From c78bb81ae52c2a5b77f6526a66e62215636749b2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 1 Aug 2020 15:14:57 +0200
Subject: [PATCH] 4.14-stable patches
added patches:
arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch
arm-percpu.h-fix-build-error.patch
random32-update-the-net-random-state-on-interrupt-and-activity.patch
---
 ...rflow-handler-on-uaccess-watchpoints.patch | 81 +++++++++++++
 queue-4.14/arm-percpu.h-fix-build-error.patch | 46 ++++++++
 ...ndom-state-on-interrupt-and-activity.patch | 109 ++++++++++++++++++
 queue-4.14/series | 3 +
 4 files changed, 239 insertions(+)
 create mode 100644 queue-4.14/arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch
 create mode 100644 queue-4.14/arm-percpu.h-fix-build-error.patch
 create mode 100644 queue-4.14/random32-update-the-net-random-state-on-interrupt-and-activity.patch
diff --git a/queue-4.14/arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch b/queue-4.14/arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch
new file mode 100644
index 00000000000..932d4c80423
--- /dev/null
+++ b/queue-4.14/arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch
@@ -0,0 +1,81 @@
+From eec13b42d41b0f3339dcf0c4da43734427c68620 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Thu, 18 Jun 2020 11:16:45 +0100
+Subject: ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints
+
+From: Will Deacon
+
+commit eec13b42d41b0f3339dcf0c4da43734427c68620 upstream.
+
+Unprivileged memory accesses generated by the so-called "translated"
+instructions (e.g. LDRT) in kernel mode can cause user watchpoints to fire
+unexpectedly. In such cases, the hw_breakpoint logic will invoke the user
+overflow handler which will typically raise a SIGTRAP back to the current
+task. This is futile when returning back to the kernel because (a) the
+signal won't have been delivered and (b) userspace can't handle the thing
+anyway.
+
+Avoid invoking the user overflow handler for watchpoints triggered by
+kernel uaccess routines, and instead single-step over the faulting
+instruction as we would if no overflow handler had been installed.
+
+Cc:
+Fixes: f81ef4a920c8 ("ARM: 6356/1: hw-breakpoint: add ARM backend for the hw-breakpoint framework")
+Reported-by: Luis Machado
+Tested-by: Luis Machado
+Signed-off-by: Will Deacon
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/hw_breakpoint.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -688,6 +688,12 @@ static void disable_single_step(struct p
+ arch_install_hw_breakpoint(bp);
+ }
+
++static int watchpoint_fault_on_uaccess(struct pt_regs *regs,
++ struct arch_hw_breakpoint *info)
++{
++ return !user_mode(regs) && info->ctrl.privilege == ARM_BREAKPOINT_USER;
++}
++
+ static void watchpoint_handler(unsigned long addr, unsigned int fsr,
+ struct pt_regs *regs)
+ {
+@@ -747,16 +753,27 @@ static void watchpoint_handler(unsigned
+ }
+
+ pr_debug("watchpoint fired: address = 0x%x\n", info->trigger);
++
++ /*
++ * If we triggered a user watchpoint from a uaccess routine,
++ * then handle the stepping ourselves since userspace really
++ * can't help us with this.
++ */
++ if (watchpoint_fault_on_uaccess(regs, info))
++ goto step;
++
+ perf_bp_event(wp, regs);
+
+ /*
+- * If no overflow handler is present, insert a temporary
+- * mismatch breakpoint so we can single-step over the
+- * watchpoint trigger.
++ * Defer stepping to the overflow handler if one is installed.
++ * Otherwise, insert a temporary mismatch breakpoint so that
++ * we can single-step over the watchpoint trigger.
+ */
+- if (is_default_overflow_handler(wp))
+- enable_single_step(wp, instruction_pointer(regs));
++ if (!is_default_overflow_handler(wp))
++ goto unlock;
+
++step:
++ enable_single_step(wp, instruction_pointer(regs));
+ unlock:
+ rcu_read_unlock();
+ }
diff --git a/queue-4.14/arm-percpu.h-fix-build-error.patch b/queue-4.14/arm-percpu.h-fix-build-error.patch
new file mode 100644
index 00000000000..588ad9ec5b4
--- /dev/null
+++ b/queue-4.14/arm-percpu.h-fix-build-error.patch
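Review bot: The new `goto step` branch in watchpoint_handler() skips `perf_bp_event(wp, regs)` entirely, so a user watchpoint hit by a kernel uaccess routine is stepped over without being reported anywhere, and the added comment does not say so. A debugger watching a buffer that the kernel fills on the task's behalf would presumably never see that access; if that is intended, the comment should state it, e.g. `* The hit is not reported to perf/ptrace; it is only stepped over.` It is also worth confirming that enable_single_step(), whose body is outside both hunks, arms the mismatch breakpoint correctly when `instruction_pointer(regs)` is a kernel address. As a style point, `watchpoint_fault_on_uaccess()` is a pure predicate and would read better returning `bool`.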
@@ -0,0 +1,46 @@
+From aa54ea903abb02303bf55855fb51e3fcee135d70 Mon Sep 17 00:00:00 2001
+From: Grygorii Strashko
+Date: Thu, 30 Jul 2020 22:05:01 +0300
+Subject: ARM: percpu.h: fix build error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Grygorii Strashko
+
+commit aa54ea903abb02303bf55855fb51e3fcee135d70 upstream.
+
+Fix build error for the case:
+ defined(CONFIG_SMP) && !defined(CONFIG_CPU_V6)
+
+config: keystone_defconfig
+
+ CC arch/arm/kernel/signal.o
+ In file included from ../include/linux/random.h:14,
+ from ../arch/arm/kernel/signal.c:8:
+ ../arch/arm/include/asm/percpu.h: In function ‘__my_cpu_offset’:
+ ../arch/arm/include/asm/percpu.h:29:34: error: ‘current_stack_pointer’ undeclared (first use in this function); did you mean ‘user_stack_pointer’?
+ : "Q" (*(const unsigned long *)current_stack_pointer));
+ ^~~~~~~~~~~~~~~~~~~~~
+ user_stack_pointer
+
+Fixes: f227e3ec3b5c ("random32: update the net random state on interrupt and activity")
+Signed-off-by: Grygorii Strashko
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/include/asm/percpu.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/include/asm/percpu.h
++++ b/arch/arm/include/asm/percpu.h
+@@ -16,6 +16,8 @@
+ #ifndef _ASM_ARM_PERCPU_H_
+ #define _ASM_ARM_PERCPU_H_
+
++#include
++
+ /*
+ * Same as asm-generic/percpu.h, except that we store the per cpu offset
+ * in the TPIDRPRW. TPIDRPRW only exists on V6K and V7
diff --git a/queue-4.14/random32-update-the-net-random-state-on-interrupt-and-activity.patch b/queue-4.14/random32-update-the-net-random-state-on-interrupt-and-activity.patch
new file mode 100644
index 00000000000..be0b9059e4b
--- /dev/null
+++ b/queue-4.14/random32-update-the-net-random-state-on-interrupt-and-activity.patch
@@ -0,0 +1,109 @@
+From f227e3ec3b5cad859ad15666874405e8c1bbc1d4 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Fri, 10 Jul 2020 15:23:19 +0200
+Subject: random32: update the net random state on interrupt and activity
+
+From: Willy Tarreau
+
+commit f227e3ec3b5cad859ad15666874405e8c1bbc1d4 upstream.
+
+This modifies the first 32 bits out of the 128 bits of a random CPU's
+net_rand_state on interrupt or CPU activity to complicate remote
+observations that could lead to guessing the network RNG's internal
+state.
+
+Note that depending on some network devices' interrupt rate moderation
+or binding, this re-seeding might happen on every packet or even almost
+never.
+
+In addition, with NOHZ some CPUs might not even get timer interrupts,
+leaving their local state rarely updated, while they are running
+networked processes making use of the random state. For this reason, we
+also perform this update in update_process_times() in order to at least
+update the state when there is user or system activity, since it's the
+only case we care about.
+
+Reported-by: Amit Klein
+Suggested-by: Linus Torvalds
+Cc: Eric Dumazet
+Cc: "Jason A. Donenfeld"
+Cc: Andy Lutomirski
+Cc: Kees Cook
+Cc: Thomas Gleixner
+Cc: Peter Zijlstra
+Cc:
+Signed-off-by: Willy Tarreau
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/random.c | 1 +
+ include/linux/random.h | 3 +++
+ kernel/time/timer.c | 8 ++++++++
+ lib/random32.c | 2 +-
+ 4 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1246,6 +1246,7 @@ void add_interrupt_randomness(int irq, i
+
+ fast_mix(fast_pool);
+ add_interrupt_bench(cycles);
++ this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]);
+
+ if (unlikely(crng_init == 0)) {
+ if ((fast_pool->count >= 64) &&
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -9,6 +9,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+
+@@ -116,6 +117,8 @@ struct rnd_state {
+ __u32 s1, s2, s3, s4;
+ };
+
++DECLARE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
++
+ u32 prandom_u32_state(struct rnd_state *state);
+ void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
+ void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state);
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -44,6 +44,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -1595,6 +1596,13 @@ void update_process_times(int user_tick)
+ scheduler_tick();
+ if (IS_ENABLED(CONFIG_POSIX_TIMERS))
+ run_posix_cpu_timers(p);
++
++ /* The current CPU might make use of net randoms without receiving IRQs
++ * to renew them often enough. Let's update the net_rand_state from a
++ * non-constant value that's not affine to the number of calls to make
++ * sure it's updated when there's some activity (we don't care in idle).
++ */
++ this_cpu_add(net_rand_state.s1, rol32(jiffies, 24) + user_tick);
+ }
+
+ /**
+--- a/lib/random32.c
++++ b/lib/random32.c
+@@ -48,7 +48,7 @@ static inline void prandom_state_selftes
+ }
+ #endif
+
+-static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
++DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
+
+ /**
+ * prandom_u32_state - seeded pseudo-random number generator.
diff --git a/queue-4.14/series b/queue-4.14/series
index eb4405008bd..7ad8ec31d29 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -8,3 +8,6 @@ ath9k-release-allocated-buffer-if-timed-out.patch
 x86-kvm-be-careful-not-to-clear-kvm_vcpu_flush_tlb-b.patch
 pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
 wireless-use-offsetof-instead-of-custom-macro.patch
+arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handler-on-uaccess-watchpoints.patch
+random32-update-the-net-random-state-on-interrupt-and-activity.patch
+arm-percpu.h-fix-build-error.patch
-- 
2.47.3
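Review bot: In add_interrupt_randomness(), `this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]);` adds a raw word of the interrupt fast pool to the state of the non-cryptographic network PRNG, with no comment on why exposing that word is acceptable. If the PRNG state can be guessed from its outputs, which is the concern the commit message describes, the added word could presumably be inferred too, so hashing it first or documenting why the exposure is harmless would help. Only `s1` is perturbed, and nothing visible keeps it out of any seed range the generator may require; that is worth confirming against prandom_u32_state(), whose body is not in this patch. The `rol32(jiffies, 24) + user_tick` input in update_process_times() is guessable by an observer, so its comment should say it only perturbs the state and adds no secrecy. A suitable comment at the first site would be `/* prandom stays non-cryptographic; this only makes its state harder to track remotely */`.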