From: Greg Kroah-Hartman Date: Sun, 19 Jan 2020 15:44:48 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.211~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b7822f72658adec8e68de87e1d2de475899d973;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: btrfs-fix-memory-leak-in-qgroup-accounting.patch mm-page-writeback.c-avoid-potential-division-by-zero-in-wb_min_max_ratio.patch mm-shmem.c-thp-shmem-fix-conflict-of-above-47bit-hint-address-and-pmd-alignment.patch net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch net-stmmac-enable-16kb-buffer-size.patch perf-hists-fix-variable-name-s-inconsistency-in-hists__for_each-macro.patch perf-report-fix-incorrectly-added-dimensions-as-switch-perf-data-file.patch ptrace-reintroduce-usage-of-subjective-credentials-in-ptrace_has_cap.patch usb-core-hub-improved-device-recognition-on-remote-wakeup.patch x86-efistub-disable-paging-at-mixed-mode-entry.patch x86-resctrl-fix-an-imbalance-in-domain_remove_cpu.patch --- diff --git a/queue-4.14/btrfs-fix-memory-leak-in-qgroup-accounting.patch b/queue-4.14/btrfs-fix-memory-leak-in-qgroup-accounting.patch new file mode 100644 index 00000000000..3b6db567fb1 --- /dev/null +++ b/queue-4.14/btrfs-fix-memory-leak-in-qgroup-accounting.patch @@ -0,0 +1,80 @@ +From 26ef8493e1ab771cb01d27defca2fa1315dc3980 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 8 Jan 2020 21:07:32 +0900 +Subject: btrfs: fix memory leak in qgroup accounting + +From: Johannes Thumshirn + +commit 26ef8493e1ab771cb01d27defca2fa1315dc3980 upstream. + +When running xfstests on the current btrfs I get the following splat from +kmemleak: + +unreferenced object 0xffff88821b2404e0 (size 32): + comm "kworker/u4:7", pid 26663, jiffies 4295283698 (age 8.776s) + hex dump (first 32 bytes): + 01 00 00 00 00 00 00 00 10 ff fd 26 82 88 ff ff ...........&.... + 10 ff fd 26 82 88 ff ff 20 ff fd 26 82 88 ff ff ...&.... ..&.... + backtrace: + [<00000000f94fd43f>] ulist_alloc+0x25/0x60 [btrfs] + [<00000000fd023d99>] btrfs_find_all_roots_safe+0x41/0x100 [btrfs] + [<000000008f17bd32>] btrfs_find_all_roots+0x52/0x70 [btrfs] + [<00000000b7660afb>] btrfs_qgroup_rescan_worker+0x343/0x680 [btrfs] + [<0000000058e66778>] btrfs_work_helper+0xac/0x1e0 [btrfs] + [<00000000f0188930>] process_one_work+0x1cf/0x350 + [<00000000af5f2f8e>] worker_thread+0x28/0x3c0 + [<00000000b55a1add>] kthread+0x109/0x120 + [<00000000f88cbd17>] ret_from_fork+0x35/0x40 + +This corresponds to: + + (gdb) l *(btrfs_find_all_roots_safe+0x41) + 0x8d7e1 is in btrfs_find_all_roots_safe (fs/btrfs/backref.c:1413). + 1408 + 1409 tmp = ulist_alloc(GFP_NOFS); + 1410 if (!tmp) + 1411 return -ENOMEM; + 1412 *roots = ulist_alloc(GFP_NOFS); + 1413 if (!*roots) { + 1414 ulist_free(tmp); + 1415 return -ENOMEM; + 1416 } + 1417 + +Following the lifetime of the allocated 'roots' ulist, it gets freed +again in btrfs_qgroup_account_extent(). + +But this does not happen if the function is called with the +'BTRFS_FS_QUOTA_ENABLED' flag cleared, then btrfs_qgroup_account_extent() +does a short leave and directly returns. + +Instead of directly returning we should jump to the 'out_free' in order to +free all resources as expected. + +CC: stable@vger.kernel.org # 4.14+ +Reviewed-by: Qu Wenruo +Signed-off-by: Johannes Thumshirn +[ add comment ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/qgroup.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -1928,8 +1928,12 @@ btrfs_qgroup_account_extent(struct btrfs + u64 nr_old_roots = 0; + int ret = 0; + ++ /* ++ * If quotas get disabled meanwhile, the resouces need to be freed and ++ * we can't just exit here. ++ */ + if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) +- return 0; ++ goto out_free; + + if (new_roots) { + if (!maybe_fs_roots(new_roots)) diff --git a/queue-4.14/mm-page-writeback.c-avoid-potential-division-by-zero-in-wb_min_max_ratio.patch b/queue-4.14/mm-page-writeback.c-avoid-potential-division-by-zero-in-wb_min_max_ratio.patch new file mode 100644 index 00000000000..459b8e5019d --- /dev/null +++ b/queue-4.14/mm-page-writeback.c-avoid-potential-division-by-zero-in-wb_min_max_ratio.patch @@ -0,0 +1,79 @@ +From 6d9e8c651dd979aa666bee15f086745f3ea9c4b3 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 13 Jan 2020 16:29:23 -0800 +Subject: mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() + +From: Wen Yang + +commit 6d9e8c651dd979aa666bee15f086745f3ea9c4b3 upstream. + +Patch series "use div64_ul() instead of div_u64() if the divisor is +unsigned long". + +We were first inspired by commit b0ab99e7736a ("sched: Fix possible divide +by zero in avg_atom () calculation"), then refer to the recently analyzed +mm code, we found this suspicious place. + + 201 if (min) { + 202 min *= this_bw; + 203 do_div(min, tot_bw); + 204 } + +And we also disassembled and confirmed it: + + /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 201 + 0xffffffff811c37da <__wb_calc_thresh+234>: xor %r10d,%r10d + 0xffffffff811c37dd <__wb_calc_thresh+237>: test %rax,%rax + 0xffffffff811c37e0 <__wb_calc_thresh+240>: je 0xffffffff811c3800 <__wb_calc_thresh+272> + /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 202 + 0xffffffff811c37e2 <__wb_calc_thresh+242>: imul %r8,%rax + /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 203 + 0xffffffff811c37e6 <__wb_calc_thresh+246>: mov %r9d,%r10d ---> truncates it to 32 bits here + 0xffffffff811c37e9 <__wb_calc_thresh+249>: xor %edx,%edx + 0xffffffff811c37eb <__wb_calc_thresh+251>: div %r10 + 0xffffffff811c37ee <__wb_calc_thresh+254>: imul %rbx,%rax + 0xffffffff811c37f2 <__wb_calc_thresh+258>: shr $0x2,%rax + 0xffffffff811c37f6 <__wb_calc_thresh+262>: mul %rcx + 0xffffffff811c37f9 <__wb_calc_thresh+265>: shr $0x2,%rdx + 0xffffffff811c37fd <__wb_calc_thresh+269>: mov %rdx,%r10 + +This series uses div64_ul() instead of div_u64() if the divisor is +unsigned long, to avoid truncation to 32-bit on 64-bit platforms. + +This patch (of 3): + +The variables 'min' and 'max' are unsigned long and do_div truncates +them to 32 bits, which means it can test non-zero and be truncated to +zero for division. Fix this issue by using div64_ul() instead. + +Link: http://lkml.kernel.org/r/20200102081442.8273-2-wenyang@linux.alibaba.com +Fixes: 693108a8a667 ("writeback: make bdi->min/max_ratio handling cgroup writeback aware") +Signed-off-by: Wen Yang +Reviewed-by: Andrew Morton +Cc: Qian Cai +Cc: Tejun Heo +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page-writeback.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -201,11 +201,11 @@ static void wb_min_max_ratio(struct bdi_ + if (this_bw < tot_bw) { + if (min) { + min *= this_bw; +- do_div(min, tot_bw); ++ min = div64_ul(min, tot_bw); + } + if (max < 100) { + max *= this_bw; +- do_div(max, tot_bw); ++ max = div64_ul(max, tot_bw); + } + } + diff --git a/queue-4.14/mm-shmem.c-thp-shmem-fix-conflict-of-above-47bit-hint-address-and-pmd-alignment.patch b/queue-4.14/mm-shmem.c-thp-shmem-fix-conflict-of-above-47bit-hint-address-and-pmd-alignment.patch new file mode 100644 index 00000000000..d65c61d49b8 --- /dev/null +++ b/queue-4.14/mm-shmem.c-thp-shmem-fix-conflict-of-above-47bit-hint-address-and-pmd-alignment.patch @@ -0,0 +1,74 @@ +From 991589974d9c9ecb24ee3799ec8c415c730598a2 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Mon, 13 Jan 2020 16:29:13 -0800 +Subject: mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment + +From: Kirill A. Shutemov + +commit 991589974d9c9ecb24ee3799ec8c415c730598a2 upstream. + +Shmem/tmpfs tries to provide THP-friendly mappings if huge pages are +enabled. But it doesn't work well with above-47bit hint address. + +Normally, the kernel doesn't create userspace mappings above 47-bit, +even if the machine allows this (such as with 5-level paging on x86-64). +Not all user space is ready to handle wide addresses. It's known that +at least some JIT compilers use higher bits in pointers to encode their +information. + +Userspace can ask for allocation from full address space by specifying +hint address (with or without MAP_FIXED) above 47-bits. If the +application doesn't need a particular address, but wants to allocate +from whole address space it can specify -1 as a hint address. + +Unfortunately, this trick breaks THP alignment in shmem/tmp: +shmem_get_unmapped_area() would not try to allocate PMD-aligned area if +*any* hint address specified. + +This can be fixed by requesting the aligned area if the we failed to +allocated at user-specified hint address. The request with inflated +length will also take the user-specified hint address. This way we will +not lose an allocation request from the full address space. + +[kirill@shutemov.name: fold in a fixup] + Link: http://lkml.kernel.org/r/20191223231309.t6bh5hkbmokihpfu@box +Link: http://lkml.kernel.org/r/20191220142548.7118-3-kirill.shutemov@linux.intel.com +Fixes: b569bab78d8d ("x86/mm: Prepare to expose larger address space to userspace") +Signed-off-by: Kirill A. Shutemov +Cc: "Willhalm, Thomas" +Cc: Dan Williams +Cc: "Bruggeman, Otto G" +Cc: "Aneesh Kumar K . V" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2052,9 +2052,10 @@ unsigned long shmem_get_unmapped_area(st + /* + * Our priority is to support MAP_SHARED mapped hugely; + * and support MAP_PRIVATE mapped hugely too, until it is COWed. +- * But if caller specified an address hint, respect that as before. ++ * But if caller specified an address hint and we allocated area there ++ * successfully, respect that as before. + */ +- if (uaddr) ++ if (uaddr == addr) + return addr; + + if (shmem_huge != SHMEM_HUGE_FORCE) { +@@ -2088,7 +2089,7 @@ unsigned long shmem_get_unmapped_area(st + if (inflated_len < len) + return addr; + +- inflated_addr = get_area(NULL, 0, inflated_len, 0, flags); ++ inflated_addr = get_area(NULL, uaddr, inflated_len, 0, flags); + if (IS_ERR_VALUE(inflated_addr)) + return addr; + if (inflated_addr & ~PAGE_MASK) diff --git a/queue-4.14/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch b/queue-4.14/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch new file mode 100644 index 00000000000..080626398b7 --- /dev/null +++ b/queue-4.14/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch @@ -0,0 +1,34 @@ +From 8605131747e7e1fd8f6c9f97a00287aae2b2c640 Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Wed, 18 Dec 2019 11:17:41 +0100 +Subject: net: stmmac: 16KB buffer must be 16 byte aligned + +From: Jose Abreu + +commit 8605131747e7e1fd8f6c9f97a00287aae2b2c640 upstream. + +The 16KB RX Buffer must also be 16 byte aligned. Fix it. + +Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver") +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/stmicro/stmmac/common.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/common.h ++++ b/drivers/net/ethernet/stmicro/stmmac/common.h +@@ -338,9 +338,8 @@ struct dma_features { + unsigned int rx_fifo_size; + }; + +-/* GMAC TX FIFO is 8K, Rx FIFO is 16K */ +-#define BUF_SIZE_16KiB 16384 +-/* RX Buffer size must be < 8191 and multiple of 4/8/16 bytes */ ++/* RX Buffer size must be multiple of 4/8/16 bytes */ ++#define BUF_SIZE_16KiB 16368 + #define BUF_SIZE_8KiB 8188 + #define BUF_SIZE_4KiB 4096 + #define BUF_SIZE_2KiB 2048 diff --git a/queue-4.14/net-stmmac-enable-16kb-buffer-size.patch b/queue-4.14/net-stmmac-enable-16kb-buffer-size.patch new file mode 100644 index 00000000000..7969617340d --- /dev/null +++ b/queue-4.14/net-stmmac-enable-16kb-buffer-size.patch @@ -0,0 +1,34 @@ +From b2f3a481c4cd62f78391b836b64c0a6e72b503d2 Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Wed, 18 Dec 2019 11:17:42 +0100 +Subject: net: stmmac: Enable 16KB buffer size + +From: Jose Abreu + +commit b2f3a481c4cd62f78391b836b64c0a6e72b503d2 upstream. + +XGMAC supports maximum MTU that can go to 16KB. Lets add this check in +the calculation of RX buffer size. + +Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver") +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1043,7 +1043,9 @@ static int stmmac_set_bfsize(int mtu, in + { + int ret = bufsize; + +- if (mtu >= BUF_SIZE_4KiB) ++ if (mtu >= BUF_SIZE_8KiB) ++ ret = BUF_SIZE_16KiB; ++ else if (mtu >= BUF_SIZE_4KiB) + ret = BUF_SIZE_8KiB; + else if (mtu >= BUF_SIZE_2KiB) + ret = BUF_SIZE_4KiB; diff --git a/queue-4.14/perf-hists-fix-variable-name-s-inconsistency-in-hists__for_each-macro.patch b/queue-4.14/perf-hists-fix-variable-name-s-inconsistency-in-hists__for_each-macro.patch new file mode 100644 index 00000000000..d2ce3da3098 --- /dev/null +++ b/queue-4.14/perf-hists-fix-variable-name-s-inconsistency-in-hists__for_each-macro.patch @@ -0,0 +1,45 @@ +From 55347ec340af401437680fd0e88df6739a967f9f Mon Sep 17 00:00:00 2001 +From: Yuya Fujita +Date: Thu, 19 Dec 2019 08:08:32 +0000 +Subject: perf hists: Fix variable name's inconsistency in hists__for_each() macro + +From: Yuya Fujita + +commit 55347ec340af401437680fd0e88df6739a967f9f upstream. + +Variable names are inconsistent in hists__for_each macro(). + +Due to this inconsistency, the macro replaces its second argument with +"fmt" regardless of its original name. + +So far it works because only "fmt" is passed to the second argument. +However, this behavior is not expected and should be fixed. + +Fixes: f0786af536bb ("perf hists: Introduce hists__for_each_format macro") +Fixes: aa6f50af822a ("perf hists: Introduce hists__for_each_sort_list macro") +Signed-off-by: Yuya Fujita +Acked-by: Jiri Olsa +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/OSAPR01MB1588E1C47AC22043175DE1B2E8520@OSAPR01MB1588.jpnprd01.prod.outlook.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/hist.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -317,10 +317,10 @@ static inline void perf_hpp__prepend_sor + list_for_each_entry_safe(format, tmp, &(_list)->sorts, sort_list) + + #define hists__for_each_format(hists, format) \ +- perf_hpp_list__for_each_format((hists)->hpp_list, fmt) ++ perf_hpp_list__for_each_format((hists)->hpp_list, format) + + #define hists__for_each_sort_list(hists, format) \ +- perf_hpp_list__for_each_sort_list((hists)->hpp_list, fmt) ++ perf_hpp_list__for_each_sort_list((hists)->hpp_list, format) + + extern struct perf_hpp_fmt perf_hpp__format[]; + diff --git a/queue-4.14/perf-report-fix-incorrectly-added-dimensions-as-switch-perf-data-file.patch b/queue-4.14/perf-report-fix-incorrectly-added-dimensions-as-switch-perf-data-file.patch new file mode 100644 index 00000000000..0f24e06ffc4 --- /dev/null +++ b/queue-4.14/perf-report-fix-incorrectly-added-dimensions-as-switch-perf-data-file.patch @@ -0,0 +1,69 @@ +From 0feba17bd7ee3b7e03d141f119049dcc23efa94e Mon Sep 17 00:00:00 2001 +From: Jin Yao +Date: Fri, 20 Dec 2019 09:37:19 +0800 +Subject: perf report: Fix incorrectly added dimensions as switch perf data file + +From: Jin Yao + +commit 0feba17bd7ee3b7e03d141f119049dcc23efa94e upstream. + +We observed an issue that was some extra columns displayed after switching +perf data file in browser. The steps to reproduce: + +1. perf record -a -e cycles,instructions -- sleep 3 +2. perf report --group +3. In browser, we use hotkey 's' to switch to another perf.data +4. Now in browser, the extra columns 'Self' and 'Children' are displayed. + +The issue is setup_sorting() executed again after repeat path, so dimensions +are added again. + +This patch checks the last key returned from __cmd_report(). If it's +K_SWITCH_INPUT_DATA, skips the setup_sorting(). + +Fixes: ad0de0971b7f ("perf report: Enable the runtime switching of perf data file") +Signed-off-by: Jin Yao +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Feng Tang +Cc: Jin Yao +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20191220013722.20592-1-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/builtin-report.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -742,6 +742,7 @@ int cmd_report(int argc, const char **ar + struct stat st; + bool has_br_stack = false; + int branch_mode = -1; ++ int last_key = 0; + bool branch_call_mode = false; + char callchain_default_opt[] = CALLCHAIN_DEFAULT_OPT; + const char * const report_usage[] = { +@@ -1048,7 +1049,8 @@ repeat: + else + use_browser = 0; + +- if (setup_sorting(session->evlist) < 0) { ++ if ((last_key != K_SWITCH_INPUT_DATA) && ++ (setup_sorting(session->evlist) < 0)) { + if (sort_order) + parse_options_usage(report_usage, options, "s", 1); + if (field_order) +@@ -1108,6 +1110,7 @@ repeat: + ret = __cmd_report(&report); + if (ret == K_SWITCH_INPUT_DATA) { + perf_session__delete(session); ++ last_key = K_SWITCH_INPUT_DATA; + goto repeat; + } else + ret = 0; diff --git a/queue-4.14/ptrace-reintroduce-usage-of-subjective-credentials-in-ptrace_has_cap.patch b/queue-4.14/ptrace-reintroduce-usage-of-subjective-credentials-in-ptrace_has_cap.patch new file mode 100644 index 00000000000..1222ae4171e --- /dev/null +++ b/queue-4.14/ptrace-reintroduce-usage-of-subjective-credentials-in-ptrace_has_cap.patch @@ -0,0 +1,100 @@ +From 6b3ad6649a4c75504edeba242d3fd36b3096a57f Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 15 Jan 2020 14:42:34 +0100 +Subject: ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() + +From: Christian Brauner + +commit 6b3ad6649a4c75504edeba242d3fd36b3096a57f upstream. + +Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") +introduced the ability to opt out of audit messages for accesses to various +proc files since they are not violations of policy. While doing so it +somehow switched the check from ns_capable() to +has_ns_capability{_noaudit}(). That means it switched from checking the +subjective credentials of the task to using the objective credentials. This +is wrong since. ptrace_has_cap() is currently only used in +ptrace_may_access() And is used to check whether the calling task (subject) +has the CAP_SYS_PTRACE capability in the provided user namespace to operate +on the target task (object). According to the cred.h comments this would +mean the subjective credentials of the calling task need to be used. +This switches ptrace_has_cap() to use security_capable(). Because we only +call ptrace_has_cap() in ptrace_may_access() and in there we already have a +stable reference to the calling task's creds under rcu_read_lock() there's +no need to go through another series of dereferences and rcu locking done +in ns_capable{_noaudit}(). + +As one example where this might be particularly problematic, Jann pointed +out that in combination with the upcoming IORING_OP_OPENAT feature, this +bug might allow unprivileged users to bypass the capability checks while +asynchronously opening files like /proc/*/mem, because the capability +checks for this would be performed against kernel credentials. + +To illustrate on the former point about this being exploitable: When +io_uring creates a new context it records the subjective credentials of the +caller. Later on, when it starts to do work it creates a kernel thread and +registers a callback. The callback runs with kernel creds for +ktask->real_cred and ktask->cred. To prevent this from becoming a +full-blown 0-day io_uring will call override_cred() and override +ktask->cred with the subjective credentials of the creator of the io_uring +instance. With ptrace_has_cap() currently looking at ktask->real_cred this +override will be ineffective and the caller will be able to open arbitray +proc files as mentioned above. +Luckily, this is currently not exploitable but will turn into a 0-day once +IORING_OP_OPENAT{2} land in v5.6. Fix it now! + +Cc: Oleg Nesterov +Cc: Eric Paris +Cc: stable@vger.kernel.org +Reviewed-by: Kees Cook +Reviewed-by: Serge Hallyn +Reviewed-by: Jann Horn +Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/ptrace.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -258,12 +258,17 @@ static int ptrace_check_attach(struct ta + return ret; + } + +-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) ++static bool ptrace_has_cap(const struct cred *cred, struct user_namespace *ns, ++ unsigned int mode) + { ++ int ret; ++ + if (mode & PTRACE_MODE_NOAUDIT) +- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); ++ ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT); + else +- return has_ns_capability(current, ns, CAP_SYS_PTRACE); ++ ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NONE); ++ ++ return ret == 0; + } + + /* Returns 0 on success, -errno on denial. */ +@@ -315,7 +320,7 @@ static int __ptrace_may_access(struct ta + gid_eq(caller_gid, tcred->sgid) && + gid_eq(caller_gid, tcred->gid)) + goto ok; +- if (ptrace_has_cap(tcred->user_ns, mode)) ++ if (ptrace_has_cap(cred, tcred->user_ns, mode)) + goto ok; + rcu_read_unlock(); + return -EPERM; +@@ -334,7 +339,7 @@ ok: + mm = task->mm; + if (mm && + ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) ++ !ptrace_has_cap(cred, mm->user_ns, mode))) + return -EPERM; + + return security_ptrace_access_check(task, mode); diff --git a/queue-4.14/series b/queue-4.14/series index 10fe4311643..e1488105a98 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -17,3 +17,14 @@ usb-serial-keyspan-handle-unbound-ports.patch usb-serial-quatech2-handle-unbound-ports.patch scsi-fnic-fix-invalid-stack-access.patch scsi-mptfusion-fix-double-fetch-bug-in-ioctl.patch +ptrace-reintroduce-usage-of-subjective-credentials-in-ptrace_has_cap.patch +usb-core-hub-improved-device-recognition-on-remote-wakeup.patch +x86-resctrl-fix-an-imbalance-in-domain_remove_cpu.patch +x86-efistub-disable-paging-at-mixed-mode-entry.patch +perf-hists-fix-variable-name-s-inconsistency-in-hists__for_each-macro.patch +perf-report-fix-incorrectly-added-dimensions-as-switch-perf-data-file.patch +mm-shmem.c-thp-shmem-fix-conflict-of-above-47bit-hint-address-and-pmd-alignment.patch +btrfs-fix-memory-leak-in-qgroup-accounting.patch +mm-page-writeback.c-avoid-potential-division-by-zero-in-wb_min_max_ratio.patch +net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch +net-stmmac-enable-16kb-buffer-size.patch diff --git a/queue-4.14/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch b/queue-4.14/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch new file mode 100644 index 00000000000..acc6930fd41 --- /dev/null +++ b/queue-4.14/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch @@ -0,0 +1,65 @@ +From 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 Mon Sep 17 00:00:00 2001 +From: Keiya Nobuta +Date: Thu, 9 Jan 2020 14:14:48 +0900 +Subject: usb: core: hub: Improved device recognition on remote wakeup + +From: Keiya Nobuta + +commit 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 upstream. + +If hub_activate() is called before D+ has stabilized after remote +wakeup, the following situation might occur: + + __ ___________________ + / \ / +D+ __/ \__/ + +Hub _______________________________ + | ^ ^ ^ + | | | | +Host _____v__|___|___________|______ + | | | | + | | | \-- Interrupt Transfer (*3) + | | \-- ClearPortFeature (*2) + | \-- GetPortStatus (*1) + \-- Host detects remote wakeup + +- D+ goes high, Host starts running by remote wakeup +- D+ is not stable, goes low +- Host requests GetPortStatus at (*1) and gets the following hub status: + - Current Connect Status bit is 0 + - Connect Status Change bit is 1 +- D+ stabilizes, goes high +- Host requests ClearPortFeature and thus Connect Status Change bit is + cleared at (*2) +- After waiting 100 ms, Host starts the Interrupt Transfer at (*3) +- Since the Connect Status Change bit is 0, Hub returns NAK. + +In this case, port_event() is not called in hub_event() and Host cannot +recognize device. To solve this issue, flag change_bits even if only +Connect Status Change bit is 1 when got in the first GetPortStatus. + +This issue occurs rarely because it only if D+ changes during a very +short time between GetPortStatus and ClearPortFeature. However, it is +fatal if it occurs in embedded system. + +Signed-off-by: Keiya Nobuta +Cc: stable +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200109051448.28150-1-nobuta.keiya@fujitsu.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1164,6 +1164,7 @@ static void hub_activate(struct usb_hub + * PORT_OVER_CURRENT is not. So check for any of them. + */ + if (udev || (portstatus & USB_PORT_STAT_CONNECTION) || ++ (portchange & USB_PORT_STAT_C_CONNECTION) || + (portstatus & USB_PORT_STAT_OVERCURRENT) || + (portchange & USB_PORT_STAT_C_OVERCURRENT)) + set_bit(port1, hub->change_bits); diff --git a/queue-4.14/x86-efistub-disable-paging-at-mixed-mode-entry.patch b/queue-4.14/x86-efistub-disable-paging-at-mixed-mode-entry.patch new file mode 100644 index 00000000000..e33946967e6 --- /dev/null +++ b/queue-4.14/x86-efistub-disable-paging-at-mixed-mode-entry.patch @@ -0,0 +1,46 @@ +From 4911ee401b7ceff8f38e0ac597cbf503d71e690c Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Tue, 24 Dec 2019 14:29:09 +0100 +Subject: x86/efistub: Disable paging at mixed mode entry + +From: Ard Biesheuvel + +commit 4911ee401b7ceff8f38e0ac597cbf503d71e690c upstream. + +The EFI mixed mode entry code goes through the ordinary startup_32() +routine before jumping into the kernel's EFI boot code in 64-bit +mode. The 32-bit startup code must be entered with paging disabled, +but this is not documented as a requirement for the EFI handover +protocol, and so we should disable paging explicitly when entering +the kernel from 32-bit EFI firmware. + +Signed-off-by: Ard Biesheuvel +Cc: +Cc: Arvind Sankar +Cc: Hans de Goede +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191224132909.102540-4-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/boot/compressed/head_64.S | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -227,6 +227,11 @@ ENTRY(efi32_stub_entry) + leal efi32_config(%ebp), %eax + movl %eax, efi_config(%ebp) + ++ /* Disable paging */ ++ movl %cr0, %eax ++ btrl $X86_CR0_PG_BIT, %eax ++ movl %eax, %cr0 ++ + jmp startup_32 + ENDPROC(efi32_stub_entry) + #endif diff --git a/queue-4.14/x86-resctrl-fix-an-imbalance-in-domain_remove_cpu.patch b/queue-4.14/x86-resctrl-fix-an-imbalance-in-domain_remove_cpu.patch new file mode 100644 index 00000000000..cf4968f6b52 --- /dev/null +++ b/queue-4.14/x86-resctrl-fix-an-imbalance-in-domain_remove_cpu.patch @@ -0,0 +1,75 @@ +From e278af89f1ba0a9ef20947db6afc2c9afa37e85b Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 10 Dec 2019 22:30:42 -0500 +Subject: x86/resctrl: Fix an imbalance in domain_remove_cpu() + +From: Qian Cai + +commit e278af89f1ba0a9ef20947db6afc2c9afa37e85b upstream. + +A system that supports resource monitoring may have multiple resources +while not all of these resources are capable of monitoring. Monitoring +related state is initialized only for resources that are capable of +monitoring and correspondingly this state should subsequently only be +removed from these resources that are capable of monitoring. + +domain_add_cpu() calls domain_setup_mon_state() only when r->mon_capable +is true where it will initialize d->mbm_over. However, +domain_remove_cpu() calls cancel_delayed_work(&d->mbm_over) without +checking r->mon_capable resulting in an attempt to cancel d->mbm_over on +all resources, even those that never initialized d->mbm_over because +they are not capable of monitoring. Hence, it triggers a debugobjects +warning when offlining CPUs because those timer debugobjects are never +initialized: + + ODEBUG: assert_init not available (active state 0) object type: + timer_list hint: 0x0 + WARNING: CPU: 143 PID: 789 at lib/debugobjects.c:484 + debug_print_object + Hardware name: HP Synergy 680 Gen9/Synergy 680 Gen9 Compute Module, BIOS I40 05/23/2018 + RIP: 0010:debug_print_object + Call Trace: + debug_object_assert_init + del_timer + try_to_grab_pending + cancel_delayed_work + resctrl_offline_cpu + cpuhp_invoke_callback + cpuhp_thread_fun + smpboot_thread_fn + kthread + ret_from_fork + +Fixes: e33026831bdb ("x86/intel_rdt/mbm: Handle counter overflow") +Signed-off-by: Qian Cai +Signed-off-by: Borislav Petkov +Acked-by: Reinette Chatre +Cc: Fenghua Yu +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: john.stultz@linaro.org +Cc: sboyd@kernel.org +Cc: +Cc: Thomas Gleixner +Cc: tj@kernel.org +Cc: Tony Luck +Cc: Vikas Shivappa +Cc: x86-ml +Link: https://lkml.kernel.org/r/20191211033042.2188-1-cai@lca.pw +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel_rdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/intel_rdt.c ++++ b/arch/x86/kernel/cpu/intel_rdt.c +@@ -526,7 +526,7 @@ static void domain_remove_cpu(int cpu, s + if (static_branch_unlikely(&rdt_mon_enable_key)) + rmdir_mondata_subdir_allrdtgrp(r, d->id); + list_del(&d->list); +- if (is_mbm_enabled()) ++ if (r->mon_capable && is_mbm_enabled()) + cancel_delayed_work(&d->mbm_over); + if (is_llc_occupancy_enabled() && has_busy_rmid(r, d)) { + /*