Merge remote-tracking branch 'origin/f30' into f30-user-thl-vanilla-fedora

3 files changed, 217 insertions, 0 deletions

diff --git a/arm64-revert-support-for-execute-only-user-mappings.patch b/arm64-revert-support-for-execute-only-user-mappings.patch
new file mode 100644
index 000000000..8ca23e6c9
--- /dev/null
+++ b/arm64-revert-support-for-execute-only-user-mappings.patch
@@ -0,0 +1,119 @@
+From 24cecc37746393432d994c0dbc251fb9ac7c5d72 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Mon, 6 Jan 2020 14:35:39 +0000
+Subject: arm64: Revert support for execute-only user mappings
+
+The ARMv8 64-bit architecture supports execute-only user permissions by
+clearing the PTE_USER and PTE_UXN bits, practically making it a mostly
+privileged mapping but from which user running at EL0 can still execute.
+
+The downside, however, is that the kernel at EL1 inadvertently reading
+such mapping would not trip over the PAN (privileged access never)
+protection.
+
+Revert the relevant bits from commit cab15ce604e5 ("arm64: Introduce
+execute-only page access permissions") so that PROT_EXEC implies
+PROT_READ (and therefore PTE_USER) until the architecture gains proper
+support for execute-only user mappings.
+
+Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions")
+Cc: <stable@vger.kernel.org> # 4.9.x-
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ arch/arm64/include/asm/pgtable-prot.h |  5 ++---
+ arch/arm64/include/asm/pgtable.h      | 10 +++-------
+ arch/arm64/mm/fault.c                 |  2 +-
+ mm/mmap.c                             |  6 ------
+ 4 files changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h
+index 8dc6c5c..baf52ba 100644
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -85,13 +85,12 @@
+ #define PAGE_SHARED_EXEC	__pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
+ #define PAGE_READONLY		__pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN)
+ #define PAGE_READONLY_EXEC	__pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN)
+-#define PAGE_EXECONLY		__pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN)
+ 
+ #define __P000  PAGE_NONE
+ #define __P001  PAGE_READONLY
+ #define __P010  PAGE_READONLY
+ #define __P011  PAGE_READONLY
+-#define __P100  PAGE_EXECONLY
++#define __P100  PAGE_READONLY_EXEC
+ #define __P101  PAGE_READONLY_EXEC
+ #define __P110  PAGE_READONLY_EXEC
+ #define __P111  PAGE_READONLY_EXEC
+@@ -100,7 +99,7 @@
+ #define __S001  PAGE_READONLY
+ #define __S010  PAGE_SHARED
+ #define __S011  PAGE_SHARED
+-#define __S100  PAGE_EXECONLY
++#define __S100  PAGE_READONLY_EXEC
+ #define __S101  PAGE_READONLY_EXEC
+ #define __S110  PAGE_SHARED_EXEC
+ #define __S111  PAGE_SHARED_EXEC
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index 5d15b47..cd5de0e 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -96,12 +96,8 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)];
+ #define pte_dirty(pte)		(pte_sw_dirty(pte) || pte_hw_dirty(pte))
+ 
+ #define pte_valid(pte)		(!!(pte_val(pte) & PTE_VALID))
+-/*
+- * Execute-only user mappings do not have the PTE_USER bit set. All valid
+- * kernel mappings have the PTE_UXN bit set.
+- */
+ #define pte_valid_not_user(pte) \
+-	((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN))
++	((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID)
+ #define pte_valid_young(pte) \
+ 	((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF))
+ #define pte_valid_user(pte) \
+@@ -117,8 +113,8 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)];
+ 
+ /*
+  * p??_access_permitted() is true for valid user mappings (subject to the
+- * write permission check) other than user execute-only which do not have the
+- * PTE_USER bit set. PROT_NONE mappings do not have the PTE_VALID bit set.
++ * write permission check). PROT_NONE mappings do not have the PTE_VALID bit
++ * set.
+  */
+ #define pte_access_permitted(pte, write) \
+ 	(pte_valid_user(pte) && (!(write) || pte_write(pte)))
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 077b02a..85566d3 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -445,7 +445,7 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr,
+ 	const struct fault_info *inf;
+ 	struct mm_struct *mm = current->mm;
+ 	vm_fault_t fault, major = 0;
+-	unsigned long vm_flags = VM_READ | VM_WRITE;
++	unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC;
+ 	unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
+ 
+ 	if (kprobe_page_fault(regs, esr))
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 9c64852..71e4ffc 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -90,12 +90,6 @@ static void unmap_region(struct mm_struct *mm,
+  * MAP_PRIVATE	r: (no) no	r: (yes) yes	r: (no) yes	r: (no) yes
+  *		w: (no) no	w: (no) no	w: (copy) copy	w: (no) no
+  *		x: (no) no	x: (no) yes	x: (no) yes	x: (yes) yes
+- *
+- * On arm64, PROT_EXEC has the following behaviour for both MAP_SHARED and
+- * MAP_PRIVATE:
+- *								r: (no) no
+- *								w: (no) no
+- *								x: (yes) yes
+  */
+ pgprot_t protection_map[16] __ro_after_init = {
+ 	__P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
+-- 
+cgit v1.1
diff --git a/kernel.spec b/kernel.spec
index ab6f65138..7f73abc86 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -616,6 +616,9 @@ Patch531: 0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
 # CVE-2019-18809 rhbz 1777449 1777451
 Patch532: 0001-media-usb-fix-memory-leak-in-af9005_identify_state.patch
 
+# Arm64 regression fix - rhbz 1788624
+Patch533: arm64-revert-support-for-execute-only-user-mappings.patch
+
 # ALSA code from v5.5 (Intel ASoC Sound Open Firmware driver support)
 Patch600: alsa-5.5.patch
 
@@ -629,6 +632,9 @@ Patch609: 0002-drm-nouveau-Fix-drm-core-using-atomic-code-paths-on-.patch
 # rhbz 1781288
 Patch610: 0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch
 
+# rhbz 1788653
+Patch611: tpm-handle-negative-priv--response_len-in-tpm_common_read.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1869,6 +1875,9 @@ fi
 #
 #
 %changelog
+* Mon Jan 06 2020 Laura Abbott <labbott@redhat.com>
+- Fix for tpm usercopy (rhbz 1788653)
+
 * Mon Jan 06 2020 Hans de Goede <hdegoede@redhat.com>
 - Make the MFD Intel LPSS driver builtin, some devices require this to be
   available early during boot (rhbz#1787997)
diff --git a/tpm-handle-negative-priv--response_len-in-tpm_common_read.patch b/tpm-handle-negative-priv--response_len-in-tpm_common_read.patch
new file mode 100644
index 000000000..40df117ff
--- /dev/null
+++ b/tpm-handle-negative-priv--response_len-in-tpm_common_read.patch
@@ -0,0 +1,89 @@
+From patchwork Tue Jan  7 22:04:48 2020
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Tadeusz Struk <tadeusz.struk@intel.com>
+X-Patchwork-Id: 1176682
+Return-Path: <SRS0=facv=24=vger.kernel.org=linux-kernel-owner@kernel.org>
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+	by smtp.lore.kernel.org (Postfix) with ESMTP id 5846CC3F68F
+	for <linux-kernel@archiver.kernel.org>; Tue,  7 Jan 2020 22:04:42 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+	by mail.kernel.org (Postfix) with ESMTP id 207982073D
+	for <linux-kernel@archiver.kernel.org>; Tue,  7 Jan 2020 22:04:42 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S1727451AbgAGWEl (ORCPT
+        <rfc822;linux-kernel@archiver.kernel.org>);
+        Tue, 7 Jan 2020 17:04:41 -0500
+Received: from mga11.intel.com ([192.55.52.93]:40523 "EHLO mga11.intel.com"
+        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+        id S1727080AbgAGWEk (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
+        Tue, 7 Jan 2020 17:04:40 -0500
+X-Amp-Result: SKIPPED(no attachment in message)
+X-Amp-File-Uploaded: False
+Received: from fmsmga007.fm.intel.com ([10.253.24.52])
+  by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
+ 07 Jan 2020 14:04:40 -0800
+X-ExtLoop1: 1
+X-IronPort-AV: E=Sophos;i="5.69,407,1571727600";
+   d="scan'208";a="217317989"
+Received: from tstruk-mobl1.jf.intel.com (HELO [127.0.1.1]) ([10.7.196.67])
+  by fmsmga007.fm.intel.com with ESMTP; 07 Jan 2020 14:04:39 -0800
+Subject: [PATCH] tpm: handle negative priv->response_len in tpm_common_read
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+To: jarkko.sakkinen@linux.intel.com
+Cc: keescook@chromium.org, tadeusz.struk@intel.com,
+        linux-kernel@vger.kernel.org, stable@vger.kernel.org,
+        linux-integrity@vger.kernel.org, labbott@redhat.com
+Date: Tue, 07 Jan 2020 14:04:48 -0800
+Message-ID: <157843468820.24718.10808226634364669421.stgit@tstruk-mobl1>
+In-Reply-To: <b85fa669-d3aa-f6c9-9631-988ae47e392c@redhat.com>
+References: <b85fa669-d3aa-f6c9-9631-988ae47e392c@redhat.com>
+User-Agent: StGit/0.17.1-dirty
+MIME-Version: 1.0
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+
+The priv->responce_length can hold the size of an response or
+an negative error code, and the tpm_common_read() needs to handle
+both cases correctly. Changed the type of responce_length to
+signed and accounted for negative value in tpm_common_read()
+
+Cc: stable@vger.kernel.org
+Fixes: d23d12484307 ("tpm: fix invalid locking in NONBLOCKING mode")
+Reported-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+---
+ drivers/char/tpm/tpm-dev-common.c |    2 +-
+ drivers/char/tpm/tpm-dev.h        |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
+index b23b0b999232..87f449340202 100644
+--- a/drivers/char/tpm/tpm-dev-common.c
++++ b/drivers/char/tpm/tpm-dev-common.c
+@@ -130,7 +130,7 @@ ssize_t tpm_common_read(struct file *file, char __user *buf,
+ 		priv->response_read = true;
+ 
+ 		ret_size = min_t(ssize_t, size, priv->response_length);
+-		if (!ret_size) {
++		if (ret_size <= 0) {
+ 			priv->response_length = 0;
+ 			goto out;
+ 		}
+diff --git a/drivers/char/tpm/tpm-dev.h b/drivers/char/tpm/tpm-dev.h
+index 1089fc0bb290..f3742bcc73e3 100644
+--- a/drivers/char/tpm/tpm-dev.h
++++ b/drivers/char/tpm/tpm-dev.h
+@@ -14,7 +14,7 @@ struct file_priv {
+ 	struct work_struct timeout_work;
+ 	struct work_struct async_work;
+ 	wait_queue_head_t async_wait;
+-	size_t response_length;
++	ssize_t response_length;
+ 	bool response_read;
+ 	bool command_enqueued;
+