From: Greg Kroah-Hartman Date: Mon, 12 Jun 2017 07:54:13 +0000 (+0200) Subject: 4.11-stable patches X-Git-Tag: v3.18.57~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=049e0fea9161ad54fa5fcb08f8ba8357239ab0dd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.11-stable patches added patches: arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch crypto-drbg-wait-for-crypto-op-not-signal-safe.patch crypto-gcm-wait-for-crypto-op-not-signal-safe.patch drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch efi-don-t-issue-error-message-when-booted-under-xen.patch gfs2-make-flush-bios-explicitely-sync.patch keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch keys-fix-dereferencing-null-payload-with-nonzero-length.patch keys-fix-freeing-uninitialized-memory-in-key_update.patch kthread-fix-use-after-free-if-kthread-fork-fails.patch nfsd4-fix-null-dereference-on-replay.patch ovl-fix-creds-leak-in-copy-up-error-path.patch --- diff --git a/queue-4.11/arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch b/queue-4.11/arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch new file mode 100644 index 00000000000..ddf3bb74c22 --- /dev/null +++ b/queue-4.11/arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch 
@@ -0,0 +1,74 @@ +From 791229f1d530a0f0a680a4c09f98199792485f33 Mon Sep 17 00:00:00 2001 +From: Murali Karicheri +Date: Wed, 29 Mar 2017 16:02:18 +0530 +Subject: ARM: dts: keystone-k2l: fix broken Ethernet due to disabled OSR + +From: Murali Karicheri + +commit 791229f1d530a0f0a680a4c09f98199792485f33 upstream. + +Ethernet networking on K2L has been broken since v4.11-rc1. This was +caused by commit 32a34441a9bd ("ARM: keystone: dts: fix netcp clocks +and add names"). This commit inadvertently moves on-chip static RAM +clock to the end of list of clocks provided for netcp. Since keystone +PM domain support does not have a list of recognized con_ids, only the +first clock in the list comes under runtime PM management. This means +the OSR (On-chip Static RAM) clock remains disabled and that broke +networking on K2L. + +The OSR is used by QMSS on K2L as an external linking RAM. However this +is a standalone RAM that can be used for non-QMSS usage (as well as from +DSP side). So add a SRAM device node for the same and add the OSR clock +to the node. + +Remove the now redundant OSR clock node from netcp. + +To manage all clocks defined for netCP's use by runtime PM needs keystone +generic power domain (genpd) driver support which is under works. +Meanwhile, this patch restores K2L networking and is correct irrespective +of any future genpd work since OSR is an independent module and not part +of NetCP anyway. 
+ +Signed-off-by: Murali Karicheri +Acked-by: Tero Kristo +[nsekhar@ti.com: commit message updates, port to latest mainline] +Signed-off-by: Sekhar Nori +Acked-by: Santosh Shilimkar +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/keystone-k2l-netcp.dtsi | 4 ++-- + arch/arm/boot/dts/keystone-k2l.dtsi | 8 ++++++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/keystone-k2l-netcp.dtsi ++++ b/arch/arm/boot/dts/keystone-k2l-netcp.dtsi +@@ -137,8 +137,8 @@ netcp: netcp@26000000 { + /* NetCP address range */ + ranges = <0 0x26000000 0x1000000>; + +- clocks = <&clkpa>, <&clkcpgmac>, <&chipclk12>, <&clkosr>; +- clock-names = "pa_clk", "ethss_clk", "cpts", "osr_clk"; ++ clocks = <&clkpa>, <&clkcpgmac>, <&chipclk12>; ++ clock-names = "pa_clk", "ethss_clk", "cpts"; + dma-coherent; + + ti,navigator-dmas = <&dma_gbe 0>, +--- a/arch/arm/boot/dts/keystone-k2l.dtsi ++++ b/arch/arm/boot/dts/keystone-k2l.dtsi +@@ -232,6 +232,14 @@ + }; + }; + ++ osr: sram@70000000 { ++ compatible = "mmio-sram"; ++ reg = <0x70000000 0x10000>; ++ #address-cells = <1>; ++ #size-cells = <1>; ++ clocks = <&clkosr>; ++ }; ++ + dspgpio0: keystone_dsp_gpio@02620240 { + compatible = "ti,keystone-dsp-gpio"; + gpio-controller; diff --git a/queue-4.11/crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch b/queue-4.11/crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch new file mode 100644 index 00000000000..391926af9c8 --- /dev/null +++ b/queue-4.11/crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch 
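Review bot: The new `osr: sram@70000000` node carries `#address-cells`/`#size-cells` but no `ranges` property, which the mmio-sram binding (as far as I recall its text; worth checking the binding doc shipped with this tree) lists as required in the sram node so that child regions translate to bus addresses. With no children it is harmless at runtime, but an empty `ranges;` would keep the node binding-clean and avoid a warning once dtc schema checks land. The node's real purpose — keeping `clkosr` enabled because the OSR is the QMSS external linking RAM — is only in the commit message; a `/* OSR: QMSS external linking RAM, node keeps clkosr enabled */` comment above the node would preserve that for the next person who wonders why an unused SRAM node exists.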
@@ -0,0 +1,36 @@
+From e68368aed56324e2e38d4f6b044bb8cf82077fc2 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef
+Date: Thu, 18 May 2017 16:29:23 +0300
+Subject: crypto: asymmetric_keys - handle EBUSY due to backlog correctly
+
+From: Gilad Ben-Yossef
+
+commit e68368aed56324e2e38d4f6b044bb8cf82077fc2 upstream.
+
+public_key_verify_signature() was passing the CRYPTO_TFM_REQ_MAY_BACKLOG
+flag to akcipher_request_set_callback() but was not handling correctly
+the case where a -EBUSY error could be returned from the call to
+crypto_akcipher_verify() if backlog was used, possibly casuing
+data corruption due to use-after-free of buffers.
+
+Resolve this by handling -EBUSY correctly.
+
+Signed-off-by: Gilad Ben-Yossef
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/public_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/public_key.c
++++ b/crypto/asymmetric_keys/public_key.c
+@@ -141,7 +141,7 @@ int public_key_verify_signature(const st
+ * signature and returns that to us.
+ */
+ ret = crypto_akcipher_verify(req);
+- if (ret == -EINPROGRESS) {
++ if ((ret == -EINPROGRESS) || (ret == -EBUSY)) {
+ wait_for_completion(&compl.completion);
+ ret = compl.err;
+ }
diff --git a/queue-4.11/crypto-drbg-wait-for-crypto-op-not-signal-safe.patch b/queue-4.11/crypto-drbg-wait-for-crypto-op-not-signal-safe.patch
new file mode 100644
index 00000000000..ef62b9c3d30
--- /dev/null
+++ b/queue-4.11/crypto-drbg-wait-for-crypto-op-not-signal-safe.patch
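Review bot: The added `ret == -EBUSY` arm is only safe if the completion callback registered via akcipher_request_set_callback() ignores the intermediate -EINPROGRESS notification the crypto core delivers when a backlogged request is dequeued and only signals `compl.completion` with the final status; that callback is outside the hunk and should be checked, since otherwise the wait returns early and `compl`/the signature buffers are reused while the hardware still owns them. A comment above the condition would pin this contract: `/* -EBUSY with MAY_BACKLOG means "queued": wait for the callback's final status, not the dequeue notification */`. Using the uninterruptible wait_for_completion() here is correct for the same reason the drbg/gcm patches in this batch give — an interruptible wait could return with DMA still in flight. public_key_verify_signature() begins and ends outside the hunk.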
@@ -0,0 +1,39 @@
+From a5dfefb1c3f3db81662556393fd9283511e08430 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef
+Date: Thu, 18 May 2017 16:29:24 +0300
+Subject: crypto: drbg - wait for crypto op not signal safe
+
+From: Gilad Ben-Yossef
+
+commit a5dfefb1c3f3db81662556393fd9283511e08430 upstream.
+
+drbg_kcapi_sym_ctr() was using wait_for_completion_interruptible() to
+wait for completion of async crypto op but if a signal occurs it
+may return before DMA ops of HW crypto provider finish, thus
+corrupting the output buffer.
+
+Resolve this by using wait_for_completion() instead.
+
+Reported-by: Eric Biggers
+Signed-off-by: Gilad Ben-Yossef
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/drbg.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1768,9 +1768,8 @@ static int drbg_kcapi_sym_ctr(struct drb
+ break;
+ case -EINPROGRESS:
+ case -EBUSY:
+- ret = wait_for_completion_interruptible(
+- &drbg->ctr_completion);
+- if (!ret && !drbg->ctr_async_err) {
++ wait_for_completion(&drbg->ctr_completion);
++ if (!drbg->ctr_async_err) {
+ reinit_completion(&drbg->ctr_completion);
+ break;
+ }
diff --git a/queue-4.11/crypto-gcm-wait-for-crypto-op-not-signal-safe.patch b/queue-4.11/crypto-gcm-wait-for-crypto-op-not-signal-safe.patch
new file mode 100644
index 00000000000..2d5dfbd4f28
--- /dev/null
+++ b/queue-4.11/crypto-gcm-wait-for-crypto-op-not-signal-safe.patch
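Review bot: On the async-error path the new code leaves `ret` holding the -EINPROGRESS/-EBUSY returned by crypto_skcipher_encrypt() rather than the real error in `drbg->ctr_async_err`; if the code after the hunk returns `ret` (the rest of the `switch` is outside the hunk, so this is inferred from the fall-through shape), the caller is told the operation is still in progress instead of why it failed. Adding `else ret = drbg->ctr_async_err;` after the wait fixes that, and note that `ctr_completion` is also not reinitialised on the error path, so a later call on the same state would presumably find it already completed. The move to wait_for_completion() is right: the hardware provider may still be DMAing into the output buffer, so the wait cannot be interruptible — a `/* not interruptible: HW may still write the output buffer */` comment would keep someone from "fixing" it back. drbg_kcapi_sym_ctr() begins and ends outside the hunk.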
@@ -0,0 +1,40 @@
+From f3ad587070d6bd961ab942b3fd7a85d00dfc934b Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef
+Date: Thu, 18 May 2017 16:29:25 +0300
+Subject: crypto: gcm - wait for crypto op not signal safe
+
+From: Gilad Ben-Yossef
+
+commit f3ad587070d6bd961ab942b3fd7a85d00dfc934b upstream.
+
+crypto_gcm_setkey() was using wait_for_completion_interruptible() to
+wait for completion of async crypto op but if a signal occurs it
+may return before DMA ops of HW crypto provider finish, thus
+corrupting the data buffer that is kfree'ed in this case.
+
+Resolve this by using wait_for_completion() instead.
+
+Reported-by: Eric Biggers
+Signed-off-by: Gilad Ben-Yossef
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/gcm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -152,10 +152,8 @@ static int crypto_gcm_setkey(struct cryp
+
+ err = crypto_skcipher_encrypt(&data->req);
+ if (err == -EINPROGRESS || err == -EBUSY) {
+- err = wait_for_completion_interruptible(
+- &data->result.completion);
+- if (!err)
+- err = data->result.err;
++ wait_for_completion(&data->result.completion);
++ err = data->result.err;
+ }
+
+ if (err)
diff --git a/queue-4.11/drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch b/queue-4.11/drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
new file mode 100644
index 00000000000..16d24118b46
--- /dev/null
+++ b/queue-4.11/drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
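Review bot: The reason the wait must be uninterruptible is not recorded in the code: `data` holds both the request and the completion and is freed after this block (per the commit message), so returning early on a signal would let the hardware DMA into freed memory — a use-after-free with attacker-influenced timing, not just corrupt output. A one-liner above the call, `/* must not be interruptible: the HW provider may still be writing into *data, which is freed below */`, keeps that from being "optimised" back. As with the other backlog fix in this batch, the `-EBUSY` arm also relies on the setkey completion callback swallowing the -EINPROGRESS dequeue notification; that callback is outside the hunk. crypto_gcm_setkey() begins and ends outside the hunk.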
@@ -0,0 +1,42 @@ +From 0a646f331db0eb9efc8d3a95a44872036d441d58 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 11 May 2017 13:10:02 -0400 +Subject: drm/amdgpu/ci: disable mclk switching for high refresh rates (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 0a646f331db0eb9efc8d3a95a44872036d441d58 upstream. + +Even if the vblank period would allow it, it still seems to +be problematic on some cards. + +v2: fix logic inversion (Nils) + +bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868 + +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/ci_dpm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/ci_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/ci_dpm.c +@@ -906,6 +906,12 @@ static bool ci_dpm_vblank_too_short(stru + u32 vblank_time = amdgpu_dpm_get_vblank_time(adev); + u32 switch_limit = adev->mc.vram_type == AMDGPU_VRAM_TYPE_GDDR5 ? 450 : 300; + ++ /* disable mclk switching if the refresh is >120Hz, even if the ++ * blanking period would allow it ++ */ ++ if (amdgpu_dpm_get_vrefresh(adev) > 120) ++ return true; ++ + if (vblank_time < switch_limit) + return true; + else diff --git a/queue-4.11/efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch b/queue-4.11/efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch new file mode 100644 index 00000000000..8cf3eef5a3b --- /dev/null +++ b/queue-4.11/efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch 
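Review bot: The new check hard-codes `120` as the refresh threshold while the existing `switch_limit` right above it is derived from a condition; a named constant, e.g. `#define CI_MCLK_SWITCH_MAX_VREFRESH 120` used as `if (amdgpu_dpm_get_vrefresh(adev) > CI_MCLK_SWITCH_MAX_VREFRESH)`, would make the policy greppable and stop the comment and the code drifting apart. The comment should also say the threshold is empirical ("problematic on some cards", per the commit message) so nobody later treats it as a derived limit. ci_dpm_vblank_too_short() ends outside the hunk.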
@@ -0,0 +1,60 @@ +From 7425826f4f7ac60f2538b06a7f0a5d1006405159 Mon Sep 17 00:00:00 2001 +From: Dave Young +Date: Fri, 26 May 2017 12:36:51 +0100 +Subject: efi/bgrt: Skip efi_bgrt_init() in case of non-EFI boot + +From: Dave Young + +commit 7425826f4f7ac60f2538b06a7f0a5d1006405159 upstream. + +Sabrina Dubroca reported an early panic: + + BUG: unable to handle kernel paging request at ffffffffff240001 + IP: efi_bgrt_init+0xdc/0x134 + + [...] + + ---[ end Kernel panic - not syncing: Attempted to kill the idle task! + +... which was introduced by: + + 7b0a911478c7 ("efi/x86: Move the EFI BGRT init code to early init code") + +The cause is that on this machine the firmware provides the EFI ACPI BGRT +table even on legacy non-EFI bootups - which table should be EFI only. + +The garbage BGRT data causes the efi_bgrt_init() panic. + +Add a check to skip efi_bgrt_init() in case non-EFI bootup to work around +this firmware bug. + +Tested-by: Sabrina Dubroca +Signed-off-by: Dave Young +Signed-off-by: Ard Biesheuvel +Signed-off-by: Matt Fleming +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 7b0a911478c7 ("efi/x86: Move the EFI BGRT init code to early init code") +Link: http://lkml.kernel.org/r/20170526113652.21339-6-matt@codeblueprint.co.uk +[ Rewrote the changelog to be more readable. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/platform/efi/efi-bgrt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/platform/efi/efi-bgrt.c ++++ b/arch/x86/platform/efi/efi-bgrt.c +@@ -36,6 +36,9 @@ void __init efi_bgrt_init(struct acpi_ta + if (acpi_disabled) + return; + ++ if (!efi_enabled(EFI_BOOT)) ++ return; ++ + if (table->length < sizeof(bgrt_tab)) { + pr_notice("Ignoring BGRT: invalid length %u (expected %zu)\n", + table->length, sizeof(bgrt_tab)); 
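Review bot: The new `!efi_enabled(EFI_BOOT)` guard has no comment, although the reason is a firmware quirk rather than anything a reader can infer from the function: some firmware exposes a BGRT table on a legacy boot and its image pointer is then garbage, which was the early-boot panic. Add `/* Some firmware exposes a BGRT table even on a non-EFI boot; its image address is meaningless then, so only trust the table on an EFI boot */` above the check. Ordering the guard after `acpi_disabled` but before the length check is fine, since the length check would not catch a well-formed table with a bogus address. efi_bgrt_init() continues outside the hunk.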
diff --git a/queue-4.11/efi-don-t-issue-error-message-when-booted-under-xen.patch b/queue-4.11/efi-don-t-issue-error-message-when-booted-under-xen.patch new file mode 100644 index 00000000000..b6d1acaa9e5 --- /dev/null +++ b/queue-4.11/efi-don-t-issue-error-message-when-booted-under-xen.patch @@ -0,0 +1,41 @@ +From 1ea34adb87c969b89dfd83f1905a79161e9ada26 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 26 May 2017 12:36:47 +0100 +Subject: efi: Don't issue error message when booted under Xen + +From: Juergen Gross + +commit 1ea34adb87c969b89dfd83f1905a79161e9ada26 upstream. + +When booted as Xen dom0 there won't be an EFI memmap allocated. Avoid +issuing an error message in this case: + + [ 0.144079] efi: Failed to allocate new EFI memmap + +Signed-off-by: Juergen Gross +Signed-off-by: Matt Fleming +Cc: Ard Biesheuvel +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20170526113652.21339-2-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/platform/efi/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/platform/efi/quirks.c ++++ b/arch/x86/platform/efi/quirks.c +@@ -358,6 +358,9 @@ void __init efi_free_boot_services(void) + free_bootmem_late(start, size); + } + ++ if (!num_entries) ++ return; ++ + new_size = efi.memmap.desc_size * num_entries; + new_phys = efi_memmap_alloc(num_entries); + if (!new_phys) { diff --git a/queue-4.11/gfs2-make-flush-bios-explicitely-sync.patch b/queue-4.11/gfs2-make-flush-bios-explicitely-sync.patch new file mode 100644 index 00000000000..476e1abc5d7 --- /dev/null +++ b/queue-4.11/gfs2-make-flush-bios-explicitely-sync.patch 
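Review bot: `if (!num_entries) return;` uses "nothing left to keep" as a silent proxy for the Xen dom0 case in the commit message; without a comment the next reader cannot tell whether an empty count is a legitimate early exit or a condition that should be reported. Suggest `/* Nothing to relocate: e.g. as Xen dom0 we have no EFI memmap of our own */` above the return. The early exit also skips everything that follows the allocation in efi_free_boot_services() (outside the hunk), so it is worth confirming that none of that later work is needed when the map is empty. efi_free_boot_services() begins and ends outside the hunk.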
@@ -0,0 +1,41 @@ +From 0f0b9b63e14fc3f66e4d342df016c9b071c5abed Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 2 May 2017 13:14:13 +0200 +Subject: gfs2: Make flush bios explicitely sync + +From: Jan Kara + +commit 0f0b9b63e14fc3f66e4d342df016c9b071c5abed upstream. + +Commit b685d3d65ac7 "block: treat REQ_FUA and REQ_PREFLUSH as +synchronous" removed REQ_SYNC flag from WRITE_{FUA|PREFLUSH|...} +definitions. generic_make_request_checks() however strips REQ_FUA and +REQ_PREFLUSH flags from a bio when the storage doesn't report volatile +write cache and thus write effectively becomes asynchronous which can +lead to performance regressions + +Fix the problem by making sure all bios which are synchronous are +properly marked with REQ_SYNC. + +Fixes: b685d3d65ac791406e0dfd8779cc9b3707fea5a3 +CC: Steven Whitehouse +CC: cluster-devel@redhat.com +Acked-by: Bob Peterson +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -659,7 +659,7 @@ static void log_write_header(struct gfs2 + struct gfs2_log_header *lh; + unsigned int tail; + u32 hash; +- int op_flags = REQ_PREFLUSH | REQ_FUA | REQ_META; ++ int op_flags = REQ_PREFLUSH | REQ_FUA | REQ_META | REQ_SYNC; + struct page *page = mempool_alloc(gfs2_page_pool, GFP_NOIO); + enum gfs2_freeze_state state = atomic_read(&sdp->sd_freeze_state); + lh = page_address(page); diff --git a/queue-4.11/keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch b/queue-4.11/keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch new file mode 100644 index 00000000000..6ddc3a169c4 --- /dev/null +++ b/queue-4.11/keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch 
@@ -0,0 +1,104 @@ +From e9ff56ac352446f55141aaef1553cee662b2e310 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 8 Jun 2017 14:48:10 +0100 +Subject: KEYS: encrypted: avoid encrypting/decrypting stack buffers + +From: Eric Biggers + +commit e9ff56ac352446f55141aaef1553cee662b2e310 upstream. + +Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt +stack buffers because the stack may be virtually mapped. Fix this for +the padding buffers in encrypted-keys by using ZERO_PAGE for the +encryption padding and by allocating a temporary heap buffer for the +decryption padding. + +Tested with CONFIG_DEBUG_SG=y: + keyctl new_session + keyctl add user master "abcdefghijklmnop" @s + keyid=$(keyctl add encrypted desc "new user:master 25" @s) + datablob="$(keyctl pipe $keyid)" + keyctl unlink $keyid + keyid=$(keyctl add encrypted desc "load $datablob" @s) + datablob2="$(keyctl pipe $keyid)" + [ "$datablob" = "$datablob2" ] && echo "Success!" + +Cc: Andy Lutomirski +Cc: Herbert Xu +Cc: Mimi Zohar +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/encrypted-keys/encrypted.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -480,12 +480,9 @@ static int derived_key_encrypt(struct en + struct skcipher_request *req; + unsigned int encrypted_datalen; + u8 iv[AES_BLOCK_SIZE]; +- unsigned int padlen; +- char pad[16]; + int ret; + + encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); +- padlen = encrypted_datalen - epayload->decrypted_datalen; + + req = init_skcipher_req(derived_key, derived_keylen); + ret = PTR_ERR(req); +@@ -493,11 +490,10 @@ static int derived_key_encrypt(struct en + goto out; + dump_decrypted_data(epayload); + +- memset(pad, 0, sizeof pad); + sg_init_table(sg_in, 2); + sg_set_buf(&sg_in[0], 
epayload->decrypted_data, + epayload->decrypted_datalen); +- sg_set_buf(&sg_in[1], pad, padlen); ++ sg_set_page(&sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, 0); + + sg_init_table(sg_out, 1); + sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen); +@@ -584,9 +580,14 @@ static int derived_key_decrypt(struct en + struct skcipher_request *req; + unsigned int encrypted_datalen; + u8 iv[AES_BLOCK_SIZE]; +- char pad[16]; ++ u8 *pad; + int ret; + ++ /* Throwaway buffer to hold the unused zero padding at the end */ ++ pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL); ++ if (!pad) ++ return -ENOMEM; ++ + encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); + req = init_skcipher_req(derived_key, derived_keylen); + ret = PTR_ERR(req); +@@ -594,13 +595,12 @@ static int derived_key_decrypt(struct en + goto out; + dump_encrypted_data(epayload, encrypted_datalen); + +- memset(pad, 0, sizeof pad); + sg_init_table(sg_in, 1); + sg_init_table(sg_out, 2); + sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen); + sg_set_buf(&sg_out[0], epayload->decrypted_data, + epayload->decrypted_datalen); +- sg_set_buf(&sg_out[1], pad, sizeof pad); ++ sg_set_buf(&sg_out[1], pad, AES_BLOCK_SIZE); + + memcpy(iv, epayload->iv, sizeof(iv)); + skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv); +@@ -612,6 +612,7 @@ static int derived_key_decrypt(struct en + goto out; + dump_decrypted_data(epayload); + out: ++ kfree(pad); + return ret; + } + diff --git a/queue-4.11/keys-fix-dereferencing-null-payload-with-nonzero-length.patch b/queue-4.11/keys-fix-dereferencing-null-payload-with-nonzero-length.patch new file mode 100644 index 00000000000..eeec235db50 --- /dev/null +++ b/queue-4.11/keys-fix-dereferencing-null-payload-with-nonzero-length.patch 
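Review bot: In derived_key_encrypt() the `ZERO_PAGE(0)` scatterlist entry is given a fixed `AES_BLOCK_SIZE` length although only `encrypted_datalen - decrypted_datalen` bytes of padding are actually consumed; that is correct only because the request length handed to skcipher_request_set_crypt() (outside the hunk) bounds the walk, and the dependency deserves a comment: `/* zero padding comes from ZERO_PAGE; the request length limits how much is consumed */`. In derived_key_decrypt() the throwaway `pad` buffer receives output decrypted under the derived key; the file appears to use kzfree() for buffers that have seen key-derived plaintext (hedged — check the rest of encrypted.c), so `kzfree(pad)` at the `out:` label would be consistent even though the padding is expected to decrypt to zeros. Both functions begin before the hunk.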
@@ -0,0 +1,48 @@
+From 5649645d725c73df4302428ee4e02c869248b4c5 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 8 Jun 2017 14:48:40 +0100
+Subject: KEYS: fix dereferencing NULL payload with nonzero length
+
+From: Eric Biggers
+
+commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream.
+
+sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
+NULL payload with nonzero length to be passed to the key type's
+->preparse(), ->instantiate(), and/or ->update() methods. Various key
+types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
+not handle this case, allowing an unprivileged user to trivially cause a
+NULL pointer dereference (kernel oops) if one of these key types was
+present. Fix it by doing the copy_from_user() when 'plen' is nonzero
+rather than when '_payload' is non-NULL, causing the syscall to fail
+with EFAULT as expected when an invalid buffer is specified.
+
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/keyctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -99,7 +99,7 @@ SYSCALL_DEFINE5(add_key, const char __us
+ /* pull the payload in if one was supplied */
+ payload = NULL;
+
+- if (_payload) {
++ if (plen) {
+ ret = -ENOMEM;
+ payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN);
+ if (!payload) {
+@@ -329,7 +329,7 @@ long keyctl_update_key(key_serial_t id,
+
+ /* pull the payload in if one was supplied */
+ payload = NULL;
+- if (_payload) {
++ if (plen) {
+ ret = -ENOMEM;
+ payload = kmalloc(plen, GFP_KERNEL);
+ if (!payload)
diff --git a/queue-4.11/keys-fix-freeing-uninitialized-memory-in-key_update.patch b/queue-4.11/keys-fix-freeing-uninitialized-memory-in-key_update.patch
new file mode 100644
index 00000000000..0cf2a181c18
--- /dev/null
+++ b/queue-4.11/keys-fix-freeing-uninitialized-memory-in-key_update.patch
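Review bot: Switching both sites to `if (plen)` also changes the `_payload != NULL, plen == 0` case: `payload` now stays NULL instead of being the zero-length kmalloc() result, so every key type's ->preparse()/->instantiate()/->update() must treat `data == NULL` together with `datalen == 0` as "no payload" rather than dereferencing it; the existing comment should state that contract, e.g. `/* plen == 0 means no payload (data stays NULL); plen > 0 with a bad pointer fails in copy_from_user() */`. Both paths hand the attacker-controlled `plen` straight to kmalloc(), so they depend on an upper bound being enforced earlier in each function — outside the hunk and presumably present, but worth re-checking for the update path. The two sites also differ in `__GFP_NOWARN`; that is pre-existing, but aligning them while touching both lines would be cheap. Both functions begin and end outside the hunk.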
@@ -0,0 +1,91 @@ +From 63a0b0509e700717a59f049ec6e4e04e903c7fe2 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 8 Jun 2017 14:48:47 +0100 +Subject: KEYS: fix freeing uninitialized memory in key_update() + +From: Eric Biggers + +commit 63a0b0509e700717a59f049ec6e4e04e903c7fe2 upstream. + +key_update() freed the key_preparsed_payload even if it was not +initialized first. This would cause a crash if userspace called +keyctl_update() on a key with type like "asymmetric" that has a +->preparse() method but not an ->update() method. Possibly it could +even be triggered for other key types by racing with keyctl_setperm() to +make the KEY_NEED_WRITE check fail (the permission was already checked, +so normally it wouldn't fail there). + +Reproducer with key type "asymmetric", given a valid cert.der: + +keyctl new_session +keyid=$(keyctl padd asymmetric desc @s < cert.der) +keyctl setperm $keyid 0x3f000000 +keyctl update $keyid data + +[ 150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001 +[ 150.687601] IP: asymmetric_key_free_kids+0x12/0x30 +[ 150.688139] PGD 38a3d067 +[ 150.688141] PUD 3b3de067 +[ 150.688447] PMD 0 +[ 150.688745] +[ 150.689160] Oops: 0000 [#1] SMP +[ 150.689455] Modules linked in: +[ 150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8cd2f #742 +[ 150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014 +[ 150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000 +[ 150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30 +[ 150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202 +[ 150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004 +[ 150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001 +[ 150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000 +[ 150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 +[ 150.707393] 
R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f +[ 150.709720] FS: 00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000 +[ 150.711504] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0 +[ 150.714487] Call Trace: +[ 150.714975] asymmetric_key_free_preparse+0x2f/0x40 +[ 150.715907] key_update+0xf7/0x140 +[ 150.716560] ? key_default_cmp+0x20/0x20 +[ 150.717319] keyctl_update_key+0xb0/0xe0 +[ 150.718066] SyS_keyctl+0x109/0x130 +[ 150.718663] entry_SYSCALL_64_fastpath+0x1f/0xc2 +[ 150.719440] RIP: 0033:0x7fcbce75ff19 +[ 150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa +[ 150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19 +[ 150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002 +[ 150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e +[ 150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80 +[ 150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f +[ 150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8 +[ 150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58 +[ 150.728117] CR2: 0000000000000001 +[ 150.728430] ---[ end trace f7f8fe1da2d5ae8d ]--- + +Fixes: 4d8c0250b841 ("KEYS: Call ->free_preparse() even after ->preparse() returns an error") +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/key.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -962,12 +962,11 @@ int key_update(key_ref_t key_ref, const + /* the key must be writable */ + ret = key_permission(key_ref, 
KEY_NEED_WRITE); + if (ret < 0) +- goto error; ++ return ret; + + /* attempt to update it if supported */ +- ret = -EOPNOTSUPP; + if (!key->type->update) +- goto error; ++ return -EOPNOTSUPP; + + memset(&prep, 0, sizeof(prep)); + prep.data = payload; diff --git a/queue-4.11/kthread-fix-use-after-free-if-kthread-fork-fails.patch b/queue-4.11/kthread-fix-use-after-free-if-kthread-fork-fails.patch new file mode 100644 index 00000000000..4648660ad8e --- /dev/null +++ b/queue-4.11/kthread-fix-use-after-free-if-kthread-fork-fails.patch 
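Review bot: The two `goto error` → `return` conversions are correct but carry no explanation, and the reason is non-obvious: `prep` is not initialised until the memset() just below, and the `error:` label (outside the hunk) apparently calls ->free_preparse() on it, which is the crash the commit fixes. A comment at the first return, `/* prep is not set up yet: return directly, the error: path frees the preparsed payload */`, guards against the goto being re-introduced by the next refactor. The commit message's observation that keyctl_setperm() can race the KEY_NEED_WRITE check here also suggests the permission check is not re-validated once the key lock is taken later in key_update() (presumably; the rest of the function is outside the hunk) — acceptable for this fix, but the comment should not present the check as the last word. key_update() begins and ends outside the hunk.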
@@ -0,0 +1,92 @@ +From 4d6501dce079c1eb6bf0b1d8f528a5e81770109e Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Tue, 9 May 2017 09:39:59 +0200 +Subject: kthread: Fix use-after-free if kthread fork fails + +From: Vegard Nossum + +commit 4d6501dce079c1eb6bf0b1d8f528a5e81770109e upstream. + +If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but +fails in copy_process() between calling dup_task_struct() and setting +p->set_child_tid, then the value of p->set_child_tid will be inherited +from the parent and get prematurely freed by free_kthread_struct(). + + kthread() + - worker_thread() + - process_one_work() + | - call_usermodehelper_exec_work() + | - kernel_thread() + | - _do_fork() + | - copy_process() + | - dup_task_struct() + | - arch_dup_task_struct() + | - tsk->set_child_tid = current->set_child_tid // implied + | - ... + | - goto bad_fork_* + | - ... + | - free_task(tsk) + | - free_kthread_struct(tsk) + | - kfree(tsk->set_child_tid) + - ... + - schedule() + - __schedule() + - wq_worker_sleeping() + - kthread_data(task)->flags // UAF + +The problem started showing up with commit 1da5c46fa965 since it reused +->set_child_tid for the kthread worker data. + +A better long-term solution might be to get rid of the ->set_child_tid +abuse. The comment in set_kthread_struct() also looks slightly wrong. 
+ +Debugged-by: Jamie Iles +Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed") +Signed-off-by: Vegard Nossum +Acked-by: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Greg Kroah-Hartman +Cc: Andy Lutomirski +Cc: Frederic Weisbecker +Cc: Jamie Iles +Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1552,6 +1552,18 @@ static __latent_entropy struct task_stru + if (!p) + goto fork_out; + ++ /* ++ * This _must_ happen before we call free_task(), i.e. before we jump ++ * to any of the bad_fork_* labels. This is to avoid freeing ++ * p->set_child_tid which is (ab)used as a kthread's data pointer for ++ * kernel threads (PF_KTHREAD). ++ */ ++ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; ++ /* ++ * Clear TID on mm_release()? ++ */ ++ p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL; ++ + ftrace_graph_init_task(p); + + rt_mutex_init_task(p); +@@ -1715,11 +1727,6 @@ static __latent_entropy struct task_stru + } + } + +- p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; +- /* +- * Clear TID on mm_release()? +- */ +- p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL; + #ifdef CONFIG_BLOCK + p->plug = NULL; + #endif diff --git a/queue-4.11/nfsd4-fix-null-dereference-on-replay.patch b/queue-4.11/nfsd4-fix-null-dereference-on-replay.patch new file mode 100644 index 00000000000..b9d972d8178 --- /dev/null +++ b/queue-4.11/nfsd4-fix-null-dereference-on-replay.patch 
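Review bot: The relocated assignment closes the window between dup_task_struct() and the first `bad_fork_*` label, but its safety also relies on free_kthread_struct() tolerating a NULL `set_child_tid` for a child that inherits PF_KTHREAD and then fails; that is presumably a plain kfree(NULL) but it lives outside the hunk, and the new comment should say so: append `* A NULL value is safe to pass to free_kthread_struct().` to the comment block. The moved `/* Clear TID on mm_release()? */` comment keeps its question mark even though this is now the authoritative place for the assignment; replacing it with a declarative `/* clear_child_tid is consumed by mm_release() on exit */` (hedged: confirm against mm_release) would stop an open question from being copied around. copy_process() begins and ends outside the hunk.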
@@ -0,0 +1,82 @@ +From 9a307403d374b993061f5992a6e260c944920d0b Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 23 May 2017 12:24:40 -0400 +Subject: nfsd4: fix null dereference on replay + +From: J. Bruce Fields + +commit 9a307403d374b993061f5992a6e260c944920d0b upstream. + +if we receive a compound such that: + + - the sessionid, slot, and sequence number in the SEQUENCE op + match a cached succesful reply with N ops, and + - the Nth operation of the compound is a PUTFH, PUTPUBFH, + PUTROOTFH, or RESTOREFH, + +then nfsd4_sequence will return 0 and set cstate->status to +nfserr_replay_cache. The current filehandle will not be set. This will +cause us to call check_nfsd_access with first argument NULL. + +To nfsd4_compound it looks like we just succesfully executed an +operation that set a filehandle, but the current filehandle is not set. + +Fix this by moving the nfserr_replay_cache earlier. There was never any +reason to have it after the encode_op label, since the only case where +he hit that is when opdesc->op_func sets it. + +Note that there are two ways we could hit this case: + + - a client is resending a previously sent compound that ended + with one of the four PUTFH-like operations, or + - a client is sending a *new* compound that (incorrectly) shares + sessionid, slot, and sequence number with a previously sent + compound, and the length of the previously sent compound + happens to match the position of a PUTFH-like operation in the + new compound. + +The second is obviously incorrect client behavior. The first is also +very strange--the only purpose of a PUTFH-like operation is to set the +current filehandle to be used by the following operation, so there's no +point in having it as the last in a compound. + +So it's likely this requires a buggy or malicious client to reproduce. + +Reported-by: Scott Mayhew +Signed-off-by: J. 
Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4proc.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1769,6 +1769,12 @@ nfsd4_proc_compound(struct svc_rqst *rqs + opdesc->op_get_currentstateid(cstate, &op->u); + op->status = opdesc->op_func(rqstp, cstate, &op->u); + ++ /* Only from SEQUENCE */ ++ if (cstate->status == nfserr_replay_cache) { ++ dprintk("%s NFS4.1 replay from cache\n", __func__); ++ status = op->status; ++ goto out; ++ } + if (!op->status) { + if (opdesc->op_set_currentstateid) + opdesc->op_set_currentstateid(cstate, &op->u); +@@ -1779,14 +1785,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs + if (need_wrongsec_check(rqstp)) + op->status = check_nfsd_access(current_fh->fh_export, rqstp); + } +- + encode_op: +- /* Only from SEQUENCE */ +- if (cstate->status == nfserr_replay_cache) { +- dprintk("%s NFS4.1 replay from cache\n", __func__); +- status = op->status; +- goto out; +- } + if (op->status == nfserr_replay_me) { + op->replay = &cstate->replay_owner->so_replay; + nfsd4_encode_replay(&resp->xdr, op); diff --git a/queue-4.11/ovl-fix-creds-leak-in-copy-up-error-path.patch b/queue-4.11/ovl-fix-creds-leak-in-copy-up-error-path.patch new file mode 100644 index 00000000000..b4628539fb3 --- /dev/null +++ b/queue-4.11/ovl-fix-creds-leak-in-copy-up-error-path.patch 
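Review bot: The relocated replay check is the security-relevant part of this change — a remote client with a valid session can reach it with a crafted SEQUENCE slot/seqid, and moving it ahead of `op_set_currentstateid` and `check_nfsd_access()` is exactly what prevents the NULL `current_fh` dereference — yet nothing in the code says why the check must sit immediately after `op_func`. Add `/* A cached replay sets no current filehandle: bail before anything below touches current_fh */` above the `if`. Since `cstate->status` is only set by nfsd4_sequence (per the "Only from SEQUENCE" comment), the test now runs after every op although only the SEQUENCE op can trigger it; harmless, but a reader may expect an op-number gate, so the comment could mention that. nfsd4_proc_compound() begins and ends outside the hunk.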
@@ -0,0 +1,39 @@ +From 8137ae26d25303e7b5cfb418fd28b976461e5b6e Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Tue, 16 May 2017 08:45:46 +0300 +Subject: ovl: fix creds leak in copy up error path + +From: Amir Goldstein + +commit 8137ae26d25303e7b5cfb418fd28b976461e5b6e upstream. + +Fixes: 42f269b92540 ("ovl: rearrange code in ovl_copy_up_locked()") +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/copy_up.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -269,12 +269,13 @@ static int ovl_copy_up_locked(struct den + temp = ovl_do_tmpfile(upperdir, stat->mode); + else + temp = ovl_lookup_temp(workdir, dentry); +- err = PTR_ERR(temp); +- if (IS_ERR(temp)) +- goto out1; +- + err = 0; +- if (!tmpfile) ++ if (IS_ERR(temp)) { ++ err = PTR_ERR(temp); ++ temp = NULL; ++ } ++ ++ if (!err && !tmpfile) + err = ovl_create_real(wdir, temp, &cattr, NULL, true); + + if (new_creds) { diff --git a/queue-4.11/series b/queue-4.11/series index 2303787c4a9..e0448909b8c 100644 --- a/queue-4.11/series +++ b/queue-4.11/series 
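Review bot: Setting `temp = NULL` after capturing `PTR_ERR(temp)` only fixes the leak because the function now falls through to the `if (new_creds)` block that reverts the override; whether the code after that block (the `if (err)` exit and any `dput(temp)`) tolerates `temp == NULL` is outside the hunk and should be confirmed. A comment on the assignment, `/* do not bail out yet: new_creds must be reverted below; temp == NULL is safe for the cleanup */`, records why the early `goto out1` was removed instead of merely reordered. The commit record itself has no body beyond the Fixes: tag; a sentence naming the leaked override would help anyone bisecting this later. ovl_copy_up_locked() begins and ends outside the hunk.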
@@ -33,3 +33,17 @@ serial-exar-fix-stuck-msis.patch
 serial-ifx6x60-fix-use-after-free-on-module-unload.patch
 serial-core-fix-crash-in-uart_suspend_port.patch
 ptrace-properly-initialize-ptracer_cred-on-fork.patch
+arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch
+crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch
+keys-fix-dereferencing-null-payload-with-nonzero-length.patch
+keys-fix-freeing-uninitialized-memory-in-key_update.patch
+keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch
+crypto-drbg-wait-for-crypto-op-not-signal-safe.patch
+crypto-gcm-wait-for-crypto-op-not-signal-safe.patch
+ovl-fix-creds-leak-in-copy-up-error-path.patch
+kthread-fix-use-after-free-if-kthread-fork-fails.patch
+drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
+nfsd4-fix-null-dereference-on-replay.patch
+gfs2-make-flush-bios-explicitely-sync.patch
+efi-don-t-issue-error-message-when-booted-under-xen.patch
+efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch