From 2ade0d60939bcd54197c133b03b460fe62a4ec47 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Mon, 8 Feb 2021 00:14:01 +0200 Subject: [PATCH 1/8] x86/sgx: Maintain encl->refcount for each encl->mm_list entry This has been shown in tests: [ +0.000008] WARNING: CPU: 3 PID: 7620 at kernel/rcu/srcutree.c:374 cleanup_srcu_struct+0xed/0x100 This is essentially a use-after free, although SRCU notices it as an SRCU cleanup in an invalid context. == Background == SGX has a data structure (struct sgx_encl_mm) which keeps per-mm SGX metadata. This is separate from struct sgx_encl because, in theory, an enclave can be mapped from more than one mm. sgx_encl_mm includes a pointer back to the sgx_encl. This means that sgx_encl must have a longer lifetime than all of the sgx_encl_mm's that point to it. That's usually the case: sgx_encl_mm is freed only after the mmu_notifier is unregistered in sgx_release(). However, there's a race. If the process is exiting, sgx_mmu_notifier_release() can be called in parallel with sgx_release() instead of being called *by* it. The mmu_notifier path keeps encl_mm alive past when sgx_encl can be freed. This inverts the lifetime rules and means that sgx_mmu_notifier_release() can access a freed sgx_encl. == Fix == Increase encl->refcount when encl_mm->encl is established. Release this reference when encl_mm is freed. This ensures that encl outlives encl_mm. [ bp: Massage commit message. ] Fixes: 1728ab54b4be ("x86/sgx: Add a page reclaimer") Reported-by: Haitao Huang Signed-off-by: Jarkko Sakkinen Signed-off-by: Borislav Petkov Acked-by: Dave Hansen Link: https://lkml.kernel.org/r/20210207221401.29933-1-jarkko@kernel.org --- arch/x86/kernel/cpu/sgx/driver.c | 3 +++ arch/x86/kernel/cpu/sgx/encl.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c index f2eac41bb4ff..8ce6d8371cfb 100644 --- a/arch/x86/kernel/cpu/sgx/driver.c +++ b/arch/x86/kernel/cpu/sgx/driver.c @@ -72,6 +72,9 @@ static int sgx_release(struct inode *inode, struct file *file) synchronize_srcu(&encl->srcu); mmu_notifier_unregister(&encl_mm->mmu_notifier, encl_mm->mm); kfree(encl_mm); + + /* 'encl_mm' is gone, put encl_mm->encl reference: */ + kref_put(&encl->refcount, sgx_encl_release); } kref_put(&encl->refcount, sgx_encl_release); diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index ee50a5010277..f65564a94b9b 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -481,6 +481,9 @@ static void sgx_mmu_notifier_free(struct mmu_notifier *mn) { struct sgx_encl_mm *encl_mm = container_of(mn, struct sgx_encl_mm, mmu_notifier); + /* 'encl_mm' is going away, put encl_mm->encl reference: */ + kref_put(&encl_mm->encl->refcount, sgx_encl_release); + kfree(encl_mm); } @@ -534,6 +537,8 @@ int sgx_encl_mm_add(struct sgx_encl *encl, struct mm_struct *mm) if (!encl_mm) return -ENOMEM; + /* Grab a refcount for the encl_mm->encl reference: */ + kref_get(&encl->refcount); encl_mm->encl = encl; encl_mm->mm = mm; encl_mm->mmu_notifier.ops = &sgx_mmu_notifier_ops; From 256b92af784d5043eeb7d559b6d5963dcc2ecb10 Mon Sep 17 00:00:00 2001 From: Borislav Petkov Date: Mon, 8 Feb 2021 16:43:30 +0100 Subject: [PATCH 2/8] x86/build: Disable CET instrumentation in the kernel for 32-bit too Commit 20bf2b378729 ("x86/build: Disable CET instrumentation in the kernel") disabled CET instrumentation which gets added by default by the Ubuntu gcc9 and 10 by default, but did that only for 64-bit builds. It would still fail when building a 32-bit target. So disable CET for all x86 builds. Fixes: 20bf2b378729 ("x86/build: Disable CET instrumentation in the kernel") Reported-by: AC Signed-off-by: Borislav Petkov Acked-by: Josh Poimboeuf Tested-by: AC Link: https://lkml.kernel.org/r/YCCIgMHkzh/xT4ex@arch-chirva.localdomain --- arch/x86/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/Makefile b/arch/x86/Makefile index 5857917f83ee..30920d70b48b 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -50,6 +50,9 @@ export BITS KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow KBUILD_CFLAGS += $(call cc-option,-mno-avx,) +# Intel CET isn't enabled in the kernel +KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none) + ifeq ($(CONFIG_X86_32),y) BITS := 32 UTS_MACHINE := i386 @@ -120,9 +123,6 @@ else KBUILD_CFLAGS += -mno-red-zone KBUILD_CFLAGS += -mcmodel=kernel - - # Intel CET isn't enabled in the kernel - KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none) endif ifdef CONFIG_X86_X32 From 70245f86c109e0eafb92ea9653184c0e44b4b35c Mon Sep 17 00:00:00 2001 From: Thomas Gleixner Date: Wed, 10 Feb 2021 16:27:41 +0100 Subject: [PATCH 3/8] x86/pci: Create PCI/MSI irqdomain after x86_init.pci.arch_init() Invoking x86_init.irqs.create_pci_msi_domain() before x86_init.pci.arch_init() breaks XEN PV. The XEN_PV specific pci.arch_init() function overrides the default create_pci_msi_domain() which is obviously too late. As a consequence the XEN PV PCI/MSI allocation goes through the native path which runs out of vectors and causes malfunction. Invoke it after x86_init.pci.arch_init(). Fixes: 6b15ffa07dc3 ("x86/irq: Initialize PCI/MSI domain at PCI init time") Reported-by: Juergen Gross Signed-off-by: Thomas Gleixner Tested-by: Juergen Gross Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/87pn18djte.fsf@nanos.tec.linutronix.de --- arch/x86/pci/init.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/arch/x86/pci/init.c b/arch/x86/pci/init.c index 00bfa1ebad6c..0bb3b8b44e4e 100644 --- a/arch/x86/pci/init.c +++ b/arch/x86/pci/init.c @@ -9,16 +9,23 @@ in the right sequence from here. */ static __init int pci_arch_init(void) { - int type; - - x86_create_pci_msi_domain(); + int type, pcbios = 1; type = pci_direct_probe(); if (!(pci_probe & PCI_PROBE_NOEARLY)) pci_mmcfg_early_init(); - if (x86_init.pci.arch_init && !x86_init.pci.arch_init()) + if (x86_init.pci.arch_init) + pcbios = x86_init.pci.arch_init(); + + /* + * Must happen after x86_init.pci.arch_init(). Xen sets up the + * x86_init.irqs.create_pci_msi_domain there. + */ + x86_create_pci_msi_domain(); + + if (!pcbios) return 0; pci_pcbios_init(); From 29500f15b54b63ad0ea60b58e85144262bd24df2 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Thu, 11 Feb 2021 15:14:16 +0900 Subject: [PATCH 4/8] kbuild: fix CONFIG_TRIM_UNUSED_KSYMS build for ppc64 Stephen Rothwell reported a build error on ppc64 when CONFIG_TRIM_UNUSED_KSYMS is enabled. Jessica Yu pointed out the cause of the error with the reference to the ppc64 ELF ABI: "Symbol names with a dot (.) prefix are reserved for holding entry point addresses. The value of a symbol named ".FN", if it exists, is the entry point of the function "FN". As it turned out, CONFIG_TRIM_UNUSED_KSYMS has never worked for ppc64, but this issue has been unnoticed until recently because this option depends on !UNUSED_SYMBOLS hence is disabled by all{mod,yes}config. (Then, it was uncovered by another patch removing UNUSED_SYMBOLS.) Removing the dot prefix in scripts/gen_autoksyms.sh fixes the issue. Please note it must be done before 'sort -u' because modules have both ._mcount and _mcount undefined when CONFIG_FUNCTION_TRACER=y. Link: https://lore.kernel.org/lkml/20210209210843.3af66662@canb.auug.org.au/ Reported-by: Stephen Rothwell Signed-off-by: Masahiro Yamada Tested-by: Jessica Yu --- scripts/gen_autoksyms.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/gen_autoksyms.sh b/scripts/gen_autoksyms.sh index 16c0b2ddaa4c..d54dfba15bf2 100755 --- a/scripts/gen_autoksyms.sh +++ b/scripts/gen_autoksyms.sh @@ -43,6 +43,9 @@ EOT sed 's/ko$/mod/' $modlist | xargs -n1 sed -n -e '2{s/ /\n/g;/^$/!p;}' -- | cat - "$ksym_wl" | +# Remove the dot prefix for ppc64; symbol names with a dot (.) hold entry +# point addresses. +sed -e 's/^\.//' | sort -u | sed -e 's/\(.*\)/#define __KSYM_\1 1/' >> "$output_file" From 27dad89bab2d71a8c4b13b497054db33d264b281 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Thu, 28 Jan 2021 09:51:03 +0900 Subject: [PATCH 5/8] sparc: remove wrong comment from arch/sparc/include/asm/Kbuild These are NOT exported to userspace. The headers listed in arch/sparc/include/uapi/asm/Kbuild are exported. Signed-off-by: Masahiro Yamada --- arch/sparc/include/asm/Kbuild | 2 -- 1 file changed, 2 deletions(-) diff --git a/arch/sparc/include/asm/Kbuild b/arch/sparc/include/asm/Kbuild index 3688fdae50e4..aec20406145e 100644 --- a/arch/sparc/include/asm/Kbuild +++ b/arch/sparc/include/asm/Kbuild @@ -1,6 +1,4 @@ # SPDX-License-Identifier: GPL-2.0 -# User exported sparc header files - generated-y += syscall_table_32.h generated-y += syscall_table_64.h generated-y += syscall_table_c32.h From fe968c41ac4f4ec9ffe3c4cf16b72285f5e9674f Mon Sep 17 00:00:00 2001 From: Rolf Eike Beer Date: Fri, 12 Feb 2021 08:22:27 +0100 Subject: [PATCH 6/8] scripts: set proper OpenSSL include dir also for sign-file Fixes: 2cea4a7a1885 ("scripts: use pkg-config to locate libcrypto") Signed-off-by: Rolf Eike Beer Cc: stable@vger.kernel.org # 5.6.x Signed-off-by: Masahiro Yamada --- scripts/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/Makefile b/scripts/Makefile index 9de3c03b94aa..c36106bce80e 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -17,6 +17,7 @@ hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include +HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS) HOSTLDLIBS_sign-file = $(CRYPTO_LIBS) HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS) HOSTLDLIBS_extract-cert = $(CRYPTO_LIBS) From dbeb02a0bc41b9e9b9c05e460890351efecf1352 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 4 Feb 2021 16:39:44 +0100 Subject: [PATCH 7/8] leds: rt8515: add V4L2_FLASH_LED_CLASS dependency The leds-rt8515 driver can optionall use the v4l2 flash led class, but it causes a link error when that class is in a loadable module and the rt8515 driver itself is built-in: ld.lld: error: undefined symbol: v4l2_flash_init >>> referenced by leds-rt8515.c >>> leds/flash/leds-rt8515.o:(rt8515_probe) in archive drivers/built-in.a Adding 'depends on V4L2_FLASH_LED_CLASS' in Kconfig would avoid that, but it would make it impossible to use the driver without the v4l2 support. Add the same dependency that the other users of this class have instead, which just prevents the broken configuration. Fixes: e1c6edcbea13 ("leds: rt8515: Add Richtek RT8515 LED driver") Signed-off-by: Arnd Bergmann Reviewed-by: Linus Walleij Signed-off-by: Pavel Machek --- drivers/leds/flash/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/leds/flash/Kconfig b/drivers/leds/flash/Kconfig index d21d273ef3da..b580b416b9a4 100644 --- a/drivers/leds/flash/Kconfig +++ b/drivers/leds/flash/Kconfig @@ -5,6 +5,7 @@ if LEDS_CLASS_FLASH config LEDS_RT8515 tristate "LED support for Richtek RT8515 flash/torch LED" depends on GPIOLIB + depends on V4L2_FLASH_LED_CLASS || !V4L2_FLASH_LED_CLASS help This option enables support for the Richtek RT8515 flash and torch LEDs found on some mobile phones. From f40ddce88593482919761f74910f42f4b84c004b Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Sun, 14 Feb 2021 14:32:24 -0800 Subject: [PATCH 8/8] Linux 5.11 --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ade44ac4cc2f..de1acaefe87e 100644 --- a/Makefile +++ b/Makefile @@ -2,8 +2,8 @@ VERSION = 5 PATCHLEVEL = 11 SUBLEVEL = 0 -EXTRAVERSION = -rc7 -NAME = Kleptomaniac Octopus +EXTRAVERSION = +NAME = 💕 Valentine's Day Edition 💕 # *DOCUMENTATION* # To see a list of typical targets execute "make help"