This is a backport of 2a3f93459d689d990b3ecfbe782fec89b97d3279
("arm64: KVM: Sanitize PSTATE.M when being set from userspace") to
4.4-stable.
It requires a backport of 042446a31e3803d81c7e618dd80928dc3dce70c5
("arm64: cpufeature: Track 32bit EL0 support") as a dependency.
Marc Zyngier (1):
arm64: KVM: Sanitize PSTATE.M when being set from userspace
Suzuki K Poulose (1):
arm64: cpufeature: Track 32bit EL0 support
arch/arm64/include/asm/cpufeature.h | 8 +++++++-
arch/arm64/include/asm/kvm_emulate.h | 5 +++++
arch/arm64/include/asm/sysreg.h | 1 +
arch/arm64/kernel/cpufeature.c | 8 ++++++++
arch/arm64/kvm/guest.c | 10 +++++++++-
5 files changed, 30 insertions(+), 2 deletions(-)
--
2.19.0
From: Robb Glasser <rglasser(a)google.com>
sg_ioctl could be spammed by requests, leading to a double free in
__free_pages. This protects the entry points of sg_ioctl where the
memory could be corrupted by a double call to __free_pages if multiple
requests are happening concurrently.
Signed-off-by: Robb Glasser <rglasser(a)google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers(a)google.com>
Signed-off-by: Evan Green <evgreen(a)chromium.org>
Cc: stable(a)vger.kernel.org
---
Reposting this patch from last summer, as it looks like it fell in between
the cracks.
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 8a254bb46a9b..25579d8a16b5 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -924,8 +924,10 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
return -ENXIO;
if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))
return -EFAULT;
+ mutex_lock(&sfp->parentdp->open_rel_lock);
result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
1, read_only, 1, &srp);
+ mutex_unlock(&sfp->parentdp->open_rel_lock);
if (result < 0)
return result;
result = wait_event_interruptible(sfp->read_wait,
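Review bot: the lock is taken only around sg_new_write() in the SG_IO path, yet the message says it protects "the entry points of sg_ioctl" (plural) and names a double free in __free_pages without saying which two paths race on the same pages; please describe the racing paths in the commit message so a reviewer can confirm that every path reaching that free is now serialized, and not just this one. Two smaller points on the hunk itself: open_rel_lock is the mutex sg_open()/sg_release() take, so holding it across sg_new_write() (which can block on allocation and on the device) means a slow SG_IO request now stalls open and release on the same device; and since this is an ioctl path, `mutex_lock_interruptible()` with `return -ERESTARTSYS` on failure is the usual choice over the uninterruptible `mutex_lock()`. The unlock sits before the `if (result < 0)` return, so no lock is leaked on the error path.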
--
2.19.0.605.g01d371f741-goog
commit 2a3f93459d689d990b3ecfbe782fec89b97d3279 upstream.
Not all execution modes are valid for a guest, and some of them
depend on what the HW actually supports. Let's verify that what
userspace provides is compatible with both the VM settings and
the HW capabilities.
Cc: <stable(a)vger.kernel.org>
Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu")
Reviewed-by: Christoffer Dall <christoffer.dall(a)arm.com>
Reviewed-by: Mark Rutland <mark.rutland(a)arm.com>
Reviewed-by: Dave Martin <Dave.Martin(a)arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com>
Signed-off-by: Will Deacon <will.deacon(a)arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com>
---
arch/arm64/kvm/guest.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 4a177629862b..d5c6bb1562d8 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -152,17 +152,25 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
}
if (off == KVM_REG_ARM_CORE_REG(regs.pstate)) {
- u32 mode = (*(u32 *)valp) & COMPAT_PSR_MODE_MASK;
+ u64 mode = (*(u64 *)valp) & COMPAT_PSR_MODE_MASK;
switch (mode) {
case COMPAT_PSR_MODE_USR:
+ if (!system_supports_32bit_el0())
+ return -EINVAL;
+ break;
case COMPAT_PSR_MODE_FIQ:
case COMPAT_PSR_MODE_IRQ:
case COMPAT_PSR_MODE_SVC:
case COMPAT_PSR_MODE_ABT:
case COMPAT_PSR_MODE_UND:
+ if (!vcpu_el1_is_32bit(vcpu))
+ return -EINVAL;
+ break;
case PSR_MODE_EL0t:
case PSR_MODE_EL1t:
case PSR_MODE_EL1h:
+ if (vcpu_el1_is_32bit(vcpu))
+ return -EINVAL;
break;
default:
err = -EINVAL;
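Review bot: the widening from `u32` to `u64` is correct (core registers are 64-bit values), but note that only `mode`, the value masked with COMPAT_PSR_MODE_MASK, is validated; the remaining bits of the 64-bit PSTATE value are still written through unchecked, which is pre-existing behaviour and worth a sentence in the message. The USR case deserves a comment: it is gated on `system_supports_32bit_el0()` alone rather than on `vcpu_el1_is_32bit()` because a 64-bit EL1 guest may legitimately run AArch32 code at EL0, but without a comment the asymmetry with the other compat modes reads as accidental. The `break;` after the USR check is load-bearing (it prevents falling through into the `vcpu_el1_is_32bit()` test that would reject USR for 64-bit guests), so it should not be "cleaned up" later.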
--
2.19.0
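The mode table that the patch above encodes in set_core_reg() is easier to reason about as a pure function. The following is an added example written for this page, not code from the patch or from the kernel: it models the two kernel predicates (`vcpu_el1_is_32bit()` and `system_supports_32bit_el0()`) as fields of a hypothetical `struct vcpu_model`, takes the PSTATE.M encodings from the arm64 headers as an assumption, and returns the same accept/reject decision the hunk makes for a 64-bit pstate value.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * PSTATE.M encodings. These values are assumed from the arm64 headers
 * (arch/arm64/include/asm/ptrace.h); the page itself only names the macros.
 */
#define PSR_MODE_EL0t        0x00000000ULL
#define PSR_MODE_EL1t        0x00000004ULL
#define PSR_MODE_EL1h        0x00000005ULL
#define COMPAT_PSR_MODE_USR  0x00000010ULL
#define COMPAT_PSR_MODE_FIQ  0x00000011ULL
#define COMPAT_PSR_MODE_IRQ  0x00000012ULL
#define COMPAT_PSR_MODE_SVC  0x00000013ULL
#define COMPAT_PSR_MODE_ABT  0x00000017ULL
#define COMPAT_PSR_MODE_UND  0x0000001bULL
#define COMPAT_PSR_MODE_MASK 0x0000001fULL

/* Hypothetical stand-in for the two kernel predicates the patch consults. */
struct vcpu_model {
    bool el1_is_32bit;          /* vcpu_el1_is_32bit(): VM was created as an AArch32 guest */
    bool hw_supports_32bit_el0; /* system_supports_32bit_el0(): CPU can run AArch32 at EL0 */
};

/*
 * Mirror of the validation table in set_core_reg(): accept the 64-bit
 * pstate value only if its mode field is legal for this vCPU on this HW.
 * Returns 0 on success, -EINVAL on rejection. Only the mode field is
 * validated, exactly as in the patch; the remaining PSTATE bits pass through.
 */
int check_pstate_mode(const struct vcpu_model *v, uint64_t pstate)
{
    uint64_t mode = pstate & COMPAT_PSR_MODE_MASK;

    switch (mode) {
    case COMPAT_PSR_MODE_USR:
        /* AArch32 user mode is legal for both guest flavours, but needs HW AArch32 EL0. */
        return v->hw_supports_32bit_el0 ? 0 : -EINVAL;
    case COMPAT_PSR_MODE_FIQ:
    case COMPAT_PSR_MODE_IRQ:
    case COMPAT_PSR_MODE_SVC:
    case COMPAT_PSR_MODE_ABT:
    case COMPAT_PSR_MODE_UND:
        /* AArch32 privileged modes: only for a VM whose EL1 is 32-bit. */
        return v->el1_is_32bit ? 0 : -EINVAL;
    case PSR_MODE_EL0t:
    case PSR_MODE_EL1t:
    case PSR_MODE_EL1h:
        /* AArch64 modes: only for a VM whose EL1 is 64-bit. */
        return v->el1_is_32bit ? -EINVAL : 0;
    default:
        /* EL2/EL3 modes, AArch32 SYSTEM/HYP/MON and reserved encodings are rejected. */
        return -EINVAL;
    }
}

int main(void)
{
    const struct vcpu_model aarch64_vm = { .el1_is_32bit = false, .hw_supports_32bit_el0 = true };
    const struct vcpu_model aarch32_vm = { .el1_is_32bit = true,  .hw_supports_32bit_el0 = true };
    const struct vcpu_model aarch64_only_hw = { .el1_is_32bit = false, .hw_supports_32bit_el0 = false };
    /* Constructed probe values: EL1h, SVC, USR, AArch32 SYSTEM (0x1f), and EL1h with DAIF set. */
    const uint64_t probes[] = { PSR_MODE_EL1h, COMPAT_PSR_MODE_SVC, COMPAT_PSR_MODE_USR, 0x1fULL, 0x3c5ULL };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("pstate 0x%03llx: aarch64 vm %d, aarch32 vm %d, aarch64-only hw %d\n",
               (unsigned long long)probes[i],
               check_pstate_mode(&aarch64_vm, probes[i]),
               check_pstate_mode(&aarch32_vm, probes[i]),
               check_pstate_mode(&aarch64_only_hw, probes[i]));
    return 0;
}
```

The probe with DAIF set (0x3c5) is accepted for the 64-bit VM because, as in the patch, the check masks down to the mode field before comparing; everything above bit 4 is not inspected here.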
The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 8604895a34d92f5e186ceb931b0d1b384030ea3d Mon Sep 17 00:00:00 2001
From: Michael Bringmann <mwb(a)linux.vnet.ibm.com>
Date: Thu, 20 Sep 2018 11:45:13 -0500
Subject: [PATCH] powerpc/pseries: Fix uninitialized timer reset on migration
After migration of a powerpc LPAR, the kernel executes code to
update the system state to reflect new platform characteristics.
Such changes include modifications to device tree properties provided
to the system by PHYP. Property notifications received by the
post_mobility_fixup() code are passed along to the kernel in general
through a call to of_update_property() which in turn passes such
events back to all modules through entries like the '.notifier_call'
function within the NUMA module.
When the NUMA module updates its state, it resets its event timer. If
this occurs after a previous call to stop_topology_update() or on a
system without VPHN enabled, the code runs into an uninitialized timer
structure and crashes. This patch adds a safety check along this path
toward the problem code.
An example crash log is as follows.
ibmvscsi 30000081: Re-enabling adapter!
------------[ cut here ]------------
kernel BUG at kernel/time/timer.c:958!
Oops: Exception in kernel mode, sig: 5 [#1]
LE SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: nfsv3 nfs_acl nfs tcp_diag udp_diag inet_diag lockd unix_diag af_packet_diag netlink_diag grace fscache sunrpc xts vmx_crypto pseries_rng sg binfmt_misc ip_tables xfs libcrc32c sd_mod ibmvscsi ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
CPU: 11 PID: 3067 Comm: drmgr Not tainted 4.17.0+ #179
...
NIP mod_timer+0x4c/0x400
LR reset_topology_timer+0x40/0x60
Call Trace:
0xc0000003f9407830 (unreliable)
reset_topology_timer+0x40/0x60
dt_update_callback+0x100/0x120
notifier_call_chain+0x90/0x100
__blocking_notifier_call_chain+0x60/0x90
of_property_notify+0x90/0xd0
of_update_property+0x104/0x150
update_dt_property+0xdc/0x1f0
pseries_devicetree_update+0x2d0/0x510
post_mobility_fixup+0x7c/0xf0
migration_store+0xa4/0xc0
kobj_attr_store+0x30/0x60
sysfs_kf_write+0x64/0xa0
kernfs_fop_write+0x16c/0x240
__vfs_write+0x40/0x200
vfs_write+0xc8/0x240
ksys_write+0x5c/0x100
system_call+0x58/0x6c
Fixes: 5d88aa85c00b ("powerpc/pseries: Update CPU maps when device tree is updated")
Cc: stable(a)vger.kernel.org # v3.10+
Signed-off-by: Michael Bringmann <mwb(a)linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au>
diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
index 35ac5422903a..b5a71baedbc2 100644
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -1452,7 +1452,8 @@ static struct timer_list topology_timer;
static void reset_topology_timer(void)
{
- mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
+ if (vphn_enabled)
+ mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
}
#ifdef CONFIG_SMP
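Review bot: the `vphn_enabled` test in reset_topology_timer() is a bare check-then-act on a flag that is read here with no lock or barrier against whatever code clears it, so if stop_topology_update() can run concurrently with the device-tree notifier (the trace shows the notifier running from a sysfs write, i.e. arbitrary process context), the timer can still be re-armed immediately after it has been stopped. Either the flag read and the `mod_timer()` call should happen under the same protection as the code that clears the flag, or, more robustly, `topology_timer` should be initialized once at boot regardless of VPHN so that `mod_timer()` can never see an uninitialized timer_list on any path.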
The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 8604895a34d92f5e186ceb931b0d1b384030ea3d Mon Sep 17 00:00:00 2001
From: Michael Bringmann <mwb(a)linux.vnet.ibm.com>
Date: Thu, 20 Sep 2018 11:45:13 -0500
Subject: [PATCH] powerpc/pseries: Fix uninitialized timer reset on migration
After migration of a powerpc LPAR, the kernel executes code to
update the system state to reflect new platform characteristics.
Such changes include modifications to device tree properties provided
to the system by PHYP. Property notifications received by the
post_mobility_fixup() code are passed along to the kernel in general
through a call to of_update_property() which in turn passes such
events back to all modules through entries like the '.notifier_call'
function within the NUMA module.
When the NUMA module updates its state, it resets its event timer. If
this occurs after a previous call to stop_topology_update() or on a
system without VPHN enabled, the code runs into an uninitialized timer
structure and crashes. This patch adds a safety check along this path
toward the problem code.
An example crash log is as follows.
ibmvscsi 30000081: Re-enabling adapter!
------------[ cut here ]------------
kernel BUG at kernel/time/timer.c:958!
Oops: Exception in kernel mode, sig: 5 [#1]
LE SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: nfsv3 nfs_acl nfs tcp_diag udp_diag inet_diag lockd unix_diag af_packet_diag netlink_diag grace fscache sunrpc xts vmx_crypto pseries_rng sg binfmt_misc ip_tables xfs libcrc32c sd_mod ibmvscsi ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod
CPU: 11 PID: 3067 Comm: drmgr Not tainted 4.17.0+ #179
...
NIP mod_timer+0x4c/0x400
LR reset_topology_timer+0x40/0x60
Call Trace:
0xc0000003f9407830 (unreliable)
reset_topology_timer+0x40/0x60
dt_update_callback+0x100/0x120
notifier_call_chain+0x90/0x100
__blocking_notifier_call_chain+0x60/0x90
of_property_notify+0x90/0xd0
of_update_property+0x104/0x150
update_dt_property+0xdc/0x1f0
pseries_devicetree_update+0x2d0/0x510
post_mobility_fixup+0x7c/0xf0
migration_store+0xa4/0xc0
kobj_attr_store+0x30/0x60
sysfs_kf_write+0x64/0xa0
kernfs_fop_write+0x16c/0x240
__vfs_write+0x40/0x200
vfs_write+0xc8/0x240
ksys_write+0x5c/0x100
system_call+0x58/0x6c
Fixes: 5d88aa85c00b ("powerpc/pseries: Update CPU maps when device tree is updated")
Cc: stable(a)vger.kernel.org # v3.10+
Signed-off-by: Michael Bringmann <mwb(a)linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au>
diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
index 35ac5422903a..b5a71baedbc2 100644
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -1452,7 +1452,8 @@ static struct timer_list topology_timer;
static void reset_topology_timer(void)
{
- mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
+ if (vphn_enabled)
+ mod_timer(&topology_timer, jiffies + topology_timer_secs * HZ);
}
#ifdef CONFIG_SMP
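Review bot: the guard silences the BUG at timer.c:958 but does not address why the timer_list is uninitialized on that path, and the commit message names two cases (a prior stop_topology_update() and a system without VPHN) while the hunk only tests `vphn_enabled`; the first case is covered only if stop_topology_update() also clears that flag, which the hunk does not show. Please state in the message which case the check covers, and consider initializing `topology_timer` unconditionally at boot so that `mod_timer()` is safe everywhere and the `vphn_enabled` check becomes a policy decision rather than a crash guard.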
The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 51c3c62b58b357e8d35e4cc32f7b4ec907426fe3 Mon Sep 17 00:00:00 2001
From: Michael Neuling <mikey(a)neuling.org>
Date: Fri, 14 Sep 2018 11:14:11 +1000
Subject: [PATCH] powerpc: Avoid code patching freed init sections
This stops us from doing code patching in init sections after they've
been freed.
In this chain:
kvm_guest_init() ->
kvm_use_magic_page() ->
fault_in_pages_readable() ->
__get_user() ->
__get_user_nocheck() ->
barrier_nospec();
We have a code patching location at barrier_nospec() and
kvm_guest_init() is an init function. This whole chain gets inlined,
so when we free the init section (hence kvm_guest_init()), this code
goes away and hence should no longer be patched.
We saw this as userspace memory corruption when using a memory
checker while doing partition migration testing on powervm (this
starts the code patching post migration via
/sys/kernel/mobility/migration). In theory, it could also happen when
using /sys/kernel/debug/powerpc/barrier_nospec.
Cc: stable(a)vger.kernel.org # 4.13+
Signed-off-by: Michael Neuling <mikey(a)neuling.org>
Reviewed-by: Nicholas Piggin <npiggin(a)gmail.com>
Reviewed-by: Christophe Leroy <christophe.leroy(a)c-s.fr>
Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au>
diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h
index 1a951b00465d..1fffbba8d6a5 100644
--- a/arch/powerpc/include/asm/setup.h
+++ b/arch/powerpc/include/asm/setup.h
@@ -9,6 +9,7 @@ extern void ppc_printk_progress(char *s, unsigned short hex);
extern unsigned int rtas_data;
extern unsigned long long memory_limit;
+extern bool init_mem_is_free;
extern unsigned long klimit;
extern void *zalloc_maybe_bootmem(size_t size, gfp_t mask);
diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
index 850f3b8f4da5..6ae2777c220d 100644
--- a/arch/powerpc/lib/code-patching.c
+++ b/arch/powerpc/lib/code-patching.c
@@ -28,6 +28,12 @@ static int __patch_instruction(unsigned int *exec_addr, unsigned int instr,
{
int err;
+ /* Make sure we aren't patching a freed init section */
+ if (init_mem_is_free && init_section_contains(exec_addr, 4)) {
+ pr_debug("Skipping init section patching addr: 0x%px\n", exec_addr);
+ return 0;
+ }
+
__put_user_size(instr, patch_addr, 4, err);
if (err)
return err;
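Review bot: the `init_mem_is_free` read in __patch_instruction() has no ordering against the store in free_initmem(), so a patch that is already past this check when the flag flips can still land in memory that is about to be freed; this hunk closes the reported post-migration case, and the commit message should say it narrows the window rather than excludes it. Returning 0 also makes a skipped patch indistinguishable from a successful one to callers, and the `pr_debug()` is only visible with dynamic debug enabled; if any caller could legitimately expect the write to have happened, a one-shot warning or a distinct return value would surface that, otherwise a comment stating that skipping is always correct for freed init text would do.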
diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
index 5c8530d0c611..04ccb274a620 100644
--- a/arch/powerpc/mm/mem.c
+++ b/arch/powerpc/mm/mem.c
@@ -63,6 +63,7 @@
#endif
unsigned long long memory_limit;
+bool init_mem_is_free;
#ifdef CONFIG_HIGHMEM
pte_t *kmap_pte;
@@ -396,6 +397,7 @@ void free_initmem(void)
{
ppc_md.progress = ppc_printk_progress;
mark_initmem_nx();
+ init_mem_is_free = true;
free_initmem_default(POISON_FREE_INITMEM);
}
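Review bot: setting `init_mem_is_free = true` before `free_initmem_default()` is the safe ordering (patching stops slightly early rather than slightly late), but that reasoning is not written down anywhere and the store is a plain assignment; a one-line comment here, and a release/acquire pair (or at least an `smp_wmb()` here against a `READ_ONCE()` at the reader) if patching can run on other CPUs while init memory is freed, would make the intent explicit for the next person touching either side.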
Hi Greg,
Please pull commits for Linux 4.18.
I've sent a review request for all commits over a week ago and all
comments were addressed.
Thanks,
Sasha
=====
The following changes since commit 2f411a0873a9daa20ae16cf5879d11bbea267582:
Linux 4.18.11 (2018-09-29 02:56:03 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.18-01102018
for you to fetch changes up to f117a21eb2c294b9c1858bfdcc3323cf1d8256f7:
x86/pti: Fix section mismatch warning/error (2018-09-29 13:00:48 -0400)
----------------------------------------------------------------
for-greg-4.18-01102018
----------------------------------------------------------------
Akshu Agrawal (1):
clk: x86: Set default parent to 48Mhz
Anirudh Venkataramanan (3):
ice: Fix multiple static analyser warnings
ice: Fix bugs in control queue processing
ice: Fix a few null pointer dereference issues
Anson Huang (1):
thermal: of-thermal: disable passive polling when thermal zone is disabled
Bo Chen (2):
e1000: check on netif_running() before calling e1000_up()
e1000: ensure to free old tx/rx rings in set_ringparam()
Brett Creeley (1):
ice: Set VLAN flags correctly
Christian König (2):
drm/amdgpu: fix VM clearing for the root PD
drm/amdgpu: fix preamble handling
Dan Carpenter (1):
hwmon: (adt7475) Make adt7475_read_word() return errors
Daniel Borkmann (2):
bpf, sockmap: fix sock_hash_alloc and reject zero-sized keys
bpf, sockmap: fix sock hash count in alloc_sock_hash_elem
Emily Deng (2):
amdgpu: fix multi-process hang issue
drm/amdgpu: Need to set moved to true when evict bo
Eric Sandeen (1):
isofs: reject hardware sector size > 2048 bytes
Ganesh Goudar (1):
crypto: chtls - fix null dereference chtls_free_uld()
Huazhong Tan (3):
net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
net: hns: fix skb->truesize underestimation
net: hns3: fix page_offset overflow when CONFIG_ARM64_64K_PAGES
Jacob Keller (3):
ice: Report stats for allocated queues via ethtool stats
ice: Use order_base_2 to calculate higher power of 2
i40e: fix condition of WARN_ONCE for stat strings
James Smart (1):
nvme-fcloop: Fix dropped LS's to removed target port
Jesse Brandeburg (1):
ice: Fix potential return of uninitialized value
John Fastabend (2):
tls: possible hang when do_tcp_sendpages hits sndbuf is full case
bpf: sockmap: write_space events need to be passed to TCP handler
Kevin Yang (2):
tcp_bbr: add bbr_check_probe_rtt_done() helper
tcp_bbr: in restart from idle, see if we should exit PROBE_RTT
Leonard Crestez (1):
Revert "ARM: dts: imx7d: Invert legacy PCI irq mapping"
Linus Walleij (1):
ata: ftide010: Add a quirk for SQ201
Lothar Felten (1):
hwmon: (ina2xx) fix sysfs shunt resistor read access
Ludovic Desroches (2):
mmc: atmel-mci: fix bad logic of sg_copy_{from,to}_buffer conversion
mmc: android-goldfish: fix bad logic of sg_copy_{from,to}_buffer conversion
Marc Zyngier (2):
arm/arm64: smccc-1.1: Make return values unsigned long
arm/arm64: smccc-1.1: Handle function result as parameters
Martyna Szapar (1):
i40e: Fix for Tx timeouts when interface is brought up if DCB is enabled
Mika Westerberg (1):
i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
Pavel Machek (1):
ARM: dts: omap4-droid4: fix vibrations on Droid 4
Preethi Banala (1):
ice: Clean control queues only when they are initialized
Quentin Monnet (1):
tools: bpftool: return from do_event_pipe() on bad arguments
Randy Dunlap (1):
x86/pti: Fix section mismatch warning/error
Rex Zhu (2):
drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
drm/amdgpu: Update power state at the end of smu hw_init.
Samuel Mendoza-Jonas (1):
net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler
Sebastian Basierski (1):
ixgbe: fix driver behaviour after issuing VFLR
Srikanth Jampala (1):
crypto: cavium/nitrox - fix for command corruption in queue full case with backlog submissions.
Tomer Tayar (4):
qed: Wait for ready indication before rereading the shmem
qed: Wait for MCP halt and resume commands to take place
qed: Prevent a possible deadlock during driver load and unload
qed: Avoid sending mailbox commands when MFW is not responsive
Tony Lindgren (5):
ARM: OMAP2+: Fix null hwmod for ti-sysc debug
ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
bus: ti-sysc: Fix module register ioremap for larger offsets
bus: ti-sysc: Fix no_console_suspend handling
ARM: dts: omap4-droid4: Fix emmc errors seen on some devices
Documentation/hwmon/ina2xx | 2 +-
arch/arm/boot/dts/imx7d.dtsi | 12 +-
arch/arm/boot/dts/omap4-droid4-xt894.dts | 20 +--
arch/arm/mach-omap2/omap_hwmod.c | 39 ++++-
arch/x86/mm/pti.c | 2 +-
drivers/ata/pata_ftide010.c | 27 ++--
drivers/bus/ti-sysc.c | 37 +++--
drivers/clk/x86/clk-st.c | 2 +-
drivers/crypto/cavium/nitrox/nitrox_dev.h | 3 +-
drivers/crypto/cavium/nitrox/nitrox_lib.c | 1 +
drivers/crypto/cavium/nitrox/nitrox_reqmgr.c | 57 ++++---
drivers/crypto/chelsio/chtls/chtls.h | 5 +
drivers/crypto/chelsio/chtls/chtls_main.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 16 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 3 +-
drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 11 +-
drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 4 +-
drivers/gpu/drm/amd/amdgpu/si_dpm.c | 3 +-
drivers/hwmon/adt7475.c | 14 +-
drivers/hwmon/ina2xx.c | 13 +-
drivers/i2c/busses/i2c-i801.c | 9 +-
drivers/mmc/host/android-goldfish.c | 4 +-
drivers/mmc/host/atmel-mci.c | 12 +-
drivers/net/ethernet/hisilicon/hns/hnae.h | 6 +-
drivers/net/ethernet/hisilicon/hns/hns_enet.c | 2 +-
drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 6 +-
drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 7 +-
drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 15 +-
drivers/net/ethernet/intel/ice/ice.h | 7 +
drivers/net/ethernet/intel/ice/ice_adminq_cmd.h | 25 +--
drivers/net/ethernet/intel/ice/ice_common.c | 27 ++--
drivers/net/ethernet/intel/ice/ice_controlq.c | 29 ++--
drivers/net/ethernet/intel/ice/ice_ethtool.c | 52 +++++--
drivers/net/ethernet/intel/ice/ice_main.c | 98 +++++++-----
drivers/net/ethernet/intel/ice/ice_switch.c | 4 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 26 ++++
drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 1 +
drivers/net/ethernet/qlogic/qed/qed_mcp.c | 187 +++++++++++++++++++----
drivers/net/ethernet/qlogic/qed/qed_mcp.h | 27 ++--
drivers/net/ethernet/qlogic/qed/qed_reg_addr.h | 2 +
drivers/nvme/target/fcloop.c | 3 +-
drivers/thermal/of-thermal.c | 7 +-
fs/isofs/inode.c | 7 +
include/linux/arm-smccc.h | 38 +++--
include/linux/platform_data/ina2xx.h | 2 +-
kernel/bpf/sockmap.c | 11 +-
net/ipv4/tcp_bbr.c | 38 +++--
net/ncsi/ncsi-netlink.c | 4 +-
net/tls/tls_main.c | 9 +-
tools/bpf/bpftool/map_perf_ring.c | 5 +-
52 files changed, 662 insertions(+), 291 deletions(-)
Hi,
On Sat, Sep 29, 2018 at 2:10 PM <gregkh(a)linuxfoundation.org> wrote:
> This is a note to let you know that I've just added the patch titled
>
> audit: Fix extended comparison of GID/EGID
>
> to the 4.18-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
>
> The filename of the patch is:
> audit-fix-extended-comparison-of-gid-egid.patch
> and it can be found in the queue-4.18 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable(a)vger.kernel.org> know about it.
IIRC Paul didn't want this patch to go to stable (he asked me to
remove the Cc: stable@... line), since the bug has been there for a
long time and any user affected by it either doesn't care or might
actually (maybe unknowingly) rely on it. I still kept the Fixes: line
so it is clear which commit introduced the bug.
Paul, any comments?
In any case, if you decide to push this patch into stable (note that
it is queued also for 4.14, 4.9, 4.4, and 3.18), then make sure to
include also commit 4b09791ba059 ("cred: conditionally declare
groups-related functions") to avoid build errors with
CONFIG_MULTIUSER=n and CONFIG_AUDIT_SYSCALL=y. It is a non-functional
commit for the rest of the kernel.
>
>
> From foo@baz Sat Sep 29 04:24:28 PDT 2018
> From: "Ondrej Mosnáček" <omosnace(a)redhat.com>
> Date: Tue, 5 Jun 2018 11:00:10 +0200
> Subject: audit: Fix extended comparison of GID/EGID
>
> From: "Ondrej Mosnáček" <omosnace(a)redhat.com>
>
> [ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ]
>
> The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
> functions to check GID/EGID match, but these functions use the current
> task's credentials, while the comparison should use the credentials of
> the task given to audit_filter_rules() as a parameter (tsk).
>
> Note that we can use group_search(cred->group_info, ...) as a
> replacement for both in_group_p and in_egroup_p as these functions only
> compare the parameter to cred->fsgid/egid and then call group_search.
>
> In fact, the usage of in_group_p was even more incorrect: it compares to
> cred->fsgid (which is usually equal to cred->egid) and not cred->gid.
>
> GitHub issue:
> https://github.com/linux-audit/audit-kernel/issues/82
>
> Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic")
> Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
> Signed-off-by: Paul Moore <paul(a)paul-moore.com>
> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
> ---
> kernel/auditsc.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -494,20 +494,20 @@ static int audit_filter_rules(struct tas
> result = audit_gid_comparator(cred->gid, f->op, f->gid);
> if (f->op == Audit_equal) {
> if (!result)
> - result = in_group_p(f->gid);
> + result = groups_search(cred->group_info, f->gid);
> } else if (f->op == Audit_not_equal) {
> if (result)
> - result = !in_group_p(f->gid);
> + result = !groups_search(cred->group_info, f->gid);
> }
> break;
> case AUDIT_EGID:
> result = audit_gid_comparator(cred->egid, f->op, f->gid);
> if (f->op == Audit_equal) {
> if (!result)
> - result = in_egroup_p(f->gid);
> + result = groups_search(cred->group_info, f->gid);
> } else if (f->op == Audit_not_equal) {
> if (result)
> - result = !in_egroup_p(f->gid);
> + result = !groups_search(cred->group_info, f->gid);
> }
> break;
> case AUDIT_SGID:
>
>
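Review bot: for a stable backport this hunk relies on groups_search() being declared on CONFIG_MULTIUSER=n builds, which is exactly the dependency on commit 4b09791ba059 ("cred: conditionally declare groups-related functions") raised in the reply above; whoever queues this should carry both commits or the CONFIG_MULTIUSER=n, CONFIG_AUDIT_SYSCALL=y configuration fails to build. Behaviour-wise, the AUDIT_GID case stops matching `cred->fsgid` (what in_group_p() compared, as the commit message notes) and now matches `cred->gid` plus the task's own supplementary list, so rules written against the old semantics can change outcome; that compatibility effect is the concern voiced above and belongs in the commit message for anyone deciding whether to pick this into a stable tree.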
> Patches currently in stable-queue which might be from omosnace(a)redhat.com are
>
> queue-4.18/audit-fix-extended-comparison-of-gid-egid.patch
Thanks,
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
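The behavioural difference the audit patch and the reply above discuss (which task's credentials are consulted, and the fsgid-versus-gid quirk of in_group_p()) can be made concrete with a small model. The following is an added example written for this page, not code from the kernel or from the patch: it models `cred`, `group_info`, `groups_search()` and `in_group_p()` as hypothetical userspace structures and functions, with `in_group_p()` given the semantics the commit message describes (compare the calling task's fsgid, then search its supplementary groups), and evaluates the AUDIT_GID rule both before and after the change. The AUDIT_EGID case has the same shape with egid in place of gid and is omitted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace-sized models of the kernel structures involved. */
struct group_info_model {
    size_t ngroups;
    const unsigned int *gids;   /* supplementary group IDs */
};

struct cred_model {
    unsigned int gid;    /* real GID */
    unsigned int egid;   /* effective GID */
    unsigned int fsgid;  /* filesystem GID */
    struct group_info_model group_info;
};

enum audit_op_model { AUDIT_EQUAL_M, AUDIT_NOT_EQUAL_M };

/* Model of groups_search(): is gid in the supplementary list? */
static bool groups_search_model(const struct group_info_model *gi, unsigned int gid)
{
    for (size_t i = 0; i < gi->ngroups; i++)
        if (gi->gids[i] == gid)
            return true;
    return false;
}

/* Model of in_group_p(): fsgid of the CALLING task, then its supplementary groups. */
static bool in_group_p_model(const struct cred_model *current_cred, unsigned int gid)
{
    return current_cred->fsgid == gid || groups_search_model(&current_cred->group_info, gid);
}

/*
 * AUDIT_GID evaluation before the fix: compares tsk's gid, then falls back
 * to in_group_p(), which looks at the current task's credentials, not tsk's.
 */
bool audit_gid_before(const struct cred_model *tsk, const struct cred_model *current_cred,
                      enum audit_op_model op, unsigned int rule_gid)
{
    if (op == AUDIT_EQUAL_M) {
        bool result = (tsk->gid == rule_gid);
        if (!result)
            result = in_group_p_model(current_cred, rule_gid);
        return result;
    }
    bool result = (tsk->gid != rule_gid);
    if (result)
        result = !in_group_p_model(current_cred, rule_gid);
    return result;
}

/* AUDIT_GID evaluation after the fix: tsk's gid, then tsk's own supplementary list. */
bool audit_gid_after(const struct cred_model *tsk, enum audit_op_model op, unsigned int rule_gid)
{
    if (op == AUDIT_EQUAL_M) {
        bool result = (tsk->gid == rule_gid);
        if (!result)
            result = groups_search_model(&tsk->group_info, rule_gid);
        return result;
    }
    bool result = (tsk->gid != rule_gid);
    if (result)
        result = !groups_search_model(&tsk->group_info, rule_gid);
    return result;
}

int main(void)
{
    /* Constructed scenario 1: audited task is in group 27, the task running the filter is not. */
    static const unsigned int g27[] = { 27 };
    const struct cred_model tsk  = { .gid = 1000, .egid = 1000, .fsgid = 1000, .group_info = { 1, g27 } };
    const struct cred_model root = { .gid = 0,    .egid = 0,    .fsgid = 0,    .group_info = { 0, NULL } };
    printf("gid=27 rule, tsk in group 27: before=%d after=%d\n",
           audit_gid_before(&tsk, &root, AUDIT_EQUAL_M, 27), audit_gid_after(&tsk, AUDIT_EQUAL_M, 27));

    /* Constructed scenario 2: same task, but its fsgid differs from its gid and no supplementary groups. */
    const struct cred_model fs = { .gid = 1000, .egid = 1000, .fsgid = 2000, .group_info = { 0, NULL } };
    printf("gid=2000 rule, tsk fsgid 2000 only: before=%d after=%d\n",
           audit_gid_before(&fs, &fs, AUDIT_EQUAL_M, 2000), audit_gid_after(&fs, AUDIT_EQUAL_M, 2000));
    return 0;
}
```

Scenario 1 is the bug the patch fixes: the old path asks about the wrong task, so a rule on group 27 misses a task that is actually in that group. Scenario 2 is the fsgid quirk the commit message mentions: the old path matched a task whose fsgid equalled the rule's gid even though its real gid did not, and the fixed path no longer does, which is the kind of rule-outcome change the reply weighs against a stable backport.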