Linux v4.14.14
parent
630c6b6884
commit
a73de38919
|
@ -1,66 +0,0 @@
|
|||
From e4d0e84e490790798691aaa0f2e598637f1867ec Mon Sep 17 00:00:00 2001
|
||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Date: Mon, 8 Jan 2018 16:09:21 -0600
|
||||
Subject: [PATCH 1/2] x86/cpu/AMD: Make LFENCE a serializing instruction
|
||||
|
||||
To aid in speculation control, make LFENCE a serializing instruction
|
||||
since it has less overhead than MFENCE. This is done by setting bit 1
|
||||
of MSR 0xc0011029 (DE_CFG). Some families that support LFENCE do not
|
||||
have this MSR. For these families, the LFENCE instruction is already
|
||||
serializing.
|
||||
|
||||
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Tim Chen <tim.c.chen@linux.intel.com>
|
||||
Cc: Dave Hansen <dave.hansen@intel.com>
|
||||
Cc: Borislav Petkov <bp@alien8.de>
|
||||
Cc: Dan Williams <dan.j.williams@intel.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
|
||||
Cc: David Woodhouse <dwmw@amazon.co.uk>
|
||||
Cc: Paul Turner <pjt@google.com>
|
||||
Link: https://lkml.kernel.org/r/20180108220921.12580.71694.stgit@tlendack-t1.amdoffice.net
|
||||
---
|
||||
arch/x86/include/asm/msr-index.h | 2 ++
|
||||
arch/x86/kernel/cpu/amd.c | 10 ++++++++++
|
||||
2 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
|
||||
index ab022618a50a..1e7d710fef43 100644
|
||||
--- a/arch/x86/include/asm/msr-index.h
|
||||
+++ b/arch/x86/include/asm/msr-index.h
|
||||
@@ -352,6 +352,8 @@
|
||||
#define FAM10H_MMIO_CONF_BASE_MASK 0xfffffffULL
|
||||
#define FAM10H_MMIO_CONF_BASE_SHIFT 20
|
||||
#define MSR_FAM10H_NODE_ID 0xc001100c
|
||||
+#define MSR_F10H_DECFG 0xc0011029
|
||||
+#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT 1
|
||||
|
||||
/* K8 MSRs */
|
||||
#define MSR_K8_TOP_MEM1 0xc001001a
|
||||
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
|
||||
index bcb75dc97d44..5b438d81beb2 100644
|
||||
--- a/arch/x86/kernel/cpu/amd.c
|
||||
+++ b/arch/x86/kernel/cpu/amd.c
|
||||
@@ -829,6 +829,16 @@ static void init_amd(struct cpuinfo_x86 *c)
|
||||
set_cpu_cap(c, X86_FEATURE_K8);
|
||||
|
||||
if (cpu_has(c, X86_FEATURE_XMM2)) {
|
||||
+ /*
|
||||
+ * A serializing LFENCE has less overhead than MFENCE, so
|
||||
+ * use it for execution serialization. On families which
|
||||
+ * don't have that MSR, LFENCE is already serializing.
|
||||
+ * msr_set_bit() uses the safe accessors, too, even if the MSR
|
||||
+ * is not present.
|
||||
+ */
|
||||
+ msr_set_bit(MSR_F10H_DECFG,
|
||||
+ MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
|
||||
+
|
||||
/* MFENCE stops RDTSC speculation */
|
||||
set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
|
||||
}
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,58 +0,0 @@
|
|||
From 99c6fa2511d8a683e61468be91b83f85452115fa Mon Sep 17 00:00:00 2001
|
||||
From: David Woodhouse <dwmw@amazon.co.uk>
|
||||
Date: Sat, 6 Jan 2018 11:49:23 +0000
|
||||
Subject: [PATCH 1/2] x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
|
||||
|
||||
Add the bug bits for spectre v1/2 and force them unconditionally for all
|
||||
cpus.
|
||||
|
||||
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: gnomes@lxorguk.ukuu.org.uk
|
||||
Cc: Rik van Riel <riel@redhat.com>
|
||||
Cc: Andi Kleen <ak@linux.intel.com>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Jiri Kosina <jikos@kernel.org>
|
||||
Cc: Andy Lutomirski <luto@amacapital.net>
|
||||
Cc: Dave Hansen <dave.hansen@intel.com>
|
||||
Cc: Kees Cook <keescook@google.com>
|
||||
Cc: Tim Chen <tim.c.chen@linux.intel.com>
|
||||
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
|
||||
Cc: Paul Turner <pjt@google.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: https://lkml.kernel.org/r/1515239374-23361-2-git-send-email-dwmw@amazon.co.uk
|
||||
---
|
||||
arch/x86/include/asm/cpufeatures.h | 2 ++
|
||||
arch/x86/kernel/cpu/common.c | 3 +++
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
|
||||
index 21ac898df2d8..1641c2f96363 100644
|
||||
--- a/arch/x86/include/asm/cpufeatures.h
|
||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
||||
@@ -342,5 +342,7 @@
|
||||
#define X86_BUG_MONITOR X86_BUG(12) /* IPI required to wake up remote CPU */
|
||||
#define X86_BUG_AMD_E400 X86_BUG(13) /* CPU is among the affected by Erratum 400 */
|
||||
#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
|
||||
+#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
|
||||
+#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
|
||||
|
||||
#endif /* _ASM_X86_CPUFEATURES_H */
|
||||
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
|
||||
index 2d3bd2215e5b..372ba3fb400f 100644
|
||||
--- a/arch/x86/kernel/cpu/common.c
|
||||
+++ b/arch/x86/kernel/cpu/common.c
|
||||
@@ -902,6 +902,9 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
|
||||
if (c->x86_vendor != X86_VENDOR_AMD)
|
||||
setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
|
||||
|
||||
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
|
||||
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
|
||||
+
|
||||
fpu__init_system(c);
|
||||
|
||||
#ifdef CONFIG_X86_32
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,154 +0,0 @@
|
|||
From 87590ce6e373d1a5401f6539f0c59ef92dd924a9 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Date: Sun, 7 Jan 2018 22:48:00 +0100
|
||||
Subject: [PATCH 2/2] sysfs/cpu: Add vulnerability folder
|
||||
|
||||
As the meltdown/spectre problem affects several CPU architectures, it makes
|
||||
sense to have common way to express whether a system is affected by a
|
||||
particular vulnerability or not. If affected the way to express the
|
||||
mitigation should be common as well.
|
||||
|
||||
Create /sys/devices/system/cpu/vulnerabilities folder and files for
|
||||
meltdown, spectre_v1 and spectre_v2.
|
||||
|
||||
Allow architectures to override the show function.
|
||||
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Will Deacon <will.deacon@arm.com>
|
||||
Cc: Dave Hansen <dave.hansen@intel.com>
|
||||
Cc: Linus Torvalds <torvalds@linuxfoundation.org>
|
||||
Cc: Borislav Petkov <bp@alien8.de>
|
||||
Cc: David Woodhouse <dwmw@amazon.co.uk>
|
||||
Link: https://lkml.kernel.org/r/20180107214913.096657732@linutronix.de
|
||||
---
|
||||
Documentation/ABI/testing/sysfs-devices-system-cpu | 16 ++++++++
|
||||
drivers/base/Kconfig | 3 ++
|
||||
drivers/base/cpu.c | 48 ++++++++++++++++++++++
|
||||
include/linux/cpu.h | 7 ++++
|
||||
4 files changed, 74 insertions(+)
|
||||
|
||||
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
|
||||
index f3d5817c4ef0..bd3a88e16d8b 100644
|
||||
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
|
||||
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
|
||||
@@ -373,3 +373,19 @@ Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
|
||||
Description: information about CPUs heterogeneity.
|
||||
|
||||
cpu_capacity: capacity of cpu#.
|
||||
+
|
||||
+What: /sys/devices/system/cpu/vulnerabilities
|
||||
+ /sys/devices/system/cpu/vulnerabilities/meltdown
|
||||
+ /sys/devices/system/cpu/vulnerabilities/spectre_v1
|
||||
+ /sys/devices/system/cpu/vulnerabilities/spectre_v2
|
||||
+Date: Januar 2018
|
||||
+Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
|
||||
+Description: Information about CPU vulnerabilities
|
||||
+
|
||||
+ The files are named after the code names of CPU
|
||||
+ vulnerabilities. The output of those files reflects the
|
||||
+ state of the CPUs in the system. Possible output values:
|
||||
+
|
||||
+ "Not affected" CPU is not affected by the vulnerability
|
||||
+ "Vulnerable" CPU is affected and no mitigation in effect
|
||||
+ "Mitigation: $M" CPU is affetcted and mitigation $M is in effect
|
||||
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
|
||||
index 2f6614c9a229..37a71fd9043f 100644
|
||||
--- a/drivers/base/Kconfig
|
||||
+++ b/drivers/base/Kconfig
|
||||
@@ -235,6 +235,9 @@ config GENERIC_CPU_DEVICES
|
||||
config GENERIC_CPU_AUTOPROBE
|
||||
bool
|
||||
|
||||
+config GENERIC_CPU_VULNERABILITIES
|
||||
+ bool
|
||||
+
|
||||
config SOC_BUS
|
||||
bool
|
||||
select GLOB
|
||||
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
|
||||
index 321cd7b4d817..825964efda1d 100644
|
||||
--- a/drivers/base/cpu.c
|
||||
+++ b/drivers/base/cpu.c
|
||||
@@ -501,10 +501,58 @@ static void __init cpu_dev_register_generic(void)
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
|
||||
+
|
||||
+ssize_t __weak cpu_show_meltdown(struct device *dev,
|
||||
+ struct device_attribute *attr, char *buf)
|
||||
+{
|
||||
+ return sprintf(buf, "Not affected\n");
|
||||
+}
|
||||
+
|
||||
+ssize_t __weak cpu_show_spectre_v1(struct device *dev,
|
||||
+ struct device_attribute *attr, char *buf)
|
||||
+{
|
||||
+ return sprintf(buf, "Not affected\n");
|
||||
+}
|
||||
+
|
||||
+ssize_t __weak cpu_show_spectre_v2(struct device *dev,
|
||||
+ struct device_attribute *attr, char *buf)
|
||||
+{
|
||||
+ return sprintf(buf, "Not affected\n");
|
||||
+}
|
||||
+
|
||||
+static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
|
||||
+static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
|
||||
+static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
|
||||
+
|
||||
+static struct attribute *cpu_root_vulnerabilities_attrs[] = {
|
||||
+ &dev_attr_meltdown.attr,
|
||||
+ &dev_attr_spectre_v1.attr,
|
||||
+ &dev_attr_spectre_v2.attr,
|
||||
+ NULL
|
||||
+};
|
||||
+
|
||||
+static const struct attribute_group cpu_root_vulnerabilities_group = {
|
||||
+ .name = "vulnerabilities",
|
||||
+ .attrs = cpu_root_vulnerabilities_attrs,
|
||||
+};
|
||||
+
|
||||
+static void __init cpu_register_vulnerabilities(void)
|
||||
+{
|
||||
+ if (sysfs_create_group(&cpu_subsys.dev_root->kobj,
|
||||
+ &cpu_root_vulnerabilities_group))
|
||||
+ pr_err("Unable to register CPU vulnerabilities\n");
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+static inline void cpu_register_vulnerabilities(void) { }
|
||||
+#endif
|
||||
+
|
||||
void __init cpu_dev_init(void)
|
||||
{
|
||||
if (subsys_system_register(&cpu_subsys, cpu_root_attr_groups))
|
||||
panic("Failed to register CPU subsystem");
|
||||
|
||||
cpu_dev_register_generic();
|
||||
+ cpu_register_vulnerabilities();
|
||||
}
|
||||
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
|
||||
index 938ea8ae0ba4..c816e6f2730c 100644
|
||||
--- a/include/linux/cpu.h
|
||||
+++ b/include/linux/cpu.h
|
||||
@@ -47,6 +47,13 @@ extern void cpu_remove_dev_attr(struct device_attribute *attr);
|
||||
extern int cpu_add_dev_attr_group(struct attribute_group *attrs);
|
||||
extern void cpu_remove_dev_attr_group(struct attribute_group *attrs);
|
||||
|
||||
+extern ssize_t cpu_show_meltdown(struct device *dev,
|
||||
+ struct device_attribute *attr, char *buf);
|
||||
+extern ssize_t cpu_show_spectre_v1(struct device *dev,
|
||||
+ struct device_attribute *attr, char *buf);
|
||||
+extern ssize_t cpu_show_spectre_v2(struct device *dev,
|
||||
+ struct device_attribute *attr, char *buf);
|
||||
+
|
||||
extern __printf(4, 5)
|
||||
struct device *cpu_device_create(struct device *parent, void *drvdata,
|
||||
const struct attribute_group **groups,
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,82 +0,0 @@
|
|||
From 9c6a73c75864ad9fa49e5fa6513e4c4071c0e29f Mon Sep 17 00:00:00 2001
|
||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Date: Mon, 8 Jan 2018 16:09:32 -0600
|
||||
Subject: [PATCH 2/2] x86/cpu/AMD: Use LFENCE_RDTSC in preference to
|
||||
MFENCE_RDTSC
|
||||
|
||||
With LFENCE now a serializing instruction, use LFENCE_RDTSC in preference
|
||||
to MFENCE_RDTSC. However, since the kernel could be running under a
|
||||
hypervisor that does not support writing that MSR, read the MSR back and
|
||||
verify that the bit has been set successfully. If the MSR can be read
|
||||
and the bit is set, then set the LFENCE_RDTSC feature, otherwise set the
|
||||
MFENCE_RDTSC feature.
|
||||
|
||||
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: Tim Chen <tim.c.chen@linux.intel.com>
|
||||
Cc: Dave Hansen <dave.hansen@intel.com>
|
||||
Cc: Borislav Petkov <bp@alien8.de>
|
||||
Cc: Dan Williams <dan.j.williams@intel.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
|
||||
Cc: David Woodhouse <dwmw@amazon.co.uk>
|
||||
Cc: Paul Turner <pjt@google.com>
|
||||
Link: https://lkml.kernel.org/r/20180108220932.12580.52458.stgit@tlendack-t1.amdoffice.net
|
||||
---
|
||||
arch/x86/include/asm/msr-index.h | 1 +
|
||||
arch/x86/kernel/cpu/amd.c | 18 ++++++++++++++++--
|
||||
2 files changed, 17 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
|
||||
index 1e7d710fef43..fa11fb1fa570 100644
|
||||
--- a/arch/x86/include/asm/msr-index.h
|
||||
+++ b/arch/x86/include/asm/msr-index.h
|
||||
@@ -354,6 +354,7 @@
|
||||
#define MSR_FAM10H_NODE_ID 0xc001100c
|
||||
#define MSR_F10H_DECFG 0xc0011029
|
||||
#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT 1
|
||||
+#define MSR_F10H_DECFG_LFENCE_SERIALIZE BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT)
|
||||
|
||||
/* K8 MSRs */
|
||||
#define MSR_K8_TOP_MEM1 0xc001001a
|
||||
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
|
||||
index 5b438d81beb2..ea831c858195 100644
|
||||
--- a/arch/x86/kernel/cpu/amd.c
|
||||
+++ b/arch/x86/kernel/cpu/amd.c
|
||||
@@ -829,6 +829,9 @@ static void init_amd(struct cpuinfo_x86 *c)
|
||||
set_cpu_cap(c, X86_FEATURE_K8);
|
||||
|
||||
if (cpu_has(c, X86_FEATURE_XMM2)) {
|
||||
+ unsigned long long val;
|
||||
+ int ret;
|
||||
+
|
||||
/*
|
||||
* A serializing LFENCE has less overhead than MFENCE, so
|
||||
* use it for execution serialization. On families which
|
||||
@@ -839,8 +842,19 @@ static void init_amd(struct cpuinfo_x86 *c)
|
||||
msr_set_bit(MSR_F10H_DECFG,
|
||||
MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
|
||||
|
||||
- /* MFENCE stops RDTSC speculation */
|
||||
- set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
|
||||
+ /*
|
||||
+ * Verify that the MSR write was successful (could be running
|
||||
+ * under a hypervisor) and only then assume that LFENCE is
|
||||
+ * serializing.
|
||||
+ */
|
||||
+ ret = rdmsrl_safe(MSR_F10H_DECFG, &val);
|
||||
+ if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) {
|
||||
+ /* A serializing LFENCE stops RDTSC speculation */
|
||||
+ set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
|
||||
+ } else {
|
||||
+ /* MFENCE stops RDTSC speculation */
|
||||
+ set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From c095508770aebf1b9218e77026e48345d719b17c Mon Sep 17 00:00:00 2001
|
||||
From: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Date: Tue, 2 Jan 2018 19:44:34 +0000
|
||||
Subject: [PATCH] RDS: Heap OOB write in rds_message_alloc_sgs()
|
||||
|
||||
When args->nr_local is 0, nr_pages gets also 0 due some size
|
||||
calculation via rds_rm_size(), which is later used to allocate
|
||||
pages for DMA, this bug produces a heap Out-Of-Bound write access
|
||||
to a specific memory region.
|
||||
|
||||
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/rds/rdma.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
|
||||
index bc2f1e0977d6..94729d9da437 100644
|
||||
--- a/net/rds/rdma.c
|
||||
+++ b/net/rds/rdma.c
|
||||
@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
|
||||
|
||||
local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
|
||||
|
||||
+ if (args->nr_local == 0)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
/* figure out the number of pages in the vector */
|
||||
for (i = 0; i < args->nr_local; i++) {
|
||||
if (copy_from_user(&vec, &local_vec[i],
|
||||
--
|
||||
2.15.1
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
From 7d11f77f84b27cef452cee332f4e469503084737 Mon Sep 17 00:00:00 2001
|
||||
From: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Date: Wed, 3 Jan 2018 21:06:06 +0000
|
||||
Subject: [PATCH] RDS: null pointer dereference in rds_atomic_free_op
|
||||
|
||||
set rm->atomic.op_active to 0 when rds_pin_pages() fails
|
||||
or the user supplied address is invalid,
|
||||
this prevents a NULL pointer usage in rds_atomic_free_op()
|
||||
|
||||
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
|
||||
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/rds/rdma.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
|
||||
index 94729d9da437..634cfcb7bba6 100644
|
||||
--- a/net/rds/rdma.c
|
||||
+++ b/net/rds/rdma.c
|
||||
@@ -877,6 +877,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
|
||||
err:
|
||||
if (page)
|
||||
put_page(page);
|
||||
+ rm->atomic.op_active = 0;
|
||||
kfree(rm->atomic.op_notifier);
|
||||
|
||||
return ret;
|
||||
--
|
||||
2.15.1
|
||||
|
|
@ -1,132 +0,0 @@
|
|||
From patchwork Wed Dec 20 15:13:31 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [cgroup/for-4.15-fixes] cgroup: fix css_task_iter crash on
|
||||
CSS_TASK_ITER_PROC
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
X-Patchwork-Id: 10125801
|
||||
Message-Id: <20171220151331.GA3413940@devbig577.frc2.facebook.com>
|
||||
To: Laura Abbott <labbott@redhat.com>
|
||||
Cc: Zefan Li <lizefan@huawei.com>, linux-kernel@vger.kernel.org,
|
||||
cgroups@vger.kernel.org, regressions@leemhuis.info,
|
||||
Bronek Kozicki <brok@incorrekt.com>, George Amanakis <gamanakis@gmail.com>
|
||||
Date: Wed, 20 Dec 2017 07:13:31 -0800
|
||||
|
||||
Hello,
|
||||
|
||||
Applied the following to cgroup/for-4.15-fixes. Will push out to
|
||||
linus later this week. I could reproduce the problem reliably and am
|
||||
pretty sure this is the right fix but I'd greatly appreciate if you
|
||||
guys can confirm the fix too.
|
||||
|
||||
Thank you very much.
|
||||
|
||||
------ 8< ------
|
||||
>From 74d0833c659a8a54735e5efdd44f4b225af68586 Mon Sep 17 00:00:00 2001
|
||||
From: Tejun Heo <tj@kernel.org>
|
||||
Date: Wed, 20 Dec 2017 07:09:19 -0800
|
||||
|
||||
While teaching css_task_iter to handle skipping over tasks which
|
||||
aren't group leaders, bc2fb7ed089f ("cgroup: add @flags to
|
||||
css_task_iter_start() and implement CSS_TASK_ITER_PROCS") introduced a
|
||||
silly bug.
|
||||
|
||||
CSS_TASK_ITER_PROCS is implemented by repeating
|
||||
css_task_iter_advance() while the advanced cursor is pointing to a
|
||||
non-leader thread. However, the cursor variable, @l, wasn't updated
|
||||
when the iteration has to advance to the next css_set and the
|
||||
following repetition would operate on the terminal @l from the
|
||||
previous iteration which isn't pointing to a valid task leading to
|
||||
oopses like the following or infinite looping.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000254
|
||||
IP: __task_pid_nr_ns+0xc7/0xf0
|
||||
PGD 0 P4D 0
|
||||
Oops: 0000 [#1] SMP
|
||||
...
|
||||
CPU: 2 PID: 1 Comm: systemd Not tainted 4.14.4-200.fc26.x86_64 #1
|
||||
Hardware name: System manufacturer System Product Name/PRIME B350M-A, BIOS 3203 11/09/2017
|
||||
task: ffff88c4baee8000 task.stack: ffff96d5c3158000
|
||||
RIP: 0010:__task_pid_nr_ns+0xc7/0xf0
|
||||
RSP: 0018:ffff96d5c315bd50 EFLAGS: 00010206
|
||||
RAX: 0000000000000000 RBX: ffff88c4b68c6000 RCX: 0000000000000250
|
||||
RDX: ffffffffa5e47960 RSI: 0000000000000000 RDI: ffff88c490f6ab00
|
||||
RBP: ffff96d5c315bd50 R08: 0000000000001000 R09: 0000000000000005
|
||||
R10: ffff88c4be006b80 R11: ffff88c42f1b8004 R12: ffff96d5c315bf18
|
||||
R13: ffff88c42d7dd200 R14: ffff88c490f6a510 R15: ffff88c4b68c6000
|
||||
FS: 00007f9446f8ea00(0000) GS:ffff88c4be680000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
CR2: 0000000000000254 CR3: 00000007f956f000 CR4: 00000000003406e0
|
||||
Call Trace:
|
||||
cgroup_procs_show+0x19/0x30
|
||||
cgroup_seqfile_show+0x4c/0xb0
|
||||
kernfs_seq_show+0x21/0x30
|
||||
seq_read+0x2ec/0x3f0
|
||||
kernfs_fop_read+0x134/0x180
|
||||
__vfs_read+0x37/0x160
|
||||
? security_file_permission+0x9b/0xc0
|
||||
vfs_read+0x8e/0x130
|
||||
SyS_read+0x55/0xc0
|
||||
entry_SYSCALL_64_fastpath+0x1a/0xa5
|
||||
RIP: 0033:0x7f94455f942d
|
||||
RSP: 002b:00007ffe81ba2d00 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
|
||||
RAX: ffffffffffffffda RBX: 00005574e2233f00 RCX: 00007f94455f942d
|
||||
RDX: 0000000000001000 RSI: 00005574e2321a90 RDI: 000000000000002b
|
||||
RBP: 0000000000000000 R08: 00005574e2321a90 R09: 00005574e231de60
|
||||
R10: 00007f94458c8b38 R11: 0000000000000293 R12: 00007f94458c8ae0
|
||||
R13: 00007ffe81ba3800 R14: 0000000000000000 R15: 00005574e2116560
|
||||
Code: 04 74 0e 89 f6 48 8d 04 76 48 8d 04 c5 f0 05 00 00 48 8b bf b8 05 00 00 48 01 c7 31 c0 48 8b 0f 48 85 c9 74 18 8b b2 30 08 00 00 <3b> 71 04 77 0d 48 c1 e6 05 48 01 f1 48 3b 51 38 74 09 5d c3 8b
|
||||
RIP: __task_pid_nr_ns+0xc7/0xf0 RSP: ffff96d5c315bd50
|
||||
|
||||
Fix it by moving the initialization of the cursor below the repeat
|
||||
label. While at it, rename it to @next for readability.
|
||||
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
Fixes: bc2fb7ed089f ("cgroup: add @flags to css_task_iter_start() and implement CSS_TASK_ITER_PROCS")
|
||||
Cc: stable@vger.kernel.org # v4.14+
|
||||
Reported-by: Laura Abbott <labbott@redhat.com>
|
||||
Reported-by: Bronek Kozicki <brok@incorrekt.com>
|
||||
Reported-by: George Amanakis <gamanakis@gmail.com>
|
||||
Signed-off-by: Tejun Heo <tj@kernel.org>
|
||||
---
|
||||
kernel/cgroup/cgroup.c | 14 ++++++--------
|
||||
1 file changed, 6 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
|
||||
index f4c2f8c..2cf06c2 100644
|
||||
--- a/kernel/cgroup/cgroup.c
|
||||
+++ b/kernel/cgroup/cgroup.c
|
||||
@@ -4125,26 +4125,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
|
||||
|
||||
static void css_task_iter_advance(struct css_task_iter *it)
|
||||
{
|
||||
- struct list_head *l = it->task_pos;
|
||||
+ struct list_head *next;
|
||||
|
||||
lockdep_assert_held(&css_set_lock);
|
||||
- WARN_ON_ONCE(!l);
|
||||
-
|
||||
repeat:
|
||||
/*
|
||||
* Advance iterator to find next entry. cset->tasks is consumed
|
||||
* first and then ->mg_tasks. After ->mg_tasks, we move onto the
|
||||
* next cset.
|
||||
*/
|
||||
- l = l->next;
|
||||
+ next = it->task_pos->next;
|
||||
|
||||
- if (l == it->tasks_head)
|
||||
- l = it->mg_tasks_head->next;
|
||||
+ if (next == it->tasks_head)
|
||||
+ next = it->mg_tasks_head->next;
|
||||
|
||||
- if (l == it->mg_tasks_head)
|
||||
+ if (next == it->mg_tasks_head)
|
||||
css_task_iter_advance_css_set(it);
|
||||
else
|
||||
- it->task_pos = l;
|
||||
+ it->task_pos = next;
|
||||
|
||||
/* if PROCS, skip over tasks which aren't group leaders */
|
||||
if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
|
|
@ -1,70 +0,0 @@
|
|||
From patchwork Mon Dec 11 07:26:40 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
|
||||
From: Benjamin Poirier <bpoirier@suse.com>
|
||||
X-Patchwork-Id: 10104349
|
||||
Message-Id: <20171211072640.7935-1-bpoirier@suse.com>
|
||||
To: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
|
||||
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>,
|
||||
Christian Hesse <list@eworm.de>, Gabriel C <nix.or.die@gmail.com>,
|
||||
intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
|
||||
linux-kernel@vger.kernel.org, stable@vger.kernel.org
|
||||
Date: Mon, 11 Dec 2017 16:26:40 +0900
|
||||
|
||||
e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
|
||||
are the two functions that may be assigned to mac.ops.check_for_link when
|
||||
phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
|
||||
Separate signaling for link check/link up") changed the meaning of the
|
||||
return value of check_for_link for copper media but only adjusted the first
|
||||
function. This patch adjusts the second function likewise.
|
||||
|
||||
Reported-by: Christian Hesse <list@eworm.de>
|
||||
Reported-by: Gabriel C <nix.or.die@gmail.com>
|
||||
Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
|
||||
Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
|
||||
Tested-by: Christian Hesse <list@eworm.de>
|
||||
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
|
||||
---
|
||||
drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
|
||||
index d6d4ed7acf03..31277d3bb7dc 100644
|
||||
--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
|
||||
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
|
||||
@@ -1367,6 +1367,9 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
|
||||
* Checks to see of the link status of the hardware has changed. If a
|
||||
* change in link status has been detected, then we read the PHY registers
|
||||
* to get the current speed/duplex if link exists.
|
||||
+ *
|
||||
+ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
|
||||
+ * up).
|
||||
**/
|
||||
static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
|
||||
{
|
||||
@@ -1382,7 +1385,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
|
||||
* Change or Rx Sequence Error interrupt.
|
||||
*/
|
||||
if (!mac->get_link_status)
|
||||
- return 0;
|
||||
+ return 1;
|
||||
|
||||
/* First we want to see if the MII Status Register reports
|
||||
* link. If so, then we want to get the current speed/duplex
|
||||
@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
|
||||
* different link partner.
|
||||
*/
|
||||
ret_val = e1000e_config_fc_after_link_up(hw);
|
||||
- if (ret_val)
|
||||
+ if (ret_val) {
|
||||
e_dbg("Error configuring flow control\n");
|
||||
+ return ret_val;
|
||||
+ }
|
||||
|
||||
- return ret_val;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
|
26
kernel.spec
26
kernel.spec
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 13
|
||||
%define stable_update 14
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -640,26 +640,11 @@ Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
|
|||
# rhbz 1525768 1525769
|
||||
Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
|
||||
|
||||
# rhbz 1525523
|
||||
# https://patchwork.kernel.org/patch/10104349/
|
||||
Patch506: e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
|
||||
|
||||
# CVE-2018-5344 rhbz 1533909 1533911
|
||||
Patch507: loop-fix-concurrent-lo_open-lo_release.patch
|
||||
|
||||
# CVE-2018-5332 rhbz 1533890 1533895
|
||||
Patch508: RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
|
||||
|
||||
# CVE-2018-5333 rhbz 1533891 1533895
|
||||
Patch509: RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
|
||||
|
||||
# 550-600 Meltdown and Spectre Fixes
|
||||
Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
|
||||
Patch551: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
|
||||
Patch552: 0002-sysfs-cpu-Add-vulnerability-folder.patch
|
||||
Patch553: 0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
|
||||
Patch554: 0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
|
||||
Patch555: retpoline.patch
|
||||
|
||||
# 600 - Patches for improved Bay and Cherry Trail device support
|
||||
# Below patches are submitted upstream, awaiting review / merging
|
||||
|
@ -685,11 +670,6 @@ Patch627: qxl-fixes.patch
|
|||
# rhbz 1462175
|
||||
Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
|
||||
|
||||
# CVE-2017-17741 rhbz 1527112 1527113
|
||||
Patch630: v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
|
||||
|
||||
Patch631: cgroup-for-4.15-fixes-cgroup-fix-css_task_iter-crash-on-CSS_TASK_ITER_PROC.patch
|
||||
|
||||
# rhbz1514969
|
||||
Patch633: 0001-platform-x86-dell-laptop-Filter-out-spurious-keyboar.patch
|
||||
|
||||
|
@ -2252,6 +2232,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jan 17 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.14-300
|
||||
- Linux v4.14.14
|
||||
- Fixes (rhbz 1532458)
|
||||
|
||||
* Fri Jan 12 2018 Jeremy Cline <jeremy@jcline.org>
|
||||
- Fix for CVE-2018-5344 (rhbz 1533909 1533911)
|
||||
- Fix for CVE-2018-5332 (rhbz 1533890 1533895)
|
||||
|
|
1480
retpoline.patch
1480
retpoline.patch
2
sources
2
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-4.14.tar.xz) = 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
|
||||
SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
|
||||
SHA512 (patch-4.14.13.xz) = 6ae473fbed193a2997e9d3f02ef9c1b5a1bc6f2464ef32a4bc22306659f5d978ab64e531b3488bf8266732043868f1b14183e463c17020d1dc95c8cf70343415
|
||||
SHA512 (patch-4.14.14.xz) = abc13c99eb85b2bd25f3ac07fccdad52a801118a86d3cd153a8ca6254730e5604e34261e98945352b23cf0e0a0317074a5008701d1240cc958ef4199bffd1ab6
|
||||
|
|
|
@ -1,215 +0,0 @@
|
|||
From patchwork Fri Dec 15 01:40:50 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Subject: [v4] KVM: Fix stack-out-of-bounds read in write_mmio
|
||||
From: Wanpeng Li <kernellwp@gmail.com>
|
||||
X-Patchwork-Id: 10113513
|
||||
Message-Id: <1513302050-14253-1-git-send-email-wanpeng.li@hotmail.com>
|
||||
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
|
||||
Cc: Paolo Bonzini <pbonzini@redhat.com>,
|
||||
=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
|
||||
Wanpeng Li <wanpeng.li@hotmail.com>, Marc Zyngier <marc.zyngier@arm.com>,
|
||||
Christoffer Dall <christoffer.dall@linaro.org>
|
||||
Date: Thu, 14 Dec 2017 17:40:50 -0800
|
||||
|
||||
From: Wanpeng Li <wanpeng.li@hotmail.com>
|
||||
|
||||
Reported by syzkaller:
|
||||
|
||||
BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
|
||||
Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
|
||||
|
||||
CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
|
||||
Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
|
||||
Call Trace:
|
||||
dump_stack+0xab/0xe1
|
||||
print_address_description+0x6b/0x290
|
||||
kasan_report+0x28a/0x370
|
||||
write_mmio+0x11e/0x270 [kvm]
|
||||
emulator_read_write_onepage+0x311/0x600 [kvm]
|
||||
emulator_read_write+0xef/0x240 [kvm]
|
||||
emulator_fix_hypercall+0x105/0x150 [kvm]
|
||||
em_hypercall+0x2b/0x80 [kvm]
|
||||
x86_emulate_insn+0x2b1/0x1640 [kvm]
|
||||
x86_emulate_instruction+0x39a/0xb90 [kvm]
|
||||
handle_exception+0x1b4/0x4d0 [kvm_intel]
|
||||
vcpu_enter_guest+0x15a0/0x2640 [kvm]
|
||||
kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
|
||||
kvm_vcpu_ioctl+0x479/0x880 [kvm]
|
||||
do_vfs_ioctl+0x142/0x9a0
|
||||
SyS_ioctl+0x74/0x80
|
||||
entry_SYSCALL_64_fastpath+0x23/0x9a
|
||||
|
||||
The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
|
||||
to the guest memory, however, write_mmio tracepoint always prints 8 bytes
|
||||
through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
|
||||
can result in stack-out-of-bounds read due to access the extra 5 bytes.
|
||||
This patch fixes it by just accessing the bytes which we operates on.
|
||||
|
||||
Before patch:
|
||||
|
||||
syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
|
||||
|
||||
After patch:
|
||||
|
||||
syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
|
||||
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Cc: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Cc: Radim Krčmář <rkrcmar@redhat.com>
|
||||
Cc: Marc Zyngier <marc.zyngier@arm.com>
|
||||
Cc: Christoffer Dall <christoffer.dall@linaro.org>
|
||||
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
|
||||
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
|
||||
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
|
||||
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
|
||||
---
|
||||
v3 -> v4:
|
||||
* fix the arm tracepoint
|
||||
v2 -> v3:
|
||||
* fix sparse warning
|
||||
v1 -> v2:
|
||||
* do the memcpy in kvm_mmio tracepoint
|
||||
|
||||
arch/x86/kvm/x86.c | 8 ++++----
|
||||
include/trace/events/kvm.h | 6 ++++--
|
||||
virt/kvm/arm/mmio.c | 6 +++---
|
||||
3 files changed, 11 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
|
||||
index 0f82e2c..c7071e7 100644
|
||||
--- a/arch/x86/kvm/x86.c
|
||||
+++ b/arch/x86/kvm/x86.c
|
||||
@@ -4456,7 +4456,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
|
||||
addr, n, v))
|
||||
&& kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
|
||||
break;
|
||||
- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
|
||||
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
|
||||
handled += n;
|
||||
addr += n;
|
||||
len -= n;
|
||||
@@ -4715,7 +4715,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
|
||||
{
|
||||
if (vcpu->mmio_read_completed) {
|
||||
trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
|
||||
- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
|
||||
+ vcpu->mmio_fragments[0].gpa, val);
|
||||
vcpu->mmio_read_completed = 0;
|
||||
return 1;
|
||||
}
|
||||
@@ -4737,14 +4737,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
|
||||
|
||||
static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
|
||||
{
|
||||
- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
|
||||
+ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
|
||||
return vcpu_mmio_write(vcpu, gpa, bytes, val);
|
||||
}
|
||||
|
||||
static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
|
||||
void *val, int bytes)
|
||||
{
|
||||
- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
|
||||
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
|
||||
return X86EMUL_IO_NEEDED;
|
||||
}
|
||||
|
||||
diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
|
||||
index e4b0b8e..dfd2170 100644
|
||||
--- a/include/trace/events/kvm.h
|
||||
+++ b/include/trace/events/kvm.h
|
||||
@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
|
||||
{ KVM_TRACE_MMIO_WRITE, "write" }
|
||||
|
||||
TRACE_EVENT(kvm_mmio,
|
||||
- TP_PROTO(int type, int len, u64 gpa, u64 val),
|
||||
+ TP_PROTO(int type, int len, u64 gpa, void *val),
|
||||
TP_ARGS(type, len, gpa, val),
|
||||
|
||||
TP_STRUCT__entry(
|
||||
@@ -225,7 +225,9 @@ TRACE_EVENT(kvm_mmio,
|
||||
__entry->type = type;
|
||||
__entry->len = len;
|
||||
__entry->gpa = gpa;
|
||||
- __entry->val = val;
|
||||
+ __entry->val = 0;
|
||||
+ if (val)
|
||||
+ memcpy(&__entry->val, val, min(8, len));
|
||||
),
|
||||
|
||||
TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
|
||||
diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
|
||||
index b6e715f..dac7ceb 100644
|
||||
--- a/virt/kvm/arm/mmio.c
|
||||
+++ b/virt/kvm/arm/mmio.c
|
||||
@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
|
||||
}
|
||||
|
||||
trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
|
||||
- data);
|
||||
+ &data);
|
||||
data = vcpu_data_host_to_guest(vcpu, data, len);
|
||||
vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
|
||||
}
|
||||
@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
|
||||
data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
|
||||
len);
|
||||
|
||||
- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
|
||||
+ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
|
||||
kvm_mmio_write_buf(data_buf, len, data);
|
||||
|
||||
ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
|
||||
data_buf);
|
||||
} else {
|
||||
trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
|
||||
- fault_ipa, 0);
|
||||
+ fault_ipa, NULL);
|
||||
|
||||
ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
|
||||
data_buf);
|
||||
From patchwork Mon Dec 18 11:55:05 2017
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [v4] KVM: Fix stack-out-of-bounds read in write_mmio
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
X-Patchwork-Id: 10118879
|
||||
Message-Id: <17d27b8d-908b-a740-1d2d-e92a8507f25b@redhat.com>
|
||||
To: Marc Zyngier <marc.zyngier@arm.com>,
|
||||
Wanpeng Li <kernellwp@gmail.com>, linux-kernel@vger.kernel.org,
|
||||
kvm@vger.kernel.org
|
||||
Cc: =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
|
||||
Wanpeng Li <wanpeng.li@hotmail.com>,
|
||||
Christoffer Dall <christoffer.dall@linaro.org>
|
||||
Date: Mon, 18 Dec 2017 12:55:05 +0100
|
||||
|
||||
On 15/12/2017 12:06, Marc Zyngier wrote:
|
||||
> Assuming you address the above:
|
||||
>
|
||||
> Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
|
||||
> Tested-by: Marc Zyngier <marc.zyngier@arm.com>
|
||||
|
||||
Done as follows:
|
||||
|
||||
|
||||
Thanks,
|
||||
|
||||
Paolo
|
||||
|
||||
diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
|
||||
index dfd21708694f..0a016bd14c2d 100644
|
||||
--- a/include/trace/events/kvm.h
|
||||
+++ b/include/trace/events/kvm.h
|
||||
@@ -227,7 +227,8 @@
|
||||
__entry->gpa = gpa;
|
||||
__entry->val = 0;
|
||||
if (val)
|
||||
- memcpy(&__entry->val, val, min(8, len));
|
||||
+ memcpy(&__entry->val, val,
|
||||
+ min_t(u32, sizeof(__entry->val), len));
|
||||
),
|
||||
|
||||
TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
|