-rw-r--r-- | 0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch | 104
-rw-r--r-- | CVE-2018-19407.patch | 104
-rw-r--r-- | kernel.spec | 16
-rw-r--r-- | mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch | 59
-rw-r--r-- | sources | 2
5 files changed, 176 insertions, 109 deletions
diff --git a/0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch b/0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch deleted file mode 100644 index 822e497af..000000000 --- a/0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 5afcaee5ee71ba730fde8f66da7e320fb7e674d2 Mon Sep 17 00:00:00 2001 -From: Hans de Goede <hdegoede@redhat.com> -Date: Mon, 19 Nov 2018 17:38:59 +0100 -Subject: [PATCH 4.20 regression fix] ACPI / platform: Add SMB0001 HID to - forbidden_id_list - -Many HP AMD based laptops contain an SMB0001 device like this: - -Device (SMBD) -{ - Name (_HID, "SMB0001") // _HID: Hardware ID - Name (_CRS, ResourceTemplate () // _CRS: Current Resource Settings - { - IO (Decode16, - 0x0B20, // Range Minimum - 0x0B20, // Range Maximum - 0x20, // Alignment - 0x20, // Length - ) - IRQ (Level, ActiveLow, Shared, ) - {7} - }) -} - -The legacy style IRQ resource here causes acpi_dev_get_irqresource() to -be called with legacy=true and this message to show in dmesg: -ACPI: IRQ 7 override to edge, high - -This causes issues when later on the AMD0030 GPIO device gets enumerated: - -Device (GPIO) -{ - Name (_HID, "AMDI0030") // _HID: Hardware ID - Name (_CID, "AMDI0030") // _CID: Compatible ID - Name (_UID, Zero) // _UID: Unique ID - Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings - { - Name (RBUF, ResourceTemplate () - { - Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, ) - { - 0x00000007, - } - Memory32Fixed (ReadWrite, - 0xFED81500, // Address Base - 0x00000400, // Address Length - ) - }) - Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */ - } -} - -Now acpi_dev_get_irqresource() gets called with legacy=false, but because -of the earlier override of the trigger-type acpi_register_gsi() returns --EBUSY (because we try to register the same interrupt with a different -trigger-type) and we end up setting IORESOURCE_DISABLED in the flags. - -The setting of IORESOURCE_DISABLED causes platform_get_irq() to call -acpi_irq_get() which is not implemented on x86 and returns -EINVAL. 
-resulting in the following in dmesg: - -amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22 -amd_gpio: probe of AMDI0030:00 failed with error -22 - -The SMB0001 is a "virtual" device in the sense that the only way the OS -interacts with it is through calling a couple of methods to do SMBus -transfers. As such it is weird that it has IO and IRQ resources at all, -because the driver for it is not expected to ever access the hardware -directly. - -The Linux driver for the SMB0001 device directly binds to the acpi_device -through the acpi_bus, so we do not need to instantiate a platform_device -for this ACPI device. This commit adds the SMB0001 HID to the -forbidden_id_list, avoiding the instantiating of a platform_device for it. -Not instantiating a platform_device means we will no longer call -acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of -the AMDI0030 device failing. - -BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013 -BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715 -BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523 -Reported-by: Lukas Kahnert <openproggerfreak@gmail.com> -Tested-by: Marc <suaefar@googlemail.com> -Cc: stable@vger.kernel.org -Signed-off-by: Hans de Goede <hdegoede@redhat.com> ---- - drivers/acpi/acpi_platform.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/acpi/acpi_platform.c b/drivers/acpi/acpi_platform.c -index eaa60c94205a..1f32caa87686 100644 ---- a/drivers/acpi/acpi_platform.c -+++ b/drivers/acpi/acpi_platform.c -@@ -30,6 +30,7 @@ static const struct acpi_device_id forbidden_id_list[] = { - {"PNP0200", 0}, /* AT DMA Controller */ - {"ACPI0009", 0}, /* IOxAPIC */ - {"ACPI000A", 0}, /* IOAPIC */ -+ {"SMB0001", 0}, /* ACPI SMBUS virtual device */ - {"", 0}, - }; - --- -2.19.1 - diff --git a/CVE-2018-19407.patch b/CVE-2018-19407.patch new file mode 100644 index 000000000..9f84db7be --- /dev/null +++ b/CVE-2018-19407.patch 
@@ -0,0 +1,104 @@ +From: Wanpeng Li <kernellwp@gmail.com> +Date: Tue, 27 Nov 2018 14:01:04 -0500 +Subject: [PATCH] KVM: X86: Fix scan ioapic use-before-initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reported by syzkaller: + + BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8 + PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0 + Oops: 0000 [#1] PREEMPT SMP PTI + CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16 + RIP: 0010:__lock_acquire+0x1a6/0x1990 + Call Trace: + lock_acquire+0xdb/0x210 + _raw_spin_lock+0x38/0x70 + kvm_ioapic_scan_entry+0x3e/0x110 [kvm] + vcpu_enter_guest+0x167e/0x1910 [kvm] + kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm] + kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm] + do_vfs_ioctl+0xa5/0x690 + ksys_ioctl+0x6d/0x80 + __x64_sys_ioctl+0x1a/0x20 + do_syscall_64+0x83/0x6e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr +and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. +However, irqchip is not initialized by this simple testcase, ioapic/apic +objects should not be accessed. 
+This can be triggered by the following program: + + #define _GNU_SOURCE + + #include <endian.h> + #include <stdint.h> + #include <stdio.h> + #include <stdlib.h> + #include <string.h> + #include <sys/syscall.h> + #include <sys/types.h> + #include <unistd.h> + + uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; + + int main(void) + { + syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); + long res = 0; + memcpy((void*)0x20000040, "/dev/kvm", 9); + res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0); + if (res != -1) + r[0] = res; + res = syscall(__NR_ioctl, r[0], 0xae01, 0); + if (res != -1) + r[1] = res; + res = syscall(__NR_ioctl, r[1], 0xae41, 0); + if (res != -1) + r[2] = res; + memcpy( + (void*)0x20000080, + "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00" + "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43" + "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33" + "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe" + "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22" + "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb", + 106); + syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080); + syscall(__NR_ioctl, r[2], 0xae80, 0); + return 0; + } + +This patch fixes it by bailing out scan ioapic if ioapic is not initialized in +kernel. 
+ +Reported-by: Wei Wu <ww9210@gmail.com> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Cc: Radim Krčmář <rkrcmar@redhat.com> +Cc: Wei Wu <ww9210@gmail.com> +Signed-off-by: Wanpeng Li <wanpengli@tencent.com> +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + arch/x86/kvm/x86.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index ca717737347e..89694cbf84cf 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7313,7 +7313,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu) + else { + if (vcpu->arch.apicv_active) + kvm_x86_ops->sync_pir_to_irr(vcpu); +- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); ++ if (ioapic_in_kernel(vcpu->kvm)) ++ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); + } + + if (is_guest_mode(vcpu)) +-- +2.19.1 + diff --git a/kernel.spec b/kernel.spec index 7d9c88822..8153466f1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} 
@@ -621,15 +621,18 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch # rhbz 1526312, patch is in 4.20, can be dropped on rebase Patch507: 0001-HID-i2c-hid-override-HID-descriptors-for-certain-dev.patch -# rhbz 1644013, patch pending upstream -Patch509: 0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch - # rhbz 1526312 (accelerometer part of the bug), patches pending upstream Patch510: iio-accel-kxcjk1013-Add-more-hardware-ids.patch # rhbz 1650224, patch in subsystem tree and Cc'd for stable Patch511: drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch +# CVE-2018-16862 (rhbz 1649017 1653122) +Patch512: mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch + +# CVE-2018-19407 (rhbz 1652656 1652658) +Patch513: CVE-2018-19407.patch + # END OF PATCH DEFINITIONS %endif @@ -1881,6 +1884,11 @@ fi # # %changelog +* Tue Nov 27 2018 Jeremy Cline <jcline@redhat.com> - 4.19.5-300 +- Linux v4.19.5 +- Fix CVE-2018-16862 (rhbz 1649017 1653122) +- Fix CVE-2018-19407 (rhbz 1652656 1652658) + * Mon Nov 26 2018 Jeremy Cline <jeremy@jcline.org> - Fixes a null pointer dereference with Nvidia and vmwgfx drivers (rhbz 1650224) diff --git a/mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch b/mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch new file mode 100644 index 000000000..dd6934daf --- /dev/null +++ b/mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch 
@@ -0,0 +1,59 @@ +From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> +Subject: mm: cleancache: fix corruption on missed inode invalidation + +If all pages are deleted from the mapping by memory reclaim and also +moved to the cleancache: + +__delete_from_page_cache + (no shadow case) + unaccount_page_cache_page + cleancache_put_page + page_cache_delete + mapping->nrpages -= nr + (nrpages becomes 0) + +We don't clean the cleancache for an inode after final file truncation +(removal). + +truncate_inode_pages_final + check (nrpages || nrexceptional) is false + no truncate_inode_pages + no cleancache_invalidate_inode(mapping) + +These way when reading the new file created with same inode we may get +these trash leftover pages from cleancache and see wrong data instead of +the contents of the new file. + +Fix it by always doing truncate_inode_pages which is already ready for +nrpages == 0 && nrexceptional == 0 case and just invalidates inode. + +Link: http://lkml.kernel.org/r/20181112095734.17979-1-ptikhomirov@virtuozzo.com +Fixes: commit 91b0abe36a7b ("mm + fs: store shadow entries in page cache") +Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> +Reviewed-by: Vasily Averin <vvs@virtuozzo.com> +Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Cc: Johannes Weiner <hannes@cmpxchg.org> +Cc: Mel Gorman <mgorman@techsingularity.net> +Cc: Matthew Wilcox <willy@infradead.org> +Cc: Andi Kleen <ak@linux.intel.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +--- + + +--- a/mm/truncate.c~mm-cleancache-fix-corruption-on-missed-inode-invalidation ++++ a/mm/truncate.c +@@ -517,9 +517,9 @@ void truncate_inode_pages_final(struct a + */ + xa_lock_irq(&mapping->i_pages); + xa_unlock_irq(&mapping->i_pages); +- +- truncate_inode_pages(mapping, 0); + } ++ ++ truncate_inode_pages(mapping, 0); + } + EXPORT_SYMBOL(truncate_inode_pages_final); + +_ 
@@ -1,2 +1,2 @@ SHA512 (linux-4.19.tar.xz) = ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4 -SHA512 (patch-4.19.4.xz) = 247039e297325a5db63df4400844a800e209d1b652512e3640ef4031d7ecad1f3e49477863fddf02b4d1d105530650363d0d03f57e02cd4d70ce4addb2085b34 +SHA512 (patch-4.19.5.xz) = 2d127b9bce3f176732b0a60feec1cf21ace28962ef2a7c468d25332631f87dd766c72706383d72461112f7dfc09742ff3c2092e162aa5923d220f2a1d4a390e4 |
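Review bot: The deletion of 0001-ACPI-platform-Add-SMB0001-HID-to-forbidden_id_list.patch and the matching removal of the `# rhbz 1644013, patch pending upstream` / `Patch509:` lines in the kernel.spec hunk at `@@ -621,15 +621,18 @@` are not explained anywhere; the new changelog entry lists only the 4.19.5 rebase and the two CVE fixes. If the SMB0001 fix is now carried by the 4.19.5 stable update (the patch was Cc'd to stable@vger.kernel.org), add a changelog line saying so, e.g. `- Drop SMB0001 forbidden_id_list patch, now in 4.19.5`; otherwise this commit silently reverts the fix for rhbz 1644013 on the affected HP AMD laptops, and the probe failure of the AMDI0030 GPIO device described in the patch returns.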
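Review bot: CVE-2018-19407.patch carries no upstream commit id or mailing-list link, unlike the dropped ACPI patch whose first line is `From 5afcaee5ee71...`, so the rebase tooling cannot tell when 4.19-stable picks it up and the patch will linger. Record the upstream commit (or the lore URL) either in the patch header or in the `# CVE-2018-19407 (rhbz 1652656 1652658)` comment in kernel.spec. The hunk itself is sound: wrapping only `kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);` in `if (ioapic_in_kernel(vcpu->kvm))` guards exactly the call that the syzkaller trace shows dereferencing the uninitialized ioapic (`_raw_spin_lock` under `kvm_ioapic_scan_entry`) when a Hyper-V SynIC MSR write reaches the scan path before any irqchip has been created.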
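Review bot: mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch is in -mm/mmotm form (`--- a/mm/truncate.c~mm-cleancache-fix-...` / `+++ a/mm/truncate.c`, trailing `_`, no `From <sha>` line) and nowhere mentions CVE-2018-16862; only the `# CVE-2018-16862 (rhbz 1649017 1653122)` comment in kernel.spec ties the two together. Once the fix lands upstream, replace this file with the final git format-patch output so the commit id is visible in the patch and can be matched against later stable updates. The change in the hunk is correct for the bug described: moving `truncate_inode_pages(mapping, 0);` after the closing brace makes it unconditional, so the cleancache_invalidate_inode() it performs also runs when nrpages and nrexceptional are both 0, which is precisely the reclaim-to-cleancache path that the old `if (nrpages || nrexceptional)` check skipped.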
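Review bot: The last hunk (`@@ -1,2 +1,2 @@ SHA512 ...`) replaces the patch-4.19.4.xz checksum with one for patch-4.19.5.xz, but the rendered page shows no `diff --git a/sources b/sources` header in front of it, so confirm the hunk really applies to `sources` and not to the tail of the preceding patch file. Before the `%define stable_update 5` bump ships, verify the downloaded patch-4.19.5.xz against its detached PGP signature from kernel.org rather than trusting a sum computed from whatever was fetched, since the `sources` file is the only integrity anchor for the tarball and stable patch in this build.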