diff options
author | Jason M. Bills <jason.m.bills@linux.intel.com> | 2021-01-11 23:27:14 +0300 |
---|---|---|
committer | Jason M. Bills <jason.m.bills@linux.intel.com> | 2021-01-12 01:15:33 +0300 |
commit | cd8549453858d3865e1798566fb2e7f1d2f8ec5e (patch) | |
tree | 07b0c089be906f69a4044e16679c2037c7903943 /meta-openbmc-mods/meta-common/recipes-kernel | |
parent | 18576aaaa49bf249aef0b72dd12fc452fccb6aed (diff) | |
download | openbmc-cd8549453858d3865e1798566fb2e7f1d2f8ec5e.tar.xz |
Update to internal 1.00-40
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel')
13 files changed, 1090 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0125-i2c-aspeed-clear-slave-addresses-in-probe.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0125-i2c-aspeed-clear-slave-addresses-in-probe.patch new file mode 100644 index 000000000..cd5fe4deb --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0125-i2c-aspeed-clear-slave-addresses-in-probe.patch @@ -0,0 +1,33 @@ +From 40af0a280cad30194c5ced83f6462c304d2f8c92 Mon Sep 17 00:00:00 2001 +From: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com> +Date: Wed, 16 Dec 2020 12:49:16 -0800 +Subject: [PATCH] i2c: aspeed: clear slave addresses in probe + +Initial value of I2CD18 is undefined according to the datasheet +so this commit adds the I2CD18 register clearing code into bus +initialization function to prevent any unexpected slave match +events. + +Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com> +Change-Id: I6c6cadeaf6fefcf74eba0d96c49986a810ccbb51 +--- + drivers/i2c/busses/i2c-aspeed.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-aspeed.c b/drivers/i2c/busses/i2c-aspeed.c +index d622ca14eb2a..d48489c803a8 100644 +--- a/drivers/i2c/busses/i2c-aspeed.c ++++ b/drivers/i2c/busses/i2c-aspeed.c +@@ -1610,6 +1610,9 @@ static int aspeed_i2c_probe_bus(struct platform_device *pdev) + writel(0, bus->base + ASPEED_I2C_INTR_CTRL_REG); + writel(0xffffffff, bus->base + ASPEED_I2C_INTR_STS_REG); + ++ /* Clear slave addresses. */ ++ writel(0, bus->base + ASPEED_I2C_DEV_ADDR_REG); ++ + parent_clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(parent_clk)) + return PTR_ERR(parent_clk); +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/1002-Filter-erroneous-adc-readings.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/1002-Filter-erroneous-adc-readings.patch new file mode 100644 index 000000000..9306ca9e2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/1002-Filter-erroneous-adc-readings.patch @@ -0,0 +1,59 @@ +From 8188c4d5deda1d747801bfafb750fd61d0292ba5 Mon Sep 17 00:00:00 2001 +From: Zhikui Ren <zhikui.ren@intel.com> +Date: Tue, 13 Oct 2020 12:23:29 -0700 +Subject: [PATCH] Filter erroneous adc readings + +There has been cases that ast2500 ADC appears to return an incorrect +reading. Re-read the ADC data once if the ADC valuse jumped more than +80 counts comparing the previous value. + +This is a workaround to filter out these erroneous readings recorded +from user space application polling every second: +PVNN_PCH_AUX history dump: + 0.9,0.9,0.9,0.9,1.351,0.9,0.9,0.9,0.901,0.898 +PVDQ_DEF_CPU1 history dump: + 1.235,1.237,1.237,1.235,1.348,1.237,1.237,1.235,1.237,1.235 +ADC raw reading is 1000 times above numbers. + +This approach works if there is a silicon bug in adc register read +with minimal risk. It will not work if the bad readings come from noise +in the sensing circuitry. This patch may be removed if that is proven +to be the case. + +Tested: +Build and verified no regression in voltage reading on my WC. + +Signed-off-by: Zhikui Ren <zhikui.ren@intel.com> +--- + drivers/iio/adc/aspeed_adc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/iio/adc/aspeed_adc.c b/drivers/iio/adc/aspeed_adc.c +index c115797c4cc5..c1e775e764ca 100644 +--- a/drivers/iio/adc/aspeed_adc.c ++++ b/drivers/iio/adc/aspeed_adc.c +@@ -55,6 +55,7 @@ + + #define ASPEED_ADC_CHANNELS_MAX 16 + #define ASPEED_ADC_RAW_VALUE_MAX 0x3ff ++#define ASPEED_ADC_RAW_VALUE_DELTA_THRESHOLD 80 + + struct aspeed_adc_model_data { + const char *model_name; +@@ -133,6 +134,13 @@ static int aspeed_adc_read_raw(struct iio_dev *indio_dev, + pr_err("aspeed_adc: channel %d drop invalid raw reading 0x3FF %d\n", + chan->channel, ASPEED_ADC_RAW_VALUE_MAX); + } else { ++ if (*val > (data->channel_raw_value[chan->channel] + ++ ASPEED_ADC_RAW_VALUE_DELTA_THRESHOLD)) { ++ pr_err("aspeed_adc: Warning-channel %d prev=%d, curr=%d, retry.\n", ++ chan->channel, ++ data->channel_raw_value[chan->channel], *val); ++ *val = readw(data->base + chan->address); ++ } + data->channel_raw_value[chan->channel] = *val; + } + return IIO_VAL_INT; +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-14351/0001-perf-core-Fix-race-in-the-perf_mmap_close-function.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-14351/0001-perf-core-Fix-race-in-the-perf_mmap_close-function.patch new file mode 100644 index 000000000..c5114ac32 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-14351/0001-perf-core-Fix-race-in-the-perf_mmap_close-function.patch @@ -0,0 +1,98 @@ +From 4ef4d084d9e38fbf31d40ff0a91bd621720421d9 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa <jolsa@redhat.com> +Date: Wed, 16 Sep 2020 13:53:11 +0200 +Subject: [PATCH] perf/core: Fix race in the perf_mmap_close() function + +There's a possible race in perf_mmap_close() when checking ring buffer's +mmap_count refcount value. The problem is that the mmap_count check is +not atomic because we call atomic_dec() and atomic_read() separately. + + perf_mmap_close: + ... + atomic_dec(&rb->mmap_count); + ... + if (atomic_read(&rb->mmap_count)) + goto out_put; + + <ring buffer detach> + free_uid + +out_put: + ring_buffer_put(rb); /* could be last */ + +The race can happen when we have two (or more) events sharing same ring +buffer and they go through atomic_dec() and then they both see 0 as refcount +value later in atomic_read(). Then both will go on and execute code which +is meant to be run just once. + +The code that detaches ring buffer is probably fine to be executed more +than once, but the problem is in calling free_uid(), which will later on +demonstrate in related crashes and refcount warnings, like: + + refcount_t: addition on 0; use-after-free. + ... + RIP: 0010:refcount_warn_saturate+0x6d/0xf + ... + Call Trace: + prepare_creds+0x190/0x1e0 + copy_creds+0x35/0x172 + copy_process+0x471/0x1a80 + _do_fork+0x83/0x3a0 + __do_sys_wait4+0x83/0x90 + __do_sys_clone+0x85/0xa0 + do_syscall_64+0x5b/0x1e0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Using atomic decrease and check instead of separated calls. + +Tested-by: Michael Petlan <mpetlan@redhat.com> +Signed-off-by: Jiri Olsa <jolsa@kernel.org> +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl> +Acked-by: Namhyung Kim <namhyung@kernel.org> +Acked-by: Wade Mealing <wmealing@redhat.com> +Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole"); +Link: https://lore.kernel.org/r/20200916115311.GE2301783@krava +--- + kernel/events/core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 956d5ab46db9..1d5f2806c65e 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5587,11 +5587,11 @@ static void perf_pmu_output_stop(struct perf_event *event); + static void perf_mmap_close(struct vm_area_struct *vma) + { + struct perf_event *event = vma->vm_file->private_data; +- + struct ring_buffer *rb = ring_buffer_get(event); + struct user_struct *mmap_user = rb->mmap_user; + int mmap_locked = rb->mmap_locked; + unsigned long size = perf_data_size(rb); ++ bool detach_rest = false; + + if (event->pmu->event_unmapped) + event->pmu->event_unmapped(event, vma->vm_mm); +@@ -5622,7 +5622,8 @@ static void perf_mmap_close(struct vm_area_struct *vma) + mutex_unlock(&event->mmap_mutex); + } + +- atomic_dec(&rb->mmap_count); ++ if (atomic_dec_and_test(&rb->mmap_count)) ++ detach_rest = true; + + if (!atomic_dec_and_mutex_lock(&event->mmap_count, &event->mmap_mutex)) + goto out_put; +@@ -5631,7 +5632,7 @@ static void perf_mmap_close(struct vm_area_struct *vma) + mutex_unlock(&event->mmap_mutex); + + /* If there's still other mmap()s of this buffer, we're done. */ +- if (atomic_read(&rb->mmap_count)) ++ if (!detach_rest) + goto out_put; + + /* +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-15436/0001-block-Fix-use-after-free-in-blkdev_get.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-15436/0001-block-Fix-use-after-free-in-blkdev_get.patch new file mode 100644 index 000000000..958fb1967 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-15436/0001-block-Fix-use-after-free-in-blkdev_get.patch @@ -0,0 +1,194 @@ +From 2d3a8e2deddea6c89961c422ec0c5b851e648c14 Mon Sep 17 00:00:00 2001 +From: Jason Yan <yanaijie@huawei.com> +Date: Tue, 16 Jun 2020 20:16:55 +0800 +Subject: [PATCH] block: Fix use-after-free in blkdev_get() + +In blkdev_get() we call __blkdev_get() to do some internal jobs and if +there is some errors in __blkdev_get(), the bdput() is called which +means we have released the refcount of the bdev (actually the refcount of +the bdev inode). This means we cannot access bdev after that point. But +acctually bdev is still accessed in blkdev_get() after calling +__blkdev_get(). This results in use-after-free if the refcount is the +last one we released in __blkdev_get(). Let's take a look at the +following scenerio: + + CPU0 CPU1 CPU2 +blkdev_open blkdev_open Remove disk + bd_acquire + blkdev_get + __blkdev_get del_gendisk + bdev_unhash_inode + bd_acquire bdev_get_gendisk + bd_forget failed because of unhashed + bdput + bdput (the last one) + bdev_evict_inode + + access bdev => use after free + +[ 459.350216] BUG: KASAN: use-after-free in __lock_acquire+0x24c1/0x31b0 +[ 459.351190] Read of size 8 at addr ffff88806c815a80 by task syz-executor.0/20132 +[ 459.352347] +[ 459.352594] CPU: 0 PID: 20132 Comm: syz-executor.0 Not tainted 4.19.90 #2 +[ 459.353628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +[ 459.354947] Call Trace: +[ 459.355337] dump_stack+0x111/0x19e +[ 459.355879] ? __lock_acquire+0x24c1/0x31b0 +[ 459.356523] print_address_description+0x60/0x223 +[ 459.357248] ? __lock_acquire+0x24c1/0x31b0 +[ 459.357887] kasan_report.cold+0xae/0x2d8 +[ 459.358503] __lock_acquire+0x24c1/0x31b0 +[ 459.359120] ? _raw_spin_unlock_irq+0x24/0x40 +[ 459.359784] ? lockdep_hardirqs_on+0x37b/0x580 +[ 459.360465] ? _raw_spin_unlock_irq+0x24/0x40 +[ 459.361123] ? finish_task_switch+0x125/0x600 +[ 459.361812] ? finish_task_switch+0xee/0x600 +[ 459.362471] ? mark_held_locks+0xf0/0xf0 +[ 459.363108] ? __schedule+0x96f/0x21d0 +[ 459.363716] lock_acquire+0x111/0x320 +[ 459.364285] ? blkdev_get+0xce/0xbe0 +[ 459.364846] ? blkdev_get+0xce/0xbe0 +[ 459.365390] __mutex_lock+0xf9/0x12a0 +[ 459.365948] ? blkdev_get+0xce/0xbe0 +[ 459.366493] ? bdev_evict_inode+0x1f0/0x1f0 +[ 459.367130] ? blkdev_get+0xce/0xbe0 +[ 459.367678] ? destroy_inode+0xbc/0x110 +[ 459.368261] ? mutex_trylock+0x1a0/0x1a0 +[ 459.368867] ? __blkdev_get+0x3e6/0x1280 +[ 459.369463] ? bdev_disk_changed+0x1d0/0x1d0 +[ 459.370114] ? blkdev_get+0xce/0xbe0 +[ 459.370656] blkdev_get+0xce/0xbe0 +[ 459.371178] ? find_held_lock+0x2c/0x110 +[ 459.371774] ? __blkdev_get+0x1280/0x1280 +[ 459.372383] ? lock_downgrade+0x680/0x680 +[ 459.373002] ? lock_acquire+0x111/0x320 +[ 459.373587] ? bd_acquire+0x21/0x2c0 +[ 459.374134] ? do_raw_spin_unlock+0x4f/0x250 +[ 459.374780] blkdev_open+0x202/0x290 +[ 459.375325] do_dentry_open+0x49e/0x1050 +[ 459.375924] ? blkdev_get_by_dev+0x70/0x70 +[ 459.376543] ? __x64_sys_fchdir+0x1f0/0x1f0 +[ 459.377192] ? inode_permission+0xbe/0x3a0 +[ 459.377818] path_openat+0x148c/0x3f50 +[ 459.378392] ? kmem_cache_alloc+0xd5/0x280 +[ 459.379016] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.379802] ? path_lookupat.isra.0+0x900/0x900 +[ 459.380489] ? __lock_is_held+0xad/0x140 +[ 459.381093] do_filp_open+0x1a1/0x280 +[ 459.381654] ? may_open_dev+0xf0/0xf0 +[ 459.382214] ? find_held_lock+0x2c/0x110 +[ 459.382816] ? lock_downgrade+0x680/0x680 +[ 459.383425] ? __lock_is_held+0xad/0x140 +[ 459.384024] ? do_raw_spin_unlock+0x4f/0x250 +[ 459.384668] ? _raw_spin_unlock+0x1f/0x30 +[ 459.385280] ? __alloc_fd+0x448/0x560 +[ 459.385841] do_sys_open+0x3c3/0x500 +[ 459.386386] ? filp_open+0x70/0x70 +[ 459.386911] ? trace_hardirqs_on_thunk+0x1a/0x1c +[ 459.387610] ? trace_hardirqs_off_caller+0x55/0x1c0 +[ 459.388342] ? do_syscall_64+0x1a/0x520 +[ 459.388930] do_syscall_64+0xc3/0x520 +[ 459.389490] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.390248] RIP: 0033:0x416211 +[ 459.390720] Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 +04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f + 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d + 01 +[ 459.393483] RSP: 002b:00007fe45dfe9a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 +[ 459.394610] RAX: ffffffffffffffda RBX: 00007fe45dfea6d4 RCX: 0000000000416211 +[ 459.395678] RDX: 00007fe45dfe9b0a RSI: 0000000000000002 RDI: 00007fe45dfe9b00 +[ 459.396758] RBP: 000000000076bf20 R08: 0000000000000000 R09: 000000000000000a +[ 459.397930] R10: 0000000000000075 R11: 0000000000000293 R12: 00000000ffffffff +[ 459.399022] R13: 0000000000000bd9 R14: 00000000004cdb80 R15: 000000000076bf2c +[ 459.400168] +[ 459.400430] Allocated by task 20132: +[ 459.401038] kasan_kmalloc+0xbf/0xe0 +[ 459.401652] kmem_cache_alloc+0xd5/0x280 +[ 459.402330] bdev_alloc_inode+0x18/0x40 +[ 459.402970] alloc_inode+0x5f/0x180 +[ 459.403510] iget5_locked+0x57/0xd0 +[ 459.404095] bdget+0x94/0x4e0 +[ 459.404607] bd_acquire+0xfa/0x2c0 +[ 459.405113] blkdev_open+0x110/0x290 +[ 459.405702] do_dentry_open+0x49e/0x1050 +[ 459.406340] path_openat+0x148c/0x3f50 +[ 459.406926] do_filp_open+0x1a1/0x280 +[ 459.407471] do_sys_open+0x3c3/0x500 +[ 459.408010] do_syscall_64+0xc3/0x520 +[ 459.408572] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.409415] +[ 459.409679] Freed by task 1262: +[ 459.410212] __kasan_slab_free+0x129/0x170 +[ 459.410919] kmem_cache_free+0xb2/0x2a0 +[ 459.411564] rcu_process_callbacks+0xbb2/0x2320 +[ 459.412318] __do_softirq+0x225/0x8ac + +Fix this by delaying bdput() to the end of blkdev_get() which means we +have finished accessing bdev. + +Fixes: 77ea887e433a ("implement in-kernel gendisk events handling") +Reported-by: Hulk Robot <hulkci@huawei.com> +Signed-off-by: Jason Yan <yanaijie@huawei.com> +Tested-by: Sedat Dilek <sedat.dilek@gmail.com> +Reviewed-by: Jan Kara <jack@suse.cz> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: Christoph Hellwig <hch@lst.de> +Cc: Jens Axboe <axboe@kernel.dk> +Cc: Ming Lei <ming.lei@redhat.com> +Cc: Jan Kara <jack@suse.cz> +Cc: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +--- + fs/block_dev.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 47860e589388..08c87db3a92b 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1565,10 +1565,8 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + */ + if (!for_part) { + ret = devcgroup_inode_permission(bdev->bd_inode, perm); +- if (ret != 0) { +- bdput(bdev); ++ if (ret != 0) + return ret; +- } + } + + restart: +@@ -1637,8 +1635,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + goto out_clear; + BUG_ON(for_part); + ret = __blkdev_get(whole, mode, 1); +- if (ret) ++ if (ret) { ++ bdput(whole); + goto out_clear; ++ } + bdev->bd_contains = whole; + bdev->bd_part = disk_get_part(disk, partno); + if (!(disk->flags & GENHD_FL_UP) || +@@ -1688,7 +1688,6 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + disk_unblock_events(disk); + put_disk_and_module(disk); + out: +- bdput(bdev); + + return ret; + } +@@ -1755,6 +1754,9 @@ int blkdev_get(struct block_device *bdev, fmode_t mode, void *holder) + bdput(whole); + } + ++ if (res) ++ bdput(bdev); ++ + return res; + } + EXPORT_SYMBOL(blkdev_get); +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-15437/0001-serial-8250-fix-null-ptr-deref-in-serial8250_start_t.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-15437/0001-serial-8250-fix-null-ptr-deref-in-serial8250_start_t.patch new file mode 100644 index 000000000..c10d98f76 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-15437/0001-serial-8250-fix-null-ptr-deref-in-serial8250_start_t.patch @@ -0,0 +1,90 @@ +From f4c23a140d80ef5e6d3d1f8f57007649014b60fa Mon Sep 17 00:00:00 2001 +From: Yang Yingliang <yangyingliang@huawei.com> +Date: Tue, 21 Jul 2020 14:38:52 +0000 +Subject: [PATCH] serial: 8250: fix null-ptr-deref in serial8250_start_tx() + +I got null-ptr-deref in serial8250_start_tx(): + +[ 78.114630] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +[ 78.123778] Mem abort info: +[ 78.126560] ESR = 0x86000007 +[ 78.129603] EC = 0x21: IABT (current EL), IL = 32 bits +[ 78.134891] SET = 0, FnV = 0 +[ 78.137933] EA = 0, S1PTW = 0 +[ 78.141064] user pgtable: 64k pages, 48-bit VAs, pgdp=00000027d41a8600 +[ 78.147562] [0000000000000000] pgd=00000027893f0003, p4d=00000027893f0003, pud=00000027893f0003, pmd=00000027c9a20003, pte=0000000000000000 +[ 78.160029] Internal error: Oops: 86000007 [#1] SMP +[ 78.164886] Modules linked in: sunrpc vfat fat aes_ce_blk crypto_simd cryptd aes_ce_cipher crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce ses enclosure sg sbsa_gwdt ipmi_ssif spi_dw_mmio sch_fq_codel vhost_net tun vhost vhost_iotlb tap ip_tables ext4 mbcache jbd2 ahci hisi_sas_v3_hw libahci hisi_sas_main libsas hns3 scsi_transport_sas hclge libata megaraid_sas ipmi_si hnae3 ipmi_devintf ipmi_msghandler br_netfilter bridge stp llc nvme nvme_core xt_sctp sctp libcrc32c dm_mod nbd +[ 78.207383] CPU: 11 PID: 23258 Comm: null-ptr Not tainted 5.8.0-rc6+ #48 +[ 78.214056] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B210.01 03/12/2020 +[ 78.222888] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--) +[ 78.228435] pc : 0x0 +[ 78.230618] lr : serial8250_start_tx+0x160/0x260 +[ 78.235215] sp : ffff800062eefb80 +[ 78.238517] x29: ffff800062eefb80 x28: 0000000000000fff +[ 78.243807] x27: ffff800062eefd80 x26: ffff202fd83b3000 +[ 78.249098] x25: ffff800062eefd80 x24: ffff202fd83b3000 +[ 78.254388] x23: ffff002fc5e50be8 x22: 0000000000000002 +[ 78.259679] x21: 0000000000000001 x20: 0000000000000000 +[ 78.264969] x19: ffffa688827eecc8 x18: 0000000000000000 +[ 78.270259] x17: 0000000000000000 x16: 0000000000000000 +[ 78.275550] x15: ffffa68881bc67a8 x14: 00000000000002e6 +[ 78.280841] x13: ffffa68881bc67a8 x12: 000000000000c539 +[ 78.286131] x11: d37a6f4de9bd37a7 x10: ffffa68881cccff0 +[ 78.291421] x9 : ffffa68881bc6000 x8 : ffffa688819daa88 +[ 78.296711] x7 : ffffa688822a0f20 x6 : ffffa688819e0000 +[ 78.302002] x5 : ffff800062eef9d0 x4 : ffffa68881e707a8 +[ 78.307292] x3 : 0000000000000000 x2 : 0000000000000002 +[ 78.312582] x1 : 0000000000000001 x0 : ffffa688827eecc8 +[ 78.317873] Call trace: +[ 78.320312] 0x0 +[ 78.322147] __uart_start.isra.9+0x64/0x78 +[ 78.326229] uart_start+0xb8/0x1c8 +[ 78.329620] uart_flush_chars+0x24/0x30 +[ 78.333442] n_tty_receive_buf_common+0x7b0/0xc30 +[ 78.338128] n_tty_receive_buf+0x44/0x2c8 +[ 78.342122] tty_ioctl+0x348/0x11f8 +[ 78.345599] ksys_ioctl+0xd8/0xf8 +[ 78.348903] __arm64_sys_ioctl+0x2c/0xc8 +[ 78.352812] el0_svc_common.constprop.2+0x88/0x1b0 +[ 78.357583] do_el0_svc+0x44/0xd0 +[ 78.360887] el0_sync_handler+0x14c/0x1d0 +[ 78.364880] el0_sync+0x140/0x180 +[ 78.368185] Code: bad PC value + +SERIAL_PORT_DFNS is not defined on each arch, if it's not defined, +serial8250_set_defaults() won't be called in serial8250_isa_init_ports(), +so the p->serial_in pointer won't be initialized, and it leads a null-ptr-deref. +Fix this problem by calling serial8250_set_defaults() after init uart port. + +Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> +Cc: stable <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20200721143852.4058352-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tty/serial/8250/8250_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index fc118f649887..cae61d1ebec5 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -524,6 +524,7 @@ static void __init serial8250_isa_init_ports(void) + */ + up->mcr_mask = ~ALPHA_KLUDGE_MCR; + up->mcr_force = ALPHA_KLUDGE_MCR; ++ serial8250_set_defaults(up); + } + + /* chain base port ops to support Remote Supervisor Adapter */ +@@ -547,7 +548,6 @@ static void __init serial8250_isa_init_ports(void) + port->membase = old_serial_port[i].iomem_base; + port->iotype = old_serial_port[i].io_type; + port->regshift = old_serial_port[i].iomem_reg_shift; +- serial8250_set_defaults(up); + + port->irqflags |= irqflag; + if (serial8250_isa_config != NULL) +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch new file mode 100644 index 000000000..e51593af2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch @@ -0,0 +1,92 @@ +From 7bdb157cdebbf95a1cd94ed2e01b338714075d00 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?kiyin=28=E5=B0=B9=E4=BA=AE=29?= <kiyin@tencent.com> +Date: Wed, 4 Nov 2020 08:23:22 +0300 +Subject: [PATCH] perf/core: Fix a memory leak in + perf_event_parse_addr_filter() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As shown through runtime testing, the "filename" allocation is not +always freed in perf_event_parse_addr_filter(). + +There are three possible ways that this could happen: + + - It could be allocated twice on subsequent iterations through the loop, + - or leaked on the success path, + - or on the failure path. + +Clean up the code flow to make it obvious that 'filename' is always +freed in the reallocation path and in the two return paths as well. + +We rely on the fact that kfree(NULL) is NOP and filename is initialized +with NULL. + +This fixes the leak. No other side effects expected. + +[ Dan Carpenter: cleaned up the code flow & added a changelog. ] +[ Ingo Molnar: updated the changelog some more. ] + +Fixes: 375637bc5249 ("perf/core: Introduce address range filtering") +Signed-off-by: "kiyin(尹亮)" <kiyin@tencent.com> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Cc: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu> +Cc: Anthony Liguori <aliguori@amazon.com> +-- + kernel/events/core.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) +--- + kernel/events/core.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index da467e1dd49a..5a29ab09e72d 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10085,6 +10085,7 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr, + if (token == IF_SRC_FILE || token == IF_SRC_FILEADDR) { + int fpos = token == IF_SRC_FILE ? 2 : 1; + ++ kfree(filename); + filename = match_strdup(&args[fpos]); + if (!filename) { + ret = -ENOMEM; +@@ -10131,16 +10132,13 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr, + */ + ret = -EOPNOTSUPP; + if (!event->ctx->task) +- goto fail_free_name; ++ goto fail; + + /* look up the path and grab its inode */ + ret = kern_path(filename, LOOKUP_FOLLOW, + &filter->path); + if (ret) +- goto fail_free_name; +- +- kfree(filename); +- filename = NULL; ++ goto fail; + + ret = -EINVAL; + if (!filter->path.dentry || +@@ -10160,13 +10158,13 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr, + if (state != IF_STATE_ACTION) + goto fail; + ++ kfree(filename); + kfree(orig); + + return 0; + +-fail_free_name: +- kfree(filename); + fail: ++ kfree(filename); + free_filters_list(filters); + kfree(orig); + +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25705/0001-icmp-randomize-the-global-rate-limiter.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25705/0001-icmp-randomize-the-global-rate-limiter.patch new file mode 100644 index 000000000..079f8d78e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25705/0001-icmp-randomize-the-global-rate-limiter.patch @@ -0,0 +1,51 @@ +From df6369cb69d03c30b299a8a2e3dbeab2261562f9 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 15 Oct 2020 11:42:00 -0700 +Subject: [PATCH] icmp: randomize the global rate limiter + +[ Upstream commit b38e7819cae946e2edf869e604af1e65a5d241c5 ] + +Keyu Man reported that the ICMP rate limiter could be used +by attackers to get useful signal. Details will be provided +in an upcoming academic publication. + +Our solution is to add some noise, so that the attackers +no longer can get help from the predictable token bucket limiter. + +Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: Keyu Man <kman001@ucr.edu> +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/ipv4/icmp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index ac95ba78b903..76cacbe39a21 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -239,7 +239,7 @@ static struct { + /** + * icmp_global_allow - Are we allowed to send one more ICMP message ? + * +- * Uses a token bucket to limit our ICMP messages to sysctl_icmp_msgs_per_sec. ++ * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec. + * Returns false if we reached the limit and can not send another packet. + * Note: called with BH disabled + */ +@@ -267,7 +267,10 @@ bool icmp_global_allow(void) + } + credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst); + if (credit) { +- credit--; ++ /* We want to use a credit of one in average, but need to randomize ++ * it for security reasons. ++ */ ++ credit = max_t(int, credit - prandom_u32_max(3), 0); + rc = true; + } + WRITE_ONCE(icmp_global.credit, credit); +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29369/0001-mm-mmap.c-close-race-between-munmap-and-expand_upwar.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29369/0001-mm-mmap.c-close-race-between-munmap-and-expand_upwar.patch new file mode 100644 index 000000000..378d7c529 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29369/0001-mm-mmap.c-close-race-between-munmap-and-expand_upwar.patch @@ -0,0 +1,89 @@ +From 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> +Date: Thu, 23 Jul 2020 21:15:11 -0700 +Subject: [PATCH] mm/mmap.c: close race between munmap() and + expand_upwards()/downwards() + +VMA with VM_GROWSDOWN or VM_GROWSUP flag set can change their size under +mmap_read_lock(). It can lead to race with __do_munmap(): + + Thread A Thread B +__do_munmap() + detach_vmas_to_be_unmapped() + mmap_write_downgrade() + expand_downwards() + vma->vm_start = address; + // The VMA now overlaps with + // VMAs detached by the Thread A + // page fault populates expanded part + // of the VMA + unmap_region() + // Zaps pagetables partly + // populated by Thread B + +Similar race exists for expand_upwards(). + +The fix is to avoid downgrading mmap_lock in __do_munmap() if detached +VMAs are next to VM_GROWSDOWN or VM_GROWSUP VMA. + +[akpm@linux-foundation.org: s/mmap_sem/mmap_lock/ in comment] + +Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com> +Acked-by: Vlastimil Babka <vbabka@suse.cz> +Cc: Oleg Nesterov <oleg@redhat.com> +Cc: Matthew Wilcox <willy@infradead.org> +Cc: <stable@vger.kernel.org> [4.20+] +Link: http://lkml.kernel.org/r/20200709105309.42495-1-kirill.shutemov@linux.intel.com +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + mm/mmap.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 59a4682ebf3f..8c7ca737a19b 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2620,7 +2620,7 @@ static void unmap_region(struct mm_struct *mm, + * Create a list of vma's touched by the unmap, removing them from the mm's + * vma list as we go.. + */ +-static void ++static bool + detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + struct vm_area_struct *prev, unsigned long end) + { +@@ -2645,6 +2645,17 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + + /* Kill the cache */ + vmacache_invalidate(mm); ++ ++ /* ++ * Do not downgrade mmap_lock if we are next to VM_GROWSDOWN or ++ * VM_GROWSUP VMA. Such VMAs can change their size under ++ * down_read(mmap_lock) and collide with the VMA we are about to unmap. ++ */ ++ if (vma && (vma->vm_flags & VM_GROWSDOWN)) ++ return false; ++ if (prev && (prev->vm_flags & VM_GROWSUP)) ++ return false; ++ return true; + } + + /* +@@ -2825,7 +2836,8 @@ int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len, + } + + /* Detach vmas from rbtree */ +- detach_vmas_to_be_unmapped(mm, vma, prev, end); ++ if (!detach_vmas_to_be_unmapped(mm, vma, prev, end)) ++ downgrade = false; + + if (downgrade) + mmap_write_downgrade(mm); +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29372/0001-mm-check-that-mm-is-still-valid-in-madvise.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29372/0001-mm-check-that-mm-is-still-valid-in-madvise.patch new file mode 100644 index 000000000..80519ac8d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29372/0001-mm-check-that-mm-is-still-valid-in-madvise.patch @@ -0,0 +1,72 @@ +From bc0c4d1e176eeb614dc8734fc3ace34292771f11 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Fri, 24 Apr 2020 11:10:58 -0700 +Subject: [PATCH] mm: check that mm is still valid in madvise() + +IORING_OP_MADVISE can end up basically doing mprotect() on the VM of +another process, which means that it can race with our crazy core dump +handling which accesses the VM state without holding the mmap_sem +(because it incorrectly thinks that it is the final user). + +This is clearly a core dumping problem, but we've never fixed it the +right way, and instead have the notion of "check that the mm is still +ok" using mmget_still_valid() after getting the mmap_sem for writing in +any situation where we're not the original VM thread. + +See commit 04f5866e41fb ("coredump: fix race condition between +mmget_not_zero()/get_task_mm() and core dumping") for more background on +this whole mmget_still_valid() thing. You might want to have a barf bag +handy when you do. + +We're discussing just fixing this properly in the only remaining core +dumping routines. But even if we do that, let's make do_madvise() do +the right thing, and then when we fix core dumping, we can remove all +these mmget_still_valid() checks. + +Reported-and-tested-by: Jann Horn <jannh@google.com> +Fixes: c1ca757bd6f4 ("io_uring: add IORING_OP_MADVISE") +Acked-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + mm/madvise.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/mm/madvise.c b/mm/madvise.c +index 4bb30ed6c8d2..8cbd8c1bfe15 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -27,6 +27,7 @@ + #include <linux/swapops.h> + #include <linux/shmem_fs.h> + #include <linux/mmu_notifier.h> ++#include <linux/sched/mm.h> + + #include <asm/tlb.h> + +@@ -1090,6 +1091,23 @@ int do_madvise(unsigned long start, size_t len_in, int behavior) + if (write) { + if (down_write_killable(¤t->mm->mmap_sem)) + return -EINTR; ++ ++ /* ++ * We may have stolen the mm from another process ++ * that is undergoing core dumping. ++ * ++ * Right now that's io_ring, in the future it may ++ * be remote process management and not "current" ++ * at all. ++ * ++ * We need to fix core dumping to not do this, ++ * but for now we have the mmget_still_valid() ++ * model. ++ */ ++ if (!mmget_still_valid(current->mm)) { ++ up_write(¤t->mm->mmap_sem); ++ return -EINTR; ++ } + } else { + down_read(¤t->mm->mmap_sem); + } +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29660/0001-tty-Fix-session-locking.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29660/0001-tty-Fix-session-locking.patch new file mode 100644 index 000000000..a00ce2a95 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29660/0001-tty-Fix-session-locking.patch @@ -0,0 +1,204 @@ +From 35ee9ac513280f46eeb1196bac82ed5320380412 Mon Sep 17 00:00:00 2001 +From: Jann Horn <jannh@google.com> +Date: Thu, 3 Dec 2020 02:25:05 +0100 +Subject: [PATCH] tty: Fix ->session locking + +commit c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9 upstream. + +Currently, locking of ->session is very inconsistent; most places +protect it using the legacy tty mutex, but disassociate_ctty(), +__do_SAK(), tiocspgrp() and tiocgsid() don't. +Two of the writers hold the ctrl_lock (because they already need it for +->pgrp), but __proc_set_tty() doesn't do that yet. + +On a PREEMPT=y system, an unprivileged user can theoretically abuse +this broken locking to read 4 bytes of freed memory via TIOCGSID if +tiocgsid() is preempted long enough at the right point. (Other things +might also go wrong, especially if root-only ioctls are involved; I'm +not sure about that.) + +Change the locking on ->session such that: + + - tty_lock() is held by all writers: By making disassociate_ctty() + hold it. This should be fine because the same lock can already be + taken through the call to tty_vhangup_session(). + The tricky part is that we need to shorten the area covered by + siglock to be able to take tty_lock() without ugly retry logic; as + far as I can tell, this should be fine, since nothing in the + signal_struct is touched in the `if (tty)` branch. + - ctrl_lock is held by all writers: By changing __proc_set_tty() to + hold the lock a little longer. + - All readers that aren't holding tty_lock() hold ctrl_lock: By + adding locking to tiocgsid() and __do_SAK(), and expanding the area + covered by ctrl_lock in tiocspgrp(). + +Cc: stable@kernel.org +Signed-off-by: Jann Horn <jannh@google.com> +Reviewed-by: Jiri Slaby <jirislaby@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tty/tty_io.c | 7 ++++++- + drivers/tty/tty_jobctrl.c | 44 +++++++++++++++++++++++++++------------ + include/linux/tty.h | 4 ++++ + 3 files changed, 41 insertions(+), 14 deletions(-) + +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 36c1c59cc72a..642765bf1023 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2894,10 +2894,14 @@ void __do_SAK(struct tty_struct *tty) + struct task_struct *g, *p; + struct pid *session; + int i; ++ unsigned long flags; + + if (!tty) + return; +- session = tty->session; ++ ++ spin_lock_irqsave(&tty->ctrl_lock, flags); ++ session = get_pid(tty->session); ++ spin_unlock_irqrestore(&tty->ctrl_lock, flags); + + tty_ldisc_flush(tty); + +@@ -2929,6 +2933,7 @@ void __do_SAK(struct tty_struct *tty) + task_unlock(p); + } while_each_thread(g, p); + read_unlock(&tasklist_lock); ++ put_pid(session); + #endif + } + +diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c +index af508957ff05..813be2c05262 100644 +--- a/drivers/tty/tty_jobctrl.c ++++ b/drivers/tty/tty_jobctrl.c +@@ -103,8 +103,8 @@ static void __proc_set_tty(struct tty_struct *tty) + put_pid(tty->session); + put_pid(tty->pgrp); + tty->pgrp = get_pid(task_pgrp(current)); +- spin_unlock_irqrestore(&tty->ctrl_lock, flags); + tty->session = get_pid(task_session(current)); ++ spin_unlock_irqrestore(&tty->ctrl_lock, flags); + if (current->signal->tty) { + tty_debug(tty, "current tty %s not NULL!!\n", + current->signal->tty->name); +@@ -293,20 +293,23 @@ void disassociate_ctty(int on_exit) + spin_lock_irq(¤t->sighand->siglock); + put_pid(current->signal->tty_old_pgrp); + current->signal->tty_old_pgrp = NULL; +- + tty = tty_kref_get(current->signal->tty); ++ spin_unlock_irq(¤t->sighand->siglock); ++ + if (tty) { + unsigned long flags; ++ ++ tty_lock(tty); + spin_lock_irqsave(&tty->ctrl_lock, flags); + put_pid(tty->session); + put_pid(tty->pgrp); + tty->session = NULL; + tty->pgrp = NULL; + spin_unlock_irqrestore(&tty->ctrl_lock, flags); ++ tty_unlock(tty); + tty_kref_put(tty); + } + +- spin_unlock_irq(¤t->sighand->siglock); + /* Now clear signal->tty under the lock */ + read_lock(&tasklist_lock); + session_clear_tty(task_session(current)); +@@ -477,14 +480,19 @@ static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t + return -ENOTTY; + if (retval) + return retval; +- if (!current->signal->tty || +- (current->signal->tty != real_tty) || +- (real_tty->session != task_session(current))) +- return -ENOTTY; ++ + if (get_user(pgrp_nr, p)) + return -EFAULT; + if (pgrp_nr < 0) + return -EINVAL; ++ ++ spin_lock_irq(&real_tty->ctrl_lock); ++ if (!current->signal->tty || ++ (current->signal->tty != real_tty) || ++ (real_tty->session != task_session(current))) { ++ retval = -ENOTTY; ++ goto out_unlock_ctrl; ++ } + rcu_read_lock(); + pgrp = find_vpid(pgrp_nr); + retval = -ESRCH; +@@ -494,12 +502,12 @@ static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t + if (session_of_pgrp(pgrp) != task_session(current)) + goto out_unlock; + retval = 0; +- spin_lock_irq(&real_tty->ctrl_lock); + put_pid(real_tty->pgrp); + real_tty->pgrp = get_pid(pgrp); +- spin_unlock_irq(&real_tty->ctrl_lock); + out_unlock: + rcu_read_unlock(); ++out_unlock_ctrl: ++ spin_unlock_irq(&real_tty->ctrl_lock); + return retval; + } + +@@ -511,20 +519,30 @@ static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t + * + * Obtain the session id of the tty. If there is no session + * return an error. +- * +- * Locking: none. Reference to current->signal->tty is safe. + */ + static int tiocgsid(struct tty_struct *tty, struct tty_struct *real_tty, pid_t __user *p) + { ++ unsigned long flags; ++ pid_t sid; ++ + /* + * (tty == real_tty) is a cheap way of + * testing if the tty is NOT a master pty. + */ + if (tty == real_tty && current->signal->tty != real_tty) + return -ENOTTY; ++ ++ spin_lock_irqsave(&real_tty->ctrl_lock, flags); + if (!real_tty->session) +- return -ENOTTY; +- return put_user(pid_vnr(real_tty->session), p); ++ goto err; ++ sid = pid_vnr(real_tty->session); ++ spin_unlock_irqrestore(&real_tty->ctrl_lock, flags); ++ ++ return put_user(sid, p); ++ ++err: ++ spin_unlock_irqrestore(&real_tty->ctrl_lock, flags); ++ return -ENOTTY; + } + + /* +diff --git a/include/linux/tty.h b/include/linux/tty.h +index a99e9b8e4e31..eb33d948788c 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -306,6 +306,10 @@ struct tty_struct { + struct termiox *termiox; /* May be NULL for unsupported */ + char name[64]; + struct pid *pgrp; /* Protected by ctrl lock */ ++ /* ++ * Writes protected by both ctrl lock and legacy mutex, readers must use ++ * at least one of them. ++ */ + struct pid *session; + unsigned long flags; + int count; +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29661/0001-tty-Fix-pgrp-locking-in-tiocspgrp.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29661/0001-tty-Fix-pgrp-locking-in-tiocspgrp.patch new file mode 100644 index 000000000..b41d6a9a1 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-29661/0001-tty-Fix-pgrp-locking-in-tiocspgrp.patch @@ -0,0 +1,46 @@ +From c536ecd4856084604701b95bd7e3fb15f05634bf Mon Sep 17 00:00:00 2001 +From: Jann Horn <jannh@google.com> +Date: Thu, 3 Dec 2020 02:25:04 +0100 +Subject: [PATCH] tty: Fix ->pgrp locking in tiocspgrp() + +commit 54ffccbf053b5b6ca4f6e45094b942fab92a25fc upstream. + +tiocspgrp() takes two tty_struct pointers: One to the tty that userspace +passed to ioctl() (`tty`) and one to the TTY being changed (`real_tty`). +These pointers are different when ioctl() is called with a master fd. + +To properly lock real_tty->pgrp, we must take real_tty->ctrl_lock. + +This bug makes it possible for racing ioctl(TIOCSPGRP, ...) calls on +both sides of a PTY pair to corrupt the refcount of `struct pid`, +leading to use-after-free errors. + +Fixes: 47f86834bbd4 ("redo locking of tty->pgrp") +CC: stable@kernel.org +Signed-off-by: Jann Horn <jannh@google.com> +Reviewed-by: Jiri Slaby <jirislaby@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tty/tty_jobctrl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c +index f8ed50a16848..af508957ff05 100644 +--- a/drivers/tty/tty_jobctrl.c ++++ b/drivers/tty/tty_jobctrl.c +@@ -494,10 +494,10 @@ static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t + if (session_of_pgrp(pgrp) != task_session(current)) + goto out_unlock; + retval = 0; +- spin_lock_irq(&tty->ctrl_lock); ++ spin_lock_irq(&real_tty->ctrl_lock); + put_pid(real_tty->pgrp); + real_tty->pgrp = get_pid(pgrp); +- spin_unlock_irq(&tty->ctrl_lock); ++ spin_unlock_irq(&real_tty->ctrl_lock); + out_unlock: + rcu_read_unlock(); + return retval; +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg index 077b83bac..9c08d590f 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg @@ -88,3 +88,6 @@ CONFIG_USB_EHCI_HCD=n CONFIG_USB_EHCI_ROOT_HUB_TT=n CONFIG_USB_EHCI_HCD_PLATFORM=n CONFIG_IPMB_DEVICE_INTERFACE=y +CONFIG_BPF_SYSCALL=n +CONFIG_IO_URING=n + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend index 908dc0a8d..c2e2343dc 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend @@ -1,5 +1,8 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +LINUX_VERSION="5.4.48" +SRCREV="2b4829edfc1c225c717652153097470529d171db" + do_compile_prepend(){ # device tree compiler flags export DTC_FLAGS=-@ @@ -93,7 +96,9 @@ SRC_URI += " \ file://0123-peci-fix-error-handling-in-peci_dev_ioctl.patch \ file://1001-Igore-0x3FF-in-aspeed_adc-driver.patch \ file://0120-media-aspeed-adjust-irq-enabling-timing-and-resource.patch \ + file://1002-Filter-erroneous-adc-readings.patch \ file://0121-Add-a-WA-to-defer-flash-writes-on-PS_ALERT_N-asserti.patch \ + file://0125-i2c-aspeed-clear-slave-addresses-in-probe.patch \ " # CVE-2020-16166 vulnerability fix @@ -121,5 +126,59 @@ SRC_URI += " \ file://0001-net-packet-fix-overflow-in-tpacket_rcv.patch \ " +# CVE-2020-25705 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-25705:" +SRC_URI += " \ + file://0001-icmp-randomize-the-global-rate-limiter.patch \ + " + +# CVE-2020-15436 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-15436:" +SRC_URI += " \ + file://0001-block-Fix-use-after-free-in-blkdev_get.patch \ + " + +# CVE-2020-29369 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-29369:" +SRC_URI += " \ + file://0001-mm-mmap.c-close-race-between-munmap-and-expand_upwar.patch \ + " + +# CVE-2020-15437 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-15437:" +SRC_URI += " \ + file://0001-serial-8250-fix-null-ptr-deref-in-serial8250_start_t.patch \ + " + +# CVE-2020-25704 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-25704:" +SRC_URI += " \ + file://0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch \ + " + +# CVE-2020-29372 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-29372:" +SRC_URI += " \ + file://0001-mm-check-that-mm-is-still-valid-in-madvise.patch \ + " + +# CVE-2020-14351 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-14351:" +SRC_URI += " \ + file://0001-perf-core-Fix-race-in-the-perf_mmap_close-function.patch \ + " + +# CVE-2020-29661 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-29661:" +SRC_URI += " \ + file://0001-tty-Fix-pgrp-locking-in-tiocspgrp.patch \ + " + +# CVE-2020-29660 vulnerability fix +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/CVE-2020-29660:" +SRC_URI += " \ + file://0001-tty-Fix-session-locking.patch \ + " + SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://0005-128MB-flashmap-for-PFR.patch', '', d)}" SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', 'file://debug.cfg', '', d)}" |