--- /dev/null
+From 812ba7a2dfe1cd478ebdb6a35ecd69c5c9829162 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Feb 2020 15:26:29 -0800
+Subject: KVM: nVMX: Don't emulate instructions in guest mode
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+[ Upstream commit 07721feee46b4b248402133228235318199b05ec ]
+
+vmx_check_intercept is not yet fully implemented. To avoid emulating
+instructions disallowed by the L1 hypervisor, refuse to emulate
+instructions by default.
+
+Cc: stable@vger.kernel.org
+[Made commit, added commit msg - Oliver]
+Signed-off-by: Oliver Upton <oupton@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 67cdb08a736f0..a80a1af537d33 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11339,7 +11339,7 @@ static int vmx_check_intercept(struct kvm_vcpu *vcpu,
+ struct x86_instruction_info *info,
+ enum x86_intercept_stage stage)
+ {
+- return X86EMUL_CONTINUE;
++ return X86EMUL_UNHANDLEABLE;
+ }
+
+ #ifdef CONFIG_X86_64
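Review bot: The stub now rejects every emulation request that reaches vmx_check_intercept() while the vCPU is in guest mode, but nothing in the function records that this is a deliberate conservative default rather than a placeholder, so a later reader may "fix" it back to X86EMUL_CONTINUE. A comment above the return, `/* Not yet implemented: refuse rather than emulate an instruction L1 may have intercepted. */`, would carry the intent from the commit message into the code. What the common emulator then does with X86EMUL_UNHANDLEABLE in guest mode (fail the emulation toward L2 or toward userspace) is decided outside this hunk and is worth confirming for the stable tree being patched. Only the function body is visible here; its signature is in the hunk header.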
+--
+2.20.1
+
--- /dev/null
+From 8cb561148e3470eefbd847cf13f1073256115caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2019 19:32:46 +0800
+Subject: lib/stackdepot: Fix outdated comments
+
+From: Miles Chen <miles.chen@mediatek.com>
+
+[ Upstream commit ee050dc83bc326ad5ef8ee93bca344819371e7a5 ]
+
+Replace "depot_save_stack" with "stack_depot_save" in code comments because
+depot_save_stack() was replaced in commit c0cfc337264c ("lib/stackdepot:
+Provide functions which operate on plain storage arrays") and removed in
+commit 56d8f079c51a ("lib/stackdepot: Remove obsolete functions")
+
+Signed-off-by: Miles Chen <miles.chen@mediatek.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190815113246.18478-1-miles.chen@mediatek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/stackdepot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/stackdepot.c b/lib/stackdepot.c
+index f87d138e96724..1724cb0d6283f 100644
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -96,7 +96,7 @@ static bool init_stack_slab(void **prealloc)
+ stack_slabs[depot_index + 1] = *prealloc;
+ /*
+ * This smp_store_release pairs with smp_load_acquire() from
+- * |next_slab_inited| above and in depot_save_stack().
++ * |next_slab_inited| above and in stack_depot_save().
+ */
+ smp_store_release(&next_slab_inited, 1);
+ }
+@@ -123,7 +123,7 @@ static struct stack_record *depot_alloc_stack(unsigned long *entries, int size,
+ depot_offset = 0;
+ /*
+ * smp_store_release() here pairs with smp_load_acquire() from
+- * |next_slab_inited| in depot_save_stack() and
++ * |next_slab_inited| in stack_depot_save() and
+ * init_stack_slab().
+ */
+ if (depot_index + 1 < STACK_ALLOC_MAX_SLABS)
+--
+2.20.1
+
--- /dev/null
+From 6c8d601b01734369038a3062d216155cb1fa7c95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2020 20:04:30 -0800
+Subject: lib/stackdepot.c: fix global out-of-bounds in stack_slabs
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit 305e519ce48e935702c32241f07d393c3c8fed3e ]
+
+Walter Wu has reported a potential case in which init_stack_slab() is
+called after stack_slabs[STACK_ALLOC_MAX_SLABS - 1] has already been
+initialized. In that case init_stack_slab() will overwrite
+stack_slabs[STACK_ALLOC_MAX_SLABS], which may result in a memory
+corruption.
+
+Link: http://lkml.kernel.org/r/20200218102950.260263-1-glider@google.com
+Fixes: cd11016e5f521 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reported-by: Walter Wu <walter-zh.wu@mediatek.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/stackdepot.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/stackdepot.c b/lib/stackdepot.c
+index 1724cb0d6283f..54fe55b6bbc0a 100644
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -92,15 +92,19 @@ static bool init_stack_slab(void **prealloc)
+ return true;
+ if (stack_slabs[depot_index] == NULL) {
+ stack_slabs[depot_index] = *prealloc;
++ *prealloc = NULL;
+ } else {
+- stack_slabs[depot_index + 1] = *prealloc;
++ /* If this is the last depot slab, do not touch the next one. */
++ if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) {
++ stack_slabs[depot_index + 1] = *prealloc;
++ *prealloc = NULL;
++ }
+ /*
+ * This smp_store_release pairs with smp_load_acquire() from
+ * |next_slab_inited| above and in stack_depot_save().
+ */
+ smp_store_release(&next_slab_inited, 1);
+ }
+- *prealloc = NULL;
+ return true;
+ }
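Review bot: In the else branch, `smp_store_release(&next_slab_inited, 1)` still runs when `depot_index + 1 < STACK_ALLOC_MAX_SLABS` is false, so the flag advertises an initialized next slab while stack_slabs[] has no room for one and *prealloc is left non-NULL. That looks intended — it stops callers from preallocating again once the depot is full, and depot_alloc_stack() in this file bound-checks `depot_index + 1` itself (visible in the previous patch's hunk) — but the surviving comment only explains the memory ordering, not the ownership outcome. Suggest stating it next to the new `if`: `/* Depot is full: *prealloc stays owned by the caller, which must free it; still publish next_slab_inited so callers stop preallocating. */`. init_stack_slab() starts above this hunk, so its early `return true` paths are not visible here.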
+
+--
+2.20.1
+
--- /dev/null
+From 748c18a8d69bedc917ca0ee1242251476ec96c1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2020 13:35:01 -0800
+Subject: netfilter: xt_bpf: add overflow checks
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 6ab405114b0b229151ef06f4e31c7834dd09d0c0 ]
+
+Check whether inputs from userspace are too long (explicit length field too
+big or string not null-terminated) to avoid out-of-bounds reads.
+
+As far as I can tell, this can at worst lead to very limited kernel heap
+memory disclosure or oopses.
+
+This bug can be triggered by an unprivileged user even if the xt_bpf module
+is not loaded: iptables is available in network namespaces, and the xt_bpf
+module can be autoloaded.
+
+Triggering the bug with a classic BPF filter with fake length 0x1000 causes
+the following KASAN report:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0
+Read of size 32768 at addr ffff8801eff2c494 by task test/4627
+
+CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1
+[...]
+Call Trace:
+ dump_stack+0x5c/0x85
+ print_address_description+0x6a/0x260
+ kasan_report+0x254/0x370
+ ? bpf_prog_create+0x84/0xf0
+ memcpy+0x1f/0x50
+ bpf_prog_create+0x84/0xf0
+ bpf_mt_check+0x90/0xd6 [xt_bpf]
+[...]
+Allocated by task 4627:
+ kasan_kmalloc+0xa0/0xd0
+ __kmalloc_node+0x47/0x60
+ xt_alloc_table_info+0x41/0x70 [x_tables]
+[...]
+The buggy address belongs to the object at ffff8801eff2c3c0
+ which belongs to the cache kmalloc-2048 of size 2048
+The buggy address is located 212 bytes inside of
+ 2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0)
+[...]
+==================================================================
+
+Fixes: e6f30c731718 ("netfilter: x_tables: add xt_bpf match")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_bpf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
+index dffee9d47ec4b..7b993f25aab92 100644
+--- a/net/netfilter/xt_bpf.c
++++ b/net/netfilter/xt_bpf.c
+@@ -25,6 +25,9 @@ static int bpf_mt_check(const struct xt_mtchk_param *par)
+ struct xt_bpf_info *info = par->matchinfo;
+ struct sock_fprog_kern program;
+
++ if (info->bpf_program_num_elem > XT_BPF_MAX_NUM_INSTR)
++ return -EINVAL;
++
+ program.len = info->bpf_program_num_elem;
+ program.filter = info->bpf_program;
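Review bot: The commit message says two inputs are rejected — an oversized explicit length and a string that is not NUL-terminated — but the diffstat is three insertions and this hunk only adds the `bpf_program_num_elem > XT_BPF_MAX_NUM_INSTR` bound for the classic-BPF match. If this tree's xt_bpf also has the pinned-program variant with a path field, confirm that its NUL-termination check was carried over in the backport, or trim the description to what the patch actually does. A one-line comment on the new check, `/* Bound the userspace-supplied length before bpf_prog_create() copies the program. */`, would tie it to the KASAN report quoted above. bpf_mt_check() continues past the hunk.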
+
+--
+2.20.1
+
--- /dev/null
+From d3744c10957f86723df8df8a5058867d550f2f06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2020 00:38:29 -0300
+Subject: powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal
+ delivery
+
+From: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+
+[ Upstream commit 2464cc4c345699adea52c7aef75707207cb8a2f6 ]
+
+After a treclaim, we expect to be in non-transactional state. If we
+don't clear the current thread's MSR[TS] before we get preempted, then
+tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in
+suspended transaction state.
+
+When handling a signal caught in transactional state,
+handle_rt_signal64() calls get_tm_stackpointer() that treclaims the
+transaction using tm_reclaim_current() but without clearing the
+thread's MSR[TS]. This can cause the TM Bad Thing exception below if
+later we pagefault and get preempted trying to access the user's
+sigframe, using __put_user(). Afterwards, when we are rescheduled back
+into do_page_fault() (but now in suspended state since the thread's
+MSR[TS] was not cleared), upon executing 'rfid' after completion of
+the page fault handling, the exception is raised because a transition
+from suspended to non-transactional state is invalid.
+
+ Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033
+ Oops: Unrecoverable exception, sig: 6 [#1]
+ LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+ CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32
+ NIP: c00000000000de44 LR: c000000000034728 CTR: 0000000000000000
+ REGS: c00000003fe7bd70 TRAP: 0700 Not tainted (5.4.0-rc2)
+ MSR: 8000000302a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[SE]> CR: 44000884 XER: 00000000
+ CFAR: c00000000000dda4 IRQMASK: 0
+ PACATMSCRATCH: 800000010280b033
+ GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78
+ GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0
+ GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000
+ GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000
+ GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140
+ GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800
+ GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000
+ NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0
+ LR [c000000000034728] handle_rt_signal64+0x78/0xc50
+ Call Trace:
+ [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable)
+ [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460
+ [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74
+ Instruction dump:
+ 7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088
+ 60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989
+ ---[ end trace 93094aa44b442f87 ]---
+
+The simplified sequence of events that triggers the above exception is:
+
+ ... # userspace in NON-TRANSACTIONAL state
+ tbegin # userspace in TRANSACTIONAL state
+ signal delivery # kernelspace in SUSPENDED state
+ handle_rt_signal64()
+ get_tm_stackpointer()
+ treclaim # kernelspace in NON-TRANSACTIONAL state
+ __put_user()
+ page fault happens. We will never get back here because of the TM Bad Thing exception.
+
+ page fault handling kicks in and we voluntarily preempt ourselves
+ do_page_fault()
+ __schedule()
+ __switch_to(other_task)
+
+ our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared
+ __switch_to(our_task)
+ switch_to_tm()
+ tm_recheckpoint_new_task()
+ trechkpt # kernelspace in SUSPENDED state
+
+ The page fault handling resumes, but now we are in suspended transaction state
+ do_page_fault() completes
+ rfid <----- trying to get back where the page fault happened (we were non-transactional back then)
+ TM Bad Thing # illegal transition from suspended to non-transactional
+
+This patch fixes that issue by clearing the current thread's MSR[TS]
+just after treclaim in get_tm_stackpointer() so that we stay in
+non-transactional state in case we are preempted. In order to make
+treclaim and clearing the thread's MSR[TS] atomic from a preemption
+perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is
+used. It's also necessary to save the previous value of the thread's
+MSR before get_tm_stackpointer() is called so that it can be exposed
+to the signal handler later in setup_tm_sigcontexts() to inform the
+userspace MSR at the moment of the signal delivery.
+
+Found with tm-signal-context-force-tm kernel selftest.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Signed-off-by: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+Acked-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/signal.c | 17 +++++++++++++++--
+ arch/powerpc/kernel/signal_32.c | 28 ++++++++++++++--------------
+ arch/powerpc/kernel/signal_64.c | 22 ++++++++++------------
+ 3 files changed, 39 insertions(+), 28 deletions(-)
+
+diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c
+index 3600c0d99ae94..2dbb066d95194 100644
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -189,14 +189,27 @@ unsigned long get_tm_stackpointer(struct task_struct *tsk)
+ * normal/non-checkpointed stack pointer.
+ */
+
++ unsigned long ret = tsk->thread.regs->gpr[1];
++
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ BUG_ON(tsk != current);
+
+ if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) {
++ preempt_disable();
+ tm_reclaim_current(TM_CAUSE_SIGNAL);
+ if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr))
+- return tsk->thread.ckpt_regs.gpr[1];
++ ret = tsk->thread.ckpt_regs.gpr[1];
++
++ /*
++ * If we treclaim, we must clear the current thread's TM bits
++ * before re-enabling preemption. Otherwise we might be
++ * preempted and have the live MSR[TS] changed behind our back
++ * (tm_recheckpoint_new_task() would recheckpoint). Besides, we
++ * enter the signal handler in non-transactional state.
++ */
++ tsk->thread.regs->msr &= ~MSR_TS_MASK;
++ preempt_enable();
+ }
+ #endif
+- return tsk->thread.regs->gpr[1];
++ return ret;
+ }
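Review bot: get_tm_stackpointer() now has a side effect — on the treclaim path it clears MSR[TS] in tsk->thread.regs->msr — and every caller that still needs to know whether the thread was transactional must snapshot regs->msr before calling it, which is what the new `unsigned long msr = regs->msr;` lines in handle_rt_signal32(), handle_signal32() and handle_rt_signal64() do. That ordering requirement is only implicit; the function's header comment (it begins above this hunk) should state it, e.g. `Clears MSR[TS] in the live regs after reclaiming; callers that need the pre-signal MSR must read regs->msr before calling this.` Note also that `ret` is now initialised from tsk->thread.regs->gpr[1] before the `BUG_ON(tsk != current)`, a harmless reordering but one that dereferences tsk->thread.regs earlier than before.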
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index bec09db6981ea..1bf5eb9f8405a 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -515,19 +515,11 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame,
+ */
+ static int save_tm_user_regs(struct pt_regs *regs,
+ struct mcontext __user *frame,
+- struct mcontext __user *tm_frame, int sigret)
++ struct mcontext __user *tm_frame, int sigret,
++ unsigned long msr)
+ {
+- unsigned long msr = regs->msr;
+-
+ WARN_ON(tm_suspend_disabled);
+
+- /* Remove TM bits from thread's MSR. The MSR in the sigcontext
+- * just indicates to userland that we were doing a transaction, but we
+- * don't want to return in transactional state. This also ensures
+- * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+- */
+- regs->msr &= ~MSR_TS_MASK;
+-
+ /* Save both sets of general registers */
+ if (save_general_regs(¤t->thread.ckpt_regs, frame)
+ || save_general_regs(regs, tm_frame))
+@@ -1006,6 +998,10 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
+ int sigret;
+ unsigned long tramp;
+ struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ /* Save the thread's msr before get_tm_stackpointer() changes it */
++ unsigned long msr = regs->msr;
++#endif
+
+ BUG_ON(tsk != current);
+
+@@ -1038,13 +1034,13 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
+
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ tm_frame = &rt_sf->uc_transact.uc_mcontext;
+- if (MSR_TM_ACTIVE(regs->msr)) {
++ if (MSR_TM_ACTIVE(msr)) {
+ if (__put_user((unsigned long)&rt_sf->uc_transact,
+ &rt_sf->uc.uc_link) ||
+ __put_user((unsigned long)tm_frame,
+ &rt_sf->uc_transact.uc_regs))
+ goto badframe;
+- if (save_tm_user_regs(regs, frame, tm_frame, sigret))
++ if (save_tm_user_regs(regs, frame, tm_frame, sigret, msr))
+ goto badframe;
+ }
+ else
+@@ -1451,6 +1447,10 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
+ int sigret;
+ unsigned long tramp;
+ struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ /* Save the thread's msr before get_tm_stackpointer() changes it */
++ unsigned long msr = regs->msr;
++#endif
+
+ BUG_ON(tsk != current);
+
+@@ -1484,9 +1484,9 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
+
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ tm_mctx = &frame->mctx_transact;
+- if (MSR_TM_ACTIVE(regs->msr)) {
++ if (MSR_TM_ACTIVE(msr)) {
+ if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact,
+- sigret))
++ sigret, msr))
+ goto badframe;
+ }
+ else
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index 459c4adf47841..bde4c1b9a0ba8 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -192,7 +192,8 @@ static long setup_sigcontext(struct sigcontext __user *sc,
+ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+ struct sigcontext __user *tm_sc,
+ struct task_struct *tsk,
+- int signr, sigset_t *set, unsigned long handler)
++ int signr, sigset_t *set, unsigned long handler,
++ unsigned long msr)
+ {
+ /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the
+ * process never used altivec yet (MSR_VEC is zero in pt_regs of
+@@ -207,12 +208,11 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+ elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc);
+ #endif
+ struct pt_regs *regs = tsk->thread.regs;
+- unsigned long msr = tsk->thread.regs->msr;
+ long err = 0;
+
+ BUG_ON(tsk != current);
+
+- BUG_ON(!MSR_TM_ACTIVE(regs->msr));
++ BUG_ON(!MSR_TM_ACTIVE(msr));
+
+ WARN_ON(tm_suspend_disabled);
+
+@@ -222,13 +222,6 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+ */
+ msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX);
+
+- /* Remove TM bits from thread's MSR. The MSR in the sigcontext
+- * just indicates to userland that we were doing a transaction, but we
+- * don't want to return in transactional state. This also ensures
+- * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+- */
+- regs->msr &= ~MSR_TS_MASK;
+-
+ #ifdef CONFIG_ALTIVEC
+ err |= __put_user(v_regs, &sc->v_regs);
+ err |= __put_user(tm_v_regs, &tm_sc->v_regs);
+@@ -805,6 +798,10 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
+ unsigned long newsp = 0;
+ long err = 0;
+ struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ /* Save the thread's msr before get_tm_stackpointer() changes it */
++ unsigned long msr = regs->msr;
++#endif
+
+ BUG_ON(tsk != current);
+
+@@ -822,7 +819,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
+ err |= __put_user(0, &frame->uc.uc_flags);
+ err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]);
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+- if (MSR_TM_ACTIVE(regs->msr)) {
++ if (MSR_TM_ACTIVE(msr)) {
+ /* The ucontext_t passed to userland points to the second
+ * ucontext_t (for transactional state) with its uc_link ptr.
+ */
+@@ -830,7 +827,8 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
+ err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext,
+ &frame->uc_transact.uc_mcontext,
+ tsk, ksig->sig, NULL,
+- (unsigned long)ksig->ka.sa.sa_handler);
++ (unsigned long)ksig->ka.sa.sa_handler,
++ msr);
+ } else
+ #endif
+ {
+--
+2.20.1
+
--- /dev/null
+From 2456d2946f813681e8b0bb1fe57afaf7cf51cf0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Dec 2017 18:20:45 -0500
+Subject: powerpc/tm: Fix endianness flip on trap
+
+From: Gustavo Romero <gromero@linux.vnet.ibm.com>
+
+[ Upstream commit 1c200e63d055ec0125e44a5e386b9b78aada7eb3 ]
+
+Currently it's possible that a thread on PPC64 LE has its endianness
+flipped inadvertently to Big-Endian resulting in a crash once the process
+is back from the signal handler.
+
+If giveup_all() is called when regs->msr has the bits MSR.FP and MSR.VEC
+disabled (and hence MSR.VSX disabled too) it returns without calling
+check_if_tm_restore_required() which copies regs->msr to ckpt_regs->msr if
+the process caught a signal whilst in transactional mode. Then once in
+setup_tm_sigcontexts() MSR from ckpt_regs.msr is used, but since
+check_if_tm_restore_required() was not called previously, gp_regs[PT_MSR]
+gets a copy of invalid MSR bits as MSR in ckpt_regs was not updated from
+regs->msr and so is zeroed. Later when leaving the signal handler once in
+sys_rt_sigreturn() the TS bits of gp_regs[PT_MSR] are checked to determine
+if restore_tm_sigcontexts() must be called to pull in the correct MSR state
+into the user context. Because TS bits are zeroed
+restore_tm_sigcontexts() is never called and MSR restored from the user
+context on returning from the signal handler has the MSR.LE (the endianness
+bit) forced to zero (Big-Endian). That leads, for instance, to 'nop' being
+treated as an illegal instruction in the following sequence:
+
+ tbegin.
+ beq 1f
+ trap
+ tend.
+1: nop
+
+on PPC64 LE machines and the process dies just after returning from the
+signal handler.
+
+PPC64 BE is also affected but in a subtle way since forcing Big-Endian on
+a BE machine does not change the endianness.
+
+This commit fixes the issue described above by ensuring that once in
+setup_tm_sigcontexts() the MSR used is from regs->msr instead of from
+ckpt_regs->msr and by ensuring that we pull in only the MSR.FP, MSR.VEC,
+and MSR.VSX bits from ckpt_regs->msr.
+
+The fix was tested both on LE and BE machines and no regression regarding
+the powerpc/tm selftests was observed.
+
+Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/signal_64.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index 9d8fd0c74b314..459c4adf47841 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -207,7 +207,7 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+ elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc);
+ #endif
+ struct pt_regs *regs = tsk->thread.regs;
+- unsigned long msr = tsk->thread.ckpt_regs.msr;
++ unsigned long msr = tsk->thread.regs->msr;
+ long err = 0;
+
+ BUG_ON(tsk != current);
+@@ -216,6 +216,12 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+
+ WARN_ON(tm_suspend_disabled);
+
++ /* Restore checkpointed FP, VEC, and VSX bits from ckpt_regs as
++ * it contains the correct FP, VEC, VSX state after we treclaimed
++ * the transaction and giveup_all() was called on reclaiming.
++ */
++ msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX);
++
+ /* Remove TM bits from thread's MSR. The MSR in the sigcontext
+ * just indicates to userland that we were doing a transaction, but we
+ * don't want to return in transactional state. This also ensures
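Review bot: The new `msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX)` only ever sets bits, so it yields the checkpointed FP/VEC/VSX state only if those bits are already clear in regs->msr at this point; the comment asserts that giveup_all() was called on reclaim but does not say the OR depends on it. Either make the dependence explicit, `/* regs->msr has FP/VEC/VSX cleared by giveup_all() during treclaim, so OR-ing in the checkpointed bits restores them exactly. */`, or make the merge independent of that precondition with `msr = (msr & ~(MSR_FP | MSR_VEC | MSR_VSX)) | (tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX));`. The reclaim itself happens in get_tm_stackpointer(), outside this function, so the precondition cannot be verified from the hunk.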
+--
+2.20.1
+
--- /dev/null
+From 814ec9943e50993a7c51fee1e1d9e74ddc7ffd07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Oct 2017 21:17:19 +1100
+Subject: powerpc/tm: P9 disable transactionally suspended sigcontexts
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit 92fb8690bd04cb421d987d246deac60eef85d272 ]
+
+Unfortunately userspace can construct a sigcontext which enables
+suspend. Thus userspace can force Linux into a path where trechkpt is
+executed.
+
+This patch blocks this from happening on POWER9 by sanity checking
+sigcontexts passed in.
+
+ptrace doesn't have this problem as only MSR SE and BE can be changed
+via ptrace.
+
+This patch also adds a number of WARN_ON()s in case we ever enter
+suspend when we shouldn't. This should not happen, but if it does the
+symptoms are soft lockup warnings which are not obviously TM related,
+so the WARN_ON()s should make it obvious what's happening.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/process.c | 2 ++
+ arch/powerpc/kernel/signal_32.c | 4 ++++
+ arch/powerpc/kernel/signal_64.c | 5 +++++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
+index 54c95e7c74cce..1a08c43a51f8c 100644
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -890,6 +890,8 @@ static inline void tm_reclaim_task(struct task_struct *tsk)
+ if (!MSR_TM_ACTIVE(thr->regs->msr))
+ goto out_and_saveregs;
+
++ WARN_ON(tm_suspend_disabled);
++
+ TM_DEBUG("--- tm_reclaim on pid %d (NIP=%lx, "
+ "ccr=%lx, msr=%lx, trap=%lx)\n",
+ tsk->pid, thr->regs->nip,
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index a378b1e80a1aa..bec09db6981ea 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -519,6 +519,8 @@ static int save_tm_user_regs(struct pt_regs *regs,
+ {
+ unsigned long msr = regs->msr;
+
++ WARN_ON(tm_suspend_disabled);
++
+ /* Remove TM bits from thread's MSR. The MSR in the sigcontext
+ * just indicates to userland that we were doing a transaction, but we
+ * don't want to return in transactional state. This also ensures
+@@ -769,6 +771,8 @@ static long restore_tm_user_regs(struct pt_regs *regs,
+ int i;
+ #endif
+
++ if (tm_suspend_disabled)
++ return 1;
+ /*
+ * restore general registers but not including MSR or SOFTE. Also
+ * take care of keeping r2 (TLS) intact if not a signal.
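Review bot: The new `if (tm_suspend_disabled) return 1;` in restore_tm_user_regs() is the security-relevant check of this patch — it is what stops a userspace-built sigcontext from steering the kernel into trechkpt on POWER9 — yet it carries no comment, and no blank line separates it from the following comment block, so it reads as part of the register-restore explanation. Suggest `/* A user-supplied sigcontext must not re-enter suspended state when the CPU does not support it (P9). */` above the check, followed by a blank line; the same applies to the `return -EINVAL` hunk in signal_64.c restore_tm_sigcontexts(). The two functions use different failure values (1 vs -EINVAL), which presumably follows each file's existing convention — worth confirming that every caller of restore_tm_user_regs() treats any non-zero return as a bad frame. Both functions start above their hunks.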
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index f4c46b0ec611a..9d8fd0c74b314 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -214,6 +214,8 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+
+ BUG_ON(!MSR_TM_ACTIVE(regs->msr));
+
++ WARN_ON(tm_suspend_disabled);
++
+ /* Remove TM bits from thread's MSR. The MSR in the sigcontext
+ * just indicates to userland that we were doing a transaction, but we
+ * don't want to return in transactional state. This also ensures
+@@ -430,6 +432,9 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
+
+ BUG_ON(tsk != current);
+
++ if (tm_suspend_disabled)
++ return -EINVAL;
++
+ /* copy the GPRs */
+ err |= __copy_from_user(regs->gpr, tm_sc->gp_regs, sizeof(regs->gpr));
+ err |= __copy_from_user(&tsk->thread.ckpt_regs, sc->gp_regs,
+--
+2.20.1
+
revert-ipc-sem-remove-uneeded-sem_undo_list-lock-usage-in-exit_sem.patch
xhci-apply-xhci_pme_stuck_quirk-to-intel-comet-lake-platforms.patch
kvm-x86-don-t-notify-userspace-ioapic-on-edge-triggered-interrupt-eoi.patch
+vt_resizex-get-rid-of-field-by-field-copyin.patch
+vt-vt_ioctl-fix-race-in-vt_resizex.patch
+powerpc-tm-p9-disable-transactionally-suspended-sigc.patch
+powerpc-tm-fix-endianness-flip-on-trap.patch
+powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch
+lib-stackdepot-fix-outdated-comments.patch
+lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch
+kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch
+netfilter-xt_bpf-add-overflow-checks.patch
--- /dev/null
+From b5f10c5eba7ab344fd24fd8eb21b26fcf5b3bfa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2020 11:07:21 -0800
+Subject: vt: vt_ioctl: fix race in VT_RESIZEX
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6cd1ed50efd88261298577cd92a14f2768eddeeb ]
+
+We need to make sure vc_cons[i].d is not NULL after grabbing
+console_lock(), or risk a crash.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]
+CPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ ksys_ioctl+0x123/0x180 fs/ioctl.c:763
+ __do_sys_ioctl fs/ioctl.c:772 [inline]
+ __se_sys_ioctl fs/ioctl.c:770 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x45b399
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399
+RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c
+Modules linked in:
+---[ end trace 80970faf7a67eb77 ]---
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index d4c1b100f3b6d..e8efb270dc8f9 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -879,15 +879,20 @@ int vt_ioctl(struct tty_struct *tty,
+ return -EINVAL;
+
+ for (i = 0; i < MAX_NR_CONSOLES; i++) {
++ struct vc_data *vcp;
++
+ if (!vc_cons[i].d)
+ continue;
+ console_lock();
+- if (v.v_vlin)
+- vc_cons[i].d->vc_scan_lines = v.v_vlin;
+- if (v.v_clin)
+- vc_cons[i].d->vc_font.height = v.v_clin;
+- vc_cons[i].d->vc_resize_user = 1;
+- vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
++ vcp = vc_cons[i].d;
++ if (vcp) {
++ if (v.v_vlin)
++ vcp->vc_scan_lines = v.v_vlin;
++ if (v.v_clin)
++ vcp->vc_font.height = v.v_clin;
++ vcp->vc_resize_user = 1;
++ vc_resize(vcp, v.v_cols, v.v_rows);
++ }
+ console_unlock();
+ }
+ break;
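Review bot: The lockless `if (!vc_cons[i].d) continue;` just above the new `console_lock()` is now only an optimisation, since the authoritative NULL test is the `if (vcp)` taken under the lock, but nothing says so and a reader may take the first test as the protection. A comment on it, `/* Racy fast-path skip; the real check is repeated under console_lock() below. */`, would keep the locked re-check from being removed later as redundant. Reading vc_cons[i].d outside the lock remains a plain unannotated racy read; if this tree uses READ_ONCE() for such peeks elsewhere in vt_ioctl.c, matching that here would be consistent. The VT_RESIZEX case and vt_ioctl() itself begin before this hunk.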
+--
+2.20.1
+
--- /dev/null
+From d5cc63bd631793f6a77b521938bcb50616955ed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2017 12:34:13 -0400
+Subject: VT_RESIZEX: get rid of field-by-field copyin
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 1b3bce4d6bf839304a90951b4b25a5863533bf2a ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 68 ++++++++++++++++-----------------------
+ 1 file changed, 27 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index 638eb9bbd59fa..d4c1b100f3b6d 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -850,58 +850,44 @@ int vt_ioctl(struct tty_struct *tty,
+
+ case VT_RESIZEX:
+ {
+- struct vt_consize __user *vtconsize = up;
+- ushort ll,cc,vlin,clin,vcol,ccol;
++ struct vt_consize v;
+ if (!perm)
+ return -EPERM;
+- if (!access_ok(VERIFY_READ, vtconsize,
+- sizeof(struct vt_consize))) {
+- ret = -EFAULT;
+- break;
+- }
++ if (copy_from_user(&v, up, sizeof(struct vt_consize)))
++ return -EFAULT;
+ /* FIXME: Should check the copies properly */
+- __get_user(ll, &vtconsize->v_rows);
+- __get_user(cc, &vtconsize->v_cols);
+- __get_user(vlin, &vtconsize->v_vlin);
+- __get_user(clin, &vtconsize->v_clin);
+- __get_user(vcol, &vtconsize->v_vcol);
+- __get_user(ccol, &vtconsize->v_ccol);
+- vlin = vlin ? vlin : vc->vc_scan_lines;
+- if (clin) {
+- if (ll) {
+- if (ll != vlin/clin) {
+- /* Parameters don't add up */
+- ret = -EINVAL;
+- break;
+- }
+- } else
+- ll = vlin/clin;
++ if (!v.v_vlin)
++ v.v_vlin = vc->vc_scan_lines;
++ if (v.v_clin) {
++ int rows = v.v_vlin/v.v_clin;
++ if (v.v_rows != rows) {
++ if (v.v_rows) /* Parameters don't add up */
++ return -EINVAL;
++ v.v_rows = rows;
++ }
+ }
+- if (vcol && ccol) {
+- if (cc) {
+- if (cc != vcol/ccol) {
+- ret = -EINVAL;
+- break;
+- }
+- } else
+- cc = vcol/ccol;
++ if (v.v_vcol && v.v_ccol) {
++ int cols = v.v_vcol/v.v_ccol;
++ if (v.v_cols != cols) {
++ if (v.v_cols)
++ return -EINVAL;
++ v.v_cols = cols;
++ }
+ }
+
+- if (clin > 32) {
+- ret = -EINVAL;
+- break;
+- }
+-
++ if (v.v_clin > 32)
++ return -EINVAL;
++
+ for (i = 0; i < MAX_NR_CONSOLES; i++) {
+ if (!vc_cons[i].d)
+ continue;
+ console_lock();
+- if (vlin)
+- vc_cons[i].d->vc_scan_lines = vlin;
+- if (clin)
+- vc_cons[i].d->vc_font.height = clin;
++ if (v.v_vlin)
++ vc_cons[i].d->vc_scan_lines = v.v_vlin;
++ if (v.v_clin)
++ vc_cons[i].d->vc_font.height = v.v_clin;
+ vc_cons[i].d->vc_resize_user = 1;
+- vc_resize(vc_cons[i].d, cc, ll);
++ vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
+ console_unlock();
+ }
+ break;
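Review bot: The `/* FIXME: Should check the copies properly */` comment is now stale — the copy is a single `copy_from_user()` whose return value is checked on the line above — and should be dropped with this change rather than left to suggest the read is still unchecked. The validation order is sound (`v.v_clin` is tested non-zero before `v.v_vlin/v.v_clin`, and `v.v_vcol && v.v_ccol` before that division), but the `v.v_clin > 32` limit is applied after the rows computation, so moving it up next to the copy would put all bounds on the user-supplied struct in one place. The hunk also switches error paths from `ret = ...; break;` to `return`, consistent with the existing `return -EPERM` in this case but skipping anything done after the switch, which I assume is nothing. vt_ioctl() starts and ends outside the hunk.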
+--
+2.20.1
+