[for-3.18,00/24] Security fixes from 2015 and 2016 android security bulletins

Message ID 1494340968-17152-1-git-send-email-amit.pundir@linaro.org

Message

Amit Pundir May 9, 2017, 2:42 p.m. UTC
Hi Greg,

Please consider following security fixes for linux-3.18.y. This
is a follow up on my previous submission of similar security fixes,
https://www.spinics.net/lists/stable/msg169868.html, picked up from
android security bulletins published in year 2017 so far.

Following are the fixes published in 2015 and 2016 monthly Android
Security Bulletins https://source.android.com/security/bulletin/,
and/or related follow-up fixes from upstream. Cherry-picked and build
tested on v3.18.52 for ARCH=arm/arm64/x86/x86_64/mips + allmodconfig.


Benjamin Tissoires (1):
  HID: core: prevent out-of-bound readings

Bjørn Mork (1):
  cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind

Calvin Owens (1):
  sg: Fix double-free when drives detach during SG_IO

David Howells (2):
  ASN.1: Fix non-match detection failure on data overrun
  KEYS: Fix ASN.1 indefinite length object parsing

Eric Dumazet (2):
  ipv6: sctp: add rcu protection around np->opt
  ipv6: sctp: fix lockdep splat in sctp_v6_get_dst()

Hangbin Liu (1):
  net/ipv6: add sysctl option accept_ra_min_hop_limit

Jann Horn (1):
  sched: panic on corrupted stack end

Kangjie Lu (3):
  ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
  ALSA: timer: Fix leak in events via snd_timer_user_ccallback
  ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

Keno Fischer (1):
  mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp

Lukas Czerner (1):
  ext4: fix potential use after free in __ext4_journal_stop

Mark Rutland (1):
  arm64: make sys_call_table const

Peter Hurley (1):
  tty: Prevent ldisc drivers from re-using stale tty fields

Peter Zijlstra (2):
  perf: Fix event->ctx locking
  perf: Fix race in swevent hash

Rainer Weikusat (1):
  af_unix: Guard against other == sk in unix_dgram_sendmsg

Suzuki K. Poulose (1):
  arm64: perf: reject groups spanning multiple HW PMUs

Takashi Iwai (3):
  ALSA: seq: Fix race at timer setup and close
  ALSA: timer: Fix race among timer ioctls
  xc2028: Fix use-after-free bug properly

WANG Cong (1):
  ppp: defer netns reference release for ppp channel

 Documentation/networking/ip-sysctl.txt |   8 +
 arch/arm64/kernel/perf_event.c         |  21 ++-
 arch/arm64/kernel/sys.c                |   2 +-
 drivers/hid/hid-core.c                 |   3 +
 drivers/media/tuners/tuner-xc2028.c    |  37 ++---
 drivers/net/ppp/ppp_generic.c          |   5 +-
 drivers/net/usb/cdc_ncm.c              |  20 +--
 drivers/scsi/sg.c                      |   8 +-
 drivers/tty/tty_ldisc.c                |   7 +
 fs/ext4/ext4_jbd2.c                    |   6 +-
 include/linux/ipv6.h                   |   1 +
 include/uapi/linux/ipv6.h              |   1 +
 kernel/events/core.c                   | 264 ++++++++++++++++++++++++++-------
 kernel/sched/core.c                    |   3 +-
 lib/asn1_decoder.c                     |  21 +--
 mm/huge_memory.c                       |  12 +-
 net/ipv6/addrconf.c                    |  10 ++
 net/ipv6/ndisc.c                       |  16 +-
 net/sctp/ipv6.c                        |  16 +-
 net/unix/af_unix.c                     |   7 +-
 sound/core/seq/seq_queue.c             |   2 +
 sound/core/timer.c                     |  35 +++--
 22 files changed, 360 insertions(+), 145 deletions(-)

-- 
2.7.4

Comments

Amit Pundir May 9, 2017, 4:37 p.m. UTC | #1
On 9 May 2017 at 20:12, Amit Pundir <amit.pundir@linaro.org> wrote:
> Hi Greg,
>
> Please consider following security fixes for linux-3.18.y. This
> is a follow up on my previous submission of similar security fixes,
> https://www.spinics.net/lists/stable/msg169868.html, picked up from
> android security bulletins published in year 2017 so far.
>
> Following are the fixes published in 2015 and 2016 monthly Android
> Security Bulletins https://source.android.com/security/bulletin/,
> and/or related follow-up fixes from upstream. Cherry-picked and build
> tested on v3.18.52 for ARCH=arm/arm64/x86/x86_64/mips + allmodconfig.
>


Also, for the record following are the upstream fixes listed in
security bulletins but they didn't apply on linux-3.18.y cleanly and
seem to have non-trivial conflicts. So I skipped them. In one case it
is explicitly targeted for 3.19, so I skipped that one as well though
it applied and built fine on 3.18.y.

f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
083ae308280d ("tcp: enable per-socket rate limiting of all 'challenge acks'")
4de930efc23b ("net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom")
1c90308e7a77 ("pagemap: hide physical addresses from non-privileged users")
c58d6c93680f ("netfilter: nfnetlink: correctly validate length of batch messages")
8b8addf891de ("x86/mm/32: Enable full randomization on i386 and X86_32")
38740a5b87d5 ("usb: gadget: f_fs: Fix use-after-free")

Regards,
Amit Pundir

Greg Kroah-Hartman May 18, 2017, 12:22 p.m. UTC | #2
On Tue, May 09, 2017 at 08:12:24PM +0530, Amit Pundir wrote:
> Hi Greg,
>
> Please consider following security fixes for linux-3.18.y. This
> is a follow up on my previous submission of similar security fixes,
> https://www.spinics.net/lists/stable/msg169868.html, picked up from
> android security bulletins published in year 2017 so far.
>
> Following are the fixes published in 2015 and 2016 monthly Android
> Security Bulletins https://source.android.com/security/bulletin/,
> and/or related follow-up fixes from upstream. Cherry-picked and build
> tested on v3.18.52 for ARCH=arm/arm64/x86/x86_64/mips + allmodconfig.


Thanks for these, I've applied all but 3, and will wait for those for
the next round of stable kernel releases (because they are needed in
other trees as well...)

greg k-h

Greg Kroah-Hartman May 23, 2017, 2:38 p.m. UTC | #3
On Thu, May 18, 2017 at 02:22:41PM +0200, Greg KH wrote:
> On Tue, May 09, 2017 at 08:12:24PM +0530, Amit Pundir wrote:
> > Hi Greg,
> >
> > Please consider following security fixes for linux-3.18.y. This
> > is a follow up on my previous submission of similar security fixes,
> > https://www.spinics.net/lists/stable/msg169868.html, picked up from
> > android security bulletins published in year 2017 so far.
> >
> > Following are the fixes published in 2015 and 2016 monthly Android
> > Security Bulletins https://source.android.com/security/bulletin/,
> > and/or related follow-up fixes from upstream. Cherry-picked and build
> > tested on v3.18.52 for ARCH=arm/arm64/x86/x86_64/mips + allmodconfig.
>
> Thanks for these, I've applied all but 3, and will wait for those for
> the next round of stable kernel releases (because they are needed in
> other trees as well...)


These other 3 now applied, thanks!

greg k-h