From: Greg Kroah-Hartman Date: Sat, 12 May 2018 14:17:45 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.109~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef0fcdc4bce214998f831aaf6698600dc089afda;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: atm-zatm-fix-potential-spectre-v1.patch can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch drm-i915-fix-drm-intel_enable_lvds-error-message-in-kernel-log.patch drm-vc4-fix-scaling-of-uni-planar-formats.patch gpio-fix-aspeed_gpio-unmask-irq.patch gpio-fix-error-path-in-lineevent_create.patch gpioib-do-not-free-unrequested-descriptors.patch libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch net-atm-fix-potential-spectre-v1.patch rfkill-gpio-fix-memory-leak-in-probe-error-path.patch tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch --- diff --git a/queue-4.9/atm-zatm-fix-potential-spectre-v1.patch b/queue-4.9/atm-zatm-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..87dc645727a --- /dev/null +++ b/queue-4.9/atm-zatm-fix-potential-spectre-v1.patch 
@@ -0,0 +1,54 @@ +From 2be147f7459db5bbf292e0a6f135037b55e20b39 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 3 May 2018 13:17:12 -0500 +Subject: atm: zatm: Fix potential Spectre v1 + +From: Gustavo A. R. Silva + +commit 2be147f7459db5bbf292e0a6f135037b55e20b39 upstream. + +pool can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/atm/zatm.c:1462 zatm_ioctl() warn: potential spectre issue +'zatm_dev->pool_info' (local cap) + +Fix this by sanitizing pool before using it to index +zatm_dev->pool_info + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/atm/zatm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1458,6 +1459,8 @@ static int zatm_ioctl(struct atm_dev *de + return -EFAULT; + if (pool < 0 || pool > ZATM_LAST_POOL) + return -EINVAL; ++ pool = array_index_nospec(pool, ++ ZATM_LAST_POOL + 1); + spin_lock_irqsave(&zatm_dev->lock, flags); + info = zatm_dev->pool_info[pool]; + if (cmd == ZATM_GETPOOLZ) { diff --git a/queue-4.9/can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch b/queue-4.9/can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch new file mode 100644 index 00000000000..5dbf981fabc --- /dev/null +++ b/queue-4.9/can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch 
@@ -0,0 +1,31 @@ +From 6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89 Mon Sep 17 00:00:00 2001 +From: Jimmy Assarsson +Date: Fri, 20 Apr 2018 14:38:46 +0200 +Subject: can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() + +From: Jimmy Assarsson + +commit 6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89 upstream. + +Increase rx_dropped, if alloc_can_skb() fails, not tx_dropped. + +Signed-off-by: Jimmy Assarsson +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/kvaser_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/kvaser_usb.c ++++ b/drivers/net/can/usb/kvaser_usb.c +@@ -1179,7 +1179,7 @@ static void kvaser_usb_rx_can_msg(const + + skb = alloc_can_skb(priv->netdev, &cf); + if (!skb) { +- stats->tx_dropped++; ++ stats->rx_dropped++; + return; + } + diff --git a/queue-4.9/drm-i915-fix-drm-intel_enable_lvds-error-message-in-kernel-log.patch b/queue-4.9/drm-i915-fix-drm-intel_enable_lvds-error-message-in-kernel-log.patch new file mode 100644 index 00000000000..78ffdffd034 --- /dev/null +++ b/queue-4.9/drm-i915-fix-drm-intel_enable_lvds-error-message-in-kernel-log.patch 
@@ -0,0 +1,63 @@ +From e8f48f96db7e482995743f461b3e8a5c1a102533 Mon Sep 17 00:00:00 2001 +From: Florent Flament +Date: Thu, 19 Apr 2018 19:07:00 +0300 +Subject: drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florent Flament + +commit e8f48f96db7e482995743f461b3e8a5c1a102533 upstream. + +Fix `[drm:intel_enable_lvds] *ERROR* timed out waiting for panel to +power on` in kernel log at boot time. + +Toshiba Satellite Z930 laptops needs between 1 and 2 seconds to power +on its screen during Intel i915 DRM initialization. This currently +results in a `[drm:intel_enable_lvds] *ERROR* timed out waiting for +panel to power on` message appearing in the kernel log during boot +time and when stopping the machine. + +This change increases the timeout of the `intel_enable_lvds` function +from 1 to 5 seconds, letting enough time for the Satellite 930 LCD +screen to power on, and suppressing the error message from the kernel +log. + +This patch has been successfully tested on Linux 4.14 running on a +Toshiba Satellite Z930. + +[vsyrjala: bump the timeout from 2 to 5 seconds to match the DP + code and properly cover the max hw timeout of ~4 seconds, and + drop the comment about the specific machine since this is not + a particulary surprising issue, nor specific to that one machine] + +Signed-off-by: Florent Flament +Cc: stable@vger.kernel.org +Cc: Pavel Petrovic +Cc: Sérgio M. 
Basto +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103414 +References: https://bugzilla.kernel.org/show_bug.cgi?id=57591 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20180419160700.19828-1-ville.syrjala@linux.intel.com +Reviewed-by: Jani Nikula +(cherry picked from commit 280b54ade5914d3b4abe4f0ebe083ddbd4603246) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_lvds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_lvds.c ++++ b/drivers/gpu/drm/i915/intel_lvds.c +@@ -321,7 +321,8 @@ static void intel_enable_lvds(struct int + + I915_WRITE(PP_CONTROL(0), I915_READ(PP_CONTROL(0)) | PANEL_POWER_ON); + POSTING_READ(lvds_encoder->reg); +- if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 1000)) ++ ++ if (intel_wait_for_register(dev_priv, PP_STATUS(0), PP_ON, PP_ON, 5000)) + DRM_ERROR("timed out waiting for panel to power on\n"); + + intel_panel_enable_backlight(intel_connector); diff --git a/queue-4.9/drm-vc4-fix-scaling-of-uni-planar-formats.patch b/queue-4.9/drm-vc4-fix-scaling-of-uni-planar-formats.patch new file mode 100644 index 00000000000..42d18a067ae --- /dev/null +++ b/queue-4.9/drm-vc4-fix-scaling-of-uni-planar-formats.patch 
@@ -0,0 +1,34 @@ +From 9a0e9802217291e54c4dd1fc5462f189a4be14ec Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Mon, 7 May 2018 14:13:03 +0200 +Subject: drm/vc4: Fix scaling of uni-planar formats + +From: Boris Brezillon + +commit 9a0e9802217291e54c4dd1fc5462f189a4be14ec upstream. + +When using uni-planar formats (like RGB), the scaling parameters are +stored in plane 0, not plane 1. + +Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.") +Cc: stable@vger.kernel.org +Signed-off-by: Boris Brezillon +Reviewed-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20180507121303.5610-1-boris.brezillon@bootlin.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vc4/vc4_plane.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -533,7 +533,7 @@ static int vc4_plane_mode_set(struct drm + * the scl fields here. + */ + if (num_planes == 1) { +- scl0 = vc4_get_scl_field(state, 1); ++ scl0 = vc4_get_scl_field(state, 0); + scl1 = scl0; + } else { + scl0 = vc4_get_scl_field(state, 1); diff --git a/queue-4.9/gpio-fix-aspeed_gpio-unmask-irq.patch b/queue-4.9/gpio-fix-aspeed_gpio-unmask-irq.patch new file mode 100644 index 00000000000..0fa2f475819 --- /dev/null +++ b/queue-4.9/gpio-fix-aspeed_gpio-unmask-irq.patch 
@@ -0,0 +1,32 @@ +From f241632fd087d3d9fbd5450f4d8c8604badd8348 Mon Sep 17 00:00:00 2001 +From: Govert Overgaauw +Date: Fri, 6 Apr 2018 14:41:35 +0200 +Subject: gpio: fix aspeed_gpio unmask irq + +From: Govert Overgaauw + +commit f241632fd087d3d9fbd5450f4d8c8604badd8348 upstream. + +The unmask function disables all interrupts in a bank when unmasking an +interrupt. Only disable the given interrupt. + +Cc: stable@vger.kernel.org +Signed-off-by: Govert Overgaauw +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-aspeed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-aspeed.c ++++ b/drivers/gpio/gpio-aspeed.c +@@ -256,7 +256,7 @@ static void aspeed_gpio_irq_set_mask(str + if (set) + reg |= bit; + else +- reg &= bit; ++ reg &= ~bit; + iowrite32(reg, addr); + + spin_unlock_irqrestore(&gpio->lock, flags); diff --git a/queue-4.9/gpio-fix-error-path-in-lineevent_create.patch b/queue-4.9/gpio-fix-error-path-in-lineevent_create.patch new file mode 100644 index 00000000000..de9847ec4a5 --- /dev/null +++ b/queue-4.9/gpio-fix-error-path-in-lineevent_create.patch 
@@ -0,0 +1,35 @@ +From f001cc351ad3309ec8736c374e90e5a4bc472d41 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Mon, 16 Apr 2018 13:17:53 +0200 +Subject: gpio: fix error path in lineevent_create +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit f001cc351ad3309ec8736c374e90e5a4bc472d41 upstream. + +If gpiod_request() fails the cleanup must not call gpiod_free(). + +Cc: stable@vger.kernel.org +Fixes: 61f922db7221 ("gpio: userspace ABI for reading GPIO line events") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -795,7 +795,7 @@ static int lineevent_create(struct gpio_ + desc = &gdev->descs[offset]; + ret = gpiod_request(desc, le->label); + if (ret) +- goto out_free_desc; ++ goto out_free_label; + le->desc = desc; + le->eflags = eflags; + diff --git a/queue-4.9/gpioib-do-not-free-unrequested-descriptors.patch b/queue-4.9/gpioib-do-not-free-unrequested-descriptors.patch new file mode 100644 index 00000000000..cd59726ea3b --- /dev/null +++ b/queue-4.9/gpioib-do-not-free-unrequested-descriptors.patch 
@@ -0,0 +1,58 @@ +From ab3dbcf78f60f46d6a0ad63b1f4b690b7a427140 Mon Sep 17 00:00:00 2001 +From: Timur Tabi +Date: Thu, 29 Mar 2018 13:29:12 -0500 +Subject: gpioib: do not free unrequested descriptors + +From: Timur Tabi + +commit ab3dbcf78f60f46d6a0ad63b1f4b690b7a427140 upstream. + +If the main loop in linehandle_create() encounters an error, it +unwinds completely by freeing all previously requested GPIO +descriptors. However, if the error occurs in the beginning of +the loop before that GPIO is requested, then the exit code +attempts to free a null descriptor. If extrachecks is enabled, +gpiod_free() triggers a WARN_ON. + +Instead, keep a separate count of legitimate GPIOs so that only +those are freed. + +Cc: stable@vger.kernel.org +Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines") +Reviewed-by: Bjorn Andersson +Signed-off-by: Timur Tabi +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -425,7 +425,7 @@ static int linehandle_create(struct gpio + struct gpiohandle_request handlereq; + struct linehandle_state *lh; + struct file *file; +- int fd, i, ret; ++ int fd, i, count = 0, ret; + + if (copy_from_user(&handlereq, ip, sizeof(handlereq))) + return -EFAULT; +@@ -471,6 +471,7 @@ static int linehandle_create(struct gpio + if (ret) + goto out_free_descs; + lh->descs[i] = desc; ++ count = i; + + if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) + set_bit(FLAG_ACTIVE_LOW, &desc->flags); +@@ -537,7 +538,7 @@ static int linehandle_create(struct gpio + out_put_unused_fd: + put_unused_fd(fd); + out_free_descs: +- for (; i >= 0; i--) ++ for (i = 0; i < count; i++) + gpiod_free(lh->descs[i]); + kfree(lh->label); + out_free_lh: 
diff --git a/queue-4.9/libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch b/queue-4.9/libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch new file mode 100644 index 00000000000..d8fb34d2db8 --- /dev/null +++ b/queue-4.9/libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch @@ -0,0 +1,45 @@ +From 184add2ca23ce5edcac0ab9c3b9be13f91e7b567 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 26 Apr 2018 22:32:21 +0200 +Subject: libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs + +From: Hans de Goede + +commit 184add2ca23ce5edcac0ab9c3b9be13f91e7b567 upstream. + +Richard Jones has reported that using med_power_with_dipm on a T450s +with a Sandisk SD7UB3Q256G1001 SSD (firmware version X2180501) is +causing the machine to hang. + +Switching the LPM to max_performance fixes this, so it seems that +this Sandisk SSD does not handle LPM well. + +Note in the past there have been bug-reports about the following +Sandisk models not working with min_power, so we may need to extend +the quirk list in the future: name - firmware +Sandisk SD6SB2M512G1022I - X210400 +Sandisk SD6PP4M-256G-1006 - A200906 + +Cc: stable@vger.kernel.org +Cc: Richard W.M. Jones +Reported-and-tested-by: Richard W.M. Jones +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4422,6 +4422,9 @@ static const struct ata_blacklist_entry + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NOLPM, }, + ++ /* Sandisk devices which are known to not handle LPM well */ ++ { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, ++ + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, 
diff --git a/queue-4.9/net-atm-fix-potential-spectre-v1.patch b/queue-4.9/net-atm-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..f286eb0e53a --- /dev/null +++ b/queue-4.9/net-atm-fix-potential-spectre-v1.patch 
@@ -0,0 +1,61 @@ +From acf784bd0ce257fe43da7ca266f7a10b837479d2 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 3 May 2018 13:45:58 -0500 +Subject: net: atm: Fix potential Spectre v1 + +From: Gustavo A. R. Silva + +commit acf784bd0ce257fe43da7ca266f7a10b837479d2 upstream. + +ioc_data.dev_num can be controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: +net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue +'dev_lec' + +Fix this by sanitizing ioc_data.dev_num before using it to index +dev_lec. Also, notice that there is another instance in which array +dev_lec is being indexed using ioc_data.dev_num at line 705: +lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]), + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/atm/lec.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = + #include + #include + ++/* Hardening for Spectre-v1 */ ++#include ++ + #include "lec.h" + #include "lec_arpc.h" + #include "resources.h" +@@ -697,8 +700,10 @@ static int lec_vcc_attach(struct atm_vcc + bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc)); + if (bytes_left != 0) + pr_info("copy from user failed for %d bytes\n", bytes_left); +- if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF || +- !dev_lec[ioc_data.dev_num]) ++ if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF) ++ return -EINVAL; ++ ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF); ++ if (!dev_lec[ioc_data.dev_num]) + return -EINVAL; + vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL); + if (!vpriv) diff --git a/queue-4.9/rfkill-gpio-fix-memory-leak-in-probe-error-path.patch b/queue-4.9/rfkill-gpio-fix-memory-leak-in-probe-error-path.patch new file mode 100644 index 00000000000..a6e5acdca6e --- /dev/null +++ b/queue-4.9/rfkill-gpio-fix-memory-leak-in-probe-error-path.patch 
@@ -0,0 +1,46 @@ +From 4bf01ca21e2e0e4561d1a03c48c3d740418702db Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 26 Apr 2018 09:31:52 +0200 +Subject: rfkill: gpio: fix memory leak in probe error path + +From: Johan Hovold + +commit 4bf01ca21e2e0e4561d1a03c48c3d740418702db upstream. + +Make sure to free the rfkill device in case registration fails during +probe. + +Fixes: 5e7ca3937fbe ("net: rfkill: gpio: convert to resource managed allocation") +Cc: stable # 3.13 +Cc: Heikki Krogerus +Signed-off-by: Johan Hovold +Reviewed-by: Heikki Krogerus +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/rfkill/rfkill-gpio.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/rfkill/rfkill-gpio.c ++++ b/net/rfkill/rfkill-gpio.c +@@ -138,13 +138,18 @@ static int rfkill_gpio_probe(struct plat + + ret = rfkill_register(rfkill->rfkill_dev); + if (ret < 0) +- return ret; ++ goto err_destroy; + + platform_set_drvdata(pdev, rfkill); + + dev_info(&pdev->dev, "%s device registered.\n", rfkill->name); + + return 0; ++ ++err_destroy: ++ rfkill_destroy(rfkill->rfkill_dev); ++ ++ return ret; + } + + static int rfkill_gpio_remove(struct platform_device *pdev) diff --git a/queue-4.9/series b/queue-4.9/series index 53fbea91507..a026623b1ad 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -14,3 +14,14 @@ bdi-fix-oops-in-wb_workfn.patch kvm-ppc-book3s-hv-fix-trap-number-return-from-__kvmppc_vcore_entry.patch f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch arm64-add-work-around-for-arm-cortex-a55-erratum-1024718.patch +gpioib-do-not-free-unrequested-descriptors.patch +gpio-fix-aspeed_gpio-unmask-irq.patch +gpio-fix-error-path-in-lineevent_create.patch +rfkill-gpio-fix-memory-leak-in-probe-error-path.patch +libata-apply-nolpm-quirk-for-sandisk-sd7ub3q-g1001-ssds.patch +tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch +can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch +drm-vc4-fix-scaling-of-uni-planar-formats.patch +drm-i915-fix-drm-intel_enable_lvds-error-message-in-kernel-log.patch +net-atm-fix-potential-spectre-v1.patch +atm-zatm-fix-potential-spectre-v1.patch diff --git a/queue-4.9/tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch b/queue-4.9/tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch new file mode 100644 index 00000000000..01c5d0e5e90 --- /dev/null +++ b/queue-4.9/tracing-fix-regex_match_front-to-not-over-compare-the-test-string.patch 
@@ -0,0 +1,41 @@ +From dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 9 May 2018 11:59:32 -0400 +Subject: tracing: Fix regex_match_front() to not over compare the test string + +From: Steven Rostedt (VMware) + +commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d upstream. + +The regex match function regex_match_front() in the tracing filter logic, +was fixed to test just the pattern length from testing the entire test +string. That is, it went from strncmp(str, r->pattern, len) to +strcmp(str, r->pattern, r->len). + +The issue is that str is not guaranteed to be nul terminated, and if r->len +is greater than the length of str, it can access more memory than is +allocated. + +The solution is to add a simple test if (len < r->len) return 0. + +Cc: stable@vger.kernel.org +Fixes: 285caad415f45 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -322,6 +322,9 @@ static int regex_match_full(char *str, s + + static int regex_match_front(char *str, struct regex *r, int len) + { ++ if (len < r->len) ++ return 0; ++ + if (strncmp(str, r->pattern, r->len) == 0) + return 1; + return 0;
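Review bot: In the drivers/gpio/gpiolib.c linehandle_create() hunks, `count = i;` is assigned right after `lh->descs[i] = desc;`, but the unwind loop `for (i = 0; i < count; i++)` frees only indices below count. The most recently requested descriptor is therefore never passed to gpiod_free() when a later step fails, and a failure after the first successful request frees nothing at all. Setting `count = i + 1;` would make count the number of requested descriptors and agree with the loop bound.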
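Review bot: In the net/atm/lec.c lec_vcc_attach() hunk, the context line above the new check only logs a failed copy (`if (bytes_left != 0) pr_info(...)`) and then carries on, so ioc_data.dev_num is range-checked and clamped even when the copy from user space did not complete. Returning -EFAULT when bytes_left is non-zero, before the bounds check, would mean array_index_nospec() only ever sees a value that was fully copied in.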
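Review bot: In the drivers/atm/zatm.c zatm_ioctl() hunk, the size passed to array_index_nospec() is `ZATM_LAST_POOL + 1` because the preceding check uses an inclusive bound (`pool > ZATM_LAST_POOL`), and nothing at the call site says so. A short comment tying the two together, in the spirit of the "Hardening for Spectre-v1" comment the lec.c patch puts on its include, would help keep the clamp and the range check in step if either is edited later.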
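Review bot: The new `if (len < r->len) return 0;` guard in regex_match_front() (kernel/trace/trace_events_filter.c) carries no comment, and the reason for it, that str is not guaranteed to be NUL-terminated so the strncmp() over r->len bytes could read past len, appears only in the commit message. A one-line comment above the check would keep it from being removed later as redundant. The commit message also writes `strcmp(str, r->pattern, r->len)` where the code calls strncmp.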
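Review bot: In the drivers/gpu/drm/i915/intel_lvds.c intel_enable_lvds() hunk, the timeout passed to intel_wait_for_register() becomes a bare 5000 with no comment, while the reasoning (match the DP code and cover the max hardware timeout of about 4 seconds) lives only in the commit message. A brief comment or a named constant would record why 5000 was chosen. The hunk also adds a blank line before the if that is unrelated to the fix.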