If we don't call drm_connector_cleanup() manually in
panel_bridge_detach(), the connector will be cleaned up with the other
DRM objects in the call to drm_mode_config_cleanup(). However, since our
drm_connector is devm-allocated, by the time drm_mode_config_cleanup()
is called, our connector will be long gone. Therefore, the
connector must be cleaned up when the bridge is detached to avoid
use-after-free conditions.
v2: Clean up connector only if it was created
Fixes: 13dfc0540a57 ("drm/bridge: Refactor out the panel wrapper from the lvds-encoder bridge.")
Cc: <stable(a)vger.kernel.org> # 4.12+
Cc: Andrzej Hajda <a.hajda(a)samsung.com>
Cc: Neil Armstrong <narmstrong(a)baylibre.com>
Cc: Laurent Pinchart <Laurent.pinchart(a)ideasonboard.com>
Cc: Jonas Karlman <jonas(a)kwiboo.se>
Cc: Jernej Skrabec <jernej.skrabec(a)siol.net>
Signed-off-by: Paul Cercueil <paul(a)crapouillou.net>
---
drivers/gpu/drm/bridge/panel.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c
index 0ddc37551194..df86b0ee0549 100644
--- a/drivers/gpu/drm/bridge/panel.c
+++ b/drivers/gpu/drm/bridge/panel.c
@@ -87,6 +87,12 @@ static int panel_bridge_attach(struct drm_bridge *bridge,
static void panel_bridge_detach(struct drm_bridge *bridge)
{
+ struct panel_bridge *panel_bridge = drm_bridge_to_panel_bridge(bridge);
+ struct drm_connector *connector = &panel_bridge->connector;
+
+ /* Cleanup the connector if we know it was initialized */
+ if (!!panel_bridge->connector.dev)
+ drm_connector_cleanup(connector);
}
static void panel_bridge_pre_enable(struct drm_bridge *bridge)
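Review bot: the `!!` in `if (!!panel_bridge->connector.dev)` is redundant inside an `if` condition, and the hunk already declares a `connector` local for the same object, so `if (connector->dev)` says the same thing more directly. It would also help to state in the comment which call sets `connector->dev` (the connector init done in panel_bridge_attach()), so a later reader knows why it is a reliable "was initialized" marker rather than an incidental field.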
--
2.29.2
Even though the JZ4740 did not have the OSD mode, it had (according to
the documentation) two DMA channels, but there is absolutely no
information about how to select the second DMA channel.
Make the ingenic-drm driver work in non-OSD mode by using the
foreground0 plane (which is bound to the DMA0 channel) as the primary
plane, instead of the foreground1 plane, which is the primary plane
when in OSD mode.
Fixes: 3c9bea4ef32b ("drm/ingenic: Add support for OSD mode")
Cc: <stable(a)vger.kernel.org> # v5.8+
Signed-off-by: Paul Cercueil <paul(a)crapouillou.net>
Acked-by: Daniel Vetter <daniel.vetter(a)ffwll.ch>
---
drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
index b23011c1c5d9..59ce43862e16 100644
--- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
+++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
@@ -554,7 +554,7 @@ static void ingenic_drm_plane_atomic_update(struct drm_plane *plane,
height = state->src_h >> 16;
cpp = state->fb->format->cpp[0];
- if (priv->soc_info->has_osd && plane->type == DRM_PLANE_TYPE_OVERLAY)
+ if (!priv->soc_info->has_osd || plane->type == DRM_PLANE_TYPE_OVERLAY)
hwdesc = &priv->dma_hwdescs->hwdesc_f0;
else
hwdesc = &priv->dma_hwdescs->hwdesc_f1;
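Review bot: the inverted condition `!priv->soc_info->has_osd || plane->type == DRM_PLANE_TYPE_OVERLAY` encodes the DMA channel mapping described in the commit message (no OSD: the single primary plane is f0 on DMA0; OSD: f0 is the overlay and f1 the primary), but nothing in the code says so. A one-line comment above the `if` explaining that f0 is always bound to DMA0 and is the primary plane only when OSD is absent would save the next reader from re-deriving it from the commit log.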
@@ -826,6 +826,7 @@ static int ingenic_drm_bind(struct device *dev, bool has_components)
const struct jz_soc_info *soc_info;
struct ingenic_drm *priv;
struct clk *parent_clk;
+ struct drm_plane *primary;
struct drm_bridge *bridge;
struct drm_panel *panel;
struct drm_encoder *encoder;
@@ -940,9 +941,11 @@ static int ingenic_drm_bind(struct device *dev, bool has_components)
if (soc_info->has_osd)
priv->ipu_plane = drm_plane_from_index(drm, 0);
- drm_plane_helper_add(&priv->f1, &ingenic_drm_plane_helper_funcs);
+ primary = priv->soc_info->has_osd ? &priv->f1 : &priv->f0;
- ret = drm_universal_plane_init(drm, &priv->f1, 1,
+ drm_plane_helper_add(primary, &ingenic_drm_plane_helper_funcs);
+
+ ret = drm_universal_plane_init(drm, primary, 1,
&ingenic_drm_primary_plane_funcs,
priv->soc_info->formats_f1,
priv->soc_info->num_formats_f1,
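Review bot: `primary` now points at `&priv->f0` on non-OSD SoCs, but drm_universal_plane_init() still receives `priv->soc_info->formats_f1` / `num_formats_f1`. If the f0 and f1 format tables can differ, the non-OSD primary would advertise the wrong format list; either select the format table alongside the plane or add a comment stating why f1's table is correct for f0 on those SoCs. Minor: the new line reads `priv->soc_info->has_osd` while the line just above in the same function uses the `soc_info` local (`if (soc_info->has_osd)`); pick one.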
@@ -954,7 +957,7 @@ static int ingenic_drm_bind(struct device *dev, bool has_components)
drm_crtc_helper_add(&priv->crtc, &ingenic_drm_crtc_helper_funcs);
- ret = drm_crtc_init_with_planes(drm, &priv->crtc, &priv->f1,
+ ret = drm_crtc_init_with_planes(drm, &priv->crtc, primary,
NULL, &ingenic_drm_crtc_funcs, NULL);
if (ret) {
dev_err(dev, "Failed to init CRTC: %i\n", ret);
--
2.29.2
Since the encoders have been devm-allocated, they will be freed way
before drm_mode_config_cleanup() is called. To avoid use-after-free
conditions, we then must ensure that drm_encoder_cleanup() is called
before the encoders are freed.
v2: Use the new __drmm_simple_encoder_alloc() function
v3: Use the new drmm_plain_simple_encoder_alloc() macro
Fixes: c369cb27c267 ("drm/ingenic: Support multiple panels/bridges")
Cc: <stable(a)vger.kernel.org> # 5.8+
Signed-off-by: Paul Cercueil <paul(a)crapouillou.net>
---
Notes:
Use the V1 of this patch to fix v5.11 and older kernels. This V3 only
applies on the current drm-misc-next branch.
drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
index 7bb31fbee29d..b23011c1c5d9 100644
--- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
+++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
@@ -1014,20 +1014,17 @@ static int ingenic_drm_bind(struct device *dev, bool has_components)
bridge = devm_drm_panel_bridge_add_typed(dev, panel,
DRM_MODE_CONNECTOR_DPI);
- encoder = devm_kzalloc(dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_plain_simple_encoder_alloc(drm, DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder)) {
+ ret = PTR_ERR(encoder);
+ dev_err(dev, "Failed to init encoder: %d\n", ret);
+ return ret;
+ }
encoder->possible_crtcs = 1;
drm_encoder_helper_add(encoder, &ingenic_drm_encoder_helper_funcs);
- ret = drm_simple_encoder_init(drm, encoder, DRM_MODE_ENCODER_DPI);
- if (ret) {
- dev_err(dev, "Failed to init encoder: %d\n", ret);
- return ret;
- }
-
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
if (ret) {
dev_err(dev, "Unable to attach bridge\n");
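Review bot: in the visible context the return value of devm_drm_panel_bridge_add_typed() is assigned to `bridge` and then handed straight to drm_bridge_attach() without an IS_ERR() check; if no such check exists outside the hunk, one belongs before the attach, since that helper returns an ERR_PTR on failure. The switch to drmm_plain_simple_encoder_alloc() settles the devm/drmm ordering the commit message describes for the encoder, but the panel bridge itself stays devm-managed, so the same lifetime question applies to it; the accompanying panel.c patch in this series is what covers that side by cleaning the connector up at detach, and it may be worth cross-referencing in the commit message.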
--
2.29.2
If we don't call drm_connector_cleanup() manually in
panel_bridge_detach(), the connector will be cleaned up with the other
DRM objects in the call to drm_mode_config_cleanup(). However, since our
drm_connector is devm-allocated, by the time drm_mode_config_cleanup()
is called, our connector will be long gone. Therefore, the
connector must be cleaned up when the bridge is detached to avoid
use-after-free conditions.
v2: Clean up connector only if it was created
v3: Add FIXME
Fixes: 13dfc0540a57 ("drm/bridge: Refactor out the panel wrapper from the lvds-encoder bridge.")
Cc: <stable(a)vger.kernel.org> # 4.12+
Cc: Andrzej Hajda <a.hajda(a)samsung.com>
Cc: Neil Armstrong <narmstrong(a)baylibre.com>
Cc: Laurent Pinchart <Laurent.pinchart(a)ideasonboard.com>
Cc: Jonas Karlman <jonas(a)kwiboo.se>
Cc: Jernej Skrabec <jernej.skrabec(a)siol.net>
Signed-off-by: Paul Cercueil <paul(a)crapouillou.net>
---
drivers/gpu/drm/bridge/panel.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c
index 0ddc37551194..5959e8183cd0 100644
--- a/drivers/gpu/drm/bridge/panel.c
+++ b/drivers/gpu/drm/bridge/panel.c
@@ -87,6 +87,18 @@ static int panel_bridge_attach(struct drm_bridge *bridge,
static void panel_bridge_detach(struct drm_bridge *bridge)
{
+ struct panel_bridge *panel_bridge = drm_bridge_to_panel_bridge(bridge);
+ struct drm_connector *connector = &panel_bridge->connector;
+
+ /*
+ * Cleanup the connector if we know it was initialized.
+ *
+ * FIXME: This wouldn't be needed if the panel_bridge structure was
+ * allocated with drmm_kzalloc(). This might be tricky since the
+ * drm_device pointer can only be retrieved when the bridge is attached.
+ */
+ if (!!panel_bridge->connector.dev)
+ drm_connector_cleanup(connector);
}
static void panel_bridge_pre_enable(struct drm_bridge *bridge)
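Review bot: same remark as on v2: `!!` is redundant inside an `if`, and the `connector` local declared a few lines up could be used (`if (connector->dev)`). The FIXME is a useful addition; it could also mention that drm_connector_cleanup() zeroes the connector struct when it finishes, which is what makes the `connector.dev` test safe as an "already cleaned up" guard should detach ever be reached twice.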
--
2.29.2
We can get a crash when disconnecting the iSCSI session;
the call trace looks like this:
[ffff00002a00fb70] kfree at ffff00000830e224
[ffff00002a00fba0] ses_intf_remove at ffff000001f200e4
[ffff00002a00fbd0] device_del at ffff0000086b6a98
[ffff00002a00fc50] device_unregister at ffff0000086b6d58
[ffff00002a00fc70] __scsi_remove_device at ffff00000870608c
[ffff00002a00fca0] scsi_remove_device at ffff000008706134
[ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4
[ffff00002a00fd10] scsi_remove_target at ffff0000087064c0
[ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4
[ffff00002a00fdb0] process_one_work at ffff00000810f35c
[ffff00002a00fe00] worker_thread at ffff00000810f648
[ffff00002a00fe70] kthread at ffff000008116e98
In ses_intf_add, the components count could be 0, in which case a
0-size scomp is kcalloc'ed but not saved in edev->component[i].scratch.
In this situation, edev->component[0].scratch is an invalid pointer, and
when it is kfree'd in ses_intf_remove_enclosure, a crash like the one
above happens.
The call trace could also be some other random case when kfree cannot
catch the invalid pointer.
We should not use the edev->component[] array when the components count
is 0.
We also need to check the index when using the edev->component[] array
in ses_enclosure_data_process.
Tested-by: Zeng Zhicong <timmyzeng(a)163.com>
Cc: stable <stable(a)vger.kernel.org> # 2.6.25+
Signed-off-by: Ding Hui <dinghui(a)sangfor.com.cn>
---
drivers/scsi/ses.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
index c2afba2a5414..f5ef0a91f0eb 100644
--- a/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -477,9 +477,6 @@ static int ses_enclosure_find_by_addr(struct enclosure_device *edev,
int i;
struct ses_component *scomp;
- if (!edev->component[0].scratch)
- return 0;
-
for (i = 0; i < edev->components; i++) {
scomp = edev->component[i].scratch;
if (scomp->addr != efd->addr)
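Review bot: dropping the `!edev->component[0].scratch` early return means every `edev->component[i].scratch` is now dereferenced unconditionally inside the loop. With the ses_intf_add() change below this is safe when `components == 0` (the loop body never runs), but it also relies on `scratch` being populated for all i whenever `edev->components > 0`. Please confirm there is no window in which an enclosure_device is reachable by this lookup with `components > 0` and `scratch` still NULL (for instance between enclosure_register() and the loop that assigns `component[i].scratch`), since that is the case the removed check used to cover.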
@@ -565,8 +562,10 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
components++,
type_ptr[0],
name);
- else
+ else if (components < edev->components)
ecomp = &edev->component[components++];
+ else
+ ecomp = ERR_PTR(-EINVAL);
if (!IS_ERR(ecomp)) {
if (addl_desc_ptr)
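Review bot: when the type descriptors report more elements than `edev->components`, `ecomp = ERR_PTR(-EINVAL)` makes the surplus entries vanish silently; a one-time warning (e.g. via sdev_printk) would help diagnose enclosure firmware that reports inconsistent counts, since otherwise the dropped components leave no trace in the log.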
@@ -731,9 +730,11 @@ static int ses_intf_add(struct device *cdev,
buf = NULL;
}
page2_not_supported:
- scomp = kcalloc(components, sizeof(struct ses_component), GFP_KERNEL);
- if (!scomp)
- goto err_free;
+ if (components > 0) {
+ scomp = kcalloc(components, sizeof(struct ses_component), GFP_KERNEL);
+ if (!scomp)
+ goto err_free;
+ }
edev = enclosure_register(cdev->parent, dev_name(&sdev->sdev_gendev),
components, &ses_enclosure_callbacks);
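Review bot: with the kcalloc() now conditional, `scomp` must be initialized to NULL at its declaration (not visible in this hunk); otherwise the `components == 0` path continues with an uninitialized pointer into the later assignment and error-handling code. Please confirm the declaration already reads `struct ses_component *scomp = NULL;`, or add the initializer as part of this change.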
@@ -813,7 +814,8 @@ static void ses_intf_remove_enclosure(struct scsi_device *sdev)
kfree(ses_dev->page2);
kfree(ses_dev);
- kfree(edev->component[0].scratch);
+ if (edev->components > 0)
+ kfree(edev->component[0].scratch);
put_device(&edev->edev);
enclosure_unregister(edev);
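Review bot: the guard mirrors the one around kcalloc() and relies on `component[0].scratch` being the base of the single allocation made in ses_intf_add(). That is correct, but `edev->components > 0` is now the contract that decides whether `scratch` may be touched in three places; a short comment here naming that contract would keep the sites from drifting apart.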
--
2.17.1
When public_key_verify_signature() is called from
asymmetric_key_verify_signature(), the pkey_algo field of struct
public_key_signature will be NULL, which causes a NULL pointer dereference
in the strcmp() check. Fix this by adding a NULL check.
One visible manifestation of this is that userspace programs (such as the
'iwd' WiFi daemon) will be killed when trying to verify a TLS key using the
keyctl(2) interface.
Cc: stable(a)vger.kernel.org
Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
Signed-off-by: Toke Høiland-Jørgensen <toke(a)redhat.com>
---
crypto/asymmetric_keys/public_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 8892908ad58c..35b09e95a870 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -356,7 +356,7 @@ int public_key_verify_signature(const struct public_key *pkey,
if (ret)
goto error_free_key;
- if (strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) {
+ if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) {
ret = cert_sig_digest_update(sig, tfm);
if (ret)
goto error_free_key;
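Review bot: the NULL check is the right fix for the dereference, but the resulting `if` line exceeds 80 columns with the kernel's tab indentation; wrap it after the first `&&`. It would also be worth a brief comment that a NULL `pkey_algo` deliberately takes the non-SM2 path, since, per the commit message, callers coming through asymmetric_key_verify_signature() do not fill that field in.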
--
2.30.0
This is the start of the stable review cycle for the 4.14.217 release.
There are 50 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun, 24 Jan 2021 13:57:23 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.217-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.14.217-rc1
Michael Hennerich <michael.hennerich(a)analog.com>
spi: cadence: cache reference clock rate during probe
Aya Levin <ayal(a)nvidia.com>
net: ipv6: Validate GSO SKB before finish IPv6 processing
Jason A. Donenfeld <Jason(a)zx2c4.com>
net: skbuff: disambiguate argument and member for skb_list_walk_safe helper
Jason A. Donenfeld <Jason(a)zx2c4.com>
net: introduce skb_list_walk_safe for skb segment walking
Edward Cree <ecree(a)solarflare.com>
net: use skb_list_del_init() to remove from RX sublists
Hoang Le <hoang.h.le(a)dektech.com.au>
tipc: fix NULL deref in tipc_link_xmit()
David Howells <dhowells(a)redhat.com>
rxrpc: Fix handling of an unsupported token type in rxrpc_read()
Eric Dumazet <edumazet(a)google.com>
net: avoid 32 x truesize under-estimation for tiny skbs
Jakub Kicinski <kuba(a)kernel.org>
net: sit: unregister_netdevice on newlink's error path
David Wu <david.wu(a)rock-chips.com>
net: stmmac: Fixed mtu channged by cache aligned
Petr Machata <petrm(a)nvidia.com>
net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
Petr Machata <me(a)pmachata.org>
net: dcb: Validate netlink message in DCB handler
Willem de Bruijn <willemb(a)google.com>
esp: avoid unneeded kmap_atomic call
Andrey Zhizhikin <andrey.zhizhikin(a)leica-geosystems.com>
rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
Manish Chopra <manishc(a)marvell.com>
netxen_nic: fix MSI/MSI-x interrupts
J. Bruce Fields <bfields(a)redhat.com>
nfsd4: readdirplus shouldn't return parent of export
Will Deacon <will(a)kernel.org>
compiler.h: Raise minimum version of GCC to 5.1 for arm64
Hamish Martin <hamish.martin(a)alliedtelesis.co.nz>
usb: ohci: Make distrust_firmware param default to false
Jesper Dangaard Brouer <brouer(a)redhat.com>
netfilter: conntrack: fix reading nf_conntrack_buckets
Geert Uytterhoeven <geert+renesas(a)glider.be>
ALSA: fireface: Fix integer overflow in transmit_midi_msg()
Geert Uytterhoeven <geert+renesas(a)glider.be>
ALSA: firewire-tascam: Fix integer overflow in midi_port_work()
Mike Snitzer <snitzer(a)redhat.com>
dm: eliminate potential source of excessive kernel log noise
j.nixdorf(a)avm.de <j.nixdorf(a)avm.de>
net: sunrpc: interpret the return value of kstrtou32 correctly
Jann Horn <jannh(a)google.com>
mm, slub: consider rest of partial list if acquire_slab() fails
Dinghao Liu <dinghao.liu(a)zju.edu.cn>
RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp
Jan Kara <jack(a)suse.cz>
ext4: fix superblock checksum failure when setting password salt
Trond Myklebust <trond.myklebust(a)hammerspace.com>
NFS: nfs_igrab_and_active must first reference the superblock
Trond Myklebust <trond.myklebust(a)hammerspace.com>
pNFS: Mark layout for return if return-on-close was not sent
Dave Wysochanski <dwysocha(a)redhat.com>
NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
Dan Carpenter <dan.carpenter(a)oracle.com>
ASoC: Intel: fix error code cnl_set_dsp_D0()
Al Viro <viro(a)zeniv.linux.org.uk>
dump_common_audit_data(): fix racy accesses to ->d_name
Arnd Bergmann <arnd(a)arndb.de>
ARM: picoxcell: fix missing interrupt-parent properties
Shawn Guo <shawn.guo(a)linaro.org>
ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI
Michael Ellerman <mpe(a)ellerman.id.au>
net: ethernet: fs_enet: Add missing MODULE_LICENSE
Arnd Bergmann <arnd(a)arndb.de>
misdn: dsp: select CONFIG_BITREVERSE
Randy Dunlap <rdunlap(a)infradead.org>
arch/arc: add copy_user_page() to <asm/page.h> to fix build error on ARC
Rasmus Villemoes <rasmus.villemoes(a)prevas.dk>
ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram
Filipe Manana <fdmanana(a)suse.com>
btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan
Masahiro Yamada <masahiroy(a)kernel.org>
ARC: build: add boot_targets to PHONY
Masahiro Yamada <masahiroy(a)kernel.org>
ARC: build: add uImage.lzma to the top-level target
Masahiro Yamada <masahiroy(a)kernel.org>
ARC: build: remove non-existing bootpImage from KBUILD_IMAGE
yangerkun <yangerkun(a)huawei.com>
ext4: fix bug for rename with RENAME_WHITEOUT
Leon Schuermann <leon(a)is.currently.online>
r8152: Add Lenovo Powered USB-C Travel Hub
Akilesh Kailash <akailash(a)google.com>
dm snapshot: flush merged data before committing metadata
Miaohe Lin <linmiaohe(a)huawei.com>
mm/hugetlb: fix potential missing huge page size info
Dexuan Cui <decui(a)microsoft.com>
ACPI: scan: Harden acpi_device_add() against device ID overflows
Alexander Lobakin <alobakin(a)pm.me>
MIPS: relocatable: fix possible boot hangup with KASLR enabled
Al Viro <viro(a)zeniv.linux.org.uk>
MIPS: Fix malformed NT_FILE and NT_SIGINFO in 32bit coredumps
Paul Cercueil <paul(a)crapouillou.net>
MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
Thomas Hebb <tommyhebb(a)gmail.com>
ASoC: dapm: remove widget from dirty list on free
-------------
Diffstat:
Makefile | 4 +--
arch/arc/Makefile | 9 ++---
arch/arc/include/asm/page.h | 1 +
arch/arm/boot/dts/picoxcell-pc3x2.dtsi | 4 +++
arch/mips/boot/compressed/decompress.c | 3 +-
arch/mips/kernel/binfmt_elfn32.c | 7 ++++
arch/mips/kernel/binfmt_elfo32.c | 7 ++++
arch/mips/kernel/relocate.c | 10 ++++--
drivers/acpi/internal.h | 2 +-
drivers/acpi/scan.c | 15 +++++++-
drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 3 ++
drivers/isdn/mISDN/Kconfig | 1 +
drivers/md/dm-snap.c | 24 +++++++++++++
drivers/md/dm.c | 2 +-
.../net/ethernet/freescale/fs_enet/mii-bitbang.c | 1 +
drivers/net/ethernet/freescale/fs_enet/mii-fec.c | 1 +
drivers/net/ethernet/freescale/ucc_geth.h | 9 ++++-
.../net/ethernet/qlogic/netxen/netxen_nic_main.c | 7 +---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +-
drivers/net/usb/cdc_ether.c | 7 ++++
drivers/net/usb/r8152.c | 1 +
drivers/net/usb/rndis_host.c | 2 +-
drivers/spi/spi-cadence.c | 6 ++--
drivers/usb/host/ohci-hcd.c | 2 +-
fs/btrfs/qgroup.c | 13 +++++--
fs/btrfs/super.c | 8 +++++
fs/ext4/ioctl.c | 3 ++
fs/ext4/namei.c | 16 +++++----
fs/nfs/internal.h | 12 ++++---
fs/nfs/nfs4proc.c | 2 +-
fs/nfs/pnfs.c | 6 ++++
fs/nfsd/nfs3xdr.c | 7 +++-
include/linux/acpi.h | 7 ++++
include/linux/compiler-gcc.h | 6 ++++
include/linux/skbuff.h | 16 +++++++++
mm/hugetlb.c | 2 +-
mm/slub.c | 2 +-
net/core/skbuff.c | 9 +++--
net/dcb/dcbnl.c | 2 ++
net/ipv4/esp4.c | 7 +---
net/ipv6/esp6.c | 7 +---
net/ipv6/ip6_output.c | 40 +++++++++++++++++++++-
net/ipv6/sit.c | 5 ++-
net/netfilter/nf_conntrack_standalone.c | 3 ++
net/rxrpc/key.c | 6 ++--
net/sunrpc/addr.c | 2 +-
net/tipc/link.c | 9 +++--
security/lsm_audit.c | 7 ++--
sound/firewire/fireface/ff-transaction.c | 2 +-
sound/firewire/tascam/tascam-transaction.c | 2 +-
sound/soc/intel/skylake/cnl-sst.c | 1 +
sound/soc/soc-dapm.c | 1 +
52 files changed, 263 insertions(+), 71 deletions(-)
On Tue, Jan 26, 2021 at 5:52 AM 'Michal Hocko' via kernel-team
<kernel-team(a)android.com> wrote:
>
> On Wed 20-01-21 14:17:39, Jann Horn wrote:
> > On Wed, Jan 13, 2021 at 3:22 PM Michal Hocko <mhocko(a)suse.com> wrote:
> > > On Tue 12-01-21 09:51:24, Suren Baghdasaryan wrote:
> > > > On Tue, Jan 12, 2021 at 9:45 AM Oleg Nesterov <oleg(a)redhat.com> wrote:
> > > > >
> > > > > On 01/12, Michal Hocko wrote:
> > > > > >
> > > > > > On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote:
> > > > > >
> > > > > > > What we want is the ability for one process to influence another process
> > > > > > > in order to optimize performance across the entire system while leaving
> > > > > > > the security boundary intact.
> > > > > > > Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ
> > > > > > > and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata
> > > > > > > and CAP_SYS_NICE for influencing process performance.
> > > > > >
> > > > > > I have to say that ptrace modes are rather obscure to me. So I cannot
> > > > > > really judge whether MODE_READ is sufficient. My understanding has
> > > > > > always been that this is required to RO access to the address space. But
> > > > > > this operation clearly has a visible side effect. Do we have any actual
> > > > > > documentation for the existing modes?
> > > > > >
> > > > > > I would be really curious to hear from Jann and Oleg (now Cced).
> > > > >
> > > > > Can't comment, sorry. I never understood these security checks and never tried.
> > > > > IIUC only selinux/etc can treat ATTACH/READ differently and I have no idea what
> > > > > is the difference.
> >
> > Yama in particular only does its checks on ATTACH and ignores READ,
> > that's the difference you're probably most likely to encounter on a
> > normal desktop system, since some distros turn Yama on by default.
> > Basically the idea there is that running "gdb -p $pid" or "strace -p
> > $pid" as a normal user will usually fail, but reading /proc/$pid/maps
> > still works; so you can see things like detailed memory usage
> > information and such, but you're not supposed to be able to directly
> > peek into a running SSH client and inject data into the existing SSH
> > connection, or steal the cryptographic keys for the current
> > connection, or something like that.
> >
> > > > I haven't seen a written explanation on ptrace modes but when I
> > > > consulted Jann his explanation was:
> > > >
> > > > PTRACE_MODE_READ means you can inspect metadata about processes with
> > > > the specified domain, across UID boundaries.
> > > > PTRACE_MODE_ATTACH means you can fully impersonate processes with the
> > > > specified domain, across UID boundaries.
> > >
> > > Maybe this would be a good start to document expectations. Some more
> > > practical examples where the difference is visible would be great as
> > > well.
> >
> > Before documenting the behavior, it would be a good idea to figure out
> > what to do with perf_event_open(). That one's weird in that it only
> > requires PTRACE_MODE_READ, but actually allows you to sample stuff
> > like userspace stack and register contents (if perf_event_paranoid is
> > 1 or 2). Maybe for SELinux things (and maybe also for Yama), there
> > should be a level in between that allows fully inspecting the process
> > (for purposes like profiling) but without the ability to corrupt its
> > memory or registers or things like that. Or maybe perf_event_open()
> > should just use the ATTACH mode.
>
> Thanks for the clarification. I still cannot say I would have a good
> mental picture. Having something in Documentation/core-api/ sounds
> really needed. Wrt to perf_event_open it sounds really odd it can do
> more than other places restrict indeed. Something for the respective
> maintainer but I strongly suspect people simply copy the pattern from
> other places because the expected semantic is not really clear.
>
Sorry, back to the matters of this patch. Are there any actionable
items for me to take care of before it can be accepted? The only
request from Andrew to write a man page is being worked on at
https://lore.kernel.org/linux-mm/20210120202337.1481402-1-surenb@google.com/
and I'll follow up with the next version. I also CC'ed stable@ for
this to be included into 5.10 per Andrew's request. That CC was lost
at some point, so CC'ing again.
I do not see anything else on this patch to fix. Please chime in if
there are any more concerns, otherwise I would ask Andrew to take it
into mm-tree and stable@ to apply it to 5.10.
Thanks!
> --
> Michal Hocko
> SUSE Labs
>