From 9fe3c8cc9bb7950f98956db5f2d32eec9aa9a679 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 12 May 2018 16:17:27 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
atm-zatm-fix-potential-spectre-v1.patch
can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch
libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch
net-atm-fix-potential-spectre-v1.patch
rfkill-gpio-fix-memory-leak-in-probe-error-path.patch
tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch
---
 .../atm-zatm-fix-potential-spectre-v1.patch | 54 ++++++++++++++++
 ...ats-counter-in-kvaser_usb_rx_can_msg.patch | 31 ++++++++++
 ...quirk-for-sandisk-sd7ub3q-g1001-ssds.patch | 45 ++++++++++++++
 .../net-atm-fix-potential-spectre-v1.patch | 61 +++++++++++++++++++
 ...-fix-memory-leak-in-probe-error-path.patch | 46 ++++++++++++++
 queue-4.4/series | 6 ++
 ...-to-not-over-compare-the-test-string.patch | 41 +++++++++++++
 7 files changed, 284 insertions(+)
 create mode 100644 queue-4.4/atm-zatm-fix-potential-spectre-v1.patch
 create mode 100644 queue-4.4/can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch
 create mode 100644 queue-4.4/libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch
 create mode 100644 queue-4.4/net-atm-fix-potential-spectre-v1.patch
 create mode 100644 queue-4.4/rfkill-gpio-fix-memory-leak-in-probe-error-path.patch
 create mode 100644 queue-4.4/tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch
diff --git a/queue-4.4/atm-zatm-fix-potential-spectre-v1.patch b/queue-4.4/atm-zatm-fix-potential-spectre-v1.patch
new file mode 100644
index 00000000000..bfcef16a7f7
--- /dev/null
+++ b/queue-4.4/atm-zatm-fix-potential-spectre-v1.patch
@@ -0,0 +1,54 @@
+From 2be147f7459db5bbf292e0a6f135037b55e20b39 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 3 May 2018 13:17:12 -0500
+Subject: atm: zatm: Fix potential Spectre v1
+
+From: Gustavo A. R. Silva
+
+commit 2be147f7459db5bbf292e0a6f135037b55e20b39 upstream.
+
+pool can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/atm/zatm.c:1462 zatm_ioctl() warn: potential spectre issue
+'zatm_dev->pool_info' (local cap)
+
+Fix this by sanitizing pool before using it to index
+zatm_dev->pool_info
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/atm/zatm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -23,6 +23,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1456,6 +1457,8 @@ static int zatm_ioctl(struct atm_dev *de
+ return -EFAULT;
+ if (pool < 0 || pool > ZATM_LAST_POOL)
+ return -EINVAL;
++ pool = array_index_nospec(pool,
++ ZATM_LAST_POOL + 1);
+ spin_lock_irqsave(&zatm_dev->lock, flags);
+ info = zatm_dev->pool_info[pool];
+ if (cmd == ZATM_GETPOOLZ) {
diff --git a/queue-4.4/can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch b/queue-4.4/can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch
new file mode 100644
index 00000000000..5fc69f1ef97
--- /dev/null
+++ b/queue-4.4/can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch
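Review bot: The new `array_index_nospec(pool, ZATM_LAST_POOL + 1)` call carries no comment saying why an index that has just passed a range check still needs clamping, unlike the lec.c patch queued in the same batch, which at least labels its include `/* Hardening for Spectre-v1 */`. A one-line comment before the clamp, `/* pool is user-controlled: bound the index under speculation, not only architecturally */`, would stop a later cleanup from folding it back into the range check. The second argument must equal the declared length of `zatm_dev->pool_info`; that declaration is not visible here, so it is worth confirming it has `ZATM_LAST_POOL + 1` entries. `zatm_ioctl()` starts and continues outside the hunk.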
@@ -0,0 +1,31 @@
+From 6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson
+Date: Fri, 20 Apr 2018 14:38:46 +0200
+Subject: can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
+
+From: Jimmy Assarsson
+
+commit 6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89 upstream.
+
+Increase rx_dropped, if alloc_can_skb() fails, not tx_dropped.
+
+Signed-off-by: Jimmy Assarsson
+Cc: linux-stable
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/kvaser_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -1175,7 +1175,7 @@ static void kvaser_usb_rx_can_msg(const
+ 
+ skb = alloc_can_skb(priv->netdev, &cf);
+ if (!skb) {
+- stats->tx_dropped++;
++ stats->rx_dropped++;
+ return;
+ }
+ 
diff --git a/queue-4.4/libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch b/queue-4.4/libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch
new file mode 100644
index 00000000000..510f3d6aa17
--- /dev/null
+++ b/queue-4.4/libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch
@@ -0,0 +1,45 @@
+From 184add2ca23ce5edcac0ab9c3b9be13f91e7b567 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Thu, 26 Apr 2018 22:32:21 +0200
+Subject: libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
+
+From: Hans de Goede
+
+commit 184add2ca23ce5edcac0ab9c3b9be13f91e7b567 upstream.
+
+Richard Jones has reported that using med_power_with_dipm on a T450s
+with a Sandisk SD7UB3Q256G1001 SSD (firmware version X2180501) is
+causing the machine to hang.
+
+Switching the LPM to max_performance fixes this, so it seems that
+this Sandisk SSD does not handle LPM well.
+
+Note in the past there have been bug-reports about the following
+Sandisk models not working with min_power, so we may need to extend
+the quirk list in the future: name - firmware
+Sandisk SD6SB2M512G1022I - X210400
+Sandisk SD6PP4M-256G-1006 - A200906
+
+Cc: stable@vger.kernel.org
+Cc: Richard W.M. Jones
+Reported-and-tested-by: Richard W.M. Jones
+Signed-off-by: Hans de Goede
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4243,6 +4243,9 @@ static const struct ata_blacklist_entry
+ ATA_HORKAGE_ZERO_AFTER_TRIM |
+ ATA_HORKAGE_NOLPM, },
+ 
++ /* Sandisk devices which are known to not handle LPM well */
++ { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, },
++
+ /* devices that don't properly handle queued TRIM commands */
+ { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM, },
diff --git a/queue-4.4/net-atm-fix-potential-spectre-v1.patch b/queue-4.4/net-atm-fix-potential-spectre-v1.patch
new file mode 100644
index 00000000000..f286eb0e53a
--- /dev/null
+++ b/queue-4.4/net-atm-fix-potential-spectre-v1.patch
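Review bot: The new blacklist entry passes `NULL` as the firmware revision, so the NOLPM quirk matches the model regardless of firmware (as the other `NULL`-revision entries in the table do), while the commit message reports only firmware X2180501 as failing; the comment above the entry should say that is deliberate, e.g. `/* Sandisk devices which are known to not handle LPM well (all firmware revisions) */`. The message also lists two further Sandisk models that may need the same quirk; pointing at that list from the comment would help whoever extends the table later. The blacklist table starts and ends outside the hunk.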
@@ -0,0 +1,61 @@
+From acf784bd0ce257fe43da7ca266f7a10b837479d2 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 3 May 2018 13:45:58 -0500
+Subject: net: atm: Fix potential Spectre v1
+
+From: Gustavo A. R. Silva
+
+commit acf784bd0ce257fe43da7ca266f7a10b837479d2 upstream.
+
+ioc_data.dev_num can be controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue
+'dev_lec'
+
+Fix this by sanitizing ioc_data.dev_num before using it to index
+dev_lec. Also, notice that there is another instance in which array
+dev_lec is being indexed using ioc_data.dev_num at line 705:
+lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]),
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/atm/lec.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/atm/lec.c
++++ b/net/atm/lec.c
+@@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] =
+ #include
+ #include
+ 
++/* Hardening for Spectre-v1 */
++#include
++
+ #include "lec.h"
+ #include "lec_arpc.h"
+ #include "resources.h"
+@@ -697,8 +700,10 @@ static int lec_vcc_attach(struct atm_vcc
+ bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc));
+ if (bytes_left != 0)
+ pr_info("copy from user failed for %d bytes\n", bytes_left);
+- if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF ||
+- !dev_lec[ioc_data.dev_num])
++ if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF)
++ return -EINVAL;
++ ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF);
++ if (!dev_lec[ioc_data.dev_num])
+ return -EINVAL;
+ vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL);
+ if (!vpriv)
diff --git a/queue-4.4/rfkill-gpio-fix-memory-leak-in-probe-error-path.patch b/queue-4.4/rfkill-gpio-fix-memory-leak-in-probe-error-path.patch
new file mode 100644
index 00000000000..78af7cddae6
--- /dev/null
+++ b/queue-4.4/rfkill-gpio-fix-memory-leak-in-probe-error-path.patch
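Review bot: The new range check and `array_index_nospec()` still consume `ioc_data.dev_num` after the `copy_from_user()` on the context line above has failed; that path only logs through `pr_info()` and falls through, so the sanitised index is computed from an `ioc_data` that was not fully filled in. Returning early there, `if (bytes_left != 0) return -EFAULT;`, would close that gap; the logging line predates this patch, so it may belong in a separate follow-up rather than in this backport. Using `MAX_LEC_ITF` as the clamp bound assumes `dev_lec` is declared with exactly that many entries, which is not visible in the hunk. `lec_vcc_attach()` starts and continues outside the hunk.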
@@ -0,0 +1,46 @@
+From 4bf01ca21e2e0e4561d1a03c48c3d740418702db Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 26 Apr 2018 09:31:52 +0200
+Subject: rfkill: gpio: fix memory leak in probe error path
+
+From: Johan Hovold
+
+commit 4bf01ca21e2e0e4561d1a03c48c3d740418702db upstream.
+
+Make sure to free the rfkill device in case registration fails during
+probe.
+
+Fixes: 5e7ca3937fbe ("net: rfkill: gpio: convert to resource managed allocation")
+Cc: stable # 3.13
+Cc: Heikki Krogerus
+Signed-off-by: Johan Hovold
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rfkill/rfkill-gpio.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/rfkill/rfkill-gpio.c
++++ b/net/rfkill/rfkill-gpio.c
+@@ -140,13 +140,18 @@ static int rfkill_gpio_probe(struct plat
+ 
+ ret = rfkill_register(rfkill->rfkill_dev);
+ if (ret < 0)
+- return ret;
++ goto err_destroy;
+ 
+ platform_set_drvdata(pdev, rfkill);
+ 
+ dev_info(&pdev->dev, "%s device registered.\n", rfkill->name);
+ 
+ return 0;
++
++err_destroy:
++ rfkill_destroy(rfkill->rfkill_dev);
++
++ return ret;
+ }
+ 
+ static int rfkill_gpio_remove(struct platform_device *pdev)
diff --git a/queue-4.4/series b/queue-4.4/series
index d9697b7bc0d..23443b948ce 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -42,3 +42,9 @@ tcp-fix-tcp_repair_queue-bound-checking.patch
 bdi-fix-oops-in-wb_workfn.patch
 f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch
 xfrm_user-fix-return-value-from-xfrm_user_rcv_msg.patch
+rfkill-gpio-fix-memory-leak-in-probe-error-path.patch
+libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch
+tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch
+can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch
+net-atm-fix-potential-spectre-v1.patch
+atm-zatm-fix-potential-spectre-v1.patch
diff --git a/queue-4.4/tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch b/queue-4.4/tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch
new file mode 100644
index 00000000000..01c5d0e5e90
--- /dev/null
+++ b/queue-4.4/tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch
@@ -0,0 +1,41 @@
+From dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Wed, 9 May 2018 11:59:32 -0400
+Subject: tracing: Fix regex_match_front() to not over compare the test string
+
+From: Steven Rostedt (VMware)
+
+commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d upstream.
+
+The regex match function regex_match_front() in the tracing filter logic,
+was fixed to test just the pattern length from testing the entire test
+string. That is, it went from strncmp(str, r->pattern, len) to
+strcmp(str, r->pattern, r->len).
+
+The issue is that str is not guaranteed to be nul terminated, and if r->len
+is greater than the length of str, it can access more memory than is
+allocated.
+
+The solution is to add a simple test if (len < r->len) return 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 285caad415f45 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching")
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_events_filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -322,6 +322,9 @@ static int regex_match_full(char *str, s
+ 
+ static int regex_match_front(char *str, struct regex *r, int len)
+ {
++ if (len < r->len)
++ return 0;
++
+ if (strncmp(str, r->pattern, r->len) == 0)
+ return 1;
+ return 0;
-- 
2.47.3
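Review bot: The added `if (len < r->len) return 0;` guard carries no comment, and the invariant it protects, that `str` need not be NUL-terminated so a `strncmp()` bounded only by `r->len` can read past the `len` bytes the caller vouches for, lives only in the commit message; a comment such as `/* str may not be NUL-terminated: never compare beyond the caller-supplied len */` keeps that reasoning next to the code. The message's `strcmp(str, r->pattern, r->len)` is presumably a typo for `strncmp()`, which is what the context line below actually calls. The closing brace of `regex_match_front()` lies outside the hunk.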