[4.4] Security fixes

[4.4] Security fixes

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 705 bytes --]

I've backported fixes for I²C and media controller devices, dealing
with the lifetime of related cdev and struct device instances and some
similar race conditions.  Fixing the lifetime issue for watchdog
devices looks impractical for 4.4, as it depends on a big refactoring
in 4.5.

All but one of these are already included in or queued for the later
stable branches.  You dropped the I²C lifetime fix for 4.9, but I hope 
my previous replies persuaded you that it is valid.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

[-- Attachment #2: 4.4-security.mboxz --]
[-- Type: application/mbox, Size: 54022 bytes --]

Re: [4.4] Security fixes

[Sasha Levin]

On Thu, May 21, 2020 at 11:20:01PM +0100, Ben Hutchings wrote:
>I've backported fixes for I²C and media controller devices, dealing
>with the lifetime of related cdev and struct device instances and some
>similar race conditions.  Fixing the lifetime issue for watchdog
>devices looks impractical for 4.4, as it depends on a big refactoring
>in 4.5.
>
>All but one of these are already included in or queued for the later
>stable branches.  You dropped the I²C lifetime fix for 4.9, but I hope
>my previous replies persuaded you that it is valid.

Ignore what I said in my previous mail, I've backed out my changes and
took yours, thanks!

-- 
Thanks,
Sasha

Re: [4.4] Security fixes

[Greg Kroah-Hartman]

On Thu, May 30, 2019 at 03:22:19PM +0100, Ben Hutchings wrote:
> I've attached the following fixes to 4.4, as an mbox:
> 
> - binder: Replace "%p" with "%pK" for stable
> - binder: replace "%p" with "%pK"
> - net: create skb_gso_validate_mac_len()
> - bnx2x: disable GSO where gso_size is too big for hardware
> - brcmfmac: Add length checks on firmware events
> - brcmfmac: screening firmware event packet
> - brcmfmac: revise handling events in receive path
> - brcmfmac: fix incorrect event channel deduction
> - brcmfmac: add length checks in scheduled scan result handler
> - brcmfmac: add subtype check for event handling in data path
> - userfaultfd: don't pin the user memory in userfaultfd_file_create()
> - coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
> 
> The userfaultfd commit might not be a security fix but the next one
> depends on it.

All now applied, thanks.

greg k-h

[4.4] Security fixes

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1022 bytes --]

I've attached the following fixes to 4.4, as an mbox:

- binder: Replace "%p" with "%pK" for stable
- binder: replace "%p" with "%pK"
- net: create skb_gso_validate_mac_len()
- bnx2x: disable GSO where gso_size is too big for hardware
- brcmfmac: Add length checks on firmware events
- brcmfmac: screening firmware event packet
- brcmfmac: revise handling events in receive path
- brcmfmac: fix incorrect event channel deduction
- brcmfmac: add length checks in scheduled scan result handler
- brcmfmac: add subtype check for event handling in data path
- userfaultfd: don't pin the user memory in userfaultfd_file_create()
- coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

The userfaultfd commit might not be a security fix but the next one
depends on it.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom

[-- Attachment #2: security-4.4.mbox --]
[-- Type: application/mbox, Size: 66319 bytes --]