1. 03 7月, 2019 26 次提交
  2. 25 6月, 2019 14 次提交
    • G
      Linux 4.19.56 · aec3002d
      Greg Kroah-Hartman 提交于
      aec3002d
    • M
      powerpc/mm/64s/hash: Reallocate context ids on fork · cd3e4939
      Michael Ellerman 提交于
      commit ca72d88378b2f2444d3ec145dd442d449d3fefbc upstream.
      
      When using the Hash Page Table (HPT) MMU, userspace memory mappings
      are managed at two levels. Firstly in the Linux page tables, much like
      other architectures, and secondly in the SLB (Segment Lookaside
      Buffer) and HPT. It's the SLB and HPT that are actually used by the
      hardware to do translations.
      
      As part of the series adding support for 4PB user virtual address
      space using the hash MMU, we added support for allocating multiple
      "context ids" per process, one for each 512TB chunk of address space.
      These are tracked in an array called extended_id in the mm_context_t
      of a process that has done a mapping above 512TB.
      
      If such a process forks (ie. clone(2) without CLONE_VM set) it's mm is
      copied, including the mm_context_t, and then init_new_context() is
      called to reinitialise parts of the mm_context_t as appropriate to
      separate the address spaces of the two processes.
      
      The key step in ensuring the two processes have separate address
      spaces is to allocate a new context id for the process, this is done
      at the beginning of hash__init_new_context(). If we didn't allocate a
      new context id then the two processes would share mappings as far as
      the SLB and HPT are concerned, even though their Linux page tables
      would be separate.
      
      For mappings above 512TB, which use the extended_id array, we
      neglected to allocate new context ids on fork, meaning the parent and
      child use the same ids and therefore share those mappings even though
      they're supposed to be separate. This can lead to the parent seeing
      writes done by the child, which is essentially memory corruption.
      
      There is an additional exposure which is that if the child process
      exits, all its context ids are freed, including the context ids that
      are still in use by the parent for mappings above 512TB. One or more
      of those ids can then be reallocated to a third process, that process
      can then read/write to the parent's mappings above 512TB. Additionally
      if the freed id is used for the third process's primary context id,
      then the parent is able to read/write to the third process's mappings
      *below* 512TB.
      
      All of these are fundamental failures to enforce separation between
      processes. The only mitigating factor is that the bug only occurs if a
      process creates mappings above 512TB, and most applications still do
      not create such mappings.
      
      Only machines using the hash page table MMU are affected, eg. PowerPC
      970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines
      (powernv) use the Radix MMU and are not affected, unless the machine
      has been explicitly booted in HPT mode (using disable_radix on the
      kernel command line). KVM guests on Power9 may be affected if the host
      or guest is configured to use the HPT MMU. LPARs under PowerVM on
      Power9 are affected as they always use the HPT MMU. Kernels built with
      PAGE_SIZE=4K are not affected.
      
      The fix is relatively simple, we need to reallocate context ids for
      all extended mappings on fork.
      
      Fixes: f384796c ("powerpc/mm: Add support for handling > 512TB address in SLB miss")
      Cc: stable@vger.kernel.org # v4.17+
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd3e4939
    • J
      x86/resctrl: Don't stop walking closids when a locksetup group is found · 8c4fe200
      James Morse 提交于
      commit 87d3aa28f345bea77c396855fa5d5fec4c24461f upstream.
      
      When a new control group is created __init_one_rdt_domain() walks all
      the other closids to calculate the sets of used and unused bits.
      
      If it discovers a pseudo_locksetup group, it breaks out of the loop.  This
      means any later closid doesn't get its used bits added to used_b.  These
      bits will then get set in unused_b, and added to the new control group's
      configuration, even if they were marked as exclusive for a later closid.
      
      When encountering a pseudo_locksetup group, we should continue. This is
      because "a resource group enters 'pseudo-locked' mode after the schemata is
      written while the resource group is in 'pseudo-locksetup' mode." When we
      find a pseudo_locksetup group, its configuration is expected to be
      overwritten, we can skip it.
      
      Fixes: dfe9674b ("x86/intel_rdt: Enable entering of pseudo-locksetup mode")
      Signed-off-by: NJames Morse <james.morse@arm.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Acked-by: NReinette Chatre <reinette.chatre@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H Peter Avin <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20190603172531.178830-1-james.morse@arm.com
      [Dropped comment due to lack of space]
      Signed-off-by: NJames Morse <james.morse@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c4fe200
    • J
      mac80211: Do not use stack memory with scatterlist for GMAC · d451b505
      Jouni Malinen 提交于
      commit a71fd9dac23613d96ba3c05619a8ef4fd6cdf9b9 upstream.
      
      ieee80211_aes_gmac() uses the mic argument directly in sg_set_buf() and
      that does not allow use of stack memory (e.g., BUG_ON() is hit in
      sg_set_buf() with CONFIG_DEBUG_SG). BIP GMAC TX side is fine for this
      since it can use the skb data buffer, but the RX side was using a stack
      variable for deriving the local MIC value to compare against the
      received one.
      
      Fix this by allocating heap memory for the mic buffer.
      
      This was found with hwsim test case ap_cipher_bip_gmac_128 hitting that
      BUG_ON() and kernel panic.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NJouni Malinen <j@w1.fi>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d451b505
    • A
      nl80211: fix station_info pertid memory leak · 72dc6786
      Andy Strohman 提交于
      commit f77bf4863dc2218362f4227d56af4a5f3f08830c upstream.
      
      When dumping stations, memory allocated for station_info's
      pertid member will leak if the nl80211 header cannot be added to
      the sk_buff due to insufficient tail room.
      
      I noticed this leak in the kmalloc-2048 cache.
      
      Cc: stable@vger.kernel.org
      Fixes: 8689c051 ("cfg80211: dynamically allocate per-tid stats for station info")
      Signed-off-by: NAndy Strohman <andy@uplevelsystems.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72dc6786
    • Y
      mac80211: handle deauthentication/disassociation from TDLS peer · 1e1007ac
      Yu Wang 提交于
      commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da upstream.
      
      When receiving a deauthentication/disassociation frame from a TDLS
      peer, a station should not disconnect the current AP, but only
      disable the current TDLS link if it's enabled.
      
      Without this change, a TDLS issue can be reproduced by following the
      steps as below:
      
      1. STA-1 and STA-2 are connected to AP, bidirection traffic is running
         between STA-1 and STA-2.
      2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
         teardown TDLS link.
      3. Repeat step #2 and monitor the connection between STA and AP.
      
      During the test, one STA may send a deauthentication/disassociation
      frame to another, after TDLS teardown, with reason code 6/7, which
      means: Class 2/3 frame received from nonassociated STA.
      
      On receive this frame, the receiver STA will disconnect the current
      AP and then reconnect. It's not a expected behavior, purpose of this
      frame should be disabling the TDLS link, not the link with AP.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NYu Wang <yyuwang@codeaurora.org>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e1007ac
    • M
      {nl,mac}80211: allow 4addr AP operation on crypto controlled devices · ccf6a155
      Manikanta Pubbisetty 提交于
      commit 33d915d9e8ce811d8958915ccd18d71a66c7c495 upstream.
      
      As per the current design, in the case of sw crypto controlled devices,
      it is the device which advertises the support for AP/VLAN iftype based
      on it's ability to tranmsit packets encrypted in software
      (In VLAN functionality, group traffic generated for a specific
      VLAN group is always encrypted in software). Commit db3bdcb9
      ("mac80211: allow AP_VLAN operation on crypto controlled devices")
      has introduced this change.
      
      Since 4addr AP operation also uses AP/VLAN iftype, this conditional
      way of advertising AP/VLAN support has broken 4addr AP mode operation on
      crypto controlled devices which do not support VLAN functionality.
      
      In the case of ath10k driver, not all firmwares have support for VLAN
      functionality but all can support 4addr AP operation. Because AP/VLAN
      support is not advertised for these devices, 4addr AP operations are
      also blocked.
      
      Fix this by allowing 4addr operation on devices which do not support
      AP/VLAN iftype but can support 4addr AP operation (decision is based on
      the wiphy flag WIPHY_FLAG_4ADDR_AP).
      
      Cc: stable@vger.kernel.org
      Fixes: db3bdcb9 ("mac80211: allow AP_VLAN operation on crypto controlled devices")
      Signed-off-by: NManikanta Pubbisetty <mpubbise@codeaurora.org>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ccf6a155
    • J
      mac80211: drop robust management frames from unknown TA · 0e879ef1
      Johannes Berg 提交于
      commit 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f upstream.
      
      When receiving a robust management frame, drop it if we don't have
      rx->sta since then we don't have a security association and thus
      couldn't possibly validate the frame.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0e879ef1
    • E
      cfg80211: fix memory leak of wiphy device name · 17d941dc
      Eric Biggers 提交于
      commit 4f488fbca2a86cc7714a128952eead92cac279ab upstream.
      
      In wiphy_new_nm(), if an error occurs after dev_set_name() and
      device_initialize() have already been called, it's necessary to call
      put_device() (via wiphy_free()) to avoid a memory leak.
      
      Reported-by: syzbot+7fddca22578bc67c3fe4@syzkaller.appspotmail.com
      Fixes: 1f87f7d3 ("cfg80211: add rfkill support")
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17d941dc
    • S
      SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write · 5293c79c
      Steve French 提交于
      commit 8d526d62db907e786fd88948c75d1833d82bd80e upstream.
      
      Some servers such as Windows 10 will return STATUS_INSUFFICIENT_RESOURCES
      as the number of simultaneous SMB3 requests grows (even though the client
      has sufficient credits).  Return EAGAIN on STATUS_INSUFFICIENT_RESOURCES
      so that we can retry writes which fail with this status code.
      
      This (for example) fixes large file copies to Windows 10 on fast networks.
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Reviewed-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5293c79c
    • M
      Bluetooth: Fix regression with minimum encryption key size alignment · db7f1076
      Marcel Holtmann 提交于
      commit 693cd8ce3f882524a5d06f7800dd8492411877b3 upstream.
      
      When trying to align the minimum encryption key size requirement for
      Bluetooth connections, it turns out doing this in a central location in
      the HCI connection handling code is not possible.
      
      Original Bluetooth version up to 2.0 used a security model where the
      L2CAP service would enforce authentication and encryption.  Starting
      with Bluetooth 2.1 and Secure Simple Pairing that model has changed into
      that the connection initiator is responsible for providing an encrypted
      ACL link before any L2CAP communication can happen.
      
      Now connecting Bluetooth 2.1 or later devices with Bluetooth 2.0 and
      before devices are causing a regression.  The encryption key size check
      needs to be moved out of the HCI connection handling into the L2CAP
      channel setup.
      
      To achieve this, the current check inside hci_conn_security() has been
      moved into l2cap_check_enc_key_size() helper function and then called
      from four decisions point inside L2CAP to cover all combinations of
      Secure Simple Pairing enabled devices and device using legacy pairing
      and legacy service security model.
      
      Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203643Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db7f1076
    • M
      Bluetooth: Align minimum encryption key size for LE and BR/EDR connections · 5e9a6c68
      Marcel Holtmann 提交于
      commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
      
      The minimum encryption key size for LE connections is 56 bits and to
      align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
      BR/EDR connections as well.
      Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e9a6c68
    • G
      staging: erofs: add requirements field in superblock · 64e37023
      Gao Xiang 提交于
      commit 5efe5137f05bbb4688890620934538c005e7d1d6 upstream.
      
      There are some backward incompatible features pending
      for months, mainly due to on-disk format expensions.
      
      However, we should ensure that it cannot be mounted with
      old kernels. Otherwise, it will causes unexpected behaviors.
      
      Fixes: ba2b77a8 ("staging: erofs: add super block operations")
      Cc: <stable@vger.kernel.org> # 4.19+
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NGao Xiang <gaoxiang25@huawei.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64e37023
    • T
      drm/vmwgfx: Use the backdoor port if the HB port is not available · e6803ce3
      Thomas Hellstrom 提交于
      commit cc0ba0d8624f210995924bb57a8b181ce8976606 upstream.
      
      The HB port may not be available for various reasons. Either it has been
      disabled by a config option or by the hypervisor for other reasons.
      In that case, make sure we have a backup plan and use the backdoor port
      instead with a performance penalty.
      
      Cc: stable@vger.kernel.org
      Fixes: 89da76fd ("drm/vmwgfx: Add VMWare host messaging capability")
      Signed-off-by: NThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: NDeepak Rawat <drawat@vmware.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e6803ce3