From: Greg Kroah-Hartman Date: Mon, 22 May 2017 16:41:09 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.55~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4fceb16fa6fe4442508d57740146e2de243c57b8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch ath9k_htc-fix-null-deref-at-probe.patch ima-accept-previously-set-ima_new_file.patch kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch kvm-x86-fix-potential-preemption-when-get-the-current-kvmclock-timestamp.patch kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch regulator-rk808-fix-rk818-ldo2.patch regulator-tps65023-fix-inverted-core-enable-logic.patch s390-cputime-fix-incorrect-system-time.patch s390-kdump-add-final-note.patch x86-fix-32-bit-case-of-__get_user_asm_u64.patch --- diff --git a/queue-4.9/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch b/queue-4.9/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch new file mode 100644 index 00000000000..15c3e65eeaf --- /dev/null +++ b/queue-4.9/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch @@ -0,0 +1,36 @@ +From 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 Mon Sep 17 00:00:00 2001 +From: Dmitry Tunin +Date: Wed, 8 Mar 2017 13:52:07 +0200 +Subject: ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device + +From: Dmitry Tunin + +commit 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 upstream. + +T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1 +P: Vendor=1eda ProdID=2315 Rev=01.08 +S: Manufacturer=ATHEROS +S: Product=USB2.0 WLAN +S: SerialNumber=12345 +C: #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) + +Signed-off-by: Dmitry Tunin +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -37,6 +37,7 @@ static struct usb_device_id ath9k_hif_us + { USB_DEVICE(0x0cf3, 0xb002) }, /* Ubiquiti WifiStation */ + { USB_DEVICE(0x057c, 0x8403) }, /* AVM FRITZ!WLAN 11N v2 USB */ + { USB_DEVICE(0x0471, 0x209e) }, /* Philips (or NXP) PTA01 */ ++ { USB_DEVICE(0x1eda, 0x2315) }, /* AirTies */ + + { USB_DEVICE(0x0cf3, 0x7015), + .driver_info = AR9287_USB }, /* Atheros */ diff --git a/queue-4.9/ath9k_htc-fix-null-deref-at-probe.patch b/queue-4.9/ath9k_htc-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..a506c762f2c --- /dev/null +++ b/queue-4.9/ath9k_htc-fix-null-deref-at-probe.patch @@ -0,0 +1,34 @@ +From ebeb36670ecac36c179b5fb5d5c88ff03ba191ec Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:44:20 +0100 +Subject: ath9k_htc: fix NULL-deref at probe + +From: Johan Hovold + +commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1219,6 +1219,9 @@ static int send_eject_command(struct usb + u8 bulk_out_ep; + int r; + ++ if (iface_desc->desc.bNumEndpoints < 2) ++ return -ENODEV; ++ + /* Find bulk out endpoint */ + for (r = 1; r >= 0; r--) { + endpoint = &iface_desc->endpoint[r].desc; diff --git a/queue-4.9/ima-accept-previously-set-ima_new_file.patch b/queue-4.9/ima-accept-previously-set-ima_new_file.patch new file mode 100644 index 00000000000..354145e7c0b --- /dev/null +++ b/queue-4.9/ima-accept-previously-set-ima_new_file.patch @@ -0,0 +1,52 @@ +From 1ac202e978e18f045006d75bd549612620c6ec3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= +Date: Fri, 24 Feb 2017 15:05:14 +0100 +Subject: ima: accept previously set IMA_NEW_FILE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Glöckner + +commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream. + +Modifying the attributes of a file makes ima_inode_post_setattr reset +the IMA cache flags. So if the file, which has just been created, +is opened a second time before the first file descriptor is closed, +verification fails since the security.ima xattr has not been written +yet. We therefore have to look at the IMA_NEW_FILE even if the file +already existed. + +With this patch there should no longer be an error when cat tries to +open testfile: + +$ rm -f testfile +$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile + +A file being new is no reason to accept that it is missing a digital +signature demanded by the policy. + +Signed-off-by: Daniel Glöckner +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_appraise.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -204,10 +204,11 @@ int ima_appraise_measurement(enum ima_ho + + cause = "missing-hash"; + status = INTEGRITY_NOLABEL; +- if (opened & FILE_CREATED) { ++ if (opened & FILE_CREATED) + iint->flags |= IMA_NEW_FILE; ++ if ((iint->flags & IMA_NEW_FILE) && ++ !(iint->flags & IMA_DIGSIG_REQUIRED)) + status = INTEGRITY_PASS; +- } + goto out; + } + diff --git a/queue-4.9/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch b/queue-4.9/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch new file mode 100644 index 00000000000..0bc9ee2686e --- /dev/null +++ b/queue-4.9/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch @@ -0,0 +1,112 @@ +From a575813bfe4bc15aba511a5e91e61d242bff8b9d Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Thu, 11 May 2017 02:58:55 -0700 +Subject: KVM: x86: Fix load damaged SSEx MXCSR register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit a575813bfe4bc15aba511a5e91e61d242bff8b9d upstream. + +Reported by syzkaller: + + BUG: unable to handle kernel paging request at ffffffffc07f6a2e + IP: report_bug+0x94/0x120 + PGD 348e12067 + P4D 348e12067 + PUD 348e14067 + PMD 3cbd84067 + PTE 80000003f7e87161 + + Oops: 0003 [#1] SMP + CPU: 2 PID: 7091 Comm: kvm_load_guest_ Tainted: G OE 4.11.0+ #8 + task: ffff92fdfb525400 task.stack: ffffbda6c3d04000 + RIP: 0010:report_bug+0x94/0x120 + RSP: 0018:ffffbda6c3d07b20 EFLAGS: 00010202 + do_trap+0x156/0x170 + do_error_trap+0xa3/0x170 + ? kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm] + ? mark_held_locks+0x79/0xa0 + ? retint_kernel+0x10/0x10 + ? trace_hardirqs_off_thunk+0x1a/0x1c + do_invalid_op+0x20/0x30 + invalid_op+0x1e/0x30 + RIP: 0010:kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm] + ? kvm_load_guest_fpu.part.175+0x1c/0x170 [kvm] + kvm_arch_vcpu_ioctl_run+0xed6/0x1b70 [kvm] + kvm_vcpu_ioctl+0x384/0x780 [kvm] + ? kvm_vcpu_ioctl+0x384/0x780 [kvm] + ? sched_clock+0x13/0x20 + ? __do_page_fault+0x2a0/0x550 + do_vfs_ioctl+0xa4/0x700 + ? up_read+0x1f/0x40 + ? __do_page_fault+0x2a0/0x550 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x23/0xc2 + +SDM mentioned that "The MXCSR has several reserved bits, and attempting to write +a 1 to any of these bits will cause a general-protection exception(#GP) to be +generated". The syzkaller forks' testcase overrides xsave area w/ random values +and steps on the reserved bits of MXCSR register. The damaged MXCSR register +values of guest will be restored to SSEx MXCSR register before vmentry. This +patch fixes it by catching userspace override MXCSR register reserved bits w/ +random values and bails out immediately. + +Reported-by: Andrey Konovalov +Reviewed-by: Paolo Bonzini +Cc: Paolo Bonzini +Cc: Radim Krčmář +Signed-off-by: Wanpeng Li +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/fpu/init.c | 1 + + arch/x86/kvm/x86.c | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/fpu/init.c ++++ b/arch/x86/kernel/fpu/init.c +@@ -101,6 +101,7 @@ static void fpu__init_system_early_gener + * Boot time FPU feature detection code: + */ + unsigned int mxcsr_feature_mask __read_mostly = 0xffffffffu; ++EXPORT_SYMBOL_GPL(mxcsr_feature_mask); + + static void __init fpu__init_system_mxcsr(void) + { +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3231,11 +3231,14 @@ static void kvm_vcpu_ioctl_x86_get_xsave + } + } + ++#define XSAVE_MXCSR_OFFSET 24 ++ + static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu, + struct kvm_xsave *guest_xsave) + { + u64 xstate_bv = + *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)]; ++ u32 mxcsr = *(u32 *)&guest_xsave->region[XSAVE_MXCSR_OFFSET / sizeof(u32)]; + + if (boot_cpu_has(X86_FEATURE_XSAVE)) { + /* +@@ -3243,11 +3246,13 @@ static int kvm_vcpu_ioctl_x86_set_xsave( + * CPUID leaf 0xD, index 0, EDX:EAX. This is for compatibility + * with old userspace. + */ +- if (xstate_bv & ~kvm_supported_xcr0()) ++ if (xstate_bv & ~kvm_supported_xcr0() || ++ mxcsr & ~mxcsr_feature_mask) + return -EINVAL; + load_xsave(vcpu, (u8 *)guest_xsave->region); + } else { +- if (xstate_bv & ~XFEATURE_MASK_FPSSE) ++ if (xstate_bv & ~XFEATURE_MASK_FPSSE || ++ mxcsr & ~mxcsr_feature_mask) + return -EINVAL; + memcpy(&vcpu->arch.guest_fpu.state.fxsave, + guest_xsave->region, sizeof(struct fxregs_state)); diff --git a/queue-4.9/kvm-x86-fix-potential-preemption-when-get-the-current-kvmclock-timestamp.patch b/queue-4.9/kvm-x86-fix-potential-preemption-when-get-the-current-kvmclock-timestamp.patch new file mode 100644 index 00000000000..abe548906cc --- /dev/null +++ b/queue-4.9/kvm-x86-fix-potential-preemption-when-get-the-current-kvmclock-timestamp.patch @@ -0,0 +1,89 @@ +From e2c2206a18993bc9f62393d49c7b2066c3845b25 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Thu, 11 May 2017 18:12:05 -0700 +Subject: KVM: x86: Fix potential preemption when get the current kvmclock timestamp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit e2c2206a18993bc9f62393d49c7b2066c3845b25 upstream. + + BUG: using __this_cpu_read() in preemptible [00000000] code: qemu-system-x86/2809 + caller is __this_cpu_preempt_check+0x13/0x20 + CPU: 2 PID: 2809 Comm: qemu-system-x86 Not tainted 4.11.0+ #13 + Call Trace: + dump_stack+0x99/0xce + check_preemption_disabled+0xf5/0x100 + __this_cpu_preempt_check+0x13/0x20 + get_kvmclock_ns+0x6f/0x110 [kvm] + get_time_ref_counter+0x5d/0x80 [kvm] + kvm_hv_process_stimers+0x2a1/0x8a0 [kvm] + ? kvm_hv_process_stimers+0x2a1/0x8a0 [kvm] + ? kvm_arch_vcpu_ioctl_run+0xac9/0x1ce0 [kvm] + kvm_arch_vcpu_ioctl_run+0x5bf/0x1ce0 [kvm] + kvm_vcpu_ioctl+0x384/0x7b0 [kvm] + ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm] + ? __fget+0xf3/0x210 + do_vfs_ioctl+0xa4/0x700 + ? __fget+0x114/0x210 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x23/0xc2 + RIP: 0033:0x7f9d164ed357 + ? __this_cpu_preempt_check+0x13/0x20 + +This can be reproduced by run kvm-unit-tests/hyperv_stimer.flat w/ +CONFIG_PREEMPT and CONFIG_DEBUG_PREEMPT enabled. + +Safe access to per-CPU data requires a couple of constraints, though: the +thread working with the data cannot be preempted and it cannot be migrated +while it manipulates per-CPU variables. If the thread is preempted, the +thread that replaces it could try to work with the same variables; migration +to another CPU could also cause confusion. However there is no preemption +disable when reads host per-CPU tsc rate to calculate the current kvmclock +timestamp. + +This patch fixes it by utilizing get_cpu/put_cpu pair to guarantee both +__this_cpu_read() and rdtsc() are not preempted. + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Signed-off-by: Wanpeng Li +Reviewed-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1735,6 +1735,7 @@ static u64 __get_kvmclock_ns(struct kvm + { + struct kvm_arch *ka = &kvm->arch; + struct pvclock_vcpu_time_info hv_clock; ++ u64 ret; + + spin_lock(&ka->pvclock_gtod_sync_lock); + if (!ka->use_master_clock) { +@@ -1746,10 +1747,17 @@ static u64 __get_kvmclock_ns(struct kvm + hv_clock.system_time = ka->master_kernel_ns + ka->kvmclock_offset; + spin_unlock(&ka->pvclock_gtod_sync_lock); + ++ /* both __this_cpu_read() and rdtsc() should be on the same cpu */ ++ get_cpu(); ++ + kvm_get_time_scale(NSEC_PER_SEC, __this_cpu_read(cpu_tsc_khz) * 1000LL, + &hv_clock.tsc_shift, + &hv_clock.tsc_to_system_mul); +- return __pvclock_read_cycles(&hv_clock, rdtsc()); ++ ret = __pvclock_read_cycles(&hv_clock, rdtsc()); ++ ++ put_cpu(); ++ ++ return ret; + } + + u64 get_kvmclock_ns(struct kvm *kvm) diff --git a/queue-4.9/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch b/queue-4.9/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch new file mode 100644 index 00000000000..c226e58eb26 --- /dev/null +++ b/queue-4.9/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch @@ -0,0 +1,276 @@ +From cbfc6c9184ce71b52df4b1d82af5afc81a709178 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Fri, 19 May 2017 02:46:56 -0700 +Subject: KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit cbfc6c9184ce71b52df4b1d82af5afc81a709178 upstream. + +Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation. + +- "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only, + a read should be ignored) in guest can get a random number. +- "rep insb" instruction to access PIT register port 0x43 can control memcpy() + in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes, + which will disclose the unimportant kernel memory in host but no crash. + +The similar test program below can reproduce the read out-of-bounds vulnerability: + +void hexdump(void *mem, unsigned int len) +{ + unsigned int i, j; + + for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++) + { + /* print offset */ + if(i % HEXDUMP_COLS == 0) + { + printf("0x%06x: ", i); + } + + /* print hex data */ + if(i < len) + { + printf("%02x ", 0xFF & ((char*)mem)[i]); + } + else /* end of block, just aligning for ASCII dump */ + { + printf(" "); + } + + /* print ASCII dump */ + if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) + { + for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) + { + if(j >= len) /* end of block, not really printing */ + { + putchar(' '); + } + else if(isprint(((char*)mem)[j])) /* printable char */ + { + putchar(0xFF & ((char*)mem)[j]); + } + else /* other char */ + { + putchar('.'); + } + } + putchar('\n'); + } + } +} + +int main(void) +{ + int i; + if (iopl(3)) + { + err(1, "set iopl unsuccessfully\n"); + return -1; + } + static char buf[0x40]; + + /* test ioport 0x40,0x41,0x42,0x43,0x44,0x45 */ + + memset(buf, 0xab, sizeof(buf)); + + asm volatile("push %rdi;"); + asm volatile("mov %0, %%rdi;"::"q"(buf)); + + asm volatile ("mov $0x40, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x41, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x42, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x43, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x44, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x45, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("pop %rdi;"); + hexdump(buf, 0x40); + + printf("\n"); + + /* ins port 0x40 */ + + memset(buf, 0xab, sizeof(buf)); + + asm volatile("push %rdi;"); + asm volatile("mov %0, %%rdi;"::"q"(buf)); + + asm volatile ("mov $0x20, %rcx;"); + asm volatile ("mov $0x40, %rdx;"); + asm volatile ("rep insb;"); + + asm volatile ("pop %rdi;"); + hexdump(buf, 0x40); + + printf("\n"); + + /* ins port 0x43 */ + + memset(buf, 0xab, sizeof(buf)); + + asm volatile("push %rdi;"); + asm volatile("mov %0, %%rdi;"::"q"(buf)); + + asm volatile ("mov $0x20, %rcx;"); + asm volatile ("mov $0x43, %rdx;"); + asm volatile ("rep insb;"); + + asm volatile ("pop %rdi;"); + hexdump(buf, 0x40); + + printf("\n"); + return 0; +} + +The vcpu->arch.pio_data buffer is used by both in/out instrutions emulation +w/o clear after using which results in some random datas are left over in +the buffer. Guest reads port 0x43 will be ignored since it is write only, +however, the function kernel_pio() can't distigush this ignore from successfully +reads data from device's ioport. There is no new data fill the buffer from +port 0x43, however, emulator_pio_in_emulated() will copy the stale data in +the buffer to the guest unconditionally. This patch fixes it by clearing the +buffer before in instruction emulation to avoid to grant guest the stale data +in the buffer. + +In addition, string I/O is not supported for in kernel device. So there is no +iteration to read ioport %RCX times for string I/O. The function kernel_pio() +just reads one round, and then copy the io size * %RCX to the guest unconditionally, +actually it copies the one round ioport data w/ other random datas which are left +over in the vcpu->arch.pio_data buffer to the guest. This patch fixes it by +introducing the string I/O support for in kernel device in order to grant the right +ioport datas to the guest. + +Before the patch: + +0x000000: fe 38 93 93 ff ff ab ab .8...... +0x000008: ab ab ab ab ab ab ab ab ........ +0x000010: ab ab ab ab ab ab ab ab ........ +0x000018: ab ab ab ab ab ab ab ab ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: f6 00 00 00 00 00 00 00 ........ +0x000008: 00 00 00 00 00 00 00 00 ........ +0x000010: 00 00 00 00 4d 51 30 30 ....MQ00 +0x000018: 30 30 20 33 20 20 20 20 00 3 +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: f6 00 00 00 00 00 00 00 ........ +0x000008: 00 00 00 00 00 00 00 00 ........ +0x000010: 00 00 00 00 4d 51 30 30 ....MQ00 +0x000018: 30 30 20 33 20 20 20 20 00 3 +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +After the patch: + +0x000000: 1e 02 f8 00 ff ff ab ab ........ +0x000008: ab ab ab ab ab ab ab ab ........ +0x000010: ab ab ab ab ab ab ab ab ........ +0x000018: ab ab ab ab ab ab ab ab ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: d2 e2 d2 df d2 db d2 d7 ........ +0x000008: d2 d3 d2 cf d2 cb d2 c7 ........ +0x000010: d2 c4 d2 c0 d2 bc d2 b8 ........ +0x000018: d2 b4 d2 b0 d2 ac d2 a8 ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: 00 00 00 00 00 00 00 00 ........ +0x000008: 00 00 00 00 00 00 00 00 ........ +0x000010: 00 00 00 00 00 00 00 00 ........ +0x000018: 00 00 00 00 00 00 00 00 ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +Reported-by: Moguofang +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Moguofang +Signed-off-by: Wanpeng Li +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4763,16 +4763,20 @@ emul_write: + + static int kernel_pio(struct kvm_vcpu *vcpu, void *pd) + { +- /* TODO: String I/O for in kernel device */ +- int r; ++ int r = 0, i; + +- if (vcpu->arch.pio.in) +- r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port, +- vcpu->arch.pio.size, pd); +- else +- r = kvm_io_bus_write(vcpu, KVM_PIO_BUS, +- vcpu->arch.pio.port, vcpu->arch.pio.size, +- pd); ++ for (i = 0; i < vcpu->arch.pio.count; i++) { ++ if (vcpu->arch.pio.in) ++ r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port, ++ vcpu->arch.pio.size, pd); ++ else ++ r = kvm_io_bus_write(vcpu, KVM_PIO_BUS, ++ vcpu->arch.pio.port, vcpu->arch.pio.size, ++ pd); ++ if (r) ++ break; ++ pd += vcpu->arch.pio.size; ++ } + return r; + } + +@@ -4810,6 +4814,8 @@ static int emulator_pio_in_emulated(stru + if (vcpu->arch.pio.count) + goto data_avail; + ++ memset(vcpu->arch.pio_data, 0, size * count); ++ + ret = emulator_pio_in_out(vcpu, size, port, val, count, true); + if (ret) { + data_avail: diff --git a/queue-4.9/regulator-rk808-fix-rk818-ldo2.patch b/queue-4.9/regulator-rk808-fix-rk818-ldo2.patch new file mode 100644 index 00000000000..a7135210ad3 --- /dev/null +++ b/queue-4.9/regulator-rk808-fix-rk818-ldo2.patch @@ -0,0 +1,30 @@ +From 75f88115391156b3f0fecbbae76bf870c89bcab8 Mon Sep 17 00:00:00 2001 +From: Wadim Egorov +Date: Wed, 22 Mar 2017 16:50:50 +0100 +Subject: regulator: rk808: Fix RK818 LDO2 + +From: Wadim Egorov + +commit 75f88115391156b3f0fecbbae76bf870c89bcab8 upstream. + +Set the correct voltage select register for LDO2. + +Signed-off-by: Wadim Egorov +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/rk808-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/regulator/rk808-regulator.c ++++ b/drivers/regulator/rk808-regulator.c +@@ -520,7 +520,7 @@ static const struct regulator_desc rk818 + RK818_LDO1_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG, + BIT(0), 400), + RK8XX_DESC(RK818_ID_LDO2, "LDO_REG2", "vcc6", 1800, 3400, 100, +- RK818_LDO1_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG, ++ RK818_LDO2_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG, + BIT(1), 400), + { + .name = "LDO_REG3", diff --git a/queue-4.9/regulator-tps65023-fix-inverted-core-enable-logic.patch b/queue-4.9/regulator-tps65023-fix-inverted-core-enable-logic.patch new file mode 100644 index 00000000000..f0a8b7cf644 --- /dev/null +++ b/queue-4.9/regulator-tps65023-fix-inverted-core-enable-logic.patch @@ -0,0 +1,43 @@ +From c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 Mon Sep 17 00:00:00 2001 +From: Richard Cochran +Date: Mon, 17 Apr 2017 10:23:36 +0200 +Subject: regulator: tps65023: Fix inverted core enable logic. + +From: Richard Cochran + +commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream. + +Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use +regmap_read/write(), regmap_update_bits functions directly") intended +to replace working inline helper functions with standard regmap +calls. However, it also inverted the set/clear logic of the "CORE ADJ +Allowed" bit. That patch was clearly never tested, since without that +bit cleared, the core VDCDC1 voltage output does not react to I2C +configuration changes. + +This patch fixes the issue by clearing the bit as in the original, +correct implementation. Note for stable back porting that, due to +subsequent driver churn, this patch will not apply on every kernel +version. + +Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly") +Signed-off-by: Richard Cochran +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/tps65023-regulator.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/regulator/tps65023-regulator.c ++++ b/drivers/regulator/tps65023-regulator.c +@@ -311,8 +311,7 @@ static int tps_65023_probe(struct i2c_cl + + /* Enable setting output voltage by I2C */ + regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2, +- TPS65023_REG_CTRL2_CORE_ADJ, +- TPS65023_REG_CTRL2_CORE_ADJ); ++ TPS65023_REG_CTRL2_CORE_ADJ, 0); + + return 0; + } diff --git a/queue-4.9/s390-cputime-fix-incorrect-system-time.patch b/queue-4.9/s390-cputime-fix-incorrect-system-time.patch new file mode 100644 index 00000000000..3d9d90d4a0a --- /dev/null +++ b/queue-4.9/s390-cputime-fix-incorrect-system-time.patch @@ -0,0 +1,95 @@ +From 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Tue, 2 May 2017 13:36:00 +0200 +Subject: s390/cputime: fix incorrect system time + +From: Martin Schwidefsky + +commit 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e upstream. + +git commit c5328901aa1db134 "[S390] entry[64].S improvements" removed +the update of the exit_timer lowcore field from the critical section +cleanup of the .Lsysc_restore/.Lsysc_done and .Lio_restore/.Lio_done +blocks. If the PSW is updated by the critical section cleanup to point to +user space again, the interrupt entry code will do a vtime calculation +after the cleanup completed with an exit_timer value which has *not* been +updated. Due to this incorrect system time deltas are calculated. + +If an interrupt occured with an old PSW between .Lsysc_restore/.Lsysc_done +or .Lio_restore/.Lio_done update __LC_EXIT_TIMER with the system entry +time of the interrupt. + +Tested-by: Christian Borntraeger +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/entry.S | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -321,6 +321,7 @@ ENTRY(system_call) + lg %r14,__LC_VDSO_PER_CPU + lmg %r0,%r10,__PT_R0(%r11) + mvc __LC_RETURN_PSW(16),__PT_PSW(%r11) ++.Lsysc_exit_timer: + stpt __LC_EXIT_TIMER + mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER + lmg %r11,%r15,__PT_R11(%r11) +@@ -606,6 +607,7 @@ ENTRY(io_int_handler) + lg %r14,__LC_VDSO_PER_CPU + lmg %r0,%r10,__PT_R0(%r11) + mvc __LC_RETURN_PSW(16),__PT_PSW(%r11) ++.Lio_exit_timer: + stpt __LC_EXIT_TIMER + mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER + lmg %r11,%r15,__PT_R11(%r11) +@@ -1135,15 +1137,23 @@ cleanup_critical: + br %r14 + + .Lcleanup_sysc_restore: ++ # check if stpt has been executed + clg %r9,BASED(.Lcleanup_sysc_restore_insn) ++ jh 0f ++ mvc __LC_EXIT_TIMER(8),__LC_ASYNC_ENTER_TIMER ++ cghi %r11,__LC_SAVE_AREA_ASYNC + je 0f ++ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER ++0: clg %r9,BASED(.Lcleanup_sysc_restore_insn+8) ++ je 1f + lg %r9,24(%r11) # get saved pointer to pt_regs + mvc __LC_RETURN_PSW(16),__PT_PSW(%r9) + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) +-0: lmg %r8,%r9,__LC_RETURN_PSW ++1: lmg %r8,%r9,__LC_RETURN_PSW + br %r14 + .Lcleanup_sysc_restore_insn: ++ .quad .Lsysc_exit_timer + .quad .Lsysc_done - 4 + + .Lcleanup_io_tif: +@@ -1151,15 +1161,20 @@ cleanup_critical: + br %r14 + + .Lcleanup_io_restore: ++ # check if stpt has been executed + clg %r9,BASED(.Lcleanup_io_restore_insn) +- je 0f ++ jh 0f ++ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER ++0: clg %r9,BASED(.Lcleanup_io_restore_insn+8) ++ je 1f + lg %r9,24(%r11) # get saved r11 pointer to pt_regs + mvc __LC_RETURN_PSW(16),__PT_PSW(%r9) + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) +-0: lmg %r8,%r9,__LC_RETURN_PSW ++1: lmg %r8,%r9,__LC_RETURN_PSW + br %r14 + .Lcleanup_io_restore_insn: ++ .quad .Lio_exit_timer + .quad .Lio_done - 4 + + .Lcleanup_idle: diff --git a/queue-4.9/s390-kdump-add-final-note.patch b/queue-4.9/s390-kdump-add-final-note.patch new file mode 100644 index 00000000000..2c6118b8b1f --- /dev/null +++ b/queue-4.9/s390-kdump-add-final-note.patch @@ -0,0 +1,73 @@ +From dcc00b79fc3d076832f7240de8870f492629b171 Mon Sep 17 00:00:00 2001 +From: Michael Holzheu +Date: Thu, 23 Mar 2017 21:02:54 +0100 +Subject: s390/kdump: Add final note + +From: Michael Holzheu + +commit dcc00b79fc3d076832f7240de8870f492629b171 upstream. + +Since linux v3.14 with commit 38dfac843cb6d7be1 ("vmcore: prevent PT_NOTE +p_memsz overflow during header update") on s390 we get the following +message in the kdump kernel: + + Warning: Exceeded p_memsz, dropping PT_NOTE entry n_namesz=0x6b6b6b6b, + n_descsz=0x6b6b6b6b + +The reason for this is that we don't create a final zero note in +the ELF header which the proc/vmcore code uses to find out the end +of the notes section (see also kernel/kexec_core.c:final_note()). + +It still worked on s390 by chance because we (most of the time?) have the +byte pattern 0x6b6b6b6b after the notes section which also makes the notes +parsing code stop in update_note_header_size_elf64() because 0x6b6b6b6b is +interpreded as note size: + + if ((real_sz + sz) > max_sz) { + pr_warn("Warning: Exceeded p_memsz, dropping P ...); + break; + } + +So fix this and add the missing final note to the ELF header. +We don't have to adjust the memory size for ELF header ("alloc_size") +because the new ELF note still fits into the 0x1000 base memory. + +Signed-off-by: Michael Holzheu +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/crash_dump.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/s390/kernel/crash_dump.c ++++ b/arch/s390/kernel/crash_dump.c +@@ -427,6 +427,20 @@ static void *nt_vmcoreinfo(void *ptr) + } + + /* ++ * Initialize final note (needed for /proc/vmcore code) ++ */ ++static void *nt_final(void *ptr) ++{ ++ Elf64_Nhdr *note; ++ ++ note = (Elf64_Nhdr *) ptr; ++ note->n_namesz = 0; ++ note->n_descsz = 0; ++ note->n_type = 0; ++ return PTR_ADD(ptr, sizeof(Elf64_Nhdr)); ++} ++ ++/* + * Initialize ELF header (new kernel) + */ + static void *ehdr_init(Elf64_Ehdr *ehdr, int mem_chunk_cnt) +@@ -513,6 +527,7 @@ static void *notes_init(Elf64_Phdr *phdr + if (sa->prefix != 0) + ptr = fill_cpu_elf_notes(ptr, cpu++, sa); + ptr = nt_vmcoreinfo(ptr); ++ ptr = nt_final(ptr); + memset(phdr, 0, sizeof(*phdr)); + phdr->p_type = PT_NOTE; + phdr->p_offset = notes_offset; diff --git a/queue-4.9/series b/queue-4.9/series index 9f33590afe9..d8c61b9d35b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -33,3 +33,14 @@ md-md_closing-needs-to-be-cleared-after-called-md_set_readonly-or-do_md_stop.pat rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch mwifiex-mac-randomization-should-not-be-persistent.patch mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch +ima-accept-previously-set-ima_new_file.patch +kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch +kvm-x86-fix-potential-preemption-when-get-the-current-kvmclock-timestamp.patch +kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch +x86-fix-32-bit-case-of-__get_user_asm_u64.patch +regulator-rk808-fix-rk818-ldo2.patch +regulator-tps65023-fix-inverted-core-enable-logic.patch +s390-kdump-add-final-note.patch +s390-cputime-fix-incorrect-system-time.patch +ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch +ath9k_htc-fix-null-deref-at-probe.patch diff --git a/queue-4.9/x86-fix-32-bit-case-of-__get_user_asm_u64.patch b/queue-4.9/x86-fix-32-bit-case-of-__get_user_asm_u64.patch new file mode 100644 index 00000000000..47157841f2a --- /dev/null +++ b/queue-4.9/x86-fix-32-bit-case-of-__get_user_asm_u64.patch @@ -0,0 +1,85 @@ +From 33c9e9729033387ef0521324c62e7eba529294af Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sun, 21 May 2017 18:26:54 -0700 +Subject: x86: fix 32-bit case of __get_user_asm_u64() + +From: Linus Torvalds + +commit 33c9e9729033387ef0521324c62e7eba529294af upstream. + +The code to fetch a 64-bit value from user space was entirely buggered, +and has been since the code was merged in early 2016 in commit +b2f680380ddf ("x86/mm/32: Add support for 64-bit __get_user() on 32-bit +kernels"). + +Happily the buggered routine is almost certainly entirely unused, since +the normal way to access user space memory is just with the non-inlined +"get_user()", and the inlined version didn't even historically exist. + +The normal "get_user()" case is handled by external hand-written asm in +arch/x86/lib/getuser.S that doesn't have either of these issues. + +There were two independent bugs in __get_user_asm_u64(): + + - it still did the STAC/CLAC user space access marking, even though + that is now done by the wrapper macros, see commit 11f1a4b9755f + ("x86: reorganize SMAP handling in user space accesses"). + + This didn't result in a semantic error, it just means that the + inlined optimized version was hugely less efficient than the + allegedly slower standard version, since the CLAC/STAC overhead is + quite high on modern Intel CPU's. + + - the double register %eax/%edx was marked as an output, but the %eax + part of it was touched early in the asm, and could thus clobber other + inputs to the asm that gcc didn't expect it to touch. + + In particular, that meant that the generated code could look like + this: + + mov (%eax),%eax + mov 0x4(%eax),%edx + + where the load of %edx obviously was _supposed_ to be from the 32-bit + word that followed the source of %eax, but because %eax was + overwritten by the first instruction, the source of %edx was + basically random garbage. + +The fixes are trivial: remove the extraneous STAC/CLAC entries, and mark +the 64-bit output as early-clobber to let gcc know that no inputs should +alias with the output register. + +Cc: Al Viro +Cc: Benjamin LaHaise +Cc: Ingo Molnar +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/uaccess.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -315,10 +315,10 @@ do { \ + #define __get_user_asm_u64(x, ptr, retval, errret) \ + ({ \ + __typeof__(ptr) __ptr = (ptr); \ +- asm volatile(ASM_STAC "\n" \ ++ asm volatile("\n" \ + "1: movl %2,%%eax\n" \ + "2: movl %3,%%edx\n" \ +- "3: " ASM_CLAC "\n" \ ++ "3:\n" \ + ".section .fixup,\"ax\"\n" \ + "4: mov %4,%0\n" \ + " xorl %%eax,%%eax\n" \ +@@ -327,7 +327,7 @@ do { \ + ".previous\n" \ + _ASM_EXTABLE(1b, 4b) \ + _ASM_EXTABLE(2b, 4b) \ +- : "=r" (retval), "=A"(x) \ ++ : "=r" (retval), "=&A"(x) \ + : "m" (__m(__ptr)), "m" __m(((u32 *)(__ptr)) + 1), \ + "i" (errret), "0" (retval)); \ + })