From 42e6213b6afc2bc7add3222e0a7de85327dea53e Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 14 May 2021 12:32:31 -0500 Subject: kernel-5.12.4-0 * Fri May 14 2021 Justin M. Forbes [5.12.4-0] - can: isotp: prevent race between isotp_bind() and isotp_setsockopt() (Norbert Slusarek) Resolves: rhbz# Signed-off-by: Justin M. Forbes --- Patchlist.changelog | 3 + kernel.spec | 11 +- patch-5.12-redhat.patch | 291 +++++++++++++++++------------------------------- sources | 6 +- 4 files changed, 113 insertions(+), 198 deletions(-) diff --git a/Patchlist.changelog b/Patchlist.changelog index 3e328f443..b6100de64 100644 --- a/Patchlist.changelog +++ b/Patchlist.changelog @@ -1,3 +1,6 @@ +https://gitlab.com/cki-project/kernel-ark/-/commit/6a311b81b6400d1c74b376d8982a08d5ce6f2a3a + 6a311b81b6400d1c74b376d8982a08d5ce6f2a3a can: isotp: prevent race between isotp_bind() and isotp_setsockopt() + https://gitlab.com/cki-project/kernel-ark/-/commit/488a2344e7f9fd32ee8edf24daeceb7956a893fc 488a2344e7f9fd32ee8edf24daeceb7956a893fc io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers diff --git a/kernel.spec b/kernel.spec index 3ea688709..4ac56ee47 100755 --- a/kernel.spec +++ b/kernel.spec @@ -106,7 +106,7 @@ Summary: The Linux kernel %define primary_target rhel %endif -%define rpmversion 5.12.3 +%define rpmversion 5.12.4 %define stableversion 5.12 %define pkgrelease 300 @@ -623,7 +623,7 @@ BuildRequires: clang # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.12.3.tar.xz +Source0: linux-5.12.4.tar.xz Source1: Makefile.rhelver @@ -1277,8 +1277,8 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.12.3 -c -mv linux-5.12.3 linux-%{KVERREL} +%setup -q -n kernel-5.12.4 -c +mv linux-5.12.4 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . 
@@ -2792,6 +2792,9 @@ fi # # %changelog +* Fri May 14 2021 Justin M. Forbes [5.12.4-0] +- can: isotp: prevent race between isotp_bind() and isotp_setsockopt() (Norbert Slusarek) + * Wed May 12 2021 Justin M. Forbes [5.12.3-0] - io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers (Thadeu Lima de Souza Cascardo) - bpf: Prevent writable memory-mapping of read-only ringbuf pages (Andrii Nakryiko) diff --git a/patch-5.12-redhat.patch b/patch-5.12-redhat.patch index f256aada8..07d5e4f65 100644 --- a/patch-5.12-redhat.patch +++ b/patch-5.12-redhat.patch @@ -21,30 +21,26 @@ drivers/hwtracing/coresight/coresight-etm4x-core.c | 19 ++++ drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++--------- drivers/iommu/iommu.c | 22 ++++ - drivers/net/ethernet/sfc/ef10.c | 3 +- drivers/pci/controller/dwc/Makefile | 2 +- drivers/pci/controller/dwc/pcie-tegra194.c | 103 +++++++++++++++++ drivers/pci/quirks.c | 24 ++++ drivers/scsi/smartpqi/smartpqi_init.c | 16 +++ drivers/usb/core/hub.c | 7 ++ - fs/io_uring.c | 4 +- include/linux/efi.h | 22 ++-- include/linux/lsm_hook_defs.h | 2 + include/linux/lsm_hooks.h | 6 + include/linux/pci-ecam.h | 1 + include/linux/rmi.h | 1 + include/linux/security.h | 5 + - kernel/bpf/ringbuf.c | 24 ++-- - kernel/bpf/verifier.c | 22 ++-- kernel/crash_core.c | 28 ++++- kernel/module_signing.c | 9 +- - net/nfc/llcp_sock.c | 4 + + net/can/isotp.c | 49 +++++--- security/integrity/platform_certs/load_uefi.c | 6 +- security/lockdown/Kconfig | 13 +++ security/lockdown/lockdown.c | 1 + security/security.c | 6 + sound/pci/hda/patch_realtek.c | 18 +++ - 46 files changed, 653 insertions(+), 207 deletions(-) + 42 files changed, 659 insertions(+), 193 deletions(-) diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst index 75a9dd98e76e..3ff3291551f9 100644 @@ -69,7 +65,7 @@ index 75a9dd98e76e..3ff3291551f9 100644 Boot into System Kernel 
diff --git a/Makefile b/Makefile -index 53a4b1cb7bb0..fb79b5a0f827 100644 +index 0b1852621615..a8b738debf11 100644 --- a/Makefile +++ b/Makefile @@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE @@ -147,7 +143,7 @@ index 7a21eca498aa..565f143c9858 100644 + return !!ipl_secure_flag; +} diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c -index 72134f9f6ff5..95970f299ef5 100644 +index 5aab59ad5688..c53572b81c37 100644 --- a/arch/s390/kernel/setup.c +++ b/arch/s390/kernel/setup.c @@ -49,6 +49,7 @@ @@ -950,7 +946,7 @@ index 258d5fe3d395..f7298e3dc8f3 100644 if (data->f01_container->dev.driver) { /* Driver already bound, so enable ATTN now. */ diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c -index d0b0a15dba84..005984e8ef5e 100644 +index e10cfa99057c..8970806f7b61 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -7,6 +7,7 @@ @@ -961,7 +957,7 @@ index d0b0a15dba84..005984e8ef5e 100644 #include #include #include -@@ -3049,6 +3050,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle) +@@ -3055,6 +3056,27 @@ u32 iommu_sva_get_pasid(struct iommu_sva *handle) } EXPORT_SYMBOL_GPL(iommu_sva_get_pasid); @@ -989,20 +985,6 @@ index d0b0a15dba84..005984e8ef5e 100644 /* * Changes the default domain of an iommu group that has *only* one device * -diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c -index da6886dcac37..4fa72b573c17 100644 ---- a/drivers/net/ethernet/sfc/ef10.c -+++ b/drivers/net/ethernet/sfc/ef10.c -@@ -2928,8 +2928,7 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) - - /* Get the transmit queue */ - tx_ev_q_label = EFX_QWORD_FIELD(*event, ESF_DZ_TX_QLABEL); -- tx_queue = efx_channel_get_tx_queue(channel, -- tx_ev_q_label % EFX_MAX_TXQ_PER_CHANNEL); -+ tx_queue = channel->tx_queue + (tx_ev_q_label % EFX_MAX_TXQ_PER_CHANNEL); - - if (!tx_queue->timestamping) { - /* Transmit completion */ 
diff --git a/drivers/pci/controller/dwc/Makefile b/drivers/pci/controller/dwc/Makefile index a751553fa0db..dbb981876556 100644 --- a/drivers/pci/controller/dwc/Makefile @@ -1233,28 +1215,6 @@ index 404507d1b76f..51ee8f28a60b 100644 /* Lock the device, then check to see if we were * disconnected while waiting for the lock to succeed. */ usb_lock_device(hdev); -diff --git a/fs/io_uring.c b/fs/io_uring.c -index 0b5fbbd969cb..2bdd7eab6c66 100644 ---- a/fs/io_uring.c -+++ b/fs/io_uring.c -@@ -238,7 +238,7 @@ struct fixed_rsrc_data { - struct io_buffer { - struct list_head list; - __u64 addr; -- __s32 len; -+ __u32 len; - __u16 bid; - }; - -@@ -4017,7 +4017,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head) - break; - - buf->addr = addr; -- buf->len = pbuf->len; -+ buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT); - buf->bid = bid; - addr += pbuf->len; - bid++; diff --git a/include/linux/efi.h b/include/linux/efi.h index 6b5d36babfcc..fd4a5d66a9d0 100644 --- a/include/linux/efi.h 
@@ -1400,111 +1360,6 @@ index 8aeebd6646dc..7737a5d71168 100644 #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) -diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c -index f25b719ac786..84b3b35fc0d0 100644 ---- a/kernel/bpf/ringbuf.c -+++ b/kernel/bpf/ringbuf.c -@@ -221,25 +221,20 @@ static int ringbuf_map_get_next_key(struct bpf_map *map, void *key, - return -ENOTSUPP; - } - --static size_t bpf_ringbuf_mmap_page_cnt(const struct bpf_ringbuf *rb) --{ -- size_t data_pages = (rb->mask + 1) >> PAGE_SHIFT; -- -- /* consumer page + producer page + 2 x data pages */ -- return RINGBUF_POS_PAGES + 2 * data_pages; --} -- - static int ringbuf_map_mmap(struct bpf_map *map, struct vm_area_struct *vma) - { - struct bpf_ringbuf_map *rb_map; -- size_t mmap_sz; - - rb_map = container_of(map, struct bpf_ringbuf_map, map); -- mmap_sz = bpf_ringbuf_mmap_page_cnt(rb_map->rb) << PAGE_SHIFT; -- -- if (vma->vm_pgoff * PAGE_SIZE + (vma->vm_end - vma->vm_start) > mmap_sz) -- return -EINVAL; - -+ if (vma->vm_flags & VM_WRITE) { -+ /* allow writable mapping for the consumer_pos only */ -+ if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != PAGE_SIZE) -+ return -EPERM; -+ } else { -+ vma->vm_flags &= ~VM_MAYWRITE; -+ } -+ /* remap_vmalloc_range() checks size and offset constraints */ - return remap_vmalloc_range(vma, rb_map->rb, - vma->vm_pgoff + RINGBUF_PGOFF); - } -@@ -315,6 +310,9 @@ static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size) - return NULL; - - len = round_up(size + BPF_RINGBUF_HDR_SZ, 8); -+ if (len > rb->mask + 1) -+ return NULL; -+ - cons_pos = smp_load_acquire(&rb->consumer_pos); - - if (in_nmi()) { -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index a2ed7a7e27e2..4353da444c78 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -6540,11 +6540,10 @@ static void scalar32_min_max_and(struct bpf_reg_state *dst_reg, - s32 smin_val = src_reg->s32_min_value; - u32 umax_val = 
src_reg->u32_max_value; - -- /* Assuming scalar64_min_max_and will be called so its safe -- * to skip updating register for known 32-bit case. -- */ -- if (src_known && dst_known) -+ if (src_known && dst_known) { -+ __mark_reg32_known(dst_reg, var32_off.value); - return; -+ } - - /* We get our minimum from the var_off, since that's inherently - * bitwise. Our maximum is the minimum of the operands' maxima. -@@ -6564,7 +6563,6 @@ static void scalar32_min_max_and(struct bpf_reg_state *dst_reg, - dst_reg->s32_min_value = dst_reg->u32_min_value; - dst_reg->s32_max_value = dst_reg->u32_max_value; - } -- - } - - static void scalar_min_max_and(struct bpf_reg_state *dst_reg, -@@ -6611,11 +6609,10 @@ static void scalar32_min_max_or(struct bpf_reg_state *dst_reg, - s32 smin_val = src_reg->s32_min_value; - u32 umin_val = src_reg->u32_min_value; - -- /* Assuming scalar64_min_max_or will be called so it is safe -- * to skip updating register for known case. -- */ -- if (src_known && dst_known) -+ if (src_known && dst_known) { -+ __mark_reg32_known(dst_reg, var32_off.value); - return; -+ } - - /* We get our maximum from the var_off, and our minimum is the - * maximum of the operands' minima -@@ -6680,11 +6677,10 @@ static void scalar32_min_max_xor(struct bpf_reg_state *dst_reg, - struct tnum var32_off = tnum_subreg(dst_reg->var_off); - s32 smin_val = src_reg->s32_min_value; - -- /* Assuming scalar64_min_max_xor will be called so it is safe -- * to skip updating register for known case. -- */ -- if (src_known && dst_known) -+ if (src_known && dst_known) { -+ __mark_reg32_known(dst_reg, var32_off.value); - return; -+ } - - /* We get both minimum and maximum from the var32_off. */ - dst_reg->u32_min_value = var32_off.value; diff --git a/kernel/crash_core.c b/kernel/crash_core.c index 825284baaf46..0b2b3f510b16 100644 --- a/kernel/crash_core.c 
@@ -1591,41 +1446,95 @@ index 8723ae70ea1f..fb2d773498c2 100644 + } + return ret; } -diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c -index a3b46f888803..53dbe733f998 100644 ---- a/net/nfc/llcp_sock.c -+++ b/net/nfc/llcp_sock.c -@@ -109,12 +109,14 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) - GFP_KERNEL); - if (!llcp_sock->service_name) { - nfc_llcp_local_put(llcp_sock->local); -+ llcp_sock->local = NULL; - ret = -ENOMEM; - goto put_dev; - } - llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); - if (llcp_sock->ssap == LLCP_SAP_MAX) { - nfc_llcp_local_put(llcp_sock->local); -+ llcp_sock->local = NULL; - kfree(llcp_sock->service_name); - llcp_sock->service_name = NULL; - ret = -EADDRINUSE; -@@ -709,6 +711,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, - llcp_sock->ssap = nfc_llcp_get_local_ssap(local); - if (llcp_sock->ssap == LLCP_SAP_MAX) { - nfc_llcp_local_put(llcp_sock->local); -+ llcp_sock->local = NULL; - ret = -ENOMEM; - goto put_dev; +diff --git a/net/can/isotp.c b/net/can/isotp.c +index 9f94ad3caee9..253b24417c8e 100644 +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1062,27 +1062,31 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len) + if (len < ISOTP_MIN_NAMELEN) + return -EINVAL; + ++ if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) ++ return -EADDRNOTAVAIL; ++ ++ if (!addr->can_ifindex) ++ return -ENODEV; ++ ++ lock_sock(sk); ++ + /* do not register frame reception for functional addressing */ + if (so->opt.flags & CAN_ISOTP_SF_BROADCAST) + do_rx_reg = 0; + + /* do not validate rx address for functional addressing */ + if (do_rx_reg) { +- if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) +- return -EADDRNOTAVAIL; ++ if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) { ++ err = -EADDRNOTAVAIL; ++ goto out; ++ } + +- if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) +- return -EADDRNOTAVAIL; ++ if 
(addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) { ++ err = -EADDRNOTAVAIL; ++ goto out; ++ } } -@@ -756,6 +759,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, - sock_llcp_release: - nfc_llcp_put_ssap(local, llcp_sock->ssap); - nfc_llcp_local_put(llcp_sock->local); -+ llcp_sock->local = NULL; - - put_dev: - nfc_put_device(dev); + +- if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) +- return -EADDRNOTAVAIL; +- +- if (!addr->can_ifindex) +- return -ENODEV; +- +- lock_sock(sk); +- + if (so->bound && addr->can_ifindex == so->ifindex && + addr->can_addr.tp.rx_id == so->rxid && + addr->can_addr.tp.tx_id == so->txid) +@@ -1164,16 +1168,13 @@ static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer) + return ISOTP_MIN_NAMELEN; + } + +-static int isotp_setsockopt(struct socket *sock, int level, int optname, ++static int isotp_setsockopt_locked(struct socket *sock, int level, int optname, + sockptr_t optval, unsigned int optlen) + { + struct sock *sk = sock->sk; + struct isotp_sock *so = isotp_sk(sk); + int ret = 0; + +- if (level != SOL_CAN_ISOTP) +- return -EINVAL; +- + if (so->bound) + return -EISCONN; + +@@ -1248,6 +1249,22 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname, + return ret; + } + ++static int isotp_setsockopt(struct socket *sock, int level, int optname, ++ sockptr_t optval, unsigned int optlen) ++ ++{ ++ struct sock *sk = sock->sk; ++ int ret; ++ ++ if (level != SOL_CAN_ISOTP) ++ return -EINVAL; ++ ++ lock_sock(sk); ++ ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen); ++ release_sock(sk); ++ return ret; ++} ++ + static int isotp_getsockopt(struct socket *sock, int level, int optname, + char __user *optval, int __user *optlen) + { diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index ee4b4c666854..eff9ff593405 100644 --- a/security/integrity/platform_certs/load_uefi.c 
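Review bot: `isotp_setsockopt_locked()` in the net/can/isotp.c part of this hunk now depends on its caller holding the socket lock, since that is what serialises its `so->bound` check against `isotp_bind()`, yet the new code neither documents nor asserts that contract. Adding `sock_owned_by_me(sk);` as its first statement (or at least a comment `/* caller must hold lock_sock(sk) */` above the definition) would let lockdep catch any later caller that skips the lock and reopens the race. In `isotp_bind()` the two converted checks now `goto out` with the lock held; the `out:` label is outside the hunk, so it is worth confirming that it calls `release_sock(sk)` on every path reaching it. Minor style point: the new `isotp_setsockopt()` wrapper has a stray blank line between the parameter list and the opening `{`.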
@@ -1704,10 +1613,10 @@ index 5ac96b16f8fa..fc47d6de57ee 100644 int security_perf_event_open(struct perf_event_attr *attr, int type) { diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index d05d16ddbdf2..3dd6362000a1 100644 +index 8ec57bd351df..213a3311baff 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c -@@ -5688,6 +5688,18 @@ static void alc_fixup_tpt470_dacs(struct hda_codec *codec, +@@ -5717,6 +5717,18 @@ static void alc_fixup_tpt470_dacs(struct hda_codec *codec, spec->gen.preferred_dacs = preferred_pairs; } @@ -1726,7 +1635,7 @@ index d05d16ddbdf2..3dd6362000a1 100644 static void alc_shutup_dell_xps13(struct hda_codec *codec) { struct alc_spec *spec = codec->spec; -@@ -6451,6 +6463,7 @@ enum { +@@ -6481,6 +6493,7 @@ enum { ALC282_FIXUP_ACER_DISABLE_LINEOUT, ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST, ALC256_FIXUP_ACER_HEADSET_MIC, @@ -1734,7 +1643,7 @@ index d05d16ddbdf2..3dd6362000a1 100644 }; static const struct hda_fixup alc269_fixups[] = { -@@ -7939,6 +7952,10 @@ static const struct hda_fixup alc269_fixups[] = { +@@ -7973,6 +7986,10 @@ static const struct hda_fixup alc269_fixups[] = { .chained = true, .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC }, 
@@ -1745,11 +1654,11 @@ index d05d16ddbdf2..3dd6362000a1 100644 }; static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -8137,6 +8154,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -8171,6 +8188,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_ASUS_ZENBOOK), SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x1740, "ASUS UX430UA", ALC295_FIXUP_ASUS_DACS), SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), + SND_PCI_QUIRK(0x1043, 0x1881, "ASUS Zephyrus S/M", ALC294_FIXUP_ASUS_GX502_PINS), SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), - SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC), diff --git a/sources b/sources index 499243b32..f51304f1a 100644 --- a/sources +++ b/sources 
@@ -1,4 +1,4 @@
 SHA512 (patch-5.10.6.xz) = 54e74994a27b6a753717c778e5a550fd5db0f4acd24095f9b6e6d7cbb5c914be2f914d34865c9453d85a37873f0575fc5af54374ea1fe6e6d313d978e739d58f
-SHA512 (linux-5.12.3.tar.xz) = 7867918936abf9c973f93e41e05cf4eed0e2c62d1477bd1f451e0290c6fee22d5343b615aeb22b1d1b55fa61de043b5cd725afd331eba63657fd9fe733d70384
-SHA512 (kernel-abi-whitelists-5.12.3-300.tar.bz2) = 097da9117616a32e846fbed2946ab9371afa83577bfb70a80507c6e99bc982f5580b304515484d129e623efe5e626b5589e39c3e59986bedd3033dc1986b8a72
-SHA512 (kernel-kabi-dw-5.12.3-300.tar.bz2) = 561d75b056d488b47790e5d7651c596c54f8576d2da5f19a0fd14d36c6ebffcf9edba10b6fd76ffe975e6780660c3fbcc5683190625077c5121d1fa838a89270
+SHA512 (linux-5.12.4.tar.xz) = 89244b2607432e039ec5a7abc83bda52aeef68264e09953eca25f15d94c264b9274547415399b1460d137e6daa167854cd068fe9d3d6a882be07a652796f5a0a
+SHA512 (kernel-abi-whitelists-5.12.4-300.tar.bz2) = c80788dde7726f4e3df3840e0f275ccd7a17eb98755a4677f9b922e6fd981117e086490d3f63746c4c777fc4129a8abb25c38ca4771ecaebfc17d062123c110d
+SHA512 (kernel-kabi-dw-5.12.4-300.tar.bz2) = d36cae363b14d58bfa1aca6d3719859d8367aca5acf24f7354a1bc0aa2692960c32e15dc5b15c223232af82bcca10c748a2e38806a5928ad12713def1da8c5a7
-- cgit