linux-intel: Fix for CVE-2018-14609

Fix for both linux-intel and linux-intel-rt. References: https://github.com/nluedtke/linux_kernel_cves/blob/master/4.14/4.14_security.txt https://nvd.nist.gov/vuln/detail/CVE-2018-14609 Change-Id: I566e0350984df12e6a77ed68cbcd2b485b9a2713 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2018-09-21 10:22:04 +0200
committer: Martin Borg <martin.borg@enea.com> 2018-09-26 11:54:35 +0200
commit: 28e754d96d3aaef7e0661a2416bad4418f2e8d9e (patch)
tree: dd8154ad527e0e1b001243c03e209ed92233012d
parent: 66bb24cffa127f106bb79e25e60aacb61fe63352 (diff)
download: meta-enea-bsp-x86-28e754d96d3aaef7e0661a2416bad4418f2e8d9e.tar.gz
3 files changed, 73 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
index b7934cf..6c4061f 100644
--- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -13,6 +13,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s
                   file://CVE-2018-15572.patch \
                   file://CVE-2018-9363.patch \
                   file://CVE-2018-16658.patch \
+                   file://CVE-2018-14609.patch \
                 "
 # Debug tools support
diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-14609.patch b/recipes-kernel/linux/linux-intel/CVE-2018-14609.patch
new file mode 100644
index 0000000..96d8a4e
--- /dev/null
+++ b/recipes-kernel/linux/linux-intel/CVE-2018-14609.patch
@@ -0,0 +1,71 @@
+From 0cdbc3faf960de16ebe8a427feb3b0544ad983cc Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 3 Jul 2018 17:10:07 +0800
+Subject: [PATCH] btrfs: relocation: Only remove reloc rb_trees if reloc
+ control has been initialized
+[ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ]
+Invalid reloc tree can cause kernel NULL pointer dereference when btrfs
+does some cleanup of the reloc roots.
+It turns out that fs_info::reloc_ctl can be NULL in
+btrfs_recover_relocation() as we allocate relocation control after all
+reloc roots have been verified.
+So when we hit: note, we haven't called set_reloc_control() thus
+fs_info::reloc_ctl is still NULL.
+CVE: CVE-2018-14609
+Upstream-Status: Backport
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/btrfs/relocation.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 9841fae..b80b03e 100644
+--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
+@@ -1334,18 +1334,19 @@ static void __del_reloc_root(struct btrfs_root *root)
+        struct mapping_node *node = NULL;
+        struct reloc_control *rc = fs_info->reloc_ctl;
+ 
+-       spin_lock(&rc->reloc_root_tree.lock);
+-       rb_node = tree_search(&rc->reloc_root_tree.rb_root,
+-                             root->node->start);
+-       if (rb_node) {
+-               node = rb_entry(rb_node, struct mapping_node, rb_node);
+-               rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
+       if (rc) {
+               spin_lock(&rc->reloc_root_tree.lock);
+               rb_node = tree_search(&rc->reloc_root_tree.rb_root,
+                                     root->node->start);
+               if (rb_node) {
+                       node = rb_entry(rb_node, struct mapping_node, rb_node);
+                       rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
+               }
+               spin_unlock(&rc->reloc_root_tree.lock);
+               if (!node)
+                       return;
+               BUG_ON((struct btrfs_root *)node->data != root);
+        }
+-       spin_unlock(&rc->reloc_root_tree.lock);
+-
+-       if (!node)
+-               return;
+-       BUG_ON((struct btrfs_root *)node->data != root);
+ 
+        spin_lock(&fs_info->trans_lock);
+        list_del_init(&root->root_list);
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-intel_4.14.bbappend b/recipes-kernel/linux/linux-intel_4.14.bbappend
index 36e0307..1fa63e0 100644
--- a/recipes-kernel/linux/linux-intel_4.14.bbappend
+++ b/recipes-kernel/linux/linux-intel_4.14.bbappend
@@ -7,6 +7,7 @@ SRCREV_metaenea = "8a4b6e91f12d927b3b486892c50a4ad2bcdb29d2"
 KENEABRANCH = "intel-4.14"
 SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
                   file://CVE-2018-16658.patch \
+                   file://CVE-2018-14609.patch \
                 "
 KERNEL_FEATURES_append = " features/x2apic/x2apic.scc"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2018-09-21 10:22:04 +0200
committer	Martin Borg <martin.borg@enea.com>	2018-09-26 11:54:35 +0200
commit	28e754d96d3aaef7e0661a2416bad4418f2e8d9e (patch)
tree	dd8154ad527e0e1b001243c03e209ed92233012d
parent	66bb24cffa127f106bb79e25e60aacb61fe63352 (diff)
download	meta-enea-bsp-x86-28e754d96d3aaef7e0661a2416bad4418f2e8d9e.tar.gz

diff --git a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend index b7934cf..6c4061f 100644 --- a/recipes-kernel/linux/linux-intel-rt_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel-rt_4.14.bbappend
@@ -13,6 +13,7 @@ SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=s
13	file://CVE-2018-15572.patch \	13	file://CVE-2018-15572.patch \
14	file://CVE-2018-9363.patch \	14	file://CVE-2018-9363.patch \
15	file://CVE-2018-16658.patch \	15	file://CVE-2018-16658.patch \
		16	file://CVE-2018-14609.patch \
16	"	17	"
17		18
18	# Debug tools support	19	# Debug tools support


diff --git a/recipes-kernel/linux/linux-intel/CVE-2018-14609.patch b/recipes-kernel/linux/linux-intel/CVE-2018-14609.patch new file mode 100644 index 0000000..96d8a4e --- /dev/null +++ b/recipes-kernel/linux/linux-intel/CVE-2018-14609.patch
@@ -0,0 +1,71 @@
		1	From 0cdbc3faf960de16ebe8a427feb3b0544ad983cc Mon Sep 17 00:00:00 2001
		2	From: Qu Wenruo <wqu@suse.com>
		3	Date: Tue, 3 Jul 2018 17:10:07 +0800
		4	Subject: [PATCH] btrfs: relocation: Only remove reloc rb_trees if reloc
		5	control has been initialized
		6
		7	[ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ]
		8
		9	Invalid reloc tree can cause kernel NULL pointer dereference when btrfs
		10	does some cleanup of the reloc roots.
		11
		12	It turns out that fs_info::reloc_ctl can be NULL in
		13	btrfs_recover_relocation() as we allocate relocation control after all
		14	reloc roots have been verified.
		15	So when we hit: note, we haven't called set_reloc_control() thus
		16	fs_info::reloc_ctl is still NULL.
		17
		18	CVE: CVE-2018-14609
		19	Upstream-Status: Backport
		20
		21	Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
		22	Reported-by: Xu Wen <wen.xu@gatech.edu>
		23	Signed-off-by: Qu Wenruo <wqu@suse.com>
		24	Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
		25	Reviewed-by: David Sterba <dsterba@suse.com>
		26	Signed-off-by: David Sterba <dsterba@suse.com>
		27	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
		28	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		29	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		30	---
		31	fs/btrfs/relocation.c \| 23 ++++++++++++-----------
		32	1 file changed, 12 insertions(+), 11 deletions(-)
		33
		34	diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
		35	index 9841fae..b80b03e 100644
		36	--- a/fs/btrfs/relocation.c
		37	+++ b/fs/btrfs/relocation.c
		38	@@ -1334,18 +1334,19 @@ static void __del_reloc_root(struct btrfs_root *root)
		39	struct mapping_node *node = NULL;
		40	struct reloc_control *rc = fs_info->reloc_ctl;
		41
		42	- spin_lock(&rc->reloc_root_tree.lock);
		43	- rb_node = tree_search(&rc->reloc_root_tree.rb_root,
		44	- root->node->start);
		45	- if (rb_node) {
		46	- node = rb_entry(rb_node, struct mapping_node, rb_node);
		47	- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
		48	+ if (rc) {
		49	+ spin_lock(&rc->reloc_root_tree.lock);
		50	+ rb_node = tree_search(&rc->reloc_root_tree.rb_root,
		51	+ root->node->start);
		52	+ if (rb_node) {
		53	+ node = rb_entry(rb_node, struct mapping_node, rb_node);
		54	+ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
		55	+ }
		56	+ spin_unlock(&rc->reloc_root_tree.lock);
		57	+ if (!node)
		58	+ return;
		59	+ BUG_ON((struct btrfs_root *)node->data != root);
		60	}
		61	- spin_unlock(&rc->reloc_root_tree.lock);
		62	-
		63	- if (!node)
		64	- return;
		65	- BUG_ON((struct btrfs_root *)node->data != root);
		66
		67	spin_lock(&fs_info->trans_lock);
		68	list_del_init(&root->root_list);
		69	--
		70	1.9.1
		71


diff --git a/recipes-kernel/linux/linux-intel_4.14.bbappend b/recipes-kernel/linux/linux-intel_4.14.bbappend index 36e0307..1fa63e0 100644 --- a/recipes-kernel/linux/linux-intel_4.14.bbappend +++ b/recipes-kernel/linux/linux-intel_4.14.bbappend
@@ -7,6 +7,7 @@ SRCREV_metaenea = "8a4b6e91f12d927b3b486892c50a4ad2bcdb29d2"
7	KENEABRANCH = "intel-4.14"	7	KENEABRANCH = "intel-4.14"
8	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \	8	SRC_URI_append = " git://git@git.enea.com/linux/enea-kernel-cache.git;protocol=ssh;type=kmeta;name=metaenea;branch=${KENEABRANCH};destsuffix=enea-kernel-meta \
9	file://CVE-2018-16658.patch \	9	file://CVE-2018-16658.patch \
		10	file://CVE-2018-14609.patch \
10	"	11	"
11		12
12	KERNEL_FEATURES_append = " features/x2apic/x2apic.scc"	13	KERNEL_FEATURES_append = " features/x2apic/x2apic.scc"