--- /dev/null
+From tyhicks@canonical.com Thu Sep 13 09:00:58 2018
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue, 4 Sep 2018 15:24:04 +0000
+Subject: irda: Fix memory leak caused by repeated binds of irda socket
+To: stable@vger.kernel.org
+Message-ID: <1536074645-14160-2-git-send-email-tyhicks@canonical.com>
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+The irda_bind() function allocates memory for self->ias_obj without
+checking to see if the socket is already bound. A userspace process
+could repeatedly bind the socket, have each new object added into the
+LM-IAS database, and lose the reference to the old object assigned to
+the socket to exhaust memory resources. This patch errors out of the
+bind operation when self->ias_obj is already assigned.
+
+CVE-2018-6554
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/irda/net/af_irda.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/staging/irda/net/af_irda.c
++++ b/drivers/staging/irda/net/af_irda.c
+@@ -775,6 +775,13 @@ static int irda_bind(struct socket *sock
+ return -EINVAL;
+
+ lock_sock(sk);
++
++ /* Ensure that the socket is not already bound */
++ if (self->ias_obj) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ #ifdef CONFIG_IRDA_ULTRA
+ /* Special care for Ultra sockets */
+ if ((sk->sk_type == SOCK_DGRAM) &&
--- /dev/null
+From tyhicks@canonical.com Thu Sep 13 09:02:40 2018
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue, 4 Sep 2018 15:24:05 +0000
+Subject: irda: Only insert new objects into the global database via setsockopt
+To: stable@vger.kernel.org
+Message-ID: <1536074645-14160-3-git-send-email-tyhicks@canonical.com>
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+The irda_setsockopt() function conditionally allocates memory for a new
+self->ias_object or, in some cases, reuses the existing
+self->ias_object. Existing objects were incorrectly reinserted into the
+LM_IAS database which corrupted the doubly linked list used for the
+hashbin implementation of the LM_IAS database. When combined with a
+memory leak in irda_bind(), this issue could be leveraged to create a
+use-after-free vulnerability in the hashbin list. This patch fixes the
+issue by only inserting newly allocated objects into the database.
+
+CVE-2018-6555
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/irda/net/af_irda.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/irda/net/af_irda.c
++++ b/drivers/staging/irda/net/af_irda.c
+@@ -2019,7 +2019,11 @@ static int irda_setsockopt(struct socket
+ err = -EINVAL;
+ goto out;
+ }
+- irias_insert_object(ias_obj);
++
++ /* Only insert newly allocated objects */
++ if (free_ias)
++ irias_insert_object(ias_obj);
++
+ kfree(ias_opt);
+ break;
+ case IRLMP_IAS_DEL:
--- /dev/null
+From 914b087ff9e0e9a399a4927fa30793064afc0178 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 28 Aug 2018 12:59:10 -0700
+Subject: kbuild: make missing $DEPMOD a Warning instead of an Error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 914b087ff9e0e9a399a4927fa30793064afc0178 upstream.
+
+When $DEPMOD is not found, only print a warning instead of exiting
+with an error message and error status:
+
+Warning: 'make modules_install' requires /sbin/depmod. Please install it.
+This is probably in the kmod package.
+
+Change the Error to a Warning because "not all build hosts for cross
+compiling Linux are Linux systems and are able to provide a working
+port of depmod, especially at the file patch /sbin/depmod."
+
+I.e., "make modules_install" may be used to copy/install the
+loadable modules files to a target directory on a build system and
+then transferred to an embedded device where /sbin/depmod is run
+instead of it being run on the build system.
+
+Fixes: 934193a654c1 ("kbuild: verify that $DEPMOD is installed")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
+Cc: stable@vger.kernel.org
+Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
+Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
+Cc: Michal Marek <michal.lkml@markovi.net>
+Cc: Jessica Yu <jeyu@kernel.org>
+Cc: Chih-Wei Huang <cwhuang@linux.org.tw>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Maxim Zhukov <mussitantesmortem@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/depmod.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scripts/depmod.sh
++++ b/scripts/depmod.sh
+@@ -16,9 +16,9 @@ if ! test -r System.map ; then
+ fi
+
+ if [ -z $(command -v $DEPMOD) ]; then
+- echo "'make modules_install' requires $DEPMOD. Please install it." >&2
++ echo "Warning: 'make modules_install' requires $DEPMOD. Please install it." >&2
+ echo "This is probably in the kmod package." >&2
+- exit 1
++ exit 0
+ fi
+
+ # older versions of depmod don't support -P <symbol-prefix>
--- /dev/null
+From 28a1f3ac1d0c8558ee4453d9634dad891a6e922e Mon Sep 17 00:00:00 2001
+From: Junaid Shahid <junaids@google.com>
+Date: Tue, 14 Aug 2018 10:15:34 -0700
+Subject: kvm: x86: Set highest physical address bits in non-present/reserved SPTEs
+
+From: Junaid Shahid <junaids@google.com>
+
+commit 28a1f3ac1d0c8558ee4453d9634dad891a6e922e upstream.
+
+Always set the 5 upper-most supported physical address bits to 1 for SPTEs
+that are marked as non-present or reserved, to make them unusable for
+L1TF attacks from the guest. Currently, this just applies to MMIO SPTEs.
+(We do not need to mark PTEs that are completely 0 as physical page 0
+is already reserved.)
+
+This allows mitigation of L1TF without disabling hyper-threading by using
+shadow paging mode instead of EPT.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c | 43 ++++++++++++++++++++++++++++++++++++++-----
+ arch/x86/kvm/x86.c | 8 ++++++--
+ 2 files changed, 44 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -220,6 +220,17 @@ static const u64 shadow_acc_track_saved_
+ PT64_EPT_EXECUTABLE_MASK;
+ static const u64 shadow_acc_track_saved_bits_shift = PT64_SECOND_AVAIL_BITS_SHIFT;
+
++/*
++ * This mask must be set on all non-zero Non-Present or Reserved SPTEs in order
++ * to guard against L1TF attacks.
++ */
++static u64 __read_mostly shadow_nonpresent_or_rsvd_mask;
++
++/*
++ * The number of high-order 1 bits to use in the mask above.
++ */
++static const u64 shadow_nonpresent_or_rsvd_mask_len = 5;
++
+ static void mmu_spte_set(u64 *sptep, u64 spte);
+ static void mmu_free_roots(struct kvm_vcpu *vcpu);
+
+@@ -308,9 +319,13 @@ static void mark_mmio_spte(struct kvm_vc
+ {
+ unsigned int gen = kvm_current_mmio_generation(vcpu);
+ u64 mask = generation_mmio_spte_mask(gen);
++ u64 gpa = gfn << PAGE_SHIFT;
+
+ access &= ACC_WRITE_MASK | ACC_USER_MASK;
+- mask |= shadow_mmio_value | access | gfn << PAGE_SHIFT;
++ mask |= shadow_mmio_value | access;
++ mask |= gpa | shadow_nonpresent_or_rsvd_mask;
++ mask |= (gpa & shadow_nonpresent_or_rsvd_mask)
++ << shadow_nonpresent_or_rsvd_mask_len;
+
+ trace_mark_mmio_spte(sptep, gfn, access, gen);
+ mmu_spte_set(sptep, mask);
+@@ -323,8 +338,14 @@ static bool is_mmio_spte(u64 spte)
+
+ static gfn_t get_mmio_spte_gfn(u64 spte)
+ {
+- u64 mask = generation_mmio_spte_mask(MMIO_GEN_MASK) | shadow_mmio_mask;
+- return (spte & ~mask) >> PAGE_SHIFT;
++ u64 mask = generation_mmio_spte_mask(MMIO_GEN_MASK) | shadow_mmio_mask |
++ shadow_nonpresent_or_rsvd_mask;
++ u64 gpa = spte & ~mask;
++
++ gpa |= (spte >> shadow_nonpresent_or_rsvd_mask_len)
++ & shadow_nonpresent_or_rsvd_mask;
++
++ return gpa >> PAGE_SHIFT;
+ }
+
+ static unsigned get_mmio_spte_access(u64 spte)
+@@ -381,7 +402,7 @@ void kvm_mmu_set_mask_ptes(u64 user_mask
+ }
+ EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes);
+
+-void kvm_mmu_clear_all_pte_masks(void)
++static void kvm_mmu_reset_all_pte_masks(void)
+ {
+ shadow_user_mask = 0;
+ shadow_accessed_mask = 0;
+@@ -391,6 +412,18 @@ void kvm_mmu_clear_all_pte_masks(void)
+ shadow_mmio_mask = 0;
+ shadow_present_mask = 0;
+ shadow_acc_track_mask = 0;
++
++ /*
++ * If the CPU has 46 or less physical address bits, then set an
++ * appropriate mask to guard against L1TF attacks. Otherwise, it is
++ * assumed that the CPU is not vulnerable to L1TF.
++ */
++ if (boot_cpu_data.x86_phys_bits <
++ 52 - shadow_nonpresent_or_rsvd_mask_len)
++ shadow_nonpresent_or_rsvd_mask =
++ rsvd_bits(boot_cpu_data.x86_phys_bits -
++ shadow_nonpresent_or_rsvd_mask_len,
++ boot_cpu_data.x86_phys_bits - 1);
+ }
+
+ static int is_cpuid_PSE36(void)
+@@ -5473,7 +5506,7 @@ static void mmu_destroy_caches(void)
+
+ int kvm_mmu_module_init(void)
+ {
+- kvm_mmu_clear_all_pte_masks();
++ kvm_mmu_reset_all_pte_masks();
+
+ pte_list_desc_cache = kmem_cache_create("pte_list_desc",
+ sizeof(struct pte_list_desc),
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6194,8 +6194,12 @@ static void kvm_set_mmio_spte_mask(void)
+ * Set the reserved bits and the present bit of an paging-structure
+ * entry to generate page fault with PFER.RSV = 1.
+ */
+- /* Mask the reserved physical address bits. */
+- mask = rsvd_bits(maxphyaddr, 51);
++
++ /*
++ * Mask the uppermost physical address bit, which would be reserved as
++ * long as the supported physical address width is less than 52.
++ */
++ mask = 1ull << 51;
+
+ /* Set the present bit. */
+ mask |= 1ull;
--- /dev/null
+From festevam@gmail.com Thu Sep 13 09:04:45 2018
+From: Fabio Estevam <festevam@gmail.com>
+Date: Mon, 3 Sep 2018 10:39:17 -0300
+Subject: Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
+To: stable@vger.kernel.org
+Cc: shawnguo@kernel.org, rasmus.villemoes@prevas.dk, gregkh@linuxfoundation.org, Fabio Estevam <fabio.estevam@nxp.com>
+Message-ID: <1535981957-28688-1-git-send-email-festevam@gmail.com>
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+This reverts commit 2059e527a659cf16d6bb709f1c8509f7a7623fc4.
+
+This commit causes reboot to fail on imx6 wandboard, so let's
+revert it.
+
+Cc: <stable@vger.kernel.org> #4.14
+Reported-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/configs/imx_v6_v7_defconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/arm/configs/imx_v6_v7_defconfig
++++ b/arch/arm/configs/imx_v6_v7_defconfig
+@@ -289,7 +289,6 @@ CONFIG_USB_STORAGE=y
+ CONFIG_USB_CHIPIDEA=y
+ CONFIG_USB_CHIPIDEA_UDC=y
+ CONFIG_USB_CHIPIDEA_HOST=y
+-CONFIG_USB_CHIPIDEA_ULPI=y
+ CONFIG_USB_SERIAL=m
+ CONFIG_USB_SERIAL_GENERIC=y
+ CONFIG_USB_SERIAL_FTDI_SIO=m
+@@ -326,7 +325,6 @@ CONFIG_USB_GADGETFS=m
+ CONFIG_USB_FUNCTIONFS=m
+ CONFIG_USB_MASS_STORAGE=m
+ CONFIG_USB_G_SERIAL=m
+-CONFIG_USB_ULPI_BUS=y
+ CONFIG_MMC=y
+ CONFIG_MMC_SDHCI=y
+ CONFIG_MMC_SDHCI_PLTFM=y
--- /dev/null
+From 5eda25b10297684c1f46a14199ec00210f3c346e Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Mon, 6 Aug 2018 13:49:47 +0200
+Subject: s390/lib: use expoline for all bcr instructions
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 5eda25b10297684c1f46a14199ec00210f3c346e upstream.
+
+The memove, memset, memcpy, __memset16, __memset32 and __memset64
+function have an additional indirect return branch in form of a
+"bzr" instruction. These need to use expolines as well.
+
+Cc: <stable@vger.kernel.org> # v4.17+
+Fixes: 97489e0663 ("s390/lib: use expoline for indirect branches")
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/lib/mem.S | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/lib/mem.S
++++ b/arch/s390/lib/mem.S
+@@ -17,7 +17,7 @@
+ ENTRY(memmove)
+ ltgr %r4,%r4
+ lgr %r1,%r2
+- bzr %r14
++ jz .Lmemmove_exit
+ aghi %r4,-1
+ clgr %r2,%r3
+ jnh .Lmemmove_forward
+@@ -36,6 +36,7 @@ ENTRY(memmove)
+ .Lmemmove_forward_remainder:
+ larl %r5,.Lmemmove_mvc
+ ex %r4,0(%r5)
++.Lmemmove_exit:
+ BR_EX %r14
+ .Lmemmove_reverse:
+ ic %r0,0(%r4,%r3)
+@@ -65,7 +66,7 @@ EXPORT_SYMBOL(memmove)
+ */
+ ENTRY(memset)
+ ltgr %r4,%r4
+- bzr %r14
++ jz .Lmemset_exit
+ ltgr %r3,%r3
+ jnz .Lmemset_fill
+ aghi %r4,-1
+@@ -80,12 +81,13 @@ ENTRY(memset)
+ .Lmemset_clear_remainder:
+ larl %r3,.Lmemset_xc
+ ex %r4,0(%r3)
++.Lmemset_exit:
+ BR_EX %r14
+ .Lmemset_fill:
+ stc %r3,0(%r2)
+ cghi %r4,1
+ lgr %r1,%r2
+- ber %r14
++ je .Lmemset_fill_exit
+ aghi %r4,-2
+ srlg %r3,%r4,8
+ ltgr %r3,%r3
+@@ -97,6 +99,7 @@ ENTRY(memset)
+ .Lmemset_fill_remainder:
+ larl %r3,.Lmemset_mvc
+ ex %r4,0(%r3)
++.Lmemset_fill_exit:
+ BR_EX %r14
+ .Lmemset_xc:
+ xc 0(1,%r1),0(%r1)
+@@ -111,7 +114,7 @@ EXPORT_SYMBOL(memset)
+ */
+ ENTRY(memcpy)
+ ltgr %r4,%r4
+- bzr %r14
++ jz .Lmemcpy_exit
+ aghi %r4,-1
+ srlg %r5,%r4,8
+ ltgr %r5,%r5
+@@ -120,6 +123,7 @@ ENTRY(memcpy)
+ .Lmemcpy_remainder:
+ larl %r5,.Lmemcpy_mvc
+ ex %r4,0(%r5)
++.Lmemcpy_exit:
+ BR_EX %r14
+ .Lmemcpy_loop:
+ mvc 0(256,%r1),0(%r3)
x86-pae-use-64-bit-atomic-xchg-function-in-native_ptep_get_and_clear.patch
x86-xen-don-t-write-ptes-directly-in-32-bit-pv-guests.patch
drm-i915-increase-lspcon-timeout.patch
+kbuild-make-missing-depmod-a-warning-instead-of-an-error.patch
+s390-lib-use-expoline-for-all-bcr-instructions.patch
+irda-fix-memory-leak-caused-by-repeated-binds-of-irda-socket.patch
+irda-only-insert-new-objects-into-the-global-database-via-setsockopt.patch
+revert-arm-imx_v6_v7_defconfig-select-ulpi-support.patch
+kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes.patch
+x86-kvm-avoid-unused-variable-warning.patch
--- /dev/null
+From 7288bde1f9df6c1475675419bdd7725ce84dec56 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 20 Aug 2018 23:37:50 +0200
+Subject: x86: kvm: avoid unused variable warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 7288bde1f9df6c1475675419bdd7725ce84dec56 upstream.
+
+Removing one of the two accesses of the maxphyaddr variable led to
+a harmless warning:
+
+arch/x86/kvm/x86.c: In function 'kvm_set_mmio_spte_mask':
+arch/x86/kvm/x86.c:6563:6: error: unused variable 'maxphyaddr' [-Werror=unused-variable]
+
+Removing the #ifdef seems to be the nicest workaround, as it
+makes the code look cleaner than adding another #ifdef.
+
+Fixes: 28a1f3ac1d0c ("kvm: x86: Set highest physical address bits in non-present/reserved SPTEs")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org # L1TF
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6204,14 +6204,12 @@ static void kvm_set_mmio_spte_mask(void)
+ /* Set the present bit. */
+ mask |= 1ull;
+
+-#ifdef CONFIG_X86_64
+ /*
+ * If reserved bit is not supported, clear the present bit to disable
+ * mmio page fault.
+ */
+- if (maxphyaddr == 52)
++ if (IS_ENABLED(CONFIG_X86_64) && maxphyaddr == 52)
+ mask &= ~1ull;
+-#endif
+
+ kvm_mmu_set_mmio_spte_mask(mask, mask);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
