From cda74bcdaa88fecdf36b38478efa1f83d214e005 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 11 Jun 2020 21:39:57 -0400 Subject: [PATCH] Fixes for 4.14 Signed-off-by: Sasha Levin --- ...c-silence-undersized-packet-warnings.patch | 49 ++++++ ...nsitive-for-freeing-sensitive-data-o.patch | 161 ++++++++++++++++++ ...t-the-instance-number-of-kretprobe-e.patch | 70 ++++++++ ...ar-the-page-tables-for-the-esb-io-ma.patch | 74 ++++++++ queue-4.14/series | 4 + 5 files changed, 358 insertions(+) create mode 100644 queue-4.14/ath9k_htc-silence-undersized-packet-warnings.patch create mode 100644 queue-4.14/mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch create mode 100644 queue-4.14/perf-probe-accept-the-instance-number-of-kretprobe-e.patch create mode 100644 queue-4.14/powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch diff --git a/queue-4.14/ath9k_htc-silence-undersized-packet-warnings.patch b/queue-4.14/ath9k_htc-silence-undersized-packet-warnings.patch new file mode 100644 index 00000000000..314e8ca645a --- /dev/null +++ b/queue-4.14/ath9k_htc-silence-undersized-packet-warnings.patch @@ -0,0 +1,49 @@ +From 8550852f1015e51d7c6d35fc74239170201bc2ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 06:44:43 +0900 +Subject: ath9k_htc: Silence undersized packet warnings + +From: Masashi Honma + +[ Upstream commit 450edd2805982d14ed79733a82927d2857b27cac ] + +Some devices like TP-Link TL-WN722N produces this kind of messages +frequently. + +kernel: ath: phy0: Short RX data len, dropping (dlen: 4) + +This warning is useful for developers to recognize that the device +(Wi-Fi dongle or USB hub etc) is noisy but not for general users. So +this patch make this warning to debug message. + +Reported-By: Denis +Ref: https://bugzilla.kernel.org/show_bug.cgi?id=207539 +Fixes: cd486e627e67 ("ath9k_htc: Discard undersized packets") +Signed-off-by: Masashi Honma +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200504214443.4485-1-masashi.honma@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index 4748f557c753..11d06021b5e4 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -999,9 +999,9 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + * which are not PHY_ERROR (short radar pulses have a length of 3) + */ + if (unlikely(!rs_datalen || (rs_datalen < 10 && !is_phyerr))) { +- ath_warn(common, +- "Short RX data len, dropping (dlen: %d)\n", +- rs_datalen); ++ ath_dbg(common, ANY, ++ "Short RX data len, dropping (dlen: %d)\n", ++ rs_datalen); + goto rx_next; + } + +-- +2.25.1 + diff --git a/queue-4.14/mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch b/queue-4.14/mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch new file mode 100644 index 00000000000..4f381700818 --- /dev/null +++ b/queue-4.14/mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch @@ -0,0 +1,161 @@ +From 002105f4d71ff66e6660a7a6cbc147f3857bbdf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:48:21 -0700 +Subject: mm: add kvfree_sensitive() for freeing sensitive data objects + +From: Waiman Long + +[ Upstream commit d4eaa2837851db2bfed572898bfc17f9a9f9151e ] + +For kvmalloc'ed data object that contains sensitive information like +cryptographic keys, we need to make sure that the buffer is always cleared +before freeing it. Using memset() alone for buffer clearing may not +provide certainty as the compiler may compile it away. To be sure, the +special memzero_explicit() has to be used. + +This patch introduces a new kvfree_sensitive() for freeing those sensitive +data objects allocated by kvmalloc(). The relevant places where +kvfree_sensitive() can be used are modified to use it. + +Fixes: 4f0882491a14 ("KEYS: Avoid false positive ENOMEM error on key read") +Suggested-by: Linus Torvalds +Signed-off-by: Waiman Long +Signed-off-by: Andrew Morton +Reviewed-by: Eric Biggers +Acked-by: David Howells +Cc: Jarkko Sakkinen +Cc: James Morris +Cc: "Serge E. Hallyn" +Cc: Joe Perches +Cc: Matthew Wilcox +Cc: David Rientjes +Cc: Uladzislau Rezki +Link: http://lkml.kernel.org/r/20200407200318.11711-1-longman@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/mm.h | 1 + + mm/util.c | 18 ++++++++++++++++++ + security/keys/internal.h | 11 ----------- + security/keys/keyctl.c | 16 +++++----------- + 4 files changed, 24 insertions(+), 22 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 6f852d5fbada..156940758fc5 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -548,6 +548,7 @@ static inline void *kvmalloc_array(size_t n, size_t size, gfp_t flags) + } + + extern void kvfree(const void *addr); ++extern void kvfree_sensitive(const void *addr, size_t len); + + /* + * Mapcount of compound page as a whole, does not include mapped sub-pages. +diff --git a/mm/util.c b/mm/util.c +index 842ba5fb662e..f0d773c719a1 100644 +--- a/mm/util.c ++++ b/mm/util.c +@@ -417,6 +417,24 @@ void kvfree(const void *addr) + } + EXPORT_SYMBOL(kvfree); + ++/** ++ * kvfree_sensitive - Free a data object containing sensitive information. ++ * @addr: address of the data object to be freed. ++ * @len: length of the data object. ++ * ++ * Use the special memzero_explicit() function to clear the content of a ++ * kvmalloc'ed object containing sensitive data to make sure that the ++ * compiler won't optimize out the data clearing. ++ */ ++void kvfree_sensitive(const void *addr, size_t len) ++{ ++ if (likely(!ZERO_OR_NULL_PTR(addr))) { ++ memzero_explicit((void *)addr, len); ++ kvfree(addr); ++ } ++} ++EXPORT_SYMBOL(kvfree_sensitive); ++ + static inline void *__page_rmapping(struct page *page) + { + unsigned long mapping; +diff --git a/security/keys/internal.h b/security/keys/internal.h +index 124273e500cf..d479ca71137e 100644 +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -306,15 +306,4 @@ static inline void key_check(const struct key *key) + #define key_check(key) do {} while(0) + + #endif +- +-/* +- * Helper function to clear and free a kvmalloc'ed memory object. +- */ +-static inline void __kvzfree(const void *addr, size_t len) +-{ +- if (addr) { +- memset((void *)addr, 0, len); +- kvfree(addr); +- } +-} + #endif /* _INTERNAL_H */ +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index c07c2e2b2478..9394d72a77e8 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -133,10 +133,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type, + + key_ref_put(keyring_ref); + error3: +- if (payload) { +- memzero_explicit(payload, plen); +- kvfree(payload); +- } ++ kvfree_sensitive(payload, plen); + error2: + kfree(description); + error: +@@ -351,7 +348,7 @@ long keyctl_update_key(key_serial_t id, + + key_ref_put(key_ref); + error2: +- __kvzfree(payload, plen); ++ kvfree_sensitive(payload, plen); + error: + return ret; + } +@@ -859,7 +856,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + */ + if (ret > key_data_len) { + if (unlikely(key_data)) +- __kvzfree(key_data, key_data_len); ++ kvfree_sensitive(key_data, key_data_len); + key_data_len = ret; + continue; /* Allocate buffer */ + } +@@ -868,7 +865,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + ret = -EFAULT; + break; + } +- __kvzfree(key_data, key_data_len); ++ kvfree_sensitive(key_data, key_data_len); + + key_put_out: + key_put(key); +@@ -1170,10 +1167,7 @@ long keyctl_instantiate_key_common(key_serial_t id, + keyctl_change_reqkey_auth(NULL); + + error2: +- if (payload) { +- memzero_explicit(payload, plen); +- kvfree(payload); +- } ++ kvfree_sensitive(payload, plen); + error: + return ret; + } +-- +2.25.1 + diff --git a/queue-4.14/perf-probe-accept-the-instance-number-of-kretprobe-e.patch b/queue-4.14/perf-probe-accept-the-instance-number-of-kretprobe-e.patch new file mode 100644 index 00000000000..ff676f8b569 --- /dev/null +++ b/queue-4.14/perf-probe-accept-the-instance-number-of-kretprobe-e.patch @@ -0,0 +1,70 @@ +From 6d55d005ac84c5ed73c63f23cc41aa8484707123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 23:29:12 +0900 +Subject: perf probe: Accept the instance number of kretprobe event + +From: Masami Hiramatsu + +[ Upstream commit c6aab66a728b6518772c74bd9dff66e1a1c652fd ] + +Since the commit 6a13a0d7b4d1 ("ftrace/kprobe: Show the maxactive number +on kprobe_events") introduced to show the instance number of kretprobe +events, the length of the 1st format of the kprobe event will not 1, but +it can be longer. This caused a parser error in perf-probe. + +Skip the length check the 1st format of the kprobe event to accept this +instance number. + +Without this fix: + + # perf probe -a vfs_read%return + Added new event: + probe:vfs_read__return (on vfs_read%return) + + You can now use it in all perf tools, such as: + + perf record -e probe:vfs_read__return -aR sleep 1 + + # perf probe -l + Semantic error :Failed to parse event name: r16:probe/vfs_read__return + Error: Failed to show event list. + +And with this fixes: + + # perf probe -a vfs_read%return + ... + # perf probe -l + probe:vfs_read__return (on vfs_read%return) + +Fixes: 6a13a0d7b4d1 ("ftrace/kprobe: Show the maxactive number on kprobe_events") +Reported-by: Yuxuan Shui +Signed-off-by: Masami Hiramatsu +Tested-by: Yuxuan Shui +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: stable@vger.kernel.org +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207587 +Link: http://lore.kernel.org/lkml/158877535215.26469.1113127926699134067.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-event.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c +index 6670e12a2bb3..6062ae817ff7 100644 +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -1762,8 +1762,7 @@ int parse_probe_trace_command(const char *cmd, struct probe_trace_event *tev) + fmt1_str = strtok_r(argv0_str, ":", &fmt); + fmt2_str = strtok_r(NULL, "/", &fmt); + fmt3_str = strtok_r(NULL, " \t", &fmt); +- if (fmt1_str == NULL || strlen(fmt1_str) != 1 || fmt2_str == NULL +- || fmt3_str == NULL) { ++ if (fmt1_str == NULL || fmt2_str == NULL || fmt3_str == NULL) { + semantic_error("Failed to parse event name: %s\n", argv[0]); + ret = -EINVAL; + goto out; +-- +2.25.1 + diff --git a/queue-4.14/powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch b/queue-4.14/powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch new file mode 100644 index 00000000000..eb8f2e2f458 --- /dev/null +++ b/queue-4.14/powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch @@ -0,0 +1,74 @@ +From 81ed5232d51593559c9260d58970dfd09435dd81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 09:51:20 +0200 +Subject: powerpc/xive: Clear the page tables for the ESB IO mapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cédric Le Goater + +[ Upstream commit a101950fcb78b0ba20cd487be6627dea58d55c2b ] + +Commit 1ca3dec2b2df ("powerpc/xive: Prevent page fault issues in the +machine crash handler") fixed an issue in the FW assisted dump of +machines using hash MMU and the XIVE interrupt mode under the POWER +hypervisor. It forced the mapping of the ESB page of interrupts being +mapped in the Linux IRQ number space to make sure the 'crash kexec' +sequence worked during such an event. But it didn't handle the +un-mapping. + +This mapping is now blocking the removal of a passthrough IO adapter +under the POWER hypervisor because it expects the guest OS to have +cleared all page table entries related to the adapter. If some are +still present, the RTAS call which isolates the PCI slot returns error +9001 "valid outstanding translations". + +Remove these mapping in the IRQ data cleanup routine. + +Under KVM, this cleanup is not required because the ESB pages for the +adapter interrupts are un-mapped from the guest by the hypervisor in +the KVM XIVE native device. This is now redundant but it's harmless. + +Fixes: 1ca3dec2b2df ("powerpc/xive: Prevent page fault issues in the machine crash handler") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Cédric Le Goater +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200429075122.1216388-2-clg@kaod.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xive/common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/sysdev/xive/common.c b/arch/powerpc/sysdev/xive/common.c +index b7ae5a027714..f8181c8af32d 100644 +--- a/arch/powerpc/sysdev/xive/common.c ++++ b/arch/powerpc/sysdev/xive/common.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -932,12 +933,16 @@ EXPORT_SYMBOL_GPL(is_xive_irq); + void xive_cleanup_irq_data(struct xive_irq_data *xd) + { + if (xd->eoi_mmio) { ++ unmap_kernel_range((unsigned long)xd->eoi_mmio, ++ 1u << xd->esb_shift); + iounmap(xd->eoi_mmio); + if (xd->eoi_mmio == xd->trig_mmio) + xd->trig_mmio = NULL; + xd->eoi_mmio = NULL; + } + if (xd->trig_mmio) { ++ unmap_kernel_range((unsigned long)xd->trig_mmio, ++ 1u << xd->esb_shift); + iounmap(xd->trig_mmio); + xd->trig_mmio = NULL; + } +-- +2.25.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 80180bc9756..fe0e4fa738c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -11,3 +11,7 @@ arm-8977-1-ptrace-fix-mask-for-thumb-breakpoint-hook.patch sched-fair-don-t-numa-balance-for-kthreads.patch input-synaptics-add-a-second-working-pnp_id-for-leno.patch drivers-net-ibmvnic-update-vnic-protocol-version-rep.patch +powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch +ath9k_htc-silence-undersized-packet-warnings.patch +perf-probe-accept-the-instance-number-of-kretprobe-e.patch +mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch -- 2.47.2