summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTing Liu <ting.liu@freescale.com>2015-07-17 15:17:38 +0800
committerZhenhua Luo <zhenhua.luo@freescale.com>2015-07-22 17:37:56 +0800
commit2d6e98e65e028f15019a085f5e705496a1c90175 (patch)
tree7c3437c73689cc06bec53e75e62c9dfaa48afc99
parentc1a8932311a95a541da41de0b8095c8e0cc374d1 (diff)
downloadmeta-fsl-ppc-2d6e98e65e028f15019a085f5e705496a1c90175.tar.gz
linux-qoriq: update to revision f488de6
Minor version update to 3.12.37-rt51 with new features: * e6500 hugepage TLB miss performance improvement * T1023RDB support * T1040D4RDB and T1042D4RDB support * DIU [T1042] * DPAA Ethernet: loadable module * eMMC: DDR mode [T2080] * eTSEC: Gianfar upstream updates and fixes * fmlib: table statistics, stats extension * IEEE802.1AE (MACSEC) and IEEE802.1X (port-based network access control) [T104x, T102x] * IEEE1588 ptpd open source stack includes more DPAA processors: P1023, P2041, P3041, P5020, P5040, T4240, T1023 * LAG SGMII 2.5G ports support - IPv4 traffics forwarding on aggregated 2 x 2.5Gb L2 Switch FMAN ports [1040] * LAG support of IPv6 traffics forwarding and TCP/UDP traffics over IPv6 forwarding (2 x 2.5Gb L2 Switch WAN) [1040] * LAG support of IPv6 traffics forwarding and TCP/UDP traffics over IPv6 forwarding on both 1 G RGMII port and 1G SGMII port [1040] * Power Management: Power off feature for all QDS boards except B9132QDS and B4860QDS * SEC: QI Driver IPSec performance improvement * SGMII 2.5G fixed link [T1024] * USB: Dual UTMI For detailed history, see http://git.freescale.com/git/cgit.cgi/ppc/sdk/linux.git/tag/?id=fsl-sdk-v1.8 Also remove the patches which already merged in 3.12.37-rt51 Signed-off-by: Ting Liu <ting.liu@freescale.com> Acked-by: Otavio Salvador <otavio@ossystems.com.br>
Diffstat
-rw-r--r--recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch140
-rw-r--r--recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch43
-rw-r--r--recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch52
-rw-r--r--recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch94
-rw-r--r--recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch62
-rw-r--r--recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch348
-rw-r--r--recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch141
-rw-r--r--recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch92
-rw-r--r--recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch46
-rw-r--r--recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch65
-rw-r--r--recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch86
-rw-r--r--recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch62
-rw-r--r--recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch102
-rw-r--r--recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch200
-rw-r--r--recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch114
-rw-r--r--recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch137
-rw-r--r--recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch160
-rw-r--r--recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch134
-rw-r--r--recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch51
-rw-r--r--recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch64
-rw-r--r--recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch324
-rw-r--r--recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch41
-rw-r--r--recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch212
-rw-r--r--recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch47
-rw-r--r--recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch91
-rw-r--r--recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch41
-rw-r--r--recipes-kernel/linux/files/fs-CVE-2014-4014.patch210
-rw-r--r--recipes-kernel/linux/files/mm-2014-3122.patch98
-rw-r--r--recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch24
-rw-r--r--recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch6
-rw-r--r--recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch80
-rw-r--r--recipes-kernel/linux/files/sctp-CVE-2014-4667.patch51
-rw-r--r--recipes-kernel/linux/files/sctp-CVE-2014-7841.patch85
-rw-r--r--recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch53
-rw-r--r--recipes-kernel/linux/files/target-CVE-2014-4027.patch46
-rw-r--r--recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch94
-rw-r--r--recipes-kernel/linux/files/udf-CVE-2014-6410.patch96
-rw-r--r--recipes-kernel/linux/linux-qoriq_3.12.bb38
38 files changed, 9 insertions, 3821 deletions
diff --git a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
deleted file mode 100644
index 0130768..0000000
--- a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
+++ /dev/null
@@ -1,140 +0,0 @@
1From ed81e6b21790b717cda5f5bab2bdb07d2ce17ab1 Mon Sep 17 00:00:00 2001
2From: Lars-Peter Clausen <lars@metafoo.de>
3Date: Wed, 18 Jun 2014 13:32:31 +0200
4Subject: [PATCH] ALSA: control: Protect user controls against concurrent
5 access
6
7commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream.
8
9The user-control put and get handlers as well as the tlv do not protect against
10concurrent access from multiple threads. Since the state of the control is not
11updated atomically it is possible that either two write operations or a write
12and a read operation race against each other. Both can lead to arbitrary memory
13disclosure. This patch introduces a new lock that protects user-controls from
14concurrent access. Since applications typically access controls sequentially
15than in parallel a single lock per card should be fine.
16
17This fixes CVE-2014-4652
18Upstream-Status: Backport
19
20Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
21Acked-by: Jaroslav Kysela <perex@perex.cz>
22Signed-off-by: Takashi Iwai <tiwai@suse.de>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 include/sound/core.h | 2 ++
27 sound/core/control.c | 31 +++++++++++++++++++++++++------
28 sound/core/init.c | 1 +
29 3 files changed, 28 insertions(+), 6 deletions(-)
30
31diff --git a/include/sound/core.h b/include/sound/core.h
32index 2a14f1f..d6bc961 100644
33--- a/include/sound/core.h
34+++ b/include/sound/core.h
35@@ -121,6 +121,8 @@ struct snd_card {
36 int user_ctl_count; /* count of all user controls */
37 struct list_head controls; /* all controls for this card */
38 struct list_head ctl_files; /* active control files */
39+ struct mutex user_ctl_lock; /* protects user controls against
40+ concurrent access */
41
42 struct snd_info_entry *proc_root; /* root for soundcard specific files */
43 struct snd_info_entry *proc_id; /* the card id */
44diff --git a/sound/core/control.c b/sound/core/control.c
45index d8aa206..183fab2 100644
46--- a/sound/core/control.c
47+++ b/sound/core/control.c
48@@ -992,6 +992,7 @@ static int snd_ctl_elem_unlock(struct snd_ctl_file *file,
49
50 struct user_element {
51 struct snd_ctl_elem_info info;
52+ struct snd_card *card;
53 void *elem_data; /* element data */
54 unsigned long elem_data_size; /* size of element data in bytes */
55 void *tlv_data; /* TLV data */
56@@ -1035,7 +1036,9 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol,
57 {
58 struct user_element *ue = kcontrol->private_data;
59
60+ mutex_lock(&ue->card->user_ctl_lock);
61 memcpy(&ucontrol->value, ue->elem_data, ue->elem_data_size);
62+ mutex_unlock(&ue->card->user_ctl_lock);
63 return 0;
64 }
65
66@@ -1044,10 +1047,12 @@ static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol,
67 {
68 int change;
69 struct user_element *ue = kcontrol->private_data;
70-
71+
72+ mutex_lock(&ue->card->user_ctl_lock);
73 change = memcmp(&ucontrol->value, ue->elem_data, ue->elem_data_size) != 0;
74 if (change)
75 memcpy(ue->elem_data, &ucontrol->value, ue->elem_data_size);
76+ mutex_unlock(&ue->card->user_ctl_lock);
77 return change;
78 }
79
80@@ -1067,19 +1072,32 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
81 new_data = memdup_user(tlv, size);
82 if (IS_ERR(new_data))
83 return PTR_ERR(new_data);
84+ mutex_lock(&ue->card->user_ctl_lock);
85 change = ue->tlv_data_size != size;
86 if (!change)
87 change = memcmp(ue->tlv_data, new_data, size);
88 kfree(ue->tlv_data);
89 ue->tlv_data = new_data;
90 ue->tlv_data_size = size;
91+ mutex_unlock(&ue->card->user_ctl_lock);
92 } else {
93- if (! ue->tlv_data_size || ! ue->tlv_data)
94- return -ENXIO;
95- if (size < ue->tlv_data_size)
96- return -ENOSPC;
97+ int ret = 0;
98+
99+ mutex_lock(&ue->card->user_ctl_lock);
100+ if (!ue->tlv_data_size || !ue->tlv_data) {
101+ ret = -ENXIO;
102+ goto err_unlock;
103+ }
104+ if (size < ue->tlv_data_size) {
105+ ret = -ENOSPC;
106+ goto err_unlock;
107+ }
108 if (copy_to_user(tlv, ue->tlv_data, ue->tlv_data_size))
109- return -EFAULT;
110+ ret = -EFAULT;
111+err_unlock:
112+ mutex_unlock(&ue->card->user_ctl_lock);
113+ if (ret)
114+ return ret;
115 }
116 return change;
117 }
118@@ -1211,6 +1229,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
119 ue = kzalloc(sizeof(struct user_element) + private_size, GFP_KERNEL);
120 if (ue == NULL)
121 return -ENOMEM;
122+ ue->card = card;
123 ue->info = *info;
124 ue->info.access = 0;
125 ue->elem_data = (char *)ue + sizeof(*ue);
126diff --git a/sound/core/init.c b/sound/core/init.c
127index d047851..b9268a5 100644
128--- a/sound/core/init.c
129+++ b/sound/core/init.c
130@@ -215,6 +215,7 @@ int snd_card_create(int idx, const char *xid,
131 INIT_LIST_HEAD(&card->devices);
132 init_rwsem(&card->controls_rwsem);
133 rwlock_init(&card->ctl_files_rwlock);
134+ mutex_init(&card->user_ctl_lock);
135 INIT_LIST_HEAD(&card->controls);
136 INIT_LIST_HEAD(&card->ctl_files);
137 spin_lock_init(&card->files_lock);
138--
1391.9.1
140
diff --git a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
deleted file mode 100644
index 9859025..0000000
--- a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Mon Sep 17 00:00:00 2001
2From: Lars-Peter Clausen <lars@metafoo.de>
3Date: Wed, 18 Jun 2014 13:32:35 +0200
4Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow
5
6commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
7
8The ALSA control code expects that the range of assigned indices to a control is
9continuous and does not overflow. Currently there are no checks to enforce this.
10If a control with a overflowing index range is created that control becomes
11effectively inaccessible and unremovable since snd_ctl_find_id() will not be
12able to find it. This patch adds a check that makes sure that controls with a
13overflowing index range can not be created.
14
15Fixes CVE-2014-4656
16Upstream-Status: Backport
17
18Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
19Acked-by: Jaroslav Kysela <perex@perex.cz>
20Signed-off-by: Takashi Iwai <tiwai@suse.de>
21Signed-off-by: Jiri Slaby <jslaby@suse.cz>
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 sound/core/control.c | 3 +++
25 1 file changed, 3 insertions(+)
26
27diff --git a/sound/core/control.c b/sound/core/control.c
28index 93215b4..98a29b2 100644
29--- a/sound/core/control.c
30+++ b/sound/core/control.c
31@@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
32 if (snd_BUG_ON(!card || !kcontrol->info))
33 goto error;
34 id = kcontrol->id;
35+ if (id.index > UINT_MAX - kcontrol->count)
36+ goto error;
37+
38 down_write(&card->controls_rwsem);
39 if (snd_ctl_find_id(card, &id)) {
40 up_write(&card->controls_rwsem);
41--
421.9.1
43
diff --git a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
deleted file mode 100644
index 4355c68..0000000
--- a/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
+++ /dev/null
@@ -1,52 +0,0 @@
1From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Wed, 27 Aug 2014 09:12:24 +0200
4Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event()
5 callback
6
7The report passed to us from transport driver could potentially be
8arbitrarily large, therefore we better sanity-check it so that
9magicmouse_emit_touch() gets only valid values of raw_id.
10
11This fixes CVE-2014-3181
12Upstream-Status: Backport
13
14Cc: stable@vger.kernel.org
15Reported-by: Steven Vittitoe <scvitti@google.com>
16Signed-off-by: Jiri Kosina <jkosina@suse.cz>
17Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
18---
19 drivers/hid/hid-magicmouse.c | 10 ++++++++++
20 1 file changed, 10 insertions(+)
21
22diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
23index ecc2cbf..29a74c1 100644
24--- a/drivers/hid/hid-magicmouse.c
25+++ b/drivers/hid/hid-magicmouse.c
26@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
27 if (size < 4 || ((size - 4) % 9) != 0)
28 return 0;
29 npoints = (size - 4) / 9;
30+ if (npoints > 15) {
31+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n",
32+ size);
33+ return 0;
34+ }
35 msc->ntouches = 0;
36 for (ii = 0; ii < npoints; ii++)
37 magicmouse_emit_touch(msc, ii, data + ii * 9 + 4);
38@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev,
39 if (size < 6 || ((size - 6) % 8) != 0)
40 return 0;
41 npoints = (size - 6) / 8;
42+ if (npoints > 15) {
43+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n",
44+ size);
45+ return 0;
46+ }
47 msc->ntouches = 0;
48 for (ii = 0; ii < npoints; ii++)
49 magicmouse_emit_touch(msc, ii, data + ii * 8 + 6);
50--
511.9.1
52
diff --git a/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch b/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
deleted file mode 100644
index e19a3c1..0000000
--- a/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
+++ /dev/null
@@ -1,94 +0,0 @@
1From e35b1e9f17e0567f96502f3a2a31dace727ed3da Mon Sep 17 00:00:00 2001
2From: "Michael S. Tsirkin" <mst@redhat.com>
3Date: Tue, 19 Aug 2014 19:14:50 +0800
4Subject: [PATCH] kvm: iommu: fix the third parameter of kvm_iommu_put_pages
5 (CVE-2014-3601)
6
7commit 350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 upstream.
8
9The third parameter of kvm_iommu_put_pages is wrong,
10It should be 'gfn - slot->base_gfn'.
11
12By making gfn very large, malicious guest or userspace can cause kvm to
13go to this error path, and subsequently to pass a huge value as size.
14Alternatively if gfn is small, then pages would be pinned but never
15unpinned, causing host memory leak and local DOS.
16
17Passing a reasonable but large value could be the most dangerous case,
18because it would unpin a page that should have stayed pinned, and thus
19allow the device to DMA into arbitrary memory. However, this cannot
20happen because of the condition that can trigger the error:
21
22- out of memory (where you can't allocate even a single page)
23 should not be possible for the attacker to trigger
24
25- when exceeding the iommu's address space, guest pages after gfn
26 will also exceed the iommu's address space, and inside
27 kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The
28 page thus would not be unpinned at all.
29
30Upstream-Status: Backport
31
32Reported-by: Jack Morgenstein <jackm@mellanox.com>
33Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
34Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
35Signed-off-by: Jiri Slaby <jslaby@suse.cz>
36Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
37---
38 virt/kvm/iommu.c | 19 ++++++++++---------
39 1 file changed, 10 insertions(+), 9 deletions(-)
40
41diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
42index c329c8f..dec9971 100644
43--- a/virt/kvm/iommu.c
44+++ b/virt/kvm/iommu.c
45@@ -61,6 +61,14 @@ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
46 return pfn;
47 }
48
49+static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
50+{
51+ unsigned long i;
52+
53+ for (i = 0; i < npages; ++i)
54+ kvm_release_pfn_clean(pfn + i);
55+}
56+
57 int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
58 {
59 gfn_t gfn, end_gfn;
60@@ -123,6 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
61 if (r) {
62 printk(KERN_ERR "kvm_iommu_map_address:"
63 "iommu failed to map pfn=%llx\n", pfn);
64+ kvm_unpin_pages(kvm, pfn, page_size);
65 goto unmap_pages;
66 }
67
68@@ -134,7 +143,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
69 return 0;
70
71 unmap_pages:
72- kvm_iommu_put_pages(kvm, slot->base_gfn, gfn);
73+ kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn);
74 return r;
75 }
76
77@@ -272,14 +281,6 @@ out_unlock:
78 return r;
79 }
80
81-static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
82-{
83- unsigned long i;
84-
85- for (i = 0; i < npages; ++i)
86- kvm_release_pfn_clean(pfn + i);
87-}
88-
89 static void kvm_iommu_put_pages(struct kvm *kvm,
90 gfn_t base_gfn, unsigned long npages)
91 {
92--
931.9.1
94
diff --git a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index aec8930..0000000
--- a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,62 +0,0 @@
1From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 16:26:53 -0700
4Subject: [PATCH] mnt: Only change user settable mount flags in remount
5
6commit a6138db815df5ee542d848318e5dae681590fccd upstream.
7
8Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
9read-only bind mount read-only in a user namespace the
10MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
11to the remount a read-only mount read-write.
12
13Correct this by replacing the mask of mount flags to preserve
14with a mask of mount flags that may be changed, and preserve
15all others. This ensures that any future bugs with this mask and
16remount will fail in an easy to detect way where new mount flags
17simply won't change.
18
19Fix for CVE-2014-5206 and CVE-2014-5207
20Upstream-Status: backport
21
22Cc: stable@vger.kernel.org
23Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
24Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
25Signed-off-by: Jiri Slaby <jslaby@suse.cz>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 fs/namespace.c | 2 +-
29 include/linux/mount.h | 4 +++-
30 2 files changed, 4 insertions(+), 2 deletions(-)
31
32diff --git a/fs/namespace.c b/fs/namespace.c
33index 84447db..34fa7a5 100644
34--- a/fs/namespace.c
35+++ b/fs/namespace.c
36@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
37 err = do_remount_sb(sb, flags, data, 0);
38 if (!err) {
39 br_write_lock(&vfsmount_lock);
40- mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
41+ mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
42 mnt->mnt.mnt_flags = mnt_flags;
43 br_write_unlock(&vfsmount_lock);
44 }
45diff --git a/include/linux/mount.h b/include/linux/mount.h
46index 38cd98f..8707c9e 100644
47--- a/include/linux/mount.h
48+++ b/include/linux/mount.h
49@@ -42,7 +42,9 @@ struct mnt_namespace;
50 * flag, consider how it interacts with shared mounts.
51 */
52 #define MNT_SHARED_MASK (MNT_UNBINDABLE)
53-#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE)
54+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
55+ | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
56+ | MNT_READONLY)
57
58
59 #define MNT_INTERNAL 0x4000
60--
611.9.1
62
diff --git a/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch b/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
deleted file mode 100644
index 68289f2..0000000
--- a/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
+++ /dev/null
@@ -1,348 +0,0 @@
1From bbd951a21e0fd555cd9ede44c7196af09d04d171 Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Thu, 9 Oct 2014 22:55:31 +0200
4Subject: [PATCH] net: sctp: fix skb_over_panic when receiving malformed ASCONF
5 chunks
6
7commit 9de7922bc709eee2f609cd01d98aaedc4cf5ea74 upstream.
8
9Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
10ASCONF chunk") added basic verification of ASCONF chunks, however,
11it is still possible to remotely crash a server by sending a
12special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
13
14skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
15 head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
16 end:0x440 dev:<NULL>
17 ------------[ cut here ]------------
18kernel BUG at net/core/skbuff.c:129!
19[...]
20Call Trace:
21 <IRQ>
22 [<ffffffff8144fb1c>] skb_put+0x5c/0x70
23 [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
24 [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
25 [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
26 [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
27 [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
28 [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
29 [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
30 [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
31 [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
32 [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
33 [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
34 [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
35 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
36 [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
37 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
38 [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
39 [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
40 [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
41 [<ffffffff81496ac5>] ip_rcv+0x275/0x350
42 [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
43 [<ffffffff81460588>] netif_receive_skb+0x58/0x60
44
45This can be triggered e.g., through a simple scripted nmap
46connection scan injecting the chunk after the handshake, for
47example, ...
48
49 -------------- INIT[ASCONF; ASCONF_ACK] ------------->
50 <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
51 -------------------- COOKIE-ECHO -------------------->
52 <-------------------- COOKIE-ACK ---------------------
53 ------------------ ASCONF; UNKNOWN ------------------>
54
55... where ASCONF chunk of length 280 contains 2 parameters ...
56
57 1) Add IP address parameter (param length: 16)
58 2) Add/del IP address parameter (param length: 255)
59
60... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
61Address Parameter in the ASCONF chunk is even missing, too.
62This is just an example and similarly-crafted ASCONF chunks
63could be used just as well.
64
65The ASCONF chunk passes through sctp_verify_asconf() as all
66parameters passed sanity checks, and after walking, we ended
67up successfully at the chunk end boundary, and thus may invoke
68sctp_process_asconf(). Parameter walking is done with
69WORD_ROUND() to take padding into account.
70
71In sctp_process_asconf()'s TLV processing, we may fail in
72sctp_process_asconf_param() e.g., due to removal of the IP
73address that is also the source address of the packet containing
74the ASCONF chunk, and thus we need to add all TLVs after the
75failure to our ASCONF response to remote via helper function
76sctp_add_asconf_response(), which basically invokes a
77sctp_addto_chunk() adding the error parameters to the given
78skb.
79
80When walking to the next parameter this time, we proceed
81with ...
82
83 length = ntohs(asconf_param->param_hdr.length);
84 asconf_param = (void *)asconf_param + length;
85
86... instead of the WORD_ROUND()'ed length, thus resulting here
87in an off-by-one that leads to reading the follow-up garbage
88parameter length of 12336, and thus throwing an skb_over_panic
89for the reply when trying to sctp_addto_chunk() next time,
90which implicitly calls the skb_put() with that length.
91
92Fix it by using sctp_walk_params() [ which is also used in
93INIT parameter processing ] macro in the verification *and*
94in ASCONF processing: it will make sure we don't spill over,
95that we walk parameters WORD_ROUND()'ed. Moreover, we're being
96more defensive and guard against unknown parameter types and
97missized addresses.
98
99Joint work with Vlad Yasevich.
100
101Fixes CVE-2014-3673
102Upstream-Status: Backport
103
104Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
105Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
106Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
107Acked-by: Neil Horman <nhorman@tuxdriver.com>
108Signed-off-by: David S. Miller <davem@davemloft.net>
109Cc: Josh Boyer <jwboyer@fedoraproject.org>
110Signed-off-by: Jiri Slaby <jslaby@suse.cz>
111Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
112---
113 include/net/sctp/sm.h | 6 +--
114 net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++++---------------------
115 net/sctp/sm_statefuns.c | 18 +--------
116 3 files changed, 60 insertions(+), 63 deletions(-)
117
118diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
119index 4ef75af..c91b6f5 100644
120--- a/include/net/sctp/sm.h
121+++ b/include/net/sctp/sm.h
122@@ -249,9 +249,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
123 int, __be16);
124 struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
125 union sctp_addr *addr);
126-int sctp_verify_asconf(const struct sctp_association *asoc,
127- struct sctp_paramhdr *param_hdr, void *chunk_end,
128- struct sctp_paramhdr **errp);
129+bool sctp_verify_asconf(const struct sctp_association *asoc,
130+ struct sctp_chunk *chunk, bool addr_param_needed,
131+ struct sctp_paramhdr **errp);
132 struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
133 struct sctp_chunk *asconf);
134 int sctp_process_asconf_ack(struct sctp_association *asoc,
135diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
136index e342387..d800160 100644
137--- a/net/sctp/sm_make_chunk.c
138+++ b/net/sctp/sm_make_chunk.c
139@@ -3126,50 +3126,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
140 return SCTP_ERROR_NO_ERROR;
141 }
142
143-/* Verify the ASCONF packet before we process it. */
144-int sctp_verify_asconf(const struct sctp_association *asoc,
145- struct sctp_paramhdr *param_hdr, void *chunk_end,
146- struct sctp_paramhdr **errp) {
147- sctp_addip_param_t *asconf_param;
148+/* Verify the ASCONF packet before we process it. */
149+bool sctp_verify_asconf(const struct sctp_association *asoc,
150+ struct sctp_chunk *chunk, bool addr_param_needed,
151+ struct sctp_paramhdr **errp)
152+{
153+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
154 union sctp_params param;
155- int length, plen;
156-
157- param.v = (sctp_paramhdr_t *) param_hdr;
158- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
159- length = ntohs(param.p->length);
160- *errp = param.p;
161+ bool addr_param_seen = false;
162
163- if (param.v > chunk_end - length ||
164- length < sizeof(sctp_paramhdr_t))
165- return 0;
166+ sctp_walk_params(param, addip, addip_hdr.params) {
167+ size_t length = ntohs(param.p->length);
168
169+ *errp = param.p;
170 switch (param.p->type) {
171+ case SCTP_PARAM_ERR_CAUSE:
172+ break;
173+ case SCTP_PARAM_IPV4_ADDRESS:
174+ if (length != sizeof(sctp_ipv4addr_param_t))
175+ return false;
176+ addr_param_seen = true;
177+ break;
178+ case SCTP_PARAM_IPV6_ADDRESS:
179+ if (length != sizeof(sctp_ipv6addr_param_t))
180+ return false;
181+ addr_param_seen = true;
182+ break;
183 case SCTP_PARAM_ADD_IP:
184 case SCTP_PARAM_DEL_IP:
185 case SCTP_PARAM_SET_PRIMARY:
186- asconf_param = (sctp_addip_param_t *)param.v;
187- plen = ntohs(asconf_param->param_hdr.length);
188- if (plen < sizeof(sctp_addip_param_t) +
189- sizeof(sctp_paramhdr_t))
190- return 0;
191+ /* In ASCONF chunks, these need to be first. */
192+ if (addr_param_needed && !addr_param_seen)
193+ return false;
194+ length = ntohs(param.addip->param_hdr.length);
195+ if (length < sizeof(sctp_addip_param_t) +
196+ sizeof(sctp_paramhdr_t))
197+ return false;
198 break;
199 case SCTP_PARAM_SUCCESS_REPORT:
200 case SCTP_PARAM_ADAPTATION_LAYER_IND:
201 if (length != sizeof(sctp_addip_param_t))
202- return 0;
203-
204+ return false;
205 break;
206 default:
207- break;
208+ /* This is unkown to us, reject! */
209+ return false;
210 }
211-
212- param.v += WORD_ROUND(length);
213 }
214
215- if (param.v != chunk_end)
216- return 0;
217+ /* Remaining sanity checks. */
218+ if (addr_param_needed && !addr_param_seen)
219+ return false;
220+ if (!addr_param_needed && addr_param_seen)
221+ return false;
222+ if (param.v != chunk->chunk_end)
223+ return false;
224
225- return 1;
226+ return true;
227 }
228
229 /* Process an incoming ASCONF chunk with the next expected serial no. and
230@@ -3178,16 +3191,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
231 struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
232 struct sctp_chunk *asconf)
233 {
234+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
235+ bool all_param_pass = true;
236+ union sctp_params param;
237 sctp_addiphdr_t *hdr;
238 union sctp_addr_param *addr_param;
239 sctp_addip_param_t *asconf_param;
240 struct sctp_chunk *asconf_ack;
241-
242 __be16 err_code;
243 int length = 0;
244 int chunk_len;
245 __u32 serial;
246- int all_param_pass = 1;
247
248 chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
249 hdr = (sctp_addiphdr_t *)asconf->skb->data;
250@@ -3215,9 +3229,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
251 goto done;
252
253 /* Process the TLVs contained within the ASCONF chunk. */
254- while (chunk_len > 0) {
255+ sctp_walk_params(param, addip, addip_hdr.params) {
256+ /* Skip preceeding address parameters. */
257+ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
258+ param.p->type == SCTP_PARAM_IPV6_ADDRESS)
259+ continue;
260+
261 err_code = sctp_process_asconf_param(asoc, asconf,
262- asconf_param);
263+ param.addip);
264 /* ADDIP 4.1 A7)
265 * If an error response is received for a TLV parameter,
266 * all TLVs with no response before the failed TLV are
267@@ -3225,28 +3244,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
268 * the failed response are considered unsuccessful unless
269 * a specific success indication is present for the parameter.
270 */
271- if (SCTP_ERROR_NO_ERROR != err_code)
272- all_param_pass = 0;
273-
274+ if (err_code != SCTP_ERROR_NO_ERROR)
275+ all_param_pass = false;
276 if (!all_param_pass)
277- sctp_add_asconf_response(asconf_ack,
278- asconf_param->crr_id, err_code,
279- asconf_param);
280+ sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
281+ err_code, param.addip);
282
283 /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
284 * an IP address sends an 'Out of Resource' in its response, it
285 * MUST also fail any subsequent add or delete requests bundled
286 * in the ASCONF.
287 */
288- if (SCTP_ERROR_RSRC_LOW == err_code)
289+ if (err_code == SCTP_ERROR_RSRC_LOW)
290 goto done;
291-
292- /* Move to the next ASCONF param. */
293- length = ntohs(asconf_param->param_hdr.length);
294- asconf_param = (void *)asconf_param + length;
295- chunk_len -= length;
296 }
297-
298 done:
299 asoc->peer.addip_serial++;
300
301diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
302index 62623cc..bf12098 100644
303--- a/net/sctp/sm_statefuns.c
304+++ b/net/sctp/sm_statefuns.c
305@@ -3595,9 +3595,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
306 struct sctp_chunk *asconf_ack = NULL;
307 struct sctp_paramhdr *err_param = NULL;
308 sctp_addiphdr_t *hdr;
309- union sctp_addr_param *addr_param;
310 __u32 serial;
311- int length;
312
313 if (!sctp_vtag_verify(chunk, asoc)) {
314 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
315@@ -3622,17 +3620,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
316 hdr = (sctp_addiphdr_t *)chunk->skb->data;
317 serial = ntohl(hdr->serial);
318
319- addr_param = (union sctp_addr_param *)hdr->params;
320- length = ntohs(addr_param->p.length);
321- if (length < sizeof(sctp_paramhdr_t))
322- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
323- (void *)addr_param, commands);
324-
325 /* Verify the ASCONF chunk before processing it. */
326- if (!sctp_verify_asconf(asoc,
327- (sctp_paramhdr_t *)((void *)addr_param + length),
328- (void *)chunk->chunk_end,
329- &err_param))
330+ if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
331 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
332 (void *)err_param, commands);
333
334@@ -3750,10 +3739,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
335 rcvd_serial = ntohl(addip_hdr->serial);
336
337 /* Verify the ASCONF-ACK chunk before processing it. */
338- if (!sctp_verify_asconf(asoc,
339- (sctp_paramhdr_t *)addip_hdr->params,
340- (void *)asconf_ack->chunk_end,
341- &err_param))
342+ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
343 return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
344 (void *)err_param, commands);
345
346--
3471.9.1
348
diff --git a/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch b/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
deleted file mode 100644
index 00ead60..0000000
--- a/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,141 +0,0 @@
1From 8685789bd8ec12a02b07ea76df4527b055efbf20 Mon Sep 17 00:00:00 2001
2From: Hugh Dickins <hughd@google.com>
3Date: Mon, 23 Jun 2014 13:22:06 -0700
4Subject: [PATCH 1/3] shmem: fix faulting into a hole while it's punched
5
6commit f00cdc6df7d7cfcabb5b740911e6788cb0802bdb upstream.
7
8Trinity finds that mmap access to a hole while it's punched from shmem
9can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE)
10from completing, until the reader chooses to stop; with the puncher's
11hold on i_mutex locking out all other writers until it can complete.
12
13It appears that the tmpfs fault path is too light in comparison with its
14hole-punching path, lacking an i_data_sem to obstruct it; but we don't
15want to slow down the common case.
16
17Extend shmem_fallocate()'s existing range notification mechanism, so
18shmem_fault() can refrain from faulting pages into the hole while it's
19punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
20faulting when not).
21
22Upstream-Status: Backport
23
24[akpm@linux-foundation.org: coding-style fixes]
25Signed-off-by: Hugh Dickins <hughd@google.com>
26Reported-by: Sasha Levin <sasha.levin@oracle.com>
27Tested-by: Sasha Levin <sasha.levin@oracle.com>
28Cc: Dave Jones <davej@redhat.com>
29Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
30Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31
32Signed-off-by: Jiri Slaby <jslaby@suse.cz>
33Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
34---
35 mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
36 1 file changed, 52 insertions(+), 4 deletions(-)
37
38diff --git a/mm/shmem.c b/mm/shmem.c
39index 8297623..00d412f 100644
40--- a/mm/shmem.c
41+++ b/mm/shmem.c
42@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt;
43 #define SHORT_SYMLINK_LEN 128
44
45 /*
46- * shmem_fallocate and shmem_writepage communicate via inode->i_private
47- * (with i_mutex making sure that it has only one user at a time):
48- * we would prefer not to enlarge the shmem inode just for that.
49+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via
50+ * inode->i_private (with i_mutex making sure that it has only one user at
51+ * a time): we would prefer not to enlarge the shmem inode just for that.
52 */
53 struct shmem_falloc {
54+ int mode; /* FALLOC_FL mode currently operating */
55 pgoff_t start; /* start of range currently being fallocated */
56 pgoff_t next; /* the next page offset to be fallocated */
57 pgoff_t nr_falloced; /* how many new pages have been fallocated */
58@@ -826,6 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
59 spin_lock(&inode->i_lock);
60 shmem_falloc = inode->i_private;
61 if (shmem_falloc &&
62+ !shmem_falloc->mode &&
63 index >= shmem_falloc->start &&
64 index < shmem_falloc->next)
65 shmem_falloc->nr_unswapped++;
66@@ -1300,6 +1302,44 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
67 int error;
68 int ret = VM_FAULT_LOCKED;
69
70+ /*
71+ * Trinity finds that probing a hole which tmpfs is punching can
72+ * prevent the hole-punch from ever completing: which in turn
73+ * locks writers out with its hold on i_mutex. So refrain from
74+ * faulting pages into the hole while it's being punched, and
75+ * wait on i_mutex to be released if vmf->flags permits.
76+ */
77+ if (unlikely(inode->i_private)) {
78+ struct shmem_falloc *shmem_falloc;
79+
80+ spin_lock(&inode->i_lock);
81+ shmem_falloc = inode->i_private;
82+ if (!shmem_falloc ||
83+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
84+ vmf->pgoff < shmem_falloc->start ||
85+ vmf->pgoff >= shmem_falloc->next)
86+ shmem_falloc = NULL;
87+ spin_unlock(&inode->i_lock);
88+ /*
89+ * i_lock has protected us from taking shmem_falloc seriously
90+ * once return from shmem_fallocate() went back up that stack.
91+ * i_lock does not serialize with i_mutex at all, but it does
92+ * not matter if sometimes we wait unnecessarily, or sometimes
93+ * miss out on waiting: we just need to make those cases rare.
94+ */
95+ if (shmem_falloc) {
96+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
97+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
98+ up_read(&vma->vm_mm->mmap_sem);
99+ mutex_lock(&inode->i_mutex);
100+ mutex_unlock(&inode->i_mutex);
101+ return VM_FAULT_RETRY;
102+ }
103+ /* cond_resched? Leave that to GUP or return to user */
104+ return VM_FAULT_NOPAGE;
105+ }
106+ }
107+
108 error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
109 if (error)
110 return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS);
111@@ -1815,18 +1855,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
112
113 mutex_lock(&inode->i_mutex);
114
115+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
116+
117 if (mode & FALLOC_FL_PUNCH_HOLE) {
118 struct address_space *mapping = file->f_mapping;
119 loff_t unmap_start = round_up(offset, PAGE_SIZE);
120 loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
121
122+ shmem_falloc.start = unmap_start >> PAGE_SHIFT;
123+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
124+ spin_lock(&inode->i_lock);
125+ inode->i_private = &shmem_falloc;
126+ spin_unlock(&inode->i_lock);
127+
128 if ((u64)unmap_end > (u64)unmap_start)
129 unmap_mapping_range(mapping, unmap_start,
130 1 + unmap_end - unmap_start, 0);
131 shmem_truncate_range(inode, offset, offset + len - 1);
132 /* No need to unmap again: hole-punching leaves COWed pages */
133 error = 0;
134- goto out;
135+ goto undone;
136 }
137
138 /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
139--
1401.9.1
141
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
deleted file mode 100644
index 8612d74..0000000
--- a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
+++ /dev/null
@@ -1,92 +0,0 @@
1From 0bf595fd311aa4d6e82c43879f2c0d0650e83271 Mon Sep 17 00:00:00 2001
2From: Lars-Peter Clausen <lars@metafoo.de>
3Date: Wed, 18 Jun 2014 13:32:33 +0200
4Subject: [PATCH] ALSA: control: Don't access controls outside of protected
5 regions
6
7commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream.
8
9A control that is visible on the card->controls list can be freed at any time.
10This means we must not access any of its memory while not holding the
11controls_rw_lock. Otherwise we risk a use after free access.
12
13This fixes CVE-2014-4653
14Upstream-Status: Backport
15
16Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
17Acked-by: Jaroslav Kysela <perex@perex.cz>
18Signed-off-by: Takashi Iwai <tiwai@suse.de>
19Signed-off-by: Jiri Slaby <jslaby@suse.cz>
20Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
21---
22 sound/core/control.c | 15 ++++++++++-----
23 1 file changed, 10 insertions(+), 5 deletions(-)
24
25diff --git a/sound/core/control.c b/sound/core/control.c
26index 15bc844..d4a597f 100644
27--- a/sound/core/control.c
28+++ b/sound/core/control.c
29@@ -331,6 +331,7 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
30 {
31 struct snd_ctl_elem_id id;
32 unsigned int idx;
33+ unsigned int count;
34 int err = -EINVAL;
35
36 if (! kcontrol)
37@@ -359,8 +360,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
38 card->controls_count += kcontrol->count;
39 kcontrol->id.numid = card->last_numid + 1;
40 card->last_numid += kcontrol->count;
41+ count = kcontrol->count;
42 up_write(&card->controls_rwsem);
43- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
44+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
45 snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
46 return 0;
47
48@@ -389,6 +391,7 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
49 bool add_on_replace)
50 {
51 struct snd_ctl_elem_id id;
52+ unsigned int count;
53 unsigned int idx;
54 struct snd_kcontrol *old;
55 int ret;
56@@ -424,8 +427,9 @@ add:
57 card->controls_count += kcontrol->count;
58 kcontrol->id.numid = card->last_numid + 1;
59 card->last_numid += kcontrol->count;
60+ count = kcontrol->count;
61 up_write(&card->controls_rwsem);
62- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
63+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
64 snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
65 return 0;
66
67@@ -898,9 +902,9 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file,
68 result = kctl->put(kctl, control);
69 }
70 if (result > 0) {
71+ struct snd_ctl_elem_id id = control->id;
72 up_read(&card->controls_rwsem);
73- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE,
74- &control->id);
75+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, &id);
76 return 0;
77 }
78 }
79@@ -1334,8 +1338,9 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
80 }
81 err = kctl->tlv.c(kctl, op_flag, tlv.length, _tlv->tlv);
82 if (err > 0) {
83+ struct snd_ctl_elem_id id = kctl->id;
84 up_read(&card->controls_rwsem);
85- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &kctl->id);
86+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &id);
87 return 0;
88 }
89 } else {
90--
911.9.1
92
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
deleted file mode 100644
index 2065780..0000000
--- a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
2From: Lars-Peter Clausen <lars@metafoo.de>
3Date: Wed, 18 Jun 2014 13:32:34 +0200
4Subject: [PATCH] ALSA: control: Handle numid overflow
5
6commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
7
8Each control gets automatically assigned its numids when the control is created.
9The allocation is done by incrementing the numid by the amount of allocated
10numids per allocation. This means that excessive creation and destruction of
11controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
12eventually overflow. Currently when this happens for the control that caused the
13overflow kctl->id.numid + kctl->count will also over flow causing it to be
14smaller than kctl->id.numid. Most of the code assumes that this is something
15that can not happen, so we need to make sure that it won't happen
16
17Fixes CVE-2014-4656
18Upstream-Status: Backport
19
20Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
21Acked-by: Jaroslav Kysela <perex@perex.cz>
22Signed-off-by: Takashi Iwai <tiwai@suse.de>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 sound/core/control.c | 4 ++++
27 1 file changed, 4 insertions(+)
28
29diff --git a/sound/core/control.c b/sound/core/control.c
30index d4a597f..93215b4 100644
31--- a/sound/core/control.c
32+++ b/sound/core/control.c
33@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
34 {
35 struct snd_kcontrol *kctl;
36
37+ /* Make sure that the ids assigned to the control do not wrap around */
38+ if (card->last_numid >= UINT_MAX - count)
39+ card->last_numid = 0;
40+
41 list_for_each_entry(kctl, &card->controls, list) {
42 if (kctl->id.numid < card->last_numid + 1 + count &&
43 kctl->id.numid + kctl->count > card->last_numid + 1) {
44--
451.9.1
46
diff --git a/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
deleted file mode 100644
index a90d079..0000000
--- a/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
+++ /dev/null
@@ -1,65 +0,0 @@
1From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Thu, 21 Aug 2014 09:57:17 -0500
4Subject: [PATCH] HID: logitech: perform bounds checking on device_id early
5 enough
6
7device_index is a char type and the size of paired_dj_deivces is 7
8elements, therefore proper bounds checking has to be applied to
9device_index before it is used.
10
11We are currently performing the bounds checking in
12logi_dj_recv_add_djhid_device(), which is too late, as malicious device
13could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
14problem in one of the report forwarding functions called from
15logi_dj_raw_event().
16
17Fix this by performing the check at the earliest possible ocasion in
18logi_dj_raw_event().
19
20This fixes CVE-2014-3182
21Upstream-Status: Backport
22
23Cc: stable@vger.kernel.org
24Reported-by: Ben Hawkes <hawkes@google.com>
25Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
26Signed-off-by: Jiri Kosina <jkosina@suse.cz>
27Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
28---
29 drivers/hid/hid-logitech-dj.c | 13 ++++++-------
30 1 file changed, 6 insertions(+), 7 deletions(-)
31
32diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
33index ca0ab51..b7ba829 100644
34--- a/drivers/hid/hid-logitech-dj.c
35+++ b/drivers/hid/hid-logitech-dj.c
36@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
37 return;
38 }
39
40- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
41- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
42- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
43- __func__, dj_report->device_index);
44- return;
45- }
46-
47 if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
48 /* The device is already known. No need to reallocate it. */
49 dbg_hid("%s: device is already known\n", __func__);
50@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
51 * device (via hid_input_report() ) and return 1 so hid-core does not do
52 * anything else with it.
53 */
54+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
55+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
56+ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
57+ __func__, dj_report->device_index);
58+ return false;
59+ }
60
61 spin_lock_irqsave(&djrcv_dev->lock, flags);
62 if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
63--
641.9.1
65
diff --git a/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch b/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
deleted file mode 100644
index e43771c..0000000
--- a/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
+++ /dev/null
@@ -1,86 +0,0 @@
1From 248541357433e3035d954435dafcdb9e70afee4e Mon Sep 17 00:00:00 2001
2From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
3Date: Fri, 17 Oct 2014 22:55:59 +0200
4Subject: [PATCH] kvm: fix excessive pages un-pinning in kvm_iommu_map error
5 path.
6
7commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
8
9The third parameter of kvm_unpin_pages() when called from
10kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
11and not the page size.
12
13This error was facilitated with an inconsistent API: kvm_pin_pages() takes
14a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
15by matching the two.
16
17This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
18of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
19un-pinning for pages intended to be un-pinned (i.e. memory leak) but
20unfortunately potentially aggravated the number of pages we un-pin that
21should have stayed pinned. As far as I understand though, the same
22practical mitigations apply.
23
24This issue was found during review of Red Hat 6.6 patches to prepare
25Ksplice rebootless updates.
26
27Thanks to Vegard for his time on a late Friday evening to help me in
28understanding this code.
29
30Fix for CVE-2014-8369
31
32Upstream-Status: Backport
33
34Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
35Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
36Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
37Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
38Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
39Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
40Signed-off-by: Jiri Slaby <jslaby@suse.cz>
41Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
42---
43 virt/kvm/iommu.c | 8 ++++----
44 1 file changed, 4 insertions(+), 4 deletions(-)
45
46diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
47index dec9971..a650aa4 100644
48--- a/virt/kvm/iommu.c
49+++ b/virt/kvm/iommu.c
50@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
51 gfn_t base_gfn, unsigned long npages);
52
53 static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
54- unsigned long size)
55+ unsigned long npages)
56 {
57 gfn_t end_gfn;
58 pfn_t pfn;
59
60 pfn = gfn_to_pfn_memslot(slot, gfn);
61- end_gfn = gfn + (size >> PAGE_SHIFT);
62+ end_gfn = gfn + npages;
63 gfn += 1;
64
65 if (is_error_noslot_pfn(pfn))
66@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
67 * Pin all pages we are about to map in memory. This is
68 * important because we unmap and unpin in 4kb steps later.
69 */
70- pfn = kvm_pin_pages(slot, gfn, page_size);
71+ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
72 if (is_error_noslot_pfn(pfn)) {
73 gfn += 1;
74 continue;
75@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
76 if (r) {
77 printk(KERN_ERR "kvm_iommu_map_address:"
78 "iommu failed to map pfn=%llx\n", pfn);
79- kvm_unpin_pages(kvm, pfn, page_size);
80+ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
81 goto unmap_pages;
82 }
83
84--
851.9.1
86
diff --git a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index b08f217..0000000
--- a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,62 +0,0 @@
1From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:10:56 -0700
4Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from
5 change_mount_flags into do_remount
6
7commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
8
9There are no races as locked mount flags are guaranteed to never change.
10
11Moving the test into do_remount makes it more visible, and ensures all
12filesystem remounts pass the MNT_LOCK_READONLY permission check. This
13second case is not an issue today as filesystem remounts are guarded
14by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
15mount namespaces, but it could become an issue in the future.
16
17Fix for CVE-2014-5206 and CVE-2014-5207
18Upstream-Status: backport
19
20Cc: stable@vger.kernel.org
21Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
22Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 fs/namespace.c | 13 ++++++++++---
27 1 file changed, 10 insertions(+), 3 deletions(-)
28
29diff --git a/fs/namespace.c b/fs/namespace.c
30index 34fa7a5..8e90b03 100644
31--- a/fs/namespace.c
32+++ b/fs/namespace.c
33@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
34 if (readonly_request == __mnt_is_readonly(mnt))
35 return 0;
36
37- if (mnt->mnt_flags & MNT_LOCK_READONLY)
38- return -EPERM;
39-
40 if (readonly_request)
41 error = mnt_make_readonly(real_mount(mnt));
42 else
43@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
44 if (path->dentry != path->mnt->mnt_root)
45 return -EINVAL;
46
47+ /* Don't allow changing of locked mnt flags.
48+ *
49+ * No locks need to be held here while testing the various
50+ * MNT_LOCK flags because those flags can never be cleared
51+ * once they are set.
52+ */
53+ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
54+ !(mnt_flags & MNT_READONLY)) {
55+ return -EPERM;
56+ }
57 err = security_sb_remount(sb, data);
58 if (err)
59 return err;
60--
611.9.1
62
diff --git a/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch b/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
deleted file mode 100644
index b05aaf2..0000000
--- a/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
+++ /dev/null
@@ -1,102 +0,0 @@
1From a723db0be941b8aebaa1a98b33d17a91b16603e4 Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Thu, 9 Oct 2014 22:55:32 +0200
4Subject: [PATCH] net: sctp: fix panic on duplicate ASCONF chunks
5
6commit b69040d8e39f20d5215a03502a8e8b4c6ab78395 upstream.
7
8When receiving a e.g. semi-good formed connection scan in the
9form of ...
10
11 -------------- INIT[ASCONF; ASCONF_ACK] ------------->
12 <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
13 -------------------- COOKIE-ECHO -------------------->
14 <-------------------- COOKIE-ACK ---------------------
15 ---------------- ASCONF_a; ASCONF_b ----------------->
16
17... where ASCONF_a equals ASCONF_b chunk (at least both serials
18need to be equal), we panic an SCTP server!
19
20The problem is that good-formed ASCONF chunks that we reply with
21ASCONF_ACK chunks are cached per serial. Thus, when we receive a
22same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
23not need to process them again on the server side (that was the
24idea, also proposed in the RFC). Instead, we know it was cached
25and we just resend the cached chunk instead. So far, so good.
26
27Where things get nasty is in SCTP's side effect interpreter, that
28is, sctp_cmd_interpreter():
29
30While incoming ASCONF_a (chunk = event_arg) is being marked
31!end_of_packet and !singleton, and we have an association context,
32we do not flush the outqueue the first time after processing the
33ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
34queued up, although we set local_cork to 1. Commit 2e3216cd54b1
35changed the precedence, so that as long as we get bundled, incoming
36chunks we try possible bundling on outgoing queue as well. Before
37this commit, we would just flush the output queue.
38
39Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
40continue to process the same ASCONF_b chunk from the packet. As
41we have cached the previous ASCONF_ACK, we find it, grab it and
42do another SCTP_CMD_REPLY command on it. So, effectively, we rip
43the chunk->list pointers and requeue the same ASCONF_ACK chunk
44another time. Since we process ASCONF_b, it's correctly marked
45with end_of_packet and we enforce an uncork, and thus flush, thus
46crashing the kernel.
47
48Fix it by testing if the ASCONF_ACK is currently pending and if
49that is the case, do not requeue it. When flushing the output
50queue we may relink the chunk for preparing an outgoing packet,
51but eventually unlink it when it's copied into the skb right
52before transmission.
53
54Joint work with Vlad Yasevich.
55
56Fixes CVE-2014-3687
57Upstream-Status: Backport
58
59Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
60Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
61Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
62Signed-off-by: David S. Miller <davem@davemloft.net>
63Cc: Josh Boyer <jwboyer@fedoraproject.org>
64Signed-off-by: Jiri Slaby <jslaby@suse.cz>
65Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
66---
67 include/net/sctp/sctp.h | 5 +++++
68 net/sctp/associola.c | 2 ++
69 2 files changed, 7 insertions(+)
70
71diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
72index 3794c5a..3848934 100644
73--- a/include/net/sctp/sctp.h
74+++ b/include/net/sctp/sctp.h
75@@ -454,6 +454,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat
76 asoc->pmtu_pending = 0;
77 }
78
79+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
80+{
81+ return !list_empty(&chunk->list);
82+}
83+
84 /* Walk through a list of TLV parameters. Don't trust the
85 * individual parameter lengths and instead depend on
86 * the chunk length to indicate when to stop. Make sure
87diff --git a/net/sctp/associola.c b/net/sctp/associola.c
88index ad5cd6f..737050f 100644
89--- a/net/sctp/associola.c
90+++ b/net/sctp/associola.c
91@@ -1645,6 +1645,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
92 * ack chunk whose serial number matches that of the request.
93 */
94 list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
95+ if (sctp_chunk_pending(ack))
96+ continue;
97 if (ack->subh.addip_hdr->serial == serial) {
98 sctp_chunk_hold(ack);
99 return ack;
100--
1011.9.1
102
diff --git a/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch b/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch
deleted file mode 100644
index a43b895..0000000
--- a/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,200 +0,0 @@
1From 38d05809df1ea5272a658e7f4d5f2a3027ad2fd2 Mon Sep 17 00:00:00 2001
2From: Hugh Dickins <hughd@google.com>
3Date: Wed, 23 Jul 2014 14:00:10 -0700
4Subject: [PATCH 2/3] shmem: fix faulting into a hole, not taking i_mutex
5
6commit 8e205f779d1443a94b5ae81aa359cb535dd3021e upstream.
7
8Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's
9punched") was buggy: Sasha sent a lockdep report to remind us that
10grabbing i_mutex in the fault path is a no-no (write syscall may already
11hold i_mutex while faulting user buffer).
12
13We tried a completely different approach (see following patch) but that
14proved inadequate: good enough for a rational workload, but not good
15enough against trinity - which forks off so many mappings of the object
16that contention on i_mmap_mutex while hole-puncher holds i_mutex builds
17into serious starvation when concurrent faults force the puncher to fall
18back to single-page unmap_mapping_range() searches of the i_mmap tree.
19
20So return to the original umbrella approach, but keep away from i_mutex
21this time. We really don't want to bloat every shmem inode with a new
22mutex or completion, just to protect this unlikely case from trinity.
23So extend the original with wait_queue_head on stack at the hole-punch
24end, and wait_queue item on the stack at the fault end.
25
26This involves further use of i_lock to guard against the races: lockdep
27has been happy so far, and I see fs/inode.c:unlock_new_inode() holds
28i_lock around wake_up_bit(), which is comparable to what we do here.
29i_lock is more convenient, but we could switch to shmem's info->lock.
30
31This issue has been tagged with CVE-2014-4171, which will require commit
32f00cdc6df7d7 and this and the following patch to be backported: we
33suggest to 3.1+, though in fact the trinity forkbomb effect might go
34back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might
35not, since much has changed, with i_mmap_mutex a spinlock before 3.0.
36Anyone running trinity on 3.0 and earlier? I don't think we need care.
37
38Upstream-Status: Backport
39
40Signed-off-by: Hugh Dickins <hughd@google.com>
41Reported-by: Sasha Levin <sasha.levin@oracle.com>
42Tested-by: Sasha Levin <sasha.levin@oracle.com>
43Cc: Vlastimil Babka <vbabka@suse.cz>
44Cc: Konstantin Khlebnikov <koct9i@gmail.com>
45Cc: Johannes Weiner <hannes@cmpxchg.org>
46Cc: Lukas Czerner <lczerner@redhat.com>
47Cc: Dave Jones <davej@redhat.com>
48Cc: <stable@vger.kernel.org> [3.1+]
49Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
50Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51Signed-off-by: Jiri Slaby <jslaby@suse.cz>
52Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
53---
54 mm/shmem.c | 78 +++++++++++++++++++++++++++++++++++++++++---------------------
55 1 file changed, 52 insertions(+), 26 deletions(-)
56
57diff --git a/mm/shmem.c b/mm/shmem.c
58index 00d412f..6f5626f 100644
59--- a/mm/shmem.c
60+++ b/mm/shmem.c
61@@ -85,7 +85,7 @@ static struct vfsmount *shm_mnt;
62 * a time): we would prefer not to enlarge the shmem inode just for that.
63 */
64 struct shmem_falloc {
65- int mode; /* FALLOC_FL mode currently operating */
66+ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */
67 pgoff_t start; /* start of range currently being fallocated */
68 pgoff_t next; /* the next page offset to be fallocated */
69 pgoff_t nr_falloced; /* how many new pages have been fallocated */
70@@ -827,7 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
71 spin_lock(&inode->i_lock);
72 shmem_falloc = inode->i_private;
73 if (shmem_falloc &&
74- !shmem_falloc->mode &&
75+ !shmem_falloc->waitq &&
76 index >= shmem_falloc->start &&
77 index < shmem_falloc->next)
78 shmem_falloc->nr_unswapped++;
79@@ -1306,38 +1306,58 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
80 * Trinity finds that probing a hole which tmpfs is punching can
81 * prevent the hole-punch from ever completing: which in turn
82 * locks writers out with its hold on i_mutex. So refrain from
83- * faulting pages into the hole while it's being punched, and
84- * wait on i_mutex to be released if vmf->flags permits.
85+ * faulting pages into the hole while it's being punched. Although
86+ * shmem_undo_range() does remove the additions, it may be unable to
87+ * keep up, as each new page needs its own unmap_mapping_range() call,
88+ * and the i_mmap tree grows ever slower to scan if new vmas are added.
89+ *
90+ * It does not matter if we sometimes reach this check just before the
91+ * hole-punch begins, so that one fault then races with the punch:
92+ * we just need to make racing faults a rare case.
93+ *
94+ * The implementation below would be much simpler if we just used a
95+ * standard mutex or completion: but we cannot take i_mutex in fault,
96+ * and bloating every shmem inode for this unlikely case would be sad.
97 */
98 if (unlikely(inode->i_private)) {
99 struct shmem_falloc *shmem_falloc;
100
101 spin_lock(&inode->i_lock);
102 shmem_falloc = inode->i_private;
103- if (!shmem_falloc ||
104- shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
105- vmf->pgoff < shmem_falloc->start ||
106- vmf->pgoff >= shmem_falloc->next)
107- shmem_falloc = NULL;
108- spin_unlock(&inode->i_lock);
109- /*
110- * i_lock has protected us from taking shmem_falloc seriously
111- * once return from shmem_fallocate() went back up that stack.
112- * i_lock does not serialize with i_mutex at all, but it does
113- * not matter if sometimes we wait unnecessarily, or sometimes
114- * miss out on waiting: we just need to make those cases rare.
115- */
116- if (shmem_falloc) {
117+ if (shmem_falloc &&
118+ shmem_falloc->waitq &&
119+ vmf->pgoff >= shmem_falloc->start &&
120+ vmf->pgoff < shmem_falloc->next) {
121+ wait_queue_head_t *shmem_falloc_waitq;
122+ DEFINE_WAIT(shmem_fault_wait);
123+
124+ ret = VM_FAULT_NOPAGE;
125 if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
126 !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
127+ /* It's polite to up mmap_sem if we can */
128 up_read(&vma->vm_mm->mmap_sem);
129- mutex_lock(&inode->i_mutex);
130- mutex_unlock(&inode->i_mutex);
131- return VM_FAULT_RETRY;
132+ ret = VM_FAULT_RETRY;
133 }
134- /* cond_resched? Leave that to GUP or return to user */
135- return VM_FAULT_NOPAGE;
136+
137+ shmem_falloc_waitq = shmem_falloc->waitq;
138+ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
139+ TASK_UNINTERRUPTIBLE);
140+ spin_unlock(&inode->i_lock);
141+ schedule();
142+
143+ /*
144+ * shmem_falloc_waitq points into the shmem_fallocate()
145+ * stack of the hole-punching task: shmem_falloc_waitq
146+ * is usually invalid by the time we reach here, but
147+ * finish_wait() does not dereference it in that case;
148+ * though i_lock needed lest racing with wake_up_all().
149+ */
150+ spin_lock(&inode->i_lock);
151+ finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
152+ spin_unlock(&inode->i_lock);
153+ return ret;
154 }
155+ spin_unlock(&inode->i_lock);
156 }
157
158 error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
159@@ -1855,13 +1875,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
160
161 mutex_lock(&inode->i_mutex);
162
163- shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
164-
165 if (mode & FALLOC_FL_PUNCH_HOLE) {
166 struct address_space *mapping = file->f_mapping;
167 loff_t unmap_start = round_up(offset, PAGE_SIZE);
168 loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
169+ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
170
171+ shmem_falloc.waitq = &shmem_falloc_waitq;
172 shmem_falloc.start = unmap_start >> PAGE_SHIFT;
173 shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
174 spin_lock(&inode->i_lock);
175@@ -1873,8 +1893,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
176 1 + unmap_end - unmap_start, 0);
177 shmem_truncate_range(inode, offset, offset + len - 1);
178 /* No need to unmap again: hole-punching leaves COWed pages */
179+
180+ spin_lock(&inode->i_lock);
181+ inode->i_private = NULL;
182+ wake_up_all(&shmem_falloc_waitq);
183+ spin_unlock(&inode->i_lock);
184 error = 0;
185- goto undone;
186+ goto out;
187 }
188
189 /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
190@@ -1890,6 +1915,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
191 goto out;
192 }
193
194+ shmem_falloc.waitq = NULL;
195 shmem_falloc.start = start;
196 shmem_falloc.next = start;
197 shmem_falloc.nr_falloced = 0;
198--
1991.9.1
200
diff --git a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
deleted file mode 100644
index f58b2f0..0000000
--- a/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
+++ /dev/null
@@ -1,114 +0,0 @@
1From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
2From: Jiri Kosina <jkosina@suse.cz>
3Date: Thu, 21 Aug 2014 09:57:48 -0500
4Subject: [PATCH] HID: fix a couple of off-by-ones
5
6There are a few very theoretical off-by-one bugs in report descriptor size
7checking when performing a pre-parsing fixup. Fix those.
8
9This fixes CVE-2014-3184
10Upstream-Status: Backport
11
12Cc: stable@vger.kernel.org
13Reported-by: Ben Hawkes <hawkes@google.com>
14Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
15Signed-off-by: Jiri Kosina <jkosina@suse.cz>
16Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
17---
18 drivers/hid/hid-cherry.c | 2 +-
19 drivers/hid/hid-kye.c | 2 +-
20 drivers/hid/hid-lg.c | 4 ++--
21 drivers/hid/hid-monterey.c | 2 +-
22 drivers/hid/hid-petalynx.c | 2 +-
23 drivers/hid/hid-sunplus.c | 2 +-
24 6 files changed, 7 insertions(+), 7 deletions(-)
25
26diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
27index 1bdcccc..f745d2c 100644
28--- a/drivers/hid/hid-cherry.c
29+++ b/drivers/hid/hid-cherry.c
30@@ -28,7 +28,7 @@
31 static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
32 unsigned int *rsize)
33 {
34- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
35+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
36 hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
37 rdesc[11] = rdesc[16] = 0xff;
38 rdesc[12] = rdesc[17] = 0x03;
39diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
40index e776963..b92bf01 100644
41--- a/drivers/hid/hid-kye.c
42+++ b/drivers/hid/hid-kye.c
43@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
44 * - change the button usage range to 4-7 for the extra
45 * buttons
46 */
47- if (*rsize >= 74 &&
48+ if (*rsize >= 75 &&
49 rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
50 rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
51 rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
52diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
53index a976f48..f91ff14 100644
54--- a/drivers/hid/hid-lg.c
55+++ b/drivers/hid/hid-lg.c
56@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
57 struct usb_device_descriptor *udesc;
58 __u16 bcdDevice, rev_maj, rev_min;
59
60- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
61+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
62 rdesc[84] == 0x8c && rdesc[85] == 0x02) {
63 hid_info(hdev,
64 "fixing up Logitech keyboard report descriptor\n");
65 rdesc[84] = rdesc[89] = 0x4d;
66 rdesc[85] = rdesc[90] = 0x10;
67 }
68- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
69+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
70 rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
71 rdesc[49] == 0x81 && rdesc[50] == 0x06) {
72 hid_info(hdev,
73diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
74index 9e14c00..25daf28 100644
75--- a/drivers/hid/hid-monterey.c
76+++ b/drivers/hid/hid-monterey.c
77@@ -24,7 +24,7 @@
78 static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
79 unsigned int *rsize)
80 {
81- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
82+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
83 hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
84 rdesc[30] = 0x0c;
85 }
86diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
87index 736b250..6aca4f2 100644
88--- a/drivers/hid/hid-petalynx.c
89+++ b/drivers/hid/hid-petalynx.c
90@@ -25,7 +25,7 @@
91 static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
92 unsigned int *rsize)
93 {
94- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
95+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
96 rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
97 rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
98 hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
99diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
100index 87fc91e..91072fa 100644
101--- a/drivers/hid/hid-sunplus.c
102+++ b/drivers/hid/hid-sunplus.c
103@@ -24,7 +24,7 @@
104 static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
105 unsigned int *rsize)
106 {
107- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
108+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
109 rdesc[106] == 0x03) {
110 hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
111 rdesc[105] = rdesc[110] = 0x03;
112--
1131.9.1
114
diff --git a/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index aa5ca1b..0000000
--- a/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,137 +0,0 @@
1From 8b18c0adbc5d0cb1530692e72bcfb88fd7bb77bb Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:26:07 -0700
4Subject: [PATCH] mnt: Correct permission checks in do_remount
5
6commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream.
7
8While invesgiating the issue where in "mount --bind -oremount,ro ..."
9would result in later "mount --bind -oremount,rw" succeeding even if
10the mount started off locked I realized that there are several
11additional mount flags that should be locked and are not.
12
13In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
14flags in addition to MNT_READONLY should all be locked. These
15flags are all per superblock, can all be changed with MS_BIND,
16and should not be changable if set by a more privileged user.
17
18The following additions to the current logic are added in this patch.
19- nosuid may not be clearable by a less privileged user.
20- nodev may not be clearable by a less privielged user.
21- noexec may not be clearable by a less privileged user.
22- atime flags may not be changeable by a less privileged user.
23
24The logic with atime is that always setting atime on access is a
25global policy and backup software and auditing software could break if
26atime bits are not updated (when they are configured to be updated),
27and serious performance degradation could result (DOS attack) if atime
28updates happen when they have been explicitly disabled. Therefore an
29unprivileged user should not be able to mess with the atime bits set
30by a more privileged user.
31
32The additional restrictions are implemented with the addition of
33MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
34mnt flags.
35
36Taken together these changes and the fixes for MNT_LOCK_READONLY
37should make it safe for an unprivileged user to create a user
38namespace and to call "mount --bind -o remount,... ..." without
39the danger of mount flags being changed maliciously.
40
41Fix for CVE-2014-5206 and CVE-2014-5207
42Upstream-Status: backport
43
44Cc: stable@vger.kernel.org
45Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
46Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
47Signed-off-by: Jiri Slaby <jslaby@suse.cz>
48Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
49---
50 fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
51 include/linux/mount.h | 5 +++++
52 2 files changed, 38 insertions(+), 3 deletions(-)
53
54diff --git a/fs/namespace.c b/fs/namespace.c
55index 8e90b03..7c67de8 100644
56--- a/fs/namespace.c
57+++ b/fs/namespace.c
58@@ -827,8 +827,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
59
60 mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
61 /* Don't allow unprivileged users to change mount flags */
62- if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
63- mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
64+ if (flag & CL_UNPRIVILEGED) {
65+ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
66+
67+ if (mnt->mnt.mnt_flags & MNT_READONLY)
68+ mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
69+
70+ if (mnt->mnt.mnt_flags & MNT_NODEV)
71+ mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
72+
73+ if (mnt->mnt.mnt_flags & MNT_NOSUID)
74+ mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
75+
76+ if (mnt->mnt.mnt_flags & MNT_NOEXEC)
77+ mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
78+ }
79
80 /* Don't allow unprivileged users to reveal what is under a mount */
81 if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
82@@ -1841,6 +1854,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
83 !(mnt_flags & MNT_READONLY)) {
84 return -EPERM;
85 }
86+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
87+ !(mnt_flags & MNT_NODEV)) {
88+ return -EPERM;
89+ }
90+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
91+ !(mnt_flags & MNT_NOSUID)) {
92+ return -EPERM;
93+ }
94+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
95+ !(mnt_flags & MNT_NOEXEC)) {
96+ return -EPERM;
97+ }
98+ if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
99+ ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
100+ return -EPERM;
101+ }
102+
103 err = security_sb_remount(sb, data);
104 if (err)
105 return err;
106@@ -2043,7 +2073,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
107 */
108 if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
109 flags |= MS_NODEV;
110- mnt_flags |= MNT_NODEV;
111+ mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
112 }
113 }
114
115diff --git a/include/linux/mount.h b/include/linux/mount.h
116index 8707c9e..22e5b96 100644
117--- a/include/linux/mount.h
118+++ b/include/linux/mount.h
119@@ -45,10 +45,15 @@ struct mnt_namespace;
120 #define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
121 | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
122 | MNT_READONLY)
123+#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
124
125
126 #define MNT_INTERNAL 0x4000
127
128+#define MNT_LOCK_ATIME 0x040000
129+#define MNT_LOCK_NOEXEC 0x080000
130+#define MNT_LOCK_NOSUID 0x100000
131+#define MNT_LOCK_NODEV 0x200000
132 #define MNT_LOCK_READONLY 0x400000
133 #define MNT_LOCKED 0x800000
134
135--
1361.9.1
137
diff --git a/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch b/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
deleted file mode 100644
index 1b4716d..0000000
--- a/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
+++ /dev/null
@@ -1,160 +0,0 @@
1From e476841415c1b7b54e4118d8a219f5db71878675 Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Thu, 9 Oct 2014 22:55:33 +0200
4Subject: [PATCH] net: sctp: fix remote memory pressure from excessive queueing
5
6commit 26b87c7881006311828bb0ab271a551a62dcceb4 upstream.
7
8This scenario is not limited to ASCONF, just taken as one
9example triggering the issue. When receiving ASCONF probes
10in the form of ...
11
12 -------------- INIT[ASCONF; ASCONF_ACK] ------------->
13 <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
14 -------------------- COOKIE-ECHO -------------------->
15 <-------------------- COOKIE-ACK ---------------------
16 ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
17 [...]
18 ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
19
20... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
21ASCONFs and have increasing serial numbers, we process such
22ASCONF chunk(s) marked with !end_of_packet and !singleton,
23since we have not yet reached the SCTP packet end. SCTP does
24only do verification on a chunk by chunk basis, as an SCTP
25packet is nothing more than just a container of a stream of
26chunks which it eats up one by one.
27
28We could run into the case that we receive a packet with a
29malformed tail, above marked as trailing JUNK. All previous
30chunks are here goodformed, so the stack will eat up all
31previous chunks up to this point. In case JUNK does not fit
32into a chunk header and there are no more other chunks in
33the input queue, or in case JUNK contains a garbage chunk
34header, but the encoded chunk length would exceed the skb
35tail, or we came here from an entirely different scenario
36and the chunk has pdiscard=1 mark (without having had a flush
37point), it will happen, that we will excessively queue up
38the association's output queue (a correct final chunk may
39then turn it into a response flood when flushing the
40queue ;)): I ran a simple script with incremental ASCONF
41serial numbers and could see the server side consuming
42excessive amount of RAM [before/after: up to 2GB and more].
43
44The issue at heart is that the chunk train basically ends
45with !end_of_packet and !singleton markers and since commit
462e3216cd54b1 ("sctp: Follow security requirement of responding
47with 1 packet") therefore preventing an output queue flush
48point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
49chunk (chunk = event_arg) even though local_cork is set,
50but its precedence has changed since then. In the normal
51case, the last chunk with end_of_packet=1 would trigger the
52queue flush to accommodate possible outgoing bundling.
53
54In the input queue, sctp_inq_pop() seems to do the right thing
55in terms of discarding invalid chunks. So, above JUNK will
56not enter the state machine and instead be released and exit
57the sctp_assoc_bh_rcv() chunk processing loop. It's simply
58the flush point being missing at loop exit. Adding a try-flush
59approach on the output queue might not work as the underlying
60infrastructure might be long gone at this point due to the
61side-effect interpreter run.
62
63One possibility, albeit a bit of a kludge, would be to defer
64invalid chunk freeing into the state machine in order to
65possibly trigger packet discards and thus indirectly a queue
66flush on error. It would surely be better to discard chunks
67as in the current, perhaps better controlled environment, but
68going back and forth, it's simply architecturally not possible.
69I tried various trailing JUNK attack cases and it seems to
70look good now.
71
72Joint work with Vlad Yasevich.
73
74Fixes CVE-2014-3688
75Upstream-Status: Backport
76
77Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
78Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
79Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
80Signed-off-by: David S. Miller <davem@davemloft.net>
81Cc: Josh Boyer <jwboyer@fedoraproject.org>
82Signed-off-by: Jiri Slaby <jslaby@suse.cz>
83Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
84---
85 net/sctp/inqueue.c | 33 +++++++--------------------------
86 net/sctp/sm_statefuns.c | 3 +++
87 2 files changed, 10 insertions(+), 26 deletions(-)
88
89diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
90index 5856932..560cd41 100644
91--- a/net/sctp/inqueue.c
92+++ b/net/sctp/inqueue.c
93@@ -141,18 +141,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
94 } else {
95 /* Nothing to do. Next chunk in the packet, please. */
96 ch = (sctp_chunkhdr_t *) chunk->chunk_end;
97-
98 /* Force chunk->skb->data to chunk->chunk_end. */
99- skb_pull(chunk->skb,
100- chunk->chunk_end - chunk->skb->data);
101-
102- /* Verify that we have at least chunk headers
103- * worth of buffer left.
104- */
105- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
106- sctp_chunk_free(chunk);
107- chunk = queue->in_progress = NULL;
108- }
109+ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
110+ /* We are guaranteed to pull a SCTP header. */
111 }
112 }
113
114@@ -188,24 +179,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
115 skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
116 chunk->subh.v = NULL; /* Subheader is no longer valid. */
117
118- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
119+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
120+ skb_tail_pointer(chunk->skb)) {
121 /* This is not a singleton */
122 chunk->singleton = 0;
123 } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
124- /* RFC 2960, Section 6.10 Bundling
125- *
126- * Partial chunks MUST NOT be placed in an SCTP packet.
127- * If the receiver detects a partial chunk, it MUST drop
128- * the chunk.
129- *
130- * Since the end of the chunk is past the end of our buffer
131- * (which contains the whole packet, we can freely discard
132- * the whole packet.
133- */
134- sctp_chunk_free(chunk);
135- chunk = queue->in_progress = NULL;
136-
137- return NULL;
138+ /* Discard inside state machine. */
139+ chunk->pdiscard = 1;
140+ chunk->chunk_end = skb_tail_pointer(chunk->skb);
141 } else {
142 /* We are at the end of the packet, so mark the chunk
143 * in case we need to send a SACK.
144diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
145index 1dbcc6a..62623cc 100644
146--- a/net/sctp/sm_statefuns.c
147+++ b/net/sctp/sm_statefuns.c
148@@ -171,6 +171,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
149 {
150 __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
151
152+ /* Previously already marked? */
153+ if (unlikely(chunk->pdiscard))
154+ return 0;
155 if (unlikely(chunk_length < required_length))
156 return 0;
157
158--
1591.9.1
160
diff --git a/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch b/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
deleted file mode 100644
index 2b70ec1..0000000
--- a/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,134 +0,0 @@
1From a428dc008e435c5a36b1288fb5b8c4b58472e28c Mon Sep 17 00:00:00 2001
2From: Hugh Dickins <hughd@google.com>
3Date: Wed, 23 Jul 2014 14:00:13 -0700
4Subject: [PATCH 3/3] shmem: fix splicing from a hole while it's punched
5
6commit b1a366500bd537b50c3aad26dc7df083ec03a448 upstream.
7
8shmem_fault() is the actual culprit in trinity's hole-punch starvation,
9and the most significant cause of such problems: since a page faulted is
10one that then appears page_mapped(), needing unmap_mapping_range() and
11i_mmap_mutex to be unmapped again.
12
13But it is not the only way in which a page can be brought into a hole in
14the radix_tree while that hole is being punched; and Vlastimil's testing
15implies that if enough other processors are busy filling in the hole,
16then shmem_undo_range() can be kept from completing indefinitely.
17
18shmem_file_splice_read() is the main other user of SGP_CACHE, which can
19instantiate shmem pagecache pages in the read-only case (without holding
20i_mutex, so perhaps concurrently with a hole-punch). Probably it's
21silly not to use SGP_READ already (using the ZERO_PAGE for holes): which
22ought to be safe, but might bring surprises - not a change to be rushed.
23
24shmem_read_mapping_page_gfp() is an internal interface used by
25drivers/gpu/drm GEM (and next by uprobes): it should be okay. And
26shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when
27called internally by the kernel (perhaps for a stacking filesystem,
28which might rely on holes to be reserved): it's unclear whether it could
29be provoked to keep hole-punch busy or not.
30
31We could apply the same umbrella as now used in shmem_fault() to
32shmem_file_splice_read() and the others; but it looks ugly, and use over
33a range raises questions - should it actually be per page? can these get
34starved themselves?
35
36The origin of this part of the problem is my v3.1 commit d0823576bf4b
37("mm: pincer in truncate_inode_pages_range"), once it was duplicated
38into shmem.c. It seemed like a nice idea at the time, to ensure
39(barring RCU lookup fuzziness) that there's an instant when the entire
40hole is empty; but the indefinitely repeated scans to ensure that make
41it vulnerable.
42
43Revert that "enhancement" to hole-punch from shmem_undo_range(), but
44retain the unproblematic rescanning when it's truncating; add a couple
45of comments there.
46
47Remove the "indices[0] >= end" test: that is now handled satisfactorily
48by the inner loop, and mem_cgroup_uncharge_start()/end() are too light
49to be worth avoiding here.
50
51But if we do not always loop indefinitely, we do need to handle the case
52of swap swizzled back to page before shmem_free_swap() gets it: add a
53retry for that case, as suggested by Konstantin Khlebnikov; and for the
54case of page swizzled back to swap, as suggested by Johannes Weiner.
55
56Upstream-Status: Backport
57
58Signed-off-by: Hugh Dickins <hughd@google.com>
59Reported-by: Sasha Levin <sasha.levin@oracle.com>
60Suggested-by: Vlastimil Babka <vbabka@suse.cz>
61Cc: Konstantin Khlebnikov <koct9i@gmail.com>
62Cc: Johannes Weiner <hannes@cmpxchg.org>
63Cc: Lukas Czerner <lczerner@redhat.com>
64Cc: Dave Jones <davej@redhat.com>
65Cc: <stable@vger.kernel.org> [3.1+]
66Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
67Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
68Signed-off-by: Jiri Slaby <jslaby@suse.cz>
69Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
70---
71 mm/shmem.c | 24 +++++++++++++++---------
72 1 file changed, 15 insertions(+), 9 deletions(-)
73
74diff --git a/mm/shmem.c b/mm/shmem.c
75index 6f5626f..0da81aa 100644
76--- a/mm/shmem.c
77+++ b/mm/shmem.c
78@@ -534,22 +534,19 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
79 return;
80
81 index = start;
82- for ( ; ; ) {
83+ while (index < end) {
84 cond_resched();
85 pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
86 min(end - index, (pgoff_t)PAGEVEC_SIZE),
87 pvec.pages, indices);
88 if (!pvec.nr) {
89- if (index == start || unfalloc)
90+ /* If all gone or hole-punch or unfalloc, we're done */
91+ if (index == start || end != -1)
92 break;
93+ /* But if truncating, restart to make sure all gone */
94 index = start;
95 continue;
96 }
97- if ((index == start || unfalloc) && indices[0] >= end) {
98- shmem_deswap_pagevec(&pvec);
99- pagevec_release(&pvec);
100- break;
101- }
102 mem_cgroup_uncharge_start();
103 for (i = 0; i < pagevec_count(&pvec); i++) {
104 struct page *page = pvec.pages[i];
105@@ -561,8 +558,12 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
106 if (radix_tree_exceptional_entry(page)) {
107 if (unfalloc)
108 continue;
109- nr_swaps_freed += !shmem_free_swap(mapping,
110- index, page);
111+ if (shmem_free_swap(mapping, index, page)) {
112+ /* Swap was replaced by page: retry */
113+ index--;
114+ break;
115+ }
116+ nr_swaps_freed++;
117 continue;
118 }
119
120@@ -571,6 +572,11 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
121 if (page->mapping == mapping) {
122 VM_BUG_ON(PageWriteback(page));
123 truncate_inode_page(mapping, page);
124+ } else {
125+ /* Page was replaced by swap: retry */
126+ unlock_page(page);
127+ index--;
128+ break;
129 }
130 }
131 unlock_page(page);
132--
1331.9.1
134
diff --git a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
deleted file mode 100644
index 0820807..0000000
--- a/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
+++ /dev/null
@@ -1,51 +0,0 @@
1From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
2From: James Forshaw <forshaw@google.com>
3Date: Sat, 23 Aug 2014 14:39:48 -0700
4Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
5 response
6
7This patch fixes a potential security issue in the whiteheat USB driver
8which might allow a local attacker to cause kernel memory corrpution. This
9is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
10EHCI and XHCI busses it's possible to craft responses greater than 64
11bytes leading a buffer overflow.
12
13This fixes CVE-2014-3185
14Upstream-Status: Backport
15
16Signed-off-by: James Forshaw <forshaw@google.com>
17Cc: stable <stable@vger.kernel.org>
18Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
20---
21 drivers/usb/serial/whiteheat.c | 7 ++++++-
22 1 file changed, 6 insertions(+), 1 deletion(-)
23
24diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
25index e62f2df..6c3734d 100644
26--- a/drivers/usb/serial/whiteheat.c
27+++ b/drivers/usb/serial/whiteheat.c
28@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
29 dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
30 return;
31 }
32+ if (!urb->actual_length) {
33+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
34+ return;
35+ }
36 if (status) {
37 dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
38 if (status != -ENOENT)
39@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
40 /* These are unsolicited reports from the firmware, hence no
41 waiting command to wakeup */
42 dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
43- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
44+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
45+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
46 memcpy(command_info->result_buffer, &data[1],
47 urb->actual_length - 1);
48 command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
49--
501.9.1
51
diff --git a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index 8cd4b13..0000000
--- a/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,64 +0,0 @@
1From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Mon, 28 Jul 2014 17:36:04 -0700
4Subject: [PATCH] mnt: Change the default remount atime from relatime to the
5 existing value
6
7commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream.
8
9Since March 2009 the kernel has treated the state that if no
10MS_..ATIME flags are passed then the kernel defaults to relatime.
11
12Defaulting to relatime instead of the existing atime state during a
13remount is silly, and causes problems in practice for people who don't
14specify any MS_...ATIME flags and to get the default filesystem atime
15setting. Those users may encounter a permission error because the
16default atime setting does not work.
17
18A default that does not work and causes permission problems is
19ridiculous, so preserve the existing value to have a default
20atime setting that is always guaranteed to work.
21
22Using the default atime setting in this way is particularly
23interesting for applications built to run in restricted userspace
24environments without /proc mounted, as the existing atime mount
25options of a filesystem can not be read from /proc/mounts.
26
27In practice this fixes user space that uses the default atime
28setting on remount that are broken by the permission checks
29keeping less privileged users from changing more privileged users
30atime settings.
31
32Fix for CVE-2014-5206 and CVE-2014-5207
33Upstream-Status: backport
34
35Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
36Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
37Signed-off-by: Jiri Slaby <jslaby@suse.cz>
38Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
39---
40 fs/namespace.c | 8 ++++++++
41 1 file changed, 8 insertions(+)
42
43diff --git a/fs/namespace.c b/fs/namespace.c
44index 7c67de8..4ea2b73 100644
45--- a/fs/namespace.c
46+++ b/fs/namespace.c
47@@ -2391,6 +2391,14 @@ long do_mount(const char *dev_name, const char *dir_name,
48 if (flags & MS_RDONLY)
49 mnt_flags |= MNT_READONLY;
50
51+ /* The default atime for remount is preservation */
52+ if ((flags & MS_REMOUNT) &&
53+ ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME |
54+ MS_STRICTATIME)) == 0)) {
55+ mnt_flags &= ~MNT_ATIME_MASK;
56+ mnt_flags |= path.mnt->mnt_flags & MNT_ATIME_MASK;
57+ }
58+
59 flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN |
60 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
61 MS_STRICTATIME);
62--
631.9.1
64
diff --git a/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index caa89db..0000000
--- a/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,324 +0,0 @@
1From 4194b9700ce41ff2f7031aa0c6108c2539028ab5 Mon Sep 17 00:00:00 2001
2From: "Eric W. Biederman" <ebiederm@xmission.com>
3Date: Tue, 29 Jul 2014 15:50:44 -0700
4Subject: [PATCH] mnt: Add tests for unprivileged remount cases that have found
5 to be faulty
6
7commit db181ce011e3c033328608299cd6fac06ea50130 upstream.
8
9Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
10read-only bind mount read-only in a user namespace the
11MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
12to the remount a read-only mount read-write.
13
14Upon review of the code in remount it was discovered that the code allowed
15nosuid, noexec, and nodev to be cleared. It was also discovered that
16the code was allowing the per mount atime flags to be changed.
17
18The first naive patch to fix these issues contained the flaw that using
19default atime settings when remounting a filesystem could be disallowed.
20
21To avoid this problems in the future add tests to ensure unprivileged
22remounts are succeeding and failing at the appropriate times.
23
24Fix for CVE-2014-5206 and CVE-2014-5207
25Upstream-Status: backport
26
27Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
28Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
29Signed-off-by: Jiri Slaby <jslaby@suse.cz>
30Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
31---
32 tools/testing/selftests/Makefile | 1 +
33 tools/testing/selftests/mount/Makefile | 17 ++
34 .../selftests/mount/unprivileged-remount-test.c | 242 +++++++++++++++++++++
35 3 files changed, 260 insertions(+)
36 create mode 100644 tools/testing/selftests/mount/Makefile
37 create mode 100644 tools/testing/selftests/mount/unprivileged-remount-test.c
38
39diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
40index 9f3eae2..2d9ab94 100644
41--- a/tools/testing/selftests/Makefile
42+++ b/tools/testing/selftests/Makefile
43@@ -4,6 +4,7 @@ TARGETS += efivarfs
44 TARGETS += kcmp
45 TARGETS += memory-hotplug
46 TARGETS += mqueue
47+TARGETS += mount
48 TARGETS += net
49 TARGETS += ptrace
50 TARGETS += timers
51diff --git a/tools/testing/selftests/mount/Makefile b/tools/testing/selftests/mount/Makefile
52new file mode 100644
53index 0000000..337d853
54--- /dev/null
55+++ b/tools/testing/selftests/mount/Makefile
56@@ -0,0 +1,17 @@
57+# Makefile for mount selftests.
58+
59+all: unprivileged-remount-test
60+
61+unprivileged-remount-test: unprivileged-remount-test.c
62+ gcc -Wall -O2 unprivileged-remount-test.c -o unprivileged-remount-test
63+
64+# Allow specific tests to be selected.
65+test_unprivileged_remount: unprivileged-remount-test
66+ @if [ -f /proc/self/uid_map ] ; then ./unprivileged-remount-test ; fi
67+
68+run_tests: all test_unprivileged_remount
69+
70+clean:
71+ rm -f unprivileged-remount-test
72+
73+.PHONY: all test_unprivileged_remount
74diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c
75new file mode 100644
76index 0000000..1b3ff2f
77--- /dev/null
78+++ b/tools/testing/selftests/mount/unprivileged-remount-test.c
79@@ -0,0 +1,242 @@
80+#define _GNU_SOURCE
81+#include <sched.h>
82+#include <stdio.h>
83+#include <errno.h>
84+#include <string.h>
85+#include <sys/types.h>
86+#include <sys/mount.h>
87+#include <sys/wait.h>
88+#include <stdlib.h>
89+#include <unistd.h>
90+#include <fcntl.h>
91+#include <grp.h>
92+#include <stdbool.h>
93+#include <stdarg.h>
94+
95+#ifndef CLONE_NEWNS
96+# define CLONE_NEWNS 0x00020000
97+#endif
98+#ifndef CLONE_NEWUTS
99+# define CLONE_NEWUTS 0x04000000
100+#endif
101+#ifndef CLONE_NEWIPC
102+# define CLONE_NEWIPC 0x08000000
103+#endif
104+#ifndef CLONE_NEWNET
105+# define CLONE_NEWNET 0x40000000
106+#endif
107+#ifndef CLONE_NEWUSER
108+# define CLONE_NEWUSER 0x10000000
109+#endif
110+#ifndef CLONE_NEWPID
111+# define CLONE_NEWPID 0x20000000
112+#endif
113+
114+#ifndef MS_RELATIME
115+#define MS_RELATIME (1 << 21)
116+#endif
117+#ifndef MS_STRICTATIME
118+#define MS_STRICTATIME (1 << 24)
119+#endif
120+
121+static void die(char *fmt, ...)
122+{
123+ va_list ap;
124+ va_start(ap, fmt);
125+ vfprintf(stderr, fmt, ap);
126+ va_end(ap);
127+ exit(EXIT_FAILURE);
128+}
129+
130+static void write_file(char *filename, char *fmt, ...)
131+{
132+ char buf[4096];
133+ int fd;
134+ ssize_t written;
135+ int buf_len;
136+ va_list ap;
137+
138+ va_start(ap, fmt);
139+ buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
140+ va_end(ap);
141+ if (buf_len < 0) {
142+ die("vsnprintf failed: %s\n",
143+ strerror(errno));
144+ }
145+ if (buf_len >= sizeof(buf)) {
146+ die("vsnprintf output truncated\n");
147+ }
148+
149+ fd = open(filename, O_WRONLY);
150+ if (fd < 0) {
151+ die("open of %s failed: %s\n",
152+ filename, strerror(errno));
153+ }
154+ written = write(fd, buf, buf_len);
155+ if (written != buf_len) {
156+ if (written >= 0) {
157+ die("short write to %s\n", filename);
158+ } else {
159+ die("write to %s failed: %s\n",
160+ filename, strerror(errno));
161+ }
162+ }
163+ if (close(fd) != 0) {
164+ die("close of %s failed: %s\n",
165+ filename, strerror(errno));
166+ }
167+}
168+
169+static void create_and_enter_userns(void)
170+{
171+ uid_t uid;
172+ gid_t gid;
173+
174+ uid = getuid();
175+ gid = getgid();
176+
177+ if (unshare(CLONE_NEWUSER) !=0) {
178+ die("unshare(CLONE_NEWUSER) failed: %s\n",
179+ strerror(errno));
180+ }
181+
182+ write_file("/proc/self/uid_map", "0 %d 1", uid);
183+ write_file("/proc/self/gid_map", "0 %d 1", gid);
184+
185+ if (setgroups(0, NULL) != 0) {
186+ die("setgroups failed: %s\n",
187+ strerror(errno));
188+ }
189+ if (setgid(0) != 0) {
190+ die ("setgid(0) failed %s\n",
191+ strerror(errno));
192+ }
193+ if (setuid(0) != 0) {
194+ die("setuid(0) failed %s\n",
195+ strerror(errno));
196+ }
197+}
198+
199+static
200+bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
201+{
202+ pid_t child;
203+
204+ child = fork();
205+ if (child == -1) {
206+ die("fork failed: %s\n",
207+ strerror(errno));
208+ }
209+ if (child != 0) { /* parent */
210+ pid_t pid;
211+ int status;
212+ pid = waitpid(child, &status, 0);
213+ if (pid == -1) {
214+ die("waitpid failed: %s\n",
215+ strerror(errno));
216+ }
217+ if (pid != child) {
218+ die("waited for %d got %d\n",
219+ child, pid);
220+ }
221+ if (!WIFEXITED(status)) {
222+ die("child did not terminate cleanly\n");
223+ }
224+ return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false;
225+ }
226+
227+ create_and_enter_userns();
228+ if (unshare(CLONE_NEWNS) != 0) {
229+ die("unshare(CLONE_NEWNS) failed: %s\n",
230+ strerror(errno));
231+ }
232+
233+ if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
234+ die("mount of /tmp failed: %s\n",
235+ strerror(errno));
236+ }
237+
238+ create_and_enter_userns();
239+
240+ if (unshare(CLONE_NEWNS) != 0) {
241+ die("unshare(CLONE_NEWNS) failed: %s\n",
242+ strerror(errno));
243+ }
244+
245+ if (mount("/tmp", "/tmp", "none",
246+ MS_REMOUNT | MS_BIND | remount_flags, NULL) != 0) {
247+ /* system("cat /proc/self/mounts"); */
248+ die("remount of /tmp failed: %s\n",
249+ strerror(errno));
250+ }
251+
252+ if (mount("/tmp", "/tmp", "none",
253+ MS_REMOUNT | MS_BIND | invalid_flags, NULL) == 0) {
254+ /* system("cat /proc/self/mounts"); */
255+ die("remount of /tmp with invalid flags "
256+ "succeeded unexpectedly\n");
257+ }
258+ exit(EXIT_SUCCESS);
259+}
260+
261+static bool test_unpriv_remount_simple(int mount_flags)
262+{
263+ return test_unpriv_remount(mount_flags, mount_flags, 0);
264+}
265+
266+static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
267+{
268+ return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
269+}
270+
271+int main(int argc, char **argv)
272+{
273+ if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) {
274+ die("MS_RDONLY malfunctions\n");
275+ }
276+ if (!test_unpriv_remount_simple(MS_NODEV)) {
277+ die("MS_NODEV malfunctions\n");
278+ }
279+ if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) {
280+ die("MS_NOSUID malfunctions\n");
281+ }
282+ if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) {
283+ die("MS_NOEXEC malfunctions\n");
284+ }
285+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV,
286+ MS_NOATIME|MS_NODEV))
287+ {
288+ die("MS_RELATIME malfunctions\n");
289+ }
290+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV,
291+ MS_NOATIME|MS_NODEV))
292+ {
293+ die("MS_STRICTATIME malfunctions\n");
294+ }
295+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV,
296+ MS_STRICTATIME|MS_NODEV))
297+ {
298+ die("MS_RELATIME malfunctions\n");
299+ }
300+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV,
301+ MS_NOATIME|MS_NODEV))
302+ {
303+ die("MS_RELATIME malfunctions\n");
304+ }
305+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV,
306+ MS_NOATIME|MS_NODEV))
307+ {
308+ die("MS_RELATIME malfunctions\n");
309+ }
310+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV,
311+ MS_STRICTATIME|MS_NODEV))
312+ {
313+ die("MS_RELATIME malfunctions\n");
314+ }
315+ if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV,
316+ MS_NOATIME|MS_NODEV))
317+ {
318+ die("Default atime malfunctions\n");
319+ }
320+ return EXIT_SUCCESS;
321+}
322--
3231.9.1
324
diff --git a/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch b/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
deleted file mode 100644
index 7d16535..0000000
--- a/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1CVE-2014-5077 Kernel/SCTP: fix a NULL pointer dereference
2
3A NULL pointer dereference flaw was found in the way the
4Linux kernel's Stream Control Transmission Protocol
5(SCTP) implementation handled simultaneous connections
6between the same hosts. A remote attacker could use this
7flaw to crash the system.
8
9Upstream-Status: Backport (from v3.16, commit 1be9a950c646c)
10
11References:
12 - https://access.redhat.com/security/cve/CVE-2014-5077
13 - http://patchwork.ozlabs.org/patch/372475/
14
15Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
16Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
17Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
18Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
19Cc: Vlad Yasevich <vyasevich@gmail.com>
20Acked-by: Vlad Yasevich <vyasevich@gmail.com>
21Signed-off-by: David S. Miller <davem@davemloft.net>
22Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan@enea.com>
23---
24 net/sctp/associola.c | 1 +
25 1 file changed, 1 insertion(+)
26
27diff --git a/net/sctp/associola.c b/net/sctp/associola.c
28index 9de23a2..06a9ee6 100644
29--- a/net/sctp/associola.c
30+++ b/net/sctp/associola.c
31@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc,
32 asoc->c = new->c;
33 asoc->peer.rwnd = new->peer.rwnd;
34 asoc->peer.sack_needed = new->peer.sack_needed;
35+ asoc->peer.auth_capable = new->peer.auth_capable;
36 asoc->peer.i = new->peer.i;
37 sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
38 asoc->peer.i.initial_tsn, GFP_ATOMIC);
39--
401.9.1
41
diff --git a/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch b/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
deleted file mode 100644
index 65107d6..0000000
--- a/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
+++ /dev/null
@@ -1,212 +0,0 @@
1From 4488e1f5ef40441c9846b1d0a29152c208a05e66 Mon Sep 17 00:00:00 2001
2From: Jan Kara <jack@suse.cz>
3Date: Sun, 17 Aug 2014 11:49:57 +0200
4Subject: [PATCH] isofs: Fix unbounded recursion when processing relocated
5 directories
6
7commit 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4 upstream.
8
9We did not check relocated directory in any way when processing Rock
10Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
11entry pointing to another CL entry leading to possibly unbounded
12recursion in kernel code and thus stack overflow or deadlocks (if there
13is a loop created from CL entries).
14
15Fix the problem by not allowing CL entry to point to a directory entry
16with CL entry (such use makes no good sense anyway) and by checking
17whether CL entry doesn't point to itself.
18
19Upstream status: backported (from v3.12 e4ca8b780c82c04ec0)
20
21Reported-by: Chris Evans <cevans@google.com>
22Signed-off-by: Jan Kara <jack@suse.cz>
23Signed-off-by: Jiri Slaby <jslaby@suse.cz>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 fs/isofs/inode.c | 15 ++++++++-------
27 fs/isofs/isofs.h | 23 +++++++++++++++++++----
28 fs/isofs/rock.c | 39 ++++++++++++++++++++++++++++-----------
29 3 files changed, 55 insertions(+), 22 deletions(-)
30
31diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
32index e5d408a..2e2af97 100644
33--- a/fs/isofs/inode.c
34+++ b/fs/isofs/inode.c
35@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb)
36 return;
37 }
38
39-static int isofs_read_inode(struct inode *);
40+static int isofs_read_inode(struct inode *, int relocated);
41 static int isofs_statfs (struct dentry *, struct kstatfs *);
42
43 static struct kmem_cache *isofs_inode_cachep;
44@@ -1258,7 +1258,7 @@ out_toomany:
45 goto out;
46 }
47
48-static int isofs_read_inode(struct inode *inode)
49+static int isofs_read_inode(struct inode *inode, int relocated)
50 {
51 struct super_block *sb = inode->i_sb;
52 struct isofs_sb_info *sbi = ISOFS_SB(sb);
53@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode)
54 */
55
56 if (!high_sierra) {
57- parse_rock_ridge_inode(de, inode);
58+ parse_rock_ridge_inode(de, inode, relocated);
59 /* if we want uid/gid set, override the rock ridge setting */
60 if (sbi->s_uid_set)
61 inode->i_uid = sbi->s_uid;
62@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data)
63 * offset that point to the underlying meta-data for the inode. The
64 * code below is otherwise similar to the iget() code in
65 * include/linux/fs.h */
66-struct inode *isofs_iget(struct super_block *sb,
67- unsigned long block,
68- unsigned long offset)
69+struct inode *__isofs_iget(struct super_block *sb,
70+ unsigned long block,
71+ unsigned long offset,
72+ int relocated)
73 {
74 unsigned long hashval;
75 struct inode *inode;
76@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb,
77 return ERR_PTR(-ENOMEM);
78
79 if (inode->i_state & I_NEW) {
80- ret = isofs_read_inode(inode);
81+ ret = isofs_read_inode(inode, relocated);
82 if (ret < 0) {
83 iget_failed(inode);
84 inode = ERR_PTR(ret);
85diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
86index 9916723..0ac4c1f 100644
87--- a/fs/isofs/isofs.h
88+++ b/fs/isofs/isofs.h
89@@ -107,7 +107,7 @@ extern int iso_date(char *, int);
90
91 struct inode; /* To make gcc happy */
92
93-extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *);
94+extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated);
95 extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *);
96 extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *);
97
98@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int
99 extern struct buffer_head *isofs_bread(struct inode *, sector_t);
100 extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long);
101
102-extern struct inode *isofs_iget(struct super_block *sb,
103- unsigned long block,
104- unsigned long offset);
105+struct inode *__isofs_iget(struct super_block *sb,
106+ unsigned long block,
107+ unsigned long offset,
108+ int relocated);
109+
110+static inline struct inode *isofs_iget(struct super_block *sb,
111+ unsigned long block,
112+ unsigned long offset)
113+{
114+ return __isofs_iget(sb, block, offset, 0);
115+}
116+
117+static inline struct inode *isofs_iget_reloc(struct super_block *sb,
118+ unsigned long block,
119+ unsigned long offset)
120+{
121+ return __isofs_iget(sb, block, offset, 1);
122+}
123
124 /* Because the inode number is no longer relevant to finding the
125 * underlying meta-data for an inode, we are free to choose a more
126diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
127index c0bf424..f488bba 100644
128--- a/fs/isofs/rock.c
129+++ b/fs/isofs/rock.c
130@@ -288,12 +288,16 @@ eio:
131 goto out;
132 }
133
134+#define RR_REGARD_XA 1
135+#define RR_RELOC_DE 2
136+
137 static int
138 parse_rock_ridge_inode_internal(struct iso_directory_record *de,
139- struct inode *inode, int regard_xa)
140+ struct inode *inode, int flags)
141 {
142 int symlink_len = 0;
143 int cnt, sig;
144+ unsigned int reloc_block;
145 struct inode *reloc;
146 struct rock_ridge *rr;
147 int rootflag;
148@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
149
150 init_rock_state(&rs, inode);
151 setup_rock_ridge(de, inode, &rs);
152- if (regard_xa) {
153+ if (flags & RR_REGARD_XA) {
154 rs.chr += 14;
155 rs.len -= 14;
156 if (rs.len < 0)
157@@ -485,12 +489,22 @@ repeat:
158 "relocated directory\n");
159 goto out;
160 case SIG('C', 'L'):
161- ISOFS_I(inode)->i_first_extent =
162- isonum_733(rr->u.CL.location);
163- reloc =
164- isofs_iget(inode->i_sb,
165- ISOFS_I(inode)->i_first_extent,
166- 0);
167+ if (flags & RR_RELOC_DE) {
168+ printk(KERN_ERR
169+ "ISOFS: Recursive directory relocation "
170+ "is not supported\n");
171+ goto eio;
172+ }
173+ reloc_block = isonum_733(rr->u.CL.location);
174+ if (reloc_block == ISOFS_I(inode)->i_iget5_block &&
175+ ISOFS_I(inode)->i_iget5_offset == 0) {
176+ printk(KERN_ERR
177+ "ISOFS: Directory relocation points to "
178+ "itself\n");
179+ goto eio;
180+ }
181+ ISOFS_I(inode)->i_first_extent = reloc_block;
182+ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0);
183 if (IS_ERR(reloc)) {
184 ret = PTR_ERR(reloc);
185 goto out;
186@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit)
187 return rpnt;
188 }
189
190-int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
191+int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode,
192+ int relocated)
193 {
194- int result = parse_rock_ridge_inode_internal(de, inode, 0);
195+ int flags = relocated ? RR_RELOC_DE : 0;
196+ int result = parse_rock_ridge_inode_internal(de, inode, flags);
197
198 /*
199 * if rockridge flag was reset and we didn't look for attributes
200@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
201 */
202 if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1)
203 && (ISOFS_SB(inode->i_sb)->s_rock == 2)) {
204- result = parse_rock_ridge_inode_internal(de, inode, 14);
205+ result = parse_rock_ridge_inode_internal(de, inode,
206+ flags | RR_REGARD_XA);
207 }
208 return result;
209 }
210--
2111.9.1
212
diff --git a/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
deleted file mode 100644
index 1ae600f..0000000
--- a/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
+++ /dev/null
@@ -1,47 +0,0 @@
1fs: umount on symlink leaks mnt count
2
3commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 upstream.
4
5Currently umount on symlink blocks following umount:
6
7/vz is separate mount
8
9drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir
10lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir
11umount: /vz/testlink: not mounted (expected)
12
13umount: /vz: device is busy. (unexpected)
14
15In this case mountpoint_last() gets an extra refcount on path->mnt
16
17Upstream-Status: Backport
18
19Signed-off-by: Vasily Averin <vvs@openvz.org>
20Acked-by: Ian Kent <raven@themaw.net>
21Acked-by: Jeff Layton <jlayton@primarydata.com>
22Cc: stable@vger.kernel.org
23Signed-off-by: Christoph Hellwig <hch@lst.de>
24Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
25---
26 fs/namei.c | 3 ++-
27 1 file changed, 2 insertions(+), 1 deletion(-)
28
29diff --git a/fs/namei.c b/fs/namei.c
30index 187cacf..c199dcc 100644
31--- a/fs/namei.c
32+++ b/fs/namei.c
33@@ -2280,9 +2280,10 @@ done:
34 goto out;
35 }
36 path->dentry = dentry;
37- path->mnt = mntget(nd->path.mnt);
38+ path->mnt = nd->path.mnt;
39 if (should_follow_link(dentry->d_inode, nd->flags & LOOKUP_FOLLOW))
40 return 1;
41+ mntget(path->mnt);
42 follow_mount(path);
43 error = 0;
44 out:
45--
461.9.1
47
diff --git a/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch b/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
deleted file mode 100644
index a0bdc27..0000000
--- a/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
+++ /dev/null
@@ -1,91 +0,0 @@
1From 6004b0e5ac2e8e9e1bb0f012dc9242e03cca95df Mon Sep 17 00:00:00 2001
2From: Andy Lutomirski <luto@amacapital.net>
3Date: Wed, 28 May 2014 23:09:58 -0400
4Subject: [PATCH] auditsc: audit_krule mask accesses need bounds checking
5
6commit a3c54931199565930d6d84f4c3456f6440aefd41 upstream.
7
8Fixes an easy DoS and possible information disclosure.
9
10This does nothing about the broken state of x32 auditing.
11
12eparis: If the admin has enabled auditd and has specifically loaded
13audit rules. This bug has been around since before git. Wow...
14
15This fixes CVE-2014-3917
16Upstream-Status: Backport
17
18Signed-off-by: Andy Lutomirski <luto@amacapital.net>
19Signed-off-by: Eric Paris <eparis@redhat.com>
20Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
21Signed-off-by: Jiri Slaby <jslaby@suse.cz>
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 kernel/auditsc.c | 27 ++++++++++++++++++---------
25 1 file changed, 18 insertions(+), 9 deletions(-)
26
27diff --git a/kernel/auditsc.c b/kernel/auditsc.c
28index 3b79a47..979c00b 100644
29--- a/kernel/auditsc.c
30+++ b/kernel/auditsc.c
31@@ -733,6 +733,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
32 return AUDIT_BUILD_CONTEXT;
33 }
34
35+static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
36+{
37+ int word, bit;
38+
39+ if (val > 0xffffffff)
40+ return false;
41+
42+ word = AUDIT_WORD(val);
43+ if (word >= AUDIT_BITMASK_SIZE)
44+ return false;
45+
46+ bit = AUDIT_BIT(val);
47+
48+ return rule->mask[word] & bit;
49+}
50+
51 /* At syscall entry and exit time, this filter is called if the
52 * audit_state is not low enough that auditing cannot take place, but is
53 * also not high enough that we already know we have to write an audit
54@@ -750,11 +766,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
55
56 rcu_read_lock();
57 if (!list_empty(list)) {
58- int word = AUDIT_WORD(ctx->major);
59- int bit = AUDIT_BIT(ctx->major);
60-
61 list_for_each_entry_rcu(e, list, list) {
62- if ((e->rule.mask[word] & bit) == bit &&
63+ if (audit_in_mask(&e->rule, ctx->major) &&
64 audit_filter_rules(tsk, &e->rule, ctx, NULL,
65 &state, false)) {
66 rcu_read_unlock();
67@@ -774,20 +787,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
68 static int audit_filter_inode_name(struct task_struct *tsk,
69 struct audit_names *n,
70 struct audit_context *ctx) {
71- int word, bit;
72 int h = audit_hash_ino((u32)n->ino);
73 struct list_head *list = &audit_inode_hash[h];
74 struct audit_entry *e;
75 enum audit_state state;
76
77- word = AUDIT_WORD(ctx->major);
78- bit = AUDIT_BIT(ctx->major);
79-
80 if (list_empty(list))
81 return 0;
82
83 list_for_each_entry_rcu(e, list, list) {
84- if ((e->rule.mask[word] & bit) == bit &&
85+ if (audit_in_mask(&e->rule, ctx->major) &&
86 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
87 ctx->current_state = state;
88 return 1;
89--
901.9.1
91
diff --git a/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
deleted file mode 100644
index 0cd9c95..0000000
--- a/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001
2From: Michael Halcrow <mhalcrow@google.com>
3Date: Wed, 26 Nov 2014 09:09:16 -0800
4Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name
5 decode routine
6
7commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.
8
9Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
10end of the allocated buffer during encrypted filename decoding. This
11fix corrects the issue by getting rid of the unnecessary 0 write when
12the current bit offset is 2.
13
14Fixes CVE-2014-9683
15Upstream-Status: Backport
16
17Signed-off-by: Michael Halcrow <mhalcrow@google.com>
18Reported-by: Dmitry Chernenkov <dmitryc@google.com>
19Suggested-by: Kees Cook <keescook@chromium.org>
20Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
21Signed-off-by: Jiri Slaby <jslaby@suse.cz>
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 fs/ecryptfs/crypto.c | 1 -
25 1 file changed, 1 deletion(-)
26
27diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
28index 000eae2..bf926f7 100644
29--- a/fs/ecryptfs/crypto.c
30+++ b/fs/ecryptfs/crypto.c
31@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
32 break;
33 case 2:
34 dst[dst_byte_offset++] |= (src_byte);
35- dst[dst_byte_offset] = 0;
36 current_bit_offset = 0;
37 break;
38 }
39--
401.9.1
41
diff --git a/recipes-kernel/linux/files/fs-CVE-2014-4014.patch b/recipes-kernel/linux/files/fs-CVE-2014-4014.patch
deleted file mode 100644
index a61ae4c..0000000
--- a/recipes-kernel/linux/files/fs-CVE-2014-4014.patch
+++ /dev/null
@@ -1,210 +0,0 @@
1From 2246a472bce19c0d373fb5488a0e612e3328ce0a Mon Sep 17 00:00:00 2001
2From: Andy Lutomirski <luto@amacapital.net>
3Date: Tue, 10 Jun 2014 12:45:42 -0700
4Subject: [PATCH] fs,userns: Change inode_capable to capable_wrt_inode_uidgid
5
6commit 23adbe12ef7d3d4195e80800ab36b37bee28cd03 upstream.
7
8The kernel has no concept of capabilities with respect to inodes; inodes
9exist independently of namespaces. For example, inode_capable(inode,
10CAP_LINUX_IMMUTABLE) would be nonsense.
11
12This patch changes inode_capable to check for uid and gid mappings and
13renames it to capable_wrt_inode_uidgid, which should make it more
14obvious what it does.
15
16Fixes CVE-2014-4014.
17Upstream-Status: Backport
18
19Cc: Theodore Ts'o <tytso@mit.edu>
20Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
21Cc: "Eric W. Biederman" <ebiederm@xmission.com>
22Cc: Dave Chinner <david@fromorbit.com>
23Signed-off-by: Andy Lutomirski <luto@amacapital.net>
24Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
25Signed-off-by: Jiri Slaby <jslaby@suse.cz>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 fs/attr.c | 8 ++++----
29 fs/inode.c | 10 +++++++---
30 fs/namei.c | 11 ++++++-----
31 fs/xfs/xfs_ioctl.c | 2 +-
32 include/linux/capability.h | 2 +-
33 kernel/capability.c | 20 ++++++++------------
34 6 files changed, 27 insertions(+), 26 deletions(-)
35
36diff --git a/fs/attr.c b/fs/attr.c
37index 8dd5825..66fa625 100644
38--- a/fs/attr.c
39+++ b/fs/attr.c
40@@ -50,14 +50,14 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)
41 if ((ia_valid & ATTR_UID) &&
42 (!uid_eq(current_fsuid(), inode->i_uid) ||
43 !uid_eq(attr->ia_uid, inode->i_uid)) &&
44- !inode_capable(inode, CAP_CHOWN))
45+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
46 return -EPERM;
47
48 /* Make sure caller can chgrp. */
49 if ((ia_valid & ATTR_GID) &&
50 (!uid_eq(current_fsuid(), inode->i_uid) ||
51 (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
52- !inode_capable(inode, CAP_CHOWN))
53+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
54 return -EPERM;
55
56 /* Make sure a caller can chmod. */
57@@ -67,7 +67,7 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)
58 /* Also check the setgid bit! */
59 if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
60 inode->i_gid) &&
61- !inode_capable(inode, CAP_FSETID))
62+ !capable_wrt_inode_uidgid(inode, CAP_FSETID))
63 attr->ia_mode &= ~S_ISGID;
64 }
65
66@@ -160,7 +160,7 @@ void setattr_copy(struct inode *inode, const struct iattr *attr)
67 umode_t mode = attr->ia_mode;
68
69 if (!in_group_p(inode->i_gid) &&
70- !inode_capable(inode, CAP_FSETID))
71+ !capable_wrt_inode_uidgid(inode, CAP_FSETID))
72 mode &= ~S_ISGID;
73 inode->i_mode = mode;
74 }
75diff --git a/fs/inode.c b/fs/inode.c
76index b33ba8e..1e6e846 100644
77--- a/fs/inode.c
78+++ b/fs/inode.c
79@@ -1808,14 +1808,18 @@ EXPORT_SYMBOL(inode_init_owner);
80 * inode_owner_or_capable - check current task permissions to inode
81 * @inode: inode being checked
82 *
83- * Return true if current either has CAP_FOWNER to the inode, or
84- * owns the file.
85+ * Return true if current either has CAP_FOWNER in a namespace with the
86+ * inode owner uid mapped, or owns the file.
87 */
88 bool inode_owner_or_capable(const struct inode *inode)
89 {
90+ struct user_namespace *ns;
91+
92 if (uid_eq(current_fsuid(), inode->i_uid))
93 return true;
94- if (inode_capable(inode, CAP_FOWNER))
95+
96+ ns = current_user_ns();
97+ if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))
98 return true;
99 return false;
100 }
101diff --git a/fs/namei.c b/fs/namei.c
102index 187cacf..338d08b 100644
103--- a/fs/namei.c
104+++ b/fs/namei.c
105@@ -321,10 +321,11 @@ int generic_permission(struct inode *inode, int mask)
106
107 if (S_ISDIR(inode->i_mode)) {
108 /* DACs are overridable for directories */
109- if (inode_capable(inode, CAP_DAC_OVERRIDE))
110+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
111 return 0;
112 if (!(mask & MAY_WRITE))
113- if (inode_capable(inode, CAP_DAC_READ_SEARCH))
114+ if (capable_wrt_inode_uidgid(inode,
115+ CAP_DAC_READ_SEARCH))
116 return 0;
117 return -EACCES;
118 }
119@@ -334,7 +335,7 @@ int generic_permission(struct inode *inode, int mask)
120 * at least one exec bit set.
121 */
122 if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
123- if (inode_capable(inode, CAP_DAC_OVERRIDE))
124+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
125 return 0;
126
127 /*
128@@ -342,7 +343,7 @@ int generic_permission(struct inode *inode, int mask)
129 */
130 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
131 if (mask == MAY_READ)
132- if (inode_capable(inode, CAP_DAC_READ_SEARCH))
133+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
134 return 0;
135
136 return -EACCES;
137@@ -2404,7 +2405,7 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)
138 return 0;
139 if (uid_eq(dir->i_uid, fsuid))
140 return 0;
141- return !inode_capable(inode, CAP_FOWNER);
142+ return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
143 }
144
145 /*
146diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
147index 8c8ef24..52b5375 100644
148--- a/fs/xfs/xfs_ioctl.c
149+++ b/fs/xfs/xfs_ioctl.c
150@@ -1133,7 +1133,7 @@ xfs_ioctl_setattr(
151 * cleared upon successful return from chown()
152 */
153 if ((ip->i_d.di_mode & (S_ISUID|S_ISGID)) &&
154- !inode_capable(VFS_I(ip), CAP_FSETID))
155+ !capable_wrt_inode_uidgid(VFS_I(ip), CAP_FSETID))
156 ip->i_d.di_mode &= ~(S_ISUID|S_ISGID);
157
158 /*
159diff --git a/include/linux/capability.h b/include/linux/capability.h
160index a6ee1f9..84b13ad 100644
161--- a/include/linux/capability.h
162+++ b/include/linux/capability.h
163@@ -210,7 +210,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,
164 struct user_namespace *ns, int cap);
165 extern bool capable(int cap);
166 extern bool ns_capable(struct user_namespace *ns, int cap);
167-extern bool inode_capable(const struct inode *inode, int cap);
168+extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
169 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
170
171 /* audit system wants to get cap info from files as well */
172diff --git a/kernel/capability.c b/kernel/capability.c
173index 4e66bf9..788653b 100644
174--- a/kernel/capability.c
175+++ b/kernel/capability.c
176@@ -433,23 +433,19 @@ bool capable(int cap)
177 EXPORT_SYMBOL(capable);
178
179 /**
180- * inode_capable - Check superior capability over inode
181+ * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
182 * @inode: The inode in question
183 * @cap: The capability in question
184 *
185- * Return true if the current task has the given superior capability
186- * targeted at it's own user namespace and that the given inode is owned
187- * by the current user namespace or a child namespace.
188- *
189- * Currently we check to see if an inode is owned by the current
190- * user namespace by seeing if the inode's owner maps into the
191- * current user namespace.
192- *
193+ * Return true if the current task has the given capability targeted at
194+ * its own user namespace and that the given inode's uid and gid are
195+ * mapped into the current user namespace.
196 */
197-bool inode_capable(const struct inode *inode, int cap)
198+bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
199 {
200 struct user_namespace *ns = current_user_ns();
201
202- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
203+ return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
204+ kgid_has_mapping(ns, inode->i_gid);
205 }
206-EXPORT_SYMBOL(inode_capable);
207+EXPORT_SYMBOL(capable_wrt_inode_uidgid);
208--
2091.9.1
210
diff --git a/recipes-kernel/linux/files/mm-2014-3122.patch b/recipes-kernel/linux/files/mm-2014-3122.patch
deleted file mode 100644
index 590af0a..0000000
--- a/recipes-kernel/linux/files/mm-2014-3122.patch
+++ /dev/null
@@ -1,98 +0,0 @@
1From 77552735ba84a410447af7e3375625eb4cfd577b Mon Sep 17 00:00:00 2001
2From: Vlastimil Babka <vbabka@suse.cz>
3Date: Mon, 7 Apr 2014 15:37:50 -0700
4Subject: [PATCH] mm: try_to_unmap_cluster() should lock_page() before mlocking
5
6commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream.
7
8A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin
9fuzzing with trinity. The call site try_to_unmap_cluster() does not lock
10the pages other than its check_page parameter (which is already locked).
11
12The BUG_ON in mlock_vma_page() is not documented and its purpose is
13somewhat unclear, but apparently it serializes against page migration,
14which could otherwise fail to transfer the PG_mlocked flag. This would
15not be fatal, as the page would be eventually encountered again, but
16NR_MLOCK accounting would become distorted nevertheless. This patch adds
17a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that
18effect.
19
20The call site try_to_unmap_cluster() is fixed so that for page !=
21check_page, trylock_page() is attempted (to avoid possible deadlocks as we
22already have check_page locked) and mlock_vma_page() is performed only
23upon success. If the page lock cannot be obtained, the page is left
24without PG_mlocked, which is again not a problem in the whole unevictable
25memory design.
26
27Fixes CVE-2014-3122
28Upstream-Status: Backport
29
30Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
31Signed-off-by: Bob Liu <bob.liu@oracle.com>
32Reported-by: Sasha Levin <sasha.levin@oracle.com>
33Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
34Cc: Michel Lespinasse <walken@google.com>
35Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
36Acked-by: Rik van Riel <riel@redhat.com>
37Cc: David Rientjes <rientjes@google.com>
38Cc: Mel Gorman <mgorman@suse.de>
39Cc: Hugh Dickins <hughd@google.com>
40Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
41Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
42Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
43Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
44Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
45---
46 mm/mlock.c | 2 ++
47 mm/rmap.c | 14 ++++++++++++--
48 2 files changed, 14 insertions(+), 2 deletions(-)
49
50diff --git a/mm/mlock.c b/mm/mlock.c
51index 79b7cf7..713e462 100644
52--- a/mm/mlock.c
53+++ b/mm/mlock.c
54@@ -76,6 +76,7 @@ void clear_page_mlock(struct page *page)
55 */
56 void mlock_vma_page(struct page *page)
57 {
58+ /* Serialize with page migration */
59 BUG_ON(!PageLocked(page));
60
61 if (!TestSetPageMlocked(page)) {
62@@ -106,6 +107,7 @@ unsigned int munlock_vma_page(struct page *page)
63 {
64 unsigned int page_mask = 0;
65
66+ /* For try_to_munlock() and to serialize with page migration */
67 BUG_ON(!PageLocked(page));
68
69 if (TestClearPageMlocked(page)) {
70diff --git a/mm/rmap.c b/mm/rmap.c
71index 3f60774..fbf0040 100644
72--- a/mm/rmap.c
73+++ b/mm/rmap.c
74@@ -1390,9 +1390,19 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount,
75 BUG_ON(!page || PageAnon(page));
76
77 if (locked_vma) {
78- mlock_vma_page(page); /* no-op if already mlocked */
79- if (page == check_page)
80+ if (page == check_page) {
81+ /* we know we have check_page locked */
82+ mlock_vma_page(page);
83 ret = SWAP_MLOCK;
84+ } else if (trylock_page(page)) {
85+ /*
86+ * If we can lock the page, perform mlock.
87+ * Otherwise leave the page alone, it will be
88+ * eventually encountered again later.
89+ */
90+ mlock_vma_page(page);
91+ unlock_page(page);
92+ }
93 continue; /* don't unmap */
94 }
95
96--
971.9.1
98
diff --git a/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
index 635c2bb..7d109ed 100644
--- a/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
+++ b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
@@ -14,14 +14,13 @@ This has been tested on t1040rdb-64b. .
14 14
15Signed-off-by: Bob Cochran <yocto@mindchasers.com> 15Signed-off-by: Bob Cochran <yocto@mindchasers.com>
16--- 16---
17 arch/powerpc/configs/corenet32_fmanv3_smp_defconfig | 2 +- 17 arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig | 2 +-
18 arch/powerpc/configs/corenet64_fmanv3_smp_defconfig | 2 +- 18 1 files changed, 1 insertions(+), 1 deletions(-)
19 2 files changed, 2 insertions(+), 2 deletions(-)
20 19
21diff --git a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig 20diff --git a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
22index a401e7c..5542248 100644 21index a401e7c..5542248 100644
23--- a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig 22--- a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
24+++ b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig 23+++ b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
25@@ -1,6 +1,6 @@ 24@@ -1,6 +1,6 @@
26 CONFIG_PPC_85xx=y 25 CONFIG_PPC_85xx=y
27 CONFIG_SMP=y 26 CONFIG_SMP=y
@@ -30,18 +29,5 @@ index a401e7c..5542248 100644
30 CONFIG_EXPERIMENTAL=y 29 CONFIG_EXPERIMENTAL=y
31 CONFIG_SYSVIPC=y 30 CONFIG_SYSVIPC=y
32 CONFIG_POSIX_MQUEUE=y 31 CONFIG_POSIX_MQUEUE=y
33diff --git a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
34index 1b987d9..bc0dacf 100644
35--- a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
36+++ b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig
37@@ -2,7 +2,7 @@ CONFIG_PPC64=y
38 CONFIG_PPC_BOOK3E_64=y
39 CONFIG_ALTIVEC=y
40 CONFIG_SMP=y
41-CONFIG_NR_CPUS=24
42+CONFIG_NR_CPUS=4
43 CONFIG_SYSVIPC=y
44 CONFIG_POSIX_MQUEUE=y
45 CONFIG_IRQ_DOMAIN_DEBUG=y
46-- 32--
471.7.9.5 331.7.9.5
diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
index 6fc5610..ddcb6c5 100644
--- a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
+++ b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
@@ -126,9 +126,9 @@ diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
126index dfe3f36..56ebe71 100644 126index dfe3f36..56ebe71 100644
127--- a/net/sctp/sm_statefuns.c 127--- a/net/sctp/sm_statefuns.c
128+++ b/net/sctp/sm_statefuns.c 128+++ b/net/sctp/sm_statefuns.c
129@@ -759,6 +759,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net, 129@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
130 struct sctp_chunk auth; 130 return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
131 sctp_ierror_t ret; 131 }
132 132
133+ /* Make sure that we and the peer are AUTH capable */ 133+ /* Make sure that we and the peer are AUTH capable */
134+ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { 134+ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
diff --git a/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch b/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
deleted file mode 100644
index 2fdcc9f..0000000
--- a/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
+++ /dev/null
@@ -1,80 +0,0 @@
1From 7998eb3dc700aaf499f93f50b3d77da834ef9e1d Mon Sep 17 00:00:00 2001
2From: Guenter Roeck <linux@roeck-us.net>
3Date: Thu, 15 May 2014 09:33:42 -0700
4Subject: powerpc: Fix 64 bit builds with binutils 2.24
5
6Upstream-Status: Backport
7
8With binutils 2.24, various 64 bit builds fail with relocation errors
9such as
10
11arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
12 (.text+0x165ee): relocation truncated to fit: R_PPC64_ADDR16_HI
13 against symbol `interrupt_base_book3e' defined in .text section
14 in arch/powerpc/kernel/built-in.o
15arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
16 (.text+0x16602): relocation truncated to fit: R_PPC64_ADDR16_HI
17 against symbol `interrupt_end_book3e' defined in .text section
18 in arch/powerpc/kernel/built-in.o
19
20The assembler maintainer says:
21
22 I changed the ABI, something that had to be done but unfortunately
23 happens to break the booke kernel code. When building up a 64-bit
24 value with lis, ori, shl, oris, ori or similar sequences, you now
25 should use @high and @higha in place of @h and @ha. @h and @ha
26 (and their associated relocs R_PPC64_ADDR16_HI and R_PPC64_ADDR16_HA)
27 now report overflow if the value is out of 32-bit signed range.
28 ie. @h and @ha assume you're building a 32-bit value. This is needed
29 to report out-of-range -mcmodel=medium toc pointer offsets in @toc@h
30 and @toc@ha expressions, and for consistency I did the same for all
31 other @h and @ha relocs.
32
33Replacing @h with @high in one strategic location fixes the relocation
34errors. This has to be done conditionally since the assembler either
35supports @h or @high but not both.
36
37Cc: <stable@vger.kernel.org>
38Signed-off-by: Guenter Roeck <linux@roeck-us.net>
39Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
40
41diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
42index 4c0cedf..ce4c68a 100644
43--- a/arch/powerpc/Makefile
44+++ b/arch/powerpc/Makefile
45@@ -150,7 +150,9 @@ endif
46
47 CFLAGS-$(CONFIG_TUNE_CELL) += $(call cc-option,-mtune=cell)
48
49-KBUILD_CPPFLAGS += -Iarch/$(ARCH)
50+asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1)
51+
52+KBUILD_CPPFLAGS += -Iarch/$(ARCH) $(asinstr)
53 KBUILD_AFLAGS += -Iarch/$(ARCH)
54 KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
55 CPP = $(CC) -E $(KBUILD_CFLAGS)
56diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
57index 6586a40..cded7c1 100644
58--- a/arch/powerpc/include/asm/ppc_asm.h
59+++ b/arch/powerpc/include/asm/ppc_asm.h
60@@ -318,11 +318,16 @@ n:
61 addi reg,reg,(name - 0b)@l;
62
63 #ifdef __powerpc64__
64+#ifdef HAVE_AS_ATHIGH
65+#define __AS_ATHIGH high
66+#else
67+#define __AS_ATHIGH h
68+#endif
69 #define LOAD_REG_IMMEDIATE(reg,expr) \
70 lis reg,(expr)@highest; \
71 ori reg,reg,(expr)@higher; \
72 rldicr reg,reg,32,31; \
73- oris reg,reg,(expr)@h; \
74+ oris reg,reg,(expr)@__AS_ATHIGH; \
75 ori reg,reg,(expr)@l;
76
77 #define LOAD_REG_ADDR(reg,name) \
78--
79cgit v0.10.1
80
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
deleted file mode 100644
index e7b1228..0000000
--- a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
+++ /dev/null
@@ -1,51 +0,0 @@
1From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
2From: Xufeng Zhang <xufeng.zhang@windriver.com>
3Date: Thu, 12 Jun 2014 10:53:36 +0800
4Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
5
6[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
7
8Consider the scenario:
9For a TCP-style socket, while processing the COOKIE_ECHO chunk in
10sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
11a new association would be created in sctp_unpack_cookie(), but afterwards,
12some processing maybe failed, and sctp_association_free() will be called to
13free the previously allocated association, in sctp_association_free(),
14sk_ack_backlog value is decremented for this socket, since the initial
15value for sk_ack_backlog is 0, after the decrement, it will be 65535,
16a wrap-around problem happens, and if we want to establish new associations
17afterward in the same socket, ABORT would be triggered since sctp deem the
18accept queue as full.
19Fix this issue by only decrementing sk_ack_backlog for associations in
20the endpoint's list.
21
22Fixes CVE-2014-4667
23Upstream-Status: Backport
24
25Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
26Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
27Acked-by: Daniel Borkmann <dborkman@redhat.com>
28Acked-by: Vlad Yasevich <vyasevich@gmail.com>
29Signed-off-by: David S. Miller <davem@davemloft.net>
30Signed-off-by: Jiri Slaby <jslaby@suse.cz>
31Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
32---
33 net/sctp/associola.c | 2 +-
34 1 file changed, 1 insertion(+), 1 deletion(-)
35
36diff --git a/net/sctp/associola.c b/net/sctp/associola.c
37index cef5099..f6d6dcd 100644
38--- a/net/sctp/associola.c
39+++ b/net/sctp/associola.c
40@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
41 /* Only real associations count against the endpoint, so
42 * don't bother for if this is a temporary association.
43 */
44- if (!asoc->temp) {
45+ if (!list_empty(&asoc->asocs)) {
46 list_del(&asoc->asocs);
47
48 /* Decrement the backlog value for a TCP-style listening
49--
501.9.1
51
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
deleted file mode 100644
index 0c4beb3..0000000
--- a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
+++ /dev/null
@@ -1,85 +0,0 @@
1From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <dborkman@redhat.com>
3Date: Mon, 10 Nov 2014 17:54:26 +0100
4Subject: [PATCH] net: sctp: fix NULL pointer dereference in
5 af->from_addr_param on malformed packet
6
7[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ]
8
9An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
10in the form of:
11
12 ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
13
14While the INIT chunk parameter verification dissects through many things
15in order to detect malformed input, it misses to actually check parameters
16inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
17IP address' parameter in ASCONF, which has as a subparameter an address
18parameter.
19
20So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
21or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
22and thus sctp_get_af_specific() returns NULL, too, which we then happily
23dereference unconditionally through af->from_addr_param().
24
25The trace for the log:
26
27BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
28IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
29PGD 0
30Oops: 0000 [#1] SMP
31[...]
32Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
33RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
34[...]
35Call Trace:
36 <IRQ>
37 [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
38 [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
39 [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
40 [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
41 [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
42 [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
43 [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
44 [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
45 [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
46 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
47 [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
48 [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
49[...]
50
51A minimal way to address this is to check for NULL as we do on all
52other such occasions where we know sctp_get_af_specific() could
53possibly return with NULL.
54
55Fix for CVE-2014-7841
56Upstream-Status: Backport
57
58Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
59Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
60Cc: Vlad Yasevich <vyasevich@gmail.com>
61Acked-by: Neil Horman <nhorman@tuxdriver.com>
62Signed-off-by: David S. Miller <davem@davemloft.net>
63Signed-off-by: Jiri Slaby <jslaby@suse.cz>
64Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
65---
66 net/sctp/sm_make_chunk.c | 3 +++
67 1 file changed, 3 insertions(+)
68
69diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
70index 1e06f3b..e342387 100644
71--- a/net/sctp/sm_make_chunk.c
72+++ b/net/sctp/sm_make_chunk.c
73@@ -2622,6 +2622,9 @@ do_addr_param:
74 addr_param = param.v + sizeof(sctp_addip_param_t);
75
76 af = sctp_get_af_specific(param_type2af(param.p->type));
77+ if (af == NULL)
78+ break;
79+
80 af->from_addr_param(&addr, addr_param,
81 htons(asoc->peer.port), 0);
82
83--
841.9.1
85
diff --git a/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch b/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch
deleted file mode 100644
index 573b530..0000000
--- a/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch
+++ /dev/null
@@ -1,53 +0,0 @@
1From a7033e302dcd38bb4333f46b3fdcd930955e402d Mon Sep 17 00:00:00 2001
2From: Sasha Levin <sasha.levin@oracle.com>
3Date: Mon, 29 Dec 2014 09:39:01 -0500
4Subject: [PATCH] KEYS: close race between key lookup and freeing
5
6commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.
7
8When a key is being garbage collected, it's key->user would get put before
9the ->destroy() callback is called, where the key is removed from it's
10respective tracking structures.
11
12This leaves a key hanging in a semi-invalid state which leaves a window open
13for a different task to try an access key->user. An example is
14find_keyring_by_name() which would dereference key->user for a key that is
15in the process of being garbage collected (where key->user was freed but
16->destroy() wasn't called yet - so it's still present in the linked list).
17
18This would cause either a panic, or corrupt memory.
19
20Fixes CVE-2014-9529.
21
22Upstream-Status: Backport
23
24Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
25Signed-off-by: David Howells <dhowells@redhat.com>
26Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
27Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
28---
29 security/keys/gc.c | 4 ++--
30 1 file changed, 2 insertions(+), 2 deletions(-)
31
32diff --git a/security/keys/gc.c b/security/keys/gc.c
33index d67c97b..7978186 100644
34--- a/security/keys/gc.c
35+++ b/security/keys/gc.c
36@@ -201,12 +201,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
37 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
38 atomic_dec(&key->user->nikeys);
39
40- key_user_put(key->user);
41-
42 /* now throw away the key memory */
43 if (key->type->destroy)
44 key->type->destroy(key);
45
46+ key_user_put(key->user);
47+
48 kfree(key->description);
49
50 #ifdef KEY_DEBUGGING
51--
521.9.1
53
diff --git a/recipes-kernel/linux/files/target-CVE-2014-4027.patch b/recipes-kernel/linux/files/target-CVE-2014-4027.patch
deleted file mode 100644
index 0f8b49c..0000000
--- a/recipes-kernel/linux/files/target-CVE-2014-4027.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From 186f32e2096c7d9cd9106b8dedd79c596f4c8398 Mon Sep 17 00:00:00 2001
2From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
3Date: Mon, 16 Jun 2014 20:59:52 +0000
4Subject: [PATCH] target: Explicitly clear ramdisk_mcp backend pages
5
6[Note that a different patch to address the same issue went in during
7v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
8don't strictly apply to fixing the bug]
9
10This patch changes rd_allocate_sgl_table() to explicitly clear
11ramdisk_mcp backend memory pages by passing __GFP_ZERO into
12alloc_pages().
13
14This addresses a potential security issue where reading from a
15ramdisk_mcp could return sensitive information, and follows what
16>= v3.15 does to explicitly clear ramdisk_mcp memory at backend
17device initialization time.
18
19This fixes CVE-2014-4027
20Upstream-Status: Backport
21
22Reported-by: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
23Cc: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
24Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
25Signed-off-by: Jiri Slaby <jslaby@suse.cz>
26Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27---
28 drivers/target/target_core_rd.c | 2 +-
29 1 file changed, 1 insertion(+), 1 deletion(-)
30
31diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
32index 131327a..9f6bede 100644
33--- a/drivers/target/target_core_rd.c
34+++ b/drivers/target/target_core_rd.c
35@@ -179,7 +179,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev)
36 - 1;
37
38 for (j = 0; j < sg_per_table; j++) {
39- pg = alloc_pages(GFP_KERNEL, 0);
40+ pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
41 if (!pg) {
42 pr_err("Unable to allocate scatterlist"
43 " pages for struct rd_dev_sg_table\n");
44--
451.9.1
46
diff --git a/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
deleted file mode 100644
index cc90f7d..0000000
--- a/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
+++ /dev/null
@@ -1,94 +0,0 @@
1From abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Mon Sep 17 00:00:00 2001
2From: Rabin Vincent <rabin@rab.in>
3Date: Wed, 29 Oct 2014 23:06:58 +0100
4Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range
5
6commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.
7
8ARM has some private syscalls (for example, set_tls(2)) which lie
9outside the range of NR_syscalls. If any of these are called while
10syscall tracing is being performed, out-of-bounds array access will
11occur in the ftrace and perf sys_{enter,exit} handlers.
12
13 # trace-cmd record -e raw_syscalls:* true && trace-cmd report
14 ...
15 true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
16 true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264
17 true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
18 true-653 [000] 384.675988: sys_exit: NR 983045 = 0
19 ...
20
21 # trace-cmd record -e syscalls:* true
22 [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace
23 [ 17.289590] pgd = 9e71c000
24 [ 17.289696] [aaaaaace] *pgd=00000000
25 [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
26 [ 17.290169] Modules linked in:
27 [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
28 [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
29 [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
30 [ 17.290866] LR is at syscall_trace_enter+0x124/0x184
31
32Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
33
34Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
35added the check for less than zero, but it should have also checked
36for greater than NR_syscalls.
37
38Fixes CVE-2014-7825 and CVE-2014-7826
39Upstream-Status: Backport
40
41Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
42
43Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
44Signed-off-by: Rabin Vincent <rabin@rab.in>
45Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
46Signed-off-by: Jiri Slaby <jslaby@suse.cz>
47Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
48---
49 kernel/trace/trace_syscalls.c | 8 ++++----
50 1 file changed, 4 insertions(+), 4 deletions(-)
51
52diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
53index 559329d..d8ce71b 100644
54--- a/kernel/trace/trace_syscalls.c
55+++ b/kernel/trace/trace_syscalls.c
56@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id)
57 int size;
58
59 syscall_nr = trace_get_syscall_nr(current, regs);
60- if (syscall_nr < 0)
61+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
62 return;
63 if (!test_bit(syscall_nr, tr->enabled_enter_syscalls))
64 return;
65@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret)
66 int syscall_nr;
67
68 syscall_nr = trace_get_syscall_nr(current, regs);
69- if (syscall_nr < 0)
70+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
71 return;
72 if (!test_bit(syscall_nr, tr->enabled_exit_syscalls))
73 return;
74@@ -557,7 +557,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
75 int size;
76
77 syscall_nr = trace_get_syscall_nr(current, regs);
78- if (syscall_nr < 0)
79+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
80 return;
81 if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
82 return;
83@@ -631,7 +631,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
84 int size;
85
86 syscall_nr = trace_get_syscall_nr(current, regs);
87- if (syscall_nr < 0)
88+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
89 return;
90 if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
91 return;
92--
931.9.1
94
diff --git a/recipes-kernel/linux/files/udf-CVE-2014-6410.patch b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
deleted file mode 100644
index 9086e0a..0000000
--- a/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
+++ /dev/null
@@ -1,96 +0,0 @@
1From 07d209bd092d023976fdb881ba6d4b30fe18aebe Mon Sep 17 00:00:00 2001
2From: Jan Kara <jack@suse.cz>
3Date: Thu, 4 Sep 2014 14:06:55 +0200
4Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
5
6commit c03aa9f6e1f938618e6db2e23afef0574efeeb65 upstream.
7
8We did not implement any bound on number of indirect ICBs we follow when
9loading inode. Thus corrupted medium could cause kernel to go into an
10infinite loop, possibly causing a stack overflow.
11
12Fix the possible stack overflow by removing recursion from
13__udf_read_inode() and limit number of indirect ICBs we follow to avoid
14infinite loops.
15
16Upstream-Status: Backport
17
18Signed-off-by: Jan Kara <jack@suse.cz>
19Cc: Chuck Ebbert <cebbert.lkml@gmail.com>
20Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
22---
23 fs/udf/inode.c | 35 +++++++++++++++++++++--------------
24 1 file changed, 21 insertions(+), 14 deletions(-)
25
26diff --git a/fs/udf/inode.c b/fs/udf/inode.c
27index b6d15d3..aa02328 100644
28--- a/fs/udf/inode.c
29+++ b/fs/udf/inode.c
30@@ -1270,13 +1270,22 @@ update_time:
31 return 0;
32 }
33
34+/*
35+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
36+ * arbitrary - just that we hopefully don't limit any real use of rewritten
37+ * inode on write-once media but avoid looping for too long on corrupted media.
38+ */
39+#define UDF_MAX_ICB_NESTING 1024
40+
41 static void __udf_read_inode(struct inode *inode)
42 {
43 struct buffer_head *bh = NULL;
44 struct fileEntry *fe;
45 uint16_t ident;
46 struct udf_inode_info *iinfo = UDF_I(inode);
47+ unsigned int indirections = 0;
48
49+reread:
50 /*
51 * Set defaults, but the inode is still incomplete!
52 * Note: get_new_inode() sets the following on a new inode:
53@@ -1313,28 +1322,26 @@ static void __udf_read_inode(struct inode *inode)
54 ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
55 &ident);
56 if (ident == TAG_IDENT_IE && ibh) {
57- struct buffer_head *nbh = NULL;
58 struct kernel_lb_addr loc;
59 struct indirectEntry *ie;
60
61 ie = (struct indirectEntry *)ibh->b_data;
62 loc = lelb_to_cpu(ie->indirectICB.extLocation);
63
64- if (ie->indirectICB.extLength &&
65- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
66- &ident))) {
67- if (ident == TAG_IDENT_FE ||
68- ident == TAG_IDENT_EFE) {
69- memcpy(&iinfo->i_location,
70- &loc,
71- sizeof(struct kernel_lb_addr));
72- brelse(bh);
73- brelse(ibh);
74- brelse(nbh);
75- __udf_read_inode(inode);
76+ if (ie->indirectICB.extLength) {
77+ brelse(bh);
78+ brelse(ibh);
79+ memcpy(&iinfo->i_location, &loc,
80+ sizeof(struct kernel_lb_addr));
81+ if (++indirections > UDF_MAX_ICB_NESTING) {
82+ udf_err(inode->i_sb,
83+ "too many ICBs in ICB hierarchy"
84+ " (max %d supported)\n",
85+ UDF_MAX_ICB_NESTING);
86+ make_bad_inode(inode);
87 return;
88 }
89- brelse(nbh);
90+ goto reread;
91 }
92 }
93 brelse(ibh);
94--
951.9.1
96
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 1e9e476..3e0ab95 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -1,43 +1,7 @@
1require recipes-kernel/linux/linux-qoriq.inc 1require recipes-kernel/linux/linux-qoriq.inc
2 2
3SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ 3SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
4 file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \
5 file://Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch \
6 file://Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch \
7 file://Fix-CVE-2014-5471_CVE-2014-5472.patch \
8 file://modify-defconfig-t1040-nr-cpus.patch \ 4 file://modify-defconfig-t1040-nr-cpus.patch \
9 file://0001-mnt-CVE-2014-5206_CVE-2014-5207.patch \
10 file://0002-mnt-CVE-2014-5206_CVE-2014-5207.patch \
11 file://0003-mnt-CVE-2014-5206_CVE-2014-5207.patch \
12 file://0004-mnt-CVE-2014-5206_CVE-2014-5207.patch \
13 file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
14 file://udf-CVE-2014-6410.patch \
15 file://net-sctp-CVE-2014-0101.patch \ 5 file://net-sctp-CVE-2014-0101.patch \
16 file://0001-HID-CVE-2014-3181.patch \
17 file://0002-HID-CVE-2014-3182.patch \
18 file://0003-HID-CVE-2014-3184.patch \
19 file://0004-USB-CVE-2014-3185.patch \
20 file://0001-kvm-iommu-CVE-2014-3601.patch \
21 file://0002-kvm-iommu-CVE-2014-8369.patch \
22 file://0001-net-sctp-CVE-2014-3673.patch \
23 file://0002-net-sctp-CVE-2014-3687.patch \
24 file://0003-net-sctp-CVE-2014-3688.patch \
25 file://auditsc-CVE-2014-3917.patch \
26 file://0001-ALSA-CVE-2014-4652.patch \
27 file://0002-ALSA-CVE-2014-4653.patch \
28 file://sctp-CVE-2014-4667.patch \
29 file://sctp-CVE-2014-7841.patch \
30 file://0001-ALSA-CVE-2014-4656.patch \
31 file://0002-ALSA-CVE-2014-4656.patch \
32 file://target-CVE-2014-4027.patch \
33 file://mm-2014-3122.patch \
34 file://0001-shmem-CVE-2014-4171.patch \
35 file://0002-shmem-CVE-2014-4171.patch \
36 file://0003-shmem-CVE-2014-4171.patch \
37 file://fs-CVE-2014-4014.patch \
38 file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
39 file://security-keys-CVE-2014-9529.patch \
40 file://eCryptfs-CVE-2014-9683.patch \
41" 6"
42SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" 7SRCREV = "f488de6741d5ba805b9fe813d2ddf32368d3a888"
43
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-02 02:49:11 +0000