-rw-r--r-- | kernel.spec | 9 |
-rw-r--r-- | memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch | 113 |
-rw-r--r-- | net-packet-fix-overflow-in-tpacket_rcv.patch | 59 |
3 files changed, 181 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index 3e203b02d..4f1908906 100644 --- a/kernel.spec +++ b/kernel.spec @@ -888,6 +888,11 @@ Patch107: 0001-drivers-perf-xgene_pmu-Fix-uninitialized-resource-st.patch # CVE-2020-14385 rhbz 1874800 1874811 Patch108: 0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch +# CVE-2020-14386 rhbz 1875699 1876349 +Patch109: net-packet-fix-overflow-in-tpacket_rcv.patch + +Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch + # END OF PATCH DEFINITIONS %endif @@ -2995,6 +3000,10 @@ fi # # %changelog +* Mon Sep 07 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.7-300 +- Linux v5.8.7 +- Fix CVE-2020-14386 (rhbz 1875699 1876349) + * Thu Sep 03 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.6-301 - Linux v5.8.6 - Fix CVE-2020-14385 (rhbz 1874800 1874811) diff --git a/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch b/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch new file mode 100644 index 000000000..7b30b78b2 --- /dev/null +++ b/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch 
@@ -0,0 +1,113 @@ +From patchwork Tue Sep 1 15:32:48 2020 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Thierry Reding <thierry.reding@gmail.com> +X-Patchwork-Id: 1355200 +Return-Path: <linux-tegra-owner@vger.kernel.org> +X-Original-To: incoming@patchwork.ozlabs.org +Delivered-To: patchwork-incoming@bilbo.ozlabs.org +Authentication-Results: ozlabs.org; + spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org + (client-ip=23.128.96.18; helo=vger.kernel.org; + envelope-from=linux-tegra-owner@vger.kernel.org; receiver=<UNKNOWN>) +Authentication-Results: ozlabs.org; + dmarc=pass (p=none dis=none) header.from=gmail.com +Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; + unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 + header.s=20161025 header.b=InCwqcJT; dkim-atps=neutral +Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) + by ozlabs.org (Postfix) with ESMTP id 4BgrgN1Rpfz9sWM + for <incoming@patchwork.ozlabs.org>; Wed, 2 Sep 2020 01:33:04 +1000 (AEST) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1729968AbgIAPdC (ORCPT <rfc822;incoming@patchwork.ozlabs.org>); + Tue, 1 Sep 2020 11:33:02 -0400 +Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54580 "EHLO + lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1729209AbgIAPc4 (ORCPT + <rfc822;linux-tegra@vger.kernel.org>); Tue, 1 Sep 2020 11:32:56 -0400 +Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com + [IPv6:2a00:1450:4864:20::642]) + by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D7BF6C061244; + Tue, 1 Sep 2020 08:32:54 -0700 (PDT) +Received: by mail-ej1-x642.google.com with SMTP id d11so2241288ejt.13; + Tue, 01 Sep 2020 08:32:54 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=from:to:cc:subject:date:message-id:mime-version + 
:content-transfer-encoding; + bh=zEPKP0AU97R+PVYnTVD02jf9E8X+9qMRm9ouiwdoWWA=; + b=InCwqcJTR/4A4+EuZFsM5xaKx0nFq9NH/7wDwaCpNHNzYmfW1s67o66afdrgjeT+42 + 3/IBsOzuQmvbcTIMqzeilMo8jynJopsDvJ04YORoFPrNoteMPeOR9CGnYRn5sTCTx/F8 + MExLqETfRiiBnfdt5p4S8Fw+UhsQjMtDLGVO+SktivIJKL0jgOtiulaSQfPNJxhuvalA + YnMxjXkFrVLYsf7Q9rHbGANzrB4pQCOFOXTTolGhIm/OgJ1H1t2modzQdKwRXUsADB8L + Wr95PT8IW7Kyqe+GrX2iD2azK1Ul6M6Ln7WgHWIYOkYGFRrhvMpSiRjMe9w0F1HwAjjO + 5qzQ== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version + :content-transfer-encoding; + bh=zEPKP0AU97R+PVYnTVD02jf9E8X+9qMRm9ouiwdoWWA=; + b=kZZAjUtuN3hiPdfltUcr+jhnrz7c9rru5yMEq/CkI9aBm/ETez84EH3hV1B78K5P7L + hNmGrJSHJ5IWuxDnUZQfaEPySWbcOwFUhahKgCeHLV/pbdTdosT0dhbnN1YfuCqO0dzc + iPOvOI7WM/A19xKHKPCspaPpluPkBiUabwFLCWWVb06ZBUUNgVhy/7Dx7Ju8GP3kNUaA + Pt0XvSw/Mp/rm2gKvnuDO9QKteP66lw5hvCUTUEIh76d8jMRMY8378JiysKz2wdaz8Fd + BYHMvMGbdRy6TAA/Uez3CT9nV1OyhEST03ttXC1lJTpyHbNiA34oKyeRtqCxxOXza5yA + k22g== +X-Gm-Message-State: AOAM5312YM/x/KVL6Su0HEVLMkmVlAUpCOSazQK4PIdtRtPsaThSHihn + RPsOkzFPKcz36DsW5eZOFaE= +X-Google-Smtp-Source: ABdhPJx8pgbFxwX4+nQIkeKINcUC4+itTbYvBBHcPVcN6ZtaYmSEFVcT5J21t8xvkFqrlVQX3t3VOg== +X-Received: by 2002:a17:907:9c3:: with SMTP id + bx3mr2005039ejc.164.1598974373583; + Tue, 01 Sep 2020 08:32:53 -0700 (PDT) +Received: from localhost ([62.96.65.119]) by smtp.gmail.com with ESMTPSA id + r23sm1371455edt.57.2020.09.01.08.32.52 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Tue, 01 Sep 2020 08:32:52 -0700 (PDT) +From: Thierry Reding <thierry.reding@gmail.com> +To: Krzysztof Kozlowski <krzk@kernel.org>, + Thierry Reding <thierry.reding@gmail.com> +Cc: Jonathan Hunter <jonathanh@nvidia.com>, Dmitry Osipenko <digetx@gmail.com>, + linux-tegra@vger.kernel.org, linux-kernel@vger.kernel.org, + Matias Zuniga <matias.nicolas.zc@gmail.com> +Subject: [PATCH] memory: tegra: Remove GPU from DRM IOMMU group 
+Date: Tue, 1 Sep 2020 17:32:48 +0200 +Message-Id: <20200901153248.1831263-1-thierry.reding@gmail.com> +X-Mailer: git-send-email 2.28.0 +MIME-Version: 1.0 +Sender: linux-tegra-owner@vger.kernel.org +Precedence: bulk +List-ID: <linux-tegra.vger.kernel.org> +X-Mailing-List: linux-tegra@vger.kernel.org + +From: Thierry Reding <treding@nvidia.com> + +Commit 63a613fdb16c ("memory: tegra: Add gr2d and gr3d to DRM IOMMU +group") added the GPU to the DRM IOMMU group, which doesn't make any +sense. This causes problems when Nouveau tries to attach to the SMMU +and causes it to fall back to using the DMA API. + +Remove the GPU from the DRM groups to restore the old behaviour. The +GPU should always have its own IOMMU domain to make sure it can map +buffers into contiguous chunks (for big page support) without getting +in the way of mappings from the DRM group. + +Fixes: 63a613fdb16c ("memory: tegra: Add gr2d and gr3d to DRM IOMMU group") +Reported-by: Matias Zuniga <matias.nicolas.zc@gmail.com> +Signed-off-by: Thierry Reding <treding@nvidia.com> +Reviewed-by: Dmitry Osipenko <digetx@gmail.com> +--- + drivers/memory/tegra/tegra124.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/memory/tegra/tegra124.c b/drivers/memory/tegra/tegra124.c +index 493b5dc3a4b3..0cede24479bf 100644 +--- a/drivers/memory/tegra/tegra124.c ++++ b/drivers/memory/tegra/tegra124.c +@@ -957,7 +957,6 @@ static const struct tegra_smmu_swgroup tegra124_swgroups[] = { + static const unsigned int tegra124_group_drm[] = { + TEGRA_SWGROUP_DC, + TEGRA_SWGROUP_DCB, +- TEGRA_SWGROUP_GPU, + TEGRA_SWGROUP_VIC, + }; + diff --git a/net-packet-fix-overflow-in-tpacket_rcv.patch b/net-packet-fix-overflow-in-tpacket_rcv.patch new file mode 100644 index 000000000..6c6868f5c --- /dev/null +++ b/net-packet-fix-overflow-in-tpacket_rcv.patch 
@@ -0,0 +1,59 @@ +From 00c393ea14d12a4ef490a6aedf0fa6bfc2bfe8c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 3 Sep 2020 21:05:28 -0700 +Subject: net/packet: fix overflow in tpacket_rcv + +From: Or Cohen <orcohen@paloaltonetworks.com> + +[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ] + +Using tp_reserve to calculate netoff can overflow as +tp_reserve is unsigned int and netoff is unsigned short. + +This may lead to macoff receving a smaller value then +sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr +is set, an out-of-bounds write will occur when +calling virtio_net_hdr_from_skb. + +The bug is fixed by converting netoff to unsigned int +and checking if it exceeds USHRT_MAX. + +This addresses CVE-2020-14386 + +Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") +Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/packet/af_packet.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 301f41d4929bd..82f7802983797 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2170,7 +2170,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + int skb_len = skb->len; + unsigned int snaplen, res; + unsigned long status = TP_STATUS_USER; +- unsigned short macoff, netoff, hdrlen; ++ unsigned short macoff, hdrlen; ++ unsigned int netoff; + struct sk_buff *copy_skb = NULL; + struct timespec64 ts; + __u32 ts_status; +@@ -2239,6 +2240,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + } + macoff = netoff - maclen; + } ++ if (netoff > USHRT_MAX) { ++ atomic_inc(&po->tp_drops); ++ goto drop_n_restore; ++ } + if (po->tp_version <= TPACKET_V2) { + if (macoff + snaplen > po->rx_ring.frame_size) { + if (po->copy_thresh && 
+-- +2.25.1 + |
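Review bot: Patch110 in the kernel.spec patch-definitions hunk is added without a comment line, while Patch108 and Patch109 directly above it each carry a `# CVE-... rhbz ...` line. Add a one-line comment above `Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch` saying why the patch is carried and where it was taken from (the patch file identifies itself as X-Patchwork-Id 1355200), so whoever does the next rebase can tell when it is safe to drop.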
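Review bot: the 5.8.7-300 entry in the kernel.spec %changelog hunk lists only `- Linux v5.8.7` and `- Fix CVE-2020-14386 (rhbz 1875699 1876349)`, but the same commit also introduces Patch110, the Tegra IOMMU group change. Add a changelog line for it so the package history accounts for every patch that first ships in this build.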
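Review bot: the new memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch file stores the raw patchwork mbox, so most of its 113 lines are mail transport headers (Received, Authentication-Results, DKIM-Signature, X-Gm-Message-State) wrapped around a one-line deletion of `TEGRA_SWGROUP_GPU` from tegra124_group_drm[]. Trim the file to From, Date, Subject, the commit message and the diff. It would also help to state the patch's upstream status in its header: the net/packet patch in this commit names its upstream commit, whereas this file only identifies a mailing-list submission.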
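Review bot: in the declaration hunk of tpacket_rcv only netoff is widened to `unsigned int`; macoff and hdrlen stay `unsigned short`, so `macoff = netoff - maclen` (visible as context in the next hunk) remains an implicit narrowing assignment. It is correct only while the later USHRT_MAX bound on netoff holds. Consider noting that dependency at the declaration, or widening macoff as well, so a future change to the bound does not silently reintroduce a truncated offset.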
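Review bot: the `if (netoff > USHRT_MAX)` check in the second tpacket_rcv hunk sits after `macoff = netoff - maclen`, so on the rejected path macoff already holds a truncated value when the check fires. The visible lines show no use of macoff before the `goto drop_n_restore`, and the first use is `macoff + snaplen > po->rx_ring.frame_size` immediately below, so the fix holds, but the ordering is easy to break. A short code comment explaining that netoff is derived from the unsigned int tp_reserve and that this bound must precede every use of macoff and netoff would keep the reasoning from living only in the commit message.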