new file mode 100644

@@ -0,0 +1,305 @@

+From 84c4e1f89fefe70554da0ab33be72c9be7994379 Mon Sep 17 00:00:00 2001

+From: Linus Torvalds <torvalds@linux-foundation.org>

+Date: Sun, 3 Mar 2019 14:23:33 -0800

+Subject: aio: simplify - and fix - fget/fput for io_submit()

+

+commit 84c4e1f89fefe70554da0ab33be72c9be7994379 upstream.

+

+Al Viro root-caused a race where the IOCB_CMD_POLL handling of

+fget/fput() could cause us to access the file pointer after it had

+already been freed:

+

+ "In more details - normally IOCB_CMD_POLL handling looks so:

+

+   1) io_submit(2) allocates aio_kiocb instance and passes it to

+      aio_poll()

+

+   2) aio_poll() resolves the descriptor to struct file by req->file =

+      fget(iocb->aio_fildes)

+

+   3) aio_poll() sets ->woken to false and raises ->ki_refcnt of that

+      aio_kiocb to 2 (bumps by 1, that is).

+

+   4) aio_poll() calls vfs_poll(). After sanity checks (basically,

+      "poll_wait() had been called and only once") it locks the queue.

+      That's what the extra reference to iocb had been for - we know we

+      can safely access it.

+

+   5) With queue locked, we check if ->woken has already been set to

+      true (by aio_poll_wake()) and, if it had been, we unlock the

+      queue, drop a reference to aio_kiocb and bugger off - at that

+      point it's a responsibility to aio_poll_wake() and the stuff

+      called/scheduled by it. That code will drop the reference to file

+      in req->file, along with the other reference to our aio_kiocb.

+

+   6) otherwise, we see whether we need to wait. If we do, we unlock the

+      queue, drop one reference to aio_kiocb and go away - eventual

+      wakeup (or cancel) will deal with the reference to file and with

+      the other reference to aio_kiocb

+

+   7) otherwise we remove ourselves from waitqueue (still under the

+      queue lock), so that wakeup won't get us. No async activity will

+      be happening, so we can safely drop req->file and iocb ourselves.

+

+  If wakeup happens while we are in vfs_poll(), we are fine - aio_kiocb

+  won't get freed under us, so we can do all the checks and locking

+  safely. And we don't touch ->file if we detect that case.

+

+  However, vfs_poll() most certainly *does* touch the file it had been

+  given. So wakeup coming while we are still in ->poll() might end up

+  doing fput() on that file. That case is not too rare, and usually we

+  are saved by the still present reference from descriptor table - that

+  fput() is not the final one.

+

+  But if another thread closes that descriptor right after our fget()

+  and wakeup does happen before ->poll() returns, we are in trouble -

+  final fput() done while we are in the middle of a method:

+

+Al also wrote a patch to take an extra reference to the file descriptor

+to fix this, but I instead suggested we just streamline the whole file

+pointer handling by submit_io() so that the generic aio submission code

+simply keeps the file pointer around until the aio has completed.

+

+Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL")

+Acked-by: Al Viro <viro@zeniv.linux.org.uk>

+Reported-by: syzbot+503d4cc169fcec1cb18c@syzkaller.appspotmail.com

+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

+[ Srivatsa: Fixed accessing aio_fildes within iocb. ]

+Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>

+---

+

+ fs/aio.c           | 67 ++++++++++++++++++++++--------------------------------

+ include/linux/fs.h |  8 ++++++-

+ 2 files changed, 34 insertions(+), 41 deletions(-)

+

+diff --git a/fs/aio.c b/fs/aio.c

+index 45d5ef8..014d692 100644

+--- a/fs/aio.c

+@@ -161,9 +161,13 @@ struct kioctx {

+ 	unsigned		id;

+ };

+ 

++/*

++ * First field must be the file pointer in all the

++ * iocb unions! See also 'struct kiocb' in <linux/fs.h>

++ */

+ struct fsync_iocb {

+-	struct work_struct	work;

+ 	struct file		*file;

++	struct work_struct	work;

+ 	bool			datasync;

+ };

+ 

+@@ -177,8 +181,15 @@ struct poll_iocb {

+ 	struct work_struct	work;

+ };

+ 

++/*

++ * NOTE! Each of the iocb union members has the file pointer

++ * as the first entry in their struct definition. So you can

++ * access the file pointer through any of the sub-structs,

++ * or directly as just 'ki_filp' in this struct.

++ */

+ struct aio_kiocb {

+ 	union {

++		struct file		*ki_filp;

+ 		struct kiocb		rw;

+ 		struct fsync_iocb	fsync;

+ 		struct poll_iocb	poll;

+@@ -1054,6 +1065,8 @@ static inline void iocb_put(struct aio_kiocb *iocb)

+ {

+ 	if (refcount_read(&iocb->ki_refcnt) == 0 ||

+ 	    refcount_dec_and_test(&iocb->ki_refcnt)) {

++		if (iocb->ki_filp)

++			fput(iocb->ki_filp);

+ 		percpu_ref_put(&iocb->ki_ctx->reqs);

+ 		kmem_cache_free(kiocb_cachep, iocb);

+ 	}

+@@ -1412,7 +1425,6 @@ static void aio_complete_rw(struct kiocb *kiocb, long res, long res2)

+ 		file_end_write(kiocb->ki_filp);

+ 	}

+ 

+-	fput(kiocb->ki_filp);

+ 	aio_complete(iocb, res, res2);

+ }

+ 

+@@ -1420,9 +1432,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)

+ {

+ 	int ret;

+ 

+-	req->ki_filp = fget(iocb->aio_fildes);

+-	if (unlikely(!req->ki_filp))

+-		return -EBADF;

+ 	req->ki_complete = aio_complete_rw;

+ 	req->ki_pos = iocb->aio_offset;

+ 	req->ki_flags = iocb_flags(req->ki_filp);

+@@ -1438,7 +1447,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)

+ 		ret = ioprio_check_cap(iocb->aio_reqprio);

+ 		if (ret) {

+ 			pr_debug("aio ioprio check cap error: %d\n", ret);

+-			fput(req->ki_filp);

+ 			return ret;

+ 		}

+ 

+@@ -1447,8 +1455,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)

+ 		req->ki_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0);

+ 

+ 	ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags);

+-	if (unlikely(ret))

+-		fput(req->ki_filp);

+ 	return ret;

+ }

+ 

+@@ -1503,24 +1509,19 @@ static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored,

+ 	if (ret)

+ 		return ret;

+ 	file = req->ki_filp;

+-

+-	ret = -EBADF;

+ 	if (unlikely(!(file->f_mode & FMODE_READ)))

+-		goto out_fput;

++		return -EBADF;

+ 	ret = -EINVAL;

+ 	if (unlikely(!file->f_op->read_iter))

+-		goto out_fput;

++		return -EINVAL;

+ 

+ 	ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter);

+ 	if (ret)

+-		goto out_fput;

++		return ret;

+ 	ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter));

+ 	if (!ret)

+ 		aio_rw_done(req, call_read_iter(file, req, &iter));

+ 	kfree(iovec);

+-out_fput:

+-	if (unlikely(ret))

+-		fput(file);

+ 	return ret;

+ }

+ 

+@@ -1537,16 +1538,14 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored,

+ 		return ret;

+ 	file = req->ki_filp;

+ 

+-	ret = -EBADF;

+ 	if (unlikely(!(file->f_mode & FMODE_WRITE)))

+-		goto out_fput;

+-	ret = -EINVAL;

++		return -EBADF;

+ 	if (unlikely(!file->f_op->write_iter))

+-		goto out_fput;

++		return -EINVAL;

+ 

+ 	ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter);

+ 	if (ret)

+-		goto out_fput;

++		return ret;

+ 	ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter));

+ 	if (!ret) {

+ 		/*

+@@ -1564,9 +1563,6 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored,

+ 		aio_rw_done(req, call_write_iter(file, req, &iter));

+ 	}

+ 	kfree(iovec);

+-out_fput:

+-	if (unlikely(ret))

+-		fput(file);

+ 	return ret;

+ }

+ 

+@@ -1576,7 +1572,6 @@ static void aio_fsync_work(struct work_struct *work)

+ 	int ret;

+ 

+ 	ret = vfs_fsync(req->file, req->datasync);

+-	fput(req->file);

+ 	aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0);

+ }

+ 

+@@ -1586,13 +1581,8 @@ static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync)

+ 			iocb->aio_rw_flags))

+ 		return -EINVAL;

+ 

+-	req->file = fget(iocb->aio_fildes);

+-	if (unlikely(!req->file))

+-		return -EBADF;

+-	if (unlikely(!req->file->f_op->fsync)) {

+-		fput(req->file);

++	if (unlikely(!req->file->f_op->fsync))

+ 		return -EINVAL;

+-	}

+ 

+ 	req->datasync = datasync;

+ 	INIT_WORK(&req->work, aio_fsync_work);

+@@ -1602,10 +1592,7 @@ static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync)

+ 

+ static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask)

+ {

+-	struct file *file = iocb->poll.file;

+-

+ 	aio_complete(iocb, mangle_poll(mask), 0);

+-	fput(file);

+ }

+ 

+ static void aio_poll_complete_work(struct work_struct *work)

+@@ -1730,9 +1717,6 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb)

+ 

+ 	INIT_WORK(&req->work, aio_poll_complete_work);

+ 	req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP;

+-	req->file = fget(iocb->aio_fildes);

+-	if (unlikely(!req->file))

+-		return -EBADF;

+ 

+ 	apt.pt._qproc = aio_poll_queue_proc;

+ 	apt.pt._key = req->events;

+@@ -1771,10 +1755,8 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb)

+ 	spin_unlock_irq(&ctx->ctx_lock);

+ 

+ out:

+-	if (unlikely(apt.error)) {

+-		fput(req->file);

++	if (unlikely(apt.error))

+ 		return apt.error;

+-	}

+ 

+ 	if (mask)

+ 		aio_poll_complete(aiocb, mask);

+@@ -1812,6 +1794,11 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,

+ 	if (unlikely(!req))

+ 		return -EAGAIN;

+ 

++	req->ki_filp = fget(iocb.aio_fildes);

++	ret = -EBADF;

++	if (unlikely(!req->ki_filp))

++		goto out_put_req;

++

+ 	if (iocb.aio_flags & IOCB_FLAG_RESFD) {

+ 		/*

+ 		 * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an

+diff --git a/include/linux/fs.h b/include/linux/fs.h

+index 7b60848..111c94c 100644

+--- a/include/linux/fs.h

+@@ -304,13 +304,19 @@ enum rw_hint {

+ 

+ struct kiocb {

+ 	struct file		*ki_filp;

++

++	/* The 'ki_filp' pointer is shared in a union for aio */

++	randomized_struct_fields_start

++

+ 	loff_t			ki_pos;

+ 	void (*ki_complete)(struct kiocb *iocb, long ret, long ret2);

+ 	void			*private;

+ 	int			ki_flags;

+ 	u16			ki_hint;

+ 	u16			ki_ioprio; /* See linux/ioprio.h */

+-} __randomize_layout;

++

++	randomized_struct_fields_end

++};

+ 

+ static inline bool is_sync_kiocb(struct kiocb *kiocb)

+ {

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-aws

 Version:        4.19.32

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -34,7 +34,11 @@ Patch28:        kvm-dont-accept-wrong-gsi-values.patch

 Patch29:        4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch

 Patch30:        4.17-0002-apparmor-af_unix-mediation.patch

 Patch31:        4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch

+# RDRAND-based RNG driver to enhance the kernel's entropy pool:

 Patch32:        4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

+# Fix CVE-2019-10125

+Patch33:        0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch

+

 # Amazon AWS

 Patch101: 0002-watchdog-Disable-watchdog-on-virtual-machines.patch

@@ -152,6 +156,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch30 -p1

 %patch31 -p1

 %patch32 -p1

+%patch33 -p1

 %patch101 -p1

 %patch102 -p1

@@ -356,6 +361,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 %{_libdir}/perf/include/bpf/*

 %changelog

+*   Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2

+-   Fix CVE-2019-10125

 *   Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1

 -   Update to version 4.19.32

 *   Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        4.19.32

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -34,11 +34,14 @@ Patch20:        07-vmware-only.patch

 Patch22:        4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

 # Fix CVE-2017-1000252

 Patch24:        kvm-dont-accept-wrong-gsi-values.patch

+# RDRAND-based RNG driver to enhance the kernel's entropy pool:

 Patch25:        4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

 # Out-of-tree patches from AppArmor:

 Patch26:        4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch

 Patch27:        4.17-0002-apparmor-af_unix-mediation.patch

 Patch28:        4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch

+# Fix CVE-2019-10125

+Patch29:        0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch

 BuildArch:     x86_64

 BuildRequires: bc

@@ -97,6 +100,7 @@ The Linux package contains the Linux kernel doc files

 %patch26 -p1

 %patch27 -p1

 %patch28 -p1

+%patch29 -p1

 %build

 # patch vmw_balloon driver

@@ -193,6 +197,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2

+-   Fix CVE-2019-10125

 *   Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1

 -   Update to version 4.19.32

 *   Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.19.32

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -37,7 +37,11 @@ Patch31:        kvm-dont-accept-wrong-gsi-values.patch

 Patch32:        4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch

 Patch33:        4.17-0002-apparmor-af_unix-mediation.patch

 Patch34:        4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch

+# RDRAND-based RNG driver to enhance the kernel's entropy pool:

 Patch35:        4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

+# Fix CVE-2019-10125

+Patch36:        0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch

+

 # NSX requirements (should be removed)

 Patch99:        LKCM.patch

@@ -108,6 +112,7 @@ The Linux package contains the Linux kernel doc files

 %patch33 -p1

 %patch34 -p1

 %patch35 -p1

+%patch36 -p1

 pushd ..

 %patch99 -p0

@@ -235,6 +240,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2

+-   Fix CVE-2019-10125

 *   Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1

 -   Update to version 4.19.32

 *   Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.19.32

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -42,7 +42,10 @@ Patch28:        kvm-dont-accept-wrong-gsi-values.patch

 Patch29:        4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch

 Patch30:        4.17-0002-apparmor-af_unix-mediation.patch

 Patch31:        4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch

+# RDRAND-based RNG driver to enhance the kernel's entropy pool:

 Patch32:        4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch

+# Fix CVE-2019-10125

+Patch33:        0001-aio-simplify-and-fix-fget-fput-for-io_submit.patch

 %ifarch aarch64

 # NXP LS1012a FRWY patches

@@ -180,6 +183,7 @@ Kernel Device Tree Blob files for NXP ls1012a FRWY board

 %patch30 -p1

 %patch31 -p1

 %patch32 -p1

+%patch33 -p1

 %ifarch aarch64

 # NXP FSL_PPFE Driver patches

@@ -438,6 +442,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 %endif

 %changelog

+*   Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2

+-   Fix CVE-2019-10125

 *   Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1

 -   Update to version 4.19.32

 *   Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1