diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux')
15 files changed, 1464 insertions, 1 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0002-gpio-gpio-aspeed-sgpio-Fix-wrong-hwirq-base-in-irq-h.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0002-gpio-gpio-aspeed-sgpio-Fix-wrong-hwirq-base-in-irq-h.patch new file mode 100644 index 000000000..5109211df --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0002-gpio-gpio-aspeed-sgpio-Fix-wrong-hwirq-base-in-irq-h.patch @@ -0,0 +1,33 @@ +From 4e5ae852c4ab46c684d71d04c30dbfd01fbccae0 Mon Sep 17 00:00:00 2001 +From: Steven Lee <steven_lee@aspeedtech.com> +Date: Tue, 14 Dec 2021 12:02:38 +0800 +Subject: [PATCH] gpio: gpio-aspeed-sgpio: Fix wrong hwirq base in irq handler + +Each aspeed sgpio bank has 64 gpio pins(32 input pins and 32 output pins). +The hwirq base for each sgpio bank should be multiples of 64 rather than +multiples of 32. + +Signed-off-by: Steven Lee <steven_lee@aspeedtech.com> +Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl> +(cherry picked from commit e5a7431f5a2d6dcff7d516ee9d178a3254b17b87) +Signed-off-by: Sujoy Ray <sujoy.ray@intel.com> +--- + drivers/gpio/gpio-aspeed-sgpio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-aspeed-sgpio.c b/drivers/gpio/gpio-aspeed-sgpio.c +index 931d5c38d7de..454cefbeecf0 100644 +--- a/drivers/gpio/gpio-aspeed-sgpio.c ++++ b/drivers/gpio/gpio-aspeed-sgpio.c +@@ -395,7 +395,7 @@ static void aspeed_sgpio_irq_handler(struct irq_desc *desc) + reg = ioread32(bank_reg(data, bank, reg_irq_status)); + + for_each_set_bit(p, ®, 32) +- generic_handle_domain_irq(gc->irq.domain, i * 32 + p * 2); ++ generic_handle_domain_irq(gc->irq.domain, (i * 32 + p) * 2); + } + + chained_irq_exit(ic, desc); +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0003-Add-mux-deselect-support-on-timeout.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0003-Add-mux-deselect-support-on-timeout.patch new file mode 100644 index 000000000..0248d55ff --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0003-Add-mux-deselect-support-on-timeout.patch @@ -0,0 +1,95 @@ +From 51374967e9c5be8b0bfa093d7c62e7093f1eff94 Mon Sep 17 00:00:00 2001 +From: "Arun P. Mohanan" <arun.p.m@linux.intel.com> +Date: Wed, 27 Apr 2022 10:16:47 +0530 +Subject: [PATCH] i2c: mux: Add mux deselect support on timeout + +Add support to deselect the mux when there is a timeout. +The mux idle_state settings will be configured on startup. In case of +MCTP it is MUX_IDLE_DISCONNECT. But when there is a timeout, mux ends +up in connected position and the devices behind the mux will appear under +different muxes connected to the same bus. This change fix the same. + +Signed-off-by: Arun P. Mohanan <arun.p.m@linux.intel.com> +--- + drivers/i2c/i2c-mux.c | 15 ++++++++++----- + include/linux/i2c-mux.h | 1 + + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/i2c/i2c-mux.c b/drivers/i2c/i2c-mux.c +index ce3c3ad3f129..abdfd7513df2 100644 +--- a/drivers/i2c/i2c-mux.c ++++ b/drivers/i2c/i2c-mux.c +@@ -36,9 +36,11 @@ struct i2c_mux_priv { + u32 chan_id; + }; + +-static void i2c_mux_hold(struct i2c_mux_core *muxc, unsigned long timeout) ++static void i2c_mux_hold(struct i2c_mux_core *muxc, u32 chan_id, ++ unsigned long timeout) + { + mutex_lock(&muxc->hold_lock); ++ muxc->holder_chan_id = chan_id; + schedule_delayed_work(&muxc->unhold_work, timeout); + } + +@@ -54,6 +56,9 @@ static void i2c_mux_unhold_work(struct work_struct *work) + struct i2c_mux_core *muxc = container_of(dwork, struct i2c_mux_core, + unhold_work); + ++ if (muxc->deselect) ++ muxc->deselect(muxc, muxc->holder_chan_id); ++ + mutex_unlock(&muxc->hold_lock); + } + +@@ -74,7 +79,7 @@ static int __i2c_mux_master_xfer(struct i2c_adapter *adap, + (u16 *)msgs[num - 1].buf); + if (hold_msg == I2C_HOLD_MSG_SET) { + timeout = msecs_to_jiffies(*(u16 *)msgs[num - 1].buf); +- i2c_mux_hold(muxc, timeout); ++ i2c_mux_hold(muxc, priv->chan_id, timeout); + } else if (hold_msg == I2C_HOLD_MSG_NONE) { + mutex_lock(&muxc->hold_lock); + } +@@ -112,7 +117,7 @@ static int i2c_mux_master_xfer(struct i2c_adapter *adap, + (u16 *)msgs[num - 1].buf); + if (hold_msg == I2C_HOLD_MSG_SET) { + timeout = msecs_to_jiffies(*(u16 *)msgs[num - 1].buf); +- i2c_mux_hold(muxc, timeout); ++ i2c_mux_hold(muxc, priv->chan_id, timeout); + } else if (hold_msg == I2C_HOLD_MSG_NONE) { + mutex_lock(&muxc->hold_lock); + } +@@ -150,7 +155,7 @@ static int __i2c_mux_smbus_xfer(struct i2c_adapter *adap, + &data->word); + if (hold_msg == I2C_HOLD_MSG_SET) { + timeout = msecs_to_jiffies(data->word); +- i2c_mux_hold(muxc, timeout); ++ i2c_mux_hold(muxc, priv->chan_id, timeout); + } else if (hold_msg == I2C_HOLD_MSG_NONE) { + mutex_lock(&muxc->hold_lock); + } +@@ -189,7 +194,7 @@ static int i2c_mux_smbus_xfer(struct i2c_adapter *adap, + &data->word); + if (hold_msg == I2C_HOLD_MSG_SET) { + timeout = msecs_to_jiffies(data->word); +- i2c_mux_hold(muxc, timeout); ++ i2c_mux_hold(muxc, priv->chan_id, timeout); + } else if (hold_msg == I2C_HOLD_MSG_NONE) { + mutex_lock(&muxc->hold_lock); + } +diff --git a/include/linux/i2c-mux.h b/include/linux/i2c-mux.h +index 43c40680d8c5..3d2586062ccc 100644 +--- a/include/linux/i2c-mux.h ++++ b/include/linux/i2c-mux.h +@@ -29,6 +29,7 @@ struct i2c_mux_core { + int (*deselect)(struct i2c_mux_core *, u32 chan_id); + + struct mutex hold_lock; /* mutex for channel holding */ ++ u32 holder_chan_id; + struct delayed_work unhold_work; + + int num_adapters; +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-22600.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-22600.patch new file mode 100644 index 000000000..6897998d9 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-22600.patch @@ -0,0 +1,41 @@ +From ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn <willemb@google.com> +Date: Wed, 15 Dec 2021 09:39:37 -0500 +Subject: net/packet: rx_owner_map depends on pg_vec + +Packet sockets may switch ring versions. Avoid misinterpreting state +between versions, whose fields share a union. rx_owner_map is only +allocated with a packet ring (pg_vec) and both are swapped together. +If pg_vec is NULL, meaning no packet ring was allocated, then neither +was rx_owner_map. And the field may be old state from a tpacket_v3. + +Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") +Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +--- + net/packet/af_packet.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 46943a18a10d5..76c2dca7f0a59 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + } + + out_free_pg_vec: +- bitmap_free(rx_owner_map); +- if (pg_vec) ++ if (pg_vec) { ++ bitmap_free(rx_owner_map); + free_pg_vec(pg_vec, order, req->tp_block_nr); ++ } + out: + return err; + } +-- +cgit 1.2.3-1.el7 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-001.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-001.patch new file mode 100644 index 000000000..065861699 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-001.patch @@ -0,0 +1,146 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: <linux-kernel-owner@kernel.org> +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 2746BC433F5 + for <linux-kernel@archiver.kernel.org>; Thu, 9 Dec 2021 21:47:21 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S232085AbhLIVuw (ORCPT <rfc822;linux-kernel@archiver.kernel.org>); + Thu, 9 Dec 2021 16:50:52 -0500 +Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54404 "EHLO + lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S231216AbhLIVut (ORCPT + <rfc822;linux-kernel@vger.kernel.org>); + Thu, 9 Dec 2021 16:50:49 -0500 +Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) + by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15ABAC061746 + for <linux-kernel@vger.kernel.org>; Thu, 9 Dec 2021 13:47:16 -0800 (PST) +Received: by mail-pl1-x636.google.com with SMTP id u11so4909590plf.3 + for <linux-kernel@vger.kernel.org>; Thu, 09 Dec 2021 13:47:16 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20210112; + h=sender:from:to:cc:subject:date:message-id:in-reply-to:references + :mime-version:content-transfer-encoding; + bh=a8swiEXoojgR8fMVEpmKtUWFtMz5ImAG/VTZz39Zgtg=; + b=iK06xmgZWH845WJbjlaSUNXX2witJGET/NOunc7vcXITqaQ+J0OYBlbsrVZWqXmNpq + 1ZkdS89uhl9wPRwln+nGOF3CDgn2rOlIZHy5q1hYCjPeXIRqSUNk66eYbMP9k/CE9ofE + 4Bq4HI5Zj9L3TaxJgIf5/fGE4YPT74ZH3DlBwA0YH1Mdmxl6bb+jmHmsOxvH8pNxJK2U + Am31x8dqOy61eJi8NizKPzwK6/hjeE+hdG5m1Nmnk5DWCfUUnOtRBxQrB5e0Hbo6JCPQ + kMKE3uw5v51EwhqYJNYnL//1RO98imhrjATlvuqHU0d4v4a1XKlWxqUx16iTYCvsosnF + Mo7g== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20210112; + h=x-gm-message-state:sender:from:to:cc:subject:date:message-id + :in-reply-to:references:mime-version:content-transfer-encoding; + bh=a8swiEXoojgR8fMVEpmKtUWFtMz5ImAG/VTZz39Zgtg=; + b=X87PriTxCChj/TkUhDJr4aE+PHQusR2F4ehhhro6BdZc5SYUMwHjWUuCSK1tY1BEd7 + GEtuuXtKD9Db1y31IHETMUDBRRQny9Bq+8CoZXeFfl8e4QU+kXToVAnnqHrTCQ2ixDIO + HvXo4+VYI0Pw2Xa0bBM73tTCOG6eD1vmsgzxHqD8OrvgJjwI+17qwUO+OHj8VDBTkCCK + 4RVwKbKbdUXavEkciY+gosUlmFzgA7H7cr259iTbG+HBuR2UKxpGted3TTLX873mLsbr + lIjyLjYxMaH5sJyj3cb18H5JWn1ib9XEtL7iGv8ihZQLHat2kLIepfnH+EdLIiEZ/5ul + Rc+g== +X-Gm-Message-State: AOAM530B/Jym56zUeVEmuQkH/0YbXn40Om9sSgzLwWEWqda400Am/sDL + kt7aQzHmCCChtT5uZ2factg= +X-Google-Smtp-Source: ABdhPJx+0LW9W6RtSgFd704deVCu5AmHhWzYPMKR8HLuTdkfp5ILPOsf/i/FyG1u0yQsz5MqjeYppg== +X-Received: by 2002:a17:90b:1c81:: with SMTP id oo1mr19350534pjb.137.1639086435505; + Thu, 09 Dec 2021 13:47:15 -0800 (PST) +Received: from localhost (2603-800c-1a02-1bae-e24f-43ff-fee6-449f.res6.spectrum.com. [2603:800c:1a02:1bae:e24f:43ff:fee6:449f]) + by smtp.gmail.com with ESMTPSA id h5sm673182pfc.113.2021.12.09.13.47.14 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Thu, 09 Dec 2021 13:47:15 -0800 (PST) +Sender: Tejun Heo <htejun@gmail.com> +From: Tejun Heo <tj@kernel.org> +To: torvalds@linuxfoundation.org, ebiederm@xmission.com, + mkoutny@suse.com, axboe@kernel.dk, keescook@chromium.org, + oleg@redhat.com, peterz@infradead.org, tglx@linutronix.de, + jnewsome@torproject.org, legion@kernel.org, luto@amacapital.net, + jannh@google.com +Cc: linux-kernel@vger.kernel.org, security@kernel.org, + kernel-team@fb.com, Tejun Heo <tj@kernel.org> +Subject: [PATCH 1/6] cgroup: Use open-time credentials for process migraton perm checks +Date: Thu, 9 Dec 2021 11:47:02 -1000 +Message-Id: <20211209214707.805617-2-tj@kernel.org> +X-Mailer: git-send-email 2.34.1 +In-Reply-To: <20211209214707.805617-1-tj@kernel.org> +References: <20211209214707.805617-1-tj@kernel.org> +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Precedence: bulk +List-ID: <linux-kernel.vger.kernel.org> +X-Mailing-List: linux-kernel@vger.kernel.org + +cgroup process migration permission checks are performed at write time as +whether a given operation is allowed or not is dependent on the content of +the write - the PID. This currently uses current's credentials which is a +potential security weakness as it may allow scenarios where a less +privileged process tricks a more privileged one into writing into a fd that +it created. + +This patch makes both cgroup2 and cgroup1 process migration interfaces to +use the credentials saved at the time of open (file->f_cred) instead of +current's. + +Signed-off-by: Tejun Heo <tj@kernel.org> +Reported-by: "Eric W. Biederman" <ebiederm@xmission.com> +Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org> +Cc: Michal Koutný <mkoutny@suse.com> +--- + kernel/cgroup/cgroup-v1.c | 7 ++++--- + kernel/cgroup/cgroup.c | 9 ++++++++- + 2 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c +index 81c9e0685948..0e7369103ba6 100644 +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -504,10 +504,11 @@ static ssize_t __cgroup1_procs_write(struct kernfs_open_file *of, + goto out_unlock; + + /* +- * Even if we're attaching all tasks in the thread group, we only +- * need to check permissions on one of them. ++ * Even if we're attaching all tasks in the thread group, we only need ++ * to check permissions on one of them. Check permissions using the ++ * credentials from file open to protect against inherited fd attacks. + */ +- cred = current_cred(); ++ cred = of->file->f_cred; + tcred = get_task_cred(task); + if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) && + !uid_eq(cred->euid, tcred->uid) && +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 919194de39c8..2632e46da1d4 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -4892,6 +4892,7 @@ static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf, + { + struct cgroup *src_cgrp, *dst_cgrp; + struct task_struct *task; ++ const struct cred *saved_cred; + ssize_t ret; + bool locked; + +@@ -4909,9 +4910,15 @@ static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf, + src_cgrp = task_cgroup_from_root(task, &cgrp_dfl_root); + spin_unlock_irq(&css_set_lock); + +- /* process and thread migrations follow same delegation rule */ ++ /* ++ * Process and thread migrations follow same delegation rule. Check ++ * permissions using the credentials from file open to protect against ++ * inherited fd attacks. ++ */ ++ saved_cred = override_creds(of->file->f_cred); + ret = cgroup_attach_permissions(src_cgrp, dst_cgrp, + of->file->f_path.dentry->d_sb, threadgroup); ++ revert_creds(saved_cred); + if (ret) + goto out_finish; + +-- +2.34.1 + + + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-002.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-002.patch new file mode 100644 index 000000000..afa5d75dc --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-002.patch @@ -0,0 +1,234 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: <linux-kernel-owner@kernel.org> +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) + by smtp.lore.kernel.org (Postfix) with ESMTP id A3D2FC433F5 + for <linux-kernel@archiver.kernel.org>; Thu, 9 Dec 2021 21:47:23 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S232241AbhLIVu4 (ORCPT <rfc822;linux-kernel@archiver.kernel.org>); + Thu, 9 Dec 2021 16:50:56 -0500 +Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54408 "EHLO + lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S232095AbhLIVuv (ORCPT + <rfc822;linux-kernel@vger.kernel.org>); + Thu, 9 Dec 2021 16:50:51 -0500 +Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) + by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E3818C0617A1 + for <linux-kernel@vger.kernel.org>; Thu, 9 Dec 2021 13:47:17 -0800 (PST) +Received: by mail-pf1-x436.google.com with SMTP id k26so6616237pfp.10 + for <linux-kernel@vger.kernel.org>; Thu, 09 Dec 2021 13:47:17 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20210112; + h=sender:from:to:cc:subject:date:message-id:in-reply-to:references + :mime-version:content-transfer-encoding; + bh=22UN/WZfz3+QYellK/yP53GLUSfFKJJ2R3F2tAgAET8=; + b=crlPZVYNT73j5kM8EcWEaWtWHdf132nCoHr9bHqpRMOsXF6Tbyn6sCi+bH/WLX/04M + hmOzvTEigEvwqsv/WgDLTnRhMpSgRvm9ewWUI9TDgYP8A3UP2G6Xj80jdt2qYMxJFm7e + 2NE0lc/MxGejNYvOIyonGtOOeJSq94vsLBkhaQfkvp9pWTS+qcxGS2rXiEsSqKYHj0/q + NrZ9Aik0soSXMvwrfc8PwQi8hpeyXkwocPf5zSbYCv+gU2kckT61xqdohuyOogLYA6c7 + gqCxYsOQ+aG2LfQsGnf6N+l8OisU2/FNLyKcqAUFGdpYuOOLzt2AwrK7EaCu3IROSejk + NngQ== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20210112; + h=x-gm-message-state:sender:from:to:cc:subject:date:message-id + :in-reply-to:references:mime-version:content-transfer-encoding; + bh=22UN/WZfz3+QYellK/yP53GLUSfFKJJ2R3F2tAgAET8=; + b=MpoYTlLkkOA7YDQMm1M/rxR4LjUNfnLJYNsIeotlztd3ukdc9/AXWpGrQcHsdenRhy + oy8sLRD12FWLK+krGYxyYhFqICYWvmbuPHFdrXzwD9ahvyuSw+bX2HvJKDRzdyf8Dh2w + WQT1UAPTc1RZBUh162t0df4zc//YX4x8WcrQhR+0IxJKo8B9ppAIJx/jsvGScd7S2djW + 8Wb+pMDt/T+/m80Q4XYS+beGQvJmN/lbrvI3d5QIiyIBJmBzGeyBnpjHBdFLMq+nlHNL + K2JO9UWZuy2WdT3WPqPc255QpKKJd/zD4zYZHbUe0EPS43dNC6G0pNvskSKQEgtY1NAP + 3zog== +X-Gm-Message-State: AOAM532QYv3rmIs4gLNSmAuScYZKJ3W8ir7h2ivU8RrjE6JNltIf0gNw + +T1Axm3vZZOT4PLYH5sfpss= +X-Google-Smtp-Source: ABdhPJzx0JxIsxMlhk/9r19Od8fyJzNtci3c4nOm3wCVXBhPyh+d2N/zpOeq1+rslnsz0H27YHYyIA== +X-Received: by 2002:a63:6cc8:: with SMTP id h191mr36732362pgc.76.1639086437332; + Thu, 09 Dec 2021 13:47:17 -0800 (PST) +Received: from localhost (2603-800c-1a02-1bae-e24f-43ff-fee6-449f.res6.spectrum.com. [2603:800c:1a02:1bae:e24f:43ff:fee6:449f]) + by smtp.gmail.com with ESMTPSA id rm1sm10646953pjb.3.2021.12.09.13.47.16 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Thu, 09 Dec 2021 13:47:16 -0800 (PST) +Sender: Tejun Heo <htejun@gmail.com> +From: Tejun Heo <tj@kernel.org> +To: torvalds@linuxfoundation.org, ebiederm@xmission.com, + mkoutny@suse.com, axboe@kernel.dk, keescook@chromium.org, + oleg@redhat.com, peterz@infradead.org, tglx@linutronix.de, + jnewsome@torproject.org, legion@kernel.org, luto@amacapital.net, + jannh@google.com +Cc: linux-kernel@vger.kernel.org, security@kernel.org, + kernel-team@fb.com, Tejun Heo <tj@kernel.org> +Subject: [PATCH 2/6] cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv +Date: Thu, 9 Dec 2021 11:47:03 -1000 +Message-Id: <20211209214707.805617-3-tj@kernel.org> +X-Mailer: git-send-email 2.34.1 +In-Reply-To: <20211209214707.805617-1-tj@kernel.org> +References: <20211209214707.805617-1-tj@kernel.org> +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Precedence: bulk +List-ID: <linux-kernel.vger.kernel.org> +X-Mailing-List: linux-kernel@vger.kernel.org + +of->priv is currently used by each interface file implementation to store +private information. This patch collects the current two private data usages +into struct cgroup_file_ctx which is allocated and freed by the common path. +This allows generic private data which applies to multiple files, which will +be used to in the following patch. + +Signed-off-by: Tejun Heo <tj@kernel.org> +--- + kernel/cgroup/cgroup-internal.h | 12 +++++++++ + kernel/cgroup/cgroup.c | 47 ++++++++++++++++++++++++--------- + 2 files changed, 46 insertions(+), 13 deletions(-) + +diff --git a/kernel/cgroup/cgroup-internal.h b/kernel/cgroup/cgroup-internal.h +index bfbeabc17a9d..8f681f14828c 100644 +--- a/kernel/cgroup/cgroup-internal.h ++++ b/kernel/cgroup/cgroup-internal.h +@@ -65,6 +65,18 @@ static inline struct cgroup_fs_context *cgroup_fc2context(struct fs_context *fc) + return container_of(kfc, struct cgroup_fs_context, kfc); + } + ++struct cgroup_file_ctx { ++ union { ++ struct { ++ struct css_task_iter *it; ++ } procs; ++ ++ struct { ++ void *trigger; ++ } psi; ++ }; ++}; ++ + /* + * A cgroup can be associated with multiple css_sets as different tasks may + * belong to different cgroups on different hierarchies. In the other +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 2632e46da1d4..2992eb7e8244 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3630,6 +3630,7 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v) + static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf, + size_t nbytes, enum psi_res res) + { ++ struct cgroup_file_ctx *ctx = of->priv; + struct psi_trigger *new; + struct cgroup *cgrp; + struct psi_group *psi; +@@ -3648,7 +3649,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf, + return PTR_ERR(new); + } + +- psi_trigger_replace(&of->priv, new); ++ psi_trigger_replace(&ctx->psi.trigger, new); + + cgroup_put(cgrp); + +@@ -3679,12 +3680,16 @@ static ssize_t cgroup_cpu_pressure_write(struct kernfs_open_file *of, + static __poll_t cgroup_pressure_poll(struct kernfs_open_file *of, + poll_table *pt) + { +- return psi_trigger_poll(&of->priv, of->file, pt); ++ struct cgroup_file_ctx *ctx = of->priv; ++ ++ return psi_trigger_poll(&ctx->psi.trigger, of->file, pt); + } + + static void cgroup_pressure_release(struct kernfs_open_file *of) + { +- psi_trigger_replace(&of->priv, NULL); ++ struct cgroup_file_ctx *ctx = of->priv; ++ ++ psi_trigger_replace(&ctx->psi.trigger, NULL); + } + + bool cgroup_psi_enabled(void) +@@ -3811,18 +3816,31 @@ static ssize_t cgroup_kill_write(struct kernfs_open_file *of, char *buf, + static int cgroup_file_open(struct kernfs_open_file *of) + { + struct cftype *cft = of_cft(of); ++ struct cgroup_file_ctx *ctx; ++ int ret; + +- if (cft->open) +- return cft->open(of); +- return 0; ++ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); ++ if (!ctx) ++ return -ENOMEM; ++ of->priv = ctx; ++ ++ if (!cft->open) ++ return 0; ++ ++ ret = cft->open(of); ++ if (ret) ++ kfree(ctx); ++ return ret; + } + + static void cgroup_file_release(struct kernfs_open_file *of) + { + struct cftype *cft = of_cft(of); ++ struct cgroup_file_ctx *ctx = of->priv; + + if (cft->release) + cft->release(of); ++ kfree(ctx); + } + + static ssize_t cgroup_file_write(struct kernfs_open_file *of, char *buf, +@@ -4751,21 +4769,23 @@ void css_task_iter_end(struct css_task_iter *it) + + static void cgroup_procs_release(struct kernfs_open_file *of) + { +- if (of->priv) { +- css_task_iter_end(of->priv); +- kfree(of->priv); ++ struct cgroup_file_ctx *ctx = of->priv; ++ ++ if (ctx->procs.it) { ++ css_task_iter_end(ctx->procs.it); ++ kfree(ctx->procs.it); + } + } + + static void *cgroup_procs_next(struct seq_file *s, void *v, loff_t *pos) + { + struct kernfs_open_file *of = s->private; +- struct css_task_iter *it = of->priv; ++ struct cgroup_file_ctx *ctx = of->priv; + + if (pos) + (*pos)++; + +- return css_task_iter_next(it); ++ return css_task_iter_next(ctx->procs.it); + } + + static void *__cgroup_procs_start(struct seq_file *s, loff_t *pos, +@@ -4773,7 +4793,8 @@ static void *__cgroup_procs_start(struct seq_file *s, loff_t *pos, + { + struct kernfs_open_file *of = s->private; + struct cgroup *cgrp = seq_css(s)->cgroup; +- struct css_task_iter *it = of->priv; ++ struct cgroup_file_ctx *ctx = of->priv; ++ struct css_task_iter *it = ctx->procs.it; + + /* + * When a seq_file is seeked, it's always traversed sequentially +@@ -4786,7 +4807,7 @@ static void *__cgroup_procs_start(struct seq_file *s, loff_t *pos, + it = kzalloc(sizeof(*it), GFP_KERNEL); + if (!it) + return ERR_PTR(-ENOMEM); +- of->priv = it; ++ ctx->procs.it = it; + css_task_iter_start(&cgrp->self, iter_flags, it); + } else if (!(*pos)) { + css_task_iter_end(it); +-- +2.34.1 + + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-003.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-003.patch new file mode 100644 index 000000000..424b43e8d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-003.patch @@ -0,0 +1,215 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: <linux-kernel-owner@kernel.org> +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 5D6FEC433EF + for <linux-kernel@archiver.kernel.org>; Thu, 9 Dec 2021 21:47:30 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S232858AbhLIVvA (ORCPT <rfc822;linux-kernel@archiver.kernel.org>); + Thu, 9 Dec 2021 16:51:00 -0500 +Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54424 "EHLO + lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S232209AbhLIVux (ORCPT + <rfc822;linux-kernel@vger.kernel.org>); + Thu, 9 Dec 2021 16:50:53 -0500 +Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) + by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B3DD9C061746 + for <linux-kernel@vger.kernel.org>; Thu, 9 Dec 2021 13:47:19 -0800 (PST) +Received: by mail-pf1-x42a.google.com with SMTP id 8so6655245pfo.4 + for <linux-kernel@vger.kernel.org>; Thu, 09 Dec 2021 13:47:19 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20210112; + h=sender:from:to:cc:subject:date:message-id:in-reply-to:references + :mime-version:content-transfer-encoding; + bh=ceDq7F+M2EGXPTD9tNvmIZrgG0K6W+WW/I/LWWjhs78=; + b=WHvq8+W2CMnCUcsgl0Pvwlcttyl4c03Dv8EUkb4wDsrDWJAa51hDRypQXI7JGRyTKg + IMgPu45MPjyqitqII6ACZPy4bz3uYsK14VlZgDC1XLlraCyXsbxaJIpQYFFmIrOpx088 + aqNw04d8ncgifEYbJXkgpy4O9NROAkqIG9unUF1OvDr3NZiLISlBeO7hW5Pt+GoHgpdp + Yh1jWCKjaVI7C4MR6xVuEayXP7KYV+I+iQvKZeu5vHHfLxJlcviXUHTQt+YcdP5iTYZF + 82UC2BqisfXYZBK0iSUtI+DwkBztN252y+m0k8yhvvku38Gs6zvH6qNifOzXT4GQg0c9 + X3og== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20210112; + h=x-gm-message-state:sender:from:to:cc:subject:date:message-id + :in-reply-to:references:mime-version:content-transfer-encoding; + bh=ceDq7F+M2EGXPTD9tNvmIZrgG0K6W+WW/I/LWWjhs78=; + b=LYEcq9Y7kBVgUrlYRr1olI0fjQ9Kdr/lCTG//q/ZpIxjw1bwQ384WonyRCpqupfoQg + rPT2ommx9bb5lsIGGUvsnD2F0dxVBfJOb0D5TBd8YVnmzfwtsnhIOMwvXFBA9uExcfnC + Ufyy7i0USVBAwBizTiVo1+f4ZyV/z8Up7y/8Ym0Rn26TtjDLg37rwHlZP9BG1Eko+Cc+ + XMvyjTDmxR3RHgVkd3ImE5V4BITtmrd9UYEoc53Jh98pCO8esKUG/pxYLA8TczaMIZhX + cdJ+r5Kt2NhTUfJfY5gDa/Q/L5IpH1598MP3qS3JElZVhih6JWuHbupg07GQAYb8Xg6m + sCDQ== +X-Gm-Message-State: AOAM531Qjg/ui9GkWGbTS4yOpaOES1MCUOCp5fqU2CfYFKOcksNAp0LR + vZZhIGBJSDiCxYKqbwo9MtdoLw4eHbs= +X-Google-Smtp-Source: ABdhPJzWk+vi1e4wW7FZgqRviTv2hPqDTvU4iydpc8M8DrZ4RigY81P1ATgqKdyl3z0qYs9FlfOkLA== +X-Received: by 2002:a62:dd54:0:b0:4a2:93f7:c20a with SMTP id w81-20020a62dd54000000b004a293f7c20amr13508057pff.46.1639086439084; + Thu, 09 Dec 2021 13:47:19 -0800 (PST) +Received: from localhost (2603-800c-1a02-1bae-e24f-43ff-fee6-449f.res6.spectrum.com. [2603:800c:1a02:1bae:e24f:43ff:fee6:449f]) + by smtp.gmail.com with ESMTPSA id o134sm605138pfg.1.2021.12.09.13.47.18 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Thu, 09 Dec 2021 13:47:18 -0800 (PST) +Sender: Tejun Heo <htejun@gmail.com> +From: Tejun Heo <tj@kernel.org> +To: torvalds@linuxfoundation.org, ebiederm@xmission.com, + mkoutny@suse.com, axboe@kernel.dk, keescook@chromium.org, + oleg@redhat.com, peterz@infradead.org, tglx@linutronix.de, + jnewsome@torproject.org, legion@kernel.org, luto@amacapital.net, + jannh@google.com +Cc: linux-kernel@vger.kernel.org, security@kernel.org, + kernel-team@fb.com, Tejun Heo <tj@kernel.org> +Subject: [PATCH 3/6] cgroup: Use open-time cgroup namespace for process migration perm checks +Date: Thu, 9 Dec 2021 11:47:04 -1000 +Message-Id: <20211209214707.805617-4-tj@kernel.org> +X-Mailer: git-send-email 2.34.1 +In-Reply-To: <20211209214707.805617-1-tj@kernel.org> +References: <20211209214707.805617-1-tj@kernel.org> +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Precedence: bulk +List-ID: <linux-kernel.vger.kernel.org> +X-Mailing-List: linux-kernel@vger.kernel.org + +cgroup process migration permission checks are performed at write time as +whether a given operation is allowed or not is dependent on the content of +the write - the PID. This currently uses current's cgroup namespace which is +a potential security weakness as it may allow scenarios where a less +privileged process tricks a more privileged one into writing into a fd that +it created. + +This patch makes cgroup remember the cgroup namespace at the time of open +and uses it for migration permission checks instad of current's. Note that +this only applies to cgroup2 as cgroup1 doesn't have namespace support. + +Signed-off-by: Tejun Heo <tj@kernel.org> +Reported-by: "Eric W. Biederman" <ebiederm@xmission.com> +Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org> +Cc: Michal Koutný <mkoutny@suse.com> +--- + kernel/cgroup/cgroup-internal.h | 2 ++ + kernel/cgroup/cgroup.c | 28 +++++++++++++++++++--------- + 2 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/kernel/cgroup/cgroup-internal.h b/kernel/cgroup/cgroup-internal.h +index 8f681f14828c..eb0585245b07 100644 +--- a/kernel/cgroup/cgroup-internal.h ++++ b/kernel/cgroup/cgroup-internal.h +@@ -66,6 +66,8 @@ static inline struct cgroup_fs_context *cgroup_fc2context(struct fs_context *fc) + } + + struct cgroup_file_ctx { ++ struct cgroup_namespace *ns; ++ + union { + struct { + struct css_task_iter *it; +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 2992eb7e8244..a3292558e96c 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3822,14 +3822,19 @@ static int cgroup_file_open(struct kernfs_open_file *of) + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) + return -ENOMEM; ++ ++ ctx->ns = current->nsproxy->cgroup_ns; ++ get_cgroup_ns(ctx->ns); + of->priv = ctx; + + if (!cft->open) + return 0; + + ret = cft->open(of); +- if (ret) ++ if (ret) { ++ put_cgroup_ns(ctx->ns); + kfree(ctx); ++ } + return ret; + } + +@@ -3840,13 +3845,14 @@ static void cgroup_file_release(struct kernfs_open_file *of) + + if (cft->release) + cft->release(of); ++ put_cgroup_ns(ctx->ns); + kfree(ctx); + } + + static ssize_t cgroup_file_write(struct kernfs_open_file *of, char *buf, + size_t nbytes, loff_t off) + { +- struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; ++ struct cgroup_file_ctx *ctx = of->priv; + struct cgroup *cgrp = of->kn->parent->priv; + struct cftype *cft = of_cft(of); + struct cgroup_subsys_state *css; +@@ -3863,7 +3869,7 @@ static ssize_t cgroup_file_write(struct kernfs_open_file *of, char *buf, + */ + if ((cgrp->root->flags & CGRP_ROOT_NS_DELEGATE) && + !(cft->flags & CFTYPE_NS_DELEGATABLE) && +- ns != &init_cgroup_ns && ns->root_cset->dfl_cgrp == cgrp) ++ ctx->ns != &init_cgroup_ns && ctx->ns->root_cset->dfl_cgrp == cgrp) + return -EPERM; + + if (cft->write) +@@ -4859,9 +4865,9 @@ static int cgroup_may_write(const struct cgroup *cgrp, struct super_block *sb) + + static int cgroup_procs_write_permission(struct cgroup *src_cgrp, + struct cgroup *dst_cgrp, +- struct super_block *sb) ++ struct super_block *sb, ++ struct cgroup_namespace *ns) + { +- struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; + struct cgroup *com_cgrp = src_cgrp; + int ret; + +@@ -4890,11 +4896,12 @@ static int cgroup_procs_write_permission(struct cgroup *src_cgrp, + + static int cgroup_attach_permissions(struct cgroup *src_cgrp, + struct cgroup *dst_cgrp, +- struct super_block *sb, bool threadgroup) ++ struct super_block *sb, bool threadgroup, ++ struct cgroup_namespace *ns) + { + int ret = 0; + +- ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb); ++ ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb, ns); + if (ret) + return ret; + +@@ -4911,6 +4918,7 @@ static int cgroup_attach_permissions(struct cgroup *src_cgrp, + static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf, + bool threadgroup) + { ++ struct cgroup_file_ctx *ctx = of->priv; + struct cgroup *src_cgrp, *dst_cgrp; + struct task_struct *task; + const struct cred *saved_cred; +@@ -4938,7 +4946,8 @@ static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf, + */ + saved_cred = override_creds(of->file->f_cred); + ret = cgroup_attach_permissions(src_cgrp, dst_cgrp, +- of->file->f_path.dentry->d_sb, threadgroup); ++ of->file->f_path.dentry->d_sb, ++ threadgroup, ctx->ns); + revert_creds(saved_cred); + if (ret) + goto out_finish; +@@ -6158,7 +6167,8 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs) + goto err; + + ret = cgroup_attach_permissions(cset->dfl_cgrp, dst_cgrp, sb, +- !(kargs->flags & CLONE_THREAD)); ++ !(kargs->flags & CLONE_THREAD), ++ current->nsproxy->cgroup_ns); + if (ret) + goto err; + +-- +2.34.1 + + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-44733.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-44733.patch new file mode 100644 index 000000000..a4f8b4d26 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-44733.patch @@ -0,0 +1,339 @@ +From 492eb7afe858d60408b2da09adc78540c4d16543 Mon Sep 17 00:00:00 2001 +From: Jens Wiklander <jens.wiklander@linaro.org> +Date: Thu, 9 Dec 2021 15:59:37 +0100 +Subject: [PATCH] tee: handle lookup of shm with reference count 0 + +commit dfd0743f1d9ea76931510ed150334d571fbab49d upstream. + +Since the tee subsystem does not keep a strong reference to its idle +shared memory buffers, it races with other threads that try to destroy a +shared memory through a close of its dma-buf fd or by unmapping the +memory. + +In tee_shm_get_from_id() when a lookup in teedev->idr has been +successful, it is possible that the tee_shm is in the dma-buf teardown +path, but that path is blocked by the teedev mutex. Since we don't have +an API to tell if the tee_shm is in the dma-buf teardown path or not we +must find another way of detecting this condition. + +Fix this by doing the reference counting directly on the tee_shm using a +new refcount_t refcount field. dma-buf is replaced by using +anon_inode_getfd() instead, this separates the life-cycle of the +underlying file from the tee_shm. tee_shm_put() is updated to hold the +mutex when decreasing the refcount to 0 and then remove the tee_shm from +teedev->idr before releasing the mutex. This means that the tee_shm can +never be found unless it has a refcount larger than 0. + +Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Reviewed-by: Lars Persson <larper@axis.com> +Reviewed-by: Sumit Garg <sumit.garg@linaro.org> +Reported-by: Patrik Lantz <patrik.lantz@axis.com> +Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tee/tee_shm.c | 171 ++++++++++++++++------------------------ + include/linux/tee_drv.h | 4 +- + 2 files changed, 68 insertions(+), 107 deletions(-) + +diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c +index 8a9384a64f3e29..499fccba3d74bd 100644 +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -1,11 +1,11 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2015-2016, Linaro Limited ++ * Copyright (c) 2015-2017, 2019-2021 Linaro Limited + */ ++#include <linux/anon_inodes.h> + #include <linux/device.h> +-#include <linux/dma-buf.h> +-#include <linux/fdtable.h> + #include <linux/idr.h> ++#include <linux/mm.h> + #include <linux/sched.h> + #include <linux/slab.h> + #include <linux/tee_drv.h> +@@ -28,16 +28,8 @@ static void release_registered_pages(struct tee_shm *shm) + } + } + +-static void tee_shm_release(struct tee_shm *shm) ++static void tee_shm_release(struct tee_device *teedev, struct tee_shm *shm) + { +- struct tee_device *teedev = shm->ctx->teedev; +- +- if (shm->flags & TEE_SHM_DMA_BUF) { +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); +- } +- + if (shm->flags & TEE_SHM_POOL) { + struct tee_shm_pool_mgr *poolm; + +@@ -64,45 +56,6 @@ static void tee_shm_release(struct tee_shm *shm) + tee_device_put(teedev); + } + +-static struct sg_table *tee_shm_op_map_dma_buf(struct dma_buf_attachment +- *attach, enum dma_data_direction dir) +-{ +- return NULL; +-} +- +-static void tee_shm_op_unmap_dma_buf(struct dma_buf_attachment *attach, +- struct sg_table *table, +- enum dma_data_direction dir) +-{ +-} +- +-static void tee_shm_op_release(struct dma_buf *dmabuf) +-{ +- struct tee_shm *shm = dmabuf->priv; +- +- tee_shm_release(shm); +-} +- +-static int tee_shm_op_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma) +-{ +- struct tee_shm *shm = dmabuf->priv; +- size_t size = vma->vm_end - vma->vm_start; +- +- /* Refuse sharing shared memory provided by application */ +- if (shm->flags & TEE_SHM_USER_MAPPED) +- return -EINVAL; +- +- return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT, +- size, vma->vm_page_prot); +-} +- +-static const struct dma_buf_ops tee_shm_dma_buf_ops = { +- .map_dma_buf = tee_shm_op_map_dma_buf, +- .unmap_dma_buf = tee_shm_op_unmap_dma_buf, +- .release = tee_shm_op_release, +- .mmap = tee_shm_op_mmap, +-}; +- + struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags) + { + struct tee_device *teedev = ctx->teedev; +@@ -137,6 +90,7 @@ struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags) + goto err_dev_put; + } + ++ refcount_set(&shm->refcount, 1); + shm->flags = flags | TEE_SHM_POOL; + shm->ctx = ctx; + if (flags & TEE_SHM_DMA_BUF) +@@ -150,10 +104,7 @@ struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags) + goto err_kfree; + } + +- + if (flags & TEE_SHM_DMA_BUF) { +- DEFINE_DMA_BUF_EXPORT_INFO(exp_info); +- + mutex_lock(&teedev->mutex); + shm->id = idr_alloc(&teedev->idr, shm, 1, 0, GFP_KERNEL); + mutex_unlock(&teedev->mutex); +@@ -161,28 +112,11 @@ struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags) + ret = ERR_PTR(shm->id); + goto err_pool_free; + } +- +- exp_info.ops = &tee_shm_dma_buf_ops; +- exp_info.size = shm->size; +- exp_info.flags = O_RDWR; +- exp_info.priv = shm; +- +- shm->dmabuf = dma_buf_export(&exp_info); +- if (IS_ERR(shm->dmabuf)) { +- ret = ERR_CAST(shm->dmabuf); +- goto err_rem; +- } + } + + teedev_ctx_get(ctx); + + return shm; +-err_rem: +- if (flags & TEE_SHM_DMA_BUF) { +- mutex_lock(&teedev->mutex); +- idr_remove(&teedev->idr, shm->id); +- mutex_unlock(&teedev->mutex); +- } + err_pool_free: + poolm->ops->free(poolm, shm); + err_kfree: +@@ -243,6 +177,7 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr, + goto err; + } + ++ refcount_set(&shm->refcount, 1); + shm->flags = flags | TEE_SHM_REGISTER; + shm->ctx = ctx; + shm->id = -1; +@@ -303,22 +238,6 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr, + goto err; + } + +- if (flags & TEE_SHM_DMA_BUF) { +- DEFINE_DMA_BUF_EXPORT_INFO(exp_info); +- +- exp_info.ops = &tee_shm_dma_buf_ops; +- exp_info.size = shm->size; +- exp_info.flags = O_RDWR; +- exp_info.priv = shm; +- +- shm->dmabuf = dma_buf_export(&exp_info); +- if (IS_ERR(shm->dmabuf)) { +- ret = ERR_CAST(shm->dmabuf); +- teedev->desc->ops->shm_unregister(ctx, shm); +- goto err; +- } +- } +- + return shm; + err: + if (shm) { +@@ -336,6 +255,35 @@ struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr, + } + EXPORT_SYMBOL_GPL(tee_shm_register); + ++static int tee_shm_fop_release(struct inode *inode, struct file *filp) ++{ ++ tee_shm_put(filp->private_data); ++ return 0; ++} ++ ++static int tee_shm_fop_mmap(struct file *filp, struct vm_area_struct *vma) ++{ ++ struct tee_shm *shm = filp->private_data; ++ size_t size = vma->vm_end - vma->vm_start; ++ ++ /* Refuse sharing shared memory provided by application */ ++ if (shm->flags & TEE_SHM_USER_MAPPED) ++ return -EINVAL; ++ ++ /* check for overflowing the buffer's size */ ++ if (vma->vm_pgoff + vma_pages(vma) > shm->size >> PAGE_SHIFT) ++ return -EINVAL; ++ ++ return remap_pfn_range(vma, vma->vm_start, shm->paddr >> PAGE_SHIFT, ++ size, vma->vm_page_prot); ++} ++ ++static const struct file_operations tee_shm_fops = { ++ .owner = THIS_MODULE, ++ .release = tee_shm_fop_release, ++ .mmap = tee_shm_fop_mmap, ++}; ++ + /** + * tee_shm_get_fd() - Increase reference count and return file descriptor + * @shm: Shared memory handle +@@ -348,10 +296,11 @@ int tee_shm_get_fd(struct tee_shm *shm) + if (!(shm->flags & TEE_SHM_DMA_BUF)) + return -EINVAL; + +- get_dma_buf(shm->dmabuf); +- fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC); ++ /* matched by tee_shm_put() in tee_shm_op_release() */ ++ refcount_inc(&shm->refcount); ++ fd = anon_inode_getfd("tee_shm", &tee_shm_fops, shm, O_RDWR); + if (fd < 0) +- dma_buf_put(shm->dmabuf); ++ tee_shm_put(shm); + return fd; + } + +@@ -361,17 +310,7 @@ int tee_shm_get_fd(struct tee_shm *shm) + */ + void tee_shm_free(struct tee_shm *shm) + { +- /* +- * dma_buf_put() decreases the dmabuf reference counter and will +- * call tee_shm_release() when the last reference is gone. +- * +- * In the case of driver private memory we call tee_shm_release +- * directly instead as it doesn't have a reference counter. +- */ +- if (shm->flags & TEE_SHM_DMA_BUF) +- dma_buf_put(shm->dmabuf); +- else +- tee_shm_release(shm); ++ tee_shm_put(shm); + } + EXPORT_SYMBOL_GPL(tee_shm_free); + +@@ -478,10 +417,15 @@ struct tee_shm *tee_shm_get_from_id(struct tee_context *ctx, int id) + teedev = ctx->teedev; + mutex_lock(&teedev->mutex); + shm = idr_find(&teedev->idr, id); ++ /* ++ * If the tee_shm was found in the IDR it must have a refcount ++ * larger than 0 due to the guarantee in tee_shm_put() below. So ++ * it's safe to use refcount_inc(). ++ */ + if (!shm || shm->ctx != ctx) + shm = ERR_PTR(-EINVAL); +- else if (shm->flags & TEE_SHM_DMA_BUF) +- get_dma_buf(shm->dmabuf); ++ else ++ refcount_inc(&shm->refcount); + mutex_unlock(&teedev->mutex); + return shm; + } +@@ -493,7 +437,24 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); + */ + void tee_shm_put(struct tee_shm *shm) + { +- if (shm->flags & TEE_SHM_DMA_BUF) +- dma_buf_put(shm->dmabuf); ++ struct tee_device *teedev = shm->ctx->teedev; ++ bool do_release = false; ++ ++ mutex_lock(&teedev->mutex); ++ if (refcount_dec_and_test(&shm->refcount)) { ++ /* ++ * refcount has reached 0, we must now remove it from the ++ * IDR before releasing the mutex. This will guarantee that ++ * the refcount_inc() in tee_shm_get_from_id() never starts ++ * from 0. ++ */ ++ if (shm->flags & TEE_SHM_DMA_BUF) ++ idr_remove(&teedev->idr, shm->id); ++ do_release = true; ++ } ++ mutex_unlock(&teedev->mutex); ++ ++ if (do_release) ++ tee_shm_release(teedev, shm); + } + EXPORT_SYMBOL_GPL(tee_shm_put); +diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h +index 3ebfea0781f100..feda1dc7f98ee7 100644 +--- a/include/linux/tee_drv.h ++++ b/include/linux/tee_drv.h +@@ -195,7 +195,7 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, + * @offset: offset of buffer in user space + * @pages: locked pages from userspace + * @num_pages: number of locked pages +- * @dmabuf: dmabuf used to for exporting to user space ++ * @refcount: reference counter + * @flags: defined by TEE_SHM_* in tee_drv.h + * @id: unique id of a shared memory object on this device + * +@@ -210,7 +210,7 @@ struct tee_shm { + unsigned int offset; + struct page **pages; + size_t num_pages; +- struct dma_buf *dmabuf; ++ refcount_t refcount; + u32 flags; + int id; + }; + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0185.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0185.patch new file mode 100644 index 000000000..876c87dc6 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0185.patch @@ -0,0 +1,38 @@ +From 722d94847de29310e8aa03fcbdb41fc92c521756 Mon Sep 17 00:00:00 2001 +From: Jamie Hill-Daniel <jamie@hill-daniel.co.uk> +Date: Tue, 18 Jan 2022 08:06:04 +0100 +Subject: vfs: fs_context: fix up param length parsing in legacy_parse_param + +The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an +unsigned type so a large value of "size" results in a high positive +value instead of a negative value as expected. Fix this by getting rid +of the subtraction. + +Signed-off-by: Jamie Hill-Daniel <jamie@hill-daniel.co.uk> +Signed-off-by: William Liu <willsroot@protonmail.com> +Tested-by: Salvatore Bonaccorso <carnil@debian.org> +Tested-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> +Acked-by: Dan Carpenter <dan.carpenter@oracle.com> +Acked-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + fs/fs_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fs_context.c b/fs/fs_context.c +index b7e43a780a625..24ce12f0db32e 100644 +--- a/fs/fs_context.c ++++ b/fs/fs_context.c +@@ -548,7 +548,7 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param) + param->key); + } + +- if (len > PAGE_SIZE - 2 - size) ++ if (size + len + 2 > PAGE_SIZE) + return invalf(fc, "VFS: Legacy: Cumulative options too large"); + if (strchr(param->key, ',') || + (param->type == fs_value_is_string && +-- +cgit 1.2.3-1.el7 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0492.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0492.patch new file mode 100644 index 000000000..409689e4b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0492.patch @@ -0,0 +1,54 @@ +From 24f6008564183aa120d07c03d9289519c2fe02af Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Thu, 20 Jan 2022 11:04:01 -0600 +Subject: cgroup-v1: Require capabilities to set release_agent + +The cgroup release_agent is called with call_usermodehelper. The function +call_usermodehelper starts the release_agent with a full set fo capabilities. +Therefore require capabilities when setting the release_agaent. + +Reported-by: Tabitha Sable <tabitha.c.sable@gmail.com> +Tested-by: Tabitha Sable <tabitha.c.sable@gmail.com> +Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups") +Cc: stable@vger.kernel.org # v2.6.24+ +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Tejun Heo <tj@kernel.org> +--- + kernel/cgroup/cgroup-v1.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c +index 41e0837a5a0bd..0e877dbcfeea9 100644 +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -549,6 +549,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, + + BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); + ++ /* ++ * Release agent gets called with all capabilities, ++ * require capabilities to set release agent. ++ */ ++ if ((of->file->f_cred->user_ns != &init_user_ns) || ++ !capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + cgrp = cgroup_kn_lock_live(of->kn, false); + if (!cgrp) + return -ENODEV; +@@ -954,6 +962,12 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param) + /* Specifying two release agents is forbidden */ + if (ctx->release_agent) + return invalfc(fc, "release_agent respecified"); ++ /* ++ * Release agent gets called with all capabilities, ++ * require capabilities to set release agent. ++ */ ++ if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN)) ++ return invalfc(fc, "Setting release_agent not allowed"); + ctx->release_agent = param->string; + param->string = NULL; + break; +-- +cgit 1.2.3-1.el7 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0742.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0742.patch new file mode 100644 index 000000000..ada9c57b1 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0742.patch @@ -0,0 +1,115 @@ +From 2d3916f3189172d5c69d33065c3c21119fe539fc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 3 Mar 2022 09:37:28 -0800 +Subject: ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report() + +While investigating on why a synchronize_net() has been added recently +in ipv6_mc_down(), I found that igmp6_event_query() and igmp6_event_report() +might drop skbs in some cases. + +Discussion about removing synchronize_net() from ipv6_mc_down() +will happen in a different thread. + +Fixes: f185de28d9ae ("mld: add new workqueues for process mld events") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Taehee Yoo <ap420073@gmail.com> +Cc: Cong Wang <xiyou.wangcong@gmail.com> +Cc: David Ahern <dsahern@kernel.org> +Link: https://lore.kernel.org/r/20220303173728.937869-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +--- + include/net/ndisc.h | 4 ++-- + net/ipv6/mcast.c | 32 ++++++++++++-------------------- + 2 files changed, 14 insertions(+), 22 deletions(-) + +diff --git a/include/net/ndisc.h b/include/net/ndisc.h +index 53cb8de0e589c..47ffb360ddfac 100644 +--- a/include/net/ndisc.h ++++ b/include/net/ndisc.h +@@ -475,9 +475,9 @@ int igmp6_late_init(void); + void igmp6_cleanup(void); + void igmp6_late_cleanup(void); + +-int igmp6_event_query(struct sk_buff *skb); ++void igmp6_event_query(struct sk_buff *skb); + +-int igmp6_event_report(struct sk_buff *skb); ++void igmp6_event_report(struct sk_buff *skb); + + + #ifdef CONFIG_SYSCTL +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index a8861db52c187..909f937befd71 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1371,27 +1371,23 @@ static void mld_process_v2(struct inet6_dev *idev, struct mld2_query *mld, + } + + /* called with rcu_read_lock() */ +-int igmp6_event_query(struct sk_buff *skb) ++void igmp6_event_query(struct sk_buff *skb) + { + struct inet6_dev *idev = __in6_dev_get(skb->dev); + +- if (!idev) +- return -EINVAL; +- +- if (idev->dead) { +- kfree_skb(skb); +- return -ENODEV; +- } ++ if (!idev || idev->dead) ++ goto out; + + spin_lock_bh(&idev->mc_query_lock); + if (skb_queue_len(&idev->mc_query_queue) < MLD_MAX_SKBS) { + __skb_queue_tail(&idev->mc_query_queue, skb); + if (!mod_delayed_work(mld_wq, &idev->mc_query_work, 0)) + in6_dev_hold(idev); ++ skb = NULL; + } + spin_unlock_bh(&idev->mc_query_lock); +- +- return 0; ++out: ++ kfree_skb(skb); + } + + static void __mld_query_work(struct sk_buff *skb) +@@ -1542,27 +1538,23 @@ static void mld_query_work(struct work_struct *work) + } + + /* called with rcu_read_lock() */ +-int igmp6_event_report(struct sk_buff *skb) ++void igmp6_event_report(struct sk_buff *skb) + { + struct inet6_dev *idev = __in6_dev_get(skb->dev); + +- if (!idev) +- return -EINVAL; +- +- if (idev->dead) { +- kfree_skb(skb); +- return -ENODEV; +- } ++ if (!idev || idev->dead) ++ goto out; + + spin_lock_bh(&idev->mc_report_lock); + if (skb_queue_len(&idev->mc_report_queue) < MLD_MAX_SKBS) { + __skb_queue_tail(&idev->mc_report_queue, skb); + if (!mod_delayed_work(mld_wq, &idev->mc_report_work, 0)) + in6_dev_hold(idev); ++ skb = NULL; + } + spin_unlock_bh(&idev->mc_report_lock); +- +- return 0; ++out: ++ kfree_skb(skb); + } + + static void __mld_report_work(struct sk_buff *skb) +-- +cgit 1.2.3-1.el7 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch new file mode 100644 index 000000000..42fbba9ac --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch @@ -0,0 +1,57 @@ +From f9d87929d451d3e649699d0f1d74f71f77ad38f5 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 24 Jan 2022 12:46:50 -0600 +Subject: ucount: Make get_ucount a safe get_user replacement + +When the ucount code was refactored to create get_ucount it was missed +that some of the contexts in which a rlimit is kept elevated can be +the only reference to the user/ucount in the system. + +Ordinary ucount references exist in places that also have a reference +to the user namspace, but in POSIX message queues, the SysV shm code, +and the SIGPENDING code there is no independent user namespace +reference. + +Inspection of the the user_namespace show no instance of circular +references between struct ucounts and the user_namespace. So +hold a reference from struct ucount to i's user_namespace to +resolve this problem. + +Link: https://lore.kernel.org/lkml/YZV7Z+yXbsx9p3JN@fixkernel.com/ +Reported-by: Qian Cai <quic_qiancai@quicinc.com> +Reported-by: Mathias Krause <minipli@grsecurity.net> +Tested-by: Mathias Krause <minipli@grsecurity.net> +Reviewed-by: Mathias Krause <minipli@grsecurity.net> +Reviewed-by: Alexey Gladkov <legion@kernel.org> +Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") +Fixes: 6e52a9f0532f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts") +Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts") +Cc: stable@vger.kernel.org +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +--- + kernel/ucount.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/ucount.c b/kernel/ucount.c +index 7b32c356ebc5c..65b597431c861 100644 +--- a/kernel/ucount.c ++++ b/kernel/ucount.c +@@ -190,6 +190,7 @@ struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid) + kfree(new); + } else { + hlist_add_head(&new->node, hashent); ++ get_user_ns(new->ns); + spin_unlock_irq(&ucounts_lock); + return new; + } +@@ -210,6 +211,7 @@ void put_ucounts(struct ucounts *ucounts) + if (atomic_dec_and_lock_irqsave(&ucounts->count, &ucounts_lock, flags)) { + hlist_del_init(&ucounts->node); + spin_unlock_irqrestore(&ucounts_lock, flags); ++ put_user_ns(ucounts->ns); + kfree(ucounts); + } + } +-- +cgit 1.2.3-1.el7 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-25258.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-25258.patch new file mode 100644 index 000000000..89f62c3fc --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-25258.patch @@ -0,0 +1,29 @@ +From 75e5b4849b81e19e9efe1654b30d7f3151c33c2c Mon Sep 17 00:00:00 2001 +From: Szymon Heidrich <szymon.heidrich@gmail.com> +Date: Mon, 24 Jan 2022 12:14:00 +0100 +Subject: [PATCH] USB: gadget: validate interface OS descriptor requests + +Stall the control endpoint in case provided index exceeds array size of +MAX_CONFIG_INTERFACES or when the retrieved function pointer is null. + +Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/usb/gadget/composite.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 16f9e3423c9faa..9315313108c9d5 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1988,6 +1988,9 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + if (w_index != 0x5 || (w_value >> 8)) + break; + interface = w_value & 0xFF; ++ if (interface >= MAX_CONFIG_INTERFACES || ++ !os_desc_cfg->interface[interface]) ++ break; + buf[6] = w_index; + count = count_ext_prop(os_desc_cfg, + interface); diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-29582.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-29582.patch new file mode 100644 index 000000000..e0fac6ec5 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-29582.patch @@ -0,0 +1,53 @@ +From e677edbcabee849bfdd43f1602bccbecf736a646 Mon Sep 17 00:00:00 2001 +From: Jens Axboe <axboe@kernel.dk> +Date: Fri, 8 Apr 2022 11:08:58 -0600 +Subject: [PATCH] io_uring: fix race between timeout flush and removal + +io_flush_timeouts() assumes the timeout isn't in progress of triggering +or being removed/canceled, so it unconditionally removes it from the +timeout list and attempts to cancel it. + +Leave it on the list and let the normal timeout cancelation take care +of it. + +Cc: stable@vger.kernel.org # 5.5+ +Signed-off-by: Jens Axboe <axboe@kernel.dk> +--- + fs/io_uring.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index fafd1ca4780b6..659f8ecba5b79 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1736,12 +1736,11 @@ static __cold void io_flush_timeouts(struct io_ring_ctx *ctx) + __must_hold(&ctx->completion_lock) + { + u32 seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts); ++ struct io_kiocb *req, *tmp; + + spin_lock_irq(&ctx->timeout_lock); +- while (!list_empty(&ctx->timeout_list)) { ++ list_for_each_entry_safe(req, tmp, &ctx->timeout_list, timeout.list) { + u32 events_needed, events_got; +- struct io_kiocb *req = list_first_entry(&ctx->timeout_list, +- struct io_kiocb, timeout.list); + + if (io_is_timeout_noseq(req)) + break; +@@ -1758,7 +1757,6 @@ static __cold void io_flush_timeouts(struct io_ring_ctx *ctx) + if (events_got < events_needed) + break; + +- list_del_init(&req->timeout.list); + io_kill_timeout(req, 0); + } + ctx->cq_last_tm_flush = seq; +@@ -6628,6 +6626,7 @@ static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe, + if (data->ts.tv_sec < 0 || data->ts.tv_nsec < 0) + return -EINVAL; + ++ INIT_LIST_HEAD(&req->timeout.list); + data->mode = io_translate_timeout_mode(flags); + hrtimer_init(&data->timer, io_timeout_get_clock(data), data->mode); + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg index c33020874..6a8899c59 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/intel.cfg @@ -93,4 +93,5 @@ CONFIG_BPF_SYSCALL=n CONFIG_IPV6_SIT=n CONFIG_RTC_DRV_PCHC620=y CONFIG_RTC_HCTOSYS=y -CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
\ No newline at end of file +CONFIG_RTC_HCTOSYS_DEVICE="rtc0" +CONFIG_PANIC_TIMEOUT=0 diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend index 302338120..1ddfbd726 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend @@ -16,6 +16,19 @@ do_compile:prepend(){ SRC_URI += " \ file://intel.cfg \ file://0001-peci-aspeed-Improve-workaround-for-controller-hang.patch \ + file://0002-gpio-gpio-aspeed-sgpio-Fix-wrong-hwirq-base-in-irq-h.patch \ + file://0003-Add-mux-deselect-support-on-timeout.patch \ + file://CVE-2022-0185.patch \ + file://CVE-2021-22600.patch \ + file://CVE-2022-24122.patch \ + file://CVE-2022-0492.patch \ + file://CVE-2022-25258.patch \ + file://CVE-2022-0742.patch\ + file://CVE-2021-4197-001.patch \ + file://CVE-2021-4197-002.patch\ + file://CVE-2021-4197-003.patch\ + file://CVE-2021-44733.patch\ + file://CVE-2022-29582.patch\ " SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://1000-128MB-flashmap-for-PFR.patch', '', d)}" |