--- /dev/null
+From 169b803397499be85bdd1e3d07d6f5e3d4bd669e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Oct 2018 15:23:26 +0100
+Subject: cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 169b803397499be85bdd1e3d07d6f5e3d4bd669e upstream.
+
+the victim might've been rmdir'ed just before the lock_rename();
+unlike the normal callers, we do not look the source up after the
+parents are locked - we know it beforehand and just recheck that it's
+still the child of what used to be its parent. Unfortunately,
+the check is too weak - we don't spot a dead directory since its
+->d_parent is unchanged, dentry is positive, etc. So we sail all
+the way to ->rename(), with hosting filesystems _not_ expecting
+to be asked renaming an rmdir'ed subdirectory.
+
+The fix is easy, fortunately - the lock on parent is sufficient for
+making IS_DEADDIR() on child safe.
+
+Cc: stable@vger.kernel.org
+Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cachefiles/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -317,7 +317,7 @@ try_again:
+ trap = lock_rename(cache->graveyard, dir);
+
+ /* do some checks before getting the grave dentry */
+- if (rep->d_parent != dir) {
++ if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) {
+ /* the entry was probably culled when we dropped the parent dir
+ * lock */
+ unlock_rename(cache->graveyard, dir);
--- /dev/null
+From f976d0e5747ca65ccd0fb2a4118b193d70aa1836 Mon Sep 17 00:00:00 2001
+From: Tobias Herzog <t-herzog@gmx.de>
+Date: Sat, 22 Sep 2018 22:11:11 +0200
+Subject: cdc-acm: correct counting of UART states in serial state notification
+
+From: Tobias Herzog <t-herzog@gmx.de>
+
+commit f976d0e5747ca65ccd0fb2a4118b193d70aa1836 upstream.
+
+The usb standard ("Universal Serial Bus Class Definitions for Communication
+Devices") distiguishes between "consistent signals" (DSR, DCD), and
+"irregular signals" (break, ring, parity error, framing error, overrun).
+The bits of "irregular signals" are set, if this error/event occurred on
+the device side and are immeadeatly unset, if the serial state notification
+was sent.
+Like other drivers of real serial ports do, just the occurence of those
+events should be counted in serial_icounter_struct (but no 1->0
+transitions).
+
+Signed-off-by: Tobias Herzog <t-herzog@gmx.de>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -332,17 +332,17 @@ static void acm_ctrl_irq(struct urb *urb
+
+ if (difference & ACM_CTRL_DSR)
+ acm->iocount.dsr++;
+- if (difference & ACM_CTRL_BRK)
+- acm->iocount.brk++;
+- if (difference & ACM_CTRL_RI)
+- acm->iocount.rng++;
+ if (difference & ACM_CTRL_DCD)
+ acm->iocount.dcd++;
+- if (difference & ACM_CTRL_FRAMING)
++ if (newctrl & ACM_CTRL_BRK)
++ acm->iocount.brk++;
++ if (newctrl & ACM_CTRL_RI)
++ acm->iocount.rng++;
++ if (newctrl & ACM_CTRL_FRAMING)
+ acm->iocount.frame++;
+- if (difference & ACM_CTRL_PARITY)
++ if (newctrl & ACM_CTRL_PARITY)
+ acm->iocount.parity++;
+- if (difference & ACM_CTRL_OVERRUN)
++ if (newctrl & ACM_CTRL_OVERRUN)
+ acm->iocount.overrun++;
+ spin_unlock(&acm->read_lock);
+
--- /dev/null
+From 0295e39595e1146522f2722715dba7f7fba42217 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 16:32:40 +0200
+Subject: IB/ucm: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 0295e39595e1146522f2722715dba7f7fba42217 upstream.
+
+hdr.cmd can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/infiniband/core/ucm.c:1127 ib_ucm_write() warn: potential
+spectre issue 'ucm_cmd_table' [r] (local cap)
+
+Fix this by sanitizing hdr.cmd before using it to index
+ucm_cmd_table.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucm.c
++++ b/drivers/infiniband/core/ucm.c
+@@ -46,6 +46,8 @@
+ #include <linux/mutex.h>
+ #include <linux/slab.h>
+
++#include <linux/nospec.h>
++
+ #include <asm/uaccess.h>
+
+ #include <rdma/ib.h>
+@@ -1115,6 +1117,7 @@ static ssize_t ib_ucm_write(struct file
+
+ if (hdr.cmd >= ARRAY_SIZE(ucm_cmd_table))
+ return -EINVAL;
++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucm_cmd_table));
+
+ if (hdr.in + sizeof(hdr) > len)
+ return -EINVAL;
--- /dev/null
+From 13c1c5e4d7f887cba36c5e3df3faa22071c1469f Mon Sep 17 00:00:00 2001
+From: Mikhail Nikiforov <jackxviichaos@gmail.com>
+Date: Mon, 15 Oct 2018 11:17:56 -0700
+Subject: Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
+
+From: Mikhail Nikiforov <jackxviichaos@gmail.com>
+
+commit 13c1c5e4d7f887cba36c5e3df3faa22071c1469f upstream.
+
+Add ELAN061C to the ACPI table to support Elan touchpad found in Lenovo
+IdeaPad 330-15IGM.
+
+Signed-off-by: Mikhail Nikiforov <jackxviichaos@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1251,6 +1251,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
+ { "ELAN0618", 0 },
++ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
+ { "ELAN0622", 0 },
+ { "ELAN1000", 0 },
--- /dev/null
+From efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 15:06:41 +0200
+Subject: ptp: fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba upstream.
+
+pin_index can be indirectly controlled by user-space, hence leading
+to a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/ptp/ptp_chardev.c:253 ptp_ioctl() warn: potential spectre issue
+'ops->pin_config' [r] (local cap)
+
+Fix this by sanitizing pin_index before using it to index
+ops->pin_config, and before passing it as an argument to
+function ptp_set_pinfunc(), in which it is used to index
+info->pin_config.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ptp/ptp_chardev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -23,6 +23,8 @@
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+
++#include <linux/nospec.h>
++
+ #include "ptp_private.h"
+
+ static int ptp_disable_pinfunc(struct ptp_clock_info *ops,
+@@ -224,6 +226,7 @@ long ptp_ioctl(struct posix_clock *pc, u
+ err = -EINVAL;
+ break;
+ }
++ pin_index = array_index_nospec(pin_index, ops->n_pins);
+ if (mutex_lock_interruptible(&ptp->pincfg_mux))
+ return -ERESTARTSYS;
+ pd = ops->pin_config[pin_index];
+@@ -242,6 +245,7 @@ long ptp_ioctl(struct posix_clock *pc, u
+ err = -EINVAL;
+ break;
+ }
++ pin_index = array_index_nospec(pin_index, ops->n_pins);
+ if (mutex_lock_interruptible(&ptp->pincfg_mux))
+ return -ERESTARTSYS;
+ err = ptp_set_pinfunc(ptp, pin_index, pd.func, pd.chan);
--- /dev/null
+From a3671a4f973ee9d9621d60166cc3b037c397d604 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 16:59:01 +0200
+Subject: RDMA/ucma: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit a3671a4f973ee9d9621d60166cc3b037c397d604 upstream.
+
+hdr.cmd can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/infiniband/core/ucma.c:1686 ucma_write() warn: potential
+spectre issue 'ucma_cmd_table' [r] (local cap)
+
+Fix this by sanitizing hdr.cmd before using it to index
+ucm_cmd_table.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -44,6 +44,8 @@
+ #include <linux/module.h>
+ #include <linux/nsproxy.h>
+
++#include <linux/nospec.h>
++
+ #include <rdma/rdma_user_cm.h>
+ #include <rdma/ib_marshall.h>
+ #include <rdma/rdma_cm.h>
+@@ -1627,6 +1629,7 @@ static ssize_t ucma_write(struct file *f
+
+ if (hdr.cmd >= ARRAY_SIZE(ucma_cmd_table))
+ return -EINVAL;
++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucma_cmd_table));
+
+ if (hdr.in + sizeof(hdr) > len)
+ return -EINVAL;
--- /dev/null
+From baa9be4ffb55876923dc9716abc0a448e510ba30 Mon Sep 17 00:00:00 2001
+From: Phil Auld <pauld@redhat.com>
+Date: Mon, 8 Oct 2018 10:36:40 -0400
+Subject: sched/fair: Fix throttle_list starvation with low CFS quota
+
+From: Phil Auld <pauld@redhat.com>
+
+commit baa9be4ffb55876923dc9716abc0a448e510ba30 upstream.
+
+With a very low cpu.cfs_quota_us setting, such as the minimum of 1000,
+distribute_cfs_runtime may not empty the throttled_list before it runs
+out of runtime to distribute. In that case, due to the change from
+c06f04c7048 to put throttled entries at the head of the list, later entries
+on the list will starve. Essentially, the same X processes will get pulled
+off the list, given CPU time and then, when expired, get put back on the
+head of the list where distribute_cfs_runtime will give runtime to the same
+set of processes leaving the rest.
+
+Fix the issue by setting a bit in struct cfs_bandwidth when
+distribute_cfs_runtime is running, so that the code in throttle_cfs_rq can
+decide to put the throttled entry on the tail or the head of the list. The
+bit is set/cleared by the callers of distribute_cfs_runtime while they hold
+cfs_bandwidth->lock.
+
+This is easy to reproduce with a handful of CPU consumers. I use 'crash' on
+the live system. In some cases you can simply look at the throttled list and
+see the later entries are not changing:
+
+ crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1" "$4}' | pr -t -n3
+ 1 ffff90b56cb2d200 -976050
+ 2 ffff90b56cb2cc00 -484925
+ 3 ffff90b56cb2bc00 -658814
+ 4 ffff90b56cb2ba00 -275365
+ 5 ffff90b166a45600 -135138
+ 6 ffff90b56cb2da00 -282505
+ 7 ffff90b56cb2e000 -148065
+ 8 ffff90b56cb2fa00 -872591
+ 9 ffff90b56cb2c000 -84687
+ 10 ffff90b56cb2f000 -87237
+ 11 ffff90b166a40a00 -164582
+
+ crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1" "$4}' | pr -t -n3
+ 1 ffff90b56cb2d200 -994147
+ 2 ffff90b56cb2cc00 -306051
+ 3 ffff90b56cb2bc00 -961321
+ 4 ffff90b56cb2ba00 -24490
+ 5 ffff90b166a45600 -135138
+ 6 ffff90b56cb2da00 -282505
+ 7 ffff90b56cb2e000 -148065
+ 8 ffff90b56cb2fa00 -872591
+ 9 ffff90b56cb2c000 -84687
+ 10 ffff90b56cb2f000 -87237
+ 11 ffff90b166a40a00 -164582
+
+Sometimes it is easier to see by finding a process getting starved and looking
+at the sched_info:
+
+ crash> task ffff8eb765994500 sched_info
+ PID: 7800 TASK: ffff8eb765994500 CPU: 16 COMMAND: "cputest"
+ sched_info = {
+ pcount = 8,
+ run_delay = 697094208,
+ last_arrival = 240260125039,
+ last_queued = 240260327513
+ },
+ crash> task ffff8eb765994500 sched_info
+ PID: 7800 TASK: ffff8eb765994500 CPU: 16 COMMAND: "cputest"
+ sched_info = {
+ pcount = 8,
+ run_delay = 697094208,
+ last_arrival = 240260125039,
+ last_queued = 240260327513
+ },
+
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Reviewed-by: Ben Segall <bsegall@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: c06f04c70489 ("sched: Fix potential near-infinite distribute_cfs_runtime() loop")
+Link: http://lkml.kernel.org/r/20181008143639.GA4019@pauld.bos.csb
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/fair.c | 22 +++++++++++++++++++---
+ kernel/sched/sched.h | 2 ++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -3624,9 +3624,13 @@ static void throttle_cfs_rq(struct cfs_r
+
+ /*
+ * Add to the _head_ of the list, so that an already-started
+- * distribute_cfs_runtime will not see us
++ * distribute_cfs_runtime will not see us. If disribute_cfs_runtime is
++ * not running add to the tail so that later runqueues don't get starved.
+ */
+- list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
++ if (cfs_b->distribute_running)
++ list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
++ else
++ list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
+
+ /*
+ * If we're the first throttled task, make sure the bandwidth
+@@ -3769,14 +3773,16 @@ static int do_sched_cfs_period_timer(str
+ * in us over-using our runtime if it is all used during this loop, but
+ * only by limited amounts in that extreme case.
+ */
+- while (throttled && cfs_b->runtime > 0) {
++ while (throttled && cfs_b->runtime > 0 && !cfs_b->distribute_running) {
+ runtime = cfs_b->runtime;
++ cfs_b->distribute_running = 1;
+ raw_spin_unlock(&cfs_b->lock);
+ /* we can't nest cfs_b->lock while distributing bandwidth */
+ runtime = distribute_cfs_runtime(cfs_b, runtime,
+ runtime_expires);
+ raw_spin_lock(&cfs_b->lock);
+
++ cfs_b->distribute_running = 0;
+ throttled = !list_empty(&cfs_b->throttled_cfs_rq);
+
+ cfs_b->runtime -= min(runtime, cfs_b->runtime);
+@@ -3887,6 +3893,11 @@ static void do_sched_cfs_slack_timer(str
+
+ /* confirm we're still not at a refresh boundary */
+ raw_spin_lock(&cfs_b->lock);
++ if (cfs_b->distribute_running) {
++ raw_spin_unlock(&cfs_b->lock);
++ return;
++ }
++
+ if (runtime_refresh_within(cfs_b, min_bandwidth_expiration)) {
+ raw_spin_unlock(&cfs_b->lock);
+ return;
+@@ -3896,6 +3907,9 @@ static void do_sched_cfs_slack_timer(str
+ runtime = cfs_b->runtime;
+
+ expires = cfs_b->runtime_expires;
++ if (runtime)
++ cfs_b->distribute_running = 1;
++
+ raw_spin_unlock(&cfs_b->lock);
+
+ if (!runtime)
+@@ -3906,6 +3920,7 @@ static void do_sched_cfs_slack_timer(str
+ raw_spin_lock(&cfs_b->lock);
+ if (expires == cfs_b->runtime_expires)
+ cfs_b->runtime -= min(runtime, cfs_b->runtime);
++ cfs_b->distribute_running = 0;
+ raw_spin_unlock(&cfs_b->lock);
+ }
+
+@@ -4017,6 +4032,7 @@ void init_cfs_bandwidth(struct cfs_bandw
+ cfs_b->period_timer.function = sched_cfs_period_timer;
+ hrtimer_init(&cfs_b->slack_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ cfs_b->slack_timer.function = sched_cfs_slack_timer;
++ cfs_b->distribute_running = 0;
+ }
+
+ static void init_cfs_rq_runtime(struct cfs_rq *cfs_rq)
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -233,6 +233,8 @@ struct cfs_bandwidth {
+ /* statistics */
+ int nr_periods, nr_throttled;
+ u64 throttled_time;
++
++ bool distribute_running;
+ #endif
+ };
+
mremap-properly-flush-tlb-before-releasing-the-page.patch
crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch
ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch
+cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch
+ptp-fix-spectre-v1-vulnerability.patch
+rdma-ucma-fix-spectre-v1-vulnerability.patch
+ib-ucm-fix-spectre-v1-vulnerability.patch
+cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch
+usb-gadget-storage-fix-spectre-v1-vulnerability.patch
+usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch
+input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch
+sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch
+x86-percpu-fix-this_cpu_read.patch
+x86-time-correct-the-attribute-on-jiffies-definition.patch
--- /dev/null
+From 665c365a77fbfeabe52694aedf3446d5f2f1ce42 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 15 Oct 2018 16:55:04 -0400
+Subject: USB: fix the usbfs flag sanitization for control transfers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 665c365a77fbfeabe52694aedf3446d5f2f1ce42 upstream.
+
+Commit 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") checks the
+transfer flags for URBs submitted from userspace via usbfs. However,
+the check for whether the USBDEVFS_URB_SHORT_NOT_OK flag should be
+allowed for a control transfer was added in the wrong place, before
+the code has properly determined the direction of the control
+transfer. (Control transfers are special because for them, the
+direction is set by the bRequestType byte of the Setup packet rather
+than direction bit of the endpoint address.)
+
+This patch moves code which sets up the allow_short flag for control
+transfers down after is_in has been set to the correct value.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
+Fixes: 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more")
+CC: Oliver Neukum <oneukum@suse.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1329,8 +1329,6 @@ static int proc_do_submiturb(struct usb_
+ u = 0;
+ switch (uurb->type) {
+ case USBDEVFS_URB_TYPE_CONTROL:
+- if (is_in)
+- allow_short = true;
+ if (!usb_endpoint_xfer_control(&ep->desc))
+ return -EINVAL;
+ /* min 8 byte setup packet */
+@@ -1360,6 +1358,8 @@ static int proc_do_submiturb(struct usb_
+ is_in = 0;
+ uurb->endpoint &= ~USB_DIR_IN;
+ }
++ if (is_in)
++ allow_short = true;
+ snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
+ "bRequest=%02x wValue=%04x "
+ "wIndex=%04x wLength=%04x\n",
--- /dev/null
+From 9ae24af3669111d418242caec8dd4ebd9ba26860 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 12:16:45 +0200
+Subject: usb: gadget: storage: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 9ae24af3669111d418242caec8dd4ebd9ba26860 upstream.
+
+num can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/usb/gadget/function/f_mass_storage.c:3177 fsg_lun_make() warn:
+potential spectre issue 'fsg_opts->common->luns' [r] (local cap)
+
+Fix this by sanitizing num before using it to index
+fsg_opts->common->luns
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Felipe Balbi <felipe.balbi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_mass_storage.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_mass_storage.c
++++ b/drivers/usb/gadget/function/f_mass_storage.c
+@@ -220,6 +220,8 @@
+ #include <linux/usb/gadget.h>
+ #include <linux/usb/composite.h>
+
++#include <linux/nospec.h>
++
+ #include "configfs.h"
+
+
+@@ -3260,6 +3262,7 @@ static struct config_group *fsg_lun_make
+ fsg_opts = to_fsg_opts(&group->cg_item);
+ if (num >= FSG_MAX_LUNS)
+ return ERR_PTR(-ERANGE);
++ num = array_index_nospec(num, FSG_MAX_LUNS);
+
+ mutex_lock(&fsg_opts->lock);
+ if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
--- /dev/null
+From b59167ac7bafd804c91e49ad53c6d33a7394d4c8 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 11 Oct 2018 12:38:27 +0200
+Subject: x86/percpu: Fix this_cpu_read()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit b59167ac7bafd804c91e49ad53c6d33a7394d4c8 upstream.
+
+Eric reported that a sequence count loop using this_cpu_read() got
+optimized out. This is wrong, this_cpu_read() must imply READ_ONCE()
+because the interface is IRQ-safe, therefore an interrupt can have
+changed the per-cpu value.
+
+Fixes: 7c3576d261ce ("[PATCH] i386: Convert PDA into the percpu section")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Cc: hpa@zytor.com
+Cc: eric.dumazet@gmail.com
+Cc: bp@alien8.de
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181011104019.748208519@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/percpu.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/percpu.h
++++ b/arch/x86/include/asm/percpu.h
+@@ -184,22 +184,22 @@ do { \
+ typeof(var) pfo_ret__; \
+ switch (sizeof(var)) { \
+ case 1: \
+- asm(op "b "__percpu_arg(1)",%0" \
++ asm volatile(op "b "__percpu_arg(1)",%0"\
+ : "=q" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
+ case 2: \
+- asm(op "w "__percpu_arg(1)",%0" \
++ asm volatile(op "w "__percpu_arg(1)",%0"\
+ : "=r" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
+ case 4: \
+- asm(op "l "__percpu_arg(1)",%0" \
++ asm volatile(op "l "__percpu_arg(1)",%0"\
+ : "=r" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
+ case 8: \
+- asm(op "q "__percpu_arg(1)",%0" \
++ asm volatile(op "q "__percpu_arg(1)",%0"\
+ : "=r" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
--- /dev/null
+From 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Fri, 12 Oct 2018 17:53:12 -0700
+Subject: x86/time: Correct the attribute on jiffies' definition
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d upstream.
+
+Clang warns that the declaration of jiffies in include/linux/jiffies.h
+doesn't match the definition in arch/x86/time/kernel.c:
+
+arch/x86/kernel/time.c:29:42: warning: section does not match previous declaration [-Wsection]
+__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES;
+ ^
+./include/linux/cache.h:49:4: note: expanded from macro '__cacheline_aligned'
+ __section__(".data..cacheline_aligned")))
+ ^
+./include/linux/jiffies.h:81:31: note: previous attribute is here
+extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies;
+ ^
+./arch/x86/include/asm/cache.h:20:2: note: expanded from macro '__cacheline_aligned_in_smp'
+ __page_aligned_data
+ ^
+./include/linux/linkage.h:39:29: note: expanded from macro '__page_aligned_data'
+#define __page_aligned_data __section(.data..page_aligned) __aligned(PAGE_SIZE)
+ ^
+./include/linux/compiler_attributes.h:233:56: note: expanded from macro '__section'
+#define __section(S) __attribute__((__section__(#S)))
+ ^
+1 warning generated.
+
+The declaration was changed in commit 7c30f352c852 ("jiffies.h: declare
+jiffies and jiffies_64 with ____cacheline_aligned_in_smp") but wasn't
+updated here. Make them match so Clang no longer warns.
+
+Fixes: 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp")
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181013005311.28617-1-natechancellor@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/time.c
++++ b/arch/x86/kernel/time.c
+@@ -23,7 +23,7 @@
+ #include <asm/time.h>
+
+ #ifdef CONFIG_X86_64
+-__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES;
++__visible volatile unsigned long jiffies __cacheline_aligned_in_smp = INITIAL_JIFFIES;
+ #endif
+
+ unsigned long profile_pc(struct pt_regs *regs)
projects / thirdparty / kernel / stable-queue.git / commitdiff
