From: Greg Kroah-Hartman Date: Sat, 4 Aug 2018 08:12:29 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.17.13~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=815b520c0241eb44e30c2ac23b274a80ab95dae9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch crypto-padlock-aes-fix-nano-workaround-data-corruption.patch kvm-x86-vmx-fix-vpid-leak.patch net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch scsi-sg-fix-minor-memory-leak-in-error-path.patch squashfs-more-metadata-hardening.patch squashfs-more-metadata-hardenings.patch virtio_balloon-fix-another-race-between-migration-and-ballooning.patch --- diff --git a/queue-4.4/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch b/queue-4.4/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch new file mode 100644 index 00000000000..6ba619903a2 --- /dev/null +++ b/queue-4.4/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch @@ -0,0 +1,33 @@ +From 72c05f32f4a5055c9c8fe889bb6903ec959c0aad Mon Sep 17 00:00:00 2001 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 18:50:42 +0300 +Subject: can: ems_usb: Fix memory leak on ems_usb_disconnect() + +From: Anton Vasilyev + +commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream. + +ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there +is no its deallocation in ems_usb_disconnect(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Cc: +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/ems_usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -1078,6 +1078,7 @@ static void ems_usb_disconnect(struct us + usb_free_urb(dev->intr_urb); + + kfree(dev->intr_in_buffer); ++ kfree(dev->tx_msg_buffer); + } + } + diff --git a/queue-4.4/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch b/queue-4.4/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch new file mode 100644 index 00000000000..acd0eaf5b48 --- /dev/null +++ b/queue-4.4/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch @@ -0,0 +1,71 @@ +From 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 13 Jul 2018 16:12:32 +0800 +Subject: crypto: padlock-aes - Fix Nano workaround data corruption + +From: Herbert Xu + +commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream. + +This was detected by the self-test thanks to Ard's chunking patch. + +I finally got around to testing this out on my ancient Via box. It +turns out that the workaround got the assembly wrong and we end up +doing count + initial cycles of the loop instead of just count. + +This obviously causes corruption, either by overwriting the source +that is yet to be processed, or writing over the end of the buffer. + +On CPUs that don't require the workaround only ECB is affected. +On Nano CPUs both ECB and CBC are affected. + +This patch fixes it by doing the subtraction prior to the assembly. + +Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...") +Cc: +Reported-by: Jamie Heilman +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/padlock-aes.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co + return; + } + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co + + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +- : "d"(control_word), "b"(key), "c"(count - initial)); ++ : "d"(control_word), "b"(key), "c"(count)); + } + + static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, +@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con + if (count < cbc_fetch_blocks) + return cbc_crypt(input, output, key, iv, control_word, count); + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con + + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +- : "d" (control_word), "b" (key), "c" (count-initial)); ++ : "d" (control_word), "b" (key), "c" (count)); + return iv; + } + diff --git a/queue-4.4/kvm-x86-vmx-fix-vpid-leak.patch b/queue-4.4/kvm-x86-vmx-fix-vpid-leak.patch new file mode 100644 index 00000000000..04af1c6f72e --- /dev/null +++ b/queue-4.4/kvm-x86-vmx-fix-vpid-leak.patch @@ -0,0 +1,64 @@ +From 63aff65573d73eb8dda4732ad4ef222dd35e4862 Mon Sep 17 00:00:00 2001 +From: Roman Kagan +Date: Thu, 19 Jul 2018 21:59:07 +0300 +Subject: kvm: x86: vmx: fix vpid leak + +From: Roman Kagan + +commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream. + +VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested +vmx is turned on with the module parameter. + +However, it's only freed if the L1 guest has executed VMXON which is not +a given. + +As a result, on a system with nested==on every creation+deletion of an +L1 vcpu without running an L2 guest results in leaking one vpid. Since +the total number of vpids is limited to 64k, they can eventually get +exhausted, preventing L2 from starting. + +Delay allocation of the L2 vpid until VMXON emulation, thus matching its +freeing. + +Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0 +Cc: stable@vger.kernel.org +Signed-off-by: Roman Kagan +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6843,6 +6843,8 @@ static int handle_vmon(struct kvm_vcpu * + HRTIMER_MODE_REL); + vmx->nested.preemption_timer.function = vmx_preemption_timer_fn; + ++ vmx->nested.vpid02 = allocate_vpid(); ++ + vmx->nested.vmxon = true; + + skip_emulated_instruction(vcpu); +@@ -8887,10 +8889,8 @@ static struct kvm_vcpu *vmx_create_vcpu( + goto free_vmcs; + } + +- if (nested) { ++ if (nested) + nested_vmx_setup_ctls_msrs(vmx); +- vmx->nested.vpid02 = allocate_vpid(); +- } + + vmx->nested.posted_intr_nv = -1; + vmx->nested.current_vmptr = -1ull; +@@ -8899,7 +8899,6 @@ static struct kvm_vcpu *vmx_create_vcpu( + return &vmx->vcpu; + + free_vmcs: +- free_vpid(vmx->nested.vpid02); + free_loaded_vmcs(vmx->loaded_vmcs); + free_msrs: + kfree(vmx->guest_msrs); diff --git a/queue-4.4/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch b/queue-4.4/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch new file mode 100644 index 00000000000..1f69829c407 --- /dev/null +++ b/queue-4.4/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch @@ -0,0 +1,45 @@ +From c8e8cd579bb4265651df8223730105341e61a2d1 Mon Sep 17 00:00:00 2001 +From: Jeremy Cline +Date: Fri, 27 Jul 2018 22:43:01 +0000 +Subject: net: socket: fix potential spectre v1 gadget in socketcall + +From: Jeremy Cline + +commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream. + +'call' is a user-controlled value, so sanitize the array index after the +bounds check to avoid speculating past the bounds of the 'nargs' array. + +Found with the help of Smatch: + +net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue +'nargs' [r] (local cap) + +Cc: Josh Poimboeuf +Cc: stable@vger.kernel.org +Signed-off-by: Jeremy Cline +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -89,6 +89,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -2324,6 +2325,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u + + if (call < 1 || call > SYS_SENDMMSG) + return -EINVAL; ++ call = array_index_nospec(call, SYS_SENDMMSG + 1); + + len = nargs[call]; + if (len > sizeof(a)) diff --git a/queue-4.4/scsi-sg-fix-minor-memory-leak-in-error-path.patch b/queue-4.4/scsi-sg-fix-minor-memory-leak-in-error-path.patch new file mode 100644 index 00000000000..5ec1f256ac7 --- /dev/null +++ b/queue-4.4/scsi-sg-fix-minor-memory-leak-in-error-path.patch @@ -0,0 +1,33 @@ +From c170e5a8d222537e98aa8d4fddb667ff7a2ee114 Mon Sep 17 00:00:00 2001 +From: Tony Battersby +Date: Thu, 12 Jul 2018 16:30:45 -0400 +Subject: scsi: sg: fix minor memory leak in error path + +From: Tony Battersby + +commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream. + +Fix a minor memory leak when there is an error opening a /dev/sg device. + +Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling") +Cc: +Reviewed-by: Ewan D. Milne +Signed-off-by: Tony Battersby +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -2195,6 +2195,7 @@ sg_add_sfp(Sg_device * sdp) + write_lock_irqsave(&sdp->sfd_lock, iflags); + if (atomic_read(&sdp->detaching)) { + write_unlock_irqrestore(&sdp->sfd_lock, iflags); ++ kfree(sfp); + return ERR_PTR(-ENODEV); + } + list_add_tail(&sfp->sfd_siblings, &sdp->sfds); diff --git a/queue-4.4/series b/queue-4.4/series index 9b9ca3925c1..866803fad0a 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -114,3 +114,11 @@ tcp-add-one-more-quick-ack-after-after-ecn-events.patch inet-frag-enforce-memory-limits-earlier.patch net-dsa-do-not-suspend-resume-closed-slave_dev.patch netlink-fix-spectre-v1-gadget-in-netlink_create.patch +squashfs-more-metadata-hardening.patch +squashfs-more-metadata-hardenings.patch +can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch +net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch +virtio_balloon-fix-another-race-between-migration-and-ballooning.patch +kvm-x86-vmx-fix-vpid-leak.patch +crypto-padlock-aes-fix-nano-workaround-data-corruption.patch +scsi-sg-fix-minor-memory-leak-in-error-path.patch diff --git a/queue-4.4/squashfs-more-metadata-hardening.patch b/queue-4.4/squashfs-more-metadata-hardening.patch new file mode 100644 index 00000000000..727b64bf970 --- /dev/null +++ b/queue-4.4/squashfs-more-metadata-hardening.patch @@ -0,0 +1,37 @@ +From d512584780d3e6a7cacb2f482834849453d444a1 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 30 Jul 2018 14:27:15 -0700 +Subject: squashfs: more metadata hardening + +From: Linus Torvalds + +commit d512584780d3e6a7cacb2f482834849453d444a1 upstream. + +Anatoly reports another squashfs fuzzing issue, where the decompression +parameters themselves are in a compressed block. + +This causes squashfs_read_data() to be called in order to read the +decompression options before the decompression stream having been set +up, making squashfs go sideways. + +Reported-by: Anatoly Trosinenko +Acked-by: Phillip Lougher +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/squashfs/block.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/squashfs/block.c ++++ b/fs/squashfs/block.c +@@ -166,6 +166,8 @@ int squashfs_read_data(struct super_bloc + } + + if (compressed) { ++ if (!msblk->stream) ++ goto read_failure; + length = squashfs_decompress(msblk, bh, b, offset, length, + output); + if (length < 0) diff --git a/queue-4.4/squashfs-more-metadata-hardenings.patch b/queue-4.4/squashfs-more-metadata-hardenings.patch new file mode 100644 index 00000000000..ce054e5bf51 --- /dev/null +++ b/queue-4.4/squashfs-more-metadata-hardenings.patch @@ -0,0 +1,93 @@ +From 71755ee5350b63fb1f283de8561cdb61b47f4d1d Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 2 Aug 2018 08:43:35 -0700 +Subject: squashfs: more metadata hardening +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream. + +The squashfs fragment reading code doesn't actually verify that the +fragment is inside the fragment table. The end result _is_ verified to +be inside the image when actually reading the fragment data, but before +that is done, we may end up taking a page fault because the fragment +table itself might not even exist. + +Another report from Anatoly and his endless squashfs image fuzzing. + +Reported-by: Анатолий Тросиненко +Acked-by:: Phillip Lougher , +Cc: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/squashfs/fragment.c | 13 +++++++++---- + fs/squashfs/squashfs_fs_sb.h | 1 + + fs/squashfs/super.c | 5 +++-- + 3 files changed, 13 insertions(+), 6 deletions(-) + +--- a/fs/squashfs/fragment.c ++++ b/fs/squashfs/fragment.c +@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_bl + u64 *fragment_block) + { + struct squashfs_sb_info *msblk = sb->s_fs_info; +- int block = SQUASHFS_FRAGMENT_INDEX(fragment); +- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment); +- u64 start_block = le64_to_cpu(msblk->fragment_index[block]); ++ int block, offset, size; + struct squashfs_fragment_entry fragment_entry; +- int size; ++ u64 start_block; ++ ++ if (fragment >= msblk->fragments) ++ return -EIO; ++ block = SQUASHFS_FRAGMENT_INDEX(fragment); ++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment); ++ ++ start_block = le64_to_cpu(msblk->fragment_index[block]); + + size = squashfs_read_metadata(sb, &fragment_entry, &start_block, + &offset, sizeof(fragment_entry)); +--- a/fs/squashfs/squashfs_fs_sb.h ++++ b/fs/squashfs/squashfs_fs_sb.h +@@ -75,6 +75,7 @@ struct squashfs_sb_info { + unsigned short block_log; + long long bytes_used; + unsigned int inodes; ++ unsigned int fragments; + int xattr_ids; + }; + #endif +--- a/fs/squashfs/super.c ++++ b/fs/squashfs/super.c +@@ -176,6 +176,7 @@ static int squashfs_fill_super(struct su + msblk->inode_table = le64_to_cpu(sblk->inode_table_start); + msblk->directory_table = le64_to_cpu(sblk->directory_table_start); + msblk->inodes = le32_to_cpu(sblk->inodes); ++ msblk->fragments = le32_to_cpu(sblk->fragments); + flags = le16_to_cpu(sblk->flags); + + TRACE("Found valid superblock on %s\n", bdevname(sb->s_bdev, b)); +@@ -186,7 +187,7 @@ static int squashfs_fill_super(struct su + TRACE("Filesystem size %lld bytes\n", msblk->bytes_used); + TRACE("Block size %d\n", msblk->block_size); + TRACE("Number of inodes %d\n", msblk->inodes); +- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments)); ++ TRACE("Number of fragments %d\n", msblk->fragments); + TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids)); + TRACE("sblk->inode_table_start %llx\n", msblk->inode_table); + TRACE("sblk->directory_table_start %llx\n", msblk->directory_table); +@@ -273,7 +274,7 @@ allocate_id_index_table: + sb->s_export_op = &squashfs_export_ops; + + handle_fragments: +- fragments = le32_to_cpu(sblk->fragments); ++ fragments = msblk->fragments; + if (fragments == 0) + goto check_directory_table; + diff --git a/queue-4.4/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch b/queue-4.4/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch new file mode 100644 index 00000000000..db0f734b758 --- /dev/null +++ b/queue-4.4/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch @@ -0,0 +1,64 @@ +From 89da619bc18d79bca5304724c11d4ba3b67ce2c6 Mon Sep 17 00:00:00 2001 +From: Jiang Biao +Date: Wed, 18 Jul 2018 10:29:28 +0800 +Subject: virtio_balloon: fix another race between migration and ballooning + +From: Jiang Biao + +commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream. + +Kernel panic when with high memory pressure, calltrace looks like, + +PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java" + #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb + #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942 + #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30 + #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8 + #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46 + #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc + #6 [ffff881ec7ed7838] __node_set at ffffffff81680300 + #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f + #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5 + #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8 + [exception RIP: _raw_spin_lock_irqsave+47] + RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046 + RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8 + RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008 + RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098 + R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + +It happens in the pagefault and results in double pagefault +during compacting pages when memory allocation fails. + +Analysed the vmcore, the page leads to second pagefault is corrupted +with _mapcount=-256, but private=0. + +It's caused by the race between migration and ballooning, and lock +missing in virtballoon_migratepage() of virtio_balloon driver. +This patch fix the bug. + +Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages") +Cc: stable@vger.kernel.org +Signed-off-by: Jiang Biao +Signed-off-by: Huang Chong +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_balloon.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -479,7 +479,9 @@ static int virtballoon_migratepage(struc + tell_host(vb, vb->inflate_vq); + + /* balloon's page migration 2nd step -- deflate "page" */ ++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags); + balloon_page_delete(page); ++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags); + vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE; + set_page_pfns(vb, vb->pfns, page); + tell_host(vb, vb->deflate_vq);