From: Greg Kroah-Hartman Date: Mon, 17 Sep 2018 12:06:20 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.18.9~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0cc18c036fbb311d3d4c000fcfc629b061a809d4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: autofs-fix-autofs_sbi-does-not-check-super-block-type.patch crypto-vmx-fix-sleep-in-atomic-bugs.patch drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch vmw_balloon-include-asm-io.h.patch x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch xhci-fix-use-after-free-in-xhci_free_virt_device.patch --- diff --git a/queue-4.4/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch b/queue-4.4/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch new file mode 100644 index 00000000000..41345c4fa81 --- /dev/null +++ b/queue-4.4/autofs-fix-autofs_sbi-does-not-check-super-block-type.patch 
@@ -0,0 +1,58 @@ +From 0633da48f0793aeba27f82d30605624416723a91 Mon Sep 17 00:00:00 2001 +From: Ian Kent +Date: Tue, 21 Aug 2018 21:51:45 -0700 +Subject: autofs: fix autofs_sbi() does not check super block type + +From: Ian Kent + +commit 0633da48f0793aeba27f82d30605624416723a91 upstream. + +autofs_sbi() does not check the superblock magic number to verify it has +been given an autofs super block. + +Backport Note: autofs4 has been renamed to autofs upstream. As a result +the upstream patch does not apply cleanly onto 4.14.y. + +Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto.themaw.net +Reported-by: +Signed-off-by: Ian Kent +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Zubin Mithra +Signed-off-by: Greg Kroah-Hartman +--- + fs/autofs4/autofs_i.h | 4 +++- + fs/autofs4/inode.c | 1 - + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/autofs4/autofs_i.h ++++ b/fs/autofs4/autofs_i.h +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + /* This is the range of ioctl() numbers we claim as ours */ + #define AUTOFS_IOC_FIRST AUTOFS_IOC_READY +@@ -135,7 +136,8 @@ struct autofs_sb_info { + + static inline struct autofs_sb_info *autofs4_sbi(struct super_block *sb) + { +- return (struct autofs_sb_info *)(sb->s_fs_info); ++ return sb->s_magic != AUTOFS_SUPER_MAGIC ? ++ NULL : (struct autofs_sb_info *)(sb->s_fs_info); + } + + static inline struct autofs_info *autofs4_dentry_ino(struct dentry *dentry) +--- a/fs/autofs4/inode.c ++++ b/fs/autofs4/inode.c +@@ -18,7 +18,6 @@ + #include + #include + #include +-#include + #include "autofs_i.h" + #include + diff --git a/queue-4.4/crypto-vmx-fix-sleep-in-atomic-bugs.patch b/queue-4.4/crypto-vmx-fix-sleep-in-atomic-bugs.patch new file mode 100644 index 00000000000..b07fcd22244 --- /dev/null +++ b/queue-4.4/crypto-vmx-fix-sleep-in-atomic-bugs.patch 
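Review bot: autofs4_sbi() now returns NULL whenever `sb->s_magic` is not AUTOFS_SUPER_MAGIC, so any caller that dereferences its result without a NULL check turns a type-confusion read into a NULL-pointer dereference; the hunk changes only the helper in fs/autofs4/autofs_i.h and none of its callers. Whether the 4.4 ioctl paths already guard against a NULL sbi is not visible here and should be confirmed before this is queued, since the stricter return contract is the whole point of the change. A short comment above the helper would make the new contract explicit, e.g. `/* Returns NULL if sb is not an autofs super block; callers must check. */`. The "Backport Note" in the description refers to 4.14.y while this file is going into queue-4.4, so a one-line 4.4-specific note (the autofs4 naming applies here too) would avoid confusing the next reader.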
@@ -0,0 +1,111 @@ +From 0522236d4f9c5ab2e79889cb020d1acbe5da416e Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 22 Aug 2018 08:26:31 +0200 +Subject: crypto: vmx - Fix sleep-in-atomic bugs + +From: Ondrej Mosnacek + +commit 0522236d4f9c5ab2e79889cb020d1acbe5da416e upstream. + +This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX +implementations. The problem is that the blkcipher_* functions should +not be called in atomic context. + +The bugs can be reproduced via the AF_ALG interface by trying to +encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the +VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then +trigger BUG in crypto_yield(): + +[ 891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424 +[ 891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc +[ 891.864739] 1 lock held by kcapi-enc/12347: +[ 891.864811] #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530 +[ 891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1 +[ 891.865251] Call Trace: +[ 891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable) +[ 891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310 +[ 891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0 +[ 891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto] +[ 891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80 +[ 891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530 +[ 891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0 +[ 891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0 +[ 891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0 +[ 891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70 + +Fixes: 8c755ace357c 
("crypto: vmx - Adding CBC routines for VMX module") +Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") +Cc: stable@vger.kernel.org +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/vmx/aes_cbc.c | 30 ++++++++++++++---------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +--- a/drivers/crypto/vmx/aes_cbc.c ++++ b/drivers/crypto/vmx/aes_cbc.c +@@ -111,24 +111,23 @@ static int p8_aes_cbc_encrypt(struct blk + ret = crypto_blkcipher_encrypt(&fallback_desc, dst, src, + nbytes); + } else { +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_altivec(); +- enable_kernel_vsx(); +- + blkcipher_walk_init(&walk, dst, src, nbytes); + ret = blkcipher_walk_virt(desc, &walk); + while ((nbytes = walk.nbytes)) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_vsx(); ++ enable_kernel_altivec(); + aes_p8_cbc_encrypt(walk.src.virt.addr, + walk.dst.virt.addr, + nbytes & AES_BLOCK_MASK, + &ctx->enc_key, walk.iv, 1); ++ pagefault_enable(); ++ preempt_enable(); ++ + nbytes &= AES_BLOCK_SIZE - 1; + ret = blkcipher_walk_done(desc, &walk, nbytes); + } +- +- pagefault_enable(); +- preempt_enable(); + } + + return ret; +@@ -152,24 +151,23 @@ static int p8_aes_cbc_decrypt(struct blk + ret = crypto_blkcipher_decrypt(&fallback_desc, dst, src, + nbytes); + } else { +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_altivec(); +- enable_kernel_vsx(); +- + blkcipher_walk_init(&walk, dst, src, nbytes); + ret = blkcipher_walk_virt(desc, &walk); + while ((nbytes = walk.nbytes)) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_vsx(); ++ enable_kernel_altivec(); + aes_p8_cbc_encrypt(walk.src.virt.addr, + walk.dst.virt.addr, + nbytes & AES_BLOCK_MASK, + &ctx->dec_key, walk.iv, 0); ++ pagefault_enable(); ++ preempt_enable(); ++ + nbytes &= AES_BLOCK_SIZE - 1; + ret = blkcipher_walk_done(desc, &walk, nbytes); + } +- +- pagefault_enable(); +- preempt_enable(); + } + 
+ return ret; diff --git a/queue-4.4/drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch b/queue-4.4/drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch new file mode 100644 index 00000000000..53eca6de93d --- /dev/null +++ b/queue-4.4/drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch 
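Review bot: The subject and both Fixes: tags cover the AES-CBC and AES-XTS VMX paths, yet the diffstat of this backport touches only drivers/crypto/vmx/aes_cbc.c, so the XTS part of the upstream fix is silently dropped; presumably the XTS counterpart does not exist in 4.4, but a one-line backport note stating that (`[4.4: no XTS implementation in this tree, only the CBC hunks apply]`) would save the next reviewer from hunting for a lost hunk. The reshaped loop now toggles preempt_disable()/pagefault_disable() per walk step and leaves them off across blkcipher_walk_done(), which is what allows crypto_yield() to sleep there; the call order of enable_kernel_vsx() and enable_kernel_altivec() is also swapped relative to the removed lines, which looks harmless but is not mentioned in the description. Both p8_aes_cbc_encrypt() and p8_aes_cbc_decrypt() begin outside the hunk, so the fallback branch is not visible here.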
@@ -0,0 +1,97 @@ +From 552165bcf7060b998b4a9b5b86110b6a5e04dfd9 Mon Sep 17 00:00:00 2001 +From: David Rivshin +Date: Wed, 27 Apr 2016 21:25:25 -0400 +Subject: drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config + +From: David Rivshin + +commit 552165bcf7060b998b4a9b5b86110b6a5e04dfd9 upstream. + +Commit 9e42f715264ff158478fa30eaed847f6e131366b ("drivers: net: cpsw: add +phy-handle parsing") saved the "phy-handle" phandle into a new cpsw_priv +field. However, phy connections are per-slave, so the phy_node field should +be in cpsw_slave_data rather than cpsw_priv. + +This would go unnoticed in a single emac configuration. But in dual_emac +mode, the last "phy-handle" property parsed for either slave would be used +by both of them, causing them both to refer to the same phy_device. + +Fixes: 9e42f715264f ("drivers: net: cpsw: add phy-handle parsing") +Signed-off-by: David Rivshin +Tested-by: Nicolas Chauvet +Tested-by: Andrew Goodbody +Reviewed-by: Mugunthan V N +Reviewed-by: Grygorii Strashko +Signed-off-by: David S. 
Miller +Signed-off-by: SZ Lin (林上智) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/ti/cpsw.c | 13 ++++++------- + drivers/net/ethernet/ti/cpsw.h | 1 + + 2 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -371,7 +371,6 @@ struct cpsw_priv { + spinlock_t lock; + struct platform_device *pdev; + struct net_device *ndev; +- struct device_node *phy_node; + struct napi_struct napi_rx; + struct napi_struct napi_tx; + struct device *dev; +@@ -1165,8 +1164,8 @@ static void cpsw_slave_open(struct cpsw_ + cpsw_ale_add_mcast(priv->ale, priv->ndev->broadcast, + 1 << slave_port, 0, 0, ALE_MCAST_FWD_2); + +- if (priv->phy_node) +- slave->phy = of_phy_connect(priv->ndev, priv->phy_node, ++ if (slave->data->phy_node) ++ slave->phy = of_phy_connect(priv->ndev, slave->data->phy_node, + &cpsw_adjust_link, 0, slave->data->phy_if); + else + slave->phy = phy_connect(priv->ndev, slave->data->phy_id, +@@ -1957,12 +1956,11 @@ static void cpsw_slave_init(struct cpsw_ + slave->port_vlan = data->dual_emac_res_vlan; + } + +-static int cpsw_probe_dt(struct cpsw_priv *priv, ++static int cpsw_probe_dt(struct cpsw_platform_data *data, + struct platform_device *pdev) + { + struct device_node *node = pdev->dev.of_node; + struct device_node *slave_node; +- struct cpsw_platform_data *data = &priv->data; + int i = 0, ret; + u32 prop; + +@@ -2050,7 +2048,8 @@ static int cpsw_probe_dt(struct cpsw_pri + if (strcmp(slave_node->name, "slave")) + continue; + +- priv->phy_node = of_parse_phandle(slave_node, "phy-handle", 0); ++ slave_data->phy_node = of_parse_phandle(slave_node, ++ "phy-handle", 0); + parp = of_get_property(slave_node, "phy_id", &lenp); + if (of_phy_is_fixed_link(slave_node)) { + struct device_node *phy_node; +@@ -2291,7 +2290,7 @@ static int cpsw_probe(struct platform_de + /* Select default pin state */ + pinctrl_pm_select_default_state(&pdev->dev); + +- if (cpsw_probe_dt(priv, pdev)) { ++ if 
(cpsw_probe_dt(&priv->data, pdev)) { + dev_err(&pdev->dev, "cpsw: platform data missing\n"); + ret = -ENODEV; + goto clean_runtime_disable_ret; +--- a/drivers/net/ethernet/ti/cpsw.h ++++ b/drivers/net/ethernet/ti/cpsw.h +@@ -18,6 +18,7 @@ + #include + + struct cpsw_slave_data { ++ struct device_node *phy_node; + char phy_id[MII_BUS_ID_SIZE]; + int phy_if; + u8 mac_addr[ETH_ALEN]; diff --git a/queue-4.4/ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch b/queue-4.4/ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch new file mode 100644 index 00000000000..8a56f6a1b99 --- /dev/null +++ b/queue-4.4/ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch @@ -0,0 +1,30 @@ +From 5817f977527e5cdbea9ca56d2b95824f59c8747d Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Mon, 1 Aug 2016 15:02:43 +0800 +Subject: ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle + +From: Peter Chen + +commit 5817f977527e5cdbea9ca56d2b95824f59c8747d upstream. + +of_node_put needs to be called when the device node which is got +from of_parse_phandle has finished using. + +Signed-off-by: Peter Chen +Signed-off-by: David S. Miller +Signed-off-by: SZ Lin (林上智) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/davinci_emac.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -2108,6 +2108,7 @@ static int davinci_emac_remove(struct pl + cpdma_ctlr_destroy(priv->dma); + + unregister_netdev(ndev); ++ of_node_put(priv->phy_node); + free_netdev(ndev); + + return 0; diff --git a/queue-4.4/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch b/queue-4.4/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch new file mode 100644 index 00000000000..65663e881fe --- /dev/null +++ b/queue-4.4/mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch 
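Review bot: `slave_data->phy_node = of_parse_phandle(slave_node, "phy-handle", 0);` stores a node whose reference of_parse_phandle() takes, and none of the visible hunks drops it; the driver's remove path is outside this patch, so unless 4.4's cpsw_remove() already releases each slave's phy_node the backport keeps a per-probe device_node reference leak. The davinci_emac patch queued in this same commit adds exactly that missing of_node_put() for its phy_node, which suggests cpsw deserves the same check, with an `of_node_put()` on every slave's `phy_node` in the remove path if it is missing. Moving phy_node from cpsw_priv to cpsw_slave_data is correct for dual_emac, and changing cpsw_probe_dt() to take `struct cpsw_platform_data *data` keeps the single caller shown in sync. cpsw_probe_dt() and cpsw_slave_open() both start outside the hunks.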
@@ -0,0 +1,50 @@ +From 7233982ade15eeac05c6f351e8d347406e6bcd2f Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Thu, 18 Jan 2018 14:05:05 +0000 +Subject: mtd: ubi: wl: Fix error return code in ubi_wl_init() + +From: Wei Yongjun + +commit 7233982ade15eeac05c6f351e8d347406e6bcd2f upstream. + +Fix to return error code -ENOMEM from the kmem_cache_alloc() error +handling case instead of 0, as done elsewhere in this function. + +Fixes: f78e5623f45b ("ubi: fastmap: Erase outdated anchor PEBs during +attach") +Signed-off-by: Wei Yongjun +Reviewed-by: Boris Brezillon +Signed-off-by: Richard Weinberger +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/wl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -1597,8 +1597,10 @@ int ubi_wl_init(struct ubi_device *ubi, + cond_resched(); + + e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL); +- if (!e) ++ if (!e) { ++ err = -ENOMEM; + goto out_free; ++ } + + e->pnum = aeb->pnum; + e->ec = aeb->ec; +@@ -1617,8 +1619,10 @@ int ubi_wl_init(struct ubi_device *ubi, + cond_resched(); + + e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL); +- if (!e) ++ if (!e) { ++ err = -ENOMEM; + goto out_free; ++ } + + e->pnum = aeb->pnum; + e->ec = aeb->ec; diff --git a/queue-4.4/net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch b/queue-4.4/net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch new file mode 100644 index 00000000000..7a57ce8fcb7 --- /dev/null +++ b/queue-4.4/net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch 
@@ -0,0 +1,33 @@ +From 86e1d5adcef961eb383ce4eacbe0ef22f06e2045 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 17 Nov 2016 17:39:59 +0100 +Subject: net: ethernet: ti: cpsw: fix mdio device reference leak + +From: Johan Hovold + +commit 86e1d5adcef961eb383ce4eacbe0ef22f06e2045 upstream. + +Make sure to drop the reference taken by of_find_device_by_node() when +looking up an mdio device from a phy_id property during probe. + +Fixes: 549985ee9c72 ("cpsw: simplify the setup of the register +pointers") +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: SZ Lin (林上智) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/ti/cpsw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -2086,6 +2086,7 @@ static int cpsw_probe_dt(struct cpsw_pla + } + snprintf(slave_data->phy_id, sizeof(slave_data->phy_id), + PHY_ID_FMT, mdio->name, phyid); ++ put_device(&mdio->dev); + } else { + dev_err(&pdev->dev, "No slave[%d] phy_id or fixed-link property\n", i); + goto no_phy_slave; diff --git a/queue-4.4/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch b/queue-4.4/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch new file mode 100644 index 00000000000..7196f76224a --- /dev/null +++ b/queue-4.4/netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch 
@@ -0,0 +1,49 @@ +From e466af75c074e76107ae1cd5a2823e9c61894ffb Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 5 Oct 2017 02:50:07 -0700 +Subject: netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user + +From: Eric Dumazet + +commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream. + +syzkaller reports an out of bound read in strlcpy(), triggered +by xt_copy_counters_from_user() + +Fix this by using memcpy(), then forcing a zero byte at the last position +of the destination, as Florian did for the non COMPAT code. + +Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Cc: Greg Hackmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/x_tables.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -876,7 +876,7 @@ void *xt_copy_counters_from_user(const v + if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) + return ERR_PTR(-EFAULT); + +- strlcpy(info->name, compat_tmp.name, sizeof(info->name)); ++ memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1); + info->num_counters = compat_tmp.num_counters; + user += sizeof(compat_tmp); + } else +@@ -889,9 +889,9 @@ void *xt_copy_counters_from_user(const v + if (copy_from_user(info, user, sizeof(*info)) != 0) + return ERR_PTR(-EFAULT); + +- info->name[sizeof(info->name) - 1] = '\0'; + user += sizeof(*info); + } ++ info->name[sizeof(info->name) - 1] = '\0'; + + size = sizeof(struct xt_counters); + size *= info->num_counters; diff --git a/queue-4.4/series b/queue-4.4/series index 41211e70a13..20fa89a4dd5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
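Review bot: `memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);` is only safe if `compat_tmp.name` is at least as large as `info->name`, and neither struct definition is in the hunk; pinning that assumption with `BUILD_BUG_ON(sizeof(compat_tmp.name) < sizeof(info->name));` next to the memcpy would turn a future struct change into a build error rather than a reintroduced out-of-bounds read. Moving the `info->name[sizeof(info->name) - 1] = '\0';` below the if/else so it covers both the compat and native paths is the right fix, since the compat copy now deliberately leaves the last byte untouched. xt_copy_counters_from_user() begins before the hunk, so the compat branch condition itself is not visible here.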
@@ -44,3 +44,13 @@ mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch +xhci-fix-use-after-free-in-xhci_free_virt_device.patch +vmw_balloon-include-asm-io.h.patch +netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch +drivers-net-cpsw-fix-parsing-of-phy-handle-dt-property-in-dual_emac-config.patch +net-ethernet-ti-cpsw-fix-mdio-device-reference-leak.patch +ethernet-ti-davinci_emac-add-missing-of_node_put-after-calling-of_parse_phandle.patch +crypto-vmx-fix-sleep-in-atomic-bugs.patch +mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch +autofs-fix-autofs_sbi-does-not-check-super-block-type.patch +x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch diff --git a/queue-4.4/vmw_balloon-include-asm-io.h.patch b/queue-4.4/vmw_balloon-include-asm-io.h.patch new file mode 100644 index 00000000000..207d2ce6bee --- /dev/null +++ b/queue-4.4/vmw_balloon-include-asm-io.h.patch @@ -0,0 +1,32 @@ +From namit@vmware.com Mon Sep 17 13:42:18 2018 +From: Nadav Amit +Date: Thu, 13 Sep 2018 13:18:52 -0700 +Subject: vmw_balloon: include asm/io.h +To: +Cc: Nadav Amit , Xavier Deguillard +Message-ID: <20180913201852.24631-1-namit@vmware.com> + +From: Nadav Amit + +Fix a build error due to missing virt_to_phys() + +Reported-by: kbuild test robot +Fixes: f0a1bf29d821b ("vmw_balloon: fix inflation with batching") +Cc: stable@vger.kernel.org +Cc: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_balloon.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + #include + + MODULE_AUTHOR("VMware, Inc."); 
diff --git a/queue-4.4/x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch b/queue-4.4/x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch new file mode 100644 index 00000000000..a984d49ca73 --- /dev/null +++ b/queue-4.4/x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch 
@@ -0,0 +1,162 @@ +From andi@firstfloor.org Mon Sep 17 14:00:08 2018 +From: Andi Kleen +Date: Mon, 3 Sep 2018 10:19:13 -0700 +Subject: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ +To: stable@vger.kernel.org +Cc: Andi Kleen , Thomas Gleixner , x86@kernel.org, linux-kernel@vger.kernel.org, Michael Hocko , vbabka@suse.cz +Message-ID: <20180903171913.36570-1-andi@firstfloor.org> + + +From: Andi Kleen + +[upstream cc51e5428ea54f575d49cfcede1d4cb3a72b4ec4 for 4.4. +Note there might be still a trivial conflict with the backport +for b0a182f875689647b014bc01d36b340217792852, but should +be easy to resolve] + +On Nehalem and newer core CPUs the CPU cache internally uses 44 bits +physical address space. The L1TF workaround is limited by this internal +cache address width, and needs to have one bit free there for the +mitigation to work. + +Older client systems report only 36bit physical address space so the range +check decides that L1TF is not mitigated for a 36bit phys/32GB system with +some memory holes. + +But since these actually have the larger internal cache width this warning +is bogus because it would only really be needed if the system had more than +43bits of memory. + +Add a new internal x86_cache_bits field. Normally it is the same as the +physical bits field reported by CPUID, but for Nehalem and newerforce it to +be at least 44bits. + +Change the L1TF memory size warning to use the new cache_bits field to +avoid bogus warnings and remove the bogus comment about memory size. 
+ +Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf") +Reported-by: George Anchev +Reported-by: Christopher Snowhill +Signed-off-by: Andi Kleen +Signed-off-by: Thomas Gleixner +Cc: x86@kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: Michael Hocko +Cc: vbabka@suse.cz +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/processor.h | 4 ++- + arch/x86/kernel/cpu/bugs.c | 47 ++++++++++++++++++++++++++++---- + arch/x86/kernel/cpu/common.c | 2 ++ + 3 files changed, 47 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index a3a53955f01c..cb07d3f618ca 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -104,6 +104,8 @@ struct cpuinfo_x86 { + __u8 x86_phys_bits; + /* CPUID returned core id bits: */ + __u8 x86_coreid_bits; ++ ++ __u8 x86_cache_bits; + /* Max extended CPUID function supported: */ + __u32 extended_cpuid_level; + /* Maximum supported CPUID level, -1=no CPUID: */ +@@ -174,7 +176,7 @@ extern void cpu_detect(struct cpuinfo_x86 *c); + + static inline unsigned long l1tf_pfn_limit(void) + { +- return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1; ++ return BIT_ULL(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT); + } + + extern void early_cpu_init(void); +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 34e4aaaf03d2..2a41a86aa5c2 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -634,6 +634,46 @@ void x86_spec_ctrl_setup_ap(void) + + #undef pr_fmt + #define pr_fmt(fmt) "L1TF: " fmt ++ ++/* ++ * These CPUs all support 44bits physical address space internally in the ++ * cache but CPUID can report a smaller number of physical address bits. ++ * ++ * The L1TF mitigation uses the top most address bit for the inversion of ++ * non present PTEs. 
When the installed memory reaches into the top most ++ * address bit due to memory holes, which has been observed on machines ++ * which report 36bits physical address bits and have 32G RAM installed, ++ * then the mitigation range check in l1tf_select_mitigation() triggers. ++ * This is a false positive because the mitigation is still possible due to ++ * the fact that the cache uses 44bit internally. Use the cache bits ++ * instead of the reported physical bits and adjust them on the affected ++ * machines to 44bit if the reported bits are less than 44. ++ */ ++static void override_cache_bits(struct cpuinfo_x86 *c) ++{ ++ if (c->x86 != 6) ++ return; ++ ++ switch (c->x86_model) { ++ case INTEL_FAM6_NEHALEM: ++ case INTEL_FAM6_WESTMERE: ++ case INTEL_FAM6_SANDYBRIDGE: ++ case INTEL_FAM6_IVYBRIDGE: ++ case INTEL_FAM6_HASWELL_CORE: ++ case INTEL_FAM6_HASWELL_ULT: ++ case INTEL_FAM6_HASWELL_GT3E: ++ case INTEL_FAM6_BROADWELL_CORE: ++ case INTEL_FAM6_BROADWELL_GT3E: ++ case INTEL_FAM6_SKYLAKE_MOBILE: ++ case INTEL_FAM6_SKYLAKE_DESKTOP: ++ case INTEL_FAM6_KABYLAKE_MOBILE: ++ case INTEL_FAM6_KABYLAKE_DESKTOP: ++ if (c->x86_cache_bits < 44) ++ c->x86_cache_bits = 44; ++ break; ++ } ++} ++ + static void __init l1tf_select_mitigation(void) + { + u64 half_pa; +@@ -641,16 +681,13 @@ static void __init l1tf_select_mitigation(void) + if (!boot_cpu_has_bug(X86_BUG_L1TF)) + return; + ++ override_cache_bits(&boot_cpu_data); ++ + #if CONFIG_PGTABLE_LEVELS == 2 + pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); + return; + #endif + +- /* +- * This is extremely unlikely to happen because almost all +- * systems have far more MAX_PA/2 than RAM can be fit into +- * DIMM slots. +- */ + half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT; + if (e820_any_mapped(half_pa, ULLONG_MAX - half_pa, E820_RAM)) { + pr_warn("System has more than MAX_PA/2 memory. 
L1TF mitigation not effective.\n"); +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 4d3fa79c0f09..b12c0287d6cf 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -798,6 +798,8 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_phys_bits = 36; + #endif + ++ c->x86_cache_bits = c->x86_phys_bits; ++ + if (c->extended_cpuid_level >= 0x8000000a) + c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a); + +-- +2.17.1 + diff --git a/queue-4.4/xhci-fix-use-after-free-in-xhci_free_virt_device.patch b/queue-4.4/xhci-fix-use-after-free-in-xhci_free_virt_device.patch new file mode 100644 index 00000000000..ef067bcac18 --- /dev/null +++ b/queue-4.4/xhci-fix-use-after-free-in-xhci_free_virt_device.patch 
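Review bot: The `switch (c->x86_model)` in override_cache_bits() is a hard-coded allowlist ending at INTEL_FAM6_KABYLAKE_DESKTOP with no default, so any newer family-6 model keeps the CPUID-reported width and still produces the bogus "more than MAX_PA/2" warning the patch sets out to remove; a comment above the switch, `/* Extend this list as upstream adds models; unlisted CPUs keep CPUID's phys bits. */`, would tell the next backporter what to maintain. override_cache_bits() is only applied to boot_cpu_data, which is fine because l1tf_pfn_limit() reads only boot_cpu_data, but the x86_cache_bits field is also initialised for every CPU in get_cpu_cap(), so the comment should say the boot CPU is the only one that gets the override. The change from `BIT(...) - 1` to `BIT_ULL(...)` in l1tf_pfn_limit() is a second behavioural fix folded in beyond the subject, which the bracketed note about b0a182f875689647b014bc01d36b340217792852 only hints at.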
@@ -0,0 +1,47 @@ +From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 3 May 2018 17:30:07 +0300 +Subject: xhci: Fix use-after-free in xhci_free_virt_device + +From: Mathias Nyman + +commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream. + +KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e +where xhci_free_virt_device() sets slot id to 0 if udev exists: +if (dev->udev && dev->udev->slot_id) + dev->udev->slot_id = 0; + +dev->udev will be true even if udev is freed because dev->udev is +not set to NULL. + +set dev->udev pointer to NULL in xhci_free_dev() + +The original patch went to stable so this fix needs to be applied +there as well. + +Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot") +Cc: +Reported-by: Guenter Roeck +Reviewed-by: Guenter Roeck +Tested-by: Guenter Roeck +Signed-off-by: Mathias Nyman +Signed-off-by: Matthias Kaehlcke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3675,6 +3675,9 @@ void xhci_free_dev(struct usb_hcd *hcd, + } + + spin_lock_irqsave(&xhci->lock, flags); ++ ++ virt_dev->udev = NULL; ++ + /* Don't disable the slot if the host controller is dead. */ + state = readl(&xhci->op_regs->status); + if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) ||