From 1650d184c7096854ee53d90ed9c64864b34b1248 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 12 Dec 2019 10:40:44 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
appletalk-set-error-code-if-register_snap_client-failed.patch
asoc-rsnd-fixup-mix-kctrl-registration.patch
kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
---
...ereference-in-unregister_snap_client.patch | 124 ++++++++++++++++++
...-code-if-register_snap_client-failed.patch | 33 +++++
...oc-rsnd-fixup-mix-kctrl-registration.patch | 61 +++++++++
...vm_get_emulated_cpuid-cve-2019-19332.patch | 43 ++++++
queue-4.14/series | 4 +
5 files changed, 265 insertions(+)
create mode 100644 queue-4.14/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
create mode 100644 queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch
create mode 100644 queue-4.14/asoc-rsnd-fixup-mix-kctrl-registration.patch
create mode 100644 queue-4.14/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch

diff --git a/queue-4.14/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch b/queue-4.14/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
new file mode 100644
index 00000000000..861b7edc0ae
--- /dev/null
+++ b/queue-4.14/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
@@ -0,0 +1,124 @@
+From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Thu, 14 Mar 2019 13:47:59 +0800
+Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client
+
+From: YueHaibing
+
+commit 9804501fa1228048857910a6bf23e085aade37cc upstream.
+
+register_snap_client may return NULL, all the callers
+check it, but only print a warning. This will result in
+NULL pointer dereference in unregister_snap_client and other
+places.
+
+It has always been used like this since v2.6
+
+Reported-by: Dan Carpenter
+Signed-off-by: YueHaibing
+Signed-off-by: David S. Miller
+[bwh: Backported to <4.15: adjust context]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/atalk.h | 2 +-
+ net/appletalk/aarp.c | 15 ++++++++++++---
+ net/appletalk/ddp.c | 20 ++++++++++++--------
+ 3 files changed, 25 insertions(+), 12 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -108,7 +108,7 @@ static __inline__ struct elapaarp *aarp_
+ #define AARP_RESOLVE_TIME (10 * HZ)
+
+ extern struct datalink_proto *ddp_dl, *aarp_dl;
+-extern void aarp_proto_init(void);
++extern int aarp_proto_init(void);
+
+ /* Inter module exports */
+
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi
+
+ static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
+
+-void __init aarp_proto_init(void)
++int __init aarp_proto_init(void)
+ {
++ int rc;
++
+ aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
+- if (!aarp_dl)
++ if (!aarp_dl) {
+ printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
++ return -ENOMEM;
++ }
+ setup_timer(&aarp_timer, aarp_expire_timeout, 0);
+ aarp_timer.expires = jiffies + sysctl_aarp_expiry_time;
+ add_timer(&aarp_timer);
+- register_netdevice_notifier(&aarp_notifier);
++ rc = register_netdevice_notifier(&aarp_notifier);
++ if (rc) {
++ del_timer_sync(&aarp_timer);
++ unregister_snap_client(aarp_dl);
++ }
++ return rc;
+ }
+
+ /* Remove the AARP entries associated with a device. */
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1911,9 +1911,6 @@ static unsigned char ddp_snap_id[] = { 0
+ EXPORT_SYMBOL(atrtr_get_dev);
+ EXPORT_SYMBOL(atalk_find_dev_addr);
+
+-static const char atalk_err_snap[] __initconst =
+- KERN_CRIT "Unable to register DDP with SNAP.\n";
+-
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+@@ -1928,17 +1925,22 @@ static int __init atalk_init(void)
+ goto out_proto;
+
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+- if (!ddp_dl)
+- printk(atalk_err_snap);
++ if (!ddp_dl) {
++ pr_crit("Unable to register DDP with SNAP.\n");
++ goto out_sock;
++ }
+
+ dev_add_pack(<alk_packet_type);
+ dev_add_pack(&ppptalk_packet_type);
+
+ rc = register_netdevice_notifier(&ddp_notifier);
+ if (rc)
+- goto out_sock;
++ goto out_snap;
++
++ rc = aarp_proto_init();
++ if (rc)
++ goto out_dev;
+
+- aarp_proto_init();
+ rc = atalk_proc_init();
+ if (rc)
+ goto out_aarp;
+@@ -1952,11 +1954,13 @@ out_proc:
+ atalk_proc_exit();
+ out_aarp:
+ aarp_cleanup_module();
++out_dev:
+ unregister_netdevice_notifier(&ddp_notifier);
+-out_sock:
++out_snap:
+ dev_remove_pack(&ppptalk_packet_type);
+ dev_remove_pack(<alk_packet_type);
+ unregister_snap_client(ddp_dl);
++out_sock:
+ sock_unregister(PF_APPLETALK);
+ out_proto:
+ proto_unregister(&ddp_proto);
diff --git a/queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch b/queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch
new file mode 100644
index 00000000000..abf682c6154
--- /dev/null
+++ b/queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch
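Review bot: In the new notifier-failure branch of aarp_proto_init, `unregister_snap_client(aarp_dl);` releases the client but leaves the exported global `aarp_dl` pointing at it, and atalk_init's out_snap path does the same with `ddp_dl`. Nothing visible in the hunk touches the pointers after those paths, so this is hygiene rather than a live fault, but since this patch exists because unregister_snap_client was being reached through a bad `aarp_dl`, clearing the globals right after the calls, `aarp_dl = NULL;` and `ddp_dl = NULL;`, would keep any later cleanup (presumably aarp_cleanup_module, whose body is not shown) from operating on freed memory. The atalk_init hunks are partial: the function's opening lines and the remaining labels lie outside them, and the `goto out_sock` that leaves rc untouched is addressed by the sibling patch in this same commit.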
@@ -0,0 +1,33 @@
+From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Tue, 30 Apr 2019 19:34:08 +0800
+Subject: appletalk: Set error code if register_snap_client failed
+
+From: YueHaibing
+
+commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream.
+
+If register_snap_client fails in atalk_init,
+error code should be set, otherwise it will
+triggers NULL pointer dereference while unloading
+module.
+
+Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
+Signed-off-by: YueHaibing
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/appletalk/ddp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1927,6 +1927,7 @@ static int __init atalk_init(void)
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+ if (!ddp_dl) {
+ pr_crit("Unable to register DDP with SNAP.\n");
++ rc = -ENOMEM;
+ goto out_sock;
+ }
+
diff --git a/queue-4.14/asoc-rsnd-fixup-mix-kctrl-registration.patch b/queue-4.14/asoc-rsnd-fixup-mix-kctrl-registration.patch
new file mode 100644
index 00000000000..9ffb28c2582
--- /dev/null
+++ b/queue-4.14/asoc-rsnd-fixup-mix-kctrl-registration.patch
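Review bot: `rc = -ENOMEM;` assumes allocation failure is the only reason register_snap_client returns NULL; the hunk cannot show whether it also returns NULL for a SNAP id that is already registered, so that should be verified against net/802/psnap.c before treating the code as precise. If it can fail for other reasons, a short comment such as `/* NULL here is reported as -ENOMEM; register_snap_client gives no finer reason */` would stop a future reader from taking the errno at face value. The choice is at least consistent with the sibling aarp_proto_init change in this commit, and the important property, that atalk_init no longer returns 0 after tearing itself down, holds either way. atalk_init's body begins and ends outside the hunk.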
@@ -0,0 +1,61 @@
+From 7aea8a9d71d54f449f49e20324df06341cc18395 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto
+Date: Fri, 1 Feb 2019 16:49:30 +0900
+Subject: ASoC: rsnd: fixup MIX kctrl registration
+
+From: Kuninori Morimoto
+
+commit 7aea8a9d71d54f449f49e20324df06341cc18395 upstream.
+
+Renesas sound device has many IPs and many situations.
+If platform/board uses MIXer, situation will be more complex.
+To avoid duplicate DVC kctrl registration when MIXer was used,
+it had original flags.
+But it was issue when sound card was re-binded, because
+no one can't cleanup this flags then.
+
+To solve this issue, commit 9c698e8481a15237a ("ASoC: rsnd: tidyup
+registering method for rsnd_kctrl_new()") checks registered
+card->controls, because if card was re-binded, these were cleanuped
+automatically. This patch could solve re-binding issue.
+But, it start to avoid MIX kctrl.
+
+To solve these issues, we need below.
+To avoid card re-binding issue: check registered card->controls
+To avoid duplicate DVC registration: check registered rsnd_kctrl_cfg
+To allow multiple MIX registration: check registered rsnd_kctrl_cfg
+This patch do it.
+
+Fixes: 9c698e8481a15237a ("ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()")
+Reported-by: Jiada Wang
+Signed-off-by: Kuninori Morimoto
+Tested-By: Jiada Wang
+Signed-off-by: Mark Brown
+Cc: Nobuhiro Iwamatsu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/sh/rcar/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -1279,14 +1279,14 @@ int rsnd_kctrl_new(struct rsnd_mod *mod,
+ int ret;
+
+ /*
+- * 1) Avoid duplicate register (ex. MIXer case)
+- * 2) re-register if card was rebinded
++ * 1) Avoid duplicate register for DVC with MIX case
++ * 2) Allow duplicate register for MIX
++ * 3) re-register if card was rebinded
+ */
+ list_for_each_entry(kctrl, &card->controls, list) {
+ struct rsnd_kctrl_cfg *c = kctrl->private_data;
+
+- if (strcmp(kctrl->id.name, name) == 0 &&
+- c->mod == mod)
++ if (c == cfg)
+ return 0;
+ }
+
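Review bot: The new comparison `if (c == cfg)` relies on pointer identity of `kctrl->private_data`, yet the comment block above it lists three goals without saying why identity alone satisfies all of them; a reader who later sees a non-rsnd control on `card->controls` will wonder whether the cast to `struct rsnd_kctrl_cfg *` is safe. It is, because `c` is now only compared and never dereferenced, which is also what makes the old `c->mod` read go away; a comment such as `/* compare only: private_data may not be an rsnd cfg for every control */` on the declaration would record that. With the `strcmp` gone, `name` is no longer consulted in this loop; whether it is still needed elsewhere in rsnd_kctrl_new cannot be seen here, as the function starts and ends outside the hunk.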
@@ -0,0 +1,43 @@
+From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Wed, 4 Dec 2019 10:28:54 +0100
+Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
+
+From: Paolo Bonzini
+
+commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
+
+The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
+KVM_GET_EMULATED_CPUID.
+
+Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
+Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
+Signed-off-by: Paolo Bonzini
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/cpuid.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -404,7 +404,7 @@ static inline int __do_cpuid_ent(struct
+
+ r = -E2BIG;
+
+- if (*nent >= maxnent)
++ if (WARN_ON(*nent >= maxnent))
+ goto out;
+
+ do_cpuid_1_ent(entry, function, index);
+@@ -707,6 +707,9 @@ out:
+ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
+ u32 idx, int *nent, int maxnent, unsigned int type)
+ {
++ if (*nent >= maxnent)
++ return -E2BIG;
++
+ if (type == KVM_GET_EMULATED_CPUID)
+ return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
+
diff --git a/queue-4.14/series b/queue-4.14/series
index e875f0de29c..fb3d15ecda4 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
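Review bot: `if (WARN_ON(*nent >= maxnent))` in __do_cpuid_ent is now a check that the new guard at the top of do_cpuid_ent makes unreachable through this path, and nothing says so, so a later reader may remove one of the two as redundant or wonder which is authoritative. A comment on the WARN_ON line, `/* do_cpuid_ent() bounds *nent first; firing here means a caller bypassed it */`, would make the intent explicit: the do_cpuid_ent check is the one that protects the emulated path the CVE describes, and the WARN_ON is an assertion for new callers. Both functions continue outside the hunk, so whether __do_cpuid_ent's inner per-subleaf checks keep their plain form cannot be confirmed here.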
@@ -150,6 +150,10 @@ rdma-qib-validate-show-store-callbacks-before-calling-them.patch
 iomap-fix-pipe-page-leakage-during-splicing.patch
 thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
 binder-handle-start-null-in-binder_update_page_range.patch
+asoc-rsnd-fixup-mix-kctrl-registration.patch
+kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
+appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
+appletalk-set-error-code-if-register_snap_client-failed.patch
 alsa-hda-fix-pending-unsol-events-at-shutdown.patch
 md-raid0-fix-an-error-message-in-raid0_make_request.patch
 watchdog-aspeed-fix-clock-behaviour-for-ast2600.patch
-- 2.47.3