From 5a017fa62d05fbad25b00c7b6be380ab181630f4 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 18 Jul 2017 18:14:56 +0200 Subject: [PATCH] 3.18-stable patches added patches: cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch exec-limit-arg-stack-to-at-most-75-of-_stk_lim.patch fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch kernel-extable.c-mark-core_kernel_text-notrace.patch mm-fix-overflow-check-in-expand_upwards.patch parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch parisc-mm-ensure-irqs-are-off-in-switch_mm.patch parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch parisc-use-compat_sys_keyctl.patch tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch --- ...-pmkid-attribute-is-of-expected-size.patch | 42 ++++ ...r-nl80211_attr_local_mesh_power_mode.patch | 36 ++++ ...ted-in-nl80211_attr_scan_frequencies.patch | 41 ++++ ...5.26.0-unescaped-left-brace-warnings.patch | 67 ++++++ ...-arg-stack-to-at-most-75-of-_stk_lim.patch | 52 +++++ ...c-fix-spin-lockup-issue-on-nlru-lock.patch | 80 +++++++ ...-of-bound-access-in-gic_set_affinity.patch | 72 +++++++ ...able.c-mark-core_kernel_text-notrace.patch | 62 ++++++ ...fix-overflow-check-in-expand_upwards.patch | 49 +++++ ...f-bug_on-for-dma-ops-on-non-dma-devs.patch | 204 ++++++++++++++++++ ...-mm-ensure-irqs-are-off-in-switch_mm.patch | 56 +++++ ...-of-sigbus-when-running-out-of-stack.patch | 40 ++++ queue-3.18/parisc-use-compat_sys_keyctl.patch | 33 +++ queue-3.18/series | 15 ++ ...o-avoid-overflowing-lock_chain-depth.patch | 53 +++++ ...ecked-__put_user-in-tioclinux-ioctls.patch | 53 +++++ 16 files changed, 955 insertions(+) create mode 100644 
queue-3.18/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch create mode 100644 queue-3.18/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch create mode 100644 queue-3.18/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch create mode 100644 queue-3.18/checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch create mode 100644 queue-3.18/exec-limit-arg-stack-to-at-most-75-of-_stk_lim.patch create mode 100644 queue-3.18/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch create mode 100644 queue-3.18/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch create mode 100644 queue-3.18/kernel-extable.c-mark-core_kernel_text-notrace.patch create mode 100644 queue-3.18/mm-fix-overflow-check-in-expand_upwards.patch create mode 100644 queue-3.18/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch create mode 100644 queue-3.18/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch create mode 100644 queue-3.18/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch create mode 100644 queue-3.18/parisc-use-compat_sys_keyctl.patch create mode 100644 queue-3.18/tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch create mode 100644 queue-3.18/vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch diff --git a/queue-3.18/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch b/queue-3.18/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch new file mode 100644 index 00000000000..c364d3c0035 --- /dev/null +++ b/queue-3.18/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch 
@@ -0,0 +1,42 @@
+From 9361df14d1cbf966409d5d6f48bb334384fbe138 Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari
+Date: Fri, 7 Jul 2017 01:43:39 +0300
+Subject: cfg80211: Check if PMKID attribute is of expected size
+
+From: Srinivas Dasari
+
+commit 9361df14d1cbf966409d5d6f48bb334384fbe138 upstream.
+
+nla policy checks for only maximum length of the attribute data
+when the attribute type is NLA_BINARY. If userspace sends less
+data than specified, the wireless drivers may access illegal
+memory. When type is NLA_UNSPEC, nla policy check ensures that
+userspace sends minimum specified length number of bytes.
+
+Remove type assignment to NLA_BINARY from nla_policy of
+NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
+WLAN_PMKID_LEN bytes are received from userspace with
+NL80211_ATTR_PMKID.
+
+Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
+Signed-off-by: Srinivas Dasari
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -301,8 +301,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
+ [NL80211_ATTR_PID] = { .type = NLA_U32 },
+ [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
+- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
+- .len = WLAN_PMKID_LEN },
++ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
+ [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
+ [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
+ [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
diff --git a/queue-3.18/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch b/queue-3.18/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch
new file mode 100644
index 00000000000..863ce592778
--- /dev/null
+++ b/queue-3.18/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch
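Review bot: The policy entry now depends on the NLA_UNSPEC default, where `.len` is a minimum rather than the maximum it expressed for NLA_BINARY, and nothing on the line itself says so; the reasoning lives only in the commit message. A short inline comment would keep the next reader from re-adding `.type = NLA_BINARY` as a "fix": `/* NLA_UNSPEC: .len is the minimum accepted length, not a maximum */`. If I recall correctly the NLA_UNSPEC check does not reject longer payloads, so the consumers of this attribute (outside the hunk) must still read only WLAN_PMKID_LEN bytes — worth confirming.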
@@ -0,0 +1,36 @@
+From 8feb69c7bd89513be80eb19198d48f154b254021 Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari
+Date: Fri, 7 Jul 2017 01:43:41 +0300
+Subject: cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
+
+From: Srinivas Dasari
+
+commit 8feb69c7bd89513be80eb19198d48f154b254021 upstream.
+
+Buffer overread may happen as nl80211_set_station() reads 4 bytes
+from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
+validating the size of data received when userspace sends less
+than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
+Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
+the buffer overread.
+
+Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
+Signed-off-by: Srinivas Dasari
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -358,6 +358,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
+ [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
+ [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
++ [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
+ [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
+ [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
+ [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
diff --git a/queue-3.18/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch b/queue-3.18/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch
new file mode 100644
index 00000000000..57454680891
--- /dev/null
+++ b/queue-3.18/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch
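Review bot: The new entry copies the `{. type = NLA_U32 }` spacing from the NL80211_ATTR_ACL_POLICY line beneath it instead of the `{ .type = NLA_U32 }` form every other entry in this hunk uses; `[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = { .type = NLA_U32 },` would match the prevailing style. Cosmetic only, and presumably kept verbatim to match upstream for backport hygiene, in which case the stray spacing is better cleaned up upstream first.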
@@ -0,0 +1,41 @@
+From d7f13f7450369281a5d0ea463cc69890a15923ae Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari
+Date: Fri, 7 Jul 2017 01:43:42 +0300
+Subject: cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
+
+From: Srinivas Dasari
+
+commit d7f13f7450369281a5d0ea463cc69890a15923ae upstream.
+
+validate_scan_freqs() retrieves frequencies from attributes
+nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
+nla_get_u32(), which reads 4 bytes from each attribute
+without validating the size of data received. Attributes
+nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.
+
+Validate size of each attribute before parsing to avoid potential buffer
+overread.
+
+Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
+Signed-off-by: Srinivas Dasari
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5348,6 +5348,10 @@ static int validate_scan_freqs(struct nl
+ struct nlattr *attr1, *attr2;
+ int n_channels = 0, tmp1, tmp2;
+
++ nla_for_each_nested(attr1, freqs, tmp1)
++ if (nla_len(attr1) != sizeof(u32))
++ return 0;
++
+ nla_for_each_nested(attr1, freqs, tmp1) {
+ n_channels++;
+ /*
diff --git a/queue-3.18/checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch b/queue-3.18/checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch
new file mode 100644
index 00000000000..f58f1a9b110
--- /dev/null
+++ b/queue-3.18/checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch
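Review bot: The new pre-pass over the nest carries no comment saying why the size check is kept apart from the counting loop directly below it, and a later cleanup could easily fold the two together and reintroduce a partially-counted result on a bad attribute. Suggest above the new loop: `/* every nested frequency must be exactly a u32; reject the whole nest before anything calls nla_get_u32() on a short attribute */`. Returning 0 presumably makes the caller treat the request as invalid — confirm, since validate_scan_freqs() continues past the hunk and its return value is consumed there.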
@@ -0,0 +1,67 @@ +From 8d81ae05d0176da1c54aeaed697fa34be5c5575e Mon Sep 17 00:00:00 2001 +From: Cyril Bur +Date: Mon, 10 Jul 2017 15:52:21 -0700 +Subject: checkpatch: silence perl 5.26.0 unescaped left brace warnings + +From: Cyril Bur + +commit 8d81ae05d0176da1c54aeaed697fa34be5c5575e upstream. + +As of perl 5, version 26, subversion 0 (v5.26.0) some new warnings have +occurred when running checkpatch. + +Unescaped left brace in regex is deprecated here (and will be fatal in +Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){ +<-- HERE \s*/ at scripts/checkpatch.pl line 3544. + +Unescaped left brace in regex is deprecated here (and will be fatal in +Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){ +<-- HERE \s*/ at scripts/checkpatch.pl line 3885. + +Unescaped left brace in regex is deprecated here (and will be fatal in +Perl 5.30), passed through in regex; marked by <-- HERE in +m/^(\+.*(?:do|\))){ <-- HERE / at scripts/checkpatch.pl line 4374. + +It seems perfectly reasonable to do as the warning suggests and simply +escape the left brace in these three locations. + +Link: http://lkml.kernel.org/r/20170607060135.17384-1-cyrilbur@gmail.com +Signed-off-by: Cyril Bur +Acked-by: Joe Perches +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/checkpatch.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -2985,7 +2985,7 @@ sub process { + $fixedline =~ s/\s*=\s*$/ = {/; + fix_insert_line($fixlinenr, $fixedline); + $fixedline = $line; +- $fixedline =~ s/^(.\s*){\s*/$1/; ++ $fixedline =~ s/^(.\s*)\{\s*/$1/; + fix_insert_line($fixlinenr, $fixedline); + } + } +@@ -3301,7 +3301,7 @@ sub process { + my $fixedline = rtrim($prevrawline) . 
" {"; + fix_insert_line($fixlinenr, $fixedline); + $fixedline = $rawline; +- $fixedline =~ s/^(.\s*){\s*/$1\t/; ++ $fixedline =~ s/^(.\s*)\{\s*/$1\t/; + if ($fixedline !~ /^\+\s*$/) { + fix_insert_line($fixlinenr, $fixedline); + } +@@ -3748,7 +3748,7 @@ sub process { + if (ERROR("SPACING", + "space required before the open brace '{'\n" . $herecurr) && + $fix) { +- $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\))){/$1 {/; ++ $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\)))\{/$1 {/; + } + } + diff --git a/queue-3.18/exec-limit-arg-stack-to-at-most-75-of-_stk_lim.patch b/queue-3.18/exec-limit-arg-stack-to-at-most-75-of-_stk_lim.patch new file mode 100644 index 00000000000..462aa1c6ae8 --- /dev/null +++ b/queue-3.18/exec-limit-arg-stack-to-at-most-75-of-_stk_lim.patch 
@@ -0,0 +1,52 @@ +From da029c11e6b12f321f36dac8771e833b65cec962 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 7 Jul 2017 11:57:29 -0700 +Subject: exec: Limit arg stack to at most 75% of _STK_LIM + +From: Kees Cook + +commit da029c11e6b12f321f36dac8771e833b65cec962 upstream. + +To avoid pathological stack usage or the need to special-case setuid +execs, just limit all arg stack usage to at most 75% of _STK_LIM (6MB). + +Signed-off-by: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -199,8 +199,7 @@ static struct page *get_arg_page(struct + + if (write) { + unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; +- unsigned long ptr_size; +- struct rlimit *rlim; ++ unsigned long ptr_size, limit; + + /* + * Since the stack will hold pointers to the strings, we +@@ -229,14 +228,16 @@ static struct page *get_arg_page(struct + return page; + + /* +- * Limit to 1/4-th the stack size for the argv+env strings. ++ * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM ++ * (whichever is smaller) for the argv+env strings. + * This ensures that: + * - the remaining binfmt code will not run out of stack space, + * - the program will have a reasonable amount of stack left + * to work from. + */ +- rlim = current->signal->rlim; +- if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) ++ limit = _STK_LIM / 4 * 3; ++ limit = min(limit, rlimit(RLIMIT_STACK) / 4); ++ if (size > limit) + goto fail; + } + diff --git a/queue-3.18/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch b/queue-3.18/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch new file mode 100644 index 00000000000..ade4275e544 --- /dev/null +++ b/queue-3.18/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch 
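Review bot: `rlimit(RLIMIT_STACK)` replaces an explicit `READ_ONCE(rlim[RLIMIT_STACK].rlim_cur)`, which is only equivalent if task_rlimit() in this tree still wraps the read in ACCESS_ONCE/READ_ONCE; the limit is read without signal->lock held, so that is worth confirming before merging the backport. The `_STK_LIM / 4 * 3` ordering (divide first) is deliberate to avoid rounding or widening concerns, but the comment above it only states the policy; one added clause such as `(divide first so the product cannot overflow)` would keep that intent visible. get_arg_page() continues outside the hunk, including the later use of `ptr_size`.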
@@ -0,0 +1,80 @@ +From b17c070fb624cf10162cf92ea5e1ec25cd8ac176 Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Mon, 10 Jul 2017 15:50:00 -0700 +Subject: fs/dcache.c: fix spin lockup issue on nlru->lock + +From: Sahitya Tummala + +commit b17c070fb624cf10162cf92ea5e1ec25cd8ac176 upstream. + +__list_lru_walk_one() acquires nlru spin lock (nlru->lock) for longer +duration if there are more number of items in the lru list. As per the +current code, it can hold the spin lock for upto maximum UINT_MAX +entries at a time. So if there are more number of items in the lru +list, then "BUG: spinlock lockup suspected" is observed in the below +path: + + spin_bug+0x90 + do_raw_spin_lock+0xfc + _raw_spin_lock+0x28 + list_lru_add+0x28 + dput+0x1c8 + path_put+0x20 + terminate_walk+0x3c + path_lookupat+0x100 + filename_lookup+0x6c + user_path_at_empty+0x54 + SyS_faccessat+0xd0 + el0_svc_naked+0x24 + +This nlru->lock is acquired by another CPU in this path - + + d_lru_shrink_move+0x34 + dentry_lru_isolate_shrink+0x48 + __list_lru_walk_one.isra.10+0x94 + list_lru_walk_node+0x40 + shrink_dcache_sb+0x60 + do_remount_sb+0xbc + do_emergency_remount+0xb0 + process_one_work+0x228 + worker_thread+0x2e0 + kthread+0xf4 + ret_from_fork+0x10 + +Fix this lockup by reducing the number of entries to be shrinked from +the lru list to 1024 at once. Also, add cond_resched() before +processing the lru list again. 
+ +Link: http://marc.info/?t=149722864900001&r=1&w=2 +Link: http://lkml.kernel.org/r/1498707575-2472-1-git-send-email-stummala@codeaurora.org +Signed-off-by: Sahitya Tummala +Suggested-by: Jan Kara +Suggested-by: Vladimir Davydov +Acked-by: Vladimir Davydov +Cc: Alexander Polakov +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1104,11 +1104,12 @@ void shrink_dcache_sb(struct super_block + LIST_HEAD(dispose); + + freed = list_lru_walk(&sb->s_dentry_lru, +- dentry_lru_isolate_shrink, &dispose, UINT_MAX); ++ dentry_lru_isolate_shrink, &dispose, 1024); + + this_cpu_sub(nr_dentry_unused, freed); + shrink_dentry_list(&dispose); +- } while (freed > 0); ++ cond_resched(); ++ } while (list_lru_count(&sb->s_dentry_lru) > 0); + } + EXPORT_SYMBOL(shrink_dcache_sb); + diff --git a/queue-3.18/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch b/queue-3.18/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch new file mode 100644 index 00000000000..284ca80c0e7 --- /dev/null +++ b/queue-3.18/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch 
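Review bot: Forward progress is no longer what keeps the `do`/`while` in shrink_dcache_sb() running: the condition moves from `freed > 0` to `list_lru_count(&sb->s_dentry_lru) > 0`, so if dentry_lru_isolate_shrink() can decline an entry (I believe it skips on a failed d_lock trylock) the loop relies on the new cond_resched() letting the lock holder finish rather than on any bound. That assumption deserves a comment on the `while` line. Separately, the bare `1024` batch size chosen to bound nlru->lock hold time should get a name near the top of the file, e.g. `#define DCACHE_SHRINK_BATCH 1024`, so the tuning knob is discoverable. shrink_dcache_sb() starts outside the hunk.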
@@ -0,0 +1,72 @@ +From 866d7c1b0a3c70387646c4e455e727a58c5d465a Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Fri, 30 Jun 2017 10:58:28 +0100 +Subject: irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity + +From: Suzuki K Poulose + +commit 866d7c1b0a3c70387646c4e455e727a58c5d465a upstream. + +The GICv3 driver doesn't check if the target CPU for gic_set_affinity +is valid before going ahead and making the changes. This triggers the +following splat with KASAN: + +[ 141.189434] BUG: KASAN: global-out-of-bounds in gic_set_affinity+0x8c/0x140 +[ 141.189704] Read of size 8 at addr ffff200009741d20 by task swapper/1/0 +[ 141.189958] +[ 141.190158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc7 +[ 141.190458] Hardware name: Foundation-v8A (DT) +[ 141.190658] Call trace: +[ 141.190908] [] dump_backtrace+0x0/0x328 +[ 141.191224] [] show_stack+0x14/0x20 +[ 141.191507] [] dump_stack+0xa4/0xc8 +[ 141.191858] [] print_address_description+0x13c/0x250 +[ 141.192219] [] kasan_report+0x210/0x300 +[ 141.192547] [] __asan_load8+0x84/0x98 +[ 141.192874] [] gic_set_affinity+0x8c/0x140 +[ 141.193158] [] irq_do_set_affinity+0x54/0xb8 +[ 141.193473] [] irq_set_affinity_locked+0x64/0xf0 +[ 141.193828] [] __irq_set_affinity+0x48/0x78 +[ 141.194158] [] arm_perf_starting_cpu+0x104/0x150 +[ 141.194513] [] cpuhp_invoke_callback+0x17c/0x1f8 +[ 141.194783] [] notify_cpu_starting+0x8c/0xb8 +[ 141.195130] [] secondary_start_kernel+0x15c/0x200 +[ 141.195390] [<0000000080db81b4>] 0x80db81b4 +[ 141.195603] +[ 141.195685] The buggy address belongs to the variable: +[ 141.196012] __cpu_logical_map+0x200/0x220 +[ 141.196176] +[ 141.196315] Memory state around the buggy address: +[ 141.196586] ffff200009741c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 141.196913] ffff200009741c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 141.197158] >ffff200009741d00: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 +[ 141.197487] ^ +[ 141.197758] ffff200009741d80: 00 00 00 00 00 
00 00 00 fa fa fa fa 00 00 00 00 +[ 141.198060] ffff200009741e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 141.198358] ================================================================== +[ 141.198609] Disabling lock debugging due to kernel taint +[ 141.198961] CPU1: Booted secondary processor [410fd051] + +This patch adds the check to make sure the cpu is valid. + +Fixes: commit 021f653791ad17e03f98 ("irqchip: gic-v3: Initial support for GICv3") +Signed-off-by: Suzuki K Poulose +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -531,6 +531,9 @@ static int gic_set_affinity(struct irq_d + int enabled; + u64 val; + ++ if (cpu >= nr_cpu_ids) ++ return -EINVAL; ++ + if (gic_irq_in_rdist(d)) + return -EINVAL; + diff --git a/queue-3.18/kernel-extable.c-mark-core_kernel_text-notrace.patch b/queue-3.18/kernel-extable.c-mark-core_kernel_text-notrace.patch new file mode 100644 index 00000000000..3ff9e38db93 --- /dev/null +++ b/queue-3.18/kernel-extable.c-mark-core_kernel_text-notrace.patch 
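Review bot: The new guard compares `cpu` against nr_cpu_ids without saying how an out-of-range value arises; `cpu` is computed above the hunk, presumably via cpumask_any_and(), which returns nr_cpu_ids when the requested mask and cpu_online_mask do not intersect — confirm against the lines above. A one-line comment would make the guard self-explanatory: `/* cpumask_any_and() yields nr_cpu_ids when mask_val has no online CPU */`. gic_set_affinity() starts outside the hunk.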
@@ -0,0 +1,62 @@ +From c0d80ddab89916273cb97114889d3f337bc370ae Mon Sep 17 00:00:00 2001 +From: Marcin Nowakowski +Date: Thu, 6 Jul 2017 15:35:31 -0700 +Subject: kernel/extable.c: mark core_kernel_text notrace + +From: Marcin Nowakowski + +commit c0d80ddab89916273cb97114889d3f337bc370ae upstream. + +core_kernel_text is used by MIPS in its function graph trace processing, +so having this method traced leads to an infinite set of recursive calls +such as: + + Call Trace: + ftrace_return_to_handler+0x50/0x128 + core_kernel_text+0x10/0x1b8 + prepare_ftrace_return+0x6c/0x114 + ftrace_graph_caller+0x20/0x44 + return_to_handler+0x10/0x30 + return_to_handler+0x0/0x30 + return_to_handler+0x0/0x30 + ftrace_ops_no_ops+0x114/0x1bc + core_kernel_text+0x10/0x1b8 + core_kernel_text+0x10/0x1b8 + core_kernel_text+0x10/0x1b8 + ftrace_ops_no_ops+0x114/0x1bc + core_kernel_text+0x10/0x1b8 + prepare_ftrace_return+0x6c/0x114 + ftrace_graph_caller+0x20/0x44 + (...) + +Mark the function notrace to avoid it being traced. + +Link: http://lkml.kernel.org/r/1498028607-6765-1-git-send-email-marcin.nowakowski@imgtec.com +Signed-off-by: Marcin Nowakowski +Reviewed-by: Masami Hiramatsu +Cc: Peter Zijlstra +Cc: Thomas Meyer +Cc: Ingo Molnar +Cc: Steven Rostedt +Cc: Daniel Borkmann +Cc: Paul Gortmaker +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/extable.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/extable.c ++++ b/kernel/extable.c +@@ -66,7 +66,7 @@ static inline int init_kernel_text(unsig + return 0; + } + +-int core_kernel_text(unsigned long addr) ++int notrace core_kernel_text(unsigned long addr) + { + if (addr >= (unsigned long)_stext && + addr < (unsigned long)_etext) diff --git a/queue-3.18/mm-fix-overflow-check-in-expand_upwards.patch b/queue-3.18/mm-fix-overflow-check-in-expand_upwards.patch new file mode 100644 index 00000000000..9f0a5768e57 --- /dev/null 
+++ b/queue-3.18/mm-fix-overflow-check-in-expand_upwards.patch @@ -0,0 +1,49 @@ +From 37511fb5c91db93d8bd6e3f52f86e5a7ff7cfcdf Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 14 Jul 2017 14:49:38 -0700 +Subject: mm: fix overflow check in expand_upwards() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Helge Deller + +commit 37511fb5c91db93d8bd6e3f52f86e5a7ff7cfcdf upstream. + +Jörn Engel noticed that the expand_upwards() function might not return +-ENOMEM in case the requested address is (unsigned long)-PAGE_SIZE and +if the architecture didn't defined TASK_SIZE as multiple of PAGE_SIZE. + +Affected architectures are arm, frv, m68k, blackfin, h8300 and xtensa +which all define TASK_SIZE as 0xffffffff, but since none of those have +an upwards-growing stack we currently have no actual issue. + +Nevertheless let's fix this just in case any of the architectures with +an upward-growing stack (currently parisc, metag and partly ia64) define +TASK_SIZE similar. + +Link: http://lkml.kernel.org/r/20170702192452.GA11868@p100.box +Fixes: bd726c90b6b8 ("Allow stack to grow up to address space limit") +Signed-off-by: Helge Deller +Reported-by: Jörn Engel +Cc: Hugh Dickins +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2179,7 +2179,7 @@ int expand_upwards(struct vm_area_struct + + /* Guard against exceeding limits of the address space. */ + address &= PAGE_MASK; +- if (address >= TASK_SIZE) ++ if (address >= (TASK_SIZE & PAGE_MASK)) + return -ENOMEM; + address += PAGE_SIZE; + diff --git a/queue-3.18/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch b/queue-3.18/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch new file mode 100644 index 00000000000..d619e74f517 --- /dev/null 
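Review bot: The masked comparison `address >= (TASK_SIZE & PAGE_MASK)` encodes the assumption that TASK_SIZE need not be page-aligned, but the existing comment above it still only says "Guard against exceeding limits of the address space", so the mask looks redundant to a reader who has `address &= PAGE_MASK` just above. Extending the comment keeps the reasoning with the code: `/* TASK_SIZE need not be page-aligned; compare against its rounded-down value so the last partial page is refused before address += PAGE_SIZE can wrap */`. expand_upwards() continues outside the hunk.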
+++ b/queue-3.18/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch 
@@ -0,0 +1,204 @@ +From 33f9e02495d15a061f0c94ef46f5103a2d0c20f3 Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Mon, 3 Jul 2017 10:38:05 +0200 +Subject: parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs + +From: Thomas Bogendoerfer + +commit 33f9e02495d15a061f0c94ef46f5103a2d0c20f3 upstream. + +Enabling parport pc driver on a B2600 (and probably other 64bit PARISC +systems) produced following BUG: + +CPU: 0 PID: 1 Comm: swapper Not tainted 4.12.0-rc5-30198-g1132d5e #156 +task: 000000009e050000 task.stack: 000000009e04c000 + + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI +PSW: 00001000000001101111111100001111 Not tainted +r00-03 000000ff0806ff0f 000000009e04c990 0000000040871b78 000000009e04cac0 +r04-07 0000000040c14de0 ffffffffffffffff 000000009e07f098 000000009d82d200 +r08-11 000000009d82d210 0000000000000378 0000000000000000 0000000040c345e0 +r12-15 0000000000000005 0000000040c345e0 0000000000000000 0000000040c9d5e0 +r16-19 0000000040c345e0 00000000f00001c4 00000000f00001bc 0000000000000061 +r20-23 000000009e04ce28 0000000000000010 0000000000000010 0000000040b89e40 +r24-27 0000000000000003 0000000000ffffff 000000009d82d210 0000000040c14de0 +r28-31 0000000000000000 000000009e04ca90 000000009e04cb40 0000000000000000 +sr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + +IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000404aece0 00000000404aece4 + IIR: 03ffe01f ISR: 0000000010340000 IOR: 000001781304cac8 + CPU: 0 CR30: 000000009e04c000 CR31: 00000000e2976de2 + ORIG_R28: 0000000000000200 + IAOQ[0]: sba_dma_supported+0x80/0xd0 + IAOQ[1]: sba_dma_supported+0x84/0xd0 + RP(r2): parport_pc_probe_port+0x178/0x1200 + +Cause is a call to dma_coerce_mask_and_coherenet in parport_pc_probe_port, +which PARISC DMA API doesn't handle very nicely. This commit gives back +DMA_ERROR_CODE for DMA API calls, if device isn't capable of DMA +transaction. 
+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/dma-mapping.h | 11 +++++++---- + drivers/parisc/ccio-dma.c | 12 ++++++++++++ + drivers/parisc/dino.c | 5 ++++- + drivers/parisc/lba_pci.c | 6 ++++-- + drivers/parisc/sba_iommu.c | 14 ++++++++++++++ + 5 files changed, 41 insertions(+), 7 deletions(-) + +--- a/arch/parisc/include/asm/dma-mapping.h ++++ b/arch/parisc/include/asm/dma-mapping.h +@@ -39,6 +39,8 @@ struct hppa_dma_ops { + ** flush/purge and allocate "regular" cacheable pages for everything. + */ + ++#define DMA_ERROR_CODE (~(dma_addr_t)0) ++ + #ifdef CONFIG_PA11 + extern struct hppa_dma_ops pcxl_dma_ops; + extern struct hppa_dma_ops pcx_dma_ops; +@@ -209,12 +211,13 @@ parisc_walk_tree(struct device *dev) + break; + } + } +- BUG_ON(!dev->platform_data); + return dev->platform_data; + } +- +-#define GET_IOC(dev) (HBA_DATA(parisc_walk_tree(dev))->iommu) +- ++ ++#define GET_IOC(dev) ({ \ ++ void *__pdata = parisc_walk_tree(dev); \ ++ __pdata ? 
HBA_DATA(__pdata)->iommu : NULL; \ ++}) + + #ifdef CONFIG_IOMMU_CCIO + struct parisc_device; +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -743,6 +743,8 @@ ccio_map_single(struct device *dev, void + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) ++ return DMA_ERROR_CODE; + + BUG_ON(size <= 0); + +@@ -807,6 +809,10 @@ ccio_unmap_single(struct device *dev, dm + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + + DBG_RUN("%s() iovp 0x%lx/%x\n", + __func__, (long)iova, size); +@@ -910,6 +916,8 @@ ccio_map_sg(struct device *dev, struct s + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) ++ return 0; + + DBG_RUN_SG("%s() START %d entries\n", __func__, nents); + +@@ -982,6 +990,10 @@ ccio_unmap_sg(struct device *dev, struct + + BUG_ON(!dev); + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + + DBG_RUN_SG("%s() START %d entries, %08lx,%x\n", + __func__, nents, sg_virt_addr(sglist), sglist->length); +--- a/drivers/parisc/dino.c ++++ b/drivers/parisc/dino.c +@@ -154,7 +154,10 @@ struct dino_device + }; + + /* Looks nice and keeps the compiler happy */ +-#define DINO_DEV(d) ((struct dino_device *) d) ++#define DINO_DEV(d) ({ \ ++ void *__pdata = d; \ ++ BUG_ON(!__pdata); \ ++ (struct dino_device *)__pdata; }) + + + /* +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -111,8 +111,10 @@ static u32 lba_t32; + + + /* Looks nice and keeps the compiler happy */ +-#define LBA_DEV(d) ((struct lba_device *) (d)) +- ++#define LBA_DEV(d) ({ \ ++ void *__pdata = d; \ ++ BUG_ON(!__pdata); \ ++ (struct lba_device *)__pdata; }) + + /* + ** Only allow 8 subsidiary busses per LBA +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -691,6 +691,8 @@ static int sba_dma_supported( struct dev + return 0; + + ioc = GET_IOC(dev); ++ if (!ioc) ++ return 0; + + /* + * check if mask is >= than the current max IO Virt Address +@@ -722,6 +724,8 @@ sba_map_single(struct device 
*dev, void + int pide; + + ioc = GET_IOC(dev); ++ if (!ioc) ++ return DMA_ERROR_CODE; + + /* save offset bits */ + offset = ((dma_addr_t) (long) addr) & ~IOVP_MASK; +@@ -803,6 +807,10 @@ sba_unmap_single(struct device *dev, dma + DBG_RUN("%s() iovp 0x%lx/%x\n", __func__, (long) iova, size); + + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + offset = iova & ~IOVP_MASK; + iova ^= offset; /* clear offset bits */ + size += offset; +@@ -942,6 +950,8 @@ sba_map_sg(struct device *dev, struct sc + DBG_RUN_SG("%s() START %d entries\n", __func__, nents); + + ioc = GET_IOC(dev); ++ if (!ioc) ++ return 0; + + /* Fast path single entry scatterlists. */ + if (nents == 1) { +@@ -1028,6 +1038,10 @@ sba_unmap_sg(struct device *dev, struct + __func__, nents, sg_virt_addr(sglist), sglist->length); + + ioc = GET_IOC(dev); ++ if (!ioc) { ++ WARN_ON(!ioc); ++ return; ++ } + + #ifdef SBA_COLLECT_STATS + ioc->usg_calls++; diff --git a/queue-3.18/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch b/queue-3.18/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch new file mode 100644 index 00000000000..a3401373d88 --- /dev/null +++ b/queue-3.18/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch 
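Review bot: The four new `if (!ioc) { WARN_ON(!ioc); return; }` blocks in ccio_unmap_single(), ccio_unmap_sg(), sba_unmap_single() and sba_unmap_sg() warn on a condition the enclosing `if` has already established; the idiomatic kernel form is `if (WARN_ON(!ioc)) return;`, which says the same in one line and reads as the early-return it is. In the new DINO_DEV() and LBA_DEV() macros the argument is used unparenthesized in `void *__pdata = d;`, unlike GET_IOC() which parenthesizes its use; `void *__pdata = (d);` is cheap insurance against a cast or comma expression being passed. Each of these sub-hunks shows only a few lines of its enclosing function, so the surrounding error paths are outside what is visible here.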
@@ -0,0 +1,56 @@ +From 649aa24254e85bf6bd7807dd372d083707852b1f Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 29 May 2017 17:14:16 +0200 +Subject: parisc/mm: Ensure IRQs are off in switch_mm() + +From: Helge Deller + +commit 649aa24254e85bf6bd7807dd372d083707852b1f upstream. + +This is because of commit f98db6013c55 ("sched/core: Add switch_mm_irqs_off() +and use it in the scheduler") in which switch_mm_irqs_off() is called by the +scheduler, vs switch_mm() which is used by use_mm(). + +This patch lets the parisc code mirror the x86 and powerpc code, ie. it +disables interrupts in switch_mm(), and optimises the scheduler case by +defining switch_mm_irqs_off(). + +Signed-off-by: Helge Deller +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/mmu_context.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/parisc/include/asm/mmu_context.h ++++ b/arch/parisc/include/asm/mmu_context.h +@@ -49,15 +49,26 @@ static inline void load_context(mm_conte + mtctl(__space_to_prot(context), 8); + } + +-static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, struct task_struct *tsk) ++static inline void switch_mm_irqs_off(struct mm_struct *prev, ++ struct mm_struct *next, struct task_struct *tsk) + { +- + if (prev != next) { + mtctl(__pa(next->pgd), 25); + load_context(next->context); + } + } + ++static inline void switch_mm(struct mm_struct *prev, ++ struct mm_struct *next, struct task_struct *tsk) ++{ ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ switch_mm_irqs_off(prev, next, tsk); ++ local_irq_restore(flags); ++} ++#define switch_mm_irqs_off switch_mm_irqs_off ++ + #define deactivate_mm(tsk,mm) do { } while (0) + + static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next) 
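Review bot: The new `#define switch_mm_irqs_off switch_mm_irqs_off` has no comment explaining its purpose; it reads as a no-op to anyone unfamiliar with the feature-marker convention, which presumably tells generic code not to provide its own fallback — confirm against the generic mmu_context header in this tree. A line such as `/* tell generic code this arch provides switch_mm_irqs_off() */` above it would settle that. Note the new switch_mm() now disables interrupts around the hardware context switch, so any non-scheduler caller (the message names use_mm()) must tolerate that.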
diff --git a/queue-3.18/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch b/queue-3.18/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch new file mode 100644 index 00000000000..e1e402ac34b --- /dev/null +++ b/queue-3.18/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch @@ -0,0 +1,40 @@ +From 247462316f85a9e0479445c1a4223950b68ffac1 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 2 Jul 2017 22:00:41 +0200 +Subject: parisc: Report SIGSEGV instead of SIGBUS when running out of stack + +From: Helge Deller + +commit 247462316f85a9e0479445c1a4223950b68ffac1 upstream. + +When a process runs out of stack the parisc kernel wrongly faults with SIGBUS +instead of the expected SIGSEGV signal. + +This example shows how the kernel faults: +do_page_fault() command='a.out' type=15 address=0xfaac2000 in libc-2.24.so[f8308000+16c000] +trap #15: Data TLB miss fault, vm_start = 0xfa2c2000, vm_end = 0xfaac2000 + +The vma->vm_end value is the first address which does not belong to the vma, so +adjust the check to include vma->vm_end to the range for which to send the +SIGSEGV signal. + +This patch unbreaks building the debian libsigsegv package. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/mm/fault.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/mm/fault.c ++++ b/arch/parisc/mm/fault.c +@@ -303,7 +303,7 @@ bad_area: + case 15: /* Data TLB miss fault/Data page fault */ + /* send SIGSEGV when outside of vma */ + if (!vma || +- address < vma->vm_start || address > vma->vm_end) { ++ address < vma->vm_start || address >= vma->vm_end) { + si.si_signo = SIGSEGV; + si.si_code = SEGV_MAPERR; + break; diff --git a/queue-3.18/parisc-use-compat_sys_keyctl.patch b/queue-3.18/parisc-use-compat_sys_keyctl.patch new file mode 100644 index 00000000000..f29432c2873 --- /dev/null +++ b/queue-3.18/parisc-use-compat_sys_keyctl.patch 
@@ -0,0 +1,33 @@
+From b0f94efd5aa8daa8a07d7601714c2573266cd4c9 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 12 Jun 2017 23:18:30 -0700
+Subject: parisc: use compat_sys_keyctl()
+
+From: Eric Biggers
+
+commit b0f94efd5aa8daa8a07d7601714c2573266cd4c9 upstream.
+
+Architectures with a compat syscall table must put compat_sys_keyctl()
+in it, not sys_keyctl(). The parisc architecture was not doing this;
+fix it.
+
+Signed-off-by: Eric Biggers
+Acked-by: Helge Deller
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/syscall_table.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -361,7 +361,7 @@
+ ENTRY_SAME(ni_syscall) /* 263: reserved for vserver */
+ ENTRY_SAME(add_key)
+ ENTRY_SAME(request_key) /* 265 */
+- ENTRY_SAME(keyctl)
++ ENTRY_COMP(keyctl)
+ ENTRY_SAME(ioprio_set)
+ ENTRY_SAME(ioprio_get)
+ ENTRY_SAME(inotify_init)
diff --git a/queue-3.18/series b/queue-3.18/series
index 60197df79ae..5f3ccb7d7a1 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -3,3 +3,18 @@ tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
 net-prevent-sign-extension-in-dev_get_stats.patch
 ipv6-dad-don-t-remove-dynamic-addresses-if-link-is-down.patch
 brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80211_mgmt_tx.patch
+cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch
+cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch
+cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch
+irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch
+parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch
+parisc-use-compat_sys_keyctl.patch
+parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch
+parisc-mm-ensure-irqs-are-off-in-switch_mm.patch
+tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch
+kernel-extable.c-mark-core_kernel_text-notrace.patch
+fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch
+checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch
+exec-limit-arg-stack-to-at-most-75-of-_stk_lim.patch
+vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch
+mm-fix-overflow-check-in-expand_upwards.patch
diff --git a/queue-3.18/tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch b/queue-3.18/tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch
new file mode 100644
index 00000000000..46f684abd9c
--- /dev/null
+++ b/queue-3.18/tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch
@@ -0,0 +1,53 @@
+From 98dcea0cfd04e083ac74137ceb9a632604740e2d Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Thu, 25 May 2017 12:58:33 +0000
+Subject: tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth
+
+From: Ben Hutchings
+
+commit 98dcea0cfd04e083ac74137ceb9a632604740e2d upstream.
+
+liblockdep has been broken since commit 75dd602a5198 ("lockdep: Fix
+lock_chain::base size"), as that adds a check that MAX_LOCK_DEPTH is
+within the range of lock_chain::depth and in liblockdep it is much
+too large.
+
+That should have resulted in a compiler error, but didn't because:
+
+- the check uses ARRAY_SIZE(), which isn't yet defined in liblockdep
+ so is assumed to be an (undeclared) function
+- putting a function call inside a BUILD_BUG_ON() expression quietly
+ turns it into some nonsense involving a variable-length array
+
+It did produce a compiler warning, but I didn't notice because
+liblockdep already produces too many warnings if -Wall is enabled
+(which I'll fix shortly).
+
+Even before that commit, which reduced lock_chain::depth from 8 bits
+to 6, MAX_LOCK_DEPTH was too large.
+
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: a.p.zijlstra@chello.nl
+Link: http://lkml.kernel.org/r/20170525130005.5947-3-alexander.levin@verizon.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/lib/lockdep/uinclude/linux/lockdep.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/lockdep/uinclude/linux/lockdep.h
++++ b/tools/lib/lockdep/uinclude/linux/lockdep.h
+@@ -8,7 +8,7 @@
+ #include
+
+
+-#define MAX_LOCK_DEPTH 2000UL
++#define MAX_LOCK_DEPTH 255UL
+
+ #define asmlinkage
+ #define __visible
diff --git a/queue-3.18/vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch b/queue-3.18/vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch
new file mode 100644
index 00000000000..8596c2f280b
--- /dev/null
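Review bot: The new bound in `#define MAX_LOCK_DEPTH 255UL` does not obviously satisfy the check the description says it is meant to pass: the description states lock_chain::depth is now a 6-bit field, which admits values up to 63, and 255 is well above that, so either the BUILD_BUG_ON() compares against something other than the field's range or the value is still too large — this cannot be settled from the hunk and should be confirmed with an actual liblockdep build. Whatever the right bound turns out to be, the constant deserves a why-comment so it is not bumped back later without the same consideration, e.g. `/* must stay within the range of lock_chain::depth (see the BUILD_BUG_ON() in lockdep.c) */`.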
+++ b/queue-3.18/vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch
@@ -0,0 +1,53 @@
+From 6987dc8a70976561d22450b5858fc9767788cc1c Mon Sep 17 00:00:00 2001
+From: Adam Borowski
+Date: Sat, 3 Jun 2017 09:35:06 +0200
+Subject: vt: fix unchecked __put_user() in tioclinux ioctls
+
+From: Adam Borowski
+
+commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream.
+
+Only read access is checked before this call.
+
+Actually, at the moment this is not an issue, as every in-tree arch does
+the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
+to tell them apart, but this wasn't the case in the past and may happen
+again on some odd arch in the future.
+
+If anyone cares about 3.7 and earlier, this is a security hole (untested)
+on real 80386 CPUs.
+
+Signed-off-by: Adam Borowski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/vt/vt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -2687,13 +2687,13 @@ int tioclinux(struct tty_struct *tty, un
+ * related to the kernel should not use this.
+ */
+ data = vt_get_shift_state();
+- ret = __put_user(data, p);
++ ret = put_user(data, p);
+ break;
+ case TIOCL_GETMOUSEREPORTING:
+ console_lock(); /* May be overkill */
+ data = mouse_reporting();
+ console_unlock();
+- ret = __put_user(data, p);
++ ret = put_user(data, p);
+ break;
+ case TIOCL_SETVESABLANK:
+ console_lock();
+@@ -2702,7 +2702,7 @@ int tioclinux(struct tty_struct *tty, un
+ break;
+ case TIOCL_GETKMSGREDIRECT:
+ data = vt_get_kmsg_redirect();
+- ret = __put_user(data, p);
++ ret = put_user(data, p);
+ break;
+ case TIOCL_SETKMSGREDIRECT:
+ if (!capable(CAP_SYS_ADMIN)) {
-- 
2.47.3
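Review bot: None of the three `ret = put_user(data, p);` lines records why the checked variant is required here, and the reasoning only lives in the description ("only read access is checked before this call"), which is exactly the detail that gets lost when someone later "optimises" these back to __put_user() to match the surrounding style. A comment at the first replaced call in the TIOCL_GETSHIFTSTATE-style branch, `/* p is only validated for read access above; put_user() does its own write check */`, would pin that down, and the same point applies to the second hunk at TIOCL_GETKMSGREDIRECT. The enclosing tioclinux() body begins before and continues after both hunks, so whether any other unchecked __put_user()/__get_user() on p remains in the function cannot be judged from here and would be worth a grep when applying the backport.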