January 2020 - Linux-stable-mirror

FAILED: patch "[PATCH] USB: serial: io_edgeport: handle unbound ports on URB" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From e37d1aeda737a20b1846a91a3da3f8b0f00cf690 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Fri, 17 Jan 2020 10:50:23 +0100 Subject: [PATCH] USB: serial: io_edgeport: handle unbound ports on URB completion Check for NULL port data in the shared interrupt and bulk completion callbacks to avoid dereferencing a NULL pointer in case a device sends data for a port device which isn't bound to a driver (e.g. due to a malicious device having unexpected endpoints or after an allocation failure on port probe). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable(a)vger.kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 9690a5f4b9d6..0582d78bdb1d 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -716,7 +716,7 @@ static void edge_interrupt_callback(struct urb *urb) if (txCredits) { port = edge_serial->serial->port[portNumber]; edge_port = usb_get_serial_port_data(port); - if (edge_port->open) { + if (edge_port && edge_port->open) { spin_lock_irqsave(&edge_port->ep_lock, flags); edge_port->txCredits += txCredits; @@ -1825,7 +1825,7 @@ static void process_rcvd_data(struct edgeport_serial *edge_serial, port = edge_serial->serial->port[ edge_serial->rxPort]; edge_port = usb_get_serial_port_data(port); - if (edge_port->open) { + if (edge_port && edge_port->open) { dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", __func__, rxLen, edge_serial->rxPort);

4 years, 11 months

1
0
0 0

FAILED: patch "[PATCH] USB: serial: io_edgeport: handle unbound ports on URB" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From e37d1aeda737a20b1846a91a3da3f8b0f00cf690 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Fri, 17 Jan 2020 10:50:23 +0100 Subject: [PATCH] USB: serial: io_edgeport: handle unbound ports on URB completion Check for NULL port data in the shared interrupt and bulk completion callbacks to avoid dereferencing a NULL pointer in case a device sends data for a port device which isn't bound to a driver (e.g. due to a malicious device having unexpected endpoints or after an allocation failure on port probe). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable(a)vger.kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 9690a5f4b9d6..0582d78bdb1d 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -716,7 +716,7 @@ static void edge_interrupt_callback(struct urb *urb) if (txCredits) { port = edge_serial->serial->port[portNumber]; edge_port = usb_get_serial_port_data(port); - if (edge_port->open) { + if (edge_port && edge_port->open) { spin_lock_irqsave(&edge_port->ep_lock, flags); edge_port->txCredits += txCredits; @@ -1825,7 +1825,7 @@ static void process_rcvd_data(struct edgeport_serial *edge_serial, port = edge_serial->serial->port[ edge_serial->rxPort]; edge_port = usb_get_serial_port_data(port); - if (edge_port->open) { + if (edge_port && edge_port->open) { dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", __func__, rxLen, edge_serial->rxPort);

4 years, 11 months

1
0
0 0

FAILED: patch "[PATCH] iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From fb4fbc8904e786537e29329d791147389e1465a2 Mon Sep 17 00:00:00 2001 From: Stephan Gerhold <stephan(a)gerhold.net> Date: Mon, 16 Dec 2019 13:41:20 +0100 Subject: [PATCH] iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID At the moment, attempting to probe a device with ST_LSM6DS3_ID (e.g. using the st,lsm6ds3 compatible) fails with: st_lsm6dsx_i2c 1-006b: unsupported whoami [69] ... even though 0x69 is the whoami listed for ST_LSM6DS3_ID. This happens because st_lsm6dsx_check_whoami() also attempts to match unspecified (zero-initialized) entries in the "id" array. ST_LSM6DS3_ID = 0 will therefore match any entry in st_lsm6dsx_sensor_settings (here: the first), because none of them actually have all 12 entries listed in the "id" array. Avoid this by additionally checking if "name" is set, which is only set for valid entries in the "id" array. Note: Although the problem was introduced earlier it did not surface until commit 52f4b1f19679 ("iio: imu: st_lsm6dsx: add support for accel/gyro unit of lsm9ds1") because ST_LSM6DS3_ID was the first entry in st_lsm6dsx_sensor_settings. Fixes: d068e4a0f921 ("iio: imu: st_lsm6dsx: add support to multiple devices with the same settings") Cc: <stable(a)vger.kernel.org> # 5.4 Acked-by: Lorenzo Bianconi <lorenzo(a)kernel.org> Signed-off-by: Stephan Gerhold <stephan(a)gerhold.net> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c index a7d40c02ce6b..b921dd9e108f 100644 --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c @@ -1301,7 +1301,8 @@ static int st_lsm6dsx_check_whoami(struct st_lsm6dsx_hw *hw, int id, for (i = 0; i < ARRAY_SIZE(st_lsm6dsx_sensor_settings); i++) { for (j = 0; j < ST_LSM6DSX_MAX_ID; j++) { - if (id == st_lsm6dsx_sensor_settings[i].id[j].hw_id) + if (st_lsm6dsx_sensor_settings[i].id[j].name && + id == st_lsm6dsx_sensor_settings[i].id[j].hw_id) break; } if (j < ST_LSM6DSX_MAX_ID)

4 years, 11 months

1
0
0 0

[PATCH, v5.4] perf: Correctly handle failed perf_get_aux_event()

by Ingo Molnar

* Vince Weaver <vincent.weaver(a)maine.edu> wrote: > On Mon, 6 Jan 2020, Vince Weaver wrote: > > > On Mon, 6 Jan 2020, Mark Rutland wrote: > > > > > On Thu, Jan 02, 2020 at 02:22:47PM -0500, Vince Weaver wrote: > > > > On Thu, 2 Jan 2020, Vince Weaver wrote: > > > > > > > Vince, does the below (untested) patch work for you? > > > > > > yes, this patch fixes things for me. > > > > Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> > > > > is this patch going to make it upstream? It's a fairly major correctness > bug with perf_event_open(). I just sent it to Linus. In hindsight this should have been marked Cc: stable for v5.4 - we should forward it to Greg once Linus has pulled it: da9ec3d3dd0f: ("perf: Correctly handle failed perf_get_aux_event()") Note that in the v5.4 cherry-pick there's a conflict due to interaction with another recent commit - I've attached the ported fix against v5.4, but have only test built it. Thanks, Ingo ==============> >From 703595681c934d2a88a91e8a41f7f63eeb1573e0 Mon Sep 17 00:00:00 2001 From: Ingo Molnar <mingo(a)kernel.org> Date: Sat, 18 Jan 2020 19:03:55 +0100 Subject: [PATCH] perf: Correctly handle failed perf_get_aux_event() Vince reports a worrying issue: | so I was tracking down some odd behavior in the perf_fuzzer which turns | out to be because perf_even_open() sometimes returns 0 (indicating a file | descriptor of 0) even though as far as I can tell stdin is still open. ... and further the cause: | error is triggered if aux_sample_size has non-zero value. | | seems to be this line in kernel/events/core.c: | | if (perf_need_aux_event(event) && !perf_get_aux_event(event, group_leader)) | goto err_locked; | | (note, err is never set) This seems to be a thinko in commit: ab43762ef010967e ("perf: Allow normal events to output AUX data") ... and we should probably return -EINVAL here, as this should only happen when the new event is mis-configured or does not have a compatible aux_event group leader. Fixes: ab43762ef010967e ("perf: Allow normal events to output AUX data") Reported-by: Vince Weaver <vincent.weaver(a)maine.edu> Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Acked-by: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> (cherry picked from commit da9ec3d3dd0f1240a48920be063448a2242dbd90) --- kernel/events/core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 00a014670ed0..291fe3e2165f 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -11184,8 +11184,10 @@ SYSCALL_DEFINE5(perf_event_open, } } - if (event->attr.aux_output && !perf_get_aux_event(event, group_leader)) + if (event->attr.aux_output && !perf_get_aux_event(event, group_leader)) { + err = -EINVAL; goto err_locked; + } /* * Must be under the same ctx::mutex as perf_install_in_context(),

4 years, 11 months

2
1
0 0

[char-misc] mei: me: add comet point (lake) H device ids

by Tomas Winkler

Add Comet Point device IDs for Comet Lake H platforms. Cc: <stable(a)vger.kernel.org> Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com> --- drivers/misc/mei/hw-me-regs.h | 4 ++++ drivers/misc/mei/pci-me.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/drivers/misc/mei/hw-me-regs.h b/drivers/misc/mei/hw-me-regs.h index 7cd67fb2365d..9d24db38e8bc 100644 --- a/drivers/misc/mei/hw-me-regs.h +++ b/drivers/misc/mei/hw-me-regs.h @@ -81,8 +81,12 @@ #define MEI_DEV_ID_CMP_LP 0x02e0 /* Comet Point LP */ #define MEI_DEV_ID_CMP_LP_3 0x02e4 /* Comet Point LP 3 (iTouch) */ + #define MEI_DEV_ID_CMP_V 0xA3BA /* Comet Point Lake V */ +#define MEI_DEV_ID_CMP_H 0x06e0 /* Comet Lake H */ +#define MEI_DEV_ID_CMP_H_3 0x06e4 /* Comet Lake H 3 (iTouch) */ + #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */ #define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */ diff --git a/drivers/misc/mei/pci-me.c b/drivers/misc/mei/pci-me.c index c845b7e40f26..c14261d735db 100644 --- a/drivers/misc/mei/pci-me.c +++ b/drivers/misc/mei/pci-me.c @@ -99,6 +99,8 @@ static const struct pci_device_id mei_me_pci_tbl[] = { {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP, MEI_ME_PCH12_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP_3, MEI_ME_PCH8_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_V, MEI_ME_PCH12_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H, MEI_ME_PCH12_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H_3, MEI_ME_PCH8_CFG)}, {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)}, -- 2.21.1

4 years, 11 months

1
0
0 0

+ mm-move_pages-fix-the-return-value-if-there-are-not-migrated-pages.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/migrate.c: move_pages: fix the return value if there are not-migrated pages has been added to the -mm tree. Its filename is mm-move_pages-fix-the-return-value-if-there-are-not-migrated-pages.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-move_pages-fix-the-return-value… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-move_pages-fix-the-return-value… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Yang Shi <yang.shi(a)linux.alibaba.com> Subject: mm/migrate.c: move_pages: fix the return value if there are not-migrated pages do_move_pages_to_node() might return > 0 value, the number of pages that are not migrated, then the value will be returned to userspace directly. But, move_pages() syscall would just return 0 or errno. So, we need reset the return value to 0 for such case as pre-v4.17 did. Link: http://lkml.kernel.org/r/1579325203-16405-1-git-send-email-yang.shi@linux.a… Fixes: a49bd4d71637 ("mm, numa: rework do_pages_move") Signed-off-by: Yang Shi <yang.shi(a)linux.alibaba.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Wei Yang <richardw.yang(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> [4.17+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/migrate.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/mm/migrate.c~mm-move_pages-fix-the-return-value-if-there-are-not-migrated-pages +++ a/mm/migrate.c @@ -1659,8 +1659,11 @@ static int do_pages_move(struct mm_struc goto out_flush; err = do_move_pages_to_node(mm, &pagelist, current_node); - if (err) + if (err) { + if (err > 0) + err = 0; goto out; + } if (i > start) { err = store_status(status, start, current_node, i - start); if (err) _ Patches currently in -mm which might be from yang.shi(a)linux.alibaba.com are mm-move_pages-fix-the-return-value-if-there-are-not-migrated-pages.patch

4 years, 11 months

2
1
0 0

+ mm-thp-remove-the-defer-list-related-code-since-this-will-not-happen.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: thp: don't need care deferred split queue in memcg charge move path has been added to the -mm tree. Its filename is mm-thp-remove-the-defer-list-related-code-since-this-will-not-happen.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-thp-remove-the-defer-list-relat… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-thp-remove-the-defer-list-relat… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Wei Yang <richardw.yang(a)linux.intel.com> Subject: mm: thp: don't need care deferred split queue in memcg charge move path If compound is true, this means it is a PMD mapped THP. Which implies the page is not linked to any defer list. So the first code chunk will not be executed. Also with this reason, it would not be proper to add this page to a defer list. So the second code chunk is not correct. Based on this, we should remove the defer list related code. [yang.shi(a)linux.alibaba.com: better patch title] Link: http://lkml.kernel.org/r/20200117233836.3434-1-richardw.yang@linux.intel.com Fixes: 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware") Signed-off-by: Wei Yang <richardw.yang(a)linux.intel.com> Suggested-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Acked-by: Yang Shi <yang.shi(a)linux.alibaba.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Vladimir Davydov <vdavydov.dev(a)gmail.com> Cc: <stable(a)vger.kernel.org> [5.4+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 18 ------------------ 1 file changed, 18 deletions(-) --- a/mm/memcontrol.c~mm-thp-remove-the-defer-list-related-code-since-this-will-not-happen +++ a/mm/memcontrol.c @@ -5340,14 +5340,6 @@ static int mem_cgroup_move_account(struc __mod_lruvec_state(to_vec, NR_WRITEBACK, nr_pages); } -#ifdef CONFIG_TRANSPARENT_HUGEPAGE - if (compound && !list_empty(page_deferred_list(page))) { - spin_lock(&from->deferred_split_queue.split_queue_lock); - list_del_init(page_deferred_list(page)); - from->deferred_split_queue.split_queue_len--; - spin_unlock(&from->deferred_split_queue.split_queue_lock); - } -#endif /* * It is safe to change page->mem_cgroup here because the page * is referenced, charged, and isolated - we can't race with @@ -5357,16 +5349,6 @@ static int mem_cgroup_move_account(struc /* caller should have done css_get */ page->mem_cgroup = to; -#ifdef CONFIG_TRANSPARENT_HUGEPAGE - if (compound && list_empty(page_deferred_list(page))) { - spin_lock(&to->deferred_split_queue.split_queue_lock); - list_add_tail(page_deferred_list(page), - &to->deferred_split_queue.split_queue); - to->deferred_split_queue.split_queue_len++; - spin_unlock(&to->deferred_split_queue.split_queue_lock); - } -#endif - spin_unlock_irqrestore(&from->move_lock, flags); ret = 0; _ Patches currently in -mm which might be from richardw.yang(a)linux.intel.com are mm-thp-remove-the-defer-list-related-code-since-this-will-not-happen.patch mm-gupc-use-is_vm_hugetlb_page-to-check-whether-to-follow-huge.patch mm-huge_memoryc-use-head-to-check-huge-zero-page.patch mm-huge_memoryc-use-head-to-emphasize-the-purpose-of-page.patch mm-huge_memoryc-reduce-critical-section-protected-by-split_queue_lock.patch mm-remove-dead-code-totalram_pages_set.patch

4 years, 11 months

1
0
0 0

[to-be-updated] mm-thp-grab-the-lock-before-manipulation-defer-list.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: thp: grab the lock before manipulating defer list has been removed from the -mm tree. Its filename was mm-thp-grab-the-lock-before-manipulation-defer-list.patch This patch was dropped because an updated version will be merged ------------------------------------------------------ From: Wei Yang <richardw.yang(a)linux.intel.com> Subject: mm: thp: grab the lock before manipulating defer list As all the other places, we grab the lock before manipulate the defer list. Current implementation may face a race condition. For example, the potential race would be: CPU1 CPU2 mem_cgroup_move_account deferred_split_huge_page list_empty lock list_empty list_add_tail unlock lock # list_empty might not hold anymore list_add_tail unlock When this sequence happens, the list_add_tail() in mem_cgroup_move_account() corrupt the list since which is already been added to some split_queue in split_huge_page_to_list(). Besides this, David Rientjes points out the split_queue_len would be in a wrong state, which would be a significant issue for shrinkers. Link: http://lkml.kernel.org/r/20200109143054.13203-1-richardw.yang@linux.intel.c… Fixes: 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware") Signed-off-by: Wei Yang <richardw.yang(a)linux.intel.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Vladimir Davydov <vdavydov.dev(a)gmail.com> Cc: <stable(a)vger.kernel.org> [5.4+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) --- a/mm/memcontrol.c~mm-thp-grab-the-lock-before-manipulation-defer-list +++ a/mm/memcontrol.c @@ -5341,10 +5341,12 @@ static int mem_cgroup_move_account(struc } #ifdef CONFIG_TRANSPARENT_HUGEPAGE - if (compound && !list_empty(page_deferred_list(page))) { + if (compound) { spin_lock(&from->deferred_split_queue.split_queue_lock); - list_del_init(page_deferred_list(page)); - from->deferred_split_queue.split_queue_len--; + if (!list_empty(page_deferred_list(page))) { + list_del_init(page_deferred_list(page)); + from->deferred_split_queue.split_queue_len--; + } spin_unlock(&from->deferred_split_queue.split_queue_lock); } #endif @@ -5358,11 +5360,13 @@ static int mem_cgroup_move_account(struc page->mem_cgroup = to; #ifdef CONFIG_TRANSPARENT_HUGEPAGE - if (compound && list_empty(page_deferred_list(page))) { + if (compound) { spin_lock(&to->deferred_split_queue.split_queue_lock); - list_add_tail(page_deferred_list(page), - &to->deferred_split_queue.split_queue); - to->deferred_split_queue.split_queue_len++; + if (list_empty(page_deferred_list(page))) { + list_add_tail(page_deferred_list(page), + &to->deferred_split_queue.split_queue); + to->deferred_split_queue.split_queue_len++; + } spin_unlock(&to->deferred_split_queue.split_queue_lock); } #endif _ Patches currently in -mm which might be from richardw.yang(a)linux.intel.com are mm-thp-remove-the-defer-list-related-code-since-this-will-not-happen.patch mm-gupc-use-is_vm_hugetlb_page-to-check-whether-to-follow-huge.patch mm-huge_memoryc-use-head-to-check-huge-zero-page.patch mm-huge_memoryc-use-head-to-emphasize-the-purpose-of-page.patch mm-huge_memoryc-reduce-critical-section-protected-by-split_queue_lock.patch mm-remove-dead-code-totalram_pages_set.patch

4 years, 11 months

1
0
0 0

[GIT PULL] thread fixes v5.5-rc7

by Christian Brauner

Hey Linus, /* Summary */ Here is an urgent fix for ptrace_may_access() permission checking. Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") introduced the ability to opt out of audit messages for accesses to various proc files since they are not violations of policy. While doing so it switched the check from ns_capable() to has_ns_capability{_noaudit}(). That means it switched from checking the subjective credentials (ktask->cred) of the task to using the objective credentials (ktask->real_cred). This is appears to be wrong. ptrace_has_cap() is currently only used in ptrace_may_access() And is used to check whether the calling task (subject) has the CAP_SYS_PTRACE capability in the provided user namespace to operate on the target task (object). According to the cred.h comments this means the subjective credentials of the calling task need to be used. With this pr we switch ptrace_has_cap() to use security_capable() and thus back to using the subjective credentials. As one example where this might be particularly problematic, Jann pointed out that in combination with the upcoming IORING_OP_OPENAT{2} feature, this bug might allow unprivileged users to bypass the capability checks while asynchronously opening files like /proc/*/mem, because the capability checks for this would be performed against kernel credentials. To illustrate on the former point about this being exploitable: When io_uring creates a new context it records the subjective credentials of the caller. Later on, when it starts to do work it creates a kernel thread and registers a callback. The callback runs with kernel creds for ktask->real_cred and ktask->cred. To prevent this from becoming a full-blown 0-day io_uring will call override_cred() and override ktask->cred with the subjective credentials of the creator of the io_uring instance. With ptrace_has_cap() currently looking at ktask->real_cred this override will be ineffective and the caller will be able to open arbitray proc files as mentioned above. Luckily, this is currently not exploitable but will turn into a 0-day once IORING_OP_OPENAT{2} land in v5.6. Let's fix it now. To minimize potential regressions I successfully ran the criu testsuite. criu makes heavy use of ptrace() and extensively hits ptrace_may_access() codepaths and has a good change of detecting any regressions. Additionally, I succesfully ran the ptrace and seccomp kernel tests. /* Testing */ All patches have seen exposure in linux-next and are based on v5.5-rc6. As mentioned above, the criu test-suite which is one of the test-suits make massive use of ptrace and hitting ptrace_may_access() codepaths successfully passed on a kernel with this fix: ################## ALL TEST(S) PASSED (TOTAL 178/SKIPPED 16) ################### I've posted the full test-log at: https://gitlab.com/snippets/1931214 Additionally, I succesfully ran the ptrace and seccomp kernel tests. We also will add a regression test once IO_URING_OPENAT{2} has landed for v5.6 since this gives us a really easy test. /* Conflicts */ At the time of creating this PR no merge conflicts were reported from linux-next. The following changes since commit b3a987b0264d3ddbb24293ebff10eddfc472f653: Linux 5.5-rc6 (2020-01-12 16:55:08 -0800) are available in the Git repository at: git@gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux tags/for-linus-2020-01-18 for you to fetch changes up to 6b3ad6649a4c75504edeba242d3fd36b3096a57f: ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() (2020-01-18 13:51:39 +0100) Please consider pulling these changes from the signed for-linus-2020-01-18 tag. Thanks! Christian ---------------------------------------------------------------- for-linus-2020-01-18 ---------------------------------------------------------------- Christian Brauner (1): ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() kernel/ptrace.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)

4 years, 11 months

2
1
0 0

[PATCH v2 10/13] KVM: x86: Protect memory accesses from Spectre-v1/L1TF attacks in x86.c

by Marios Pomonis

This fixes Spectre-v1/L1TF vulnerabilities in vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(), vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). These functions contain index computations based on the (attacker-influenced) segment value. Fixes: commit 2fb92db1ec08 ("KVM: VMX: Cache vmcs segment fields") Signed-off-by: Nick Finco <nifi(a)google.com> Signed-off-by: Marios Pomonis <pomonis(a)google.com> Reviewed-by: Andrew Honig <ahonig(a)google.com> Cc: stable(a)vger.kernel.org --- arch/x86/kvm/vmx/vmx.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index d39475e2d44e..82b25f1812aa 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -753,7 +753,9 @@ static bool vmx_segment_cache_test_set(struct vcpu_vmx *vmx, unsigned seg, static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg) { - u16 *p = &vmx->segment_cache.seg[seg].selector; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u16 *p = &vmx->segment_cache.seg[index].selector; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_SEL)) *p = vmcs_read16(kvm_vmx_segment_fields[seg].selector); @@ -762,7 +764,9 @@ static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg) static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg) { - ulong *p = &vmx->segment_cache.seg[seg].base; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + ulong *p = &vmx->segment_cache.seg[index].base; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_BASE)) *p = vmcs_readl(kvm_vmx_segment_fields[seg].base); @@ -771,7 +775,9 @@ static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg) static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg) { - u32 *p = &vmx->segment_cache.seg[seg].limit; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u32 *p = &vmx->segment_cache.seg[index].limit; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_LIMIT)) *p = vmcs_read32(kvm_vmx_segment_fields[seg].limit); @@ -780,7 +786,9 @@ static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg) static u32 vmx_read_guest_seg_ar(struct vcpu_vmx *vmx, unsigned seg) { - u32 *p = &vmx->segment_cache.seg[seg].ar; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u32 *p = &vmx->segment_cache.seg[index].ar; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_AR)) *p = vmcs_read32(kvm_vmx_segment_fields[seg].ar_bytes); -- 2.24.0.525.g8f36a354ae-goog

4 years, 11 months

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2020