Remove obsolete patches
parent
c064eca42f
commit
62e5e3199d
|
@ -1,134 +0,0 @@
|
||||||
From: Hui Peng <benquike@gmail.com>
|
|
||||||
Date: Thu, 15 Aug 2019 00:31:34 -0400
|
|
||||||
Subject: ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15118
|
|
||||||
Origin: https://git.kernel.org/linus/19bce474c45be69a284ecee660aa12d8f1e88f18
|
|
||||||
|
|
||||||
commit 19bce474c45be69a284ecee660aa12d8f1e88f18 upstream.
|
|
||||||
|
|
||||||
`check_input_term` recursively calls itself with input from
|
|
||||||
device side (e.g., uac_input_terminal_descriptor.bCSourceID)
|
|
||||||
as argument (id). In `check_input_term`, if `check_input_term`
|
|
||||||
is called with the same `id` argument as the caller, it triggers
|
|
||||||
endless recursive call, resulting kernel space stack overflow.
|
|
||||||
|
|
||||||
This patch fixes the bug by adding a bitmap to `struct mixer_build`
|
|
||||||
to keep track of the checked ids and stop the execution if some id
|
|
||||||
has been checked (similar to how parse_audio_unit handles unitid
|
|
||||||
argument).
|
|
||||||
|
|
||||||
Reported-by: Hui Peng <benquike@gmail.com>
|
|
||||||
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
|
|
||||||
Signed-off-by: Hui Peng <benquike@gmail.com>
|
|
||||||
Cc: <stable@vger.kernel.org>
|
|
||||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
sound/usb/mixer.c | 35 +++++++++++++++++++++++++++--------
|
|
||||||
1 file changed, 27 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
|
|
||||||
index 7e1c6c2dc99e..996126a28072 100644
|
|
||||||
--- a/sound/usb/mixer.c
|
|
||||||
+++ b/sound/usb/mixer.c
|
|
||||||
@@ -83,6 +83,7 @@ struct mixer_build {
|
|
||||||
unsigned char *buffer;
|
|
||||||
unsigned int buflen;
|
|
||||||
DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
|
|
||||||
+ DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
|
|
||||||
struct usb_audio_term oterm;
|
|
||||||
const struct usbmix_name_map *map;
|
|
||||||
const struct usbmix_selector_map *selector_map;
|
|
||||||
@@ -788,16 +789,25 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
|
|
||||||
* parse the source unit recursively until it reaches to a terminal
|
|
||||||
* or a branched unit.
|
|
||||||
*/
|
|
||||||
-static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
+static int __check_input_term(struct mixer_build *state, int id,
|
|
||||||
struct usb_audio_term *term)
|
|
||||||
{
|
|
||||||
int protocol = state->mixer->protocol;
|
|
||||||
int err;
|
|
||||||
void *p1;
|
|
||||||
+ unsigned char *hdr;
|
|
||||||
|
|
||||||
memset(term, 0, sizeof(*term));
|
|
||||||
- while ((p1 = find_audio_control_unit(state, id)) != NULL) {
|
|
||||||
- unsigned char *hdr = p1;
|
|
||||||
+ for (;;) {
|
|
||||||
+ /* a loop in the terminal chain? */
|
|
||||||
+ if (test_and_set_bit(id, state->termbitmap))
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
+ p1 = find_audio_control_unit(state, id);
|
|
||||||
+ if (!p1)
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ hdr = p1;
|
|
||||||
term->id = id;
|
|
||||||
|
|
||||||
if (protocol == UAC_VERSION_1 || protocol == UAC_VERSION_2) {
|
|
||||||
@@ -815,7 +825,7 @@ static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
|
|
||||||
/* call recursively to verify that the
|
|
||||||
* referenced clock entity is valid */
|
|
||||||
- err = check_input_term(state, d->bCSourceID, term);
|
|
||||||
+ err = __check_input_term(state, d->bCSourceID, term);
|
|
||||||
if (err < 0)
|
|
||||||
return err;
|
|
||||||
|
|
||||||
@@ -849,7 +859,7 @@ static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
case UAC2_CLOCK_SELECTOR: {
|
|
||||||
struct uac_selector_unit_descriptor *d = p1;
|
|
||||||
/* call recursively to retrieve the channel info */
|
|
||||||
- err = check_input_term(state, d->baSourceID[0], term);
|
|
||||||
+ err = __check_input_term(state, d->baSourceID[0], term);
|
|
||||||
if (err < 0)
|
|
||||||
return err;
|
|
||||||
term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
|
|
||||||
@@ -912,7 +922,7 @@ static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
|
|
||||||
/* call recursively to verify that the
|
|
||||||
* referenced clock entity is valid */
|
|
||||||
- err = check_input_term(state, d->bCSourceID, term);
|
|
||||||
+ err = __check_input_term(state, d->bCSourceID, term);
|
|
||||||
if (err < 0)
|
|
||||||
return err;
|
|
||||||
|
|
||||||
@@ -963,7 +973,7 @@ static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
case UAC3_CLOCK_SELECTOR: {
|
|
||||||
struct uac_selector_unit_descriptor *d = p1;
|
|
||||||
/* call recursively to retrieve the channel info */
|
|
||||||
- err = check_input_term(state, d->baSourceID[0], term);
|
|
||||||
+ err = __check_input_term(state, d->baSourceID[0], term);
|
|
||||||
if (err < 0)
|
|
||||||
return err;
|
|
||||||
term->type = UAC3_SELECTOR_UNIT << 16; /* virtual type */
|
|
||||||
@@ -979,7 +989,7 @@ static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
/* call recursively to retrieve the channel info */
|
|
||||||
- err = check_input_term(state, d->baSourceID[0], term);
|
|
||||||
+ err = __check_input_term(state, d->baSourceID[0], term);
|
|
||||||
if (err < 0)
|
|
||||||
return err;
|
|
||||||
|
|
||||||
@@ -997,6 +1007,15 @@ static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
return -ENODEV;
|
|
||||||
}
|
|
||||||
|
|
||||||
+
|
|
||||||
+static int check_input_term(struct mixer_build *state, int id,
|
|
||||||
+ struct usb_audio_term *term)
|
|
||||||
+{
|
|
||||||
+ memset(term, 0, sizeof(*term));
|
|
||||||
+ memset(state->termbitmap, 0, sizeof(state->termbitmap));
|
|
||||||
+ return __check_input_term(state, id, term);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Feature Unit
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
cgit 1.2-0.3.lf.el7
|
|
||||||
|
|
|
@ -1,56 +0,0 @@
|
||||||
From: Hui Peng <benquike@gmail.com>
|
|
||||||
Date: Tue, 13 Aug 2019 22:34:04 -0400
|
|
||||||
Subject: ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15117
|
|
||||||
Origin: https://git.kernel.org/linus/daac07156b330b18eb5071aec4b3ddca1c377f2c
|
|
||||||
|
|
||||||
commit daac07156b330b18eb5071aec4b3ddca1c377f2c upstream.
|
|
||||||
|
|
||||||
The `uac_mixer_unit_descriptor` shown as below is read from the
|
|
||||||
device side. In `parse_audio_mixer_unit`, `baSourceID` field is
|
|
||||||
accessed from index 0 to `bNrInPins` - 1, the current implementation
|
|
||||||
assumes that descriptor is always valid (the length of descriptor
|
|
||||||
is no shorter than 5 + `bNrInPins`). If a descriptor read from
|
|
||||||
the device side is invalid, it may trigger out-of-bound memory
|
|
||||||
access.
|
|
||||||
|
|
||||||
```
|
|
||||||
struct uac_mixer_unit_descriptor {
|
|
||||||
__u8 bLength;
|
|
||||||
__u8 bDescriptorType;
|
|
||||||
__u8 bDescriptorSubtype;
|
|
||||||
__u8 bUnitID;
|
|
||||||
__u8 bNrInPins;
|
|
||||||
__u8 baSourceID[];
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
This patch fixes the bug by add a sanity check on the length of
|
|
||||||
the descriptor.
|
|
||||||
|
|
||||||
Reported-by: Hui Peng <benquike@gmail.com>
|
|
||||||
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
|
|
||||||
Cc: <stable@vger.kernel.org>
|
|
||||||
Signed-off-by: Hui Peng <benquike@gmail.com>
|
|
||||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
sound/usb/mixer.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
|
|
||||||
index 996126a28072..4b3e1c48ca2f 100644
|
|
||||||
--- a/sound/usb/mixer.c
|
|
||||||
+++ b/sound/usb/mixer.c
|
|
||||||
@@ -760,6 +760,8 @@ static int uac_mixer_unit_get_channels(struct mixer_build *state,
|
|
||||||
return -EINVAL;
|
|
||||||
if (!desc->bNrInPins)
|
|
||||||
return -EINVAL;
|
|
||||||
+ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
|
|
||||||
+ return -EINVAL;
|
|
||||||
|
|
||||||
switch (state->mixer->protocol) {
|
|
||||||
case UAC_VERSION_1:
|
|
||||||
--
|
|
||||||
cgit 1.2-0.3.lf.el7
|
|
||||||
|
|
|
@ -1,79 +0,0 @@
|
||||||
From: Matt Delco <delco@chromium.org>
|
|
||||||
Date: Mon, 16 Sep 2019 14:16:54 -0700
|
|
||||||
Subject: KVM: coalesced_mmio: add bounds checking
|
|
||||||
Origin: https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14821
|
|
||||||
|
|
||||||
The first/last indexes are typically shared with a user app.
|
|
||||||
The app can change the 'last' index that the kernel uses
|
|
||||||
to store the next result. This change sanity checks the index
|
|
||||||
before using it for writing to a potentially arbitrary address.
|
|
||||||
|
|
||||||
This fixes CVE-2019-14821.
|
|
||||||
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
|
|
||||||
Signed-off-by: Matt Delco <delco@chromium.org>
|
|
||||||
Signed-off-by: Jim Mattson <jmattson@google.com>
|
|
||||||
Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
|
|
||||||
[Use READ_ONCE. - Paolo]
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
[Salvatore Bonaccorso: backport to 4.19: Adjust for context changes, cherry-pick
|
|
||||||
commit from stable-queue for 4.19.75]
|
|
||||||
---
|
|
||||||
virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
|
|
||||||
1 file changed, 10 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
--- a/virt/kvm/coalesced_mmio.c
|
|
||||||
+++ b/virt/kvm/coalesced_mmio.c
|
|
||||||
@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struc
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
|
|
||||||
+static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
|
|
||||||
{
|
|
||||||
struct kvm_coalesced_mmio_ring *ring;
|
|
||||||
unsigned avail;
|
|
||||||
@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struc
|
|
||||||
* there is always one unused entry in the buffer
|
|
||||||
*/
|
|
||||||
ring = dev->kvm->coalesced_mmio_ring;
|
|
||||||
- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
|
|
||||||
+ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
|
|
||||||
if (avail == 0) {
|
|
||||||
/* full */
|
|
||||||
return 0;
|
|
||||||
@@ -67,24 +67,27 @@ static int coalesced_mmio_write(struct k
|
|
||||||
{
|
|
||||||
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
|
|
||||||
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
|
|
||||||
+ __u32 insert;
|
|
||||||
|
|
||||||
if (!coalesced_mmio_in_range(dev, addr, len))
|
|
||||||
return -EOPNOTSUPP;
|
|
||||||
|
|
||||||
spin_lock(&dev->kvm->ring_lock);
|
|
||||||
|
|
||||||
- if (!coalesced_mmio_has_room(dev)) {
|
|
||||||
+ insert = READ_ONCE(ring->last);
|
|
||||||
+ if (!coalesced_mmio_has_room(dev, insert) ||
|
|
||||||
+ insert >= KVM_COALESCED_MMIO_MAX) {
|
|
||||||
spin_unlock(&dev->kvm->ring_lock);
|
|
||||||
return -EOPNOTSUPP;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* copy data in first free entry of the ring */
|
|
||||||
|
|
||||||
- ring->coalesced_mmio[ring->last].phys_addr = addr;
|
|
||||||
- ring->coalesced_mmio[ring->last].len = len;
|
|
||||||
- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
|
|
||||||
+ ring->coalesced_mmio[insert].phys_addr = addr;
|
|
||||||
+ ring->coalesced_mmio[insert].len = len;
|
|
||||||
+ memcpy(ring->coalesced_mmio[insert].data, val, len);
|
|
||||||
smp_wmb();
|
|
||||||
- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
|
|
||||||
+ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
|
|
||||||
spin_unlock(&dev->kvm->ring_lock);
|
|
||||||
return 0;
|
|
||||||
}
|
|
|
@ -1,120 +0,0 @@
|
||||||
From: Mike Snitzer <snitzer@redhat.com>
|
|
||||||
Date: Wed, 3 Apr 2019 12:23:11 -0400
|
|
||||||
Subject: dm: disable DISCARD if the underlying storage no longer supports it
|
|
||||||
Origin: https://git.kernel.org/linus/bcb44433bba5eaff293888ef22ffa07f1f0347d6
|
|
||||||
Bug-Debian: https://bugs.debian.org/934331
|
|
||||||
|
|
||||||
Storage devices which report supporting discard commands like
|
|
||||||
WRITE_SAME_16 with unmap, but reject discard commands sent to the
|
|
||||||
storage device. This is a clear storage firmware bug but it doesn't
|
|
||||||
change the fact that should a program cause discards to be sent to a
|
|
||||||
multipath device layered on this buggy storage, all paths can end up
|
|
||||||
failed at the same time from the discards, causing possible I/O loss.
|
|
||||||
|
|
||||||
The first discard to a path will fail with Illegal Request, Invalid
|
|
||||||
field in cdb, e.g.:
|
|
||||||
kernel: sd 8:0:8:19: [sdfn] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
|
|
||||||
kernel: sd 8:0:8:19: [sdfn] tag#0 Sense Key : Illegal Request [current]
|
|
||||||
kernel: sd 8:0:8:19: [sdfn] tag#0 Add. Sense: Invalid field in cdb
|
|
||||||
kernel: sd 8:0:8:19: [sdfn] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 a0 08 00 00 00 80 00 00 00
|
|
||||||
kernel: blk_update_request: critical target error, dev sdfn, sector 10487808
|
|
||||||
|
|
||||||
The SCSI layer converts this to the BLK_STS_TARGET error number, the sd
|
|
||||||
device disables its support for discard on this path, and because of the
|
|
||||||
BLK_STS_TARGET error multipath fails the discard without failing any
|
|
||||||
path or retrying down a different path. But subsequent discards can
|
|
||||||
cause path failures. Any discards sent to the path which already failed
|
|
||||||
a discard ends up failing with EIO from blk_cloned_rq_check_limits with
|
|
||||||
an "over max size limit" error since the discard limit was set to 0 by
|
|
||||||
the sd driver for the path. As the error is EIO, this now fails the
|
|
||||||
path and multipath tries to send the discard down the next path. This
|
|
||||||
cycle continues as discards are sent until all paths fail.
|
|
||||||
|
|
||||||
Fix this by training DM core to disable DISCARD if the underlying
|
|
||||||
storage already did so.
|
|
||||||
|
|
||||||
Also, fix branching in dm_done() and clone_endio() to reflect the
|
|
||||||
mutually exclussive nature of the IO operations in question.
|
|
||||||
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Reported-by: David Jeffery <djeffery@redhat.com>
|
|
||||||
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
|
|
||||||
[Salvatore Bonaccorso: backported to 4.19: Adjust for context changes in
|
|
||||||
drivers/md/dm-core.h]
|
|
||||||
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
|
|
||||||
---
|
|
||||||
drivers/md/dm-core.h | 1 +
|
|
||||||
drivers/md/dm-rq.c | 11 +++++++----
|
|
||||||
drivers/md/dm.c | 20 ++++++++++++++++----
|
|
||||||
3 files changed, 24 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
--- a/drivers/md/dm-core.h
|
|
||||||
+++ b/drivers/md/dm-core.h
|
|
||||||
@@ -130,6 +130,7 @@ struct mapped_device {
|
|
||||||
};
|
|
||||||
|
|
||||||
int md_in_flight(struct mapped_device *md);
|
|
||||||
+void disable_discard(struct mapped_device *md);
|
|
||||||
void disable_write_same(struct mapped_device *md);
|
|
||||||
void disable_write_zeroes(struct mapped_device *md);
|
|
||||||
|
|
||||||
--- a/drivers/md/dm-rq.c
|
|
||||||
+++ b/drivers/md/dm-rq.c
|
|
||||||
@@ -295,11 +295,14 @@ static void dm_done(struct request *clon
|
|
||||||
}
|
|
||||||
|
|
||||||
if (unlikely(error == BLK_STS_TARGET)) {
|
|
||||||
- if (req_op(clone) == REQ_OP_WRITE_SAME &&
|
|
||||||
- !clone->q->limits.max_write_same_sectors)
|
|
||||||
+ if (req_op(clone) == REQ_OP_DISCARD &&
|
|
||||||
+ !clone->q->limits.max_discard_sectors)
|
|
||||||
+ disable_discard(tio->md);
|
|
||||||
+ else if (req_op(clone) == REQ_OP_WRITE_SAME &&
|
|
||||||
+ !clone->q->limits.max_write_same_sectors)
|
|
||||||
disable_write_same(tio->md);
|
|
||||||
- if (req_op(clone) == REQ_OP_WRITE_ZEROES &&
|
|
||||||
- !clone->q->limits.max_write_zeroes_sectors)
|
|
||||||
+ else if (req_op(clone) == REQ_OP_WRITE_ZEROES &&
|
|
||||||
+ !clone->q->limits.max_write_zeroes_sectors)
|
|
||||||
disable_write_zeroes(tio->md);
|
|
||||||
}
|
|
||||||
|
|
||||||
--- a/drivers/md/dm.c
|
|
||||||
+++ b/drivers/md/dm.c
|
|
||||||
@@ -910,6 +910,15 @@ static void dec_pending(struct dm_io *io
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+void disable_discard(struct mapped_device *md)
|
|
||||||
+{
|
|
||||||
+ struct queue_limits *limits = dm_get_queue_limits(md);
|
|
||||||
+
|
|
||||||
+ /* device doesn't really support DISCARD, disable it */
|
|
||||||
+ limits->max_discard_sectors = 0;
|
|
||||||
+ blk_queue_flag_clear(QUEUE_FLAG_DISCARD, md->queue);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void disable_write_same(struct mapped_device *md)
|
|
||||||
{
|
|
||||||
struct queue_limits *limits = dm_get_queue_limits(md);
|
|
||||||
@@ -935,11 +944,14 @@ static void clone_endio(struct bio *bio)
|
|
||||||
dm_endio_fn endio = tio->ti->type->end_io;
|
|
||||||
|
|
||||||
if (unlikely(error == BLK_STS_TARGET) && md->type != DM_TYPE_NVME_BIO_BASED) {
|
|
||||||
- if (bio_op(bio) == REQ_OP_WRITE_SAME &&
|
|
||||||
- !bio->bi_disk->queue->limits.max_write_same_sectors)
|
|
||||||
+ if (bio_op(bio) == REQ_OP_DISCARD &&
|
|
||||||
+ !bio->bi_disk->queue->limits.max_discard_sectors)
|
|
||||||
+ disable_discard(md);
|
|
||||||
+ else if (bio_op(bio) == REQ_OP_WRITE_SAME &&
|
|
||||||
+ !bio->bi_disk->queue->limits.max_write_same_sectors)
|
|
||||||
disable_write_same(md);
|
|
||||||
- if (bio_op(bio) == REQ_OP_WRITE_ZEROES &&
|
|
||||||
- !bio->bi_disk->queue->limits.max_write_zeroes_sectors)
|
|
||||||
+ else if (bio_op(bio) == REQ_OP_WRITE_ZEROES &&
|
|
||||||
+ !bio->bi_disk->queue->limits.max_write_zeroes_sectors)
|
|
||||||
disable_write_zeroes(md);
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,90 +0,0 @@
|
||||||
From: Stefano Brivio <sbrivio@redhat.com>
|
|
||||||
Date: Wed, 16 Oct 2019 20:52:09 +0200
|
|
||||||
Subject: ipv4: Return -ENETUNREACH if we can't create route but saddr is valid
|
|
||||||
Origin: https://git.kernel.org/linus/595e0651d0296bad2491a4a29a7a43eae6328b02
|
|
||||||
Bug-Debian: https://bugs.debian.org/945023
|
|
||||||
|
|
||||||
...instead of -EINVAL. An issue was found with older kernel versions
|
|
||||||
while unplugging a NFS client with pending RPCs, and the wrong error
|
|
||||||
code here prevented it from recovering once link is back up with a
|
|
||||||
configured address.
|
|
||||||
|
|
||||||
Incidentally, this is not an issue anymore since commit 4f8943f80883
|
|
||||||
("SUNRPC: Replace direct task wakeups from softirq context"), included
|
|
||||||
in 5.2-rc7, had the effect of decoupling the forwarding of this error
|
|
||||||
by using SO_ERROR in xs_wake_error(), as pointed out by Benjamin
|
|
||||||
Coddington.
|
|
||||||
|
|
||||||
To the best of my knowledge, this isn't currently causing any further
|
|
||||||
issue, but the error code doesn't look appropriate anyway, and we
|
|
||||||
might hit this in other paths as well.
|
|
||||||
|
|
||||||
In detail, as analysed by Gonzalo Siero, once the route is deleted
|
|
||||||
because the interface is down, and can't be resolved and we return
|
|
||||||
-EINVAL here, this ends up, courtesy of inet_sk_rebuild_header(),
|
|
||||||
as the socket error seen by tcp_write_err(), called by
|
|
||||||
tcp_retransmit_timer().
|
|
||||||
|
|
||||||
In turn, tcp_write_err() indirectly calls xs_error_report(), which
|
|
||||||
wakes up the RPC pending tasks with a status of -EINVAL. This is then
|
|
||||||
seen by call_status() in the SUN RPC implementation, which aborts the
|
|
||||||
RPC call calling rpc_exit(), instead of handling this as a
|
|
||||||
potentially temporary condition, i.e. as a timeout.
|
|
||||||
|
|
||||||
Return -EINVAL only if the input parameters passed to
|
|
||||||
ip_route_output_key_hash_rcu() are actually invalid (this is the case
|
|
||||||
if the specified source address is multicast, limited broadcast or
|
|
||||||
all zeroes), but return -ENETUNREACH in all cases where, at the given
|
|
||||||
moment, the given source address doesn't allow resolving the route.
|
|
||||||
|
|
||||||
While at it, drop the initialisation of err to -ENETUNREACH, which
|
|
||||||
was added to __ip_route_output_key() back then by commit
|
|
||||||
0315e3827048 ("net: Fix behaviour of unreachable, blackhole and
|
|
||||||
prohibit routes"), but actually had no effect, as it was, and is,
|
|
||||||
overwritten by the fib_lookup() return code assignment, and anyway
|
|
||||||
ignored in all other branches, including the if (fl4->saddr) one:
|
|
||||||
I find this rather confusing, as it would look like -ENETUNREACH is
|
|
||||||
the "default" error, while that statement has no effect.
|
|
||||||
|
|
||||||
Also note that after commit fc75fc8339e7 ("ipv4: dont create routes
|
|
||||||
on down devices"), we would get -ENETUNREACH if the device is down,
|
|
||||||
but -EINVAL if the source address is specified and we can't resolve
|
|
||||||
the route, and this appears to be rather inconsistent.
|
|
||||||
|
|
||||||
Reported-by: Stefan Walter <walteste@inf.ethz.ch>
|
|
||||||
Analysed-by: Benjamin Coddington <bcodding@redhat.com>
|
|
||||||
Analysed-by: Gonzalo Siero <gsierohu@redhat.com>
|
|
||||||
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
---
|
|
||||||
net/ipv4/route.c | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
|
|
||||||
index 14654876127e..5bc172abd143 100644
|
|
||||||
--- a/net/ipv4/route.c
|
|
||||||
+++ b/net/ipv4/route.c
|
|
||||||
@@ -2470,14 +2470,17 @@ struct rtable *ip_route_output_key_hash_rcu(struct net *net, struct flowi4 *fl4,
|
|
||||||
int orig_oif = fl4->flowi4_oif;
|
|
||||||
unsigned int flags = 0;
|
|
||||||
struct rtable *rth;
|
|
||||||
- int err = -ENETUNREACH;
|
|
||||||
+ int err;
|
|
||||||
|
|
||||||
if (fl4->saddr) {
|
|
||||||
- rth = ERR_PTR(-EINVAL);
|
|
||||||
if (ipv4_is_multicast(fl4->saddr) ||
|
|
||||||
ipv4_is_lbcast(fl4->saddr) ||
|
|
||||||
- ipv4_is_zeronet(fl4->saddr))
|
|
||||||
+ ipv4_is_zeronet(fl4->saddr)) {
|
|
||||||
+ rth = ERR_PTR(-EINVAL);
|
|
||||||
goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rth = ERR_PTR(-ENETUNREACH);
|
|
||||||
|
|
||||||
/* I removed check for oif == dev_out->oif here.
|
|
||||||
It was wrong for two reasons:
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
|
@ -1,49 +0,0 @@
|
||||||
From: Steffen Klassert <steffen.klassert@secunet.com>
|
|
||||||
Date: Thu, 12 Sep 2019 13:01:44 +0200
|
|
||||||
Subject: ixgbe: Fix secpath usage for IPsec TX offload.
|
|
||||||
Origin: https://git.kernel.org/linus/f39b683d35dfa93a58f1b400a8ec0ff81296b37c
|
|
||||||
Bug-Debian: https://bugs.debian.org/930443
|
|
||||||
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=204551
|
|
||||||
|
|
||||||
The ixgbe driver currently does IPsec TX offloading
|
|
||||||
based on an existing secpath. However, the secpath
|
|
||||||
can also come from the RX side, in this case it is
|
|
||||||
misinterpreted for TX offload and the packets are
|
|
||||||
dropped with a "bad sa_idx" error. Fix this by using
|
|
||||||
the xfrm_offload() function to test for TX offload.
|
|
||||||
|
|
||||||
Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
|
|
||||||
Reported-by: Michael Marley <michael@michaelmarley.com>
|
|
||||||
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
|
||||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
||||||
[Salvatore Bonaccorso: Backport to 4.19.67: cherry-pick patch from 4.19.74
|
|
||||||
release with adjusted context]
|
|
||||||
---
|
|
||||||
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
|
|
||||||
index 410d5d3aa393..2c3da1516036 100644
|
|
||||||
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
|
|
||||||
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
|
|
||||||
@@ -34,6 +34,7 @@
|
|
||||||
#include <net/tc_act/tc_mirred.h>
|
|
||||||
#include <net/vxlan.h>
|
|
||||||
#include <net/mpls.h>
|
|
||||||
+#include <net/xfrm.h>
|
|
||||||
|
|
||||||
#include "ixgbe.h"
|
|
||||||
#include "ixgbe_common.h"
|
|
||||||
@@ -8599,7 +8600,8 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb,
|
|
||||||
#endif /* IXGBE_FCOE */
|
|
||||||
|
|
||||||
#ifdef CONFIG_XFRM_OFFLOAD
|
|
||||||
- if (skb->sp && !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
|
|
||||||
+ if (xfrm_offload(skb) &&
|
|
||||||
+ !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
|
|
||||||
goto out_drop;
|
|
||||||
#endif
|
|
||||||
tso = ixgbe_tso(tx_ring, first, &hdr_len, &ipsec_tx);
|
|
||||||
--
|
|
||||||
2.23.0
|
|
||||||
|
|
|
@ -1,61 +0,0 @@
|
||||||
From: Dirk Morris <dmorris@metaloft.com>
|
|
||||||
Date: Thu, 8 Aug 2019 13:57:51 -0700
|
|
||||||
Subject: netfilter: conntrack: Use consistent ct id hash calculation
|
|
||||||
Origin: https://git.kernel.org/linus/656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a
|
|
||||||
|
|
||||||
Change ct id hash calculation to only use invariants.
|
|
||||||
|
|
||||||
Currently the ct id hash calculation is based on some fields that can
|
|
||||||
change in the lifetime on a conntrack entry in some corner cases. The
|
|
||||||
current hash uses the whole tuple which contains an hlist pointer which
|
|
||||||
will change when the conntrack is placed on the dying list resulting in
|
|
||||||
a ct id change.
|
|
||||||
|
|
||||||
This patch also removes the reply-side tuple and extension pointer from
|
|
||||||
the hash calculation so that the ct id will will not change from
|
|
||||||
initialization until confirmation.
|
|
||||||
|
|
||||||
Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
|
|
||||||
Signed-off-by: Dirk Morris <dmorris@metaloft.com>
|
|
||||||
Acked-by: Florian Westphal <fw@strlen.de>
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
---
|
|
||||||
net/netfilter/nf_conntrack_core.c | 16 ++++++++--------
|
|
||||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
|
|
||||||
index a542761e90d1..81a8ef42b88d 100644
|
|
||||||
--- a/net/netfilter/nf_conntrack_core.c
|
|
||||||
+++ b/net/netfilter/nf_conntrack_core.c
|
|
||||||
@@ -453,13 +453,12 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
|
|
||||||
* table location, we assume id gets exposed to userspace.
|
|
||||||
*
|
|
||||||
* Following nf_conn items do not change throughout lifetime
|
|
||||||
- * of the nf_conn after it has been committed to main hash table:
|
|
||||||
+ * of the nf_conn:
|
|
||||||
*
|
|
||||||
* 1. nf_conn address
|
|
||||||
- * 2. nf_conn->ext address
|
|
||||||
- * 3. nf_conn->master address (normally NULL)
|
|
||||||
- * 4. tuple
|
|
||||||
- * 5. the associated net namespace
|
|
||||||
+ * 2. nf_conn->master address (normally NULL)
|
|
||||||
+ * 3. the associated net namespace
|
|
||||||
+ * 4. the original direction tuple
|
|
||||||
*/
|
|
||||||
u32 nf_ct_get_id(const struct nf_conn *ct)
|
|
||||||
{
|
|
||||||
@@ -469,9 +468,10 @@ u32 nf_ct_get_id(const struct nf_conn *ct)
|
|
||||||
net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
|
|
||||||
|
|
||||||
a = (unsigned long)ct;
|
|
||||||
- b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
|
|
||||||
- c = (unsigned long)ct->ext;
|
|
||||||
- d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
|
|
||||||
+ b = (unsigned long)ct->master;
|
|
||||||
+ c = (unsigned long)nf_ct_net(ct);
|
|
||||||
+ d = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
|
|
||||||
+ sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
|
|
||||||
&ct_id_seed);
|
|
||||||
#ifdef CONFIG_64BIT
|
|
||||||
return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
|
|
|
@ -1,54 +0,0 @@
|
||||||
From: yongduan <yongduan@tencent.com>
|
|
||||||
Date: Wed, 11 Sep 2019 17:44:24 +0800
|
|
||||||
Subject: vhost: make sure log_num < in_num
|
|
||||||
Origin: https://git.kernel.org/linus/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14835
|
|
||||||
|
|
||||||
The code assumes log_num < in_num everywhere, and that is true as long as
|
|
||||||
in_num is incremented by descriptor iov count, and log_num by 1. However
|
|
||||||
this breaks if there's a zero sized descriptor.
|
|
||||||
|
|
||||||
As a result, if a malicious guest creates a vring desc with desc.len = 0,
|
|
||||||
it may cause the host kernel to crash by overflowing the log array. This
|
|
||||||
bug can be triggered during the VM migration.
|
|
||||||
|
|
||||||
There's no need to log when desc.len = 0, so just don't increment log_num
|
|
||||||
in this case.
|
|
||||||
|
|
||||||
Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server")
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Reviewed-by: Lidong Chen <lidongchen@tencent.com>
|
|
||||||
Signed-off-by: ruippan <ruippan@tencent.com>
|
|
||||||
Signed-off-by: yongduan <yongduan@tencent.com>
|
|
||||||
Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
|
||||||
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
|
||||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
||||||
---
|
|
||||||
drivers/vhost/vhost.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
|
|
||||||
index 34ea219936e3..acabf20b069e 100644
|
|
||||||
--- a/drivers/vhost/vhost.c
|
|
||||||
+++ b/drivers/vhost/vhost.c
|
|
||||||
@@ -2180,7 +2180,7 @@ static int get_indirect(struct vhost_virtqueue *vq,
|
|
||||||
/* If this is an input descriptor, increment that count. */
|
|
||||||
if (access == VHOST_ACCESS_WO) {
|
|
||||||
*in_num += ret;
|
|
||||||
- if (unlikely(log)) {
|
|
||||||
+ if (unlikely(log && ret)) {
|
|
||||||
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
|
|
||||||
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
|
|
||||||
++*log_num;
|
|
||||||
@@ -2321,7 +2321,7 @@ int vhost_get_vq_desc(struct vhost_virtqueue *vq,
|
|
||||||
/* If this is an input descriptor,
|
|
||||||
* increment that count. */
|
|
||||||
*in_num += ret;
|
|
||||||
- if (unlikely(log)) {
|
|
||||||
+ if (unlikely(log && ret)) {
|
|
||||||
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
|
|
||||||
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
|
|
||||||
++*log_num;
|
|
||||||
--
|
|
||||||
2.23.0
|
|
||||||
|
|
|
@ -1,63 +0,0 @@
|
||||||
From: "Darrick J. Wong" <darrick.wong@oracle.com>
|
|
||||||
Date: Thu, 22 Aug 2019 20:55:28 -0700
|
|
||||||
Subject: xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
|
|
||||||
Origin: https://git.kernel.org/linus/1fb254aa983bf190cfd685d40c64a480a9bafaee
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15538
|
|
||||||
|
|
||||||
Benjamin Moody reported to Debian that XFS partially wedges when a chgrp
|
|
||||||
fails on account of being out of disk quota. I ran his reproducer
|
|
||||||
script:
|
|
||||||
|
|
||||||
# adduser dummy
|
|
||||||
# adduser dummy plugdev
|
|
||||||
|
|
||||||
# dd if=/dev/zero bs=1M count=100 of=test.img
|
|
||||||
# mkfs.xfs test.img
|
|
||||||
# mount -t xfs -o gquota test.img /mnt
|
|
||||||
# mkdir -p /mnt/dummy
|
|
||||||
# chown -c dummy /mnt/dummy
|
|
||||||
# xfs_quota -xc 'limit -g bsoft=100k bhard=100k plugdev' /mnt
|
|
||||||
|
|
||||||
(and then as user dummy)
|
|
||||||
|
|
||||||
$ dd if=/dev/urandom bs=1M count=50 of=/mnt/dummy/foo
|
|
||||||
$ chgrp plugdev /mnt/dummy/foo
|
|
||||||
|
|
||||||
and saw:
|
|
||||||
|
|
||||||
================================================
|
|
||||||
WARNING: lock held when returning to user space!
|
|
||||||
5.3.0-rc5 #rc5 Tainted: G W
|
|
||||||
------------------------------------------------
|
|
||||||
chgrp/47006 is leaving the kernel with locks still held!
|
|
||||||
1 lock held by chgrp/47006:
|
|
||||||
#0: 000000006664ea2d (&xfs_nondir_ilock_class){++++}, at: xfs_ilock+0xd2/0x290 [xfs]
|
|
||||||
|
|
||||||
...which is clearly caused by xfs_setattr_nonsize failing to unlock the
|
|
||||||
ILOCK after the xfs_qm_vop_chown_reserve call fails. Add the missing
|
|
||||||
unlock.
|
|
||||||
|
|
||||||
Reported-by: benjamin.moody@gmail.com
|
|
||||||
Fixes: 253f4911f297 ("xfs: better xfs_trans_alloc interface")
|
|
||||||
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
|
|
||||||
Reviewed-by: Dave Chinner <dchinner@redhat.com>
|
|
||||||
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
|
|
||||||
---
|
|
||||||
fs/xfs/xfs_iops.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
|
|
||||||
index ff3c1fae5357..fe285d123d69 100644
|
|
||||||
--- a/fs/xfs/xfs_iops.c
|
|
||||||
+++ b/fs/xfs/xfs_iops.c
|
|
||||||
@@ -793,6 +793,7 @@ xfs_setattr_nonsize(
|
|
||||||
|
|
||||||
out_cancel:
|
|
||||||
xfs_trans_cancel(tp);
|
|
||||||
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
|
|
||||||
out_dqrele:
|
|
||||||
xfs_qm_dqrele(udqp);
|
|
||||||
xfs_qm_dqrele(gdqp);
|
|
||||||
--
|
|
||||||
2.23.0
|
|
||||||
|
|
|
@ -1,96 +0,0 @@
|
||||||
From: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
Date: Tue, 11 Sep 2018 02:38:36 +0100
|
|
||||||
Subject: tools: x86_energy_perf_policy: Fix "uninitialized variable"
|
|
||||||
warnings at -O2
|
|
||||||
Forwarded: https://marc.info/?l=linux-pm&m=153711035626776
|
|
||||||
|
|
||||||
x86_energy_perf_policy first uses __get_cpuid() to check the maximum
|
|
||||||
CPUID level and exits if it is too low. It then assumes that later
|
|
||||||
calls will succeed (which I think is architecturally guaranteed). It
|
|
||||||
also assumes that CPUID works at all (which is not guaranteed on
|
|
||||||
x86_32).
|
|
||||||
|
|
||||||
If optimisations are enabled, gcc warns about potentially
|
|
||||||
uninitialized variables. Fix this by adding an exit-on-error after
|
|
||||||
every call to __get_cpuid() instead of just checking the maximum
|
|
||||||
level.
|
|
||||||
|
|
||||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
---
|
|
||||||
.../x86_energy_perf_policy.c | 26 +++++++++++--------
|
|
||||||
1 file changed, 15 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
|
|
||||||
index 65bbe627a425..bbef8bcf44d6 100644
|
|
||||||
--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
|
|
||||||
+++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
|
|
||||||
@@ -1260,6 +1260,15 @@ void probe_dev_msr(void)
|
|
||||||
if (system("/sbin/modprobe msr > /dev/null 2>&1"))
|
|
||||||
err(-5, "no /dev/cpu/0/msr, Try \"# modprobe msr\" ");
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+static void get_cpuid_or_exit(unsigned int leaf,
|
|
||||||
+ unsigned int *eax, unsigned int *ebx,
|
|
||||||
+ unsigned int *ecx, unsigned int *edx)
|
|
||||||
+{
|
|
||||||
+ if (!__get_cpuid(leaf, eax, ebx, ecx, edx))
|
|
||||||
+ errx(1, "Processor not supported\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* early_cpuid()
|
|
||||||
* initialize turbo_is_enabled, has_hwp, has_epb
|
|
||||||
@@ -1267,15 +1276,10 @@ void probe_dev_msr(void)
|
|
||||||
*/
|
|
||||||
void early_cpuid(void)
|
|
||||||
{
|
|
||||||
- unsigned int eax, ebx, ecx, edx, max_level;
|
|
||||||
+ unsigned int eax, ebx, ecx, edx;
|
|
||||||
unsigned int fms, family, model;
|
|
||||||
|
|
||||||
- __get_cpuid(0, &max_level, &ebx, &ecx, &edx);
|
|
||||||
-
|
|
||||||
- if (max_level < 6)
|
|
||||||
- errx(1, "Processor not supported\n");
|
|
||||||
-
|
|
||||||
- __get_cpuid(1, &fms, &ebx, &ecx, &edx);
|
|
||||||
+ get_cpuid_or_exit(1, &fms, &ebx, &ecx, &edx);
|
|
||||||
family = (fms >> 8) & 0xf;
|
|
||||||
model = (fms >> 4) & 0xf;
|
|
||||||
if (family == 6 || family == 0xf)
|
|
||||||
@@ -1289,7 +1293,7 @@ void early_cpuid(void)
|
|
||||||
bdx_highest_ratio = msr & 0xFF;
|
|
||||||
}
|
|
||||||
|
|
||||||
- __get_cpuid(0x6, &eax, &ebx, &ecx, &edx);
|
|
||||||
+ get_cpuid_or_exit(0x6, &eax, &ebx, &ecx, &edx);
|
|
||||||
turbo_is_enabled = (eax >> 1) & 1;
|
|
||||||
has_hwp = (eax >> 7) & 1;
|
|
||||||
has_epb = (ecx >> 3) & 1;
|
|
||||||
@@ -1307,7 +1311,7 @@ void parse_cpuid(void)
|
|
||||||
|
|
||||||
eax = ebx = ecx = edx = 0;
|
|
||||||
|
|
||||||
- __get_cpuid(0, &max_level, &ebx, &ecx, &edx);
|
|
||||||
+ get_cpuid_or_exit(0, &max_level, &ebx, &ecx, &edx);
|
|
||||||
|
|
||||||
if (ebx == 0x756e6547 && edx == 0x49656e69 && ecx == 0x6c65746e)
|
|
||||||
genuine_intel = 1;
|
|
||||||
@@ -1316,7 +1320,7 @@ void parse_cpuid(void)
|
|
||||||
fprintf(stderr, "CPUID(0): %.4s%.4s%.4s ",
|
|
||||||
(char *)&ebx, (char *)&edx, (char *)&ecx);
|
|
||||||
|
|
||||||
- __get_cpuid(1, &fms, &ebx, &ecx, &edx);
|
|
||||||
+ get_cpuid_or_exit(1, &fms, &ebx, &ecx, &edx);
|
|
||||||
family = (fms >> 8) & 0xf;
|
|
||||||
model = (fms >> 4) & 0xf;
|
|
||||||
stepping = fms & 0xf;
|
|
||||||
@@ -1341,7 +1345,7 @@ void parse_cpuid(void)
|
|
||||||
errx(1, "CPUID: no MSR");
|
|
||||||
|
|
||||||
|
|
||||||
- __get_cpuid(0x6, &eax, &ebx, &ecx, &edx);
|
|
||||||
+ get_cpuid_or_exit(0x6, &eax, &ebx, &ecx, &edx);
|
|
||||||
/* turbo_is_enabled already set */
|
|
||||||
/* has_hwp already set */
|
|
||||||
has_hwp_notify = eax & (1 << 8);
|
|
|
@ -1,45 +0,0 @@
|
||||||
From: Pavel Tatashin <pasha.tatashin@soleen.com>
|
|
||||||
Date: Sat, 26 Jan 2019 12:49:56 -0500
|
|
||||||
Subject: x86/kvmclock: set offset for kvm unstable clock
|
|
||||||
Origin: https://patchwork.kernel.org/patch/10782557/
|
|
||||||
Bug-Debian: https://bugs.debian.org/918036
|
|
||||||
|
|
||||||
VMs may show incorrect uptime and dmesg printk offsets on hypervisors with
|
|
||||||
unstable clock. The problem is produced when VM is rebooted without exiting
|
|
||||||
from qemu.
|
|
||||||
|
|
||||||
The fix is to calculate clock offset not only for stable clock but for
|
|
||||||
unstable clock as well, and use kvm_sched_clock_read() which substracts
|
|
||||||
the offset for both clocks.
|
|
||||||
|
|
||||||
This is safe, because pvclock_clocksource_read() does the right thing and
|
|
||||||
makes sure that clock always goes forward, so once offset is calculated
|
|
||||||
with unstable clock, we won't get new reads that are smaller than offset,
|
|
||||||
and thus won't get negative results.
|
|
||||||
|
|
||||||
Thank you Jon DeVree for helping to reproduce this issue.
|
|
||||||
|
|
||||||
Fixes: 857baa87b642 ("sched/clock: Enable sched clock early")
|
|
||||||
|
|
||||||
Reported-by: Dominique Martinet <asmadeus@codewreck.org>
|
|
||||||
Signed-off-by: Pavel Tatashin <pasha.tatashin@soleen.com>
|
|
||||||
[carnil: Backport to 4.19 for context changes]
|
|
||||||
---
|
|
||||||
arch/x86/kernel/kvmclock.c | 6 +-----
|
|
||||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/kvmclock.c
|
|
||||||
+++ b/arch/x86/kernel/kvmclock.c
|
|
||||||
@@ -117,11 +117,8 @@ static u64 kvm_sched_clock_read(void)
|
|
||||||
|
|
||||||
static inline void kvm_sched_clock_init(bool stable)
|
|
||||||
{
|
|
||||||
- if (!stable) {
|
|
||||||
- pv_time_ops.sched_clock = kvm_clock_read;
|
|
||||||
+ if (!stable)
|
|
||||||
clear_sched_clock_stable();
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
|
|
||||||
kvm_sched_clock_offset = kvm_clock_read();
|
|
||||||
pv_time_ops.sched_clock = kvm_sched_clock_read;
|
|
|
@ -1,44 +0,0 @@
|
||||||
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
Date: Wed, 4 Sep 2019 12:27:18 +0200
|
|
||||||
Subject: x86/ptrace: fix up botched merge of spectrev1 fix
|
|
||||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=69f692bb7e684592aaba779299bc576626d414b4
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15902
|
|
||||||
|
|
||||||
I incorrectly merged commit 31a2fbb390fe ("x86/ptrace: Fix possible
|
|
||||||
spectre-v1 in ptrace_get_debugreg()") when backporting it, as was
|
|
||||||
graciously pointed out at
|
|
||||||
https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
|
|
||||||
|
|
||||||
Resolve the upstream difference with the stable kernel merge to properly
|
|
||||||
protect things.
|
|
||||||
|
|
||||||
Reported-by: Brad Spengler <spender@grsecurity.net>
|
|
||||||
Cc: Dianzhang Chen <dianzhangchen0@gmail.com>
|
|
||||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Cc: <bp@alien8.de>
|
|
||||||
Cc: <hpa@zytor.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/ptrace.c | 3 +--
|
|
||||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
|
|
||||||
index 8d20fb09722c..7f377f8792aa 100644
|
|
||||||
--- a/arch/x86/kernel/ptrace.c
|
|
||||||
+++ b/arch/x86/kernel/ptrace.c
|
|
||||||
@@ -651,11 +651,10 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
|
|
||||||
{
|
|
||||||
struct thread_struct *thread = &tsk->thread;
|
|
||||||
unsigned long val = 0;
|
|
||||||
- int index = n;
|
|
||||||
|
|
||||||
if (n < HBP_NUM) {
|
|
||||||
+ int index = array_index_nospec(n, HBP_NUM);
|
|
||||||
struct perf_event *bp = thread->ptrace_bps[index];
|
|
||||||
- index = array_index_nospec(index, HBP_NUM);
|
|
||||||
|
|
||||||
if (bp)
|
|
||||||
val = bp->hw.info.address;
|
|
||||||
--
|
|
||||||
2.23.0
|
|
||||||
|
|
|
@ -1,43 +0,0 @@
|
||||||
From: Juergen Gross <jgross@suse.com>
|
|
||||||
Date: Mon, 3 Dec 2018 11:38:11 +0100
|
|
||||||
Subject: x86/boot: Clear RSDP address in boot_params for broken loaders
|
|
||||||
Origin: https://git.kernel.org/linus/182ddd16194cd082f25fa1b063dae3c7c5cce384
|
|
||||||
|
|
||||||
Gunnar Krueger reported a systemd-boot failure and bisected it down to:
|
|
||||||
|
|
||||||
e6e094e053af75 ("x86/acpi, x86/boot: Take RSDP address from boot params if available")
|
|
||||||
|
|
||||||
In case a broken boot loader doesn't clear its 'struct boot_params', clear
|
|
||||||
rsdp_addr in sanitize_boot_params().
|
|
||||||
|
|
||||||
Reported-by: Gunnar Krueger <taijian@posteo.de>
|
|
||||||
Tested-by: Gunnar Krueger <taijian@posteo.de>
|
|
||||||
Signed-off-by: Juergen Gross <jgross@suse.com>
|
|
||||||
Cc: H. Peter Anvin <hpa@zytor.com>
|
|
||||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
|
||||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Cc: bp@alien8.de
|
|
||||||
Cc: sstabellini@kernel.org
|
|
||||||
Fixes: e6e094e053af75 ("x86/acpi, x86/boot: Take RSDP address from boot params if available")
|
|
||||||
Link: http://lkml.kernel.org/r/20181203103811.17056-1-jgross@suse.com
|
|
||||||
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/bootparam_utils.h | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h
|
|
||||||
index a07ffd23e4dd..f6f6ef436599 100644
|
|
||||||
--- a/arch/x86/include/asm/bootparam_utils.h
|
|
||||||
+++ b/arch/x86/include/asm/bootparam_utils.h
|
|
||||||
@@ -36,6 +36,7 @@ static void sanitize_boot_params(struct boot_params *boot_params)
|
|
||||||
*/
|
|
||||||
if (boot_params->sentinel) {
|
|
||||||
/* fields in boot_params are left uninitialized, clear them */
|
|
||||||
+ boot_params->acpi_rsdp_addr = 0;
|
|
||||||
memset(&boot_params->ext_ramdisk_image, 0,
|
|
||||||
(char *)&boot_params->efi_info -
|
|
||||||
(char *)&boot_params->ext_ramdisk_image);
|
|
||||||
--
|
|
||||||
2.19.2
|
|
||||||
|
|
|
@ -76,7 +76,6 @@ bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz
|
||||||
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
|
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
|
||||||
bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
|
bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
|
||||||
bugfix/powerpc/powerpc-fix-mcpu-options-for-spe-only-compiler.patch
|
bugfix/powerpc/powerpc-fix-mcpu-options-for-spe-only-compiler.patch
|
||||||
bugfix/x86/x86-kvmclock-set-offset-for-kvm-unstable-clock.patch
|
|
||||||
bugfix/arm/ARM-dts-sun8i-h3-add-sy8106a-to-orange-pi-plus.patch
|
bugfix/arm/ARM-dts-sun8i-h3-add-sy8106a-to-orange-pi-plus.patch
|
||||||
bugfix/arm64/arm64-dts-allwinner-a64-Enable-A64-timer-workaround.patch
|
bugfix/arm64/arm64-dts-allwinner-a64-Enable-A64-timer-workaround.patch
|
||||||
bugfix/mips/MIPS-Loongson-Introduce-and-use-loongson_llsc_mb.patch
|
bugfix/mips/MIPS-Loongson-Introduce-and-use-loongson_llsc_mb.patch
|
||||||
|
@ -91,7 +90,6 @@ features/x86/x86-boot-Add-ACPI-RSDP-address-to-setup_header.patch
|
||||||
features/x86/x86-acpi-x86-boot-Take-RSDP-address-for-boot-params-.patch
|
features/x86/x86-acpi-x86-boot-Take-RSDP-address-for-boot-params-.patch
|
||||||
features/x86/x86-boot-Mostly-revert-commit-ae7e1238e68f2a-Add-ACP.patch
|
features/x86/x86-boot-Mostly-revert-commit-ae7e1238e68f2a-Add-ACP.patch
|
||||||
features/x86/x86-acpi-x86-boot-Take-RSDP-address-from-boot-params.patch
|
features/x86/x86-acpi-x86-boot-Take-RSDP-address-from-boot-params.patch
|
||||||
features/x86/x86-boot-Clear-RSDP-address-in-boot_params-for-broke.patch
|
|
||||||
features/arm64/arm64-dts-allwinner-a64-Add-Pine64-LTS-device-tree-f.patch
|
features/arm64/arm64-dts-allwinner-a64-Add-Pine64-LTS-device-tree-f.patch
|
||||||
|
|
||||||
# Miscellaneous bug fixes
|
# Miscellaneous bug fixes
|
||||||
|
@ -103,10 +101,6 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
|
||||||
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
|
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
|
||||||
bugfix/all/mt76-use-the-correct-hweight8-function.patch
|
bugfix/all/mt76-use-the-correct-hweight8-function.patch
|
||||||
bugfix/all/rtc-s35390a-set-uie_unsupported.patch
|
bugfix/all/rtc-s35390a-set-uie_unsupported.patch
|
||||||
bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch
|
|
||||||
bugfix/all/xfs-fix-missing-ILOCK-unlock-when-xfs_setattr_nonsiz.patch
|
|
||||||
bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch
|
|
||||||
bugfix/all/ipv4-Return-ENETUNREACH-if-we-can-t-create-route-but.patch
|
|
||||||
|
|
||||||
# Miscellaneous features
|
# Miscellaneous features
|
||||||
|
|
||||||
|
@ -176,7 +170,6 @@ bugfix/all/libcpupower-hide-private-function.patch
|
||||||
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
|
bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
|
||||||
bugfix/all/tools-lib-api-fs-fs.c-fix-misuse-of-strncpy.patch
|
bugfix/all/tools-lib-api-fs-fs.c-fix-misuse-of-strncpy.patch
|
||||||
bugfix/all/usbip-fix-misuse-of-strncpy.patch
|
bugfix/all/usbip-fix-misuse-of-strncpy.patch
|
||||||
bugfix/x86/tools-x86_energy_perf_policy-fix-uninitialized-varia.patch
|
|
||||||
bugfix/x86/tools-turbostat-Add-checks-for-failure-of-fgets-and-.patch
|
bugfix/x86/tools-turbostat-Add-checks-for-failure-of-fgets-and-.patch
|
||||||
bugfix/all/libbpf-add-soname-to-shared-object.patch
|
bugfix/all/libbpf-add-soname-to-shared-object.patch
|
||||||
bugfix/all/libbpf-link-shared-object-with-libelf.patch
|
bugfix/all/libbpf-link-shared-object-with-libelf.patch
|
||||||
|
@ -298,12 +291,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
debian/ntfs-mark-it-as-broken.patch
|
debian/ntfs-mark-it-as-broken.patch
|
||||||
bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
|
|
||||||
bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
|
|
||||||
bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
|
|
||||||
bugfix/all/vhost-make-sure-log_num-in_num.patch
|
|
||||||
bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
|
|
||||||
bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
|
|
||||||
bugfix/x86/taa/0001-KVM-x86-use-Intel-speculation-bugs-and-features-as-d.patch
|
bugfix/x86/taa/0001-KVM-x86-use-Intel-speculation-bugs-and-features-as-d.patch
|
||||||
bugfix/x86/taa/0002-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
|
bugfix/x86/taa/0002-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
|
||||||
bugfix/x86/taa/0003-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
|
bugfix/x86/taa/0003-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
|
||||||
|
|