1. 03 Jul, 2019 32 commits
  2. 25 Jun, 2019 8 commits
    • Linux 4.19.56 · aec3002d
      Greg Kroah-Hartman committed
    • powerpc/mm/64s/hash: Reallocate context ids on fork · cd3e4939
      Michael Ellerman committed
      commit ca72d88378b2f2444d3ec145dd442d449d3fefbc upstream.
      
      When using the Hash Page Table (HPT) MMU, userspace memory mappings
      are managed at two levels. Firstly in the Linux page tables, much like
      other architectures, and secondly in the SLB (Segment Lookaside
      Buffer) and HPT. It's the SLB and HPT that are actually used by the
      hardware to do translations.
      
      As part of the series adding support for 4PB user virtual address
      space using the hash MMU, we added support for allocating multiple
      "context ids" per process, one for each 512TB chunk of address space.
      These are tracked in an array called extended_id in the mm_context_t
      of a process that has done a mapping above 512TB.
      
      If such a process forks (ie. clone(2) without CLONE_VM set) its mm is
      copied, including the mm_context_t, and then init_new_context() is
      called to reinitialise parts of the mm_context_t as appropriate to
      separate the address spaces of the two processes.
      
      The key step in ensuring the two processes have separate address
      spaces is to allocate a new context id for the process, this is done
      at the beginning of hash__init_new_context(). If we didn't allocate a
      new context id then the two processes would share mappings as far as
      the SLB and HPT are concerned, even though their Linux page tables
      would be separate.
      
      For mappings above 512TB, which use the extended_id array, we
      neglected to allocate new context ids on fork, meaning the parent and
      child use the same ids and therefore share those mappings even though
      they're supposed to be separate. This can lead to the parent seeing
      writes done by the child, which is essentially memory corruption.
      
      There is an additional exposure which is that if the child process
      exits, all its context ids are freed, including the context ids that
      are still in use by the parent for mappings above 512TB. One or more
      of those ids can then be reallocated to a third process, that process
      can then read/write to the parent's mappings above 512TB. Additionally
      if the freed id is used for the third process's primary context id,
      then the parent is able to read/write to the third process's mappings
      *below* 512TB.
      
      All of these are fundamental failures to enforce separation between
      processes. The only mitigating factor is that the bug only occurs if a
      process creates mappings above 512TB, and most applications still do
      not create such mappings.
      
      Only machines using the hash page table MMU are affected, eg. PowerPC
      970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines
      (powernv) use the Radix MMU and are not affected, unless the machine
      has been explicitly booted in HPT mode (using disable_radix on the
      kernel command line). KVM guests on Power9 may be affected if the host
      or guest is configured to use the HPT MMU. LPARs under PowerVM on
      Power9 are affected as they always use the HPT MMU. Kernels built with
      PAGE_SIZE=4K are not affected.
      
      The fix is relatively simple, we need to reallocate context ids for
      all extended mappings on fork.
      
      Fixes: f384796c ("powerpc/mm: Add support for handling > 512TB address in SLB miss")
      Cc: stable@vger.kernel.org # v4.17+
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
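The failure mode described in the commit message above, as a simplified user-space model added here (it is not the kernel's code or the patch itself). The toy id allocator, `struct ctx`, the slot count and the `realloc_ext` switch are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

#define NR_EXT 8   /* extended_id slots; count chosen for the model */
#define MAX_ID 64
static unsigned char in_use[MAX_ID]; /* toy allocator; id 0 means "none" */

static int alloc_id(void)
{
    for (int i = 1; i < MAX_ID; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -1;
}

struct ctx { int id; int extended_id[NR_EXT]; };

/* Fork model: copy the parent's context, then give the child its own ids.
 * realloc_ext = 0 is the pre-fix behaviour, 1 is the fixed behaviour. */
static void fork_ctx(struct ctx *child, const struct ctx *parent, int realloc_ext)
{
    *child = *parent;
    child->id = alloc_id();
    for (int i = 0; realloc_ext && i < NR_EXT; i++)
        if (child->extended_id[i])
            child->extended_id[i] = alloc_id();
}

static void exit_ctx(const struct ctx *c) /* frees every id the context holds */
{
    in_use[c->id] = 0;
    for (int i = 0; i < NR_EXT; i++)
        in_use[c->extended_id[i]] = 0;
}

/* bit 0: parent and child share an id after fork;
 * bit 1: after the child exits, a third process is handed a parent id. */
static int scenario(int realloc_ext)
{
    struct ctx parent = { 0 }, child;
    memset(in_use, 0, sizeof(in_use));
    parent.id = alloc_id();
    parent.extended_id[1] = alloc_id(); /* mapping above 512TB */
    fork_ctx(&child, &parent, realloc_ext);
    int shared = child.extended_id[1] == parent.extended_id[1];
    exit_ctx(&child);
    int third = alloc_id();
    return shared | ((third == parent.extended_id[1]) << 1);
}

int main(void) { printf("pre-fix: %d, fixed: %d\n", scenario(0), scenario(1)); return 0; }
```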
    • x86/resctrl: Don't stop walking closids when a locksetup group is found · 8c4fe200
      James Morse committed
      commit 87d3aa28f345bea77c396855fa5d5fec4c24461f upstream.
      
      When a new control group is created __init_one_rdt_domain() walks all
      the other closids to calculate the sets of used and unused bits.
      
      If it discovers a pseudo_locksetup group, it breaks out of the loop.  This
      means any later closid doesn't get its used bits added to used_b.  These
      bits will then get set in unused_b, and added to the new control group's
      configuration, even if they were marked as exclusive for a later closid.
      
      When encountering a pseudo_locksetup group, we should continue. This is
      because "a resource group enters 'pseudo-locked' mode after the schemata is
      written while the resource group is in 'pseudo-locksetup' mode." When we
      find a pseudo_locksetup group, its configuration is expected to be
      overwritten, we can skip it.
      
      Fixes: dfe9674b ("x86/intel_rdt: Enable entering of pseudo-locksetup mode")
      Signed-off-by: James Morse <james.morse@arm.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Reinette Chatre <reinette.chatre@intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H Peter Avin <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20190603172531.178830-1-james.morse@arm.com
      [Dropped comment due to lack of space]
      Signed-off-by: James Morse <james.morse@arm.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
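The effect of breaking out of the closid walk versus continuing, as a simplified model added here (it is not the kernel's `__init_one_rdt_domain()` or the patch). The `struct group` layout, the 8-bit mask width and the sample bitmasks are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum mode { SHAREABLE, EXCLUSIVE, PSEUDO_LOCKSETUP };
struct group { int allocated; enum mode mode; uint32_t cbm; };

#define CBM_LEN   8                       /* mask width assumed for the model */
#define FULL_MASK ((1u << CBM_LEN) - 1)

/* Compute the initial bitmask for a new group at index new_id.
 * stop_at_locksetup = 1 models the pre-fix walk (break),
 * 0 models the fixed walk (continue). */
static uint32_t init_new_ctrl(const struct group *g, int n, int new_id,
                              int stop_at_locksetup)
{
    uint32_t used_b = 0, new_ctrl = 0;

    for (int i = 0; i < n; i++) {
        if (!g[i].allocated || i == new_id)
            continue;
        if (g[i].mode == PSEUDO_LOCKSETUP) {
            if (stop_at_locksetup)
                break;      /* later closids never reach used_b */
            continue;       /* its configuration will be overwritten anyway */
        }
        used_b |= g[i].cbm;
        if (g[i].mode == SHAREABLE)
            new_ctrl |= g[i].cbm;
    }
    /* Every bit not seen as used is handed to the new group. */
    return new_ctrl | (~used_b & FULL_MASK);
}

/* Constructed sample: an exclusive group sits after a locksetup group. */
static const struct group sample[] = {
    { 1, SHAREABLE,        0x0f },  /* closid 0 */
    { 1, PSEUDO_LOCKSETUP, 0x30 },  /* closid 1 */
    { 1, EXCLUSIVE,        0xc0 },  /* closid 2 */
    { 0, SHAREABLE,        0x00 },  /* closid 3: group being created */
};

/* Bits of the exclusive group (closid 2) that leak into the new group. */
static uint32_t exclusive_overlap(int stop_at_locksetup)
{
    return init_new_ctrl(sample, 4, 3, stop_at_locksetup) & sample[2].cbm;
}

int main(void)
{
    printf("pre-fix overlap: 0x%02x, fixed overlap: 0x%02x\n",
           (unsigned)exclusive_overlap(1), (unsigned)exclusive_overlap(0));
    return 0;
}
```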
    • mac80211: Do not use stack memory with scatterlist for GMAC · d451b505
      Jouni Malinen committed
      commit a71fd9dac23613d96ba3c05619a8ef4fd6cdf9b9 upstream.
      
      ieee80211_aes_gmac() uses the mic argument directly in sg_set_buf() and
      that does not allow use of stack memory (e.g., BUG_ON() is hit in
      sg_set_buf() with CONFIG_DEBUG_SG). BIP GMAC TX side is fine for this
      since it can use the skb data buffer, but the RX side was using a stack
      variable for deriving the local MIC value to compare against the
      received one.
      
      Fix this by allocating heap memory for the mic buffer.
      
      This was found with hwsim test case ap_cipher_bip_gmac_128 hitting that
      BUG_ON() and kernel panic.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Jouni Malinen <j@w1.fi>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • nl80211: fix station_info pertid memory leak · 72dc6786
      Andy Strohman committed
      commit f77bf4863dc2218362f4227d56af4a5f3f08830c upstream.
      
      When dumping stations, memory allocated for station_info's
      pertid member will leak if the nl80211 header cannot be added to
      the sk_buff due to insufficient tail room.
      
      I noticed this leak in the kmalloc-2048 cache.
      
      Cc: stable@vger.kernel.org
      Fixes: 8689c051 ("cfg80211: dynamically allocate per-tid stats for station info")
      Signed-off-by: Andy Strohman <andy@uplevelsystems.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mac80211: handle deauthentication/disassociation from TDLS peer · 1e1007ac
      Yu Wang committed
      commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da upstream.
      
      When receiving a deauthentication/disassociation frame from a TDLS
      peer, a station should not disconnect the current AP, but only
      disable the current TDLS link if it's enabled.
      
      Without this change, a TDLS issue can be reproduced by following the
      steps as below:
      
      1. STA-1 and STA-2 are connected to AP, bidirectional traffic is running
         between STA-1 and STA-2.
      2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
         teardown TDLS link.
      3. Repeat step #2 and monitor the connection between STA and AP.
      
      During the test, one STA may send a deauthentication/disassociation
      frame to another, after TDLS teardown, with reason code 6/7, which
      means: Class 2/3 frame received from nonassociated STA.
      
      On receiving this frame, the receiver STA will disconnect the current
      AP and then reconnect. It's not an expected behavior, purpose of this
      frame should be disabling the TDLS link, not the link with AP.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • {nl,mac}80211: allow 4addr AP operation on crypto controlled devices · ccf6a155
      Manikanta Pubbisetty committed
      commit 33d915d9e8ce811d8958915ccd18d71a66c7c495 upstream.
      
      As per the current design, in the case of sw crypto controlled devices,
      it is the device which advertises the support for AP/VLAN iftype based
      on its ability to transmit packets encrypted in software
      (In VLAN functionality, group traffic generated for a specific
      VLAN group is always encrypted in software). Commit db3bdcb9
      ("mac80211: allow AP_VLAN operation on crypto controlled devices")
      has introduced this change.
      
      Since 4addr AP operation also uses AP/VLAN iftype, this conditional
      way of advertising AP/VLAN support has broken 4addr AP mode operation on
      crypto controlled devices which do not support VLAN functionality.
      
      In the case of ath10k driver, not all firmwares have support for VLAN
      functionality but all can support 4addr AP operation. Because AP/VLAN
      support is not advertised for these devices, 4addr AP operations are
      also blocked.
      
      Fix this by allowing 4addr operation on devices which do not support
      AP/VLAN iftype but can support 4addr AP operation (decision is based on
      the wiphy flag WIPHY_FLAG_4ADDR_AP).
      
      Cc: stable@vger.kernel.org
      Fixes: db3bdcb9 ("mac80211: allow AP_VLAN operation on crypto controlled devices")
      Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mac80211: drop robust management frames from unknown TA · 0e879ef1
      Johannes Berg committed
      commit 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f upstream.
      
      When receiving a robust management frame, drop it if we don't have
      rx->sta since then we don't have a security association and thus
      couldn't possibly validate the frame.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>