[4.9] Security fixes

[4.9] Security fixes

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1053 bytes --]

I've attached the following fixes to 4.9, as an mbox:

- brcmfmac: add length checks in scheduled scan result handler
- brcmfmac: assure SSID length from firmware is limited
- brcmfmac: add subtype check for event handling in data path
- binder: Replace "%p" with "%pK" for stable
- binder: replace "%p" with "%pK"
- fs: prevent page refcount overflow in pipe_buf_get
- mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
- mm, gup: ensure real head page is ref-counted when using hugepages
- mm: prevent get_user_pages() from overflowing page refcount
- mm: make page ref count overflow check tighter and more explicit
- coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

The first two "mm, gup" commits might not be strictly security fixes
but the next one depends on them.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

[-- Attachment #2: security-4.9.mbox --]
[-- Type: application/mbox, Size: 48001 bytes --]

Re: [4.9] Security fixes

[Greg Kroah-Hartman]

On Thu, May 30, 2019 at 12:52:37PM +0100, Ben Hutchings wrote:
> I've attached the following fixes to 4.9, as an mbox:
> 
> - brcmfmac: add length checks in scheduled scan result handler
> - brcmfmac: assure SSID length from firmware is limited
> - brcmfmac: add subtype check for event handling in data path
> - binder: Replace "%p" with "%pK" for stable
> - binder: replace "%p" with "%pK"
> - fs: prevent page refcount overflow in pipe_buf_get
> - mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
> - mm, gup: ensure real head page is ref-counted when using hugepages
> - mm: prevent get_user_pages() from overflowing page refcount
> - mm: make page ref count overflow check tighter and more explicit
> - coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
> 
> The first two "mm, gup" commits might not be strictly security fixes
> but the next one depends on them.

Thanks for these, I'll queue them up after the current kernels out for
-rc is released.

greg k-h

Re: [4.9] Security fixes

[Greg Kroah-Hartman]

On Thu, May 30, 2019 at 12:52:37PM +0100, Ben Hutchings wrote:
> I've attached the following fixes to 4.9, as an mbox:
> 
> - brcmfmac: add length checks in scheduled scan result handler
> - brcmfmac: assure SSID length from firmware is limited
> - brcmfmac: add subtype check for event handling in data path
> - binder: Replace "%p" with "%pK" for stable
> - binder: replace "%p" with "%pK"
> - fs: prevent page refcount overflow in pipe_buf_get
> - mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
> - mm, gup: ensure real head page is ref-counted when using hugepages
> - mm: prevent get_user_pages() from overflowing page refcount
> - mm: make page ref count overflow check tighter and more explicit
> - coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
> 
> The first two "mm, gup" commits might not be strictly security fixes
> but the next one depends on them.

All now queued up, thanks!

greg k-h