authorMichal Koutný <mkoutny@suse.com>2019-01-14 19:35:39 +0100
committerMichal Koutný <mkoutny@suse.com>2019-01-14 19:59:08 +0100
commitd040276f14b68eef780999c3a5f414f12ce4b94b (patch)
tree367b38005cd35a96b99ad04ed5dbcc59a4eef47f
parent243d24a224a348768bd5786fc7cdd293ea929253 (diff)
parent896d0f8108f9c58ec97735ed5c06242c819cd3c9 (diff)
Merge remote-tracking branch 'origin/cve/linux-4.4' into users/mkoutny/cve/linux-4.4/sorted-series
Conflicts: series.conf — USB patches moved into the sorted section; sunrpc patches moved into the NFS section to match the already-merged SLE12-SP3; patches in the sorted section re-sorted.
-rw-r--r--patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch71
-rw-r--r--patches.fixes/ipsec-Fix-aborted-xfrm-policy-dump-crash.patch47
-rw-r--r--patches.fixes/mm-cleancache-fix-corruption-on-missed-inode-invalid.patch72
-rw-r--r--patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch53
-rw-r--r--patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch122
-rw-r--r--patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch30
-rw-r--r--patches.suse/0001-USB-check-usb_get_extra_descriptor-for-proper-size-F.patch115
-rw-r--r--series.conf10
8 files changed, 520 insertions, 0 deletions
diff --git a/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
new file mode 100644
index 0000000000..b37f019f89
--- /dev/null
+++ b/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
@@ -0,0 +1,71 @@
+From 5146f95df782b0ac61abde36567e718692725c89 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Wed, 12 Dec 2018 12:42:24 +0100
+Subject: [PATCH] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
+Git-commit: 5146f95df782b0ac61abde36567e718692725c89
+Patch-mainline: v4.20
+References: CVE-2018-19985,bsc#1120743
+
+The function hso_probe reads if_num from the USB device (as an u8) and uses
+it without a length check to index an array, resulting in an OOB memory read
+in hso_probe or hso_get_config_data.
+
+Add a length check for both locations and updated hso_probe to bail on
+error.
+
+This issue has been assigned CVE-2018-19985.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/usb/hso.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index 184c24baca15..d6916f787fce 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
+ return -EIO;
+ }
+
++ /* check if we have a valid interface */
++ if (if_num > 16) {
++ kfree(config_data);
++ return -EINVAL;
++ }
++
+ switch (config_data[if_num]) {
+ case 0x0:
+ result = 0;
+@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
+
+ /* Get the interface/port specification from either driver_info or from
+ * the device itself */
+- if (id->driver_info)
++ if (id->driver_info) {
++ /* if_num is controlled by the device, driver_info is a 0 terminated
++ * array. Make sure, the access is in bounds! */
++ for (i = 0; i <= if_num; ++i)
++ if (((u32 *)(id->driver_info))[i] == 0)
++ goto exit;
+ port_spec = ((u32 *)(id->driver_info))[if_num];
+- else
++ } else {
+ port_spec = hso_get_config_data(interface);
++ if (port_spec < 0)
++ goto exit;
++ }
+
+ /* Check if we need to switch to alt interfaces prior to port
+ * configuration */
+--
+2.20.1
+
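Review bot: The new bound `if_num > 16` in hso_get_config_data is a bare magic number that presumably mirrors the size of the config_data buffer allocated earlier in the function (outside this hunk), but nothing ties the two together, so a later change to the buffer size would silently reopen the out-of-bounds read. Suggest naming the length once and deriving both from it, e.g. `#define HSO_CONFIG_DATA_LEN 17` (if the buffer is indeed 17 bytes) used for the allocation and the control read, and `if (if_num >= HSO_CONFIG_DATA_LEN)` here; failing that, a comment `/* config_data holds 17 bytes: valid indices are 0..16 */` at least records the coupling. The hso_probe side looks right: the `for (i = 0; i <= if_num; ++i)` walk of the 0-terminated driver_info array bails before `[if_num]` is indexed, and the new `port_spec < 0` check stops a negative error code from being treated as a port specification. Both hso_get_config_data and hso_probe start and end outside the hunk.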
diff --git a/patches.fixes/ipsec-Fix-aborted-xfrm-policy-dump-crash.patch b/patches.fixes/ipsec-Fix-aborted-xfrm-policy-dump-crash.patch
new file mode 100644
index 0000000000..9c6e1fe4e2
--- /dev/null
+++ b/patches.fixes/ipsec-Fix-aborted-xfrm-policy-dump-crash.patch
@@ -0,0 +1,47 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 19 Oct 2017 20:51:10 +0800
+Subject: ipsec: Fix aborted xfrm policy dump crash
+Patch-mainline: v4.14-rc7
+Git-commit: 1137b5e2529a8f5ca8ee709288ecba3e68044df2
+References: CVE-2017-16939 bsc#1069702 bsc#1120260
+
+An independent security researcher, Mohamed Ghannam, has reported
+this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
+program.
+
+The xfrm_dump_policy_done function expects xfrm_dump_policy to
+have been called at least once or it will crash. This can be
+triggered if a dump fails because the target socket's receive
+buffer is full.
+
+This patch fixes it by using the cb->start mechanism to ensure that
+the initialisation is always done regardless of the buffer situation.
+
+Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+
+SLE12: as cb->start callback wasn't added until 4.5-rc1, different
+approach is taken: preserve the use of cb->args[0] as a flag indicating
+the walk structure has been initialized (which is already used to work
+around the missing start callback) and call xfrm_policy_walk_done() only
+when it is set. (Credit for the idea to Nicolai Stange.)
+
+---
+ net/xfrm/xfrm_user.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1655,7 +1655,9 @@ static int xfrm_dump_policy_done(struct netlink_callback *cb)
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct net *net = sock_net(cb->skb->sk);
+
+- xfrm_policy_walk_done(walk, net);
++ /* cb->args[0] is set when walk is initialized */
++ if (cb->args[0])
++ xfrm_policy_walk_done(walk, net);
+ return 0;
+ }
+
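Review bot: The guard `if (cb->args[0])` in xfrm_dump_policy_done is only correct if cb->args[0] is set in xfrm_dump_policy strictly after xfrm_policy_walk_init() has run and is still zero for a dump that never got its first callback; neither side of that contract is visible here (xfrm_dump_policy is outside the hunk, and the initial zeroing presumably comes from netlink's dump setup). Suggest widening the added comment so the invariant is stated where it is relied upon: `/* cb->args[0] is set by xfrm_dump_policy() only after xfrm_policy_walk_init(); netlink zeroes cb->args before the first dump call, so a dump that never ran leaves it 0 */`. Since this deliberately deviates from the upstream cb->start approach, a short pointer to that 4.4 reason in the code comment, not only in the patch header, would help the next backporter who diffs against mainline.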
diff --git a/patches.fixes/mm-cleancache-fix-corruption-on-missed-inode-invalid.patch b/patches.fixes/mm-cleancache-fix-corruption-on-missed-inode-invalid.patch
new file mode 100644
index 0000000000..73154fa646
--- /dev/null
+++ b/patches.fixes/mm-cleancache-fix-corruption-on-missed-inode-invalid.patch
@@ -0,0 +1,72 @@
+From 6ff38bd40230af35e446239396e5fc8ebd6a5248 Mon Sep 17 00:00:00 2001
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Date: Fri, 30 Nov 2018 14:09:00 -0800
+Subject: [PATCH] mm: cleancache: fix corruption on missed inode invalidation
+Git-commit: 6ff38bd40230af35e446239396e5fc8ebd6a5248
+Patch-mainline: v4.20-rc5
+References: bsc#1117186 CVE-2018-16862
+
+If all pages are deleted from the mapping by memory reclaim and also
+moved to the cleancache:
+
+__delete_from_page_cache
+ (no shadow case)
+ unaccount_page_cache_page
+ cleancache_put_page
+ page_cache_delete
+ mapping->nrpages -= nr
+ (nrpages becomes 0)
+
+We don't clean the cleancache for an inode after final file truncation
+(removal).
+
+truncate_inode_pages_final
+ check (nrpages || nrexceptional) is false
+ no truncate_inode_pages
+ no cleancache_invalidate_inode(mapping)
+
+These way when reading the new file created with same inode we may get
+these trash leftover pages from cleancache and see wrong data instead of
+the contents of the new file.
+
+Fix it by always doing truncate_inode_pages which is already ready for
+nrpages == 0 && nrexceptional == 0 case and just invalidates inode.
+
+[akpm@linux-foundation.org: add comment, per Jan]
+Link: http://lkml.kernel.org/r/20181112095734.17979-1-ptikhomirov@virtuozzo.com
+Fixes: commit 91b0abe36a7b ("mm + fs: store shadow entries in page cache")
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Reviewed-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ mm/truncate.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/truncate.c
++++ b/mm/truncate.c
+@@ -524,9 +524,13 @@ void truncate_inode_pages_final(struct a
+ */
+ spin_lock_irq(&mapping->tree_lock);
+ spin_unlock_irq(&mapping->tree_lock);
+-
+- truncate_inode_pages(mapping, 0);
+ }
++
++ /*
++ * Cleancache needs notification even if there are no pages or shadow
++ * entries.
++ */
++ truncate_inode_pages(mapping, 0);
+ }
+ EXPORT_SYMBOL(truncate_inode_pages_final);
+
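Review bot: The added comment says why truncate_inode_pages() is now called unconditionally but not why that is safe, which is the first question a reader of truncate_inode_pages_final will ask after seeing the call hoisted out of the `nrpages || nrexceptional` branch that takes the tree_lock barrier. Per the patch description, truncate_inode_pages() already handles the nrpages == 0 && nrexceptional == 0 case and then only invalidates the inode in cleancache; suggest recording that next to the call: `/* Cleancache needs notification even if there are no pages or shadow entries; truncate_inode_pages() is cheap in that case and just invalidates the inode in cleancache. */`. The function starts outside the hunk, so the early part of the condition being relied on is not visible here.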
diff --git a/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch b/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
new file mode 100644
index 0000000000..ba4231c4ba
--- /dev/null
+++ b/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
@@ -0,0 +1,53 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 24 Dec 2018 14:44:42 +0300
+Subject: [PATCH] sunrpc: use SVC_NET() in svcauth_gss_* functions
+Patch-mainline: Submitted, Mon, 24 Dec 2018 14:44:42 +0300 - linux-nfs@vger.kernel.org
+References: bsc#1119946 CVE-2018-16884
+
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1104,7 +1104,7 @@ static int svcauth_gss_legacy_init(struc
+ struct kvec *resv = &rqstp->rq_res.head[0];
+ struct rsi *rsip, rsikey;
+ int ret;
+- struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net, sunrpc_net_id);
++ struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
+
+ memset(&rsikey, 0, sizeof(rsikey));
+ ret = gss_read_verf(gc, argv, authp,
+@@ -1215,7 +1215,7 @@ static int svcauth_gss_proxy_init(struct
+ uint64_t handle;
+ int status;
+ int ret;
+- struct net *net = rqstp->rq_xprt->xpt_net;
++ struct net *net = SVC_NET(rqstp);
+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
+
+ memset(&ud, 0, sizeof(ud));
+@@ -1405,7 +1405,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
+ __be32 *rpcstart;
+ __be32 *reject_stat = resv->iov_base + resv->iov_len;
+ int ret;
+- struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net, sunrpc_net_id);
++ struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
+
+ dprintk("RPC: svcauth_gss: argv->iov_len = %zd\n",
+ argv->iov_len);
+@@ -1693,7 +1693,7 @@ svcauth_gss_release(struct svc_rqst *rqs
+ struct rpc_gss_wire_cred *gc = &gsd->clcred;
+ struct xdr_buf *resbuf = &rqstp->rq_res;
+ int stat = -EINVAL;
+- struct sunrpc_net *sn = net_generic(rqstp->rq_xprt->xpt_net, sunrpc_net_id);
++ struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
+
+ if (gc->gc_proc != RPC_GSS_PROC_DATA)
+ goto out;
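Review bot: The patch body between the References line and the Signed-off-by trailers is empty, so the reason for the change is recorded nowhere in the patch file; on its own the hunk is a pure no-op, because SVC_NET() still expands to `rqstp->rq_xprt->xpt_net` until the following sunrpc-use-after-free patch redefines it, and only then do these four sites become NULL-safe for the backchannel path. A one-sentence description would make that dependency explicit, e.g. `Route the svcauth_gss_* net-namespace lookups through SVC_NET() so they keep working once bc_svc_process() stops setting rqstp->rq_xprt (following patch).`. Any remaining direct `rqstp->rq_xprt->xpt_net` or `rqstp->rq_xprt->xpt_*` users reachable from the backchannel would still dereference NULL after the next patch; only these four sites are visible here, so a grep of svcauth_gss.c and its callees is worth doing before merging.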
diff --git a/patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch b/patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch
new file mode 100644
index 0000000000..1adedb3348
--- /dev/null
+++ b/patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch
@@ -0,0 +1,122 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Mon, 24 Dec 2018 14:44:52 +0300
+Subject: [PATCH] sunrpc: use-after-free in svc_process_common()
+Patch-mainline: Submitted, Mon, 24 Dec 2018 14:44:42 +0300 - linux-nfs@vger.kernel.org
+References: bsc#1119946 CVE-2018-16884
+
+
+if node have NFSv41+ mounts inside several net namespaces
+it can lead to use-after-free in svc_process_common()
+
+svc_process_common()
+ /* Setup reply header */
+ rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE
+
+svc_process_common() can use incorrect rqstp->rq_xprt,
+its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
+The problem is that serv is global structure but sv_bc_xprt
+is assigned per-netnamespace.
+
+According to Trond, the whole "let's set up rqstp->rq_xprt
+for the back channel" is nothing but a giant hack in order
+to work around the fact that svc_process_common() uses it
+to find the xpt_ops, and perform a couple of (meaningless
+for the back channel) tests of xpt_flags.
+
+All we really need in svc_process_common() is to be able to run
+rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()
+
+Bruce J Fields points that this xpo_prep_reply_hdr() call
+is an awfully roundabout way just to do "svc_putnl(resv, 0);"
+in the tcp case.
+
+This patch does not initialiuze rqstp->rq_xprt in bc_svc_process(),
+now it calls svc_process_common() with rqstp->rq_xprt = NULL.
+
+To adjust reply header svc_process_common() just check
+rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for tcp case.
+
+To handle rqstp->rq_xprt = NULL case in functions called from
+svc_process_common() patch intruduces net namespace pointer
+svc_rqst->rq_bc_net and adjust SVC_NET() definition.
+Some other function was also adopted to properly handle described case.
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ include/linux/sunrpc/svc.h | 5 ++++-
+ net/sunrpc/svc.c | 11 ++++++++---
+ net/sunrpc/svc_xprt.c | 5 +++--
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -290,9 +290,12 @@ struct svc_rqst {
+ struct svc_cacherep * rq_cacherep; /* cache info */
+ struct task_struct *rq_task; /* service thread */
+ spinlock_t rq_lock; /* per-request lock */
++ struct net *rq_bc_net; /* pointer to backchannel's
++ * net namespace
++ */
+ };
+
+-#define SVC_NET(svc_rqst) (svc_rqst->rq_xprt->xpt_net)
++#define SVC_NET(rqst) (rqst->rq_xprt ? rqst->rq_xprt->xpt_net : rqst->rq_bc_net)
+
+ /*
+ * Rigorous type checking on sockaddr type conversions
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1091,7 +1091,12 @@ svc_process_common(struct svc_rqst *rqst
+ clear_bit(RQ_DROPME, &rqstp->rq_flags);
+
+ /* Setup reply header */
+- rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp);
++ if (rqstp->rq_prot == IPPROTO_TCP) {
++ struct kvec *resv = &rqstp->rq_res.head[0];
++
++ /* tcp needs a space for the record length... */
++ svc_putnl(resv, 0);
++ }
+
+ svc_putu32(resv, rqstp->rq_xid);
+
+@@ -1138,7 +1143,7 @@ svc_process_common(struct svc_rqst *rqst
+ case SVC_DENIED:
+ goto err_bad_auth;
+ case SVC_CLOSE:
+- if (test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
++ if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
+ svc_close_xprt(rqstp->rq_xprt);
+ case SVC_DROP:
+ goto dropit;
+@@ -1360,10 +1365,10 @@ bc_svc_process(struct svc_serv *serv, st
+ dprintk("svc: %s(%p)\n", __func__, req);
+
+ /* Build the svc_rqst used by the common processing routine */
+- rqstp->rq_xprt = serv->sv_bc_xprt;
+ rqstp->rq_xid = req->rq_xid;
+ rqstp->rq_prot = req->rq_xprt->prot;
+ rqstp->rq_server = serv;
++ rqstp->rq_bc_net = req->rq_xprt->xprt_net;
+
+ rqstp->rq_addrlen = sizeof(req->rq_xprt->addr);
+ memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -454,10 +454,11 @@ out:
+ */
+ void svc_reserve(struct svc_rqst *rqstp, int space)
+ {
++ struct svc_xprt *xprt = rqstp->rq_xprt;
++
+ space += rqstp->rq_res.head[0].iov_len;
+
+- if (space < rqstp->rq_reserved) {
+- struct svc_xprt *xprt = rqstp->rq_xprt;
++ if (xprt && space < rqstp->rq_reserved) {
+ atomic_sub((rqstp->rq_reserved - space), &xprt->xpt_reserved);
+ rqstp->rq_reserved = space;
+
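Review bot: The redefined `SVC_NET(rqst)` in include/linux/sunrpc/svc.h evaluates its argument three times and does not parenthesize it, so a non-trivial or side-effecting argument would misbehave; suggest `#define SVC_NET(rqst) ((rqst)->rq_xprt ? (rqst)->rq_xprt->xpt_net : (rqst)->rq_bc_net)` or a `static inline struct net *svc_net(const struct svc_rqst *rqstp)`, which also gets the argument type-checked. The new rq_bc_net field is assigned only in bc_svc_process(), so the forward path presumably relies on svc_rqst being zero-allocated (outside this hunk) and on rq_xprt always being non-NULL there; a comment on the field, `/* set only for backchannel requests, where rq_xprt is NULL */`, would pin that invariant down. In svc_process_common the `rq_prot == IPPROTO_TCP` test replaces the per-transport xpo_prep_reply_hdr callback on the assumption, stated in the description, that the callback only ever did `svc_putnl(resv, 0)` for TCP and nothing for other transports, which cannot be confirmed for every svc_xprt_ops from this hunk. svc_process_common, bc_svc_process and svc_reserve all start or end outside the hunk.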
diff --git a/patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch b/patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch
new file mode 100644
index 0000000000..71a99c318d
--- /dev/null
+++ b/patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch
@@ -0,0 +1,30 @@
+From: NeilBrown <neilb@suse.com>
+Subject: kabi fix for sunrpc-use-after-free-in-svc_process_common.patch
+Patch-mainline: never, kabi
+References: bsc#1119946 CVE-2018-16884
+
+'struct svc_rqst' is visible to modules - auth_gss in particular,
+so changes must be hidden for kabi stability.
+The new field is not useful to an auth module, so hiding it
+won't hurt.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+
+---
+ include/linux/sunrpc/svc.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -290,9 +290,11 @@ struct svc_rqst {
+ struct svc_cacherep * rq_cacherep; /* cache info */
+ struct task_struct *rq_task; /* service thread */
+ spinlock_t rq_lock; /* per-request lock */
++#ifndef __GENKSYMS__
+ struct net *rq_bc_net; /* pointer to backchannel's
+ * net namespace
+ */
++#endif
+ };
+
+ #define SVC_NET(rqst) (rqst->rq_xprt ? rqst->rq_xprt->xpt_net : rqst->rq_bc_net)
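Review bot: Hiding rq_bc_net behind `#ifndef __GENKSYMS__` keeps the genksyms CRC of struct svc_rqst stable, but the field still changes sizeof(struct svc_rqst); that is only a safe kABI trick if every svc_rqst is allocated by the sunrpc core and modules merely hold pointers to it, and if appending the field at the end leaves every existing member offset unchanged. Neither assumption is stated in the patch; suggest recording them in the description, e.g. `The field is appended at the end of struct svc_rqst, which is only allocated by the sunrpc core, so the size change is invisible to modules that hold a pointer to it.`. If any out-of-tree module embeds or allocates struct svc_rqst itself this would still be a kABI break despite the clean checksum, so that is the thing to verify before relying on the hidden field.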
diff --git a/patches.suse/0001-USB-check-usb_get_extra_descriptor-for-proper-size-F.patch b/patches.suse/0001-USB-check-usb_get_extra_descriptor-for-proper-size-F.patch
new file mode 100644
index 0000000000..8e5ce8228b
--- /dev/null
+++ b/patches.suse/0001-USB-check-usb_get_extra_descriptor-for-proper-size-F.patch
@@ -0,0 +1,115 @@
+From a5bbd694fa41d1117c6fec90a72e4baa67572d58 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 18 Dec 2018 14:52:56 +0100
+Subject: [PATCH] USB: check usb_get_extra_descriptor for proper size (For
+ SUSE)
+Patch-mainline: Never (the upstream version breaks kABI)
+References: bsc#1119714 CVE-2018-20169
+
+This is an adaptation of the upstream fix:
+
+commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf
+Author: Mathias Payer <mathias.payer@nebelwelt.net>
+Date: Wed Dec 5 21:19:59 2018 +0100
+
+ USB: check usb_get_extra_descriptor for proper size
+
+ When reading an extra descriptor, we need to properly check the minimum
+ and maximum size allowed, to prevent from invalid data being sent by a
+ device.
+
+As it relies on changing a macro we cannot use it as such. Old code
+must keep running and compiling, albeit at the unavoidable drawback
+of keeping the system vulnerable.
+Hence the old buggy version is kept and a clean _suse_ version is
+introduced.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/core/hub.c | 4 ++--
+ drivers/usb/core/usb.c | 32 +++++++++++++++++++++++++++++++-
+ include/linux/usb.h | 6 ++++--
+ 3 files changed, 37 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2216,9 +2216,9 @@ static int usb_enumerate_device_otg(stru
+ unsigned port1 = udev->portnum;
+
+ /* descriptor may appear anywhere in config */
+- err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
++ err = __usb_suse_get_extra_descriptor(udev->rawdescriptors[0],
+ le16_to_cpu(udev->config[0].desc.wTotalLength),
+- USB_DT_OTG, (void **) &desc);
++ USB_DT_OTG, (void **) &desc, sizeof(*desc));
+ if (err || !(desc->bmAttributes & USB_OTG_HNP))
+ return 0;
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -693,10 +693,11 @@ int __usb_get_extra_descriptor(char *buf
+ {
+ struct usb_descriptor_header *header;
+
++ WARN_ONCE(1, KERN_CRIT"An external module is leaving this system open to CVE-2018-20169\n ");
+ while (size >= sizeof(struct usb_descriptor_header)) {
+ header = (struct usb_descriptor_header *)buffer;
+
+- if (header->bLength < 2) {
++ if (header->bLength < 2 || header->bLength > size) {
+ printk(KERN_ERR
+ "%s: bogus descriptor, type %d length %d\n",
+ usbcore_name,
+@@ -1130,6 +1131,35 @@ static void __exit usb_exit(void)
+ idr_destroy(&usb_bus_idr);
+ }
+
++int __usb_suse_get_extra_descriptor(char *buffer, unsigned size,
++ unsigned char type, void **ptr, size_t minsize)
++{
++ struct usb_descriptor_header *header;
++
++ while (size >= sizeof(struct usb_descriptor_header)) {
++ header = (struct usb_descriptor_header *)buffer;
++
++ if (header->bLength < 2 || header->bLength > size) {
++ printk(KERN_ERR
++ "%s: bogus descriptor, type %d length %d\n",
++ usbcore_name,
++ header->bDescriptorType,
++ header->bLength);
++ return -1;
++ }
++
++ if (header->bDescriptorType == type && header->bLength >= minsize) {
++ *ptr = header;
++ return 0;
++ }
++
++ buffer += header->bLength;
++ size -= header->bLength;
++ }
++ return -1;
++}
++EXPORT_SYMBOL_GPL(__usb_suse_get_extra_descriptor);
++
+ subsys_initcall(usb_init);
+ module_exit(usb_exit);
+ MODULE_LICENSE("GPL");
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -338,10 +338,12 @@ struct usb_host_bos {
+
+ int __usb_get_extra_descriptor(char *buffer, unsigned size,
+ unsigned char type, void **ptr);
++int __usb_suse_get_extra_descriptor(char *buffer, unsigned size,
++ unsigned char type, void **ptr, size_t min);
+ #define usb_get_extra_descriptor(ifpoint, type, ptr) \
+- __usb_get_extra_descriptor((ifpoint)->extra, \
++ __usb_suse_get_extra_descriptor((ifpoint)->extra, \
+ (ifpoint)->extralen, \
+- type, (void **)ptr)
++ type, (void **)ptr, sizeof(**(ptr)))
+
+ /* ----------------------------------------------------------------------- */
+
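Review bot: The legacy `__usb_get_extra_descriptor` and the new `__usb_suse_get_extra_descriptor` now carry two copies of the same descriptor-walking loop, differing only in the added `bLength >= minsize` test; the rest of the legacy body lies outside the hunk, but if it matches the new copy the old function can become a wrapper that passes `minsize = 0`, which keeps its exported signature and its no-minimum-length semantics (every bLength is >= 0) while leaving one loop to maintain, and `__usb_suse_get_extra_descriptor` is already declared in include/linux/usb.h by this patch. Separately, the WARN_ONCE format ends in `"\n "`; the space after the newline starts a stray continuation fragment in the log and should be dropped. Note that the legacy path still lacks the minimum-size check, as the description acknowledges, so the WARN_ONCE is the only signal that an out-of-tree caller remains exposed; since only hub.c is converted here, a grep for remaining in-tree direct callers of `__usb_get_extra_descriptor` would confirm none of them trip the warning.
```c
int __usb_get_extra_descriptor(char *buffer, unsigned size,
			       unsigned char type, void **ptr)
{
	WARN_ONCE(1, KERN_CRIT "An external module is leaving this system open to CVE-2018-20169\n");
	/* minsize 0 keeps the legacy no-minimum-length semantics; the
	 * bLength > size bound is enforced by the shared implementation. */
	return __usb_suse_get_extra_descriptor(buffer, size, type, ptr, 0);
}

/* … unchanged: __usb_suse_get_extra_descriptor … */
```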
diff --git a/series.conf b/series.conf
index 7e5f6d6343..fa237e1c31 100644
--- a/series.conf
+++ b/series.conf
@@ -6336,6 +6336,7 @@
patches.drivers/0005-dt-add-pinctrl-group-to-uart1-rpi3.patch
patches.drivers/0001-dt-assign-uart0-to-BT-and-uart1-to-pin-headers.patch
patches.fixes/0001-NFS-flush-data-when-locking-a-file-to-ensure-cache-c.patch
+ patches.fixes/ipsec-Fix-aborted-xfrm-policy-dump-crash.patch
patches.drivers/qla2xxx-0040-Add-module-parameter-for-interrupt-mode.patch
patches.fixes/scsi_devinfo-fixup-string-compare.patch
patches.fixes/scsi-Add-AIX-VDASD-to-blacklist.patch
@@ -6369,10 +6370,16 @@
patches.arch/powerpc-tm-Avoid-possible-userspace-r1-corruption-on.patch
patches.fixes/mremap-properly-flush-TLB-before-releasing-the-page.patch
patches.fixes/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch
+ patches.fixes/mm-cleancache-fix-corruption-on-missed-inode-invalid.patch
+ patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
+
+ # out-of-tree patches
+ patches.suse/0001-USB-check-usb_get_extra_descriptor-for-proper-size-F.patch
########################################################
# end of sorted patches
########################################################
+
########################################################
# Scheduler / Core
######################################################
@@ -7004,6 +7011,9 @@
patches.fixes/0001-NFSv4-don-t-let-hanging-mounts-block-other-mounts.patch
+ patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
+ patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch
+ patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch
########################################################
# cifs patches