--- /dev/null
+From ebiggers@kernel.org Thu Jan 10 20:09:51 2019
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Mon, 7 Jan 2019 15:15:59 -0800
+Subject: crypto: x86/chacha20 - avoid sleeping with preemption disabled
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-crypto@vger.kernel.org, Martin Willi <martin@strongswan.org>, Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Message-ID: <20190107231559.13357-1-ebiggers@kernel.org>
+
+
+From: Eric Biggers <ebiggers@google.com>
+
+In chacha20-simd, clear the MAY_SLEEP flag in the blkcipher_desc to
+prevent sleeping with preemption disabled, under kernel_fpu_begin().
+
+This was fixed upstream incidentally by a large refactoring,
+commit 9ae433bc79f9 ("crypto: chacha20 - convert generic and x86
+versions to skcipher"). But syzkaller easily trips over this when
+running on older kernels, as it's easily reachable via AF_ALG.
+Therefore, this patch makes the minimal fix for older kernels.
+
+Fixes: c9320b6dcb89 ("crypto: chacha20 - Add a SSSE3 SIMD variant for x86_64")
+Cc: linux-crypto@vger.kernel.org
+Cc: Martin Willi <martin@strongswan.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/crypto/chacha20_glue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/crypto/chacha20_glue.c
++++ b/arch/x86/crypto/chacha20_glue.c
+@@ -77,6 +77,7 @@ static int chacha20_simd(struct blkciphe
+
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+ err = blkcipher_walk_virt_block(desc, &walk, CHACHA20_BLOCK_SIZE);
++ desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
+
+ crypto_chacha20_init(state, crypto_blkcipher_ctx(desc->tfm), walk.iv);
+
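Review bot: the placement of the new `desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;` line deserves a one-line comment, because it looks arbitrary at first glance: it is cleared only after blkcipher_walk_init()/blkcipher_walk_virt_block(), so the initial walk set-up may still sleep, while every later walk step (which per the commit message runs under kernel_fpu_begin()) is forced onto the non-sleeping path. Note also that this mutates the caller-supplied desc rather than a local copy, so the flag stays cleared for the caller after the call returns; that matches the existing x86 glue style but is worth stating in the comment.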
--- /dev/null
+From dbc2970caef74e8ff41923d302aa6fb5a4812d0e Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Wed, 28 Nov 2018 10:19:36 -0800
+Subject: IB/hfi1: Incorrect sizing of sge for PIO will OOPs
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit dbc2970caef74e8ff41923d302aa6fb5a4812d0e upstream.
+
+An incorrect sge sizing in the HFI PIO path will cause an OOPs similar to
+this:
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [] hfi1_verbs_send_pio+0x3d8/0x530 [hfi1]
+PGD 0
+Oops: 0000 1 SMP
+ Call Trace:
+ ? hfi1_verbs_send_dma+0xad0/0xad0 [hfi1]
+ hfi1_verbs_send+0xdf/0x250 [hfi1]
+ ? make_rc_ack+0xa80/0xa80 [hfi1]
+ hfi1_do_send+0x192/0x430 [hfi1]
+ hfi1_do_send_from_rvt+0x10/0x20 [hfi1]
+ rvt_post_send+0x369/0x820 [rdmavt]
+ ib_uverbs_post_send+0x317/0x570 [ib_uverbs]
+ ib_uverbs_write+0x26f/0x420 [ib_uverbs]
+ ? security_file_permission+0x21/0xa0
+ vfs_write+0xbd/0x1e0
+ ? mntput+0x24/0x40
+ SyS_write+0x7f/0xe0
+ system_call_fastpath+0x16/0x1b
+
+Fix by adding the missing sizing check to correctly determine the sge
+length.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -1088,6 +1088,8 @@ int hfi1_verbs_send_pio(struct rvt_qp *q
+
+ if (slen > len)
+ slen = len;
++ if (slen > ss->sge.sge_length)
++ slen = ss->sge.sge_length;
+ update_sge(ss, slen);
+ seg_pio_copy_mid(pbuf, addr, slen);
+ len -= slen;
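Review bot: the new clamp duplicates the shape of the `if (slen > len) slen = len;` immediately above it; the two could be folded into a single `slen = min(slen, ...)`-style expression, provided the types of slen, len and ss->sge.sge_length agree (otherwise min_t() with an explicit type). More importantly, a short comment should say why the sge length bound matters here: slen is passed straight to update_sge() and seg_pio_copy_mid(), so a value larger than the current sge walks past the end of it, which is the NULL dereference in the trace in the commit message.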
--- /dev/null
+From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Thu, 20 Dec 2018 17:45:43 +0000
+Subject: MIPS: math-emu: Write-protect delay slot emulation pages
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream.
+
+Mapping the delay slot emulation page as both writeable & executable
+presents a security risk, in that if an exploit can write to & jump into
+the page then it can be used as an easy way to execute arbitrary code.
+
+Prevent this by mapping the page read-only for userland, and using
+access_process_vm() with the FOLL_FORCE flag to write to it from
+mips_dsemul().
+
+This will likely be less efficient due to copy_to_user_page() performing
+cache maintenance on a whole page, rather than a single line as in the
+previous use of flush_cache_sigtramp(). However this delay slot
+emulation code ought not to be running in any performance critical paths
+anyway so this isn't really a problem, and we can probably do better in
+copy_to_user_page() anyway in future.
+
+A major advantage of this approach is that the fix is small & simple to
+backport to stable kernels.
+
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
+Cc: stable@vger.kernel.org # v4.8+
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Rich Felker <dalias@libc.org>
+Cc: David Daney <david.daney@cavium.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/vdso.c | 4 ++--
+ arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
+ 2 files changed, 22 insertions(+), 20 deletions(-)
+
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -111,8 +111,8 @@ int arch_setup_additional_pages(struct l
+
+ /* Map delay slot emulation page */
+ base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
+- VM_READ|VM_WRITE|VM_EXEC|
+- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
++ VM_READ | VM_EXEC |
++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
+ 0);
+ if (IS_ERR_VALUE(base)) {
+ ret = base;
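Review bot: VM_WRITE is dropped but VM_MAYWRITE is kept, and that asymmetry should be documented in the comment above the mmap_region() call. Keeping VM_MAYWRITE is needed so that the FOLL_FORCE write from access_process_vm() in the dsemul.c hunk can take the copy-on-write path into a private read-only mapping, but it also means the protection of this page is only the default: nothing in the mapping itself prevents the process from later changing the page protection again. Stating that residual limitation next to the flags makes the security property being claimed precise.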
+--- a/arch/mips/math-emu/dsemul.c
++++ b/arch/mips/math-emu/dsemul.c
+@@ -211,8 +211,9 @@ int mips_dsemul(struct pt_regs *regs, mi
+ {
+ int isa16 = get_isa16_mode(regs->cp0_epc);
+ mips_instruction break_math;
+- struct emuframe __user *fr;
+- int err, fr_idx;
++ unsigned long fr_uaddr;
++ struct emuframe fr;
++ int fr_idx, ret;
+
+ /* NOP is easy */
+ if (ir == 0)
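Review bot: `struct emuframe fr;` is now a kernel stack object whose full sizeof(fr) bytes are copied to user memory in the next hunk. Both of its fields are assigned before the copy, so nothing uninitialized is exposed today, but that silently depends on struct emuframe having no padding and no future members; `struct emuframe fr = {};` (or a BUILD_BUG_ON on its size) would make the no-stack-leak property hold by construction.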
+@@ -247,27 +248,31 @@ int mips_dsemul(struct pt_regs *regs, mi
+ fr_idx = alloc_emuframe();
+ if (fr_idx == BD_EMUFRAME_NONE)
+ return SIGBUS;
+- fr = &dsemul_page()[fr_idx];
+
+ /* Retrieve the appropriately encoded break instruction */
+ break_math = BREAK_MATH(isa16);
+
+ /* Write the instructions to the frame */
+ if (isa16) {
+- err = __put_user(ir >> 16,
+- (u16 __user *)(&fr->emul));
+- err |= __put_user(ir & 0xffff,
+- (u16 __user *)((long)(&fr->emul) + 2));
+- err |= __put_user(break_math >> 16,
+- (u16 __user *)(&fr->badinst));
+- err |= __put_user(break_math & 0xffff,
+- (u16 __user *)((long)(&fr->badinst) + 2));
++ union mips_instruction _emul = {
++ .halfword = { ir >> 16, ir }
++ };
++ union mips_instruction _badinst = {
++ .halfword = { break_math >> 16, break_math }
++ };
++
++ fr.emul = _emul.word;
++ fr.badinst = _badinst.word;
+ } else {
+- err = __put_user(ir, &fr->emul);
+- err |= __put_user(break_math, &fr->badinst);
++ fr.emul = ir;
++ fr.badinst = break_math;
+ }
+
+- if (unlikely(err)) {
++ /* Write the frame to user memory */
++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
++ FOLL_FORCE | FOLL_WRITE);
++ if (unlikely(ret != sizeof(fr))) {
+ MIPS_FPU_EMU_INC_STATS(errors);
+ free_emuframe(fr_idx, current->mm);
+ return SIGBUS;
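Review bot: `ret != sizeof(fr)` compares a signed int against a size_t. A negative return from access_process_vm() still fails the check (it converts to a huge unsigned value), so the logic is right, but it trips -Wsign-compare and reads as if a negative result were not considered; `if (unlikely(ret < 0 || ret != sizeof(fr)))` or a cast would make the intent explicit. For the isa16 branch, the halfword initialisers `{ ir >> 16, ir }` rely on implicit truncation to u16 where the old code masked with `& 0xffff`; that is equivalent, but a brief comment noting that halfword[0] lands at the lower address (matching the previous __put_user ordering) would spare the next reader the endianness check.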
+@@ -279,10 +284,7 @@ int mips_dsemul(struct pt_regs *regs, mi
+ atomic_set(&current->thread.bd_emu_frame, fr_idx);
+
+ /* Change user register context to execute the frame */
+- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
+-
+- /* Ensure the icache observes our newly written frame */
+- flush_cache_sigtramp((unsigned long)&fr->emul);
++ regs->cp0_epc = fr_uaddr | isa16;
+
+ return 0;
+ }
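Review bot: `regs->cp0_epc = fr_uaddr | isa16;` is only equivalent to the removed `&fr->emul` if emul is the first member of struct emuframe; either compute `fr_uaddr + offsetof(struct emuframe, emul)` or add a BUILD_BUG_ON(offsetof(struct emuframe, emul) != 0) so the assumption is checked. The removal of flush_cache_sigtramp() also deserves a comment at this spot: instruction-cache coherence for the freshly written frame now comes from the copy_to_user_page() maintenance done inside access_process_vm() (as the commit message explains), and without a note here someone may reintroduce the explicit flush or, worse, assume none is needed when changing the write path.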
mm-devm_memremap_pages-kill-mapping-system-ram-support.patch
sunrpc-fix-cache_head-leak-due-to-queued-request.patch
sunrpc-use-svc_net-in-svcauth_gss_-functions.patch
+mips-math-emu-write-protect-delay-slot-emulation-pages.patch
+crypto-x86-chacha20-avoid-sleeping-with-preemption-disabled.patch
+vhost-vsock-fix-uninitialized-vhost_vsock-guest_cid.patch
+ib-hfi1-incorrect-sizing-of-sge-for-pio-will-oops.patch
--- /dev/null
+From a72b69dc083a931422cc8a5e33841aff7d5312f2 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 9 Nov 2017 13:29:10 +0000
+Subject: vhost/vsock: fix uninitialized vhost_vsock->guest_cid
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+commit a72b69dc083a931422cc8a5e33841aff7d5312f2 upstream.
+
+The vhost_vsock->guest_cid field is uninitialized when /dev/vhost-vsock
+is opened until the VHOST_VSOCK_SET_GUEST_CID ioctl is called.
+
+kvmalloc(..., GFP_KERNEL | __GFP_RETRY_MAYFAIL) does not zero memory.
+All other vhost_vsock fields are initialized explicitly so just
+initialize this field too.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: Daniel Verkamp <dverkamp@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -520,6 +520,8 @@ static int vhost_vsock_dev_open(struct i
+ goto out;
+ }
+
++ vsock->guest_cid = 0; /* no CID assigned yet */
++
+ atomic_set(&vsock->queued_replies, 0);
+
+ vqs[VSOCK_VQ_TX] = &vsock->vqs[VSOCK_VQ_TX];
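Review bot: the explicit `vsock->guest_cid = 0;` is the right minimal fix for stable, but the root cause is the non-zeroing kvmalloc() named in the commit message, so any field added to struct vhost_vsock later will have the same bug unless it is also initialized by hand. Switching the allocation to kvzalloc() (same GFP flags) would close that class of mistake in one place; if that is out of scope for this backport, the comment should at least mention that the field list is initialized one by one by design.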