4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 May 2019 08:44:24 +0000 (10:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 May 2019 08:44:24 +0000 (10:44 +0200)
added patches:
drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
powerpc-booke64-set-ri-in-default-msr.patch
powerpc-powernv-idle-restore-iamr-after-idle.patch

queue-4.14/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch [new file with mode: 0644]
queue-4.14/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch [new file with mode: 0644]
queue-4.14/powerpc-booke64-set-ri-in-default-msr.patch [new file with mode: 0644]
queue-4.14/powerpc-powernv-idle-restore-iamr-after-idle.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch b/queue-4.14/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
new file mode 100644 (file)
index 0000000..2f9d92a
--- /dev/null
@@ -0,0 +1,104 @@
+From c8ea3663f7a8e6996d44500ee818c9330ac4fd88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:00 -0700
+Subject: drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream.
+
+strndup_user() returns error pointers on error, and then in the error
+handling we pass the error pointers to kfree().  It will cause an Oops.
+
+Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/fsl_hypervisor.c |   26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_i
+       struct fsl_hv_ioctl_prop param;
+       char __user *upath, *upropname;
+       void __user *upropval;
+-      char *path = NULL, *propname = NULL;
+-      void *propval = NULL;
++      char *path, *propname;
++      void *propval;
+       int ret = 0;
+       /* Get the parameters from the user. */
+@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_i
+       upropval = (void __user *)(uintptr_t)param.propval;
+       path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
+-      if (IS_ERR(path)) {
+-              ret = PTR_ERR(path);
+-              goto out;
+-      }
++      if (IS_ERR(path))
++              return PTR_ERR(path);
+       propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
+       if (IS_ERR(propname)) {
+               ret = PTR_ERR(propname);
+-              goto out;
++              goto err_free_path;
+       }
+       if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
+               ret = -EINVAL;
+-              goto out;
++              goto err_free_propname;
+       }
+       propval = kmalloc(param.proplen, GFP_KERNEL);
+       if (!propval) {
+               ret = -ENOMEM;
+-              goto out;
++              goto err_free_propname;
+       }
+       if (set) {
+               if (copy_from_user(propval, upropval, param.proplen)) {
+                       ret = -EFAULT;
+-                      goto out;
++                      goto err_free_propval;
+               }
+               param.ret = fh_partition_set_dtprop(param.handle,
+@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_i
+                       if (copy_to_user(upropval, propval, param.proplen) ||
+                           put_user(param.proplen, &p->proplen)) {
+                               ret = -EFAULT;
+-                              goto out;
++                              goto err_free_propval;
+                       }
+               }
+       }
+@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_i
+       if (put_user(param.ret, &p->ret))
+               ret = -EFAULT;
+-out:
+-      kfree(path);
++err_free_propval:
+       kfree(propval);
++err_free_propname:
+       kfree(propname);
++err_free_path:
++      kfree(path);
+       return ret;
+ }
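Review bot: `propval` is allocated with `kmalloc(param.proplen, GFP_KERNEL)` and, on the get path, later passed to `copy_to_user(upropval, propval, param.proplen)`. The lines between those two calls are outside the inner hunks, so it cannot be confirmed here that the hypervisor call initialises every byte that is copied out. If it can fill fewer bytes than `param.proplen` reports, stale kernel heap contents would reach userspace; `propval = kzalloc(param.proplen, GFP_KERNEL);` rules that out cheaply. Separately, with the `= NULL` initialisers removed, correctness depends on every `goto` naming the right label, and the success path also falls through the `err_free_*` labels. A comment above `err_free_propval:` such as `/* also reached on success: frees propval, propname and path */` would make that explicit.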
diff --git a/queue-4.14/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch b/queue-4.14/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
new file mode 100644 (file)
index 0000000..b064ad8
--- /dev/null
@@ -0,0 +1,46 @@
+From 6a024330650e24556b8a18cc654ad00cfecf6c6c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:03 -0700
+Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.
+
+The "param.count" value is a u64 thatcomes from the user.  The code
+later in the function assumes that param.count is at least one and if
+it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.
+
+Also the addition can have an integer overflow which would lead us to
+allocate a smaller "pages" array than required.  I can't immediately
+tell what the possible run times implications are, but it's safest to
+prevent the overflow.
+
+Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/fsl_hypervisor.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
+        * hypervisor.
+        */
+       lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
++      if (param.count == 0 ||
++          param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
++              return -EINVAL;
+       num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
+       /* Allocate the buffers we need */
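Review bot: The added guard stops the u64 sum from wrapping, but the shifted result is then assigned to `num_pages`, whose declaration is outside this hunk. If `num_pages` is narrower than 64 bits, a large `param.count` that passes the new check can still truncate to a small page count and give the undersized `pages` array the commit message is worried about. I would reject such values before the assignment, e.g. `if (((param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT) > UINT_MAX) return -EINVAL;`, adjusted to the actual type of `num_pages`. The size multiplication in the allocation below the hunk deserves the same check. A short comment on the guard, `/* count comes from userspace: must be non-zero and must not wrap the page-count sum */`, would also help the next reader.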
diff --git a/queue-4.14/powerpc-booke64-set-ri-in-default-msr.patch b/queue-4.14/powerpc-booke64-set-ri-in-default-msr.patch
new file mode 100644 (file)
index 0000000..b6d3689
--- /dev/null
@@ -0,0 +1,34 @@
+From 5266e58d6cd90ac85c187d673093ad9cb649e16d Mon Sep 17 00:00:00 2001
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Date: Mon, 15 Apr 2019 14:52:11 +0300
+Subject: powerpc/booke64: set RI in default MSR
+
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+
+commit 5266e58d6cd90ac85c187d673093ad9cb649e16d upstream.
+
+Set RI in the default kernel's MSR so that the architected way of
+detecting unrecoverable machine check interrupts has a chance to work.
+This is inline with the MSR setup of the rest of booke powerpc
+architectures configured here.
+
+Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg_booke.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg_booke.h
++++ b/arch/powerpc/include/asm/reg_booke.h
+@@ -41,7 +41,7 @@
+ #if defined(CONFIG_PPC_BOOK3E_64)
+ #define MSR_64BIT     MSR_CM
+-#define MSR_          (MSR_ME | MSR_CE)
++#define MSR_          (MSR_ME | MSR_RI | MSR_CE)
+ #define MSR_KERNEL    (MSR_ | MSR_64BIT)
+ #define MSR_USER32    (MSR_ | MSR_PR | MSR_EE)
+ #define MSR_USER64    (MSR_USER32 | MSR_64BIT)
diff --git a/queue-4.14/powerpc-powernv-idle-restore-iamr-after-idle.patch b/queue-4.14/powerpc-powernv-idle-restore-iamr-after-idle.patch
new file mode 100644 (file)
index 0000000..d71ad05
--- /dev/null
@@ -0,0 +1,79 @@
+From a3f3072db6cad40895c585dce65e36aab997f042 Mon Sep 17 00:00:00 2001
+From: Russell Currey <ruscur@russell.cc>
+Date: Thu, 18 Apr 2019 16:51:16 +1000
+Subject: powerpc/powernv/idle: Restore IAMR after idle
+
+From: Russell Currey <ruscur@russell.cc>
+
+commit a3f3072db6cad40895c585dce65e36aab997f042 upstream.
+
+Without restoring the IAMR after idle, execution prevention on POWER9
+with Radix MMU is overwritten and the kernel can freely execute
+userspace without faulting.
+
+This is necessary when returning from any stop state that modifies
+user state, as well as hypervisor state.
+
+To test how this fails without this patch, load the lkdtm driver and
+do the following:
+
+  $ echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT
+
+which won't fault, then boot the kernel with powersave=off, where it
+will fault. Applying this patch will fix this.
+
+Fixes: 3b10d0095a1e ("powerpc/mm/radix: Prevent kernel execution of user space")
+Cc: stable@vger.kernel.org # v4.10+
+Signed-off-by: Russell Currey <ruscur@russell.cc>
+Reviewed-by: Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/idle_book3s.S |   20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/powerpc/kernel/idle_book3s.S
++++ b/arch/powerpc/kernel/idle_book3s.S
+@@ -163,6 +163,9 @@ core_idle_lock_held:
+       bne-    core_idle_lock_held
+       blr
++/* Reuse an unused pt_regs slot for IAMR */
++#define PNV_POWERSAVE_IAMR    _DAR
++
+ /*
+  * Pass requested state in r3:
+  *    r3 - PNV_THREAD_NAP/SLEEP/WINKLE in POWER8
+@@ -193,6 +196,12 @@ pnv_powersave_common:
+       /* Continue saving state */
+       SAVE_GPR(2, r1)
+       SAVE_NVGPRS(r1)
++
++BEGIN_FTR_SECTION
++      mfspr   r5, SPRN_IAMR
++      std     r5, PNV_POWERSAVE_IAMR(r1)
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
++
+       mfcr    r5
+       std     r5,_CCR(r1)
+       std     r1,PACAR1(r13)
+@@ -940,6 +949,17 @@ BEGIN_FTR_SECTION
+ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
+       REST_NVGPRS(r1)
+       REST_GPR(2, r1)
++
++BEGIN_FTR_SECTION
++      /* IAMR was saved in pnv_powersave_common() */
++      ld      r5, PNV_POWERSAVE_IAMR(r1)
++      mtspr   SPRN_IAMR, r5
++      /*
++       * We don't need an isync here because the upcoming mtmsrd is
++       * execution synchronizing.
++       */
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
++
+       ld      r4,PACAKMSR(r13)
+       ld      r5,_LINK(r1)
+       ld      r6,_CCR(r1)
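Review bot: The comment on `PNV_POWERSAVE_IAMR` says the `_DAR` slot is unused, but not why, or for how long that has to hold. The saved value only survives if nothing writes `_DAR` in that frame between the `std` in `pnv_powersave_common` and the `ld` in the wakeup path. If that is the intended invariant, I would state it at the define, e.g. `/* _DAR in the powersave frame is not written between pnv_powersave_common and the wakeup restore, so it carries IAMR across idle */`. Both feature sections are gated on `CPU_FTR_ARCH_207S`, while the description names POWER9 with Radix; as far as I know that gate also covers POWER8, so a word on why the wider gate is wanted would save a reader the lookup. The no-isync comment in the restore relies on an `mtmsrd` that lies outside this hunk.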
index a2e28587c4a595507405f62d8ee73c3641acbd09..cd997965094c6d25f6e01dc5e6da2265d34dff43 100644 (file)
@@ -109,3 +109,7 @@ packet-fix-error-path-in-packet_init.patch
 vlan-disable-siocshwtstamp-in-container.patch
 vrf-sit-mtu-should-not-be-updated-when-vrf-netdev-is-the-link.patch
 tipc-fix-hanging-clients-using-poll-with-epollout-flag.patch
+drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
+drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
+powerpc-powernv-idle-restore-iamr-after-idle.patch
+powerpc-booke64-set-ri-in-default-msr.patch