diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-04-27 11:03:30 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-04-27 11:03:30 +0200 |
commit | 99f0e9370c534e521fc6997ae61735d218f318ea (patch) | |
tree | 1b36f78fdae3d87e54564b56c8559a234cddcebb | |
parent | c9600d6ede1d98360d95de44ebdee06e674cd132 (diff) | |
parent | 20acea15512b040b39438fb5c64602f1c97c0194 (diff) | |
download | kernel-99f0e9370c534e521fc6997ae61735d218f318ea.tar.gz kernel-99f0e9370c534e521fc6997ae61735d218f318ea.tar.xz kernel-99f0e9370c534e521fc6997ae61735d218f318ea.zip |
merge origin
10 files changed, 744 insertions, 145 deletions
diff --git a/0001-Revert-drm-i915-fbdev-Actually-configure-untiled-dis.patch b/0001-Revert-drm-i915-fbdev-Actually-configure-untiled-dis.patch new file mode 100644 index 000000000..b6fa0783c --- /dev/null +++ b/0001-Revert-drm-i915-fbdev-Actually-configure-untiled-dis.patch @@ -0,0 +1,60 @@ +From e90ac616e4b1d49ec9092086b0e10108df12157d Mon Sep 17 00:00:00 2001 +From: Fedora Kernel Team <kernel-team@fedoraproject.org> +Date: Tue, 5 Mar 2019 12:56:35 -0600 +Subject: [PATCH] Revert drm/i915/fbdev: Actually configure untiled displays + +--- + drivers/gpu/drm/i915/intel_fbdev.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c +index e0c02a9..9e2e998 100644 +--- a/drivers/gpu/drm/i915/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/intel_fbdev.c +@@ -336,8 +336,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, + bool *enabled, int width, int height) + { + struct drm_i915_private *dev_priv = to_i915(fb_helper->dev); ++ unsigned long conn_configured, conn_seq, mask; + unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG); +- unsigned long conn_configured, conn_seq; + int i, j; + bool *save_enabled; + bool fallback = true, ret = true; +@@ -355,9 +355,10 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, + drm_modeset_backoff(&ctx); + + memcpy(save_enabled, enabled, count); +- conn_seq = GENMASK(count - 1, 0); ++ mask = GENMASK(count - 1, 0); + conn_configured = 0; + retry: ++ conn_seq = conn_configured; + for (i = 0; i < count; i++) { + struct drm_fb_helper_connector *fb_conn; + struct drm_connector *connector; +@@ -370,8 +371,7 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, + if (conn_configured & BIT(i)) + continue; + +- /* First pass, only consider tiled connectors */ +- if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile) ++ if (conn_seq == 0 && !connector->has_tile) + continue; + + if (connector->status == connector_status_connected) +@@ -475,10 +475,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, + conn_configured |= BIT(i); + } + +- if (conn_configured != conn_seq) { /* repeat until no more are found */ +- conn_seq = conn_configured; ++ if ((conn_configured & mask) != mask && conn_configured != conn_seq) + goto retry; +- } + + /* + * If the BIOS didn't enable everything it could, fall back to have the +-- +2.20.1 + diff --git a/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch b/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch new file mode 100644 index 000000000..0f2eacbc9 --- /dev/null +++ b/0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch @@ -0,0 +1,105 @@ +From a4176ec356c73a46c07c181c6d04039fafa34a9f Mon Sep 17 00:00:00 2001 +From: Arend van Spriel <arend.vanspriel@broadcom.com> +Date: Thu, 14 Feb 2019 13:43:48 +0100 +Subject: [PATCH] brcmfmac: add subtype check for event handling in data path + +For USB there is no separate channel being used to pass events +from firmware to the host driver and as such are passed over the +data path. In order to detect mock event messages an additional +check is needed on event subtype. This check is added conditionally +using unlikely() keyword. + +Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> +Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> +Reviewed-by: Franky Lin <franky.lin@broadcom.com> +Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + .../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++-- + .../wireless/broadcom/brcm80211/brcmfmac/fweh.h | 16 ++++++++++++---- + .../broadcom/brcm80211/brcmfmac/msgbuf.c | 2 +- + 3 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index e772c0845638..a368ba6e7344 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -519,7 +519,8 @@ void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event) + } else { + /* Process special event packets */ + if (handle_event) +- brcmf_fweh_process_skb(ifp->drvr, skb); ++ brcmf_fweh_process_skb(ifp->drvr, skb, ++ BCMILCP_SUBTYPE_VENDOR_LONG); + + brcmf_netif_rx(ifp, skb); + } +@@ -536,7 +537,7 @@ void brcmf_rx_event(struct device *dev, struct sk_buff *skb) + if (brcmf_rx_hdrpull(drvr, skb, &ifp)) + return; + +- brcmf_fweh_process_skb(ifp->drvr, skb); ++ brcmf_fweh_process_skb(ifp->drvr, skb, 0); + brcmu_pkt_buf_free_skb(skb); + } + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h +index 31f3e8e83a21..7027243db17e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h +@@ -211,7 +211,7 @@ enum brcmf_fweh_event_code { + */ + #define BRCM_OUI "\x00\x10\x18" + #define BCMILCP_BCM_SUBTYPE_EVENT 1 +- ++#define BCMILCP_SUBTYPE_VENDOR_LONG 32769 + + /** + * struct brcm_ethhdr - broadcom specific ether header. +@@ -334,10 +334,10 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, + void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing); + + static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr, +- struct sk_buff *skb) ++ struct sk_buff *skb, u16 stype) + { + struct brcmf_event *event_packet; +- u16 usr_stype; ++ u16 subtype, usr_stype; + + /* only process events when protocol matches */ + if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL)) +@@ -346,8 +346,16 @@ static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr, + if ((skb->len + ETH_HLEN) < sizeof(*event_packet)) + return; + +- /* check for BRCM oui match */ + event_packet = (struct brcmf_event *)skb_mac_header(skb); ++ ++ /* check subtype if needed */ ++ if (unlikely(stype)) { ++ subtype = get_unaligned_be16(&event_packet->hdr.subtype); ++ if (subtype != stype) ++ return; ++ } ++ ++ /* check for BRCM oui match */ + if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0], + sizeof(event_packet->hdr.oui))) + return; +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +index 4e8397a0cbc8..ee922b052561 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -1116,7 +1116,7 @@ static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf) + + skb->protocol = eth_type_trans(skb, ifp->ndev); + +- brcmf_fweh_process_skb(ifp->drvr, skb); ++ brcmf_fweh_process_skb(ifp->drvr, skb, 0); + + exit: + brcmu_pkt_buf_free_skb(skb); +-- +2.20.1 + diff --git a/0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch b/0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch deleted file mode 100644 index e0c6f73a3..000000000 --- a/0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 62c9d2674b31d4c8a674bee86b7edc6da2803aea Mon Sep 17 00:00:00 2001 -From: ZhangXiaoxu <zhangxiaoxu5@huawei.com> -Date: Sat, 2 Mar 2019 09:17:32 +0800 -Subject: [PATCH] inotify: Fix fsnotify_mark refcount leak in - inotify_update_existing_watch() - -Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for -inotify_add_watch()") forgot to call fsnotify_put_mark() with -IN_MASK_CREATE after fsnotify_find_mark() - -Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()") -Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com> -Signed-off-by: Jan Kara <jack@suse.cz> ---- - fs/notify/inotify/inotify_user.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c -index e2901fbb9f76..7b53598c8804 100644 ---- a/fs/notify/inotify/inotify_user.c -+++ b/fs/notify/inotify/inotify_user.c -@@ -519,8 +519,10 @@ static int inotify_update_existing_watch(struct fsnotify_group *group, - fsn_mark = fsnotify_find_mark(&inode->i_fsnotify_marks, group); - if (!fsn_mark) - return -ENOENT; -- else if (create) -- return -EEXIST; -+ else if (create) { -+ ret = -EEXIST; -+ goto out; -+ } - - i_mark = container_of(fsn_mark, struct inotify_inode_mark, fsn_mark); - -@@ -548,6 +550,7 @@ static int inotify_update_existing_watch(struct fsnotify_group *group, - /* return the wd */ - ret = i_mark->wd; - -+out: - /* match the get from fsnotify_find_mark() */ - fsnotify_put_mark(fsn_mark); - --- -2.20.1 - diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch new file mode 100644 index 000000000..816c4f0ea --- /dev/null +++ b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch @@ -0,0 +1,85 @@ +From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001 +From: Kairui Song <kasong@redhat.com> +Date: Mon, 21 Jan 2019 17:59:28 +0800 +Subject: [PATCH] integrity, KEYS: add a reference to platform keyring + +commit 9dc92c45177a ("integrity: Define a trusted platform keyring") +introduced a .platform keyring for storing preboot keys, used for +verifying kernel image signatures. Currently only IMA-appraisal is able +to use the keyring to verify kernel images that have their signature +stored in xattr. + +This patch exposes the .platform keyring, making it accessible for +verifying PE signed kernel images as well. + +Suggested-by: Mimi Zohar <zohar@linux.ibm.com> +Signed-off-by: Kairui Song <kasong@redhat.com> +Cc: David Howells <dhowells@redhat.com> +[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix] +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> +--- + certs/system_keyring.c | 10 ++++++++++ + include/keys/system_keyring.h | 8 ++++++++ + security/integrity/digsig.c | 3 +++ + 3 files changed, 21 insertions(+) + +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 81728717523d..da055e901df4 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + static struct key *secondary_trusted_keys; + #endif ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++static struct key *platform_trusted_keys; ++#endif + + extern __initconst const u8 system_certificate_list[]; + extern __initconst const unsigned long system_certificate_list_size; +@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len, + EXPORT_SYMBOL_GPL(verify_pkcs7_signature); + + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ ++ ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++void __init set_platform_trusted_keys(struct key *keyring) ++{ ++ platform_trusted_keys = keyring; ++} ++#endif +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index 359c2f936004..42a93eda331c 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void) + } + #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ + ++#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ ++ defined(CONFIG_SYSTEM_TRUSTED_KEYRING) ++extern void __init set_platform_trusted_keys(struct key *keyring); ++#else ++static inline void set_platform_trusted_keys(struct key *keyring) ++{ ++} ++#endif + + #endif /* _KEYS_SYSTEM_KEYRING_H */ +diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c +index f45d6edecf99..e19c2eb72c51 100644 +--- a/security/integrity/digsig.c ++++ b/security/integrity/digsig.c +@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, + pr_info("Can't allocate %s keyring (%d)\n", + keyring_name[id], err); + keyring[id] = NULL; ++ } else { ++ if (id == INTEGRITY_KEYRING_PLATFORM) ++ set_platform_trusted_keys(keyring[id]); + } + + return err; +-- +2.20.1 + diff --git a/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch new file mode 100644 index 000000000..af0d926e7 --- /dev/null +++ b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch @@ -0,0 +1,98 @@ +From 278311e417be60f7caef6fcb12bda4da2711ceff Mon Sep 17 00:00:00 2001 +From: Kairui Song <kasong@redhat.com> +Date: Mon, 21 Jan 2019 17:59:29 +0800 +Subject: [PATCH] kexec, KEYS: Make use of platform keyring for signature + verify + +This patch allows the kexec_file_load syscall to verify the PE signed +kernel image signature based on the preboot keys stored in the .platform +keyring, as fall back, if the signature verification failed due to not +finding the public key in the secondary or builtin keyrings. + +This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous +VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature +should verify the signature using platform keyring. Also, decrease +the error message log level when verification failed with -ENOKEY, +so that if called tried multiple time with different keyring it +won't generate extra noises. + +Signed-off-by: Kairui Song <kasong@redhat.com> +Cc: David Howells <dhowells@redhat.com> +Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part) +[zohar@linux.ibm.com: tweaked the first paragraph of the patch description, + and fixed checkpatch warning.] +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> +--- + arch/x86/kernel/kexec-bzimage64.c | 14 +++++++++++--- + certs/system_keyring.c | 13 ++++++++++++- + include/linux/verification.h | 1 + + 3 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 278cd07228dd..e1215a600064 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data) + #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG + static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) + { +- return verify_pefile_signature(kernel, kernel_len, +- VERIFY_USE_SECONDARY_KEYRING, +- VERIFYING_KEXEC_PE_SIGNATURE); ++ int ret; ++ ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_SECONDARY_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ } ++ return ret; + } + #endif + +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index da055e901df4..c05c29ae4d5d 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len, + #else + trusted_keys = builtin_trusted_keys; + #endif ++ } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) { ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++ trusted_keys = platform_trusted_keys; ++#else ++ trusted_keys = NULL; ++#endif ++ if (!trusted_keys) { ++ ret = -ENOKEY; ++ pr_devel("PKCS#7 platform keyring is not available\n"); ++ goto error; ++ } + } + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { + if (ret == -ENOKEY) +- pr_err("PKCS#7 signature not signed with a trusted key\n"); ++ pr_devel("PKCS#7 signature not signed with a trusted key\n"); + goto error; + } + +diff --git a/include/linux/verification.h b/include/linux/verification.h +index cfa4730d607a..018fb5f13d44 100644 +--- a/include/linux/verification.h ++++ b/include/linux/verification.h +@@ -17,6 +17,7 @@ + * should be used. + */ + #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) ++#define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) + + /* + * The use to which an asymmetric key is being put. +-- +2.20.1 + diff --git a/KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch b/KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch deleted file mode 100644 index 1cc1e5370..000000000 --- a/KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch +++ /dev/null @@ -1,95 +0,0 @@ -From fb2ac204a70da565de9ef9a9d6d69a40c2d59727 Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Fri, 5 May 2017 08:21:56 +0100 -Subject: [PATCH] KEYS: Allow unrestricted boot-time addition of keys to - secondary keyring - -Allow keys to be added to the system secondary certificates keyring during -kernel initialisation in an unrestricted fashion. Such keys are implicitly -trusted and don't have their trust chains checked on link. - -This allows keys in the UEFI database to be added in secure boot mode for -the purposes of module signing. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - certs/internal.h | 18 ++++++++++++++++++ - certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++ - 2 files changed, 51 insertions(+) - create mode 100644 certs/internal.h - -diff --git a/certs/internal.h b/certs/internal.h -new file mode 100644 -index 0000000..5dcbefb ---- /dev/null -+++ b/certs/internal.h -@@ -0,0 +1,18 @@ -+/* Internal definitions -+ * -+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+/* -+ * system_keyring.c -+ */ -+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING -+extern void __init add_trusted_secondary_key(const char *source, -+ const void *data, size_t len); -+#endif -diff --git a/certs/system_keyring.c b/certs/system_keyring.c -index 6251d1b..5ac8ba6 100644 ---- a/certs/system_keyring.c -+++ b/certs/system_keyring.c -@@ -18,6 +18,7 @@ - #include <keys/asymmetric-type.h> - #include <keys/system_keyring.h> - #include <crypto/pkcs7.h> -+#include "internal.h" - - static struct key *builtin_trusted_keys; - #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING -@@ -265,3 +266,35 @@ int verify_pkcs7_signature(const void *data, size_t len, - EXPORT_SYMBOL_GPL(verify_pkcs7_signature); - - #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ -+ -+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING -+/** -+ * add_trusted_secondary_key - Add to secondary keyring with no validation -+ * @source: Source of key -+ * @data: The blob holding the key -+ * @len: The length of the data blob -+ * -+ * Add a key to the secondary keyring without checking its trust chain. This -+ * is available only during kernel initialisation. -+ */ -+void __init add_trusted_secondary_key(const char *source, -+ const void *data, size_t len) -+{ -+ key_ref_t key; -+ -+ key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), -+ "asymmetric", -+ NULL, data, len, -+ (KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW, -+ KEY_ALLOC_NOT_IN_QUOTA | -+ KEY_ALLOC_BYPASS_RESTRICTION); -+ -+ if (IS_ERR(key)) -+ pr_err("Problem loading %s X.509 certificate (%ld)\n", -+ source, PTR_ERR(key)); -+ else -+ pr_notice("Loaded %s cert '%s' linked to secondary sys keyring\n", -+ source, key_ref_to_ptr(key)->description); -+} -+#endif /* CONFIG_SECONDARY_TRUSTED_KEYRING */ --- -2.9.3 - diff --git a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch new file mode 100644 index 000000000..a13dcdba5 --- /dev/null +++ b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch @@ -0,0 +1,54 @@ +From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001 +From: Robert Holmes <robeholmes@gmail.com> +Date: Tue, 23 Apr 2019 07:39:29 +0000 +Subject: [PATCH] KEYS: Make use of platform keyring for module signature + verify + +This patch completes commit 278311e417be ("kexec, KEYS: Make use of +platform keyring for signature verify") which, while adding the +platform keyring for bzImage verification, neglected to also add +this keyring for module verification. + +As such, kernel modules signed with keys from the MokList variable +were not successfully verified. + +Signed-off-by: Robert Holmes <robeholmes@gmail.com> +--- + kernel/module_signing.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/kernel/module_signing.c b/kernel/module_signing.c +index 6b9a926fd86b..cf94220e9154 100644 +--- a/kernel/module_signing.c ++++ b/kernel/module_signing.c +@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info) + { + struct module_signature ms; + size_t sig_len, modlen = info->len; ++ int ret; + + pr_devel("==>%s(,%zu)\n", __func__, modlen); + +@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info) + return -EBADMSG; + } + +- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, +- VERIFY_USE_SECONDARY_KEYRING, +- VERIFYING_MODULE_SIGNATURE, +- NULL, NULL); ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ VERIFY_USE_SECONDARY_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); ++ } ++ return ret; + } +-- +2.21.0 + diff --git a/kernel.spec b/kernel.spec index 6a7f6fb56..df73b8a89 100644 --- a/kernel.spec +++ b/kernel.spec @@ -557,8 +557,6 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch Patch201: efi-lockdown.patch -Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch - # bz 1497559 - Make kernel MODSIGN code not error on missing variables Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch @@ -643,8 +641,8 @@ Patch512: v3-tpm-fix-an-invalid-condition-in-tpm_common_poll.patch # rhbz 1683382 Patch515: nfsv4.1-avoid-false-retries.patch -# CVE-2019-9857 rhbz 1694758 1694759 -Patch516: 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch +# https://bugs.freedesktop.org/show_bug.cgi?id=109806 +Patch516: 0001-Revert-drm-i915-fbdev-Actually-configure-untiled-dis.patch # CVE-2019-3882 rhbz 1689426 1695571 Patch517: vfio-type1-limit-dma-mappings-per-container.patch @@ -652,6 +650,21 @@ Patch517: vfio-type1-limit-dma-mappings-per-container.patch # CVE-2019-9500 rhbz 1701224 1701226 Patch518: 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch +# rhbz 1701077 +Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch + +# CVE-2019-9503 rhbz 1701842 1701843 +Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1701096 +Patch521: 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch +Patch522: 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch +# Submitted upstream at https://lkml.org/lkml/2019/4/23/89 +Patch523: KEYS-Make-use-of-platform-keyring-for-module-signature.patch + +# CVE-2019-3900 rhbz 1698757 1702940 +Patch524: net-vhost_net-fix-possible-infinite-loop.patch + # END OF PATCH DEFINITIONS %endif @@ -1928,8 +1941,24 @@ fi # # %changelog +* Thu Apr 25 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-3900 (rhbz 1698757 1702940) + +* Tue Apr 23 2019 Laura Abbott <labbott@redhat.com> - 5.0.9-301 +- Bring in DRM workaround + +* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com> +- Allow modules signed by keys in the platform keyring (rbhz 1701096) + +* Tue Apr 23 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-9503 rhbz 1701842 1701843 + +* Mon Apr 22 2019 Laura Abbott <labbott@redhat.com> - 5.0.9-300 +- Linux v5.0.9 +- Fix NFS server crash (rhbz 1701077) + * Thu Apr 18 2019 Justin M. Forbes <jforbes@fedoraproject.org> -- Fix CVE-2019-9500 (rhbz 1701224 1701226) +- Fix CVE-2019-9500 (rhbz 1701224 1701225) * Wed Apr 17 2019 Laura Abbott <labbott@redhat.com> - 5.0.8-300 - Linux v5.0.8 diff --git a/net-vhost_net-fix-possible-infinite-loop.patch b/net-vhost_net-fix-possible-infinite-loop.patch new file mode 100644 index 000000000..f45d84bb2 --- /dev/null +++ b/net-vhost_net-fix-possible-infinite-loop.patch @@ -0,0 +1,200 @@ +From patchwork Thu Apr 25 07:33:19 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Jason Wang <jasowang@redhat.com> +X-Patchwork-Id: 10916185 +Return-Path: <kvm-owner@kernel.org> +Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org + [172.30.200.125]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E4F501575 + for <patchwork-kvm@patchwork.kernel.org>; + Thu, 25 Apr 2019 07:33:33 +0000 (UTC) +Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D276828BD7 + for <patchwork-kvm@patchwork.kernel.org>; + Thu, 25 Apr 2019 07:33:33 +0000 (UTC) +Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) + id C64AC28BE1; Thu, 25 Apr 2019 07:33:33 +0000 (UTC) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + pdx-wl-mail.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, + RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 590B228BD7 + for <patchwork-kvm@patchwork.kernel.org>; + Thu, 25 Apr 2019 07:33:33 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1726957AbfDYHd1 (ORCPT + <rfc822;patchwork-kvm@patchwork.kernel.org>); + Thu, 25 Apr 2019 03:33:27 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:60130 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1726317AbfDYHd1 (ORCPT <rfc822;kvm@vger.kernel.org>); + Thu, 25 Apr 2019 03:33:27 -0400 +Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com + [10.5.11.22]) + (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) + (No client certificate requested) + by mx1.redhat.com (Postfix) with ESMTPS id C2BCE3002619; + Thu, 25 Apr 2019 07:33:26 +0000 (UTC) +Received: from hp-dl380pg8-02.lab.eng.pek2.redhat.com + (hp-dl380pg8-02.lab.eng.pek2.redhat.com [10.73.8.12]) + by smtp.corp.redhat.com (Postfix) with ESMTP id 5DA021001DDB; + Thu, 25 Apr 2019 07:33:21 +0000 (UTC) +From: Jason Wang <jasowang@redhat.com> +To: mst@redhat.com, jasowang@redhat.com, kvm@vger.kernel.org, + virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, + linux-kernel@vger.kernel.org +Cc: ppandit@redhat.com +Subject: [PATCH net] vhost_net: fix possible infinite loop +Date: Thu, 25 Apr 2019 03:33:19 -0400 +Message-Id: <1556177599-56248-1-git-send-email-jasowang@redhat.com> +X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 +X-Greylist: Sender IP whitelisted, + not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); + Thu, 25 Apr 2019 07:33:26 +0000 (UTC) +Sender: kvm-owner@vger.kernel.org +Precedence: bulk +List-ID: <kvm.vger.kernel.org> +X-Mailing-List: kvm@vger.kernel.org +X-Virus-Scanned: ClamAV using ClamSMTP + +When the rx buffer is too small for a packet, we will discard the vq +descriptor and retry it for the next packet: + +while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk, + &busyloop_intr))) { +... + /* On overrun, truncate and discard */ + if (unlikely(headcount > UIO_MAXIOV)) { + iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1); + err = sock->ops->recvmsg(sock, &msg, + 1, MSG_DONTWAIT | MSG_TRUNC); + pr_debug("Discarded rx packet: len %zd\n", sock_len); + continue; + } +... +} + +This makes it possible to trigger a infinite while..continue loop +through the co-opreation of two VMs like: + +1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the + vhost process as much as possible e.g using indirect descriptors or + other. +2) Malicious VM2 generate packets to VM1 as fast as possible + +Fixing this by checking against weight at the end of RX and TX +loop. This also eliminate other similar cases when: + +- userspace is consuming the packets in the meanwhile +- theoretical TOCTOU attack if guest moving avail index back and forth + to hit the continue after vhost find guest just add new buffers + +This addresses CVE-2019-3900. + +Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short") +Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + drivers/vhost/net.c | 41 +++++++++++++++++++++-------------------- + 1 file changed, 21 insertions(+), 20 deletions(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index df51a35..fb46e6b 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -778,8 +778,9 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) + int err; + int sent_pkts = 0; + bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX); ++ bool next_round = false; + +- for (;;) { ++ do { + bool busyloop_intr = false; + + if (nvq->done_idx == VHOST_NET_BATCH) +@@ -845,11 +846,10 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) + vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head); + vq->heads[nvq->done_idx].len = 0; + ++nvq->done_idx; +- if (vhost_exceeds_weight(++sent_pkts, total_len)) { +- vhost_poll_queue(&vq->poll); +- break; +- } +- } ++ } while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len))); ++ ++ if (next_round) ++ vhost_poll_queue(&vq->poll); + + vhost_tx_batch(net, nvq, sock, &msg); + } +@@ -873,8 +873,9 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) + struct vhost_net_ubuf_ref *uninitialized_var(ubufs); + bool zcopy_used; + int sent_pkts = 0; ++ bool next_round = false; + +- for (;;) { ++ do { + bool busyloop_intr; + + /* Release DMAs done buffers first */ +@@ -951,11 +952,10 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) + else + vhost_zerocopy_signal_used(net, vq); + vhost_net_tx_packet(net); +- if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) { +- vhost_poll_queue(&vq->poll); +- break; +- } +- } ++ } while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len))); ++ ++ if (next_round) ++ vhost_poll_queue(&vq->poll); + } + + /* Expects to be always run from workqueue - which acts as +@@ -1134,6 +1134,7 @@ static void handle_rx(struct vhost_net *net) + struct iov_iter fixup; + __virtio16 num_buffers; + int recv_pkts = 0; ++ bool next_round = false; + + mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX); + sock = vq->private_data; +@@ -1153,8 +1154,11 @@ static void handle_rx(struct vhost_net *net) + vq->log : NULL; + mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF); + +- while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk, +- &busyloop_intr))) { ++ do { ++ sock_len = vhost_net_rx_peek_head_len(net, sock->sk, ++ &busyloop_intr); ++ if (!sock_len) ++ break; + sock_len += sock_hlen; + vhost_len = sock_len + vhost_hlen; + headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx, +@@ -1239,12 +1243,9 @@ static void handle_rx(struct vhost_net *net) + vhost_log_write(vq, vq_log, log, vhost_len, + vq->iov, in); + total_len += vhost_len; +- if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) { +- vhost_poll_queue(&vq->poll); +- goto out; +- } +- } +- if (unlikely(busyloop_intr)) ++ } while (!(next_round = vhost_exceeds_weight(++recv_pkts, total_len))); ++ ++ if (unlikely(busyloop_intr || next_round)) + vhost_poll_queue(&vq->poll); + else + vhost_net_enable_vq(net, vq); diff --git a/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch b/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch new file mode 100644 index 000000000..0b4cfbe16 --- /dev/null +++ b/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch @@ -0,0 +1,108 @@ +From patchwork Sat Apr 20 10:15:48 2019 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Jeff Layton <jlayton@kernel.org> +X-Patchwork-Id: 10910147 +Return-Path: <linux-nfs-owner@kernel.org> +Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org + [172.30.200.125]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0C1AE14DB + for <patchwork-linux-nfs@patchwork.kernel.org>; + Sat, 20 Apr 2019 10:15:53 +0000 (UTC) +Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E858821FAC + for <patchwork-linux-nfs@patchwork.kernel.org>; + Sat, 20 Apr 2019 10:15:52 +0000 (UTC) +Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) + id D5EA228818; Sat, 20 Apr 2019 10:15:52 +0000 (UTC) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + pdx-wl-mail.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, + DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham + version=3.3.1 +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BF69021FAC + for <patchwork-linux-nfs@patchwork.kernel.org>; + Sat, 20 Apr 2019 10:15:51 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1726082AbfDTKPu (ORCPT + <rfc822;patchwork-linux-nfs@patchwork.kernel.org>); + Sat, 20 Apr 2019 06:15:50 -0400 +Received: from mail.kernel.org ([198.145.29.99]:36092 "EHLO mail.kernel.org" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1725920AbfDTKPu (ORCPT <rfc822;linux-nfs@vger.kernel.org>); + Sat, 20 Apr 2019 06:15:50 -0400 +Received: from tleilax.poochiereds.net (cpe-71-70-156-158.nc.res.rr.com + [71.70.156.158]) + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) + (No client certificate requested) + by mail.kernel.org (Postfix) with ESMTPSA id 649D32087B; + Sat, 20 Apr 2019 10:15:49 +0000 (UTC) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; + s=default; t=1555755349; + bh=Sqynm2vSbQ1pAh/3FcXrwFTMrJUwFTkrxoodJHFBfA0=; + h=From:To:Cc:Subject:Date:From; + b=TFlYii+F3H67zOX8b/mENa/XRCx1SjMI2/gLtscPnA5l6T0dG8aC/E+FJLvMeNLHo + pu2zlPSdszk+MBMfWQrfUpKGCP7CPqfyk7F1rXRIr6kNYp2tE2gKYyIWvCkVPE45iX + LngnHXERmf/R52j7gg2ENj+yjuOh07AifhxH1J00= +From: Jeff Layton <jlayton@kernel.org> +To: bfields@fieldses.org +Cc: slawek1211@gmail.com, neilb@suse.com, linux-nfs@vger.kernel.org +Subject: [PATCH] nfsd: wake waiters blocked on file_lock before deleting it +Date: Sat, 20 Apr 2019 06:15:48 -0400 +Message-Id: <20190420101548.8552-1-jlayton@kernel.org> +X-Mailer: git-send-email 2.20.1 +MIME-Version: 1.0 +Sender: linux-nfs-owner@vger.kernel.org +Precedence: bulk +List-ID: <linux-nfs.vger.kernel.org> +X-Mailing-List: linux-nfs@vger.kernel.org +X-Virus-Scanned: ClamAV using ClamSMTP + +After a blocked nfsd file_lock request is deleted, knfsd will send a +callback to the client and then free the request. Commit 16306a61d3b7 +("fs/locks: always delete_block after waiting.") changed it such that +locks_delete_block is always called on a request after it is awoken, +but that patch missed fixing up blocked nfsd request handling. + +Call locks_delete_block on the block to wake up any locks still blocked +on the nfsd lock request before sending the callback. + +URL: https://bugzilla.kernel.org/show_bug.cgi?id=203363 +Fixes: 16306a61d3b7 ("fs/locks: always delete_block after waiting.") +Reported-by: Slawomir Pryczek <slawek1211@gmail.com> +Cc: Neil Brown <neilb@suse.com> +Signed-off-by: Jeff Layton <jlayton@kernel.org> +--- + fs/nfsd/nfs4state.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 6a45fb00c5fc..1960e8fd9ad1 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -298,6 +298,14 @@ remove_blocked_locks(struct nfs4_lockowner *lo) + } + } + ++static void ++nfsd4_cb_notify_lock_prepare(struct nfsd4_callback *cb) ++{ ++ struct nfsd4_blocked_lock *nbl = container_of(cb, ++ struct nfsd4_blocked_lock, nbl_cb); ++ locks_delete_block(&nbl->nbl_lock); ++} ++ + static int + nfsd4_cb_notify_lock_done(struct nfsd4_callback *cb, struct rpc_task *task) + { +@@ -325,6 +333,7 @@ nfsd4_cb_notify_lock_release(struct nfsd4_callback *cb) + } + + static const struct nfsd4_callback_ops nfsd4_cb_notify_lock_ops = { ++ .prepare = nfsd4_cb_notify_lock_prepare, + .done = nfsd4_cb_notify_lock_done, + .release = nfsd4_cb_notify_lock_release, + }; |