Update to 4.16.10
parent
c2dbc30362
commit
b1a9e2470a
@ -1,4 +1,4 @@
linux (4.16.8-1) UNRELEASED; urgency=medium
linux (4.16.10-1) UNRELEASED; urgency=medium

* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.6
@ -244,6 +244,128 @@ linux (4.16.8-1) UNRELEASED; urgency=medium
- clocksource: Initialize cs->wd_list
- clocksource: Consistent de-rate when marking unstable
- tracing: Fix bad use of igrab in trace_uprobe.c
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.9
- ipvs: fix rtnl_lock lockups caused by start_sync_thread
- netfilter: ebtables: don't attempt to allocate 0-sized compat array
- clk: ti: fix flag space conflict with clkctrl clocks
- rds: tcp: must use spin_lock_irq* and not spin_lock_bh with
rds_tcp_conn_lock
- crypto: af_alg - fix possible uninit-value in alg_bind()
- netlink: fix uninit-value in netlink_sendmsg
- net: fix rtnh_ok()
- net: initialize skb->peeked when cloning
- net: fix uninit-value in __hw_addr_add_ex()
- dccp: initialize ireq->ir_mark
- ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
- soreuseport: initialise timewait reuseport field
- inetpeer: fix uninit-value in inet_getpeer
- bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog
- memcg: fix per_node_info cleanup
- perf: Remove superfluous allocation error check
- i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
- tcp: fix TCP_REPAIR_QUEUE bound checking
- bdi: wake up concurrent wb_shutdown() callers.
- bdi: Fix use after free bug in debugfs_remove()
- bdi: Fix oops in wb_workfn()
- compat: fix 4-byte infoleak via uninitialized struct field
- gpioib: do not free unrequested descriptors
- gpio: fix error path in lineevent_create
- rfkill: gpio: fix memory leak in probe error path
- libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
- dm integrity: use kvfree for kvmalloc'd memory
- tracing: Fix regex_match_front() to not over compare the test string
- mm: sections are not offlined during memory hotremove
- mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200)
- ceph: fix rsize/wsize capping in ceph_direct_read_write()
- can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
- [armhf,arm64] drm/vc4: Fix scaling of uni-planar formats
- drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages
- [x86] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
- [x86] drm/i915: Adjust eDP's logical vco in a reliable place.
- drm/nouveau: Fix deadlock in nv50_mstm_register_connector()
(Closes: #898825)
- drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client
- drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()
- drm/atomic: Clean private obj old_state/new_state in
drm_atomic_state_default_clear()
- net: atm: Fix potential Spectre v1
- atm: zatm: Fix potential Spectre v1
- PCI / PM: Always check PME wakeup capability for runtime wakeup support
- PCI / PM: Check device_may_wakeup() in pci_enable_wake()
- cpufreq: schedutil: Avoid using invalid next_freq
- Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
- [x86] Bluetooth: btusb: Add Dell XPS 13 9360 to
btusb_needs_reset_resume_table
- Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome
chipsets
- [armhf] thermal: exynos: Reading temperature makes sense only when TMU is
turned on
- [armhf] thermal: exynos: Propagate error value from tmu_read()
- nvme: add quirk to force medium priority for SQ creation
- nvme: Fix sync controller reset return
- smb3: directory sync should not return an error
- swiotlb: silent unwanted warning "buffer is full"
- sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
- sched/autogroup: Fix possible Spectre-v1 indexing for
sched_prio_to_weight[]
- tracing/uprobe_event: Fix strncpy corner case
- [x86] perf: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
- [x86] perf/cstate: Fix possible Spectre-v1 indexing for pkg_msr
- [x86] perf/msr: Fix possible Spectre-v1 indexing in the MSR driver
- perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
- [x86] perf: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.10
- 8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
- bridge: check iface upper dev when setting master via ioctl
- dccp: fix tasklet usage
- ipv4: fix fnhe usage by non-cached routes
- ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
- llc: better deal with too small mtu
- net: ethernet: sun: niu set correct packet size in skb
- [armhf] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
- net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()'
- net/mlx4_en: Verify coalescing parameters are in range
- net/mlx5e: Err if asked to offload TC match on frag being first
- net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
- net sched actions: fix refcnt leak in skbmod
- net_sched: fq: take care of throttled flows before reuse
- net: support compat 64-bit time in {s,g}etsockopt
- openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is
found
- qmi_wwan: do not steal interfaces from class drivers
- r8169: fix powering up RTL8168h
- rds: do not leak kernel memory to user land
- sctp: delay the authentication for the duplicated cookie-echo chunk
- sctp: fix the issue that the cookie-ack with auth can't get processed
- sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
- sctp: remove sctp_chunk_put from fail_mark err path in
sctp_ulpevent_make_rcvmsg
- sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
- tcp_bbr: fix to zero idle_restart only upon S/ACKed data
- tcp: ignore Fast Open on repair mode
- tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
- bonding: do not allow rlb updates to invalid mac
- bonding: send learning packets for vlans on slave
- net: sched: fix error path in tcf_proto_create() when modules are not
configured
- net/mlx5e: TX, Use correct counter in dma_map error flow
- net/mlx5: Avoid cleaning flow steering table twice during error flow
- [x86] hv_netvsc: set master device
- ipv6: fix uninit-value in ip6_multipath_l3_keys()
- net/mlx5e: Allow offloading ipv4 header re-write for icmp
- udp: fix SO_BINDTODEVICE
- net/mlx5e: DCBNL fix min inline header size for dscp
- sctp: clear the new asoc's stream outcnt in sctp_stream_update
- tcp: restore autocorking
- tipc: fix one byte leak in tipc_sk_set_orig_addr()
- [x86] hv_netvsc: Fix net device attach on older Windows hosts
- ipv4: reset fnhe_mtu_locked after cache route flushed
- net/mlx5: Fix mlx5_get_vector_affinity function
- net: phy: sfp: fix the BR,min computation
- net/smc: keep clcsock reference in smc_tcp_listen_work()
- scsi: aacraid: Correct hba_send to include iu_type
- proc: do not access cmdline nor environ from file-backed areas
(CVE-2018-1120)

[ Romain Perier ]
* [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204)
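Review bot: three items in the added stable lists duplicate fixes that this commit carries as Debian patches and deletes further down: "mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200)" under 4.16.9, and "proc: do not access cmdline nor environ from file-backed areas (CVE-2018-1120)" and "8139too: Use disable_irq_nosync() in rtl8139_poll_controller()" under 4.16.10. Keeping the CVE identifiers on these items matters because the maintainer-entry copies of the two CVE lines are removed in the next hunk, so these list items become the only changelog references a security tracker can match.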
@ -257,9 +379,6 @@ linux (4.16.8-1) UNRELEASED; urgency=medium
* [rt] Update to 4.16.7-rt1 and reenable
* [rt] certs: Reference certificate for test key used in Debian signing
service
* mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200)
* proc: do not access cmdline nor environ from file-backed areas
(CVE-2018-1120)

-- Vagrant Cascadian <vagrant@debian.org> Mon, 30 Apr 2018 11:23:15 -0700
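Review bot: the two entries removed here (the mm, oom fix for CVE-2018-1000200 and the proc cmdline/environ fix for CVE-2018-1120) reappear as items in the 4.16.9 and 4.16.10 stable lists added above, so this is a move rather than a loss of the CVE record. The remaining "[rt] Update to 4.16.7-rt1 and reenable" line is correct as it stands even though the rt patch queue loses its 8139too patch later in this commit, since that fix now arrives through the stable update.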
@ -1,242 +0,0 @@
From: David Rientjes <rientjes@google.com>
Date: Fri, 11 May 2018 16:02:04 -0700
Subject: mm, oom: fix concurrent munlock and oom reaper unmap, v3
Origin: https://git.kernel.org/linus/27ae357fa82be5ab73b2ef8d39dcb8ca2563483a
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000200

Since exit_mmap() is done without the protection of mm->mmap_sem, it is
possible for the oom reaper to concurrently operate on an mm until
MMF_OOM_SKIP is set.

This allows munlock_vma_pages_all() to concurrently run while the oom
reaper is operating on a vma. Since munlock_vma_pages_range() depends
on clearing VM_LOCKED from vm_flags before actually doing the munlock to
determine if any other vmas are locking the same memory, the check for
VM_LOCKED in the oom reaper is racy.

This is especially noticeable on architectures such as powerpc where
clearing a huge pmd requires serialize_against_pte_lookup(). If the pmd
is zapped by the oom reaper during follow_page_mask() after the check
for pmd_none() is bypassed, this ends up dereferencing a NULL ptl or a
kernel oops.

Fix this by manually freeing all possible memory from the mm before
doing the munlock and then setting MMF_OOM_SKIP. The oom reaper can not
run on the mm anymore so the munlock is safe to do in exit_mmap(). It
also matches the logic that the oom reaper currently uses for
determining when to set MMF_OOM_SKIP itself, so there's no new risk of
excessive oom killing.

This issue fixes CVE-2018-1000200.

Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1804241526320.238665@chino.kir.corp.google.com
Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently")
Signed-off-by: David Rientjes <rientjes@google.com>
Suggested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org> [4.14+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[carnil: Backport to 4.16: adjust context]
---
include/linux/oom.h | 2 +
mm/mmap.c | 44 ++++++++++++++++------------
mm/oom_kill.c | 81 +++++++++++++++++++++++++++-------------------------
3 files changed, 71 insertions(+), 56 deletions(-)

--- a/include/linux/oom.h
+++ b/include/linux/oom.h
@@ -95,6 +95,8 @@ static inline int check_stable_address_s
return 0;
}

+void __oom_reap_task_mm(struct mm_struct *mm);
+
extern unsigned long oom_badness(struct task_struct *p,
struct mem_cgroup *memcg, const nodemask_t *nodemask,
unsigned long totalpages);
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2997,6 +2997,32 @@ void exit_mmap(struct mm_struct *mm)
/* mm's last user has gone, and its about to be pulled down */
mmu_notifier_release(mm);

+ if (unlikely(mm_is_oom_victim(mm))) {
+ /*
+ * Manually reap the mm to free as much memory as possible.
+ * Then, as the oom reaper does, set MMF_OOM_SKIP to disregard
+ * this mm from further consideration. Taking mm->mmap_sem for
+ * write after setting MMF_OOM_SKIP will guarantee that the oom
+ * reaper will not run on this mm again after mmap_sem is
+ * dropped.
+ *
+ * Nothing can be holding mm->mmap_sem here and the above call
+ * to mmu_notifier_release(mm) ensures mmu notifier callbacks in
+ * __oom_reap_task_mm() will not block.
+ *
+ * This needs to be done before calling munlock_vma_pages_all(),
+ * which clears VM_LOCKED, otherwise the oom reaper cannot
+ * reliably test it.
+ */
+ mutex_lock(&oom_lock);
+ __oom_reap_task_mm(mm);
+ mutex_unlock(&oom_lock);
+
+ set_bit(MMF_OOM_SKIP, &mm->flags);
+ down_write(&mm->mmap_sem);
+ up_write(&mm->mmap_sem);
+ }
+
if (mm->locked_vm) {
vma = mm->mmap;
while (vma) {
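Review bot: the ordering in this hunk is the whole fix and deserves protecting: __oom_reap_task_mm() runs under oom_lock before the `if (mm->locked_vm)` block that will call munlock_vma_pages_all() and clear VM_LOCKED, so the reaper never inspects a vma whose VM_LOCKED is being dropped underneath it; the set_bit(MMF_OOM_SKIP, ...) followed by the empty down_write()/up_write() pair is what guarantees that a reaper which already passed its mmap_sem trylock finishes before the munlock starts. The comment explains this, but anyone later moving the block below the locked_vm loop would silently reintroduce the race, so the comment's last paragraph is the part to keep adjacent to the code.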
@@ -3018,24 +3044,6 @@ void exit_mmap(struct mm_struct *mm)
/* update_hiwater_rss(mm) here? but nobody should be looking */
/* Use -1 here to ensure all VMAs in the mm are unmapped */
unmap_vmas(&tlb, vma, 0, -1);
-
- if (unlikely(mm_is_oom_victim(mm))) {
- /*
- * Wait for oom_reap_task() to stop working on this
- * mm. Because MMF_OOM_SKIP is already set before
- * calling down_read(), oom_reap_task() will not run
- * on this "mm" post up_write().
- *
- * mm_is_oom_victim() cannot be set from under us
- * either because victim->mm is already set to NULL
- * under task_lock before calling mmput and oom_mm is
- * set not NULL by the OOM killer only if victim->mm
- * is found not NULL while holding the task_lock.
- */
- set_bit(MMF_OOM_SKIP, &mm->flags);
- down_write(&mm->mmap_sem);
- up_write(&mm->mmap_sem);
- }
free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, USER_PGTABLES_CEILING);
tlb_finish_mmu(&tlb, 0, -1);

--- a/mm/oom_kill.c
+++ b/mm/oom_kill.c
@@ -474,7 +474,6 @@ bool process_shares_mm(struct task_struc
return false;
}

-
#ifdef CONFIG_MMU
/*
* OOM Reaper kernel thread which tries to reap the memory used by the OOM
@@ -485,16 +484,54 @@ static DECLARE_WAIT_QUEUE_HEAD(oom_reape
static struct task_struct *oom_reaper_list;
static DEFINE_SPINLOCK(oom_reaper_lock);

-static bool __oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm)
+void __oom_reap_task_mm(struct mm_struct *mm)
{
- struct mmu_gather tlb;
struct vm_area_struct *vma;
+
+ /*
+ * Tell all users of get_user/copy_from_user etc... that the content
+ * is no longer stable. No barriers really needed because unmapping
+ * should imply barriers already and the reader would hit a page fault
+ * if it stumbled over a reaped memory.
+ */
+ set_bit(MMF_UNSTABLE, &mm->flags);
+
+ for (vma = mm->mmap ; vma; vma = vma->vm_next) {
+ if (!can_madv_dontneed_vma(vma))
+ continue;
+
+ /*
+ * Only anonymous pages have a good chance to be dropped
+ * without additional steps which we cannot afford as we
+ * are OOM already.
+ *
+ * We do not even care about fs backed pages because all
+ * which are reclaimable have already been reclaimed and
+ * we do not want to block exit_mmap by keeping mm ref
+ * count elevated without a good reason.
+ */
+ if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) {
+ const unsigned long start = vma->vm_start;
+ const unsigned long end = vma->vm_end;
+ struct mmu_gather tlb;
+
+ tlb_gather_mmu(&tlb, mm, start, end);
+ mmu_notifier_invalidate_range_start(mm, start, end);
+ unmap_page_range(&tlb, vma, start, end, NULL);
+ mmu_notifier_invalidate_range_end(mm, start, end);
+ tlb_finish_mmu(&tlb, start, end);
+ }
+ }
+}
+
+static bool oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm)
+{
bool ret = true;

/*
* We have to make sure to not race with the victim exit path
* and cause premature new oom victim selection:
- * __oom_reap_task_mm exit_mm
+ * oom_reap_task_mm exit_mm
* mmget_not_zero
* mmput
* atomic_dec_and_test
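Review bot: __oom_reap_task_mm() becomes non-static and is declared in include/linux/oom.h, yet keeps the double-underscore prefix that normally marks a file-internal helper; since exit_mmap() now calls it directly, a short comment above the definition stating its locking expectation (exit_mmap() takes oom_lock around the call) would prevent a future caller from invoking it unlocked. Two nits carried over in the move: the stray space in `for (vma = mm->mmap ; vma; vma = vma->vm_next)` and the fact that `struct mmu_gather tlb` is now declared per iteration inside the `if`, which is correct but differs from the old function-scope declaration and is worth a word in the commit message. The `-static bool __oom_reap_task_mm` to `+static bool oom_reap_task_mm` rename and the matching comment line (`+ * oom_reap_task_mm exit_mm`) are consistent with the caller change in the last hunk.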
@@ -539,39 +576,8 @@ static bool __oom_reap_task_mm(struct ta

trace_start_task_reaping(tsk->pid);

- /*
- * Tell all users of get_user/copy_from_user etc... that the content
- * is no longer stable. No barriers really needed because unmapping
- * should imply barriers already and the reader would hit a page fault
- * if it stumbled over a reaped memory.
- */
- set_bit(MMF_UNSTABLE, &mm->flags);
-
- for (vma = mm->mmap ; vma; vma = vma->vm_next) {
- if (!can_madv_dontneed_vma(vma))
- continue;
+ __oom_reap_task_mm(mm);

- /*
- * Only anonymous pages have a good chance to be dropped
- * without additional steps which we cannot afford as we
- * are OOM already.
- *
- * We do not even care about fs backed pages because all
- * which are reclaimable have already been reclaimed and
- * we do not want to block exit_mmap by keeping mm ref
- * count elevated without a good reason.
- */
- if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) {
- const unsigned long start = vma->vm_start;
- const unsigned long end = vma->vm_end;
-
- tlb_gather_mmu(&tlb, mm, start, end);
- mmu_notifier_invalidate_range_start(mm, start, end);
- unmap_page_range(&tlb, vma, start, end, NULL);
- mmu_notifier_invalidate_range_end(mm, start, end);
- tlb_finish_mmu(&tlb, start, end);
- }
- }
pr_info("oom_reaper: reaped process %d (%s), now anon-rss:%lukB, file-rss:%lukB, shmem-rss:%lukB\n",
task_pid_nr(tsk), tsk->comm,
K(get_mm_counter(mm, MM_ANONPAGES)),
@@ -592,13 +598,12 @@ static void oom_reap_task(struct task_st
struct mm_struct *mm = tsk->signal->oom_mm;

/* Retry the down_read_trylock(mmap_sem) a few times */
- while (attempts++ < MAX_OOM_REAP_RETRIES && !__oom_reap_task_mm(tsk, mm))
+ while (attempts++ < MAX_OOM_REAP_RETRIES && !oom_reap_task_mm(tsk, mm))
schedule_timeout_idle(HZ/10);

if (attempts <= MAX_OOM_REAP_RETRIES)
goto done;

-
pr_info("oom_reaper: unable to reap pid:%d (%s)\n",
task_pid_nr(tsk), tsk->comm);
debug_show_all_locks();
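Review bot: deleting this patch file is consistent with the changelog, which now lists the same fix under ChangeLog-4.16.9 with CVE-2018-1000200. Because this copy carried a Debian-specific context adjustment ("[carnil: Backport to 4.16: adjust context]"), it is worth confirming after the rebase that the stable tree's version touches the same three files (include/linux/oom.h, mm/mmap.c, mm/oom_kill.c) with the same net effect, so nothing from the backport is silently lost; the `@@ -539,39 +576,8 @@` hunk header still names the old `__oom_reap_task_mm(struct ta` context because the function was renamed in the same patch, which is expected and not a sign of a mis-applied hunk.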
@ -1,106 +0,0 @@
From: Willy Tarreau <w@1wt.eu>
Date: Fri, 11 May 2018 08:11:44 +0200
Subject: proc: do not access cmdline nor environ from file-backed areas
Origin: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1120

proc_pid_cmdline_read() and environ_read() directly access the target
process' VM to retrieve the command line and environment. If this
process remaps these areas onto a file via mmap(), the requesting
process may experience various issues such as extra delays if the
underlying device is slow to respond.

Let's simply refuse to access file-backed areas in these functions.
For this we add a new FOLL_ANON gup flag that is passed to all calls
to access_remote_vm(). The code already takes care of such failures
(including unmapped areas). Accesses via /proc/pid/mem were not
changed though.

This was assigned CVE-2018-1120.

Note for stable backports: the patch may apply to kernels prior to 4.11
but silently miss one location; it must be checked that no call to
access_remote_vm() keeps zero as the last argument.

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/proc/base.c | 8 ++++----
include/linux/mm.h | 1 +
mm/gup.c | 3 +++
3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 1b2ede6abcdf..1a76d751cf3c 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -261,7 +261,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
* Inherently racy -- command line shares address space
* with code and data.
*/
- rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0);
+ rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_ANON);
if (rv <= 0)
goto out_free_page;

@@ -279,7 +279,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
int nr_read;

_count = min3(count, len, PAGE_SIZE);
- nr_read = access_remote_vm(mm, p, page, _count, 0);
+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
if (nr_read < 0)
rv = nr_read;
if (nr_read <= 0)
@@ -325,7 +325,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
bool final;

_count = min3(count, len, PAGE_SIZE);
- nr_read = access_remote_vm(mm, p, page, _count, 0);
+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
if (nr_read < 0)
rv = nr_read;
if (nr_read <= 0)
@@ -946,7 +946,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
max_len = min_t(size_t, PAGE_SIZE, count);
this_len = min(max_len, this_len);

- retval = access_remote_vm(mm, (env_start + src), page, this_len, 0);
+ retval = access_remote_vm(mm, (env_start + src), page, this_len, FOLL_ANON);

if (retval <= 0) {
ret = retval;
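Review bot: all four access_remote_vm() call sites in fs/proc/base.c (three in proc_pid_cmdline_read(), one in environ_read()) now pass FOLL_ANON instead of 0, which is exactly the check the commit message asks backporters to repeat; the visible callers already treat a short or negative return as end of data (`if (rv <= 0) goto out_free_page;`, `if (nr_read < 0) rv = nr_read;`, `if (retval <= 0) {`), so a refused non-anonymous area shows up to the reader as a truncated cmdline or environ rather than an error. The message states that /proc/pid/mem is deliberately unchanged, so no further call sites are expected in this patch; a reviewer of the 4.16.10 stable version should grep for any `access_remote_vm(` still ending in `, 0)` as the message suggests.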
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 1ac1f06a4be6..c080af584ddd 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2493,6 +2493,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
#define FOLL_MLOCK 0x1000 /* lock present pages */
#define FOLL_REMOTE 0x2000 /* we are working on non-current tsk/mm */
#define FOLL_COW 0x4000 /* internal GUP flag */
+#define FOLL_ANON 0x8000 /* don't do file mappings */

static inline int vm_fault_to_errno(int vm_fault, int foll_flags)
{
diff --git a/mm/gup.c b/mm/gup.c
index 76af4cfeaf68..541904a7c60f 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -544,6 +544,9 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
if (vm_flags & (VM_IO | VM_PFNMAP))
return -EFAULT;

+ if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
+ return -EFAULT;
+
if (write) {
if (!(vm_flags & VM_WRITE)) {
if (!(gup_flags & FOLL_FORCE))
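Review bot: `if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))` relies on `&` binding tighter than `&&`, which is correct C but is the pattern compilers warn about under -Wparentheses; writing `(gup_flags & FOLL_ANON)` makes the intent explicit and matches the surrounding style (`if (!(gup_flags & FOLL_FORCE))`). The check rejects every vma for which vma_is_anonymous() is false, so the new flag's comment in include/linux/mm.h, "don't do file mappings", understates it and should say non-anonymous mappings are refused. The value 0x8000 is the next free bit after FOLL_COW (0x4000) in the visible list, and placing the test in check_vma_flags() before the write-permission block means the -EFAULT is returned for read accesses too, which is what the proc callers need.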
--
2.17.0

@ -1,28 +0,0 @@
From: Ingo Molnar <mingo@elte.hu>
Date: Fri, 3 Jul 2009 08:29:24 -0500
Subject: drivers/net: Use disable_irq_nosync() in 8139too
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.16/older/patches-4.16.7-rt1.tar.xz

upstream commit af3e0fcf78879f718c5f73df0814951bd7057d34

Use disable_irq_nosync() instead of disable_irq() as this might be
called in atomic context with netpoll.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

---
drivers/net/ethernet/realtek/8139too.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/realtek/8139too.c
+++ b/drivers/net/ethernet/realtek/8139too.c
@@ -2224,7 +2224,7 @@ static void rtl8139_poll_controller(stru
struct rtl8139_private *tp = netdev_priv(dev);
const int irq = tp->pci_dev->irq;

- disable_irq(irq);
+ disable_irq_nosync(irq);
rtl8139_interrupt(irq, dev);
enable_irq(irq);
}
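Review bot: disable_irq() waits for any in-flight handler to finish, which cannot be done from the atomic context netpoll calls rtl8139_poll_controller() in, so disable_irq_nosync() is the right replacement and the matching enable_irq() after rtl8139_interrupt() is correctly left alone. The patch's "upstream commit" line and the changelog's "8139too: Use disable_irq_nosync() in rtl8139_poll_controller()" item under ChangeLog-4.16.10 say the same fix is now in the stable tree, which is why this file can be deleted from the rt queue.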
@ -142,8 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/xfs-enhance-dinode-verifier.patch
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
bugfix/all/mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch
bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch

# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
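Review bot: the two series entries removed here, mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch and proc-do-not-access-cmdline-nor-environ-from-file-bac.patch, are exactly the two patch files deleted above, so the series stays consistent with the tree; the neighbouring xfs entries and the module-disable-matching-missing-version-crc.patch entry under "# Fix exported symbol versions" are untouched. Nothing else in the visible context references either CVE fix, so no orphaned entry remains.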
@ -88,7 +88,6 @@ features/all/rt/0048-selftests-ftrace-Add-inter-event-hist-triggers-testc.patch
features/all/rt/locking-rtmutex-Handle-non-enqueued-waiters-graceful.patch
features/all/rt/sched-Remove-TASK_ALL.patch
features/all/rt/rxrpc-remove-unused-static-variables.patch
features/all/rt/drivers-net-8139-disable-irq-nosync.patch
features/all/rt/delayacct-use-raw_spinlocks.patch
features/all/rt/stop-machine-raw-lock.patch
features/all/rt/mmci-remove-bogus-irq-save.patch
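Review bot: removing drivers-net-8139-disable-irq-nosync.patch from the rt series matches the file deletion above and the 8139too item in the 4.16.10 stable list. Because the rt queue is otherwise still the 4.16.7-rt1 import named in that patch's Origin line, expect to drop this entry again when the rt patches are next refreshed from upstream, since the upstream queue will still carry it until it is rebased onto a kernel that already has the fix.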