--- /dev/null
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: apparmor: enforce nullbyte at end of tag string
+
+From: Jann Horn <jannh@google.com>
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext *
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
--- /dev/null
+From 3230f4a8d44e4a0bb7afea814b280b5129521f52 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:32 -0400
+Subject: IB/hfi1: Silence txreq allocation warnings
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 upstream.
+
+The following warning can happen when a memory shortage
+occurs during txreq allocation:
+
+[10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+[10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
+[10220.939247] cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0
+[10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1]
+[10220.939261] node 0: slabs: 1026568, objs: 43115856, free: 0
+[10220.939262] Call Trace:
+[10220.939262] node 1: slabs: 820872, objs: 34476624, free: 0
+[10220.939263] dump_stack+0x5a/0x73
+[10220.939265] warn_alloc+0x103/0x190
+[10220.939267] ? wake_all_kswapds+0x54/0x8b
+[10220.939268] __alloc_pages_slowpath+0x86c/0xa2e
+[10220.939270] ? __alloc_pages_nodemask+0x2fe/0x320
+[10220.939271] __alloc_pages_nodemask+0x2fe/0x320
+[10220.939273] new_slab+0x475/0x550
+[10220.939275] ___slab_alloc+0x36c/0x520
+[10220.939287] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939299] ? __get_txreq+0x54/0x160 [hfi1]
+[10220.939310] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939312] __slab_alloc+0x40/0x61
+[10220.939323] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939325] kmem_cache_alloc+0x181/0x1b0
+[10220.939336] hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939348] ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1]
+[10220.939359] ? find_prev_entry+0xb0/0xb0 [hfi1]
+[10220.939371] hfi1_do_send+0x1d9/0x3f0 [hfi1]
+[10220.939372] process_one_work+0x171/0x380
+[10220.939374] worker_thread+0x49/0x3f0
+[10220.939375] kthread+0xf8/0x130
+[10220.939377] ? max_active_store+0x80/0x80
+[10220.939378] ? kthread_bind+0x10/0x10
+[10220.939379] ret_from_fork+0x35/0x40
+[10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+
+The shortage is handled properly so the message isn't needed. Silence by
+adding the no warn option to the slab allocation.
+
+Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs_txreq.c | 2 +-
+ drivers/infiniband/hw/hfi1/verbs_txreq.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.c
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.c
+@@ -100,7 +100,7 @@ struct verbs_txreq *__get_txreq(struct h
+ if (ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK) {
+ struct hfi1_qp_priv *priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (tx)
+ goto out;
+ priv = qp->priv;
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.h
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.h
+@@ -71,6 +71,7 @@ struct hfi1_ibdev;
+ struct verbs_txreq *__get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp);
+
++#define VERBS_TXREQ_GFP (GFP_ATOMIC | __GFP_NOWARN)
+ static inline struct verbs_txreq *get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp)
+ __must_hold(&qp->slock)
+@@ -78,7 +79,7 @@ static inline struct verbs_txreq *get_tx
+ struct verbs_txreq *tx;
+ struct hfi1_qp_priv *priv = qp->priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (unlikely(!tx)) {
+ /* call slow path to get the lock */
+ tx = __get_txreq(dev, qp);
--- /dev/null
+From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/uinput.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -991,13 +991,31 @@ static long uinput_ioctl(struct file *fi
+
+ #ifdef CONFIG_COMPAT
+
+-#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT \
++ _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+
+ static long uinput_compat_ioctl(struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
+- if (cmd == UI_SET_PHYS_COMPAT)
++ switch (cmd) {
++ case UI_SET_PHYS_COMPAT:
+ cmd = UI_SET_PHYS;
++ break;
++ case UI_BEGIN_FF_UPLOAD_COMPAT:
++ cmd = UI_BEGIN_FF_UPLOAD;
++ break;
++ case UI_END_FF_UPLOAD_COMPAT:
++ cmd = UI_END_FF_UPLOAD;
++ break;
++ }
+
+ return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
