]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Nov 2018 17:35:48 +0000 (09:35 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Nov 2018 17:35:48 +0000 (09:35 -0800)
added patches:
cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch
cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch
ib-ucm-fix-spectre-v1-vulnerability.patch
input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch
ptp-fix-spectre-v1-vulnerability.patch
rdma-ucma-fix-spectre-v1-vulnerability.patch
sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch
usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch
usb-gadget-storage-fix-spectre-v1-vulnerability.patch
x86-percpu-fix-this_cpu_read.patch
x86-time-correct-the-attribute-on-jiffies-definition.patch

12 files changed:
queue-4.4/cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch [new file with mode: 0644]
queue-4.4/cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch [new file with mode: 0644]
queue-4.4/ib-ucm-fix-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.4/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch [new file with mode: 0644]
queue-4.4/ptp-fix-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.4/rdma-ucma-fix-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.4/sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch [new file with mode: 0644]
queue-4.4/usb-gadget-storage-fix-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.4/x86-percpu-fix-this_cpu_read.patch [new file with mode: 0644]
queue-4.4/x86-time-correct-the-attribute-on-jiffies-definition.patch [new file with mode: 0644]

diff --git a/queue-4.4/cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch b/queue-4.4/cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch
new file mode 100644 (file)
index 0000000..d5f0b23
--- /dev/null
@@ -0,0 +1,42 @@
+From 169b803397499be85bdd1e3d07d6f5e3d4bd669e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Oct 2018 15:23:26 +0100
+Subject: cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 169b803397499be85bdd1e3d07d6f5e3d4bd669e upstream.
+
+the victim might've been rmdir'ed just before the lock_rename();
+unlike the normal callers, we do not look the source up after the
+parents are locked - we know it beforehand and just recheck that it's
+still the child of what used to be its parent.  Unfortunately,
+the check is too weak - we don't spot a dead directory since its
+->d_parent is unchanged, dentry is positive, etc.  So we sail all
+the way to ->rename(), with hosting filesystems _not_ expecting
+to be asked renaming an rmdir'ed subdirectory.
+
+The fix is easy, fortunately - the lock on parent is sufficient for
+making IS_DEADDIR() on child safe.
+
+Cc: stable@vger.kernel.org
+Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cachefiles/namei.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -317,7 +317,7 @@ try_again:
+       trap = lock_rename(cache->graveyard, dir);
+       /* do some checks before getting the grave dentry */
+-      if (rep->d_parent != dir) {
++      if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) {
+               /* the entry was probably culled when we dropped the parent dir
+                * lock */
+               unlock_rename(cache->graveyard, dir);
diff --git a/queue-4.4/cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch b/queue-4.4/cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch
new file mode 100644 (file)
index 0000000..496d71c
--- /dev/null
@@ -0,0 +1,55 @@
+From f976d0e5747ca65ccd0fb2a4118b193d70aa1836 Mon Sep 17 00:00:00 2001
+From: Tobias Herzog <t-herzog@gmx.de>
+Date: Sat, 22 Sep 2018 22:11:11 +0200
+Subject: cdc-acm: correct counting of UART states in serial state notification
+
+From: Tobias Herzog <t-herzog@gmx.de>
+
+commit f976d0e5747ca65ccd0fb2a4118b193d70aa1836 upstream.
+
+The usb standard ("Universal Serial Bus Class Definitions for Communication
+Devices") distiguishes between "consistent signals" (DSR, DCD), and
+"irregular signals" (break, ring, parity error, framing error, overrun).
+The bits of "irregular signals" are set, if this error/event occurred on
+the device side and are immeadeatly unset, if the serial state notification
+was sent.
+Like other drivers of real serial ports do, just the occurence of those
+events should be counted in serial_icounter_struct (but no 1->0
+transitions).
+
+Signed-off-by: Tobias Herzog <t-herzog@gmx.de>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -332,17 +332,17 @@ static void acm_ctrl_irq(struct urb *urb
+               if (difference & ACM_CTRL_DSR)
+                       acm->iocount.dsr++;
+-              if (difference & ACM_CTRL_BRK)
+-                      acm->iocount.brk++;
+-              if (difference & ACM_CTRL_RI)
+-                      acm->iocount.rng++;
+               if (difference & ACM_CTRL_DCD)
+                       acm->iocount.dcd++;
+-              if (difference & ACM_CTRL_FRAMING)
++              if (newctrl & ACM_CTRL_BRK)
++                      acm->iocount.brk++;
++              if (newctrl & ACM_CTRL_RI)
++                      acm->iocount.rng++;
++              if (newctrl & ACM_CTRL_FRAMING)
+                       acm->iocount.frame++;
+-              if (difference & ACM_CTRL_PARITY)
++              if (newctrl & ACM_CTRL_PARITY)
+                       acm->iocount.parity++;
+-              if (difference & ACM_CTRL_OVERRUN)
++              if (newctrl & ACM_CTRL_OVERRUN)
+                       acm->iocount.overrun++;
+               spin_unlock(&acm->read_lock);
diff --git a/queue-4.4/ib-ucm-fix-spectre-v1-vulnerability.patch b/queue-4.4/ib-ucm-fix-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..11ae1a0
--- /dev/null
@@ -0,0 +1,54 @@
+From 0295e39595e1146522f2722715dba7f7fba42217 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 16:32:40 +0200
+Subject: IB/ucm: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 0295e39595e1146522f2722715dba7f7fba42217 upstream.
+
+hdr.cmd can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/infiniband/core/ucm.c:1127 ib_ucm_write() warn: potential
+spectre issue 'ucm_cmd_table' [r] (local cap)
+
+Fix this by sanitizing hdr.cmd before using it to index
+ucm_cmd_table.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucm.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucm.c
++++ b/drivers/infiniband/core/ucm.c
+@@ -46,6 +46,8 @@
+ #include <linux/mutex.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
++
+ #include <asm/uaccess.h>
+ #include <rdma/ib.h>
+@@ -1115,6 +1117,7 @@ static ssize_t ib_ucm_write(struct file
+       if (hdr.cmd >= ARRAY_SIZE(ucm_cmd_table))
+               return -EINVAL;
++      hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucm_cmd_table));
+       if (hdr.in + sizeof(hdr) > len)
+               return -EINVAL;
diff --git a/queue-4.4/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch b/queue-4.4/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch
new file mode 100644 (file)
index 0000000..eaceb9a
--- /dev/null
@@ -0,0 +1,31 @@
+From 13c1c5e4d7f887cba36c5e3df3faa22071c1469f Mon Sep 17 00:00:00 2001
+From: Mikhail Nikiforov <jackxviichaos@gmail.com>
+Date: Mon, 15 Oct 2018 11:17:56 -0700
+Subject: Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
+
+From: Mikhail Nikiforov <jackxviichaos@gmail.com>
+
+commit 13c1c5e4d7f887cba36c5e3df3faa22071c1469f upstream.
+
+Add ELAN061C to the ACPI table to support Elan touchpad found in Lenovo
+IdeaPad 330-15IGM.
+
+Signed-off-by: Mikhail Nikiforov <jackxviichaos@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1251,6 +1251,7 @@ static const struct acpi_device_id elan_
+       { "ELAN0611", 0 },
+       { "ELAN0612", 0 },
+       { "ELAN0618", 0 },
++      { "ELAN061C", 0 },
+       { "ELAN061D", 0 },
+       { "ELAN0622", 0 },
+       { "ELAN1000", 0 },
diff --git a/queue-4.4/ptp-fix-spectre-v1-vulnerability.patch b/queue-4.4/ptp-fix-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..ca90c80
--- /dev/null
@@ -0,0 +1,65 @@
+From efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 15:06:41 +0200
+Subject: ptp: fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba upstream.
+
+pin_index can be indirectly controlled by user-space, hence leading
+to a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/ptp/ptp_chardev.c:253 ptp_ioctl() warn: potential spectre issue
+'ops->pin_config' [r] (local cap)
+
+Fix this by sanitizing pin_index before using it to index
+ops->pin_config, and before passing it as an argument to
+function ptp_set_pinfunc(), in which it is used to index
+info->pin_config.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ptp/ptp_chardev.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -23,6 +23,8 @@
+ #include <linux/sched.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
++
+ #include "ptp_private.h"
+ static int ptp_disable_pinfunc(struct ptp_clock_info *ops,
+@@ -224,6 +226,7 @@ long ptp_ioctl(struct posix_clock *pc, u
+                       err = -EINVAL;
+                       break;
+               }
++              pin_index = array_index_nospec(pin_index, ops->n_pins);
+               if (mutex_lock_interruptible(&ptp->pincfg_mux))
+                       return -ERESTARTSYS;
+               pd = ops->pin_config[pin_index];
+@@ -242,6 +245,7 @@ long ptp_ioctl(struct posix_clock *pc, u
+                       err = -EINVAL;
+                       break;
+               }
++              pin_index = array_index_nospec(pin_index, ops->n_pins);
+               if (mutex_lock_interruptible(&ptp->pincfg_mux))
+                       return -ERESTARTSYS;
+               err = ptp_set_pinfunc(ptp, pin_index, pd.func, pd.chan);
diff --git a/queue-4.4/rdma-ucma-fix-spectre-v1-vulnerability.patch b/queue-4.4/rdma-ucma-fix-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..95605df
--- /dev/null
@@ -0,0 +1,54 @@
+From a3671a4f973ee9d9621d60166cc3b037c397d604 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 16:59:01 +0200
+Subject: RDMA/ucma: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit a3671a4f973ee9d9621d60166cc3b037c397d604 upstream.
+
+hdr.cmd can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/infiniband/core/ucma.c:1686 ucma_write() warn: potential
+spectre issue 'ucma_cmd_table' [r] (local cap)
+
+Fix this by sanitizing hdr.cmd before using it to index
+ucm_cmd_table.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -44,6 +44,8 @@
+ #include <linux/module.h>
+ #include <linux/nsproxy.h>
++#include <linux/nospec.h>
++
+ #include <rdma/rdma_user_cm.h>
+ #include <rdma/ib_marshall.h>
+ #include <rdma/rdma_cm.h>
+@@ -1627,6 +1629,7 @@ static ssize_t ucma_write(struct file *f
+       if (hdr.cmd >= ARRAY_SIZE(ucma_cmd_table))
+               return -EINVAL;
++      hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucma_cmd_table));
+       if (hdr.in + sizeof(hdr) > len)
+               return -EINVAL;
diff --git a/queue-4.4/sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch b/queue-4.4/sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch
new file mode 100644 (file)
index 0000000..ec8e253
--- /dev/null
@@ -0,0 +1,175 @@
+From baa9be4ffb55876923dc9716abc0a448e510ba30 Mon Sep 17 00:00:00 2001
+From: Phil Auld <pauld@redhat.com>
+Date: Mon, 8 Oct 2018 10:36:40 -0400
+Subject: sched/fair: Fix throttle_list starvation with low CFS quota
+
+From: Phil Auld <pauld@redhat.com>
+
+commit baa9be4ffb55876923dc9716abc0a448e510ba30 upstream.
+
+With a very low cpu.cfs_quota_us setting, such as the minimum of 1000,
+distribute_cfs_runtime may not empty the throttled_list before it runs
+out of runtime to distribute. In that case, due to the change from
+c06f04c7048 to put throttled entries at the head of the list, later entries
+on the list will starve.  Essentially, the same X processes will get pulled
+off the list, given CPU time and then, when expired, get put back on the
+head of the list where distribute_cfs_runtime will give runtime to the same
+set of processes leaving the rest.
+
+Fix the issue by setting a bit in struct cfs_bandwidth when
+distribute_cfs_runtime is running, so that the code in throttle_cfs_rq can
+decide to put the throttled entry on the tail or the head of the list.  The
+bit is set/cleared by the callers of distribute_cfs_runtime while they hold
+cfs_bandwidth->lock.
+
+This is easy to reproduce with a handful of CPU consumers. I use 'crash' on
+the live system. In some cases you can simply look at the throttled list and
+see the later entries are not changing:
+
+  crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1"  "$4}' | pr -t -n3
+    1     ffff90b56cb2d200  -976050
+    2     ffff90b56cb2cc00  -484925
+    3     ffff90b56cb2bc00  -658814
+    4     ffff90b56cb2ba00  -275365
+    5     ffff90b166a45600  -135138
+    6     ffff90b56cb2da00  -282505
+    7     ffff90b56cb2e000  -148065
+    8     ffff90b56cb2fa00  -872591
+    9     ffff90b56cb2c000  -84687
+   10     ffff90b56cb2f000  -87237
+   11     ffff90b166a40a00  -164582
+
+  crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1"  "$4}' | pr -t -n3
+    1     ffff90b56cb2d200  -994147
+    2     ffff90b56cb2cc00  -306051
+    3     ffff90b56cb2bc00  -961321
+    4     ffff90b56cb2ba00  -24490
+    5     ffff90b166a45600  -135138
+    6     ffff90b56cb2da00  -282505
+    7     ffff90b56cb2e000  -148065
+    8     ffff90b56cb2fa00  -872591
+    9     ffff90b56cb2c000  -84687
+   10     ffff90b56cb2f000  -87237
+   11     ffff90b166a40a00  -164582
+
+Sometimes it is easier to see by finding a process getting starved and looking
+at the sched_info:
+
+  crash> task ffff8eb765994500 sched_info
+  PID: 7800   TASK: ffff8eb765994500  CPU: 16  COMMAND: "cputest"
+    sched_info = {
+      pcount = 8,
+      run_delay = 697094208,
+      last_arrival = 240260125039,
+      last_queued = 240260327513
+    },
+  crash> task ffff8eb765994500 sched_info
+  PID: 7800   TASK: ffff8eb765994500  CPU: 16  COMMAND: "cputest"
+    sched_info = {
+      pcount = 8,
+      run_delay = 697094208,
+      last_arrival = 240260125039,
+      last_queued = 240260327513
+    },
+
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Reviewed-by: Ben Segall <bsegall@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: c06f04c70489 ("sched: Fix potential near-infinite distribute_cfs_runtime() loop")
+Link: http://lkml.kernel.org/r/20181008143639.GA4019@pauld.bos.csb
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/fair.c  |   22 +++++++++++++++++++---
+ kernel/sched/sched.h |    2 ++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -3624,9 +3624,13 @@ static void throttle_cfs_rq(struct cfs_r
+       /*
+        * Add to the _head_ of the list, so that an already-started
+-       * distribute_cfs_runtime will not see us
++       * distribute_cfs_runtime will not see us. If disribute_cfs_runtime is
++       * not running add to the tail so that later runqueues don't get starved.
+        */
+-      list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
++      if (cfs_b->distribute_running)
++              list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
++      else
++              list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
+       /*
+        * If we're the first throttled task, make sure the bandwidth
+@@ -3769,14 +3773,16 @@ static int do_sched_cfs_period_timer(str
+        * in us over-using our runtime if it is all used during this loop, but
+        * only by limited amounts in that extreme case.
+        */
+-      while (throttled && cfs_b->runtime > 0) {
++      while (throttled && cfs_b->runtime > 0 && !cfs_b->distribute_running) {
+               runtime = cfs_b->runtime;
++              cfs_b->distribute_running = 1;
+               raw_spin_unlock(&cfs_b->lock);
+               /* we can't nest cfs_b->lock while distributing bandwidth */
+               runtime = distribute_cfs_runtime(cfs_b, runtime,
+                                                runtime_expires);
+               raw_spin_lock(&cfs_b->lock);
++              cfs_b->distribute_running = 0;
+               throttled = !list_empty(&cfs_b->throttled_cfs_rq);
+               cfs_b->runtime -= min(runtime, cfs_b->runtime);
+@@ -3887,6 +3893,11 @@ static void do_sched_cfs_slack_timer(str
+       /* confirm we're still not at a refresh boundary */
+       raw_spin_lock(&cfs_b->lock);
++      if (cfs_b->distribute_running) {
++              raw_spin_unlock(&cfs_b->lock);
++              return;
++      }
++
+       if (runtime_refresh_within(cfs_b, min_bandwidth_expiration)) {
+               raw_spin_unlock(&cfs_b->lock);
+               return;
+@@ -3896,6 +3907,9 @@ static void do_sched_cfs_slack_timer(str
+               runtime = cfs_b->runtime;
+       expires = cfs_b->runtime_expires;
++      if (runtime)
++              cfs_b->distribute_running = 1;
++
+       raw_spin_unlock(&cfs_b->lock);
+       if (!runtime)
+@@ -3906,6 +3920,7 @@ static void do_sched_cfs_slack_timer(str
+       raw_spin_lock(&cfs_b->lock);
+       if (expires == cfs_b->runtime_expires)
+               cfs_b->runtime -= min(runtime, cfs_b->runtime);
++      cfs_b->distribute_running = 0;
+       raw_spin_unlock(&cfs_b->lock);
+ }
+@@ -4017,6 +4032,7 @@ void init_cfs_bandwidth(struct cfs_bandw
+       cfs_b->period_timer.function = sched_cfs_period_timer;
+       hrtimer_init(&cfs_b->slack_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+       cfs_b->slack_timer.function = sched_cfs_slack_timer;
++      cfs_b->distribute_running = 0;
+ }
+ static void init_cfs_rq_runtime(struct cfs_rq *cfs_rq)
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -233,6 +233,8 @@ struct cfs_bandwidth {
+       /* statistics */
+       int nr_periods, nr_throttled;
+       u64 throttled_time;
++
++      bool distribute_running;
+ #endif
+ };
index e8bfb558af1be69924833a44c4bcd4f44bdded90..82b4fd194c41c7e3f7f6e6e4e9bdab02e925e94e 100644 (file)
@@ -101,3 +101,14 @@ rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch
 mremap-properly-flush-tlb-before-releasing-the-page.patch
 crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch
 ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch
+cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch
+ptp-fix-spectre-v1-vulnerability.patch
+rdma-ucma-fix-spectre-v1-vulnerability.patch
+ib-ucm-fix-spectre-v1-vulnerability.patch
+cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch
+usb-gadget-storage-fix-spectre-v1-vulnerability.patch
+usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch
+input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch
+sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch
+x86-percpu-fix-this_cpu_read.patch
+x86-time-correct-the-attribute-on-jiffies-definition.patch
diff --git a/queue-4.4/usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch b/queue-4.4/usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch
new file mode 100644 (file)
index 0000000..06b1f16
--- /dev/null
@@ -0,0 +1,52 @@
+From 665c365a77fbfeabe52694aedf3446d5f2f1ce42 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 15 Oct 2018 16:55:04 -0400
+Subject: USB: fix the usbfs flag sanitization for control transfers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 665c365a77fbfeabe52694aedf3446d5f2f1ce42 upstream.
+
+Commit 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") checks the
+transfer flags for URBs submitted from userspace via usbfs.  However,
+the check for whether the USBDEVFS_URB_SHORT_NOT_OK flag should be
+allowed for a control transfer was added in the wrong place, before
+the code has properly determined the direction of the control
+transfer.  (Control transfers are special because for them, the
+direction is set by the bRequestType byte of the Setup packet rather
+than direction bit of the endpoint address.)
+
+This patch moves code which sets up the allow_short flag for control
+transfers down after is_in has been set to the correct value.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
+Fixes: 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more")
+CC: Oliver Neukum <oneukum@suse.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1329,8 +1329,6 @@ static int proc_do_submiturb(struct usb_
+       u = 0;
+       switch (uurb->type) {
+       case USBDEVFS_URB_TYPE_CONTROL:
+-              if (is_in)
+-                      allow_short = true;
+               if (!usb_endpoint_xfer_control(&ep->desc))
+                       return -EINVAL;
+               /* min 8 byte setup packet */
+@@ -1360,6 +1358,8 @@ static int proc_do_submiturb(struct usb_
+                       is_in = 0;
+                       uurb->endpoint &= ~USB_DIR_IN;
+               }
++              if (is_in)
++                      allow_short = true;
+               snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
+                       "bRequest=%02x wValue=%04x "
+                       "wIndex=%04x wLength=%04x\n",
diff --git a/queue-4.4/usb-gadget-storage-fix-spectre-v1-vulnerability.patch b/queue-4.4/usb-gadget-storage-fix-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..9b1ac5b
--- /dev/null
@@ -0,0 +1,54 @@
+From 9ae24af3669111d418242caec8dd4ebd9ba26860 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 12:16:45 +0200
+Subject: usb: gadget: storage: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 9ae24af3669111d418242caec8dd4ebd9ba26860 upstream.
+
+num can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/usb/gadget/function/f_mass_storage.c:3177 fsg_lun_make() warn:
+potential spectre issue 'fsg_opts->common->luns' [r] (local cap)
+
+Fix this by sanitizing num before using it to index
+fsg_opts->common->luns
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Felipe Balbi <felipe.balbi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_mass_storage.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_mass_storage.c
++++ b/drivers/usb/gadget/function/f_mass_storage.c
+@@ -220,6 +220,8 @@
+ #include <linux/usb/gadget.h>
+ #include <linux/usb/composite.h>
++#include <linux/nospec.h>
++
+ #include "configfs.h"
+@@ -3260,6 +3262,7 @@ static struct config_group *fsg_lun_make
+       fsg_opts = to_fsg_opts(&group->cg_item);
+       if (num >= FSG_MAX_LUNS)
+               return ERR_PTR(-ERANGE);
++      num = array_index_nospec(num, FSG_MAX_LUNS);
+       mutex_lock(&fsg_opts->lock);
+       if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
diff --git a/queue-4.4/x86-percpu-fix-this_cpu_read.patch b/queue-4.4/x86-percpu-fix-this_cpu_read.patch
new file mode 100644 (file)
index 0000000..179f61f
--- /dev/null
@@ -0,0 +1,59 @@
+From b59167ac7bafd804c91e49ad53c6d33a7394d4c8 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 11 Oct 2018 12:38:27 +0200
+Subject: x86/percpu: Fix this_cpu_read()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit b59167ac7bafd804c91e49ad53c6d33a7394d4c8 upstream.
+
+Eric reported that a sequence count loop using this_cpu_read() got
+optimized out. This is wrong, this_cpu_read() must imply READ_ONCE()
+because the interface is IRQ-safe, therefore an interrupt can have
+changed the per-cpu value.
+
+Fixes: 7c3576d261ce ("[PATCH] i386: Convert PDA into the percpu section")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Cc: hpa@zytor.com
+Cc: eric.dumazet@gmail.com
+Cc: bp@alien8.de
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181011104019.748208519@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/percpu.h |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/percpu.h
++++ b/arch/x86/include/asm/percpu.h
+@@ -184,22 +184,22 @@ do {                                                                     \
+       typeof(var) pfo_ret__;                          \
+       switch (sizeof(var)) {                          \
+       case 1:                                         \
+-              asm(op "b "__percpu_arg(1)",%0"         \
++              asm volatile(op "b "__percpu_arg(1)",%0"\
+                   : "=q" (pfo_ret__)                  \
+                   : "m" (var));                       \
+               break;                                  \
+       case 2:                                         \
+-              asm(op "w "__percpu_arg(1)",%0"         \
++              asm volatile(op "w "__percpu_arg(1)",%0"\
+                   : "=r" (pfo_ret__)                  \
+                   : "m" (var));                       \
+               break;                                  \
+       case 4:                                         \
+-              asm(op "l "__percpu_arg(1)",%0"         \
++              asm volatile(op "l "__percpu_arg(1)",%0"\
+                   : "=r" (pfo_ret__)                  \
+                   : "m" (var));                       \
+               break;                                  \
+       case 8:                                         \
+-              asm(op "q "__percpu_arg(1)",%0"         \
++              asm volatile(op "q "__percpu_arg(1)",%0"\
+                   : "=r" (pfo_ret__)                  \
+                   : "m" (var));                       \
+               break;                                  \
diff --git a/queue-4.4/x86-time-correct-the-attribute-on-jiffies-definition.patch b/queue-4.4/x86-time-correct-the-attribute-on-jiffies-definition.patch
new file mode 100644 (file)
index 0000000..0cc51c8
--- /dev/null
@@ -0,0 +1,61 @@
+From 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Fri, 12 Oct 2018 17:53:12 -0700
+Subject: x86/time: Correct the attribute on jiffies' definition
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d upstream.
+
+Clang warns that the declaration of jiffies in include/linux/jiffies.h
+doesn't match the definition in arch/x86/time/kernel.c:
+
+arch/x86/kernel/time.c:29:42: warning: section does not match previous declaration [-Wsection]
+__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES;
+                                         ^
+./include/linux/cache.h:49:4: note: expanded from macro '__cacheline_aligned'
+                 __section__(".data..cacheline_aligned")))
+                 ^
+./include/linux/jiffies.h:81:31: note: previous attribute is here
+extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies;
+                              ^
+./arch/x86/include/asm/cache.h:20:2: note: expanded from macro '__cacheline_aligned_in_smp'
+        __page_aligned_data
+        ^
+./include/linux/linkage.h:39:29: note: expanded from macro '__page_aligned_data'
+#define __page_aligned_data     __section(.data..page_aligned) __aligned(PAGE_SIZE)
+                                ^
+./include/linux/compiler_attributes.h:233:56: note: expanded from macro '__section'
+#define __section(S)                    __attribute__((__section__(#S)))
+                                                       ^
+1 warning generated.
+
+The declaration was changed in commit 7c30f352c852 ("jiffies.h: declare
+jiffies and jiffies_64 with ____cacheline_aligned_in_smp") but wasn't
+updated here. Make them match so Clang no longer warns.
+
+Fixes: 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp")
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181013005311.28617-1-natechancellor@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/time.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/time.c
++++ b/arch/x86/kernel/time.c
+@@ -23,7 +23,7 @@
+ #include <asm/time.h>
+ #ifdef CONFIG_X86_64
+-__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES;
++__visible volatile unsigned long jiffies __cacheline_aligned_in_smp = INITIAL_JIFFIES;
+ #endif
+ unsigned long profile_pc(struct pt_regs *regs)