From 76d8f24cfb31ef3996f07259ead2282f97844b22 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 21 Aug 2018 07:51:04 +0200 Subject: [PATCH] 4.14-stable patches added patches: cls_matchall-fix-tcf_unbind_filter-missing.patch isdn-disable-iiocdbgvar.patch
---
 ...tchall-fix-tcf_unbind_filter-missing.patch | 33 +++++++++++++++ queue-4.14/isdn-disable-iiocdbgvar.patch | 41 +++++++++++++++++++ queue-4.14/series | 2 + 3 files changed, 76 insertions(+) create mode 100644 queue-4.14/cls_matchall-fix-tcf_unbind_filter-missing.patch create mode 100644 queue-4.14/isdn-disable-iiocdbgvar.patch
diff --git a/queue-4.14/cls_matchall-fix-tcf_unbind_filter-missing.patch b/queue-4.14/cls_matchall-fix-tcf_unbind_filter-missing.patch
new file mode 100644
index 00000000000..3beebb0502e
--- /dev/null
+++ b/queue-4.14/cls_matchall-fix-tcf_unbind_filter-missing.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue Aug 21 07:38:13 CEST 2018
+From: Hangbin Liu
+Date: Tue, 14 Aug 2018 17:28:26 +0800
+Subject: cls_matchall: fix tcf_unbind_filter missing
+
+From: Hangbin Liu
+
+[ Upstream commit a51c76b4dfb30496dc65396a957ef0f06af7fb22 ]
+
+Fix tcf_unbind_filter missing in cls_matchall as this will trigger
+WARN_ON() in cbq_destroy_class().
+
+Fixes: fd62d9f5c575f ("net/sched: matchall: Fix configuration race")
+Reported-by: Li Shuang
+Signed-off-by: Hangbin Liu
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_matchall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -112,6 +112,8 @@ static void mall_destroy(struct tcf_prot
+ if (!head)
+ return;
+
++ tcf_unbind_filter(tp, &head->res);
++
+ if (tc_should_offload(dev, head->flags))
+ mall_destroy_hw_filter(tp, head, (unsigned long) head);
+
diff --git a/queue-4.14/isdn-disable-iiocdbgvar.patch b/queue-4.14/isdn-disable-iiocdbgvar.patch
new file mode 100644
index 00000000000..efa22252cdb
--- /dev/null
+++ b/queue-4.14/isdn-disable-iiocdbgvar.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:37:56 CEST 2018
+From: Kees Cook
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro
+Cc: Karsten Keil
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/i4l/isdn_common.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ } else
+ return -EINVAL;
+ case IIOCDBGVAR:
+- if (arg) {
+- if (copy_to_user(argp, &dev, sizeof(ulong)))
+- return -EFAULT;
+- return 0;
+- } else
+- return -EINVAL;
+- break;
++ return -EINVAL;
+ default:
+ if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+ cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
diff --git a/queue-4.14/series b/queue-4.14/series
index 736d7502618..81b6e0f1e9c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -25,3 +25,5 @@ serial-8250_dw-always-set-baud-rate-in-dw8250_set_termios.patch
 serial-8250_dw-add-acpi-support-for-uart-on-broadcom-soc.patch
 misc-sram-fix-resource-leaks-in-probe-error-path.patch
 bluetooth-avoid-killing-an-already-killed-socket.patch
+isdn-disable-iiocdbgvar.patch
+cls_matchall-fix-tcf_unbind_filter-missing.patch
-- 2.47.3
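Review bot: The `case IIOCDBGVAR:` label kept by the inner isdn_common.c hunk now does nothing but `return -EINVAL;`, and no comment says why, so a later cleanup could mistake it for dead code or restore the old body. A one-line comment above the return would keep the rationale from the commit message next to the code, for example `/* Disabled: formerly exposed a kernel address to user space (KASLR bypass). */`. The hunk starts and ends inside isdn_ioctl(), so any permission check that runs before the switch is not visible here. That check is what decides who could reach the removed `copy_to_user(argp, &dev, sizeof(ulong))` on trees that do not yet carry this backport, so it is worth confirming when prioritising the update.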