October 2024 - Linux-stable-mirror

[PATCH net] net: pcs: xpcs: fix the wrong register that was written back

by Jiawen Wu

The value is read from the register TXGBE_RX_GEN_CTL3, and it should be written back to TXGBE_RX_GEN_CTL3 when it changes some fields. Cc: stable(a)vger.kernel.org Fixes: f629acc6f210 ("net: pcs: xpcs: support to switch mode for Wangxun NICs") Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/net/pcs/pcs-xpcs-wx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/pcs/pcs-xpcs-wx.c b/drivers/net/pcs/pcs-xpcs-wx.c index 19c75886f070..5f5cd3596cb8 100644 --- a/drivers/net/pcs/pcs-xpcs-wx.c +++ b/drivers/net/pcs/pcs-xpcs-wx.c @@ -109,7 +109,7 @@ static void txgbe_pma_config_1g(struct dw_xpcs *xpcs) txgbe_write_pma(xpcs, TXGBE_DFE_TAP_CTL0, 0); val = txgbe_read_pma(xpcs, TXGBE_RX_GEN_CTL3); val = u16_replace_bits(val, 0x4, TXGBE_RX_GEN_CTL3_LOS_TRSHLD0); - txgbe_write_pma(xpcs, TXGBE_RX_EQ_ATTN_CTL, val); + txgbe_write_pma(xpcs, TXGBE_RX_GEN_CTL3, val); txgbe_write_pma(xpcs, TXGBE_MPLLA_CTL0, 0x20); txgbe_write_pma(xpcs, TXGBE_MPLLA_CTL3, 0x46); -- 2.27.0

8 months

3
2
0 0

Re: Patch "usb: dwc2: Skip clock gating on Broadcom SoCs" has been added to the 6.11-stable tree

by Stefan Wahren

Hi Sasha, Am 01.10.24 um 01:26 schrieb Sasha Levin: > This is a note to let you know that I've just added the patch titled > > usb: dwc2: Skip clock gating on Broadcom SoCs > > to the 6.11-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > usb-dwc2-skip-clock-gating-on-broadcom-socs.patch > and it can be found in the queue-6.11 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. please do not apply this patch to any stable branch yet. Recently i discovered a critical issue [1] which is revealed by this change. This needs to be investigated and fixed before this patch can be applied. Regards Stefan [1] - https://lore.kernel.org/linux-usb/a4cb3fe4-3d0f-4bf9-a2b1-7f422ba277c8@gmx.… > > > commit f2e9c654eb420e15992ef1e6f5e0ceaca92aacbb > Author: Stefan Wahren <wahrenst(a)gmx.net> > Date: Sun Jul 28 15:00:26 2024 +0200 > > usb: dwc2: Skip clock gating on Broadcom SoCs > > [ Upstream commit d483f034f03261c8c8450d106aa243837122b5f0 ] > > On resume of the Raspberry Pi the dwc2 driver fails to enable > HCD_FLAG_HW_ACCESSIBLE before re-enabling the interrupts. > This causes a situation where both handler ignore a incoming port > interrupt and force the upper layers to disable the dwc2 interrupt line. > This leaves the USB interface in a unusable state: > > irq 66: nobody cared (try booting with the "irqpoll" option) > CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.10.0-rc3 > Hardware name: BCM2835 > Call trace: > unwind_backtrace from show_stack+0x10/0x14 > show_stack from dump_stack_lvl+0x50/0x64 > dump_stack_lvl from __report_bad_irq+0x38/0xc0 > __report_bad_irq from note_interrupt+0x2ac/0x2f4 > note_interrupt from handle_irq_event+0x88/0x8c > handle_irq_event from handle_level_irq+0xb4/0x1ac > handle_level_irq from generic_handle_domain_irq+0x24/0x34 > generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28 > bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34 > generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44 > generic_handle_arch_irq from __irq_svc+0x88/0xb0 > Exception stack(0xc1b01f20 to 0xc1b01f68) > 1f20: 0005c0d4 00000001 00000000 00000000 c1b09780 c1d6b32c c1b04e54 c1a5eae8 > 1f40: c1b04e90 00000000 00000000 00000000 c1d6a8a0 c1b01f70 c11d2da8 c11d4160 > 1f60: 60000013 ffffffff > __irq_svc from default_idle_call+0x1c/0xb0 > default_idle_call from do_idle+0x21c/0x284 > do_idle from cpu_startup_entry+0x28/0x2c > cpu_startup_entry from kernel_init+0x0/0x12c > handlers: > [<f539e0f4>] dwc2_handle_common_intr > [<75cd278b>] usb_hcd_irq > Disabling IRQ #66 > > Disabling clock gating workaround this issue. > > Fixes: 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.") > Link: https://lore.kernel.org/linux-usb/3fd0c2fb-4752-45b3-94eb-42352703e1fd@gmx.… > Link: https://lore.kernel.org/all/5e8cbce0-3260-2971-484f-fc73a3b2bd28@synopsys.c… > Signed-off-by: Stefan Wahren <wahrenst(a)gmx.net> > Acked-by: Minas Harutyunyan <hminas(a)synopsys.com> > Link: https://lore.kernel.org/r/20240728130029.78279-5-wahrenst@gmx.net > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c > index a937eadbc9b3e..214dca7044163 100644 > --- a/drivers/usb/dwc2/params.c > +++ b/drivers/usb/dwc2/params.c > @@ -23,6 +23,7 @@ static void dwc2_set_bcm_params(struct dwc2_hsotg *hsotg) > p->max_transfer_size = 65535; > p->max_packet_count = 511; > p->ahbcfg = 0x10; > + p->no_clock_gating = true; > } > > static void dwc2_set_his_params(struct dwc2_hsotg *hsotg)

8 months

2
1
0 0

Re: Patch "xen: tolerate ACPI NVS memory overlapping with Xen allocated memory" has been added to the 6.11-stable tree

by Jürgen Groß

On 01.10.24 01:15, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > xen: tolerate ACPI NVS memory overlapping with Xen allocated memory > > to the 6.11-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch > and it can be found in the queue-6.11 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 8302ac200e3fb2e8b669b96d7c36cdc266e47138 > Author: Juergen Gross <jgross(a)suse.com> > Date: Fri Aug 2 20:14:22 2024 +0200 > > xen: tolerate ACPI NVS memory overlapping with Xen allocated memory > > [ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ] For this patch to have the desired effect there are the following prerequisite patches missing: c4498ae316da ("xen: move checks for e820 conflicts further up") 9221222c717d ("xen: allow mapping ACPI data using a different physical address") Please add those to the stable trees, too. Juergen

8 months

2
1
0 0

[PATCH 5.10.y] mptcp: fix sometimes-uninitialized warning

by Matthieu Baerts (NGI0)

Nathan reported this issue: $ make -skj"$(nproc)" ARCH=x86_64 LLVM=1 LLVM_IAS=1 mrproper allmodconfig net/mptcp/subflow.o net/mptcp/subflow.c:877:6: warning: variable 'incr' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] 877 | if (WARN_ON_ONCE(offset > skb->len)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/asm-generic/bug.h:101:33: note: expanded from macro 'WARN_ON_ONCE' 101 | #define WARN_ON_ONCE(condition) ({ \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 102 | int __ret_warn_on = !!(condition); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 103 | if (unlikely(__ret_warn_on)) \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 104 | __WARN_FLAGS(BUGFLAG_ONCE | \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 105 | BUGFLAG_TAINT(TAINT_WARN)); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 106 | unlikely(__ret_warn_on); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 107 | }) | ~~ net/mptcp/subflow.c:893:6: note: uninitialized use occurs here 893 | if (incr) | ^~~~ net/mptcp/subflow.c:877:2: note: remove the 'if' if its condition is always false 877 | if (WARN_ON_ONCE(offset > skb->len)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 878 | goto out; | ~~~~~~~~ net/mptcp/subflow.c:874:18: note: initialize the variable 'incr' to silence this warning 874 | u32 offset, incr, avail_len; | ^ | = 0 1 warning generated. As mentioned by Nathan, this issue is present because 5.10 does not include commit ea4ca586b16f ("mptcp: refine MPTCP-level ack scheduling"), which removed the use of 'incr' in the error path added by this change. This other commit does not really look suitable for stable, hence this dedicated patch for 5.10. Fixes: e93fa44f0714 ("mptcp: fix duplicate data handling") Reported-by: Nathan Chancellor <nathan(a)kernel.org> Closes: https://lore.kernel.org/20240928175524.GA1713144@thelio-3990X Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/subflow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 8a0ef50c307c..843c61ebd421 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -871,7 +871,7 @@ static void mptcp_subflow_discard_data(struct sock *ssk, struct sk_buff *skb, struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN; struct tcp_sock *tp = tcp_sk(ssk); - u32 offset, incr, avail_len; + u32 offset, incr = 0, avail_len; offset = tp->copied_seq - TCP_SKB_CB(skb)->seq; if (WARN_ON_ONCE(offset > skb->len)) -- 2.45.2

8 months

2
1
0 0

[PATCH 5.10 v2 0/3] Re-adapt "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches"

by Pu Lehui

Commit 70294d8bc31f ("bpf: Eliminate rlimit-based memory accounting for devmap maps") relies on the v5.11+ basic mechanism of memcg-based memory accounting [0]. The commit cannot be independently backported to the 5.10 stable branch, otherwise the related memory when creating devmap will be unrestricted and the associated bpf selftest map_ptr will fail. Let's roll back to rlimit-based memory accounting mode for devmap and re-adapt the commit 225da02acdc9 ("bpf: Fix DEVMAP_HASH overflow check on 32-bit arches") to the 5.10 stable branch. Link: https://lore.kernel.org/bpf/20201201215900.3569844-1-guro@fb.com [0] Pu Lehui (2): Revert "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches" Revert "bpf: Eliminate rlimit-based memory accounting for devmap maps" Toke Høiland-Jørgensen (1): bpf: Fix DEVMAP_HASH overflow check on 32-bit arches kernel/bpf/devmap.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) -- 2.34.1

8 months

2
4
0 0

[PATCH 5.10.y 0/3] x86: Complete backports for x86_match_cpu()

by Ricardo Neri

Hi, Upstream commit 93022482b294 ("x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL") introduced a flags member to struct x86_cpu_id. Bit 0 of x86_cpu.id.flags must be set to 1 for x86_match_cpu() to work correctly. This upstream commit has been backported to 5.10.y. Callers that use the X86_MATCH_*() family of macros to compose the argument of x86_match_cpu() function correctly. Callers that use their own custom mechanisms may not work if they fail to set x86_cpu_id.flags correctly. There are three remaining callers in 5.10.y that use their own mechanisms: a) setup_pcid(), b) rapl_msr_probe(), and c) goodix_add_acpi_gpio_ mappings(). a) caused a regression that Thomas Lindroth reported in [1]. b) works by luck but it still populates its x86_cpu_id[] array incorrectly. I am not aware of any reports on c), but inspecting the code reveals that it will fail to identify INTEL_FAM6_ATOM_SILVERMONT for the reason described above. I backported three patches that fix these bugs in mainline. Hopefully the authors and/or maintainers can ack the backports? I tested patches 2/3 and 3/3 on Tiger Lake, Alder Lake, and Meteor Lake systems as the two involved callers behave differently on these systems. I wrote the testing details in each patch separately. I could not test patch 1/3 because I do not have access to Bay Trail hardware. Thanks and BR, Ricardo [1]. https://lore.kernel.org/all/eb709d67-2a8d-412f-905d-f3777d897bfa@gmail.com/ Hans de Goede (1): Input: goodix - use the new soc_intel_is_byt() helper Sumeet Pawnikar (1): powercap: RAPL: fix invalid initialization for pl4_supported field Tony Luck (1): x86/mm: Switch to new Intel CPU model defines arch/x86/mm/init.c | 16 ++++++---------- drivers/input/touchscreen/goodix.c | 18 ++---------------- drivers/powercap/intel_rapl_msr.c | 2 +- 3 files changed, 9 insertions(+), 27 deletions(-) -- 2.34.1

8 months

2
4
0 0

Fix regression from "drm/amd/display: Fix MST BW calculation Regression"

by Mario Limonciello

Hello, The commit 338567d17627 ("drm/amd/display: Fix MST BW calculation Regression") caused a regression with some MST displays due to a mistake. For 6.11.y here is the series of commits that fixes it: commit 4599aef0c97b ("drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination") commit ecc4038ec1de ("drm/amd/display: Add DSC Debug Log") commit b2b4afb9cf07 ("drm/amdgpu/display: Fix a mistake in revert commit") Can you please bring them back to 6.11.y? Thanks!

8 months

2
3
0 0

FAILED: patch "[PATCH] mm: call the security_mmap_file() LSM hook in" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100103-banish-batboy-00df@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") 592b5fad1677 ("mm: Re-introduce vm_flags to do_mmap()") 183654ce26a5 ("mmap: change do_mas_munmap and do_mas_aligned_munmap() to use vma iterator") 0378c0a0e9e4 ("mm/mmap: remove preallocation from do_mas_align_munmap()") 92fed82047d7 ("mm/mmap: convert brk to use vma iterator") baabcfc93d3b ("mm/mmap: fix typo in comment") c5d5546ea065 ("maple_tree: remove the parameter entry of mas_preallocate") 675eaca1f441 ("mm/mmap: properly unaccount memory on mas_preallocate() failure") 6c28ca6485dd ("mmap: fix do_brk_flags() modifying obviously incorrect VMAs") f5ad5083404b ("mm: do not BUG_ON missing brk mapping, because userspace can unmap it") cc674ab3c018 ("mm/mmap: fix memory leak in mmap_region()") 120b116208a0 ("maple_tree: reorganize testing to restore module testing") a57b70519d1f ("mm/mmap: fix MAP_FIXED address return on VMA merge") 5789151e48ac ("mm/mmap: undo ->mmap() when mas_preallocate() fails") deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") 28c5609fb236 ("mm/mmap: preallocate maple nodes for brk vma expansion") 763ecb035029 ("mm: remove the vma linked list") 8220543df148 ("nommu: remove uses of VMA linked list") 67e7c16764c3 ("mm/mmap: change do_brk_munmap() to use do_mas_align_munmap()") 11f9a21ab655 ("mm/mmap: reorganize munmap to use maple states") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001 From: Shu Han <ebpqwerty472123(a)gmail.com> Date: Tue, 17 Sep 2024 17:41:04 +0800 Subject: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) Link: https://project-zero.issues.chromium.org/issues/42452389 [1] Cc: stable(a)vger.kernel.org Signed-off-by: Shu Han <ebpqwerty472123(a)gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> [PM: subject line tweaks] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/mm/mmap.c b/mm/mmap.c index d0dfc85b209b..18fddcce03b8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3198,8 +3198,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, flags |= MAP_LOCKED; file = get_file(vma->vm_file); + ret = security_mmap_file(vma->vm_file, prot, flags); + if (ret) + goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); +out_fput: fput(file); out: mmap_write_unlock(mm);

8 months

1
0
0 0

FAILED: patch "[PATCH] mm: call the security_mmap_file() LSM hook in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100157-unpeeled-surprise-8138@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") 592b5fad1677 ("mm: Re-introduce vm_flags to do_mmap()") 183654ce26a5 ("mmap: change do_mas_munmap and do_mas_aligned_munmap() to use vma iterator") 0378c0a0e9e4 ("mm/mmap: remove preallocation from do_mas_align_munmap()") 92fed82047d7 ("mm/mmap: convert brk to use vma iterator") baabcfc93d3b ("mm/mmap: fix typo in comment") c5d5546ea065 ("maple_tree: remove the parameter entry of mas_preallocate") 675eaca1f441 ("mm/mmap: properly unaccount memory on mas_preallocate() failure") 6c28ca6485dd ("mmap: fix do_brk_flags() modifying obviously incorrect VMAs") f5ad5083404b ("mm: do not BUG_ON missing brk mapping, because userspace can unmap it") cc674ab3c018 ("mm/mmap: fix memory leak in mmap_region()") 120b116208a0 ("maple_tree: reorganize testing to restore module testing") a57b70519d1f ("mm/mmap: fix MAP_FIXED address return on VMA merge") 5789151e48ac ("mm/mmap: undo ->mmap() when mas_preallocate() fails") deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") 28c5609fb236 ("mm/mmap: preallocate maple nodes for brk vma expansion") 763ecb035029 ("mm: remove the vma linked list") 8220543df148 ("nommu: remove uses of VMA linked list") 67e7c16764c3 ("mm/mmap: change do_brk_munmap() to use do_mas_align_munmap()") 11f9a21ab655 ("mm/mmap: reorganize munmap to use maple states") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001 From: Shu Han <ebpqwerty472123(a)gmail.com> Date: Tue, 17 Sep 2024 17:41:04 +0800 Subject: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) Link: https://project-zero.issues.chromium.org/issues/42452389 [1] Cc: stable(a)vger.kernel.org Signed-off-by: Shu Han <ebpqwerty472123(a)gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> [PM: subject line tweaks] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/mm/mmap.c b/mm/mmap.c index d0dfc85b209b..18fddcce03b8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3198,8 +3198,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, flags |= MAP_LOCKED; file = get_file(vma->vm_file); + ret = security_mmap_file(vma->vm_file, prot, flags); + if (ret) + goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); +out_fput: fput(file); out: mmap_write_unlock(mm);

8 months

1
0
0 0

FAILED: patch "[PATCH] mm: call the security_mmap_file() LSM hook in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100151-evolution-apache-87b3@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") 592b5fad1677 ("mm: Re-introduce vm_flags to do_mmap()") 183654ce26a5 ("mmap: change do_mas_munmap and do_mas_aligned_munmap() to use vma iterator") 0378c0a0e9e4 ("mm/mmap: remove preallocation from do_mas_align_munmap()") 92fed82047d7 ("mm/mmap: convert brk to use vma iterator") baabcfc93d3b ("mm/mmap: fix typo in comment") c5d5546ea065 ("maple_tree: remove the parameter entry of mas_preallocate") 675eaca1f441 ("mm/mmap: properly unaccount memory on mas_preallocate() failure") 6c28ca6485dd ("mmap: fix do_brk_flags() modifying obviously incorrect VMAs") f5ad5083404b ("mm: do not BUG_ON missing brk mapping, because userspace can unmap it") cc674ab3c018 ("mm/mmap: fix memory leak in mmap_region()") 120b116208a0 ("maple_tree: reorganize testing to restore module testing") a57b70519d1f ("mm/mmap: fix MAP_FIXED address return on VMA merge") 5789151e48ac ("mm/mmap: undo ->mmap() when mas_preallocate() fails") deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") 28c5609fb236 ("mm/mmap: preallocate maple nodes for brk vma expansion") 763ecb035029 ("mm: remove the vma linked list") 8220543df148 ("nommu: remove uses of VMA linked list") 67e7c16764c3 ("mm/mmap: change do_brk_munmap() to use do_mas_align_munmap()") 11f9a21ab655 ("mm/mmap: reorganize munmap to use maple states") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001 From: Shu Han <ebpqwerty472123(a)gmail.com> Date: Tue, 17 Sep 2024 17:41:04 +0800 Subject: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) Link: https://project-zero.issues.chromium.org/issues/42452389 [1] Cc: stable(a)vger.kernel.org Signed-off-by: Shu Han <ebpqwerty472123(a)gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> [PM: subject line tweaks] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/mm/mmap.c b/mm/mmap.c index d0dfc85b209b..18fddcce03b8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3198,8 +3198,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, flags |= MAP_LOCKED; file = get_file(vma->vm_file); + ret = security_mmap_file(vma->vm_file, prot, flags); + if (ret) + goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); +out_fput: fput(file); out: mmap_write_unlock(mm);

8 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2024