April 2021 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.12.1 release. There are 5 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 02 May 2021 14:19:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.1-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.12.1-rc1 Tomas Winkler <tomas.winkler(a)intel.com> mei: me: add Alder Lake P device id. Johannes Berg <johannes.berg(a)intel.com> cfg80211: fix locking in netlink owner interface destruction Jiri Kosina <jkosina(a)suse.cz> iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd() Oliver Neukum <oneukum(a)suse.com> USB: CDC-ACM: fix poison/unpoison imbalance Johan Hovold <johan(a)kernel.org> net: hso: fix NULL-deref on disconnect regression ------------- Diffstat: Makefile | 4 ++-- drivers/misc/mei/hw-me-regs.h | 1 + drivers/misc/mei/pci-me.c | 1 + drivers/net/usb/hso.c | 2 +- drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 7 ++++--- drivers/usb/class/cdc-acm.c | 3 ++- net/wireless/core.c | 21 ++++++++++++++++---- net/wireless/nl80211.c | 24 ++++++++++++++++++----- 8 files changed, 47 insertions(+), 16 deletions(-)

3 years

8
12
0 0

[PATCH 5.11 0/3] 5.11.18-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.11.18 release. There are 3 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 02 May 2021 14:19:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.11.18-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.11.18-rc1 Tomas Winkler <tomas.winkler(a)intel.com> mei: me: add Alder Lake P device id. Qingqing Zhuo <qingqing.zhuo(a)amd.com> drm/amd/display: Update modifier list for gfx10_3 Jiri Kosina <jkosina(a)suse.cz> iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd() ------------- Diffstat: Makefile | 4 ++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- drivers/misc/mei/hw-me-regs.h | 1 + drivers/misc/mei/pci-me.c | 1 + drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 7 ++++--- 5 files changed, 10 insertions(+), 7 deletions(-)

3 years

5
7
0 0

[PATCH 5.4 0/8] 5.4.116-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.116 release. There are 8 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 02 May 2021 14:19:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.116-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.116-rc1 Daniel Borkmann <daniel(a)iogearbox.net> bpf: Update selftests to reflect new error states Daniel Borkmann <daniel(a)iogearbox.net> bpf: Tighten speculative pointer arithmetic mask Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move sanitize_val_alu out of op switch Daniel Borkmann <daniel(a)iogearbox.net> bpf: Refactor and streamline bounds check into helper Daniel Borkmann <daniel(a)iogearbox.net> bpf: Improve verifier error messages for users Daniel Borkmann <daniel(a)iogearbox.net> bpf: Rework ptr_limit into alu_limit and add common error path Daniel Borkmann <daniel(a)iogearbox.net> bpf: Ensure off_reg has no mixed signed bounds for all types Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move off_reg into sanitize_ptr_alu ------------- Diffstat: Makefile | 4 +- kernel/bpf/verifier.c | 233 ++++++++++++++------- .../selftests/bpf/verifier/bounds_deduction.c | 21 +- .../bpf/verifier/bounds_mix_sign_unsign.c | 13 -- tools/testing/selftests/bpf/verifier/unpriv.c | 2 +- .../selftests/bpf/verifier/value_ptr_arith.c | 6 +- 6 files changed, 175 insertions(+), 104 deletions(-)

3 years

6
13
0 0

[RESEND][PATCH 1/2] keys: crypto: Replace BUG_ON() with WARN() in find_asymmetric_key()

by Andrew Zaborowski

From: Jarkko Sakkinen <jarkko(a)kernel.org> BUG_ON() should not be used in the kernel code, unless there are exceptional reasons to do so. Replace BUG_ON() with WARN() and return. Cc: stable(a)vger.kernel.org Fixes: b3811d36a3e7 ("KEYS: checking the input id parameters before finding asymmetric key") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- No changes from original submission by Jarkko. crypto/asymmetric_keys/asymmetric_type.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index ad8af3d70ac..a00bed3e04d 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -54,7 +54,10 @@ struct key *find_asymmetric_key(struct key *keyring, char *req, *p; int len; - BUG_ON(!id_0 && !id_1); + if (!id_0 && !id_1) { + WARN(1, "All ID's are NULL\n"); + return ERR_PTR(-EINVAL); + } if (id_0) { lookup = id_0->data; -- 2.27.0

3 years

1
0
0 0

[PATCH v2] iommu/vt-d: Force to flush iotlb before creating superpage

by Longpeng(Mike)

The translation caches may preserve obsolete data when the mapping size is changed, suppose the following sequence which can reveal the problem with high probability. 1.mmap(4GB,MAP_HUGETLB) 2. while (1) { (a) DMA MAP 0,0xa0000 (b) DMA UNMAP 0,0xa0000 (c) DMA MAP 0,0xc0000000 * DMA read IOVA 0 may failure here (Not present) * if the problem occurs. (d) DMA UNMAP 0,0xc0000000 } The page table(only focus on IOVA 0) after (a) is: PML4: 0x19db5c1003 entry:0xffff899bdcd2f000 PDPE: 0x1a1cacb003 entry:0xffff89b35b5c1000 PDE: 0x1a30a72003 entry:0xffff89b39cacb000 PTE: 0x21d200803 entry:0xffff89b3b0a72000 The page table after (b) is: PML4: 0x19db5c1003 entry:0xffff899bdcd2f000 PDPE: 0x1a1cacb003 entry:0xffff89b35b5c1000 PDE: 0x1a30a72003 entry:0xffff89b39cacb000 PTE: 0x0 entry:0xffff89b3b0a72000 The page table after (c) is: PML4: 0x19db5c1003 entry:0xffff899bdcd2f000 PDPE: 0x1a1cacb003 entry:0xffff89b35b5c1000 PDE: 0x21d200883 entry:0xffff89b39cacb000 (*) Because the PDE entry after (b) is present, it won't be flushed even if the iommu driver flush cache when unmap, so the obsolete data may be preserved in cache, which would cause the wrong translation at end. However, we can see the PDE entry is finally switch to 2M-superpage mapping, but it does not transform to 0x21d200883 directly: 1. PDE: 0x1a30a72003 2. __domain_mapping dma_pte_free_pagetable Set the PDE entry to ZERO Set the PDE entry to 0x21d200883 So we must flush the cache after the entry switch to ZERO to avoid the obsolete info be preserved. Cc: David Woodhouse <dwmw2(a)infradead.org> Cc: Lu Baolu <baolu.lu(a)linux.intel.com> Cc: Nadav Amit <nadav.amit(a)gmail.com> Cc: Alex Williamson <alex.williamson(a)redhat.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: Kevin Tian <kevin.tian(a)intel.com> Cc: Gonglei (Arei) <arei.gonglei(a)huawei.com> Fixes: 6491d4d02893 ("intel-iommu: Free old page tables before creating superpage") Cc: <stable(a)vger.kernel.org> # v3.0+ Link: https://lore.kernel.org/linux-iommu/670baaf8-4ff8-4e84-4be3-030b95ab5a5e@hu… Suggested-by: Lu Baolu <baolu.lu(a)linux.intel.com> Signed-off-by: Longpeng(Mike) <longpeng2(a)huawei.com> --- v1 -> v2: - add Joerg - reconstruct the solution base on the Baolu's suggestion --- drivers/iommu/intel/iommu.c | 52 +++++++++++++++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 14 deletions(-) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index ee09323..881c9f2 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -2289,6 +2289,41 @@ static inline int hardware_largepage_caps(struct dmar_domain *domain, return level; } +/* + * Ensure that old small page tables are removed to make room for superpage(s). + * We're going to add new large pages, so make sure we don't remove their parent + * tables. The IOTLB/devTLBs should be flushed if any PDE/PTEs are cleared. + */ +static void switch_to_super_page(struct dmar_domain *domain, + unsigned long start_pfn, + unsigned long end_pfn, int level) +{ + unsigned long lvl_pages = lvl_to_nr_pages(level); + struct dma_pte *pte = NULL; + int i; + + while (start_pfn <= end_pfn) { + if (!pte) + pte = pfn_to_dma_pte(domain, start_pfn, &level); + + if (dma_pte_present(pte)) { + dma_pte_free_pagetable(domain, start_pfn, + start_pfn + lvl_pages - 1, + level + 1); + + for_each_domain_iommu(i, domain) + iommu_flush_iotlb_psi(g_iommus[i], domain, + start_pfn, lvl_pages, + 0, 0); + } + + pte++; + start_pfn += lvl_pages; + if (first_pte_in_page(pte)) + pte = NULL; + } +} + static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn, unsigned long phys_pfn, unsigned long nr_pages, int prot) @@ -2329,22 +2364,11 @@ static inline int hardware_largepage_caps(struct dmar_domain *domain, return -ENOMEM; /* It is large page*/ if (largepage_lvl > 1) { - unsigned long nr_superpages, end_pfn; + unsigned long end_pfn; pteval |= DMA_PTE_LARGE_PAGE; - lvl_pages = lvl_to_nr_pages(largepage_lvl); - - nr_superpages = nr_pages / lvl_pages; - end_pfn = iov_pfn + nr_superpages * lvl_pages - 1; - - /* - * Ensure that old small page tables are - * removed to make room for superpage(s). - * We're adding new large pages, so make sure - * we don't remove their parent tables. - */ - dma_pte_free_pagetable(domain, iov_pfn, end_pfn, - largepage_lvl + 1); + end_pfn = ((iov_pfn + nr_pages) & level_mask(largepage_lvl)) - 1; + switch_to_super_page(domain, iov_pfn, end_pfn, largepage_lvl); } else { pteval &= ~(uint64_t)DMA_PTE_LARGE_PAGE; } -- 1.8.3.1

3 years

4
3
0 0

stable-rc/queue/5.10 baseline: 159 runs, 1 regressions (v5.10.33-2-g5543059a29e2)

by kernelci.org bot

stable-rc/queue/5.10 baseline: 159 runs, 1 regressions (v5.10.33-2-g5543059a29e2) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -----------+-------+---------+----------+-----------+------------ imx8mp-evk | arm64 | lab-nxp | gcc-8 | defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F5.10/kernel/v5.10.33… Test: baseline Tree: stable-rc Branch: queue/5.10 Describe: v5.10.33-2-g5543059a29e2 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 5543059a29e29c34b081a8a2656f573036e9d9d6 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -----------+-------+---------+----------+-----------+------------ imx8mp-evk | arm64 | lab-nxp | gcc-8 | defconfig | 1 Details: https://kernelci.org/test/plan/id/608c472ac2cbe7aed19b7795 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-8 (aarch64-linux-gnu-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/queue-5.10/v5.10.33-2-g5543059a29e2… HTML log: https://storage.kernelci.org//stable-rc/queue-5.10/v5.10.33-2-g5543059a29e2… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-5-g2f114cc7… * baseline.login: https://kernelci.org/test/case/id/608c472ac2cbe7aed19b7796 new failure (last pass: v5.10.33-1-gab3a0ce18e9e0)

3 years

1
0
0 0

[PATCH] cifs: fix automount regression of dfs links

by Paulo Alcantara

Unfortunately we can't kfree() the UNC and prefix paths in cifs_smb3_do_mount() because they could have come from a chased DFS referral (automount) and we rely on the new values set in cifs_sb->ctx prior to calling cifs_mount(). Instead, fix smb3_parse_devname() to not leak the UNC and prefix paths when parsing new share paths. Cc: <stable(a)vger.kernel.org> # v5.11+ Fixes: 315db9a05b7a ("cifs: fix leak in cifs_smb3_do_mount() ctx") Signed-off-by: Paulo Alcantara (SUSE) <pc(a)cjr.nz> --- fs/cifs/cifsfs.c | 6 ------ fs/cifs/connect.c | 10 +++++++--- fs/cifs/fs_context.c | 2 ++ 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 8a6894577697..bfe98136f9c1 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -863,12 +863,6 @@ cifs_smb3_do_mount(struct file_system_type *fs_type, goto out; } - /* cifs_setup_volume_info->smb3_parse_devname() redups UNC & prepath */ - kfree(cifs_sb->ctx->UNC); - cifs_sb->ctx->UNC = NULL; - kfree(cifs_sb->ctx->prepath); - cifs_sb->ctx->prepath = NULL; - rc = cifs_setup_volume_info(cifs_sb->ctx, NULL, old_ctx->UNC); if (rc) { root = ERR_PTR(rc); diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index becd5f807787..ee4a92cbcb29 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -3159,9 +3159,13 @@ static int do_dfs_failover(const char *path, const char *full_path, struct cifs_ int cifs_setup_volume_info(struct smb3_fs_context *ctx, const char *mntopts, const char *devname) { - int rc = 0; + int rc; - smb3_parse_devname(devname, ctx); + rc = smb3_parse_devname(devname, ctx); + if (rc) { + cifs_dbg(VFS, "%s: failed to parse %s: %d\n", __func__, devname, rc); + return rc; + } if (mntopts) { char *ip; @@ -3189,7 +3193,7 @@ cifs_setup_volume_info(struct smb3_fs_context *ctx, const char *mntopts, const c return -EINVAL; } - return rc; + return 0; } static int diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c index 1d6e0e15b034..b502a44e15a1 100644 --- a/fs/cifs/fs_context.c +++ b/fs/cifs/fs_context.c @@ -476,6 +476,7 @@ smb3_parse_devname(const char *devname, struct smb3_fs_context *ctx) /* move "pos" up to delimiter or NULL */ pos += len; + kfree(ctx->UNC); ctx->UNC = kstrndup(devname, pos - devname, GFP_KERNEL); if (!ctx->UNC) return -ENOMEM; @@ -490,6 +491,7 @@ smb3_parse_devname(const char *devname, struct smb3_fs_context *ctx) if (!*pos) return 0; + kfree(ctx->prepath); ctx->prepath = kstrdup(pos, GFP_KERNEL); if (!ctx->prepath) return -ENOMEM; -- 2.31.1

3 years

2
2
0 0

stable-rc/queue/4.19 baseline: 137 runs, 4 regressions (v4.19.189-1-gbab36f93665a6)

by kernelci.org bot

stable-rc/queue/4.19 baseline: 137 runs, 4 regressions (v4.19.189-1-gbab36f93665a6) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+------+---------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-baylibre | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-broonie | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-cip | gcc-8 | versatile_defconfig | 1 qemu_arm-versatilepb | arm | lab-collabora | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F4.19/kernel/v4.19.18… Test: baseline Tree: stable-rc Branch: queue/4.19 Describe: v4.19.189-1-gbab36f93665a6 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: bab36f93665a62ff5bdfd7359eeca2ff04b59147 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------------------+------+---------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-baylibre | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/608c352c64350e81f29b7795 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… HTML log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-5-g2f114cc7… * baseline.login: https://kernelci.org/test/case/id/608c352c64350e81f29b7796 failing since 167 days (last pass: v4.19.157-26-gd59f3161b3a0, first fail: v4.19.157-27-g5543cc2c41d55) platform | arch | lab | compiler | defconfig | regressions ---------------------+------+---------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-broonie | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/608c34625ece4de5c99b77c9 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… HTML log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-5-g2f114cc7… * baseline.login: https://kernelci.org/test/case/id/608c34625ece4de5c99b77ca failing since 167 days (last pass: v4.19.157-26-gd59f3161b3a0, first fail: v4.19.157-27-g5543cc2c41d55) platform | arch | lab | compiler | defconfig | regressions ---------------------+------+---------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-cip | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/608c3622b9cb1fc0879b7808 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… HTML log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-5-g2f114cc7… * baseline.login: https://kernelci.org/test/case/id/608c3622b9cb1fc0879b7809 failing since 167 days (last pass: v4.19.157-26-gd59f3161b3a0, first fail: v4.19.157-27-g5543cc2c41d55) platform | arch | lab | compiler | defconfig | regressions ---------------------+------+---------------+----------+---------------------+------------ qemu_arm-versatilepb | arm | lab-collabora | gcc-8 | versatile_defconfig | 1 Details: https://kernelci.org/test/plan/id/608c4c5b06bcd1b1939b77a0 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: versatile_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… HTML log: https://storage.kernelci.org//stable-rc/queue-4.19/v4.19.189-1-gbab36f93665… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-5-g2f114cc7… * baseline.login: https://kernelci.org/test/case/id/608c4c5b06bcd1b1939b77a1 failing since 167 days (last pass: v4.19.157-26-gd59f3161b3a0, first fail: v4.19.157-27-g5543cc2c41d55)

3 years

1
0
0 0

stable-rc/linux-5.10.y baseline: 161 runs, 1 regressions (v5.10.33-3-g9fe3189f108d)

by kernelci.org bot

stable-rc/linux-5.10.y baseline: 161 runs, 1 regressions (v5.10.33-3-g9fe3189f108d) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -----------+-------+---------+----------+-----------+------------ imx8mp-evk | arm64 | lab-nxp | gcc-8 | defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/linux-5.10.y/kernel/v5.10.33… Test: baseline Tree: stable-rc Branch: linux-5.10.y Describe: v5.10.33-3-g9fe3189f108d URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 9fe3189f108d04763059a2dc87e213f4e2064ec6 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -----------+-------+---------+----------+-----------+------------ imx8mp-evk | arm64 | lab-nxp | gcc-8 | defconfig | 1 Details: https://kernelci.org/test/plan/id/608c3e68be3d0a81999b77c0 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-8 (aarch64-linux-gnu-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/linux-5.10.y/v5.10.33-3-g9fe3189f10… HTML log: https://storage.kernelci.org//stable-rc/linux-5.10.y/v5.10.33-3-g9fe3189f10… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-5-g2f114cc7… * baseline.login: https://kernelci.org/test/case/id/608c3e68be3d0a81999b77c1 new failure (last pass: v5.10.33)

3 years

1
0
0 0

[PATCH v5 03/12] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

by Roberto Sassu

EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to temporarily disable metadata verification until all xattrs/attrs necessary to verify an EVM portable signature are copied to the file. This flag is cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is calculated on unverified xattrs/attrs. Currently EVM unnecessarily denies setting this flag if EVM is initialized with a public key, which is not a concern as it cannot be used to trust xattrs/attrs updates. This patch removes this limitation. Cc: stable(a)vger.kernel.org # 4.16.x Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu <roberto.sassu(a)huawei.com> --- Documentation/ABI/testing/evm | 5 +++-- security/integrity/evm/evm_secfs.c | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm index 3c477ba48a31..eb6d70fd6fa2 100644 --- a/Documentation/ABI/testing/evm +++ b/Documentation/ABI/testing/evm @@ -49,8 +49,9 @@ Description: modification of EVM-protected metadata and disable all further modification of policy - Note that once a key has been loaded, it will no longer be - possible to enable metadata modification. + Note that once an HMAC key has been loaded, it will no longer + be possible to enable metadata modification and, if it is + already enabled, it will be disabled. Until key loading has been signaled EVM can not create or validate the 'security.evm' xattr, but returns diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index bbc85637e18b..197a4b83e534 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -81,10 +81,10 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf, return -EINVAL; /* Don't allow a request to freshly enable metadata writes if - * keys are loaded. + * an HMAC key is loaded. */ if ((i & EVM_ALLOW_METADATA_WRITES) && - ((evm_initialized & EVM_KEY_MASK) != 0) && + ((evm_initialized & EVM_INIT_HMAC) != 0) && !(evm_initialized & EVM_ALLOW_METADATA_WRITES)) return -EPERM; -- 2.26.2

3 years

2
1
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2021