From: Greg Kroah-Hartman Date: Sat, 4 Aug 2018 08:11:47 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.17.13~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b0a06966900d062fd6a8b7f13ec9287fed294f3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: audit-fix-potential-null-dereference-context-module.name.patch can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch crypto-padlock-aes-fix-nano-workaround-data-corruption.patch drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch iwlwifi-add-more-card-ids-for-9000-series.patch kvm-x86-vmx-fix-vpid-leak.patch net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch rdma-uverbs-expand-primary-and-alt-av-port-checks.patch scsi-sg-fix-minor-memory-leak-in-error-path.patch squashfs-more-metadata-hardening.patch squashfs-more-metadata-hardenings.patch userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch virtio_balloon-fix-another-race-between-migration-and-ballooning.patch x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch --- diff --git a/queue-4.14/audit-fix-potential-null-dereference-context-module.name.patch b/queue-4.14/audit-fix-potential-null-dereference-context-module.name.patch new file mode 100644 index 00000000000..765ed7ccfff --- /dev/null +++ b/queue-4.14/audit-fix-potential-null-dereference-context-module.name.patch 
@@ -0,0 +1,55 @@ +From b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Wed, 25 Jul 2018 10:26:19 +0800 +Subject: audit: fix potential null dereference 'context->module.name' + +From: Yi Wang + +commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 upstream. + +The variable 'context->module.name' may be null pointer when +kmalloc return null, so it's better to check it before using +to avoid null dereference. +Another one more thing this patch does is using kstrdup instead +of (kmalloc + strcpy), and signal a lost record via audit_log_lost. + +Cc: stable@vger.kernel.org # 4.11 +Signed-off-by: Yi Wang +Reviewed-by: Jiang Biao +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditsc.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1274,8 +1274,12 @@ static void show_special(struct audit_co + break; + case AUDIT_KERN_MODULE: + audit_log_format(ab, "name="); +- audit_log_untrustedstring(ab, context->module.name); +- kfree(context->module.name); ++ if (context->module.name) { ++ audit_log_untrustedstring(ab, context->module.name); ++ kfree(context->module.name); ++ } else ++ audit_log_format(ab, "(null)"); ++ + break; + } + audit_log_end(ab); +@@ -2387,8 +2391,9 @@ void __audit_log_kern_module(char *name) + { + struct audit_context *context = current->audit_context; + +- context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL); +- strcpy(context->module.name, name); ++ context->module.name = kstrdup(name, GFP_KERNEL); ++ if (!context->module.name) ++ audit_log_lost("out of memory in __audit_log_kern_module"); + context->type = AUDIT_KERN_MODULE; + } + diff --git a/queue-4.14/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch b/queue-4.14/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch new file mode 100644 index 00000000000..497c926d717 --- /dev/null 
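Review bot: `kfree(context->module.name)` in show_special() leaves the freed pointer stored in the context, so the new NULL check only covers the allocation-failure path; if the context is reused without `module.name` being cleared somewhere not visible here, a later pass would hand a dangling pointer to audit_log_untrustedstring(). Adding `context->module.name = NULL;` directly after the kfree closes that window at no cost. On style, kernel coding style asks for braces on both arms when either arm needs them, so the single-statement `} else` / `audit_log_format(ab, "(null)");` arm should be braced like the `if` arm. Both show_special() and __audit_log_kern_module() extend beyond the hunk.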
+++ b/queue-4.14/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch
@@ -0,0 +1,33 @@
+From 72c05f32f4a5055c9c8fe889bb6903ec959c0aad Mon Sep 17 00:00:00 2001
+From: Anton Vasilyev
+Date: Fri, 27 Jul 2018 18:50:42 +0300
+Subject: can: ems_usb: Fix memory leak on ems_usb_disconnect()
+
+From: Anton Vasilyev
+
+commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.
+
+ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there
+is no its deallocation in ems_usb_disconnect().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev
+Cc:
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/ems_usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1071,6 +1071,7 @@ static void ems_usb_disconnect(struct us
+ usb_free_urb(dev->intr_urb);
+ 
+ kfree(dev->intr_in_buffer);
++ kfree(dev->tx_msg_buffer);
+ }
+ }
+
diff --git a/queue-4.14/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch b/queue-4.14/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
new file mode 100644
index 00000000000..acd0eaf5b48
--- /dev/null
+++ b/queue-4.14/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
@@ -0,0 +1,71 @@ +From 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 13 Jul 2018 16:12:32 +0800 +Subject: crypto: padlock-aes - Fix Nano workaround data corruption + +From: Herbert Xu + +commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream. + +This was detected by the self-test thanks to Ard's chunking patch. + +I finally got around to testing this out on my ancient Via box. It +turns out that the workaround got the assembly wrong and we end up +doing count + initial cycles of the loop instead of just count. + +This obviously causes corruption, either by overwriting the source +that is yet to be processed, or writing over the end of the buffer. + +On CPUs that don't require the workaround only ECB is affected. +On Nano CPUs both ECB and CBC are affected. + +This patch fixes it by doing the subtraction prior to the assembly. + +Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...") +Cc: +Reported-by: Jamie Heilman +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/padlock-aes.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co + return; + } + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co + + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +- : "d"(control_word), "b"(key), "c"(count - initial)); ++ : "d"(control_word), "b"(key), "c"(count)); + } + + static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, +@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con + if (count < cbc_fetch_blocks) + return cbc_crypt(input, output, key, iv, control_word, count); + ++ count -= initial; ++ + if (initial) + asm 
volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con + + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +- : "d" (control_word), "b" (key), "c" (count-initial)); ++ : "d" (control_word), "b" (key), "c" (count)); + return iv; + } + diff --git a/queue-4.14/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch b/queue-4.14/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch new file mode 100644 index 00000000000..5c3ae77b28d --- /dev/null +++ b/queue-4.14/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch 
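Review bot: The relocated subtraction `count -= initial;` in padlock_xcrypt_ecb() and padlock_xcrypt_cbc() carries no comment saying why it has to precede the first `rep xcrypt` asm block, so a later tidy-up could fold it back into the `"c"(count)` constraint and reintroduce the count + initial iterations the commit message describes. A one-line comment above each, `/* Must be evaluated before the first asm block below, see commit 46d8c4b28652 */`, would preserve that intent. The subtraction also assumes initial <= count, which the early-return guards above presumably ensure (`count < cbc_fetch_blocks` is visible for CBC, the ECB guard is not) — worth confirming for the ECB path. Both functions start before their hunks.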
@@ -0,0 +1,36 @@
+From a6a00918d4ad8718c3ccde38c02cec17f116b2fd Mon Sep 17 00:00:00 2001
+From: Boris Brezillon
+Date: Tue, 24 Jul 2018 15:36:01 +0200
+Subject: drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats
+
+From: Boris Brezillon
+
+commit a6a00918d4ad8718c3ccde38c02cec17f116b2fd upstream.
+
+This is needed to ensure ->is_unity is correct when the plane was
+previously configured to output a multi-planar format with scaling
+enabled, and is then being reconfigured to output a uniplanar format.
+
+Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.")
+Cc:
+Signed-off-by: Boris Brezillon
+Reviewed-by: Eric Anholt
+Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezillon@bootlin.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vc4/vc4_plane.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -352,6 +352,9 @@ static int vc4_plane_setup_clipping_and_
+ vc4_state->x_scaling[0] = VC4_SCALING_TPZ;
+ if (vc4_state->y_scaling[0] == VC4_SCALING_NONE)
+ vc4_state->y_scaling[0] = VC4_SCALING_TPZ;
++ } else {
++ vc4_state->x_scaling[1] = VC4_SCALING_NONE;
++ vc4_state->y_scaling[1] = VC4_SCALING_NONE;
+ }
+ 
+ vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE &&
diff --git a/queue-4.14/iwlwifi-add-more-card-ids-for-9000-series.patch b/queue-4.14/iwlwifi-add-more-card-ids-for-9000-series.patch
new file mode 100644
index 00000000000..a6b97fcc77a
--- /dev/null
+++ b/queue-4.14/iwlwifi-add-more-card-ids-for-9000-series.patch
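Review bot: The new `else` branch in vc4_plane_setup_clipping_and_scaling() clears `x_scaling[1]`/`y_scaling[1]` without saying why, and the reason is not obvious from the code: per the commit message the plane state can carry scaling values left over from an earlier multi-planar configuration, which would make the `is_unity` computation just below wrong. A comment on the `} else {` line such as `/* Uniplanar: clear plane-1 scaling left over from an earlier multi-planar config so is_unity below is correct */` would capture that. The function starts before the hunk.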
@@ -0,0 +1,240 @@ +From 0a5257bc6d89c2ae69b9bf955679cb4f89261874 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Tue, 17 Jul 2018 13:43:56 +0300 +Subject: iwlwifi: add more card IDs for 9000 series + +From: Emmanuel Grumbach + +commit 0a5257bc6d89c2ae69b9bf955679cb4f89261874 upstream. + +Add new device IDs for the 9000 series. + +Cc: stable@vger.kernel.org # 4.14 +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/cfg/9000.c | 69 ++++++++++++++++++++++++ + drivers/net/wireless/intel/iwlwifi/iwl-config.h | 5 + + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 +++++++ + 3 files changed, 96 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c +@@ -177,6 +177,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = { + .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, + }; + ++const struct iwl_cfg iwl9260_killer_2ac_cfg = { ++ .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter (9260NGW)", ++ .fw_name_pre = IWL9260A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++}; ++ + const struct iwl_cfg iwl9270_2ac_cfg = { + .name = "Intel(R) Dual Band Wireless AC 9270", + .fw_name_pre = IWL9260A_FW_PRE, +@@ -266,6 +277,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc + .soc_latency = 5000, + }; + ++const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = { ++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = 
IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++}; ++ ++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = { ++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++}; ++ + const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = { + .name = "Intel(R) Dual Band Wireless AC 9460", + .fw_name_pre = IWL9000A_FW_PRE, +@@ -316,6 +355,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_sha + .fw_name_pre = IWL9000A_FW_PRE, + .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, + .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK ++}; ++ ++const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = { ++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK ++}; ++ ++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = { ++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = 
IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, + IWL_DEVICE_9000, + .ht_params = &iwl9000_ht_params, + .nvm_ver = IWL9000_NVM_VERSION, +--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h +@@ -470,6 +470,7 @@ extern const struct iwl_cfg iwl8265_2ac_ + extern const struct iwl_cfg iwl4165_2ac_sdio_cfg; + extern const struct iwl_cfg iwl9160_2ac_cfg; + extern const struct iwl_cfg iwl9260_2ac_cfg; ++extern const struct iwl_cfg iwl9260_killer_2ac_cfg; + extern const struct iwl_cfg iwl9270_2ac_cfg; + extern const struct iwl_cfg iwl9460_2ac_cfg; + extern const struct iwl_cfg iwl9560_2ac_cfg; +@@ -477,10 +478,14 @@ extern const struct iwl_cfg iwl9460_2ac_ + extern const struct iwl_cfg iwl9461_2ac_cfg_soc; + extern const struct iwl_cfg iwl9462_2ac_cfg_soc; + extern const struct iwl_cfg iwl9560_2ac_cfg_soc; ++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_soc; ++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc; + extern const struct iwl_cfg iwl9460_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9461_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9462_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9560_2ac_cfg_shared_clk; ++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk; ++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwla000_2ac_cfg_hr; + extern const struct iwl_cfg iwla000_2ac_cfg_hr_cdb; + extern const struct iwl_cfg iwla000_2ac_cfg_jf; +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -543,6 +543,9 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1410, iwl9270_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1420, iwl9460_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x1550, iwl9260_killer_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2526, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ 
{IWL_PCI_DEVICE(0x2526, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x1610, iwl9270_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x2034, iwl9560_2ac_cfg_soc)}, +@@ -552,6 +555,7 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x8014, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0xA014, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0010, iwl9160_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)}, +@@ -576,6 +580,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_cfg)}, +@@ -602,6 +608,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -628,6 +636,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x31DC, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x31DC, 0x1030, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x31DC, 0x1551, 
iwl9560_killer_s_2ac_cfg_shared_clk)}, ++ {IWL_PCI_DEVICE(0x31DC, 0x1552, iwl9560_killer_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x2030, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x2034, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x4030, iwl9560_2ac_cfg_shared_clk)}, +@@ -654,6 +664,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x34F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x34F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x34F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x34F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -680,6 +692,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x3DF0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x3DF0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x3DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x3DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -706,6 +720,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x43F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x43F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x43F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x43F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -741,6 +757,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x9DF0, 0x1010, 
iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x9DF0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x9DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x9DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2010, iwl9460_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2034, iwl9560_2ac_cfg_soc)}, +@@ -769,6 +787,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0xA0F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0xA0F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0xA0F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0xA0F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -795,6 +815,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0xA370, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0xA370, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0xA370, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0xA370, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x4030, iwl9560_2ac_cfg_soc)}, diff --git a/queue-4.14/kvm-x86-vmx-fix-vpid-leak.patch b/queue-4.14/kvm-x86-vmx-fix-vpid-leak.patch new file mode 100644 index 00000000000..be8ba8f7b89 --- /dev/null +++ b/queue-4.14/kvm-x86-vmx-fix-vpid-leak.patch 
@@ -0,0 +1,64 @@
+From 63aff65573d73eb8dda4732ad4ef222dd35e4862 Mon Sep 17 00:00:00 2001
+From: Roman Kagan
+Date: Thu, 19 Jul 2018 21:59:07 +0300
+Subject: kvm: x86: vmx: fix vpid leak
+
+From: Roman Kagan
+
+commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream.
+
+VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested
+vmx is turned on with the module parameter.
+
+However, it's only freed if the L1 guest has executed VMXON which is not
+a given.
+
+As a result, on a system with nested==on every creation+deletion of an
+L1 vcpu without running an L2 guest results in leaking one vpid. Since
+the total number of vpids is limited to 64k, they can eventually get
+exhausted, preventing L2 from starting.
+
+Delay allocation of the L2 vpid until VMXON emulation, thus matching its
+freeing.
+
+Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Kagan
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7354,6 +7354,8 @@ static int enter_vmx_operation(struct kv
+ HRTIMER_MODE_REL_PINNED);
+ vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
+ 
++ vmx->nested.vpid02 = allocate_vpid();
++
+ vmx->nested.vmxon = true;
+ return 0;
+ 
+@@ -9802,10 +9804,8 @@ static struct kvm_vcpu *vmx_create_vcpu(
+ goto free_vmcs;
+ }
+ 
+- if (nested) {
++ if (nested)
+ nested_vmx_setup_ctls_msrs(vmx);
+- vmx->nested.vpid02 = allocate_vpid();
+- }
+ 
+ vmx->nested.posted_intr_nv = -1;
+ vmx->nested.current_vmptr = -1ull;
+@@ -9822,7 +9822,6 @@ static struct kvm_vcpu *vmx_create_vcpu(
+ return &vmx->vcpu;
+ 
+free_vmcs:
+- free_vpid(vmx->nested.vpid02);
+ free_loaded_vmcs(vmx->loaded_vmcs);
+free_msrs:
+ kfree(vmx->guest_msrs);
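Review bot: The allocation `vmx->nested.vpid02 = allocate_vpid();` now sits in enter_vmx_operation() on the VMXON path, but nothing in the hunk records that it is deliberately paired with the free on the VMXOFF/teardown side, which is the whole reason for the move, and vmx_create_vcpu() no longer shows any vpid02 handling at all. A comment above the assignment such as `/* Freed with the rest of the nested state; allocating here rather than in vmx_create_vcpu() keeps the pair balanced when L1 never executes VMXON */` would preserve that intent. allocate_vpid() presumably returns 0 when the pool is exhausted and the result is unchecked here as it was before, so confirm that 0 is a safe value on the nested path. Both functions extend beyond their hunks.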
diff --git a/queue-4.14/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch b/queue-4.14/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
new file mode 100644
index 00000000000..0702ab2837a
--- /dev/null
+++ b/queue-4.14/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
@@ -0,0 +1,45 @@
+From c8e8cd579bb4265651df8223730105341e61a2d1 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline
+Date: Fri, 27 Jul 2018 22:43:01 +0000
+Subject: net: socket: fix potential spectre v1 gadget in socketcall
+
+From: Jeremy Cline
+
+commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include
+ #include
+@@ -2443,6 +2444,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
+ 
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+ 
+ len = nargs[call];
+ if (len > sizeof(a))
diff --git a/queue-4.14/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch b/queue-4.14/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
new file mode 100644
index 00000000000..a8fb3c0e41a
--- /dev/null
+++ b/queue-4.14/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
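Review bot: The first hunk of the net/socket.c change shows every `#include` line with its header name missing (`+ #include`, `++#include`), so in this rendering the added include cannot be checked; `array_index_nospec(call, SYS_SENDMMSG + 1)` needs `#include <linux/nospec.h>`, and the patch file should be verified to carry that name rather than an empty directive. The clamp itself is placed correctly, after the range check and before the `nargs[call]` load. SYSCALL_DEFINE2(socketcall) continues beyond the hunk.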
@@ -0,0 +1,112 @@ +From addb8a6559f0f8b5a37582b7ca698358445a55bf Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 11 Jul 2018 11:23:52 +0300 +Subject: RDMA/uverbs: Expand primary and alt AV port checks + +From: Jack Morgenstein + +commit addb8a6559f0f8b5a37582b7ca698358445a55bf upstream. + +The commit cited below checked that the port numbers provided in the +primary and alt AVs are legal. + +That is sufficient to prevent a kernel panic. However, it is not +sufficient for correct operation. + +In Linux, AVs (both primary and alt) must be completely self-described. +We do not accept an AV from userspace without an embedded port number. +(This has been the case since kernel 3.14 commit dbf727de7440 +("IB/core: Use GID table in AH creation and dmac resolution")). + +For the primary AV, this embedded port number must match the port number +specified with IB_QP_PORT. + +We also expect the port number embedded in the alt AV to match the +alt_port_num value passed by the userspace driver in the modify_qp command +base structure. + +Add these checks to modify_qp. 
+ +Cc: # 4.16 +Fixes: 5d4c05c3ee36 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it") +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_cmd.c | 59 ++++++++++++++++++++++++++++++++--- + 1 file changed, 54 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -1981,15 +1981,64 @@ static int modify_qp(struct ib_uverbs_fi + goto release_qp; + } + +- if ((cmd->base.attr_mask & IB_QP_AV) && +- !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) { +- ret = -EINVAL; +- goto release_qp; ++ if ((cmd->base.attr_mask & IB_QP_AV)) { ++ if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ ++ if (cmd->base.attr_mask & IB_QP_STATE && ++ cmd->base.qp_state == IB_QPS_RTR) { ++ /* We are in INIT->RTR TRANSITION (if we are not, ++ * this transition will be rejected in subsequent checks). ++ * In the INIT->RTR transition, we cannot have IB_QP_PORT set, ++ * but the IB_QP_STATE flag is required. ++ * ++ * Since kernel 3.14 (commit dbf727de7440), the uverbs driver, ++ * when IB_QP_AV is set, has required inclusion of a valid ++ * port number in the primary AV. (AVs are created and handled ++ * differently for infiniband and ethernet (RoCE) ports). ++ * ++ * Check the port number included in the primary AV against ++ * the port number in the qp struct, which was set (and saved) ++ * in the RST->INIT transition. ++ */ ++ if (cmd->base.dest.port_num != qp->real_qp->port) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ } else { ++ /* We are in SQD->SQD. (If we are not, this transition will ++ * be rejected later in the verbs layer checks). ++ * Check for both IB_QP_PORT and IB_QP_AV, these can be set ++ * together in the SQD->SQD transition. 
++ * ++ * If only IP_QP_AV was set, add in IB_QP_PORT as well (the ++ * verbs layer driver does not track primary port changes ++ * resulting from path migration. Thus, in SQD, if the primary ++ * AV is modified, the primary port should also be modified). ++ * ++ * Note that in this transition, the IB_QP_STATE flag ++ * is not allowed. ++ */ ++ if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT)) ++ == (IB_QP_AV | IB_QP_PORT)) && ++ cmd->base.port_num != cmd->base.dest.port_num) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT)) ++ == IB_QP_AV) { ++ cmd->base.attr_mask |= IB_QP_PORT; ++ cmd->base.port_num = cmd->base.dest.port_num; ++ } ++ } + } + + if ((cmd->base.attr_mask & IB_QP_ALT_PATH) && + (!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) || +- !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) { ++ !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) || ++ cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) { + ret = -EINVAL; + goto release_qp; + } diff --git a/queue-4.14/scsi-sg-fix-minor-memory-leak-in-error-path.patch b/queue-4.14/scsi-sg-fix-minor-memory-leak-in-error-path.patch new file mode 100644 index 00000000000..4e17d361c38 --- /dev/null +++ b/queue-4.14/scsi-sg-fix-minor-memory-leak-in-error-path.patch 
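Review bot: The comment in the SQD->SQD branch of modify_qp() says `If only IP_QP_AV was set`, which should read `IB_QP_AV` to match the flag it describes; since that comment is the only explanation of why IB_QP_PORT is silently added to the mask, the typo is worth fixing. On style, the outer test `if ((cmd->base.attr_mask & IB_QP_AV)) {` carries a redundant pair of parentheses and reads better as `if (cmd->base.attr_mask & IB_QP_AV) {`. The branch also rewrites `cmd->base.attr_mask` and `cmd->base.port_num` in place; presumably `cmd` is the kernel copy of the user request, so that is fine, but a short note that the request is deliberately amended before the verbs-layer checks would help the next reader. modify_qp() starts before the hunk.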
@@ -0,0 +1,33 @@
+From c170e5a8d222537e98aa8d4fddb667ff7a2ee114 Mon Sep 17 00:00:00 2001
+From: Tony Battersby
+Date: Thu, 12 Jul 2018 16:30:45 -0400
+Subject: scsi: sg: fix minor memory leak in error path
+
+From: Tony Battersby
+
+commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.
+
+Fix a minor memory leak when there is an error opening a /dev/sg device.
+
+Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
+Cc:
+Reviewed-by: Ewan D. Milne
+Signed-off-by: Tony Battersby
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
+ write_lock_irqsave(&sdp->sfd_lock, iflags);
+ if (atomic_read(&sdp->detaching)) {
+ write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++ kfree(sfp);
+ return ERR_PTR(-ENODEV);
+ }
+ list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
diff --git a/queue-4.14/series b/queue-4.14/series
index 50d1d250760..155948f4967 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -6,3 +6,18 @@ netlink-fix-spectre-v1-gadget-in-netlink_create.patch
 net-stmmac-fix-wol-for-pci-based-setups.patch
 rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch
 net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch
+squashfs-more-metadata-hardening.patch
+squashfs-more-metadata-hardenings.patch
+can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch
+net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
+virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
+x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch
+x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
+kvm-x86-vmx-fix-vpid-leak.patch
+audit-fix-potential-null-dereference-context-module.name.patch
+userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
+iwlwifi-add-more-card-ids-for-9000-series.patch
+rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
+crypto-padlock-aes-fix-nano-workaround-data-corruption.patch
+drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch
+scsi-sg-fix-minor-memory-leak-in-error-path.patch
diff --git a/queue-4.14/squashfs-more-metadata-hardening.patch b/queue-4.14/squashfs-more-metadata-hardening.patch
new file mode 100644
index 00000000000..f06d7a4add4
--- /dev/null
+++ b/queue-4.14/squashfs-more-metadata-hardening.patch
@@ -0,0 +1,37 @@
+From d512584780d3e6a7cacb2f482834849453d444a1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 30 Jul 2018 14:27:15 -0700
+Subject: squashfs: more metadata hardening
+
+From: Linus Torvalds
+
+commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.
+
+Anatoly reports another squashfs fuzzing issue, where the decompression
+parameters themselves are in a compressed block.
+
+This causes squashfs_read_data() to be called in order to read the
+decompression options before the decompression stream having been set
+up, making squashfs go sideways.
+
+Reported-by: Anatoly Trosinenko
+Acked-by: Phillip Lougher
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/squashfs/block.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_bloc
+ }
+ 
+ if (compressed) {
++ if (!msblk->stream)
++ goto read_failure;
+ length = squashfs_decompress(msblk, bh, b, offset, length,
+ output);
+ if (length < 0)
diff --git a/queue-4.14/squashfs-more-metadata-hardenings.patch b/queue-4.14/squashfs-more-metadata-hardenings.patch
new file mode 100644
index 00000000000..6d9ff9d6a91
--- /dev/null
+++ b/queue-4.14/squashfs-more-metadata-hardenings.patch
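Review bot: The new guard `if (!msblk->stream) goto read_failure;` in squashfs_read_data() has no comment explaining how a compressed block can be requested before the decompressor exists, which is the corrupt-image case the commit message describes (the decompressor options themselves stored in a compressed block). A comment such as `/* No decompressor yet: only a corrupt image stores the decompressor options in a compressed block */` keeps a later reader from treating the check as dead code. squashfs_read_data() starts before the hunk.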
@@ -0,0 +1,93 @@
+From 71755ee5350b63fb1f283de8561cdb61b47f4d1d Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Thu, 2 Aug 2018 08:43:35 -0700
+Subject: squashfs: more metadata hardening
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds
+
+commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream.
+
+The squashfs fragment reading code doesn't actually verify that the
+fragment is inside the fragment table. The end result _is_ verified to
+be inside the image when actually reading the fragment data, but before
+that is done, we may end up taking a page fault because the fragment
+table itself might not even exist.
+
+Another report from Anatoly and his endless squashfs image fuzzing.
+
+Reported-by: Анатолий Тросиненко
+Acked-by:: Phillip Lougher ,
+Cc: Willy Tarreau
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/squashfs/fragment.c | 13 +++++++++----
+ fs/squashfs/squashfs_fs_sb.h | 1 +
+ fs/squashfs/super.c | 5 +++--
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_bl
+ u64 *fragment_block)
+ {
+ struct squashfs_sb_info *msblk = sb->s_fs_info;
+- int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+- u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++ int block, offset, size;
+ struct squashfs_fragment_entry fragment_entry;
+- int size;
++ u64 start_block;
++
++ if (fragment >= msblk->fragments)
++ return -EIO;
++ block = SQUASHFS_FRAGMENT_INDEX(fragment);
++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++ start_block = le64_to_cpu(msblk->fragment_index[block]);
+ 
+ size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+ &offset, sizeof(fragment_entry));
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+ unsigned short block_log;
+ long long bytes_used;
+ unsigned int inodes;
++ unsigned int fragments;
+ int xattr_ids;
+ };
+ #endif
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct su
+ msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+ msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+ msblk->inodes = le32_to_cpu(sblk->inodes);
++ msblk->fragments = le32_to_cpu(sblk->fragments);
+ flags = le16_to_cpu(sblk->flags);
+ 
+ TRACE("Found valid superblock on %pg\n", sb->s_bdev);
+@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct su
+ TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+ TRACE("Block size %d\n", msblk->block_size);
+ TRACE("Number of inodes %d\n", msblk->inodes);
+- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++ TRACE("Number of fragments %d\n", msblk->fragments);
+ TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+ TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+ TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
+@@ -272,7 +273,7 @@ allocate_id_index_table:
+ sb->s_export_op = &squashfs_export_ops;
+ 
+ handle_fragments:
+- fragments = le32_to_cpu(sblk->fragments);
++ fragments = msblk->fragments;
+ if (fragments == 0)
+ goto check_directory_table;
+ 
diff --git a/queue-4.14/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch b/queue-4.14/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
new file mode 100644
index 00000000000..6865973aaf1
--- /dev/null
+++ b/queue-4.14/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
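Review bot: The new bound `if (fragment >= msblk->fragments) return -EIO;` in squashfs_frag_lookup only closes the hole if `fragment` is an unsigned type; its declaration sits in the signature just above the hunk, so confirm it is unsigned, since a signed index would let a negative value past the check and straight into `fragment_index[]`. The check also deserves a comment tying it to the super.c hunk, where `if (fragments == 0) goto check_directory_table;` skips setting the index table up at all, e.g. `/* fragment_index is not even allocated when the superblock says fragments == 0, so bound the index before touching it */`. The table's actual size is set by code outside the hunk, so I am assuming it is derived from the same superblock count that now lands in msblk->fragments.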
@@ -0,0 +1,50 @@
+From 31e810aa1033a7db50a2746cd34a2432237f6420 Mon Sep 17 00:00:00 2001
+From: Mike Rapoport
+Date: Thu, 2 Aug 2018 15:36:09 -0700
+Subject: userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
+
+From: Mike Rapoport
+
+commit 31e810aa1033a7db50a2746cd34a2432237f6420 upstream.
+
+The fix in commit 0cbb4b4f4c44 ("userfaultfd: clear the
+vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the
+vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags
+that were copied from the parent process VMA.
+
+As the result, there is an inconsistency between the values of
+vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON
+in userfaultfd_release().
+
+Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
+failure resolves the issue.
+
+Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-rppt@linux.vnet.ibm.com
+Fixes: 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails")
+Signed-off-by: Mike Rapoport
+Reported-by: syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com
+Cc: Andrea Arcangeli
+Cc: Eric Biggers
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/userfaultfd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -628,8 +628,10 @@ static void userfaultfd_event_wait_compl
+ /* the various vma->vm_userfaultfd_ctx still points to it */
+ down_write(&mm->mmap_sem);
+ for (vma = mm->mmap; vma; vma = vma->vm_next)
+- if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
++ if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
+ vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
++ vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);
++ }
+ up_write(&mm->mmap_sem);
+ 
+ userfaultfd_ctx_put(release_new_ctx);
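Review bot: The mask `~(VM_UFFD_WP | VM_UFFD_MISSING)` on the new line is an open-coded copy of the set of uffd vm_flags, and the invariant it restores (no uffd flags on a VMA whose ctx was just reset) is checked elsewhere by the userfaultfd_release() BUG_ON that the commit message cites; two hand-written copies of that set will drift the day another VM_UFFD_* flag is added. Consider one named mask shared by both sites, or at minimum a comment on the new line: `/* vm_flags must agree with the cleared ctx; userfaultfd_release() BUG_ONs on a mismatch */`. The enclosing userfaultfd_event_wait_completion() starts before the hunk.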
diff --git a/queue-4.14/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch b/queue-4.14/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
new file mode 100644
index 00000000000..1cbca1d324f
--- /dev/null
+++ b/queue-4.14/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch
@@ -0,0 +1,64 @@
+From 89da619bc18d79bca5304724c11d4ba3b67ce2c6 Mon Sep 17 00:00:00 2001
+From: Jiang Biao
+Date: Wed, 18 Jul 2018 10:29:28 +0800
+Subject: virtio_balloon: fix another race between migration and ballooning
+
+From: Jiang Biao
+
+commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.
+
+Kernel panic when with high memory pressure, calltrace looks like,
+
+PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
+ #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
+ #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
+ #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
+ #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
+ #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
+ #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
+ #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
+ #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
+ #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
+ #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
+ [exception RIP: _raw_spin_lock_irqsave+47]
+ RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
+ RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
+ RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
+ RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
+ R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+
+It happens in the pagefault and results in double pagefault
+during compacting pages when memory allocation fails.
+
+Analysed the vmcore, the page leads to second pagefault is corrupted
+with _mapcount=-256, but private=0.
+
+It's caused by the race between migration and ballooning, and lock
+missing in virtballoon_migratepage() of virtio_balloon driver.
+This patch fix the bug.
+
+Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiang Biao
+Signed-off-by: Huang Chong
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_balloon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -490,7 +490,9 @@ static int virtballoon_migratepage(struc
+ tell_host(vb, vb->inflate_vq);
+ 
+ /* balloon's page migration 2nd step -- deflate "page" */
++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+ balloon_page_delete(page);
++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+ vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+ set_page_pfns(vb, vb->pfns, page);
+ tell_host(vb, vb->deflate_vq);
diff --git a/queue-4.14/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch b/queue-4.14/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch
new file mode 100644
index 00000000000..5fab0d6f5d0
--- /dev/null
+++ b/queue-4.14/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch
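Review bot: The new `spin_lock_irqsave`/`spin_unlock_irqrestore` pair around `balloon_page_delete(page)` carries no comment on what it serializes against, and the commit message only describes the crash; a reader has to know from code outside the hunk that balloon_page_delete() presumably unlinks the page from the balloon's page list that other paths walk under `pages_lock`. Suggest `/* pages_lock: balloon_page_delete() unlinks page from the balloon page list, which enqueue/dequeue walk under the same lock */` above the lock. `flags` is not declared within the hunk, so I am assuming the first migration step earlier in virtballoon_migratepage() already declares it for its own pages_lock critical section.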
@@ -0,0 +1,41 @@
+From d9e6dbcf28f383bf08e6a3180972f5722e514a54 Mon Sep 17 00:00:00 2001
+From: Len Brown
+Date: Sat, 21 Jul 2018 17:19:19 -0400
+Subject: x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
+
+From: Len Brown
+
+commit d9e6dbcf28f383bf08e6a3180972f5722e514a54 upstream.
+
+All SKX with stepping higher than 4 support the TSC_DEADLINE,
+no matter the microcode version.
+
+Without this patch, upcoming SKX steppings will not be able to use
+their TSC_DEADLINE timer.
+
+Signed-off-by: Len Brown
+Cc: # v4.14+
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Fixes: 616dd5872e ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping")
+Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.brown@intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/apic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -580,6 +580,9 @@ static u32 skx_deadline_rev(void)
+ case 0x04: return 0x02000014;
+ }
+ 
++ if (boot_cpu_data.x86_stepping > 4)
++ return 0;
++
+ return ~0U;
+ }
+ 
diff --git a/queue-4.14/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch b/queue-4.14/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
new file mode 100644
index 00000000000..0e7f05a7f44
--- /dev/null
+++ b/queue-4.14/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
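Review bot: `if (boot_cpu_data.x86_stepping > 4)` compares against a decimal literal while the switch cases just above use hex (`case 0x04:`); writing `> 0x04` makes it visible that the open-ended range starts right after the last enumerated stepping. The `return 0` also deserves a comment, because 0 is being used to mean "no minimum microcode revision" while the `~0U` fallthrough below means "never supported": `/* steppings after 0x04 have a working TSC_DEADLINE regardless of microcode */`. How the caller tells 0 apart from ~0U is outside the hunk.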
@@ -0,0 +1,134 @@
+From b3681dd548d06deb2e1573890829dff4b15abf46 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: x86/entry/64: Remove %ebx handling from error_entry/exit
+
+From: Andy Lutomirski
+
+commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream.
+
+error_entry and error_exit communicate the user vs. kernel status of
+the frame using %ebx. This is unnecessary -- the information is in
+regs->cs. Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug. Before all the Spectre nonsense, the
+xen_failsafe_callback entry point returned like this:
+
+ ALLOC_PT_GPREGS_ON_STACK
+ SAVE_C_REGS
+ SAVE_EXTRA_REGS
+ ENCODE_FRAME_POINTER
+ jmp error_exit
+
+And it did not go through error_entry. This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used. As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks. Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes. This was introduced by:
+
+ commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[ Historical note: I wrote this patch as a cleanup before I was aware
+ of the bug it fixed. ]
+
+[ Note to stable maintainers: this should probably get applied to all
+ kernels. If you're nervous about that, a more conservative fix to
+ add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+ also fix the problem. ]
+
+Reported-and-tested-by: M. Vefa Bicakci
+Signed-off-by: Andy Lutomirski
+Cc: Boris Ostrovsky
+Cc: Borislav Petkov
+Cc: Brian Gerst
+Cc: Dave Hansen
+Cc: Denys Vlasenko
+Cc: Dominik Brodowski
+Cc: Greg KH
+Cc: H. Peter Anvin
+Cc: Josh Poimboeuf
+Cc: Juergen Gross
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/entry/entry_64.S | 18 ++++-------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -933,7 +933,7 @@ ENTRY(\sym)
+ 
+ call \do_sym
+ 
+- jmp error_exit /* %ebx: no swapgs flag */
++ jmp error_exit
+ .endif
+ END(\sym)
+ .endm
+@@ -1166,7 +1166,6 @@ END(paranoid_exit)
+ 
+ /*
+ * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+ */
+ ENTRY(error_entry)
+ UNWIND_HINT_FUNC
+@@ -1213,7 +1212,6 @@ ENTRY(error_entry)
+ * for these here too.
+ */
+ .Lerror_kernelspace:
+- incl %ebx
+ leaq native_irq_return_iret(%rip), %rcx
+ cmpq %rcx, RIP+8(%rsp)
+ je .Lerror_bad_iret
+@@ -1247,28 +1245,20 @@ ENTRY(error_entry)
+ 
+ /*
+ * Pretend that the exception came from user mode: set up pt_regs
+- * as if we faulted immediately after IRET and clear EBX so that
+- * error_exit knows that we will be returning to user mode.
++ * as if we faulted immediately after IRET.
+ */
+ mov %rsp, %rdi
+ call fixup_bad_iret
+ mov %rax, %rsp
+- decl %ebx
+ jmp .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+ 
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- * 1: already in kernel mode, don't need SWAPGS
+- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ UNWIND_HINT_REGS
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+- testl %ebx, %ebx
+- jnz retint_kernel
++ testb $3, CS(%rsp)
++ jz retint_kernel
+ jmp retint_user
+ END(error_exit)
+ 
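Review bot: `testb $3, CS(%rsp)` in error_exit hard-codes that the RPL bits of the saved CS select the user-vs-kernel return path, and with the old EBX comment block deleted nothing in the hunk says so; add `/* RPL bits of the saved CS: non-zero means we return to user mode */` above the test so the dependence on %rsp pointing at pt_regs (UNWIND_HINT_REGS) is explicit. This is what makes error_exit safe for entries that skip error_entry, such as the xen_failsafe_callback path the commit message describes, but only if such a path builds a complete pt_regs with the hardware-saved CS in place; that code is outside the hunk, so I cannot confirm it here. The idtentry macro whose `jmp error_exit` is edited begins before the hunk.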