4.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Mar 2018 18:51:08 +0000 (20:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Mar 2018 18:51:08 +0000 (20:51 +0200)
added patches:
kvm-x86-fix-icebp-instruction-handling.patch
posix-timers-protect-posix-clock-array-access-against-speculation.patch
selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch
tty-vt-fix-up-tabstops-properly.patch
x86-efi-free-efi_pgd-with-free_pages.patch
x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch
x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch

queue-4.15/kvm-x86-fix-icebp-instruction-handling.patch [new file with mode: 0644]
queue-4.15/posix-timers-protect-posix-clock-array-access-against-speculation.patch [new file with mode: 0644]
queue-4.15/selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch [new file with mode: 0644]
queue-4.15/series
queue-4.15/tty-vt-fix-up-tabstops-properly.patch [new file with mode: 0644]
queue-4.15/x86-efi-free-efi_pgd-with-free_pages.patch [new file with mode: 0644]
queue-4.15/x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch [new file with mode: 0644]
queue-4.15/x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch [new file with mode: 0644]

diff --git a/queue-4.15/kvm-x86-fix-icebp-instruction-handling.patch b/queue-4.15/kvm-x86-fix-icebp-instruction-handling.patch
new file mode 100644 (file)
index 0000000..47e2be4
--- /dev/null
@@ -0,0 +1,84 @@
+From 32d43cd391bacb5f0814c2624399a5dad3501d09 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 20 Mar 2018 12:16:59 -0700
+Subject: kvm/x86: fix icebp instruction handling
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 32d43cd391bacb5f0814c2624399a5dad3501d09 upstream.
+
+The undocumented 'icebp' instruction (aka 'int1') works pretty much like
+'int3' in the absense of in-circuit probing equipment (except,
+obviously, that it raises #DB instead of raising #BP), and is used by
+some validation test-suites as such.
+
+But Andy Lutomirski noticed that his test suite acted differently in kvm
+than on bare hardware.
+
+The reason is that kvm used an inexact test for the icebp instruction:
+it just assumed that an all-zero VM exit qualification value meant that
+the VM exit was due to icebp.
+
+That is not unlike the guess that do_debug() does for the actual
+exception handling case, but it's purely a heuristic, not an absolute
+rule.  do_debug() does it because it wants to ascribe _some_ reasons to
+the #DB that happened, and an empty %dr6 value means that 'icebp' is the
+most likely casue and we have no better information.
+
+But kvm can just do it right, because unlike the do_debug() case, kvm
+actually sees the real reason for the #DB in the VM-exit interruption
+information field.
+
+So instead of relying on an inexact heuristic, just use the actual VM
+exit information that says "it was 'icebp'".
+
+Right now the 'icebp' instruction isn't technically documented by Intel,
+but that will hopefully change.  The special "privileged software
+exception" information _is_ actually mentioned in the Intel SDM, even
+though the cause of it isn't enumerated.
+
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Tested-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/vmx.h |    1 +
+ arch/x86/kvm/vmx.c         |    9 ++++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/vmx.h
++++ b/arch/x86/include/asm/vmx.h
+@@ -352,6 +352,7 @@ enum vmcs_field {
+ #define INTR_TYPE_NMI_INTR            (2 << 8) /* NMI */
+ #define INTR_TYPE_HARD_EXCEPTION      (3 << 8) /* processor exception */
+ #define INTR_TYPE_SOFT_INTR             (4 << 8) /* software interrupt */
++#define INTR_TYPE_PRIV_SW_EXCEPTION   (5 << 8) /* ICE breakpoint - undocumented */
+ #define INTR_TYPE_SOFT_EXCEPTION      (6 << 8) /* software exception */
+ /* GUEST_INTERRUPTIBILITY_INFO flags. */
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1079,6 +1079,13 @@ static inline bool is_machine_check(u32
+               (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK);
+ }
++/* Undocumented: icebp/int1 */
++static inline bool is_icebp(u32 intr_info)
++{
++      return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
++              == (INTR_TYPE_PRIV_SW_EXCEPTION | INTR_INFO_VALID_MASK);
++}
++
+ static inline bool cpu_has_vmx_msr_bitmap(void)
+ {
+       return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS;
+@@ -6173,7 +6180,7 @@ static int handle_exception(struct kvm_v
+                     (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) {
+                       vcpu->arch.dr6 &= ~15;
+                       vcpu->arch.dr6 |= dr6 | DR6_RTM;
+-                      if (!(dr6 & ~DR6_RESERVED)) /* icebp */
++                      if (is_icebp(intr_info))
+                               skip_emulated_instruction(vcpu);
+                       kvm_queue_exception(vcpu, DB_VECTOR);
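Review bot: The `is_icebp(intr_info)` call site in `handle_exception()` has lost its only hint about why this one case calls `skip_emulated_instruction(vcpu)` before `kvm_queue_exception(vcpu, DB_VECTOR)`, because the old `/* icebp */` marker went away with the heuristic. A comment such as `/* int1 exits as a privileged software exception; step past it before re-injecting #DB */` would record that, assuming the exit leaves RIP at the instruction as the existing skip implies. In vmx.h the comment on `INTR_TYPE_PRIV_SW_EXCEPTION` could use the name the commit message attributes to the SDM, e.g. `/* privileged software exception (icebp/int1) */`, so the define can be matched against the manual. `handle_exception()` starts and ends outside the hunk.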
diff --git a/queue-4.15/posix-timers-protect-posix-clock-array-access-against-speculation.patch b/queue-4.15/posix-timers-protect-posix-clock-array-access-against-speculation.patch
new file mode 100644 (file)
index 0000000..b5dd564
--- /dev/null
@@ -0,0 +1,61 @@
+From 19b558db12f9f4e45a22012bae7b4783e62224da Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Thu, 15 Feb 2018 17:21:55 +0100
+Subject: posix-timers: Protect posix clock array access against speculation
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 19b558db12f9f4e45a22012bae7b4783e62224da upstream.
+
+The clockid argument of clockid_to_kclock() comes straight from user space
+via various syscalls and is used as index into the posix_clocks array.
+
+Protect it against spectre v1 array out of bounds speculation. Remove the
+redundant check for !posix_clock[id] as this is another source for
+speculation and does not provide any advantage over the return
+posix_clock[id] path which returns NULL in that case anyway.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Dan Williams <dan.j.williams@intel.com>
+Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1802151718320.1296@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/posix-timers.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -50,6 +50,7 @@
+ #include <linux/export.h>
+ #include <linux/hashtable.h>
+ #include <linux/compat.h>
++#include <linux/nospec.h>
+ #include "timekeeping.h"
+ #include "posix-timers.h"
+@@ -1346,11 +1347,15 @@ static const struct k_clock * const posi
+ static const struct k_clock *clockid_to_kclock(const clockid_t id)
+ {
+-      if (id < 0)
++      clockid_t idx = id;
++
++      if (id < 0) {
+               return (id & CLOCKFD_MASK) == CLOCKFD ?
+                       &clock_posix_dynamic : &clock_posix_cpu;
++      }
+-      if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
++      if (id >= ARRAY_SIZE(posix_clocks))
+               return NULL;
+-      return posix_clocks[id];
++
++      return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
+ }
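Review bot: `clockid_t idx = id;` in `clockid_to_kclock()` reads like a redundant copy, since the range check uses `id` and only the final lookup uses `idx`, and a later cleanup could fold it back and lose the hardening. A one-line comment such as `/* id is const; array_index_nospec() needs a modifiable index */` would explain it; that is presumably the reason, but nospec.h is not visible on this page, so confirm before adding. With `!posix_clocks[id]` removed, the function still returns NULL for in-range but unpopulated slots, as the commit message says, so a short function comment stating that callers must handle a NULL return would keep that contract explicit. The callers are outside this hunk.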
diff --git a/queue-4.15/selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch b/queue-4.15/selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch
new file mode 100644 (file)
index 0000000..75528ac
--- /dev/null
@@ -0,0 +1,56 @@
+From 4b0b37d4cc54b21a6ecad7271cbc850555869c62 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sat, 17 Mar 2018 08:25:07 -0700
+Subject: selftests/x86/ptrace_syscall: Fix for yet more glibc interference
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 4b0b37d4cc54b21a6ecad7271cbc850555869c62 upstream.
+
+glibc keeps getting cleverer, and my version now turns raise() into
+more than one syscall.  Since the test relies on ptrace seeing an
+exact set of syscalls, this breaks the test.  Replace raise(SIGSTOP)
+with syscall(SYS_tgkill, ...) to force glibc to get out of our way.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kselftest@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/bc80338b453afa187bc5f895bd8e2c8d6e264da2.1521300271.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/x86/ptrace_syscall.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/x86/ptrace_syscall.c
++++ b/tools/testing/selftests/x86/ptrace_syscall.c
+@@ -183,8 +183,10 @@ static void test_ptrace_syscall_restart(
+               if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0)
+                       err(1, "PTRACE_TRACEME");
++              pid_t pid = getpid(), tid = syscall(SYS_gettid);
++
+               printf("\tChild will make one syscall\n");
+-              raise(SIGSTOP);
++              syscall(SYS_tgkill, pid, tid, SIGSTOP);
+               syscall(SYS_gettid, 10, 11, 12, 13, 14, 15);
+               _exit(0);
+@@ -301,9 +303,11 @@ static void test_restart_under_ptrace(vo
+               if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0)
+                       err(1, "PTRACE_TRACEME");
++              pid_t pid = getpid(), tid = syscall(SYS_gettid);
++
+               printf("\tChild will take a nap until signaled\n");
+               setsigign(SIGUSR1, SA_RESTART);
+-              raise(SIGSTOP);
++              syscall(SYS_tgkill, pid, tid, SIGSTOP);
+               syscall(SYS_pause, 0, 0, 0, 0, 0, 0);
+               _exit(0);
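Review bot: The result of `syscall(SYS_tgkill, pid, tid, SIGSTOP)` is ignored in both children, in `test_ptrace_syscall_restart` and again in `test_restart_under_ptrace`. If the call fails, the child carries on into the following `syscall(...)` without ever stopping, and the parent would presumably report an unrelated mismatch. `if (syscall(SYS_tgkill, pid, tid, SIGSTOP) != 0) err(1, "tgkill");` leaves the success path at exactly one syscall and matches the `err(1, "PTRACE_TRACEME")` check just above it. Both functions begin and end outside the hunks shown.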
index 99ed91362ed3da48d5fc73d7e724dfd9348a7c66..06c268d1ebb5be496c5555bff225b162f40808f4 100644 (file)
@@ -79,3 +79,10 @@ can-ifi-check-core-revision-upon-probe.patch
 can-cc770-fix-stalls-on-rt-linux-remove-redundant-irq-ack.patch
 can-cc770-fix-queue-stall-dropped-rtr-reply.patch
 can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch
+tty-vt-fix-up-tabstops-properly.patch
+x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch
+selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch
+x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch
+x86-efi-free-efi_pgd-with-free_pages.patch
+posix-timers-protect-posix-clock-array-access-against-speculation.patch
+kvm-x86-fix-icebp-instruction-handling.patch
diff --git a/queue-4.15/tty-vt-fix-up-tabstops-properly.patch b/queue-4.15/tty-vt-fix-up-tabstops-properly.patch
new file mode 100644 (file)
index 0000000..11f5f4f
--- /dev/null
@@ -0,0 +1,60 @@
+From f1869a890cdedb92a3fab969db5d0fd982850273 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 24 Mar 2018 10:43:26 +0100
+Subject: tty: vt: fix up tabstops properly
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f1869a890cdedb92a3fab969db5d0fd982850273 upstream.
+
+Tabs on a console with long lines do not wrap properly, so correctly
+account for the line length when computing the tab placement location.
+
+Reported-by: James Holderness <j4_james@hotmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -1727,7 +1727,7 @@ static void reset_terminal(struct vc_dat
+       default_attr(vc);
+       update_attr(vc);
+-      vc->vc_tab_stop[0]      = 0x01010100;
++      vc->vc_tab_stop[0]      =
+       vc->vc_tab_stop[1]      =
+       vc->vc_tab_stop[2]      =
+       vc->vc_tab_stop[3]      =
+@@ -1771,7 +1771,7 @@ static void do_con_trol(struct tty_struc
+               vc->vc_pos -= (vc->vc_x << 1);
+               while (vc->vc_x < vc->vc_cols - 1) {
+                       vc->vc_x++;
+-                      if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31)))
++                      if (vc->vc_tab_stop[7 & (vc->vc_x >> 5)] & (1 << (vc->vc_x & 31)))
+                               break;
+               }
+               vc->vc_pos += (vc->vc_x << 1);
+@@ -1831,7 +1831,7 @@ static void do_con_trol(struct tty_struc
+                       lf(vc);
+                       return;
+               case 'H':
+-                      vc->vc_tab_stop[vc->vc_x >> 5] |= (1 << (vc->vc_x & 31));
++                      vc->vc_tab_stop[7 & (vc->vc_x >> 5)] |= (1 << (vc->vc_x & 31));
+                       return;
+               case 'Z':
+                       respond_ID(tty);
+@@ -2024,7 +2024,7 @@ static void do_con_trol(struct tty_struc
+                       return;
+               case 'g':
+                       if (!vc->vc_par[0])
+-                              vc->vc_tab_stop[vc->vc_x >> 5] &= ~(1 << (vc->vc_x & 31));
++                              vc->vc_tab_stop[7 & (vc->vc_x >> 5)] &= ~(1 << (vc->vc_x & 31));
+                       else if (vc->vc_par[0] == 3) {
+                               vc->vc_tab_stop[0] =
+                                       vc->vc_tab_stop[1] =
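Review bot: The literal `7` in `vc->vc_tab_stop[7 & (vc->vc_x >> 5)]` is repeated at three sites in `do_con_trol()` and silently encodes the length of `vc_tab_stop`, which is declared outside these hunks (presumably eight 32-bit words). If the array is ever resized, the mask no longer bounds the index. Tying it to the declaration, e.g. `vc->vc_tab_stop[(vc->vc_x >> 5) % ARRAY_SIZE(vc->vc_tab_stop)]` or one small helper used by all three sites, keeps the bound and the bitmap in step. Because `vc_x` ranges up to `vc_cols - 1`, this mask is what stops a wide console from reading or writing past the bitmap, so a comment saying that columns beyond the bitmap wrap onto its start would be worth adding. Separately, `1 << (vc->vc_x & 31)` shifts a signed int into bit 31, which `1U <<` would avoid.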
diff --git a/queue-4.15/x86-efi-free-efi_pgd-with-free_pages.patch b/queue-4.15/x86-efi-free-efi_pgd-with-free_pages.patch
new file mode 100644 (file)
index 0000000..c3bf5e1
--- /dev/null
@@ -0,0 +1,37 @@
+From 06ace26f4e6fcf747e890a39193be811777a048a Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Thu, 22 Mar 2018 15:18:53 -0400
+Subject: x86/efi: Free efi_pgd with free_pages()
+
+From: Waiman Long <longman@redhat.com>
+
+commit 06ace26f4e6fcf747e890a39193be811777a048a upstream.
+
+The efi_pgd is allocated as PGD_ALLOCATION_ORDER pages and therefore must
+also be freed as PGD_ALLOCATION_ORDER pages with free_pages().
+
+Fixes: d9e9a6418065 ("x86/mm/pti: Allocate a separate user PGD")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1521746333-19593-1-git-send-email-longman@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/efi/efi_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -228,7 +228,7 @@ int __init efi_alloc_page_tables(void)
+       if (!pud) {
+               if (CONFIG_PGTABLE_LEVELS > 4)
+                       free_page((unsigned long) pgd_page_vaddr(*pgd));
+-              free_page((unsigned long)efi_pgd);
++              free_pages((unsigned long)efi_pgd, PGD_ALLOCATION_ORDER);
+               return -ENOMEM;
+       }
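Review bot: Only the `!pud` failure branch is switched to `free_pages((unsigned long)efi_pgd, PGD_ALLOCATION_ORDER)`. Any earlier error return in `efi_alloc_page_tables()` that releases `efi_pgd` lies outside this hunk and should be checked for the same `free_page()` order mismatch. If one exists, routing both through a single cleanup label that makes the `free_pages()` call would keep the allocation order in one place. The function starts before the hunk and continues after it.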
diff --git a/queue-4.15/x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch b/queue-4.15/x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch
new file mode 100644 (file)
index 0000000..5ea5cbc
--- /dev/null
@@ -0,0 +1,99 @@
+From d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Thu, 23 Jul 2015 15:37:48 -0700
+Subject: x86/entry/64: Don't use IST entry for #BP stack
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 upstream.
+
+There's nothing IST-worthy about #BP/int3.  We don't allow kprobes
+in the small handful of places in the kernel that run at CPL0 with
+an invalid stack, and 32-bit kernels have used normal interrupt
+gates for #BP forever.
+
+Furthermore, we don't allow kprobes in places that have usergs while
+in kernel mode, so "paranoid" is also unnecessary.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64.S |    2 +-
+ arch/x86/kernel/idt.c     |    2 --
+ arch/x86/kernel/traps.c   |   15 ++++++++-------
+ 3 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1097,7 +1097,7 @@ apicinterrupt3 HYPERVISOR_CALLBACK_VECTO
+ #endif /* CONFIG_HYPERV */
+ idtentry debug                        do_debug                has_error_code=0        paranoid=1 shift_ist=DEBUG_STACK
+-idtentry int3                 do_int3                 has_error_code=0        paranoid=1 shift_ist=DEBUG_STACK
++idtentry int3                 do_int3                 has_error_code=0
+ idtentry stack_segment                do_stack_segment        has_error_code=1
+ #ifdef CONFIG_XEN
+--- a/arch/x86/kernel/idt.c
++++ b/arch/x86/kernel/idt.c
+@@ -160,7 +160,6 @@ static const __initconst struct idt_data
+  */
+ static const __initconst struct idt_data dbg_idts[] = {
+       INTG(X86_TRAP_DB,       debug),
+-      INTG(X86_TRAP_BP,       int3),
+ };
+ #endif
+@@ -183,7 +182,6 @@ gate_desc debug_idt_table[IDT_ENTRIES] _
+ static const __initconst struct idt_data ist_idts[] = {
+       ISTG(X86_TRAP_DB,       debug,          DEBUG_STACK),
+       ISTG(X86_TRAP_NMI,      nmi,            NMI_STACK),
+-      SISTG(X86_TRAP_BP,      int3,           DEBUG_STACK),
+       ISTG(X86_TRAP_DF,       double_fault,   DOUBLEFAULT_STACK),
+ #ifdef CONFIG_X86_MCE
+       ISTG(X86_TRAP_MC,       &machine_check, MCE_STACK),
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -577,7 +577,6 @@ do_general_protection(struct pt_regs *re
+ }
+ NOKPROBE_SYMBOL(do_general_protection);
+-/* May run on IST stack. */
+ dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code)
+ {
+ #ifdef CONFIG_DYNAMIC_FTRACE
+@@ -592,6 +591,13 @@ dotraplinkage void notrace do_int3(struc
+       if (poke_int3_handler(regs))
+               return;
++      /*
++       * Use ist_enter despite the fact that we don't use an IST stack.
++       * We can be called from a kprobe in non-CONTEXT_KERNEL kernel
++       * mode or even during context tracking state changes.
++       *
++       * This means that we can't schedule.  That's okay.
++       */
+       ist_enter(regs);
+       RCU_LOCKDEP_WARN(!rcu_is_watching(), "entry code didn't wake RCU");
+ #ifdef CONFIG_KGDB_LOW_LEVEL_TRAP
+@@ -609,15 +615,10 @@ dotraplinkage void notrace do_int3(struc
+                       SIGTRAP) == NOTIFY_STOP)
+               goto exit;
+-      /*
+-       * Let others (NMI) know that the debug stack is in use
+-       * as we may switch to the interrupt stack.
+-       */
+-      debug_stack_usage_inc();
+       cond_local_irq_enable(regs);
+       do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL);
+       cond_local_irq_disable(regs);
+-      debug_stack_usage_dec();
++
+ exit:
+       ist_exit(regs);
+ }
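Review bot: The three file changes are only safe as a set, so a partial backport would leave the handler on the debug stack with no accounting. `do_int3()` drops `debug_stack_usage_inc()`/`debug_stack_usage_dec()` because the entry_64.S line no longer passes `paranoid=1 shift_ist=DEBUG_STACK` and idt.c no longer installs an IST gate for `X86_TRAP_BP`. The removed `SISTG(X86_TRAP_BP, int3, DEBUG_STACK)` is the only user-callable #BP gate visible in these hunks, so confirm that the remaining gate for the vector, defined outside them, is still a system gate; otherwise user-space `int3` would presumably fault rather than reach `do_int3()`. A comment beside the `idtentry int3` line, e.g. `/* #BP runs on the normal stack; do_int3() does no debug-stack accounting */`, would record the dependency. The empty line left where `debug_stack_usage_dec();` was, just before `exit:`, is stray whitespace.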
diff --git a/queue-4.15/x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch b/queue-4.15/x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch
new file mode 100644 (file)
index 0000000..4e698a8
--- /dev/null
@@ -0,0 +1,36 @@
+From 31ad7f8e7dc94d3b85ccf9b6141ce6dfd35a1781 Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Mon, 19 Mar 2018 10:31:54 -0400
+Subject: x86/vsyscall/64: Use proper accessor to update P4D entry
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+commit 31ad7f8e7dc94d3b85ccf9b6141ce6dfd35a1781 upstream.
+
+Writing to it directly does not work for Xen PV guests.
+
+Fixes: 49275fef986a ("x86/vsyscall/64: Explicitly set _PAGE_USER in the pagetable hierarchy")
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Acked-by: Andy Lutomirski <luto@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180319143154.3742-1-boris.ostrovsky@oracle.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/vsyscall/vsyscall_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/entry/vsyscall/vsyscall_64.c
++++ b/arch/x86/entry/vsyscall/vsyscall_64.c
+@@ -355,7 +355,7 @@ void __init set_vsyscall_pgtable_user_bi
+       set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
+       p4d = p4d_offset(pgd, VSYSCALL_ADDR);
+ #if CONFIG_PGTABLE_LEVELS >= 5
+-      p4d->p4d |= _PAGE_USER;
++      set_p4d(p4d, __p4d(p4d_val(*p4d) | _PAGE_USER));
+ #endif
+       pud = pud_offset(p4d, VSYSCALL_ADDR);
+       set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));