From 33d954533da9b8591a4e350c85d9ba4c38a51ac9 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 7 Sep 2020 09:03:08 -0500 Subject: Linux v5.8.7 Signed-off-by: Justin M. Forbes --- kernel.spec | 13 ++- memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch | 113 +++++++++++++++++++++ net-packet-fix-overflow-in-tpacket_rcv.patch | 59 +++++++++++ sources | 2 +- 4 files changed, 184 insertions(+), 3 deletions(-) create mode 100644 memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch create mode 100644 net-packet-fix-overflow-in-tpacket_rcv.patch diff --git a/kernel.spec b/kernel.spec index a42c2164e..fdb7a16b5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -80,7 +80,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -92,7 +92,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -870,6 +870,11 @@ Patch107: 0001-drivers-perf-xgene_pmu-Fix-uninitialized-resource-st.patch # CVE-2020-14385 rhbz 1874800 1874811 Patch108: 0001-xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch +# CVE-2020-14386 rhbz 1875699 1876349 +Patch109: net-packet-fix-overflow-in-tpacket_rcv.patch + +Patch110: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch + # END OF PATCH DEFINITIONS %endif @@ -2974,6 +2979,10 @@ fi # # %changelog +* Mon Sep 07 2020 Justin M. Forbes - 5.8.7-300 +- Linux v5.8.7 +- Fix CVE-2020-14386 (rhbz 1875699 1876349) + * Thu Sep 03 2020 Justin M. Forbes - 5.8.6-301 - Linux v5.8.6 - Fix CVE-2020-14385 (rhbz 1874800 1874811) diff --git a/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch b/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch new file mode 100644 index 000000000..7b30b78b2 --- /dev/null +++ b/memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch @@ -0,0 +1,113 @@ +From patchwork Tue Sep 1 15:32:48 2020 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Thierry Reding +X-Patchwork-Id: 1355200 +Return-Path: +X-Original-To: incoming@patchwork.ozlabs.org +Delivered-To: patchwork-incoming@bilbo.ozlabs.org +Authentication-Results: ozlabs.org; + spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org + (client-ip=23.128.96.18; helo=vger.kernel.org; + envelope-from=linux-tegra-owner@vger.kernel.org; receiver=) +Authentication-Results: ozlabs.org; + dmarc=pass (p=none dis=none) header.from=gmail.com +Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; + unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 + header.s=20161025 header.b=InCwqcJT; dkim-atps=neutral +Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) + by ozlabs.org (Postfix) with ESMTP id 4BgrgN1Rpfz9sWM + for ; Wed, 2 Sep 2020 01:33:04 +1000 (AEST) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1729968AbgIAPdC (ORCPT ); + Tue, 1 Sep 2020 11:33:02 -0400 +Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54580 "EHLO + lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1729209AbgIAPc4 (ORCPT + ); Tue, 1 Sep 2020 11:32:56 -0400 +Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com + [IPv6:2a00:1450:4864:20::642]) + by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D7BF6C061244; + Tue, 1 Sep 2020 08:32:54 -0700 (PDT) +Received: by mail-ej1-x642.google.com with SMTP id d11so2241288ejt.13; + Tue, 01 Sep 2020 08:32:54 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=from:to:cc:subject:date:message-id:mime-version + :content-transfer-encoding; + bh=zEPKP0AU97R+PVYnTVD02jf9E8X+9qMRm9ouiwdoWWA=; + b=InCwqcJTR/4A4+EuZFsM5xaKx0nFq9NH/7wDwaCpNHNzYmfW1s67o66afdrgjeT+42 + 3/IBsOzuQmvbcTIMqzeilMo8jynJopsDvJ04YORoFPrNoteMPeOR9CGnYRn5sTCTx/F8 + MExLqETfRiiBnfdt5p4S8Fw+UhsQjMtDLGVO+SktivIJKL0jgOtiulaSQfPNJxhuvalA + YnMxjXkFrVLYsf7Q9rHbGANzrB4pQCOFOXTTolGhIm/OgJ1H1t2modzQdKwRXUsADB8L + Wr95PT8IW7Kyqe+GrX2iD2azK1Ul6M6Ln7WgHWIYOkYGFRrhvMpSiRjMe9w0F1HwAjjO + 5qzQ== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version + :content-transfer-encoding; + bh=zEPKP0AU97R+PVYnTVD02jf9E8X+9qMRm9ouiwdoWWA=; + b=kZZAjUtuN3hiPdfltUcr+jhnrz7c9rru5yMEq/CkI9aBm/ETez84EH3hV1B78K5P7L + hNmGrJSHJ5IWuxDnUZQfaEPySWbcOwFUhahKgCeHLV/pbdTdosT0dhbnN1YfuCqO0dzc + iPOvOI7WM/A19xKHKPCspaPpluPkBiUabwFLCWWVb06ZBUUNgVhy/7Dx7Ju8GP3kNUaA + Pt0XvSw/Mp/rm2gKvnuDO9QKteP66lw5hvCUTUEIh76d8jMRMY8378JiysKz2wdaz8Fd + BYHMvMGbdRy6TAA/Uez3CT9nV1OyhEST03ttXC1lJTpyHbNiA34oKyeRtqCxxOXza5yA + k22g== +X-Gm-Message-State: AOAM5312YM/x/KVL6Su0HEVLMkmVlAUpCOSazQK4PIdtRtPsaThSHihn + RPsOkzFPKcz36DsW5eZOFaE= +X-Google-Smtp-Source: ABdhPJx8pgbFxwX4+nQIkeKINcUC4+itTbYvBBHcPVcN6ZtaYmSEFVcT5J21t8xvkFqrlVQX3t3VOg== +X-Received: by 2002:a17:907:9c3:: with SMTP id + bx3mr2005039ejc.164.1598974373583; + Tue, 01 Sep 2020 08:32:53 -0700 (PDT) +Received: from localhost ([62.96.65.119]) by smtp.gmail.com with ESMTPSA id + r23sm1371455edt.57.2020.09.01.08.32.52 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Tue, 01 Sep 2020 08:32:52 -0700 (PDT) +From: Thierry Reding +To: Krzysztof Kozlowski , + Thierry Reding +Cc: Jonathan Hunter , Dmitry Osipenko , + linux-tegra@vger.kernel.org, linux-kernel@vger.kernel.org, + Matias Zuniga +Subject: [PATCH] memory: tegra: Remove GPU from DRM IOMMU group +Date: Tue, 1 Sep 2020 17:32:48 +0200 +Message-Id: <20200901153248.1831263-1-thierry.reding@gmail.com> +X-Mailer: git-send-email 2.28.0 +MIME-Version: 1.0 +Sender: linux-tegra-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-tegra@vger.kernel.org + +From: Thierry Reding + +Commit 63a613fdb16c ("memory: tegra: Add gr2d and gr3d to DRM IOMMU +group") added the GPU to the DRM IOMMU group, which doesn't make any +sense. This causes problems when Nouveau tries to attach to the SMMU +and causes it to fall back to using the DMA API. + +Remove the GPU from the DRM groups to restore the old behaviour. The +GPU should always have its own IOMMU domain to make sure it can map +buffers into contiguous chunks (for big page support) without getting +in the way of mappings from the DRM group. + +Fixes: 63a613fdb16c ("memory: tegra: Add gr2d and gr3d to DRM IOMMU group") +Reported-by: Matias Zuniga +Signed-off-by: Thierry Reding +Reviewed-by: Dmitry Osipenko +--- + drivers/memory/tegra/tegra124.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/memory/tegra/tegra124.c b/drivers/memory/tegra/tegra124.c +index 493b5dc3a4b3..0cede24479bf 100644 +--- a/drivers/memory/tegra/tegra124.c ++++ b/drivers/memory/tegra/tegra124.c +@@ -957,7 +957,6 @@ static const struct tegra_smmu_swgroup tegra124_swgroups[] = { + static const unsigned int tegra124_group_drm[] = { + TEGRA_SWGROUP_DC, + TEGRA_SWGROUP_DCB, +- TEGRA_SWGROUP_GPU, + TEGRA_SWGROUP_VIC, + }; + diff --git a/net-packet-fix-overflow-in-tpacket_rcv.patch b/net-packet-fix-overflow-in-tpacket_rcv.patch new file mode 100644 index 000000000..6c6868f5c --- /dev/null +++ b/net-packet-fix-overflow-in-tpacket_rcv.patch @@ -0,0 +1,59 @@ +From 00c393ea14d12a4ef490a6aedf0fa6bfc2bfe8c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 21:05:28 -0700 +Subject: net/packet: fix overflow in tpacket_rcv + +From: Or Cohen + +[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ] + +Using tp_reserve to calculate netoff can overflow as +tp_reserve is unsigned int and netoff is unsigned short. + +This may lead to macoff receving a smaller value then +sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr +is set, an out-of-bounds write will occur when +calling virtio_net_hdr_from_skb. + +The bug is fixed by converting netoff to unsigned int +and checking if it exceeds USHRT_MAX. + +This addresses CVE-2020-14386 + +Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") +Signed-off-by: Or Cohen +Signed-off-by: Eric Dumazet +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 301f41d4929bd..82f7802983797 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2170,7 +2170,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + int skb_len = skb->len; + unsigned int snaplen, res; + unsigned long status = TP_STATUS_USER; +- unsigned short macoff, netoff, hdrlen; ++ unsigned short macoff, hdrlen; ++ unsigned int netoff; + struct sk_buff *copy_skb = NULL; + struct timespec64 ts; + __u32 ts_status; +@@ -2239,6 +2240,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + } + macoff = netoff - maclen; + } ++ if (netoff > USHRT_MAX) { ++ atomic_inc(&po->tp_drops); ++ goto drop_n_restore; ++ } + if (po->tp_version <= TPACKET_V2) { + if (macoff + snaplen > po->rx_ring.frame_size) { + if (po->copy_thresh && +-- +2.25.1 + diff --git a/sources b/sources index 9562156b6..ef20ca39c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-5.8.tar.xz) = 19c8694bda4533464877e2d976aca95f48c2c40c11efcc1dce0ca91cc5f9826110e277c7de2a49ff99af8ae1c76e275b7c463abf71fbf410956d63066dc4ee53 -SHA512 (patch-5.8.6.xz) = 88d4572a91c8adec1cbae72e46d97872285691e82416511487455e9fe45dbcf9cb35a55360fe1c429a8ebdee42b5ee892a45148f2624578ad9f2767571848168 +SHA512 (patch-5.8.7.xz) = f637d548e9b0419f7c65807d25c9d7547c956b211b680f6b13fd7cae636c3f3f4ef688bdaefb17956ab8290faf41420d76caf57f573a448f93e3267a620ffbf2 -- cgit