Linux v5.8.15
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
This commit is contained in:
parent
4373d1a2e4
commit
b84b27ed88
|
@ -0,0 +1,305 @@
|
|||
From MAILER-DAEMON Wed Oct 14 16:34:37 2020
|
||||
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
||||
To: netdev@vger.kernel.org
|
||||
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, "Alexander A. Klimov" <grandmaster@al2klimov.de>, Kees Cook <keescook@chromium.org>, Eric Dumazet <edumazet@google.com>, Alexey Kodanev <alexey.kodanev@oracle.com>, dccp@vger.kernel.org, linux-kernel@vger.kernel.org
|
||||
Subject: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock
|
||||
Date: Tue, 13 Oct 2020 19:18:48 +0200
|
||||
Message-Id: <20201013171849.236025-2-kleber.souza@canonical.com>
|
||||
In-Reply-To: <20201013171849.236025-1-kleber.souza@canonical.com>
|
||||
References: <20201013171849.236025-1-kleber.souza@canonical.com>
|
||||
List-ID: <linux-kernel.vger.kernel.org>
|
||||
X-Mailing-List: linux-kernel@vger.kernel.org
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
Content-Transfer-Encoding: 7bit
|
||||
|
||||
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||||
|
||||
When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
|
||||
del_timer_sync can't be used is because this relies on keeping a reference
|
||||
to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
|
||||
during disconnect, the timer should really belong to struct dccp_sock.
|
||||
|
||||
This addresses CVE-2020-16119.
|
||||
|
||||
Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
|
||||
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
||||
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||||
Acked-bd: Richard Sailer <richard_siegfried@systemli.org>
|
||||
---
|
||||
include/linux/dccp.h | 2 ++
|
||||
net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
|
||||
net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
|
||||
3 files changed, 41 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/include/linux/dccp.h b/include/linux/dccp.h
|
||||
index 07e547c02fd8..504afa1a4be6 100644
|
||||
--- a/include/linux/dccp.h
|
||||
+++ b/include/linux/dccp.h
|
||||
@@ -259,6 +259,7 @@ struct dccp_ackvec;
|
||||
* @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
|
||||
* @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
|
||||
* @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
|
||||
+ * @dccps_ccid_timer - used by the CCIDs
|
||||
* @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
|
||||
*/
|
||||
struct dccp_sock {
|
||||
@@ -303,6 +304,7 @@ struct dccp_sock {
|
||||
__u8 dccps_sync_scheduled:1;
|
||||
struct tasklet_struct dccps_xmitlet;
|
||||
struct timer_list dccps_xmit_timer;
|
||||
+ struct timer_list dccps_ccid_timer;
|
||||
};
|
||||
|
||||
static inline struct dccp_sock *dccp_sk(const struct sock *sk)
|
||||
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
|
||||
index 3da1f77bd039..dbca1f1e2449 100644
|
||||
--- a/net/dccp/ccids/ccid2.c
|
||||
+++ b/net/dccp/ccids/ccid2.c
|
||||
@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
|
||||
|
||||
static void ccid2_hc_tx_rto_expire(struct timer_list *t)
|
||||
{
|
||||
- struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
|
||||
- struct sock *sk = hc->sk;
|
||||
- const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
|
||||
+ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
|
||||
+ struct sock *sk = (struct sock *)dp;
|
||||
+ struct ccid2_hc_tx_sock *hc;
|
||||
+ bool sender_was_blocked;
|
||||
|
||||
bh_lock_sock(sk);
|
||||
+
|
||||
+ if (inet_sk_state_load(sk) == DCCP_CLOSED)
|
||||
+ goto out;
|
||||
+
|
||||
+ hc = ccid_priv(dp->dccps_hc_tx_ccid);
|
||||
+ sender_was_blocked = ccid2_cwnd_network_limited(hc);
|
||||
+
|
||||
if (sock_owned_by_user(sk)) {
|
||||
- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
|
||||
+ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
|
||||
goto out;
|
||||
}
|
||||
|
||||
ccid2_pr_debug("RTO_EXPIRE\n");
|
||||
|
||||
- if (sk->sk_state == DCCP_CLOSED)
|
||||
- goto out;
|
||||
-
|
||||
/* back-off timer */
|
||||
hc->tx_rto <<= 1;
|
||||
if (hc->tx_rto > DCCP_RTO_MAX)
|
||||
@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
|
||||
if (sender_was_blocked)
|
||||
dccp_tasklet_schedule(sk);
|
||||
/* restart backed-off timer */
|
||||
- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
|
||||
+ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
|
||||
out:
|
||||
bh_unlock_sock(sk);
|
||||
sock_put(sk);
|
||||
@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
|
||||
}
|
||||
#endif
|
||||
|
||||
- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
|
||||
+ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
|
||||
|
||||
#ifdef CONFIG_IP_DCCP_CCID2_DEBUG
|
||||
do {
|
||||
@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
|
||||
|
||||
/* restart RTO timer if not all outstanding data has been acked */
|
||||
if (hc->tx_pipe == 0)
|
||||
- sk_stop_timer(sk, &hc->tx_rtotimer);
|
||||
+ sk_stop_timer(sk, &dp->dccps_ccid_timer);
|
||||
else
|
||||
- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
|
||||
+ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
|
||||
done:
|
||||
/* check if incoming Acks allow pending packets to be sent */
|
||||
if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
|
||||
@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
|
||||
hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
|
||||
hc->tx_cwnd_used = 0;
|
||||
hc->sk = sk;
|
||||
- timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
|
||||
+ timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
|
||||
INIT_LIST_HEAD(&hc->tx_av_chunks);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void ccid2_hc_tx_exit(struct sock *sk)
|
||||
{
|
||||
+ struct dccp_sock *dp = dccp_sk(sk);
|
||||
struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
|
||||
int i;
|
||||
|
||||
- sk_stop_timer(sk, &hc->tx_rtotimer);
|
||||
+ sk_stop_timer(sk, &dp->dccps_ccid_timer);
|
||||
|
||||
for (i = 0; i < hc->tx_seqbufc; i++)
|
||||
kfree(hc->tx_seqbuf[i]);
|
||||
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
|
||||
index b9ee1a4a8955..685f4d046c0d 100644
|
||||
--- a/net/dccp/ccids/ccid3.c
|
||||
+++ b/net/dccp/ccids/ccid3.c
|
||||
@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
|
||||
|
||||
static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
|
||||
{
|
||||
- struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
|
||||
- struct sock *sk = hc->sk;
|
||||
+ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
|
||||
+ struct ccid3_hc_tx_sock *hc;
|
||||
+ struct sock *sk = (struct sock *)dp;
|
||||
unsigned long t_nfb = USEC_PER_SEC / 5;
|
||||
|
||||
bh_lock_sock(sk);
|
||||
+
|
||||
+ if (inet_sk_state_load(sk) == DCCP_CLOSED)
|
||||
+ goto out;
|
||||
+
|
||||
if (sock_owned_by_user(sk)) {
|
||||
/* Try again later. */
|
||||
/* XXX: set some sensible MIB */
|
||||
goto restart_timer;
|
||||
}
|
||||
|
||||
+ hc = ccid_priv(dp->dccps_hc_tx_ccid);
|
||||
+
|
||||
ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
|
||||
ccid3_tx_state_name(hc->tx_state));
|
||||
|
||||
@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
|
||||
t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
|
||||
|
||||
restart_timer:
|
||||
- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
|
||||
- jiffies + usecs_to_jiffies(t_nfb));
|
||||
+ sk_reset_timer(sk, &dp->dccps_ccid_timer,
|
||||
+ jiffies + usecs_to_jiffies(t_nfb));
|
||||
out:
|
||||
bh_unlock_sock(sk);
|
||||
sock_put(sk);
|
||||
@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
|
||||
return -EBADMSG;
|
||||
|
||||
if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
|
||||
- sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
|
||||
+ sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
|
||||
usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
|
||||
hc->tx_last_win_count = 0;
|
||||
hc->tx_t_last_win_count = now;
|
||||
@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
|
||||
static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
|
||||
{
|
||||
struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
|
||||
+ struct dccp_sock *dp = dccp_sk(sk);
|
||||
struct tfrc_tx_hist_entry *acked;
|
||||
ktime_t now;
|
||||
unsigned long t_nfb;
|
||||
@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
|
||||
(unsigned int)(hc->tx_x >> 6));
|
||||
|
||||
/* unschedule no feedback timer */
|
||||
- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
|
||||
+ sk_stop_timer(sk, &dp->dccps_ccid_timer);
|
||||
|
||||
/*
|
||||
* As we have calculated new ipi, delta, t_nom it is possible
|
||||
@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
|
||||
"expire in %lu jiffies (%luus)\n",
|
||||
dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
|
||||
|
||||
- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
|
||||
- jiffies + usecs_to_jiffies(t_nfb));
|
||||
+ sk_reset_timer(sk, &dp->dccps_ccid_timer,
|
||||
+ jiffies + usecs_to_jiffies(t_nfb));
|
||||
}
|
||||
|
||||
static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
|
||||
@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
|
||||
|
||||
static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
|
||||
{
|
||||
+ struct dccp_sock *dp = dccp_sk(sk);
|
||||
struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
|
||||
|
||||
hc->tx_state = TFRC_SSTATE_NO_SENT;
|
||||
hc->tx_hist = NULL;
|
||||
hc->sk = sk;
|
||||
- timer_setup(&hc->tx_no_feedback_timer,
|
||||
+ timer_setup(&dp->dccps_ccid_timer,
|
||||
ccid3_hc_tx_no_feedback_timer, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void ccid3_hc_tx_exit(struct sock *sk)
|
||||
{
|
||||
+ struct dccp_sock *dp = dccp_sk(sk);
|
||||
struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
|
||||
|
||||
- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
|
||||
+ sk_stop_timer(sk, &dp->dccps_ccid_timer);
|
||||
tfrc_tx_hist_purge(&hc->tx_hist);
|
||||
}
|
||||
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
||||
From MAILER-DAEMON Wed Oct 14 16:34:37 2020
|
||||
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
||||
To: netdev@vger.kernel.org
|
||||
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, "Alexander A. Klimov" <grandmaster@al2klimov.de>, Kees Cook <keescook@chromium.org>, Eric Dumazet <edumazet@google.com>, Alexey Kodanev <alexey.kodanev@oracle.com>, dccp@vger.kernel.org, linux-kernel@vger.kernel.org
|
||||
Subject: [PATCH 2/2] Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()"
|
||||
Date: Tue, 13 Oct 2020 19:18:49 +0200
|
||||
Message-Id: <20201013171849.236025-3-kleber.souza@canonical.com>
|
||||
In-Reply-To: <20201013171849.236025-1-kleber.souza@canonical.com>
|
||||
References: <20201013171849.236025-1-kleber.souza@canonical.com>
|
||||
List-ID: <linux-kernel.vger.kernel.org>
|
||||
X-Mailing-List: linux-kernel@vger.kernel.org
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
Content-Transfer-Encoding: 7bit
|
||||
|
||||
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||||
|
||||
This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
|
||||
|
||||
This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
|
||||
kept, allowing the socket to be reused as a listener socket, and the cloned
|
||||
socket will free its dccps_hc_tx_ccid, leading to a later use after free,
|
||||
when the listener socket is closed.
|
||||
|
||||
This addresses CVE-2020-16119.
|
||||
|
||||
Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
|
||||
Reported-by: Hadar Manor
|
||||
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
||||
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||||
Acked-by: Richard Sailer <richard_siegfried@systemli.org>
|
||||
---
|
||||
net/dccp/proto.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
|
||||
index 6d705d90c614..359e848dba6c 100644
|
||||
--- a/net/dccp/proto.c
|
||||
+++ b/net/dccp/proto.c
|
||||
@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
|
||||
|
||||
dccp_clear_xmit_timers(sk);
|
||||
ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
|
||||
+ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
|
||||
dp->dccps_hc_rx_ccid = NULL;
|
||||
+ dp->dccps_hc_tx_ccid = NULL;
|
||||
|
||||
__skb_queue_purge(&sk->sk_receive_queue);
|
||||
__skb_queue_purge(&sk->sk_write_queue);
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
@ -1,149 +0,0 @@
|
|||
From patchwork Tue Oct 6 16:33:26 2020
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
X-Patchwork-Submitter: Jeremy Linton <jeremy.linton@arm.com>
|
||||
X-Patchwork-Id: 11818995
|
||||
Return-Path:
|
||||
<SRS0=j42+=DN=lists.infradead.org=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@kernel.org>
|
||||
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
|
||||
[172.30.200.123])
|
||||
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 90CE859D
|
||||
for <patchwork-linux-arm@patchwork.kernel.org>;
|
||||
Tue, 6 Oct 2020 16:35:07 +0000 (UTC)
|
||||
Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134])
|
||||
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
|
||||
(No client certificate requested)
|
||||
by mail.kernel.org (Postfix) with ESMTPS id 5D82E206D4
|
||||
for <patchwork-linux-arm@patchwork.kernel.org>;
|
||||
Tue, 6 Oct 2020 16:35:07 +0000 (UTC)
|
||||
Authentication-Results: mail.kernel.org;
|
||||
dkim=pass (2048-bit key) header.d=lists.infradead.org
|
||||
header.i=@lists.infradead.org header.b="f/oUq3JQ"
|
||||
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5D82E206D4
|
||||
Authentication-Results: mail.kernel.org;
|
||||
dmarc=fail (p=none dis=none) header.from=arm.com
|
||||
Authentication-Results: mail.kernel.org;
|
||||
spf=none
|
||||
smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
|
||||
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
|
||||
d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
|
||||
Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
|
||||
List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From:
|
||||
Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
|
||||
:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner;
|
||||
bh=zNs0I+g5JjqBvhvT5+mF98XNJ/hK7N5NCEi/ndGYagE=; b=f/oUq3JQxCkOkX7IQrzLh7mHuM
|
||||
vBXmyTI3BhMnGo6oaWvcF/dYeUpO4wAmEHlqyFf6zHzUv8Gwtm5IDH4l0csTqkTEYUdkwD6A9MGX2
|
||||
RHpylWVrErZCvcV4kRqENP+0w7j8Ry+ZE4+NZZFcUB/ecGYhJxD3/4Gc5ycmENUkRIAsJrQOPWW+b
|
||||
SIKpmegcjtJ1AIv7+Y+7II37IhmF579qQoghCSgFaGp6WAEIv80wcrswEnEDc9nsbBMIC1XjlN6g3
|
||||
8PclJ+oXlsNPMLkhu1gJclvRBWzN3OjXVvwAvQuLBW2CqpdTxvYIE6g26kpEbUdGOVaGlieYcN0pd
|
||||
RrspfWkQ==;
|
||||
Received: from localhost ([::1] helo=merlin.infradead.org)
|
||||
by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
|
||||
id 1kPpu9-0007rB-Rx; Tue, 06 Oct 2020 16:33:33 +0000
|
||||
Received: from foss.arm.com ([217.140.110.172])
|
||||
by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
|
||||
id 1kPpu6-0007qe-MX
|
||||
for linux-arm-kernel@lists.infradead.org; Tue, 06 Oct 2020 16:33:31 +0000
|
||||
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
|
||||
by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 69DBBD6E;
|
||||
Tue, 6 Oct 2020 09:33:27 -0700 (PDT)
|
||||
Received: from mammon-tx2.austin.arm.com (mammon-tx2.austin.arm.com
|
||||
[10.118.28.62])
|
||||
by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 608393F66B;
|
||||
Tue, 6 Oct 2020 09:33:27 -0700 (PDT)
|
||||
From: Jeremy Linton <jeremy.linton@arm.com>
|
||||
To: linux-arm-kernel@lists.infradead.org
|
||||
Subject: [BUG][PATCH v3] crypto: arm64: Use x16 with indirect branch to bti_c
|
||||
Date: Tue, 6 Oct 2020 11:33:26 -0500
|
||||
Message-Id: <20201006163326.2780619-1-jeremy.linton@arm.com>
|
||||
X-Mailer: git-send-email 2.25.4
|
||||
MIME-Version: 1.0
|
||||
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3
|
||||
X-CRM114-CacheID: sfid-20201006_123330_788327_AA367CD9
|
||||
X-CRM114-Status: GOOD ( 11.54 )
|
||||
X-Spam-Score: -2.3 (--)
|
||||
X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary:
|
||||
Content analysis details: (-2.3 points)
|
||||
pts rule name description
|
||||
---- ----------------------
|
||||
--------------------------------------------------
|
||||
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
|
||||
medium trust [217.140.110.172 listed in list.dnswl.org]
|
||||
-0.0 SPF_PASS SPF: sender matches SPF record
|
||||
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
|
||||
X-BeenThere: linux-arm-kernel@lists.infradead.org
|
||||
X-Mailman-Version: 2.1.29
|
||||
Precedence: list
|
||||
List-Id: <linux-arm-kernel.lists.infradead.org>
|
||||
List-Unsubscribe:
|
||||
<http://lists.infradead.org/mailman/options/linux-arm-kernel>,
|
||||
<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
|
||||
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
|
||||
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
|
||||
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
|
||||
List-Subscribe:
|
||||
<http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
|
||||
<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
|
||||
Cc: herbert@gondor.apana.org.au, catalin.marinas@arm.com,
|
||||
linux-kernel@vger.kernel.org, Jeremy Linton <jeremy.linton@arm.com>,
|
||||
ardb@kernel.org, broonie@kernel.org, linux-crypto@vger.kernel.org,
|
||||
will@kernel.org, davem@davemloft.net, dave.martin@arm.com
|
||||
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
|
||||
Errors-To:
|
||||
linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
|
||||
|
||||
The AES code uses a 'br x7' as part of a function called by
|
||||
a macro. That branch needs a bti_j as a target. This results
|
||||
in a panic as seen below. Using x16 (or x17) with an indirect
|
||||
branch keeps the target bti_c.
|
||||
|
||||
Bad mode in Synchronous Abort handler detected on CPU1, code 0x34000003 -- BTI
|
||||
CPU: 1 PID: 265 Comm: cryptomgr_test Not tainted 5.8.11-300.fc33.aarch64 #1
|
||||
pstate: 20400c05 (nzCv daif +PAN -UAO BTYPE=j-)
|
||||
pc : aesbs_encrypt8+0x0/0x5f0 [aes_neon_bs]
|
||||
lr : aesbs_xts_encrypt+0x48/0xe0 [aes_neon_bs]
|
||||
sp : ffff80001052b730
|
||||
|
||||
aesbs_encrypt8+0x0/0x5f0 [aes_neon_bs]
|
||||
__xts_crypt+0xb0/0x2dc [aes_neon_bs]
|
||||
xts_encrypt+0x28/0x3c [aes_neon_bs]
|
||||
crypto_skcipher_encrypt+0x50/0x84
|
||||
simd_skcipher_encrypt+0xc8/0xe0
|
||||
crypto_skcipher_encrypt+0x50/0x84
|
||||
test_skcipher_vec_cfg+0x224/0x5f0
|
||||
test_skcipher+0xbc/0x120
|
||||
alg_test_skcipher+0xa0/0x1b0
|
||||
alg_test+0x3dc/0x47c
|
||||
cryptomgr_test+0x38/0x60
|
||||
|
||||
Fixes: 0e89640b640d ("crypto: arm64 - Use modern annotations for assembly functions")
|
||||
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
|
||||
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
|
||||
Reviewed-by: Mark Brown <broonie@kernel.org>
|
||||
---
|
||||
arch/arm64/crypto/aes-neonbs-core.S | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/arm64/crypto/aes-neonbs-core.S b/arch/arm64/crypto/aes-neonbs-core.S
|
||||
index b357164379f6..63a52ad9a75c 100644
|
||||
--- a/arch/arm64/crypto/aes-neonbs-core.S
|
||||
+++ b/arch/arm64/crypto/aes-neonbs-core.S
|
||||
@@ -788,7 +788,7 @@ SYM_FUNC_START_LOCAL(__xts_crypt8)
|
||||
|
||||
0: mov bskey, x21
|
||||
mov rounds, x22
|
||||
- br x7
|
||||
+ br x16
|
||||
SYM_FUNC_END(__xts_crypt8)
|
||||
|
||||
.macro __xts_crypt, do8, o0, o1, o2, o3, o4, o5, o6, o7
|
||||
@@ -806,7 +806,7 @@ SYM_FUNC_END(__xts_crypt8)
|
||||
uzp1 v30.4s, v30.4s, v25.4s
|
||||
ld1 {v25.16b}, [x24]
|
||||
|
||||
-99: adr x7, \do8
|
||||
+99: adr x16, \do8
|
||||
bl __xts_crypt8
|
||||
|
||||
ldp q16, q17, [sp, #.Lframe_local_offset]
|
14
kernel.spec
14
kernel.spec
|
@ -92,7 +92,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 14
|
||||
%define stable_update 15
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -875,9 +875,6 @@ Patch109: mmc-sdhci-iproc-Enable-eMMC-DDR-3.3V-support-for-bcm2711.patch
|
|||
|
||||
Patch112: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
|
||||
|
||||
# rhbz 1875339 1875828 1876997
|
||||
Patch115: pdx86-SW_TABLET_MODE-fixes.patch
|
||||
|
||||
# https://patchwork.kernel.org/patch/11796255/
|
||||
Patch116: arm64-dts-rockchip-disable-USB-type-c-DisplayPort.patch
|
||||
|
||||
|
@ -891,8 +888,9 @@ Patch119: arm64-tegra-enable-dfll-on-jetson-nano.patch
|
|||
# https://www.spinics.net/lists/linux-tegra/msg53605.html
|
||||
Patch120: iommu-tegra-smmu-Fix-TLB-line-for-Tegra210.patch
|
||||
|
||||
# https://patchwork.kernel.org/patch/11818995
|
||||
Patch121: arm64-BUG-crypto-arm64-Use-x16-with-indirect-branch-to-bti_c.patch
|
||||
# CVE-2020-16119 rhbz 1886374 1888083
|
||||
Patch121: CVE-2020-16119-DCCP-CCID-structure-use-after-free.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -3006,6 +3004,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Oct 14 11:29:34 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.15-300
|
||||
- Linux v5.8.15
|
||||
- Fix CVE-2020-16119 (rhbz 1886374 1888083)
|
||||
|
||||
* Wed Oct 7 07:21:34 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.14-300
|
||||
- Linux v5.8.14
|
||||
|
||||
|
|
|
@ -1,212 +0,0 @@
|
|||
From 9126d28cf4e537ef5e77006c51b1a24ad8e8170b Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Fri, 11 Sep 2020 13:34:42 +0200
|
||||
Subject: [PATCH 1/2] platform/x86: intel-vbtn: Fix SW_TABLET_MODE always
|
||||
reporting 1 on the HP Pavilion 11 x360
|
||||
|
||||
Commit cfae58ed681c ("platform/x86: intel-vbtn: Only blacklist
|
||||
SW_TABLET_MODE on the 9 / "Laptop" chasis-type") restored SW_TABLET_MODE
|
||||
reporting on the HP stream x360 11 series on which it was previously broken
|
||||
by commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet
|
||||
mode switch on 2-in-1's").
|
||||
|
||||
It turns out that enabling SW_TABLET_MODE reporting on devices with a
|
||||
chassis-type of 10 ("Notebook") causes SW_TABLET_MODE to always report 1
|
||||
at boot on the HP Pavilion 11 x360, which causes libinput to disable the
|
||||
kbd and touchpad.
|
||||
|
||||
The HP Pavilion 11 x360's ACPI VGBS method sets bit 4 instead of bit 6 when
|
||||
NOT in tablet mode at boot. Inspecting all the DSDTs in my DSDT collection
|
||||
shows only one other model, the Medion E1239T ever setting bit 4 and it
|
||||
always sets this together with bit 6.
|
||||
|
||||
So lets treat bit 4 as a second bit which when set indicates the device not
|
||||
being in tablet-mode, as we already do for bit 6.
|
||||
|
||||
While at it also prefix all VGBS constant defines with "VGBS_".
|
||||
|
||||
Fixes: cfae58ed681c ("platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type")
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
drivers/platform/x86/intel-vbtn.c | 12 ++++++++----
|
||||
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
|
||||
index e85d8e58320c..f443619e1e7e 100644
|
||||
--- a/drivers/platform/x86/intel-vbtn.c
|
||||
+++ b/drivers/platform/x86/intel-vbtn.c
|
||||
@@ -15,9 +15,13 @@
|
||||
#include <linux/platform_device.h>
|
||||
#include <linux/suspend.h>
|
||||
|
||||
+/* Returned when NOT in tablet mode on some HP Stream x360 11 models */
|
||||
+#define VGBS_TABLET_MODE_FLAG_ALT 0x10
|
||||
/* When NOT in tablet mode, VGBS returns with the flag 0x40 */
|
||||
-#define TABLET_MODE_FLAG 0x40
|
||||
-#define DOCK_MODE_FLAG 0x80
|
||||
+#define VGBS_TABLET_MODE_FLAG 0x40
|
||||
+#define VGBS_DOCK_MODE_FLAG 0x80
|
||||
+
|
||||
+#define VGBS_TABLET_MODE_FLAGS (VGBS_TABLET_MODE_FLAG | VGBS_TABLET_MODE_FLAG_ALT)
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("AceLan Kao");
|
||||
@@ -72,9 +76,9 @@ static void detect_tablet_mode(struct platform_device *device)
|
||||
if (ACPI_FAILURE(status))
|
||||
return;
|
||||
|
||||
- m = !(vgbs & TABLET_MODE_FLAG);
|
||||
+ m = !(vgbs & VGBS_TABLET_MODE_FLAGS);
|
||||
input_report_switch(priv->input_dev, SW_TABLET_MODE, m);
|
||||
- m = (vgbs & DOCK_MODE_FLAG) ? 1 : 0;
|
||||
+ m = (vgbs & VGBS_DOCK_MODE_FLAG) ? 1 : 0;
|
||||
input_report_switch(priv->input_dev, SW_DOCK, m);
|
||||
}
|
||||
|
||||
--
|
||||
2.28.0
|
||||
|
||||
From d26d82852e926fee13b5fa71cc004da391aaa5e3 Mon Sep 17 00:00:00 2001
|
||||
From: Hans de Goede <hdegoede@redhat.com>
|
||||
Date: Wed, 16 Sep 2020 16:14:39 +0200
|
||||
Subject: [PATCH 2/2] platform/x86: asus-wmi: Fix SW_TABLET_MODE always
|
||||
reporting 1 on many different models
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit b0dbd97de1f1 ("platform/x86: asus-wmi: Add support for
|
||||
SW_TABLET_MODE") added support for reporting SW_TABLET_MODE using the
|
||||
Asus 0x00120063 WMI-device-id to see if various transformer models were
|
||||
docked into their keyboard-dock (SW_TABLET_MODE=0) or if they were
|
||||
being used as a tablet.
|
||||
|
||||
The new SW_TABLET_MODE support (naively?) assumed that non Transformer
|
||||
devices would either not support the 0x00120063 WMI-device-id at all,
|
||||
or would NOT set ASUS_WMI_DSTS_PRESENCE_BIT in their reply when querying
|
||||
the device-id.
|
||||
|
||||
Unfortunately this is not true and we have received many bug reports about
|
||||
this change causing the asus-wmi driver to always report SW_TABLET_MODE=1
|
||||
on non Transformer devices. This causes libinput to think that these are
|
||||
360 degree hinges style 2-in-1s folded into tablet-mode. Making libinput
|
||||
suppress keyboard and touchpad events from the builtin keyboard and
|
||||
touchpad. So effectively this causes the keyboard and touchpad to not work
|
||||
on many non Transformer Asus models.
|
||||
|
||||
This commit fixes this by using the existing DMI based quirk mechanism in
|
||||
asus-nb-wmi.c to allow using the 0x00120063 device-id for reporting
|
||||
SW_TABLET_MODE on Transformer models and ignoring it on all other models.
|
||||
|
||||
Fixes: b0dbd97de1f1 ("platform/x86: asus-wmi: Add support for SW_TABLET_MODE")
|
||||
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209011
|
||||
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1875339
|
||||
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1875828
|
||||
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1876997
|
||||
Reported-by: Samuel Čavoj <samuel@cavoj.net>
|
||||
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||
---
|
||||
drivers/platform/x86/asus-nb-wmi.c | 32 ++++++++++++++++++++++++++++++
|
||||
drivers/platform/x86/asus-wmi.c | 16 ++++++++-------
|
||||
drivers/platform/x86/asus-wmi.h | 1 +
|
||||
3 files changed, 42 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
|
||||
index 680c3640e013..1d9fbabd02fb 100644
|
||||
--- a/drivers/platform/x86/asus-nb-wmi.c
|
||||
+++ b/drivers/platform/x86/asus-nb-wmi.c
|
||||
@@ -115,6 +115,10 @@ static struct quirk_entry quirk_asus_vendor_backlight = {
|
||||
.wmi_backlight_set_devstate = true,
|
||||
};
|
||||
|
||||
+static struct quirk_entry quirk_asus_use_kbd_dock_devid = {
|
||||
+ .use_kbd_dock_devid = true,
|
||||
+};
|
||||
+
|
||||
static int dmi_matched(const struct dmi_system_id *dmi)
|
||||
{
|
||||
pr_info("Identified laptop model '%s'\n", dmi->ident);
|
||||
@@ -488,6 +492,34 @@ static const struct dmi_system_id asus_quirks[] = {
|
||||
},
|
||||
.driver_data = &quirk_asus_ga502i,
|
||||
},
|
||||
+ {
|
||||
+ .callback = dmi_matched,
|
||||
+ .ident = "Asus Transformer T100TA / T100HA / T100CHI",
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
|
||||
+ /* Match *T100* */
|
||||
+ DMI_MATCH(DMI_PRODUCT_NAME, "T100"),
|
||||
+ },
|
||||
+ .driver_data = &quirk_asus_use_kbd_dock_devid,
|
||||
+ },
|
||||
+ {
|
||||
+ .callback = dmi_matched,
|
||||
+ .ident = "Asus Transformer T101HA",
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
|
||||
+ DMI_MATCH(DMI_PRODUCT_NAME, "T101HA"),
|
||||
+ },
|
||||
+ .driver_data = &quirk_asus_use_kbd_dock_devid,
|
||||
+ },
|
||||
+ {
|
||||
+ .callback = dmi_matched,
|
||||
+ .ident = "Asus Transformer T200TA",
|
||||
+ .matches = {
|
||||
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
|
||||
+ DMI_MATCH(DMI_PRODUCT_NAME, "T200TA"),
|
||||
+ },
|
||||
+ .driver_data = &quirk_asus_use_kbd_dock_devid,
|
||||
+ },
|
||||
{},
|
||||
};
|
||||
|
||||
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
|
||||
index 8f4acdc06b13..ae6289d37faf 100644
|
||||
--- a/drivers/platform/x86/asus-wmi.c
|
||||
+++ b/drivers/platform/x86/asus-wmi.c
|
||||
@@ -365,12 +365,14 @@ static int asus_wmi_input_init(struct asus_wmi *asus)
|
||||
if (err)
|
||||
goto err_free_dev;
|
||||
|
||||
- result = asus_wmi_get_devstate_simple(asus, ASUS_WMI_DEVID_KBD_DOCK);
|
||||
- if (result >= 0) {
|
||||
- input_set_capability(asus->inputdev, EV_SW, SW_TABLET_MODE);
|
||||
- input_report_switch(asus->inputdev, SW_TABLET_MODE, !result);
|
||||
- } else if (result != -ENODEV) {
|
||||
- pr_err("Error checking for keyboard-dock: %d\n", result);
|
||||
+ if (asus->driver->quirks->use_kbd_dock_devid) {
|
||||
+ result = asus_wmi_get_devstate_simple(asus, ASUS_WMI_DEVID_KBD_DOCK);
|
||||
+ if (result >= 0) {
|
||||
+ input_set_capability(asus->inputdev, EV_SW, SW_TABLET_MODE);
|
||||
+ input_report_switch(asus->inputdev, SW_TABLET_MODE, !result);
|
||||
+ } else if (result != -ENODEV) {
|
||||
+ pr_err("Error checking for keyboard-dock: %d\n", result);
|
||||
+ }
|
||||
}
|
||||
|
||||
err = input_register_device(asus->inputdev);
|
||||
@@ -2114,7 +2116,7 @@ static void asus_wmi_handle_event_code(int code, struct asus_wmi *asus)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (code == NOTIFY_KBD_DOCK_CHANGE) {
|
||||
+ if (asus->driver->quirks->use_kbd_dock_devid && code == NOTIFY_KBD_DOCK_CHANGE) {
|
||||
result = asus_wmi_get_devstate_simple(asus,
|
||||
ASUS_WMI_DEVID_KBD_DOCK);
|
||||
if (result >= 0) {
|
||||
diff --git a/drivers/platform/x86/asus-wmi.h b/drivers/platform/x86/asus-wmi.h
|
||||
index 4f31b68642a0..1a95c172f94b 100644
|
||||
--- a/drivers/platform/x86/asus-wmi.h
|
||||
+++ b/drivers/platform/x86/asus-wmi.h
|
||||
@@ -33,6 +33,7 @@ struct quirk_entry {
|
||||
bool wmi_backlight_native;
|
||||
bool wmi_backlight_set_devstate;
|
||||
bool wmi_force_als_set;
|
||||
+ bool use_kbd_dock_devid;
|
||||
int wapf;
|
||||
/*
|
||||
* For machines with AMD graphic chips, it will send out WMI event
|
||||
--
|
||||
2.28.0
|
||||
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-5.8.tar.xz) = 19c8694bda4533464877e2d976aca95f48c2c40c11efcc1dce0ca91cc5f9826110e277c7de2a49ff99af8ae1c76e275b7c463abf71fbf410956d63066dc4ee53
|
||||
SHA512 (patch-5.8.14.xz) = 41a75b2b2f02f3412be9327a54688830396e66bd2bf6ca5535ba7a20bef8b8619b5939b7fbea70ed54e895480be99b6cf1484403a4da44f3500349349a8e14fc
|
||||
SHA512 (patch-5.8.15.xz) = 885f25aae3f4598ccee765f3ecaf68a6694041c5540c212d5782560f9f2abe581737033cc9e9f16a24b999eb6f30a5bf8ed8f9a975e6fd8ac8649a0e84ddbae9
|
||||
|
|
Loading…
Reference in New Issue