From f813e060fb1fbd48330b0579e59938864554e3a6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 20 Aug 2017 12:04:29 -0700
Subject: [PATCH] 4.4-stable patches
added patches:
irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
x86-asm-64-clear-ac-on-nmi-entries.patch
xen-fix-bio-vec-merging.patch
---
 ...empt-at-fixing-race-creating-a-queue.patch | 18 ++--
 ...-of_node_put-in-aic_common_irq_fixup.patch | 32 +++++++
 ...refcount-in-aic_common_rtc_irq_fixup.patch | 40 +++++++++
 ...fter-free-when-calling-get_mempolicy.patch | 83 +++++++++++++++++++
 ...d-arm64-elf_et_dyn_base-base-changes.patch | 82 ++++++++++++++++++
 queue-4.4/series | 6 ++
 .../x86-asm-64-clear-ac-on-nmi-entries.patch | 41 +++++++++
 queue-4.4/xen-fix-bio-vec-merging.patch | 61 ++++++++++++++
 8 files changed, 356 insertions(+), 7 deletions(-)
 create mode 100644 queue-4.4/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
 create mode 100644 queue-4.4/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
 create mode 100644 queue-4.4/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
 create mode 100644 queue-4.4/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
 create mode 100644 queue-4.4/x86-asm-64-clear-ac-on-nmi-entries.patch
 create mode 100644 queue-4.4/xen-fix-bio-vec-merging.patch
diff --git a/queue-4.4/alsa-seq-2nd-attempt-at-fixing-race-creating-a-queue.patch b/queue-4.4/alsa-seq-2nd-attempt-at-fixing-race-creating-a-queue.patch
index c02ee2586ac..2b225e2e4c0 100644
--- a/queue-4.4/alsa-seq-2nd-attempt-at-fixing-race-creating-a-queue.patch
+++ b/queue-4.4/alsa-seq-2nd-attempt-at-fixing-race-creating-a-queue.patch
@@ -44,14 +44,14 @@ Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman --- - sound/core/seq/seq_clientmgr.c | 9 ++++----- + sound/core/seq/seq_clientmgr.c | 13 ++++--------- sound/core/seq/seq_queue.c | 14 +++++++++----- sound/core/seq/seq_queue.h | 2 +- - 3 files changed, 14 insertions(+), 11 deletions(-) + 3 files changed, 14 insertions(+), 15 deletions(-) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c -@@ -1530,15 +1530,14 @@ static int snd_seq_ioctl_create_queue(st +@@ -1530,19 +1530,14 @@ static int snd_seq_ioctl_create_queue(st void __user *arg) { struct snd_seq_queue_info info; @@ -64,13 +64,17 @@ Signed-off-by: Greg Kroah-Hartman - result = snd_seq_queue_alloc(client->number, info.locked, info.flags); - if (result < 0) - return result; -+ q = snd_seq_queue_alloc(client->number, info->locked, info->flags); +- +- q = queueptr(result); +- if (q == NULL) +- return -EINVAL; ++ q = snd_seq_queue_alloc(client->number, info.locked, info.flags); + if (IS_ERR(q)) + return PTR_ERR(q); - q = queueptr(result); - if (q == NULL) -@@ -1552,7 +1551,7 @@ static int snd_seq_ioctl_create_queue(st + info.queue = q->queue; + info.locked = q->locked; +@@ -1552,7 +1547,7 @@ static int snd_seq_ioctl_create_queue(st if (! info.name[0]) snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); strlcpy(q->name, info.name, sizeof(q->name)); diff --git a/queue-4.4/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch b/queue-4.4/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch new file mode 100644 index 00000000000..fab7fbf67d4 --- /dev/null +++ b/queue-4.4/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch 
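Review bot: With the `queueptr(result)` lookup removed, the `q` returned by `snd_seq_queue_alloc()` is used directly after the `IS_ERR(q)` check, so whatever reference that allocator hands back must now be dropped by snd_seq_ioctl_create_queue() itself on every exit; the rest of the function, including any `queuefree(q)`, is outside this hunk and is worth confirming against the 4.4 seq_queue.c changes the nested diffstat lists. The correction from `info->locked` to `info.locked`/`info.flags` is right for this tree, where `info` is the on-stack `struct snd_seq_queue_info` declared a few lines above in the first hunk. A short line in the nested description, such as `(4.4: info is a stack struct here, hence info.locked rather than info->locked)`, would record why the second version of this backport differs from the first.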
@@ -0,0 +1,32 @@
+From 469bcef53c546bb792aa66303933272991b7831d Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Tue, 4 Jul 2017 11:10:39 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()
+
+From: Boris Brezillon
+
+commit 469bcef53c546bb792aa66303933272991b7831d upstream.
+
+aic_common_irq_fixup() is calling twice of_node_put() on the same node
+thus leading to an unbalanced refcount on the root node.
+
+Signed-off-by: Boris Brezillon
+Reported-by: Alexandre Belloni
+Fixes: b2f579b58e93 ("irqchip: atmel-aic: Add irq fixup infrastructure")
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -202,7 +202,6 @@ void __init aic_common_irq_fixup(const s
+ return;
+
+ match = of_match_node(matches, root);
+- of_node_put(root);
+
+ if (match) {
+ void (*fixup)(struct device_node *) = match->data;
diff --git a/queue-4.4/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch b/queue-4.4/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
new file mode 100644
index 00000000000..b75a9c21243
--- /dev/null
+++ b/queue-4.4/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
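Review bot: Deleting this `of_node_put(root)` relies on the other put, the one that made the count unbalanced, still being reached after the `if (match)` block; that code is outside the hunk, so it is worth confirming in the 4.4 aic_common_irq_fixup() that the surviving put runs on both the `match` and `!match` paths, otherwise the underflow on one path simply becomes a leak on the other. A comment at the lookup, e.g. `/* root is released once, after the fixup callback has run */`, would make the ownership explicit for the next person tempted to re-add a put here.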
@@ -0,0 +1,40 @@
+From 277867ade8262583f4280cadbe90e0031a3706a7 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Tue, 4 Jul 2017 11:10:40 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()
+
+From: Boris Brezillon
+
+commit 277867ade8262583f4280cadbe90e0031a3706a7 upstream.
+
+of_find_compatible_node() is calling of_node_put() on its first argument
+thus leading to an unbalanced of_node_get/put() issue if the node has not
+been retained before that.
+
+Instead of passing the root node, pass NULL, which does exactly the same:
+iterate over all DT nodes, starting from the root node.
+
+Signed-off-by: Boris Brezillon
+Reported-by: Alexandre Belloni
+Fixes: 3d61467f9bab ("irqchip: atmel-aic: Implement RTC irq fixup")
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -148,9 +148,9 @@ void __init aic_common_rtc_irq_fixup(str
+ struct device_node *np;
+ void __iomem *regs;
+
+- np = of_find_compatible_node(root, NULL, "atmel,at91rm9200-rtc");
++ np = of_find_compatible_node(NULL, NULL, "atmel,at91rm9200-rtc");
+ if (!np)
+- np = of_find_compatible_node(root, NULL,
++ np = of_find_compatible_node(NULL, NULL,
+ "atmel,at91sam9x5-rtc");
+
+ if (!np)
diff --git a/queue-4.4/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch b/queue-4.4/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
new file mode 100644
index 00000000000..c147f5496fb
--- /dev/null
+++ b/queue-4.4/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
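Review bot: Passing NULL instead of `root` means of_find_compatible_node() no longer drops a reference the caller never took, but it still returns `np` with a reference held, so the `of_node_put(np)` after the RTC registers are mapped must remain; that part of aic_common_rtc_irq_fixup() is outside the hunk and is worth checking in the 4.4 tree. After this change `root` is no longer referenced anywhere in the visible context, so the parameter is presumably dead; if so, a comment such as `/* root unused: kept for the fixup callback signature */` would stop a later cleanup from changing the callback type.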
@@ -0,0 +1,83 @@
+From 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 Mon Sep 17 00:00:00 2001
+From: zhong jiang
+Date: Fri, 18 Aug 2017 15:16:24 -0700
+Subject: mm/mempolicy: fix use after free when calling get_mempolicy
+
+From: zhong jiang
+
+commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.
+
+I hit a use after free issue when executing trinity and repoduced it
+with KASAN enabled. The related call trace is as follows.
+
+ BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
+ Read of size 2 by task syz-executor1/798
+
+ INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
+ __slab_alloc+0x768/0x970
+ kmem_cache_alloc+0x2e7/0x450
+ mpol_new.part.2+0x74/0x160
+ mpol_new+0x66/0x80
+ SyS_mbind+0x267/0x9f0
+ system_call_fastpath+0x16/0x1b
+ INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
+ __slab_free+0x495/0x8e0
+ kmem_cache_free+0x2f3/0x4c0
+ __mpol_put+0x2b/0x40
+ SyS_mbind+0x383/0x9f0
+ system_call_fastpath+0x16/0x1b
+ INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
+ INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
+
+ Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
+ Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
+ Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb ........
+ Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+ Memory state around the buggy address:
+ ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
+
+!shared memory policy is not protected against parallel removal by other
+thread which is normally protected by the mmap_sem. do_get_mempolicy,
+however, drops the lock midway while we can still access it later.
+
+Early premature up_read is a historical artifact from times when
+put_user was called in this path see https://lwn.net/Articles/124754/
+but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
+layering in the memory policy layer."). but when we have the the
+current mempolicy ref count model. The issue was introduced
+accordingly.
+
+Fix the issue by removing the premature release.
+
+Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
+Signed-off-by: zhong jiang
+Acked-by: Michal Hocko
+Cc: Minchan Kim
+Cc: Vlastimil Babka
+Cc: David Rientjes
+Cc: Mel Gorman
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -894,11 +894,6 @@ static long do_get_mempolicy(int *policy
+ *policy |= (pol->flags & MPOL_MODE_FLAGS);
+ }
+
+- if (vma) {
+- up_read(¤t->mm->mmap_sem);
+- vma = NULL;
+- }
+-
+ err = 0;
+ if (nmask) {
+ if (mpol_store_user_nodemask(pol)) {
diff --git a/queue-4.4/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch b/queue-4.4/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
new file mode 100644
index 00000000000..623d1312369
--- /dev/null
+++ b/queue-4.4/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
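Review bot: Removing the early `up_read()` means mmap_sem is now held for the remainder of do_get_mempolicy(), including the `nmask` handling that follows, so the release has to happen on the function's common exit path; that path is outside the hunk, and because `vma = NULL` is no longer cleared here, it is worth confirming that the 4.4 exit code still does `if (vma) up_read(&current->mm->mmap_sem);` so the lock is balanced on every return. Holding the lock longer is the intended fix (the KASAN trace shows the policy freed by a concurrent mbind() while it was still being read), but a one-line comment at the deletion point, e.g. `/* keep mmap_sem until exit: pol may be freed by a concurrent mbind() once it is dropped */`, would stop the premature release from being reintroduced. The removed line shows as `up_read(¤t->mm->mmap_sem)` in this view, which looks like an extraction artifact of `&current` rather than something in the queued patch.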
@@ -0,0 +1,82 @@
+From c715b72c1ba406f133217b509044c38d8e714a37 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Fri, 18 Aug 2017 15:16:31 -0700
+Subject: mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
+
+From: Kees Cook
+
+commit c715b72c1ba406f133217b509044c38d8e714a37 upstream.
+
+Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000
+broke AddressSanitizer. This is a partial revert of:
+
+ eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
+ 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
+
+The AddressSanitizer tool has hard-coded expectations about where
+executable mappings are loaded.
+
+The motivation for changing the PIE base in the above commits was to
+avoid the Stack-Clash CVEs that allowed executable mappings to get too
+close to heap and stack. This was mainly a problem on 32-bit, but the
+64-bit bases were moved too, in an effort to proactively protect those
+systems (proofs of concept do exist that show 64-bit collisions, but
+other recent changes to fix stack accounting and setuid behaviors will
+minimize the impact).
+
+The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC
+base), so only the 64-bit PIE base needs to be reverted to let x86 and
+arm64 ASan binaries run again. Future changes to the 64-bit PIE base on
+these architectures can be made optional once a more dynamic method for
+dealing with AddressSanitizer is found. (e.g. always loading PIE into
+the mmap region for marked binaries.)
+
+Link: http://lkml.kernel.org/r/20170807201542.GA21271@beast
+Fixes: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
+Fixes: 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
+Signed-off-by: Kees Cook
+Reported-by: Kostya Serebryany
+Acked-by: Will Deacon
+Cc: Ingo Molnar
+Cc: "H.
Peter Anvin"
+Cc: Thomas Gleixner
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/include/asm/elf.h | 4 ++--
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -121,10 +121,10 @@ typedef struct user_fpsimd_state elf_fpr
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * 64-bit, this is above 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#define ELF_ET_DYN_BASE 0x100000000UL
++#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+
+ /*
+ * When the program starts, a1 contains a pointer to a function to be
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -247,11 +247,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * 64-bit, this is above 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- 0x100000000UL)
++ (TASK_SIZE / 3 * 2))
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
diff --git a/queue-4.4/series b/queue-4.4/series
index a12dd9572f6..fe1f1bc39bf 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
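Review bot: The reverted 64-bit base, `(2 * TASK_SIZE_64 / 3)` on arm64 and `(TASK_SIZE / 3 * 2)` on x86, gives back the extra distance between PIE executables and the mmap and stack areas that eab09532d400 and 02445990a96e introduced as Stack-Clash hardening; the commit message records that trade-off and the ASan reason, but the surviving in-file comment says only "above 4GB", so nothing at the definition site explains why 0x100000000UL must not be restored. Suggest adding to both comment blocks a line such as `Do not move this back to 0x100000000UL: AddressSanitizer has hard-coded expectations about where executable mappings are loaded (see c715b72c1ba4).` The two architectures also spell the same fraction differently (`2 * X / 3` versus `X / 3 * 2`), which can differ by rounding; presumably harmless for a load base, but one spelling would make the equivalence obvious.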
@@ -7,3 +7,9 @@ input-elan_i2c-add-antoher-lenovo-acpi-id-for-upcoming-lenovo-nb.patch
 alsa-seq-2nd-attempt-at-fixing-race-creating-a-queue.patch
 alsa-usb-audio-apply-sample-rate-quirk-to-sennheiser-headset.patch
 alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-c-media-devices.patch
+mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
+mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
+xen-fix-bio-vec-merging.patch
+x86-asm-64-clear-ac-on-nmi-entries.patch
+irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
+irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
diff --git a/queue-4.4/x86-asm-64-clear-ac-on-nmi-entries.patch b/queue-4.4/x86-asm-64-clear-ac-on-nmi-entries.patch
new file mode 100644
index 00000000000..a77a38cf463
--- /dev/null
+++ b/queue-4.4/x86-asm-64-clear-ac-on-nmi-entries.patch
@@ -0,0 +1,41 @@
+From e93c17301ac55321fc18e0f8316e924e58a83c8c Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Mon, 7 Aug 2017 19:43:13 -0700
+Subject: x86/asm/64: Clear AC on NMI entries
+
+From: Andy Lutomirski
+
+commit e93c17301ac55321fc18e0f8316e924e58a83c8c upstream.
+
+This closes a hole in our SMAP implementation.
+
+This patch comes from grsecurity. Good catch!
+
+Signed-off-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Denys Vlasenko
+Cc: H. Peter Anvin
+Cc: Josh Poimboeuf
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/314cc9f294e8f14ed85485727556ad4f15bb1659.1502159503.git.luto@kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/entry/entry_64.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1190,6 +1190,8 @@ ENTRY(nmi)
+ * other IST entries.
+ */
+
++ ASM_CLAC
++
+ /* Use %rdx as our temp variable throughout */
+ pushq %rdx
+
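Review bot: The new `ASM_CLAC` sits at the top of ENTRY(nmi) before `pushq %rdx`, which is the right spot: EFLAGS.AC is inherited from the interrupted context, so an NMI that lands inside a STAC/CLAC window would otherwise run its whole handler with SMAP disabled, which is presumably the hole the terse description refers to. Since the description says only "closes a hole in our SMAP implementation", a comment above the new line, e.g. `/* NMI can interrupt a STAC window: clear AC so SMAP stays in force for the handler */`, would let readers of entry_64.S see the rationale without the commit. If ASM_CLAC is the usual alternatives-based macro it becomes a NOP on parts without SMAP, so there is no functional change there; the rest of the NMI entry, including the nested-NMI handling, is outside the hunk, but all NMIs enter through this label, so the single placement should cover them — worth a quick confirmation against the 4.4 entry code.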
diff --git a/queue-4.4/xen-fix-bio-vec-merging.patch b/queue-4.4/xen-fix-bio-vec-merging.patch
new file mode 100644
index 00000000000..c8968b69ee6
--- /dev/null
+++ b/queue-4.4/xen-fix-bio-vec-merging.patch
@@ -0,0 +1,61 @@
+From 462cdace790ac2ed6aad1b19c9c0af0143b6aab0 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne
+Date: Tue, 18 Jul 2017 15:01:00 +0100
+Subject: xen: fix bio vec merging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne
+
+commit 462cdace790ac2ed6aad1b19c9c0af0143b6aab0 upstream.
+
+The current test for bio vec merging is not fully accurate and can be
+tricked into merging bios when certain grant combinations are used.
+The result of these malicious bio merges is a bio that extends past
+the memory page used by any of the originating bios.
+
+Take into account the following scenario, where a guest creates two
+grant references that point to the same mfn, ie: grant 1 -> mfn A,
+grant 2 -> mfn A.
+
+These references are then used in a PV block request, and mapped by
+the backend domain, thus obtaining two different pfns that point to
+the same mfn, pfn B -> mfn A, pfn C -> mfn A.
+
+If those grants happen to be used in two consecutive sectors of a disk
+IO operation becoming two different bios in the backend domain, the
+checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2
+(they both point to the same mfn). However due to the bio merging,
+the backend domain will end up with a bio that expands past mfn A into
+mfn A + 1.
+
+Fix this by making sure the check in xen_biovec_phys_mergeable takes
+into account the offset and the length of the bio, this basically
+replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus
+addresses). While there also remove the usage of
+__BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers
+of xen_biovec_phys_mergeable.
+
+Reported-by: "Jan H.
Schönherr"
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Juergen Gross
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/biomerge.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/xen/biomerge.c
++++ b/drivers/xen/biomerge.c
+@@ -10,8 +10,7 @@ bool xen_biovec_phys_mergeable(const str
+ unsigned long bfn1 = pfn_to_bfn(page_to_pfn(vec1->bv_page));
+ unsigned long bfn2 = pfn_to_bfn(page_to_pfn(vec2->bv_page));
+
+- return __BIOVEC_PHYS_MERGEABLE(vec1, vec2) &&
+- ((bfn1 == bfn2) || ((bfn1+1) == bfn2));
++ return bfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == bfn2;
+ #else
+ /*
+ * XXX: Add support for merging bio_vec when using different page
--
2.47.3
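Review bot: The new test `bfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == bfn2` never looks at `vec2->bv_offset`, so it is only sufficient because callers have already established `__BIOVEC_PHYS_MERGEABLE(vec1, vec2)`, i.e. byte contiguity in pfn space; that precondition lives only in the commit message and should be recorded where the check is, e.g. `/* callers have already checked __BIOVEC_PHYS_MERGEABLE(); only continuity across the pfn->bfn mapping is verified here */`. It also assumes a bio_vec never spans more than one page, which presumably holds for this tree but is worth stating, since the grant aliasing in the description (two pfns mapping one mfn) is exactly the case the generic check cannot see and a future caller skipping it would get page-adjacent bus addresses merged without byte contiguity. The `#else` branch and the end of xen_biovec_phys_mergeable() are outside the hunk.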