author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-02-20 10:51:58 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-02-20 10:51:58 +0100 |
commit | 7d4cb521fc370933695dc6c523a22b2c2eae08a5 (patch) | |
tree | 98f033452691b0758ca3200f1a89d8f5625a2698 | |
parent | dc1b5b9646b3970bb5fa6052f80431cb15e80509 (diff) | |
parent | bb99dec73f4b1e220aa12ed9949494775a8fdbc4 (diff) | |
Merge remote-tracking branch 'origin/f29' into f29-user-thl-vanilla-fedora
-rw-r--r-- | arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch | 75 | ||||
-rw-r--r-- | arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch | 44 | ||||
-rw-r--r-- | kernel.spec | 13 | ||||
-rw-r--r-- | net-crypto-set-sk-to-NULL-when-af_alg_release.patch | 127 |
4 files changed, 259 insertions, 0 deletions
diff --git a/arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch b/arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch
new file mode 100644
index 000000000..8a2e8751b
--- /dev/null
+++ b/arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch
@@ -0,0 +1,75 @@
+From 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 12 Dec 2018 11:49:47 +0000
+Subject: ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
+
+If we have a kernel configured for periodic timer interrupts, and we
+have cpuidle enabled, then we end up with CPU1 losing timer interupts
+after a hotplug.
+
+This can manifest itself in RCU stall warnings, or userspace becoming
+unresponsive.
+
+The problem is that the kernel initially wants to use the TWD timer
+for interrupts, but the TWD loses context when we enter the C3 cpuidle
+state. Nothing reprograms the TWD after idle.
+
+We have solved this in the past by switching to broadcast timer ticks,
+and cpuidle44xx switches to that mode at boot time. However, there is
+nothing to switch from periodic mode local timers after a hotplug
+operation.
+
+We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one
+would expect would take care of the issue, but internally this only
+deals with one-shot local timers - tick_broadcast_enable() on the other
+hand only deals with periodic local timers. So, we need to call both.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+[tony@atomide.com: just standardized the subject line]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+---
+ arch/arm/mach-omap2/cpuidle44xx.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c
+index a8b291f00109..dae514c8276a 100644
+--- a/arch/arm/mach-omap2/cpuidle44xx.c
++++ b/arch/arm/mach-omap2/cpuidle44xx.c
+@@ -152,6 +152,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+ mpuss_can_lose_context = (cx->mpu_state == PWRDM_POWER_RET) &&
+ (cx->mpu_logic_state == PWRDM_POWER_OFF);
+
++ /* Enter broadcast mode for periodic timers */
++ tick_broadcast_enable();
++
++ /* Enter broadcast mode for one-shot timers */
+ tick_broadcast_enter();
+
+ /*
+@@ -218,15 +222,6 @@ fail:
+ return index;
+ }
+
+-/*
+- * For each cpu, setup the broadcast timer because local timers
+- * stops for the states above C1.
+- */
+-static void omap_setup_broadcast_timer(void *arg)
+{
+- tick_broadcast_enable();
+-}
+-
+ static struct cpuidle_driver omap4_idle_driver = {
+ .name = "omap4_idle",
+ .owner = THIS_MODULE,
+@@ -319,8 +314,5 @@ int __init omap4_idle_init(void)
+ if (!cpu_clkdm[0] || !cpu_clkdm[1])
+ return -ENODEV;
+
+- /* Configure the broadcast timer on each cpu */
+- on_each_cpu(omap_setup_broadcast_timer, NULL, 1);
+-
+ return cpuidle_register(idle_driver, cpu_online_mask);
+ }
+--
+cgit 1.2-0.3.lf.el7
diff --git a/arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch b/arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch
new file mode 100644
index 000000000..1b5bdc30c
--- /dev/null
+++ b/arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch
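Review bot: In the first inner hunk tick_broadcast_enable() now runs on every entry to omap_enter_idle_coupled(), where the removed omap_setup_broadcast_timer() ran once per CPU from omap4_idle_init(), and the new comment does not say why the repetition is wanted; the rest of omap_enter_idle_coupled() is outside the hunk. The commit text gives the reason (a hotplugged CPU1 comes back with periodic local timers and nothing re-enables broadcast), so I would put it where the next reader will look: `/* Enter broadcast mode for periodic timers; done on every entry so a re-plugged CPU is covered too */`. The patch file name and the commit text both spell "interupts"; if the file is renamed, the Patch309 line in kernel.spec has to follow.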
@@ -0,0 +1,44 @@
+From dc30e70391376ba3987aeb856ae6d9c0706534f1 Mon Sep 17 00:00:00 2001
+From: Yizhuo <yzhai003@ucr.edu>
+Date: Fri, 25 Jan 2019 22:32:20 -0800
+Subject: ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be
+ uninitialized
+
+In function omap4_dsi_mux_pads(), local variable "reg" could
+be uninitialized if function regmap_read() returns -EINVAL.
+However, it will be used directly in the later context, which
+is potentially unsafe.
+
+Signed-off-by: Yizhuo <yzhai003@ucr.edu>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+---
+ arch/arm/mach-omap2/display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c
+index f86b72d1d59e..1444b4b4bd9f 100644
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -83,6 +83,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ u32 enable_mask, enable_shift;
+ u32 pipd_mask, pipd_shift;
+ u32 reg;
++ int ret;
+
+ if (dsi_id == 0) {
+ enable_mask = OMAP4_DSI1_LANEENABLE_MASK;
+@@ -98,7 +99,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ return -ENODEV;
+ }
+
+- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, &reg);
++ ret = regmap_read(omap4_dsi_mux_syscon,
++ OMAP4_DSIPHY_SYSCON_OFFSET,
++ &reg);
++ if (ret)
++ return ret;
+
+ reg &= ~enable_mask;
+ reg &= ~pipd_mask;
+--
+cgit 1.2-0.3.lf.el7
diff --git a/kernel.spec b/kernel.spec
index 679dfb0bc..927f6c6c7 100644
--- a/kernel.spec
+++ b/kernel.spec
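Review bot: The new `if (ret) return ret;` in the second inner hunk propagates every regmap_read() failure, not only the -EINVAL the commit text names, which is the safer choice but leaves the description narrower than the code; a one-line comment above the check, `/* never program the mux from a reg value we failed to read */`, would state why bailing out is correct. omap4_dsi_mux_pads() continues past the hunk, so the write-back of `reg` is not visible here; presumably it is a regmap_write() whose return value should be handled the same way, which is worth confirming in the full file.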
@@ -600,6 +600,10 @@ Patch307: wlcore-sdio-Fixup-power-on-off-sequence.patch # https://patchwork.kernel.org/patch/10778815/ Patch308: drm-enable-uncached-DMA-optimization-for-ARM-and-arm64.patch +# omap4 fixes +Patch309: arm-omap4-fix-lack-of-time-interupts-after-hotplug.patch +Patch310: arm-omap4-fix-omap4_dsi_mux_pads-uninitialized-variable.patch + # https://patchwork.kernel.org/patch/10686407/ Patch331: raspberrypi-Fix-firmware-calls-with-large-buffers.patch
@@ -650,6 +654,9 @@ Patch507: CVE-2019-3459-and-CVE-2019-3460.patch # rhbz 1663613 patch merged into 5.0-rc# Patch508: 0001-drm-nouveau-register-backlight-on-pascal-and-newer.patch +# CVE-2019-8912 rhbz 1678685 1678686 +Patch509: net-crypto-set-sk-to-NULL-when-af_alg_release.patch + # END OF PATCH DEFINITIONS %endif
@@ -1924,6 +1931,12 @@ fi # # %changelog +* Tue Feb 19 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-8912 (rhbz 1678685 1678686) + +* Fri Feb 15 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.10-200 +- Linux v4.20.10 + * Tue Feb 12 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.8-200 - Linux v4.20.8 - Fixes CVE-2019-7221 (rhbz 1671904 1673676)
diff --git a/net-crypto-set-sk-to-NULL-when-af_alg_release.patch b/net-crypto-set-sk-to-NULL-when-af_alg_release.patch
new file mode 100644
index 000000000..dffeac0bb
--- /dev/null
+++ b/net-crypto-set-sk-to-NULL-when-af_alg_release.patch
@@ -0,0 +1,127 @@ +From patchwork Fri Feb 15 14:24:15 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: [net-next] net: crypto set sk to NULL when af_alg_release. +X-Patchwork-Submitter: Mao Wenan <maowenan@huawei.com> +X-Patchwork-Id: 1042902 +X-Patchwork-Delegate: davem@davemloft.net +Message-Id: <20190215142415.149153-1-maowenan@huawei.com> +To: <netdev@vger.kernel.org>, <davem@davemloft.net>, + <xiyou.wangcong@gmail.com>, <linux-kernel@vger.kernel.org> +Date: Fri, 15 Feb 2019 22:24:15 +0800 +From: Mao Wenan <maowenan@huawei.com> +List-Id: <netdev.vger.kernel.org> + +KASAN has found use-after-free in sockfs_setattr. +The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close() +and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore +that crypto module forgets to set the sk to NULL after af_alg_release. + +KASAN report details as below: +BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150 +Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186 + +CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.10.2-1ubuntu1 04/01/2014 +Call Trace: + dump_stack+0xca/0x13e + print_address_description+0x79/0x330 + ? vprintk_func+0x5e/0xf0 + kasan_report+0x18a/0x2e0 + ? sockfs_setattr+0x120/0x150 + sockfs_setattr+0x120/0x150 + ? sock_register+0x2d0/0x2d0 + notify_change+0x90c/0xd40 + ? chown_common+0x2ef/0x510 + chown_common+0x2ef/0x510 + ? chmod_common+0x3b0/0x3b0 + ? __lock_is_held+0xbc/0x160 + ? __sb_start_write+0x13d/0x2b0 + ? __mnt_want_write+0x19a/0x250 + do_fchownat+0x15c/0x190 + ? __ia32_sys_chmod+0x80/0x80 + ? trace_hardirqs_on_thunk+0x1a/0x1c + __x64_sys_fchownat+0xbf/0x160 + ? 
lockdep_hardirqs_on+0x39a/0x5e0 + do_syscall_64+0xc8/0x580 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462589 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 +f7 48 89 d6 48 89 +ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 +48 c7 c1 bc ff ff +ff f7 d8 64 89 01 48 +RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104 +RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589 +RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007 +RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc +R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff + +Allocated by task 4185: + kasan_kmalloc+0xa0/0xd0 + __kmalloc+0x14a/0x350 + sk_prot_alloc+0xf6/0x290 + sk_alloc+0x3d/0xc00 + af_alg_accept+0x9e/0x670 + hash_accept+0x4a3/0x650 + __sys_accept4+0x306/0x5c0 + __x64_sys_accept4+0x98/0x100 + do_syscall_64+0xc8/0x580 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 4184: + __kasan_slab_free+0x12e/0x180 + kfree+0xeb/0x2f0 + __sk_destruct+0x4e6/0x6a0 + sk_destruct+0x48/0x70 + __sk_free+0xa9/0x270 + sk_free+0x2a/0x30 + af_alg_release+0x5c/0x70 + __sock_release+0xd3/0x280 + sock_close+0x1a/0x20 + __fput+0x27f/0x7f0 + task_work_run+0x136/0x1b0 + exit_to_usermode_loop+0x1a7/0x1d0 + do_syscall_64+0x461/0x580 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Syzkaller reproducer: +r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, +0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, +0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, +0xffffffffffffffff, 0x0) +r1 = socket$alg(0x26, 0x5, 0x0) +getrusage(0x0, 0x0) +bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0, +'sha256-ssse3\x00'}, 0x80) +r2 = accept(r1, 0x0, 0x0) +r3 = accept4$unix(r2, 0x0, 0x0, 0x0) +r4 = dup3(r3, 
r0, 0x0) +fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000) + +Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()") +Signed-off-by: Mao Wenan <maowenan@huawei.com> +--- + crypto/af_alg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 17eb09d222ff..ec78a04eb136 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private) + + int af_alg_release(struct socket *sock) + { +- if (sock->sk) ++ if (sock->sk) { + sock_put(sock->sk); ++ sock->sk = NULL; ++ } + return 0; + } + EXPORT_SYMBOL_GPL(af_alg_release); |
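Review bot: Clearing sock->sk after the final sock_put() removes the dangling pointer that the KASAN report shows sockfs_setattr() writing through (the 4-byte write at sockfs_setattr+0x120 on memory freed by af_alg_release()), but it does so only for AF_ALG sockets; any other proto_ops::release() that leaves sock->sk set after __sock_release() has the same use-after-free window, so the generic place for this is net/socket.c, with `sock->sk = NULL;` right after `sock->ops->release(sock)` returns in __sock_release(), which would make this per-family clear redundant rather than load-bearing. af_alg_release() is shown in full in the hunk, so nothing outside it affects the fix. The patch file is a patchwork submission tagged [net-next] with a Message-Id but no upstream commit reference, unlike the other entries in kernel.spec that cite a patchwork URL or the release a patch merged into; recording the merged commit id in the `# CVE-2019-8912 rhbz 1678685 1678686` comment would let this backport be compared against what actually landed.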