From: Greg Kroah-Hartman
Date: Mon, 27 Nov 2017 12:40:57 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.85~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=027d2bbca13649426f0bd82fd2e31c8b51903094;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
arm64-implement-arch-specific-pte_access_permitted.patch
mips-ralink-fix-mt7628-pinmux.patch
mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
x86-decoder-add-new-test-instruction-pattern.patch
x86-entry-64-add-missing-irqflags-tracing-to-native_load_gs_index.patch
---
diff --git a/queue-4.9/arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch b/queue-4.9/arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
new file mode 100644
index 00000000000..20e78a89f83
--- /dev/null
+++ b/queue-4.9/arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
@@ -0,0 +1,55 @@
+From 3b0c0c922ff4be275a8beb87ce5657d16f355b54 Mon Sep 17 00:00:00 2001
+From: Philip Derrin
+Date: Tue, 14 Nov 2017 00:55:26 +0100
+Subject: ARM: 8721/1: mm: dump: check hardware RO bit for LPAE
+
+From: Philip Derrin
+
+commit 3b0c0c922ff4be275a8beb87ce5657d16f355b54 upstream.
+
+When CONFIG_ARM_LPAE is set, the PMD dump relies on the software
+read-only bit to determine whether a page is writable. This
+concealed a bug which left the kernel text section writable
+(AP2=0) while marked read-only in the software bit.
+
+In a kernel with the AP2 bug, the dump looks like this:
+
+ ---[ Kernel Mapping ]---
+ 0xc0000000-0xc0200000 2M RW NX SHD
+ 0xc0200000-0xc0600000 4M ro x SHD
+ 0xc0600000-0xc0800000 2M ro NX SHD
+ 0xc0800000-0xc4800000 64M RW NX SHD
+
+The fix is to check that the software and hardware bits are both
+set before displaying "ro". The dump then shows the true perms:
+
+ ---[ Kernel Mapping ]---
+ 0xc0000000-0xc0200000 2M RW NX SHD
+ 0xc0200000-0xc0600000 4M RW x SHD
+ 0xc0600000-0xc0800000 2M RW NX SHD
+ 0xc0800000-0xc4800000 64M RW NX SHD
+
+Fixes: ded947798469 ("ARM: 8109/1: mm: Modify pte_write and pmd_write logic for LPAE")
+Signed-off-by: Philip Derrin
+Tested-by: Neil Dick
+Reviewed-by: Kees Cook
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mm/dump.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/dump.c
++++ b/arch/arm/mm/dump.c
+@@ -126,8 +126,8 @@ static const struct prot_bits section_bi
+ .val = PMD_SECT_USER,
+ .set = "USR",
+ }, {
+- .mask = L_PMD_SECT_RDONLY,
+- .val = L_PMD_SECT_RDONLY,
++ .mask = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
++ .val = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
+ .set = "ro",
+ .clear = "RW",
+ #elif __LINUX_ARM_ARCH__ >= 6
diff --git a/queue-4.9/arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch b/queue-4.9/arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
new file mode 100644
index 00000000000..28cf25d69b7
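Review bot: With `.mask` and `.val` both widened to `L_PMD_SECT_RDONLY | PMD_SECT_AP2`, the section_bits entry reports "RW" for any mapping where either bit is clear, so a PMD that has AP2 set but the software bit clear is shown as writable even though the hardware enforces read-only — if dump_prot() picks `.clear` whenever `(prot & mask) != val`, as the set/clear pair suggests, the dump cannot separate that inconsistent state from a genuinely writable section. That is the right trade-off for the stated goal (never print "ro" without hardware backing), but it is not obvious from the table, so a comment on the entry such as `/* "ro" only when both the software and the hardware (AP2) RO bits are set */` would keep the next reader from assuming the column reflects the software bit alone. The `prot_bits` table continues outside the hunk, so whether AP2 is also exposed on its own elsewhere is not visible here.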
--- /dev/null
+++ b/queue-4.9/arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
@@ -0,0 +1,48 @@
+From 400eeffaffc7232c0ae1134fe04e14ae4fb48d8c Mon Sep 17 00:00:00 2001
+From: Philip Derrin
+Date: Tue, 14 Nov 2017 00:55:25 +0100
+Subject: ARM: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE
+
+From: Philip Derrin
+
+commit 400eeffaffc7232c0ae1134fe04e14ae4fb48d8c upstream.
+
+Currently, for ARM kernels with CONFIG_ARM_LPAE and
+CONFIG_STRICT_KERNEL_RWX enabled, the 2MiB pages mapping the
+kernel code and rodata are writable. They are marked read-only in
+a software bit (L_PMD_SECT_RDONLY) but the hardware read-only bit
+is not set (PMD_SECT_AP2).
+
+For user mappings, the logic that propagates the software bit
+to the hardware bit is in set_pmd_at(); but for the kernel,
+section_update() writes the PMDs directly, skipping this logic.
+
+The fix is to set PMD_SECT_AP2 for read-only sections in
+section_update(), at the same time as L_PMD_SECT_RDONLY.
+
+Fixes: 1e3479225acb ("ARM: 8275/1: mm: fix PMD_SECT_RDONLY undeclared compile error")
+Signed-off-by: Philip Derrin
+Reported-by: Neil Dick
+Tested-by: Neil Dick
+Tested-by: Laura Abbott
+Reviewed-by: Kees Cook
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mm/init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/init.c
++++ b/arch/arm/mm/init.c
+@@ -619,8 +619,8 @@ static struct section_perm ro_perms[] =
+ .start = (unsigned long)_stext,
+ .end = (unsigned long)__init_begin,
+ #ifdef CONFIG_ARM_LPAE
+- .mask = ~L_PMD_SECT_RDONLY,
+- .prot = L_PMD_SECT_RDONLY,
++ .mask = ~(L_PMD_SECT_RDONLY | PMD_SECT_AP2),
++ .prot = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
+ #else
+ .mask = ~(PMD_SECT_APX | PMD_SECT_AP_WRITE),
+ .prot = PMD_SECT_APX | PMD_SECT_AP_WRITE,
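Review bot: The LPAE entry in `ro_perms` now sets both RO bits in `.prot` and strips both in `.mask`, but the hunk shows no `.clear` member for the LPAE branch, so restoring write access presumably relies on a zero-initialised `.clear` being OR-ed in after the mask has removed both `L_PMD_SECT_RDONLY` and `PMD_SECT_AP2`; that is correct only because the mask was widened in the same change, and a comment such as `/* .clear stays 0: dropping both RO bits makes the section RW again */` would make the coupling explicit. The initialiser continues past the end of the hunk, so the non-LPAE `.clear` value is not visible here. For the backport it is worth confirming on the 4.9 tree that every path that flips kernel text permissions goes through `section_update()` with this table, since any caller writing `L_PMD_SECT_RDONLY` on its own would still leave AP2 clear.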
diff --git a/queue-4.9/arm64-implement-arch-specific-pte_access_permitted.patch b/queue-4.9/arm64-implement-arch-specific-pte_access_permitted.patch
new file mode 100644
index 00000000000..3dfaf4e5205
--- /dev/null
+++ b/queue-4.9/arm64-implement-arch-specific-pte_access_permitted.patch
@@ -0,0 +1,59 @@
+From 6218f96c58dbf44a06aeaf767aab1f54fc397838 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas
+Date: Thu, 26 Oct 2017 18:36:47 +0100
+Subject: arm64: Implement arch-specific pte_access_permitted()
+
+From: Catalin Marinas
+
+commit 6218f96c58dbf44a06aeaf767aab1f54fc397838 upstream.
+
+The generic pte_access_permitted() implementation only checks for
+pte_present() (together with the write permission where applicable).
+However, for both kernel ptes and PROT_NONE mappings pte_present() also
+returns true on arm64 even though such mappings are not user accessible.
+Additionally, arm64 now supports execute-only user permission
+(PROT_EXEC) which is implemented by clearing the PTE_USER bit.
+
+With this patch the arm64 implementation of pte_access_permitted()
+checks for the PTE_VALID and PTE_USER bits together with writable access
+if applicable.
+
+Reported-by: Al Viro
+Signed-off-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/pgtable.h | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -91,6 +91,8 @@ extern unsigned long empty_zero_page[PAG
+ ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN))
+ #define pte_valid_young(pte) \
+ ((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF))
++#define pte_valid_user(pte) \
++ ((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER))
+
+ /*
+ * Could the pte be present in the TLB? We must check mm_tlb_flush_pending
+@@ -100,6 +102,18 @@ extern unsigned long empty_zero_page[PAG
+ #define pte_accessible(mm, pte) \
+ (mm_tlb_flush_pending(mm) ? pte_present(pte) : pte_valid_young(pte))
+
++/*
++ * p??_access_permitted() is true for valid user mappings (subject to the
++ * write permission check) other than user execute-only which do not have the
++ * PTE_USER bit set. PROT_NONE mappings do not have the PTE_VALID bit set.
++ */
++#define pte_access_permitted(pte, write) \
++ (pte_valid_user(pte) && (!(write) || pte_write(pte)))
++#define pmd_access_permitted(pmd, write) \
++ (pte_access_permitted(pmd_pte(pmd), (write)))
++#define pud_access_permitted(pud, write) \
++ (pte_access_permitted(pud_pte(pud), (write)))
++
+ static inline pte_t clear_pte_bit(pte_t pte, pgprot_t prot)
+ {
+ pte_val(pte) &= ~pgprot_val(prot);
diff --git a/queue-4.9/mips-ralink-fix-mt7628-pinmux.patch b/queue-4.9/mips-ralink-fix-mt7628-pinmux.patch
new file mode 100644
index 00000000000..59aac82e18d
--- /dev/null
+++ b/queue-4.9/mips-ralink-fix-mt7628-pinmux.patch
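Review bot: `pte_access_permitted()` evaluates its `pte` argument twice — once through `pte_valid_user()` and again through `pte_write()` — so, unlike the `static inline` helpers such as `clear_pte_bit()` right below it, it is unsafe for a caller that passes an expression with side effects, and `pmd_access_permitted()`/`pud_access_permitted()` inherit that by expanding `pmd_pte(pmd)`/`pud_pte(pud)` into it; an inline function with the same name and contract would remove the hazard without changing callers. For a stable backport it is also worth confirming that the 4.9 asm-generic header only supplies its default `pte_access_permitted()` under `#ifndef`, since otherwise this arch override is never used; nothing in the hunk shows the generic side. The comment block above the macros is good, but it would help to state that the kernel-pte and execute-only cases both fail the `PTE_USER` test rather than leaving that to the commit message.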
@@ -0,0 +1,38 @@
+From 8ef4b43cd3794d63052d85898e42424fd3b14d24 Mon Sep 17 00:00:00 2001
+From: Mathias Kresin
+Date: Thu, 11 May 2017 08:11:14 +0200
+Subject: MIPS: ralink: Fix MT7628 pinmux
+
+From: Mathias Kresin
+
+commit 8ef4b43cd3794d63052d85898e42424fd3b14d24 upstream.
+
+According to the datasheet the REFCLK pin is shared with GPIO#37 and
+the PERST pin is shared with GPIO#36.
+
+Fixes: 53263a1c6852 ("MIPS: ralink: add mt7628an support")
+Signed-off-by: Mathias Kresin
+Acked-by: John Crispin
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16046/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/ralink/mt7620.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -141,8 +141,8 @@ static struct rt2880_pmx_func i2c_grp_mt
+ FUNC("i2c", 0, 4, 2),
+ };
+
+-static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 36, 1) };
+-static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 37, 1) };
++static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 37, 1) };
++static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 36, 1) };
+ static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 38, 1) };
+ static struct rt2880_pmx_func spi_grp_mt7628[] = { FUNC("spi", 0, 7, 4) };
+
diff --git a/queue-4.9/mips-ralink-fix-typo-in-mt7628-pinmux-function.patch b/queue-4.9/mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
new file mode 100644
index 00000000000..3bc491c17a9
--- /dev/null
+++ b/queue-4.9/mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
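Review bot: The new side still carries the misspelt function name `"reclk"` on the `refclk_grp_mt7628` line, and the next patch in this commit (`mips-ralink-fix-typo-in-mt7628-pinmux-function.patch`) uses exactly this line — with GPIO 37 — as its removed context, so the two patches only apply in the order `series` lists them; a short note in this patch's stable header, e.g. `[stable note: must precede mips-ralink-fix-typo-in-mt7628-pinmux-function.patch]`, would make the dependency visible to anyone reordering or dropping one of them. The swap itself is a plain constant change and the surrounding pinmux group table lies outside the hunk, so there is nothing else to check here.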
@@ -0,0 +1,36 @@
+From 05a67cc258e75ac9758e6f13d26337b8be51162a Mon Sep 17 00:00:00 2001
+From: Mathias Kresin
+Date: Thu, 11 May 2017 08:11:15 +0200
+Subject: MIPS: ralink: Fix typo in mt7628 pinmux function
+
+From: Mathias Kresin
+
+commit 05a67cc258e75ac9758e6f13d26337b8be51162a upstream.
+
+There is a typo inside the pinmux setup code. The function is called
+refclk and not reclk.
+
+Fixes: 53263a1c6852 ("MIPS: ralink: add mt7628an support")
+Signed-off-by: Mathias Kresin
+Acked-by: John Crispin
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16047/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/ralink/mt7620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -141,7 +141,7 @@ static struct rt2880_pmx_func i2c_grp_mt
+ FUNC("i2c", 0, 4, 2),
+ };
+
+-static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 37, 1) };
++static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("refclk", 0, 37, 1) };
+ static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 36, 1) };
+ static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 38, 1) };
+ static struct rt2880_pmx_func spi_grp_mt7628[] = { FUNC("spi", 0, 7, 4) };
diff --git a/queue-4.9/series b/queue-4.9/series
index 5da297831a6..6debcbdddb3 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
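Review bot: Renaming the pinmux function string from `"reclk"` to `"refclk"` changes a value that, if the rt2880 pinmux driver matches it against the `function` property of device-tree pinctrl nodes as the rest of the `FUNC()` table suggests, is visible outside the kernel: a board DTS that selects `"reclk"` will stop matching after this backport, and the pin will keep whatever default mux the boot loader left. The upstream fix is correct, but for a stable release it would help to flag the user-visible rename in the patch header, e.g. `[stable note: DT pinmux function name changes from "reclk" to "refclk"]`, so distributions carrying out-of-tree board files can grep for it.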
@@ -8,3 +8,10 @@ ipv6-only-call-ip6_route_dev_notify-once-for-netdev_unregister.patch
 vsock-use-new-wait-api-for-vsock_stream_sendmsg.patch
 sched-make-resched_cpu-unconditional.patch
 lib-mpi-call-cond_resched-from-mpi_powm-loop.patch
+x86-decoder-add-new-test-instruction-pattern.patch
+x86-entry-64-add-missing-irqflags-tracing-to-native_load_gs_index.patch
+arm64-implement-arch-specific-pte_access_permitted.patch
+arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
+arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
+mips-ralink-fix-mt7628-pinmux.patch
+mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
diff --git a/queue-4.9/x86-decoder-add-new-test-instruction-pattern.patch b/queue-4.9/x86-decoder-add-new-test-instruction-pattern.patch
new file mode 100644
index 00000000000..c97946e71da
--- /dev/null
+++ b/queue-4.9/x86-decoder-add-new-test-instruction-pattern.patch
@@ -0,0 +1,58 @@
+From 12a78d43de767eaf8fb272facb7a7b6f2dc6a9df Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Fri, 24 Nov 2017 13:56:30 +0900
+Subject: x86/decoder: Add new TEST instruction pattern
+
+From: Masami Hiramatsu
+
+commit 12a78d43de767eaf8fb272facb7a7b6f2dc6a9df upstream.
+
+The kbuild test robot reported this build warning:
+
+ Warning: arch/x86/tools/test_get_len found difference at :ffffffff8103dd2c
+
+ Warning: ffffffff8103dd82: f6 09 d8 testb $0xd8,(%rcx)
+ Warning: objdump says 3 bytes, but insn_get_length() says 2
+ Warning: decoded and checked 1569014 instructions with 1 warnings
+
+This sequence seems to be a new instruction not in the opcode map in the Intel SDM.
+
+The instruction sequence is "F6 09 d8", means Group3(F6), MOD(00)REG(001)RM(001), and 0xd8.
+Intel SDM vol2 A.4 Table A-6 said the table index in the group is "Encoding of Bits 5,4,3 of
+the ModR/M Byte (bits 2,1,0 in parenthesis)"
+
+In that table, opcodes listed by the index REG bits as:
+
+ 000 001 010 011 100 101 110 111
+ TEST Ib/Iz,(undefined),NOT,NEG,MUL AL/rAX,IMUL AL/rAX,DIV AL/rAX,IDIV AL/rAX
+
+So, it seems TEST Ib is assigned to 001.
+
+Add the new pattern.
+
+Reported-by: kbuild test robot
+Signed-off-by: Masami Hiramatsu
+Cc: Greg Kroah-Hartman
+Cc: H. Peter Anvin
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/lib/x86-opcode-map.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -896,7 +896,7 @@ EndTable
+
+ GrpTable: Grp3_1
+ 0: TEST Eb,Ib
+-1:
++1: TEST Eb,Ib
+ 2: NOT Eb
+ 3: NEG Eb
+ 4: MUL AL,Eb
diff --git a/queue-4.9/x86-entry-64-add-missing-irqflags-tracing-to-native_load_gs_index.patch b/queue-4.9/x86-entry-64-add-missing-irqflags-tracing-to-native_load_gs_index.patch
new file mode 100644
index 00000000000..1d8010b6b74
--- /dev/null
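Review bot: The new `1: TEST Eb,Ib` entry in `Grp3_1` fills a slot the SDM table lists as undefined, but nothing in the map records that it is an undocumented alias of `/0` rather than a documented encoding, so the next reader will assume it came from the manual; the map file accepts `#` comments, and a line such as `# /1 is an undocumented alias of /0 (TEST Eb,Ib); not in SDM Table A-6` beside the entry would preserve the reasoning that currently lives only in the commit message. The F7 group table (`Grp3_2`) is not touched here; if it has the same empty `/1` slot the same question arises for `TEST Ev,Iz`, but that should be confirmed with the decoder self-test rather than assumed. Getting this wrong matters for the kernel's own instruction decoder (kprobes, the oops disassembler), where a length mismatch on a real instruction is worse than a missing mnemonic.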
+++ b/queue-4.9/x86-entry-64-add-missing-irqflags-tracing-to-native_load_gs_index.patch 
@@ -0,0 +1,95 @@
+From ca37e57bbe0cf1455ea3e84eb89ed04a132d59e1 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Wed, 22 Nov 2017 20:39:16 -0800
+Subject: x86/entry/64: Add missing irqflags tracing to native_load_gs_index()
+
+From: Andy Lutomirski
+
+commit ca37e57bbe0cf1455ea3e84eb89ed04a132d59e1 upstream.
+
+Running this code with IRQs enabled (where dummy_lock is a spinlock):
+
+static void check_load_gs_index(void)
+{
+ /* This will fail. */
+ load_gs_index(0xffff);
+
+ spin_lock(&dummy_lock);
+ spin_unlock(&dummy_lock);
+}
+
+Will generate a lockdep warning. The issue is that the actual write
+to %gs would cause an exception with IRQs disabled, and the exception
+handler would, as an inadvertent side effect, update irqflag tracing
+to reflect the IRQs-off status. native_load_gs_index() would then
+turn IRQs back on and return with irqflag tracing still thinking that
+IRQs were off. The dummy lock-and-unlock causes lockdep to notice the
+error and warn.
+
+Fix it by adding the missing tracing.
+
+Apparently nothing did this in a context where it mattered. I haven't
+tried to find a code path that would actually exhibit the warning if
+appropriately nasty user code were running.
+
+I suspect that the security impact of this bug is very, very low --
+production systems don't run with lockdep enabled, and the warning is
+mostly harmless anyway.
+
+Found during a quick audit of the entry code to try to track down an
+unrelated bug that Ingo found in some still-in-development code.
+
+Signed-off-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Dave Hansen
+Cc: Josh Poimboeuf
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/e1aeb0e6ba8dd430ec36c8a35e63b429698b4132.1511411918.git.luto@kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/entry/entry_64.S | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -54,15 +54,19 @@ ENTRY(native_usergs_sysret64)
+ ENDPROC(native_usergs_sysret64)
+ #endif /* CONFIG_PARAVIRT */
+
+-.macro TRACE_IRQS_IRETQ
++.macro TRACE_IRQS_FLAGS flags:req
+ #ifdef CONFIG_TRACE_IRQFLAGS
+- bt $9, EFLAGS(%rsp) /* interrupts off? */
++ bt $9, \flags /* interrupts off? */
+ jnc 1f
+ TRACE_IRQS_ON
+ 1:
+ #endif
+ .endm
+
++.macro TRACE_IRQS_IRETQ
++ TRACE_IRQS_FLAGS EFLAGS(%rsp)
++.endm
++
+ /*
+ * When dynamic function tracer is enabled it will add a breakpoint
+ * to all locations that it is about to modify, sync CPUs, update
+@@ -868,11 +872,13 @@ idtentry simd_coprocessor_error do_simd
+ ENTRY(native_load_gs_index)
+ pushfq
+ DISABLE_INTERRUPTS(CLBR_ANY & ~CLBR_RDI)
++ TRACE_IRQS_OFF
+ SWAPGS
+ .Lgs_change:
+ movl %edi, %gs
+ 2: ALTERNATIVE "", "mfence", X86_BUG_SWAPGS_FENCE
+ SWAPGS
++ TRACE_IRQS_FLAGS (%rsp)
+ popfq
+ ret
+ END(native_load_gs_index)
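Review bot: The new `TRACE_IRQS_FLAGS` macro is one-directional — it calls `TRACE_IRQS_ON` when bit 9 of `\flags` is set and does nothing otherwise — so it silently assumes the tracing state is already "off" at the call site; that holds for both users in this hunk (`native_load_gs_index` has just executed the added `TRACE_IRQS_OFF`, and `TRACE_IRQS_IRETQ` presumably runs after the exception entry turned tracing off), but the precondition is not stated anywhere. A comment above the macro, e.g. `/* Re-enable irqflag tracing if IF is set in \flags. Caller must have tracing in the IRQs-off state already. */`, would stop a future caller from using it to synchronise tracing in the other direction. In `native_load_gs_index` the `(%rsp)` operand is the correct source because it is the value saved by `pushfq` before `DISABLE_INTERRUPTS` cleared the live flag, and it is consumed by the `popfq` that follows; the fixup path that returns to label `2:` after a faulting `movl %edi, %gs` is outside the hunk, so whether it also lands with tracing in a consistent state is not verifiable here.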