Linux v5.8.15

Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>

CVE-2020-16119-DCCP-CCID-structure-use-after-free.patch

@@ -0,0 +1,305 @@
+From MAILER-DAEMON Wed Oct 14 16:34:37 2020
+From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+To: netdev@vger.kernel.org
+Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, "Alexander A. Klimov" <grandmaster@al2klimov.de>, Kees Cook <keescook@chromium.org>, Eric Dumazet <edumazet@google.com>, Alexey Kodanev <alexey.kodanev@oracle.com>, dccp@vger.kernel.org, linux-kernel@vger.kernel.org
+Subject: [PATCH 1/2] dccp: ccid: move timers to struct dccp_sock
+Date: Tue, 13 Oct 2020 19:18:48 +0200
+Message-Id: <20201013171849.236025-2-kleber.souza@canonical.com>
+In-Reply-To: <20201013171849.236025-1-kleber.souza@canonical.com>
+References: <20201013171849.236025-1-kleber.souza@canonical.com>
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
+del_timer_sync can't be used is because this relies on keeping a reference
+to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
+during disconnect, the timer should really belong to struct dccp_sock.
+
+This addresses CVE-2020-16119.
+
+Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Acked-bd: Richard Sailer <richard_siegfried@systemli.org>
+---
+ include/linux/dccp.h   |  2 ++
+ net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
+ net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/dccp.h b/include/linux/dccp.h
+index 07e547c02fd8..504afa1a4be6 100644
+--- a/include/linux/dccp.h
++++ b/include/linux/dccp.h
+@@ -259,6 +259,7 @@ struct dccp_ackvec;
+  * @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
+  * @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
+  * @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
++ * @dccps_ccid_timer - used by the CCIDs
+  * @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
+  */
+ struct dccp_sock {
+@@ -303,6 +304,7 @@ struct dccp_sock {
+ 	__u8				dccps_sync_scheduled:1;
+ 	struct tasklet_struct		dccps_xmitlet;
+ 	struct timer_list		dccps_xmit_timer;
++	struct timer_list		dccps_ccid_timer;
+ };
+ 
+ static inline struct dccp_sock *dccp_sk(const struct sock *sk)
+diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
+index 3da1f77bd039..dbca1f1e2449 100644
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
+ 
+ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ {
+-	struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
+-	struct sock *sk = hc->sk;
+-	const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
++	struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++	struct sock *sk = (struct sock *)dp;
++	struct ccid2_hc_tx_sock *hc;
++	bool sender_was_blocked;
+ 
+ 	bh_lock_sock(sk);
++
++	if (inet_sk_state_load(sk) == DCCP_CLOSED)
++		goto out;
++
++	hc = ccid_priv(dp->dccps_hc_tx_ccid);
++	sender_was_blocked = ccid2_cwnd_network_limited(hc);
++
+ 	if (sock_owned_by_user(sk)) {
+-		sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
++		sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
+ 		goto out;
+ 	}
+ 
+ 	ccid2_pr_debug("RTO_EXPIRE\n");
+ 
+-	if (sk->sk_state == DCCP_CLOSED)
+-		goto out;
+-
+ 	/* back-off timer */
+ 	hc->tx_rto <<= 1;
+ 	if (hc->tx_rto > DCCP_RTO_MAX)
+@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ 	if (sender_was_blocked)
+ 		dccp_tasklet_schedule(sk);
+ 	/* restart backed-off timer */
+-	sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++	sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ out:
+ 	bh_unlock_sock(sk);
+ 	sock_put(sk);
+@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ 	}
+ #endif
+ 
+-	sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++	sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ 
+ #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
+ 	do {
+@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ 
+ 	/* restart RTO timer if not all outstanding data has been acked */
+ 	if (hc->tx_pipe == 0)
+-		sk_stop_timer(sk, &hc->tx_rtotimer);
++		sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ 	else
+-		sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++		sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ done:
+ 	/* check if incoming Acks allow pending packets to be sent */
+ 	if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
+@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ 	hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
+ 	hc->tx_cwnd_used = 0;
+ 	hc->sk		 = sk;
+-	timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
++	timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
+ 	INIT_LIST_HEAD(&hc->tx_av_chunks);
+ 	return 0;
+ }
+ 
+ static void ccid2_hc_tx_exit(struct sock *sk)
+ {
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
+ 	int i;
+ 
+-	sk_stop_timer(sk, &hc->tx_rtotimer);
++	sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ 
+ 	for (i = 0; i < hc->tx_seqbufc; i++)
+ 		kfree(hc->tx_seqbuf[i]);
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index b9ee1a4a8955..685f4d046c0d 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
+ 
+ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ {
+-	struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
+-	struct sock *sk = hc->sk;
++	struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++	struct ccid3_hc_tx_sock *hc;
++	struct sock *sk = (struct sock *)dp;
+ 	unsigned long t_nfb = USEC_PER_SEC / 5;
+ 
+ 	bh_lock_sock(sk);
++
++	if (inet_sk_state_load(sk) == DCCP_CLOSED)
++		goto out;
++
+ 	if (sock_owned_by_user(sk)) {
+ 		/* Try again later. */
+ 		/* XXX: set some sensible MIB */
+ 		goto restart_timer;
+ 	}
+ 
++	hc = ccid_priv(dp->dccps_hc_tx_ccid);
++
+ 	ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
+ 		       ccid3_tx_state_name(hc->tx_state));
+ 
+@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ 		t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
+ 
+ restart_timer:
+-	sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+-			   jiffies + usecs_to_jiffies(t_nfb));
++	sk_reset_timer(sk, &dp->dccps_ccid_timer,
++		       jiffies + usecs_to_jiffies(t_nfb));
+ out:
+ 	bh_unlock_sock(sk);
+ 	sock_put(sk);
+@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
+ 		return -EBADMSG;
+ 
+ 	if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
+-		sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
++		sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
+ 			       usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
+ 		hc->tx_last_win_count	= 0;
+ 		hc->tx_t_last_win_count = now;
+@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ 	struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	struct tfrc_tx_hist_entry *acked;
+ 	ktime_t now;
+ 	unsigned long t_nfb;
+@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ 			       (unsigned int)(hc->tx_x >> 6));
+ 
+ 	/* unschedule no feedback timer */
+-	sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++	sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ 
+ 	/*
+ 	 * As we have calculated new ipi, delta, t_nom it is possible
+@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ 		       "expire in %lu jiffies (%luus)\n",
+ 		       dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
+ 
+-	sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+-			   jiffies + usecs_to_jiffies(t_nfb));
++	sk_reset_timer(sk, &dp->dccps_ccid_timer,
++		       jiffies + usecs_to_jiffies(t_nfb));
+ }
+ 
+ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+ 
+ static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ {
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
+ 
+ 	hc->tx_state = TFRC_SSTATE_NO_SENT;
+ 	hc->tx_hist  = NULL;
+ 	hc->sk	     = sk;
+-	timer_setup(&hc->tx_no_feedback_timer,
++	timer_setup(&dp->dccps_ccid_timer,
+ 		    ccid3_hc_tx_no_feedback_timer, 0);
+ 	return 0;
+ }
+ 
+ static void ccid3_hc_tx_exit(struct sock *sk)
+ {
++	struct dccp_sock *dp = dccp_sk(sk);
+ 	struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
+ 
+-	sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++	sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ 	tfrc_tx_hist_purge(&hc->tx_hist);
+ }
+ 
+-- 
+2.25.1
+
+
+From MAILER-DAEMON Wed Oct 14 16:34:37 2020
+From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+To: netdev@vger.kernel.org
+Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Thadeu Lima de Souza Cascardo <cascardo@canonical.com>, "Gustavo A. R. Silva" <gustavoars@kernel.org>, "Alexander A. Klimov" <grandmaster@al2klimov.de>, Kees Cook <keescook@chromium.org>, Eric Dumazet <edumazet@google.com>, Alexey Kodanev <alexey.kodanev@oracle.com>, dccp@vger.kernel.org, linux-kernel@vger.kernel.org
+Subject: [PATCH 2/2] Revert "dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()"
+Date: Tue, 13 Oct 2020 19:18:49 +0200
+Message-Id: <20201013171849.236025-3-kleber.souza@canonical.com>
+In-Reply-To: <20201013171849.236025-1-kleber.souza@canonical.com>
+References: <20201013171849.236025-1-kleber.souza@canonical.com>
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
+
+This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
+kept, allowing the socket to be reused as a listener socket, and the cloned
+socket will free its dccps_hc_tx_ccid, leading to a later use after free,
+when the listener socket is closed.
+
+This addresses CVE-2020-16119.
+
+Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
+Reported-by: Hadar Manor
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Acked-by: Richard Sailer <richard_siegfried@systemli.org>
+---
+ net/dccp/proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c614..359e848dba6c 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
+ 
+ 	dccp_clear_xmit_timers(sk);
+ 	ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++	ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ 	dp->dccps_hc_rx_ccid = NULL;
++	dp->dccps_hc_tx_ccid = NULL;
+ 
+ 	__skb_queue_purge(&sk->sk_receive_queue);
+ 	__skb_queue_purge(&sk->sk_write_queue);
+-- 
+2.25.1
+
+

arm64-BUG-crypto-arm64-Use-x16-with-indirect-branch-to-bti_c.patch

@@ -1,149 +0,0 @@
-From patchwork Tue Oct  6 16:33:26 2020
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Jeremy Linton <jeremy.linton@arm.com>
-X-Patchwork-Id: 11818995
-Return-Path: 
- <SRS0=j42+=DN=lists.infradead.org=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 90CE859D
-	for <patchwork-linux-arm@patchwork.kernel.org>;
- Tue,  6 Oct 2020 16:35:07 +0000 (UTC)
-Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134])
-	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
-	(No client certificate requested)
-	by mail.kernel.org (Postfix) with ESMTPS id 5D82E206D4
-	for <patchwork-linux-arm@patchwork.kernel.org>;
- Tue,  6 Oct 2020 16:35:07 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
-	dkim=pass (2048-bit key) header.d=lists.infradead.org
- header.i=@lists.infradead.org header.b="f/oUq3JQ"
-DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5D82E206D4
-Authentication-Results: mail.kernel.org;
- dmarc=fail (p=none dis=none) header.from=arm.com
-Authentication-Results: mail.kernel.org;
- spf=none
- smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
-	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
-	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
-	List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From:
-	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
-	:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner;
-	bh=zNs0I+g5JjqBvhvT5+mF98XNJ/hK7N5NCEi/ndGYagE=; b=f/oUq3JQxCkOkX7IQrzLh7mHuM
-	vBXmyTI3BhMnGo6oaWvcF/dYeUpO4wAmEHlqyFf6zHzUv8Gwtm5IDH4l0csTqkTEYUdkwD6A9MGX2
-	RHpylWVrErZCvcV4kRqENP+0w7j8Ry+ZE4+NZZFcUB/ecGYhJxD3/4Gc5ycmENUkRIAsJrQOPWW+b
-	SIKpmegcjtJ1AIv7+Y+7II37IhmF579qQoghCSgFaGp6WAEIv80wcrswEnEDc9nsbBMIC1XjlN6g3
-	8PclJ+oXlsNPMLkhu1gJclvRBWzN3OjXVvwAvQuLBW2CqpdTxvYIE6g26kpEbUdGOVaGlieYcN0pd
-	RrspfWkQ==;
-Received: from localhost ([::1] helo=merlin.infradead.org)
-	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
-	id 1kPpu9-0007rB-Rx; Tue, 06 Oct 2020 16:33:33 +0000
-Received: from foss.arm.com ([217.140.110.172])
- by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
- id 1kPpu6-0007qe-MX
- for linux-arm-kernel@lists.infradead.org; Tue, 06 Oct 2020 16:33:31 +0000
-Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
- by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 69DBBD6E;
- Tue,  6 Oct 2020 09:33:27 -0700 (PDT)
-Received: from mammon-tx2.austin.arm.com (mammon-tx2.austin.arm.com
- [10.118.28.62])
- by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 608393F66B;
- Tue,  6 Oct 2020 09:33:27 -0700 (PDT)
-From: Jeremy Linton <jeremy.linton@arm.com>
-To: linux-arm-kernel@lists.infradead.org
-Subject: [BUG][PATCH v3] crypto: arm64: Use x16 with indirect branch to bti_c
-Date: Tue,  6 Oct 2020 11:33:26 -0500
-Message-Id: <20201006163326.2780619-1-jeremy.linton@arm.com>
-X-Mailer: git-send-email 2.25.4
-MIME-Version: 1.0
-X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
-X-CRM114-CacheID: sfid-20201006_123330_788327_AA367CD9 
-X-CRM114-Status: GOOD (  11.54  )
-X-Spam-Score: -2.3 (--)
-X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary:
- Content analysis details:   (-2.3 points)
- pts rule name              description
- ---- ----------------------
- --------------------------------------------------
- -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
- medium trust [217.140.110.172 listed in list.dnswl.org]
- -0.0 SPF_PASS               SPF: sender matches SPF record
- 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
-X-BeenThere: linux-arm-kernel@lists.infradead.org
-X-Mailman-Version: 2.1.29
-Precedence: list
-List-Id: <linux-arm-kernel.lists.infradead.org>
-List-Unsubscribe: 
- <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
- <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
-List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
-List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
-List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
-List-Subscribe: 
- <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
- <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
-Cc: herbert@gondor.apana.org.au, catalin.marinas@arm.com,
- linux-kernel@vger.kernel.org, Jeremy Linton <jeremy.linton@arm.com>,
- ardb@kernel.org, broonie@kernel.org, linux-crypto@vger.kernel.org,
- will@kernel.org, davem@davemloft.net, dave.martin@arm.com
-Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
-Errors-To: 
- linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
-
-The AES code uses a 'br x7' as part of a function called by
-a macro. That branch needs a bti_j as a target. This results
-in a panic as seen below. Using x16 (or x17) with an indirect
-branch keeps the target bti_c.
-
-  Bad mode in Synchronous Abort handler detected on CPU1, code 0x34000003 -- BTI
-  CPU: 1 PID: 265 Comm: cryptomgr_test Not tainted 5.8.11-300.fc33.aarch64 #1
-  pstate: 20400c05 (nzCv daif +PAN -UAO BTYPE=j-)
-  pc : aesbs_encrypt8+0x0/0x5f0 [aes_neon_bs]
-  lr : aesbs_xts_encrypt+0x48/0xe0 [aes_neon_bs]
-  sp : ffff80001052b730
-
-  aesbs_encrypt8+0x0/0x5f0 [aes_neon_bs]
-   __xts_crypt+0xb0/0x2dc [aes_neon_bs]
-   xts_encrypt+0x28/0x3c [aes_neon_bs]
-  crypto_skcipher_encrypt+0x50/0x84
-  simd_skcipher_encrypt+0xc8/0xe0
-  crypto_skcipher_encrypt+0x50/0x84
-  test_skcipher_vec_cfg+0x224/0x5f0
-  test_skcipher+0xbc/0x120
-  alg_test_skcipher+0xa0/0x1b0
-  alg_test+0x3dc/0x47c
-  cryptomgr_test+0x38/0x60
-
-Fixes: 0e89640b640d ("crypto: arm64 - Use modern annotations for assembly functions")
-Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
-Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
-Reviewed-by: Mark Brown <broonie@kernel.org>
----
- arch/arm64/crypto/aes-neonbs-core.S | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/crypto/aes-neonbs-core.S b/arch/arm64/crypto/aes-neonbs-core.S
-index b357164379f6..63a52ad9a75c 100644
---- a/arch/arm64/crypto/aes-neonbs-core.S
-+++ b/arch/arm64/crypto/aes-neonbs-core.S
-@@ -788,7 +788,7 @@ SYM_FUNC_START_LOCAL(__xts_crypt8)
- 
- 0:	mov		bskey, x21
- 	mov		rounds, x22
--	br		x7
-+	br		x16
- SYM_FUNC_END(__xts_crypt8)
- 
- 	.macro		__xts_crypt, do8, o0, o1, o2, o3, o4, o5, o6, o7
-@@ -806,7 +806,7 @@ SYM_FUNC_END(__xts_crypt8)
- 	uzp1		v30.4s, v30.4s, v25.4s
- 	ld1		{v25.16b}, [x24]
- 
--99:	adr		x7, \do8
-+99:	adr		x16, \do8
- 	bl		__xts_crypt8
- 
- 	ldp		q16, q17, [sp, #.Lframe_local_offset]

kernel.spec

@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 14
+%define stable_update 15
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -875,9 +875,6 @@ Patch109: mmc-sdhci-iproc-Enable-eMMC-DDR-3.3V-support-for-bcm2711.patch
 
 Patch112: memory-tegra-Remove-GPU-from-DRM-IOMMU-group.patch
 
-# rhbz 1875339 1875828 1876997
-Patch115: pdx86-SW_TABLET_MODE-fixes.patch
-
 # https://patchwork.kernel.org/patch/11796255/
 Patch116: arm64-dts-rockchip-disable-USB-type-c-DisplayPort.patch
 
@@ -891,8 +888,9 @@ Patch119: arm64-tegra-enable-dfll-on-jetson-nano.patch
 # https://www.spinics.net/lists/linux-tegra/msg53605.html
 Patch120: iommu-tegra-smmu-Fix-TLB-line-for-Tegra210.patch
 
-# https://patchwork.kernel.org/patch/11818995
-Patch121: arm64-BUG-crypto-arm64-Use-x16-with-indirect-branch-to-bti_c.patch
+# CVE-2020-16119 rhbz 1886374 1888083
+Patch121: CVE-2020-16119-DCCP-CCID-structure-use-after-free.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -3006,6 +3004,10 @@ fi
 #
 #
 %changelog
+* Wed Oct 14 11:29:34 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.15-300
+- Linux v5.8.15
+- Fix CVE-2020-16119 (rhbz 1886374 1888083)
+
 * Wed Oct  7 07:21:34 CDT 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.8.14-300
 - Linux v5.8.14
 

pdx86-SW_TABLET_MODE-fixes.patch

@@ -1,212 +0,0 @@
-From 9126d28cf4e537ef5e77006c51b1a24ad8e8170b Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Fri, 11 Sep 2020 13:34:42 +0200
-Subject: [PATCH 1/2] platform/x86: intel-vbtn: Fix SW_TABLET_MODE always
- reporting 1 on the HP Pavilion 11 x360
-
-Commit cfae58ed681c ("platform/x86: intel-vbtn: Only blacklist
-SW_TABLET_MODE on the 9 / "Laptop" chasis-type") restored SW_TABLET_MODE
-reporting on the HP stream x360 11 series on which it was previously broken
-by commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet
-mode switch on 2-in-1's").
-
-It turns out that enabling SW_TABLET_MODE reporting on devices with a
-chassis-type of 10 ("Notebook") causes SW_TABLET_MODE to always report 1
-at boot on the HP Pavilion 11 x360, which causes libinput to disable the
-kbd and touchpad.
-
-The HP Pavilion 11 x360's ACPI VGBS method sets bit 4 instead of bit 6 when
-NOT in tablet mode at boot. Inspecting all the DSDTs in my DSDT collection
-shows only one other model, the Medion E1239T ever setting bit 4 and it
-always sets this together with bit 6.
-
-So lets treat bit 4 as a second bit which when set indicates the device not
-being in tablet-mode, as we already do for bit 6.
-
-While at it also prefix all VGBS constant defines with "VGBS_".
-
-Fixes: cfae58ed681c ("platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type")
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/platform/x86/intel-vbtn.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
-index e85d8e58320c..f443619e1e7e 100644
---- a/drivers/platform/x86/intel-vbtn.c
-+++ b/drivers/platform/x86/intel-vbtn.c
-@@ -15,9 +15,13 @@
- #include <linux/platform_device.h>
- #include <linux/suspend.h>
- 
-+/* Returned when NOT in tablet mode on some HP Stream x360 11 models */
-+#define VGBS_TABLET_MODE_FLAG_ALT	0x10
- /* When NOT in tablet mode, VGBS returns with the flag 0x40 */
--#define TABLET_MODE_FLAG 0x40
--#define DOCK_MODE_FLAG   0x80
-+#define VGBS_TABLET_MODE_FLAG		0x40
-+#define VGBS_DOCK_MODE_FLAG		0x80
-+
-+#define VGBS_TABLET_MODE_FLAGS (VGBS_TABLET_MODE_FLAG | VGBS_TABLET_MODE_FLAG_ALT)
- 
- MODULE_LICENSE("GPL");
- MODULE_AUTHOR("AceLan Kao");
-@@ -72,9 +76,9 @@ static void detect_tablet_mode(struct platform_device *device)
- 	if (ACPI_FAILURE(status))
- 		return;
- 
--	m = !(vgbs & TABLET_MODE_FLAG);
-+	m = !(vgbs & VGBS_TABLET_MODE_FLAGS);
- 	input_report_switch(priv->input_dev, SW_TABLET_MODE, m);
--	m = (vgbs & DOCK_MODE_FLAG) ? 1 : 0;
-+	m = (vgbs & VGBS_DOCK_MODE_FLAG) ? 1 : 0;
- 	input_report_switch(priv->input_dev, SW_DOCK, m);
- }
- 
--- 
-2.28.0
-
-From d26d82852e926fee13b5fa71cc004da391aaa5e3 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Wed, 16 Sep 2020 16:14:39 +0200
-Subject: [PATCH 2/2] platform/x86: asus-wmi: Fix SW_TABLET_MODE always
- reporting 1 on many different models
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit b0dbd97de1f1 ("platform/x86: asus-wmi: Add support for
-SW_TABLET_MODE") added support for reporting SW_TABLET_MODE using the
-Asus 0x00120063 WMI-device-id to see if various transformer models were
-docked into their keyboard-dock (SW_TABLET_MODE=0) or if they were
-being used as a tablet.
-
-The new SW_TABLET_MODE support (naively?) assumed that non Transformer
-devices would either not support the 0x00120063 WMI-device-id at all,
-or would NOT set ASUS_WMI_DSTS_PRESENCE_BIT in their reply when querying
-the device-id.
-
-Unfortunately this is not true and we have received many bug reports about
-this change causing the asus-wmi driver to always report SW_TABLET_MODE=1
-on non Transformer devices. This causes libinput to think that these are
-360 degree hinges style 2-in-1s folded into tablet-mode. Making libinput
-suppress keyboard and touchpad events from the builtin keyboard and
-touchpad. So effectively this causes the keyboard and touchpad to not work
-on many non Transformer Asus models.
-
-This commit fixes this by using the existing DMI based quirk mechanism in
-asus-nb-wmi.c to allow using the 0x00120063 device-id for reporting
-SW_TABLET_MODE on Transformer models and ignoring it on all other models.
-
-Fixes: b0dbd97de1f1 ("platform/x86: asus-wmi: Add support for SW_TABLET_MODE")
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209011
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1875339
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1875828
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1876997
-Reported-by: Samuel Čavoj <samuel@cavoj.net>
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/platform/x86/asus-nb-wmi.c | 32 ++++++++++++++++++++++++++++++
- drivers/platform/x86/asus-wmi.c    | 16 ++++++++-------
- drivers/platform/x86/asus-wmi.h    |  1 +
- 3 files changed, 42 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
-index 680c3640e013..1d9fbabd02fb 100644
---- a/drivers/platform/x86/asus-nb-wmi.c
-+++ b/drivers/platform/x86/asus-nb-wmi.c
-@@ -115,6 +115,10 @@ static struct quirk_entry quirk_asus_vendor_backlight = {
- 	.wmi_backlight_set_devstate = true,
- };
- 
-+static struct quirk_entry quirk_asus_use_kbd_dock_devid = {
-+	.use_kbd_dock_devid = true,
-+};
-+
- static int dmi_matched(const struct dmi_system_id *dmi)
- {
- 	pr_info("Identified laptop model '%s'\n", dmi->ident);
-@@ -488,6 +492,34 @@ static const struct dmi_system_id asus_quirks[] = {
- 		},
- 		.driver_data = &quirk_asus_ga502i,
- 	},
-+	{
-+		.callback = dmi_matched,
-+		.ident = "Asus Transformer T100TA / T100HA / T100CHI",
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-+			/* Match *T100* */
-+			DMI_MATCH(DMI_PRODUCT_NAME, "T100"),
-+		},
-+		.driver_data = &quirk_asus_use_kbd_dock_devid,
-+	},
-+	{
-+		.callback = dmi_matched,
-+		.ident = "Asus Transformer T101HA",
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "T101HA"),
-+		},
-+		.driver_data = &quirk_asus_use_kbd_dock_devid,
-+	},
-+	{
-+		.callback = dmi_matched,
-+		.ident = "Asus Transformer T200TA",
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "T200TA"),
-+		},
-+		.driver_data = &quirk_asus_use_kbd_dock_devid,
-+	},
- 	{},
- };
- 
-diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 8f4acdc06b13..ae6289d37faf 100644
---- a/drivers/platform/x86/asus-wmi.c
-+++ b/drivers/platform/x86/asus-wmi.c
-@@ -365,12 +365,14 @@ static int asus_wmi_input_init(struct asus_wmi *asus)
- 	if (err)
- 		goto err_free_dev;
- 
--	result = asus_wmi_get_devstate_simple(asus, ASUS_WMI_DEVID_KBD_DOCK);
--	if (result >= 0) {
--		input_set_capability(asus->inputdev, EV_SW, SW_TABLET_MODE);
--		input_report_switch(asus->inputdev, SW_TABLET_MODE, !result);
--	} else if (result != -ENODEV) {
--		pr_err("Error checking for keyboard-dock: %d\n", result);
-+	if (asus->driver->quirks->use_kbd_dock_devid) {
-+		result = asus_wmi_get_devstate_simple(asus, ASUS_WMI_DEVID_KBD_DOCK);
-+		if (result >= 0) {
-+			input_set_capability(asus->inputdev, EV_SW, SW_TABLET_MODE);
-+			input_report_switch(asus->inputdev, SW_TABLET_MODE, !result);
-+		} else if (result != -ENODEV) {
-+			pr_err("Error checking for keyboard-dock: %d\n", result);
-+		}
- 	}
- 
- 	err = input_register_device(asus->inputdev);
-@@ -2114,7 +2116,7 @@ static void asus_wmi_handle_event_code(int code, struct asus_wmi *asus)
- 		return;
- 	}
- 
--	if (code == NOTIFY_KBD_DOCK_CHANGE) {
-+	if (asus->driver->quirks->use_kbd_dock_devid && code == NOTIFY_KBD_DOCK_CHANGE) {
- 		result = asus_wmi_get_devstate_simple(asus,
- 						      ASUS_WMI_DEVID_KBD_DOCK);
- 		if (result >= 0) {
-diff --git a/drivers/platform/x86/asus-wmi.h b/drivers/platform/x86/asus-wmi.h
-index 4f31b68642a0..1a95c172f94b 100644
---- a/drivers/platform/x86/asus-wmi.h
-+++ b/drivers/platform/x86/asus-wmi.h
-@@ -33,6 +33,7 @@ struct quirk_entry {
- 	bool wmi_backlight_native;
- 	bool wmi_backlight_set_devstate;
- 	bool wmi_force_als_set;
-+	bool use_kbd_dock_devid;
- 	int wapf;
- 	/*
- 	 * For machines with AMD graphic chips, it will send out WMI event
--- 
-2.28.0
-

sources

@@ -1,2 +1,2 @@
 SHA512 (linux-5.8.tar.xz) = 19c8694bda4533464877e2d976aca95f48c2c40c11efcc1dce0ca91cc5f9826110e277c7de2a49ff99af8ae1c76e275b7c463abf71fbf410956d63066dc4ee53
-SHA512 (patch-5.8.14.xz) = 41a75b2b2f02f3412be9327a54688830396e66bd2bf6ca5535ba7a20bef8b8619b5939b7fbea70ed54e895480be99b6cf1484403a4da44f3500349349a8e14fc
+SHA512 (patch-5.8.15.xz) = 885f25aae3f4598ccee765f3ecaf68a6694041c5540c212d5782560f9f2abe581737033cc9e9f16a24b999eb6f30a5bf8ed8f9a975e6fd8ac8649a0e84ddbae9