From: Greg Kroah-Hartman Date: Mon, 19 Aug 2024 09:57:40 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v6.1.107~137 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=817c71410f2a9605e2b028397d402a99bf265aa0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: drm-amdgpu-actually-check-flags-for-all-context-ops.patch memcg_write_event_control-fix-a-user-triggerable-oops.patch selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch
---
diff --git a/queue-4.19/drm-amdgpu-actually-check-flags-for-all-context-ops.patch b/queue-4.19/drm-amdgpu-actually-check-flags-for-all-context-ops.patch
new file mode 100644
index 00000000000..26f6aa8888c
--- /dev/null
+++ b/queue-4.19/drm-amdgpu-actually-check-flags-for-all-context-ops.patch
@@ -0,0 +1,50 @@
+From 0573a1e2ea7e35bff08944a40f1adf2bb35cea61 Mon Sep 17 00:00:00 2001
+From: Bas Nieuwenhuizen
+Date: Tue, 6 Aug 2024 22:27:32 +0200
+Subject: drm/amdgpu: Actually check flags for all context ops.
+
+From: Bas Nieuwenhuizen
+
+commit 0573a1e2ea7e35bff08944a40f1adf2bb35cea61 upstream.
+
+Missing validation ...
+
+Checked libdrm and it clears all the structs, so we should be
+safe to just check everything.
+
+Signed-off-by: Bas Nieuwenhuizen
+Signed-off-by: Alex Deucher
+(cherry picked from commit c6b86421f1f9ddf9d706f2453159813ee39d0cf9)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
+@@ -288,16 +288,24 @@ int amdgpu_ctx_ioctl(struct drm_device *
+
+ switch (args->in.op) {
+ case AMDGPU_CTX_OP_ALLOC_CTX:
++ if (args->in.flags)
++ return -EINVAL;
+ r = amdgpu_ctx_alloc(adev, fpriv, filp, priority, &id);
+ args->out.alloc.ctx_id = id;
+ break;
+ case AMDGPU_CTX_OP_FREE_CTX:
++ if (args->in.flags)
++ return -EINVAL;
+ r = amdgpu_ctx_free(fpriv, id);
+ break;
+ case AMDGPU_CTX_OP_QUERY_STATE:
++ if (args->in.flags)
++ return -EINVAL;
+ r = amdgpu_ctx_query(adev, fpriv, id, &args->out);
+ break;
+ case AMDGPU_CTX_OP_QUERY_STATE2:
++ if (args->in.flags)
++ return -EINVAL;
+ r = amdgpu_ctx_query2(adev, fpriv, id, &args->out);
+ break;
+ default:
diff --git a/queue-4.19/memcg_write_event_control-fix-a-user-triggerable-oops.patch b/queue-4.19/memcg_write_event_control-fix-a-user-triggerable-oops.patch
new file mode 100644
index 00000000000..0bac7d34d68
--- /dev/null
+++ b/queue-4.19/memcg_write_event_control-fix-a-user-triggerable-oops.patch
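Review bot: The four added `if (args->in.flags) return -EINVAL;` checks in the amdgpu_ctx_ioctl() switch return directly, while every neighbouring case assigns `r` and breaks, so whatever follows the switch is skipped on this path; the function starts and ends outside the hunk, so I cannot tell whether that matters. Writing each guard as `if (args->in.flags) { r = -EINVAL; break; }` would keep a single exit, and if no op in this tree consumes flags, one check before the switch would replace all four. A short comment on the first check, for example `/* flags is unused by this op; reject non-zero bits instead of ignoring them */`, would record why the field is validated. The commit message relies on libdrm zeroing the struct, so any other caller that passes uninitialised flags will now get -EINVAL.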
@@ -0,0 +1,39 @@
+From 046667c4d3196938e992fba0dfcde570aa85cd0e Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 21 Jul 2024 14:45:08 -0400
+Subject: memcg_write_event_control(): fix a user-triggerable oops
+
+From: Al Viro
+
+commit 046667c4d3196938e992fba0dfcde570aa85cd0e upstream.
+
+we are *not* guaranteed that anything past the terminating NUL
+is mapped (let alone initialized with anything sane).
+
+Fixes: 0dea116876ee ("cgroup: implement eventfd-based generic API for notifications")
+Cc: stable@vger.kernel.org
+Cc: Andrew Morton
+Acked-by: Michal Hocko
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memcontrol.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4140,9 +4140,12 @@ static ssize_t memcg_write_event_control
+ buf = endp + 1;
+
+ cfd = simple_strtoul(buf, &endp, 10);
+- if ((*endp != ' ') && (*endp != '\0'))
++ if (*endp == '\0')
++ buf = endp;
++ else if (*endp == ' ')
++ buf = endp + 1;
++ else
+ return -EINVAL;
+- buf = endp + 1;
+
+ event = kzalloc(sizeof(*event), GFP_KERNEL);
+ if (!event)
diff --git a/queue-4.19/selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch b/queue-4.19/selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch
new file mode 100644
index 00000000000..9571b860b30
--- /dev/null
+++ b/queue-4.19/selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch
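Review bot: The cfd parse in memcg_write_event_control() still accepts a field with no digits, because simple_strtoul() returns 0 and leaves `endp == buf` in that case and the new branches only inspect `*endp`, so an empty second field is taken as fd 0. Adding `if (endp == buf) return -EINVAL;` directly after the `simple_strtoul()` call would reject it. Whether later code already refuses such a descriptor cannot be seen here, since the function continues outside the hunk. simple_strtoul() also does not report overflow, so an over-long number is not diagnosed either.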
@@ -0,0 +1,39 @@
+From 6dd1e4c045afa6a4ba5d46f044c83bd357c593c2 Mon Sep 17 00:00:00 2001
+From: Zhen Lei
+Date: Wed, 7 Aug 2024 17:00:56 +0800
+Subject: selinux: add the processing of the failure of avc_add_xperms_decision()
+
+From: Zhen Lei
+
+commit 6dd1e4c045afa6a4ba5d46f044c83bd357c593c2 upstream.
+
+When avc_add_xperms_decision() fails, the information recorded by the new
+avc node is incomplete. In this case, the new avc node should be released
+instead of replacing the old avc node.
+
+Cc: stable@vger.kernel.org
+Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
+Suggested-by: Stephen Smalley
+Signed-off-by: Zhen Lei
+Acked-by: Stephen Smalley
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/avc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -925,7 +925,11 @@ static int avc_update_node(struct selinu
+ node->ae.avd.auditdeny &= ~perms;
+ break;
+ case AVC_CALLBACK_ADD_XPERMS:
+- avc_add_xperms_decision(node, xpd);
++ rc = avc_add_xperms_decision(node, xpd);
++ if (rc) {
++ avc_node_kill(node);
++ goto out_unlock;
++ }
+ break;
+ }
+ avc_node_replace(avc, node, orig);
diff --git a/queue-4.19/selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch b/queue-4.19/selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch
new file mode 100644
index 00000000000..c4fc76b7666
--- /dev/null
+++ b/queue-4.19/selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch
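Review bot: The new error path in avc_update_node() calls `avc_node_kill(node)` with one argument, while the context line `avc_node_replace(avc, node, orig);` shows that helpers in this 4.19 tree are passed the `avc` handle. avc_node_kill() is defined outside the hunk and the upstream commit was written against a newer tree, so its signature here should be checked before the patch is queued; if the 4.19 helper takes the handle, the line needs to be `avc_node_kill(avc, node);`. A comment above the call, such as `/* node is incomplete: drop it and leave orig in the cache */`, would also document why the replace is skipped. The `out_unlock` label and the rest of the function are not visible in this hunk.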
@@ -0,0 +1,38 @@
+From 379d9af3f3da2da1bbfa67baf1820c72a080d1f1 Mon Sep 17 00:00:00 2001
+From: Zhen Lei
+Date: Tue, 6 Aug 2024 14:51:13 +0800
+Subject: selinux: fix potential counting error in avc_add_xperms_decision()
+
+From: Zhen Lei
+
+commit 379d9af3f3da2da1bbfa67baf1820c72a080d1f1 upstream.
+
+The count increases only when a node is successfully added to
+the linked list.
+
+Cc: stable@vger.kernel.org
+Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
+Signed-off-by: Zhen Lei
+Acked-by: Stephen Smalley
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/avc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -401,12 +401,12 @@ static int avc_add_xperms_decision(struc
+ {
+ struct avc_xperms_decision_node *dest_xpd;
+
+- node->ae.xp_node->xp.len++;
+ dest_xpd = avc_xperms_decision_alloc(src->used);
+ if (!dest_xpd)
+ return -ENOMEM;
+ avc_copy_xperms_decision(&dest_xpd->xpd, src);
+ list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head);
++ node->ae.xp_node->xp.len++;
+ return 0;
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index ded9034d4c1..b654037f682 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -6,3 +6,7 @@ dm-resume-don-t-return-einval-when-signalled.patch
 dm-persistent-data-fix-memory-allocation-failure.patch
 bitmap-introduce-generic-optimized-bitmap_size.patch
 fix-bitmap-corruption-on-close_range-with-close_range_unshare.patch
+selinux-fix-potential-counting-error-in-avc_add_xperms_decision.patch
+selinux-add-the-processing-of-the-failure-of-avc_add_xperms_decision.patch
+drm-amdgpu-actually-check-flags-for-all-context-ops.patch
+memcg_write_event_control-fix-a-user-triggerable-oops.patch
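Review bot: Nothing in avc_add_xperms_decision() states the invariant that the moved increment restores, namely that `xp.len` counts only decisions actually linked on `xpd_head`. A comment above the increment, for example `/* count the decision only once it is on xpd_head */`, would make that explicit for the next backport. The function also dereferences `node->ae.xp_node` without a check; whether callers guarantee it is non-NULL is not visible in this hunk. The reordering only matters to callers that act on the -ENOMEM return, which the companion patch in this series adds in avc_update_node().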