4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Jan 2018 08:24:05 +0000 (09:24 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Jan 2018 08:24:05 +0000 (09:24 +0100)
added patches:
apparmor-fix-ptrace-label-match-when-matching-stacked-labels.patch
bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
e1000e-fix-e1000_check_for_copper_link_ich8lan-return-value.patch
kdump-write-correct-address-of-mem_section-into-vmcoreinfo.patch
mux-core-fix-double-get_device.patch
uas-ignore-uas-for-norelsys-ns1068-x-chips.patch

queue-4.14/apparmor-fix-ptrace-label-match-when-matching-stacked-labels.patch [new file with mode: 0644]
queue-4.14/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch [new file with mode: 0644]
queue-4.14/e1000e-fix-e1000_check_for_copper_link_ich8lan-return-value.patch [new file with mode: 0644]
queue-4.14/kdump-write-correct-address-of-mem_section-into-vmcoreinfo.patch [new file with mode: 0644]
queue-4.14/mux-core-fix-double-get_device.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/uas-ignore-uas-for-norelsys-ns1068-x-chips.patch [new file with mode: 0644]

diff --git a/queue-4.14/apparmor-fix-ptrace-label-match-when-matching-stacked-labels.patch b/queue-4.14/apparmor-fix-ptrace-label-match-when-matching-stacked-labels.patch
new file mode 100644 (file)
index 0000000..27ce714
--- /dev/null
@@ -0,0 +1,133 @@
+From 0dda0b3fb255048a221f736c8a2a24c674da8bf3 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Fri, 8 Dec 2017 17:43:18 -0800
+Subject: apparmor: fix ptrace label match when matching stacked labels
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 0dda0b3fb255048a221f736c8a2a24c674da8bf3 upstream.
+
+Given a label with a profile stack of
+  A//&B or A//&C ...
+
+A ptrace rule should be able to specify a generic trace pattern with
+a rule like
+
+  ptrace trace A//&**,
+
+however this is failing because while the correct label match routine
+is called, it is being done post label decomposition so it is always
+being done against a profile instead of the stacked label.
+
+To fix this refactor the cross check to pass the full peer label in to
+the label_match.
+
+Fixes: 290f458a4f16 ("apparmor: allow ptrace checks to be finer grained than just capability")
+Reported-by: Matthew Garrett <mjg59@google.com>
+Tested-by: Matthew Garrett <mjg59@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/include/perms.h |    3 ++
+ security/apparmor/ipc.c           |   53 ++++++++++++++++++++++----------------
+ 2 files changed, 35 insertions(+), 21 deletions(-)
+
+--- a/security/apparmor/include/perms.h
++++ b/security/apparmor/include/perms.h
+@@ -133,6 +133,9 @@ extern struct aa_perms allperms;
+ #define xcheck_labels_profiles(L1, L2, FN, args...)           \
+       xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args)
++#define xcheck_labels(L1, L2, P, FN1, FN2)                    \
++      xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
++
+ void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
+ void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
+--- a/security/apparmor/ipc.c
++++ b/security/apparmor/ipc.c
+@@ -64,40 +64,48 @@ static void audit_ptrace_cb(struct audit
+                       FLAGS_NONE, GFP_ATOMIC);
+ }
++/* assumes check for PROFILE_MEDIATES is already done */
+ /* TODO: conditionals */
+ static int profile_ptrace_perm(struct aa_profile *profile,
+-                             struct aa_profile *peer, u32 request,
+-                             struct common_audit_data *sa)
++                           struct aa_label *peer, u32 request,
++                           struct common_audit_data *sa)
+ {
+       struct aa_perms perms = { };
+-      /* need because of peer in cross check */
+-      if (profile_unconfined(profile) ||
+-          !PROFILE_MEDIATES(profile, AA_CLASS_PTRACE))
+-              return 0;
+-
+-      aad(sa)->peer = &peer->label;
+-      aa_profile_match_label(profile, &peer->label, AA_CLASS_PTRACE, request,
++      aad(sa)->peer = peer;
++      aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request,
+                              &perms);
+       aa_apply_modes_to_perms(profile, &perms);
+       return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
+ }
+-static int cross_ptrace_perm(struct aa_profile *tracer,
+-                           struct aa_profile *tracee, u32 request,
+-                           struct common_audit_data *sa)
++static int profile_tracee_perm(struct aa_profile *tracee,
++                             struct aa_label *tracer, u32 request,
++                             struct common_audit_data *sa)
+ {
++      if (profile_unconfined(tracee) || unconfined(tracer) ||
++          !PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
++              return 0;
++
++      return profile_ptrace_perm(tracee, tracer, request, sa);
++}
++
++static int profile_tracer_perm(struct aa_profile *tracer,
++                             struct aa_label *tracee, u32 request,
++                             struct common_audit_data *sa)
++{
++      if (profile_unconfined(tracer))
++              return 0;
++
+       if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE))
+-              return xcheck(profile_ptrace_perm(tracer, tracee, request, sa),
+-                            profile_ptrace_perm(tracee, tracer,
+-                                                request << PTRACE_PERM_SHIFT,
+-                                                sa));
+-      /* policy uses the old style capability check for ptrace */
+-      if (profile_unconfined(tracer) || tracer == tracee)
++              return profile_ptrace_perm(tracer, tracee, request, sa);
++
++      /* profile uses the old style capability check for ptrace */
++      if (&tracer->label == tracee)
+               return 0;
+       aad(sa)->label = &tracer->label;
+-      aad(sa)->peer = &tracee->label;
++      aad(sa)->peer = tracee;
+       aad(sa)->request = 0;
+       aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE, 1);
+@@ -115,10 +123,13 @@ static int cross_ptrace_perm(struct aa_p
+ int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
+                 u32 request)
+ {
++      struct aa_profile *profile;
++      u32 xrequest = request << PTRACE_PERM_SHIFT;
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
+-      return xcheck_labels_profiles(tracer, tracee, cross_ptrace_perm,
+-                                    request, &sa);
++      return xcheck_labels(tracer, tracee, profile,
++                      profile_tracer_perm(profile, tracee, request, &sa),
++                      profile_tracee_perm(profile, tracer, xrequest, &sa));
+ }
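Review bot: The new comment on profile_ptrace_perm(), `/* assumes check for PROFILE_MEDIATES is already done */`, understates the precondition, because the same hunk also removes the `profile_unconfined(profile)` test from that function and moves it into profile_tracer_perm() and profile_tracee_perm(). A later caller that relies on the comment alone could run label matching for an unconfined profile, so I would word it as `/* caller must already have handled unconfined profiles and checked PROFILE_MEDIATES(profile, AA_CLASS_PTRACE) */`. The `xcheck_labels()` macro in perms.h would also benefit from a one-line comment saying that `P` appears to be the loop variable bound by `fn_for_each` and that `FN1`/`FN2` are expressions evaluated per profile, not function names as in the neighbouring `xcheck_labels_profiles()`.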
diff --git a/queue-4.14/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch b/queue-4.14/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
new file mode 100644 (file)
index 0000000..d2a89fb
--- /dev/null
@@ -0,0 +1,89 @@
+From 06e7e776ca4d36547e503279aeff996cbb292c16 Mon Sep 17 00:00:00 2001
+From: Ben Seri <ben@armis.com>
+Date: Fri, 8 Dec 2017 15:14:47 +0100
+Subject: Bluetooth: Prevent stack info leak from the EFS element.
+
+From: Ben Seri <ben@armis.com>
+
+commit 06e7e776ca4d36547e503279aeff996cbb292c16 upstream.
+
+In the function l2cap_parse_conf_rsp and in the function
+l2cap_parse_conf_req the following variable is declared without
+initialization:
+
+struct l2cap_conf_efs efs;
+
+In addition, when parsing input configuration parameters in both of
+these functions, the switch case for handling EFS elements may skip the
+memcpy call that will write to the efs variable:
+
+...
+case L2CAP_CONF_EFS:
+if (olen == sizeof(efs))
+memcpy(&efs, (void *)val, olen);
+...
+
+The olen in the above if is attacker controlled, and regardless of that
+if, in both of these functions the efs variable would eventually be
+added to the outgoing configuration request that is being built:
+
+l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);
+
+So by sending a configuration request, or response, that contains an
+L2CAP_CONF_EFS element, but with an element length that is not
+sizeof(efs) - the memcpy to the uninitialized efs variable can be
+avoided, and the uninitialized variable would be returned to the
+attacker (16 bytes).
+
+This issue has been assigned CVE-2017-1000410
+
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: Gustavo Padovan <gustavo@padovan.org>
+Cc: Johan Hedberg <johan.hedberg@gmail.com>
+Signed-off-by: Ben Seri <ben@armis.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_core.c |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3363,9 +3363,10 @@ static int l2cap_parse_conf_req(struct l
+                       break;
+               case L2CAP_CONF_EFS:
+-                      remote_efs = 1;
+-                      if (olen == sizeof(efs))
++                      if (olen == sizeof(efs)) {
++                              remote_efs = 1;
+                               memcpy(&efs, (void *) val, olen);
++                      }
+                       break;
+               case L2CAP_CONF_EWS:
+@@ -3584,16 +3585,17 @@ static int l2cap_parse_conf_rsp(struct l
+                       break;
+               case L2CAP_CONF_EFS:
+-                      if (olen == sizeof(efs))
++                      if (olen == sizeof(efs)) {
+                               memcpy(&efs, (void *)val, olen);
+-                      if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+-                          efs.stype != L2CAP_SERV_NOTRAFIC &&
+-                          efs.stype != chan->local_stype)
+-                              return -ECONNREFUSED;
++                              if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
++                                  efs.stype != L2CAP_SERV_NOTRAFIC &&
++                                  efs.stype != chan->local_stype)
++                                      return -ECONNREFUSED;
+-                      l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+-                                         (unsigned long) &efs, endptr - ptr);
++                              l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
++                                                 (unsigned long) &efs, endptr - ptr);
++                      }
+                       break;
+               case L2CAP_CONF_FCS:
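Review bot: Both guards keep `efs` out of the reply only while every read of it stays behind the `olen == sizeof(efs)` test, and the declaration `struct l2cap_conf_efs efs;` quoted in the description is left uninitialised outside these hunks. In l2cap_parse_conf_req() the later consumer is presumably gated on `remote_efs`, which is not visible here and should be confirmed against the full function. Clearing the struct once at the top of both parsers, `memset(&efs, 0, sizeof(efs));`, would make any future ungated read return zeros instead of stack contents. Both function bodies start and end outside the hunks.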
diff --git a/queue-4.14/e1000e-fix-e1000_check_for_copper_link_ich8lan-return-value.patch b/queue-4.14/e1000e-fix-e1000_check_for_copper_link_ich8lan-return-value.patch
new file mode 100644 (file)
index 0000000..3872625
--- /dev/null
@@ -0,0 +1,66 @@
+From 4110e02eb45ea447ec6f5459c9934de0a273fb91 Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+Subject: e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
+
+From: Benjamin Poirier <bpoirier@suse.com>
+
+commit 4110e02eb45ea447ec6f5459c9934de0a273fb91 upstream.
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse <list@eworm.de>
+Reported-by: Gabriel C <nix.or.die@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Tested-by: Christian Hesse <list@eworm.de>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1367,6 +1367,9 @@ out:
+  *  Checks to see of the link status of the hardware has changed.  If a
+  *  change in link status has been detected, then we read the PHY registers
+  *  to get the current speed/duplex if link exists.
++ *
++ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ *  up).
+  **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+@@ -1382,7 +1385,7 @@ static s32 e1000_check_for_copper_link_i
+        * Change or Rx Sequence Error interrupt.
+        */
+       if (!mac->get_link_status)
+-              return 0;
++              return 1;
+       /* First we want to see if the MII Status Register reports
+        * link.  If so, then we want to get the current speed/duplex
+@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_i
+        * different link partner.
+        */
+       ret_val = e1000e_config_fc_after_link_up(hw);
+-      if (ret_val)
++      if (ret_val) {
+               e_dbg("Error configuring flow control\n");
++              return ret_val;
++      }
+-      return ret_val;
++      return 1;
+ }
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
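Review bot: After this change 0 means link down, so any early success path between the two hunks that still does `return 0;` would now be reported to the caller as link down; those lines are outside the hunks and should be checked against the full function. The new kernel-doc sentence is the only place the tri-state contract is written down, so the `if (!mac->get_link_status)` branch deserves a short comment, something like `/* no link change pending: report link up */`, so the bare `return 1;` is not mistaken for an error code. The function body starts and ends outside the hunks shown.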
diff --git a/queue-4.14/kdump-write-correct-address-of-mem_section-into-vmcoreinfo.patch b/queue-4.14/kdump-write-correct-address-of-mem_section-into-vmcoreinfo.patch
new file mode 100644 (file)
index 0000000..d0d82c3
--- /dev/null
@@ -0,0 +1,66 @@
+From a0b1280368d1e91ab72f849ef095b4f07a39bbf1 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Fri, 12 Jan 2018 16:53:14 -0800
+Subject: kdump: write correct address of mem_section into vmcoreinfo
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit a0b1280368d1e91ab72f849ef095b4f07a39bbf1 upstream.
+
+Depending on configuration mem_section can now be an array or a pointer
+to an array allocated dynamically.  In most cases, we can continue to
+refer to it as 'mem_section' regardless of what it is.
+
+But there's one exception: '&mem_section' means "address of the array"
+if mem_section is an array, but if mem_section is a pointer, it would
+mean "address of the pointer".
+
+We've stepped onto this in kdump code.  VMCOREINFO_SYMBOL(mem_section)
+writes down address of pointer into vmcoreinfo, not array as we wanted.
+
+Let's introduce VMCOREINFO_SYMBOL_ARRAY() that would handle the
+situation correctly for both cases.
+
+Link: http://lkml.kernel.org/r/20180112162532.35896-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Fixes: 83e3c48729d9 ("mm/sparsemem: Allocate mem_section at runtime for CONFIG_SPARSEMEM_EXTREME=y")
+Acked-by: Baoquan He <bhe@redhat.com>
+Acked-by: Dave Young <dyoung@redhat.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/crash_core.h |    2 ++
+ kernel/crash_core.c        |    2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/linux/crash_core.h
++++ b/include/linux/crash_core.h
+@@ -42,6 +42,8 @@ phys_addr_t paddr_vmcoreinfo_note(void);
+       vmcoreinfo_append_str("PAGESIZE=%ld\n", value)
+ #define VMCOREINFO_SYMBOL(name) \
+       vmcoreinfo_append_str("SYMBOL(%s)=%lx\n", #name, (unsigned long)&name)
++#define VMCOREINFO_SYMBOL_ARRAY(name) \
++      vmcoreinfo_append_str("SYMBOL(%s)=%lx\n", #name, (unsigned long)name)
+ #define VMCOREINFO_SIZE(name) \
+       vmcoreinfo_append_str("SIZE(%s)=%lu\n", #name, \
+                             (unsigned long)sizeof(name))
+--- a/kernel/crash_core.c
++++ b/kernel/crash_core.c
+@@ -409,7 +409,7 @@ static int __init crash_save_vmcoreinfo_
+       VMCOREINFO_SYMBOL(contig_page_data);
+ #endif
+ #ifdef CONFIG_SPARSEMEM
+-      VMCOREINFO_SYMBOL(mem_section);
++      VMCOREINFO_SYMBOL_ARRAY(mem_section);
+       VMCOREINFO_LENGTH(mem_section, NR_SECTION_ROOTS);
+       VMCOREINFO_STRUCT_SIZE(mem_section);
+       VMCOREINFO_OFFSET(mem_section, section_mem_map);
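Review bot: `VMCOREINFO_SYMBOL_ARRAY()` is added without a comment, and it differs from `VMCOREINFO_SYMBOL()` only by the missing `&`, which is easy to misread as a typo or to mix up when adding new entries. I would add above the definition in crash_core.h: `/* name may be an array or a pointer to one: records the address of the array itself, not of the variable */`. The cast `(unsigned long)name` also accepts any integer-typed expression, so passing an integer variable would compile and record its value as if it were an address; nothing in the macro guards against that.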
diff --git a/queue-4.14/mux-core-fix-double-get_device.patch b/queue-4.14/mux-core-fix-double-get_device.patch
new file mode 100644 (file)
index 0000000..f6fc702
--- /dev/null
@@ -0,0 +1,51 @@
+From aa1f10e85b0ab53dee85d8e293c8159d18d293a8 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 29 Dec 2017 00:22:54 +0100
+Subject: mux: core: fix double get_device()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit aa1f10e85b0ab53dee85d8e293c8159d18d293a8 upstream.
+
+class_find_device already does a get_device on the returned device.
+So the device returned by of_find_mux_chip_by_node is already referenced
+and we should not reference it again (and unref it on error).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mux/core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mux/core.c
++++ b/drivers/mux/core.c
+@@ -413,6 +413,7 @@ static int of_dev_node_match(struct devi
+       return dev->of_node == data;
+ }
++/* Note this function returns a reference to the mux_chip dev. */
+ static struct mux_chip *of_find_mux_chip_by_node(struct device_node *np)
+ {
+       struct device *dev;
+@@ -466,6 +467,7 @@ struct mux_control *mux_control_get(stru
+           (!args.args_count && (mux_chip->controllers > 1))) {
+               dev_err(dev, "%pOF: wrong #mux-control-cells for %pOF\n",
+                       np, args.np);
++              put_device(&mux_chip->dev);
+               return ERR_PTR(-EINVAL);
+       }
+@@ -476,10 +478,10 @@ struct mux_control *mux_control_get(stru
+       if (controller >= mux_chip->controllers) {
+               dev_err(dev, "%pOF: bad mux controller %u specified in %pOF\n",
+                       np, controller, args.np);
++              put_device(&mux_chip->dev);
+               return ERR_PTR(-EINVAL);
+       }
+-      get_device(&mux_chip->dev);
+       return &mux_chip->mux[controller];
+ }
+ EXPORT_SYMBOL_GPL(mux_control_get);
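Review bot: With `get_device()` removed, mux_control_get() holds the reference from the moment of_find_mux_chip_by_node() returns, so every error return after that call has to `put_device(&mux_chip->dev)`. The hunks add it on the two `-EINVAL` paths; any other return between the lookup and the final `return &mux_chip->mux[controller];` is outside the hunks and should be checked. The added comment on of_find_mux_chip_by_node() could also say who releases the reference, for example `/* Returns the mux_chip with a reference held on its dev; the caller must put_device() it. */`. The body of mux_control_get() starts outside the hunk.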
index 461da2863f172872e393ececfc3bcb88e9b2e697..676c102f697155220ffcc234b53e88667fb2f5ee 100644 (file)
@@ -81,3 +81,9 @@ usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
 usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch
 usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch
 staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch
+bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
+uas-ignore-uas-for-norelsys-ns1068-x-chips.patch
+mux-core-fix-double-get_device.patch
+kdump-write-correct-address-of-mem_section-into-vmcoreinfo.patch
+apparmor-fix-ptrace-label-match-when-matching-stacked-labels.patch
+e1000e-fix-e1000_check_for_copper_link_ich8lan-return-value.patch
diff --git a/queue-4.14/uas-ignore-uas-for-norelsys-ns1068-x-chips.patch b/queue-4.14/uas-ignore-uas-for-norelsys-ns1068-x-chips.patch
new file mode 100644 (file)
index 0000000..d131b01
--- /dev/null
@@ -0,0 +1,46 @@
+From 928afc85270753657b5543e052cc270c279a3fe9 Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <icenowy@aosc.io>
+Date: Sat, 6 Jan 2018 00:56:44 +0800
+Subject: uas: ignore UAS for Norelsys NS1068(X) chips
+
+From: Icenowy Zheng <icenowy@aosc.io>
+
+commit 928afc85270753657b5543e052cc270c279a3fe9 upstream.
+
+The UAS mode of Norelsys NS1068(X) is reported to fail to work on
+several platforms with the following error message:
+
+xhci-hcd xhci-hcd.0.auto: ERROR Transfer event for unknown stream ring slot 1 ep 8
+xhci-hcd xhci-hcd.0.auto: @00000000bf04a400 00000000 00000000 1b000000 01098001
+
+And when trying to mount a partition on the disk the disk will
+disconnect from the USB controller, then after re-connecting the device
+will be offlined and not working at all.
+
+Falling back to USB mass storage can solve this problem, so ignore UAS
+function of this chip.
+
+Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
+Acked-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_uas.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -156,6 +156,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x99
+               USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+               US_FL_NO_ATA_1X),
++/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */
++UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
++              "Norelsys",
++              "NS1068X",
++              USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++              US_FL_IGNORE_UAS),
++
+ /* Reported-by: Takeo Nakayama <javhera@gmx.com> */
+ UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
+               "JMicron",