Update to 4.18.12
This updates to 4.18.12, including removal of patches that have already been applied upstream. This also disables rt until 4.18.12-rt7 is integrated into this package.
parent
eba87a92ee
commit
2c351aeb14
|
@ -1,4 +1,4 @@
|
|||
linux (4.18.11-1) UNRELEASED; urgency=medium
|
||||
linux (4.18.12-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
|
||||
|
@ -82,6 +82,187 @@ linux (4.18.11-1) UNRELEASED; urgency=medium
|
|||
- sched/fair: Fix vruntime_normalized() for remote non-migration wakeup
|
||||
- [x86] vmw_balloon: include asm/io.h
|
||||
- iw_cxgb4: only allow 1 flush on user qps
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.12
|
||||
- tsl2550: fix lux1_input error in low light
|
||||
- vmci: type promotion bug in qp_host_get_user_memory()
|
||||
- [x86] numa_emulation: Fix emulated-to-physical node mapping
|
||||
- staging: rts5208: fix missing error check on call to rtsx_write_register
|
||||
- [armhf] power: supply: axp288_charger: Fix initial
|
||||
constant_charge_current value
|
||||
- [sh4] serial: sh-sci: Stop RX FIFO timer during port shutdown
|
||||
- [arm64] power: vexpress: fix corruption in notifier registration
|
||||
- [x86] iommu/amd: make sure TLB to be flushed before IOVA freed
|
||||
- Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
|
||||
- USB: serial: kobil_sct: fix modem-status error handling
|
||||
- 6lowpan: iphc: reset mac_header after decompress to fix panic
|
||||
- [s390x] mm: correct allocate_pgste proc_handler callback
|
||||
- power: remove possible deadlock when unregistering power_supply
|
||||
- cxgb4: Fix the condition to check if the card is T5
|
||||
- RDMA/bnxt_re: Fix a couple off by one bugs
|
||||
- RDMA/i40w: Hold read semaphore while looking after VMA
|
||||
- RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
|
||||
- IB/core: type promotion bug in rdma_rw_init_one_mr()
|
||||
- IB/mlx4: Test port number before querying type.
|
||||
- vhost_net: Avoid tx vring kicks during busyloop
|
||||
- IB/mlx5: Fix GRE flow specification
|
||||
- include/rdma/opa_addr.h: Fix an endianness issue
|
||||
- x86/tsc: Add missing header to tsc_msr.c
|
||||
- ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
|
||||
- [x86] entry/64: Add two more instruction suffixes
|
||||
- scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
|
||||
buffer size
|
||||
- scsi: klist: Make it safe to use klists in atomic context
|
||||
- [powerpc*] scsi: ibmvscsi: Improve strings handling
|
||||
- scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
|
||||
- usb: wusbcore: security: cast sizeof to int for comparison
|
||||
- ath10k: sdio: use same endpoint id for all packets in a bundle
|
||||
- ath10k: sdio: set skb len for all rx packets
|
||||
- [powerpc*] powerpc/powernv/ioda2: Reduce upper limit for DMA window size
|
||||
- [x86] platform/x86: asus-wireless: Fix uninitialized symbol usage
|
||||
- [x86] ACPI / button: increment wakeup count only when notified
|
||||
- alarmtimer: Prevent overflow for relative nanosleep
|
||||
- [s390x] s390/dasd: correct numa_node in dasd_alloc_queue
|
||||
- [s390x] s390/scm_blk: correct numa_node in scm_blk_dev_setup
|
||||
- posix-timers: Make forward callback return s64
|
||||
- posix-timers: Sanitize overrun handling
|
||||
- [powerpc*] ALSA: snd-aoa: add of_node_put() in error path
|
||||
- ath10k: use locked skb_dequeue for rx completions
|
||||
- [armhf] media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial
|
||||
data
|
||||
- staging: android: ashmem: Fix mmap size validation
|
||||
- staging: mt7621-eth: Fix memory leak in mtk_add_mac() error path
|
||||
- [powerpc*, x86, alpha, m68k, hppa] drivers/tty: add error handling for
|
||||
pcmcia_loop_config
|
||||
- [arm64] dts: renesas: salvator-common: Fix adv7482 decimal unit addresses
|
||||
- [x86] media: tm6000: add error handling for dvb_register_adapter
|
||||
- [powerpc*, mips*, arm64, x86, alpha] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME
|
||||
for AMD Raven Ridge
|
||||
- ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
|
||||
- [armhf] drm/sun4i: Enable DW HDMI PHY clock
|
||||
- [armhf] drm/sun4i: Fix releasing node when enumerating enpoints
|
||||
- ath10k: transmit queued frames after processing rx packets
|
||||
- mt76x2: fix mrr idx/count estimation in mt76x2_mac_fill_tx_status()
|
||||
- rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
|
||||
- brcmsmac: fix wrap around in conversion from constant to s16
|
||||
- bitfield: fix *_encode_bits()
|
||||
- [arm64]wlcore: Add missing PM call for
|
||||
wlcore_cmd_wait_for_event_or_timeout()
|
||||
- [armhf] drm/omap: gem: Fix mm_list locking
|
||||
- [armhf] mvebu: declare asm symbols as character arrays in pmsu.c
|
||||
- RDMA/uverbs: Don't overwrite NULL pointer with ZERO_SIZE_PTR
|
||||
- HID: hid-ntrig: add error handling for sysfs_create_group
|
||||
- [x86] HID: i2c-hid: Use devm to allocate i2c_hid struct
|
||||
- [arm64] dts: renesas: Fix VSPD registers range
|
||||
- drm/v3d: Take a lock across GPU scheduler job creation and queuing.
|
||||
- scsi: bnx2i: add error handling for ioremap_nocache
|
||||
- [arm64] scsi: hisi_sas: Fix the conflict between dev gone and host reset
|
||||
- [armhf] spi: orion: fix CS GPIO handling again
|
||||
- scsi: megaraid_sas: Update controller info during resume
|
||||
- [x86] ASoC: Intel: bytcr_rt5640: Fix Acer Iconia 8 over-current detect
|
||||
threshold
|
||||
- [x86] EDAC, i7core: Fix memleaks and use-after-free on probe and remove
|
||||
- [x86, arm64, armhf] ASoC: dapm: Fix potential DAI widget pointer deref
|
||||
when linking DAIs
|
||||
- module: exclude SHN_UNDEF symbols from kallsyms api
|
||||
- nfsd: fix corrupted reply to badly ordered compound
|
||||
- [mips*, arm64, x86] EDAC: Fix memleak in module init error path
|
||||
- ath10k: fix incorrect size of dma_free_coherent in
|
||||
ath10k_ce_alloc_src_ring_64
|
||||
- ath10k: snoc: use correct bus-specific pointer in RX retry
|
||||
- fs/lock: skip lock owner pid translation in case we are in init_pid_ns
|
||||
- ath10k: fix memory leak of tpc_stats
|
||||
- Input: xen-kbdfront - fix multi-touch XenStore node's locations
|
||||
- drm/vc4: Add missing formats to vc4_format_mod_supported().
|
||||
- [armhf] ARM: dts: dra7: fix DCAN node addresses
|
||||
- drm/vc4: plane: Expand the lower bits by repeating the higher bits
|
||||
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
|
||||
- block: fix deadline elevator drain for zoned block devices
|
||||
- [x86] mm: Expand static page table for fixmap space
|
||||
- [armhf] serial: imx: restore handshaking irq for imx1
|
||||
- [arm64] serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
|
||||
- [x86] intel_th: Fix device removal logic
|
||||
- [x86] intel_th: Fix resource handling for ACPI glue layer
|
||||
- spi: tegra20-slink: explicitly enable/disable clock
|
||||
- [mips*, 'arm64', x86, armhf] regulator: fix crash caused by null driver
|
||||
data
|
||||
- [mips*, 'arm64', x86, armhf] regulator: Fix 'do-nothing' value for
|
||||
regulators without suspend state
|
||||
- USB: fix error handling in usb_driver_claim_interface()
|
||||
- USB: handle NULL config in usb_find_alt_setting()
|
||||
- usb: core: safely deal with the dynamic quirk lists
|
||||
- [armhf] usb: musb: dsps: do not disable CPPI41 irq in driver teardown
|
||||
- USB: usbdevfs: sanitize flags more
|
||||
- USB: usbdevfs: restore warning for nonsensical flags
|
||||
- Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in
|
||||
service_outstanding_interrupt()"
|
||||
- USB: remove LPM management from usb_driver_claim_interface()
|
||||
- uaccess: Fix is_source param for check_copy_size() in
|
||||
copy_to_iter_mcsafe()
|
||||
- filesystem-dax: Fix use of zero page
|
||||
- Input: elantech - enable middle button of touchpad on ThinkPad P72
|
||||
- IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
|
||||
- IB/hfi1: Fix SL array bounds check
|
||||
- IB/hfi1: Invalid user input can result in crash
|
||||
- IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
|
||||
- IB/hfi1: Fix destroy_qp hang after a link down
|
||||
- [x86] ACPI / hotplug / PCI: Don't scan for non-hotplug bridges if slot
|
||||
is not bridge
|
||||
- RDMA/uverbs: Atomically flush and mark closed the comp event queue
|
||||
- [arm64] KVM: Tighten guest core register access from userspace
|
||||
- ARM: OMAP2+: Fix null hwmod for ti-sysc debug
|
||||
- ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
|
||||
- bus: ti-sysc: Fix module register ioremap for larger offsets
|
||||
- qed: Wait for ready indication before rereading the shmem
|
||||
- qed: Wait for MCP halt and resume commands to take place
|
||||
- qed: Prevent a possible deadlock during driver load and unload
|
||||
- qed: Avoid sending mailbox commands when MFW is not responsive
|
||||
- thermal: of-thermal: disable passive polling when thermal zone is disabled
|
||||
- isofs: reject hardware sector size > 2048 bytes
|
||||
- mmc: atmel-mci: fix bad logic of sg_copy_{from,to}_buffer conversion
|
||||
- mmc: android-goldfish: fix bad logic of sg_copy_{from,to}_buffer
|
||||
conversion
|
||||
- bus: ti-sysc: Fix no_console_suspend handling
|
||||
- [armhf] dts: omap4-droid4: fix vibrations on Droid 4
|
||||
- bpf, sockmap: fix sock_hash_alloc and reject zero-sized keys
|
||||
- bpf, sockmap: fix sock hash count in alloc_sock_hash_elem
|
||||
- tls: possible hang when do_tcp_sendpages hits sndbuf is full case
|
||||
- bpf: sockmap: write_space events need to be passed to TCP handler
|
||||
- drm/amdgpu: fix VM clearing for the root PD
|
||||
- drm/amdgpu: fix preamble handling
|
||||
- amdgpu: fix multi-process hang issue
|
||||
- net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler
|
||||
- tcp_bbr: add bbr_check_probe_rtt_done() helper
|
||||
- tcp_bbr: in restart from idle, see if we should exit PROBE_RTT
|
||||
- net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
|
||||
- net: hns: fix skb->truesize underestimation
|
||||
- tools: bpftool: return from do_event_pipe() on bad arguments
|
||||
- e1000: check on netif_running() before calling e1000_up()
|
||||
- e1000: ensure to free old tx/rx rings in set_ringparam()
|
||||
- ixgbe: fix driver behaviour after issuing VFLR
|
||||
- i40e: Fix for Tx timeouts when interface is brought up if DCB is enabled
|
||||
- i40e: fix condition of WARN_ONCE for stat strings
|
||||
- [arm64] crypto: cavium/nitrox - fix for command corruption in queue full
|
||||
case with backlog submissions.
|
||||
- hwmon: (ina2xx) fix sysfs shunt resistor read access
|
||||
- hwmon: (adt7475) Make adt7475_read_word() return errors
|
||||
- Revert "ARM: dts: imx7d: Invert legacy PCI irq mapping"
|
||||
- drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
|
||||
- drm/amdgpu: Update power state at the end of smu hw_init.
|
||||
- ata: ftide010: Add a quirk for SQ201
|
||||
- nvme-fcloop: Fix dropped LS's to removed target port
|
||||
- [armhf] dts: omap4-droid4: Fix emmc errors seen on some devices
|
||||
- drm/amdgpu: Need to set moved to true when evict bo
|
||||
- [arm64, armhf] smccc-1.1: Make return values unsigned long
|
||||
- [arm64, armhf] smccc-1.1: Handle function result as parameters
|
||||
- i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
|
||||
- clk: x86: Set default parent to 48Mhz
|
||||
- [x86] pti: Fix section mismatch warning/error
|
||||
- [powerpc*] KVM: PPC: Book3S HV: Fix guest r11 corruption with POWER9 TM
|
||||
workarounds
|
||||
- [powerpc*] fix csum_ipv6_magic() on little endian platforms
|
||||
- [powerpc*] pkeys: Fix reading of ibm, processor-storage-keys property
|
||||
- [powerpc*] pseries: Fix unitialized timer reset on migration
|
||||
- [arm64] KVM: Sanitize PSTATE.M when being set from userspace
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* linux-perf: Fix BPF feature detection
|
||||
|
|
|
@ -122,7 +122,7 @@ debug-info: true
|
|||
signed-code: false
|
||||
|
||||
[featureset-rt_base]
|
||||
enabled: true
|
||||
enabled: false
|
||||
|
||||
[description]
|
||||
part-long-up: This kernel is not suitable for SMP (multi-processor,
|
||||
|
|
|
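Review bot: The `[featureset-rt_base]` flip to `enabled: false` has no in-file explanation, so the only record of why rt is switched off is this commit message, which is not visible to whoever next edits the defines file. A comment beside the setting, e.g. `# Disabled until 4.18.12-rt7 is integrated`, would keep the reason and the re-enable condition next to the value, assuming the defines parser accepts `#` comments the way the patch series file does. Only the hunk at -122,7 of this file is shown; the rest of the defines file is outside the view.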
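--- a/debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Andy Whitcroft <apw@canonical.com>
-Date: Thu, 20 Sep 2018 09:09:48 -0600
-Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
-Origin: https://git.kernel.org/linus/65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7755
-
-The final field of a floppy_struct is the field "name", which is a pointer
-to a string in kernel memory. The kernel pointer should not be copied to
-user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
-including this "name" field. This pointer cannot be used by the user
-and it will leak a kernel address to user-space, which will reveal the
-location of kernel code and data and undermine KASLR protection.
-
-Model this code after the compat ioctl which copies the returned data
-to a previously cleared temporary structure on the stack (excluding the
-name pointer) and copy out to userspace from there. As we already have
-an inparam union with an appropriate member and that memory is already
-cleared even for read only calls make use of that as a temporary store.
-
-Based on an initial patch by Brian Belleville.
-
-CVE-2018-7755
-Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
-Broke up long line.
-
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
----
-drivers/block/floppy.c | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
-index 48f622728ce6..f2b6f4da1034 100644
---- a/drivers/block/floppy.c
-+++ b/drivers/block/floppy.c
-@@ -3467,6 +3467,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
-(struct floppy_struct **)&outparam);
-if (ret)
-return ret;
-+ memcpy(&inparam.g, outparam,
-+ offsetof(struct floppy_struct, name));
-+ outparam = &inparam.g;
-break;
-case FDMSGON:
-UDP->flags |= FTD_MSG;
---
-2.11.0
-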
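--- a/debian/patches/bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Marc Zyngier <marc.zyngier@arm.com>
-Date: Thu, 27 Sep 2018 16:53:22 +0100
-Subject: arm64: KVM: Sanitize PSTATE.M when being set from userspace
-Origin: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18021
-
-Not all execution modes are valid for a guest, and some of them
-depend on what the HW actually supports. Let's verify that what
-userspace provides is compatible with both the VM settings and
-the HW capabilities.
-
-Cc: <stable@vger.kernel.org>
-Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu")
-Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
-Reviewed-by: Mark Rutland <mark.rutland@arm.com>
-Reviewed-by: Dave Martin <Dave.Martin@arm.com>
-Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
-Signed-off-by: Will Deacon <will.deacon@arm.com>
-[carnil: Backport for 4.18: Cherrypick directly commit from 4.18.12 /
-926415e1e4c9]
----
-arch/arm64/kvm/guest.c | 10 +++++++++-
-1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
-index 4a177629862b..d5c6bb1562d8 100644
---- a/arch/arm64/kvm/guest.c
-+++ b/arch/arm64/kvm/guest.c
-@@ -152,17 +152,25 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
-}
-
-if (off == KVM_REG_ARM_CORE_REG(regs.pstate)) {
-- u32 mode = (*(u32 *)valp) & COMPAT_PSR_MODE_MASK;
-+ u64 mode = (*(u64 *)valp) & COMPAT_PSR_MODE_MASK;
-switch (mode) {
-case COMPAT_PSR_MODE_USR:
-+ if (!system_supports_32bit_el0())
-+ return -EINVAL;
-+ break;
-case COMPAT_PSR_MODE_FIQ:
-case COMPAT_PSR_MODE_IRQ:
-case COMPAT_PSR_MODE_SVC:
-case COMPAT_PSR_MODE_ABT:
-case COMPAT_PSR_MODE_UND:
-+ if (!vcpu_el1_is_32bit(vcpu))
-+ return -EINVAL;
-+ break;
-case PSR_MODE_EL0t:
-case PSR_MODE_EL1t:
-case PSR_MODE_EL1h:
-+ if (vcpu_el1_is_32bit(vcpu))
-+ return -EINVAL;
-break;
-default:
-err = -EINVAL;
---
-2.11.0
-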
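--- a/debian/patches/bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Thu, 27 Sep 2018 16:53:21 +0100
-Subject: arm64: KVM: Tighten guest core register access from userspace
-Origin: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18021
-
-We currently allow userspace to access the core register file
-in about any possible way, including straddling multiple
-registers and doing unaligned accesses.
-
-This is not the expected use of the ABI, and nobody is actually
-using it that way. Let's tighten it by explicitly checking
-the size and alignment for each field of the register file.
-
-Cc: <stable@vger.kernel.org>
-Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface")
-Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
-Reviewed-by: Mark Rutland <mark.rutland@arm.com>
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-[maz: rewrote Dave's initial patch to be more easily backported]
-Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
-Signed-off-by: Will Deacon <will.deacon@arm.com>
----
-arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
-1 file changed, 45 insertions(+)
-
-diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
-index 07256b08226c..3088463bafc1 100644
---- a/arch/arm64/kvm/guest.c
-+++ b/arch/arm64/kvm/guest.c
-@@ -57,6 +57,45 @@ static u64 core_reg_offset_from_id(u64 id)
-return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE);
-}
-
-+static int validate_core_offset(const struct kvm_one_reg *reg)
-+{
-+ u64 off = core_reg_offset_from_id(reg->id);
-+ int size;
-+
-+ switch (off) {
-+ case KVM_REG_ARM_CORE_REG(regs.regs[0]) ...
-+ KVM_REG_ARM_CORE_REG(regs.regs[30]):
-+ case KVM_REG_ARM_CORE_REG(regs.sp):
-+ case KVM_REG_ARM_CORE_REG(regs.pc):
-+ case KVM_REG_ARM_CORE_REG(regs.pstate):
-+ case KVM_REG_ARM_CORE_REG(sp_el1):
-+ case KVM_REG_ARM_CORE_REG(elr_el1):
-+ case KVM_REG_ARM_CORE_REG(spsr[0]) ...
-+ KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]):
-+ size = sizeof(__u64);
-+ break;
-+
-+ case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ...
-+ KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]):
-+ size = sizeof(__uint128_t);
-+ break;
-+
-+ case KVM_REG_ARM_CORE_REG(fp_regs.fpsr):
-+ case KVM_REG_ARM_CORE_REG(fp_regs.fpcr):
-+ size = sizeof(__u32);
-+ break;
-+
-+ default:
-+ return -EINVAL;
-+ }
-+
-+ if (KVM_REG_SIZE(reg->id) == size &&
-+ IS_ALIGNED(off, size / sizeof(__u32)))
-+ return 0;
-+
-+ return -EINVAL;
-+}
-+
-static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
-{
-/*
-@@ -76,6 +115,9 @@ static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
-(off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
-return -ENOENT;
-
-+ if (validate_core_offset(reg))
-+ return -EINVAL;
-+
-if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id)))
-return -EFAULT;
-
-@@ -98,6 +140,9 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
-(off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs)
-return -ENOENT;
-
-+ if (validate_core_offset(reg))
-+ return -EINVAL;
-+
-if (KVM_REG_SIZE(reg->id) > sizeof(tmp))
-return -EINVAL;
-
---
-2.11.0
-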
@ -142,9 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
|
||||
bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
|
||||
bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
|
||||
bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
|
||||
bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
|
|