From 507a0f77215a9d5c882b4d3644e478fe3e2a7ed6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 29 Sep 2018 16:46:37 -0700
Subject: [PATCH] 3.18-stable patches

added patches:
floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
serial-cpm_uart-return-immediately-from-console-poll.patch
spi-rspi-fix-interrupted-dma-transfers.patch
spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
spi-tegra20-slink-explicitly-enable-disable-clock.patch
usb-fix-error-handling-in-usb_driver_claim_interface.patch
usb-handle-null-config-in-usb_find_alt_setting.patch
---
 ...ter-to-user-memory-in-fdgetprm-ioctl.patch | 46 ++++++++++
 ...return-immediately-from-console-poll.patch | 48 +++++++++++
 queue-3.18/series | 7 ++
 ...i-rspi-fix-interrupted-dma-transfers.patch | 58 +++++++++++++
 ...ng-of-write-value-for-sistr-register.patch | 38 +++++++++
 ...link-explicitly-enable-disable-clock.patch | 84 +++++++++++++++++++
 ...ndling-in-usb_driver_claim_interface.patch | 58 +++++++++++++
 ...-null-config-in-usb_find_alt_setting.patch | 38 +++++++++
 8 files changed, 377 insertions(+)
 create mode 100644 queue-3.18/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
 create mode 100644 queue-3.18/serial-cpm_uart-return-immediately-from-console-poll.patch
 create mode 100644 queue-3.18/spi-rspi-fix-interrupted-dma-transfers.patch
 create mode 100644 queue-3.18/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
 create mode 100644 queue-3.18/spi-tegra20-slink-explicitly-enable-disable-clock.patch
 create mode 100644 queue-3.18/usb-fix-error-handling-in-usb_driver_claim_interface.patch
 create mode 100644 queue-3.18/usb-handle-null-config-in-usb_find_alt_setting.patch

diff --git a/queue-3.18/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch b/queue-3.18/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
new file mode 100644
index 00000000000..a3e8157d9f9
--- /dev/null
+++ b/queue-3.18/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
@@ -0,0 +1,46 @@
+From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft
+Date: Thu, 20 Sep 2018 09:09:48 -0600
+Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+
+From: Andy Whitcroft
+
+commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
+
+The final field of a floppy_struct is the field "name", which is a pointer
+to a string in kernel memory. The kernel pointer should not be copied to
+user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
+including this "name" field. This pointer cannot be used by the user
+and it will leak a kernel address to user-space, which will reveal the
+location of kernel code and data and undermine KASLR protection.
+
+Model this code after the compat ioctl which copies the returned data
+to a previously cleared temporary structure on the stack (excluding the
+name pointer) and copy out to userspace from there. As we already have
+an inparam union with an appropriate member and that memory is already
+cleared even for read only calls make use of that as a temporary store.
+
+Based on an initial patch by Brian Belleville.
+
+CVE-2018-7755
+Signed-off-by: Andy Whitcroft
+Broke up long line.
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_
+ (struct floppy_struct **)&outparam);
+ if (ret)
+ return ret;
++ memcpy(&inparam.g, outparam,
++ offsetof(struct floppy_struct, name));
++ outparam = &inparam.g;
+ break;
+ case FDMSGON:
+ UDP->flags |= FTD_MSG;
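Review bot: The added `memcpy(&inparam.g, outparam, offsetof(struct floppy_struct, name))` copies only the fields before `name`, so whatever is copied out past that point is exactly what the earlier clearing of `inparam` in fd_locked_ioctl left there; that clearing is outside this hunk, and the commit message relies on it being unconditional, including for read-only ioctls. The dependency is invisible at the copy site, so record it there: `/* inparam is zeroed above for every cmd; copy only the fields before the kernel pointer "name" so nothing past it reaches user space */`. The offsetof bound also assumes `name` is the last member; a BUILD_BUG_ON() checking that `name` is the final field, or at least a comment saying so, would keep a field added after `name` from being silently dropped from the FDGETPRM result. fd_locked_ioctl() extends well beyond the hunk on both sides.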
diff --git a/queue-3.18/serial-cpm_uart-return-immediately-from-console-poll.patch b/queue-3.18/serial-cpm_uart-return-immediately-from-console-poll.patch
new file mode 100644
index 00000000000..0692c0e2285
--- /dev/null
+++ b/queue-3.18/serial-cpm_uart-return-immediately-from-console-poll.patch
@@ -0,0 +1,48 @@
+From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Fri, 14 Sep 2018 10:32:50 +0000
+Subject: serial: cpm_uart: return immediately from console poll
+
+From: Christophe Leroy
+
+commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream.
+
+kgdb expects poll function to return immediately and
+returning NO_POLL_CHAR when no character is available.
+
+Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll")
+Cc: Jason Wessel
+Cc:
+Signed-off-by: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+@@ -1054,8 +1054,8 @@ static int poll_wait_key(char *obuf, str
+ /* Get the address of the host memory buffer.
+ */
+ bdp = pinfo->rx_cur;
+- while (bdp->cbd_sc & BD_SC_EMPTY)
+- ;
++ if (bdp->cbd_sc & BD_SC_EMPTY)
++ return NO_POLL_CHAR;
+
+ /* If the buffer address is in the CPM DPRAM, don't
+ * convert it.
+@@ -1089,7 +1089,11 @@ static int cpm_get_poll_char(struct uart
+ poll_chars = 0;
+ }
+ if (poll_chars <= 0) {
+- poll_chars = poll_wait_key(poll_buf, pinfo);
++ int ret = poll_wait_key(poll_buf, pinfo);
++
++ if (ret == NO_POLL_CHAR)
++ return ret;
++ poll_chars = ret;
+ pollp = poll_buf;
+ }
+ poll_chars--;
diff --git a/queue-3.18/series b/queue-3.18/series
index 70233a22cd4..9f5bb13b4b3 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
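Review bot: `poll_wait_key()` no longer waits, but its name still says it does, and the new contract is only discoverable from the second hunk's `if (ret == NO_POLL_CHAR)` check: it returns `NO_POLL_CHAR` when `bdp->cbd_sc & BD_SC_EMPTY` is set and otherwise the count that `cpm_get_poll_char()` then decrements. A one-line comment at the function definition, which starts outside this hunk, would make that explicit: `/* Non-blocking: returns NO_POLL_CHAR if no receive buffer is ready, else the number of characters placed in obuf. */`. Folding a sentinel and a count into the same `int ret` depends on `NO_POLL_CHAR` never matching a valid count; a word on that at the call site would save the next reader the lookup.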
@@ -46,3 +46,10 @@ audit-fix-extended-comparison-of-gid-egid.patch
 asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
 module-exclude-shn_undef-symbols-from-kallsyms-api.patch
 nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
+floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
+serial-cpm_uart-return-immediately-from-console-poll.patch
+spi-tegra20-slink-explicitly-enable-disable-clock.patch
+spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
+spi-rspi-fix-interrupted-dma-transfers.patch
+usb-fix-error-handling-in-usb_driver_claim_interface.patch
+usb-handle-null-config-in-usb_find_alt_setting.patch
diff --git a/queue-3.18/spi-rspi-fix-interrupted-dma-transfers.patch b/queue-3.18/spi-rspi-fix-interrupted-dma-transfers.patch
new file mode 100644
index 00000000000..8d25f1becde
--- /dev/null
+++ b/queue-3.18/spi-rspi-fix-interrupted-dma-transfers.patch
@@ -0,0 +1,58 @@
+From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 5 Sep 2018 10:49:39 +0200
+Subject: spi: rspi: Fix interrupted DMA transfers
+
+From: Geert Uytterhoeven
+
+commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream.
+
+When interrupted, wait_event_interruptible_timeout() returns
+-ERESTARTSYS, and the SPI transfer in progress will fail, as expected:
+
+ m25p80 spi0.0: SPI transfer failed: -512
+ spi_master spi0: failed to transfer one message from queue
+
+However, as the underlying DMA transfers may not have completed, all
+subsequent SPI transfers may start to fail:
+
+ spi_master spi0: receive timeout
+ qspi_transfer_out_in() returned -110
+ m25p80 spi0.0: SPI transfer failed: -110
+ spi_master spi0: failed to transfer one message from queue
+
+Fix this by calling dmaengine_terminate_all() not only for timeouts, but
+also for errors.
+
+This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed
+by CTRL-C.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-rspi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -538,11 +538,13 @@ static int rspi_dma_transfer(struct rspi
+
+ ret = wait_event_interruptible_timeout(rspi->wait,
+ rspi->dma_callbacked, HZ);
+- if (ret > 0 && rspi->dma_callbacked)
++ if (ret > 0 && rspi->dma_callbacked) {
+ ret = 0;
+- else if (!ret) {
+- dev_err(&rspi->master->dev, "DMA timeout\n");
+- ret = -ETIMEDOUT;
++ } else {
++ if (!ret) {
++ dev_err(&rspi->master->dev, "DMA timeout\n");
++ ret = -ETIMEDOUT;
++ }
+ if (tx)
+ dmaengine_terminate_all(rspi->master->dma_tx);
+ if (rx)
diff --git a/queue-3.18/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch b/queue-3.18/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
new file mode 100644
index 00000000000..735e05a4855
--- /dev/null
+++ b/queue-3.18/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
@@ -0,0 +1,38 @@
+From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001
+From: Hiromitsu Yamasaki
+Date: Wed, 5 Sep 2018 10:49:37 +0200
+Subject: spi: sh-msiof: Fix handling of write value for SISTR register
+
+From: Hiromitsu Yamasaki
+
+commit 31a5fae4c5a009898da6d177901d5328051641ff upstream.
+
+This patch changes writing to the SISTR register according to the H/W
+user's manual.
+
+The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written
+their initial values of zero.
+
+Signed-off-by: Hiromitsu Yamasaki
+[geert: reword]
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-sh-msiof.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -332,7 +332,8 @@ static void sh_msiof_spi_set_mode_regs(s
+
+ static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p)
+ {
+- sh_msiof_write(p, STR, sh_msiof_read(p, STR));
++ sh_msiof_write(p, STR,
++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ));
+ }
+
+ static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p,
diff --git a/queue-3.18/spi-tegra20-slink-explicitly-enable-disable-clock.patch b/queue-3.18/spi-tegra20-slink-explicitly-enable-disable-clock.patch
new file mode 100644
index 00000000000..d1773786fc3
--- /dev/null
+++ b/queue-3.18/spi-tegra20-slink-explicitly-enable-disable-clock.patch
@@ -0,0 +1,84 @@
+From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler
+Date: Wed, 29 Aug 2018 08:47:57 +0200
+Subject: spi: tegra20-slink: explicitly enable/disable clock
+
+From: Marcel Ziswiler
+
+commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream.
+
+Depending on the SPI instance one may get an interrupt storm upon
+requesting resp. interrupt unless the clock is explicitly enabled
+beforehand. This has been observed trying to bring up instance 4 on
+T20.
+
+Signed-off-by: Marcel Ziswiler
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat
+ goto exit_free_master;
+ }
+
++ /* disabled clock may cause interrupt storm upon request */
++ tspi->clk = devm_clk_get(&pdev->dev, NULL);
++ if (IS_ERR(tspi->clk)) {
++ ret = PTR_ERR(tspi->clk);
++ dev_err(&pdev->dev, "Can not get clock %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_prepare(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_enable(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret);
++ goto exit_free_master;
++ }
++
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+ ret = request_threaded_irq(tspi->irq, tegra_slink_isr,
+@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+ tspi->irq);
+- goto exit_free_master;
+- }
+-
+- tspi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(tspi->clk)) {
+- dev_err(&pdev->dev, "can not get clock\n");
+- ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_clk_disable;
+ }
+
+ tspi->rst = devm_reset_control_get(&pdev->dev, "spi");
+@@ -1138,6 +1149,8 @@ exit_rx_dma_free:
+ tegra_slink_deinit_dma_param(tspi, true);
+ exit_free_irq:
+ free_irq(spi_irq, tspi);
++exit_clk_disable:
++ clk_disable(tspi->clk);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla
+
+ free_irq(tspi->irq, tspi);
+
++ clk_disable(tspi->clk);
++
+ if (tspi->tx_dma_chan)
+ tegra_slink_deinit_dma_param(tspi, false);
+
diff --git a/queue-3.18/usb-fix-error-handling-in-usb_driver_claim_interface.patch b/queue-3.18/usb-fix-error-handling-in-usb_driver_claim_interface.patch
new file mode 100644
index 00000000000..a40399036f5
--- /dev/null
+++ b/queue-3.18/usb-fix-error-handling-in-usb_driver_claim_interface.patch
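Review bot: The clock is now prepared in probe but never unprepared: the new `exit_clk_disable:` label and the `tegra_slink_remove()` hunk call `clk_disable(tspi->clk)` only, and a failing `clk_enable()` jumps to `exit_free_master`, skipping even the disable while the prepare count stays raised. The conventional pairing is `clk_disable_unprepare(tspi->clk);` at both sites, with the `clk_enable()` failure routed to a label that still unprepares, e.g. an `exit_clk_unprepare:` placed after `exit_clk_disable:`. Whether the driver's runtime-PM callbacks also prepare and enable this clock is outside the hunk; the clk API is reference-counted, so the imbalance stands either way. Both tegra_slink_probe() and tegra_slink_remove() extend beyond the hunk.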
@@ -0,0 +1,58 @@
+From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 10 Sep 2018 13:59:59 -0400
+Subject: USB: fix error handling in usb_driver_claim_interface()
+
+From: Alan Stern
+
+commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.
+
+The syzbot fuzzing project found a use-after-free bug in the USB
+core. The bug was caused by usbfs not unbinding from an interface
+when the USB device file was closed, which led another process to
+attempt the unbind later on, after the private data structure had been
+deallocated.
+
+The reason usbfs did not unbind the interface at the appropriate time
+was because it thought the interface had never been claimed in the
+first place. This was caused by the fact that
+usb_driver_claim_interface() does not clean up properly when
+device_bind_driver() returns an error. Although the error code gets
+passed back to the caller, the iface->dev.driver pointer remains set
+and iface->condition remains equal to USB_INTERFACE_BOUND.
+
+This patch adds proper error handling to usb_driver_claim_interface().
+
+Signed-off-by: Alan Stern
+Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
+CC:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/driver.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -555,6 +555,21 @@ int usb_driver_claim_interface(struct us
+ if (!lpm_disable_error)
+ usb_unlocked_enable_lpm(udev);
+
++ if (retval) {
++ dev->driver = NULL;
++ usb_set_intfdata(iface, NULL);
++ iface->needs_remote_wakeup = 0;
++ iface->condition = USB_INTERFACE_UNBOUND;
++
++ /*
++ * Unbound interfaces are always runtime-PM-disabled
++ * and runtime-PM-suspended
++ */
++ if (driver->supports_autosuspend)
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ }
++
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
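Review bot: The new `if (retval)` block undoes state that was set earlier in usb_driver_claim_interface(), outside this hunk, yet nothing at either site ties the two sequences together, so a later change to the claim path can drift from this unwind without anyone noticing. A short comment at the top of the block would anchor it: `/* device_bind_driver() failed: undo every claim-side assignment made above so the interface reads as never claimed */`. It would also help to say in the existing runtime-PM comment why `pm_runtime_set_suspended()` runs unconditionally while `pm_runtime_disable()` is gated on `supports_autosuspend`; that asymmetry presumably mirrors the setup path, which I cannot see here. Only the tail of the function is in the hunk.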
diff --git a/queue-3.18/usb-handle-null-config-in-usb_find_alt_setting.patch b/queue-3.18/usb-handle-null-config-in-usb_find_alt_setting.patch
new file mode 100644
index 00000000000..7d3e335a3c2
--- /dev/null
+++ b/queue-3.18/usb-handle-null-config-in-usb_find_alt_setting.patch
@@ -0,0 +1,38 @@
+From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 10 Sep 2018 14:00:53 -0400
+Subject: USB: handle NULL config in usb_find_alt_setting()
+
+From: Alan Stern
+
+commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream.
+
+usb_find_alt_setting() takes a pointer to a struct usb_host_config as
+an argument; it searches for an interface with specified interface and
+alternate setting numbers in that config. However, it crashes if the
+usb_host_config pointer argument is NULL.
+
+Since this is a general-purpose routine, available for use in many
+places, we want to to be more robust. This patch makes it return NULL
+whenever the config argument is NULL.
+
+Signed-off-by: Alan Stern
+Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
+CC:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -79,6 +79,8 @@ struct usb_host_interface *usb_find_alt_
+ struct usb_interface_cache *intf_cache = NULL;
+ int i;
+
++ if (!config)
++ return NULL;
+ for (i = 0; i < config->desc.bNumInterfaces; i++) {
+ if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber
+ == iface_num) {
-- 
2.47.3
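Review bot: The `if (!config) return NULL;` guard changes the function's documented contract, but the kernel-doc block for usb_find_alt_setting(), which sits above the hunk and is not visible here, is not updated; callers reading only the doc will not learn that a NULL @config is now an accepted input rather than a bug. Extend its return description along the lines of `* Return: the matching usb_host_interface, or %NULL if @config is %NULL or no match is found.` (adjust to whatever wording the existing comment already uses). The guard itself is fine; a blank line between `return NULL;` and the `for` loop would match the surrounding style. The function continues past the hunk.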