Commits · 50f090e8089195a9df8f9c690103268caa88a7f3 · Summer2022 / 22b970497

Apr 20, 2022

x86/speculation: Warn about Spectre v2 LFENCE mitigation · 50f090e8

Josh Poimboeuf authored 2 years ago

stable inclusion
from stable-v4.19.234
commit 8bfdba77595aee5c3e83ed1c9994c35d6d409605
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678 upstream.

With:

  f8a66d608a3e ("x86,bugs: Unconditionally allow spectre_v2=retpoline,amd")

it became possible to enable the LFENCE "retpoline" on Intel. However,
Intel doesn't recommend it, as it has some weaknesses compared to
retpoline.

Now AMD doesn't recommend it either.

It can still be left available as a cmdline option. It's faster than
retpoline but is weaker in certain scenarios -- particularly SMT, but
even non-SMT may be vulnerable in some cases.

So just unconditionally warn if the user requests it on the cmdline.

  [ bp: Massage commit message. ]

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

50f090e8

x86/speculation: Update link to AMD speculation whitepaper · de9842d5

Kim Phillips authored 2 years ago

stable inclusion
from stable-v4.19.234
commit c034d344e733a3ac574dd09e39e911a50025c607
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit e9b6013a7ce31535b04b02ba99babefe8a8599fa upstream.

Update the link to the "Software Techniques for Managing Speculation
on AMD Processors" whitepaper.

Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

de9842d5

x86/speculation: Use generic retpoline by default on AMD · 802b5d02

Kim Phillips authored 2 years ago

stable inclusion
from stable-v4.19.234
commit d3cb3a6927222268a10b2f12dfb8c9444f7cc39e
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit 244d00b5dd4755f8df892c86cab35fb2cfd4f14b upstream.

AMD retpoline may be susceptible to speculation. The speculation
execution window for an incorrect indirect branch prediction using
LFENCE/JMP sequence may potentially be large enough to allow
exploitation using Spectre V2.

By default, don't use retpoline,lfence on AMD.  Instead, use the
generic retpoline.

Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

802b5d02

x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting · 8fbdf654

Josh Poimboeuf authored 2 years ago

stable inclusion
from stable-v4.19.234
commit 995629e1d8e6751936c6e2b738f70b392b0461de
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit 44a3918c8245ab10c6c9719dd12e7a8d291980d8 upstream.

With unprivileged eBPF enabled, eIBRS (without retpoline) is vulnerable
to Spectre v2 BHB-based attacks.

When both are enabled, print a warning message and report it in the
'spectre_v2' sysfs vulnerabilities file.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[fllinden@amazon.com: backported to 4.19]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
    kernel/sysctl.c

Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

8fbdf654

Documentation/hw-vuln: Update spectre doc · f72da20e

Peter Zijlstra authored 2 years ago

stable inclusion
from stable-v4.19.234
commit 7af95ef3ec6248696300fce5c68f6c8c4f50e4a4
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit 5ad3eb1132453b9795ce5fd4572b1c18b292cca9 upstream.

Update the doc with the new fun.

  [ bp: Massage commit message. ]

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[fllinden@amazon.com: backported to 4.19]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

f72da20e

x86/speculation: Add eIBRS + Retpoline options · 5aa35f5d

Peter Zijlstra authored 2 years ago

stable inclusion
from stable-v4.19.234
commit 3f66bedb96ff4c064a819e68499f79b38297ba26
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit 1e19da8522c81bf46b335f84137165741e0d82b7 upstream.

Thanks to the chaps at VUsec it is now clear that eIBRS is not
sufficient, therefore allow enabling of retpolines along with eIBRS.

Add spectre_v2=eibrs, spectre_v2=eibrs,lfence and
spectre_v2=eibrs,retpoline options to explicitly pick your preferred
means of mitigation.

Since there's new mitigations there's also user visible changes in
/sys/devices/system/cpu/vulnerabilities/spectre_v2 to reflect these
new mitigations.

  [ bp: Massage commit message, trim error messages,
    do more precise eIBRS mode checking. ]

Co-developed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Patrick Colp <patrick.colp@oracle.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[fllinden@amazon.com: backported to 4.19 (no Hygon)]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
    arch/x85/kernel/cpu/bugs.c

Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

5aa35f5d

x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE · 827e6afa

Peter Zijlstra (Intel) authored 2 years ago

stable inclusion
from stable-v4.19.234
commit 25440a8c77dd2fde6a8e9cfc0c616916febf408e
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit d45476d9832409371537013ebdd8dc1a7781f97a upstream.

The RETPOLINE_AMD name is unfortunate since it isn't necessarily
AMD only, in fact Hygon also uses it. Furthermore it will likely be
sufficient for some Intel processors. Therefore rename the thing to
RETPOLINE_LFENCE to better describe what it is.

Add the spectre_v2=retpoline,lfence option as an alias to
spectre_v2=retpoline,amd to preserve existing setups. However, the output
of /sys/devices/system/cpu/vulnerabilities/spectre_v2 will be changed.

  [ bp: Fix typos, massage. ]

Co-developed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[fllinden@amazon.com: backported to 4.19]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
    arch/x85/kernel/cpu/bugs.c

Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

827e6afa

x86,bugs: Unconditionally allow spectre_v2=retpoline,amd · 989c0a1d

Peter Zijlstra authored 2 years ago

stable inclusion
from stable-v4.19.234
commit 1dd7efcfcccee59c974f56848739d4f5a5a570c7
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit f8a66d608a3e471e1202778c2a36cbdc96bae73b upstream.

Currently Linux prevents usage of retpoline,amd on !AMD hardware, this
is unfriendly and gets in the way of testing. Remove this restriction.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Tested-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/r/20211026120310.487348118@infradead.org


[fllinden@amazon.com: backported to 4.19 (no Hygon in 4.19)]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
    arch/x85/kernel/cpu/bugs.c

Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

989c0a1d

x86/speculation: Merge one test in spectre_v2_user_select_mitigation() · b5aab4b8

Borislav Petkov authored 2 years ago

stable inclusion
from stable-v4.19.234
commit d86fc674172edc0794f84198405f59f00b71512a
category: bugfix
bugzilla: 186453, https://gitee.com/src-openeuler/kernel/issues/I50WBM


CVE: CVE-2022-0001

--------------------------------

commit a5ce9f2b upstream.

Merge the test whether the CPU supports STIBP into the test which
determines whether STIBP is required. Thus try to simplify what is
already an insane logic.

Remove a superfluous newline in a comment, while at it.

Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Anthony Steinhauser <asteinhauser@google.com>
Link: https://lkml.kernel.org/r/20200615065806.GB14668@zn.tnic


[fllinden@amazon.com: fixed contextual conflict (comment) for 4.19]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
    arch/x85/kernel/cpu/bugs.c

Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

b5aab4b8

mm/memory.c: fix clear_gigantic_page_chunk · 2a98e82a

Liu Shixin authored 2 years ago

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5323R


CVE: NA

--------------------------------

Patch "mm: parallelize clear_gigantic_page" put mem_map_next() after
clear_user_highpage but not modify the parameter i. So it's actually the
previous page being cleared in each loop. As a result, the last page has
not been cleared. Fix it by put mem_map_next() back to the original
position.

Fixes: ae0cd4d4 ("mm: parallelize clear_gigantic_page")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

2a98e82a

Apr 19, 2022

ext4: fix fs corruption when tring to remove a non-empty directory with IO error · 5ac69702

Ye Bin authored 2 years ago

mainline inclusion
from mainline-v5.18-rc1
commit 7aab5c84a0f6ec2290e2ba4a6b245178b1bf949a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I52WOM


CVE: NA

--------------------------------

We inject IO error when rmdir non empty direcory, then got issue as follows:
step1: mkfs.ext4 -F /dev/sda
step2: mount /dev/sda  test
step3: cd test
step4: mkdir -p 1/2
step5: rmdir 1
	[  110.920551] ext4_empty_dir: inject fault
	[  110.921926] EXT4-fs warning (device sda): ext4_rmdir:3113: inode #12:
	comm rmdir: empty directory '1' has too many links (3)
step6: cd ..
step7: umount test
step8: fsck.ext4 -f /dev/sda
	e2fsck 1.42.9 (28-Dec-2013)
	Pass 1: Checking inodes, blocks, and sizes
	Pass 2: Checking directory structure
	Entry '..' in .../??? (13) has deleted/unused inode 12.  Clear<y>? yes
	Pass 3: Checking directory connectivity
	Unconnected directory inode 13 (...)
	Connect to /lost+found<y>? yes
	Pass 4: Checking reference counts
	Inode 13 ref count is 3, should be 2.  Fix<y>? yes
	Pass 5: Checking group summary information

	/dev/sda: ***** FILE SYSTEM WAS MODIFIED *****
	/dev/sda: 12/131072 files (0.0% non-contiguous), 26157/524288 blocks

ext4_rmdir
	if (!ext4_empty_dir(inode))
		goto end_rmdir;
ext4_empty_dir
	bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
	if (IS_ERR(bh))
		return true;
Now if read directory block failed, 'ext4_empty_dir' will return true, assume
directory is empty. Obviously, it will lead to above issue.
To solve this issue, if read directory block failed 'ext4_empty_dir' just
return false. To avoid making things worse when file system is already
corrupted, 'ext4_empty_dir' also return false.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20220228024815.3952506-1-yebin10@huawei.com


Signed-off-by: Theodore Ts'o <tytso@mit.edu>

conflicts:
fs/ext4/namei.c

Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

4.19.90-2204.3.0

5ac69702

Revert "ext4: fix file system corrupted when rmdir non empty directory with IO error" · b759debf

Ye Bin authored 2 years ago

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I52WOM


CVE: NA

--------------------------------

This reverts commit 35bd50bc.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

b759debf

sched: Fix yet more sched_fork() races · af98db5f

Peter Zijlstra authored 2 years ago

mainline inclusion
from mainline-v5.17-rc5
commit b1e8206582f9d680cff7d04828708c8b6ab32957
category: bugfix
bugzilla: 186609, https://gitee.com/openeuler/kernel/issues/I532B0


CVE: NA

--------------------------------

Where commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an
invalid sched_task_group") fixed a fork race vs cgroup, it opened up a
race vs syscalls by not placing the task on the runqueue before it
gets exposed through the pidhash.

Commit 13765de8148f ("sched/fair: Fix fault in reweight_entity") is
trying to fix a single instance of this, instead fix the whole class
of issues, effectively reverting this commit.

Fixes: 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Tested-by: Zhang Qiao <zhangqiao22@huawei.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Link: https://lkml.kernel.org/r/YgoeCbwj5mbCR0qA@hirez.programming.kicks-ass.net



conflict:
	include/linux/sched/task.h
	kernel/fork.c
	kernel/sched/core.c

Signed-off-by: Zhang Qiao <zhangqiao22@huawei.com>
Reviewed-by: Chen Hui <judy.chenhui@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

af98db5f

sched/fair: Fix wrong cpu selecting from isolated domain · 742a0b5b

Xunlei Pang authored 2 years ago

mainline inclusion
from mainline-v5.10-rc1
commit df3cb4ea
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I52QKB


CVE: NA

--------------------------------

We've met problems that occasionally tasks with full cpumask
(e.g. by putting it into a cpuset or setting to full affinity)
were migrated to our isolated cpus in production environment.

After some analysis, we found that it is due to the current
select_idle_smt() not considering the sched_domain mask.

Steps to reproduce on my 31-CPU hyperthreads machine:
1. with boot parameter: "isolcpus=domain,2-31"
   (thread lists: 0,16 and 1,17)
2. cgcreate -g cpu:test; cgexec -g cpu:test "test_threads"
3. some threads will be migrated to the isolated cpu16~17.

Fix it by checking the valid domain mask in select_idle_smt().

Fixes: 10e2f1ac ("sched/core: Rewrite and improve select_idle_siblings())
Reported-by: Wetp Zhang <wetp.zy@linux.alibaba.com>
Signed-off-by: Xunlei Pang <xlpang@linux.alibaba.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Jiang Biao <benbjiang@tencent.com>
Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lkml.kernel.org/r/1600930127-76857-1-git-send-email-xlpang@linux.alibaba.com



Conflicts:
	kernel/sched/fair.c

Signed-off-by: Yu jiahua <yujiahua1@huawei.com>
Reviewed-by: zheng zucheng <zhengzucheng@huawei.com>
Reviewed-by: zheng zucheng <zhengzucheng@huawei.com>
Reviewed-by: Zhang Qiao <zhangqiao22@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

742a0b5b

Apr 18, 2022

netfilter: nf_tables: initialize registers in nft_do_chain() · d9c6a251

Pablo Neira Ayuso authored 2 years ago

mainline inclusion
from mainline-v5.18-rc1
commit 4c905f6740a365464e91467aa50916555b28213d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I50WAZ


CVE: CVE-2022-1016

-------------------------------------------------

Initialize registers to avoid stack leak into userspace.

Fixes: 96518518 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

conflict:
	net/netfilter/nf_tables_core.c

Signed-off-by: Lu Wei <luwei32@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

d9c6a251

Apr 16, 2022

nbd: fix possible overflow on 'first_minor' in nbd_dev_add() · d138b107

Zhang Wensheng authored 2 years ago

hulk inclusion
category: bugfix, https://gitee.com/openeuler/kernel/issues/I51ABL


bugzilla: 186386
CVE: NA

--------------------------------

When 'index' is a big numbers, it may become negative which forced
to 'int'. then 'index << part_shift' might overflow to a positive
value that is not greater than '0xfffff', then sysfs might complains
about duplicate creation. Because of this, move the 'index' judgment
to the front will fix it and be better.

Fixes: b0d9111a ("nbd: use an idr to keep track of nbd devices")
Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

d138b107

net: sched: adapt Qdisc kabi · fe484adc

Zhengchao Shao authored 2 years ago


hulk inclusion
category: bugfix
CVE: CVE-2021-39713

--------------------------------

To adapt to KABI, put rcu before gso_skb for 64-bit kernel. RCU will use
16 Bytes, and the space is enough. It's unuse for 32-bit kernel.

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

fe484adc

net_sched: fix a crash in tc_new_tfilter() · 90aafa08

Cong Wang authored 2 years ago


stable inclusion
from linux-4.19.221
commit f9ff09e266ca70c801b9911280f6ae64c9183d85
category: bugfix
CVE: CVE-2021-39713

--------------------------------

commit 460b3601 upstream.

When tcf_block_find() fails, it already rollbacks the qdisc refcnt,
so its caller doesn't need to clean up this again. Avoid calling
qdisc_put() again by resetting qdisc to NULL for callers.

Reported-by:  <syzbot+37b8770e6d5a8220a039@syzkaller.appspotmail.com>
Fixes: e368fdb6 ("net: sched: use Qdisc rcu API instead of relying on rtnl lock")
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Conflict:
	net/sched/cls_api.c
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

90aafa08

net: sched: use Qdisc rcu API instead of relying on rtnl lock · bad618de

Vlad Buslov authored 2 years ago


stable inclusion
from linux-4.19.221
commit ae214e04b95ff64a4b0e9aab6742520bfde6ff0c
category: bugfix
CVE: CVE-2021-39713

--------------------------------

[ Upstream commit e368fdb6 ]

As a preparation from removing rtnl lock dependency from rules update path,
use Qdisc rcu and reference counting capabilities instead of relying on
rtnl lock while working with Qdiscs. Create new tcf_block_release()
function, and use it to free resources taken by tcf_block_find().
Currently, this function only releases Qdisc and it is extended in next
patches in this series.

Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[Lee: Sent to Stable]
Link: https://syzkaller.appspot.com/bug?id=d7e411c5472dd5da33d8cc921ccadc747743a568


Reported-by:  <syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Conflict:
	net/sched/cls_api.c
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

bad618de

net: sched: add helper function to take reference to Qdisc · 823b2cfc

Vlad Buslov authored 2 years ago


stable inclusion
from linux-4.19.221
commit da1d324088c40fa0a382224c466175fc5c704106
category: bugfix
CVE: CVE-2021-39713

--------------------------------

[ Upstream commit 9d7e82ce ]

Implement function to take reference to Qdisc that relies on rcu read lock
instead of rtnl mutex. Function only takes reference to Qdisc if reference
counter isn't zero. Intended to be used by unlocked cls API.

Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[Lee: Sent to Stable]
Link: https://syzkaller.appspot.com/bug?id=d7e411c5472dd5da33d8cc921ccadc747743a568


Reported-by:  <syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

823b2cfc

net: sched: extend Qdisc with rcu · 5a1704c7

Vlad Buslov authored 2 years ago


stable inclusion
from linux-4.19.221
commit f602ed9f8574512e7ea1ab65c3db7ba71053bf27
category: bugfix
CVE: CVE-2021-39713

--------------------------------

[ Upstream commit 3a7d0d07 ]

Currently, Qdisc API functions assume that users have rtnl lock taken. To
implement rtnl unlocked classifiers update interface, Qdisc API must be
extended with functions that do not require rtnl lock.

Extend Qdisc structure with rcu. Implement special version of put function
qdisc_put_unlocked() that is called without rtnl lock taken. This function
only takes rtnl lock if Qdisc reference counter reached zero and is
intended to be used as optimization.

Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[Lee: Sent to Stable]
Link: https://syzkaller.appspot.com/bug?id=d7e411c5472dd5da33d8cc921ccadc747743a568


Reported-by:  <syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Conflict:
	net/sched/sch_generic.c
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

5a1704c7

net: core: netlink: add helper refcount dec and lock function · dd9f1295

Vlad Buslov authored 2 years ago


stable inclusion
from linux-4.19.221
commit cd25f1099284a0cbe916344fc1e6c1ffed6c5306
category: bugfix
CVE: CVE-2021-39713

--------------------------------

[ Upstream commit 6f99528e ]

Rtnl lock is encapsulated in netlink and cannot be accessed by other
modules directly. This means that reference counted objects that rely on
rtnl lock cannot use it with refcounter helper function that atomically
releases decrements reference and obtains mutex.

This patch implements simple wrapper function around refcount_dec_and_lock
that obtains rtnl lock if reference counter value reached 0.

Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[Lee: Sent to Stable]
Link: https://syzkaller.appspot.com/bug?id=d7e411c5472dd5da33d8cc921ccadc747743a568


Reported-by:  <syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

dd9f1295

Apr 15, 2022

xen/netfront: react properly to failing gnttab_end_foreign_access_ref() · 5dc64083

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit c307029d811e03546d18d0e512fe295b3103b8e5

--------------------------------

Commit 66e3531b33ee51dad17c463b4d9c9f52e341503d upstream.

When calling gnttab_end_foreign_access_ref() the returned value must
be tested and the reaction to that value should be appropriate.

In case of failure in xennet_get_responses() the reaction should not be
to crash the system, but to disable the network device.

The calls in setup_netfront() can be replaced by calls of
gnttab_end_foreign_access(). While at it avoid double free of ring
pages and grant references via xennet_disconnect_backend() in this case.

This is CVE-2022-23042 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

5dc64083

xen/gnttab: fix gnttab_end_foreign_access() without page specified · ca1d0828

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit 92dc0e4a219602242407dedd987dc9c8263c959b

--------------------------------

Commit 42baefac638f06314298087394b982ead9ec444b upstream.

gnttab_end_foreign_access() is used to free a grant reference and
optionally to free the associated page. In case the grant is still in
use by the other side processing is being deferred. This leads to a
problem in case no page to be freed is specified by the caller: the
caller doesn't know that the page is still mapped by the other side
and thus should not be used for other purposes.

The correct way to handle this situation is to take an additional
reference to the granted page in case handling is being deferred and
to drop that reference when the grant reference could be freed
finally.

This requires that there are no users of gnttab_end_foreign_access()
left directly repurposing the granted page after the call, as this
might result in clobbered data or information leaks via the not yet
freed grant reference.

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

ca1d0828

xen/pvcalls: use alloc/free_pages_exact() · 6b310e72

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit f85d03f0f482cc28a2ee15a1fed2ae57ae359412

--------------------------------

Commit b0576cc9c6b843d99c6982888d59a56209341888 upstream.

Instead of __get_free_pages() and free_pages() use alloc_pages_exact()
and free_pages_exact(). This is in preparation of a change of
gnttab_end_foreign_access() which will prohibit use of high-order
pages.

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

6b310e72

xen/9p: use alloc/free_pages_exact() · b0e5fec4

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit 2466bed361f3274e3e0ca9d8e539532481c06fea

--------------------------------

Commit 5cadd4bb1d7fc9ab201ac14620d1a478357e4ebd upstream.

Instead of __get_free_pages() and free_pages() use alloc_pages_exact()
and free_pages_exact(). This is in preparation of a change of
gnttab_end_foreign_access() which will prohibit use of high-order
pages.

By using the local variable "order" instead of ring->intf->ring_order
in the error path of xen_9pfs_front_alloc_dataring() another bug is
fixed, as the error path can be entered before ring->intf->ring_order
is being set.

By using alloc_pages_exact() the size in bytes is specified for the
allocation, which fixes another bug for the case of
order < (PAGE_SHIFT - XEN_PAGE_SHIFT).

This is part of CVE-2022-23041 / XSA-396.

Reported-by: Simon Gaiser <simon@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

b0e5fec4

xen: remove gnttab_query_foreign_access() · c16dd2ae

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit c900f34fc134cc75de431e16546f37bf7804a012

--------------------------------

Commit 1dbd11ca75fe664d3e54607547771d021f531f59 upstream.

Remove gnttab_query_foreign_access(), as it is unused and unsafe to
use.

All previous use cases assumed a grant would not be in use after
gnttab_query_foreign_access() returned 0. This information is useless
in best case, as it only refers to a situation in the past, which could
have changed already.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

c16dd2ae

xen/gntalloc: don't use gnttab_query_foreign_access() · f0006464

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit fbc57368ea527dcfa909908fc47a851a56e4e5ce

--------------------------------

Commit d3b6372c5881cb54925212abb62c521df8ba4809 upstream.

Using gnttab_query_foreign_access() is unsafe, as it is racy by design.

The use case in the gntalloc driver is not needed at all. While at it
replace the call of gnttab_end_foreign_access_ref() with a call of
gnttab_end_foreign_access(), which is what is really wanted there. In
case the grant wasn't used due to an allocation failure, just free the
grant via gnttab_free_grant_reference().

This is CVE-2022-23039 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

f0006464

xen/scsifront: don't use gnttab_query_foreign_access() for mapped status · 4ba1e7c0

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit 62a696c15cfcfd32527f81ca3d94f2bde57475dc

--------------------------------

Commit 33172ab50a53578a95691310f49567c9266968b0 upstream.

It isn't enough to check whether a grant is still being in use by
calling gnttab_query_foreign_access(), as a mapping could be realized
by the other side just after having called that function.

In case the call was done in preparation of revoking a grant it is
better to do so via gnttab_try_end_foreign_access() and check the
success of that operation instead.

This is CVE-2022-23038 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

4ba1e7c0

xen/netfront: don't use gnttab_query_foreign_access() for mapped status · e63e775c

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit 927e4eb8ddf4968b6a33be992b28063f84552c72

--------------------------------

Commit 31185df7e2b1d2fa1de4900247a12d7b9c7087eb upstream.

It isn't enough to check whether a grant is still being in use by
calling gnttab_query_foreign_access(), as a mapping could be realized
by the other side just after having called that function.

In case the call was done in preparation of revoking a grant it is
better to do so via gnttab_end_foreign_access_ref() and check the
success of that operation instead.

This is CVE-2022-23037 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

e63e775c

xen/blkfront: don't use gnttab_query_foreign_access() for mapped status · 3b5b044d

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit 423a3a50dce9a48d10d2d2a70cd2f78064c13703

--------------------------------

Commit abf1fd5919d6238ee3bc5eb4a9b6c3947caa6638 upstream.

It isn't enough to check whether a grant is still being in use by
calling gnttab_query_foreign_access(), as a mapping could be realized
by the other side just after having called that function.

In case the call was done in preparation of revoking a grant it is
better to do so via gnttab_end_foreign_access_ref() and check the
success of that operation instead.

For the ring allocation use alloc_pages_exact() in order to avoid
high order pages in case of a multi-page ring.

If a grant wasn't unmapped by the backend without persistent grants
being used, set the device state to "error".

This is CVE-2022-23036 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

3b5b044d

xen/grant-table: add gnttab_try_end_foreign_access() · efdc8ee2

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit 17659846fe336366b1663194f5669d10f5947f53

--------------------------------

Commit 6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a upstream.

Add a new grant table function gnttab_try_end_foreign_access(), which
will remove and free a grant if it is not in use.

Its main use case is to either free a grant if it is no longer in use,
or to take some other action if it is still in use. This other action
can be an error exit, or (e.g. in the case of blkfront persistent grant
feature) some special handling.

This is CVE-2022-23036, CVE-2022-23038 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

efdc8ee2

xen/xenbus: don't let xenbus_grant_ring() remove grants in error case · 85586d4f

Juergen Gross authored 3 years ago


stable inclusion
from linux-4.19.234
commit 8d521d960aef22781ff499e16899c30af899de8d

--------------------------------

Commit 3777ea7bac3113005b7180e6b9dadf16d19a5827 upstream.

Letting xenbus_grant_ring() tear down grants in the error case is
problematic, as the other side could already have used these grants.
Calling gnttab_end_foreign_access_ref() without checking success is
resulting in an unclear situation for any caller of xenbus_grant_ring()
as in the error case the memory pages of the ring page might be
partially mapped. Freeing them would risk unwanted foreign access to
them, while not freeing them would leak memory.

In order to remove the need to undo any gnttab_grant_foreign_access()
calls, use gnttab_alloc_grant_references() to make sure no further
error can occur in the loop granting access to the ring pages.

It should be noted that this way of handling removes leaking of
grant entries in the error case, too.

This is CVE-2022-23040 / part of XSA-396.

Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

85586d4f

xen/xenbus: Fix granting of vmalloc'd memory · 4fd62a05

Simon Leiner authored 3 years ago


stable inclusion
from linux-4.19.144
commit 47eb291ba65bfade197e73ee13610d97809cb087

--------------------------------

[ Upstream commit d742db70 ]

On some architectures (like ARM), virt_to_gfn cannot be used for
vmalloc'd memory because of its reliance on virt_to_phys. This patch
introduces a check for vmalloc'd addresses and obtains the PFN using
vmalloc_to_pfn in that case.

Signed-off-by: Simon Leiner <simon@leiner.me>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Link: https://lore.kernel.org/r/20200825093153.35500-1-simon@leiner.me


Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

4fd62a05

binder: fix test regression due to sender_euid change · a88267d5

Todd Kjos authored 3 years ago


stable inclusion
from linux-4.19.219
commit c3b9f29fca6682550d731c80745b421415c1e0af

--------------------------------

commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.

This is a partial revert of commit
29bc22ac5e5b ("binder: use euid from cred instead of using task").
Setting sender_euid using proc->cred caused some Android system test
regressions that need further investigation. It is a partial
reversion because subsequent patches rely on proc->cred.

Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
Cc: stable@vger.kernel.org # 4.4+
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

a88267d5

binder: use cred instead of task for selinux checks · d1b9a677

Todd Kjos authored 3 years ago


stable inclusion
from linux-4.19.218
commit e82f3f9638f17d58e9a217bce127e2376aefcb9d

--------------------------------

commit 52f88693378a58094c538662ba652aff0253c4fe upstream.

Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.

Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.

Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af7307 ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
conflicts:
	drivers/android/binder.c
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

d1b9a677

binder: use euid from cred instead of using task · 94e056c8

Todd Kjos authored 3 years ago


stable inclusion
from linux-4.19.218
commit 5d40061285b81a7e213dc9b37acc4a0545eedf32

--------------------------------

commit 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b upstream.

Save the 'struct cred' associated with a binder process
at initial open to avoid potential race conditions
when converting to an euid.

Set a transaction's sender_euid from the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.

Cc: stable@vger.kernel.org # 4.4+
Fixes: 457b9a6f ("Staging: android: add binder driver")
Signed-off-by: Todd Kjos <tkjos@google.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Suggested-by: Jann Horn <jannh@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>

94e056c8

Apr 14, 2022

svm: Change svm to modules · 8f226987

Lijun Fang authored 3 years ago

ascend inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4UR5Y


CVE: NA

--------------------

Change svm to modules by default.

Signed-off-by: Lijun Fang <fanglijun3@huawei.com>
Reviewed-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

8f226987

svm: Delete unused svm_get_unmapped_area ops · 0e5d94f9

Lijun Fang authored 3 years ago

ascend inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4UR5Y


CVE: NA

--------------------

svm_get_unmapped_area will be no longer used.

Signed-off-by: Lijun Fang <fanglijun3@huawei.com>
Reviewed-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

0e5d94f9

ascend: mm: Add MAP_ALIGN flag to map aligned va · 492bf18e

Lijun Fang authored 3 years ago

ascend inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4UR5Y


CVE: NA

--------------------

svm module use svm_get_unmapped_area ops to map an aligned va, which
used by mapping l2buf memory. The svm_get_unmapped_area use a lot of
duplicated codes, we add MAP_ALIGN to adjust mapinfo alignmask.

Signed-off-by: Lijun Fang <fanglijun3@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

492bf18e