
+ gth->output[port].output = NULL;
++ for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++)
++ if (gth->master[master] == port)
++ gth->master[master] = -1;
+ spin_unlock(>h->gth_lock);
+ }
+
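Review bot: The new loop in intel_th_gth_unassign() stops at `master < TH_CONFIGURABLE_MASTERS`, which may leave one master slot still pointing at the port being unassigned. The array declaration is outside this hunk, but if `gth->master[]` holds `TH_CONFIGURABLE_MASTERS + 1` entries (the extra one being a catch-all for higher master IDs), the last entry keeps the stale port and the NULL dereference described in the commit message is not fully closed; the bound would then need to be `master <= TH_CONFIGURABLE_MASTERS`. Separately, `port` is read before `gth_lock` is taken and is used as `gth->output[port]` without a `port < 0` check, so if unassign can run on a device whose port is already -1 the store lands before the array.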
diff --git a/queue-4.4/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch b/queue-4.4/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
new file mode 100644
index 00000000000..9e9fc2121fd
--- /dev/null
+++ b/queue-4.4/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
@@ -0,0 +1,52 @@
+From 8cf7630b29701d364f8df4a50e4f1f5e752b2778 Mon Sep 17 00:00:00 2001
+From: Zev Weiss
+Date: Mon, 11 Mar 2019 23:28:02 -0700
+Subject: kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
+
+From: Zev Weiss
+
+commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream.
+
+This bug has apparently existed since the introduction of this function
+in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git,
+"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of
+neighbour sysctls.").
+
+As a minimal fix we can simply duplicate the corresponding check in
+do_proc_dointvec_conv().
+
+Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net
+Signed-off-by: Zev Weiss
+Cc: Brendan Higgins
+Cc: Iurii Zaikin
+Cc: Kees Cook
+Cc: Luis Chamberlain
+Cc: [2.6.2+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sysctl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2306,7 +2306,16 @@ static int do_proc_dointvec_minmax_conv(
+ {
+ struct do_proc_dointvec_minmax_conv_param *param = data;
+ if (write) {
+- int val = *negp ? -*lvalp : *lvalp;
++ int val;
++ if (*negp) {
++ if (*lvalp > (unsigned long) INT_MAX + 1)
++ return -EINVAL;
++ val = -*lvalp;
++ } else {
++ if (*lvalp > (unsigned long) INT_MAX)
++ return -EINVAL;
++ val = *lvalp;
++ }
+ if ((param->min && *param->min > val) ||
+ (param->max && *param->max < val))
+ return -EINVAL;
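Review bot: The two bounds in the new `if (*negp)` / `else` branches differ by one (`INT_MAX + 1` against `INT_MAX`) with nothing in the code saying why, so a later reader could "correct" the asymmetry and reopen the truncation. A comment above the negative branch would settle it, e.g. `/* the magnitude of INT_MIN is INT_MAX + 1 */`. `val = -*lvalp;` negates what is presumably an unsigned long and then narrows it to int, which gives INT_MIN at the boundary only through implementation-defined conversion; that is worth a word in the same comment. The commit message says the check is duplicated from do_proc_dointvec_conv(), which is outside this hunk; a shared helper would keep the two copies from drifting apart.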
diff --git a/queue-4.4/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch b/queue-4.4/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
new file mode 100644
index 00000000000..f0892484eab
--- /dev/null
+++ b/queue-4.4/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
@@ -0,0 +1,86 @@
+From 401592d2e095947344e10ec0623adbcd58934dd4 Mon Sep 17 00:00:00 2001
+From: Roman Penyaev
+Date: Tue, 5 Mar 2019 15:43:20 -0800
+Subject: mm/vmalloc: fix size check for remap_vmalloc_range_partial()
+
+From: Roman Penyaev
+
+commit 401592d2e095947344e10ec0623adbcd58934dd4 upstream.
+
+When VM_NO_GUARD is not set area->size includes adjacent guard page,
+thus for correct size checking get_vm_area_size() should be used, but
+not area->size.
+
+This fixes possible kernel oops when userspace tries to mmap an area on
+1 page bigger than was allocated by vmalloc_user() call: the size check
+inside remap_vmalloc_range_partial() accounts non-existing guard page
+also, so check successfully passes but vmalloc_to_page() returns NULL
+(guard page does not physically exist).
+
+The following code pattern example should trigger an oops:
+
+ static int oops_mmap(struct file *file, struct vm_area_struct *vma)
+ {
+ void *mem;
+
+ mem = vmalloc_user(4096);
+ BUG_ON(!mem);
+ /* Do not care about mem leak */
+
+ return remap_vmalloc_range(vma, mem, 0);
+ }
+
+And userspace simply mmaps size + PAGE_SIZE:
+
+ mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0);
+
+Possible candidates for oops which do not have any explicit size
+checks:
+
+ *** drivers/media/usb/stkwebcam/stk-webcam.c:
+ v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, 0);
+
+Or the following one:
+
+ *** drivers/video/fbdev/core/fbmem.c
+ static int
+ fb_mmap(struct file *file, struct vm_area_struct * vma)
+ ...
+ res = fb->fb_mmap(info, vma);
+
+Where fb_mmap callback calls remap_vmalloc_range() directly without any
+explicit checks:
+
+ *** drivers/video/fbdev/vfb.c
+ static int vfb_mmap(struct fb_info *info,
+ struct vm_area_struct *vma)
+ {
+ return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff);
+ }
+
+Link: http://lkml.kernel.org/r/20190103145954.16942-2-rpenyaev@suse.de
+Signed-off-by: Roman Penyaev
+Acked-by: Michal Hocko
+Cc: Andrey Ryabinin
+Cc: Joe Perches
+Cc: "Luis R. Rodriguez"
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/vmalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -2162,7 +2162,7 @@ int remap_vmalloc_range_partial(struct v
+ if (!(area->flags & VM_USERMAP))
+ return -EINVAL;
+
+- if (kaddr + size > area->addr + area->size)
++ if (kaddr + size > area->addr + get_vm_area_size(area))
+ return -EINVAL;
+
+ do {
diff --git a/queue-4.4/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch b/queue-4.4/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
new file mode 100644
index 00000000000..0deff712d87
--- /dev/null
+++ b/queue-4.4/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
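Review bot: The bounds check in remap_vmalloc_range_partial() still compares two end addresses, `kaddr + size > area->addr + get_vm_area_size(area)`, so a `size` large enough to wrap `kaddr + size` would satisfy it. Whether `size` is bounded before this point is not visible in the hunk, and the function body starts and ends outside it. Comparing lengths rather than sums removes the wrap, e.g. `if (size > get_vm_area_size(area) - (unsigned long)(kaddr - area->addr))`, assuming the lookup above the hunk has already established that `kaddr` lies inside `area`.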
@@ -0,0 +1,40 @@
+From 21698fd57984cd28207d841dbdaa026d6061bceb Mon Sep 17 00:00:00 2001
+From: QiaoChong
+Date: Sat, 9 Feb 2019 20:59:07 +0000
+Subject: parport_pc: fix find_superio io compare code, should use equal test.
+
+From: QiaoChong
+
+commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream.
+
+In the original code before 181bf1e815a2 the loop was continuing until
+it finds the first matching superios[i].io and p->base.
+But after 181bf1e815a2 the logic changed and the loop now returns the
+pointer to the first mismatched array element which is then used in
+get_superio_dma() and get_superio_irq() and thus returning the wrong
+value.
+Fix the condition so that it now returns the correct pointer.
+
+Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for")
+Cc: Alan Cox
+Cc: stable@vger.kernel.org
+Signed-off-by: QiaoChong
+[rewrite the commit message]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/parport/parport_pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -1377,7 +1377,7 @@ static struct superio_struct *find_super
+ {
+ int i;
+ for (i = 0; i < NR_SUPERIOS; i++)
+- if (superios[i].io != p->base)
++ if (superios[i].io == p->base)
+ return &superios[i];
+ return NULL;
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
index fdce934023d..4520c59960f 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
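Review bot: With the test corrected to `==`, find_superio() now returns NULL whenever no `superios[]` entry matches `p->base`, where the inverted test returned NULL only if every entry matched. get_superio_dma() and get_superio_irq(), named in the commit message as the users of the result, are outside this hunk, so it is worth confirming that both check for NULL before dereferencing. As a style point, the `for` body spans two lines without braces; `for (...) {` with a closing `}` would make the nesting explicit.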
@@ -196,3 +196,8 @@ ext4-fix-crash-during-online-resizing.patch
 ext2-fix-underflow-in-ext2_max_size.patch
 clk-ingenic-fix-round_rate-misbehaving-with-non-integer-dividers.patch
 dmaengine-usb-dmac-make-dmac-system-sleep-callbacks-explicit.patch
+mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
+kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
+intel_th-don-t-reference-unassigned-outputs.patch
+parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
+i2c-tegra-fix-maximum-transfer-size.patch