From a599253ffa85a649fe56fb54b74f75a7e00e2297 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 9 Oct 2017 14:48:37 +0200 Subject: [PATCH] 3.18-stable patches added patches: alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch --- ...-warning-at-page-allocation-failures.patch | 58 ++++++++ ...exattr-and-xattr_getsecurity-memleak.patch | 129 ++++++++++++++++++ queue-3.18/series | 2 + 3 files changed, 189 insertions(+) create mode 100644 queue-3.18/alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch create mode 100644 queue-3.18/lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch diff --git a/queue-3.18/alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch b/queue-3.18/alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch new file mode 100644 index 00000000000..14dea9fc521 --- /dev/null +++ b/queue-3.18/alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch @@ -0,0 +1,58 @@ +From 7682e399485fe19622b6fd82510b1f4551e48a25 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 2 Oct 2017 14:06:43 +0200 +Subject: ALSA: usx2y: Suppress kernel warning at page allocation failures + +From: Takashi Iwai + +commit 7682e399485fe19622b6fd82510b1f4551e48a25 upstream. + +The usx2y driver allocates the stream read/write buffers in continuous +pages depending on the stream setup, and this may spew the kernel +warning messages with a stack trace like: + WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883 + __alloc_pages_slowpath+0x1ef2/0x2d70 + Modules linked in: + CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted + .... + +It may confuse user as if it were any serious error, although this is +no fatal error and the driver handles the error case gracefully. +Since the driver has already some sanity check of the given size (128 +and 256 pages), it can't pass any crazy value. So it's merely page +fragmentation. + +This patch adds __GFP_NOWARN to each caller for suppressing such +kernel warnings. The original issue was spotted by syzkaller. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/usx2y/usb_stream.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/usb/usx2y/usb_stream.c ++++ b/sound/usb/usx2y/usb_stream.c +@@ -191,7 +191,8 @@ struct usb_stream *usb_stream_new(struct + } + + pg = get_order(read_size); +- sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg); ++ sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO| ++ __GFP_NOWARN, pg); + if (!sk->s) { + snd_printk(KERN_WARNING "couldn't __get_free_pages()\n"); + goto out; +@@ -211,7 +212,8 @@ struct usb_stream *usb_stream_new(struct + pg = get_order(write_size); + + sk->write_page = +- (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg); ++ (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO| ++ __GFP_NOWARN, pg); + if (!sk->write_page) { + snd_printk(KERN_WARNING "couldn't __get_free_pages()\n"); + usb_stream_free(sk); diff --git a/queue-3.18/lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch b/queue-3.18/lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch new file mode 100644 index 00000000000..b4bab570f1d --- /dev/null +++ b/queue-3.18/lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch @@ -0,0 +1,129 @@ +From 57e7ba04d422c3d41c8426380303ec9b7533ded9 Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Tue, 19 Sep 2017 09:39:08 -0700 +Subject: lsm: fix smack_inode_removexattr and xattr_getsecurity memleak + +From: Casey Schaufler + +commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream. + +security_inode_getsecurity() provides the text string value +of a security attribute. It does not provide a "secctx". +The code in xattr_getsecurity() that calls security_inode_getsecurity() +and then calls security_release_secctx() happened to work because +SElinux and Smack treat the attribute and the secctx the same way. +It fails for cap_inode_getsecurity(), because that module has no +secctx that ever needs releasing. It turns out that Smack is the +one that's doing things wrong by not allocating memory when instructed +to do so by the "alloc" parameter. + +The fix is simple enough. Change the security_release_secctx() to +kfree() because it isn't a secctx being returned by +security_inode_getsecurity(). Change Smack to allocate the string when +told to do so. + +Note: this also fixes memory leaks for LSMs which implement +inode_getsecurity but not release_secctx, such as capabilities. + +Signed-off-by: Casey Schaufler +Reported-by: Konstantin Khlebnikov +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xattr.c | 2 - + security/smack/smack_lsm.c | 59 ++++++++++++++++++++------------------------- + 2 files changed, 28 insertions(+), 33 deletions(-) + +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -163,7 +163,7 @@ xattr_getsecurity(struct inode *inode, c + } + memcpy(value, buffer, len); + out: +- security_release_secctx(buffer, len); ++ kfree(buffer); + out_noalloc: + return len; + } +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -1229,7 +1229,7 @@ static int smack_inode_removexattr(struc + * @inode: the object + * @name: attribute name + * @buffer: where to put the result +- * @alloc: unused ++ * @alloc: duplicate memory + * + * Returns the size of the attribute or an error code + */ +@@ -1242,43 +1242,38 @@ static int smack_inode_getsecurity(const + struct super_block *sbp; + struct inode *ip = (struct inode *)inode; + struct smack_known *isp; +- int ilen; +- int rc = 0; + +- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { ++ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) + isp = smk_of_inode(inode); +- ilen = strlen(isp->smk_known); +- *buffer = isp->smk_known; +- return ilen; ++ else { ++ /* ++ * The rest of the Smack xattrs are only on sockets. ++ */ ++ sbp = ip->i_sb; ++ if (sbp->s_magic != SOCKFS_MAGIC) ++ return -EOPNOTSUPP; ++ ++ sock = SOCKET_I(ip); ++ if (sock == NULL || sock->sk == NULL) ++ return -EOPNOTSUPP; ++ ++ ssp = sock->sk->sk_security; ++ ++ if (strcmp(name, XATTR_SMACK_IPIN) == 0) ++ isp = ssp->smk_in; ++ else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) ++ isp = ssp->smk_out; ++ else ++ return -EOPNOTSUPP; + } + +- /* +- * The rest of the Smack xattrs are only on sockets. +- */ +- sbp = ip->i_sb; +- if (sbp->s_magic != SOCKFS_MAGIC) +- return -EOPNOTSUPP; +- +- sock = SOCKET_I(ip); +- if (sock == NULL || sock->sk == NULL) +- return -EOPNOTSUPP; +- +- ssp = sock->sk->sk_security; +- +- if (strcmp(name, XATTR_SMACK_IPIN) == 0) +- isp = ssp->smk_in; +- else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) +- isp = ssp->smk_out; +- else +- return -EOPNOTSUPP; +- +- ilen = strlen(isp->smk_known); +- if (rc == 0) { +- *buffer = isp->smk_known; +- rc = ilen; ++ if (alloc) { ++ *buffer = kstrdup(isp->smk_known, GFP_KERNEL); ++ if (*buffer == NULL) ++ return -ENOMEM; + } + +- return rc; ++ return strlen(isp->smk_known); + } + + diff --git a/queue-3.18/series b/queue-3.18/series index c9b80dd3412..dbd5c16d41a 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -20,3 +20,5 @@ iio-ad7793-fix-the-serial-interface-reset.patch iio-adc-mcp320x-fix-oops-on-module-unload.patch uwb-properly-check-kthread_run-return-value.patch uwb-ensure-that-endpoint-is-interrupt.patch +lsm-fix-smack_inode_removexattr-and-xattr_getsecurity-memleak.patch +alsa-usx2y-suppress-kernel-warning-at-page-allocation-failures.patch -- 2.47.3