Merge remote-tracking branch 'up/master' into master-riscv64

Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com>
This commit is contained in:
David Abdurachmanov 2019-05-04 21:02:37 +03:00
commit f27a56dd4f
Signed by: davidlt
GPG Key ID: 7108702C938B13C1
35 changed files with 1653 additions and 812 deletions

View File

@ -0,0 +1,400 @@
From 4ef7fb944ba1e4ca9ccfbd7a43afda5a1cc884c1 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Mon, 29 Apr 2019 15:11:26 +0200
Subject: [PATCH] platform/x86: ideapad-laptop: Remove no_hw_rfkill_list
When the ideapad-laptop driver was first written it was written for laptops
which had a hardware rfkill switch. So when the first ideapad laptops
showed up without a hw rfkill switch and it turned out that in this case
the ideapad firmware interface would always report the wifi being hardware-
blocked, a DMI id list of models which lack a hw rfkill switch was started
(by yours truly). Things were done this way to avoid regressing existing
models with a hw rfkill switch. In hindsight this was a mistake.
Lenovo releases a lot of ideapad models every year and even the latest
models still use the "VPC2004" ACPI interface the ideapad-laptop driver
binds to. Having a hw rfkill switch is quite rare on modern hardware, so
all these new models need to be added to the no_hw_rfkill_list, leading
to a never ending game of whack a mole.
Worse the failure mode when not present on the list, is very bad. In this
case the ideapad-laptop driver will report the wifi as being hw-blocked,
at which points NetworkManager does not even try to use it and the user
ends up with non working wifi.
This leads to various Linux fora on the internet being filled with
wifi not working on ideapad laptops stories, which does not make Linux
look good.
The failure mode when we flip the default to assuming that a hw rfkill
switch is not present OTOH is quite benign. When we properly report the
wifi as being hw-blocked on ideapads which do have the hw-switch; and it
is in the wifi-off position, then at least when using NetworkManager +
GNOME3 the user will get a "wifi disabled in hardware" message when trying
to connect to the wifi from the UI. If OTOH we assume there is no hardware
rfkill switch, then the user will get an empty list for the list of
available networks. Although the empty list vs the "wifi disabled in
hardware" message is a regression, it is a very minor regression and it
can easily be fixed on a model by model basis by filling the new
hw_rfkill_list this commit introduces.
Therefor this commit removes the ever growing no_hw_rfkill_list, flipping
the default to assuming there is no hw rfkill switch and adding a new
hw_rfkill_list. Thereby fixing the wifi not working on all the current
ideapad and yoga models which are not on the list yet and also fixing it
for all future ideapad and yoga models using the "VPC2004" ACPI interface.
Note once this patch has been accepted upstream. I plan to write a blog
post asking for users of ideapads and yoga's with a hw rfkill switch to
step forward, so that we can populate the new hw_rfkill_list with the few
older yoga and ideapad models which actually have a hw rfkill switch.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1703338
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/platform/x86/ideapad-laptop.c | 321 ++------------------------
1 file changed, 15 insertions(+), 306 deletions(-)
diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
index c53ae86b59c7..2d94536dea88 100644
--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -980,312 +980,21 @@ static void ideapad_wmi_notify(u32 value, void *context)
#endif
/*
- * Some ideapads don't have a hardware rfkill switch, reading VPCCMD_R_RF
- * always results in 0 on these models, causing ideapad_laptop to wrongly
- * report all radios as hardware-blocked.
+ * Some ideapads have a hardware rfkill switch, but most do not have one.
+ * Reading VPCCMD_R_RF always results in 0 on models without a hardware rfkill,
+ * switch causing ideapad_laptop to wrongly report all radios as hw-blocked.
+ * There used to be a long list of DMI ids for models without a hw rfkill
+ * switch here, but that resulted in playing whack a mole.
+ * More importantly wrongly reporting the wifi radio as hw-blocked, results in
+ * non working wifi. Whereas not reporting it hw-blocked, when it actually is
+ * hw-blocked results in an empty SSID list, which is a much more benign
+ * failure mode.
+ * So the default now is the much safer option of assuming there is no
+ * hardware rfkill switch. This default also actually matches most hardware,
+ * since having a hw rfkill switch is quite rare on modern hardware, so this
+ * also leads to a much shorter list.
*/
-static const struct dmi_system_id no_hw_rfkill_list[] = {
- {
- .ident = "Lenovo RESCUER R720-15IKBN",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo R720-15IKBN"),
- },
- },
- {
- .ident = "Lenovo G40-30",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G40-30"),
- },
- },
- {
- .ident = "Lenovo G50-30",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G50-30"),
- },
- },
- {
- .ident = "Lenovo V310-14IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14IKB"),
- },
- },
- {
- .ident = "Lenovo V310-14ISK",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-14ISK"),
- },
- },
- {
- .ident = "Lenovo V310-15IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15IKB"),
- },
- },
- {
- .ident = "Lenovo V310-15ISK",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V310-15ISK"),
- },
- },
- {
- .ident = "Lenovo V510-15IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo V510-15IKB"),
- },
- },
- {
- .ident = "Lenovo ideapad 300-15IBR",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IBR"),
- },
- },
- {
- .ident = "Lenovo ideapad 300-15IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300-15IKB"),
- },
- },
- {
- .ident = "Lenovo ideapad 300S-11IBR",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 300S-11BR"),
- },
- },
- {
- .ident = "Lenovo ideapad 310-15ABR",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ABR"),
- },
- },
- {
- .ident = "Lenovo ideapad 310-15IAP",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IAP"),
- },
- },
- {
- .ident = "Lenovo ideapad 310-15IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15IKB"),
- },
- },
- {
- .ident = "Lenovo ideapad 310-15ISK",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 310-15ISK"),
- },
- },
- {
- .ident = "Lenovo ideapad 330-15ICH",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 330-15ICH"),
- },
- },
- {
- .ident = "Lenovo ideapad 530S-14ARR",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad 530S-14ARR"),
- },
- },
- {
- .ident = "Lenovo ideapad S130-14IGM",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad S130-14IGM"),
- },
- },
- {
- .ident = "Lenovo ideapad Y700-14ISK",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-14ISK"),
- },
- },
- {
- .ident = "Lenovo ideapad Y700-15ACZ",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ACZ"),
- },
- },
- {
- .ident = "Lenovo ideapad Y700-15ISK",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ISK"),
- },
- },
- {
- .ident = "Lenovo ideapad Y700 Touch-15ISK",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700 Touch-15ISK"),
- },
- },
- {
- .ident = "Lenovo ideapad Y700-17ISK",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"),
- },
- },
- {
- .ident = "Lenovo ideapad MIIX 720-12IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "MIIX 720-12IKB"),
- },
- },
- {
- .ident = "Lenovo Legion Y520-15IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKB"),
- },
- },
- {
- .ident = "Lenovo Y520-15IKBM",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y520-15IKBM"),
- },
- },
- {
- .ident = "Lenovo Legion Y530-15ICH",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Legion Y530-15ICH"),
- },
- },
- {
- .ident = "Lenovo Legion Y530-15ICH-1060",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Legion Y530-15ICH-1060"),
- },
- },
- {
- .ident = "Lenovo Legion Y720-15IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKB"),
- },
- },
- {
- .ident = "Lenovo Legion Y720-15IKBN",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBN"),
- },
- },
- {
- .ident = "Lenovo Y720-15IKBM",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Y720-15IKBM"),
- },
- },
- {
- .ident = "Lenovo Yoga 2 11 / 13 / Pro",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2"),
- },
- },
- {
- .ident = "Lenovo Yoga 2 11 / 13 / Pro",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_BOARD_NAME, "Yoga2"),
- },
- },
- {
- .ident = "Lenovo Yoga 2 13",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Yoga 2 13"),
- },
- },
- {
- .ident = "Lenovo Yoga 3 1170 / 1470",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 3"),
- },
- },
- {
- .ident = "Lenovo Yoga 3 Pro 1370",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 3"),
- },
- },
- {
- .ident = "Lenovo Yoga 700",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 700"),
- },
- },
- {
- .ident = "Lenovo Yoga 900",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 900"),
- },
- },
- {
- .ident = "Lenovo Yoga 900",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_BOARD_NAME, "VIUU4"),
- },
- },
- {
- .ident = "Lenovo YOGA 910-13IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 910-13IKB"),
- },
- },
- {
- .ident = "Lenovo YOGA 920-13IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 920-13IKB"),
- },
- },
- {
- .ident = "Lenovo YOGA C930-13IKB",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA C930-13IKB"),
- },
- },
- {
- .ident = "Lenovo Zhaoyang E42-80",
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
- DMI_MATCH(DMI_PRODUCT_VERSION, "ZHAOYANG E42-80"),
- },
- },
+static const struct dmi_system_id hw_rfkill_list[] = {
{}
};
@@ -1311,7 +1020,7 @@ static int ideapad_acpi_add(struct platform_device *pdev)
priv->cfg = cfg;
priv->adev = adev;
priv->platform_device = pdev;
- priv->has_hw_rfkill_switch = !dmi_check_system(no_hw_rfkill_list);
+ priv->has_hw_rfkill_switch = dmi_check_system(hw_rfkill_list);
ret = ideapad_sysfs_init(priv);
if (ret)
--
2.21.0

View File

@ -1,96 +0,0 @@
From 7ec379c439ea60507804f96910d25196ab838ec4 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 5 May 2017 08:21:56 +0100
Subject: [PATCH] KEYS: Allow unrestricted boot-time addition of keys to
secondary keyring
Allow keys to be added to the system secondary certificates keyring during
kernel initialisation in an unrestricted fashion. Such keys are implicitly
trusted and don't have their trust chains checked on link.
This allows keys in the UEFI database to be added in secure boot mode for
the purposes of module signing.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
certs/internal.h | 18 ++++++++++++++++++
certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 certs/internal.h
diff --git a/certs/internal.h b/certs/internal.h
new file mode 100644
index 000000000000..5dcbefb0c23a
--- /dev/null
+++ b/certs/internal.h
@@ -0,0 +1,18 @@
+/* Internal definitions
+ *
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+/*
+ * system_keyring.c
+ */
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+extern void __init add_trusted_secondary_key(const char *source,
+ const void *data, size_t len);
+#endif
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index c05c29ae4d5d..183e73cc81f7 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -19,6 +19,7 @@
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>
+#include "internal.h"
static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
@@ -287,3 +288,35 @@ void __init set_platform_trusted_keys(struct key *keyring)
platform_trusted_keys = keyring;
}
#endif
+
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+/**
+ * add_trusted_secondary_key - Add to secondary keyring with no validation
+ * @source: Source of key
+ * @data: The blob holding the key
+ * @len: The length of the data blob
+ *
+ * Add a key to the secondary keyring without checking its trust chain. This
+ * is available only during kernel initialisation.
+ */
+void __init add_trusted_secondary_key(const char *source,
+ const void *data, size_t len)
+{
+ key_ref_t key;
+
+ key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
+ "asymmetric",
+ NULL, data, len,
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW,
+ KEY_ALLOC_NOT_IN_QUOTA |
+ KEY_ALLOC_BYPASS_RESTRICTION);
+
+ if (IS_ERR(key))
+ pr_err("Problem loading %s X.509 certificate (%ld)\n",
+ source, PTR_ERR(key));
+ else
+ pr_notice("Loaded %s cert '%s' linked to secondary sys keyring\n",
+ source, key_ref_to_ptr(key)->description);
+}
+#endif /* CONFIG_SECONDARY_TRUSTED_KEYRING */
--
2.20.1

View File

@ -0,0 +1,54 @@
From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
verify
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
---
kernel/module_signing.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 6b9a926fd86b..cf94220e9154 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
{
struct module_signature ms;
size_t sig_len, modlen = info->len;
+ int ret;
pr_devel("==>%s(,%zu)\n", __func__, modlen);
@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
return -EBADMSG;
}
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
- VERIFY_USE_SECONDARY_KEYRING,
- VERIFYING_MODULE_SIGNATURE,
- NULL, NULL);
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ }
+ return ret;
}
--
2.21.0

View File

@ -18,7 +18,7 @@ i686-debug=generic:generic-x86:generic-x86-i686:debug:debug-x86
# ppc64le
ppc64le=generic:generic-powerpc
ppc64le-debug=generic:generic-powerpc:generic-powerpc:debug
ppc64le-debug=generic:generic-powerpc:debug
# s390x
s390x=generic:generic-s390x

View File

@ -0,0 +1 @@
# CONFIG_PCIE_BW is not set

View File

@ -0,0 +1 @@
# CONFIG_SENSIRION_SGP30 is not set

View File

@ -1 +1 @@
CONFIG_CRYPTO_DEV_SUN4I_SS=m
# CONFIG_CRYPTO_DEV_SUN4I_SS is not set

View File

@ -1 +1 @@
CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set

View File

@ -0,0 +1 @@
CONFIG_KEYBOARD_SNVS_PWRKEY=m

View File

@ -0,0 +1 @@
# CONFIG_FUNCTION_GRAPH_TRACER is not set

View File

@ -0,0 +1 @@
CONFIG_KEXEC_SIG=y

View File

@ -0,0 +1 @@
# CONFIG_KEXEC_SIG_FORCE is not set

View File

@ -1 +0,0 @@
CONFIG_KEXEC_VERIFY_SIG=y

View File

@ -0,0 +1 @@
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set

View File

@ -1 +0,0 @@
# CONFIG_LOCK_DOWN_MANDATORY is not set

File diff suppressed because it is too large Load Diff

View File

@ -1,43 +1,3 @@
From b96ff1fd9e94772fde7b58fd69969d1a1c87eb6d Mon Sep 17 00:00:00 2001
From: Dave Young <dyoung@redhat.com>
Date: Tue, 27 Feb 2018 10:04:51 +0000
Subject: [PATCH 07/31] Copy secure_boot flag in boot params across kexec
reboot
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot.
Adding a patch to fix this by retain the secure_boot flag in original
kernel.
secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the
stub. Fixing this issue by copying secure_boot flag across kexec reboot.
Signed-off-by: Dave Young <dyoung@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: kexec@lists.infradead.org
---
arch/x86/kernel/kexec-bzimage64.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index fb095ba0c02f..7d0fac5bcbbe 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
if (efi_enabled(EFI_OLD_MEMMAP))
return 0;
+ params->secure_boot = boot_params.secure_boot;
ei->efi_loader_signature = current_ei->efi_loader_signature;
ei->efi_systab = current_ei->efi_systab;
ei->efi_systab_hi = current_ei->efi_systab_hi;
--
2.14.3
From b5123d0553f4ed5e734f6457696cdd30228d1eee Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 27 Feb 2018 10:04:55 +0000
@ -183,7 +143,8 @@ index 100ce4a4aff6..62361b647a75 100644
extern int efi_status_to_err(efi_status_t status);
@@ -1577,12 +1589,6 @@ efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg,
bool efi_runtime_disabled(void);
#endif
extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
extern unsigned long efi_call_virt_save_flags(void);
@ -221,34 +182,36 @@ cc: linux-efi@vger.kernel.org
4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index a7c240f00d78..1277d1857c5c 100644
index adeee6329f55..27a54ec878bd 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -64,6 +64,7 @@
@@ -65,6 +65,7 @@
#include <linux/dma-mapping.h>
#include <linux/ctype.h>
#include <linux/uaccess.h>
+#include <linux/security.h>
#include <linux/percpu.h>
#include <linux/crash_dump.h>
@@ -997,6 +998,8 @@ void __init setup_arch(char **cmdline_p)
@@ -1005,6 +1006,10 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
init_lockdown();
+ init_lockdown();
+
dmi_scan_machine();
@@ -1150,8 +1154,6 @@ void __init setup_arch(char **cmdline_p)
dmi_memdev_walk();
dmi_set_dump_stack_arch_desc();
@@ -1159,8 +1164,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
- efi_set_secure_boot(boot_params.secure_boot);
-
reserve_initrd();
acpi_table_upgrade();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index ce261e1765ff..7aff55b309a6 100644
@ -264,13 +227,13 @@ index ce261e1765ff..7aff55b309a6 100644
return simple_setattr(dentry, ia);
}
diff --git a/security/Kconfig b/security/Kconfig
index 461d5acc3616..13fdada1ffc2 100644
index 9c343f262bdd..30788bc47863 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -248,6 +248,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
combination on a wired keyboard. On x86, this is SysRq+x.
@@ -244,6 +244,20 @@ config LOCK_DOWN_KERNEL_FORCE
help
Enable the kernel lock down functionality automatically at boot.
+config LOCK_DOWN_IN_EFI_SECURE_BOOT
+ bool "Lock down the kernel in EFI Secure Boot mode"
+ default n
@ -285,31 +248,31 @@ index 461d5acc3616..13fdada1ffc2 100644
+ Enabling this option turns on results in kernel lockdown being
+ triggered if EFI Secure Boot is set.
+
source "security/selinux/Kconfig"
source "security/smack/Kconfig"
source "security/tomoyo/Kconfig"
diff --git a/security/lock_down.c b/security/lock_down.c
index 2c6b00f0c229..527f7e51dc8d 100644
index ee00ca2677e7..bb4dc7838f3e 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -12,6 +12,7 @@
#include <linux/security.h>
#include <linux/export.h>
#include <linux/sched.h>
#include <linux/sysrq.h>
+#include <linux/efi.h>
#include <asm/setup.h>
#ifndef CONFIG_LOCK_DOWN_MANDATORY
@@ -55,6 +55,10 @@ void __init init_lockdown(void)
#ifdef CONFIG_LOCK_DOWN_MANDATORY
pr_notice("Kernel is locked down from config; see man kernel_lockdown.7\n");
static __ro_after_init bool kernel_locked_down;
@@ -44,6 +45,10 @@ void __init init_lockdown(void)
#ifdef CONFIG_LOCK_DOWN_FORCE
lock_kernel_down("Kernel configuration");
#endif
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+ if (efi_enabled(EFI_SECURE_BOOT))
+ lock_kernel_down("EFI secure boot");
+#endif
}
/**
--
2.14.3

2
gitrev
View File

@ -1 +1 @@
771acc7e4a6e5dba779cb1a7fd851a164bc81033
ea9866793d1e925b4d320eaea409263b2a568f38

View File

@ -1128,8 +1128,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
CONFIG_CRYPTO_DEV_SAFEXCEL=m
# CONFIG_CRYPTO_DEV_SAHARA is not set
CONFIG_CRYPTO_DEV_SP_CCP=y
CONFIG_CRYPTO_DEV_SUN4I_SS=m
CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
@ -2884,6 +2884,7 @@ CONFIG_KEYBOARD_PMIC8XXX=m
CONFIG_KEYBOARD_QT1070=m
# CONFIG_KEYBOARD_QT2160 is not set
# CONFIG_KEYBOARD_SAMSUNG is not set
CONFIG_KEYBOARD_SNVS_PWRKEY=m
# CONFIG_KEYBOARD_STOWAWAY is not set
# CONFIG_KEYBOARD_SUN4I_LRADC is not set
# CONFIG_KEYBOARD_SUNKBD is not set
@ -4286,6 +4287,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
CONFIG_PCIE_DW_HOST=y
@ -5209,6 +5211,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_ACPI_POWER=m
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m

View File

@ -1128,8 +1128,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
CONFIG_CRYPTO_DEV_SAFEXCEL=m
# CONFIG_CRYPTO_DEV_SAHARA is not set
CONFIG_CRYPTO_DEV_SP_CCP=y
CONFIG_CRYPTO_DEV_SUN4I_SS=m
CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
@ -2866,6 +2866,7 @@ CONFIG_KEYBOARD_PMIC8XXX=m
CONFIG_KEYBOARD_QT1070=m
# CONFIG_KEYBOARD_QT2160 is not set
# CONFIG_KEYBOARD_SAMSUNG is not set
CONFIG_KEYBOARD_SNVS_PWRKEY=m
# CONFIG_KEYBOARD_STOWAWAY is not set
# CONFIG_KEYBOARD_SUN4I_LRADC is not set
# CONFIG_KEYBOARD_SUNKBD is not set
@ -4266,6 +4267,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
CONFIG_PCIE_DW_HOST=y
@ -5188,6 +5190,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_ACPI_POWER=m
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m

View File

@ -1126,8 +1126,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
CONFIG_CRYPTO_DEV_S5P=m
CONFIG_CRYPTO_DEV_SAHARA=m
# CONFIG_CRYPTO_DEV_SP_CCP is not set
CONFIG_CRYPTO_DEV_SUN4I_SS=m
CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
@ -1905,7 +1905,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_FTRACE=y
# CONFIG_FTWDT010_WATCHDOG is not set
CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_FUNCTION_GRAPH_TRACER is not set
CONFIG_FUNCTION_PROFILER=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUSE_FS=m
@ -4418,6 +4418,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
CONFIG_PCIE_DW_HOST=y
@ -5368,6 +5369,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -1089,8 +1089,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
CONFIG_CRYPTO_DEV_S5P=m
# CONFIG_CRYPTO_DEV_SAHARA is not set
# CONFIG_CRYPTO_DEV_SP_CCP is not set
CONFIG_CRYPTO_DEV_SUN4I_SS=m
CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
@ -1835,7 +1835,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_FTRACE=y
# CONFIG_FTWDT010_WATCHDOG is not set
CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_FUNCTION_GRAPH_TRACER is not set
CONFIG_FUNCTION_PROFILER=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUSE_FS=m
@ -4248,6 +4248,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
CONFIG_PCIE_DW_HOST=y
@ -5115,6 +5116,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -1089,8 +1089,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
CONFIG_CRYPTO_DEV_S5P=m
# CONFIG_CRYPTO_DEV_SAHARA is not set
# CONFIG_CRYPTO_DEV_SP_CCP is not set
CONFIG_CRYPTO_DEV_SUN4I_SS=m
CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
@ -1820,7 +1820,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_FTRACE=y
# CONFIG_FTWDT010_WATCHDOG is not set
CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_FUNCTION_GRAPH_TRACER is not set
CONFIG_FUNCTION_PROFILER=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUSE_FS=m
@ -4229,6 +4229,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
CONFIG_PCIE_DW_HOST=y
@ -5095,6 +5096,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -1126,8 +1126,8 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=m
CONFIG_CRYPTO_DEV_S5P=m
CONFIG_CRYPTO_DEV_SAHARA=m
# CONFIG_CRYPTO_DEV_SP_CCP is not set
CONFIG_CRYPTO_DEV_SUN4I_SS=m
CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y
# CONFIG_CRYPTO_DEV_SUN4I_SS is not set
# CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_DRBG_CTR=y
@ -1890,7 +1890,7 @@ CONFIG_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_FTRACE=y
# CONFIG_FTWDT010_WATCHDOG is not set
CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_FUNCTION_GRAPH_TRACER is not set
CONFIG_FUNCTION_PROFILER=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUSE_FS=m
@ -4399,6 +4399,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
CONFIG_PCIE_DW_HOST=y
@ -5348,6 +5349,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -2645,7 +2645,8 @@ CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_XZ is not set
# CONFIG_KEXEC_FILE is not set
# CONFIG_KEXEC_JUMP is not set
CONFIG_KEXEC_VERIFY_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set
@ -2828,8 +2829,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y
CONFIG_LOCK_STAT=y
CONFIG_LOCK_TORTURE_TEST=m
@ -4021,6 +4022,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4748,6 +4750,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_ABITUGURU3=m
CONFIG_SENSORS_ABITUGURU=m
CONFIG_SENSORS_ACPI_POWER=m

View File

@ -2626,7 +2626,8 @@ CONFIG_KERNEL_GZIP=y
# CONFIG_KERNEL_XZ is not set
# CONFIG_KEXEC_FILE is not set
# CONFIG_KEXEC_JUMP is not set
CONFIG_KEXEC_VERIFY_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set
@ -2809,8 +2810,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_STAT is not set
# CONFIG_LOCK_TORTURE_TEST is not set
@ -4002,6 +4003,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4728,6 +4730,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_ABITUGURU3=m
CONFIG_SENSORS_ABITUGURU=m
CONFIG_SENSORS_ACPI_POWER=m

View File

@ -3726,6 +3726,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4449,6 +4450,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -3705,6 +3705,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4427,6 +4428,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -3691,6 +3691,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4397,6 +4398,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -3670,6 +3670,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4375,6 +4376,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_AD7314=m
CONFIG_SENSORS_AD7414=m
CONFIG_SENSORS_AD7418=m

View File

@ -2702,7 +2702,8 @@ CONFIG_KERNEL_GZIP=y
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_VERIFY_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set
@ -2885,8 +2886,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y
CONFIG_LOCK_STAT=y
CONFIG_LOCK_TORTURE_TEST=m
@ -4068,6 +4069,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4793,6 +4795,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_ABITUGURU3=m
CONFIG_SENSORS_ABITUGURU=m
CONFIG_SENSORS_ACPI_POWER=m

View File

@ -2683,7 +2683,8 @@ CONFIG_KERNEL_GZIP=y
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_JUMP=y
CONFIG_KEXEC_VERIFY_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set
@ -2866,8 +2867,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_STAT is not set
# CONFIG_LOCK_TORTURE_TEST is not set
@ -4049,6 +4050,7 @@ CONFIG_PCIEASPM_DEFAULT=y
# CONFIG_PCIEASPM_POWERSAVE is not set
# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
CONFIG_PCIEASPM=y
# CONFIG_PCIE_BW is not set
CONFIG_PCIE_CADENCE_HOST=y
CONFIG_PCIE_DPC=y
# CONFIG_PCIE_DW_PLAT_HOST is not set
@ -4773,6 +4775,7 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SENSIRION_SGP30 is not set
CONFIG_SENSORS_ABITUGURU3=m
CONFIG_SENSORS_ABITUGURU=m
CONFIG_SENSORS_ACPI_POWER=m

View File

@ -67,9 +67,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
%global rcrev 4
%global rcrev 7
# The git snapshot level
%define gitrev 2
%define gitrev 4
# Set rpm version accordingly
%define rpmversion 5.%{upstream_sublevel}.0
%endif
@ -86,7 +86,7 @@ Summary: The Linux kernel
#
# standard kernel
%define with_up %{?_without_up: 0} %{?!_without_up: 1}
# kernel PAE (only valid for i686 (PAE) and ARM (lpae))
# kernel PAE (only valid for ARM (lpae))
%define with_pae %{?_without_pae: 0} %{?!_without_pae: 1}
# kernel-debug
%define with_debug %{?_without_debug: 0} %{?!_without_debug: 1}
@ -195,9 +195,7 @@ Summary: The Linux kernel
# and debuginfo generation. Currently we rely on the old alldebug setting.
%global _build_id_links alldebug
# kernel PAE is only built on ARMv7 in rawhide.
# Fedora 27 and earlier still support PAE, so change this on rebases.
# %ifnarch i686 armv7hl
# kernel PAE is only built on ARMv7
%ifnarch armv7hl
%define with_pae 0
%endif
@ -245,7 +243,7 @@ Summary: The Linux kernel
%endif
# sparse blows up on ppc
%ifnarch %{power64}
%ifnarch ppc64le
%define with_sparse 0
%endif
@ -254,7 +252,6 @@ Summary: The Linux kernel
%ifarch %{all_x86}
%define asmarch x86
%define hdrarch i386
%define pae PAE
%define all_arch_configs kernel-%{version}-i?86*.config
%define kernel_image arch/x86/boot/bzImage
%endif
@ -265,7 +262,7 @@ Summary: The Linux kernel
%define kernel_image arch/x86/boot/bzImage
%endif
%ifarch %{power64}
%ifarch ppc64le
%define asmarch powerpc
%define hdrarch powerpc
%define make_target vmlinux
@ -288,7 +285,6 @@ Summary: The Linux kernel
%define skip_nonpae_vdso 1
%define asmarch arm
%define hdrarch arm
%define pae lpae
%define make_target bzImage
%define kernel_image arch/arm/boot/zImage
# http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/091404.html
@ -345,13 +341,8 @@ Summary: The Linux kernel
%define _enable_debug_packages 0
%endif
%define with_pae_debug 0
%if %{with_pae}
%define with_pae_debug %{with_debug}
%endif
# Architectures we build tools/cpupower on
%define cpupowerarchs %{ix86} x86_64 %{power64} %{arm} aarch64
%define cpupowerarchs %{ix86} x86_64 ppc64le %{arm} aarch64
%if %{use_vdso}
@ -415,7 +406,6 @@ BuildConflicts: rpm < 4.13.0.1-19
%undefine _unique_debug_srcs
%undefine _debugsource_packages
%undefine _debuginfo_subpackages
%undefine _include_gdb_index
%global _find_debuginfo_opts -r
%global _missing_build_ids_terminate_build 1
%global _no_recompute_build_ids 1
@ -544,8 +534,6 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
Patch201: efi-lockdown.patch
Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
# bz 1497559 - Make kernel MODSIGN code not error on missing variables
Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
@ -597,6 +585,16 @@ Patch501: input-rmi4-remove-the-need-for-artifical-IRQ.patch
Patch506: 0001-s390-jump_label-Correct-asm-contraint.patch
Patch507: 0001-Drop-that-for-now.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1701096
# Submitted upstream at https://lkml.org/lkml/2019/4/23/89
Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
# CVE-2019-3900 rhbz 1698757 1702940
Patch524: net-vhost_net-fix-possible-infinite-loop.patch
# Fix wifi on various ideapad models not working (rhbz#1703338)
Patch526: 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch
Patch550: riscv-arm-fix.patch
# END OF PATCH DEFINITIONS
@ -766,7 +764,7 @@ The meta-package for the %{1} kernel\
Summary: %{variant_summary}\
Provides: kernel-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
Provides: installonlypkg(kernel)\
%ifarch %{power64}\
%ifarch ppc64le\
Obsoletes: kernel-bootwrapper\
%endif\
%{expand:%%kernel_reqprovconf}\
@ -782,37 +780,13 @@ Obsoletes: kernel-bootwrapper\
# Now, each variant package.
%if %{with_pae}
%ifnarch armv7hl
%define variant_summary The Linux kernel compiled for PAE capable machines
%kernel_variant_package %{pae}
%description %{pae}-core
This package includes a version of the Linux kernel with support for up to
64GB of high memory. It requires a CPU with Physical Address Extensions (PAE).
The non-PAE kernel can only address up to 4GB of memory.
Install the kernel-PAE package if your machine has more than 4GB of memory.
%else
%define variant_summary The Linux kernel compiled for Cortex-A15
%kernel_variant_package %{pae}
%description %{pae}-core
%kernel_variant_package lpae
%description lpae-core
This package includes a version of the Linux kernel with support for
Cortex-A15 devices with LPAE and HW virtualisation support
%endif
%define variant_summary The Linux kernel compiled with extra debugging enabled for PAE capable machines
%kernel_variant_package %{pae}debug
Obsoletes: kernel-PAE-debug
%description %{pae}debug-core
This package includes a version of the Linux kernel with support for up to
64GB of high memory. It requires a CPU with Physical Address Extensions (PAE).
The non-PAE kernel can only address up to 4GB of memory.
Install the kernel-PAE package if your machine has more than 4GB of memory.
This variant of the kernel has numerous debugging options enabled.
It should only be installed when trying to gather additional information
on kernel bugs, as some of these options impact performance noticably.
%endif
%define variant_summary The Linux kernel compiled with extra debugging enabled
%kernel_variant_package debug
%description debug-core
@ -1365,7 +1339,7 @@ BuildKernel() {
fi
rm -f $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/scripts/*.o
rm -f $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/scripts/*/*.o
%ifarch %{power64}
%ifarch ppc64le
cp -a --parents arch/powerpc/lib/crtsavres.[So] $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/
%endif
if [ -d arch/%{asmarch}/include ]; then
@ -1564,12 +1538,8 @@ cd linux-%{KVERREL}
BuildKernel %make_target %kernel_image %{_use_vdso} debug
%endif
%if %{with_pae_debug}
BuildKernel %make_target %kernel_image %{use_vdso} %{pae}debug
%endif
%if %{with_pae}
BuildKernel %make_target %kernel_image %{use_vdso} %{pae}
BuildKernel %make_target %kernel_image %{use_vdso} lpae
%endif
%if %{with_up}
@ -1590,14 +1560,11 @@ BuildKernel %make_target %kernel_image %{_use_vdso}
%define __modsign_install_post \
if [ "%{signmodules}" -eq "1" ]; then \
if [ "%{with_pae}" -ne "0" ]; then \
%{modsign_cmd} certs/signing_key.pem.sign+%{pae} certs/signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}/ \
%{modsign_cmd} certs/signing_key.pem.sign+lpae certs/signing_key.x509.sign+lpae $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+lpae/ \
fi \
if [ "%{with_debug}" -ne "0" ]; then \
%{modsign_cmd} certs/signing_key.pem.sign+debug certs/signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+debug/ \
fi \
if [ "%{with_pae_debug}" -ne "0" ]; then \
%{modsign_cmd} certs/signing_key.pem.sign+%{pae}debug certs/signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}+%{pae}debug/ \
fi \
if [ "%{with_up}" -ne "0" ]; then \
%{modsign_cmd} certs/signing_key.pem.sign certs/signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
fi \
@ -1776,11 +1743,8 @@ fi}\
%kernel_variant_post -r kernel-smp
%if %{with_pae}
%kernel_variant_preun %{pae}
%kernel_variant_post -v %{pae} -r (kernel|kernel-smp)
%kernel_variant_post -v %{pae}debug -r (kernel|kernel-smp)
%kernel_variant_preun %{pae}debug
%kernel_variant_preun lpae
%kernel_variant_post -v lpae -r (kernel|kernel-smp)
%endif
%kernel_variant_preun debug
@ -1864,14 +1828,85 @@ fi
%kernel_variant_files %{_use_vdso} %{with_up}
%kernel_variant_files %{_use_vdso} %{with_debug} debug
%kernel_variant_files %{use_vdso} %{with_pae} %{pae}
%kernel_variant_files %{use_vdso} %{with_pae_debug} %{pae}debug
%kernel_variant_files %{use_vdso} %{with_pae} lpae
# plz don't put in a version string unless you're going to tag
# and build.
#
#
%changelog
* Fri May 03 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git4.1
- Linux v5.1-rc7-131-gea9866793d1e
* Thu May 02 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git3.1
- Linux v5.1-rc7-29-g600d7258316d
* Wed May 01 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git2.1
- Linux v5.1-rc7-16-gf2bc9c908dfe
* Tue Apr 30 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git1.1
- Linux v5.1-rc7-5-g83a50840e72a
* Tue Apr 30 2019 Jeremy Cline <jcline@redhat.com>
- Reenable debugging options.
* Tue Apr 30 2019 Hans de Goede <hdegoede@redhat.com>
- Fix wifi on various ideapad models not working (rhbz#1703338)
* Mon Apr 29 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc7.git0.1
- Linux v5.1-rc7
* Mon Apr 29 2019 Jeremy Cline <jcline@redhat.com>
- Disable debugging options.
* Fri Apr 26 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git4.1
- Linux v5.1-rc6-72-g8113a85f8720
* Thu Apr 25 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git3.1
- Linux v5.1-rc6-64-gcd8dead0c394
* Thu Apr 25 2019 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2019-3900 (rhbz 1698757 1702940)
* Wed Apr 24 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git2.1
- Linux v5.1-rc6-15-gba25b50d582f
* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git1.1
- Linux v5.1-rc6-4-g7142eaa58b49
* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com>
- Reenable debugging options.
* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com>
- Allow modules signed by keys in the platform keyring (rbhz 1701096)
* Mon Apr 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git0.1
- Linux v5.1-rc6
* Mon Apr 22 2019 Jeremy Cline <jcline@redhat.com>
- Disable debugging options.
* Wed Apr 17 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc5.git2.1
- Linux v5.1-rc5-36-g444fe9913539
* Tue Apr 16 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc5.git1.1
- Linux v5.1-rc5-10-g618d919cae2f
* Tue Apr 16 2019 Jeremy Cline <jcline@redhat.com>
- Reenable debugging options.
* Mon Apr 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc5.git0.1
- Linux v5.1-rc5
* Mon Apr 15 2019 Jeremy Cline <jcline@redhat.com>
- Disable debugging options.
* Fri Apr 12 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc4.git4.1
- Linux v5.1-rc4-184-g8ee15f324866
* Thu Apr 11 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc4.git3.1
- Linux v5.1-rc4-58-g582549e3fbe1
* Wed Apr 10 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc4.git2.1
- Linux v5.1-rc4-43-g771acc7e4a6e

View File

@ -0,0 +1,200 @@
From patchwork Thu Apr 25 07:33:19 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jason Wang <jasowang@redhat.com>
X-Patchwork-Id: 10916185
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
[172.30.200.125])
by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E4F501575
for <patchwork-kvm@patchwork.kernel.org>;
Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D276828BD7
for <patchwork-kvm@patchwork.kernel.org>;
Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
id C64AC28BE1; Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
pdx-wl-mail.web.codeaurora.org
X-Spam-Level:
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 590B228BD7
for <patchwork-kvm@patchwork.kernel.org>;
Thu, 25 Apr 2019 07:33:33 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1726957AbfDYHd1 (ORCPT
<rfc822;patchwork-kvm@patchwork.kernel.org>);
Thu, 25 Apr 2019 03:33:27 -0400
Received: from mx1.redhat.com ([209.132.183.28]:60130 "EHLO mx1.redhat.com"
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
id S1726317AbfDYHd1 (ORCPT <rfc822;kvm@vger.kernel.org>);
Thu, 25 Apr 2019 03:33:27 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
[10.5.11.22])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mx1.redhat.com (Postfix) with ESMTPS id C2BCE3002619;
Thu, 25 Apr 2019 07:33:26 +0000 (UTC)
Received: from hp-dl380pg8-02.lab.eng.pek2.redhat.com
(hp-dl380pg8-02.lab.eng.pek2.redhat.com [10.73.8.12])
by smtp.corp.redhat.com (Postfix) with ESMTP id 5DA021001DDB;
Thu, 25 Apr 2019 07:33:21 +0000 (UTC)
From: Jason Wang <jasowang@redhat.com>
To: mst@redhat.com, jasowang@redhat.com, kvm@vger.kernel.org,
virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: ppandit@redhat.com
Subject: [PATCH net] vhost_net: fix possible infinite loop
Date: Thu, 25 Apr 2019 03:33:19 -0400
Message-Id: <1556177599-56248-1-git-send-email-jasowang@redhat.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted,
not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]);
Thu, 25 Apr 2019 07:33:26 +0000 (UTC)
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP
When the rx buffer is too small for a packet, we will discard the vq
descriptor and retry it for the next packet:
while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
&busyloop_intr))) {
...
/* On overrun, truncate and discard */
if (unlikely(headcount > UIO_MAXIOV)) {
iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
err = sock->ops->recvmsg(sock, &msg,
1, MSG_DONTWAIT | MSG_TRUNC);
pr_debug("Discarded rx packet: len %zd\n", sock_len);
continue;
}
...
}
This makes it possible to trigger a infinite while..continue loop
through the co-opreation of two VMs like:
1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the
vhost process as much as possible e.g using indirect descriptors or
other.
2) Malicious VM2 generate packets to VM1 as fast as possible
Fixing this by checking against weight at the end of RX and TX
loop. This also eliminate other similar cases when:
- userspace is consuming the packets in the meanwhile
- theoretical TOCTOU attack if guest moving avail index back and forth
to hit the continue after vhost find guest just add new buffers
This addresses CVE-2019-3900.
Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
drivers/vhost/net.c | 41 +++++++++++++++++++++--------------------
1 file changed, 21 insertions(+), 20 deletions(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index df51a35..fb46e6b 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -778,8 +778,9 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
int err;
int sent_pkts = 0;
bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX);
+ bool next_round = false;
- for (;;) {
+ do {
bool busyloop_intr = false;
if (nvq->done_idx == VHOST_NET_BATCH)
@@ -845,11 +846,10 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock)
vq->heads[nvq->done_idx].id = cpu_to_vhost32(vq, head);
vq->heads[nvq->done_idx].len = 0;
++nvq->done_idx;
- if (vhost_exceeds_weight(++sent_pkts, total_len)) {
- vhost_poll_queue(&vq->poll);
- break;
- }
- }
+ } while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len)));
+
+ if (next_round)
+ vhost_poll_queue(&vq->poll);
vhost_tx_batch(net, nvq, sock, &msg);
}
@@ -873,8 +873,9 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
struct vhost_net_ubuf_ref *uninitialized_var(ubufs);
bool zcopy_used;
int sent_pkts = 0;
+ bool next_round = false;
- for (;;) {
+ do {
bool busyloop_intr;
/* Release DMAs done buffers first */
@@ -951,11 +952,10 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
else
vhost_zerocopy_signal_used(net, vq);
vhost_net_tx_packet(net);
- if (unlikely(vhost_exceeds_weight(++sent_pkts, total_len))) {
- vhost_poll_queue(&vq->poll);
- break;
- }
- }
+ } while (!(next_round = vhost_exceeds_weight(++sent_pkts, total_len)));
+
+ if (next_round)
+ vhost_poll_queue(&vq->poll);
}
/* Expects to be always run from workqueue - which acts as
@@ -1134,6 +1134,7 @@ static void handle_rx(struct vhost_net *net)
struct iov_iter fixup;
__virtio16 num_buffers;
int recv_pkts = 0;
+ bool next_round = false;
mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX);
sock = vq->private_data;
@@ -1153,8 +1154,11 @@ static void handle_rx(struct vhost_net *net)
vq->log : NULL;
mergeable = vhost_has_feature(vq, VIRTIO_NET_F_MRG_RXBUF);
- while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
- &busyloop_intr))) {
+ do {
+ sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
+ &busyloop_intr);
+ if (!sock_len)
+ break;
sock_len += sock_hlen;
vhost_len = sock_len + vhost_hlen;
headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
@@ -1239,12 +1243,9 @@ static void handle_rx(struct vhost_net *net)
vhost_log_write(vq, vq_log, log, vhost_len,
vq->iov, in);
total_len += vhost_len;
- if (unlikely(vhost_exceeds_weight(++recv_pkts, total_len))) {
- vhost_poll_queue(&vq->poll);
- goto out;
- }
- }
- if (unlikely(busyloop_intr))
+ } while (!(next_round = vhost_exceeds_weight(++recv_pkts, total_len)));
+
+ if (unlikely(busyloop_intr || next_round))
vhost_poll_queue(&vq->poll);
else
vhost_net_enable_vq(net, vq);

View File

@ -1,3 +1,3 @@
SHA512 (linux-5.0.tar.xz) = 3fbab70c7b03b1a10e9fa14d1e2e1f550faba4f5792b7699ca006951da74ab86e7d7f19c6a67849ab99343186e7d6f2752cd910d76222213b93c1eab90abf1b0
SHA512 (patch-5.1-rc4.xz) = 1feffe95816601137c4b2a09a5d14d8b023d05d7a3bb259ea42a05fc52ca48c8176a4477f88bfe4bcd8220f3e174793ddbefe7896807fdafaf5153934222eac2
SHA512 (patch-5.1-rc4-git2.xz) = 81103e3340bc362c523c0c053157d9fe6946fffe03782302154b3be50eec7d7328b95cc50e0269405e8b610265c160ab5ca1df8de348cc0e5630d1edcebd56e8
SHA512 (patch-5.1-rc7.xz) = 8e2c0f9843f08c9911ca14dedaed48ee1995bb12aec9b1e718d3f4cc23d8a0e8d21c368d40f78a43dcdea628e617a190344f0b6c63a4311a36d906da84d98702
SHA512 (patch-5.1-rc7-git4.xz) = 496ad8576733ffe434c18544a9d2624281374b3f825f930a7f4518d319001a499b60d06fb6d3b21fd8b85b267666effefd3ad06f6c2a89348b284ea9db7a3f85