summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAdrian Calianu <adrian.calianu@enea.com>2021-05-12 12:57:01 +0200
committerMatei Valeanu <Matei.Valeanu@enea.com>2021-05-14 14:37:39 +0200
commiteb09dd59bff9aafbce27ec9f265bd866e3d57fe7 (patch)
treebef94a832302c972a1c8b585bdbaf8de945ee638
parent6796af332a529809b1efc628f79129b57734fd67 (diff)
downloadenea-kernel-cache-eb09dd59bff9aafbce27ec9f265bd866e3d57fe7.tar.gz
patches: updated according to 5.10 kernel
cve - remove all patches already part of 5.10 kernel - Enea NFV Access kernel already updated to the latest available 5.10.32 from Intel repo security - patch removed since is part of 5.10 kernel ipv4 - updated the patch to 5.10 kernel kernel_startend_msg - removed because are not used anymore to measure boot time - boot time is measured with "systemd-analyze time" Change-Id: I42d217e2ff3ab9979c0d82b1ee3651f77a4ca41d Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
Diffstat
-rw-r--r--patches/cve/4.14.x.scc25
-rw-r--r--patches/cve/CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch148
-rw-r--r--patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch159
-rw-r--r--patches/cve/CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch89
-rw-r--r--patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch76
-rw-r--r--patches/cve/CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch357
-rw-r--r--patches/cve/CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch199
-rw-r--r--patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch188
-rw-r--r--patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch167
-rw-r--r--patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch79
-rw-r--r--patches/cve/CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch179
-rw-r--r--patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch118
-rw-r--r--patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch54
-rw-r--r--patches/cve/CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch112
-rw-r--r--patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch56
-rw-r--r--patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch74
-rw-r--r--patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch107
-rw-r--r--patches/ipv4/0001-IPV4-unlock-rtnl_mutex-before-waiting-for-carrier-on.patch15
-rw-r--r--patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-guest-boot-start-end-messages.patch103
-rw-r--r--patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-host-boot-start-end-messages.patch103
-rw-r--r--patches/kernel_startend_msg/kernel_guest_startend_msg.scc4
-rw-r--r--patches/kernel_startend_msg/kernel_host_startend_msg.scc4
-rw-r--r--patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch69
-rw-r--r--patches/security/keys.scc1
24 files changed, 9 insertions, 2477 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
deleted file mode 100644
index 99eedef..0000000
--- a/patches/cve/4.14.x.scc
+++ /dev/null
@@ -1,25 +0,0 @@
1#CVEs fixed in 4.14.71:
2patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
3#CVEs fixed in 4.14.73:
4patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
5#CVEs fixed in 4.14.75:
6patch CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
7#CVEs fixed in 4.14.78:
8patch CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch
9#CVEs fixed in 4.14.86:
10patch CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
11patch CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch
12patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
13patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch
14patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
15patch CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch
16#CVEs fixed in 4.14.87:
17patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
18#CVEs fixed in 4.14.88:
19patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
20patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
21patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
22#CVEs fixed in 4.14.91:
23patch CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
24#CVEs fixed in 4.14.94:
25patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
diff --git a/patches/cve/CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch b/patches/cve/CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
deleted file mode 100644
index 772adcd..0000000
--- a/patches/cve/CVE-2018-13097-f2fs-fix-to-do-sanity-check-with-user_block_count.patch
+++ /dev/null
@@ -1,148 +0,0 @@
1From 73711ba024896a2ffe4f81601dea8d8ba0085e04 Mon Sep 17 00:00:00 2001
2From: Andreas Wellving <andreas.wellving@enea.com>
3Date: Fri, 25 Jan 2019 12:44:48 +0000
4Subject: [PATCH] f2fs: fix to do sanity check with user_block_count
5
6commit 9dc956b2c8523aed39d1e6508438be9fea28c8fc upstream.
7
8This patch fixs to do sanity check with user_block_count.
9
10- Overview
11Divide zero in utilization when mount() a corrupted f2fs image
12
13- Reproduce (4.18 upstream kernel)
14
15- Kernel message
16[ 564.099503] F2FS-fs (loop0): invalid crc value
17[ 564.101991] divide error: 0000 [#1] SMP KASAN PTI
18[ 564.103103] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Not tainted 4.18.0-rc1+ #4
19[ 564.104584] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
20[ 564.106624] RIP: 0010:issue_discard_thread+0x248/0x5c0
21[ 564.107692] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
22[ 564.111686] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
23[ 564.112775] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
24[ 564.114250] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
25[ 564.115706] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
26[ 564.117177] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
27[ 564.118634] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
28[ 564.120094] FS: 0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
29[ 564.121748] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
30[ 564.122923] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
31[ 564.124383] Call Trace:
32[ 564.124924] ? __issue_discard_cmd+0x480/0x480
33[ 564.125882] ? __sched_text_start+0x8/0x8
34[ 564.126756] ? __kthread_parkme+0xcb/0x100
35[ 564.127620] ? kthread_blkcg+0x70/0x70
36[ 564.128412] kthread+0x180/0x1d0
37[ 564.129105] ? __issue_discard_cmd+0x480/0x480
38[ 564.130029] ? kthread_associate_blkcg+0x150/0x150
39[ 564.131033] ret_from_fork+0x35/0x40
40[ 564.131794] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
41[ 564.141798] ---[ end trace 4ce02f25ff7d3df5 ]---
42[ 564.142773] RIP: 0010:issue_discard_thread+0x248/0x5c0
43[ 564.143885] Code: ff ff 48 8b bd e8 fe ff ff 41 8b 9d 4c 04 00 00 e8 cd b8 ad ff 41 8b 85 50 04 00 00 31 d2 48 8d 04 80 48 8d 04 80 48 c1 e0 02 <48> f7 f3 83 f8 50 7e 16 41 c7 86 7c ff ff ff 01 00 00 00 41 c7 86
44[ 564.147776] RSP: 0018:ffff8801f3117dc0 EFLAGS: 00010206
45[ 564.148856] RAX: 0000000000000384 RBX: 0000000000000000 RCX: ffffffffb88c1e03
46[ 564.150424] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e3aa4850
47[ 564.151906] RBP: ffff8801f3117f00 R08: 1ffffffff751a1d0 R09: fffffbfff751a1d0
48[ 564.153463] R10: 0000000000000001 R11: fffffbfff751a1d0 R12: 00000000fffffffc
49[ 564.154915] R13: ffff8801e3aa4400 R14: ffff8801f3117ed8 R15: ffff8801e2050000
50[ 564.156405] FS: 0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
51[ 564.158070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
52[ 564.159279] CR2: 000000000202b078 CR3: 00000001f11ac000 CR4: 00000000000006e0
53[ 564.161043] ==================================================================
54[ 564.162587] BUG: KASAN: stack-out-of-bounds in from_kuid_munged+0x1d/0x50
55[ 564.163994] Read of size 4 at addr ffff8801f3117c84 by task f2fs_discard-7:/1298
56
57[ 564.165852] CPU: 1 PID: 1298 Comm: f2fs_discard-7: Tainted: G D 4.18.0-rc1+ #4
58[ 564.167593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
59[ 564.169522] Call Trace:
60[ 564.170057] dump_stack+0x7b/0xb5
61[ 564.170778] print_address_description+0x70/0x290
62[ 564.171765] kasan_report+0x291/0x390
63[ 564.172540] ? from_kuid_munged+0x1d/0x50
64[ 564.173408] __asan_load4+0x78/0x80
65[ 564.174148] from_kuid_munged+0x1d/0x50
66[ 564.174962] do_notify_parent+0x1f5/0x4f0
67[ 564.175808] ? send_sigqueue+0x390/0x390
68[ 564.176639] ? css_set_move_task+0x152/0x340
69[ 564.184197] do_exit+0x1290/0x1390
70[ 564.184950] ? __issue_discard_cmd+0x480/0x480
71[ 564.185884] ? mm_update_next_owner+0x380/0x380
72[ 564.186829] ? __sched_text_start+0x8/0x8
73[ 564.187672] ? __kthread_parkme+0xcb/0x100
74[ 564.188528] ? kthread_blkcg+0x70/0x70
75[ 564.189333] ? kthread+0x180/0x1d0
76[ 564.190052] ? __issue_discard_cmd+0x480/0x480
77[ 564.190983] rewind_stack_do_exit+0x17/0x20
78
79[ 564.192190] The buggy address belongs to the page:
80[ 564.193213] page:ffffea0007cc45c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
81[ 564.194856] flags: 0x2ffff0000000000()
82[ 564.195644] raw: 02ffff0000000000 0000000000000000 dead000000000200 0000000000000000
83[ 564.197247] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
84[ 564.198826] page dumped because: kasan: bad access detected
85
86[ 564.200299] Memory state around the buggy address:
87[ 564.201306] ffff8801f3117b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
88[ 564.202779] ffff8801f3117c00: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
89[ 564.204252] >ffff8801f3117c80: f3 f3 f3 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
90[ 564.205742] ^
91[ 564.206424] ffff8801f3117d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
92[ 564.207908] ffff8801f3117d80: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
93[ 564.209389] ==================================================================
94[ 564.231795] F2FS-fs (loop0): Mounted with checkpoint version = 2
95
96- Location
97https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.h#L586
98 return div_u64((u64)valid_user_blocks(sbi) * 100,
99 sbi->user_block_count);
100Missing checks on sbi->user_block_count.
101
102CVE: CVE-2018-13097
103Upstream-Status: Backport
104
105Reported-by: Wen Xu <wen.xu@gatech.edu>
106Signed-off-by: Chao Yu <yuchao0@huawei.com>
107Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
108Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
109Signed-off-by: Sasha Levin <sashal@kernel.org>
110Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
111---
112 fs/f2fs/super.c | 13 +++++++++++++
113 1 file changed, 13 insertions(+)
114
115diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
116index 400c00058bad..75af507273a4 100644
117--- a/fs/f2fs/super.c
118+++ b/fs/f2fs/super.c
119@@ -1883,6 +1883,9 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
120 struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
121 unsigned int ovp_segments, reserved_segments;
122 unsigned int main_segs, blocks_per_seg;
123+ unsigned int log_blocks_per_seg;
124+ unsigned int segment_count_main;
125+ block_t user_block_count;
126 int i;
127
128 total = le32_to_cpu(raw_super->segment_count);
129@@ -1905,6 +1908,16 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
130 return 1;
131 }
132
133+ user_block_count = le64_to_cpu(ckpt->user_block_count);
134+ segment_count_main = le32_to_cpu(raw_super->segment_count_main);
135+ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
136+ if (!user_block_count || user_block_count >=
137+ segment_count_main << log_blocks_per_seg) {
138+ f2fs_msg(sbi->sb, KERN_ERR,
139+ "Wrong user_block_count: %u", user_block_count);
140+ return 1;
141+ }
142+
143 main_segs = le32_to_cpu(raw_super->segment_count_main);
144 blocks_per_seg = sbi->blocks_per_seg;
145
146--
1472.19.2
148
diff --git a/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch b/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
deleted file mode 100644
index c3a750d..0000000
--- a/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
+++ /dev/null
@@ -1,159 +0,0 @@
1From 4dbe38dc386910c668c75ae616b99b823b59f3eb Mon Sep 17 00:00:00 2001
2From: Chao Yu <yuchao0@huawei.com>
3Date: Sat, 30 Jun 2018 18:13:40 +0800
4Subject: [PATCH] f2fs: fix to do sanity check with reserved blkaddr of inline
5 inode
6
7As Wen Xu reported in bugzilla, after image was injected with random data
8by fuzzing, inline inode would contain invalid reserved blkaddr, then
9during inline conversion, we will encounter illegal memory accessing
10reported by KASAN, the root cause of this is when writing out converted
11inline page, we will use invalid reserved blkaddr to update sit bitmap,
12result in accessing memory beyond sit bitmap boundary.
13
14In order to fix this issue, let's do sanity check with reserved block
15address of inline inode to avoid above condition.
16
17https://bugzilla.kernel.org/show_bug.cgi?id=200179
18
19[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
20[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
21
22[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1
23[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
24[ 1428.846860] Call Trace:
25[ 1428.846868] dump_stack+0x71/0xab
26[ 1428.846875] print_address_description+0x6b/0x290
27[ 1428.846881] kasan_report+0x28e/0x390
28[ 1428.846888] ? update_sit_entry+0x80/0x7f0
29[ 1428.846898] update_sit_entry+0x80/0x7f0
30[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70
31[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590
32[ 1428.846920] do_write_page+0xc8/0x150
33[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210
34[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170
35[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130
36[ 1428.846946] ? __mod_node_page_state+0x22/0xa0
37[ 1428.846951] ? inc_zone_page_state+0x54/0x100
38[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0
39[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0
40[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0
41[ 1428.846978] ? __get_node_page+0x335/0x6b0
42[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500
43[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0
44[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40
45[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0
46[ 1428.847024] f2fs_file_mmap+0x79/0xc0
47[ 1428.847029] mmap_region+0x58b/0x880
48[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370
49[ 1428.847042] do_mmap+0x55b/0x7a0
50[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0
51[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50
52[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
53[ 1428.847068] ? do_sys_open+0x206/0x2a0
54[ 1428.847073] ? __fget+0xb4/0x100
55[ 1428.847079] ksys_mmap_pgoff+0x278/0x360
56[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50
57[ 1428.847091] do_syscall_64+0x73/0x160
58[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9
59[ 1428.847102] RIP: 0033:0x7fb1430766ba
60[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
61[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
62[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
63[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
64[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
65[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
66[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
67
68[ 1428.847252] Allocated by task 2683:
69[ 1428.847372] kasan_kmalloc+0xa6/0xd0
70[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0
71[ 1428.847385] getname_flags+0x73/0x2b0
72[ 1428.847390] user_path_at_empty+0x1d/0x40
73[ 1428.847395] vfs_statx+0xc1/0x150
74[ 1428.847401] __do_sys_newlstat+0x7e/0xd0
75[ 1428.847405] do_syscall_64+0x73/0x160
76[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
77
78[ 1428.847466] Freed by task 2683:
79[ 1428.847566] __kasan_slab_free+0x137/0x190
80[ 1428.847571] kmem_cache_free+0x85/0x1e0
81[ 1428.847575] filename_lookup+0x191/0x280
82[ 1428.847580] vfs_statx+0xc1/0x150
83[ 1428.847585] __do_sys_newlstat+0x7e/0xd0
84[ 1428.847590] do_syscall_64+0x73/0x160
85[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9
86
87[ 1428.847648] The buggy address belongs to the object at ffff880194483300
88 which belongs to the cache names_cache of size 4096
89[ 1428.847946] The buggy address is located 576 bytes inside of
90 4096-byte region [ffff880194483300, ffff880194484300)
91[ 1428.848234] The buggy address belongs to the page:
92[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
93[ 1428.848606] flags: 0x17fff8000008100(slab|head)
94[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
95[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
96[ 1428.849122] page dumped because: kasan: bad access detected
97
98[ 1428.849305] Memory state around the buggy address:
99[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
100[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
101[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
102[ 1428.849985] ^
103[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
104[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
105[ 1428.850498] ==================================================================
106
107CVE: CVE-2018-13099
108Upstream-Status: Backport
109
110Reported-by: Wen Xu <wen.xu@gatech.edu>
111Signed-off-by: Chao Yu <yuchao0@huawei.com>
112Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
113Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
114---
115 fs/f2fs/inline.c | 21 +++++++++++++++++++++
116 1 file changed, 21 insertions(+)
117
118diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
119index 9a245d2..2bcb2d3 100644
120--- a/fs/f2fs/inline.c
121+++ b/fs/f2fs/inline.c
122@@ -130,6 +130,16 @@ int f2fs_convert_inline_page(struct dnode_of_data *dn, struct page *page)
123 if (err)
124 return err;
125
126+ if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
127+ f2fs_put_dnode(dn);
128+ set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
129+ f2fs_msg(fio.sbi->sb, KERN_WARNING,
130+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
131+ "run fsck to fix.",
132+ __func__, dn->inode->i_ino, dn->data_blkaddr);
133+ return -EINVAL;
134+ }
135+
136 f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
137
138 f2fs_do_read_inline_data(page, dn->inode_page);
139@@ -363,6 +373,17 @@ static int f2fs_move_inline_dirents(struct inode *dir, struct page *ipage,
140 if (err)
141 goto out;
142
143+ if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
144+ f2fs_put_dnode(&dn);
145+ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
146+ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
147+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
148+ "run fsck to fix.",
149+ __func__, dir->i_ino, dn.data_blkaddr);
150+ err = -EINVAL;
151+ goto out;
152+ }
153+
154 f2fs_wait_on_page_writeback(page, DATA, true);
155
156 dentry_blk = page_address(page);
157--
158
159
diff --git a/patches/cve/CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch b/patches/cve/CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch
deleted file mode 100644
index c4afc0d..0000000
--- a/patches/cve/CVE-2018-14610-btrfs-Check-that-each-block-group-has-corresponding-.patch
+++ /dev/null
@@ -1,89 +0,0 @@
1From 34407a175a59b668a1a2bbf0d0e495d87a7777d8 Mon Sep 17 00:00:00 2001
2From: Qu Wenruo <wqu@suse.com>
3Date: Wed, 1 Aug 2018 10:37:16 +0800
4Subject: [PATCH] btrfs: Check that each block group has corresponding chunk at
5 mount time
6
7commit 514c7dca85a0bf40be984dab0b477403a6db901f upstream.
8
9A crafted btrfs image with incorrect chunk<->block group mapping will
10trigger a lot of unexpected things as the mapping is essential.
11
12Although the problem can be caught by block group item checker
13added in "btrfs: tree-checker: Verify block_group_item", it's still not
14sufficient. A sufficiently valid block group item can pass the check
15added by the mentioned patch but could fail to match the existing chunk.
16
17This patch will add extra block group -> chunk mapping check, to ensure
18we have a completely matching (start, len, flags) chunk for each block
19group at mount time.
20
21Here we reuse the original helper find_first_block_group(), which is
22already doing the basic bg -> chunk checks, adding further checks of the
23start/len and type flags.
24
25CVE: CVE-2018-14610
26Upstream-Status: Backport
27
28Link: https://bugzilla.kernel.org/show_bug.cgi?id=199837
29Reported-by: Xu Wen <wen.xu@gatech.edu>
30Signed-off-by: Qu Wenruo <wqu@suse.com>
31Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
32Reviewed-by: David Sterba <dsterba@suse.com>
33Signed-off-by: David Sterba <dsterba@suse.com>
34Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
35Signed-off-by: Sasha Levin <sashal@kernel.org>
36Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
37---
38 fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++++++-
39 1 file changed, 27 insertions(+), 1 deletion(-)
40
41diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
42index fdc42eddccc2..83791d13c204 100644
43--- a/fs/btrfs/extent-tree.c
44+++ b/fs/btrfs/extent-tree.c
45@@ -9828,6 +9828,8 @@ static int find_first_block_group(struct btrfs_fs_info *fs_info,
46 int ret = 0;
47 struct btrfs_key found_key;
48 struct extent_buffer *leaf;
49+ struct btrfs_block_group_item bg;
50+ u64 flags;
51 int slot;
52
53 ret = btrfs_search_slot(NULL, root, key, path, 0, 0);
54@@ -9862,8 +9864,32 @@ static int find_first_block_group(struct btrfs_fs_info *fs_info,
55 "logical %llu len %llu found bg but no related chunk",
56 found_key.objectid, found_key.offset);
57 ret = -ENOENT;
58+ } else if (em->start != found_key.objectid ||
59+ em->len != found_key.offset) {
60+ btrfs_err(fs_info,
61+ "block group %llu len %llu mismatch with chunk %llu len %llu",
62+ found_key.objectid, found_key.offset,
63+ em->start, em->len);
64+ ret = -EUCLEAN;
65 } else {
66- ret = 0;
67+ read_extent_buffer(leaf, &bg,
68+ btrfs_item_ptr_offset(leaf, slot),
69+ sizeof(bg));
70+ flags = btrfs_block_group_flags(&bg) &
71+ BTRFS_BLOCK_GROUP_TYPE_MASK;
72+
73+ if (flags != (em->map_lookup->type &
74+ BTRFS_BLOCK_GROUP_TYPE_MASK)) {
75+ btrfs_err(fs_info,
76+"block group %llu len %llu type flags 0x%llx mismatch with chunk type flags 0x%llx",
77+ found_key.objectid,
78+ found_key.offset, flags,
79+ (BTRFS_BLOCK_GROUP_TYPE_MASK &
80+ em->map_lookup->type));
81+ ret = -EUCLEAN;
82+ } else {
83+ ret = 0;
84+ }
85 }
86 free_extent_map(em);
87 goto out;
88--
892.19.2 \ No newline at end of file
diff --git a/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch b/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
deleted file mode 100644
index 5dd853f..0000000
--- a/patches/cve/CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch
+++ /dev/null
@@ -1,76 +0,0 @@
1From f7eef132ccc95c9af50b647c5da0511d2b8492f8 Mon Sep 17 00:00:00 2001
2From: Gu Jinxiang <gujx@cn.fujitsu.com>
3Date: Wed, 4 Jul 2018 18:16:39 +0800
4Subject: [PATCH] btrfs: validate type when reading a chunk
5
6commit 315409b0098fb2651d86553f0436b70502b29bb2 upstream.
7
8Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199839, with an
9image that has an invalid chunk type but does not return an error.
10
11Add chunk type check in btrfs_check_chunk_valid, to detect the wrong
12type combinations.
13
14CVE: CVE-2018-14611
15Upstream-Status: Backport
16
17Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839
18Reported-by: Xu Wen <wen.xu@gatech.edu>
19Reviewed-by: Qu Wenruo <wqu@suse.com>
20Signed-off-by: Gu Jinxiang <gujx@cn.fujitsu.com>
21Signed-off-by: David Sterba <dsterba@suse.com>
22Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
23Signed-off-by: Sasha Levin <sashal@kernel.org>
24Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
25---
26 fs/btrfs/volumes.c | 28 ++++++++++++++++++++++++++++
27 1 file changed, 28 insertions(+)
28
29diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
30index a0947f4a3e87..cfd5728e7519 100644
31--- a/fs/btrfs/volumes.c
32+++ b/fs/btrfs/volumes.c
33@@ -6353,6 +6353,8 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info,
34 u16 num_stripes;
35 u16 sub_stripes;
36 u64 type;
37+ u64 features;
38+ bool mixed = false;
39
40 length = btrfs_chunk_length(leaf, chunk);
41 stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
42@@ -6391,6 +6393,32 @@ static int btrfs_check_chunk_valid(struct btrfs_fs_info *fs_info,
43 btrfs_chunk_type(leaf, chunk));
44 return -EIO;
45 }
46+
47+ if ((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0) {
48+ btrfs_err(fs_info, "missing chunk type flag: 0x%llx", type);
49+ return -EIO;
50+ }
51+
52+ if ((type & BTRFS_BLOCK_GROUP_SYSTEM) &&
53+ (type & (BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA))) {
54+ btrfs_err(fs_info,
55+ "system chunk with data or metadata type: 0x%llx", type);
56+ return -EIO;
57+ }
58+
59+ features = btrfs_super_incompat_flags(fs_info->super_copy);
60+ if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS)
61+ mixed = true;
62+
63+ if (!mixed) {
64+ if ((type & BTRFS_BLOCK_GROUP_METADATA) &&
65+ (type & BTRFS_BLOCK_GROUP_DATA)) {
66+ btrfs_err(fs_info,
67+ "mixed chunk type in non-mixed mode: 0x%llx", type);
68+ return -EIO;
69+ }
70+ }
71+
72 if ((type & BTRFS_BLOCK_GROUP_RAID10 && sub_stripes != 2) ||
73 (type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes < 1) ||
74 (type & BTRFS_BLOCK_GROUP_RAID5 && num_stripes < 2) ||
75--
762.19.2 \ No newline at end of file
diff --git a/patches/cve/CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch b/patches/cve/CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch
deleted file mode 100644
index cc08429..0000000
--- a/patches/cve/CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch
+++ /dev/null
@@ -1,357 +0,0 @@
1From 741c90da7d31dc4bab29aa2a086b3d1ad806adab Mon Sep 17 00:00:00 2001
2From: Andreas Wellving <andreas.wellving@enea.com>
3Date: Fri, 25 Jan 2019 13:12:32 +0000
4Subject: [PATCH] f2fs: fix to do sanity check with cp_pack_start_sum
5
6commit e494c2f995d6181d6e29c4927d68e0f295ecf75b upstream.
7
8After fuzzing, cp_pack_start_sum could be corrupted, so current log's
9summary info should be wrong due to loading incorrect summary block.
10Then, if segment's type in current log is exceeded NR_CURSEG_TYPE, it
11can lead accessing invalid dirty_i->dirty_segmap bitmap finally.
12
13Add sanity check for cp_pack_start_sum to fix this issue.
14
15https://bugzilla.kernel.org/show_bug.cgi?id=200419
16
17- Reproduce
18
19- Kernel message (f2fs-dev w/ KASAN)
20[ 3117.578432] F2FS-fs (loop0): Invalid log blocks per segment (8)
21
22[ 3117.578445] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
23[ 3117.581364] F2FS-fs (loop0): invalid crc_offset: 30716
24[ 3117.583564] WARNING: CPU: 1 PID: 1225 at fs/f2fs/checkpoint.c:90 __get_meta_page+0x448/0x4b0
25[ 3117.583570] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
26[ 3117.584014] CPU: 1 PID: 1225 Comm: mount Not tainted 4.17.0+ #1
27[ 3117.584017] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
28[ 3117.584022] RIP: 0010:__get_meta_page+0x448/0x4b0
29[ 3117.584023] Code: 00 49 8d bc 24 84 00 00 00 e8 74 54 da ff 41 83 8c 24 84 00 00 00 08 4c 89 f6 4c 89 ef e8 c0 d9 95 00 48 89 ef e8 18 e3 00 00 <0f> 0b f0 80 4d 48 04 e9 0f fe ff ff 0f 0b 48 89 c7 48 89 04 24 e8
30[ 3117.584072] RSP: 0018:ffff88018eb678c0 EFLAGS: 00010286
31[ 3117.584082] RAX: ffff88018f0a6a78 RBX: ffffea0007a46600 RCX: ffffffff9314d1b2
32[ 3117.584085] RDX: ffffffff00000001 RSI: 0000000000000000 RDI: ffff88018f0a6a98
33[ 3117.584087] RBP: ffff88018ebe9980 R08: 0000000000000002 R09: 0000000000000001
34[ 3117.584090] R10: 0000000000000001 R11: ffffed00326e4450 R12: ffff880193722200
35[ 3117.584092] R13: ffff88018ebe9afc R14: 0000000000000206 R15: ffff88018eb67900
36[ 3117.584096] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
37[ 3117.584098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
38[ 3117.584101] CR2: 00000000016f21b8 CR3: 0000000191c22000 CR4: 00000000000006e0
39[ 3117.584112] Call Trace:
40[ 3117.584121] ? f2fs_set_meta_page_dirty+0x150/0x150
41[ 3117.584127] ? f2fs_build_segment_manager+0xbf9/0x3190
42[ 3117.584133] ? f2fs_npages_for_summary_flush+0x75/0x120
43[ 3117.584145] f2fs_build_segment_manager+0xda8/0x3190
44[ 3117.584151] ? f2fs_get_valid_checkpoint+0x298/0xa00
45[ 3117.584156] ? f2fs_flush_sit_entries+0x10e0/0x10e0
46[ 3117.584184] ? map_id_range_down+0x17c/0x1b0
47[ 3117.584188] ? __put_user_ns+0x30/0x30
48[ 3117.584206] ? find_next_bit+0x53/0x90
49[ 3117.584237] ? cpumask_next+0x16/0x20
50[ 3117.584249] f2fs_fill_super+0x1948/0x2b40
51[ 3117.584258] ? f2fs_commit_super+0x1a0/0x1a0
52[ 3117.584279] ? sget_userns+0x65e/0x690
53[ 3117.584296] ? set_blocksize+0x88/0x130
54[ 3117.584302] ? f2fs_commit_super+0x1a0/0x1a0
55[ 3117.584305] mount_bdev+0x1c0/0x200
56[ 3117.584310] mount_fs+0x5c/0x190
57[ 3117.584320] vfs_kern_mount+0x64/0x190
58[ 3117.584330] do_mount+0x2e4/0x1450
59[ 3117.584343] ? lockref_put_return+0x130/0x130
60[ 3117.584347] ? copy_mount_string+0x20/0x20
61[ 3117.584357] ? kasan_unpoison_shadow+0x31/0x40
62[ 3117.584362] ? kasan_kmalloc+0xa6/0xd0
63[ 3117.584373] ? memcg_kmem_put_cache+0x16/0x90
64[ 3117.584377] ? __kmalloc_track_caller+0x196/0x210
65[ 3117.584383] ? _copy_from_user+0x61/0x90
66[ 3117.584396] ? memdup_user+0x3e/0x60
67[ 3117.584401] ksys_mount+0x7e/0xd0
68[ 3117.584405] __x64_sys_mount+0x62/0x70
69[ 3117.584427] do_syscall_64+0x73/0x160
70[ 3117.584440] entry_SYSCALL_64_after_hwframe+0x44/0xa9
71[ 3117.584455] RIP: 0033:0x7f5693f14b9a
72[ 3117.584456] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
73[ 3117.584505] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
74[ 3117.584510] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
75[ 3117.584512] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
76[ 3117.584514] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
77[ 3117.584516] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
78[ 3117.584519] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
79[ 3117.584523] ---[ end trace a8e0d899985faf31 ]---
80[ 3117.685663] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.
81[ 3117.685673] F2FS-fs (loop0): recover_data: ino = 2 (i_size: recover) recovered = 1, err = 0
82[ 3117.685707] ==================================================================
83[ 3117.685955] BUG: KASAN: slab-out-of-bounds in __remove_dirty_segment+0xdd/0x1e0
84[ 3117.686175] Read of size 8 at addr ffff88018f0a63d0 by task mount/1225
85
86[ 3117.686477] CPU: 0 PID: 1225 Comm: mount Tainted: G W 4.17.0+ #1
87[ 3117.686481] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
88[ 3117.686483] Call Trace:
89[ 3117.686494] dump_stack+0x71/0xab
90[ 3117.686512] print_address_description+0x6b/0x290
91[ 3117.686517] kasan_report+0x28e/0x390
92[ 3117.686522] ? __remove_dirty_segment+0xdd/0x1e0
93[ 3117.686527] __remove_dirty_segment+0xdd/0x1e0
94[ 3117.686532] locate_dirty_segment+0x189/0x190
95[ 3117.686538] f2fs_allocate_new_segments+0xa9/0xe0
96[ 3117.686543] recover_data+0x703/0x2c20
97[ 3117.686547] ? f2fs_recover_fsync_data+0x48f/0xd50
98[ 3117.686553] ? ksys_mount+0x7e/0xd0
99[ 3117.686564] ? policy_nodemask+0x1a/0x90
100[ 3117.686567] ? policy_node+0x56/0x70
101[ 3117.686571] ? add_fsync_inode+0xf0/0xf0
102[ 3117.686592] ? blk_finish_plug+0x44/0x60
103[ 3117.686597] ? f2fs_ra_meta_pages+0x38b/0x5e0
104[ 3117.686602] ? find_inode_fast+0xac/0xc0
105[ 3117.686606] ? f2fs_is_valid_blkaddr+0x320/0x320
106[ 3117.686618] ? __radix_tree_lookup+0x150/0x150
107[ 3117.686633] ? dqget+0x670/0x670
108[ 3117.686648] ? pagecache_get_page+0x29/0x410
109[ 3117.686656] ? kmem_cache_alloc+0x176/0x1e0
110[ 3117.686660] ? f2fs_is_valid_blkaddr+0x11d/0x320
111[ 3117.686664] f2fs_recover_fsync_data+0xc23/0xd50
112[ 3117.686670] ? f2fs_space_for_roll_forward+0x60/0x60
113[ 3117.686674] ? rb_insert_color+0x323/0x3d0
114[ 3117.686678] ? f2fs_recover_orphan_inodes+0xa5/0x700
115[ 3117.686683] ? proc_register+0x153/0x1d0
116[ 3117.686686] ? f2fs_remove_orphan_inode+0x10/0x10
117[ 3117.686695] ? f2fs_attr_store+0x50/0x50
118[ 3117.686700] ? proc_create_single_data+0x52/0x60
119[ 3117.686707] f2fs_fill_super+0x1d06/0x2b40
120[ 3117.686728] ? f2fs_commit_super+0x1a0/0x1a0
121[ 3117.686735] ? sget_userns+0x65e/0x690
122[ 3117.686740] ? set_blocksize+0x88/0x130
123[ 3117.686745] ? f2fs_commit_super+0x1a0/0x1a0
124[ 3117.686748] mount_bdev+0x1c0/0x200
125[ 3117.686753] mount_fs+0x5c/0x190
126[ 3117.686758] vfs_kern_mount+0x64/0x190
127[ 3117.686762] do_mount+0x2e4/0x1450
128[ 3117.686769] ? lockref_put_return+0x130/0x130
129[ 3117.686773] ? copy_mount_string+0x20/0x20
130[ 3117.686777] ? kasan_unpoison_shadow+0x31/0x40
131[ 3117.686780] ? kasan_kmalloc+0xa6/0xd0
132[ 3117.686786] ? memcg_kmem_put_cache+0x16/0x90
133[ 3117.686790] ? __kmalloc_track_caller+0x196/0x210
134[ 3117.686795] ? _copy_from_user+0x61/0x90
135[ 3117.686801] ? memdup_user+0x3e/0x60
136[ 3117.686804] ksys_mount+0x7e/0xd0
137[ 3117.686809] __x64_sys_mount+0x62/0x70
138[ 3117.686816] do_syscall_64+0x73/0x160
139[ 3117.686824] entry_SYSCALL_64_after_hwframe+0x44/0xa9
140[ 3117.686829] RIP: 0033:0x7f5693f14b9a
141[ 3117.686830] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
142[ 3117.686887] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
143[ 3117.686892] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
144[ 3117.686894] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
145[ 3117.686896] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
146[ 3117.686899] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
147[ 3117.686901] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
148
149[ 3117.687005] Allocated by task 1225:
150[ 3117.687152] kasan_kmalloc+0xa6/0xd0
151[ 3117.687157] kmem_cache_alloc_trace+0xfd/0x200
152[ 3117.687161] f2fs_build_segment_manager+0x2d09/0x3190
153[ 3117.687165] f2fs_fill_super+0x1948/0x2b40
154[ 3117.687168] mount_bdev+0x1c0/0x200
155[ 3117.687171] mount_fs+0x5c/0x190
156[ 3117.687174] vfs_kern_mount+0x64/0x190
157[ 3117.687177] do_mount+0x2e4/0x1450
158[ 3117.687180] ksys_mount+0x7e/0xd0
159[ 3117.687182] __x64_sys_mount+0x62/0x70
160[ 3117.687186] do_syscall_64+0x73/0x160
161[ 3117.687190] entry_SYSCALL_64_after_hwframe+0x44/0xa9
162
163[ 3117.687285] Freed by task 19:
164[ 3117.687412] __kasan_slab_free+0x137/0x190
165[ 3117.687416] kfree+0x8b/0x1b0
166[ 3117.687460] ttm_bo_man_put_node+0x61/0x80 [ttm]
167[ 3117.687476] ttm_bo_cleanup_refs+0x15f/0x250 [ttm]
168[ 3117.687492] ttm_bo_delayed_delete+0x2f0/0x300 [ttm]
169[ 3117.687507] ttm_bo_delayed_workqueue+0x17/0x50 [ttm]
170[ 3117.687528] process_one_work+0x2f9/0x740
171[ 3117.687531] worker_thread+0x78/0x6b0
172[ 3117.687541] kthread+0x177/0x1c0
173[ 3117.687545] ret_from_fork+0x35/0x40
174
175[ 3117.687638] The buggy address belongs to the object at ffff88018f0a6300
176 which belongs to the cache kmalloc-192 of size 192
177[ 3117.688014] The buggy address is located 16 bytes to the right of
178 192-byte region [ffff88018f0a6300, ffff88018f0a63c0)
179[ 3117.688382] The buggy address belongs to the page:
180[ 3117.688554] page:ffffea00063c2980 count:1 mapcount:0 mapping:ffff8801f3403180 index:0x0
181[ 3117.688788] flags: 0x17fff8000000100(slab)
182[ 3117.688944] raw: 017fff8000000100 ffffea00063c2840 0000000e0000000e ffff8801f3403180
183[ 3117.689166] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
184[ 3117.689386] page dumped because: kasan: bad access detected
185
186[ 3117.689653] Memory state around the buggy address:
187[ 3117.689816] ffff88018f0a6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
188[ 3117.690027] ffff88018f0a6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
189[ 3117.690239] >ffff88018f0a6380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
190[ 3117.690448] ^
191[ 3117.690644] ffff88018f0a6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
192[ 3117.690868] ffff88018f0a6480: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
193[ 3117.691077] ==================================================================
194[ 3117.691290] Disabling lock debugging due to kernel taint
195[ 3117.693893] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
196[ 3117.694120] PGD 80000001f01bc067 P4D 80000001f01bc067 PUD 1d9638067 PMD 0
197[ 3117.694338] Oops: 0002 [#1] SMP KASAN PTI
198[ 3117.694490] CPU: 1 PID: 1225 Comm: mount Tainted: G B W 4.17.0+ #1
199[ 3117.694703] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
200[ 3117.695073] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0
201[ 3117.695246] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 <f0> 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7
202[ 3117.695793] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292
203[ 3117.695969] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000
204[ 3117.696182] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
205[ 3117.696391] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb
206[ 3117.696604] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019
207[ 3117.696813] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0
208[ 3117.697032] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
209[ 3117.697280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
210[ 3117.702357] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0
211[ 3117.707235] Call Trace:
212[ 3117.712077] locate_dirty_segment+0x189/0x190
213[ 3117.716891] f2fs_allocate_new_segments+0xa9/0xe0
214[ 3117.721617] recover_data+0x703/0x2c20
215[ 3117.726316] ? f2fs_recover_fsync_data+0x48f/0xd50
216[ 3117.730957] ? ksys_mount+0x7e/0xd0
217[ 3117.735573] ? policy_nodemask+0x1a/0x90
218[ 3117.740198] ? policy_node+0x56/0x70
219[ 3117.744829] ? add_fsync_inode+0xf0/0xf0
220[ 3117.749487] ? blk_finish_plug+0x44/0x60
221[ 3117.754152] ? f2fs_ra_meta_pages+0x38b/0x5e0
222[ 3117.758831] ? find_inode_fast+0xac/0xc0
223[ 3117.763448] ? f2fs_is_valid_blkaddr+0x320/0x320
224[ 3117.768046] ? __radix_tree_lookup+0x150/0x150
225[ 3117.772603] ? dqget+0x670/0x670
226[ 3117.777159] ? pagecache_get_page+0x29/0x410
227[ 3117.781648] ? kmem_cache_alloc+0x176/0x1e0
228[ 3117.786067] ? f2fs_is_valid_blkaddr+0x11d/0x320
229[ 3117.790476] f2fs_recover_fsync_data+0xc23/0xd50
230[ 3117.794790] ? f2fs_space_for_roll_forward+0x60/0x60
231[ 3117.799086] ? rb_insert_color+0x323/0x3d0
232[ 3117.803304] ? f2fs_recover_orphan_inodes+0xa5/0x700
233[ 3117.807563] ? proc_register+0x153/0x1d0
234[ 3117.811766] ? f2fs_remove_orphan_inode+0x10/0x10
235[ 3117.815947] ? f2fs_attr_store+0x50/0x50
236[ 3117.820087] ? proc_create_single_data+0x52/0x60
237[ 3117.824262] f2fs_fill_super+0x1d06/0x2b40
238[ 3117.828367] ? f2fs_commit_super+0x1a0/0x1a0
239[ 3117.832432] ? sget_userns+0x65e/0x690
240[ 3117.836500] ? set_blocksize+0x88/0x130
241[ 3117.840501] ? f2fs_commit_super+0x1a0/0x1a0
242[ 3117.844420] mount_bdev+0x1c0/0x200
243[ 3117.848275] mount_fs+0x5c/0x190
244[ 3117.852053] vfs_kern_mount+0x64/0x190
245[ 3117.855810] do_mount+0x2e4/0x1450
246[ 3117.859441] ? lockref_put_return+0x130/0x130
247[ 3117.862996] ? copy_mount_string+0x20/0x20
248[ 3117.866417] ? kasan_unpoison_shadow+0x31/0x40
249[ 3117.869719] ? kasan_kmalloc+0xa6/0xd0
250[ 3117.872948] ? memcg_kmem_put_cache+0x16/0x90
251[ 3117.876121] ? __kmalloc_track_caller+0x196/0x210
252[ 3117.879333] ? _copy_from_user+0x61/0x90
253[ 3117.882467] ? memdup_user+0x3e/0x60
254[ 3117.885604] ksys_mount+0x7e/0xd0
255[ 3117.888700] __x64_sys_mount+0x62/0x70
256[ 3117.891742] do_syscall_64+0x73/0x160
257[ 3117.894692] entry_SYSCALL_64_after_hwframe+0x44/0xa9
258[ 3117.897669] RIP: 0033:0x7f5693f14b9a
259[ 3117.900563] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
260[ 3117.906922] RSP: 002b:00007fff27346488 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
261[ 3117.910159] RAX: ffffffffffffffda RBX: 00000000016e2030 RCX: 00007f5693f14b9a
262[ 3117.913469] RDX: 00000000016e2210 RSI: 00000000016e3f30 RDI: 00000000016ee040
263[ 3117.916764] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
264[ 3117.920071] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000016ee040
265[ 3117.923393] R13: 00000000016e2210 R14: 0000000000000000 R15: 0000000000000003
266[ 3117.926680] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev input_leds serio_raw snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel psmouse aes_x86_64 8139cp crypto_simd cryptd mii glue_helper pata_acpi floppy
267[ 3117.949979] CR2: 0000000000000000
268[ 3117.954283] ---[ end trace a8e0d899985faf32 ]---
269[ 3117.958575] RIP: 0010:__remove_dirty_segment+0xe2/0x1e0
270[ 3117.962810] Code: c4 48 89 c7 e8 cf bb d7 ff 45 0f b6 24 24 41 83 e4 3f 44 88 64 24 07 41 83 e4 3f 4a 8d 7c e3 08 e8 b3 bc d7 ff 4a 8b 4c e3 08 <f0> 4c 0f b3 29 0f 82 94 00 00 00 48 8d bd 20 04 00 00 e8 97 bb d7
271[ 3117.971789] RSP: 0018:ffff88018eb67638 EFLAGS: 00010292
272[ 3117.976333] RAX: 0000000000000000 RBX: ffff88018f0a6300 RCX: 0000000000000000
273[ 3117.980926] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
274[ 3117.985497] RBP: ffff88018ebe9980 R08: ffffed003e743ebb R09: ffffed003e743ebb
275[ 3117.990098] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000019
276[ 3117.994761] R13: 0000000000000014 R14: 0000000000000320 R15: ffff88018ebe99e0
277[ 3117.999392] FS: 00007f5694636840(0000) GS:ffff8801f3b00000(0000) knlGS:0000000000000000
278[ 3118.004096] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
279[ 3118.008816] CR2: 00007fe89bb1a000 CR3: 0000000191c22000 CR4: 00000000000006e0
280
281- Location
282https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/f2fs/segment.c#L775
283 if (test_and_clear_bit(segno, dirty_i->dirty_segmap[t]))
284 dirty_i->nr_dirty[t]--;
285Here dirty_i->dirty_segmap[t] can be NULL which leads to crash in test_and_clear_bit()
286
287CVE: CVE-2018-14614
288Upstream-Status: Backport
289
290Reported-by Wen Xu <wen.xu@gatech.edu>
291Signed-off-by: Chao Yu <yuchao0@huawei.com>
292Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
293[bwh: Backported to 4.14: The function is called sanity_check_ckpt()]
294Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
295Signed-off-by: Sasha Levin <sashal@kernel.org>
296Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
297---
298 fs/f2fs/checkpoint.c | 8 ++++----
299 fs/f2fs/super.c | 12 ++++++++++++
300 2 files changed, 16 insertions(+), 4 deletions(-)
301
302diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
303index c282e21f5b5e..0a78a6898e57 100644
304--- a/fs/f2fs/checkpoint.c
305+++ b/fs/f2fs/checkpoint.c
306@@ -799,15 +799,15 @@ int get_valid_checkpoint(struct f2fs_sb_info *sbi)
307 cp_block = (struct f2fs_checkpoint *)page_address(cur_page);
308 memcpy(sbi->ckpt, cp_block, blk_size);
309
310- /* Sanity checking of checkpoint */
311- if (sanity_check_ckpt(sbi))
312- goto free_fail_no_cp;
313-
314 if (cur_page == cp1)
315 sbi->cur_cp_pack = 1;
316 else
317 sbi->cur_cp_pack = 2;
318
319+ /* Sanity checking of checkpoint */
320+ if (sanity_check_ckpt(sbi))
321+ goto free_fail_no_cp;
322+
323 if (cp_blks <= 1)
324 goto done;
325
326diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
327index 75af507273a4..cf3830474c22 100644
328--- a/fs/f2fs/super.c
329+++ b/fs/f2fs/super.c
330@@ -1885,6 +1885,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
331 unsigned int main_segs, blocks_per_seg;
332 unsigned int log_blocks_per_seg;
333 unsigned int segment_count_main;
334+ unsigned int cp_pack_start_sum, cp_payload;
335 block_t user_block_count;
336 int i;
337
338@@ -1932,6 +1933,17 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
339 return 1;
340 }
341
342+ cp_pack_start_sum = __start_sum_addr(sbi);
343+ cp_payload = __cp_payload(sbi);
344+ if (cp_pack_start_sum < cp_payload + 1 ||
345+ cp_pack_start_sum > blocks_per_seg - 1 -
346+ NR_CURSEG_TYPE) {
347+ f2fs_msg(sbi->sb, KERN_ERR,
348+ "Wrong cp_pack_start_sum: %u",
349+ cp_pack_start_sum);
350+ return 1;
351+ }
352+
353 if (unlikely(f2fs_cp_error(sbi))) {
354 f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
355 return 1;
356--
3572.19.2
diff --git a/patches/cve/CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch b/patches/cve/CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
deleted file mode 100644
index d51b3c8..0000000
--- a/patches/cve/CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
+++ /dev/null
@@ -1,199 +0,0 @@
1From f15c072d6576c5e2b693c22e39ccc9103c952078 Mon Sep 17 00:00:00 2001
2From: Stefan Hajnoczi <stefanha@redhat.com>
3Date: Mon, 5 Nov 2018 10:35:47 +0000
4Subject: [PATCH] vhost/vsock: fix use-after-free in network stack callers
5
6commit 834e772c8db0c6a275d75315d90aba4ebbb1e249 upstream.
7
8If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
9a struct vhost_vsock use-after-free is possible. This occurs because
10.release() does not wait for other CPUs to stop using struct
11vhost_vsock.
12
13Switch to an RCU-enabled hashtable (indexed by guest CID) so that
14.release() can wait for other CPUs by calling synchronize_rcu(). This
15also eliminates vhost_vsock_lock acquisition in the data path so it
16could have a positive effect on performance.
17
18This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".
19
20CVE: CVE-2018-14625
21Upstream-Status: Backport
22
23Cc: stable@vger.kernel.org
24Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
25Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
26Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
27Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
28Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
29Acked-by: Jason Wang <jasowang@redhat.com>
30Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
31Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
32---
33 drivers/vhost/vsock.c | 57 +++++++++++++++++++++++++------------------
34 1 file changed, 33 insertions(+), 24 deletions(-)
35
36diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
37index c9de9c41aa97..b044a0800805 100644
38--- a/drivers/vhost/vsock.c
39+++ b/drivers/vhost/vsock.c
40@@ -15,6 +15,7 @@
41 #include <net/sock.h>
42 #include <linux/virtio_vsock.h>
43 #include <linux/vhost.h>
44+#include <linux/hashtable.h>
45
46 #include <net/af_vsock.h>
47 #include "vhost.h"
48@@ -27,14 +28,14 @@ enum {
49
50 /* Used to track all the vhost_vsock instances on the system. */
51 static DEFINE_SPINLOCK(vhost_vsock_lock);
52-static LIST_HEAD(vhost_vsock_list);
53+static DEFINE_READ_MOSTLY_HASHTABLE(vhost_vsock_hash, 8);
54
55 struct vhost_vsock {
56 struct vhost_dev dev;
57 struct vhost_virtqueue vqs[2];
58
59- /* Link to global vhost_vsock_list, protected by vhost_vsock_lock */
60- struct list_head list;
61+ /* Link to global vhost_vsock_hash, writes use vhost_vsock_lock */
62+ struct hlist_node hash;
63
64 struct vhost_work send_pkt_work;
65 spinlock_t send_pkt_list_lock;
66@@ -50,11 +51,14 @@ static u32 vhost_transport_get_local_cid(void)
67 return VHOST_VSOCK_DEFAULT_HOST_CID;
68 }
69
70-static struct vhost_vsock *__vhost_vsock_get(u32 guest_cid)
71+/* Callers that dereference the return value must hold vhost_vsock_lock or the
72+ * RCU read lock.
73+ */
74+static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
75 {
76 struct vhost_vsock *vsock;
77
78- list_for_each_entry(vsock, &vhost_vsock_list, list) {
79+ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
80 u32 other_cid = vsock->guest_cid;
81
82 /* Skip instances that have no CID yet */
83@@ -69,17 +73,6 @@ static struct vhost_vsock *__vhost_vsock_get(u32 guest_cid)
84 return NULL;
85 }
86
87-static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
88-{
89- struct vhost_vsock *vsock;
90-
91- spin_lock_bh(&vhost_vsock_lock);
92- vsock = __vhost_vsock_get(guest_cid);
93- spin_unlock_bh(&vhost_vsock_lock);
94-
95- return vsock;
96-}
97-
98 static void
99 vhost_transport_do_send_pkt(struct vhost_vsock *vsock,
100 struct vhost_virtqueue *vq)
101@@ -210,9 +203,12 @@ vhost_transport_send_pkt(struct virtio_vsock_pkt *pkt)
102 struct vhost_vsock *vsock;
103 int len = pkt->len;
104
105+ rcu_read_lock();
106+
107 /* Find the vhost_vsock according to guest context id */
108 vsock = vhost_vsock_get(le64_to_cpu(pkt->hdr.dst_cid));
109 if (!vsock) {
110+ rcu_read_unlock();
111 virtio_transport_free_pkt(pkt);
112 return -ENODEV;
113 }
114@@ -225,6 +221,8 @@ vhost_transport_send_pkt(struct virtio_vsock_pkt *pkt)
115 spin_unlock_bh(&vsock->send_pkt_list_lock);
116
117 vhost_work_queue(&vsock->dev, &vsock->send_pkt_work);
118+
119+ rcu_read_unlock();
120 return len;
121 }
122
123@@ -234,12 +232,15 @@ vhost_transport_cancel_pkt(struct vsock_sock *vsk)
124 struct vhost_vsock *vsock;
125 struct virtio_vsock_pkt *pkt, *n;
126 int cnt = 0;
127+ int ret = -ENODEV;
128 LIST_HEAD(freeme);
129
130+ rcu_read_lock();
131+
132 /* Find the vhost_vsock according to guest context id */
133 vsock = vhost_vsock_get(vsk->remote_addr.svm_cid);
134 if (!vsock)
135- return -ENODEV;
136+ goto out;
137
138 spin_lock_bh(&vsock->send_pkt_list_lock);
139 list_for_each_entry_safe(pkt, n, &vsock->send_pkt_list, list) {
140@@ -265,7 +266,10 @@ vhost_transport_cancel_pkt(struct vsock_sock *vsk)
141 vhost_poll_queue(&tx_vq->poll);
142 }
143
144- return 0;
145+ ret = 0;
146+out:
147+ rcu_read_unlock();
148+ return ret;
149 }
150
151 static struct virtio_vsock_pkt *
152@@ -531,10 +535,6 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file)
153 spin_lock_init(&vsock->send_pkt_list_lock);
154 INIT_LIST_HEAD(&vsock->send_pkt_list);
155 vhost_work_init(&vsock->send_pkt_work, vhost_transport_send_pkt_work);
156-
157- spin_lock_bh(&vhost_vsock_lock);
158- list_add_tail(&vsock->list, &vhost_vsock_list);
159- spin_unlock_bh(&vhost_vsock_lock);
160 return 0;
161
162 out:
163@@ -575,9 +575,13 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
164 struct vhost_vsock *vsock = file->private_data;
165
166 spin_lock_bh(&vhost_vsock_lock);
167- list_del(&vsock->list);
168+ if (vsock->guest_cid)
169+ hash_del_rcu(&vsock->hash);
170 spin_unlock_bh(&vhost_vsock_lock);
171
172+ /* Wait for other CPUs to finish using vsock */
173+ synchronize_rcu();
174+
175 /* Iterating over all connections for all CIDs to find orphans is
176 * inefficient. Room for improvement here. */
177 vsock_for_each_connected_socket(vhost_vsock_reset_orphans);
178@@ -618,12 +622,17 @@ static int vhost_vsock_set_cid(struct vhost_vsock *vsock, u64 guest_cid)
179
180 /* Refuse if CID is already in use */
181 spin_lock_bh(&vhost_vsock_lock);
182- other = __vhost_vsock_get(guest_cid);
183+ other = vhost_vsock_get(guest_cid);
184 if (other && other != vsock) {
185 spin_unlock_bh(&vhost_vsock_lock);
186 return -EADDRINUSE;
187 }
188+
189+ if (vsock->guest_cid)
190+ hash_del_rcu(&vsock->hash);
191+
192 vsock->guest_cid = guest_cid;
193+ hash_add_rcu(vhost_vsock_hash, &vsock->hash, guest_cid);
194 spin_unlock_bh(&vhost_vsock_lock);
195
196 return 0;
197--
1982.19.2
199
diff --git a/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch b/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
deleted file mode 100644
index 3ffd412..0000000
--- a/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
+++ /dev/null
@@ -1,188 +0,0 @@
1From 755e45f3155cc51e37dc1cce9ccde10b84df7d93 Mon Sep 17 00:00:00 2001
2From: Vincent Pelletier <plr.vincent@gmail.com>
3Date: Sun, 9 Sep 2018 04:09:26 +0000
4Subject: [PATCH] scsi: target: iscsi: Use hex2bin instead of a
5 re-implementation
6
7commit 1816494330a83f2a064499d8ed2797045641f92c upstream.
8
9This change has the following effects, in order of descreasing importance:
10
111) Prevent a stack buffer overflow
12
132) Do not append an unnecessary NULL to an anyway binary buffer, which
14 is writing one byte past client_digest when caller is:
15 chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
16
17The latter was found by KASAN (see below) when input value hes expected size
18(32 hex chars), and further analysis revealed a stack buffer overflow can
19happen when network-received value is longer, allowing an unauthenticated
20remote attacker to smash up to 17 bytes after destination buffer (16 bytes
21attacker-controlled and one null). As switching to hex2bin requires
22specifying destination buffer length, and does not internally append any null,
23it solves both issues.
24
25This addresses CVE-2018-14633.
26
27Beyond this:
28
29- Validate received value length and check hex2bin accepted the input, to log
30 this rejection reason instead of just failing authentication.
31
32- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
33
34==================================================================
35BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
36Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
37
38CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
39Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
40Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
41Call Trace:
42 dump_stack+0x71/0xac
43 print_address_description+0x65/0x22e
44 ? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
45 kasan_report.cold.6+0x241/0x2fd
46 chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
47 chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
48 ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
49 ? ftrace_caller_op_ptr+0xe/0xe
50 ? __orc_find+0x6f/0xc0
51 ? unwind_next_frame+0x231/0x850
52 ? kthread+0x1a0/0x1c0
53 ? ret_from_fork+0x35/0x40
54 ? ret_from_fork+0x35/0x40
55 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
56 ? deref_stack_reg+0xd0/0xd0
57 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
58 ? is_module_text_address+0xa/0x11
59 ? kernel_text_address+0x4c/0x110
60 ? __save_stack_trace+0x82/0x100
61 ? ret_from_fork+0x35/0x40
62 ? save_stack+0x8c/0xb0
63 ? 0xffffffffc1660000
64 ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
65 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
66 ? process_one_work+0x35c/0x640
67 ? worker_thread+0x66/0x5d0
68 ? kthread+0x1a0/0x1c0
69 ? ret_from_fork+0x35/0x40
70 ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
71 ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
72 chap_main_loop+0x172/0x570 [iscsi_target_mod]
73 ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
74 ? rx_data+0xd6/0x120 [iscsi_target_mod]
75 ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
76 ? cyc2ns_read_begin.part.2+0x90/0x90
77 ? _raw_spin_lock_irqsave+0x25/0x50
78 ? memcmp+0x45/0x70
79 iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
80 ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
81 ? del_timer+0xe0/0xe0
82 ? memset+0x1f/0x40
83 ? flush_sigqueue+0x29/0xd0
84 iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
85 ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
86 ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
87 process_one_work+0x35c/0x640
88 worker_thread+0x66/0x5d0
89 ? flush_rcu_work+0x40/0x40
90 kthread+0x1a0/0x1c0
91 ? kthread_bind+0x30/0x30
92 ret_from_fork+0x35/0x40
93
94The buggy address belongs to the page:
95page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
96flags: 0x17fffc000000000()
97raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
98raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
99page dumped because: kasan: bad access detected
100
101Memory state around the buggy address:
102 ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
103 ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
104>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
105 ^
106 ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
107 ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
108==================================================================
109
110CVE: CVE-2018-14633
111Upstream-Status: Backport
112
113Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
114Reviewed-by: Mike Christie <mchristi@redhat.com>
115Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
116Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
117Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
118---
119 drivers/target/iscsi/iscsi_target_auth.c | 30 +++++++++++-------------
120 1 file changed, 14 insertions(+), 16 deletions(-)
121
122diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
123index 9518ffd8b8ba..6c3b4c022894 100644
124--- a/drivers/target/iscsi/iscsi_target_auth.c
125+++ b/drivers/target/iscsi/iscsi_target_auth.c
126@@ -26,18 +26,6 @@
127 #include "iscsi_target_nego.h"
128 #include "iscsi_target_auth.h"
129
130-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
131-{
132- int j = DIV_ROUND_UP(len, 2), rc;
133-
134- rc = hex2bin(dst, src, j);
135- if (rc < 0)
136- pr_debug("CHAP string contains non hex digit symbols\n");
137-
138- dst[j] = '\0';
139- return j;
140-}
141-
142 static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
143 {
144 int i;
145@@ -248,9 +236,16 @@ static int chap_server_compute_md5(
146 pr_err("Could not find CHAP_R.\n");
147 goto out;
148 }
149+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
150+ pr_err("Malformed CHAP_R\n");
151+ goto out;
152+ }
153+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
154+ pr_err("Malformed CHAP_R\n");
155+ goto out;
156+ }
157
158 pr_debug("[server] Got CHAP_R=%s\n", chap_r);
159- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
160
161 tfm = crypto_alloc_shash("md5", 0, 0);
162 if (IS_ERR(tfm)) {
163@@ -349,9 +344,7 @@ static int chap_server_compute_md5(
164 pr_err("Could not find CHAP_C.\n");
165 goto out;
166 }
167- pr_debug("[server] Got CHAP_C=%s\n", challenge);
168- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
169- strlen(challenge));
170+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
171 if (!challenge_len) {
172 pr_err("Unable to convert incoming challenge\n");
173 goto out;
174@@ -360,6 +353,11 @@ static int chap_server_compute_md5(
175 pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
176 goto out;
177 }
178+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
179+ pr_err("Malformed CHAP_C\n");
180+ goto out;
181+ }
182+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
183 /*
184 * During mutual authentication, the CHAP_C generated by the
185 * initiator must not match the original CHAP_C generated by
186--
1872.19.2
188
diff --git a/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch b/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
deleted file mode 100644
index 36878cb..0000000
--- a/patches/cve/CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
+++ /dev/null
@@ -1,167 +0,0 @@
1From 65dba32522065b79a16393efc75f8006c2c3dbb8 Mon Sep 17 00:00:00 2001
2From: Vasily Averin <vvs@virtuozzo.com>
3Date: Mon, 24 Dec 2018 14:44:52 +0300
4Subject: [PATCH] sunrpc: use-after-free in svc_process_common()
5
6commit d4b09acf924b84bae77cad090a9d108e70b43643 upstream.
7
8if node have NFSv41+ mounts inside several net namespaces
9it can lead to use-after-free in svc_process_common()
10
11svc_process_common()
12 /* Setup reply header */
13 rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp); <<< HERE
14
15svc_process_common() can use incorrect rqstp->rq_xprt,
16its caller function bc_svc_process() takes it from serv->sv_bc_xprt.
17The problem is that serv is global structure but sv_bc_xprt
18is assigned per-netnamespace.
19
20According to Trond, the whole "let's set up rqstp->rq_xprt
21for the back channel" is nothing but a giant hack in order
22to work around the fact that svc_process_common() uses it
23to find the xpt_ops, and perform a couple of (meaningless
24for the back channel) tests of xpt_flags.
25
26All we really need in svc_process_common() is to be able to run
27rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr()
28
29Bruce J Fields points that this xpo_prep_reply_hdr() call
30is an awfully roundabout way just to do "svc_putnl(resv, 0);"
31in the tcp case.
32
33This patch does not initialiuze rqstp->rq_xprt in bc_svc_process(),
34now it calls svc_process_common() with rqstp->rq_xprt = NULL.
35
36To adjust reply header svc_process_common() just check
37rqstp->rq_prot and calls svc_tcp_prep_reply_hdr() for tcp case.
38
39To handle rqstp->rq_xprt = NULL case in functions called from
40svc_process_common() patch intruduces net namespace pointer
41svc_rqst->rq_bc_net and adjust SVC_NET() definition.
42Some other function was also adopted to properly handle described case.
43
44CVE: CVE-2018-16884
45Upstream-Status: Backport
46
47Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
48Cc: stable@vger.kernel.org
49Fixes: 23c20ecd4475 ("NFS: callback up - users counting cleanup")
50Signed-off-by: J. Bruce Fields <bfields@redhat.com>
51v2: - added lost extern svc_tcp_prep_reply_hdr()
52 - dropped trace_svc_process() changes
53Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
54Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
55Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
56---
57 include/linux/sunrpc/svc.h | 5 ++++-
58 net/sunrpc/svc.c | 11 +++++++----
59 net/sunrpc/svc_xprt.c | 5 +++--
60 net/sunrpc/svcsock.c | 2 +-
61 4 files changed, 15 insertions(+), 8 deletions(-)
62
63diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
64index 3b9f0d1dbb80..e1aa80c4d6db 100644
65--- a/include/linux/sunrpc/svc.h
66+++ b/include/linux/sunrpc/svc.h
67@@ -292,9 +292,12 @@ struct svc_rqst {
68 struct svc_cacherep * rq_cacherep; /* cache info */
69 struct task_struct *rq_task; /* service thread */
70 spinlock_t rq_lock; /* per-request lock */
71+ struct net *rq_bc_net; /* pointer to backchannel's
72+ * net namespace
73+ */
74 };
75
76-#define SVC_NET(svc_rqst) (svc_rqst->rq_xprt->xpt_net)
77+#define SVC_NET(rqst) (rqst->rq_xprt ? rqst->rq_xprt->xpt_net : rqst->rq_bc_net)
78
79 /*
80 * Rigorous type checking on sockaddr type conversions
81diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
82index aa04666f929d..3a9a03717212 100644
83--- a/net/sunrpc/svc.c
84+++ b/net/sunrpc/svc.c
85@@ -1144,6 +1144,8 @@ void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...)
86 static __printf(2,3) void svc_printk(struct svc_rqst *rqstp, const char *fmt, ...) {}
87 #endif
88
89+extern void svc_tcp_prep_reply_hdr(struct svc_rqst *);
90+
91 /*
92 * Common routine for processing the RPC request.
93 */
94@@ -1172,7 +1174,8 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
95 clear_bit(RQ_DROPME, &rqstp->rq_flags);
96
97 /* Setup reply header */
98- rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp);
99+ if (rqstp->rq_prot == IPPROTO_TCP)
100+ svc_tcp_prep_reply_hdr(rqstp);
101
102 svc_putu32(resv, rqstp->rq_xid);
103
104@@ -1244,7 +1247,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
105 * for lower versions. RPC_PROG_MISMATCH seems to be the closest
106 * fit.
107 */
108- if (versp->vs_need_cong_ctrl &&
109+ if (versp->vs_need_cong_ctrl && rqstp->rq_xprt &&
110 !test_bit(XPT_CONG_CTRL, &rqstp->rq_xprt->xpt_flags))
111 goto err_bad_vers;
112
113@@ -1335,7 +1338,7 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
114 return 0;
115
116 close:
117- if (test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
118+ if (rqstp->rq_xprt && test_bit(XPT_TEMP, &rqstp->rq_xprt->xpt_flags))
119 svc_close_xprt(rqstp->rq_xprt);
120 dprintk("svc: svc_process close\n");
121 return 0;
122@@ -1462,10 +1465,10 @@ bc_svc_process(struct svc_serv *serv, struct rpc_rqst *req,
123 dprintk("svc: %s(%p)\n", __func__, req);
124
125 /* Build the svc_rqst used by the common processing routine */
126- rqstp->rq_xprt = serv->sv_bc_xprt;
127 rqstp->rq_xid = req->rq_xid;
128 rqstp->rq_prot = req->rq_xprt->prot;
129 rqstp->rq_server = serv;
130+ rqstp->rq_bc_net = req->rq_xprt->xprt_net;
131
132 rqstp->rq_addrlen = sizeof(req->rq_xprt->addr);
133 memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
134diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
135index ea7b5a3a53f0..7e5f849b44cd 100644
136--- a/net/sunrpc/svc_xprt.c
137+++ b/net/sunrpc/svc_xprt.c
138@@ -510,10 +510,11 @@ static struct svc_xprt *svc_xprt_dequeue(struct svc_pool *pool)
139 */
140 void svc_reserve(struct svc_rqst *rqstp, int space)
141 {
142+ struct svc_xprt *xprt = rqstp->rq_xprt;
143+
144 space += rqstp->rq_res.head[0].iov_len;
145
146- if (space < rqstp->rq_reserved) {
147- struct svc_xprt *xprt = rqstp->rq_xprt;
148+ if (xprt && space < rqstp->rq_reserved) {
149 atomic_sub((rqstp->rq_reserved - space), &xprt->xpt_reserved);
150 rqstp->rq_reserved = space;
151
152diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
153index c83df30e9655..d6771f3b715b 100644
154--- a/net/sunrpc/svcsock.c
155+++ b/net/sunrpc/svcsock.c
156@@ -1207,7 +1207,7 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp)
157 /*
158 * Setup response header. TCP has a 4B record length field.
159 */
160-static void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
161+void svc_tcp_prep_reply_hdr(struct svc_rqst *rqstp)
162 {
163 struct kvec *resv = &rqstp->rq_res.head[0];
164
165--
1662.19.2
167
diff --git a/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
deleted file mode 100644
index 9daec53..0000000
--- a/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch
+++ /dev/null
@@ -1,79 +0,0 @@
1From f8566a92ab75d442a823453414c6158b0b3c5ce7 Mon Sep 17 00:00:00 2001
2From: Jann Horn <jannh@google.com>
3Date: Fri, 5 Oct 2018 15:51:58 -0700
4Subject: [PATCH] proc: restrict kernel stack dumps to root
5
6commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.
7
8Currently, you can use /proc/self/task/*/stack to cause a stack walk on
9a task you control while it is running on another CPU. That means that
10the stack can change under the stack walker. The stack walker does
11have guards against going completely off the rails and into random
12kernel memory, but it can interpret random data from your kernel stack
13as instruction pointers and stack pointers. This can cause exposure of
14kernel stack contents to userspace.
15
16Restrict the ability to inspect kernel stacks of arbitrary tasks to root
17in order to prevent a local attacker from exploiting racy stack unwinding
18to leak kernel task stack contents. See the added comment for a longer
19rationale.
20
21There don't seem to be any users of this userspace API that can't
22gracefully bail out if reading from the file fails. Therefore, I believe
23that this change is unlikely to break things. In the case that this patch
24does end up needing a revert, the next-best solution might be to fake a
25single-entry stack based on wchan.
26
27CVE: CVE-2018-17972
28Upstream-Status: Backport
29
30Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
31Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
32Signed-off-by: Jann Horn <jannh@google.com>
33Acked-by: Kees Cook <keescook@chromium.org>
34Cc: Alexey Dobriyan <adobriyan@gmail.com>
35Cc: Ken Chen <kenchen@google.com>
36Cc: Will Deacon <will.deacon@arm.com>
37Cc: Laura Abbott <labbott@redhat.com>
38Cc: Andy Lutomirski <luto@amacapital.net>
39Cc: Catalin Marinas <catalin.marinas@arm.com>
40Cc: Josh Poimboeuf <jpoimboe@redhat.com>
41Cc: Thomas Gleixner <tglx@linutronix.de>
42Cc: Ingo Molnar <mingo@redhat.com>
43Cc: "H . Peter Anvin" <hpa@zytor.com>
44Cc: <stable@vger.kernel.org>
45Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
46Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
47Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
48---
49 fs/proc/base.c | 14 ++++++++++++++
50 1 file changed, 14 insertions(+)
51
52diff --git a/fs/proc/base.c b/fs/proc/base.c
53index c5c42f3e33d1..9063738ff1f0 100644
54--- a/fs/proc/base.c
55+++ b/fs/proc/base.c
56@@ -431,6 +431,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
57 int err;
58 int i;
59
60+ /*
61+ * The ability to racily run the kernel stack unwinder on a running task
62+ * and then observe the unwinder output is scary; while it is useful for
63+ * debugging kernel issues, it can also allow an attacker to leak kernel
64+ * stack contents.
65+ * Doing this in a manner that is at least safe from races would require
66+ * some work to ensure that the remote task can not be scheduled; and
67+ * even then, this would still expose the unwinder as local attack
68+ * surface.
69+ * Therefore, this interface is restricted to root.
70+ */
71+ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
72+ return -EACCES;
73+
74 entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
75 if (!entries)
76 return -ENOMEM;
77--
782.19.2
79
diff --git a/patches/cve/CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch b/patches/cve/CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch
deleted file mode 100644
index c768a9b..0000000
--- a/patches/cve/CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch
+++ /dev/null
@@ -1,179 +0,0 @@
1From 541500abfe9eb30a89ff0a6eb42a21521996d68d Mon Sep 17 00:00:00 2001
2From: Linus Torvalds <torvalds@linux-foundation.org>
3Date: Fri, 12 Oct 2018 15:22:59 -0700
4Subject: [PATCH] mremap: properly flush TLB before releasing the page
5
6commit eb66ae030829605d61fbef1909ce310e29f78821 upstream.
7
8Jann Horn points out that our TLB flushing was subtly wrong for the
9mremap() case. What makes mremap() special is that we don't follow the
10usual "add page to list of pages to be freed, then flush tlb, and then
11free pages". No, mremap() obviously just _moves_ the page from one page
12table location to another.
13
14That matters, because mremap() thus doesn't directly control the
15lifetime of the moved page with a freelist: instead, the lifetime of the
16page is controlled by the page table locking, that serializes access to
17the entry.
18
19As a result, we need to flush the TLB not just before releasing the lock
20for the source location (to avoid any concurrent accesses to the entry),
21but also before we release the destination page table lock (to avoid the
22TLB being flushed after somebody else has already done something to that
23page).
24
25This also makes the whole "need_flush" logic unnecessary, since we now
26always end up flushing the TLB for every valid entry.
27
28CVE: CVE-2018-18281
29Upstream-Status: Backport
30
31Reported-and-tested-by: Jann Horn <jannh@google.com>
32Acked-by: Will Deacon <will.deacon@arm.com>
33Tested-by: Ingo Molnar <mingo@kernel.org>
34Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
35Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
37Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
38---
39 include/linux/huge_mm.h | 2 +-
40 mm/huge_memory.c | 10 ++++------
41 mm/mremap.c | 30 +++++++++++++-----------------
42 3 files changed, 18 insertions(+), 24 deletions(-)
43
44diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
45index 87067d23a48b..bfa38da4c261 100644
46--- a/include/linux/huge_mm.h
47+++ b/include/linux/huge_mm.h
48@@ -42,7 +42,7 @@ extern int mincore_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
49 unsigned char *vec);
50 extern bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
51 unsigned long new_addr, unsigned long old_end,
52- pmd_t *old_pmd, pmd_t *new_pmd, bool *need_flush);
53+ pmd_t *old_pmd, pmd_t *new_pmd);
54 extern int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
55 unsigned long addr, pgprot_t newprot,
56 int prot_numa);
57diff --git a/mm/huge_memory.c b/mm/huge_memory.c
58index 39c1fedcfdb4..adacfe66cf3d 100644
59--- a/mm/huge_memory.c
60+++ b/mm/huge_memory.c
61@@ -1765,7 +1765,7 @@ static pmd_t move_soft_dirty_pmd(pmd_t pmd)
62
63 bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
64 unsigned long new_addr, unsigned long old_end,
65- pmd_t *old_pmd, pmd_t *new_pmd, bool *need_flush)
66+ pmd_t *old_pmd, pmd_t *new_pmd)
67 {
68 spinlock_t *old_ptl, *new_ptl;
69 pmd_t pmd;
70@@ -1796,7 +1796,7 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
71 if (new_ptl != old_ptl)
72 spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);
73 pmd = pmdp_huge_get_and_clear(mm, old_addr, old_pmd);
74- if (pmd_present(pmd) && pmd_dirty(pmd))
75+ if (pmd_present(pmd))
76 force_flush = true;
77 VM_BUG_ON(!pmd_none(*new_pmd));
78
79@@ -1807,12 +1807,10 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
80 }
81 pmd = move_soft_dirty_pmd(pmd);
82 set_pmd_at(mm, new_addr, new_pmd, pmd);
83- if (new_ptl != old_ptl)
84- spin_unlock(new_ptl);
85 if (force_flush)
86 flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);
87- else
88- *need_flush = true;
89+ if (new_ptl != old_ptl)
90+ spin_unlock(new_ptl);
91 spin_unlock(old_ptl);
92 return true;
93 }
94diff --git a/mm/mremap.c b/mm/mremap.c
95index 049470aa1e3e..88ceeb4ef817 100644
96--- a/mm/mremap.c
97+++ b/mm/mremap.c
98@@ -115,7 +115,7 @@ static pte_t move_soft_dirty_pte(pte_t pte)
99 static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
100 unsigned long old_addr, unsigned long old_end,
101 struct vm_area_struct *new_vma, pmd_t *new_pmd,
102- unsigned long new_addr, bool need_rmap_locks, bool *need_flush)
103+ unsigned long new_addr, bool need_rmap_locks)
104 {
105 struct mm_struct *mm = vma->vm_mm;
106 pte_t *old_pte, *new_pte, pte;
107@@ -163,15 +163,17 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
108
109 pte = ptep_get_and_clear(mm, old_addr, old_pte);
110 /*
111- * If we are remapping a dirty PTE, make sure
112+ * If we are remapping a valid PTE, make sure
113 * to flush TLB before we drop the PTL for the
114- * old PTE or we may race with page_mkclean().
115+ * PTE.
116 *
117- * This check has to be done after we removed the
118- * old PTE from page tables or another thread may
119- * dirty it after the check and before the removal.
120+ * NOTE! Both old and new PTL matter: the old one
121+ * for racing with page_mkclean(), the new one to
122+ * make sure the physical page stays valid until
123+ * the TLB entry for the old mapping has been
124+ * flushed.
125 */
126- if (pte_present(pte) && pte_dirty(pte))
127+ if (pte_present(pte))
128 force_flush = true;
129 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
130 pte = move_soft_dirty_pte(pte);
131@@ -179,13 +181,11 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
132 }
133
134 arch_leave_lazy_mmu_mode();
135+ if (force_flush)
136+ flush_tlb_range(vma, old_end - len, old_end);
137 if (new_ptl != old_ptl)
138 spin_unlock(new_ptl);
139 pte_unmap(new_pte - 1);
140- if (force_flush)
141- flush_tlb_range(vma, old_end - len, old_end);
142- else
143- *need_flush = true;
144 pte_unmap_unlock(old_pte - 1, old_ptl);
145 if (need_rmap_locks)
146 drop_rmap_locks(vma);
147@@ -200,7 +200,6 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
148 {
149 unsigned long extent, next, old_end;
150 pmd_t *old_pmd, *new_pmd;
151- bool need_flush = false;
152 unsigned long mmun_start; /* For mmu_notifiers */
153 unsigned long mmun_end; /* For mmu_notifiers */
154
155@@ -231,8 +230,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
156 if (need_rmap_locks)
157 take_rmap_locks(vma);
158 moved = move_huge_pmd(vma, old_addr, new_addr,
159- old_end, old_pmd, new_pmd,
160- &need_flush);
161+ old_end, old_pmd, new_pmd);
162 if (need_rmap_locks)
163 drop_rmap_locks(vma);
164 if (moved)
165@@ -250,10 +248,8 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
166 if (extent > LATENCY_LIMIT)
167 extent = LATENCY_LIMIT;
168 move_ptes(vma, old_pmd, old_addr, old_addr + extent, new_vma,
169- new_pmd, new_addr, need_rmap_locks, &need_flush);
170+ new_pmd, new_addr, need_rmap_locks);
171 }
172- if (need_flush)
173- flush_tlb_range(vma, old_end-len, old_addr);
174
175 mmu_notifier_invalidate_range_end(vma->vm_mm, mmun_start, mmun_end);
176
177--
1782.19.2
179
diff --git a/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch b/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
deleted file mode 100644
index 0d02d22..0000000
--- a/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
+++ /dev/null
@@ -1,118 +0,0 @@
1From 82c5a8c0debac552750a00b4fc7551c89c7b34b8 Mon Sep 17 00:00:00 2001
2From: Andrea Arcangeli <aarcange@redhat.com>
3Date: Fri, 30 Nov 2018 14:09:25 -0800
4Subject: [PATCH] userfaultfd: use ENOENT instead of EFAULT if the atomic copy
5 user fails
6
7commit 9e368259ad988356c4c95150fafd1a06af095d98 upstream.
8
9Patch series "userfaultfd shmem updates".
10
11Jann found two bugs in the userfaultfd shmem MAP_SHARED backend: the
12lack of the VM_MAYWRITE check and the lack of i_size checks.
13
14Then looking into the above we also fixed the MAP_PRIVATE case.
15
16Hugh by source review also found a data loss source if UFFDIO_COPY is
17used on shmem MAP_SHARED PROT_READ mappings (the production usages
18incidentally run with PROT_READ|PROT_WRITE, so the data loss couldn't
19happen in those production usages like with QEMU).
20
21The whole patchset is marked for stable.
22
23We verified QEMU postcopy live migration with guest running on shmem
24MAP_PRIVATE run as well as before after the fix of shmem MAP_PRIVATE.
25Regardless if it's shmem or hugetlbfs or MAP_PRIVATE or MAP_SHARED, QEMU
26unconditionally invokes a punch hole if the guest mapping is filebacked
27and a MADV_DONTNEED too (needed to get rid of the MAP_PRIVATE COWs and
28for the anon backend).
29
30This patch (of 5):
31
32We internally used EFAULT to communicate with the caller, switch to
33ENOENT, so EFAULT can be used as a non internal retval.
34
35CVE: CVE-2018-18397
36Upstream-Status: Backport
37
38Link: http://lkml.kernel.org/r/20181126173452.26955-2-aarcange@redhat.com
39Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
40Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
41Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
42Reviewed-by: Hugh Dickins <hughd@google.com>
43Cc: Mike Kravetz <mike.kravetz@oracle.com>
44Cc: Jann Horn <jannh@google.com>
45Cc: Peter Xu <peterx@redhat.com>
46Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
47Cc: <stable@vger.kernel.org>
48Cc: stable@vger.kernel.org
49Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
50Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
52Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
53---
54 mm/hugetlb.c | 2 +-
55 mm/shmem.c | 2 +-
56 mm/userfaultfd.c | 6 +++---
57 3 files changed, 5 insertions(+), 5 deletions(-)
58
59diff --git a/mm/hugetlb.c b/mm/hugetlb.c
60index f46040aed2da..224cdd953a79 100644
61--- a/mm/hugetlb.c
62+++ b/mm/hugetlb.c
63@@ -4037,7 +4037,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
64
65 /* fallback to copy_from_user outside mmap_sem */
66 if (unlikely(ret)) {
67- ret = -EFAULT;
68+ ret = -ENOENT;
69 *pagep = page;
70 /* don't free the page */
71 goto out;
72diff --git a/mm/shmem.c b/mm/shmem.c
73index ab7ff0aeae2d..9f856ecda73b 100644
74--- a/mm/shmem.c
75+++ b/mm/shmem.c
76@@ -2266,7 +2266,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
77 *pagep = page;
78 shmem_inode_unacct_blocks(inode, 1);
79 /* don't free the page */
80- return -EFAULT;
81+ return -ENOENT;
82 }
83 } else { /* mfill_zeropage_atomic */
84 clear_highpage(page);
85diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
86index 81192701964d..c63c0fc5ecfa 100644
87--- a/mm/userfaultfd.c
88+++ b/mm/userfaultfd.c
89@@ -49,7 +49,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
90
91 /* fallback to copy_from_user outside mmap_sem */
92 if (unlikely(ret)) {
93- ret = -EFAULT;
94+ ret = -ENOENT;
95 *pagep = page;
96 /* don't free the page */
97 goto out;
98@@ -275,7 +275,7 @@ static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm,
99
100 cond_resched();
101
102- if (unlikely(err == -EFAULT)) {
103+ if (unlikely(err == -ENOENT)) {
104 up_read(&dst_mm->mmap_sem);
105 BUG_ON(!page);
106
107@@ -521,7 +521,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
108 src_addr, &page, zeropage);
109 cond_resched();
110
111- if (unlikely(err == -EFAULT)) {
112+ if (unlikely(err == -ENOENT)) {
113 void *page_kaddr;
114
115 up_read(&dst_mm->mmap_sem);
116--
1172.19.2
118
diff --git a/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch b/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
deleted file mode 100644
index 7b5e78f..0000000
--- a/patches/cve/CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch
+++ /dev/null
@@ -1,54 +0,0 @@
1From cb7ccb9924bb3596f211badf0d2becf131a979cd Mon Sep 17 00:00:00 2001
2From: "Darrick J. Wong" <darrick.wong@oracle.com>
3Date: Tue, 17 Apr 2018 19:10:15 -0700
4Subject: [PATCH] xfs: don't fail when converting shortform attr to long form
5 during ATTR_REPLACE
6
7commit 7b38460dc8e4eafba06c78f8e37099d3b34d473c upstream.
8
9Kanda Motohiro reported that expanding a tiny xattr into a large xattr
10fails on XFS because we remove the tiny xattr from a shortform fork and
11then try to re-add it after converting the fork to extents format having
12not removed the ATTR_REPLACE flag. This fails because the attr is no
13longer present, causing a fs shutdown.
14
15This is derived from the patch in his bug report, but we really
16shouldn't ignore a nonzero retval from the remove call.
17
18CVE: CVE-2018-18690
19Upstream-Status: Backport
20
21Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199119
22Reported-by: kanda.motohiro@gmail.com
23Reviewed-by: Dave Chinner <dchinner@redhat.com>
24Reviewed-by: Christoph Hellwig <hch@lst.de>
25Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
26Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
27Signed-off-by: Sasha Levin <sashal@kernel.org>
28Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
29---
30 fs/xfs/libxfs/xfs_attr.c | 9 ++++++++-
31 1 file changed, 8 insertions(+), 1 deletion(-)
32
33diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
34index 6249c92671de..ea66f04f46f7 100644
35--- a/fs/xfs/libxfs/xfs_attr.c
36+++ b/fs/xfs/libxfs/xfs_attr.c
37@@ -501,7 +501,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args)
38 if (args->flags & ATTR_CREATE)
39 return retval;
40 retval = xfs_attr_shortform_remove(args);
41- ASSERT(retval == 0);
42+ if (retval)
43+ return retval;
44+ /*
45+ * Since we have removed the old attr, clear ATTR_REPLACE so
46+ * that the leaf format add routine won't trip over the attr
47+ * not being around.
48+ */
49+ args->flags &= ~ATTR_REPLACE;
50 }
51
52 if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX ||
53--
542.19.2
diff --git a/patches/cve/CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch b/patches/cve/CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch
deleted file mode 100644
index 55cc7e4..0000000
--- a/patches/cve/CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch
+++ /dev/null
@@ -1,112 +0,0 @@
1From 83f00ab9a7c03e9f1410727d985b7fe9473002e1 Mon Sep 17 00:00:00 2001
2From: Wanpeng Li <wanpengli@tencent.com>
3Date: Tue, 20 Nov 2018 16:34:18 +0800
4Subject: [PATCH] KVM: X86: Fix scan ioapic use-before-initialization
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93 upstream.
10
11Reported by syzkaller:
12
13 BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
14 PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
15 Oops: 0000 [#1] PREEMPT SMP PTI
16 CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16
17 RIP: 0010:__lock_acquire+0x1a6/0x1990
18 Call Trace:
19 lock_acquire+0xdb/0x210
20 _raw_spin_lock+0x38/0x70
21 kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
22 vcpu_enter_guest+0x167e/0x1910 [kvm]
23 kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
24 kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
25 do_vfs_ioctl+0xa5/0x690
26 ksys_ioctl+0x6d/0x80
27 __x64_sys_ioctl+0x1a/0x20
28 do_syscall_64+0x83/0x6e0
29 entry_SYSCALL_64_after_hwframe+0x49/0xbe
30
31The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
32and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
33However, irqchip is not initialized by this simple testcase, ioapic/apic
34objects should not be accessed.
35This can be triggered by the following program:
36
37 #define _GNU_SOURCE
38
39 #include <endian.h>
40 #include <stdint.h>
41 #include <stdio.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <sys/syscall.h>
45 #include <sys/types.h>
46 #include <unistd.h>
47
48 uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
49
50 int main(void)
51 {
52 syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
53 long res = 0;
54 memcpy((void*)0x20000040, "/dev/kvm", 9);
55 res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
56 if (res != -1)
57 r[0] = res;Backport
58 res = syscall(__NR_ioctl, r[0], 0xae01, 0);
59 if (res != -1)
60 r[1] = res;
61 res = syscall(__NR_ioctl, r[1], 0xae41, 0);
62 if (res != -1)
63 r[2] = res;
64 memcpy(
65 (void*)0x20000080,
66 "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
67 "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
68 "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
69 "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
70 "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
71 "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
72 106);
73 syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
74 syscall(__NR_ioctl, r[2], 0xae80, 0);
75 return 0;
76 }
77
78This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
79kernel.
80
81CVE: CVE-2018-19407
82Upstream-Status: Backport
83
84Reported-by: Wei Wu <ww9210@gmail.com>
85Cc: Paolo Bonzini <pbonzini@redhat.com>
86Cc: Radim Krčmář <rkrcmar@redhat.com>
87Cc: Wei Wu <ww9210@gmail.com>
88Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
89Cc: stable@vger.kernel.org
90Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
91Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
92Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
93---
94 arch/x86/kvm/x86.c | 3 ++-
95 1 file changed, 2 insertions(+), 1 deletion(-)
96
97diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
98index 7c4d02dba110..f24329659bea 100644
99--- a/arch/x86/kvm/x86.c
100+++ b/arch/x86/kvm/x86.c
101@@ -6885,7 +6885,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
102 else {
103 if (kvm_x86_ops->sync_pir_to_irr && vcpu->arch.apicv_active)
104 kvm_x86_ops->sync_pir_to_irr(vcpu);
105- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
106+ if (ioapic_in_kernel(vcpu->kvm))
107+ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
108 }
109 bitmap_or((ulong *)eoi_exit_bitmap, vcpu->arch.ioapic_handled_vectors,
110 vcpu_to_synic(vcpu)->vec_bitmap, 256);
111--
1122.19.2
diff --git a/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
deleted file mode 100644
index 01df831..0000000
--- a/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
+++ /dev/null
@@ -1,56 +0,0 @@
1From 19f74e45746253cafb8cb1e773041e7cadbac622 Mon Sep 17 00:00:00 2001
2From: Hui Peng <benquike@gmail.com>
3Date: Mon, 3 Dec 2018 16:09:34 +0100
4Subject: [PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live
5 interfaces in card.c
6
7commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream.
8
9If a USB sound card reports 0 interfaces, an error condition is triggered
10and the function usb_audio_probe errors out. In the error path, there was a
11use-after-free vulnerability where the memory object of the card was first
12freed, followed by a decrement of the number of active chips. Moving the
13decrement above the atomic_dec fixes the UAF.
14
15[ The original problem was introduced in 3.1 kernel, while it was
16 developed in a different form. The Fixes tag below indicates the
17 original commit but it doesn't mean that the patch is applicable
18 cleanly. -- tiwai ]
19
20CVE: CVE-2018-19824
21Upstream-Status: Backport
22
23Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
24Reported-by: Hui Peng <benquike@gmail.com>
25Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
26Signed-off-by: Hui Peng <benquike@gmail.com>
27Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
28Cc: <stable@vger.kernel.org>
29Signed-off-by: Takashi Iwai <tiwai@suse.de>
30Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
31Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
32---
33 sound/usb/card.c | 5 ++++-
34 1 file changed, 4 insertions(+), 1 deletion(-)
35
36diff --git a/sound/usb/card.c b/sound/usb/card.c
37index 23d1d23aefec..4169c71f8a32 100644
38--- a/sound/usb/card.c
39+++ b/sound/usb/card.c
40@@ -644,9 +644,12 @@ static int usb_audio_probe(struct usb_interface *intf,
41
42 __error:
43 if (chip) {
44+ /* chip->active is inside the chip->card object,
45+ * decrement before memory is possibly returned.
46+ */
47+ atomic_dec(&chip->active);
48 if (!chip->num_interfaces)
49 snd_card_free(chip->card);
50- atomic_dec(&chip->active);
51 }
52 mutex_unlock(&register_mutex);
53 return err;
54--
552.19.2
56
diff --git a/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
deleted file mode 100644
index 9d81696..0000000
--- a/patches/cve/CVE-2018-19985-USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
+++ /dev/null
@@ -1,74 +0,0 @@
1From 49be8dc589aee04c64d61e362c5029ab20fd6fd7 Mon Sep 17 00:00:00 2001
2From: Hui Peng <benquike@gmail.com>
3Date: Wed, 12 Dec 2018 12:42:24 +0100
4Subject: [PATCH] USB: hso: Fix OOB memory access in
5 hso_probe/hso_get_config_data
6
7commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
8
9The function hso_probe reads if_num from the USB device (as an u8) and uses
10it without a length check to index an array, resulting in an OOB memory read
11in hso_probe or hso_get_config_data.
12
13Add a length check for both locations and updated hso_probe to bail on
14error.
15
16This issue has been assigned CVE-2018-19985.
17
18CVE: CVE-2018-19985
19Upstream-Status: Backport
20
21Reported-by: Hui Peng <benquike@gmail.com>
22Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
23Signed-off-by: Hui Peng <benquike@gmail.com>
24Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
25Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
26Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
27Signed-off-by: David S. Miller <davem@davemloft.net>
28Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
29Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
30---
31 drivers/net/usb/hso.c | 18 ++++++++++++++++--
32 1 file changed, 16 insertions(+), 2 deletions(-)
33
34diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
35index d7a3379ea668..18a0952f68a8 100644
36--- a/drivers/net/usb/hso.c
37+++ b/drivers/net/usb/hso.c
38@@ -2806,6 +2806,12 @@ static int hso_get_config_data(struct usb_interface *interface)
39 return -EIO;
40 }
41
42+ /* check if we have a valid interface */
43+ if (if_num > 16) {
44+ kfree(config_data);
45+ return -EINVAL;
46+ }
47+
48 switch (config_data[if_num]) {
49 case 0x0:
50 result = 0;
51@@ -2876,10 +2882,18 @@ static int hso_probe(struct usb_interface *interface,
52
53 /* Get the interface/port specification from either driver_info or from
54 * the device itself */
55- if (id->driver_info)
56+ if (id->driver_info) {
57+ /* if_num is controlled by the device, driver_info is a 0 terminated
58+ * array. Make sure, the access is in bounds! */
59+ for (i = 0; i <= if_num; ++i)
60+ if (((u32 *)(id->driver_info))[i] == 0)
61+ goto exit;
62 port_spec = ((u32 *)(id->driver_info))[if_num];
63- else
64+ } else {
65 port_spec = hso_get_config_data(interface);
66+ if (port_spec < 0)
67+ goto exit;
68+ }
69
70 /* Check if we need to switch to alt interfaces prior to port
71 * configuration */
72--
732.19.2
74
diff --git a/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch b/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
deleted file mode 100644
index 1c1f9b9..0000000
--- a/patches/cve/CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
+++ /dev/null
@@ -1,107 +0,0 @@
1From 7b6e85da8d94948201abb8d576d485892a6a878f Mon Sep 17 00:00:00 2001
2From: Mathias Payer <mathias.payer@nebelwelt.net>
3Date: Wed, 5 Dec 2018 21:19:59 +0100
4Subject: [PATCH] USB: check usb_get_extra_descriptor for proper size
5
6commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.
7
8When reading an extra descriptor, we need to properly check the minimum
9and maximum size allowed, to prevent from invalid data being sent by a
10device.
11
12CVE: CVE-2018-20169
13Upstream-Status: Backport
14
15Reported-by: Hui Peng <benquike@gmail.com>
16Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
17Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
18Signed-off-by: Hui Peng <benquike@gmail.com>
19Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
20Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
21Cc: stable <stable@kernel.org>
22Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
23Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
24---
25 drivers/usb/core/hub.c | 2 +-
26 drivers/usb/core/usb.c | 6 +++---
27 drivers/usb/host/hwa-hc.c | 2 +-
28 include/linux/usb.h | 4 ++--
29 4 files changed, 7 insertions(+), 7 deletions(-)
30
31diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
32index 638dc6f66d70..a073cb5be013 100644
33--- a/drivers/usb/core/hub.c
34+++ b/drivers/usb/core/hub.c
35@@ -2231,7 +2231,7 @@ static int usb_enumerate_device_otg(struct usb_device *udev)
36 /* descriptor may appear anywhere in config */
37 err = __usb_get_extra_descriptor(udev->rawdescriptors[0],
38 le16_to_cpu(udev->config[0].desc.wTotalLength),
39- USB_DT_OTG, (void **) &desc);
40+ USB_DT_OTG, (void **) &desc, sizeof(*desc));
41 if (err || !(desc->bmAttributes & USB_OTG_HNP))
42 return 0;
43
44diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
45index f8b50eaf6d1e..7a4e3da549fe 100644
46--- a/drivers/usb/core/usb.c
47+++ b/drivers/usb/core/usb.c
48@@ -833,14 +833,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_number);
49 */
50
51 int __usb_get_extra_descriptor(char *buffer, unsigned size,
52- unsigned char type, void **ptr)
53+ unsigned char type, void **ptr, size_t minsize)
54 {
55 struct usb_descriptor_header *header;
56
57 while (size >= sizeof(struct usb_descriptor_header)) {
58 header = (struct usb_descriptor_header *)buffer;
59
60- if (header->bLength < 2) {
61+ if (header->bLength < 2 || header->bLength > size) {
62 printk(KERN_ERR
63 "%s: bogus descriptor, type %d length %d\n",
64 usbcore_name,
65@@ -849,7 +849,7 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,
66 return -1;
67 }
68
69- if (header->bDescriptorType == type) {
70+ if (header->bDescriptorType == type && header->bLength >= minsize) {
71 *ptr = header;
72 return 0;
73 }
74diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
75index da3b18038d23..216069c396a0 100644
76--- a/drivers/usb/host/hwa-hc.c
77+++ b/drivers/usb/host/hwa-hc.c
78@@ -654,7 +654,7 @@ static int hwahc_security_create(struct hwahc *hwahc)
79 top = itr + itr_size;
80 result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
81 le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
82- USB_DT_SECURITY, (void **) &secd);
83+ USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
84 if (result == -1) {
85 dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
86 return 0;
87diff --git a/include/linux/usb.h b/include/linux/usb.h
88index 4192a1755ccb..8c7ba40cf021 100644
89--- a/include/linux/usb.h
90+++ b/include/linux/usb.h
91@@ -407,11 +407,11 @@ struct usb_host_bos {
92 };
93
94 int __usb_get_extra_descriptor(char *buffer, unsigned size,
95- unsigned char type, void **ptr);
96+ unsigned char type, void **ptr, size_t min);
97 #define usb_get_extra_descriptor(ifpoint, type, ptr) \
98 __usb_get_extra_descriptor((ifpoint)->extra, \
99 (ifpoint)->extralen, \
100- type, (void **)ptr)
101+ type, (void **)ptr, sizeof(**(ptr)))
102
103 /* ----------------------------------------------------------------------- */
104
105--
1062.19.2
107
diff --git a/patches/ipv4/0001-IPV4-unlock-rtnl_mutex-before-waiting-for-carrier-on.patch b/patches/ipv4/0001-IPV4-unlock-rtnl_mutex-before-waiting-for-carrier-on.patch
index 5133075..955bfa8 100644
--- a/patches/ipv4/0001-IPV4-unlock-rtnl_mutex-before-waiting-for-carrier-on.patch
+++ b/patches/ipv4/0001-IPV4-unlock-rtnl_mutex-before-waiting-for-carrier-on.patch
@@ -13,25 +13,28 @@ continuing its task execution.
13The mutex should be unlocked in the ip auto configuration before waiting the 13The mutex should be unlocked in the ip auto configuration before waiting the
14carrier on from the ethernet driver. 14carrier on from the ethernet driver.
15 15
16Upstream-Status: Pending
17
16Signed-off-by: Dragos Motrea <Dragos.Motrea@enea.com> 18Signed-off-by: Dragos Motrea <Dragos.Motrea@enea.com>
19Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
17--- 20---
18 net/ipv4/ipconfig.c | 3 +-- 21 net/ipv4/ipconfig.c | 3 +--
19 1 file changed, 1 insertion(+), 2 deletions(-) 22 1 file changed, 1 insertion(+), 2 deletions(-)
20 23
21diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c 24diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
22index 071a785..55c95cc 100644 25index 3cd13e1bc6a7..2841417d8ab1 100644
23--- a/net/ipv4/ipconfig.c 26--- a/net/ipv4/ipconfig.c
24+++ b/net/ipv4/ipconfig.c 27+++ b/net/ipv4/ipconfig.c
25@@ -254,6 +254,7 @@ static int __init ic_open_devs(void) 28@@ -263,6 +263,7 @@ static int __init ic_open_devs(void)
26 dev->name, able, d->xid); 29 dev->name, able, d->xid);
27 } 30 }
28 } 31 }
29+ rtnl_unlock(); 32+ rtnl_unlock();
30 33
31 /* no point in waiting if we could not bring up at least one device */ 34 /* no point in waiting if we could not bring up at least one device */
32 if (!ic_first_dev) 35 if (!ic_first_dev)
33@@ -281,8 +282,6 @@ static int __init ic_open_devs(void) 36@@ -290,8 +291,6 @@ static int __init ic_open_devs(void)
34 next_msg = jiffies + msecs_to_jiffies(CONF_CARRIER_TIMEOUT/12); 37 next_msg = jiffies + msecs_to_jiffies(20000);
35 } 38 }
36 have_carrier: 39 have_carrier:
37- rtnl_unlock(); 40- rtnl_unlock();
@@ -40,5 +43,5 @@ index 071a785..55c95cc 100644
40 43
41 if (!ic_first_dev) { 44 if (!ic_first_dev) {
42-- 45--
432.7.4 462.29.2
44 47
diff --git a/patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-guest-boot-start-end-messages.patch b/patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-guest-boot-start-end-messages.patch
deleted file mode 100644
index e5c613c..0000000
--- a/patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-guest-boot-start-end-messages.patch
+++ /dev/null
@@ -1,103 +0,0 @@
1From 30aff2983e14dc6482dd2cd6c9a3b96db65c689e Mon Sep 17 00:00:00 2001
2From: Matei Valeanu <Matei.Valeanu@enea.com>
3Date: Wed, 20 Jun 2018 09:41:46 +0200
4Subject: [PATCH] printk: Add Enea Linux guest boot start/end messages
5
6rebased for 4.14
7
8Upstream-status: Inappropriate [specific measurement]
9
10Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
11Signed-off-by: Matei Valeanu <Matei.Valeanu@enea.com>
12---
13 arch/x86/boot/compressed/misc.c | 23 ++++++++++++-----------
14 init/main.c | 4 +++-
15 2 files changed, 15 insertions(+), 12 deletions(-)
16
17diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
18index 252fee3..ecff964 100644
19--- a/arch/x86/boot/compressed/misc.c
20+++ b/arch/x86/boot/compressed/misc.c
21@@ -212,10 +212,10 @@ static void handle_relocations(void *output, unsigned long output_len,
22 delta = virt_addr - LOAD_PHYSICAL_ADDR;
23
24 if (!delta) {
25- debug_putstr("No relocation needed... ");
26+ /* debug_putstr("No relocation needed... "); */
27 return;
28 }
29- debug_putstr("Performing relocations... ");
30+ /* debug_putstr("Performing relocations... "); */
31
32 /*
33 * Process relocations: 32 bit relocations first then 64 bit after.
34@@ -296,7 +296,7 @@ static void parse_elf(void *output)
35 return;
36 }
37
38- debug_putstr("Parsing ELF... ");
39+ /* debug_putstr("Parsing ELF... ");*/
40
41 phdrs = malloc(sizeof(*phdrs) * ehdr.e_phnum);
42 if (!phdrs)
43@@ -374,7 +374,8 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap,
44 cols = boot_params->screen_info.orig_video_cols;
45
46 console_init();
47- debug_putstr("early console in extract_kernel\n");
48+ /* debug_putstr("early console in extract_kernel\n");*/
49+ debug_putstr("\n");debug_putstr("Enea Linux guest kernel boot start\n");
50
51 if (IS_ENABLED(CONFIG_X86_5LEVEL) && !l5_supported()) {
52 error("This linux kernel as configured requires 5-level paging\n"
53@@ -386,11 +387,11 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap,
54 free_mem_end_ptr = heap + BOOT_HEAP_SIZE;
55
56 /* Report initial kernel position details. */
57- debug_putaddr(input_data);
58- debug_putaddr(input_len);
59- debug_putaddr(output);
60- debug_putaddr(output_len);
61- debug_putaddr(kernel_total_size);
62+ /*debug_putaddr(input_data); */
63+ /*debug_putaddr(input_len); */
64+ /*debug_putaddr(output); */
65+ /*debug_putaddr(output_len); */
66+ /*debug_putaddr(kernel_total_size);*/
67
68 /*
69 * The memory hole needed for the kernel is the larger of either
70@@ -423,12 +424,12 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap,
71 error("Destination virtual address changed when not relocatable");
72 #endif
73
74- debug_putstr("\nDecompressing Linux... ");
75+ /*debug_putstr("\nDecompressing Linux... ");*/
76 __decompress(input_data, input_len, NULL, NULL, output, output_len,
77 NULL, error);
78 parse_elf(output);
79 handle_relocations(output, output_len, virt_addr);
80- debug_putstr("done.\nBooting the kernel.\n");
81+ /*debug_putstr("done.\nBooting the kernel.\n");*/
82 return output;
83 }
84
85diff --git a/init/main.c b/init/main.c
86index 56210eb..9e61f9d 100644
87--- a/init/main.c
88+++ b/init/main.c
89@@ -1025,8 +1025,10 @@ static int __ref kernel_init(void *unused)
90 if (!try_to_run_init_process("/sbin/init") ||
91 !try_to_run_init_process("/etc/init") ||
92 !try_to_run_init_process("/bin/init") ||
93- !try_to_run_init_process("/bin/sh"))
94+ !try_to_run_init_process("/bin/sh")) {
95+ printk(KERN_EMERG "Enea Linux guest kernel boot end\n");
96 return 0;
97+ }
98
99 panic("No working init found. Try passing init= option to kernel. "
100 "See Linux Documentation/admin-guide/init.rst for guidance.");
101--
1022.7.4
103
diff --git a/patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-host-boot-start-end-messages.patch b/patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-host-boot-start-end-messages.patch
deleted file mode 100644
index 565e689..0000000
--- a/patches/kernel_startend_msg/0001-printk-Add-Enea-Linux-host-boot-start-end-messages.patch
+++ /dev/null
@@ -1,103 +0,0 @@
1From 30aff2983e14dc6482dd2cd6c9a3b96db65c689e Mon Sep 17 00:00:00 2001
2From: Matei Valeanu <Matei.Valeanu@enea.com>
3Date: Wed, 20 Jun 2018 09:41:46 +0200
4Subject: [PATCH] printk: Add Enea Linux host boot start/end messages
5
6rebased for 4.14
7
8Upstream-status: Inappropriate [specific measurement]
9
10Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
11Signed-off-by: Matei Valeanu <Matei.Valeanu@enea.com>
12---
13 arch/x86/boot/compressed/misc.c | 23 ++++++++++++-----------
14 init/main.c | 4 +++-
15 2 files changed, 15 insertions(+), 12 deletions(-)
16
17diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
18index 252fee3..ecff964 100644
19--- a/arch/x86/boot/compressed/misc.c
20+++ b/arch/x86/boot/compressed/misc.c
21@@ -212,10 +212,10 @@ static void handle_relocations(void *output, unsigned long output_len,
22 delta = virt_addr - LOAD_PHYSICAL_ADDR;
23
24 if (!delta) {
25- debug_putstr("No relocation needed... ");
26+ /* debug_putstr("No relocation needed... "); */
27 return;
28 }
29- debug_putstr("Performing relocations... ");
30+ /* debug_putstr("Performing relocations... "); */
31
32 /*
33 * Process relocations: 32 bit relocations first then 64 bit after.
34@@ -296,7 +296,7 @@ static void parse_elf(void *output)
35 return;
36 }
37
38- debug_putstr("Parsing ELF... ");
39+ /* debug_putstr("Parsing ELF... ");*/
40
41 phdrs = malloc(sizeof(*phdrs) * ehdr.e_phnum);
42 if (!phdrs)
43@@ -374,7 +374,8 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap,
44 cols = boot_params->screen_info.orig_video_cols;
45
46 console_init();
47- debug_putstr("early console in extract_kernel\n");
48+ /* debug_putstr("early console in extract_kernel\n");*/
49+ debug_putstr("\n");debug_putstr("Enea Linux kernel boot start\n");
50
51 if (IS_ENABLED(CONFIG_X86_5LEVEL) && !l5_supported()) {
52 error("This linux kernel as configured requires 5-level paging\n"
53@@ -386,11 +387,11 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap,
54 free_mem_end_ptr = heap + BOOT_HEAP_SIZE;
55
56 /* Report initial kernel position details. */
57- debug_putaddr(input_data);
58- debug_putaddr(input_len);
59- debug_putaddr(output);
60- debug_putaddr(output_len);
61- debug_putaddr(kernel_total_size);
62+ /*debug_putaddr(input_data); */
63+ /*debug_putaddr(input_len); */
64+ /*debug_putaddr(output); */
65+ /*debug_putaddr(output_len); */
66+ /*debug_putaddr(kernel_total_size);*/
67
68 /*
69 * The memory hole needed for the kernel is the larger of either
70@@ -423,12 +424,12 @@ asmlinkage __visible void *extract_kernel(void *rmode, memptr heap,
71 error("Destination virtual address changed when not relocatable");
72 #endif
73
74- debug_putstr("\nDecompressing Linux... ");
75+ /*debug_putstr("\nDecompressing Linux... ");*/
76 __decompress(input_data, input_len, NULL, NULL, output, output_len,
77 NULL, error);
78 parse_elf(output);
79 handle_relocations(output, output_len, virt_addr);
80- debug_putstr("done.\nBooting the kernel.\n");
81+ /*debug_putstr("done.\nBooting the kernel.\n");*/
82 return output;
83 }
84
85diff --git a/init/main.c b/init/main.c
86index 56210eb..9e61f9d 100644
87--- a/init/main.c
88+++ b/init/main.c
89@@ -1025,8 +1025,10 @@ static int __ref kernel_init(void *unused)
90 if (!try_to_run_init_process("/sbin/init") ||
91 !try_to_run_init_process("/etc/init") ||
92 !try_to_run_init_process("/bin/init") ||
93- !try_to_run_init_process("/bin/sh"))
94+ !try_to_run_init_process("/bin/sh")) {
95+ printk(KERN_EMERG "Enea Linux kernel boot end\n");
96 return 0;
97+ }
98
99 panic("No working init found. Try passing init= option to kernel. "
100 "See Linux Documentation/admin-guide/init.rst for guidance.");
101--
1022.7.4
103
diff --git a/patches/kernel_startend_msg/kernel_guest_startend_msg.scc b/patches/kernel_startend_msg/kernel_guest_startend_msg.scc
deleted file mode 100644
index e7a1bec..0000000
--- a/patches/kernel_startend_msg/kernel_guest_startend_msg.scc
+++ /dev/null
@@ -1,4 +0,0 @@
1define KFEATURE_DESCRIPTION "Enable the kernel to output messages when it starts and ends booting"
2define KFEATURE_COMPATIBILITY all
3
4patch 0001-printk-Add-Enea-Linux-guest-boot-start-end-messages.patch
diff --git a/patches/kernel_startend_msg/kernel_host_startend_msg.scc b/patches/kernel_startend_msg/kernel_host_startend_msg.scc
deleted file mode 100644
index 861a936..0000000
--- a/patches/kernel_startend_msg/kernel_host_startend_msg.scc
+++ /dev/null
@@ -1,4 +0,0 @@
1define KFEATURE_DESCRIPTION "Enable the kernel to output messages when it starts and ends booting"
2define KFEATURE_COMPATIBILITY all
3
4patch 0001-printk-Add-Enea-Linux-host-boot-start-end-messages.patch
diff --git a/patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch b/patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch
deleted file mode 100644
index 37b06c6..0000000
--- a/patches/security/0002-KEYS-reaching-the-keys-quotas-correctly.patch
+++ /dev/null
@@ -1,69 +0,0 @@
1From 2e356101e72ab1361821b3af024d64877d9a798d Mon Sep 17 00:00:00 2001
2From: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
3Date: Fri, 28 Feb 2020 12:41:51 +0800
4Subject: KEYS: reaching the keys quotas correctly
5
6Currently, when we add a new user key, the calltrace as below:
7
8add_key()
9 key_create_or_update()
10 key_alloc()
11 __key_instantiate_and_link
12 generic_key_instantiate
13 key_payload_reserve
14 ......
15
16Since commit a08bf91ce28e ("KEYS: allow reaching the keys quotas exactly"),
17we can reach max bytes/keys in key_alloc, but we forget to remove this
18limit when we reserver space for payload in key_payload_reserve. So we
19can only reach max keys but not max bytes when having delta between plen
20and type->def_datalen. Remove this limit when instantiating the key, so we
21can keep consistent with key_alloc.
22
23Also, fix the similar problem in keyctl_chown_key().
24
25Fixes: 0b77f5bfb45c ("keys: make the keyring quotas controllable through /proc/sys")
26Fixes: a08bf91ce28e ("KEYS: allow reaching the keys quotas exactly")
27Cc: stable@vger.kernel.org # 5.0.x
28Cc: Eric Biggers <ebiggers@google.com>
29Signed-off-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
30Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
31Reviewed-by: Eric Biggers <ebiggers@google.com>
32Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
33---
34 security/keys/key.c | 2 +-
35 security/keys/keyctl.c | 4 ++--
36 2 files changed, 3 insertions(+), 3 deletions(-)
37
38diff --git a/security/keys/key.c b/security/keys/key.c
39index 718bf7217420..e959b3c96b48 100644
40--- a/security/keys/key.c
41+++ b/security/keys/key.c
42@@ -382,7 +382,7 @@ int key_payload_reserve(struct key *key, size_t datalen)
43 spin_lock(&key->user->lock);
44
45 if (delta > 0 &&
46- (key->user->qnbytes + delta >= maxbytes ||
47+ (key->user->qnbytes + delta > maxbytes ||
48 key->user->qnbytes + delta < key->user->qnbytes)) {
49 ret = -EDQUOT;
50 }
51diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
52index 9b898c969558..d1a3dea58dee 100644
53--- a/security/keys/keyctl.c
54+++ b/security/keys/keyctl.c
55@@ -937,8 +937,8 @@ long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group)
56 key_quota_root_maxbytes : key_quota_maxbytes;
57
58 spin_lock(&newowner->lock);
59- if (newowner->qnkeys + 1 >= maxkeys ||
60- newowner->qnbytes + key->quotalen >= maxbytes ||
61+ if (newowner->qnkeys + 1 > maxkeys ||
62+ newowner->qnbytes + key->quotalen > maxbytes ||
63 newowner->qnbytes + key->quotalen <
64 newowner->qnbytes)
65 goto quota_overrun;
66--
67cgit v1.2.2-1-g5e49
68
69
diff --git a/patches/security/keys.scc b/patches/security/keys.scc
deleted file mode 100644
index 0c937e0..0000000
--- a/patches/security/keys.scc
+++ /dev/null
@@ -1 +0,0 @@
1patch 0002-KEYS-reaching-the-keys-quotas-correctly.patch
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-29 05:19:02 +0000