--- /dev/null
+From 72c05f32f4a5055c9c8fe889bb6903ec959c0aad Mon Sep 17 00:00:00 2001
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Fri, 27 Jul 2018 18:50:42 +0300
+Subject: can: ems_usb: Fix memory leak on ems_usb_disconnect()
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.
+
+ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
+is no its deallocation in ems_usb_disconnect().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/ems_usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1078,6 +1078,7 @@ static void ems_usb_disconnect(struct us
+ usb_free_urb(dev->intr_urb);
+
+ kfree(dev->intr_in_buffer);
++ kfree(dev->tx_msg_buffer);
+ }
+ }
+
--- /dev/null
+From 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 13 Jul 2018 16:12:32 +0800
+Subject: crypto: padlock-aes - Fix Nano workaround data corruption
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.
+
+This was detected by the self-test thanks to Ard's chunking patch.
+
+I finally got around to testing this out on my ancient Via box. It
+turns out that the workaround got the assembly wrong and we end up
+doing count + initial cycles of the loop instead of just count.
+
+This obviously causes corruption, either by overwriting the source
+that is yet to be processed, or writing over the end of the buffer.
+
+On CPUs that don't require the workaround only ECB is affected.
+On Nano CPUs both ECB and CBC are affected.
+
+This patch fixes it by doing the subtraction prior to the assembly.
+
+Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Jamie Heilman <jamie@audible.transient.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/padlock-aes.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/padlock-aes.c
++++ b/drivers/crypto/padlock-aes.c
+@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co
+ return;
+ }
+
++ count -= initial;
++
+ if (initial)
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */
+ : "+S"(input), "+D"(output)
+@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co
+
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */
+ : "+S"(input), "+D"(output)
+- : "d"(control_word), "b"(key), "c"(count - initial));
++ : "d"(control_word), "b"(key), "c"(count));
+ }
+
+ static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
+@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con
+ if (count < cbc_fetch_blocks)
+ return cbc_crypt(input, output, key, iv, control_word, count);
+
++ count -= initial;
++
+ if (initial)
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
+ : "+S" (input), "+D" (output), "+a" (iv)
+@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con
+
+ asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */
+ : "+S" (input), "+D" (output), "+a" (iv)
+- : "d" (control_word), "b" (key), "c" (count-initial));
++ : "d" (control_word), "b" (key), "c" (count));
+ return iv;
+ }
+
--- /dev/null
+From 63aff65573d73eb8dda4732ad4ef222dd35e4862 Mon Sep 17 00:00:00 2001
+From: Roman Kagan <rkagan@virtuozzo.com>
+Date: Thu, 19 Jul 2018 21:59:07 +0300
+Subject: kvm: x86: vmx: fix vpid leak
+
+From: Roman Kagan <rkagan@virtuozzo.com>
+
+commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.
+
+VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
+vmx is turned on with the module parameter.
+
+However, it's only freed if the L1 guest has executed VMXON which is not
+a given.
+
+As a result, on a system with nested==on every creation+deletion of an
+L1 vcpu without running an L2 guest results in leaking one vpid. Since
+the total number of vpids is limited to 64k, they can eventually get
+exhausted, preventing L2 from starting.
+
+Delay allocation of the L2 vpid until VMXON emulation, thus matching its
+freeing.
+
+Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6843,6 +6843,8 @@ static int handle_vmon(struct kvm_vcpu *
+ HRTIMER_MODE_REL);
+ vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
+
++ vmx->nested.vpid02 = allocate_vpid();
++
+ vmx->nested.vmxon = true;
+
+ skip_emulated_instruction(vcpu);
+@@ -8887,10 +8889,8 @@ static struct kvm_vcpu *vmx_create_vcpu(
+ goto free_vmcs;
+ }
+
+- if (nested) {
++ if (nested)
+ nested_vmx_setup_ctls_msrs(vmx);
+- vmx->nested.vpid02 = allocate_vpid();
+- }
+
+ vmx->nested.posted_intr_nv = -1;
+ vmx->nested.current_vmptr = -1ull;
+@@ -8899,7 +8899,6 @@ static struct kvm_vcpu *vmx_create_vcpu(
+ return &vmx->vcpu;
+
+ free_vmcs:
+- free_vpid(vmx->nested.vpid02);
+ free_loaded_vmcs(vmx->loaded_vmcs);
+ free_msrs:
+ kfree(vmx->guest_msrs);
--- /dev/null
+From c8e8cd579bb4265651df8223730105341e61a2d1 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Fri, 27 Jul 2018 22:43:01 +0000
+Subject: net: socket: fix potential spectre v1 gadget in socketcall
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2324,6 +2325,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
+
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+
+ len = nargs[call];
+ if (len > sizeof(a))
--- /dev/null
+From c170e5a8d222537e98aa8d4fddb667ff7a2ee114 Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Thu, 12 Jul 2018 16:30:45 -0400
+Subject: scsi: sg: fix minor memory leak in error path
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.
+
+Fix a minor memory leak when there is an error opening a /dev/sg device.
+
+Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2195,6 +2195,7 @@ sg_add_sfp(Sg_device * sdp)
+ write_lock_irqsave(&sdp->sfd_lock, iflags);
+ if (atomic_read(&sdp->detaching)) {
+ write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++ kfree(sfp);
+ return ERR_PTR(-ENODEV);
+ }
+ list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
inet-frag-enforce-memory-limits-earlier.patch
net-dsa-do-not-suspend-resume-closed-slave_dev.patch
netlink-fix-spectre-v1-gadget-in-netlink_create.patch
+squashfs-more-metadata-hardening.patch
+squashfs-more-metadata-hardenings.patch
+can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch
+net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
+virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
+kvm-x86-vmx-fix-vpid-leak.patch
+crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
+scsi-sg-fix-minor-memory-leak-in-error-path.patch
--- /dev/null
+From d512584780d3e6a7cacb2f482834849453d444a1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 30 Jul 2018 14:27:15 -0700
+Subject: squashfs: more metadata hardening
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.
+
+Anatoly reports another squashfs fuzzing issue, where the decompression
+parameters themselves are in a compressed block.
+
+This causes squashfs_read_data() to be called in order to read the
+decompression options before the decompression stream having been set
+up, making squashfs go sideways.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/squashfs/block.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -166,6 +166,8 @@ int squashfs_read_data(struct super_bloc
+ }
+
+ if (compressed) {
++ if (!msblk->stream)
++ goto read_failure;
+ length = squashfs_decompress(msblk, bh, b, offset, length,
+ output);
+ if (length < 0)
--- /dev/null
+From 71755ee5350b63fb1f283de8561cdb61b47f4d1d Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 2 Aug 2018 08:43:35 -0700
+Subject: squashfs: more metadata hardening
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream.
+
+The squashfs fragment reading code doesn't actually verify that the
+fragment is inside the fragment table. The end result _is_ verified to
+be inside the image when actually reading the fragment data, but before
+that is done, we may end up taking a page fault because the fragment
+table itself might not even exist.
+
+Another report from Anatoly and his endless squashfs image fuzzing.
+
+Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
+Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/squashfs/fragment.c | 13 +++++++++----
+ fs/squashfs/squashfs_fs_sb.h | 1 +
+ fs/squashfs/super.c | 5 +++--
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_bl
+ u64 *fragment_block)
+ {
+ struct squashfs_sb_info *msblk = sb->s_fs_info;
+- int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+- u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++ int block, offset, size;
+ struct squashfs_fragment_entry fragment_entry;
+- int size;
++ u64 start_block;
++
++ if (fragment >= msblk->fragments)
++ return -EIO;
++ block = SQUASHFS_FRAGMENT_INDEX(fragment);
++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++ start_block = le64_to_cpu(msblk->fragment_index[block]);
+
+ size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+ &offset, sizeof(fragment_entry));
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+ unsigned short block_log;
+ long long bytes_used;
+ unsigned int inodes;
++ unsigned int fragments;
+ int xattr_ids;
+ };
+ #endif
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -176,6 +176,7 @@ static int squashfs_fill_super(struct su
+ msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+ msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+ msblk->inodes = le32_to_cpu(sblk->inodes);
++ msblk->fragments = le32_to_cpu(sblk->fragments);
+ flags = le16_to_cpu(sblk->flags);
+
+ TRACE("Found valid superblock on %s\n", bdevname(sb->s_bdev, b));
+@@ -186,7 +187,7 @@ static int squashfs_fill_super(struct su
+ TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+ TRACE("Block size %d\n", msblk->block_size);
+ TRACE("Number of inodes %d\n", msblk->inodes);
+- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++ TRACE("Number of fragments %d\n", msblk->fragments);
+ TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+ TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+ TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
+@@ -273,7 +274,7 @@ allocate_id_index_table:
+ sb->s_export_op = &squashfs_export_ops;
+
+ handle_fragments:
+- fragments = le32_to_cpu(sblk->fragments);
++ fragments = msblk->fragments;
+ if (fragments == 0)
+ goto check_directory_table;
+
--- /dev/null
+From 89da619bc18d79bca5304724c11d4ba3b67ce2c6 Mon Sep 17 00:00:00 2001
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+Date: Wed, 18 Jul 2018 10:29:28 +0800
+Subject: virtio_balloon: fix another race between migration and ballooning
+
+From: Jiang Biao <jiang.biao2@zte.com.cn>
+
+commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.
+
+Kernel panic when with high memory pressure, calltrace looks like,
+
+PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
+ #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
+ #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
+ #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
+ #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
+ #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
+ #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
+ #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
+ #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
+ #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
+ #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
+ [exception RIP: _raw_spin_lock_irqsave+47]
+ RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
+ RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
+ RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
+ RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
+ R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+
+It happens in the pagefault and results in double pagefault
+during compacting pages when memory allocation fails.
+
+Analysed the vmcore, the page leads to second pagefault is corrupted
+with _mapcount=-256, but private=0.
+
+It's caused by the race between migration and ballooning, and lock
+missing in virtballoon_migratepage() of virtio_balloon driver.
+This patch fix the bug.
+
+Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -479,7 +479,9 @@ static int virtballoon_migratepage(struc
+ tell_host(vb, vb->inflate_vq);
+
+ /* balloon's page migration 2nd step -- deflate "page" */
++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+ balloon_page_delete(page);
++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+ vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+ set_page_pfns(vb, vb->pfns, page);
+ tell_host(vb, vb->deflate_vq);
projects / thirdparty / kernel / stable-queue.git / commitdiff
