From a3316c0ebb6bf333b75b318453d95346fafe2d74 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Aug 2018 07:51:35 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
cls_matchall-fix-tcf_unbind_filter-missing.patch
isdn-disable-iiocdbgvar.patch
---
 ...tchall-fix-tcf_unbind_filter-missing.patch | 33 +++++++++++++++
 queue-4.9/isdn-disable-iiocdbgvar.patch | 41 +++++++++++++++++++
 queue-4.9/series | 2 +
 3 files changed, 76 insertions(+)
 create mode 100644 queue-4.9/cls_matchall-fix-tcf_unbind_filter-missing.patch
 create mode 100644 queue-4.9/isdn-disable-iiocdbgvar.patch
diff --git a/queue-4.9/cls_matchall-fix-tcf_unbind_filter-missing.patch b/queue-4.9/cls_matchall-fix-tcf_unbind_filter-missing.patch
new file mode 100644
index 00000000000..6002599e52b
--- /dev/null
+++ b/queue-4.9/cls_matchall-fix-tcf_unbind_filter-missing.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue Aug 21 07:39:57 CEST 2018
+From: Hangbin Liu
+Date: Tue, 14 Aug 2018 17:28:26 +0800
+Subject: cls_matchall: fix tcf_unbind_filter missing
+
+From: Hangbin Liu
+
+[ Upstream commit a51c76b4dfb30496dc65396a957ef0f06af7fb22 ]
+
+Fix tcf_unbind_filter missing in cls_matchall as this will trigger
+WARN_ON() in cbq_destroy_class().
+
+Fixes: fd62d9f5c575f ("net/sched: matchall: Fix configuration race")
+Reported-by: Li Shuang
+Signed-off-by: Hangbin Liu
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_matchall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -94,6 +94,8 @@ static bool mall_destroy(struct tcf_prot
+ if (!head)
+ return true;
+
++ tcf_unbind_filter(tp, &head->res);
++
+ if (tc_should_offload(dev, tp, head->flags))
+ mall_destroy_hw_filter(tp, head, (unsigned long) head);
+
diff --git a/queue-4.9/isdn-disable-iiocdbgvar.patch b/queue-4.9/isdn-disable-iiocdbgvar.patch
new file mode 100644
index 00000000000..f6dbbc30843
--- /dev/null
+++ b/queue-4.9/isdn-disable-iiocdbgvar.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:39:57 CEST 2018
+From: Kees Cook
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro
+Cc: Karsten Keil
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/isdn/i4l/isdn_common.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1655,13 +1655,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ } else
+ return -EINVAL;
+ case IIOCDBGVAR:
+- if (arg) {
+- if (copy_to_user(argp, &dev, sizeof(ulong)))
+- return -EFAULT;
+- return 0;
+- } else
+- return -EINVAL;
+- break;
++ return -EINVAL;
+ default:
+ if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+ cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
diff --git a/queue-4.9/series b/queue-4.9/series
index 8611a742799..bec47303718 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,6 +13,8 @@ alsa-cs5535audio-fix-invalid-endian-conversion.patch
 alsa-hda-correct-asrock-b85m-itx-power_save-blacklist-entry.patch
 alsa-memalloc-don-t-exceed-over-the-requested-size.patch
 alsa-vxpocket-fix-invalid-endian-conversions.patch
+isdn-disable-iiocdbgvar.patch
+cls_matchall-fix-tcf_unbind_filter-missing.patch
 usb-serial-sierra-fix-potential-deadlock-at-close.patch
 usb-option-add-support-for-dw5821e.patch
 acpi-pm-save-nvs-memory-for-asus-1025c-laptop.patch
--
2.47.3
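Review bot: In the isdn patch, the stub left at `case IIOCDBGVAR:` in isdn_ioctl() is a bare `return -EINVAL;` with nothing in the code recording why the command is still recognised but always refused. A short comment above the return would keep the reason next to the code, for example `/* IIOCDBGVAR used to copy the kernel address held in dev to user space (KASLR bypass); intentionally disabled */`, so a later cleanup does not restore the old `copy_to_user(argp, &dev, sizeof(ulong))` path. The command constant itself is presumably still defined in a header outside this hunk. isdn_ioctl()'s body starts and ends outside the hunk, so the rest of the switch is not reviewed here.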