From: Greg Kroah-Hartman Date: Thu, 13 Sep 2018 07:19:32 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.156~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=294985d61553024bd36b6591bf5f7e7baaac8ef8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes.patch revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch s390-lib-use-expoline-for-all-bcr-instructions.patch x86-kvm-avoid-unused-variable-warning.patch
---
diff --git a/queue-4.14/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch b/queue-4.14/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch
new file mode 100644
index 00000000000..b38cb202f22
--- /dev/null
+++ b/queue-4.14/irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch
@@ -0,0 +1,43 @@
+From tyhicks@canonical.com Thu Sep 13 09:00:58 2018
+From: Tyler Hicks
+Date: Tue, 4 Sep 2018 15:24:04 +0000
+Subject: irda: Fix memory leak caused by repeated binds of irda socket
+To: stable@vger.kernel.org
+Message-ID: <1536074645-14160-2-git-send-email-tyhicks@canonical.com>
+
+From: Tyler Hicks
+
+The irda_bind() function allocates memory for self->ias_obj without
+checking to see if the socket is already bound. A userspace process
+could repeatedly bind the socket, have each new object added into the
+LM-IAS database, and lose the reference to the old object assigned to
+the socket to exhaust memory resources. This patch errors out of the
+bind operation when self->ias_obj is already assigned.
+
+CVE-2018-6554
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tyler Hicks
+Reviewed-by: Seth Arnold
+Reviewed-by: Stefan Bader
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/irda/net/af_irda.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/staging/irda/net/af_irda.c
++++ b/drivers/staging/irda/net/af_irda.c
+@@ -775,6 +775,13 @@ static int irda_bind(struct socket *sock
+ return -EINVAL;
+
+ lock_sock(sk);
++
++ /* Ensure that the socket is not already bound */
++ if (self->ias_obj) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ #ifdef CONFIG_IRDA_ULTRA
+ /* Special care for Ultra sockets */
+ if ((sk->sk_type == SOCK_DGRAM) &&
diff --git a/queue-4.14/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch b/queue-4.14/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch
new file mode 100644
index 00000000000..a21fa94eea3
--- /dev/null
+++ b/queue-4.14/irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch
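Review bot: The new guard in irda_bind() keys "already bound" on self->ias_obj being non-NULL, so a bind path that completes without allocating ias_obj would not be caught by it; the CONFIG_IRDA_ULTRA branch that follows the inserted lines is the one to confirm, since its body lies outside this hunk. The check sits after lock_sock(sk), which is the right place, but the `out` label it jumps to (and the unlock it presumably performs) is also outside the hunk, as is the rest of irda_bind(). The added comment could state the invariant the fix relies on rather than only the check, e.g. `/* ias_obj is allocated once per bound socket; a second bind would leak the first object */`.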
@@ -0,0 +1,44 @@
+From tyhicks@canonical.com Thu Sep 13 09:02:40 2018
+From: Tyler Hicks
+Date: Tue, 4 Sep 2018 15:24:05 +0000
+Subject: irda: Only insert new objects into the global database via setsockopt
+To: stable@vger.kernel.org
+Message-ID: <1536074645-14160-3-git-send-email-tyhicks@canonical.com>
+
+From: Tyler Hicks
+
+The irda_setsockopt() function conditionally allocates memory for a new
+self->ias_object or, in some cases, reuses the existing
+self->ias_object. Existing objects were incorrectly reinserted into the
+LM_IAS database which corrupted the doubly linked list used for the
+hashbin implementation of the LM_IAS database. When combined with a
+memory leak in irda_bind(), this issue could be leveraged to create a
+use-after-free vulnerability in the hashbin list. This patch fixes the
+issue by only inserting newly allocated objects into the database.
+
+CVE-2018-6555
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tyler Hicks
+Reviewed-by: Seth Arnold
+Reviewed-by: Stefan Bader
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/irda/net/af_irda.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/irda/net/af_irda.c
++++ b/drivers/staging/irda/net/af_irda.c
+@@ -2019,7 +2019,11 @@ static int irda_setsockopt(struct socket
+ err = -EINVAL;
+ goto out;
+ }
+- irias_insert_object(ias_obj);
++
++ /* Only insert newly allocated objects */
++ if (free_ias)
++ irias_insert_object(ias_obj);
++
+ kfree(ias_opt);
+ break;
+ case IRLMP_IAS_DEL:
diff --git a/queue-4.14/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch b/queue-4.14/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch
new file mode 100644
index 00000000000..f55e6427433
--- /dev/null
+++ b/queue-4.14/kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch
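Review bot: Gating the insert on `free_ias` ties the "newly allocated" decision to a flag whose name describes error-path ownership, and the two meanings can drift apart if a later change sets free_ias for some other reason; the assignment of free_ias and the allocation of ias_obj are outside this hunk, so this is inferred from the name alone. A comment beside the flag, e.g. `/* free_ias: ias_obj was allocated in this call, so it is inserted into the LM-IAS database below (and, presumably, released on the error path) */`, would pin the double meaning down once the error path has been checked. The surrounding irda_setsockopt() continues on both sides of the hunk.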
@@ -0,0 +1,55 @@
+From 914b087ff9e0e9a399a4927fa30793064afc0178 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Tue, 28 Aug 2018 12:59:10 -0700
+Subject: kbuild: make missing $DEPMOD a Warning instead of an Error
+
+From: Randy Dunlap
+
+commit 914b087ff9e0e9a399a4927fa30793064afc0178 upstream.
+
+When $DEPMOD is not found, only print a warning instead of exiting
+with an error message and error status:
+
+Warning: 'make modules_install' requires /sbin/depmod. Please install it.
+This is probably in the kmod package.
+
+Change the Error to a Warning because "not all build hosts for cross
+compiling Linux are Linux systems and are able to provide a working
+port of depmod, especially at the file patch /sbin/depmod."
+
+I.e., "make modules_install" may be used to copy/install the
+loadable modules files to a target directory on a build system and
+then transferred to an embedded device where /sbin/depmod is run
+instead of it being run on the build system.
+
+Fixes: 934193a654c1 ("kbuild: verify that $DEPMOD is installed")
+Signed-off-by: Randy Dunlap
+Reported-by: H. Nikolaus Schaller
+Cc: stable@vger.kernel.org
+Cc: Lucas De Marchi
+Cc: Lucas De Marchi
+Cc: Michal Marek
+Cc: Jessica Yu
+Cc: Chih-Wei Huang
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Maxim Zhukov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/depmod.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scripts/depmod.sh
++++ b/scripts/depmod.sh
+@@ -16,9 +16,9 @@ if ! test -r System.map ; then
+ fi
+
+ if [ -z $(command -v $DEPMOD) ]; then
+- echo "'make modules_install' requires $DEPMOD. Please install it." >&2
++ echo "Warning: 'make modules_install' requires $DEPMOD. Please install it." >&2
+ echo "This is probably in the kmod package." >&2
+- exit 1
++ exit 0
+ fi
+
+ # older versions of depmod don't support -P
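Review bot: With `exit 0` a missing depmod no longer shows up in the script's status, so a build that does not inspect stderr installs a modules tree without the depmod output and only notices at module-load time; that is the stated intent, but the warning could name what was skipped, e.g. `echo "Warning: 'make modules_install' requires $DEPMOD. Please install it. (depmod step skipped)" >&2`. The test on the context line, `[ -z $(command -v $DEPMOD) ]`, leaves both expansions unquoted and only works for the empty case because a bare `[ -z ]` happens to evaluate true; `[ -z "$(command -v "$DEPMOD")" ]` is the robust form, although that line predates this change.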
diff --git a/queue-4.14/kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes.patch b/queue-4.14/kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes.patch
new file mode 100644
index 00000000000..a3b245587e5
--- /dev/null
+++ b/queue-4.14/kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes.patch
@@ -0,0 +1,133 @@
+From 28a1f3ac1d0c8558ee4453d9634dad891a6e922e Mon Sep 17 00:00:00 2001
+From: Junaid Shahid
+Date: Tue, 14 Aug 2018 10:15:34 -0700
+Subject: kvm: x86: Set highest physical address bits in non-present/reserved SPTEs
+
+From: Junaid Shahid
+
+commit 28a1f3ac1d0c8558ee4453d9634dad891a6e922e upstream.
+
+Always set the 5 upper-most supported physical address bits to 1 for SPTEs
+that are marked as non-present or reserved, to make them unusable for
+L1TF attacks from the guest. Currently, this just applies to MMIO SPTEs.
+(We do not need to mark PTEs that are completely 0 as physical page 0
+is already reserved.)
+
+This allows mitigation of L1TF without disabling hyper-threading by using
+shadow paging mode instead of EPT.
+
+Signed-off-by: Junaid Shahid
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 43 ++++++++++++++++++++++++++++++++++++++-----
+ arch/x86/kvm/x86.c | 8 ++++++--
+ 2 files changed, 44 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -220,6 +220,17 @@ static const u64 shadow_acc_track_saved_
+ PT64_EPT_EXECUTABLE_MASK;
+ static const u64 shadow_acc_track_saved_bits_shift = PT64_SECOND_AVAIL_BITS_SHIFT;
+
++/*
++ * This mask must be set on all non-zero Non-Present or Reserved SPTEs in order
++ * to guard against L1TF attacks.
++ */
++static u64 __read_mostly shadow_nonpresent_or_rsvd_mask;
++
++/*
++ * The number of high-order 1 bits to use in the mask above.
++ */
++static const u64 shadow_nonpresent_or_rsvd_mask_len = 5;
++
+ static void mmu_spte_set(u64 *sptep, u64 spte);
+ static void mmu_free_roots(struct kvm_vcpu *vcpu);
+
+@@ -308,9 +319,13 @@ static void mark_mmio_spte(struct kvm_vc
+ {
+ unsigned int gen = kvm_current_mmio_generation(vcpu);
+ u64 mask = generation_mmio_spte_mask(gen);
++ u64 gpa = gfn << PAGE_SHIFT;
+
+ access &= ACC_WRITE_MASK | ACC_USER_MASK;
+- mask |= shadow_mmio_value | access | gfn << PAGE_SHIFT;
++ mask |= shadow_mmio_value | access;
++ mask |= gpa | shadow_nonpresent_or_rsvd_mask;
++ mask |= (gpa & shadow_nonpresent_or_rsvd_mask)
++ << shadow_nonpresent_or_rsvd_mask_len;
+
+ trace_mark_mmio_spte(sptep, gfn, access, gen);
+ mmu_spte_set(sptep, mask);
+@@ -323,8 +338,14 @@ static bool is_mmio_spte(u64 spte)
+
+ static gfn_t get_mmio_spte_gfn(u64 spte)
+ {
+- u64 mask = generation_mmio_spte_mask(MMIO_GEN_MASK) | shadow_mmio_mask;
+- return (spte & ~mask) >> PAGE_SHIFT;
++ u64 mask = generation_mmio_spte_mask(MMIO_GEN_MASK) | shadow_mmio_mask |
++ shadow_nonpresent_or_rsvd_mask;
++ u64 gpa = spte & ~mask;
++
++ gpa |= (spte >> shadow_nonpresent_or_rsvd_mask_len)
++ & shadow_nonpresent_or_rsvd_mask;
++
++ return gpa >> PAGE_SHIFT;
+ }
+
+ static unsigned get_mmio_spte_access(u64 spte)
+@@ -381,7 +402,7 @@ void kvm_mmu_set_mask_ptes(u64 user_mask
+ }
+ EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes);
+
+-void kvm_mmu_clear_all_pte_masks(void)
++static void kvm_mmu_reset_all_pte_masks(void)
+ {
+ shadow_user_mask = 0;
+ shadow_accessed_mask = 0;
+@@ -391,6 +412,18 @@ void kvm_mmu_clear_all_pte_masks(void)
+ shadow_mmio_mask = 0;
+ shadow_present_mask = 0;
+ shadow_acc_track_mask = 0;
++
++ /*
++ * If the CPU has 46 or less physical address bits, then set an
++ * appropriate mask to guard against L1TF attacks. Otherwise, it is
++ * assumed that the CPU is not vulnerable to L1TF.
++ */
++ if (boot_cpu_data.x86_phys_bits <
++ 52 - shadow_nonpresent_or_rsvd_mask_len)
++ shadow_nonpresent_or_rsvd_mask =
++ rsvd_bits(boot_cpu_data.x86_phys_bits -
++ shadow_nonpresent_or_rsvd_mask_len,
++ boot_cpu_data.x86_phys_bits - 1);
+ }
+
+ static int is_cpuid_PSE36(void)
+@@ -5473,7 +5506,7 @@ static void mmu_destroy_caches(void)
+
+ int kvm_mmu_module_init(void)
+ {
+- kvm_mmu_clear_all_pte_masks();
++ kvm_mmu_reset_all_pte_masks();
+
+ pte_list_desc_cache = kmem_cache_create("pte_list_desc",
+ sizeof(struct pte_list_desc),
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6194,8 +6194,12 @@ static void kvm_set_mmio_spte_mask(void)
+ * Set the reserved bits and the present bit of an paging-structure
+ * entry to generate page fault with PFER.RSV = 1.
+ */
+- /* Mask the reserved physical address bits. */
+- mask = rsvd_bits(maxphyaddr, 51);
++
++ /*
++ * Mask the uppermost physical address bit, which would be reserved as
++ * long as the supported physical address width is less than 52.
++ */
++ mask = 1ull << 51;
+
+ /* Set the present bit. */
+ mask |= 1ull;
diff --git a/queue-4.14/revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch b/queue-4.14/revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch
new file mode 100644
index 00000000000..ea6a532523a
--- /dev/null
+++ b/queue-4.14/revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch
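Review bot: The encode added to mark_mmio_spte() (GPA bits that overlap shadow_nonpresent_or_rsvd_mask are copied shadow_nonpresent_or_rsvd_mask_len bits higher) and its inverse in get_mmio_spte_gfn() must stay in lockstep, yet neither side mentions the other; the scheme is also only sound if the relocated bits land in positions that shadow_mmio_mask and generation_mmio_spte_mask() leave free, which the `x86_phys_bits < 52 - len` check in kvm_mmu_reset_all_pte_masks() bounds to bit 51 but which cannot be confirmed against the generation-bit layout from this hunk. A comment at the encode site, e.g. `/* GPA bits under shadow_nonpresent_or_rsvd_mask are stashed mask_len bits higher; get_mmio_spte_gfn() undoes this */`, with a mirror line in the decoder, would make the pairing and the layout assumption explicit. In x86.c the new `mask = 1ull << 51` narrows the old rsvd_bits(maxphyaddr, 51) to a single bit; the comment explains why bit 51 is reserved, and it would help to add that the remaining high bits are now supplied by shadow_nonpresent_or_rsvd_mask in mmu.c, if that is the intended division of labour.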
@@ -0,0 +1,41 @@
+From festevam@gmail.com Thu Sep 13 09:04:45 2018
+From: Fabio Estevam
+Date: Mon, 3 Sep 2018 10:39:17 -0300
+Subject: Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
+To: stable@vger.kernel.org
+Cc: shawnguo@kernel.org, rasmus.villemoes@prevas.dk, gregkh@linuxfoundation.org, Fabio Estevam
+Message-ID: <1535981957-28688-1-git-send-email-festevam@gmail.com>
+
+From: Fabio Estevam
+
+This reverts commit 2059e527a659cf16d6bb709f1c8509f7a7623fc4.
+
+This commit causes reboot to fail on imx6 wandboard, so let's
+revert it.
+
+Cc: #4.14
+Reported-by: Rasmus Villemoes
+Signed-off-by: Fabio Estevam
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/configs/imx_v6_v7_defconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/arm/configs/imx_v6_v7_defconfig
++++ b/arch/arm/configs/imx_v6_v7_defconfig
+@@ -289,7 +289,6 @@ CONFIG_USB_STORAGE=y
+ CONFIG_USB_CHIPIDEA=y
+ CONFIG_USB_CHIPIDEA_UDC=y
+ CONFIG_USB_CHIPIDEA_HOST=y
+-CONFIG_USB_CHIPIDEA_ULPI=y
+ CONFIG_USB_SERIAL=m
+ CONFIG_USB_SERIAL_GENERIC=y
+ CONFIG_USB_SERIAL_FTDI_SIO=m
+@@ -326,7 +325,6 @@ CONFIG_USB_GADGETFS=m
+ CONFIG_USB_FUNCTIONFS=m
+ CONFIG_USB_MASS_STORAGE=m
+ CONFIG_USB_G_SERIAL=m
+-CONFIG_USB_ULPI_BUS=y
+ CONFIG_MMC=y
+ CONFIG_MMC_SDHCI=y
+ CONFIG_MMC_SDHCI_PLTFM=y
diff --git a/queue-4.14/s390-lib-use-expoline-for-all-bcr-instructions.patch b/queue-4.14/s390-lib-use-expoline-for-all-bcr-instructions.patch
new file mode 100644
index 00000000000..68e2d9554c0
--- /dev/null
+++ b/queue-4.14/s390-lib-use-expoline-for-all-bcr-instructions.patch
@@ -0,0 +1,91 @@
+From 5eda25b10297684c1f46a14199ec00210f3c346e Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky
+Date: Mon, 6 Aug 2018 13:49:47 +0200
+Subject: s390/lib: use expoline for all bcr instructions
+
+From: Martin Schwidefsky
+
+commit 5eda25b10297684c1f46a14199ec00210f3c346e upstream.
+
+The memove, memset, memcpy, __memset16, __memset32 and __memset64
+function have an additional indirect return branch in form of a
+"bzr" instruction. These need to use expolines as well.
+
+Cc: # v4.17+
+Fixes: 97489e0663 ("s390/lib: use expoline for indirect branches")
+Reviewed-by: Heiko Carstens
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/lib/mem.S | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/lib/mem.S
++++ b/arch/s390/lib/mem.S
+@@ -17,7 +17,7 @@
+ ENTRY(memmove)
+ ltgr %r4,%r4
+ lgr %r1,%r2
+- bzr %r14
++ jz .Lmemmove_exit
+ aghi %r4,-1
+ clgr %r2,%r3
+ jnh .Lmemmove_forward
+@@ -36,6 +36,7 @@ ENTRY(memmove)
+ .Lmemmove_forward_remainder:
+ larl %r5,.Lmemmove_mvc
+ ex %r4,0(%r5)
++.Lmemmove_exit:
+ BR_EX %r14
+ .Lmemmove_reverse:
+ ic %r0,0(%r4,%r3)
+@@ -65,7 +66,7 @@ EXPORT_SYMBOL(memmove)
+ */
+ ENTRY(memset)
+ ltgr %r4,%r4
+- bzr %r14
++ jz .Lmemset_exit
+ ltgr %r3,%r3
+ jnz .Lmemset_fill
+ aghi %r4,-1
+@@ -80,12 +81,13 @@ ENTRY(memset)
+ .Lmemset_clear_remainder:
+ larl %r3,.Lmemset_xc
+ ex %r4,0(%r3)
++.Lmemset_exit:
+ BR_EX %r14
+ .Lmemset_fill:
+ stc %r3,0(%r2)
+ cghi %r4,1
+ lgr %r1,%r2
+- ber %r14
++ je .Lmemset_fill_exit
+ aghi %r4,-2
+ srlg %r3,%r4,8
+ ltgr %r3,%r3
+@@ -97,6 +99,7 @@ ENTRY(memset)
+ .Lmemset_fill_remainder:
+ larl %r3,.Lmemset_mvc
+ ex %r4,0(%r3)
++.Lmemset_fill_exit:
+ BR_EX %r14
+ .Lmemset_xc:
+ xc 0(1,%r1),0(%r1)
+@@ -111,7 +114,7 @@ EXPORT_SYMBOL(memset)
+ */
+ ENTRY(memcpy)
+ ltgr %r4,%r4
+- bzr %r14
++ jz .Lmemcpy_exit
+ aghi %r4,-1
+ srlg %r5,%r4,8
+ ltgr %r5,%r5
+@@ -120,6 +123,7 @@ ENTRY(memcpy)
+ .Lmemcpy_remainder:
+ larl %r5,.Lmemcpy_mvc
+ ex %r4,0(%r5)
++.Lmemcpy_exit:
+ BR_EX %r14
+ .Lmemcpy_loop:
+ mvc 0(256,%r1),0(%r3)
diff --git a/queue-4.14/series b/queue-4.14/series
index 7c38abd7c7b..bc49e4cb639 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -102,3 +102,10 @@ usb-dwc3-core-fix-ulpi-phys-and-prevent-phy_get-ulpi_init-during-suspend-resume.
 x86-pae-use-64-bit-atomic-xchg-function-in-native_ptep_get_and_clear.patch
 x86-xen-don-t-write-ptes-directly-in-32-bit-pv-guests.patch
 drm-i915-increase-lspcon-timeout.patch
+kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch
+s390-lib-use-expoline-for-all-bcr-instructions.patch
+irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch
+irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch
+revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch
+kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes.patch
+x86-kvm-avoid-unused-variable-warning.patch
diff --git a/queue-4.14/x86-kvm-avoid-unused-variable-warning.patch b/queue-4.14/x86-kvm-avoid-unused-variable-warning.patch
new file mode 100644
index 00000000000..f55e97f5f63
--- /dev/null
+++ b/queue-4.14/x86-kvm-avoid-unused-variable-warning.patch
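Review bot: The backported description still lists __memset16, __memset32 and __memset64 among the functions with a `bzr` return, but the 4.14 hunks touch only memmove, memset and memcpy (diffstat: 8 insertions, 4 deletions in mem.S); if those helpers are absent in 4.14 the header should say the backport was trimmed, and if they are present and still end in `bzr %r14`, they are left without the expoline this series is meant to apply everywhere. A bracketed line in the patch header such as `[ backport note: __memset16/32/64 are not present in 4.14 ]`, adjusted to whichever is the case, would settle it for the next reader. The substitution itself is uniform: each `bzr %r14`/`ber %r14` becomes a conditional jump to a new local label placed directly in front of the existing `BR_EX %r14`, so the early-exit paths share the same return sequence as the main paths.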
@@ -0,0 +1,46 @@
+From 7288bde1f9df6c1475675419bdd7725ce84dec56 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 20 Aug 2018 23:37:50 +0200
+Subject: x86: kvm: avoid unused variable warning
+
+From: Arnd Bergmann
+
+commit 7288bde1f9df6c1475675419bdd7725ce84dec56 upstream.
+
+Removing one of the two accesses of the maxphyaddr variable led to
+a harmless warning:
+
+arch/x86/kvm/x86.c: In function 'kvm_set_mmio_spte_mask':
+arch/x86/kvm/x86.c:6563:6: error: unused variable 'maxphyaddr' [-Werror=unused-variable]
+
+Removing the #ifdef seems to be the nicest workaround, as it
+makes the code look cleaner than adding another #ifdef.
+
+Fixes: 28a1f3ac1d0c ("kvm: x86: Set highest physical address bits in non-present/reserved SPTEs")
+Signed-off-by: Arnd Bergmann
+Cc: stable@vger.kernel.org # L1TF
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6204,14 +6204,12 @@ static void kvm_set_mmio_spte_mask(void)
+ /* Set the present bit. */
+ mask |= 1ull;
+
+-#ifdef CONFIG_X86_64
+ /*
+ * If reserved bit is not supported, clear the present bit to disable
+ * mmio page fault.
+ */
+- if (maxphyaddr == 52)
++ if (IS_ENABLED(CONFIG_X86_64) && maxphyaddr == 52)
+ mask &= ~1ull;
+-#endif
+
+ kvm_mmu_set_mmio_spte_mask(mask, mask);
+ }
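Review bot: The new condition `if (IS_ENABLED(CONFIG_X86_64) && maxphyaddr == 52)` takes this form to keep maxphyaddr referenced on 32-bit builds, which the commit message explains but the code does not, so a later cleanup could reinstate the #ifdef and bring the -Werror=unused-variable failure back. Extending the comment block directly above with one line, `* IS_ENABLED() rather than #ifdef keeps maxphyaddr used on 32-bit builds.`, records the reason where it will be read. kvm_set_mmio_spte_mask() begins before this hunk, so the declaration and value of maxphyaddr are not visible here.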