From: Greg Kroah-Hartman
Date: Tue, 20 Sep 2016 12:11:15 +0000 (+0200)
Subject: 4.7-stable patches
X-Git-Tag: v4.4.22~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eadd1ff71ddc867c0403ab71e1f53680bc92604c;p=thirdparty%2Fkernel%2Fstable-queue.git
4.7-stable patches
added patches:
drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch
fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch
mips-kvm-check-for-pfn-noslot-case.patch
---
diff --git a/queue-4.7/drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch b/queue-4.7/drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch
new file mode 100644
index 00000000000..eca9baff15a
--- /dev/null
+++ b/queue-4.7/drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch
@@ -0,0 +1,81 @@
+From d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 Mon Sep 17 00:00:00 2001
+From: Rob Clark
+Date: Mon, 22 Aug 2016 15:28:38 -0400
+Subject: drm/msm: protect against faults from copy_from_user() in submit ioctl
+
+From: Rob Clark
+
+commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.
+
+An evil userspace could try to cause deadlock by passing an unfaulted-in
+GEM bo as submit->bos (or submit->cmds) table. Which will trigger
+msm_gem_fault() while we already hold struct_mutex. See:
+
+https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c
+
+Signed-off-by: Rob Clark
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/gpu/drm/msm/msm_drv.h | 6 ++++++
+ drivers/gpu/drm/msm/msm_gem.c | 9 +++++++++
+ drivers/gpu/drm/msm/msm_gem_submit.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -148,6 +148,12 @@ struct msm_drm_private {
+ } vram;
+
+ struct msm_vblank_ctrl vblank_ctrl;
++
++ /* task holding struct_mutex.. currently only used in submit path
++ * to detect and reject faults from copy_from_user() for submit
++ * ioctl.
++ */
++ struct task_struct *struct_mutex_task;
+ };
+
+ struct msm_format {
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct
+ {
+ struct drm_gem_object *obj = vma->vm_private_data;
+ struct drm_device *dev = obj->dev;
++ struct msm_drm_private *priv = dev->dev_private;
+ struct page **pages;
+ unsigned long pfn;
+ pgoff_t pgoff;
+ int ret;
+
++ /* This should only happen if userspace tries to pass a mmap'd
++ * but unfaulted gem bo vaddr into submit ioctl, triggering
++ * a page fault while struct_mutex is already held. This is
++ * not a valid use-case so just bail.
++ */
++ if (priv->struct_mutex_task == current)
++ return VM_FAULT_SIGBUS;
++
+ /* Make sure we don't parallel update on a fault, nor move or remove
+ * something from beneath our feet
+ */
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -394,6 +394,7 @@ int msm_ioctl_gem_submit(struct drm_devi
+ return -ENOMEM;
+
+ mutex_lock(&dev->struct_mutex);
++ priv->struct_mutex_task = current;
+
+ ret = submit_lookup_objects(submit, args, file);
+ if (ret)
+@@ -479,6 +480,7 @@ out:
+ submit_cleanup(submit);
+ if (ret)
+ msm_gem_submit_free(submit);
++ priv->struct_mutex_task = NULL;
+ mutex_unlock(&dev->struct_mutex);
+ return ret;
+ }
diff --git a/queue-4.7/fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch b/queue-4.7/fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch
new file mode 100644
index 00000000000..50f3836e9d5
--- /dev/null
+++ b/queue-4.7/fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch
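Review bot: `priv->struct_mutex_task` is written under struct_mutex in msm_ioctl_gem_submit but read in msm_gem_fault with no lock held, so the new field is a lockless cross-task access that the patch leaves unannotated; `WRITE_ONCE(priv->struct_mutex_task, current);` / `WRITE_ONCE(priv->struct_mutex_task, NULL);` in the submit path and `if (READ_ONCE(priv->struct_mutex_task) == current)` in the fault handler would document the intent and keep the compiler from tearing or caching the pointer. The comparison is only decisive for the task that currently owns the mutex, so this is a robustness and style point rather than a functional one. The body of msm_ioctl_gem_submit lies outside the hunk; it is worth confirming that every path between the `mutex_lock()` and the `out:` label actually reaches `out:`, because a path that unlocks elsewhere would leave the field pointing at a task that no longer holds the mutex, and that task's next ordinary fault on a GEM mapping would then be rejected with SIGBUS.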
@@ -0,0 +1,42 @@
+From ba63f23d69a3a10e7e527a02702023da68ef8a6d Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 8 Sep 2016 14:20:38 -0700
+Subject: fscrypto: require write access to mount to set encryption policy
+
+From: Eric Biggers
+
+commit ba63f23d69a3a10e7e527a02702023da68ef8a6d upstream.
+
+Since setting an encryption policy requires writing metadata to the
+filesystem, it should be guarded by mnt_want_write/mnt_drop_write.
+Otherwise, a user could cause a write to a frozen or readonly
+filesystem. This was handled correctly by f2fs but not by ext4. Make
+fscrypt_process_policy() handle it rather than relying on the filesystem
+to get it right.
+
+Signed-off-by: Eric Biggers
+Cc: stable@vger.kernel.org # 4.1+; check fs/{ext4,f2fs}
+Signed-off-by: Theodore Ts'o
+Acked-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -782,7 +782,13 @@ resizefs_out:
+ goto encryption_policy_out;
+ }
+
++ err = mnt_want_write_file(filp);
++ if (err)
++ goto encryption_policy_out;
++
+ err = ext4_process_policy(&policy, inode);
++
++ mnt_drop_write_file(filp);
+ encryption_policy_out:
+ return err;
+ #else
diff --git a/queue-4.7/mips-kvm-check-for-pfn-noslot-case.patch b/queue-4.7/mips-kvm-check-for-pfn-noslot-case.patch
new file mode 100644
index 00000000000..ba8891388d6
--- /dev/null
+++ b/queue-4.7/mips-kvm-check-for-pfn-noslot-case.patch
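Review bot: The description says the guard is moved into fscrypt_process_policy() so that filesystems no longer have to get it right, but the diffstat and the only hunk touch `fs/ext4/ioctl.c` alone, wrapping the `ext4_process_policy()` call in `mnt_want_write_file()`/`mnt_drop_write_file()`; the backported text and the backported code therefore disagree. A bracketed backport note above the stable Signed-off-by, in the `[...: Backport to v4.7.y]` form the MIPS patch in this same queue uses, stating that only the ext4 ioctl caller is changed here would stop a reader from looking for a fscrypt_process_policy() change that is not in the patch. The code itself reads correctly: a failing `mnt_want_write_file()` jumps to `encryption_policy_out` with `err` set, and the `err` from `ext4_process_policy()` is preserved across the drop.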
@@ -0,0 +1,53 @@
+From ba913e4f72fc9cfd03dad968dfb110eb49211d80 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Fri, 19 Aug 2016 14:30:29 +0100
+Subject: MIPS: KVM: Check for pfn noslot case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan
+
+commit ba913e4f72fc9cfd03dad968dfb110eb49211d80 upstream.
+
+When mapping a page into the guest we error check using is_error_pfn(),
+however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an
+error HVA for the page. This can only happen on MIPS right now due to
+unusual memslot management (e.g. being moved / removed / resized), or
+with an Enhanced Virtual Memory (EVA) configuration where the default
+KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed
+in a later patch). This case will be treated as a pfn of zero, mapping
+the first page of physical memory into the guest.
+
+It would appear the MIPS KVM port wasn't updated prior to being merged
+(in v3.10) to take commit 81c52c56e2b4 ("KVM: do not treat noslot pfn as
+a error pfn") into account (merged v3.8), which converted a bunch of
+is_error_pfn() calls to is_error_noslot_pfn(). Switch to using
+is_error_noslot_pfn() instead to catch this case properly.
+
+Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
+Signed-off-by: James Hogan
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+[james.hogan@imgtec.com: Backport to v4.7.y]
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/kvm/tlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/tlb.c
++++ b/arch/mips/kvm/tlb.c
+@@ -159,7 +159,7 @@ static int kvm_mips_map_page(struct kvm
+ srcu_idx = srcu_read_lock(&kvm->srcu);
+ pfn = kvm_mips_gfn_to_pfn(kvm, gfn);
+
+- if (kvm_mips_is_error_pfn(pfn)) {
++ if (is_error_noslot_pfn(pfn)) {
+ kvm_err("Couldn't get pfn for gfn %#" PRIx64 "!\n", gfn);
+ err = -EFAULT;
+ goto out;
diff --git a/queue-4.7/series b/queue-4.7/series
index b5988a897b2..dd097a9fe9e 100644
--- a/queue-4.7/series
+++ b/queue-4.7/series
@@ -1 +1,4 @@
 clocksource-drivers-sun4i-clear-interrupts-after-stopping-timer-in-probe-function.patch
+mips-kvm-check-for-pfn-noslot-case.patch
+fscrypto-require-write-access-to-mount-to-set-encryption-policy.patch
+drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch
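Review bot: Replacing `kvm_mips_is_error_pfn(pfn)` with `is_error_noslot_pfn(pfn)` in kvm_mips_map_page leaves the arch-specific helper in place; if this was its last caller, its definition (outside this hunk) should be removed in the same backport so the check that is known to miss KVM_PFN_NOSLOT is not picked up again by later code. kvm_mips_map_page starts and ends outside the hunk, and the rejection path now fires for the noslot case as well, so it is worth confirming that `goto out` is paired with an `srcu_read_unlock()` for the `srcu_idx` taken two lines above; nothing in the hunk shows it.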