From: Greg Kroah-Hartman Date: Thu, 12 Dec 2019 09:41:00 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.4.3~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2c4df22093e36e0faa438773383e1678fd61c7d8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch appletalk-set-error-code-if-register_snap_client-failed.patch asoc-rsnd-fixup-mix-kctrl-registration.patch kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch xfs-add-missing-error-check-in-xfs_prepare_shift.patch --- diff --git a/queue-4.19/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch b/queue-4.19/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch new file mode 100644 index 00000000000..91707b1f564 --- /dev/null +++ b/queue-4.19/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch 
@@ -0,0 +1,123 @@ +From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 14 Mar 2019 13:47:59 +0800 +Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client + +From: YueHaibing + +commit 9804501fa1228048857910a6bf23e085aade37cc upstream. + +register_snap_client may return NULL, all the callers +check it, but only print a warning. This will result in +NULL pointer dereference in unregister_snap_client and other +places. + +It has always been used like this since v2.6 + +Reported-by: Dan Carpenter +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/atalk.h | 2 +- + net/appletalk/aarp.c | 15 ++++++++++++--- + net/appletalk/ddp.c | 20 ++++++++++++-------- + 3 files changed, 25 insertions(+), 12 deletions(-) + +--- a/include/linux/atalk.h ++++ b/include/linux/atalk.h +@@ -108,7 +108,7 @@ static __inline__ struct elapaarp *aarp_ + #define AARP_RESOLVE_TIME (10 * HZ) + + extern struct datalink_proto *ddp_dl, *aarp_dl; +-extern void aarp_proto_init(void); ++extern int aarp_proto_init(void); + + /* Inter module exports */ + +--- a/net/appletalk/aarp.c ++++ b/net/appletalk/aarp.c +@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi + + static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 }; + +-void __init aarp_proto_init(void) ++int __init aarp_proto_init(void) + { ++ int rc; ++ + aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv); +- if (!aarp_dl) ++ if (!aarp_dl) { + printk(KERN_CRIT "Unable to register AARP with SNAP.\n"); ++ return -ENOMEM; ++ } + timer_setup(&aarp_timer, aarp_expire_timeout, 0); + aarp_timer.expires = jiffies + sysctl_aarp_expiry_time; + add_timer(&aarp_timer); +- register_netdevice_notifier(&aarp_notifier); ++ rc = register_netdevice_notifier(&aarp_notifier); ++ if (rc) { ++ del_timer_sync(&aarp_timer); ++ unregister_snap_client(aarp_dl); ++ } ++ return rc; + } + 
+ /* Remove the AARP entries associated with a device. */ +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1909,9 +1909,6 @@ static unsigned char ddp_snap_id[] = { 0 + EXPORT_SYMBOL(atrtr_get_dev); + EXPORT_SYMBOL(atalk_find_dev_addr); + +-static const char atalk_err_snap[] __initconst = +- KERN_CRIT "Unable to register DDP with SNAP.\n"; +- + /* Called by proto.c on kernel start up */ + static int __init atalk_init(void) + { +@@ -1926,17 +1923,22 @@ static int __init atalk_init(void) + goto out_proto; + + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); +- if (!ddp_dl) +- printk(atalk_err_snap); ++ if (!ddp_dl) { ++ pr_crit("Unable to register DDP with SNAP.\n"); ++ goto out_sock; ++ } + + dev_add_pack(<alk_packet_type); + dev_add_pack(&ppptalk_packet_type); + + rc = register_netdevice_notifier(&ddp_notifier); + if (rc) +- goto out_sock; ++ goto out_snap; ++ ++ rc = aarp_proto_init(); ++ if (rc) ++ goto out_dev; + +- aarp_proto_init(); + rc = atalk_proc_init(); + if (rc) + goto out_aarp; +@@ -1950,11 +1952,13 @@ out_proc: + atalk_proc_exit(); + out_aarp: + aarp_cleanup_module(); ++out_dev: + unregister_netdevice_notifier(&ddp_notifier); +-out_sock: ++out_snap: + dev_remove_pack(&ppptalk_packet_type); + dev_remove_pack(<alk_packet_type); + unregister_snap_client(ddp_dl); ++out_sock: + sock_unregister(PF_APPLETALK); + out_proto: + proto_unregister(&ddp_proto); diff --git a/queue-4.19/appletalk-set-error-code-if-register_snap_client-failed.patch b/queue-4.19/appletalk-set-error-code-if-register_snap_client-failed.patch new file mode 100644 index 00000000000..36404164514 --- /dev/null +++ b/queue-4.19/appletalk-set-error-code-if-register_snap_client-failed.patch 
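Review bot: In the new error path of aarp_proto_init(), `unregister_snap_client(aarp_dl)` frees the client but the global `aarp_dl` keeps pointing at it; adding `aarp_dl = NULL;` right after the unregister would keep the global's state self-describing and turn any later accidental use into a NULL dereference instead of a use-after-free. Nothing visible here touches the stale pointer, because atalk_init() jumps to `out_dev` on that failure and does not reach aarp_cleanup_module(), so this is a maintenance concern rather than a bug the patch introduces. The same applies to `ddp_dl` on the `out_snap` path in atalk_init(), which is also left set after unregister_snap_client(). atalk_init() in ddp.c starts before and continues past the inner hunks shown here.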
@@ -0,0 +1,33 @@ +From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Tue, 30 Apr 2019 19:34:08 +0800 +Subject: appletalk: Set error code if register_snap_client failed + +From: YueHaibing + +commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream. + +If register_snap_client fails in atalk_init, +error code should be set, otherwise it will +triggers NULL pointer dereference while unloading +module. + +Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/appletalk/ddp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1925,6 +1925,7 @@ static int __init atalk_init(void) + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); + if (!ddp_dl) { + pr_crit("Unable to register DDP with SNAP.\n"); ++ rc = -ENOMEM; + goto out_sock; + } + diff --git a/queue-4.19/asoc-rsnd-fixup-mix-kctrl-registration.patch b/queue-4.19/asoc-rsnd-fixup-mix-kctrl-registration.patch new file mode 100644 index 00000000000..09d5a221bbd --- /dev/null +++ b/queue-4.19/asoc-rsnd-fixup-mix-kctrl-registration.patch 
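Review bot: `rc = -ENOMEM` assumes the only reason register_snap_client() returns NULL is an allocation failure; if it also returns NULL for other conditions (for example a SNAP id that is already registered — not visible in this hunk), the code reported back from module load will be misleading, although any non-zero value is enough to cure the unload-time NULL dereference this patch fixes. If register_snap_client() cannot distinguish its failure modes, a one-line comment such as `/* register_snap_client() only reports NULL; treat as allocation failure */` records the assumption for the next reader. The enclosing atalk_init() starts before and continues after this hunk.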
@@ -0,0 +1,61 @@ +From 7aea8a9d71d54f449f49e20324df06341cc18395 Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto +Date: Fri, 1 Feb 2019 16:49:30 +0900 +Subject: ASoC: rsnd: fixup MIX kctrl registration + +From: Kuninori Morimoto + +commit 7aea8a9d71d54f449f49e20324df06341cc18395 upstream. + +Renesas sound device has many IPs and many situations. +If platform/board uses MIXer, situation will be more complex. +To avoid duplicate DVC kctrl registration when MIXer was used, +it had original flags. +But it was issue when sound card was re-binded, because +no one can't cleanup this flags then. + +To solve this issue, commit 9c698e8481a15237a ("ASoC: rsnd: tidyup +registering method for rsnd_kctrl_new()") checks registered +card->controls, because if card was re-binded, these were cleanuped +automatically. This patch could solve re-binding issue. +But, it start to avoid MIX kctrl. + +To solve these issues, we need below. +To avoid card re-binding issue: check registered card->controls +To avoid duplicate DVC registration: check registered rsnd_kctrl_cfg +To allow multiple MIX registration: check registered rsnd_kctrl_cfg +This patch do it. + +Fixes: 9c698e8481a15237a ("ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()") +Reported-by: Jiada Wang +Signed-off-by: Kuninori Morimoto +Tested-By: Jiada Wang +Signed-off-by: Mark Brown +Cc: Nobuhiro Iwamatsu +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sh/rcar/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -1345,14 +1345,14 @@ int rsnd_kctrl_new(struct rsnd_mod *mod, + int ret; + + /* +- * 1) Avoid duplicate register (ex. 
MIXer case) +- * 2) re-register if card was rebinded ++ * 1) Avoid duplicate register for DVC with MIX case ++ * 2) Allow duplicate register for MIX ++ * 3) re-register if card was rebinded + */ + list_for_each_entry(kctrl, &card->controls, list) { + struct rsnd_kctrl_cfg *c = kctrl->private_data; + +- if (strcmp(kctrl->id.name, name) == 0 && +- c->mod == mod) ++ if (c == cfg) + return 0; + } + diff --git a/queue-4.19/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch b/queue-4.19/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch new file mode 100644 index 00000000000..ee1d9ce8702 --- /dev/null +++ b/queue-4.19/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch 
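Review bot: The typed local `c` in rsnd_kctrl_new() now exists only to be compared by address, and `struct rsnd_kctrl_cfg *c = kctrl->private_data;` invites a later reader to dereference it, which is not safe for entries on `card->controls` that other components created (their private_data is not an rsnd_kctrl_cfg). Comparing the raw pointer, `if (kctrl->private_data == cfg) return 0;`, states the intent and drops the misleading cast; the old `c->mod` dereference is already gone with this patch. A short comment saying that private_data of foreign controls must never be dereferenced in this loop would make the invariant explicit. rsnd_kctrl_new() starts before and continues past this hunk.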
@@ -0,0 +1,43 @@ +From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 4 Dec 2019 10:28:54 +0100 +Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) + +From: Paolo Bonzini + +commit 433f4ba1904100da65a311033f17a9bf586b287e upstream. + +The bounds check was present in KVM_GET_SUPPORTED_CPUID but not +KVM_GET_EMULATED_CPUID. + +Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com +Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29) +Signed-off-by: Paolo Bonzini +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/cpuid.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -420,7 +420,7 @@ static inline int __do_cpuid_ent(struct + + r = -E2BIG; + +- if (*nent >= maxnent) ++ if (WARN_ON(*nent >= maxnent)) + goto out; + + do_cpuid_1_ent(entry, function, index); +@@ -729,6 +729,9 @@ out: + static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func, + u32 idx, int *nent, int maxnent, unsigned int type) + { ++ if (*nent >= maxnent) ++ return -E2BIG; ++ + if (type == KVM_GET_EMULATED_CPUID) + return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent); + diff --git a/queue-4.19/net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch b/queue-4.19/net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch new file mode 100644 index 00000000000..4b145f07dec --- /dev/null +++ b/queue-4.19/net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch 
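Review bot: The inner test in __do_cpuid_ent() has become a `WARN_ON`, which on kernels booted with panic_on_warn (the usual fuzzing configuration) is a crash rather than a graceful -E2BIG, so it is now only safe if every caller bounds `*nent` first; the new check in do_cpuid_ent() does that for both ioctls because it runs before the `type` dispatch, but any caller of __do_cpuid_ent() that bypasses do_cpuid_ent() — none is visible in this hunk — would need the same pre-check. A comment at the WARN_ON, such as `/* callers must bound *nent before calling; see do_cpuid_ent() */`, would document that this check is now a bug trap and not the user-facing limit. Both __do_cpuid_ent() and do_cpuid_ent() extend beyond the lines shown.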
@@ -0,0 +1,42 @@ +From a21b7f0cff1906a93a0130b74713b15a0b36481d Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Wed, 11 Sep 2019 10:09:02 -0500 +Subject: net: qrtr: fix memort leak in qrtr_tun_write_iter + +From: Navid Emamdoost + +commit a21b7f0cff1906a93a0130b74713b15a0b36481d upstream. + +In qrtr_tun_write_iter the allocated kbuf should be release in case of +error or success return. + +v2 Update: Thanks to David Miller for pointing out the release on success +path as well. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + net/qrtr/tun.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/qrtr/tun.c ++++ b/net/qrtr/tun.c +@@ -84,11 +84,14 @@ static ssize_t qrtr_tun_write_iter(struc + if (!kbuf) + return -ENOMEM; + +- if (!copy_from_iter_full(kbuf, len, from)) ++ if (!copy_from_iter_full(kbuf, len, from)) { ++ kfree(kbuf); + return -EFAULT; ++ } + + ret = qrtr_endpoint_post(&tun->ep, kbuf, len); + ++ kfree(kbuf); + return ret < 0 ? ret : len; + } + diff --git a/queue-4.19/series b/queue-4.19/series index 503e48689bb..13997b2c686 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -246,3 +246,9 @@ watchdog-aspeed-fix-clock-behaviour-for-ast2600.patch perf-script-fix-invalid-lbr-binary-mismatch-error.patch splice-don-t-read-more-than-available-pipe-space.patch iomap-partially-revert-4721a601099-simulated-directi.patch +xfs-add-missing-error-check-in-xfs_prepare_shift.patch +asoc-rsnd-fixup-mix-kctrl-registration.patch +kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch +net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch +appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch +appletalk-set-error-code-if-register_snap_client-failed.patch 
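Review bot: The unconditional `kfree(kbuf)` after qrtr_endpoint_post() is correct only if that function never retains a reference to `kbuf` (presumably it copies the bytes into an skb, but that is not visible here); a comment at the call site, `/* qrtr_endpoint_post() works on a copy; kbuf is always ours to free */`, would pin that ownership contract so a later change to the endpoint code does not silently turn this into a use-after-free. Closing the leak on the copy_from_iter_full() failure path is the important part and looks right. qrtr_tun_write_iter() starts before this hunk — the kmalloc and the derivation of `len` are outside it — so whether a zero-length write is rejected before the allocation cannot be confirmed from here.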
diff --git a/queue-4.19/xfs-add-missing-error-check-in-xfs_prepare_shift.patch b/queue-4.19/xfs-add-missing-error-check-in-xfs_prepare_shift.patch new file mode 100644 index 00000000000..6d7cffd954d --- /dev/null +++ b/queue-4.19/xfs-add-missing-error-check-in-xfs_prepare_shift.patch @@ -0,0 +1,41 @@ +From 1749d1ea89bdf3181328b7d846e609d5a0e53e50 Mon Sep 17 00:00:00 2001 +From: Brian Foster +Date: Fri, 26 Apr 2019 07:30:24 -0700 +Subject: xfs: add missing error check in xfs_prepare_shift() + +From: Brian Foster + +commit 1749d1ea89bdf3181328b7d846e609d5a0e53e50 upstream. + +xfs_prepare_shift() fails to check the error return from +xfs_flush_unmap_range(). If the latter fails, that could lead to an +insert/collapse range operation over a delalloc range, which is not +supported. + +Add an error check and return appropriately. This is reproduced +rarely by generic/475. + +Fixes: 7f9f71be84bc ("xfs: extent shifting doesn't fully invalidate page cache") +Signed-off-by: Brian Foster +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Reviewed-by: Allison Collins +Reviewed-by: Dave Chinner +Cc: Nobuhiro Iwamatsu +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_bmap_util.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/xfs/xfs_bmap_util.c ++++ b/fs/xfs/xfs_bmap_util.c +@@ -1245,6 +1245,8 @@ xfs_prepare_shift( + * about to shift down every extent from offset to EOF. + */ + error = xfs_flush_unmap_range(ip, offset, XFS_ISIZE(ip)); ++ if (error) ++ return error; + + /* + * Clean out anything hanging around in the cow fork now that