1. 08 Nov, 2020 1 commit
    • 
      vt: Disable KD_FONT_OP_COPY · 3c4e0dff
      Daniel Vetter authored
      It's buggy:
      
      On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
      > We recently discovered a slab-out-of-bounds read in fbcon in the latest
      > kernel (v5.10-rc2 for now).  The root cause of this vulnerability is that
      > "fbcon_do_set_font" did not handle "vc->vc_font.data" and
      > "vc->vc_font.height" correctly, and the patch
      > <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this
      > issue.
      >
      > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
      > use KD_FONT_OP_SET again to set a large font.height for tty1. After that,
      > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
      > in "fbcon_do_set_font", while tty1 retains the original larger
      > height. Obviously, this will cause an out-of-bounds read, because we can
      > access a smaller vc_font.data with a larger vc_font.height.
      
      Further there was only one user ever.
      - Android's loadfont, busybox and console-tools only ever use OP_GET
        and OP_SET
      - fbset documentation only mentions the kernel cmdline font: option,
        not anything else.
      - systemd used OP_COPY before release 232 published in Nov 2016
      
      Now unfortunately the crucial report seems to have gone down with
      gmane, and the commit message doesn't say much. But the pull request
      hints at OP_COPY being broken
      
      https://github.com/systemd/systemd/pull/3651
      
      So in other words, this never worked, and the only project which
      foolishly ever tried to use it, realized that rather quickly too.
      
      Instead of trying to fix security issues here on dead code by adding
      missing checks, fix the entire thing by removing the functionality.
      
      Note that systemd code using the OP_COPY function ignored the return
      value, so it doesn't matter what we're doing here really - just in
      case a lone server somewhere happens to be extremely unlucky and
      running an affected old version of systemd. The relevant code from
      font_copy_to_all_vcs() in systemd was:
      
      	/* copy font from active VT, where the font was uploaded to */
      	cfo.op = KD_FONT_OP_COPY;
      	cfo.height = vcs.v_active-1; /* tty1 == index 0 */
      	(void) ioctl(vcfd, KDFONTOP, &cfo);
      
      Note this just disables the ioctl, garbage collecting the now unused
      callbacks is left for -next.
      
      v2: Tetsuo found the old mail, which allowed me to find it on another
      archive. Add the link too.
      Acked-by: Peilin Ye <yepeilin.cs@gmail.com>
      Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
      References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
      References: https://github.com/systemd/systemd/pull/3651
      Cc: Greg KH <greg@kroah.com>
      Cc: Peilin Ye <yepeilin.cs@gmail.com>
      Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
      Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
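To make the inconsistency in the report above concrete (font data copied between consoles while each console keeps its own height), here is an added C model; it is not kernel code and not part of this commit. `struct vc_font`, `glyph_row`, `font_copy_unchecked`, `font_copy_checked` and `rows_out_of_bounds` are all constructed for the example, and it assumes one byte per glyph row as a simplification.

```c
#include <errno.h>
#include <stdlib.h>
/* Constructed model of per-console font state (not the kernel's struct):
 * one byte per glyph row, so a font needs charcount * height bytes. */
struct vc_font {
    unsigned char *data;
    unsigned height, charcount;
    size_t size;                    /* bytes really allocated behind data */
};

/* Row r of glyph c sits at data[c * height + r]; refuse to read past size. */
static int glyph_row(const struct vc_font *f, unsigned c, unsigned r, unsigned char *out)
{
    size_t off = (size_t)c * f->height + r;
    if (c >= f->charcount || r >= f->height || off >= f->size)
        return -ERANGE;
    *out = f->data[off];
    return 0;
}

/* What the report describes: only the buffer moves to dst, while dst keeps
 * its own, possibly larger, height. */
static void font_copy_unchecked(struct vc_font *dst, const struct vc_font *src)
{
    dst->data = src->data;
    dst->size = src->size;
}

/* The check OP_COPY lacked: only copy when the geometry already matches. */
static int font_copy_checked(struct vc_font *dst, const struct vc_font *src)
{
    if (dst->height != src->height || dst->charcount != src->charcount)
        return -EINVAL;
    font_copy_unchecked(dst, src);
    return 0;
}

/* The report's scenario: small font on tty6, tall font on tty1, then copy.
 * Returns how many rows of tty1's last glyph now fall outside the buffer. */
static unsigned rows_out_of_bounds(unsigned small_h, unsigned large_h, unsigned chars)
{
    size_t small_size = (size_t)chars * small_h;
    unsigned char *buf = calloc(small_size, 1);
    struct vc_font tty6 = { buf, small_h, chars, small_size };
    struct vc_font tty1 = { NULL, large_h, chars, 0 };
    unsigned bad = 0, r;
    unsigned char row;
    font_copy_unchecked(&tty1, &tty6);
    for (r = 0; r < tty1.height; r++)
        if (glyph_row(&tty1, chars - 1, r, &row) == -ERANGE)
            bad++;
    free(buf);
    return bad;
}
```

With matching geometry every read stays inside the buffer; with a taller destination the checked variant refuses the copy instead of leaving a font whose height no longer describes its data.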
  2. 06 Nov, 2020 4 commits
  3. 01 Nov, 2020 11 commits
    • 
      Linux 5.10-rc2 · 3cea11cd
      Linus Torvalds authored
    • 
      Merge tag 'x86-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7b56fbd8
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "Three fixes all related to #DB:
      
         - Handle the BTF bit correctly so it doesn't get lost due to a kernel
           #DB
      
         - Only clear and set the virtual DR6 value used by ptrace on user
           space triggered #DB. A kernel #DB must leave it alone to ensure
           data consistency for ptrace.
      
         - Make the bitmasking of the virtual DR6 storage correct so it does
           not lose DR_STEP"
      
      * tag 'x86-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/debug: Fix DR_STEP vs ptrace_get_debugreg(6)
        x86/debug: Only clear/set ->virtual_dr6 for userspace #DB
        x86/debug: Fix BTF handling
    • 
      Merge tag 'timers-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4312e0e8
      Linus Torvalds authored
      Pull timer fixes from Thomas Gleixner:
       "A few fixes for timers/timekeeping:
      
         - Prevent undefined behaviour in the timespec64_to_ns() conversion
           which is used for converting user supplied time input to
           nanoseconds. It lacked overflow protection.
      
         - Mark sched_clock_read_begin/retry() to prevent recursion in the
           tracer
      
         - Remove unused debug functions in the hrtimer and timerlist code"
      
      * tag 'timers-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        time: Prevent undefined behaviour in timespec64_to_ns()
        timers: Remove unused inline function debug_timer_free()
        hrtimer: Remove unused inline function debug_hrtimer_free()
        time/sched_clock: Mark sched_clock_read_begin/retry() as notrace
    • 
      Merge tag 'smp-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 82423b46
      Linus Torvalds authored
      Pull smp fix from Thomas Gleixner:
       "A single fix for stop machine.
      
        Mark functions no trace to prevent a crash caused by recursion when
        enabling or disabling a tracer on RISC-V (probably all architectures
        which patch through stop machine)"
      
      * tag 'smp-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        stop_machine, rcu: Mark functions as notrace
    • 
      Merge tag 'locking-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8d99084e
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "A couple of locking fixes:
      
         - Fix incorrect failure injection handling in the futex code
      
         - Prevent a preemption warning in lockdep when tracking
           local_irq_enable() and interrupts are already enabled
      
         - Remove more raw_cpu_read() usage from lockdep which causes state
           corruption on !X86 architectures.
      
         - Make the nr_unused_locks accounting in lockdep correct again"
      
      * tag 'locking-urgent-2020-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        lockdep: Fix nr_unused_locks accounting
        locking/lockdep: Remove more raw_cpu_read() usage
        futex: Fix incorrect should_fail_futex() handling
        lockdep: Fix preemption WARN for spurious IRQ-enable
    • 
      Merge tag 'char-misc-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 31f02006
      Linus Torvalds authored
      Pull char/misc fixes/removals from Greg KH:
       "Here's some small fixes for 5.10-rc2 and a big driver removal.
      
        The fixes are for some reported issues in the interconnect and
        coresight drivers, nothing major.
      
        The "big" driver removal is that the MIC drivers have been asked to be
        removed as the hardware never shipped and Intel no longer wants to
        maintain something that no one can use. This is welcomed by many as
        the DMA usage of these drivers was "interesting" and the security
        people were starting to question some issues that were starting to be
        found in the codebase.
      
        Note, one of the subsystems for this driver, the "VOP" code, will
        probably come back in future kernel versions as it was looking to
        potentially solve some PCIe virtualization issues that a number of
        other vendors were wanting to solve. But as-is, this codebase didn't
        work for anyone else so no actual functionality is being removed.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'char-misc-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        coresight: cti: Initialize dynamic sysfs attributes
        coresight: Fix uninitialised pointer bug in etm_setup_aux()
        coresight: add module license
        misc: mic: remove the MIC drivers
        interconnect: qcom: use icc_sync state for sm8[12]50
        interconnect: qcom: Ensure that the floor bandwidth value is enforced
        interconnect: qcom: sc7180: Init BCMs before creating the nodes
        interconnect: qcom: sdm845: Init BCMs before creating the nodes
        interconnect: Aggregate before setting initial bandwidth
        interconnect: qcom: sdm845: Enable keepalive for the MM1 BCM
    • 
      Merge tag 'driver-core-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · 9c75b68b
      Linus Torvalds authored
      Pull driver core and documentation fixes from Greg KH:
       "Here is one tiny debugfs change to fix up an API where the last user
        was successfully fixed up in 5.10-rc1 (so it couldn't be merged
        earlier), and a much larger Documentation/ABI/ update to the files so
        they can be automatically parsed by our tools.
      
        The Documentation/ABI/ updates are just formatting issues, small ones
        to bring the files into parsable format, and have been acked by
        numerous subsystem maintainers and the documentation maintainer. I
        figured it was good to get this into 5.10-rc2 to help with the merge
        issues that would arise if these were to stick in linux-next until
        5.11-rc1.
      
        The debugfs change has been in linux-next for a long time, and the
        Documentation updates only for the last linux-next release"
      
      * tag 'driver-core-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (40 commits)
        scripts: get_abi.pl: assume ReST format by default
        docs: ABI: sysfs-class-led-trigger-pattern: remove hw_pattern duplication
        docs: ABI: sysfs-class-backlight: unify ABI documentation
        docs: ABI: sysfs-c2port: remove a duplicated entry
        docs: ABI: sysfs-class-power: unify duplicated properties
        docs: ABI: unify /sys/class/leds/<led>/brightness documentation
        docs: ABI: stable: remove a duplicated documentation
        docs: ABI: change read/write attributes
        docs: ABI: cleanup several ABI documents
        docs: ABI: sysfs-bus-nvdimm: use the right format for ABI
        docs: ABI: vdso: use the right format for ABI
        docs: ABI: fix syntax to be parsed using ReST notation
        docs: ABI: convert testing/configfs-acpi to ReST
        docs: Kconfig/Makefile: add a check for broken ABI files
        docs: abi-testing.rst: enable --rst-sources when building docs
        docs: ABI: don't escape ReST-incompatible chars from obsolete and removed
        docs: ABI: create a 2-depth index for ABI
        docs: ABI: make it parse ABI/stable as ReST-compatible files
        docs: ABI: sysfs-uevent: make it compatible with ReST output
        docs: ABI: testing: make the files compatible with ReST output
        ...
    • 
      Merge tag 'staging-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 2376cca0
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are some small staging driver fixes for issues that have been
        reported in 5.10-rc1:
      
         - octeon driver fixes
      
         - wfx driver fixes
      
         - memory leak fix in vchiq driver
      
         - fieldbus driver bugfix
      
         - comedi driver bugfix
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'staging-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: fieldbus: anybuss: jump to correct label in an error path
        staging: wfx: fix test on return value of gpiod_get_value()
        staging: wfx: fix use of uninitialized pointer
        staging: mmal-vchiq: Fix memory leak for vchiq_instance
        staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
        staging: octeon: Drop on uncorrectable alignment or FCS error
        staging: octeon: repair "fixed-link" support
    • 
      Merge tag 'tty-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 2754a42e
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small TTY and Serial driver fixes for reported issues
        for 5.10-rc2. They include:
      
         - vt ioctl bugfix for reported problems
      
         - fsl_lpuart serial driver fix
      
         - 21285 serial driver bugfix
      
        All have been in linux-next with no reported issues"
      
      * tag 'tty-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        vt_ioctl: fix GIO_UNIMAP regression
        vt: keyboard, extend func_buf_lock to readers
        vt: keyboard, simplify vt_kdgkbsent
        tty: serial: fsl_lpuart: LS1021A has a FIFO size of 16 words, like LS1028A
        tty: serial: 21285: fix lockup on open
    • 
      Merge tag 'usb-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 9b5ff3c9
      Linus Torvalds authored
      Pull USB driver fixes from Greg KH:
       "Here are a number of small bugfixes for reported issues in some USB
        drivers. They include:
      
         - typec bugfixes
      
         - xhci bugfixes and lockdep warning fixes
      
         - cdc-acm driver regression fix
      
         - kernel doc fixes
      
         - cdns3 driver bugfixes for a bunch of reported issues
      
         - other tiny USB driver fixes
      
        All have been in linux-next with no reported issues"
      
      * tag 'usb-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: cdns3: gadget: own the lock wrongly at the suspend routine
        usb: cdns3: Fix on-chip memory overflow issue
        usb: cdns3: gadget: suspicious implicit sign extension
        xhci: Don't create stream debugfs files with spinlock held.
        usb: xhci: Workaround for S3 issue on AMD SNPS 3.0 xHC
        xhci: Fix sizeof() mismatch
        usb: typec: stusb160x: fix signedness comparison issue with enum variables
        usb: typec: add missing MODULE_DEVICE_TABLE() to stusb160x
        USB: apple-mfi-fastcharge: don't probe unhandled devices
        usbcore: Check both id_table and match() when both available
        usb: host: ehci-tegra: Fix error handling in tegra_ehci_probe()
        usb: typec: stusb160x: fix an IS_ERR() vs NULL check in probe
        usb: typec: tcpm: reset hard_reset_count for any disconnect
        usb: cdc-acm: fix cooldown mechanism
        usb: host: fsl-mph-dr-of: check return of dma_set_mask()
        usb: fix kernel-doc markups
        usb: typec: stusb160x: fix some signedness bugs
        usb: cdns3: Variable 'length' set but not used
    • 
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 2d38c80d
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "ARM:
         - selftest fix
         - force PTE mapping on device pages provided via VFIO
         - fix detection of cacheable mapping at S2
         - fallback to PMD/PTE mappings for composite huge pages
         - fix accounting of Stage-2 PGD allocation
         - fix AArch32 handling of some of the debug registers
         - simplify host HYP entry
         - fix stray pointer conversion on nVHE TLB invalidation
         - fix initialization of the nVHE code
         - simplify handling of capabilities exposed to HYP
         - nuke VCPUs caught using a forbidden AArch32 EL0
      
        x86:
         - new nested virtualization selftest
         - miscellaneous fixes
         - make W=1 fixes
         - reserve new CPUID bit in the KVM leaves"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: vmx: remove unused variable
        KVM: selftests: Don't require THP to run tests
        KVM: VMX: eVMCS: make evmcs_sanitize_exec_ctrls() work again
        KVM: selftests: test behavior of unmapped L2 APIC-access address
        KVM: x86: Fix NULL dereference at kvm_msr_ignored_check()
        KVM: x86: replace static const variables with macros
        KVM: arm64: Handle Asymmetric AArch32 systems
        arm64: cpufeature: upgrade hyp caps to final
        arm64: cpufeature: reorder cpus_have_{const, final}_cap()
        KVM: arm64: Factor out is_{vhe,nvhe}_hyp_code()
        KVM: arm64: Force PTE mapping on fault resulting in a device mapping
        KVM: arm64: Use fallback mapping sizes for contiguous huge page sizes
        KVM: arm64: Fix masks in stage2_pte_cacheable()
        KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR
        KVM: arm64: Allocate stage-2 pgd pages with GFP_KERNEL_ACCOUNT
        KVM: arm64: Drop useless PAN setting on host EL1 to EL2 transition
        KVM: arm64: Remove leftover kern_hyp_va() in nVHE TLB invalidation
        KVM: arm64: Don't corrupt tpidr_el2 on failed HVC call
        x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID
  4. 31 Oct, 2020 8 commits
  5. 30 Oct, 2020 16 commits