--- /dev/null
+From 2a355ec25729053bb9a1a89b6c1d1cdd6c3b3fb1 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 13 Dec 2018 13:47:38 +0000
+Subject: arm64: kpti: Whitelist Cortex-A CPUs that don't implement the CSV3 field
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 2a355ec25729053bb9a1a89b6c1d1cdd6c3b3fb1 upstream.
+
+While the CSV3 field of the ID_AA64_PFR0 CPU ID register can be checked
+to see if a CPU is susceptible to Meltdown and therefore requires kpti
+to be enabled, existing CPUs do not implement this field.
+
+We therefore whitelist all unaffected Cortex-A CPUs that do not implement
+the CSV3 field.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+[florian: adjust whilelist location and table to stable-4.9.y]
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/cpufeature.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -789,6 +789,11 @@ static bool unmap_kernel_at_el0(const st
+ switch (read_cpuid_id() & MIDR_CPU_MODEL_MASK) {
+ case MIDR_CAVIUM_THUNDERX2:
+ case MIDR_BRCM_VULCAN:
++ case MIDR_CORTEX_A53:
++ case MIDR_CORTEX_A55:
++ case MIDR_CORTEX_A57:
++ case MIDR_CORTEX_A72:
++ case MIDR_CORTEX_A73:
+ return false;
+ }
+
--- /dev/null
+From da22f0eea555baf9b0a84b52afe56db2052cfe8d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 6 Sep 2017 14:26:00 +0800
+Subject: bcache: silence static checker warning
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit da22f0eea555baf9b0a84b52afe56db2052cfe8d upstream.
+
+In olden times, closure_return() used to have a hidden return built in.
+We removed the hidden return but forgot to add a new return here. If
+"c" were NULL we would oops on the next line, but fortunately "c" is
+never NULL. Let's just remove the if statement.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/super.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1398,9 +1398,6 @@ static void cache_set_flush(struct closu
+ struct btree *b;
+ unsigned i;
+
+- if (!c)
+- closure_return(cl);
+-
+ bch_cache_accounting_destroy(&c->accounting);
+
+ kobject_put(&c->internal);
--- /dev/null
+From 730766bae3280a25d40ea76a53dc6342e84e6513 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Jun 2019 16:12:36 -0600
+Subject: coresight: etb10: Do not call smp_processor_id from preemptible
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 730766bae3280a25d40ea76a53dc6342e84e6513 upstream.
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it is not bound to a CPU, we
+use the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 2997aa4063d97fdb39 ("coresight: etb10: implementing AUX API")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org> # 4.6+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/hwtracing/coresight/coresight-etb10.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etb10.c
++++ b/drivers/hwtracing/coresight/coresight-etb10.c
+@@ -279,9 +279,7 @@ static void *etb_alloc_buffer(struct cor
+ int node;
+ struct cs_buffers *buf;
+
+- if (cpu == -1)
+- cpu = smp_processor_id();
+- node = cpu_to_node(cpu);
++ node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu);
+
+ buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);
+ if (!buf)
--- /dev/null
+From 024c1fd9dbcc1d8a847f1311f999d35783921b7f Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Jun 2019 16:12:35 -0600
+Subject: coresight: tmc-etf: Do not call smp_processor_id from preemptible
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 024c1fd9dbcc1d8a847f1311f999d35783921b7f upstream.
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it is not bound to a CPU, we
+use the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
+ caller is tmc_alloc_etf_buffer+0x5c/0x60
+ CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344
+ Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019
+ Call trace:
+ dump_backtrace+0x0/0x150
+ show_stack+0x14/0x20
+ dump_stack+0x9c/0xc4
+ debug_smp_processor_id+0x10c/0x110
+ tmc_alloc_etf_buffer+0x5c/0x60
+ etm_setup_aux+0x1c4/0x230
+ rb_alloc_aux+0x1b8/0x2b8
+ perf_mmap+0x35c/0x478
+ mmap_region+0x34c/0x4f0
+ do_mmap+0x2d8/0x418
+ vm_mmap_pgoff+0xd0/0xf8
+ ksys_mmap_pgoff+0x88/0xf8
+ __arm64_sys_mmap+0x28/0x38
+ el0_svc_handler+0xd8/0x138
+ el0_svc+0x8/0xc
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 2e499bbc1a929ac ("coresight: tmc: implementing TMC-ETF AUX space API")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org> # 4.7+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/coresight/coresight-tmc-etf.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c
+@@ -292,9 +292,7 @@ static void *tmc_alloc_etf_buffer(struct
+ int node;
+ struct cs_buffers *buf;
+
+- if (cpu == -1)
+- cpu = smp_processor_id();
+- node = cpu_to_node(cpu);
++ node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu);
+
+ /* Allocate memory structure for interaction with Perf */
+ buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);
--- /dev/null
+From de19055564c8f8f9d366f8db3395836da0b2176c Mon Sep 17 00:00:00 2001
+From: Jeremy Linton <jeremy.linton@arm.com>
+Date: Fri, 25 Jan 2019 12:07:00 -0600
+Subject: Documentation: Document arm64 kpti control
+
+From: Jeremy Linton <jeremy.linton@arm.com>
+
+commit de19055564c8f8f9d366f8db3395836da0b2176c upstream.
+
+For a while Arm64 has been capable of force enabling
+or disabling the kpti mitigations. Lets make sure the
+documentation reflects that.
+
+Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+[florian: patch the correct file]
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/kernel-parameters.txt | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1965,6 +1965,12 @@ bytes respectively. Such letter suffixes
+ kmemcheck=2 (one-shot mode)
+ Default: 2 (one-shot mode)
+
++ kpti= [ARM64] Control page table isolation of user
++ and kernel address spaces.
++ Default: enabled on cores which need mitigation.
++ 0: force disabled
++ 1: force enabled
++
+ kstack=N [X86] Print N words from the kernel stack
+ in oops dumps.
+
--- /dev/null
+From e5e884b42639c74b5b57dc277909915c0aefc8bb Mon Sep 17 00:00:00 2001
+From: Wen Huang <huangwenabc@gmail.com>
+Date: Thu, 28 Nov 2019 18:51:04 +0800
+Subject: libertas: Fix two buffer overflows at parsing bss descriptor
+
+From: Wen Huang <huangwenabc@gmail.com>
+
+commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.
+
+add_ie_rates() copys rates without checking the length
+in bss descriptor from remote AP.when victim connects to
+remote attacker, this may trigger buffer overflow.
+lbs_ibss_join_existing() copys rates without checking the length
+in bss descriptor from remote IBSS node.when victim connects to
+remote attacker, this may trigger buffer overflow.
+Fix them by putting the length check before performing copy.
+
+This fix addresses CVE-2019-14896 and CVE-2019-14897.
+This also fix build warning of mixed declarations and code.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Wen Huang <huangwenabc@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
+ int hw, ap, ap_max = ie[1];
+ u8 hw_rate;
+
++ if (ap_max > MAX_RATES) {
++ lbs_deb_assoc("invalid rates\n");
++ return tlv;
++ }
+ /* Advance past IE header */
+ ie += 2;
+
+@@ -1662,6 +1666,9 @@ static int lbs_change_intf(struct wiphy
+ {
+ struct lbs_private *priv = wiphy_priv(wiphy);
+ int ret = 0;
++ int hw, i;
++ u8 rates_max;
++ u8 *rates;
+
+ if (dev == priv->mesh_dev)
+ return -EOPNOTSUPP;
+@@ -1849,9 +1856,12 @@ static int lbs_ibss_join_existing(struct
+ if (!rates_eid) {
+ lbs_add_rates(cmd.bss.rates);
+ } else {
+- int hw, i;
+- u8 rates_max = rates_eid[1];
+- u8 *rates = cmd.bss.rates;
++ rates_max = rates_eid[1];
++ if (rates_max > MAX_RATES) {
++ lbs_deb_join("invalid rates");
++ goto out;
++ }
++ rates = cmd.bss.rates;
+ for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
+ u8 hw_rate = lbs_rates[hw].bitrate / 5;
+ for (i = 0; i < rates_max; i++) {
--- /dev/null
+From bba340c79bfe3644829db5c852fdfa9e33837d6d Mon Sep 17 00:00:00 2001
+From: Bo Wu <wubo40@huawei.com>
+Date: Wed, 20 Nov 2019 13:26:17 +0000
+Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
+
+From: Bo Wu <wubo40@huawei.com>
+
+commit bba340c79bfe3644829db5c852fdfa9e33837d6d upstream.
+
+In iscsi_if_rx func, after receiving one request through
+iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to
+reply to the request in a do-while loop. If the iscsi_if_send_reply
+function keeps returning -EAGAIN, a deadlock will occur.
+
+For example, a client only send msg without calling recvmsg func, then
+it will result in the watchdog soft lockup. The details are given as
+follows:
+
+ sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
+ retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr);
+ while (1) {
+ state_msg = sendmsg(sock_fd, &msg, 0);
+ //Note: recvmsg(sock_fd, &msg, 0) is not processed here.
+ }
+ close(sock_fd);
+
+watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat:
+curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0
+deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq:
+ TIMER: 992
+ SCHED: 8
+Sample irqstat:
+ irq 2: delta 1003, curr: 3103802, arch_timer
+CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE
+Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+pstate: 40400005 (nZcv daif +PAN -UAO)
+pc : __alloc_skb+0x104/0x1b0
+lr : __alloc_skb+0x9c/0x1b0
+sp : ffff000033603a30
+x29: ffff000033603a30 x28: 00000000000002dd
+x27: ffff800b34ced810 x26: ffff800ba7569f00
+x25: 00000000ffffffff x24: 0000000000000000
+x23: ffff800f7c43f600 x22: 0000000000480020
+x21: ffff0000091d9000 x20: ffff800b34eff200
+x19: ffff800ba7569f00 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000
+x15: 0000000000000000 x14: 0001000101000100
+x13: 0000000101010000 x12: 0101000001010100
+x11: 0001010101010001 x10: 00000000000002dd
+x9 : ffff000033603d58 x8 : ffff800b34eff400
+x7 : ffff800ba7569200 x6 : ffff800b34eff400
+x5 : 0000000000000000 x4 : 00000000ffffffff
+x3 : 0000000000000000 x2 : 0000000000000001
+x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace:
+__alloc_skb+0x104/0x1b0
+iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi]
+netlink_unicast+0x1e0/0x258
+netlink_sendmsg+0x310/0x378
+sock_sendmsg+0x4c/0x70
+sock_write_iter+0x90/0xf0
+__vfs_write+0x11c/0x190
+vfs_write+0xac/0x1c0
+ksys_write+0x6c/0xd8
+__arm64_sys_write+0x24/0x30
+el0_svc_common+0x78/0x130
+el0_svc_handler+0x38/0x78
+el0_svc+0x8/0xc
+
+Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com
+Signed-off-by: Bo Wu <wubo40@huawei.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_transport_iscsi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -37,6 +37,8 @@
+
+ #define ISCSI_TRANSPORT_VERSION "2.0-870"
+
++#define ISCSI_SEND_MAX_ALLOWED 10
++
+ static int dbg_session;
+ module_param_named(debug_session, dbg_session, int,
+ S_IRUGO | S_IWUSR);
+@@ -3694,6 +3696,7 @@ iscsi_if_rx(struct sk_buff *skb)
+ struct nlmsghdr *nlh;
+ struct iscsi_uevent *ev;
+ uint32_t group;
++ int retries = ISCSI_SEND_MAX_ALLOWED;
+
+ nlh = nlmsg_hdr(skb);
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+@@ -3724,6 +3727,10 @@ iscsi_if_rx(struct sk_buff *skb)
+ break;
+ err = iscsi_if_send_reply(group, nlh->nlmsg_seq,
+ nlh->nlmsg_type, 0, 0, ev, sizeof(*ev));
++ if (err == -EAGAIN && --retries < 0) {
++ printk(KERN_WARNING "Send reply failed, error %d\n", err);
++ break;
++ }
+ } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
+ skb_pull(skb, rlen);
+ }
net-ip6_tunnel-fix-namespaces-move.patch
net-ip_tunnel-fix-namespaces-move.patch
net_sched-fix-datalen-for-ematch.patch
-net-sysfs-fix-reference-count-leak.patch
tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch
net-usb-lan78xx-add-.ndo_features_check.patch
gtp-make-sure-only-sock_dgram-udp-sockets-are-accepted.patch
scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
tracing-xen-ordered-comparison-of-function-pointers.patch
do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
+documentation-document-arm64-kpti-control.patch
+arm64-kpti-whitelist-cortex-a-cpus-that-don-t-implement-the-csv3-field.patch
+coresight-etb10-do-not-call-smp_processor_id-from-preemptible.patch
+coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch
+libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+bcache-silence-static-checker-warning.patch
+scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
