From 0f5b12126e57e644a648dfc0674067a273cfaba5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 27 Jun 2017 14:19:19 +0200
Subject: [PATCH] 4.11-stable patches
added patches:
net-phy-fix-marvell-phy-status-reading.patch
netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch
netfilter-xtables-zero-padding-in-data_to_user.patch
spi-double-time-out-tolerance.patch
usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
---
 ...t-phy-fix-marvell-phy-status-reading.patch | 40 ++++++
 ...ompat_xt_align-outside-config_compat.patch | 93 ++++++++++++++
 ...xtables-zero-padding-in-data_to_user.patch | 114 ++++++++++++++++++
 queue-4.11/series | 5 +
 .../spi-double-time-out-tolerance.patch | 44 +++++++
 ...id-out-of-bounds-access-on-comp_desc.patch | 106 ++++++++++++++++
 6 files changed, 402 insertions(+)
 create mode 100644 queue-4.11/net-phy-fix-marvell-phy-status-reading.patch
 create mode 100644 queue-4.11/netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch
 create mode 100644 queue-4.11/netfilter-xtables-zero-padding-in-data_to_user.patch
 create mode 100644 queue-4.11/spi-double-time-out-tolerance.patch
 create mode 100644 queue-4.11/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
diff --git a/queue-4.11/net-phy-fix-marvell-phy-status-reading.patch b/queue-4.11/net-phy-fix-marvell-phy-status-reading.patch
new file mode 100644
index 00000000000..a7e01e18b18
--- /dev/null
+++ b/queue-4.11/net-phy-fix-marvell-phy-status-reading.patch
@@ -0,0 +1,40 @@ +From 898805e0cdf7fd860ec21bf661d3a0285a3defbd Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 30 May 2017 16:21:51 +0100 +Subject: net: phy: fix marvell phy status reading + +From: Russell King + +commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream. + +The Marvell driver incorrectly provides phydev->lp_advertising as the +logical and of the link partner's advert and our advert. This is +incorrect - this field is supposed to store the link parter's unmodified +advertisment. + +This allows ethtool to report the correct link partner auto-negotiation +status. + +Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix") +Signed-off-by: Russell King +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/phy/marvell.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1127,8 +1127,6 @@ static int marvell_read_status_page(stru + if (adv < 0) + return adv; + +- lpa &= adv; +- + if (status & MII_M1011_PHY_STATUS_FULLDUPLEX) + phydev->duplex = DUPLEX_FULL; + else diff --git a/queue-4.11/netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch b/queue-4.11/netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch new file mode 100644 index 00000000000..d612f50694a --- /dev/null +++ b/queue-4.11/netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch 
@@ -0,0 +1,93 @@ +From 751a9c763849f5859cb69ea44b0430d00672f637 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Wed, 17 May 2017 11:24:47 -0400 +Subject: netfilter: xtables: fix build failure from COMPAT_XT_ALIGN outside CONFIG_COMPAT + +From: Willem de Bruijn + +commit 751a9c763849f5859cb69ea44b0430d00672f637 upstream. + +The patch in the Fixes references COMPAT_XT_ALIGN in the definition +of XT_DATA_TO_USER, outside an #ifdef CONFIG_COMPAT block. + +Split XT_DATA_TO_USER into separate compat and non compat variants and +define the first inside an CONFIG_COMPAT block. + +This simplifies both variants by removing branches inside the macro. + +Fixes: 324318f0248c ("netfilter: xtables: zero padding in data_to_user") +Reported-by: Stephen Rothwell +Signed-off-by: Willem de Bruijn +Signed-off-by: Pablo Neira Ayuso +Cc: Florian Westphal +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/x_tables.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -296,18 +296,17 @@ int xt_data_to_user(void __user *dst, co + } + EXPORT_SYMBOL_GPL(xt_data_to_user); + +-#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \ ++#define XT_DATA_TO_USER(U, K, TYPE) \ + xt_data_to_user(U->data, K->data, \ + K->u.kernel.TYPE->usersize, \ +- C_SIZE ? : K->u.kernel.TYPE->TYPE##size, \ +- C_SIZE ? 
COMPAT_XT_ALIGN(C_SIZE) : \ +- XT_ALIGN(K->u.kernel.TYPE->TYPE##size)) ++ K->u.kernel.TYPE->TYPE##size, \ ++ XT_ALIGN(K->u.kernel.TYPE->TYPE##size)) + + int xt_match_to_user(const struct xt_entry_match *m, + struct xt_entry_match __user *u) + { + return XT_OBJ_TO_USER(u, m, match, 0) || +- XT_DATA_TO_USER(u, m, match, 0); ++ XT_DATA_TO_USER(u, m, match); + } + EXPORT_SYMBOL_GPL(xt_match_to_user); + +@@ -315,7 +314,7 @@ int xt_target_to_user(const struct xt_en + struct xt_entry_target __user *u) + { + return XT_OBJ_TO_USER(u, t, target, 0) || +- XT_DATA_TO_USER(u, t, target, 0); ++ XT_DATA_TO_USER(u, t, target); + } + EXPORT_SYMBOL_GPL(xt_target_to_user); + +@@ -614,6 +613,12 @@ void xt_compat_match_from_user(struct xt + } + EXPORT_SYMBOL_GPL(xt_compat_match_from_user); + ++#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \ ++ xt_data_to_user(U->data, K->data, \ ++ K->u.kernel.TYPE->usersize, \ ++ C_SIZE, \ ++ COMPAT_XT_ALIGN(C_SIZE)) ++ + int xt_compat_match_to_user(const struct xt_entry_match *m, + void __user **dstptr, unsigned int *size) + { +@@ -629,7 +634,7 @@ int xt_compat_match_to_user(const struct + if (match->compat_to_user((void __user *)cm->data, m->data)) + return -EFAULT; + } else { +- if (XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm))) ++ if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm))) + return -EFAULT; + } + +@@ -984,7 +989,7 @@ int xt_compat_target_to_user(const struc + if (target->compat_to_user((void __user *)ct->data, t->data)) + return -EFAULT; + } else { +- if (XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct))) ++ if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct))) + return -EFAULT; + } + diff --git a/queue-4.11/netfilter-xtables-zero-padding-in-data_to_user.patch b/queue-4.11/netfilter-xtables-zero-padding-in-data_to_user.patch new file mode 100644 index 00000000000..266fbda03f6 --- /dev/null +++ b/queue-4.11/netfilter-xtables-zero-padding-in-data_to_user.patch 
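Review bot: The two macros XT_DATA_TO_USER and COMPAT_XT_DATA_TO_USER now differ by prefix only and carry no comment saying which path each serves or why they were split; a one-liner above each, `/* native tables: pad to XT_ALIGN of the kernel-side object size */` and `/* compat tables: caller passes the compat data size; pad to COMPAT_XT_ALIGN */`, would stop a later cleanup from re-merging them and reintroducing the build break this patch fixes. From its placement after xt_compat_match_from_user I take it COMPAT_XT_DATA_TO_USER lands inside the existing CONFIG_COMPAT region, but the #ifdef itself is outside the hunk, so that is worth confirming in the applied file. The callers in the last two hunks are the only users of the compat variant; both sit in functions that begin outside the hunk.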
@@ -0,0 +1,114 @@ +From 324318f0248c31be8a08984146e7e4dd7cdd091d Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 9 May 2017 16:17:37 -0400 +Subject: netfilter: xtables: zero padding in data_to_user + +From: Willem de Bruijn + +commit 324318f0248c31be8a08984146e7e4dd7cdd091d upstream. + +When looking up an iptables rule, the iptables binary compares the +aligned match and target data (XT_ALIGN). In some cases this can +exceed the actual data size to include padding bytes. + +Before commit f77bc5b23fb1 ("iptables: use match, target and data +copy_to_user helpers") the malloc()ed bytes were overwritten by the +kernel with kzalloced contents, zeroing the padding and making the +comparison succeed. After this patch, the kernel copies and clears +only data, leaving the padding bytes undefined. + +Extend the clear operation from data size to aligned data size to +include the padding bytes, if any. + +Padding bytes can be observed in both match and target, and the bug +triggered, by issuing a rule with match icmp and target ACCEPT: + + iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT + iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT + +Fixes: f77bc5b23fb1 ("iptables: use match, target and data copy_to_user helpers") +Reported-by: Paul Moore +Reported-by: Richard Guy Briggs +Signed-off-by: Willem de Bruijn +Signed-off-by: Pablo Neira Ayuso +Cc: Florian Westphal +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netfilter/x_tables.h | 2 +- + net/bridge/netfilter/ebtables.c | 9 ++++++--- + net/netfilter/x_tables.c | 9 ++++++--- + 3 files changed, 13 insertions(+), 7 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -294,7 +294,7 @@ int xt_match_to_user(const struct xt_ent + int xt_target_to_user(const struct xt_entry_target *t, + struct xt_entry_target __user *u); + int xt_data_to_user(void __user *dst, const void *src, +- int usersize, int size); ++ int usersize, int 
size, int aligned_size); + + void *xt_copy_counters_from_user(const void __user *user, unsigned int len, + struct xt_counters_info *info, bool compat); +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1358,7 +1358,8 @@ static inline int ebt_obj_to_user(char _ + strlcpy(name, _name, sizeof(name)); + if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) || + put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) || +- xt_data_to_user(um + entrysize, data, usersize, datasize)) ++ xt_data_to_user(um + entrysize, data, usersize, datasize, ++ XT_ALIGN(datasize))) + return -EFAULT; + + return 0; +@@ -1643,7 +1644,8 @@ static int compat_match_to_user(struct e + if (match->compat_to_user(cm->data, m->data)) + return -EFAULT; + } else { +- if (xt_data_to_user(cm->data, m->data, match->usersize, msize)) ++ if (xt_data_to_user(cm->data, m->data, match->usersize, msize, ++ COMPAT_XT_ALIGN(msize))) + return -EFAULT; + } + +@@ -1672,7 +1674,8 @@ static int compat_target_to_user(struct + if (target->compat_to_user(cm->data, t->data)) + return -EFAULT; + } else { +- if (xt_data_to_user(cm->data, t->data, target->usersize, tsize)) ++ if (xt_data_to_user(cm->data, t->data, target->usersize, tsize, ++ COMPAT_XT_ALIGN(tsize))) + return -EFAULT; + } + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -283,12 +283,13 @@ static int xt_obj_to_user(u16 __user *ps + &U->u.user.revision, K->u.kernel.TYPE->revision) + + int xt_data_to_user(void __user *dst, const void *src, +- int usersize, int size) ++ int usersize, int size, int aligned_size) + { + usersize = usersize ? 
: size; + if (copy_to_user(dst, src, usersize)) + return -EFAULT; +- if (usersize != size && clear_user(dst + usersize, size - usersize)) ++ if (usersize != aligned_size && ++ clear_user(dst + usersize, aligned_size - usersize)) + return -EFAULT; + + return 0; +@@ -298,7 +299,9 @@ EXPORT_SYMBOL_GPL(xt_data_to_user); + #define XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \ + xt_data_to_user(U->data, K->data, \ + K->u.kernel.TYPE->usersize, \ +- C_SIZE ? : K->u.kernel.TYPE->TYPE##size) ++ C_SIZE ? : K->u.kernel.TYPE->TYPE##size, \ ++ C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) : \ ++ XT_ALIGN(K->u.kernel.TYPE->TYPE##size)) + + int xt_match_to_user(const struct xt_entry_match *m, + struct xt_entry_match __user *u) diff --git a/queue-4.11/series b/queue-4.11/series index 96ae65293df..df875c30875 100644 --- a/queue-4.11/series +++ b/queue-4.11/series @@ -50,3 +50,8 @@ acpi-scan-apply-default-enumeration-to-devices-with-acpi-drivers.patch acpi-scan-fix-enumeration-for-special-spi-and-i2c-devices.patch rxrpc-fix-several-cases-where-a-padded-len-isn-t-checked-in-ticket-decode.patch drm-fix-getconnector-regression.patch +usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch +spi-double-time-out-tolerance.patch +net-phy-fix-marvell-phy-status-reading.patch +netfilter-xtables-zero-padding-in-data_to_user.patch +netfilter-xtables-fix-build-failure-from-compat_xt_align-outside-config_compat.patch diff --git a/queue-4.11/spi-double-time-out-tolerance.patch b/queue-4.11/spi-double-time-out-tolerance.patch new file mode 100644 index 00000000000..dbe3731ba38 --- /dev/null +++ b/queue-4.11/spi-double-time-out-tolerance.patch 
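Review bot: xt_data_to_user in the x_tables.c hunk now clears `aligned_size - usersize` bytes but nothing states or checks the precondition `usersize <= aligned_size`; with the `usersize ? : size` fallback, a caller passing an aligned size below the data size would hand a negative `int` to clear_user, which would most likely fail with -EFAULT rather than zero anything, silently masking the caller's bug. Every caller added here passes `XT_ALIGN(size)` or `COMPAT_XT_ALIGN(size)`, so the invariant holds today; record it on the prototype in x_tables.h, e.g. `/* copies usersize (or size if 0) bytes, then zeroes up to aligned_size; callers guarantee aligned_size >= size */`, or add `if (WARN_ON_ONCE(aligned_size < usersize)) return -EINVAL;` before the copy. That comment is also the place to say the zeroing exists so the padding bytes userspace sees are deterministic. The XT_DATA_TO_USER change at the end of the hunk references COMPAT_XT_ALIGN outside any CONFIG_COMPAT guard, which the next patch in `series` repairs, so the tree does not build between the two — acceptable for a stable queue but worth knowing when bisecting.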
@@ -0,0 +1,44 @@ +From 833bfade96561216aa2129516a5926a0326860a2 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Mon, 17 Apr 2017 01:38:05 +0200 +Subject: spi: double time out tolerance + +From: Hauke Mehrtens + +commit 833bfade96561216aa2129516a5926a0326860a2 upstream. + +The generic SPI code calculates how long the issued transfer would take +and adds 100ms in addition to the timeout as tolerance. On my 500 MHz +Lantiq Mips SoC I am getting timeouts from the SPI like this when the +system boots up: + +m25p80 spi32766.4: SPI transfer timed out +blk_update_request: I/O error, dev mtdblock3, sector 2 +SQUASHFS error: squashfs_read_data failed to read block 0x6e + +After increasing the tolerance for the timeout to 200ms I haven't seen +these SPI transfer time outs any more. +The Lantiq SPI driver in use here has an extra work queue in between, +which gets triggered when the controller send the last word and the +hardware FIFOs used for reading and writing are only 8 words long. + +Signed-off-by: Hauke Mehrtens +Signed-off-by: Mark Brown +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1015,7 +1015,7 @@ static int spi_transfer_one_message(stru + ret = 0; + ms = 8LL * 1000LL * xfer->len; + do_div(ms, xfer->speed_hz); +- ms += ms + 100; /* some tolerance */ ++ ms += ms + 200; /* some tolerance */ + + if (ms > UINT_MAX) + ms = UINT_MAX; diff --git a/queue-4.11/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch b/queue-4.11/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch new file mode 100644 index 00000000000..c4efe510d96 --- /dev/null +++ b/queue-4.11/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch 
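Review bot: The comment `/* some tolerance */` on the changed line understates what the expression does: `ms += ms + 200` doubles the computed transfer time and then adds 200 ms, so the slack grows with the transfer rather than being a flat 200 ms. Writing it as `ms = ms * 2 + 200; /* double the estimate plus 200 ms, for controllers that complete via a workqueue */` states the real timeout and keeps the constant visible; a named constant would be better still now that it has been retuned once. The `do_div(ms, xfer->speed_hz)` two lines up has no zero guard in the hunk, though speed_hz may be validated elsewhere. spi_transfer_one_message begins and ends outside the hunk.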
@@ -0,0 +1,106 @@ +From b7f73850bb4fac1e2209a4dd5e636d39be92f42c Mon Sep 17 00:00:00 2001 +From: William Wu +Date: Tue, 25 Apr 2017 17:45:48 +0800 +Subject: usb: gadget: f_fs: avoid out of bounds access on comp_desc + +From: William Wu + +commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c upstream. + +Companion descriptor is only used for SuperSpeed endpoints, +if the endpoints are HighSpeed or FullSpeed, the Companion +descriptor will not allocated, so we can only access it if +gadget is SuperSpeed. + +I can reproduce this issue on Rockchip platform rk3368 SoC +which supports USB 2.0, and use functionfs for ADB. Kernel +build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report +the following BUG: + +================================================================== +BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509 +Read of size 1 by task swapper/0/0 +============================================================================ +BUG kmalloc-256 (Not tainted): kasan: bad access detected +---------------------------------------------------------------------------- + +Disabling lock debugging due to kernel taint +INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1 +alloc_debug_processing+0x128/0x17c +___slab_alloc.constprop.58+0x50c/0x610 +__slab_alloc.isra.55.constprop.57+0x24/0x34 +__kmalloc+0xe0/0x250 +ffs_func_bind+0x52c/0x99c +usb_add_function+0xd8/0x1d4 +configfs_composite_bind+0x48c/0x570 +udc_bind_to_driver+0x6c/0x170 +usb_udc_attach_driver+0xa4/0xd0 +gadget_dev_desc_UDC_store+0xcc/0x118 +configfs_write_file+0x1a0/0x1f8 +__vfs_write+0x64/0x174 +vfs_write+0xe4/0x200 +SyS_write+0x68/0xc8 +el0_svc_naked+0x24/0x28 +INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247 +... 
+Call trace: +[] dump_backtrace+0x0/0x230 +[] show_stack+0x14/0x1c +[] dump_stack+0xa0/0xc8 +[] print_trailer+0x188/0x198 +[] object_err+0x3c/0x4c +[] kasan_report+0x324/0x4dc +[] __asan_load1+0x24/0x50 +[] ffs_func_set_alt+0x224/0x3a0 +[] composite_setup+0xdcc/0x1ac8 +[] android_setup+0x124/0x1a0 +[] _setup+0x54/0x74 +[] handle_ep0+0x3288/0x4390 +[] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4 +[] dwc_otg_pcd_handle_intr+0x1ec/0x298 +[] dwc_otg_pcd_irq+0x10/0x20 +[] handle_irq_event_percpu+0x124/0x3ac +[] handle_irq_event+0x60/0xa0 +[] handle_fasteoi_irq+0x10c/0x1d4 +[] generic_handle_irq+0x30/0x40 +[] __handle_domain_irq+0xac/0xdc +[] gic_handle_irq+0x64/0xa4 +... +Memory state around the buggy address: + ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc + >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 +================================================================== + +Signed-off-by: William Wu +Signed-off-by: Felipe Balbi +Cc: Jerry Zhang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1859,12 +1859,12 @@ static int ffs_func_eps_enable(struct ff + ep->ep->driver_data = ep; + ep->ep->desc = ds; + +- comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + +- USB_DT_ENDPOINT_SIZE); +- ep->ep->maxburst = comp_desc->bMaxBurst + 1; +- +- if (needs_comp_desc) ++ if (needs_comp_desc) { ++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + ++ USB_DT_ENDPOINT_SIZE); ++ ep->ep->maxburst = comp_desc->bMaxBurst + 1; + ep->ep->comp_desc = comp_desc; ++ } + + ret = usb_ep_enable(ep->ep); + if (likely(!ret)) { -- 2.47.3
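Review bot: With the companion-descriptor read moved under `needs_comp_desc`, `ep->ep->maxburst` is no longer written on the HighSpeed/FullSpeed path, so it keeps whatever an earlier enable of the same endpoint stored; if the UDC consults maxburst regardless of speed, an explicit `else ep->ep->maxburst = 0;` (or a reset before the `if`) would make that path deterministic — how maxburst is consumed is not visible here, so treat this as a question rather than a defect. A comment on the new `if`, `/* a companion descriptor follows the endpoint descriptor only in SuperSpeed descriptor sets */`, would record why the access is gated. The fix also relies on `needs_comp_desc` matching the descriptor set actually selected, which is computed before the hunk. ffs_func_eps_enable starts and ends outside the hunk.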