From: Greg Kroah-Hartman Date: Tue, 28 Jan 2020 08:52:15 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.212~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efb62c24efd3066fb828bf32471cd9b3b3022f8e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm64-kpti-whitelist-cortex-a-cpus-that-don-t-implement-the-csv3-field.patch bcache-silence-static-checker-warning.patch coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch documentation-document-arm64-kpti-control.patch libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch --- diff --git a/queue-4.9/arm64-kpti-whitelist-cortex-a-cpus-that-don-t-implement-the-csv3-field.patch b/queue-4.9/arm64-kpti-whitelist-cortex-a-cpus-that-don-t-implement-the-csv3-field.patch new file mode 100644 index 00000000000..170e86bb4f5 --- /dev/null +++ b/queue-4.9/arm64-kpti-whitelist-cortex-a-cpus-that-don-t-implement-the-csv3-field.patch @@ -0,0 +1,39 @@ +From 2a355ec25729053bb9a1a89b6c1d1cdd6c3b3fb1 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 13 Dec 2018 13:47:38 +0000 +Subject: arm64: kpti: Whitelist Cortex-A CPUs that don't implement the CSV3 field + +From: Will Deacon + +commit 2a355ec25729053bb9a1a89b6c1d1cdd6c3b3fb1 upstream. + +While the CSV3 field of the ID_AA64_PFR0 CPU ID register can be checked +to see if a CPU is susceptible to Meltdown and therefore requires kpti +to be enabled, existing CPUs do not implement this field. + +We therefore whitelist all unaffected Cortex-A CPUs that do not implement +the CSV3 field. + +Signed-off-by: Will Deacon +[florian: adjust whilelist location and table to stable-4.9.y] +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/cpufeature.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -789,6 +789,11 @@ static bool unmap_kernel_at_el0(const st + switch (read_cpuid_id() & MIDR_CPU_MODEL_MASK) { + case MIDR_CAVIUM_THUNDERX2: + case MIDR_BRCM_VULCAN: ++ case MIDR_CORTEX_A53: ++ case MIDR_CORTEX_A55: ++ case MIDR_CORTEX_A57: ++ case MIDR_CORTEX_A72: ++ case MIDR_CORTEX_A73: + return false; + } + diff --git a/queue-4.9/bcache-silence-static-checker-warning.patch b/queue-4.9/bcache-silence-static-checker-warning.patch new file mode 100644 index 00000000000..55aeed19d81 --- /dev/null +++ b/queue-4.9/bcache-silence-static-checker-warning.patch @@ -0,0 +1,36 @@ +From da22f0eea555baf9b0a84b52afe56db2052cfe8d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 6 Sep 2017 14:26:00 +0800 +Subject: bcache: silence static checker warning + +From: Dan Carpenter + +commit da22f0eea555baf9b0a84b52afe56db2052cfe8d upstream. + +In olden times, closure_return() used to have a hidden return built in. +We removed the hidden return but forgot to add a new return here. If +"c" were NULL we would oops on the next line, but fortunately "c" is +never NULL. Let's just remove the if statement. + +Signed-off-by: Dan Carpenter +Reviewed-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/super.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1398,9 +1398,6 @@ static void cache_set_flush(struct closu + struct btree *b; + unsigned i; + +- if (!c) +- closure_return(cl); +- + bch_cache_accounting_destroy(&c->accounting); + + kobject_put(&c->internal); diff --git a/queue-4.9/coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch b/queue-4.9/coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch new file mode 100644 index 00000000000..7b29e82ea30 --- /dev/null +++ b/queue-4.9/coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch @@ -0,0 +1,45 @@ +From 730766bae3280a25d40ea76a53dc6342e84e6513 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Thu, 20 Jun 2019 16:12:36 -0600 +Subject: coresight: etb10: Do not call smp_processor_id from preemptible + +From: Suzuki K Poulose + +commit 730766bae3280a25d40ea76a53dc6342e84e6513 upstream. + +During a perf session we try to allocate buffers on the "node" associated +with the CPU the event is bound to. If it is not bound to a CPU, we +use the current CPU node, using smp_processor_id(). However this is unsafe +in a pre-emptible context and could generate the splats as below : + + BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 + +Use NUMA_NO_NODE hint instead of using the current node for events +not bound to CPUs. + +Fixes: 2997aa4063d97fdb39 ("coresight: etb10: implementing AUX API") +Cc: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Cc: stable # 4.6+ +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/hwtracing/coresight/coresight-etb10.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etb10.c ++++ b/drivers/hwtracing/coresight/coresight-etb10.c +@@ -279,9 +279,7 @@ static void *etb_alloc_buffer(struct cor + int node; + struct cs_buffers *buf; + +- if (cpu == -1) +- cpu = smp_processor_id(); +- node = cpu_to_node(cpu); ++ node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu); + + buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); + if (!buf) diff --git a/queue-4.9/coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch b/queue-4.9/coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch new file mode 100644 index 00000000000..e0c11ca0d5b --- /dev/null +++ b/queue-4.9/coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch @@ -0,0 +1,63 @@ +From 024c1fd9dbcc1d8a847f1311f999d35783921b7f Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Thu, 20 Jun 2019 16:12:35 -0600 +Subject: coresight: tmc-etf: Do not call smp_processor_id from preemptible + +From: Suzuki K Poulose + +commit 024c1fd9dbcc1d8a847f1311f999d35783921b7f upstream. + +During a perf session we try to allocate buffers on the "node" associated +with the CPU the event is bound to. If it is not bound to a CPU, we +use the current CPU node, using smp_processor_id(). However this is unsafe +in a pre-emptible context and could generate the splats as below : + + BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 + caller is tmc_alloc_etf_buffer+0x5c/0x60 + CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344 + Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 + Call trace: + dump_backtrace+0x0/0x150 + show_stack+0x14/0x20 + dump_stack+0x9c/0xc4 + debug_smp_processor_id+0x10c/0x110 + tmc_alloc_etf_buffer+0x5c/0x60 + etm_setup_aux+0x1c4/0x230 + rb_alloc_aux+0x1b8/0x2b8 + perf_mmap+0x35c/0x478 + mmap_region+0x34c/0x4f0 + do_mmap+0x2d8/0x418 + vm_mmap_pgoff+0xd0/0xf8 + ksys_mmap_pgoff+0x88/0xf8 + __arm64_sys_mmap+0x28/0x38 + el0_svc_handler+0xd8/0x138 + el0_svc+0x8/0xc + +Use NUMA_NO_NODE hint instead of using the current node for events +not bound to CPUs. + +Fixes: 2e499bbc1a929ac ("coresight: tmc: implementing TMC-ETF AUX space API") +Cc: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Cc: stable # 4.7+ +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/coresight/coresight-tmc-etf.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c +@@ -292,9 +292,7 @@ static void *tmc_alloc_etf_buffer(struct + int node; + struct cs_buffers *buf; + +- if (cpu == -1) +- cpu = smp_processor_id(); +- node = cpu_to_node(cpu); ++ node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu); + + /* Allocate memory structure for interaction with Perf */ + buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); diff --git a/queue-4.9/documentation-document-arm64-kpti-control.patch b/queue-4.9/documentation-document-arm64-kpti-control.patch new file mode 100644 index 00000000000..daeb898e065 --- /dev/null +++ b/queue-4.9/documentation-document-arm64-kpti-control.patch @@ -0,0 +1,39 @@ +From de19055564c8f8f9d366f8db3395836da0b2176c Mon Sep 17 00:00:00 2001 +From: Jeremy Linton +Date: Fri, 25 Jan 2019 12:07:00 -0600 +Subject: Documentation: Document arm64 kpti control + +From: Jeremy Linton + +commit de19055564c8f8f9d366f8db3395836da0b2176c upstream. + +For a while Arm64 has been capable of force enabling +or disabling the kpti mitigations. Lets make sure the +documentation reflects that. + +Signed-off-by: Jeremy Linton +Reviewed-by: Andre Przywara +Signed-off-by: Jonathan Corbet +[florian: patch the correct file] +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/kernel-parameters.txt | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -1965,6 +1965,12 @@ bytes respectively. Such letter suffixes + kmemcheck=2 (one-shot mode) + Default: 2 (one-shot mode) + ++ kpti= [ARM64] Control page table isolation of user ++ and kernel address spaces. ++ Default: enabled on cores which need mitigation. ++ 0: force disabled ++ 1: force enabled ++ + kstack=N [X86] Print N words from the kernel stack + in oops dumps. + diff --git a/queue-4.9/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/queue-4.9/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch new file mode 100644 index 00000000000..857542c0989 --- /dev/null +++ b/queue-4.9/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch @@ -0,0 +1,68 @@ +From e5e884b42639c74b5b57dc277909915c0aefc8bb Mon Sep 17 00:00:00 2001 +From: Wen Huang +Date: Thu, 28 Nov 2019 18:51:04 +0800 +Subject: libertas: Fix two buffer overflows at parsing bss descriptor + +From: Wen Huang + +commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. + +add_ie_rates() copys rates without checking the length +in bss descriptor from remote AP.when victim connects to +remote attacker, this may trigger buffer overflow. +lbs_ibss_join_existing() copys rates without checking the length +in bss descriptor from remote IBSS node.when victim connects to +remote attacker, this may trigger buffer overflow. +Fix them by putting the length check before performing copy. + +This fix addresses CVE-2019-14896 and CVE-2019-14897. +This also fix build warning of mixed declarations and code. + +Reported-by: kbuild test robot +Signed-off-by: Wen Huang +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/libertas/cfg.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int + int hw, ap, ap_max = ie[1]; + u8 hw_rate; + ++ if (ap_max > MAX_RATES) { ++ lbs_deb_assoc("invalid rates\n"); ++ return tlv; ++ } + /* Advance past IE header */ + ie += 2; + +@@ -1662,6 +1666,9 @@ static int lbs_change_intf(struct wiphy + { + struct lbs_private *priv = wiphy_priv(wiphy); + int ret = 0; ++ int hw, i; ++ u8 rates_max; ++ u8 *rates; + + if (dev == priv->mesh_dev) + return -EOPNOTSUPP; +@@ -1849,9 +1856,12 @@ static int lbs_ibss_join_existing(struct + if (!rates_eid) { + lbs_add_rates(cmd.bss.rates); + } else { +- int hw, i; +- u8 rates_max = rates_eid[1]; +- u8 *rates = cmd.bss.rates; ++ rates_max = rates_eid[1]; ++ if (rates_max > MAX_RATES) { ++ lbs_deb_join("invalid rates"); ++ goto out; ++ } ++ rates = cmd.bss.rates; + for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { + u8 hw_rate = lbs_rates[hw].bitrate / 5; + for (i = 0; i < rates_max; i++) { diff --git a/queue-4.9/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch b/queue-4.9/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch new file mode 100644 index 00000000000..296a0bc9554 --- /dev/null +++ b/queue-4.9/scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch @@ -0,0 +1,109 @@ +From bba340c79bfe3644829db5c852fdfa9e33837d6d Mon Sep 17 00:00:00 2001 +From: Bo Wu +Date: Wed, 20 Nov 2019 13:26:17 +0000 +Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func + +From: Bo Wu + +commit bba340c79bfe3644829db5c852fdfa9e33837d6d upstream. + +In iscsi_if_rx func, after receiving one request through +iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to +reply to the request in a do-while loop. If the iscsi_if_send_reply +function keeps returning -EAGAIN, a deadlock will occur. + +For example, a client only send msg without calling recvmsg func, then +it will result in the watchdog soft lockup. The details are given as +follows: + + sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI); + retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr); + while (1) { + state_msg = sendmsg(sock_fd, &msg, 0); + //Note: recvmsg(sock_fd, &msg, 0) is not processed here. + } + close(sock_fd); + +watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat: +curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0 +deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq: + TIMER: 992 + SCHED: 8 +Sample irqstat: + irq 2: delta 1003, curr: 3103802, arch_timer +CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 40400005 (nZcv daif +PAN -UAO) +pc : __alloc_skb+0x104/0x1b0 +lr : __alloc_skb+0x9c/0x1b0 +sp : ffff000033603a30 +x29: ffff000033603a30 x28: 00000000000002dd +x27: ffff800b34ced810 x26: ffff800ba7569f00 +x25: 00000000ffffffff x24: 0000000000000000 +x23: ffff800f7c43f600 x22: 0000000000480020 +x21: ffff0000091d9000 x20: ffff800b34eff200 +x19: ffff800ba7569f00 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 +x15: 0000000000000000 x14: 0001000101000100 +x13: 0000000101010000 x12: 0101000001010100 +x11: 0001010101010001 x10: 00000000000002dd +x9 : ffff000033603d58 x8 : ffff800b34eff400 +x7 : ffff800ba7569200 x6 : ffff800b34eff400 +x5 : 0000000000000000 x4 : 00000000ffffffff +x3 : 0000000000000000 x2 : 0000000000000001 +x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace: +__alloc_skb+0x104/0x1b0 +iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi] +netlink_unicast+0x1e0/0x258 +netlink_sendmsg+0x310/0x378 +sock_sendmsg+0x4c/0x70 +sock_write_iter+0x90/0xf0 +__vfs_write+0x11c/0x190 +vfs_write+0xac/0x1c0 +ksys_write+0x6c/0xd8 +__arm64_sys_write+0x24/0x30 +el0_svc_common+0x78/0x130 +el0_svc_handler+0x38/0x78 +el0_svc+0x8/0xc + +Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com +Signed-off-by: Bo Wu +Reviewed-by: Zhiqiang Liu +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_transport_iscsi.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -37,6 +37,8 @@ + + #define ISCSI_TRANSPORT_VERSION "2.0-870" + ++#define ISCSI_SEND_MAX_ALLOWED 10 ++ + static int dbg_session; + module_param_named(debug_session, dbg_session, int, + S_IRUGO | S_IWUSR); +@@ -3694,6 +3696,7 @@ iscsi_if_rx(struct sk_buff *skb) + struct nlmsghdr *nlh; + struct iscsi_uevent *ev; + uint32_t group; ++ int retries = ISCSI_SEND_MAX_ALLOWED; + + nlh = nlmsg_hdr(skb); + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) || +@@ -3724,6 +3727,10 @@ iscsi_if_rx(struct sk_buff *skb) + break; + err = iscsi_if_send_reply(group, nlh->nlmsg_seq, + nlh->nlmsg_type, 0, 0, ev, sizeof(*ev)); ++ if (err == -EAGAIN && --retries < 0) { ++ printk(KERN_WARNING "Send reply failed, error %d\n", err); ++ break; ++ } + } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH); + skb_pull(skb, rlen); + } diff --git a/queue-4.9/series b/queue-4.9/series index 987842c8c89..b7d6201190b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -237,7 +237,6 @@ net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch net-ip6_tunnel-fix-namespaces-move.patch net-ip_tunnel-fix-namespaces-move.patch net_sched-fix-datalen-for-ematch.patch -net-sysfs-fix-reference-count-leak.patch tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch net-usb-lan78xx-add-.ndo_features_check.patch gtp-make-sure-only-sock_dgram-udp-sockets-are-accepted.patch @@ -259,3 +258,10 @@ hwmon-nct7802-fix-voltage-limits-to-wrong-registers.patch scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch tracing-xen-ordered-comparison-of-function-pointers.patch do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch +documentation-document-arm64-kpti-control.patch +arm64-kpti-whitelist-cortex-a-cpus-that-don-t-implement-the-csv3-field.patch +coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch +coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch +libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch +bcache-silence-static-checker-warning.patch +scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch