2 files changed, 95 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
new file mode 100644
index 0000000..5e355ae
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
@@ -0,0 +1,94 @@
+From c2219da51664451149350e47321aa0fcf72a8b8f Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 17 Feb 2017 16:19:39 -0500
+Subject: [PATCH] irda: Fix lockdep annotations in hashbin_delete().
+[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ]
+A nested lock depth was added to the hasbin_delete() code but it
+doesn't actually work some well and results in tons of lockdep splats.
+Fix the code instead to properly drop the lock around the operation
+and just keep peeking the head of the hashbin queue.
+CVE: CVE-2017-6348
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/irda/irqueue.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
+index acbe61c..160dc89 100644
+--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
+@@ -383,9 +383,6 @@ hashbin_t *hashbin_new(int type)
+  *    for deallocating this structure if it's complex. If not the user can
+  *    just supply kfree, which should take care of the job.
+  */
+-#ifdef CONFIG_LOCKDEP
+-static int hashbin_lock_depth = 0;
+-#endif
+ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ {
+        irda_queue_t* queue;
+@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+        IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
+ 
+        /* Synchronize */
+-       if ( hashbin->hb_type & HB_LOCK ) {
+-               spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
+-                                        hashbin_lock_depth++);
+-       }
+       if (hashbin->hb_type & HB_LOCK)
+               spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+ 
+        /*
+         *  Free the entries in the hashbin, TODO: use hashbin_clear when
+         *  it has been shown to work
+         */
+        for (i = 0; i < HASHBIN_SIZE; i ++ ) {
+-               queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+-               while (queue ) {
+-                       if (free_func)
+-                               (*free_func)(queue);
+-                       queue = dequeue_first(
+-                               (irda_queue_t**) &hashbin->hb_queue[i]);
+               while (1) {
+                       queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+
+                       if (!queue)
+                               break;
+
+                       if (free_func) {
+                               if (hashbin->hb_type & HB_LOCK)
+                                       spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+                               free_func(queue);
+                               if (hashbin->hb_type & HB_LOCK)
+                                       spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+                       }
+                }
+        }
+ 
+@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+        hashbin->magic = ~HB_MAGIC;
+ 
+        /* Release lock */
+-       if ( hashbin->hb_type & HB_LOCK) {
+       if (hashbin->hb_type & HB_LOCK)
+                spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+-#ifdef CONFIG_LOCKDEP
+-               hashbin_lock_depth--;
+-#endif
+-       }
+ 
+        /*
+         *  Free the hashbin structure
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index c6959ab..13a4bda 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -24,6 +24,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-5986.patch \
           file://CVE-2017-6214.patch \
           file://CVE-2017-6345.patch \
+           file://CVE-2017-6348.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch new file mode 100644 index 0000000..5e355ae --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6348.patch
@@ -0,0 +1,94 @@
		1	From c2219da51664451149350e47321aa0fcf72a8b8f Mon Sep 17 00:00:00 2001
		2	From: "David S. Miller" <davem@davemloft.net>
		3	Date: Fri, 17 Feb 2017 16:19:39 -0500
		4	Subject: [PATCH] irda: Fix lockdep annotations in hashbin_delete().
		5
		6	[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ]
		7
		8	A nested lock depth was added to the hasbin_delete() code but it
		9	doesn't actually work some well and results in tons of lockdep splats.
		10
		11	Fix the code instead to properly drop the lock around the operation
		12	and just keep peeking the head of the hashbin queue.
		13
		14	CVE: CVE-2017-6348
		15	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		16
		17	Reported-by: Dmitry Vyukov <dvyukov@google.com>
		18	Tested-by: Dmitry Vyukov <dvyukov@google.com>
		19	Signed-off-by: David S. Miller <davem@davemloft.net>
		20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		22	---
		23	net/irda/irqueue.c \| 34 ++++++++++++++++------------------
		24	1 file changed, 16 insertions(+), 18 deletions(-)
		25
		26	diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
		27	index acbe61c..160dc89 100644
		28	--- a/net/irda/irqueue.c
		29	+++ b/net/irda/irqueue.c
		30	@@ -383,9 +383,6 @@ hashbin_t *hashbin_new(int type)
		31	* for deallocating this structure if it's complex. If not the user can
		32	* just supply kfree, which should take care of the job.
		33	*/
		34	-#ifdef CONFIG_LOCKDEP
		35	-static int hashbin_lock_depth = 0;
		36	-#endif
		37	int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
		38	{
		39	irda_queue_t* queue;
		40	@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
		41	IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
		42
		43	/* Synchronize */
		44	- if ( hashbin->hb_type & HB_LOCK ) {
		45	- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
		46	- hashbin_lock_depth++);
		47	- }
		48	+ if (hashbin->hb_type & HB_LOCK)
		49	+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
		50
		51	/*
		52	* Free the entries in the hashbin, TODO: use hashbin_clear when
		53	* it has been shown to work
		54	*/
		55	for (i = 0; i < HASHBIN_SIZE; i ++ ) {
		56	- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
		57	- while (queue ) {
		58	- if (free_func)
		59	- (*free_func)(queue);
		60	- queue = dequeue_first(
		61	- (irda_queue_t**) &hashbin->hb_queue[i]);
		62	+ while (1) {
		63	+ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
		64	+
		65	+ if (!queue)
		66	+ break;
		67	+
		68	+ if (free_func) {
		69	+ if (hashbin->hb_type & HB_LOCK)
		70	+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
		71	+ free_func(queue);
		72	+ if (hashbin->hb_type & HB_LOCK)
		73	+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
		74	+ }
		75	}
		76	}
		77
		78	@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
		79	hashbin->magic = ~HB_MAGIC;
		80
		81	/* Release lock */
		82	- if ( hashbin->hb_type & HB_LOCK) {
		83	+ if (hashbin->hb_type & HB_LOCK)
		84	spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
		85	-#ifdef CONFIG_LOCKDEP
		86	- hashbin_lock_depth--;
		87	-#endif
		88	- }
		89
		90	/*
		91	* Free the hashbin structure
		92	--
		93	1.9.1
		94


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index c6959ab..13a4bda 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -24,6 +24,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
24	file://CVE-2017-5986.patch \	24	file://CVE-2017-5986.patch \
25	file://CVE-2017-6214.patch \	25	file://CVE-2017-6214.patch \
26	file://CVE-2017-6345.patch \	26	file://CVE-2017-6345.patch \
		27	file://CVE-2017-6348.patch \
27	file://CVE-2017-7487.patch \	28	file://CVE-2017-7487.patch \
28	file://CVE-2017-7618.patch \	29	file://CVE-2017-7618.patch \
29	file://CVE-2017-7645.patch \	30	file://CVE-2017-7645.patch \