--- /dev/null
+From 505b5240329b922f21f91d5b5d1e535c805eca6d Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 19 Dec 2018 18:00:15 -0600
+Subject: drm/ioctl: Fix Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
+
+nr is indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
+drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+
+Fix this by sanitizing nr before using it to index dev->driver->ioctls
+and drm_ioctls.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -37,6 +37,7 @@
+
+ #include <linux/pci.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+
+ /**
+ * DOC: getunique and setversion story
+@@ -778,13 +779,17 @@ long drm_ioctl(struct file *filp,
+
+ if (is_driver_ioctl) {
+ /* driver ioctl */
+- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
++ unsigned int index = nr - DRM_COMMAND_BASE;
++
++ if (index >= dev->driver->num_ioctls)
+ goto err_i1;
+- ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
++ index = array_index_nospec(index, dev->driver->num_ioctls);
++ ioctl = &dev->driver->ioctls[index];
+ } else {
+ /* core ioctl */
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ goto err_i1;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+ ioctl = &drm_ioctls[nr];
+ }
+
+@@ -866,6 +871,7 @@ bool drm_ioctl_flags(unsigned int nr, un
+
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ return false;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+
+ *flags = drm_ioctls[nr].flags;
+ return true;
--- /dev/null
+From 68600f623d69da428c6163275f97ca126e1a8ec5 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 26 Oct 2018 15:03:27 -0700
+Subject: mm: don't miss the last page because of round-off error
+
+From: Roman Gushchin <guro@fb.com>
+
+commit 68600f623d69da428c6163275f97ca126e1a8ec5 upstream.
+
+I've noticed, that dying memory cgroups are often pinned in memory by a
+single pagecache page. Even under moderate memory pressure they sometimes
+stayed in such state for a long time. That looked strange.
+
+My investigation showed that the problem is caused by applying the LRU
+pressure balancing math:
+
+ scan = div64_u64(scan * fraction[lru], denominator),
+
+where
+
+ denominator = fraction[anon] + fraction[file] + 1.
+
+Because fraction[lru] is always less than denominator, if the initial scan
+size is 1, the result is always 0.
+
+This means the last page is not scanned and has
+no chances to be reclaimed.
+
+Fix this by rounding up the result of the division.
+
+In practice this change significantly improves the speed of dying cgroups
+reclaim.
+
+[guro@fb.com: prevent double calculation of DIV64_U64_ROUND_UP() arguments]
+ Link: http://lkml.kernel.org/r/20180829213311.GA13501@castle
+Link: http://lkml.kernel.org/r/20180827162621.30187-3-guro@fb.com
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Konstantin Khlebnikov <koct9i@gmail.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/math64.h | 3 +++
+ mm/vmscan.c | 6 ++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/math64.h
++++ b/include/linux/math64.h
+@@ -254,4 +254,7 @@ static inline u64 mul_u64_u32_div(u64 a,
+ }
+ #endif /* mul_u64_u32_div */
+
++#define DIV64_U64_ROUND_UP(ll, d) \
++ ({ u64 _tmp = (d); div64_u64((ll) + _tmp - 1, _tmp); })
++
+ #endif /* _LINUX_MATH64_H */
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2367,9 +2367,11 @@ out:
+ /*
+ * Scan types proportional to swappiness and
+ * their relative recent reclaim efficiency.
++ * Make sure we don't miss the last page
++ * because of a round-off error.
+ */
+- scan = div64_u64(scan * fraction[file],
+- denominator);
++ scan = DIV64_U64_ROUND_UP(scan * fraction[file],
++ denominator);
+ break;
+ case SCAN_FILE:
+ case SCAN_ANON:
--- /dev/null
+From ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 Mon Sep 17 00:00:00 2001
+From: Ivan Delalande <colona@arista.com>
+Date: Thu, 13 Dec 2018 15:20:52 -0800
+Subject: proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
+
+From: Ivan Delalande <colona@arista.com>
+
+commit ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 upstream.
+
+proc_sys_lookup can fail with ENOMEM instead of ENOENT when the
+corresponding sysctl table is being unregistered. In our case we see
+this upon opening /proc/sys/net/*/conf files while network interfaces
+are being deleted, which confuses our configuration daemon.
+
+The problem was successfully reproduced and this fix tested on v4.9.122
+and v4.20-rc6.
+
+v2: return ERR_PTRs in all cases when proc_sys_make_inode fails instead
+of mixing them with NULL. Thanks Al Viro for the feedback.
+
+Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Delalande <colona@arista.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/proc_sysctl.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -464,7 +464,7 @@ static struct inode *proc_sys_make_inode
+
+ inode = new_inode(sb);
+ if (!inode)
+- goto out;
++ return ERR_PTR(-ENOMEM);
+
+ inode->i_ino = get_next_ino();
+
+@@ -474,8 +474,7 @@ static struct inode *proc_sys_make_inode
+ if (unlikely(head->unregistering)) {
+ spin_unlock(&sysctl_lock);
+ iput(inode);
+- inode = NULL;
+- goto out;
++ return ERR_PTR(-ENOENT);
+ }
+ ei->sysctl = head;
+ ei->sysctl_entry = table;
+@@ -500,7 +499,6 @@ static struct inode *proc_sys_make_inode
+ if (root->set_ownership)
+ root->set_ownership(head, table, &inode->i_uid, &inode->i_gid);
+
+-out:
+ return inode;
+ }
+
+@@ -549,10 +547,11 @@ static struct dentry *proc_sys_lookup(st
+ goto out;
+ }
+
+- err = ERR_PTR(-ENOMEM);
+ inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
+- if (!inode)
++ if (IS_ERR(inode)) {
++ err = ERR_CAST(inode);
+ goto out;
++ }
+
+ err = NULL;
+ d_set_d_op(dentry, &proc_sys_dentry_operations);
+@@ -685,7 +684,7 @@ static bool proc_sys_fill_cache(struct f
+ return false;
+ if (d_in_lookup(child)) {
+ inode = proc_sys_make_inode(dir->d_sb, head, table);
+- if (!inode) {
++ if (IS_ERR(inode)) {
+ d_lookup_done(child);
+ dput(child);
+ return false;
spi-imx-add-a-device-specific-prepare_message-callba.patch
spi-imx-mx51-ecspi-move-some-initialisation-to-prepa.patch
ubifs-handle-re-linking-of-inodes-correctly-while-re.patch
+mm-don-t-miss-the-last-page-because-of-round-off-error.patch
+proc-sysctl-don-t-return-enomem-on-lookup-when-a-table-is-unregistering.patch
+drm-ioctl-fix-spectre-v1-vulnerabilities.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
