From 0d298e70b508f90883846cfc82f2918d1a561c0f Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 30 Jul 2018 08:40:14 -0500 Subject: Linux v4.17.11 --- ...u-intel-iommu-Enable-CONFIG_DMA_DIRECT_OP.patch | 125 --------------------- kernel.spec | 13 ++- sources | 2 +- 3 files changed, 10 insertions(+), 130 deletions(-) delete mode 100644 Revert-iommu-intel-iommu-Enable-CONFIG_DMA_DIRECT_OP.patch diff --git a/Revert-iommu-intel-iommu-Enable-CONFIG_DMA_DIRECT_OP.patch b/Revert-iommu-intel-iommu-Enable-CONFIG_DMA_DIRECT_OP.patch deleted file mode 100644 index 46212341f..000000000 --- a/Revert-iommu-intel-iommu-Enable-CONFIG_DMA_DIRECT_OP.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 3c16e0cc4ace8bd838bf234caead5a766b07fe9d Mon Sep 17 00:00:00 2001 -From: Christoph Hellwig -Date: Thu, 5 Jul 2018 13:29:55 -0600 -Subject: [PATCH] Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and - clean up intel_{alloc,free}_coherent()" - -This commit may cause a less than required dma mask to be used for -some allocations, which apparently leads to module load failures for -iwlwifi sometimes. - -This reverts commit d657c5c73ca987214a6f9436e435b34fc60f332a. - -Signed-off-by: Christoph Hellwig -Reported-by: Fabio Coatti -Tested-by: Fabio Coatti -Signed-off-by: Jeremy Cline ---- - drivers/iommu/Kconfig | 1 - - drivers/iommu/intel-iommu.c | 62 +++++++++++++++++++++++++++---------- - 2 files changed, 46 insertions(+), 17 deletions(-) - -diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig -index b38798cc5288..f3a21343e636 100644 ---- a/drivers/iommu/Kconfig -+++ b/drivers/iommu/Kconfig -@@ -142,7 +142,6 @@ config DMAR_TABLE - config INTEL_IOMMU - bool "Support for Intel IOMMU using DMA Remapping Devices" - depends on PCI_MSI && ACPI && (X86 || IA64_GENERIC) -- select DMA_DIRECT_OPS - select IOMMU_API - select IOMMU_IOVA - select DMAR_TABLE -diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index 749d8f235346..6392a4964fc5 100644 ---- a/drivers/iommu/intel-iommu.c -+++ b/drivers/iommu/intel-iommu.c -@@ -31,7 +31,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -3709,30 +3708,61 @@ static void *intel_alloc_coherent(struct device *dev, size_t size, - dma_addr_t *dma_handle, gfp_t flags, - unsigned long attrs) - { -- void *vaddr; -+ struct page *page = NULL; -+ int order; - -- vaddr = dma_direct_alloc(dev, size, dma_handle, flags, attrs); -- if (iommu_no_mapping(dev) || !vaddr) -- return vaddr; -+ size = PAGE_ALIGN(size); -+ order = get_order(size); - -- *dma_handle = __intel_map_single(dev, virt_to_phys(vaddr), -- PAGE_ALIGN(size), DMA_BIDIRECTIONAL, -- dev->coherent_dma_mask); -- if (!*dma_handle) -- goto out_free_pages; -- return vaddr; -+ if (!iommu_no_mapping(dev)) -+ flags &= ~(GFP_DMA | GFP_DMA32); -+ else if (dev->coherent_dma_mask < dma_get_required_mask(dev)) { -+ if (dev->coherent_dma_mask < DMA_BIT_MASK(32)) -+ flags |= GFP_DMA; -+ else -+ flags |= GFP_DMA32; -+ } -+ -+ if (gfpflags_allow_blocking(flags)) { -+ unsigned int count = size >> PAGE_SHIFT; -+ -+ page = dma_alloc_from_contiguous(dev, count, order, flags); -+ if (page && iommu_no_mapping(dev) && -+ page_to_phys(page) + size > dev->coherent_dma_mask) { -+ dma_release_from_contiguous(dev, page, count); -+ page = NULL; -+ } -+ } -+ -+ if (!page) -+ page = alloc_pages(flags, order); -+ if (!page) -+ return NULL; -+ memset(page_address(page), 0, size); -+ -+ *dma_handle = __intel_map_single(dev, page_to_phys(page), size, -+ DMA_BIDIRECTIONAL, -+ dev->coherent_dma_mask); -+ if (*dma_handle) -+ return page_address(page); -+ if (!dma_release_from_contiguous(dev, page, size >> PAGE_SHIFT)) -+ __free_pages(page, order); - --out_free_pages: -- dma_direct_free(dev, size, vaddr, *dma_handle, attrs); - return NULL; - } - - static void intel_free_coherent(struct device *dev, size_t size, void *vaddr, - dma_addr_t dma_handle, unsigned long attrs) - { -- if (!iommu_no_mapping(dev)) -- intel_unmap(dev, dma_handle, PAGE_ALIGN(size)); -- dma_direct_free(dev, size, vaddr, dma_handle, attrs); -+ int order; -+ struct page *page = virt_to_page(vaddr); -+ -+ size = PAGE_ALIGN(size); -+ order = get_order(size); -+ -+ intel_unmap(dev, dma_handle, size); -+ if (!dma_release_from_contiguous(dev, page, size >> PAGE_SHIFT)) -+ __free_pages(page, order); - } - - static void intel_unmap_sg(struct device *dev, struct scatterlist *sglist, --- -2.17.1 - diff --git a/kernel.spec b/kernel.spec index 5446d6815..2649f382d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -126,6 +126,10 @@ Summary: The Linux kernel # See also 'make debug' and 'make release'. %define debugbuildsenabled 1 +# Kernel headers are being split out into a separate package +%define with_headers 0 +%define with_cross_headers 0 + %if %{with_verbose} %define make_opts V=1 %else @@ -667,9 +671,6 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch # rhbz 1597333 # Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch -# rbhz 1607092 -Patch528: Revert-iommu-intel-iommu-Enable-CONFIG_DMA_DIRECT_OP.patch - # rhbz 1602971 Patch529: ext4-fix-false-negative-and-false-positives.patch @@ -1922,6 +1923,10 @@ fi # # %changelog +* Mon Jul 30 2018 Justin M. Forbes - 4.17.11-200 +- Linux v4.17.11 +- Turn off kernel-headers for the split + * Wed Jul 25 2018 Justin M. Forbes - 4.17.10-200 - Linux v4.17.10 diff --git a/sources b/sources index 99f6c7c2c..101c9f35a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db -SHA512 (patch-4.17.10.xz) = 4ed5a6d47de7b4153805d937c44cb5eb03628a590d597c38be299afe67047611a6b37b1c13d0a8503de296779fc4ad6337dd4209f06b375c0111400b454b59c7 +SHA512 (patch-4.17.11.xz) = 6cab8f1aecceb0491dca25afa088f9601178c8dfec51551afd34e219600bba54f65f929d9a10948cdb5595e339e096473127b55b1142e6dbe9a818149bec307d -- cgit From 27910d55bed8c9576863acfefb6964062487d0a8 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 30 Jul 2018 09:13:33 -0500 Subject: Fix CVE-2018-14678 (rhbz 1608559 1608560) --- kernel.spec | 4 ++ xsa274-linux-4_17.patch | 127 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 xsa274-linux-4_17.patch diff --git a/kernel.spec b/kernel.spec index 2649f382d..106174750 100644 --- a/kernel.spec +++ b/kernel.spec @@ -674,6 +674,9 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch # rhbz 1602971 Patch529: ext4-fix-false-negative-and-false-positives.patch +# CVE-2018-14678 rhbz 1608559 1608560 +Patch530: xsa274-linux-4_17.patch + # END OF PATCH DEFINITIONS %endif @@ -1926,6 +1929,7 @@ fi * Mon Jul 30 2018 Justin M. Forbes - 4.17.11-200 - Linux v4.17.11 - Turn off kernel-headers for the split +- Fix CVE-2018-14678 (rhbz 1608559 1608560) * Wed Jul 25 2018 Justin M. Forbes - 4.17.10-200 - Linux v4.17.10 diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch new file mode 100644 index 000000000..7a9bbf768 --- /dev/null +++ b/xsa274-linux-4_17.patch @@ -0,0 +1,127 @@ +From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Sun, 22 Jul 2018 11:05:09 -0700 +Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit + +error_entry and error_exit communicate the user vs kernel status of +the frame using %ebx. This is unnecessary -- the information is in +regs->cs. Just use regs->cs. + +This makes error_entry simpler and makes error_exit more robust. + +It also fixes a nasty bug. Before all the Spectre nonsense, The +xen_failsafe_callback entry point returned like this: + + ALLOC_PT_GPREGS_ON_STACK + SAVE_C_REGS + SAVE_EXTRA_REGS + ENCODE_FRAME_POINTER + jmp error_exit + +And it did not go through error_entry. This was bogus: RBX +contained garbage, and error_exit expected a flag in RBX. +Fortunately, it generally contained *nonzero* garbage, so the +correct code path was used. As part of the Spectre fixes, code was +added to clear RBX to mitigate certain speculation attacks. Now, +depending on kernel configuration, RBX got zeroed and, when running +some Wine workloads, the kernel crashes. This was introduced by: + + commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for + exceptions/interrupts, to reduce speculation attack surface") + +With this patch applied, RBX is no longer needed as a flag, and the +problem goes away. + +I suspect that malicious userspace could use this bug to crash the +kernel even without the offending patch applied, though. + +[Historical note: I wrote this patch as a cleanup before I was aware + of the bug it fixed.] + +[Note to stable maintainers: this should probably get applied to all + kernels. If you're nervous about that, a more conservative fix to + add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should + also fix the problem.] + +Cc: Brian Gerst +Cc: Borislav Petkov +Cc: Dominik Brodowski +Cc: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Thomas Gleixner +Cc: Boris Ostrovsky +Cc: Juergen Gross +Cc: xen-devel@lists.xenproject.org +Cc: x86@kernel.org +Cc: stable@vger.kernel.org +Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") +Reported-and-tested-by: "M. Vefa Bicakci" +Signed-off-by: Andy Lutomirski +--- + arch/x86/entry/entry_64.S | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S +index 73a522d53b53..8ae7ffda8f98 100644 +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -981,7 +981,7 @@ ENTRY(\sym) + + call \do_sym + +- jmp error_exit /* %ebx: no swapgs flag */ ++ jmp error_exit + .endif + END(\sym) + .endm +@@ -1222,7 +1222,6 @@ END(paranoid_exit) + + /* + * Save all registers in pt_regs, and switch GS if needed. +- * Return: EBX=0: came from user mode; EBX=1: otherwise + */ + ENTRY(error_entry) + UNWIND_HINT_FUNC +@@ -1269,7 +1268,6 @@ ENTRY(error_entry) + * for these here too. + */ + .Lerror_kernelspace: +- incl %ebx + leaq native_irq_return_iret(%rip), %rcx + cmpq %rcx, RIP+8(%rsp) + je .Lerror_bad_iret +@@ -1303,28 +1301,20 @@ ENTRY(error_entry) + + /* + * Pretend that the exception came from user mode: set up pt_regs +- * as if we faulted immediately after IRET and clear EBX so that +- * error_exit knows that we will be returning to user mode. ++ * as if we faulted immediately after IRET. + */ + mov %rsp, %rdi + call fixup_bad_iret + mov %rax, %rsp +- decl %ebx + jmp .Lerror_entry_from_usermode_after_swapgs + END(error_entry) + +- +-/* +- * On entry, EBX is a "return to kernel mode" flag: +- * 1: already in kernel mode, don't need SWAPGS +- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode +- */ + ENTRY(error_exit) + UNWIND_HINT_REGS + DISABLE_INTERRUPTS(CLBR_ANY) + TRACE_IRQS_OFF +- testl %ebx, %ebx +- jnz retint_kernel ++ testb $3, CS(%rsp) ++ jz retint_kernel + jmp retint_user + END(error_exit) + +-- +2.18.0 + -- cgit From 059f3ba4f27b430040c8c7ea030219004c80e140 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 1 Aug 2018 18:07:54 +0100 Subject: Add fix for lan78xx RX packets (Raspberry Pi 3B+) --- kernel.spec | 6 ++ ...x-rx-handling-before-first-packet-is-send.patch | 97 ++++++++++++++++++++++ 2 files changed, 103 insertions(+) create mode 100644 net-lan78xx-fix-rx-handling-before-first-packet-is-send.patch diff --git a/kernel.spec b/kernel.spec index 106174750..b48b47d8d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -615,6 +615,9 @@ Patch330: bcm2837-rpi-initial-3plus-support.patch Patch332: bcm2837-enable-pmu.patch Patch333: bcm2837-lan78xx-fixes.patch +# https://patchwork.kernel.org/patch/10547897/ +Patch334: net-lan78xx-fix-rx-handling-before-first-packet-is-send.patch + # 400 - IBM (ppc/s390x) patches # 500 - Temp fixes/CVEs etc @@ -1926,6 +1929,9 @@ fi # # %changelog +* Wed Aug 1 2018 Peter Robinson +- Add fix for lan78xx RX packets (Raspberry Pi 3B+) + * Mon Jul 30 2018 Justin M. Forbes - 4.17.11-200 - Linux v4.17.11 - Turn off kernel-headers for the split diff --git a/net-lan78xx-fix-rx-handling-before-first-packet-is-send.patch b/net-lan78xx-fix-rx-handling-before-first-packet-is-send.patch new file mode 100644 index 000000000..d4726ad8f --- /dev/null +++ b/net-lan78xx-fix-rx-handling-before-first-packet-is-send.patch @@ -0,0 +1,97 @@ +From patchwork Sat Jul 28 07:52:10 2018 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +X-Patchwork-Submitter: Stefan Wahren +X-Patchwork-Id: 10547897 +Return-Path: +Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org + [172.30.200.125]) + by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0E30E13BF + for ; + Sat, 28 Jul 2018 07:53:14 +0000 (UTC) +Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0007D28505 + for ; + Sat, 28 Jul 2018 07:53:13 +0000 (UTC) +Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) + id E44B22B5DF; Sat, 28 Jul 2018 07:53:13 +0000 (UTC) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + pdx-wl-mail.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, + RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5462E28505 + for ; + Sat, 28 Jul 2018 07:53:13 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1726185AbeG1JSf (ORCPT + ); + Sat, 28 Jul 2018 05:18:35 -0400 +Received: from mout.kundenserver.de ([212.227.17.10]:52173 "EHLO + mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1726061AbeG1JSf (ORCPT + ); Sat, 28 Jul 2018 05:18:35 -0400 +Received: from localhost.localdomain ([37.4.249.97]) by + mrelayeu.kundenserver.de (mreue102 [212.227.15.183]) with ESMTPSA (Nemesis) + id 0MUVwx-1fbNw12XvX-00REnE; Sat, 28 Jul 2018 09:52:50 +0200 +From: Stefan Wahren +To: Woojung Huh , + UNGLinuxDriver@microchip.com, + "David S. Miller" +Cc: Greg Kroah-Hartman , + Dave Stevenson , + netdev@vger.kernel.org, linux-usb@vger.kernel.org, + Stefan Wahren +Subject: [PATCH] net: lan78xx: fix rx handling before first packet is send +Date: Sat, 28 Jul 2018 09:52:10 +0200 +Message-Id: <1532764330-14522-1-git-send-email-stefan.wahren@i2se.com> +X-Mailer: git-send-email 2.7.4 +X-Provags-ID: V03:K1:1UgD7xV2Hs3djVASkjGZexXrelNVV9KQ4W/KMZ/6ZAjOD8iCVVb + 8jgtNmA1TZYvTOLPwIOhlB8fkrx6AkSXGQRQtE1q6zNBYDYszenIppRha2tGTSDIR8dnhZs + tmeCWOtaIFiYiDYuCEtYrYgFELx1btCiQS8Ibc237s0SLbaPNnQ369IwfgO4dQdcdOZuixw + Ugo4KTjNh2qR2Hp4FWD7g== +X-UI-Out-Filterresults: notjunk:1;V01:K0:JyYP1ZeZOl0=:98L7zdWnTjAX3Fa+4Pqc+f + T3TiXkUfXJyEJ+QxnkwcBp0LXo+7/LWQ7h4/cZJnHF7Uo8bsvljCcRVGmMhx5Cy46MtNZvUED + CW5cOvXktUAucStGptcPE+qDnRJ6ruaSzDuwc/A7tBqW518YK/KyASr+EwASjmyvcqOYMVd6M + ZAP4in8S1PqQ98w3Ya3wxpz4heiv9J6xbs1HGSjNCBs0T80zp9ufdlNqCz7QBJ/07LlheZPkh + TeMhKHNUoaqIq2wfm/LT2+O9oO4hBPB1kGcwj50z5oPO86MXeJWtoUx8JKU8l+56tWQydlhc7 + PYFqGBnCG+krEz6Eoh1CM+KJIh1CrmlteojK38ny/GllmThwPLrXsVrVaUPoZ38gduQz3Ug5+ + gyOA7CU3L/eamlSo1XevvLRdv8ObDF5V82qTvBANHqEg5ZAW0MIe/hhIGKArtR1jpXSOan4M6 + lY6ejQh3ZBtliMvpjoPCWh3ivl7hQpi+Cm4cQrJeq1DuB1MbGJQfZXCieSBUJkhi7y8YLzuN6 + N2QlDoLCXzmrz2N2Fcx69oKVIKOfWVk9wgXlYKNG7Ovd8KT0jVwG8WpWRKhRTwsJYWvRY9+Rc + MA7jSxJSgtBSA/cs12dACWJ8rkaA9uezD1g8YRFSJDf/IXXUqWmONuPGAh89RtCr+lMQne/oY + da1rqaBklRMhegBeJ1yrYFkyuyoWztMMC7JbjrM7lMHkOfhih49WDkWBTGZvdEwTc+Ps= +Sender: linux-usb-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-usb@vger.kernel.org +X-Virus-Scanned: ClamAV using ClamSMTP + +As long the bh tasklet isn't scheduled once, no packet from the rx path +will be handled. Since the tx path also schedule the same tasklet +this situation only persits until the first packet transmission. +So fix this issue by scheduling the tasklet after link reset. + +Link: https://github.com/raspberrypi/linux/issues/2617 +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet") +Suggested-by: Floris Bos +Signed-off-by: Stefan Wahren +--- + drivers/net/usb/lan78xx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index ed10d49..aeca484 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1242,6 +1242,8 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) + mod_timer(&dev->stat_monitor, + jiffies + STAT_UPDATE_TIMER); + } ++ ++ tasklet_schedule(&dev->bh); + } + + return ret; -- cgit