From: Greg Kroah-Hartman
Date: Wed, 15 May 2019 08:44:24 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v3.18.140~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=451d5f96b0f25027b5bb56e9431d9dbbc7961e9f;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
powerpc-booke64-set-ri-in-default-msr.patch
powerpc-powernv-idle-restore-iamr-after-idle.patch
---
diff --git a/queue-4.14/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch b/queue-4.14/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
new file mode 100644
index 00000000000..2f9d92ae0c3
--- /dev/null
+++ b/queue-4.14/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
@@ -0,0 +1,104 @@
+From c8ea3663f7a8e6996d44500ee818c9330ac4fd88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 14 May 2019 15:47:00 -0700
+Subject: drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
+
+From: Dan Carpenter
+
+commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream.
+
+strndup_user() returns error pointers on error, and then in the error
+handling we pass the error pointers to kfree(). It will cause an Oops.
+
+Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Andrew Morton
+Cc: Timur Tabi
+Cc: Mihai Caraman
+Cc: Kumar Gala
+Cc: 
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virt/fsl_hypervisor.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_i
+ struct fsl_hv_ioctl_prop param;
+ char __user *upath, *upropname;
+ void __user *upropval;
+- char *path = NULL, *propname = NULL;
+- void *propval = NULL;
++ char *path, *propname;
++ void *propval;
+ int ret = 0;
+ 
+ /* Get the parameters from the user. */
+@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_i
+ upropval = (void __user *)(uintptr_t)param.propval;
+ 
+ path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
+- if (IS_ERR(path)) {
+- ret = PTR_ERR(path);
+- goto out;
+- }
++ if (IS_ERR(path))
++ return PTR_ERR(path);
+ 
+ propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
+ if (IS_ERR(propname)) {
+ ret = PTR_ERR(propname);
+- goto out;
++ goto err_free_path;
+ }
+ 
+ if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
+ ret = -EINVAL;
+- goto out;
++ goto err_free_propname;
+ }
+ 
+ propval = kmalloc(param.proplen, GFP_KERNEL);
+ if (!propval) {
+ ret = -ENOMEM;
+- goto out;
++ goto err_free_propname;
+ }
+ 
+ if (set) {
+ if (copy_from_user(propval, upropval, param.proplen)) {
+ ret = -EFAULT;
+- goto out;
++ goto err_free_propval;
+ }
+ 
+ param.ret = fh_partition_set_dtprop(param.handle,
+@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_i
+ if (copy_to_user(upropval, propval, param.proplen) ||
+ put_user(param.proplen, &p->proplen)) {
+ ret = -EFAULT;
+- goto out;
++ goto err_free_propval;
+ }
+ }
+ }
+@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_i
+ if (put_user(param.ret, &p->ret))
+ ret = -EFAULT;
+ 
+-out:
+- kfree(path);
++err_free_propval:
+ kfree(propval);
++err_free_propname:
+ kfree(propname);
++err_free_path:
++ kfree(path);
+ 
+ return ret;
+ }
diff --git a/queue-4.14/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch b/queue-4.14/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
new file mode 100644
index 00000000000..b064ad8b89e
--- /dev/null
+++ b/queue-4.14/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
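Review bot: The three `err_free_*` labels that replace `out:` at the end of ioctl_dtprop are also the success path — after `put_user(param.ret, &p->ret)` control falls straight into `err_free_propval:` — so the `err_` prefix suggests only failures arrive there. A short comment before the first label, `/* Success and failure converge here; free in reverse order of allocation. */`, or neutral names such as `free_propval:` / `free_propname:` / `free_path:`, would make the intent clear. Dropping the `= NULL` initialisers is correct now that each exit frees only what was already allocated, but `int ret = 0;` is still needed for the get/set success flow and must stay. The opening of ioctl_dtprop, including the read of `param`, is outside the hunk.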
@@ -0,0 +1,46 @@
+From 6a024330650e24556b8a18cc654ad00cfecf6c6c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 14 May 2019 15:47:03 -0700
+Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
+
+From: Dan Carpenter
+
+commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.
+
+The "param.count" value is a u64 thatcomes from the user. The code
+later in the function assumes that param.count is at least one and if
+it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.
+
+Also the addition can have an integer overflow which would lead us to
+allocate a smaller "pages" array than required. I can't immediately
+tell what the possible run times implications are, but it's safest to
+prevent the overflow.
+
+Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Andrew Morton
+Cc: Timur Tabi
+Cc: Mihai Caraman
+Cc: Kumar Gala
+Cc: 
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virt/fsl_hypervisor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
+ * hypervisor.
+ */
+ lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
++ if (param.count == 0 ||
++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
++ return -EINVAL;
+ num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 
+ /* Allocate the buffers we need */
diff --git a/queue-4.14/powerpc-booke64-set-ri-in-default-msr.patch b/queue-4.14/powerpc-booke64-set-ri-in-default-msr.patch
new file mode 100644
index 00000000000..b6d3689ac25
--- /dev/null
+++ b/queue-4.14/powerpc-booke64-set-ri-in-default-msr.patch
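Review bot: The new guard's bound is correct for the `param.count + lb_offset + PAGE_SIZE - 1` sum on the next line, but its derivation is not obvious from `U64_MAX - lb_offset - PAGE_SIZE + 1` and deserves a comment, e.g. `/* count == 0 would make the kzalloc below return ZERO_SIZE_PTR; larger counts would wrap the num_pages sum. */`. The check only stops that one addition from wrapping and does not bound num_pages itself, so a caller can still request a page count on the order of 2^52; the allocation of the `pages` array that follows is outside the hunk, so I can't see whether it multiplies `num_pages` by `sizeof(struct page *)` through an overflow-checked helper — worth confirming that it fails cleanly for huge counts rather than wrapping to a small size. ioctl_memcpy starts and ends outside the hunk.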
@@ -0,0 +1,34 @@
+From 5266e58d6cd90ac85c187d673093ad9cb649e16d Mon Sep 17 00:00:00 2001
+From: Laurentiu Tudor
+Date: Mon, 15 Apr 2019 14:52:11 +0300
+Subject: powerpc/booke64: set RI in default MSR
+
+From: Laurentiu Tudor
+
+commit 5266e58d6cd90ac85c187d673093ad9cb649e16d upstream.
+
+Set RI in the default kernel's MSR so that the architected way of
+detecting unrecoverable machine check interrupts has a chance to work.
+This is inline with the MSR setup of the rest of booke powerpc
+architectures configured here.
+
+Signed-off-by: Laurentiu Tudor
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/reg_booke.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg_booke.h
++++ b/arch/powerpc/include/asm/reg_booke.h
+@@ -41,7 +41,7 @@
+ #if defined(CONFIG_PPC_BOOK3E_64)
+ #define MSR_64BIT MSR_CM
+ 
+-#define MSR_ (MSR_ME | MSR_CE)
++#define MSR_ (MSR_ME | MSR_RI | MSR_CE)
+ #define MSR_KERNEL (MSR_ | MSR_64BIT)
+ #define MSR_USER32 (MSR_ | MSR_PR | MSR_EE)
+ #define MSR_USER64 (MSR_USER32 | MSR_64BIT)
diff --git a/queue-4.14/powerpc-powernv-idle-restore-iamr-after-idle.patch b/queue-4.14/powerpc-powernv-idle-restore-iamr-after-idle.patch
new file mode 100644
index 00000000000..d71ad054f94
--- /dev/null
+++ b/queue-4.14/powerpc-powernv-idle-restore-iamr-after-idle.patch
@@ -0,0 +1,79 @@
+From a3f3072db6cad40895c585dce65e36aab997f042 Mon Sep 17 00:00:00 2001
+From: Russell Currey
+Date: Thu, 18 Apr 2019 16:51:16 +1000
+Subject: powerpc/powernv/idle: Restore IAMR after idle
+
+From: Russell Currey
+
+commit a3f3072db6cad40895c585dce65e36aab997f042 upstream.
+
+Without restoring the IAMR after idle, execution prevention on POWER9
+with Radix MMU is overwritten and the kernel can freely execute
+userspace without faulting.
+
+This is necessary when returning from any stop state that modifies
+user state, as well as hypervisor state.
+
+To test how this fails without this patch, load the lkdtm driver and
+do the following:
+
+ $ echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT
+
+which won't fault, then boot the kernel with powersave=off, where it
+will fault. Applying this patch will fix this.
+
+Fixes: 3b10d0095a1e ("powerpc/mm/radix: Prevent kernel execution of user space")
+Cc: stable@vger.kernel.org # v4.10+
+Signed-off-by: Russell Currey
+Reviewed-by: Akshay Adiga
+Reviewed-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/idle_book3s.S | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/powerpc/kernel/idle_book3s.S
++++ b/arch/powerpc/kernel/idle_book3s.S
+@@ -163,6 +163,9 @@ core_idle_lock_held:
+ bne- core_idle_lock_held
+ blr
+ 
++/* Reuse an unused pt_regs slot for IAMR */
++#define PNV_POWERSAVE_IAMR _DAR
++
+ /*
+ * Pass requested state in r3:
+ * r3 - PNV_THREAD_NAP/SLEEP/WINKLE in POWER8
+@@ -193,6 +196,12 @@ pnv_powersave_common:
+ /* Continue saving state */
+ SAVE_GPR(2, r1)
+ SAVE_NVGPRS(r1)
++
++BEGIN_FTR_SECTION
++ mfspr r5, SPRN_IAMR
++ std r5, PNV_POWERSAVE_IAMR(r1)
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
++
+ mfcr r5
+ std r5,_CCR(r1)
+ std r1,PACAR1(r13)
+@@ -940,6 +949,17 @@ BEGIN_FTR_SECTION
+ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
+ REST_NVGPRS(r1)
+ REST_GPR(2, r1)
++
++BEGIN_FTR_SECTION
++ /* IAMR was saved in pnv_powersave_common() */
++ ld r5, PNV_POWERSAVE_IAMR(r1)
++ mtspr SPRN_IAMR, r5
++ /*
++ * We don't need an isync here because the upcoming mtmsrd is
++ * execution synchronizing.
++ */
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
++
+ ld r4,PACAKMSR(r13)
+ ld r5,_LINK(r1)
+ ld r6,_CCR(r1)
diff --git a/queue-4.14/series b/queue-4.14/series
index a2e28587c4a..cd997965094 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -109,3 +109,7 @@ packet-fix-error-path-in-packet_init.patch
 vlan-disable-siocshwtstamp-in-container.patch
 vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch
 tipc-fix-hanging-clients-using-poll-with-epollout-flag.patch
+drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
+drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
+powerpc-powernv-idle-restore-iamr-after-idle.patch
+powerpc-booke64-set-ri-in-default-msr.patch
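Review bot: `#define PNV_POWERSAVE_IAMR _DAR` depends on the powersave frame never recording a DAR in that slot, and the comment above it only says the slot is "unused" without stating that dependency; I would expand it to `/* Reuse the _DAR pt_regs slot for IAMR: the powersave frame never stores a DAR, and the save and restore below are both under CPU_FTR_ARCH_207S, so the slot is only read where it was written. */`. The restore block added before `ld r4,PACAKMSR(r13)` sits in a routine that begins outside the hunk, so I can't confirm from here that no other return path from the stop states skips it; that is worth checking since a missed path leaves the IAMR unrestored, which is exactly the condition the patch fixes. The "no isync" comment is welcome but would be stronger if it named the mtmsrd it refers to, which is also outside the hunk.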