From 0253035a8af7a5be3e2de271cfe47d84543e8a00 Mon Sep 17 00:00:00 2001
From: Ting Liu
Date: Fri, 17 Jul 2015 15:17:38 +0800
Subject: [PATCH] linux-qoriq: update to revision f488de6

Minor version update to 3.12.37-rt51 with new features:

* e6500 hugepage TLB miss performance improvement
* T1023RDB support
* T1040D4RDB and T1042D4RDB support
* DIU [T1042]
* DPAA Ethernet: loadable module
* eMMC: DDR mode [T2080]
* eTSEC: Gianfar upstream updates and fixes
* fmlib: table statistics, stats extension
* IEEE802.1AE (MACSEC) and IEEE802.1X (port-based network access control) [T104x, T102x]
* IEEE1588 ptpd open source stack includes more DPAA processors: P1023, P2041, P3041, P5020, P5040, T4240, T1023
* LAG SGMII 2.5G ports support - IPv4 traffic forwarding on aggregated 2 x 2.5Gb L2 Switch FMAN ports [1040]
* LAG support of IPv6 traffic forwarding and TCP/UDP traffic over IPv6 forwarding (2 x 2.5Gb L2 Switch WAN) [1040]
* LAG support of IPv6 traffic forwarding and TCP/UDP traffic over IPv6 forwarding on both 1 G RGMII port and 1G SGMII port [1040]
* Power Management: Power off feature for all QDS boards except B9132QDS and B4860QDS
* SEC: QI Driver IPSec performance improvement
* SGMII 2.5G fixed link [T1024]
* USB: Dual UTMI

For detailed history, see
http://git.freescale.com/git/cgit.cgi/ppc/sdk/linux.git/tag/?id=fsl-sdk-v1.8

Also remove the patches that are already merged in 3.12.37-rt51.

Signed-off-by: Ting Liu
Acked-by: Otavio Salvador
Signed-off-by: Otavio Salvador
---
 .../linux/files/0001-ALSA-CVE-2014-4652.patch | 140 -------
 .../linux/files/0001-ALSA-CVE-2014-4656.patch | 43 ---
 .../linux/files/0001-HID-CVE-2014-3181.patch | 52 ---
 .../files/0001-kvm-iommu-CVE-2014-3601.patch | 94 -----
 ...0001-mnt-CVE-2014-5206_CVE-2014-5207.patch | 62 ----
 .../files/0001-net-sctp-CVE-2014-3673.patch | 348 ------------------
 .../files/0001-shmem-CVE-2014-4171.patch | 141 -------
 .../linux/files/0002-ALSA-CVE-2014-4653.patch | 92 -----
 .../linux/files/0002-ALSA-CVE-2014-4656.patch | 46 ---
 .../linux/files/0002-HID-CVE-2014-3182.patch | 65 ----
 .../files/0002-kvm-iommu-CVE-2014-8369.patch | 86 -----
 ...0002-mnt-CVE-2014-5206_CVE-2014-5207.patch | 62 ----
 .../files/0002-net-sctp-CVE-2014-3687.patch | 102 -----
 .../files/0002-shmem-CVE-2014-4171.patch | 200 ----------
 .../linux/files/0003-HID-CVE-2014-3184.patch | 114 ------
 ...0003-mnt-CVE-2014-5206_CVE-2014-5207.patch | 137 -------
 .../files/0003-net-sctp-CVE-2014-3688.patch | 160 --------
 .../files/0003-shmem-CVE-2014-4171.patch | 134 -------
 .../linux/files/0004-USB-CVE-2014-3185.patch | 51 ---
 ...0004-mnt-CVE-2014-5206_CVE-2014-5207.patch | 64 ----
 ...0005-mnt-CVE-2014-5206_CVE-2014-5207.patch | 324 ----------------
 ...erit-auth-capable-on-INIT-collisions.patch | 41 ---
 .../Fix-CVE-2014-5471_CVE-2014-5472.patch | 212 -----------
 ...-2014-5045-fs-umount-on-symlink-leak.patch | 47 ---
 .../linux/files/auditsc-CVE-2014-3917.patch | 91 -----
 .../linux/files/eCryptfs-CVE-2014-9683.patch | 41 ---
 .../linux/files/fs-CVE-2014-4014.patch | 210 ----------
 .../linux/files/mm-2014-3122.patch | 98 -----
 .../modify-defconfig-t1040-nr-cpus.patch | 24 +-
 .../linux/files/net-sctp-CVE-2014-0101.patch | 6 +-
 ...Fix-64-bit-builds-with-binutils-2.24.patch | 80 ----
 .../linux/files/sctp-CVE-2014-4667.patch | 51 ---
 .../linux/files/sctp-CVE-2014-7841.patch | 85 -----
 .../files/security-keys-CVE-2014-9529.patch | 53 ---
 .../linux/files/target-CVE-2014-4027.patch | 46 ---
 .../tracing-CVE-2014-7825_CVE-2014-7826.patch | 94 -----
 .../linux/files/udf-CVE-2014-6410.patch | 96 -----
 .../recipes-kernel/linux/linux-qoriq_3.12.bb | 38 +-
 38 files changed, 9 insertions(+), 3821 deletions(-)
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/fs-CVE-2014-4014.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/mm-2014-3122.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
 delete mode 100644 meta-fsl-ppc/recipes-kernel/linux/files/udf-CVE-2014-6410.patch

diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
deleted file mode 100644
index 01307688..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4652.patch
+++ /dev/null
@@ -1,140 +0,0 @@ -From ed81e6b21790b717cda5f5bab2bdb07d2ce17ab1 Mon Sep 17 00:00:00 2001 -From: Lars-Peter Clausen -Date: Wed, 18 Jun 2014 13:32:31 +0200 -Subject: [PATCH] ALSA: control: Protect user controls against concurrent - access - -commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 upstream. - -The user-control put and get handlers as well as the tlv do not protect against -concurrent access from multiple threads. Since the state of the control is not -updated atomically it is possible that either two write operations or a write -and a read operation race against each other. Both can lead to arbitrary memory -disclosure. This patch introduces a new lock that protects user-controls from -concurrent access. Since applications typically access controls sequentially -than in parallel a single lock per card should be fine. - -This fixes CVE-2014-4652 -Upstream-Status: Backport - -Signed-off-by: Lars-Peter Clausen -Acked-by: Jaroslav Kysela -Signed-off-by: Takashi Iwai -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - include/sound/core.h | 2 ++ - sound/core/control.c | 31 +++++++++++++++++++++++++------ - sound/core/init.c | 1 + - 3 files changed, 28 insertions(+), 6 deletions(-) - -diff --git a/include/sound/core.h b/include/sound/core.h -index 2a14f1f..d6bc961 100644 ---- a/include/sound/core.h -+++ b/include/sound/core.h -@@ -121,6 +121,8 @@ struct snd_card { - int user_ctl_count; /* count of all user controls */ - struct list_head controls; /* all controls for this card */ - struct list_head ctl_files; /* active control files */ -+ struct mutex user_ctl_lock; /* protects user controls against -+ concurrent access */ - - struct snd_info_entry *proc_root; /* root for soundcard specific files */ - struct snd_info_entry *proc_id; /* the card id */ -diff --git a/sound/core/control.c b/sound/core/control.c -index d8aa206..183fab2 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -992,6 +992,7 @@ static int snd_ctl_elem_unlock(struct 
snd_ctl_file *file, - - struct user_element { - struct snd_ctl_elem_info info; -+ struct snd_card *card; - void *elem_data; /* element data */ - unsigned long elem_data_size; /* size of element data in bytes */ - void *tlv_data; /* TLV data */ -@@ -1035,7 +1036,9 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol, - { - struct user_element *ue = kcontrol->private_data; - -+ mutex_lock(&ue->card->user_ctl_lock); - memcpy(&ucontrol->value, ue->elem_data, ue->elem_data_size); -+ mutex_unlock(&ue->card->user_ctl_lock); - return 0; - } - -@@ -1044,10 +1047,12 @@ static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol, - { - int change; - struct user_element *ue = kcontrol->private_data; -- -+ -+ mutex_lock(&ue->card->user_ctl_lock); - change = memcmp(&ucontrol->value, ue->elem_data, ue->elem_data_size) != 0; - if (change) - memcpy(ue->elem_data, &ucontrol->value, ue->elem_data_size); -+ mutex_unlock(&ue->card->user_ctl_lock); - return change; - } - -@@ -1067,19 +1072,32 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol, - new_data = memdup_user(tlv, size); - if (IS_ERR(new_data)) - return PTR_ERR(new_data); -+ mutex_lock(&ue->card->user_ctl_lock); - change = ue->tlv_data_size != size; - if (!change) - change = memcmp(ue->tlv_data, new_data, size); - kfree(ue->tlv_data); - ue->tlv_data = new_data; - ue->tlv_data_size = size; -+ mutex_unlock(&ue->card->user_ctl_lock); - } else { -- if (! ue->tlv_data_size || ! 
ue->tlv_data) -- return -ENXIO; -- if (size < ue->tlv_data_size) -- return -ENOSPC; -+ int ret = 0; -+ -+ mutex_lock(&ue->card->user_ctl_lock); -+ if (!ue->tlv_data_size || !ue->tlv_data) { -+ ret = -ENXIO; -+ goto err_unlock; -+ } -+ if (size < ue->tlv_data_size) { -+ ret = -ENOSPC; -+ goto err_unlock; -+ } - if (copy_to_user(tlv, ue->tlv_data, ue->tlv_data_size)) -- return -EFAULT; -+ ret = -EFAULT; -+err_unlock: -+ mutex_unlock(&ue->card->user_ctl_lock); -+ if (ret) -+ return ret; - } - return change; - } -@@ -1211,6 +1229,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, - ue = kzalloc(sizeof(struct user_element) + private_size, GFP_KERNEL); - if (ue == NULL) - return -ENOMEM; -+ ue->card = card; - ue->info = *info; - ue->info.access = 0; - ue->elem_data = (char *)ue + sizeof(*ue); -diff --git a/sound/core/init.c b/sound/core/init.c -index d047851..b9268a5 100644 ---- a/sound/core/init.c -+++ b/sound/core/init.c -@@ -215,6 +215,7 @@ int snd_card_create(int idx, const char *xid, - INIT_LIST_HEAD(&card->devices); - init_rwsem(&card->controls_rwsem); - rwlock_init(&card->ctl_files_rwlock); -+ mutex_init(&card->user_ctl_lock); - INIT_LIST_HEAD(&card->controls); - INIT_LIST_HEAD(&card->ctl_files); - spin_lock_init(&card->files_lock); --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch deleted file mode 100644 index 98590252..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Mon Sep 17 00:00:00 2001 -From: Lars-Peter Clausen -Date: Wed, 18 Jun 2014 13:32:35 +0200 -Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow - -commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. - -The ALSA control code expects that the range of assigned indices to a control is -continuous and does not overflow. Currently there are no checks to enforce this. -If a control with a overflowing index range is created that control becomes -effectively inaccessible and unremovable since snd_ctl_find_id() will not be -able to find it. This patch adds a check that makes sure that controls with a -overflowing index range can not be created. - -Fixes CVE-2014-4656 -Upstream-Status: Backport - -Signed-off-by: Lars-Peter Clausen -Acked-by: Jaroslav Kysela -Signed-off-by: Takashi Iwai -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - sound/core/control.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/sound/core/control.c b/sound/core/control.c -index 93215b4..98a29b2 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) - if (snd_BUG_ON(!card || !kcontrol->info)) - goto error; - id = kcontrol->id; -+ if (id.index > UINT_MAX - kcontrol->count) -+ goto error; -+ - down_write(&card->controls_rwsem); - if (snd_ctl_find_id(card, &id)) { - up_write(&card->controls_rwsem); --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch deleted file mode 100644 index 4355c68f..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0001-HID-CVE-2014-3181.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From c54def7bd64d7c0b6993336abcffb8444795bf38 Mon Sep 17 00:00:00 2001 -From: Jiri Kosina -Date: Wed, 27 Aug 2014 09:12:24 +0200 -Subject: [PATCH] HID: magicmouse: sanity check report size in raw_event() - callback - -The report passed to us from transport driver could potentially be -arbitrarily large, therefore we better sanity-check it so that -magicmouse_emit_touch() gets only valid values of raw_id. - -This fixes CVE-2014-3181 -Upstream-Status: Backport - -Cc: stable@vger.kernel.org -Reported-by: Steven Vittitoe -Signed-off-by: Jiri Kosina -Signed-off-by: Sona Sarmadi ---- - drivers/hid/hid-magicmouse.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c -index ecc2cbf..29a74c1 100644 ---- a/drivers/hid/hid-magicmouse.c -+++ b/drivers/hid/hid-magicmouse.c -@@ -290,6 +290,11 @@ static int magicmouse_raw_event(struct hid_device *hdev, - if (size < 4 || ((size - 4) % 9) != 0) - return 0; - npoints = (size - 4) / 9; -+ if (npoints > 15) { -+ hid_warn(hdev, "invalid size value (%d) for TRACKPAD_REPORT_ID\n", -+ size); -+ return 0; -+ } - msc->ntouches = 0; - for (ii = 0; ii < npoints; ii++) - magicmouse_emit_touch(msc, ii, data + ii * 9 + 4); -@@ -307,6 +312,11 @@ static int magicmouse_raw_event(struct hid_device *hdev, - if (size < 6 || ((size - 6) % 8) != 0) - return 0; - npoints = (size - 6) / 8; -+ if (npoints > 15) { -+ hid_warn(hdev, "invalid size value (%d) for MOUSE_REPORT_ID\n", -+ size); -+ return 0; -+ } - msc->ntouches = 0; - for (ii = 0; ii < npoints; ii++) - magicmouse_emit_touch(msc, ii, data + ii * 8 + 6); --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch deleted file mode 100644 index e19a3c10..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0001-kvm-iommu-CVE-2014-3601.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From e35b1e9f17e0567f96502f3a2a31dace727ed3da Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Tue, 19 Aug 2014 19:14:50 +0800 -Subject: [PATCH] kvm: iommu: fix the third parameter of kvm_iommu_put_pages - (CVE-2014-3601) - -commit 350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 upstream. - -The third parameter of kvm_iommu_put_pages is wrong, -It should be 'gfn - slot->base_gfn'. - -By making gfn very large, malicious guest or userspace can cause kvm to -go to this error path, and subsequently to pass a huge value as size. -Alternatively if gfn is small, then pages would be pinned but never -unpinned, causing host memory leak and local DOS. - -Passing a reasonable but large value could be the most dangerous case, -because it would unpin a page that should have stayed pinned, and thus -allow the device to DMA into arbitrary memory. However, this cannot -happen because of the condition that can trigger the error: - -- out of memory (where you can't allocate even a single page) - should not be possible for the attacker to trigger - -- when exceeding the iommu's address space, guest pages after gfn - will also exceed the iommu's address space, and inside - kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The - page thus would not be unpinned at all. - -Upstream-Status: Backport - -Reported-by: Jack Morgenstein -Signed-off-by: Michael S. 
Tsirkin -Signed-off-by: Paolo Bonzini -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - virt/kvm/iommu.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c -index c329c8f..dec9971 100644 ---- a/virt/kvm/iommu.c -+++ b/virt/kvm/iommu.c -@@ -61,6 +61,14 @@ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, - return pfn; - } - -+static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages) -+{ -+ unsigned long i; -+ -+ for (i = 0; i < npages; ++i) -+ kvm_release_pfn_clean(pfn + i); -+} -+ - int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) - { - gfn_t gfn, end_gfn; -@@ -123,6 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) - if (r) { - printk(KERN_ERR "kvm_iommu_map_address:" - "iommu failed to map pfn=%llx\n", pfn); -+ kvm_unpin_pages(kvm, pfn, page_size); - goto unmap_pages; - } - -@@ -134,7 +143,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) - return 0; - - unmap_pages: -- kvm_iommu_put_pages(kvm, slot->base_gfn, gfn); -+ kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn); - return r; - } - -@@ -272,14 +281,6 @@ out_unlock: - return r; - } - --static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages) --{ -- unsigned long i; -- -- for (i = 0; i < npages; ++i) -- kvm_release_pfn_clean(pfn + i); --} -- - static void kvm_iommu_put_pages(struct kvm *kvm, - gfn_t base_gfn, unsigned long npages) - { --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch deleted file mode 100644 index aec89301..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" -Date: Mon, 28 Jul 2014 16:26:53 -0700 -Subject: [PATCH] mnt: Only change user settable mount flags in remount - -commit a6138db815df5ee542d848318e5dae681590fccd upstream. - -Kenton Varda discovered that by remounting a -read-only bind mount read-only in a user namespace the -MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user -to the remount a read-only mount read-write. - -Correct this by replacing the mask of mount flags to preserve -with a mask of mount flags that may be changed, and preserve -all others. This ensures that any future bugs with this mask and -remount will fail in an easy to detect way where new mount flags -simply won't change. - -Fix for CVE-2014-5206 and CVE-2014-5207 -Upstream-Status: backport - -Cc: stable@vger.kernel.org -Acked-by: Serge E. Hallyn -Signed-off-by: "Eric W. Biederman" -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - fs/namespace.c | 2 +- - include/linux/mount.h | 4 +++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/fs/namespace.c b/fs/namespace.c -index 84447db..34fa7a5 100644 ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags, - err = do_remount_sb(sb, flags, data, 0); - if (!err) { - br_write_lock(&vfsmount_lock); -- mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK; -+ mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK; - mnt->mnt.mnt_flags = mnt_flags; - br_write_unlock(&vfsmount_lock); - } -diff --git a/include/linux/mount.h b/include/linux/mount.h -index 38cd98f..8707c9e 100644 ---- a/include/linux/mount.h -+++ b/include/linux/mount.h -@@ -42,7 +42,9 @@ struct mnt_namespace; - * flag, consider how it interacts with shared mounts. 
- */ - #define MNT_SHARED_MASK (MNT_UNBINDABLE) --#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE) -+#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \ -+ | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \ -+ | MNT_READONLY) - - - #define MNT_INTERNAL 0x4000 --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch deleted file mode 100644 index 68289f28..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0001-net-sctp-CVE-2014-3673.patch +++ /dev/null 
@@ -1,348 +0,0 @@ -From bbd951a21e0fd555cd9ede44c7196af09d04d171 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Thu, 9 Oct 2014 22:55:31 +0200 -Subject: [PATCH] net: sctp: fix skb_over_panic when receiving malformed ASCONF - chunks - -commit 9de7922bc709eee2f609cd01d98aaedc4cf5ea74 upstream. - -Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for -ASCONF chunk") added basic verification of ASCONF chunks, however, -it is still possible to remotely crash a server by sending a -special crafted ASCONF chunk, even up to pre 2.6.12 kernels: - -skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768 - head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950 - end:0x440 dev: - ------------[ cut here ]------------ -kernel BUG at net/core/skbuff.c:129! -[...] -Call Trace: - - [] skb_put+0x5c/0x70 - [] sctp_addto_chunk+0x63/0xd0 [sctp] - [] sctp_process_asconf+0x1af/0x540 [sctp] - [] ? _read_unlock_bh+0x15/0x20 - [] sctp_sf_do_asconf+0x168/0x240 [sctp] - [] sctp_do_sm+0x71/0x1210 [sctp] - [] ? fib_rules_lookup+0xad/0xf0 - [] ? sctp_cmp_addr_exact+0x32/0x40 [sctp] - [] sctp_assoc_bh_rcv+0xd3/0x180 [sctp] - [] sctp_inq_push+0x56/0x80 [sctp] - [] sctp_rcv+0x982/0xa10 [sctp] - [] ? ipt_local_in_hook+0x23/0x28 [iptable_filter] - [] ? nf_iterate+0x69/0xb0 - [] ? ip_local_deliver_finish+0x0/0x2d0 - [] ? nf_hook_slow+0x76/0x120 - [] ? ip_local_deliver_finish+0x0/0x2d0 - [] ip_local_deliver_finish+0xdd/0x2d0 - [] ip_local_deliver+0x98/0xa0 - [] ip_rcv_finish+0x12d/0x440 - [] ip_rcv+0x275/0x350 - [] __netif_receive_skb+0x4ab/0x750 - [] netif_receive_skb+0x58/0x60 - -This can be triggered e.g., through a simple scripted nmap -connection scan injecting the chunk after the handshake, for -example, ... 
- - -------------- INIT[ASCONF; ASCONF_ACK] -------------> - <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------ - -------------------- COOKIE-ECHO --------------------> - <-------------------- COOKIE-ACK --------------------- - ------------------ ASCONF; UNKNOWN ------------------> - -... where ASCONF chunk of length 280 contains 2 parameters ... - - 1) Add IP address parameter (param length: 16) - 2) Add/del IP address parameter (param length: 255) - -... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the -Address Parameter in the ASCONF chunk is even missing, too. -This is just an example and similarly-crafted ASCONF chunks -could be used just as well. - -The ASCONF chunk passes through sctp_verify_asconf() as all -parameters passed sanity checks, and after walking, we ended -up successfully at the chunk end boundary, and thus may invoke -sctp_process_asconf(). Parameter walking is done with -WORD_ROUND() to take padding into account. - -In sctp_process_asconf()'s TLV processing, we may fail in -sctp_process_asconf_param() e.g., due to removal of the IP -address that is also the source address of the packet containing -the ASCONF chunk, and thus we need to add all TLVs after the -failure to our ASCONF response to remote via helper function -sctp_add_asconf_response(), which basically invokes a -sctp_addto_chunk() adding the error parameters to the given -skb. - -When walking to the next parameter this time, we proceed -with ... - - length = ntohs(asconf_param->param_hdr.length); - asconf_param = (void *)asconf_param + length; - -... instead of the WORD_ROUND()'ed length, thus resulting here -in an off-by-one that leads to reading the follow-up garbage -parameter length of 12336, and thus throwing an skb_over_panic -for the reply when trying to sctp_addto_chunk() next time, -which implicitly calls the skb_put() with that length. 
- -Fix it by using sctp_walk_params() [ which is also used in -INIT parameter processing ] macro in the verification *and* -in ASCONF processing: it will make sure we don't spill over, -that we walk parameters WORD_ROUND()'ed. Moreover, we're being -more defensive and guard against unknown parameter types and -missized addresses. - -Joint work with Vlad Yasevich. - -Fixes CVE-2014-3673 -Upstream-Status: Backport - -Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.") -Signed-off-by: Daniel Borkmann -Signed-off-by: Vlad Yasevich -Acked-by: Neil Horman -Signed-off-by: David S. Miller -Cc: Josh Boyer -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - include/net/sctp/sm.h | 6 +-- - net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++++--------------------- - net/sctp/sm_statefuns.c | 18 +-------- - 3 files changed, 60 insertions(+), 63 deletions(-) - -diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h -index 4ef75af..c91b6f5 100644 ---- a/include/net/sctp/sm.h -+++ b/include/net/sctp/sm.h -@@ -249,9 +249,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *, - int, __be16); - struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc, - union sctp_addr *addr); --int sctp_verify_asconf(const struct sctp_association *asoc, -- struct sctp_paramhdr *param_hdr, void *chunk_end, -- struct sctp_paramhdr **errp); -+bool sctp_verify_asconf(const struct sctp_association *asoc, -+ struct sctp_chunk *chunk, bool addr_param_needed, -+ struct sctp_paramhdr **errp); - struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - struct sctp_chunk *asconf); - int sctp_process_asconf_ack(struct sctp_association *asoc, -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index e342387..d800160 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -3126,50 +3126,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, - return 
SCTP_ERROR_NO_ERROR; - } - --/* Verify the ASCONF packet before we process it. */ --int sctp_verify_asconf(const struct sctp_association *asoc, -- struct sctp_paramhdr *param_hdr, void *chunk_end, -- struct sctp_paramhdr **errp) { -- sctp_addip_param_t *asconf_param; -+/* Verify the ASCONF packet before we process it. */ -+bool sctp_verify_asconf(const struct sctp_association *asoc, -+ struct sctp_chunk *chunk, bool addr_param_needed, -+ struct sctp_paramhdr **errp) -+{ -+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr; - union sctp_params param; -- int length, plen; -- -- param.v = (sctp_paramhdr_t *) param_hdr; -- while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) { -- length = ntohs(param.p->length); -- *errp = param.p; -+ bool addr_param_seen = false; - -- if (param.v > chunk_end - length || -- length < sizeof(sctp_paramhdr_t)) -- return 0; -+ sctp_walk_params(param, addip, addip_hdr.params) { -+ size_t length = ntohs(param.p->length); - -+ *errp = param.p; - switch (param.p->type) { -+ case SCTP_PARAM_ERR_CAUSE: -+ break; -+ case SCTP_PARAM_IPV4_ADDRESS: -+ if (length != sizeof(sctp_ipv4addr_param_t)) -+ return false; -+ addr_param_seen = true; -+ break; -+ case SCTP_PARAM_IPV6_ADDRESS: -+ if (length != sizeof(sctp_ipv6addr_param_t)) -+ return false; -+ addr_param_seen = true; -+ break; - case SCTP_PARAM_ADD_IP: - case SCTP_PARAM_DEL_IP: - case SCTP_PARAM_SET_PRIMARY: -- asconf_param = (sctp_addip_param_t *)param.v; -- plen = ntohs(asconf_param->param_hdr.length); -- if (plen < sizeof(sctp_addip_param_t) + -- sizeof(sctp_paramhdr_t)) -- return 0; -+ /* In ASCONF chunks, these need to be first. 
*/ -+ if (addr_param_needed && !addr_param_seen) -+ return false; -+ length = ntohs(param.addip->param_hdr.length); -+ if (length < sizeof(sctp_addip_param_t) + -+ sizeof(sctp_paramhdr_t)) -+ return false; - break; - case SCTP_PARAM_SUCCESS_REPORT: - case SCTP_PARAM_ADAPTATION_LAYER_IND: - if (length != sizeof(sctp_addip_param_t)) -- return 0; -- -+ return false; - break; - default: -- break; -+ /* This is unkown to us, reject! */ -+ return false; - } -- -- param.v += WORD_ROUND(length); - } - -- if (param.v != chunk_end) -- return 0; -+ /* Remaining sanity checks. */ -+ if (addr_param_needed && !addr_param_seen) -+ return false; -+ if (!addr_param_needed && addr_param_seen) -+ return false; -+ if (param.v != chunk->chunk_end) -+ return false; - -- return 1; -+ return true; - } - - /* Process an incoming ASCONF chunk with the next expected serial no. and -@@ -3178,16 +3191,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc, - struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - struct sctp_chunk *asconf) - { -+ sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr; -+ bool all_param_pass = true; -+ union sctp_params param; - sctp_addiphdr_t *hdr; - union sctp_addr_param *addr_param; - sctp_addip_param_t *asconf_param; - struct sctp_chunk *asconf_ack; -- - __be16 err_code; - int length = 0; - int chunk_len; - __u32 serial; -- int all_param_pass = 1; - - chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); - hdr = (sctp_addiphdr_t *)asconf->skb->data; -@@ -3215,9 +3229,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - goto done; - - /* Process the TLVs contained within the ASCONF chunk. */ -- while (chunk_len > 0) { -+ sctp_walk_params(param, addip, addip_hdr.params) { -+ /* Skip preceeding address parameters. 
*/ -+ if (param.p->type == SCTP_PARAM_IPV4_ADDRESS || -+ param.p->type == SCTP_PARAM_IPV6_ADDRESS) -+ continue; -+ - err_code = sctp_process_asconf_param(asoc, asconf, -- asconf_param); -+ param.addip); - /* ADDIP 4.1 A7) - * If an error response is received for a TLV parameter, - * all TLVs with no response before the failed TLV are -@@ -3225,28 +3244,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, - * the failed response are considered unsuccessful unless - * a specific success indication is present for the parameter. - */ -- if (SCTP_ERROR_NO_ERROR != err_code) -- all_param_pass = 0; -- -+ if (err_code != SCTP_ERROR_NO_ERROR) -+ all_param_pass = false; - if (!all_param_pass) -- sctp_add_asconf_response(asconf_ack, -- asconf_param->crr_id, err_code, -- asconf_param); -+ sctp_add_asconf_response(asconf_ack, param.addip->crr_id, -+ err_code, param.addip); - - /* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add - * an IP address sends an 'Out of Resource' in its response, it - * MUST also fail any subsequent add or delete requests bundled - * in the ASCONF. - */ -- if (SCTP_ERROR_RSRC_LOW == err_code) -+ if (err_code == SCTP_ERROR_RSRC_LOW) - goto done; -- -- /* Move to the next ASCONF param. 
*/ -- length = ntohs(asconf_param->param_hdr.length); -- asconf_param = (void *)asconf_param + length; -- chunk_len -= length; - } -- - done: - asoc->peer.addip_serial++; - -diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c -index 62623cc..bf12098 100644 ---- a/net/sctp/sm_statefuns.c -+++ b/net/sctp/sm_statefuns.c -@@ -3595,9 +3595,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net, - struct sctp_chunk *asconf_ack = NULL; - struct sctp_paramhdr *err_param = NULL; - sctp_addiphdr_t *hdr; -- union sctp_addr_param *addr_param; - __u32 serial; -- int length; - - if (!sctp_vtag_verify(chunk, asoc)) { - sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, -@@ -3622,17 +3620,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net, - hdr = (sctp_addiphdr_t *)chunk->skb->data; - serial = ntohl(hdr->serial); - -- addr_param = (union sctp_addr_param *)hdr->params; -- length = ntohs(addr_param->p.length); -- if (length < sizeof(sctp_paramhdr_t)) -- return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, -- (void *)addr_param, commands); -- - /* Verify the ASCONF chunk before processing it. */ -- if (!sctp_verify_asconf(asoc, -- (sctp_paramhdr_t *)((void *)addr_param + length), -- (void *)chunk->chunk_end, -- &err_param)) -+ if (!sctp_verify_asconf(asoc, chunk, true, &err_param)) - return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, - (void *)err_param, commands); - -@@ -3750,10 +3739,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net, - rcvd_serial = ntohl(addip_hdr->serial); - - /* Verify the ASCONF-ACK chunk before processing it. */ -- if (!sctp_verify_asconf(asoc, -- (sctp_paramhdr_t *)addip_hdr->params, -- (void *)asconf_ack->chunk_end, -- &err_param)) -+ if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param)) - return sctp_sf_violation_paramlen(net, ep, asoc, type, arg, - (void *)err_param, commands); - --- -1.9.1 - 
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
deleted file mode 100644
index 00ead602..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0001-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,141 +0,0 @@ -From 8685789bd8ec12a02b07ea76df4527b055efbf20 Mon Sep 17 00:00:00 2001 -From: Hugh Dickins -Date: Mon, 23 Jun 2014 13:22:06 -0700 -Subject: [PATCH 1/3] shmem: fix faulting into a hole while it's punched - -commit f00cdc6df7d7cfcabb5b740911e6788cb0802bdb upstream. - -Trinity finds that mmap access to a hole while it's punched from shmem -can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE) -from completing, until the reader chooses to stop; with the puncher's -hold on i_mutex locking out all other writers until it can complete. - -It appears that the tmpfs fault path is too light in comparison with its -hole-punching path, lacking an i_data_sem to obstruct it; but we don't -want to slow down the common case. - -Extend shmem_fallocate()'s existing range notification mechanism, so -shmem_fault() can refrain from faulting pages into the hole while it's -punched, waiting instead on i_mutex (when safe to sleep; or repeatedly -faulting when not). - -Upstream-Status: Backport - -[akpm@linux-foundation.org: coding-style fixes] -Signed-off-by: Hugh Dickins -Reported-by: Sasha Levin -Tested-by: Sasha Levin -Cc: Dave Jones -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds - -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 52 insertions(+), 4 deletions(-) - -diff --git a/mm/shmem.c b/mm/shmem.c -index 8297623..00d412f 100644 ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt; - #define SHORT_SYMLINK_LEN 128 - - /* -- * shmem_fallocate and shmem_writepage communicate via inode->i_private -- * (with i_mutex making sure that it has only one user at a time): -- * we would prefer not to enlarge the shmem inode just for that. 
-+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via -+ * inode->i_private (with i_mutex making sure that it has only one user at -+ * a time): we would prefer not to enlarge the shmem inode just for that. - */ - struct shmem_falloc { -+ int mode; /* FALLOC_FL mode currently operating */ - pgoff_t start; /* start of range currently being fallocated */ - pgoff_t next; /* the next page offset to be fallocated */ - pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -826,6 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; - if (shmem_falloc && -+ !shmem_falloc->mode && - index >= shmem_falloc->start && - index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; -@@ -1300,6 +1302,44 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) - int error; - int ret = VM_FAULT_LOCKED; - -+ /* -+ * Trinity finds that probing a hole which tmpfs is punching can -+ * prevent the hole-punch from ever completing: which in turn -+ * locks writers out with its hold on i_mutex. So refrain from -+ * faulting pages into the hole while it's being punched, and -+ * wait on i_mutex to be released if vmf->flags permits. -+ */ -+ if (unlikely(inode->i_private)) { -+ struct shmem_falloc *shmem_falloc; -+ -+ spin_lock(&inode->i_lock); -+ shmem_falloc = inode->i_private; -+ if (!shmem_falloc || -+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -+ vmf->pgoff < shmem_falloc->start || -+ vmf->pgoff >= shmem_falloc->next) -+ shmem_falloc = NULL; -+ spin_unlock(&inode->i_lock); -+ /* -+ * i_lock has protected us from taking shmem_falloc seriously -+ * once return from shmem_fallocate() went back up that stack. -+ * i_lock does not serialize with i_mutex at all, but it does -+ * not matter if sometimes we wait unnecessarily, or sometimes -+ * miss out on waiting: we just need to make those cases rare. 
-+ */ -+ if (shmem_falloc) { -+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -+ up_read(&vma->vm_mm->mmap_sem); -+ mutex_lock(&inode->i_mutex); -+ mutex_unlock(&inode->i_mutex); -+ return VM_FAULT_RETRY; -+ } -+ /* cond_resched? Leave that to GUP or return to user */ -+ return VM_FAULT_NOPAGE; -+ } -+ } -+ - error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); - if (error) - return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS); -@@ -1815,18 +1855,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, - - mutex_lock(&inode->i_mutex); - -+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -+ - if (mode & FALLOC_FL_PUNCH_HOLE) { - struct address_space *mapping = file->f_mapping; - loff_t unmap_start = round_up(offset, PAGE_SIZE); - loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; - -+ shmem_falloc.start = unmap_start >> PAGE_SHIFT; -+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; -+ spin_lock(&inode->i_lock); -+ inode->i_private = &shmem_falloc; -+ spin_unlock(&inode->i_lock); -+ - if ((u64)unmap_end > (u64)unmap_start) - unmap_mapping_range(mapping, unmap_start, - 1 + unmap_end - unmap_start, 0); - shmem_truncate_range(inode, offset, offset + len - 1); - /* No need to unmap again: hole-punching leaves COWed pages */ - error = 0; -- goto out; -+ goto undone; - } - - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch deleted file mode 100644 index 8612d74a..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4653.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 0bf595fd311aa4d6e82c43879f2c0d0650e83271 Mon Sep 17 00:00:00 2001 -From: Lars-Peter Clausen -Date: Wed, 18 Jun 2014 13:32:33 +0200 -Subject: [PATCH] ALSA: control: Don't access controls outside of protected - regions - -commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream. - -A control that is visible on the card->controls list can be freed at any time. -This means we must not access any of its memory while not holding the -controls_rw_lock. Otherwise we risk a use after free access. - -This fixes CVE-2014-4653 -Upstream-Status: Backport - -Signed-off-by: Lars-Peter Clausen -Acked-by: Jaroslav Kysela -Signed-off-by: Takashi Iwai -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - sound/core/control.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/sound/core/control.c b/sound/core/control.c -index 15bc844..d4a597f 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -331,6 +331,7 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) - { - struct snd_ctl_elem_id id; - unsigned int idx; -+ unsigned int count; - int err = -EINVAL; - - if (! 
kcontrol) -@@ -359,8 +360,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) - card->controls_count += kcontrol->count; - kcontrol->id.numid = card->last_numid + 1; - card->last_numid += kcontrol->count; -+ count = kcontrol->count; - up_write(&card->controls_rwsem); -- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++) -+ for (idx = 0; idx < count; idx++, id.index++, id.numid++) - snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id); - return 0; - -@@ -389,6 +391,7 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol, - bool add_on_replace) - { - struct snd_ctl_elem_id id; -+ unsigned int count; - unsigned int idx; - struct snd_kcontrol *old; - int ret; -@@ -424,8 +427,9 @@ add: - card->controls_count += kcontrol->count; - kcontrol->id.numid = card->last_numid + 1; - card->last_numid += kcontrol->count; -+ count = kcontrol->count; - up_write(&card->controls_rwsem); -- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++) -+ for (idx = 0; idx < count; idx++, id.index++, id.numid++) - snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id); - return 0; - -@@ -898,9 +902,9 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file, - result = kctl->put(kctl, control); - } - if (result > 0) { -+ struct snd_ctl_elem_id id = control->id; - up_read(&card->controls_rwsem); -- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, -- &control->id); -+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, &id); - return 0; - } - } -@@ -1334,8 +1338,9 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file, - } - err = kctl->tlv.c(kctl, op_flag, tlv.length, _tlv->tlv); - if (err > 0) { -+ struct snd_ctl_elem_id id = kctl->id; - up_read(&card->controls_rwsem); -- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &kctl->id); -+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &id); - return 0; - } - } else { --- -1.9.1 - 
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
deleted file mode 100644
index 2065780f..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
+++ /dev/null
@@ -1,46 +0,0 @@ -From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001 -From: Lars-Peter Clausen -Date: Wed, 18 Jun 2014 13:32:34 +0200 -Subject: [PATCH] ALSA: control: Handle numid overflow - -commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream. - -Each control gets automatically assigned its numids when the control is created. -The allocation is done by incrementing the numid by the amount of allocated -numids per allocation. This means that excessive creation and destruction of -controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to -eventually overflow. Currently when this happens for the control that caused the -overflow kctl->id.numid + kctl->count will also over flow causing it to be -smaller than kctl->id.numid. Most of the code assumes that this is something -that can not happen, so we need to make sure that it won't happen - -Fixes CVE-2014-4656 -Upstream-Status: Backport - -Signed-off-by: Lars-Peter Clausen -Acked-by: Jaroslav Kysela -Signed-off-by: Takashi Iwai -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - sound/core/control.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/sound/core/control.c b/sound/core/control.c -index d4a597f..93215b4 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card, - { - struct snd_kcontrol *kctl; - -+ /* Make sure that the ids assigned to the control do not wrap around */ -+ if (card->last_numid >= UINT_MAX - count) -+ card->last_numid = 0; -+ - list_for_each_entry(kctl, &card->controls, list) { - if (kctl->id.numid < card->last_numid + 1 + count && - kctl->id.numid + kctl->count > card->last_numid + 1) { --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch deleted file mode 100644 index a90d0799..00000000 
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0002-HID-CVE-2014-3182.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 Mon Sep 17 00:00:00 2001 -From: Jiri Kosina -Date: Thu, 21 Aug 2014 09:57:17 -0500 -Subject: [PATCH] HID: logitech: perform bounds checking on device_id early - enough - -device_index is a char type and the size of paired_dj_deivces is 7 -elements, therefore proper bounds checking has to be applied to -device_index before it is used. - -We are currently performing the bounds checking in -logi_dj_recv_add_djhid_device(), which is too late, as malicious device -could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the -problem in one of the report forwarding functions called from -logi_dj_raw_event(). - -Fix this by performing the check at the earliest possible ocasion in -logi_dj_raw_event(). - -This fixes CVE-2014-3182 -Upstream-Status: Backport - -Cc: stable@vger.kernel.org -Reported-by: Ben Hawkes -Reviewed-by: Benjamin Tissoires -Signed-off-by: Jiri Kosina -Signed-off-by: Sona Sarmadi ---- - drivers/hid/hid-logitech-dj.c | 13 ++++++------- - 1 file changed, 6 insertions(+), 7 deletions(-) - -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index ca0ab51..b7ba829 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -238,13 +238,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, - return; - } - -- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || -- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { -- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n", -- __func__, dj_report->device_index); -- return; -- } -- - if (djrcv_dev->paired_dj_devices[dj_report->device_index]) { - /* The device is already known. No need to reallocate it. */ - dbg_hid("%s: device is already known\n", __func__); -@@ -690,6 +683,12 @@ static int logi_dj_raw_event(struct hid_device *hdev, - * device (via hid_input_report() ) and return 1 so hid-core does not do - * anything else with it. 
- */ -+ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || -+ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { -+ dev_err(&hdev->dev, "%s: invalid device index:%d\n", -+ __func__, dj_report->device_index); -+ return false; -+ } - - spin_lock_irqsave(&djrcv_dev->lock, flags); - if (dj_report->report_id == REPORT_ID_DJ_SHORT) { --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch deleted file mode 100644 index e43771cc..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0002-kvm-iommu-CVE-2014-8369.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 248541357433e3035d954435dafcdb9e70afee4e Mon Sep 17 00:00:00 2001 -From: Quentin Casasnovas -Date: Fri, 17 Oct 2014 22:55:59 +0200 -Subject: [PATCH] kvm: fix excessive pages un-pinning in kvm_iommu_map error - path. - -commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream. - -The third parameter of kvm_unpin_pages() when called from -kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin -and not the page size. - -This error was facilitated with an inconsistent API: kvm_pin_pages() takes -a size, but kvn_unpin_pages() takes a number of pages, so fix the problem -by matching the two. - -This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter -of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of -un-pinning for pages intended to be un-pinned (i.e. memory leak) but -unfortunately potentially aggravated the number of pages we un-pin that -should have stayed pinned. As far as I understand though, the same -practical mitigations apply. - -This issue was found during review of Red Hat 6.6 patches to prepare -Ksplice rebootless updates. - -Thanks to Vegard for his time on a late Friday evening to help me in -understanding this code. - -Fix for CVE-2014-8369 - -Upstream-Status: Backport - -Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... 
(CVE-2014-3601)") -Signed-off-by: Quentin Casasnovas -Signed-off-by: Vegard Nossum -Signed-off-by: Jamie Iles -Reviewed-by: Sasha Levin -Signed-off-by: Paolo Bonzini -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - virt/kvm/iommu.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c -index dec9971..a650aa4 100644 ---- a/virt/kvm/iommu.c -+++ b/virt/kvm/iommu.c -@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm, - gfn_t base_gfn, unsigned long npages); - - static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, -- unsigned long size) -+ unsigned long npages) - { - gfn_t end_gfn; - pfn_t pfn; - - pfn = gfn_to_pfn_memslot(slot, gfn); -- end_gfn = gfn + (size >> PAGE_SHIFT); -+ end_gfn = gfn + npages; - gfn += 1; - - if (is_error_noslot_pfn(pfn)) -@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) - * Pin all pages we are about to map in memory. This is - * important because we unmap and unpin in 4kb steps later. - */ -- pfn = kvm_pin_pages(slot, gfn, page_size); -+ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT); - if (is_error_noslot_pfn(pfn)) { - gfn += 1; - continue; -@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) - if (r) { - printk(KERN_ERR "kvm_iommu_map_address:" - "iommu failed to map pfn=%llx\n", pfn); -- kvm_unpin_pages(kvm, pfn, page_size); -+ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT); - goto unmap_pages; - } - --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch deleted file mode 100644 index b08f2179..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" -Date: Mon, 28 Jul 2014 17:10:56 -0700 -Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from - change_mount_flags into do_remount - -commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream. - -There are no races as locked mount flags are guaranteed to never change. - -Moving the test into do_remount makes it more visible, and ensures all -filesystem remounts pass the MNT_LOCK_READONLY permission check. This -second case is not an issue today as filesystem remounts are guarded -by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged -mount namespaces, but it could become an issue in the future. - -Fix for CVE-2014-5206 and CVE-2014-5207 -Upstream-Status: backport - -Cc: stable@vger.kernel.org -Acked-by: Serge E. Hallyn -Signed-off-by: "Eric W. Biederman" -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - fs/namespace.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/fs/namespace.c b/fs/namespace.c -index 34fa7a5..8e90b03 100644 ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags) - if (readonly_request == __mnt_is_readonly(mnt)) - return 0; - -- if (mnt->mnt_flags & MNT_LOCK_READONLY) -- return -EPERM; -- - if (readonly_request) - error = mnt_make_readonly(real_mount(mnt)); - else -@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags, - if (path->dentry != path->mnt->mnt_root) - return -EINVAL; - -+ /* Don't allow changing of locked mnt flags. -+ * -+ * No locks need to be held here while testing the various -+ * MNT_LOCK flags because those flags can never be cleared -+ * once they are set. 
-+ */ -+ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) && -+ !(mnt_flags & MNT_READONLY)) { -+ return -EPERM; -+ } - err = security_sb_remount(sb, data); - if (err) - return err; --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch deleted file mode 100644 index b05aaf2b..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0002-net-sctp-CVE-2014-3687.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From a723db0be941b8aebaa1a98b33d17a91b16603e4 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Thu, 9 Oct 2014 22:55:32 +0200 -Subject: [PATCH] net: sctp: fix panic on duplicate ASCONF chunks - -commit b69040d8e39f20d5215a03502a8e8b4c6ab78395 upstream. - -When receiving a e.g. semi-good formed connection scan in the -form of ... - - -------------- INIT[ASCONF; ASCONF_ACK] -------------> - <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------ - -------------------- COOKIE-ECHO --------------------> - <-------------------- COOKIE-ACK --------------------- - ---------------- ASCONF_a; ASCONF_b -----------------> - -... where ASCONF_a equals ASCONF_b chunk (at least both serials -need to be equal), we panic an SCTP server! - -The problem is that good-formed ASCONF chunks that we reply with -ASCONF_ACK chunks are cached per serial. Thus, when we receive a -same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do -not need to process them again on the server side (that was the -idea, also proposed in the RFC). Instead, we know it was cached -and we just resend the cached chunk instead. So far, so good. - -Where things get nasty is in SCTP's side effect interpreter, that -is, sctp_cmd_interpreter(): - -While incoming ASCONF_a (chunk = event_arg) is being marked -!end_of_packet and !singleton, and we have an association context, -we do not flush the outqueue the first time after processing the -ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it -queued up, although we set local_cork to 1. Commit 2e3216cd54b1 -changed the precedence, so that as long as we get bundled, incoming -chunks we try possible bundling on outgoing queue as well. Before -this commit, we would just flush the output queue. - -Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we -continue to process the same ASCONF_b chunk from the packet. As -we have cached the previous ASCONF_ACK, we find it, grab it and -do another SCTP_CMD_REPLY command on it. 
So, effectively, we rip -the chunk->list pointers and requeue the same ASCONF_ACK chunk -another time. Since we process ASCONF_b, it's correctly marked -with end_of_packet and we enforce an uncork, and thus flush, thus -crashing the kernel. - -Fix it by testing if the ASCONF_ACK is currently pending and if -that is the case, do not requeue it. When flushing the output -queue we may relink the chunk for preparing an outgoing packet, -but eventually unlink it when it's copied into the skb right -before transmission. - -Joint work with Vlad Yasevich. - -Fixes CVE-2014-3687 -Upstream-Status: Backport - -Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet") -Signed-off-by: Daniel Borkmann -Signed-off-by: Vlad Yasevich -Signed-off-by: David S. Miller -Cc: Josh Boyer -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - include/net/sctp/sctp.h | 5 +++++ - net/sctp/associola.c | 2 ++ - 2 files changed, 7 insertions(+) - -diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h -index 3794c5a..3848934 100644 ---- a/include/net/sctp/sctp.h -+++ b/include/net/sctp/sctp.h -@@ -454,6 +454,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat - asoc->pmtu_pending = 0; - } - -+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk) -+{ -+ return !list_empty(&chunk->list); -+} -+ - /* Walk through a list of TLV parameters. Don't trust the - * individual parameter lengths and instead depend on - * the chunk length to indicate when to stop. Make sure -diff --git a/net/sctp/associola.c b/net/sctp/associola.c -index ad5cd6f..737050f 100644 ---- a/net/sctp/associola.c -+++ b/net/sctp/associola.c -@@ -1645,6 +1645,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack( - * ack chunk whose serial number matches that of the request. 
- */ - list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) { -+ if (sctp_chunk_pending(ack)) -+ continue; - if (ack->subh.addip_hdr->serial == serial) { - sctp_chunk_hold(ack); - return ack; --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch deleted file mode 100644 index a43b8956..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0002-shmem-CVE-2014-4171.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From 38d05809df1ea5272a658e7f4d5f2a3027ad2fd2 Mon Sep 17 00:00:00 2001 -From: Hugh Dickins -Date: Wed, 23 Jul 2014 14:00:10 -0700 -Subject: [PATCH 2/3] shmem: fix faulting into a hole, not taking i_mutex - -commit 8e205f779d1443a94b5ae81aa359cb535dd3021e upstream. - -Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's -punched") was buggy: Sasha sent a lockdep report to remind us that -grabbing i_mutex in the fault path is a no-no (write syscall may already -hold i_mutex while faulting user buffer). - -We tried a completely different approach (see following patch) but that -proved inadequate: good enough for a rational workload, but not good -enough against trinity - which forks off so many mappings of the object -that contention on i_mmap_mutex while hole-puncher holds i_mutex builds -into serious starvation when concurrent faults force the puncher to fall -back to single-page unmap_mapping_range() searches of the i_mmap tree. - -So return to the original umbrella approach, but keep away from i_mutex -this time. We really don't want to bloat every shmem inode with a new -mutex or completion, just to protect this unlikely case from trinity. -So extend the original with wait_queue_head on stack at the hole-punch -end, and wait_queue item on the stack at the fault end. - -This involves further use of i_lock to guard against the races: lockdep -has been happy so far, and I see fs/inode.c:unlock_new_inode() holds -i_lock around wake_up_bit(), which is comparable to what we do here. -i_lock is more convenient, but we could switch to shmem's info->lock. - -This issue has been tagged with CVE-2014-4171, which will require commit -f00cdc6df7d7 and this and the following patch to be backported: we -suggest to 3.1+, though in fact the trinity forkbomb effect might go -back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might -not, since much has changed, with i_mmap_mutex a spinlock before 3.0. 
-Anyone running trinity on 3.0 and earlier? I don't think we need care. - -Upstream-Status: Backport - -Signed-off-by: Hugh Dickins -Reported-by: Sasha Levin -Tested-by: Sasha Levin -Cc: Vlastimil Babka -Cc: Konstantin Khlebnikov -Cc: Johannes Weiner -Cc: Lukas Czerner -Cc: Dave Jones -Cc: [3.1+] -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - mm/shmem.c | 78 +++++++++++++++++++++++++++++++++++++++++--------------------- - 1 file changed, 52 insertions(+), 26 deletions(-) - -diff --git a/mm/shmem.c b/mm/shmem.c -index 00d412f..6f5626f 100644 ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -85,7 +85,7 @@ static struct vfsmount *shm_mnt; - * a time): we would prefer not to enlarge the shmem inode just for that. - */ - struct shmem_falloc { -- int mode; /* FALLOC_FL mode currently operating */ -+ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */ - pgoff_t start; /* start of range currently being fallocated */ - pgoff_t next; /* the next page offset to be fallocated */ - pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -827,7 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; - if (shmem_falloc && -- !shmem_falloc->mode && -+ !shmem_falloc->waitq && - index >= shmem_falloc->start && - index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; -@@ -1306,38 +1306,58 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) - * Trinity finds that probing a hole which tmpfs is punching can - * prevent the hole-punch from ever completing: which in turn - * locks writers out with its hold on i_mutex. So refrain from -- * faulting pages into the hole while it's being punched, and -- * wait on i_mutex to be released if vmf->flags permits. -+ * faulting pages into the hole while it's being punched. 
Although -+ * shmem_undo_range() does remove the additions, it may be unable to -+ * keep up, as each new page needs its own unmap_mapping_range() call, -+ * and the i_mmap tree grows ever slower to scan if new vmas are added. -+ * -+ * It does not matter if we sometimes reach this check just before the -+ * hole-punch begins, so that one fault then races with the punch: -+ * we just need to make racing faults a rare case. -+ * -+ * The implementation below would be much simpler if we just used a -+ * standard mutex or completion: but we cannot take i_mutex in fault, -+ * and bloating every shmem inode for this unlikely case would be sad. - */ - if (unlikely(inode->i_private)) { - struct shmem_falloc *shmem_falloc; - - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; -- if (!shmem_falloc || -- shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -- vmf->pgoff < shmem_falloc->start || -- vmf->pgoff >= shmem_falloc->next) -- shmem_falloc = NULL; -- spin_unlock(&inode->i_lock); -- /* -- * i_lock has protected us from taking shmem_falloc seriously -- * once return from shmem_fallocate() went back up that stack. -- * i_lock does not serialize with i_mutex at all, but it does -- * not matter if sometimes we wait unnecessarily, or sometimes -- * miss out on waiting: we just need to make those cases rare. -- */ -- if (shmem_falloc) { -+ if (shmem_falloc && -+ shmem_falloc->waitq && -+ vmf->pgoff >= shmem_falloc->start && -+ vmf->pgoff < shmem_falloc->next) { -+ wait_queue_head_t *shmem_falloc_waitq; -+ DEFINE_WAIT(shmem_fault_wait); -+ -+ ret = VM_FAULT_NOPAGE; - if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && - !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -+ /* It's polite to up mmap_sem if we can */ - up_read(&vma->vm_mm->mmap_sem); -- mutex_lock(&inode->i_mutex); -- mutex_unlock(&inode->i_mutex); -- return VM_FAULT_RETRY; -+ ret = VM_FAULT_RETRY; - } -- /* cond_resched? 
Leave that to GUP or return to user */ -- return VM_FAULT_NOPAGE; -+ -+ shmem_falloc_waitq = shmem_falloc->waitq; -+ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, -+ TASK_UNINTERRUPTIBLE); -+ spin_unlock(&inode->i_lock); -+ schedule(); -+ -+ /* -+ * shmem_falloc_waitq points into the shmem_fallocate() -+ * stack of the hole-punching task: shmem_falloc_waitq -+ * is usually invalid by the time we reach here, but -+ * finish_wait() does not dereference it in that case; -+ * though i_lock needed lest racing with wake_up_all(). -+ */ -+ spin_lock(&inode->i_lock); -+ finish_wait(shmem_falloc_waitq, &shmem_fault_wait); -+ spin_unlock(&inode->i_lock); -+ return ret; - } -+ spin_unlock(&inode->i_lock); - } - - error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); -@@ -1855,13 +1875,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, - - mutex_lock(&inode->i_mutex); - -- shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -- - if (mode & FALLOC_FL_PUNCH_HOLE) { - struct address_space *mapping = file->f_mapping; - loff_t unmap_start = round_up(offset, PAGE_SIZE); - loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; -+ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq); - -+ shmem_falloc.waitq = &shmem_falloc_waitq; - shmem_falloc.start = unmap_start >> PAGE_SHIFT; - shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; - spin_lock(&inode->i_lock); -@@ -1873,8 +1893,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, - 1 + unmap_end - unmap_start, 0); - shmem_truncate_range(inode, offset, offset + len - 1); - /* No need to unmap again: hole-punching leaves COWed pages */ -+ -+ spin_lock(&inode->i_lock); -+ inode->i_private = NULL; -+ wake_up_all(&shmem_falloc_waitq); -+ spin_unlock(&inode->i_lock); - error = 0; -- goto undone; -+ goto out; - } - - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ -@@ -1890,6 +1915,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t 
offset, - goto out; - } - -+ shmem_falloc.waitq = NULL; - shmem_falloc.start = start; - shmem_falloc.next = start; - shmem_falloc.nr_falloced = 0; --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch deleted file mode 100644 index f58b2f0e..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/0003-HID-CVE-2014-3184.patch +++ /dev/null 
@@ -1,114 +0,0 @@
-From 4ab25786c87eb20857bbb715c3ae34ec8fd6a214 Mon Sep 17 00:00:00 2001
-From: Jiri Kosina
-Date: Thu, 21 Aug 2014 09:57:48 -0500
-Subject: [PATCH] HID: fix a couple of off-by-ones
-
-There are a few very theoretical off-by-one bugs in report descriptor size
-checking when performing a pre-parsing fixup. Fix those.
-
-This fixes CVE-2014-3184
-Upstream-Status: Backport
-
-Cc: stable@vger.kernel.org
-Reported-by: Ben Hawkes
-Reviewed-by: Benjamin Tissoires
-Signed-off-by: Jiri Kosina
-Signed-off-by: Sona Sarmadi
----
- drivers/hid/hid-cherry.c | 2 +-
- drivers/hid/hid-kye.c | 2 +-
- drivers/hid/hid-lg.c | 4 ++--
- drivers/hid/hid-monterey.c | 2 +-
- drivers/hid/hid-petalynx.c | 2 +-
- drivers/hid/hid-sunplus.c | 2 +-
- 6 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
-index 1bdcccc..f745d2c 100644
---- a/drivers/hid/hid-cherry.c
-+++ b/drivers/hid/hid-cherry.c
-@@ -28,7 +28,7 @@
- static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
-+ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
- hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
- rdesc[11] = rdesc[16] = 0xff;
- rdesc[12] = rdesc[17] = 0x03;
-diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
-index e776963..b92bf01 100644
---- a/drivers/hid/hid-kye.c
-+++ b/drivers/hid/hid-kye.c
-@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- * - change the button usage range to 4-7 for the extra
- * buttons
- */
-- if (*rsize >= 74 &&
-+ if (*rsize >= 75 &&
- rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
- rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
- rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
-diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
-index a976f48..f91ff14 100644
---- a/drivers/hid/hid-lg.c
-+++ b/drivers/hid/hid-lg.c
-@@ -345,14 +345,14 @@ static
__u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- struct usb_device_descriptor *udesc;
- __u16 bcdDevice, rev_maj, rev_min;
-
-- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
-+ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
- rdesc[84] == 0x8c && rdesc[85] == 0x02) {
- hid_info(hdev,
- "fixing up Logitech keyboard report descriptor\n");
- rdesc[84] = rdesc[89] = 0x4d;
- rdesc[85] = rdesc[90] = 0x10;
- }
-- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
-+ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
- rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
- rdesc[49] == 0x81 && rdesc[50] == 0x06) {
- hid_info(hdev,
-diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
-index 9e14c00..25daf28 100644
---- a/drivers/hid/hid-monterey.c
-+++ b/drivers/hid/hid-monterey.c
-@@ -24,7 +24,7 @@
- static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
-+ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
- hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
- rdesc[30] = 0x0c;
- }
-diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
-index 736b250..6aca4f2 100644
---- a/drivers/hid/hid-petalynx.c
-+++ b/drivers/hid/hid-petalynx.c
-@@ -25,7 +25,7 @@
- static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
-+ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
- rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
- rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
- hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
-diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
-index 87fc91e..91072fa 100644
---- a/drivers/hid/hid-sunplus.c
-+++ b/drivers/hid/hid-sunplus.c
-@@ -24,7 +24,7 @@
- static __u8
*sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
- unsigned int *rsize)
- {
-- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
-+ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
- rdesc[106] == 0x03) {
- hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
- rdesc[105] = rdesc[110] = 0x03;
---
-1.9.1
-
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index aa5ca1bc..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0003-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From 8b18c0adbc5d0cb1530692e72bcfb88fd7bb77bb Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Mon, 28 Jul 2014 17:26:07 -0700
-Subject: [PATCH] mnt: Correct permission checks in do_remount
-
-commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream.
-
-While invesgiating the issue where in "mount --bind -oremount,ro ..."
-would result in later "mount --bind -oremount,rw" succeeding even if
-the mount started off locked I realized that there are several
-additional mount flags that should be locked and are not.
-
-In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
-flags in addition to MNT_READONLY should all be locked. These
-flags are all per superblock, can all be changed with MS_BIND,
-and should not be changable if set by a more privileged user.
-
-The following additions to the current logic are added in this patch.
-- nosuid may not be clearable by a less privileged user.
-- nodev may not be clearable by a less privielged user.
-- noexec may not be clearable by a less privileged user.
-- atime flags may not be changeable by a less privileged user.
-
-The logic with atime is that always setting atime on access is a
-global policy and backup software and auditing software could break if
-atime bits are not updated (when they are configured to be updated),
-and serious performance degradation could result (DOS attack) if atime
-updates happen when they have been explicitly disabled. Therefore an
-unprivileged user should not be able to mess with the atime bits set
-by a more privileged user.
-
-The additional restrictions are implemented with the addition of
-MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
-mnt flags.
-
-Taken together these changes and the fixes for MNT_LOCK_READONLY
-should make it safe for an unprivileged user to create a user
-namespace and to call "mount --bind -o remount,... ..." without
-the danger of mount flags being changed maliciously.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Cc: stable@vger.kernel.org
-Acked-by: Serge E. Hallyn
-Signed-off-by: "Eric W. Biederman"
-Signed-off-by: Jiri Slaby
-Signed-off-by: Sona Sarmadi
----
- fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
- include/linux/mount.h | 5 +++++
- 2 files changed, 38 insertions(+), 3 deletions(-)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 8e90b03..7c67de8 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -827,8 +827,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
-
- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
- /* Don't allow unprivileged users to change mount flags */
-- if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
-- mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
-+ if (flag & CL_UNPRIVILEGED) {
-+ mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
-+
-+ if (mnt->mnt.mnt_flags & MNT_READONLY)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
-+
-+ if (mnt->mnt.mnt_flags & MNT_NODEV)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
-+
-+ if (mnt->mnt.mnt_flags & MNT_NOSUID)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
-+
-+ if (mnt->mnt.mnt_flags & MNT_NOEXEC)
-+ mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
-+ }
-
- /* Don't allow unprivileged users to reveal what is under a mount */
- if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
-@@ -1841,6 +1854,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
- !(mnt_flags & MNT_READONLY)) {
- return -EPERM;
- }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
-+ !(mnt_flags & MNT_NODEV)) {
-+ return -EPERM;
-+ }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
-+ !(mnt_flags & MNT_NOSUID)) {
-+ return -EPERM;
-+ }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
-+ !(mnt_flags & MNT_NOEXEC)) {
-+ return -EPERM;
-+ }
-+ if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
-+ ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
-+ return -EPERM;
-+ }
-+
- err =
security_sb_remount(sb, data);
- if (err)
- return err;
-@@ -2043,7 +2073,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
- */
- if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
- flags |= MS_NODEV;
-- mnt_flags |= MNT_NODEV;
-+ mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
- }
- }
-
-diff --git a/include/linux/mount.h b/include/linux/mount.h
-index 8707c9e..22e5b96 100644
---- a/include/linux/mount.h
-+++ b/include/linux/mount.h
-@@ -45,10 +45,15 @@ struct mnt_namespace;
- #define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
- | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
- | MNT_READONLY)
-+#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
-
-
- #define MNT_INTERNAL 0x4000
-
-+#define MNT_LOCK_ATIME 0x040000
-+#define MNT_LOCK_NOEXEC 0x080000
-+#define MNT_LOCK_NOSUID 0x100000
-+#define MNT_LOCK_NODEV 0x200000
- #define MNT_LOCK_READONLY 0x400000
- #define MNT_LOCKED 0x800000
-
---
-1.9.1
-
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
deleted file mode 100644
index 1b4716d0..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0003-net-sctp-CVE-2014-3688.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From e476841415c1b7b54e4118d8a219f5db71878675 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Thu, 9 Oct 2014 22:55:33 +0200
-Subject: [PATCH] net: sctp: fix remote memory pressure from excessive queueing
-
-commit 26b87c7881006311828bb0ab271a551a62dcceb4 upstream.
-
-This scenario is not limited to ASCONF, just taken as one
-example triggering the issue. When receiving ASCONF probes
-in the form of ...
-
- -------------- INIT[ASCONF; ASCONF_ACK] ------------->
- <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
- -------------------- COOKIE-ECHO -------------------->
- <-------------------- COOKIE-ACK ---------------------
- ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
- [...]
- ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
-
-... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
-ASCONFs and have increasing serial numbers, we process such
-ASCONF chunk(s) marked with !end_of_packet and !singleton,
-since we have not yet reached the SCTP packet end. SCTP does
-only do verification on a chunk by chunk basis, as an SCTP
-packet is nothing more than just a container of a stream of
-chunks which it eats up one by one.
-
-We could run into the case that we receive a packet with a
-malformed tail, above marked as trailing JUNK. All previous
-chunks are here goodformed, so the stack will eat up all
-previous chunks up to this point.
In case JUNK does not fit
-into a chunk header and there are no more other chunks in
-the input queue, or in case JUNK contains a garbage chunk
-header, but the encoded chunk length would exceed the skb
-tail, or we came here from an entirely different scenario
-and the chunk has pdiscard=1 mark (without having had a flush
-point), it will happen, that we will excessively queue up
-the association's output queue (a correct final chunk may
-then turn it into a response flood when flushing the
-queue ;)): I ran a simple script with incremental ASCONF
-serial numbers and could see the server side consuming
-excessive amount of RAM [before/after: up to 2GB and more].
-
-The issue at heart is that the chunk train basically ends
-with !end_of_packet and !singleton markers and since commit
-2e3216cd54b1 ("sctp: Follow security requirement of responding
-with 1 packet") therefore preventing an output queue flush
-point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
-chunk (chunk = event_arg) even though local_cork is set,
-but its precedence has changed since then. In the normal
-case, the last chunk with end_of_packet=1 would trigger the
-queue flush to accommodate possible outgoing bundling.
-
-In the input queue, sctp_inq_pop() seems to do the right thing
-in terms of discarding invalid chunks. So, above JUNK will
-not enter the state machine and instead be released and exit
-the sctp_assoc_bh_rcv() chunk processing loop. It's simply
-the flush point being missing at loop exit. Adding a try-flush
-approach on the output queue might not work as the underlying
-infrastructure might be long gone at this point due to the
-side-effect interpreter run.
-
-One possibility, albeit a bit of a kludge, would be to defer
-invalid chunk freeing into the state machine in order to
-possibly trigger packet discards and thus indirectly a queue
-flush on error.
It would surely be better to discard chunks
-as in the current, perhaps better controlled environment, but
-going back and forth, it's simply architecturally not possible.
-I tried various trailing JUNK attack cases and it seems to
-look good now.
-
-Joint work with Vlad Yasevich.
-
-Fixes CVE-2014-3688
-Upstream-Status: Backport
-
-Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
-Signed-off-by: Daniel Borkmann
-Signed-off-by: Vlad Yasevich
-Signed-off-by: David S. Miller
-Cc: Josh Boyer
-Signed-off-by: Jiri Slaby
-Signed-off-by: Sona Sarmadi
----
- net/sctp/inqueue.c | 33 +++++++--------------------
- net/sctp/sm_statefuns.c | 3 +++
- 2 files changed, 10 insertions(+), 26 deletions(-)
-
-diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
-index 5856932..560cd41 100644
---- a/net/sctp/inqueue.c
-+++ b/net/sctp/inqueue.c
-@@ -141,18 +141,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- } else {
- /* Nothing to do. Next chunk in the packet, please. */
- ch = (sctp_chunkhdr_t *) chunk->chunk_end;
--
- /* Force chunk->skb->data to chunk->chunk_end. */
-- skb_pull(chunk->skb,
-- chunk->chunk_end - chunk->skb->data);
--
-- /* Verify that we have at least chunk headers
-- * worth of buffer left.
-- */
-- if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
-- sctp_chunk_free(chunk);
-- chunk = queue->in_progress = NULL;
-- }
-+ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
-+ /* We are guaranteed to pull a SCTP header. */
- }
- }
-
-@@ -188,24 +179,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
- chunk->subh.v = NULL; /* Subheader is no longer valid.
*/
-
-- if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
-+ if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
-+ skb_tail_pointer(chunk->skb)) {
- /* This is not a singleton */
- chunk->singleton = 0;
- } else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
-- /* RFC 2960, Section 6.10 Bundling
-- *
-- * Partial chunks MUST NOT be placed in an SCTP packet.
-- * If the receiver detects a partial chunk, it MUST drop
-- * the chunk.
-- *
-- * Since the end of the chunk is past the end of our buffer
-- * (which contains the whole packet, we can freely discard
-- * the whole packet.
-- */
-- sctp_chunk_free(chunk);
-- chunk = queue->in_progress = NULL;
--
-- return NULL;
-+ /* Discard inside state machine. */
-+ chunk->pdiscard = 1;
-+ chunk->chunk_end = skb_tail_pointer(chunk->skb);
- } else {
- /* We are at the end of the packet, so mark the chunk
- * in case we need to send a SACK.
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index 1dbcc6a..62623cc 100644
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -171,6 +171,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
- {
- __u16 chunk_length = ntohs(chunk->chunk_hdr->length);
-
-+ /* Previously already marked? */
-+ if (unlikely(chunk->pdiscard))
-+ return 0;
- if (unlikely(chunk_length < required_length))
- return 0;
-
---
-1.9.1
-
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
deleted file mode 100644
index 2b70ec1d..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0003-shmem-CVE-2014-4171.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From a428dc008e435c5a36b1288fb5b8c4b58472e28c Mon Sep 17 00:00:00 2001
-From: Hugh Dickins
-Date: Wed, 23 Jul 2014 14:00:13 -0700
-Subject: [PATCH 3/3] shmem: fix splicing from a hole while it's punched
-
-commit b1a366500bd537b50c3aad26dc7df083ec03a448 upstream.
-
-shmem_fault() is the actual culprit in trinity's hole-punch starvation,
-and the most significant cause of such problems: since a page faulted is
-one that then appears page_mapped(), needing unmap_mapping_range() and
-i_mmap_mutex to be unmapped again.
-
-But it is not the only way in which a page can be brought into a hole in
-the radix_tree while that hole is being punched; and Vlastimil's testing
-implies that if enough other processors are busy filling in the hole,
-then shmem_undo_range() can be kept from completing indefinitely.
-
-shmem_file_splice_read() is the main other user of SGP_CACHE, which can
-instantiate shmem pagecache pages in the read-only case (without holding
-i_mutex, so perhaps concurrently with a hole-punch). Probably it's
-silly not to use SGP_READ already (using the ZERO_PAGE for holes): which
-ought to be safe, but might bring surprises - not a change to be rushed.
-
-shmem_read_mapping_page_gfp() is an internal interface used by
-drivers/gpu/drm GEM (and next by uprobes): it should be okay. And
-shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when
-called internally by the kernel (perhaps for a stacking filesystem,
-which might rely on holes to be reserved): it's unclear whether it could
-be provoked to keep hole-punch busy or not.
-
-We could apply the same umbrella as now used in shmem_fault() to
-shmem_file_splice_read() and the others; but it looks ugly, and use over
-a range raises questions - should it actually be per page? can these get
-starved themselves?
-
-The origin of this part of the problem is my v3.1 commit d0823576bf4b
-("mm: pincer in truncate_inode_pages_range"), once it was duplicated
-into shmem.c.
It seemed like a nice idea at the time, to ensure
-(barring RCU lookup fuzziness) that there's an instant when the entire
-hole is empty; but the indefinitely repeated scans to ensure that make
-it vulnerable.
-
-Revert that "enhancement" to hole-punch from shmem_undo_range(), but
-retain the unproblematic rescanning when it's truncating; add a couple
-of comments there.
-
-Remove the "indices[0] >= end" test: that is now handled satisfactorily
-by the inner loop, and mem_cgroup_uncharge_start()/end() are too light
-to be worth avoiding here.
-
-But if we do not always loop indefinitely, we do need to handle the case
-of swap swizzled back to page before shmem_free_swap() gets it: add a
-retry for that case, as suggested by Konstantin Khlebnikov; and for the
-case of page swizzled back to swap, as suggested by Johannes Weiner.
-
-Upstream-Status: Backport
-
-Signed-off-by: Hugh Dickins
-Reported-by: Sasha Levin
-Suggested-by: Vlastimil Babka
-Cc: Konstantin Khlebnikov
-Cc: Johannes Weiner
-Cc: Lukas Czerner
-Cc: Dave Jones
-Cc: [3.1+]
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Jiri Slaby
-Signed-off-by: Sona Sarmadi
----
- mm/shmem.c | 24 +++++++++++++++---------
- 1 file changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/mm/shmem.c b/mm/shmem.c
-index 6f5626f..0da81aa 100644
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -534,22 +534,19 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- return;
-
- index = start;
-- for ( ; ; ) {
-+ while (index < end) {
- cond_resched();
- pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
- min(end - index, (pgoff_t)PAGEVEC_SIZE),
- pvec.pages, indices);
- if (!pvec.nr) {
-- if (index == start || unfalloc)
-+ /* If all gone or hole-punch or unfalloc, we're done */
-+ if (index == start || end != -1)
- break;
-+ /* But if truncating, restart to make sure all gone */
- index = start;
- continue;
- }
-- if ((index == start || unfalloc) && indices[0] >= end) {
--
shmem_deswap_pagevec(&pvec);
-- pagevec_release(&pvec);
-- break;
-- }
- mem_cgroup_uncharge_start();
- for (i = 0; i < pagevec_count(&pvec); i++) {
- struct page *page = pvec.pages[i];
-@@ -561,8 +558,12 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- if (radix_tree_exceptional_entry(page)) {
- if (unfalloc)
- continue;
-- nr_swaps_freed += !shmem_free_swap(mapping,
-- index, page);
-+ if (shmem_free_swap(mapping, index, page)) {
-+ /* Swap was replaced by page: retry */
-+ index--;
-+ break;
-+ }
-+ nr_swaps_freed++;
- continue;
- }
-
-@@ -571,6 +572,11 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
- if (page->mapping == mapping) {
- VM_BUG_ON(PageWriteback(page));
- truncate_inode_page(mapping, page);
-+ } else {
-+ /* Page was replaced by swap: retry */
-+ unlock_page(page);
-+ index--;
-+ break;
- }
- }
- unlock_page(page);
---
-1.9.1
-
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
deleted file mode 100644
index 08208076..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0004-USB-CVE-2014-3185.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 6817ae225cd650fb1c3295d769298c38b1eba818 Mon Sep 17 00:00:00 2001
-From: James Forshaw
-Date: Sat, 23 Aug 2014 14:39:48 -0700
-Subject: [PATCH] USB: whiteheat: Added bounds checking for bulk command
- response
-
-This patch fixes a potential security issue in the whiteheat USB driver
-which might allow a local attacker to cause kernel memory corrpution. This
-is due to an unchecked memcpy into a fixed size buffer (of 64 bytes). On
-EHCI and XHCI busses it's possible to craft responses greater than 64
-bytes leading a buffer overflow.
-
-This fixes CVE-2014-3185
-Upstream-Status: Backport
-
-Signed-off-by: James Forshaw
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
----
- drivers/usb/serial/whiteheat.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
-index e62f2df..6c3734d 100644
---- a/drivers/usb/serial/whiteheat.c
-+++ b/drivers/usb/serial/whiteheat.c
-@@ -514,6 +514,10 @@ static void command_port_read_callback(struct urb *urb)
- dev_dbg(&urb->dev->dev, "%s - command_info is NULL, exiting.\n", __func__);
- return;
- }
-+ if (!urb->actual_length) {
-+ dev_dbg(&urb->dev->dev, "%s - empty response, exiting.\n", __func__);
-+ return;
-+ }
- if (status) {
- dev_dbg(&urb->dev->dev, "%s - nonzero urb status: %d\n", __func__, status);
- if (status != -ENOENT)
-@@ -534,7 +538,8 @@ static void command_port_read_callback(struct urb *urb)
- /* These are unsolicited reports from the firmware, hence no
- waiting command to wakeup */
- dev_dbg(&urb->dev->dev, "%s - event received\n", __func__);
-- } else if (data[0] == WHITEHEAT_GET_DTR_RTS) {
-+ } else if ((data[0] == WHITEHEAT_GET_DTR_RTS) &&
-+ (urb->actual_length - 1 <= sizeof(command_info->result_buffer))) {
- memcpy(command_info->result_buffer, &data[1],
- urb->actual_length - 1);
- command_info->command_finished = WHITEHEAT_CMD_COMPLETE;
---
-1.9.1
-
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index 8cd4b130..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0004-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From fafbc9412b8f2dae04bc3ca233ae7b49482c8df8 Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Mon, 28 Jul 2014 17:36:04 -0700
-Subject: [PATCH] mnt: Change the default remount atime from relatime to the
- existing value
-
-commit ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e upstream.
-
-Since March 2009 the kernel has treated the state that if no
-MS_..ATIME flags are passed then the kernel defaults to relatime.
-
-Defaulting to relatime instead of the existing atime state during a
-remount is silly, and causes problems in practice for people who don't
-specify any MS_...ATIME flags and to get the default filesystem atime
-setting. Those users may encounter a permission error because the
-default atime setting does not work.
-
-A default that does not work and causes permission problems is
-ridiculous, so preserve the existing value to have a default
-atime setting that is always guaranteed to work.
-
-Using the default atime setting in this way is particularly
-interesting for applications built to run in restricted userspace
-environments without /proc mounted, as the existing atime mount
-options of a filesystem can not be read from /proc/mounts.
-
-In practice this fixes user space that uses the default atime
-setting on remount that are broken by the permission checks
-keeping less privileged users from changing more privileged users
-atime settings.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Acked-by: Serge E. Hallyn
-Signed-off-by: "Eric W.
Biederman"
-Signed-off-by: Jiri Slaby
-Signed-off-by: Sona Sarmadi
----
- fs/namespace.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/fs/namespace.c b/fs/namespace.c
-index 7c67de8..4ea2b73 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -2391,6 +2391,14 @@ long do_mount(const char *dev_name, const char *dir_name,
- if (flags & MS_RDONLY)
- mnt_flags |= MNT_READONLY;
-
-+ /* The default atime for remount is preservation */
-+ if ((flags & MS_REMOUNT) &&
-+ ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME |
-+ MS_STRICTATIME)) == 0)) {
-+ mnt_flags &= ~MNT_ATIME_MASK;
-+ mnt_flags |= path.mnt->mnt_flags & MNT_ATIME_MASK;
-+ }
-+
- flags &= ~(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | MS_BORN |
- MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
- MS_STRICTATIME);
---
-1.9.1
-
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
deleted file mode 100644
index caa89db4..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/0005-mnt-CVE-2014-5206_CVE-2014-5207.patch
+++ /dev/null
@@ -1,324 +0,0 @@
-From 4194b9700ce41ff2f7031aa0c6108c2539028ab5 Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman"
-Date: Tue, 29 Jul 2014 15:50:44 -0700
-Subject: [PATCH] mnt: Add tests for unprivileged remount cases that have found
- to be faulty
-
-commit db181ce011e3c033328608299cd6fac06ea50130 upstream.
-
-Kenton Varda discovered that by remounting a
-read-only bind mount read-only in a user namespace the
-MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
-to the remount a read-only mount read-write.
-
-Upon review of the code in remount it was discovered that the code allowed
-nosuid, noexec, and nodev to be cleared. It was also discovered that
-the code was allowing the per mount atime flags to be changed.
-
-The first naive patch to fix these issues contained the flaw that using
-default atime settings when remounting a filesystem could be disallowed.
-
-To avoid this problems in the future add tests to ensure unprivileged
-remounts are succeeding and failing at the appropriate times.
-
-Fix for CVE-2014-5206 and CVE-2014-5207
-Upstream-Status: backport
-
-Acked-by: Serge E. Hallyn
-Signed-off-by: "Eric W.
Biederman"
-Signed-off-by: Jiri Slaby
-Signed-off-by: Sona Sarmadi
----
- tools/testing/selftests/Makefile | 1 +
- tools/testing/selftests/mount/Makefile | 17 ++
- .../selftests/mount/unprivileged-remount-test.c | 242 +++++++++++++++++++++
- 3 files changed, 260 insertions(+)
- create mode 100644 tools/testing/selftests/mount/Makefile
- create mode 100644 tools/testing/selftests/mount/unprivileged-remount-test.c
-
-diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
-index 9f3eae2..2d9ab94 100644
---- a/tools/testing/selftests/Makefile
-+++ b/tools/testing/selftests/Makefile
-@@ -4,6 +4,7 @@ TARGETS += efivarfs
- TARGETS += kcmp
- TARGETS += memory-hotplug
- TARGETS += mqueue
-+TARGETS += mount
- TARGETS += net
- TARGETS += ptrace
- TARGETS += timers
-diff --git a/tools/testing/selftests/mount/Makefile b/tools/testing/selftests/mount/Makefile
-new file mode 100644
-index 0000000..337d853
---- /dev/null
-+++ b/tools/testing/selftests/mount/Makefile
-@@ -0,0 +1,17 @@
-+# Makefile for mount selftests.
-+
-+all: unprivileged-remount-test
-+
-+unprivileged-remount-test: unprivileged-remount-test.c
-+ gcc -Wall -O2 unprivileged-remount-test.c -o unprivileged-remount-test
-+
-+# Allow specific tests to be selected.
-+test_unprivileged_remount: unprivileged-remount-test
-+ @if [ -f /proc/self/uid_map ] ; then ./unprivileged-remount-test ; fi
-+
-+run_tests: all test_unprivileged_remount
-+
-+clean:
-+ rm -f unprivileged-remount-test
-+
-+.PHONY: all test_unprivileged_remount
-diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c
-new file mode 100644
-index 0000000..1b3ff2f
---- /dev/null
-+++ b/tools/testing/selftests/mount/unprivileged-remount-test.c
-@@ -0,0 +1,242 @@
-+#define _GNU_SOURCE
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#ifndef CLONE_NEWNS
-+# define CLONE_NEWNS 0x00020000
-+#endif
-+#ifndef CLONE_NEWUTS
-+# define CLONE_NEWUTS 0x04000000
-+#endif
-+#ifndef CLONE_NEWIPC
-+# define CLONE_NEWIPC 0x08000000
-+#endif
-+#ifndef CLONE_NEWNET
-+# define CLONE_NEWNET 0x40000000
-+#endif
-+#ifndef CLONE_NEWUSER
-+# define CLONE_NEWUSER 0x10000000
-+#endif
-+#ifndef CLONE_NEWPID
-+# define CLONE_NEWPID 0x20000000
-+#endif
-+
-+#ifndef MS_RELATIME
-+#define MS_RELATIME (1 << 21)
-+#endif
-+#ifndef MS_STRICTATIME
-+#define MS_STRICTATIME (1 << 24)
-+#endif
-+
-+static void die(char *fmt, ...)
-+{
-+ va_list ap;
-+ va_start(ap, fmt);
-+ vfprintf(stderr, fmt, ap);
-+ va_end(ap);
-+ exit(EXIT_FAILURE);
-+}
-+
-+static void write_file(char *filename, char *fmt, ...)
-+{
-+ char buf[4096];
-+ int fd;
-+ ssize_t written;
-+ int buf_len;
-+ va_list ap;
-+
-+ va_start(ap, fmt);
-+ buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
-+ va_end(ap);
-+ if (buf_len < 0) {
-+ die("vsnprintf failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (buf_len >= sizeof(buf)) {
-+ die("vsnprintf output truncated\n");
-+ }
-+
-+ fd = open(filename, O_WRONLY);
-+ if (fd < 0) {
-+ die("open of %s failed: %s\n",
-+ filename, strerror(errno));
-+ }
-+ written = write(fd, buf, buf_len);
-+ if (written != buf_len) {
-+ if (written >= 0) {
-+ die("short write to %s\n", filename);
-+ } else {
-+ die("write to %s failed: %s\n",
-+ filename, strerror(errno));
-+ }
-+ }
-+ if (close(fd) != 0) {
-+ die("close of %s failed: %s\n",
-+ filename, strerror(errno));
-+ }
-+}
-+
-+static void create_and_enter_userns(void)
-+{
-+ uid_t uid;
-+ gid_t gid;
-+
-+ uid = getuid();
-+ gid = getgid();
-+
-+ if (unshare(CLONE_NEWUSER) !=0) {
-+ die("unshare(CLONE_NEWUSER) failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ write_file("/proc/self/uid_map", "0 %d 1", uid);
-+ write_file("/proc/self/gid_map", "0 %d 1", gid);
-+
-+ if (setgroups(0, NULL) != 0) {
-+ die("setgroups failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (setgid(0) != 0) {
-+ die ("setgid(0) failed %s\n",
-+ strerror(errno));
-+ }
-+ if (setuid(0) != 0) {
-+ die("setuid(0) failed %s\n",
-+ strerror(errno));
-+ }
-+}
-+
-+static
-+bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
-+{
-+ pid_t child;
-+
-+ child = fork();
-+ if (child == -1) {
-+ die("fork failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (child != 0) { /* parent */
-+ pid_t pid;
-+ int status;
-+ pid = waitpid(child, &status, 0);
-+ if (pid == -1) {
-+ die("waitpid failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (pid != child) {
-+ die("waited for %d got %d\n",
-+ child, pid);
-+ }
-+ if (!WIFEXITED(status)) {
-+ die("child did not terminate cleanly\n");
-+ }
-+ return WEXITSTATUS(status) == EXIT_SUCCESS ?
true : false;
-+ }
-+
-+ create_and_enter_userns();
-+ if (unshare(CLONE_NEWNS) != 0) {
-+ die("unshare(CLONE_NEWNS) failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
-+ die("mount of /tmp failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ create_and_enter_userns();
-+
-+ if (unshare(CLONE_NEWNS) != 0) {
-+ die("unshare(CLONE_NEWNS) failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ if (mount("/tmp", "/tmp", "none",
-+ MS_REMOUNT | MS_BIND | remount_flags, NULL) != 0) {
-+ /* system("cat /proc/self/mounts"); */
-+ die("remount of /tmp failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ if (mount("/tmp", "/tmp", "none",
-+ MS_REMOUNT | MS_BIND | invalid_flags, NULL) == 0) {
-+ /* system("cat /proc/self/mounts"); */
-+ die("remount of /tmp with invalid flags "
-+ "succeeded unexpectedly\n");
-+ }
-+ exit(EXIT_SUCCESS);
-+}
-+
-+static bool test_unpriv_remount_simple(int mount_flags)
-+{
-+ return test_unpriv_remount(mount_flags, mount_flags, 0);
-+}
-+
-+static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
-+{
-+ return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
-+}
-+
-+int main(int argc, char **argv)
-+{
-+ if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) {
-+ die("MS_RDONLY malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_simple(MS_NODEV)) {
-+ die("MS_NODEV malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) {
-+ die("MS_NOSUID malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) {
-+ die("MS_NOEXEC malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_STRICTATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV,
-+ MS_STRICTATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if
(!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV,
-+ MS_STRICTATIME|MS_NODEV))
-+ {
-+ die("MS_RELATIME malfunctions\n");
-+ }
-+ if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV,
-+ MS_NOATIME|MS_NODEV))
-+ {
-+ die("Default atime malfunctions\n");
-+ }
-+ return EXIT_SUCCESS;
-+}
---
-1.9.1
-
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch b/meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
deleted file mode 100644
index 7d165356..00000000
--- a/meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch
+++ /dev/null
@@ -1,41 +0,0 @@ -CVE-2014-5077 Kernel/SCTP: fix a NULL pointer dereference - -A NULL pointer dereference flaw was found in the way the -Linux kernel's Stream Control Transmission Protocol -(SCTP) implementation handled simultaneous connections -between the same hosts. A remote attacker could use this -flaw to crash the system. - -Upstream-Status: Backport (from v3.16, commit 1be9a950c646c) - -References: - - https://access.redhat.com/security/cve/CVE-2014-5077 - - http://patchwork.ozlabs.org/patch/372475/ - -Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing") -Reported-by: Jason Gunthorpe -Signed-off-by: Daniel Borkmann -Tested-by: Jason Gunthorpe -Cc: Vlad Yasevich -Acked-by: Vlad Yasevich -Signed-off-by: David S. Miller -Signed-off-by: Liviu Gheorghisan ---- - net/sctp/associola.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/sctp/associola.c b/net/sctp/associola.c -index 9de23a2..06a9ee6 100644 ---- a/net/sctp/associola.c -+++ b/net/sctp/associola.c -@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc, - asoc->c = new->c; - asoc->peer.rwnd = new->peer.rwnd; - asoc->peer.sack_needed = new->peer.sack_needed; -+ asoc->peer.auth_capable = new->peer.auth_capable; - asoc->peer.i = new->peer.i; - sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, - asoc->peer.i.initial_tsn, GFP_ATOMIC); --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch b/meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch deleted file mode 100644 index 65107d63..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/Fix-CVE-2014-5471_CVE-2014-5472.patch +++ /dev/null 
@@ -1,212 +0,0 @@ -From 4488e1f5ef40441c9846b1d0a29152c208a05e66 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Sun, 17 Aug 2014 11:49:57 +0200 -Subject: [PATCH] isofs: Fix unbounded recursion when processing relocated - directories - -commit 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4 upstream. - -We did not check relocated directory in any way when processing Rock -Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL -entry pointing to another CL entry leading to possibly unbounded -recursion in kernel code and thus stack overflow or deadlocks (if there -is a loop created from CL entries). - -Fix the problem by not allowing CL entry to point to a directory entry -with CL entry (such use makes no good sense anyway) and by checking -whether CL entry doesn't point to itself. - -Upstream status: backported (from v3.12 e4ca8b780c82c04ec0) - -Reported-by: Chris Evans -Signed-off-by: Jan Kara -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - fs/isofs/inode.c | 15 ++++++++------- - fs/isofs/isofs.h | 23 +++++++++++++++++++---- - fs/isofs/rock.c | 39 ++++++++++++++++++++++++++++----------- - 3 files changed, 55 insertions(+), 22 deletions(-) - -diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c -index e5d408a..2e2af97 100644 ---- a/fs/isofs/inode.c -+++ b/fs/isofs/inode.c -@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb) - return; - } - --static int isofs_read_inode(struct inode *); -+static int isofs_read_inode(struct inode *, int relocated); - static int isofs_statfs (struct dentry *, struct kstatfs *); - - static struct kmem_cache *isofs_inode_cachep; -@@ -1258,7 +1258,7 @@ out_toomany: - goto out; - } - --static int isofs_read_inode(struct inode *inode) -+static int isofs_read_inode(struct inode *inode, int relocated) - { - struct super_block *sb = inode->i_sb; - struct isofs_sb_info *sbi = ISOFS_SB(sb); -@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode) - */ - - if (!high_sierra) { -- 
parse_rock_ridge_inode(de, inode); -+ parse_rock_ridge_inode(de, inode, relocated); - /* if we want uid/gid set, override the rock ridge setting */ - if (sbi->s_uid_set) - inode->i_uid = sbi->s_uid; -@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data) - * offset that point to the underlying meta-data for the inode. The - * code below is otherwise similar to the iget() code in - * include/linux/fs.h */ --struct inode *isofs_iget(struct super_block *sb, -- unsigned long block, -- unsigned long offset) -+struct inode *__isofs_iget(struct super_block *sb, -+ unsigned long block, -+ unsigned long offset, -+ int relocated) - { - unsigned long hashval; - struct inode *inode; -@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb, - return ERR_PTR(-ENOMEM); - - if (inode->i_state & I_NEW) { -- ret = isofs_read_inode(inode); -+ ret = isofs_read_inode(inode, relocated); - if (ret < 0) { - iget_failed(inode); - inode = ERR_PTR(ret); -diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h -index 9916723..0ac4c1f 100644 ---- a/fs/isofs/isofs.h -+++ b/fs/isofs/isofs.h -@@ -107,7 +107,7 @@ extern int iso_date(char *, int); - - struct inode; /* To make gcc happy */ - --extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *); -+extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated); - extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *); - extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *); - -@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int - extern struct buffer_head *isofs_bread(struct inode *, sector_t); - extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long); - --extern struct inode *isofs_iget(struct super_block *sb, -- unsigned long block, -- unsigned long offset); -+struct inode *__isofs_iget(struct 
super_block *sb, -+ unsigned long block, -+ unsigned long offset, -+ int relocated); -+ -+static inline struct inode *isofs_iget(struct super_block *sb, -+ unsigned long block, -+ unsigned long offset) -+{ -+ return __isofs_iget(sb, block, offset, 0); -+} -+ -+static inline struct inode *isofs_iget_reloc(struct super_block *sb, -+ unsigned long block, -+ unsigned long offset) -+{ -+ return __isofs_iget(sb, block, offset, 1); -+} - - /* Because the inode number is no longer relevant to finding the - * underlying meta-data for an inode, we are free to choose a more -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index c0bf424..f488bba 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -288,12 +288,16 @@ eio: - goto out; - } - -+#define RR_REGARD_XA 1 -+#define RR_RELOC_DE 2 -+ - static int - parse_rock_ridge_inode_internal(struct iso_directory_record *de, -- struct inode *inode, int regard_xa) -+ struct inode *inode, int flags) - { - int symlink_len = 0; - int cnt, sig; -+ unsigned int reloc_block; - struct inode *reloc; - struct rock_ridge *rr; - int rootflag; -@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de, - - init_rock_state(&rs, inode); - setup_rock_ridge(de, inode, &rs); -- if (regard_xa) { -+ if (flags & RR_REGARD_XA) { - rs.chr += 14; - rs.len -= 14; - if (rs.len < 0) -@@ -485,12 +489,22 @@ repeat: - "relocated directory\n"); - goto out; - case SIG('C', 'L'): -- ISOFS_I(inode)->i_first_extent = -- isonum_733(rr->u.CL.location); -- reloc = -- isofs_iget(inode->i_sb, -- ISOFS_I(inode)->i_first_extent, -- 0); -+ if (flags & RR_RELOC_DE) { -+ printk(KERN_ERR -+ "ISOFS: Recursive directory relocation " -+ "is not supported\n"); -+ goto eio; -+ } -+ reloc_block = isonum_733(rr->u.CL.location); -+ if (reloc_block == ISOFS_I(inode)->i_iget5_block && -+ ISOFS_I(inode)->i_iget5_offset == 0) { -+ printk(KERN_ERR -+ "ISOFS: Directory relocation points to " -+ "itself\n"); -+ goto eio; -+ } -+ ISOFS_I(inode)->i_first_extent = 
reloc_block; -+ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0); - if (IS_ERR(reloc)) { - ret = PTR_ERR(reloc); - goto out; -@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit) - return rpnt; - } - --int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) -+int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode, -+ int relocated) - { -- int result = parse_rock_ridge_inode_internal(de, inode, 0); -+ int flags = relocated ? RR_RELOC_DE : 0; -+ int result = parse_rock_ridge_inode_internal(de, inode, flags); - - /* - * if rockridge flag was reset and we didn't look for attributes -@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) - */ - if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1) - && (ISOFS_SB(inode->i_sb)->s_rock == 2)) { -- result = parse_rock_ridge_inode_internal(de, inode, 14); -+ result = parse_rock_ridge_inode_internal(de, inode, -+ flags | RR_REGARD_XA); - } - return result; - } --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch b/meta-fsl-ppc/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch deleted file mode 100644 index 1ae600fb..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -fs: umount on symlink leaks mnt count - -commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 upstream. - -Currently umount on symlink blocks following umount: - -/vz is separate mount - -drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir -lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir -umount: /vz/testlink: not mounted (expected) - -umount: /vz: device is busy. (unexpected) - -In this case mountpoint_last() gets an extra refcount on path->mnt - -Upstream-Status: Backport - -Signed-off-by: Vasily Averin -Acked-by: Ian Kent -Acked-by: Jeff Layton -Cc: stable@vger.kernel.org -Signed-off-by: Christoph Hellwig -Signed-off-by: Sona Sarmadi ---- - fs/namei.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/namei.c b/fs/namei.c -index 187cacf..c199dcc 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -2280,9 +2280,10 @@ done: - goto out; - } - path->dentry = dentry; -- path->mnt = mntget(nd->path.mnt); -+ path->mnt = nd->path.mnt; - if (should_follow_link(dentry->d_inode, nd->flags & LOOKUP_FOLLOW)) - return 1; -+ mntget(path->mnt); - follow_mount(path); - error = 0; - out: --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch b/meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch deleted file mode 100644 index a0bdc271..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/auditsc-CVE-2014-3917.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 6004b0e5ac2e8e9e1bb0f012dc9242e03cca95df Mon Sep 17 00:00:00 2001 -From: Andy Lutomirski -Date: Wed, 28 May 2014 23:09:58 -0400 -Subject: [PATCH] auditsc: audit_krule mask accesses need bounds checking - -commit a3c54931199565930d6d84f4c3456f6440aefd41 upstream. - -Fixes an easy DoS and possible information disclosure. - -This does nothing about the broken state of x32 auditing. - -eparis: If the admin has enabled auditd and has specifically loaded -audit rules. This bug has been around since before git. Wow... - -This fixes CVE-2014-3917 -Upstream-Status: Backport - -Signed-off-by: Andy Lutomirski -Signed-off-by: Eric Paris -Signed-off-by: Linus Torvalds -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - kernel/auditsc.c | 27 ++++++++++++++++++--------- - 1 file changed, 18 insertions(+), 9 deletions(-) - -diff --git a/kernel/auditsc.c b/kernel/auditsc.c -index 3b79a47..979c00b 100644 ---- a/kernel/auditsc.c -+++ b/kernel/auditsc.c -@@ -733,6 +733,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) - return AUDIT_BUILD_CONTEXT; - } - -+static int audit_in_mask(const struct audit_krule *rule, unsigned long val) -+{ -+ int word, bit; -+ -+ if (val > 0xffffffff) -+ return false; -+ -+ word = AUDIT_WORD(val); -+ if (word >= AUDIT_BITMASK_SIZE) -+ return false; -+ -+ bit = AUDIT_BIT(val); -+ -+ return rule->mask[word] & bit; -+} -+ - /* At syscall entry and exit time, this filter is called if the - * audit_state is not low enough that auditing cannot take place, but is - * also not high enough that we already know we have to write an audit -@@ -750,11 +766,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, - - rcu_read_lock(); - if (!list_empty(list)) { -- int word = AUDIT_WORD(ctx->major); -- int bit = AUDIT_BIT(ctx->major); -- - list_for_each_entry_rcu(e, list, list) { -- if ((e->rule.mask[word] & bit) == bit && -+ if (audit_in_mask(&e->rule, ctx->major) && - 
audit_filter_rules(tsk, &e->rule, ctx, NULL, - &state, false)) { - rcu_read_unlock(); -@@ -774,20 +787,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, - static int audit_filter_inode_name(struct task_struct *tsk, - struct audit_names *n, - struct audit_context *ctx) { -- int word, bit; - int h = audit_hash_ino((u32)n->ino); - struct list_head *list = &audit_inode_hash[h]; - struct audit_entry *e; - enum audit_state state; - -- word = AUDIT_WORD(ctx->major); -- bit = AUDIT_BIT(ctx->major); -- - if (list_empty(list)) - return 0; - - list_for_each_entry_rcu(e, list, list) { -- if ((e->rule.mask[word] & bit) == bit && -+ if (audit_in_mask(&e->rule, ctx->major) && - audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) { - ctx->current_state = state; - return 1; --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch b/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch deleted file mode 100644 index 0cd9c958..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/eCryptfs-CVE-2014-9683.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 8ffea99d6f2be99790611282f326da95a84a8cab Mon Sep 17 00:00:00 2001 -From: Michael Halcrow -Date: Wed, 26 Nov 2014 09:09:16 -0800 -Subject: [PATCH] eCryptfs: Remove buggy and unnecessary write in file name - decode routine - -commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream. - -Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the -end of the allocated buffer during encrypted filename decoding. This -fix corrects the issue by getting rid of the unnecessary 0 write when -the current bit offset is 2. - -Fixes CVE-2014-9683 -Upstream-Status: Backport - -Signed-off-by: Michael Halcrow -Reported-by: Dmitry Chernenkov -Suggested-by: Kees Cook -Signed-off-by: Tyler Hicks -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - fs/ecryptfs/crypto.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c -index 000eae2..bf926f7 100644 ---- a/fs/ecryptfs/crypto.c -+++ b/fs/ecryptfs/crypto.c -@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size, - break; - case 2: - dst[dst_byte_offset++] |= (src_byte); -- dst[dst_byte_offset] = 0; - current_bit_offset = 0; - break; - } --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/fs-CVE-2014-4014.patch b/meta-fsl-ppc/recipes-kernel/linux/files/fs-CVE-2014-4014.patch deleted file mode 100644 index a61ae4cb..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/fs-CVE-2014-4014.patch +++ /dev/null 
@@ -1,210 +0,0 @@ -From 2246a472bce19c0d373fb5488a0e612e3328ce0a Mon Sep 17 00:00:00 2001 -From: Andy Lutomirski -Date: Tue, 10 Jun 2014 12:45:42 -0700 -Subject: [PATCH] fs,userns: Change inode_capable to capable_wrt_inode_uidgid - -commit 23adbe12ef7d3d4195e80800ab36b37bee28cd03 upstream. - -The kernel has no concept of capabilities with respect to inodes; inodes -exist independently of namespaces. For example, inode_capable(inode, -CAP_LINUX_IMMUTABLE) would be nonsense. - -This patch changes inode_capable to check for uid and gid mappings and -renames it to capable_wrt_inode_uidgid, which should make it more -obvious what it does. - -Fixes CVE-2014-4014. -Upstream-Status: Backport - -Cc: Theodore Ts'o -Cc: Serge Hallyn -Cc: "Eric W. Biederman" -Cc: Dave Chinner -Signed-off-by: Andy Lutomirski -Signed-off-by: Linus Torvalds -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - fs/attr.c | 8 ++++---- - fs/inode.c | 10 +++++++--- - fs/namei.c | 11 ++++++----- - fs/xfs/xfs_ioctl.c | 2 +- - include/linux/capability.h | 2 +- - kernel/capability.c | 20 ++++++++------------ - 6 files changed, 27 insertions(+), 26 deletions(-) - -diff --git a/fs/attr.c b/fs/attr.c -index 8dd5825..66fa625 100644 ---- a/fs/attr.c -+++ b/fs/attr.c -@@ -50,14 +50,14 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr) - if ((ia_valid & ATTR_UID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - !uid_eq(attr->ia_uid, inode->i_uid)) && -- !inode_capable(inode, CAP_CHOWN)) -+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) - return -EPERM; - - /* Make sure caller can chgrp. */ - if ((ia_valid & ATTR_GID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) && -- !inode_capable(inode, CAP_CHOWN)) -+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) - return -EPERM; - - /* Make sure a caller can chmod. 
*/ -@@ -67,7 +67,7 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr) - /* Also check the setgid bit! */ - if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid : - inode->i_gid) && -- !inode_capable(inode, CAP_FSETID)) -+ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) - attr->ia_mode &= ~S_ISGID; - } - -@@ -160,7 +160,7 @@ void setattr_copy(struct inode *inode, const struct iattr *attr) - umode_t mode = attr->ia_mode; - - if (!in_group_p(inode->i_gid) && -- !inode_capable(inode, CAP_FSETID)) -+ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) - mode &= ~S_ISGID; - inode->i_mode = mode; - } -diff --git a/fs/inode.c b/fs/inode.c -index b33ba8e..1e6e846 100644 ---- a/fs/inode.c -+++ b/fs/inode.c -@@ -1808,14 +1808,18 @@ EXPORT_SYMBOL(inode_init_owner); - * inode_owner_or_capable - check current task permissions to inode - * @inode: inode being checked - * -- * Return true if current either has CAP_FOWNER to the inode, or -- * owns the file. -+ * Return true if current either has CAP_FOWNER in a namespace with the -+ * inode owner uid mapped, or owns the file. 
- */ - bool inode_owner_or_capable(const struct inode *inode) - { -+ struct user_namespace *ns; -+ - if (uid_eq(current_fsuid(), inode->i_uid)) - return true; -- if (inode_capable(inode, CAP_FOWNER)) -+ -+ ns = current_user_ns(); -+ if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid)) - return true; - return false; - } -diff --git a/fs/namei.c b/fs/namei.c -index 187cacf..338d08b 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -321,10 +321,11 @@ int generic_permission(struct inode *inode, int mask) - - if (S_ISDIR(inode->i_mode)) { - /* DACs are overridable for directories */ -- if (inode_capable(inode, CAP_DAC_OVERRIDE)) -+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) - return 0; - if (!(mask & MAY_WRITE)) -- if (inode_capable(inode, CAP_DAC_READ_SEARCH)) -+ if (capable_wrt_inode_uidgid(inode, -+ CAP_DAC_READ_SEARCH)) - return 0; - return -EACCES; - } -@@ -334,7 +335,7 @@ int generic_permission(struct inode *inode, int mask) - * at least one exec bit set. - */ - if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) -- if (inode_capable(inode, CAP_DAC_OVERRIDE)) -+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) - return 0; - - /* -@@ -342,7 +343,7 @@ int generic_permission(struct inode *inode, int mask) - */ - mask &= MAY_READ | MAY_WRITE | MAY_EXEC; - if (mask == MAY_READ) -- if (inode_capable(inode, CAP_DAC_READ_SEARCH)) -+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) - return 0; - - return -EACCES; -@@ -2404,7 +2405,7 @@ static inline int check_sticky(struct inode *dir, struct inode *inode) - return 0; - if (uid_eq(dir->i_uid, fsuid)) - return 0; -- return !inode_capable(inode, CAP_FOWNER); -+ return !capable_wrt_inode_uidgid(inode, CAP_FOWNER); - } - - /* -diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c -index 8c8ef24..52b5375 100644 ---- a/fs/xfs/xfs_ioctl.c -+++ b/fs/xfs/xfs_ioctl.c -@@ -1133,7 +1133,7 @@ xfs_ioctl_setattr( - * cleared upon successful return from chown() - */ - if ((ip->i_d.di_mode & 
(S_ISUID|S_ISGID)) && -- !inode_capable(VFS_I(ip), CAP_FSETID)) -+ !capable_wrt_inode_uidgid(VFS_I(ip), CAP_FSETID)) - ip->i_d.di_mode &= ~(S_ISUID|S_ISGID); - - /* -diff --git a/include/linux/capability.h b/include/linux/capability.h -index a6ee1f9..84b13ad 100644 ---- a/include/linux/capability.h -+++ b/include/linux/capability.h -@@ -210,7 +210,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t, - struct user_namespace *ns, int cap); - extern bool capable(int cap); - extern bool ns_capable(struct user_namespace *ns, int cap); --extern bool inode_capable(const struct inode *inode, int cap); -+extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); - extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); - - /* audit system wants to get cap info from files as well */ -diff --git a/kernel/capability.c b/kernel/capability.c -index 4e66bf9..788653b 100644 ---- a/kernel/capability.c -+++ b/kernel/capability.c -@@ -433,23 +433,19 @@ bool capable(int cap) - EXPORT_SYMBOL(capable); - - /** -- * inode_capable - Check superior capability over inode -+ * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped - * @inode: The inode in question - * @cap: The capability in question - * -- * Return true if the current task has the given superior capability -- * targeted at it's own user namespace and that the given inode is owned -- * by the current user namespace or a child namespace. -- * -- * Currently we check to see if an inode is owned by the current -- * user namespace by seeing if the inode's owner maps into the -- * current user namespace. -- * -+ * Return true if the current task has the given capability targeted at -+ * its own user namespace and that the given inode's uid and gid are -+ * mapped into the current user namespace. 
- */ --bool inode_capable(const struct inode *inode, int cap) -+bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) - { - struct user_namespace *ns = current_user_ns(); - -- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid); -+ return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && -+ kgid_has_mapping(ns, inode->i_gid); - } --EXPORT_SYMBOL(inode_capable); -+EXPORT_SYMBOL(capable_wrt_inode_uidgid); --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/mm-2014-3122.patch b/meta-fsl-ppc/recipes-kernel/linux/files/mm-2014-3122.patch deleted file mode 100644 index 590af0a6..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/mm-2014-3122.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From 77552735ba84a410447af7e3375625eb4cfd577b Mon Sep 17 00:00:00 2001 -From: Vlastimil Babka -Date: Mon, 7 Apr 2014 15:37:50 -0700 -Subject: [PATCH] mm: try_to_unmap_cluster() should lock_page() before mlocking - -commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream. - -A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin -fuzzing with trinity. The call site try_to_unmap_cluster() does not lock -the pages other than its check_page parameter (which is already locked). - -The BUG_ON in mlock_vma_page() is not documented and its purpose is -somewhat unclear, but apparently it serializes against page migration, -which could otherwise fail to transfer the PG_mlocked flag. This would -not be fatal, as the page would be eventually encountered again, but -NR_MLOCK accounting would become distorted nevertheless. This patch adds -a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that -effect. - -The call site try_to_unmap_cluster() is fixed so that for page != -check_page, trylock_page() is attempted (to avoid possible deadlocks as we -already have check_page locked) and mlock_vma_page() is performed only -upon success. If the page lock cannot be obtained, the page is left -without PG_mlocked, which is again not a problem in the whole unevictable -memory design. 
- -Fixes CVE-2014-3122 -Upstream-Status: Backport - -Signed-off-by: Vlastimil Babka -Signed-off-by: Bob Liu -Reported-by: Sasha Levin -Cc: Wanpeng Li -Cc: Michel Lespinasse -Cc: KOSAKI Motohiro -Acked-by: Rik van Riel -Cc: David Rientjes -Cc: Mel Gorman -Cc: Hugh Dickins -Cc: Joonsoo Kim -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sona Sarmadi ---- - mm/mlock.c | 2 ++ - mm/rmap.c | 14 ++++++++++++-- - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/mm/mlock.c b/mm/mlock.c -index 79b7cf7..713e462 100644 ---- a/mm/mlock.c -+++ b/mm/mlock.c -@@ -76,6 +76,7 @@ void clear_page_mlock(struct page *page) - */ - void mlock_vma_page(struct page *page) - { -+ /* Serialize with page migration */ - BUG_ON(!PageLocked(page)); - - if (!TestSetPageMlocked(page)) { -@@ -106,6 +107,7 @@ unsigned int munlock_vma_page(struct page *page) - { - unsigned int page_mask = 0; - -+ /* For try_to_munlock() and to serialize with page migration */ - BUG_ON(!PageLocked(page)); - - if (TestClearPageMlocked(page)) { -diff --git a/mm/rmap.c b/mm/rmap.c -index 3f60774..fbf0040 100644 ---- a/mm/rmap.c -+++ b/mm/rmap.c -@@ -1390,9 +1390,19 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount, - BUG_ON(!page || PageAnon(page)); - - if (locked_vma) { -- mlock_vma_page(page); /* no-op if already mlocked */ -- if (page == check_page) -+ if (page == check_page) { -+ /* we know we have check_page locked */ -+ mlock_vma_page(page); - ret = SWAP_MLOCK; -+ } else if (trylock_page(page)) { -+ /* -+ * If we can lock the page, perform mlock. -+ * Otherwise leave the page alone, it will be -+ * eventually encountered again later. -+ */ -+ mlock_vma_page(page); -+ unlock_page(page); -+ } - continue; /* don't unmap */ - } - --- -1.9.1 - 
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch b/meta-fsl-ppc/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch index 635c2bb5..7d109edb 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch +++ b/meta-fsl-ppc/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch @@ -14,14 +14,13 @@ This has been tested on t1040rdb-64b. . Signed-off-by: Bob Cochran --- - arch/powerpc/configs/corenet32_fmanv3_smp_defconfig | 2 +- - arch/powerpc/configs/corenet64_fmanv3_smp_defconfig | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) + arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) -diff --git a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig +diff --git a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig index a401e7c..5542248 100644 ---- a/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig -+++ b/arch/powerpc/configs/corenet32_fmanv3_smp_defconfig +--- a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig ++++ b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig @@ -1,6 +1,6 @@ CONFIG_PPC_85xx=y CONFIG_SMP=y @@ -30,18 +29,5 @@ index a401e7c..5542248 100644 CONFIG_EXPERIMENTAL=y CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y -diff --git a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig -index 1b987d9..bc0dacf 100644 ---- a/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig -+++ b/arch/powerpc/configs/corenet64_fmanv3_smp_defconfig -@@ -2,7 +2,7 @@ CONFIG_PPC64=y - CONFIG_PPC_BOOK3E_64=y - CONFIG_ALTIVEC=y - CONFIG_SMP=y --CONFIG_NR_CPUS=24 -+CONFIG_NR_CPUS=4 - CONFIG_SYSVIPC=y - CONFIG_POSIX_MQUEUE=y - CONFIG_IRQ_DOMAIN_DEBUG=y -- 1.7.9.5 
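Review bot: The second hunk drops the whole `corenet64_fmanv3_smp_defconfig` part of this patch, yet the retained context line `This has been tested on t1040rdb-64b.` still presents the 64-bit board as the test target, so the patch description no longer matches what the patch does. If the new kernel base already sets the NR_CPUS value for the 64-bit defconfig, say so in the description; otherwise the 64-bit change looks like it was lost in the refresh rather than removed on purpose. The first hunk also renames the target to `corenet32_fmanv3l_smp_defconfig` but keeps the inner `index a401e7c..5542248` line, which now names blobs of the old file; `git apply` ignores it, but it misleads anyone reading the patch. The inner `CONFIG_NR_CPUS` lines for the 32-bit defconfig fall in the gap between the two outer hunks and are not visible here.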
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/meta-fsl-ppc/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch index 6fc5610e..ddcb6c5d 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch +++ b/meta-fsl-ppc/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch @@ -126,9 +126,9 @@ diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index dfe3f36..56ebe71 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c -@@ -759,6 +759,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net, - struct sctp_chunk auth; - sctp_ierror_t ret; +@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net, + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } + /* Make sure that we and the peer are AUTH capable */ + if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch b/meta-fsl-ppc/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch deleted file mode 100644 index 2fdcc9fb..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/powerpc-Fix-64-bit-builds-with-binutils-2.24.patch +++ /dev/null 
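Review bot: The re-contexted inner hunk now places the `/* Make sure that we and the peer are AUTH capable */` check directly after a context `return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);` / `}` pair, which has the same shape as the guard this patch itself adds, so the 3.12.37 base may already contain the CVE-2014-0101 fix; if it does, the refreshed patch would insert a second copy of the check into `sctp_sf_do_5_1D_ce` and belongs with the merged patches this commit removes rather than being rebased. Please confirm against the new base whether an auth-capable check already exists at line 768 before keeping this patch. The inner `index dfe3f36..56ebe71` line was left untouched although the hunk was moved, which `git apply` tolerates but which no longer describes the blobs the hunk was generated from. The rest of the inserted block (the cleanup and discard on failure) lies outside this hunk.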
@@ -1,80 +0,0 @@ -From 7998eb3dc700aaf499f93f50b3d77da834ef9e1d Mon Sep 17 00:00:00 2001 -From: Guenter Roeck -Date: Thu, 15 May 2014 09:33:42 -0700 -Subject: powerpc: Fix 64 bit builds with binutils 2.24 - -Upstream-Status: Backport - -With binutils 2.24, various 64 bit builds fail with relocation errors -such as - -arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e': - (.text+0x165ee): relocation truncated to fit: R_PPC64_ADDR16_HI - against symbol `interrupt_base_book3e' defined in .text section - in arch/powerpc/kernel/built-in.o -arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e': - (.text+0x16602): relocation truncated to fit: R_PPC64_ADDR16_HI - against symbol `interrupt_end_book3e' defined in .text section - in arch/powerpc/kernel/built-in.o - -The assembler maintainer says: - - I changed the ABI, something that had to be done but unfortunately - happens to break the booke kernel code. When building up a 64-bit - value with lis, ori, shl, oris, ori or similar sequences, you now - should use @high and @higha in place of @h and @ha. @h and @ha - (and their associated relocs R_PPC64_ADDR16_HI and R_PPC64_ADDR16_HA) - now report overflow if the value is out of 32-bit signed range. - ie. @h and @ha assume you're building a 32-bit value. This is needed - to report out-of-range -mcmodel=medium toc pointer offsets in @toc@h - and @toc@ha expressions, and for consistency I did the same for all - other @h and @ha relocs. - -Replacing @h with @high in one strategic location fixes the relocation -errors. This has to be done conditionally since the assembler either -supports @h or @high but not both. 
- -Cc: -Signed-off-by: Guenter Roeck -Signed-off-by: Benjamin Herrenschmidt - -diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile -index 4c0cedf..ce4c68a 100644 ---- a/arch/powerpc/Makefile -+++ b/arch/powerpc/Makefile -@@ -150,7 +150,9 @@ endif - - CFLAGS-$(CONFIG_TUNE_CELL) += $(call cc-option,-mtune=cell) - --KBUILD_CPPFLAGS += -Iarch/$(ARCH) -+asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1) -+ -+KBUILD_CPPFLAGS += -Iarch/$(ARCH) $(asinstr) - KBUILD_AFLAGS += -Iarch/$(ARCH) - KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y) - CPP = $(CC) -E $(KBUILD_CFLAGS) -diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h -index 6586a40..cded7c1 100644 ---- a/arch/powerpc/include/asm/ppc_asm.h -+++ b/arch/powerpc/include/asm/ppc_asm.h -@@ -318,11 +318,16 @@ n: - addi reg,reg,(name - 0b)@l; - - #ifdef __powerpc64__ -+#ifdef HAVE_AS_ATHIGH -+#define __AS_ATHIGH high -+#else -+#define __AS_ATHIGH h -+#endif - #define LOAD_REG_IMMEDIATE(reg,expr) \ - lis reg,(expr)@highest; \ - ori reg,reg,(expr)@higher; \ - rldicr reg,reg,32,31; \ -- oris reg,reg,(expr)@h; \ -+ oris reg,reg,(expr)@__AS_ATHIGH; \ - ori reg,reg,(expr)@l; - - #define LOAD_REG_ADDR(reg,name) \ --- -cgit v0.10.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch deleted file mode 100644 index e7b12283..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001 -From: Xufeng Zhang -Date: Thu, 12 Jun 2014 10:53:36 +0800 -Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem - -[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ] - -Consider the scenario: -For a TCP-style socket, while processing the COOKIE_ECHO chunk in -sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check, -a new association would be created in sctp_unpack_cookie(), but afterwards, -some processing maybe failed, and sctp_association_free() will be called to -free the previously allocated association, in sctp_association_free(), -sk_ack_backlog value is decremented for this socket, since the initial -value for sk_ack_backlog is 0, after the decrement, it will be 65535, -a wrap-around problem happens, and if we want to establish new associations -afterward in the same socket, ABORT would be triggered since sctp deem the -accept queue as full. -Fix this issue by only decrementing sk_ack_backlog for associations in -the endpoint's list. - -Fixes CVE-2014-4667 -Upstream-Status: Backport - -Fix-suggested-by: Neil Horman -Signed-off-by: Xufeng Zhang -Acked-by: Daniel Borkmann -Acked-by: Vlad Yasevich -Signed-off-by: David S. Miller -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - net/sctp/associola.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sctp/associola.c b/net/sctp/associola.c -index cef5099..f6d6dcd 100644 ---- a/net/sctp/associola.c -+++ b/net/sctp/associola.c -@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc) - /* Only real associations count against the endpoint, so - * don't bother for if this is a temporary association. - */ -- if (!asoc->temp) { -+ if (!list_empty(&asoc->asocs)) { - list_del(&asoc->asocs); - - /* Decrement the backlog value for a TCP-style listening --- -1.9.1 - 
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch deleted file mode 100644 index 0c4beb31..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Mon, 10 Nov 2014 17:54:26 +0100 -Subject: [PATCH] net: sctp: fix NULL pointer dereference in - af->from_addr_param on malformed packet - -[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ] - -An SCTP server doing ASCONF will panic on malformed INIT ping-of-death -in the form of: - - ------------ INIT[PARAM: SET_PRIMARY_IP] ------------> - -While the INIT chunk parameter verification dissects through many things -in order to detect malformed input, it misses to actually check parameters -inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary -IP address' parameter in ASCONF, which has as a subparameter an address -parameter. - -So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS -or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0 -and thus sctp_get_af_specific() returns NULL, too, which we then happily -dereference unconditionally through af->from_addr_param(). - -The trace for the log: - -BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 -IP: [] sctp_process_init+0x492/0x990 [sctp] -PGD 0 -Oops: 0000 [#1] SMP -[...] -Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs -RIP: 0010:[] [] sctp_process_init+0x492/0x990 [sctp] -[...] -Call Trace: - - [] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp] - [] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp] - [] sctp_do_sm+0x71/0x1210 [sctp] - [] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp] - [] sctp_endpoint_bh_rcv+0x116/0x230 [sctp] - [] sctp_inq_push+0x56/0x80 [sctp] - [] sctp_rcv+0x982/0xa10 [sctp] - [] ? ipt_local_in_hook+0x23/0x28 [iptable_filter] - [] ? nf_iterate+0x69/0xb0 - [] ? ip_local_deliver_finish+0x0/0x2d0 - [] ? nf_hook_slow+0x76/0x120 - [] ? ip_local_deliver_finish+0x0/0x2d0 -[...] 
- -A minimal way to address this is to check for NULL as we do on all -other such occasions where we know sctp_get_af_specific() could -possibly return with NULL. - -Fix for CVE-2014-7841 -Upstream-Status: Backport - -Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT") -Signed-off-by: Daniel Borkmann -Cc: Vlad Yasevich -Acked-by: Neil Horman -Signed-off-by: David S. Miller -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - net/sctp/sm_make_chunk.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c -index 1e06f3b..e342387 100644 ---- a/net/sctp/sm_make_chunk.c -+++ b/net/sctp/sm_make_chunk.c -@@ -2622,6 +2622,9 @@ do_addr_param: - addr_param = param.v + sizeof(sctp_addip_param_t); - - af = sctp_get_af_specific(param_type2af(param.p->type)); -+ if (af == NULL) -+ break; -+ - af->from_addr_param(&addr, addr_param, - htons(asoc->peer.port), 0); - --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch b/meta-fsl-ppc/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch deleted file mode 100644 index 573b5300..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/security-keys-CVE-2014-9529.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From a7033e302dcd38bb4333f46b3fdcd930955e402d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Dec 2014 09:39:01 -0500 -Subject: [PATCH] KEYS: close race between key lookup and freeing - -commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream. - -When a key is being garbage collected, it's key->user would get put before -the ->destroy() callback is called, where the key is removed from it's -respective tracking structures. - -This leaves a key hanging in a semi-invalid state which leaves a window open -for a different task to try an access key->user. An example is -find_keyring_by_name() which would dereference key->user for a key that is -in the process of being garbage collected (where key->user was freed but -->destroy() wasn't called yet - so it's still present in the linked list). - -This would cause either a panic, or corrupt memory. - -Fixes CVE-2014-9529. - -Upstream-Status: Backport - -Signed-off-by: Sasha Levin -Signed-off-by: David Howells -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sona Sarmadi ---- - security/keys/gc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/security/keys/gc.c b/security/keys/gc.c -index d67c97b..7978186 100644 ---- a/security/keys/gc.c -+++ b/security/keys/gc.c -@@ -201,12 +201,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys) - if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) - atomic_dec(&key->user->nikeys); - -- key_user_put(key->user); -- - /* now throw away the key memory */ - if (key->type->destroy) - key->type->destroy(key); - -+ key_user_put(key->user); -+ - kfree(key->description); - - #ifdef KEY_DEBUGGING --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch b/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch deleted file mode 100644 index 0f8b49c1..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/target-CVE-2014-4027.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 186f32e2096c7d9cd9106b8dedd79c596f4c8398 Mon Sep 17 00:00:00 2001 -From: "Nicholas A. Bellinger" -Date: Mon, 16 Jun 2014 20:59:52 +0000 -Subject: [PATCH] target: Explicitly clear ramdisk_mcp backend pages - -[Note that a different patch to address the same issue went in during -v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that -don't strictly apply to fixing the bug] - -This patch changes rd_allocate_sgl_table() to explicitly clear -ramdisk_mcp backend memory pages by passing __GFP_ZERO into -alloc_pages(). - -This addresses a potential security issue where reading from a -ramdisk_mcp could return sensitive information, and follows what ->= v3.15 does to explicitly clear ramdisk_mcp memory at backend -device initialization time. - -This fixes CVE-2014-4027 -Upstream-Status: Backport - -Reported-by: Jorge Daniel Sequeira Matias -Cc: Jorge Daniel Sequeira Matias -Signed-off-by: Nicholas Bellinger -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - drivers/target/target_core_rd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c -index 131327a..9f6bede 100644 ---- a/drivers/target/target_core_rd.c -+++ b/drivers/target/target_core_rd.c -@@ -179,7 +179,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev) - - 1; - - for (j = 0; j < sg_per_table; j++) { -- pg = alloc_pages(GFP_KERNEL, 0); -+ pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0); - if (!pg) { - pr_err("Unable to allocate scatterlist" - " pages for struct rd_dev_sg_table\n"); --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch b/meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch deleted file mode 100644 index cc90f7de..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Mon Sep 17 00:00:00 2001 -From: Rabin Vincent -Date: Wed, 29 Oct 2014 23:06:58 +0100 -Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range - -commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream. - -ARM has some private syscalls (for example, set_tls(2)) which lie -outside the range of NR_syscalls. If any of these are called while -syscall tracing is being performed, out-of-bounds array access will -occur in the ftrace and perf sys_{enter,exit} handlers. - - # trace-cmd record -e raw_syscalls:* true && trace-cmd report - ... - true-653 [000] 384.675777: sys_enter: NR 192 (0, 1000, 3, 4000022, ffffffff, 0) - true-653 [000] 384.675812: sys_exit: NR 192 = 1995915264 - true-653 [000] 384.675971: sys_enter: NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1) - true-653 [000] 384.675988: sys_exit: NR 983045 = 0 - ... - - # trace-cmd record -e syscalls:* true - [ 17.289329] Unable to handle kernel paging request at virtual address aaaaaace - [ 17.289590] pgd = 9e71c000 - [ 17.289696] [aaaaaace] *pgd=00000000 - [ 17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM - [ 17.290169] Modules linked in: - [ 17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21 - [ 17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000 - [ 17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8 - [ 17.290866] LR is at syscall_trace_enter+0x124/0x184 - -Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers. - -Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" -added the check for less than zero, but it should have also checked -for greater than NR_syscalls. 
- -Fixes CVE-2014-7825 and CVE-2014-7826 -Upstream-Status: Backport - -Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in - -Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls" -Signed-off-by: Rabin Vincent -Signed-off-by: Steven Rostedt -Signed-off-by: Jiri Slaby -Signed-off-by: Sona Sarmadi ---- - kernel/trace/trace_syscalls.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c -index 559329d..d8ce71b 100644 ---- a/kernel/trace/trace_syscalls.c -+++ b/kernel/trace/trace_syscalls.c -@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id) - int size; - - syscall_nr = trace_get_syscall_nr(current, regs); -- if (syscall_nr < 0) -+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) - return; - if (!test_bit(syscall_nr, tr->enabled_enter_syscalls)) - return; -@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret) - int syscall_nr; - - syscall_nr = trace_get_syscall_nr(current, regs); -- if (syscall_nr < 0) -+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) - return; - if (!test_bit(syscall_nr, tr->enabled_exit_syscalls)) - return; -@@ -557,7 +557,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id) - int size; - - syscall_nr = trace_get_syscall_nr(current, regs); -- if (syscall_nr < 0) -+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) - return; - if (!test_bit(syscall_nr, enabled_perf_enter_syscalls)) - return; -@@ -631,7 +631,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret) - int size; - - syscall_nr = trace_get_syscall_nr(current, regs); -- if (syscall_nr < 0) -+ if (syscall_nr < 0 || syscall_nr >= NR_syscalls) - return; - if (!test_bit(syscall_nr, enabled_perf_exit_syscalls)) - return; --- -1.9.1 - 
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/udf-CVE-2014-6410.patch b/meta-fsl-ppc/recipes-kernel/linux/files/udf-CVE-2014-6410.patch deleted file mode 100644 index 9086e0a1..00000000 --- a/meta-fsl-ppc/recipes-kernel/linux/files/udf-CVE-2014-6410.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 07d209bd092d023976fdb881ba6d4b30fe18aebe Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Thu, 4 Sep 2014 14:06:55 +0200 -Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs - -commit c03aa9f6e1f938618e6db2e23afef0574efeeb65 upstream. - -We did not implement any bound on number of indirect ICBs we follow when -loading inode. Thus corrupted medium could cause kernel to go into an -infinite loop, possibly causing a stack overflow. - -Fix the possible stack overflow by removing recursion from -__udf_read_inode() and limit number of indirect ICBs we follow to avoid -infinite loops. - -Upstream-Status: Backport - -Signed-off-by: Jan Kara -Cc: Chuck Ebbert -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sona Sarmadi ---- - fs/udf/inode.c | 35 +++++++++++++++++++++-------------- - 1 file changed, 21 insertions(+), 14 deletions(-) - -diff --git a/fs/udf/inode.c b/fs/udf/inode.c -index b6d15d3..aa02328 100644 ---- a/fs/udf/inode.c -+++ b/fs/udf/inode.c -@@ -1270,13 +1270,22 @@ update_time: - return 0; - } - -+/* -+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is -+ * arbitrary - just that we hopefully don't limit any real use of rewritten -+ * inode on write-once media but avoid looping for too long on corrupted media. -+ */ -+#define UDF_MAX_ICB_NESTING 1024 -+ - static void __udf_read_inode(struct inode *inode) - { - struct buffer_head *bh = NULL; - struct fileEntry *fe; - uint16_t ident; - struct udf_inode_info *iinfo = UDF_I(inode); -+ unsigned int indirections = 0; - -+reread: - /* - * Set defaults, but the inode is still incomplete! 
- * Note: get_new_inode() sets the following on a new inode: -@@ -1313,28 +1322,26 @@ static void __udf_read_inode(struct inode *inode) - ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1, - &ident); - if (ident == TAG_IDENT_IE && ibh) { -- struct buffer_head *nbh = NULL; - struct kernel_lb_addr loc; - struct indirectEntry *ie; - - ie = (struct indirectEntry *)ibh->b_data; - loc = lelb_to_cpu(ie->indirectICB.extLocation); - -- if (ie->indirectICB.extLength && -- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0, -- &ident))) { -- if (ident == TAG_IDENT_FE || -- ident == TAG_IDENT_EFE) { -- memcpy(&iinfo->i_location, -- &loc, -- sizeof(struct kernel_lb_addr)); -- brelse(bh); -- brelse(ibh); -- brelse(nbh); -- __udf_read_inode(inode); -+ if (ie->indirectICB.extLength) { -+ brelse(bh); -+ brelse(ibh); -+ memcpy(&iinfo->i_location, &loc, -+ sizeof(struct kernel_lb_addr)); -+ if (++indirections > UDF_MAX_ICB_NESTING) { -+ udf_err(inode->i_sb, -+ "too many ICBs in ICB hierarchy" -+ " (max %d supported)\n", -+ UDF_MAX_ICB_NESTING); -+ make_bad_inode(inode); - return; - } -- brelse(nbh); -+ goto reread; - } - } - brelse(ibh); --- -1.9.1 - diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb index 1e9e4761..3e0ab954 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb 
@@ -1,43 +1,7 @@
 require recipes-kernel/linux/linux-qoriq.inc
 
 SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
- file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \
- file://Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch \
- file://Fix-CVE-2014-5077-sctp-inherit-auth-capable-on-INIT-collisions.patch \
- file://Fix-CVE-2014-5471_CVE-2014-5472.patch \
  file://modify-defconfig-t1040-nr-cpus.patch \
- file://0001-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0002-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0003-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0004-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
- file://udf-CVE-2014-6410.patch \
  file://net-sctp-CVE-2014-0101.patch \
- file://0001-HID-CVE-2014-3181.patch \
- file://0002-HID-CVE-2014-3182.patch \
- file://0003-HID-CVE-2014-3184.patch \
- file://0004-USB-CVE-2014-3185.patch \
- file://0001-kvm-iommu-CVE-2014-3601.patch \
- file://0002-kvm-iommu-CVE-2014-8369.patch \
- file://0001-net-sctp-CVE-2014-3673.patch \
- file://0002-net-sctp-CVE-2014-3687.patch \
- file://0003-net-sctp-CVE-2014-3688.patch \
- file://auditsc-CVE-2014-3917.patch \
- file://0001-ALSA-CVE-2014-4652.patch \
- file://0002-ALSA-CVE-2014-4653.patch \
- file://sctp-CVE-2014-4667.patch \
- file://sctp-CVE-2014-7841.patch \
- file://0001-ALSA-CVE-2014-4656.patch \
- file://0002-ALSA-CVE-2014-4656.patch \
- file://target-CVE-2014-4027.patch \
- file://mm-2014-3122.patch \
- file://0001-shmem-CVE-2014-4171.patch \
- file://0002-shmem-CVE-2014-4171.patch \
- file://0003-shmem-CVE-2014-4171.patch \
- file://fs-CVE-2014-4014.patch \
- file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
- file://security-keys-CVE-2014-9529.patch \
- file://eCryptfs-CVE-2014-9683.patch \
 "
-SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
-
+SRCREV = "f488de6741d5ba805b9fe813d2ddf32368d3a888"
-- 
2.40.1
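Review bot: The SRCREV bump to f488de6741d5ba805b9fe813d2ddf32368d3a888 drops thirty-five CVE backport entries from SRC_URI, but the recipe itself keeps no record that those fixes now come from the upstream revision, and with `nobranch=1` plus a bare SHA a later reader has no tag to check that claim against. A one-line comment above SRC_URI, `# CVE backports formerly carried here as local patches are included in the upstream revision pinned by SRCREV; see commit history for the list`, would let a later CVE audit of this recipe see where those fixes went without re-deriving it from git log. The two entries that survive, `modify-defconfig-t1040-nr-cpus.patch` and `net-sctp-CVE-2014-0101.patch`, presumably were kept because the new revision still lacks them; confirming that against the new tree and saying so in the same comment would close the gap between the commit message and the recipe.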