Commit 98008e29 authored by Ben Hutchings

Merge tag 'debian/4.19.20-1'

Release linux (4.19.20-1).
parents 1a811f45 9050e91a
......@@ -52,7 +52,7 @@ linux (4.20-1~exp1) experimental; urgency=medium
-- Ben Hutchings <ben@decadent.org.uk> Mon, 24 Dec 2018 04:26:47 +0000
linux (4.19.20-1) UNRELEASED; urgency=medium
linux (4.19.20-1) unstable; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.17
......@@ -62,6 +62,14 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
- tty: Don't hold ldisc lock in tty_reopen() if ldisc present
- can: gw: ensure DLC boundaries after CAN frame modification
(CVE-2019-3701)
- netfilter: nf_conncount: don't skip eviction when age is negative
- netfilter: nf_conncount: split gc in two phases
- netfilter: nf_conncount: restart search when nodes have been erased
(Closes: #921616)
- netfilter: nf_conncount: merge lookup and add functions
- netfilter: nf_conncount: move all list iterations under spinlock
- netfilter: nf_conncount: speculative garbage collection on empty lists
- netfilter: nf_conncount: fix argument order to find_next_bit
- [arm64] mmc: sdhci-msm: Disable CDR function on TX
- Revert "scsi: target: iscsi: cxgbit: fix csk leak"
- scsi: target: iscsi: cxgbit: fix csk leak
......@@ -160,7 +168,8 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
- [mips] SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
- [arm64] perf: set suppress_bind_attrs flag to true
- drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
- [arm64] clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
- [arm64] clk: meson: meson8b: fix incorrect divider mapping in
cpu_scale_table
- samples: bpf: fix: error handling regarding kprobe_events
- usb: gadget: udc: renesas_usb3: add a safety connection way for
forced_b_device
......@@ -437,15 +446,92 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
* debian/tests/python: Fix spurious failure due to misuse of stderr
* Update "Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for ..."
to not duplicate the conditional warning/error
* Bump ABI to 3
* drivers/firmware: Enable FW_CFG_SYSFS as module (Closes: #882208)
* [arm64,armhf,ia64,riscv64,sparc64] udeb: Add usb-serial-modules
(Closes: #903824)
* [powerpc*,sparc64] udeb: Add nic-usb-modules
* [armhf,riscv64,s390x] udeb: Add cdrom-core-modules
* 9p: Enable NET_9P_XEN as module
* ACPI: Enable ACPI_TAD as module
* amd-xgbe: Enable AMD_XGBE_DCB
* ath9k: Enable ATH9K_CHANNEL_CONTEXT
* block: Enable BLK_DEV_ZONED (except armel/marvell)
* bluetooth: Enable BT_HCIUART_RTL; BT_HCIUART_NOKIA, BT_MTKUART as modules
* bnxt: Enable BNXT_DCB
* ethernet: Enable HINIC, ICE, LAN743X, LIQUIDIO_VF as modules
* can: Enable CAN_VXCAN, CAN_MCBA_USB, CAN_UCAN as modules
* dm: Enable DM_UNSTRIPED, DM_WRITECACHE, DM_ZONED as modules
* [arm64,armhf] drm: Enable DRM_PANEL_RASPBERRYPI_TOUCHSCREEN as module
* dvb-usb-v2: Enable DVB_USB_ZD1301 as module
* gnss: Enable GNSS, GNSS_SIRF_SERIAL, GNSS_UBX_SERIAL as modules
* gpio: Enable GPIO_EXAR, GPIO_PCI_IDIO_16, GPIO_PCIE_IDIO_24 as modules
* HID: Enable HID_ACCUTOUCH, HID_COUGAR, HID_ELAN, HID_ITE, HID_JABRA,
HID_MAYFLASH, HID_REDRAGON, HID_RETRODE, HID_STEAM, HID_UDRAW_PS3 as
modules
* [x86] i2c: Enable I2C_DESIGNWARE_BAYTRAIL
* IB: Enable CGROUP_RDMA (except armel/marvell)
* ieee802154: Enable IEEE802154_HWSIM as module
* inet: Enable INET_RAW_DIAG as module
* input: Enable INPUT_AXP20X_PEK as module
* IPMI: Enable IPMI_SSIF as module
* joystick: Enable JOYSTICK_PXRC as module
* media/rc: Enable IR_IMON_DECODER, IR_IMON_RAW as modules
* [x86] mfd: Enable INTEL_SOC_PMIC_BXTWC, INTEL_SOC_PMIC_CHTDC_TI as modules
* mlx5: Enable MLX5_FPGA, MLX5_CORE_IPOIB; MLXFW as module
* net: Enable BPF_STREAM_PARSER, XDP_SOCKETS (except armel/marvell)
(Closes: #908860); NET_FAILOVER, SMC, SMC_DIAG, VSOCKMON as modules
* net/phy: Enable LED_TRIGGER_PHY; CORTINA_PHY, DP83822_PHY, DP83TC811_PHY,
MARVELL_10G_PHY, MICROCHIP_T1_PHY, RENESAS_PHY, ROCKCHIP_PHY as modules
* net/sched: Enable NET_SCH_CBS, NET_SCH_ETF, NET_SCH_SKBPRIO, NET_EMATCH_IPT
as modules
* PCMCIA: Enable SCR24X as module
* [x86] pinctrl: Enable PINCTRL_CANNONLAKE, PINCTRL_CEDARFORK,
PINCTRL_DENVERTON, PINCTRL_GEMINILAKE, PINCTRL_ICELAKE, PINCTRL_LEWISBURG
* [x86] rmi4: Re-enable RMI4_CORE, RMI4_SMB as modules (Closes: #875621);
RMI4_F03, RMI4_F11, RMI4_F12, RMI4_F30, RMI4_F34, RMI4_F55
* xfrm: Enable XFRM_INTERFACE as module
* PCI: Enable PCI_PF_STUB as module
* ptp: Change PTP_1588_CLOCK_KVM from built-in to module
* random: Enable RANDOM_TRUST_CPU. This can be reverted using the kernel
parameter: random.trust_cpu=off
* SCSI: Enable QEDF, QEDI as modules
* serial: Enable SERIAL_8250_EXAR, USB_SERIAL_F8153X, USB_SERIAL_UPD78F0730
as modules
* sound: Enable SND_FIREWIRE_MOTU, SND_FIREFACE, SND_XEN_FRONTEND as modules
* [x86] sound: Enable SND_SOC_AMD_CZ_DA7219MX98357_MACH,
SND_SOC_AMD_CZ_RT5645_MACH, SND_SOC_INTEL_CHT_BSW_NAU8824_MACH,
SND_SOC_INTEL_BYT_CHT_DA7213_MACH, SND_SOC_INTEL_KBL_RT5663_MAX98927_MACH,
SND_SOC_INTEL_KBL_RT5663_RT5514_MAX98927_MACH,
SND_SOC_INTEL_KBL_DA7219_MAX98357A_MACH,
SND_SOC_INTEL_GLK_RT5682_MAX98357A_MACH as modules
* thermal: Enable DEVFREQ_THERMAL, THERMAL_STATISTICS
* tpm: Enable TCG_TIS_SPI, TCG_VTPM_PROXY as modules
* usbtouchscreen: Enable TOUCHSCREEN_USB_EASYTOUCH
* watchdog: Enable WATCHDOG_PRETIMEOUT_GOV, WATCHDOG_PRETIMEOUT_GOV_NOOP,
WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP; WATCHDOG_PRETIMEOUT_GOV_PANIC,
WDAT_WDT as modules
* [x86] watchdog: Enable INTEL_MEI_WDT, NI903X_WDT, NIC7018_WDT as modules
* wireless: Enable MT76x0U, MT76x2E, MT76x2U, QTNFMAC_PEARL_PCIE as modules
(Closes: #918331)
* zram: Enable ZRAM_WRITEBACK, ZRAM_MEMORY_TRACKING
* udeb: Add scsi-nic-modules containing Chelsio and Qlogic iSCSI/FC drivers
[ Marcin Juszkiewicz ]
* [arm64] enable ARM_CCI_PMU so ARM_CCI400_PMU and ARM_CCI5xx_PMU options
get really enabled.
* [arm64] enable PCI_PRI, PCI_PASID as PCI can be behind IOMMU in servers.
* udeb: Add virtio-gpu into d-i to get graphical output in VM instances.
* [arm64] Enable ARM64_ERRATUM_843419 (Closes: #920866)
[ Salvatore Bonaccorso ]
* [x86] kvmclock: set offset for kvm unstable clock (Closes: #918036)
* kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
* [x86] KVM: work around leak of uninitialized stack contents
(CVE-2019-7222)
* [x86] KVM: nVMX: unconditionally cancel preemption timer in free_nested
(CVE-2019-7221)
* HID: debug: fix the ring buffer implementation (CVE-2019-3819)
[ Hideki Yamane ]
* [x86] Enable Touchpad support on Gemini Lake via CONFIG_PINCTRL_GEMINILAKE
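Review bot: the RANDOM_TRUST_CPU entry documents the opt-out but not what is being opted into; it should say that the option credits the CPU vendor's hardware RNG output as entropy when seeding the CRNG at boot, which is why a system that does not want to trust that RNG needs random.trust_cpu=off. Secondly, the "Bump ABI to 3" entry is the one that covers the layout change to struct hid_debug_list made by the CVE-2019-3819 patch further down (hid_debug_buf/head/tail replaced by a kfifo in include/linux/hid-debug.h); stating that link in the patch header would keep the ABI bump from looking unrelated to the security fixes.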
......@@ -457,6 +543,8 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
* net: can: Enable CONFIG_CAN_PEAK_PCIEFD for a PCI express CAN Bus adapter
(Closes: #920809)
* [armhf] Enable CONFIG_SENSORS_LM75 for armhf (Closes: #918114)
* [armhf] Enable CONFIG_IMX_THERMAL for armhf (Closes: #883023)
* [arm64] Enable CONFIG_ARM_ARMADA_37XX_CPUFREQ for arm64 (Closes: #917939)
[ Vagrant Cascadian ]
* [armhf] Enable CONFIG_MMC_SDHCI_OMAP=m, used on DRA7 and related SoCs.
......@@ -465,7 +553,7 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
* [armel] add spi-orion to mtd.udeb to be able to access spi flash on e.g.
qnap ts-21x. (Closes: #920607)
-- Luca Boccassi <bluca@debian.org> Fri, 18 Jan 2019 19:09:06 +0000
-- Ben Hutchings <ben@decadent.org.uk> Mon, 11 Feb 2019 16:55:59 +0000
linux (4.19.16-1) unstable; urgency=medium
......@@ -3,8 +3,7 @@
##
CONFIG_PCI=y
CONFIG_ARM64_ERRATUM_834220=y
#. Until we decide how/whether to handle this in userland as well
# CONFIG_ARM64_ERRATUM_843419 is not set
CONFIG_ARM64_ERRATUM_843419=y
## choice: Virtual address space size
CONFIG_ARM64_VA_BITS_48=y
## end choice
......@@ -174,6 +173,7 @@ CONFIG_CPUFREQ_DT=m
## file: drivers/cpufreq/Kconfig.arm
##
CONFIG_ACPI_CPPC_CPUFREQ=m
CONFIG_ARM_ARMADA_37XX_CPUFREQ=m
##
## file: drivers/cpuidle/Kconfig.arm
......@@ -309,6 +309,7 @@ CONFIG_NOUVEAU_PLATFORM_DRIVER=y
## file: drivers/gpu/drm/panel/Kconfig
##
CONFIG_DRM_PANEL_SIMPLE=m
CONFIG_DRM_PANEL_RASPBERRYPI_TOUCHSCREEN=m
##
## file: drivers/gpu/drm/rockchip/Kconfig
......@@ -86,6 +86,7 @@ CONFIG_ARM_THUMB=y
##
## file: block/Kconfig
##
# CONFIG_BLK_DEV_ZONED is not set
# CONFIG_BLK_SED_OPAL is not set
##
......@@ -733,6 +734,7 @@ CONFIG_NLS=m
#. Saves about 7K
# CONFIG_MEMCG is not set
# CONFIG_CFS_BANDWIDTH is not set
# CONFIG_CGROUP_RDMA is not set
# CONFIG_CGROUP_BPF is not set
# CONFIG_CHECKPOINT_RESTORE is not set
## choice: Compiler optimization level
......@@ -788,6 +790,7 @@ CONFIG_FLATMEM_MANUAL=y
##
#. Saves about 3K
# CONFIG_BPF_JIT is not set
# CONFIG_BPF_STREAM_PARSER is not set
# CONFIG_LWTUNNEL is not set
##
......@@ -826,6 +829,11 @@ CONFIG_IPV6=m
##
CONFIG_PACKET=m
##
## file: net/xdp/Kconfig
##
# CONFIG_XDP_SOCKETS is not set
##
## file: security/integrity/Kconfig
##
......@@ -357,6 +357,7 @@ CONFIG_OMAP2_DSS_DSI=y
## file: drivers/gpu/drm/panel/Kconfig
##
CONFIG_DRM_PANEL_SIMPLE=m
CONFIG_DRM_PANEL_RASPBERRYPI_TOUCHSCREEN=m
##
## file: drivers/gpu/drm/rockchip/Kconfig
......@@ -1118,6 +1119,7 @@ CONFIG_SND_BCM2835=m
##
## file: drivers/thermal/Kconfig
##
CONFIG_IMX_THERMAL=m
CONFIG_ROCKCHIP_THERMAL=m
CONFIG_DOVE_THERMAL=m
CONFIG_ARMADA_THERMAL=y
......@@ -10,6 +10,7 @@ CONFIG_REFCOUNT_FULL=y
CONFIG_ZONE_DMA=y
CONFIG_X86_MPPARSE=y
CONFIG_RETPOLINE=y
# CONFIG_INTEL_RDT is not set
# CONFIG_X86_EXTENDED_PLATFORM is not set
CONFIG_X86_INTEL_LPSS=y
CONFIG_X86_AMD_PLATFORM_DEVICE=y
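Review bot: "# CONFIG_INTEL_RDT is not set" is added here with no entry in the changelog hunks shown and no rationale comment, while the other deliberately disabled options in these config files carry a "#." line explaining the choice (e.g. "#. Saves about 7K" above CONFIG_MEMCG). If leaving the resctrl interface out is intentional, add the same kind of one-line comment above it so the next person touching the x86 config does not flip it back by accident.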
......@@ -684,6 +685,7 @@ CONFIG_I2C_SCMI=m
#. Sony Vaio Duo 13".
CONFIG_I2C_DESIGNWARE_PLATFORM=m
CONFIG_I2C_DESIGNWARE_PCI=m
CONFIG_I2C_DESIGNWARE_BAYTRAIL=y
CONFIG_I2C_KEMPLD=m
CONFIG_I2C_PARPORT=m
CONFIG_I2C_PARPORT_LIGHT=m
......@@ -800,6 +802,12 @@ CONFIG_MOUSE_ELAN_I2C_I2C=y
CONFIG_MOUSE_ELAN_I2C_SMBUS=y
CONFIG_MOUSE_VSXXXAA=m
##
## file: drivers/input/rmi4/Kconfig
##
CONFIG_RMI4_CORE=m
CONFIG_RMI4_SMB=m
##
## file: drivers/input/serio/Kconfig
##
......@@ -812,6 +820,7 @@ CONFIG_SERIO_PCIPS2=m
CONFIG_SERIO_LIBPS2=y
CONFIG_SERIO_RAW=m
CONFIG_HYPERV_KEYBOARD=m
# CONFIG_SERIO_GPIO_PS2 is not set
##
## file: drivers/input/touchscreen/Kconfig
......@@ -925,7 +934,9 @@ CONFIG_VIDEO_TM6000_DVB=m
CONFIG_MFD_AXP20X_I2C=m
# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
CONFIG_LPC_ICH=m
CONFIG_INTEL_SOC_PMIC_BXTWC=m
CONFIG_INTEL_SOC_PMIC_CHTWC=y
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
CONFIG_MFD_INTEL_LPSS_ACPI=m
CONFIG_MFD_INTEL_LPSS_PCI=m
CONFIG_MFD_KEMPLD=m
......@@ -1356,7 +1367,12 @@ CONFIG_PINCTRL_AMD=y
CONFIG_PINCTRL_BAYTRAIL=y
CONFIG_PINCTRL_CHERRYVIEW=y
CONFIG_PINCTRL_BROXTON=y
CONFIG_PINCTRL_CANNONLAKE=y
CONFIG_PINCTRL_CEDARFORK=y
CONFIG_PINCTRL_DENVERTON=y
CONFIG_PINCTRL_GEMINILAKE=y
CONFIG_PINCTRL_ICELAKE=y
CONFIG_PINCTRL_LEWISBURG=y
CONFIG_PINCTRL_SUNRISEPOINT=y
##
......@@ -1459,6 +1475,7 @@ CONFIG_INTEL_RAPL=m
## file: drivers/ptp/Kconfig
##
CONFIG_PTP_1588_CLOCK_PCH=m
CONFIG_PTP_1588_CLOCK_KVM=m
##
## file: drivers/pwm/Kconfig
......@@ -1886,6 +1903,9 @@ CONFIG_W83627HF_WDT=m
CONFIG_W83877F_WDT=m
CONFIG_W83977F_WDT=m
CONFIG_MACHZ_WDT=m
CONFIG_INTEL_MEI_WDT=m
CONFIG_NI903X_WDT=m
CONFIG_NIC7018_WDT=m
CONFIG_PCIPCWATCHDOG=m
CONFIG_WDTPCI=m
CONFIG_USBPCWATCHDOG=m
......@@ -2061,6 +2081,8 @@ CONFIG_SND_SOC=m
## file: sound/soc/amd/Kconfig
##
CONFIG_SND_SOC_AMD_ACP=m
CONFIG_SND_SOC_AMD_CZ_DA7219MX98357_MACH=m
CONFIG_SND_SOC_AMD_CZ_RT5645_MACH=m
##
## file: sound/soc/codecs/Kconfig
......@@ -2074,6 +2096,7 @@ CONFIG_SND_SOC_INTEL_SST_TOPLEVEL=y
CONFIG_SND_SOC_INTEL_HASWELL=m
#. Cannot be enabled together with SND_SST_ATOM_HIFI2_PLATFORM_ACPI
# CONFIG_SND_SOC_INTEL_BAYTRAIL is not set
# CONFIG_SND_SST_ATOM_HIFI2_PLATFORM_PCI is not set
CONFIG_SND_SST_ATOM_HIFI2_PLATFORM_ACPI=m
CONFIG_SND_SOC_INTEL_SKYLAKE=m
......@@ -2088,12 +2111,19 @@ CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m
CONFIG_SND_SOC_INTEL_CHT_BSW_RT5672_MACH=m
CONFIG_SND_SOC_INTEL_CHT_BSW_RT5645_MACH=m
CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH=m
CONFIG_SND_SOC_INTEL_CHT_BSW_NAU8824_MACH=m
CONFIG_SND_SOC_INTEL_BYT_CHT_DA7213_MACH=m
CONFIG_SND_SOC_INTEL_BYT_CHT_ES8316_MACH=m
# CONFIG_SND_SOC_INTEL_BYT_CHT_NOCODEC_MACH is not set
CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m
CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m
CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m
# CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH is not set
# CONFIG_SND_SOC_INTEL_BXT_RT298_MACH is not set
CONFIG_SND_SOC_INTEL_KBL_RT5663_MAX98927_MACH=m
CONFIG_SND_SOC_INTEL_KBL_RT5663_RT5514_MAX98927_MACH=m
CONFIG_SND_SOC_INTEL_KBL_DA7219_MAX98357A_MACH=m
CONFIG_SND_SOC_INTEL_GLK_RT5682_MAX98357A_MACH=m
##
## file: sound/x86/Kconfig
......@@ -19,11 +19,12 @@ virtio_scsi -
# Exclude PCMCIA drivers, which depend on pcmcia-modules (FIXME)
drivers/scsi/pcmcia/* -
# Exclude Chelsio iSCSI drivers, which depend on the corresponding Ethernet
# drivers in nic-modules (FIXME)
# Exclude drivers for converged NICs, packaged in scsi-nic-modules
drivers/scsi/cxgbi/* -
cxgb3i -
cxgb4i -
qedf -
qedi -
# Exclude enclosure driver
ses -
......@@ -100,6 +100,12 @@ Priority: standard
Description: SCSI drivers
This package contains SCSI drivers for the kernel.
Package: scsi-nic-modules
Depends: scsi-modules, nic-modules
Priority: optional
Description: SCSI drivers for converged NICs
This package contains SCSI drivers that depend on net drivers.
Package: loop-modules
Depends: kernel-image
Priority: standard
From: Vladis Dronov <vdronov@redhat.com>
Date: Tue, 29 Jan 2019 11:58:35 +0100
Subject: HID: debug: fix the ring buffer implementation
Origin: https://git.kernel.org/linus/13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3819
Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
is strange, allowing lost or corrupted data. After commit 717adfdaf147
("HID: debug: check length before copy_to_user()") it is possible to enter
an infinite loop in hid_debug_events_read() by providing 0 as count, this
locks up a system. Fix this by rewriting the ring buffer implementation
with kfifo and simplify the code.
This fixes CVE-2019-3819.
v2: fix the execution logic and add a comment
v3: use __set_current_state() instead of set_current_state()
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
Cc: stable@vger.kernel.org # v4.18+
Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
---
drivers/hid/hid-debug.c | 120 ++++++++++++++++++----------------------------
include/linux/hid-debug.h | 9 ++--
2 files changed, 51 insertions(+), 78 deletions(-)
diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
index c530476edba6..ac9fda1b5a72 100644
--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
@@ -30,6 +30,7 @@
#include <linux/debugfs.h>
#include <linux/seq_file.h>
+#include <linux/kfifo.h>
#include <linux/sched/signal.h>
#include <linux/export.h>
#include <linux/slab.h>
@@ -661,17 +662,12 @@ EXPORT_SYMBOL_GPL(hid_dump_device);
/* enqueue string to 'events' ring buffer */
void hid_debug_event(struct hid_device *hdev, char *buf)
{
- unsigned i;
struct hid_debug_list *list;
unsigned long flags;
spin_lock_irqsave(&hdev->debug_list_lock, flags);
- list_for_each_entry(list, &hdev->debug_list, node) {
- for (i = 0; buf[i]; i++)
- list->hid_debug_buf[(list->tail + i) % HID_DEBUG_BUFSIZE] =
- buf[i];
- list->tail = (list->tail + i) % HID_DEBUG_BUFSIZE;
- }
+ list_for_each_entry(list, &hdev->debug_list, node)
+ kfifo_in(&list->hid_debug_fifo, buf, strlen(buf));
spin_unlock_irqrestore(&hdev->debug_list_lock, flags);
wake_up_interruptible(&hdev->debug_wait);
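Review bot: the return value of kfifo_in() on the new list_for_each_entry() body is discarded, so when a reader's 512-byte fifo is full the event is silently truncated or dropped rather than overwriting older data as the old head/tail code did. That is the better behaviour for a debugfs event stream, but a one-line comment saying drops are intentional would stop the next reader from filing it as a bug; if it ever matters, the number of bytes actually queued is right there to count or log.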
@@ -722,8 +718,7 @@ void hid_dump_input(struct hid_device *hdev, struct hid_usage *usage, __s32 valu
hid_debug_event(hdev, buf);
kfree(buf);
- wake_up_interruptible(&hdev->debug_wait);
-
+ wake_up_interruptible(&hdev->debug_wait);
}
EXPORT_SYMBOL_GPL(hid_dump_input);
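Review bot: the wake_up_interruptible(&hdev->debug_wait) kept at the end of hid_dump_input() is redundant, because hid_debug_event() in the previous hunk already wakes the same queue right after it drops the spinlock. Since this hunk only moves a blank line, either drop the duplicate wake-up while you are here or leave these lines untouched to keep the diff minimal.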
@@ -1083,8 +1078,8 @@ static int hid_debug_events_open(struct inode *inode, struct file *file)
goto out;
}
- if (!(list->hid_debug_buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_KERNEL))) {
- err = -ENOMEM;
+ err = kfifo_alloc(&list->hid_debug_fifo, HID_DEBUG_FIFOSIZE, GFP_KERNEL);
+ if (err) {
kfree(list);
goto out;
}
@@ -1104,77 +1099,57 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
size_t count, loff_t *ppos)
{
struct hid_debug_list *list = file->private_data;
- int ret = 0, len;
+ int ret = 0, copied;
DECLARE_WAITQUEUE(wait, current);
mutex_lock(&list->read_mutex);
- while (ret == 0) {
- if (list->head == list->tail) {
- add_wait_queue(&list->hdev->debug_wait, &wait);
- set_current_state(TASK_INTERRUPTIBLE);
-
- while (list->head == list->tail) {
- if (file->f_flags & O_NONBLOCK) {
- ret = -EAGAIN;
- break;
- }
- if (signal_pending(current)) {
- ret = -ERESTARTSYS;
- break;
- }
+ if (kfifo_is_empty(&list->hid_debug_fifo)) {
+ add_wait_queue(&list->hdev->debug_wait, &wait);
+ set_current_state(TASK_INTERRUPTIBLE);
+
+ while (kfifo_is_empty(&list->hid_debug_fifo)) {
+ if (file->f_flags & O_NONBLOCK) {
+ ret = -EAGAIN;
+ break;
+ }
- if (!list->hdev || !list->hdev->debug) {
- ret = -EIO;
- set_current_state(TASK_RUNNING);
- goto out;
- }
+ if (signal_pending(current)) {
+ ret = -ERESTARTSYS;
+ break;
+ }
- /* allow O_NONBLOCK from other threads */
- mutex_unlock(&list->read_mutex);
- schedule();
- mutex_lock(&list->read_mutex);
- set_current_state(TASK_INTERRUPTIBLE);
+ /* if list->hdev is NULL we cannot remove_wait_queue().
+ * if list->hdev->debug is 0 then hid_debug_unregister()
+ * was already called and list->hdev is being destroyed.
+ * if we add remove_wait_queue() here we can hit a race.
+ */
+ if (!list->hdev || !list->hdev->debug) {
+ ret = -EIO;
+ set_current_state(TASK_RUNNING);
+ goto out;
}
- set_current_state(TASK_RUNNING);
- remove_wait_queue(&list->hdev->debug_wait, &wait);
+ /* allow O_NONBLOCK from other threads */
+ mutex_unlock(&list->read_mutex);
+ schedule();
+ mutex_lock(&list->read_mutex);
+ set_current_state(TASK_INTERRUPTIBLE);
}
- if (ret)
- goto out;
+ __set_current_state(TASK_RUNNING);
+ remove_wait_queue(&list->hdev->debug_wait, &wait);
- /* pass the ringbuffer contents to userspace */
-copy_rest:
- if (list->tail == list->head)
+ if (ret)
goto out;
- if (list->tail > list->head) {
- len = list->tail - list->head;
- if (len > count)
- len = count;
-
- if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
- ret = -EFAULT;
- goto out;
- }
- ret += len;
- list->head += len;
- } else {
- len = HID_DEBUG_BUFSIZE - list->head;
- if (len > count)
- len = count;
-
- if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
- ret = -EFAULT;
- goto out;
- }
- list->head = 0;
- ret += len;
- count -= len;
- if (count > 0)
- goto copy_rest;
- }
-
}
+
+ /* pass the fifo content to userspace, locking is not needed with only
+ * one concurrent reader and one concurrent writer
+ */
+ ret = kfifo_to_user(&list->hid_debug_fifo, buffer, count, &copied);
+ if (ret)
+ goto out;
+ ret = copied;
out:
mutex_unlock(&list->read_mutex);
return ret;
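Review bot: the comment above kfifo_to_user() says locking is not needed "with only one concurrent reader and one concurrent writer", but that property is not intrinsic to this function; it comes from list->read_mutex, which is held across the call and serialises readers, and from hdev->debug_list_lock, which serialises writers in hid_debug_event(). Name both locks in the comment, since kfifo's lock-free guarantee is strictly single-producer/single-consumer and would break silently if a later change added an unlocked writer. Worth a second comment: a read with count == 0 now makes kfifo_to_user() copy nothing and return 0, which is what closes the infinite loop described in the message.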
@@ -1185,7 +1160,7 @@ static __poll_t hid_debug_events_poll(struct file *file, poll_table *wait)
struct hid_debug_list *list = file->private_data;
poll_wait(file, &list->hdev->debug_wait, wait);
- if (list->head != list->tail)
+ if (!kfifo_is_empty(&list->hid_debug_fifo))
return EPOLLIN | EPOLLRDNORM;
if (!list->hdev->debug)
return EPOLLERR | EPOLLHUP;
@@ -1200,7 +1175,7 @@ static int hid_debug_events_release(struct inode *inode, struct file *file)
spin_lock_irqsave(&list->hdev->debug_list_lock, flags);
list_del(&list->node);
spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags);
- kfree(list->hid_debug_buf);
+ kfifo_free(&list->hid_debug_fifo);
kfree(list);
return 0;
@@ -1246,4 +1221,3 @@ void hid_debug_exit(void)
{
debugfs_remove_recursive(hid_debug_root);
}
-
diff --git a/include/linux/hid-debug.h b/include/linux/hid-debug.h
index 8663f216c563..2d6100edf204 100644
--- a/include/linux/hid-debug.h
+++ b/include/linux/hid-debug.h
@@ -24,7 +24,10 @@
#ifdef CONFIG_DEBUG_FS
+#include <linux/kfifo.h>
+
#define HID_DEBUG_BUFSIZE 512
+#define HID_DEBUG_FIFOSIZE 512
void hid_dump_input(struct hid_device *, struct hid_usage *, __s32);
void hid_dump_report(struct hid_device *, int , u8 *, int);
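Review bot: HID_DEBUG_BUFSIZE stays defined next to the new HID_DEBUG_FIFOSIZE with the same value 512; add a comment saying which buffer each one sizes (HID_DEBUG_FIFOSIZE is the per-reader kfifo allocated in hid_debug_events_open()) so nobody later "deduplicates" the two or resizes one expecting the other to follow.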
@@ -37,11 +40,8 @@ void hid_debug_init(void);
void hid_debug_exit(void);
void hid_debug_event(struct hid_device *, char *);
-
struct hid_debug_list {
- char *hid_debug_buf;
- int head;
- int tail;
+ DECLARE_KFIFO_PTR(hid_debug_fifo, char);
struct fasync_struct *fasync;
struct hid_device *hdev;
struct list_head node;
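Review bot: replacing hid_debug_buf/head/tail with DECLARE_KFIFO_PTR changes the size and layout of struct hid_debug_list in a public header, so any out-of-tree module that embeds or walks it sees an ABI change. In this Debian upload that is what the "Bump ABI to 3" changelog entry covers; the patch header should say so, since nothing in the description mentions the header change.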
@@ -64,4 +64,3 @@ struct hid_debug_list {
#endif
#endif
-
--
2.11.0
From: Jann Horn <jannh@google.com>
Date: Sat, 26 Jan 2019 01:54:33 +0100
Subject: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
Origin: https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6974
kvm_ioctl_create_device() does the following:
1. creates a device that holds a reference to the VM object (with a borrowed
reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
reference
The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.
This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.
Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
virt/kvm/kvm_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 5ecea812cb6a..585845203db8 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
if (ops->init)
ops->init(dev);
+ kvm_get_kvm(kvm);
ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
if (ret < 0) {
+ kvm_put_kvm(kvm);
mutex_lock(&kvm->lock);
list_del(&dev->vm_node);
mutex_unlock(&kvm->lock);
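Review bot: the new kvm_put_kvm(kvm) on the failure path runs before mutex_lock(&kvm->lock) on the next line, which is only safe because the caller's VM file descriptor holds its own reference to kvm, so this put drops the count from at least 2 to at least 1 and cannot free the object that is about to be locked. A short comment stating that invariant would help, since the same put placed in kvm_device_release() is exactly what the message shows dropping the count to zero. The move of kvm_get_kvm() ahead of anon_inode_getfd() is the right fix: the device fd owns a real reference from the first moment userspace can see and close it.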
@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
return ret;
}
- kvm_get_kvm(kvm);
cd->fd = ret;
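The four-step ordering the commit message describes, modelled in user space as an added example (this is not kernel code and not part of the patch). A refcounted `struct vm` stands in for `struct kvm`, `vm_get`/`vm_put` for kvm_get_kvm()/kvm_put_kvm(), `install_fd`/`close_fd` for anon_inode_getfd() and the device fd's release, and the attacker's second thread closing the fd before the ioctl returns is simulated by a direct call. `GET_AFTER_INSTALL` is the pre-patch ordering, `GET_BEFORE_INSTALL` the patched one; the `freed` flag replaces kfree() so the model can report the use-after-free instead of triggering one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct kvm (constructed for this example). */
struct vm {
    int refcount;
    bool freed;      /* set when the count hits zero, instead of kfree() */
};

/* Stand-in for the kvm_device: points at the VM, initially with a borrowed
 * reference, i.e. the VM's refcount has not been bumped for it. */
struct device {
    struct vm *vm;
};

#define FD_MAX 4
static struct device *fd_table[FD_MAX];   /* the calling process's fd table */

static void vm_get(struct vm *vm) { vm->refcount++; }   /* kvm_get_kvm() */

static void vm_put(struct vm *vm)                       /* kvm_put_kvm() */
{
    if (--vm->refcount == 0)
        vm->freed = true;
}

/* anon_inode_getfd(): once the device sits in the fd table, any thread of
 * the process may close() it. Returns the fd, or -1 for EMFILE. */
static int install_fd(struct device *dev)
{
    for (int fd = 0; fd < FD_MAX; fd++) {
        if (!fd_table[fd]) {
            fd_table[fd] = dev;
            return fd;
        }
    }
    return -1;
}

/* kvm_device_release(): closing the device fd drops the VM reference the
 * device is assumed to own, whether or not that reference was ever taken. */
static void close_fd(int fd)
{
    struct device *dev = fd_table[fd];
    fd_table[fd] = NULL;
    vm_put(dev->vm);
}

enum get_order {
    GET_AFTER_INSTALL,   /* pre-patch: kvm_get_kvm() after anon_inode_getfd()  */
    GET_BEFORE_INSTALL   /* patched:   kvm_get_kvm() before anon_inode_getfd() */
};

/* Model of kvm_ioctl_create_device(). Returns the new fd (>= 0), -1 if the fd
 * could not be installed, or -2 if the VM was freed while the ioctl was still
 * using it (a use-after-free in the real kernel). */
static int create_device(struct vm *vm, struct device *dev, enum get_order order,
                         bool attacker_closes_early)
{
    dev->vm = vm;

    if (order == GET_BEFORE_INSTALL)
        vm_get(vm);

    int fd = install_fd(dev);
    if (fd < 0) {
        if (order == GET_BEFORE_INSTALL)
            vm_put(vm);          /* the patch's kvm_put_kvm() on the error path */
        return -1;
    }

    /* Race window: a second thread closes the fd it can already see. */
    if (attacker_closes_early)
        close_fd(fd);

    if (order == GET_AFTER_INSTALL) {
        if (vm->freed)
            return -2;           /* kvm_get_kvm() would touch freed memory */
        vm_get(vm);
    }
    return fd;
}

/* Runs one scenario on a fresh VM whose only reference is the caller's VM fd
 * (refcount 1). Returns create_device()'s result; final VM state goes to *out. */
static int run_scenario(enum get_order order, bool attacker_closes_early, struct vm *out)
{
    struct vm vm = { .refcount = 1, .freed = false };
    struct device dev;
    memset(fd_table, 0, sizeof(fd_table));

    int rc = create_device(&vm, &dev, order, attacker_closes_early);
    *out = vm;
    return rc;
}

int main(void)
{
    struct vm vm;
    int rc = run_scenario(GET_AFTER_INSTALL, true, &vm);
    printf("pre-patch, early close: rc=%d refcount=%d freed=%d\n", rc, vm.refcount, vm.freed);
    rc = run_scenario(GET_BEFORE_INSTALL, true, &vm);
    printf("patched,   early close: rc=%d refcount=%d freed=%d\n", rc, vm.refcount, vm.freed);
    return 0;
}
```

With the pre-patch order and an early close, the single put from the device fd takes the VM from 1 to 0 and the subsequent get runs on freed memory; with the patched order the device fd's put only returns the count to 1 and the VM outlives the ioctl, which is the whole content of the two-line fix.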