From: Greg Kroah-Hartman Date: Sat, 4 Aug 2018 08:12:08 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v4.17.13~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53648c4314fb62eedd3c49e5e27f6d8f9d1b2dd8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: audit-fix-potential-null-dereference-context-module.name.patch brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch crypto-padlock-aes-fix-nano-workaround-data-corruption.patch drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch iwlwifi-add-more-card-ids-for-9000-series.patch kvm-x86-vmx-fix-vpid-leak.patch net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch rdma-uverbs-expand-primary-and-alt-av-port-checks.patch scsi-sg-fix-minor-memory-leak-in-error-path.patch squashfs-more-metadata-hardening.patch squashfs-more-metadata-hardenings.patch userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch virtio_balloon-fix-another-race-between-migration-and-ballooning.patch x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch --- diff --git a/queue-4.17/audit-fix-potential-null-dereference-context-module.name.patch b/queue-4.17/audit-fix-potential-null-dereference-context-module.name.patch new file mode 100644 index 00000000000..b2fedf0d4d9 --- /dev/null +++ b/queue-4.17/audit-fix-potential-null-dereference-context-module.name.patch 
@@ -0,0 +1,55 @@ +From b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Wed, 25 Jul 2018 10:26:19 +0800 +Subject: audit: fix potential null dereference 'context->module.name' + +From: Yi Wang + +commit b305f7ed0f4f494ad6f3ef5667501535d5a8fa31 upstream. + +The variable 'context->module.name' may be null pointer when +kmalloc return null, so it's better to check it before using +to avoid null dereference. +Another one more thing this patch does is using kstrdup instead +of (kmalloc + strcpy), and signal a lost record via audit_log_lost. + +Cc: stable@vger.kernel.org # 4.11 +Signed-off-by: Yi Wang +Reviewed-by: Jiang Biao +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditsc.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1274,8 +1274,12 @@ static void show_special(struct audit_co + break; + case AUDIT_KERN_MODULE: + audit_log_format(ab, "name="); +- audit_log_untrustedstring(ab, context->module.name); +- kfree(context->module.name); ++ if (context->module.name) { ++ audit_log_untrustedstring(ab, context->module.name); ++ kfree(context->module.name); ++ } else ++ audit_log_format(ab, "(null)"); ++ + break; + } + audit_log_end(ab); +@@ -2408,8 +2412,9 @@ void __audit_log_kern_module(char *name) + { + struct audit_context *context = current->audit_context; + +- context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL); +- strcpy(context->module.name, name); ++ context->module.name = kstrdup(name, GFP_KERNEL); ++ if (!context->module.name) ++ audit_log_lost("out of memory in __audit_log_kern_module"); + context->type = AUDIT_KERN_MODULE; + } + diff --git a/queue-4.17/brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch b/queue-4.17/brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch new file mode 100644 index 00000000000..11cac2bd96f --- /dev/null 
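Review bot: In the show_special hunk the `if (context->module.name) { ... }` branch is braced while its `else` is not; kernel coding style asks for braces on both arms when either needs them, so the tail should read `} else {` / `audit_log_format(ab, "(null)");` / `}`. The `__audit_log_kern_module` hunk is otherwise sound: `kstrdup` yields NULL both for a NULL `name` and on allocation failure, and `context->type` is still set, so the record is emitted with the `(null)` placeholder instead of being dropped while `audit_log_lost` records the degradation. Both enclosing functions extend beyond the hunk.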
+++ b/queue-4.17/brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch 
@@ -0,0 +1,46 @@ +From 299b6365a3b7cf7f5ea1c945a420e9ee4841d6f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Sun, 22 Jul 2018 23:46:25 +0200 +Subject: brcmfmac: fix regression in parsing NVRAM for multiple devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit 299b6365a3b7cf7f5ea1c945a420e9ee4841d6f7 upstream. + +NVRAM is designed to work with Broadcom's SDK Linux kernel which fakes +PCI domain 0 for all internal MMIO devices. Since official Linux kernel +uses platform devices for that purpose there is a mismatch in numbering +PCI domains. + +There used to be a fix for that problem but it was accidentally dropped +during the last firmware loading rework. That resulted in brcmfmac not +being able to extract device specific NVRAM content and all kind of +calibration problems. + +Reported-by: Aditya Xavier +Fixes: 2baa3aaee27f ("brcmfmac: introduce brcmf_fw_alloc_request() function") +Cc: stable@vger.kernel.org # v4.17+ +Signed-off-by: Rafał Miłecki +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -1755,7 +1755,8 @@ brcmf_pcie_prepare_fw_request(struct brc + fwreq->items[BRCMF_PCIE_FW_CODE].type = BRCMF_FW_TYPE_BINARY; + fwreq->items[BRCMF_PCIE_FW_NVRAM].type = BRCMF_FW_TYPE_NVRAM; + fwreq->items[BRCMF_PCIE_FW_NVRAM].flags = BRCMF_FW_REQF_OPTIONAL; +- fwreq->domain_nr = pci_domain_nr(devinfo->pdev->bus); ++ /* NVRAM reserves PCI domain 0 for Broadcom's SDK faked bus */ ++ fwreq->domain_nr = pci_domain_nr(devinfo->pdev->bus) + 1; + fwreq->bus_nr = devinfo->pdev->bus->number; + + return fwreq; 
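Review bot: The new comment explains why `+ 1` is applied to `fwreq->domain_nr` but not that the value is matched against NVRAM content elsewhere, so a reader of this line alone cannot tell the offset is a contract with the NVRAM parser rather than a local quirk. Consider extending it to `/* NVRAM reserves PCI domain 0 for Broadcom's SDK faked bus; the NVRAM parser presumably keys entries on this shifted domain, so both sides must agree */`, adjusted to what the parser actually does since it is outside this hunk. brcmf_pcie_prepare_fw_request starts outside the hunk.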
diff --git a/queue-4.17/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch b/queue-4.17/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch new file mode 100644 index 00000000000..11bb5de0b41 --- /dev/null +++ b/queue-4.17/can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch @@ -0,0 +1,33 @@ +From 72c05f32f4a5055c9c8fe889bb6903ec959c0aad Mon Sep 17 00:00:00 2001 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 18:50:42 +0300 +Subject: can: ems_usb: Fix memory leak on ems_usb_disconnect() + +From: Anton Vasilyev + +commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream. + +ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there +is no its deallocation in ems_usb_disconnect(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Cc: +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/ems_usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -1072,6 +1072,7 @@ static void ems_usb_disconnect(struct us + usb_free_urb(dev->intr_urb); + + kfree(dev->intr_in_buffer); ++ kfree(dev->tx_msg_buffer); + } + } + diff --git a/queue-4.17/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch b/queue-4.17/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch new file mode 100644 index 00000000000..acd0eaf5b48 --- /dev/null +++ b/queue-4.17/crypto-padlock-aes-fix-nano-workaround-data-corruption.patch 
@@ -0,0 +1,71 @@ +From 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 13 Jul 2018 16:12:32 +0800 +Subject: crypto: padlock-aes - Fix Nano workaround data corruption + +From: Herbert Xu + +commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream. + +This was detected by the self-test thanks to Ard's chunking patch. + +I finally got around to testing this out on my ancient Via box. It +turns out that the workaround got the assembly wrong and we end up +doing count + initial cycles of the loop instead of just count. + +This obviously causes corruption, either by overwriting the source +that is yet to be processed, or writing over the end of the buffer. + +On CPUs that don't require the workaround only ECB is affected. +On Nano CPUs both ECB and CBC are affected. + +This patch fixes it by doing the subtraction prior to the assembly. + +Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...") +Cc: +Reported-by: Jamie Heilman +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/padlock-aes.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/padlock-aes.c ++++ b/drivers/crypto/padlock-aes.c +@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co + return; + } + ++ count -= initial; ++ + if (initial) + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co + + asm volatile (".byte 0xf3,0x0f,0xa7,0xc8" /* rep xcryptecb */ + : "+S"(input), "+D"(output) +- : "d"(control_word), "b"(key), "c"(count - initial)); ++ : "d"(control_word), "b"(key), "c"(count)); + } + + static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key, +@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con + if (count < cbc_fetch_blocks) + return cbc_crypt(input, output, key, iv, control_word, count); + ++ count -= initial; ++ + if (initial) + asm 
volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con + + asm volatile (".byte 0xf3,0x0f,0xa7,0xd0" /* rep xcryptcbc */ + : "+S" (input), "+D" (output), "+a" (iv) +- : "d" (control_word), "b" (key), "c" (count-initial)); ++ : "d" (control_word), "b" (key), "c" (count)); + return iv; + } + diff --git a/queue-4.17/drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch b/queue-4.17/drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch new file mode 100644 index 00000000000..7bdfa86f68b --- /dev/null +++ b/queue-4.17/drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch 
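Review bot: `count -= initial;` is the whole fix in both padlock_xcrypt_ecb and padlock_xcrypt_cbc, yet it carries no comment, and why it sits before the `if (initial)` block rather than after is not obvious from the two asm statements that follow. A one-line comment above it in each function, `/* the first 'initial' blocks are handled by the separate rep below; only the remainder goes through the bulk rep */`, would keep the next reader from folding it back into the `count - initial` operand form that processed `count + initial` blocks and overran the buffer. The hunk shows neither the types of `count` and `initial` nor where `initial` is computed, so correctness relies on `initial <= count` holding by construction above the hunk; both enclosing functions start outside it.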
@@ -0,0 +1,40 @@ +From 603ba2dfb338b307aebe95fe344c479a59b3a175 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 24 Jul 2018 15:32:15 +0200 +Subject: drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check() + +From: Boris Brezillon + +commit 603ba2dfb338b307aebe95fe344c479a59b3a175 upstream. + +Async plane update is supposed to work only when updating the FB or FB +position of an already enabled plane. That does not apply to requests +where the plane was previously disabled or assigned to a different +CTRC. + +Check old_plane_state->crtc value to make sure async plane update is +allowed. + +Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update") +Cc: +Signed-off-by: Boris Brezillon +Reviewed-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20180724133215.31917-1-boris.brezillon@bootlin.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_atomic_helper.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1516,7 +1516,8 @@ int drm_atomic_helper_async_check(struct + if (n_planes != 1) + return -EINVAL; + +- if (!new_plane_state->crtc) ++ if (!new_plane_state->crtc || ++ old_plane_state->crtc != new_plane_state->crtc) + return -EINVAL; + + funcs = plane->helper_private; diff --git a/queue-4.17/drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch b/queue-4.17/drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch new file mode 100644 index 00000000000..a6123538c1c --- /dev/null +++ b/queue-4.17/drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch 
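Review bot: The added `old_plane_state->crtc` dereference is only safe because the `n_planes != 1` check above guarantees the plane loop assigned the three plane variables exactly once; the sibling patch in this series (drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy) sets them to NULL purely to quiet gcc, so a NULL `old_plane_state` reaching this line would be a real bug rather than a silenced warning. A comment above the check such as `/* exactly one plane is in this state, so plane/old_plane_state/new_plane_state refer to it */` would make the invariant explicit for both hunks. drm_atomic_helper_async_check begins and ends outside the hunk.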
@@ -0,0 +1,44 @@ +From de2d8db395c32d121d02871819444b631f73e0b6 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 24 Jul 2018 15:33:00 +0200 +Subject: drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make gcc happy + +From: Boris Brezillon + +commit de2d8db395c32d121d02871819444b631f73e0b6 upstream. + +drm_atomic_helper_async_check() declares the plane, old_plane_state and +new_plane_state variables to iterate over all planes of the atomic +state and make sure only one plane is enabled. + +Unfortunately gcc is not smart enough to figure out that the check on +n_planes is enough to guarantee that plane, new_plane_state and +old_plane_state are initialized. + +Explicitly initialize those variables to NULL to make gcc happy. + +Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update") +Cc: +Signed-off-by: Boris Brezillon +Reviewed-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20180724133300.32023-1-boris.brezillon@bootlin.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_atomic_helper.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1499,8 +1499,9 @@ int drm_atomic_helper_async_check(struct + { + struct drm_crtc *crtc; + struct drm_crtc_state *crtc_state; +- struct drm_plane *plane; +- struct drm_plane_state *old_plane_state, *new_plane_state; ++ struct drm_plane *plane = NULL; ++ struct drm_plane_state *old_plane_state = NULL; ++ struct drm_plane_state *new_plane_state = NULL; + const struct drm_plane_helper_funcs *funcs; + int i, n_planes = 0; + diff --git a/queue-4.17/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch b/queue-4.17/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch new file mode 100644 index 00000000000..3b5c864d45f --- /dev/null +++ b/queue-4.17/drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch 
@@ -0,0 +1,36 @@ +From a6a00918d4ad8718c3ccde38c02cec17f116b2fd Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 24 Jul 2018 15:36:01 +0200 +Subject: drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats + +From: Boris Brezillon + +commit a6a00918d4ad8718c3ccde38c02cec17f116b2fd upstream. + +This is needed to ensure ->is_unity is correct when the plane was +previously configured to output a multi-planar format with scaling +enabled, and is then being reconfigured to output a uniplanar format. + +Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.") +Cc: +Signed-off-by: Boris Brezillon +Reviewed-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezillon@bootlin.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vc4/vc4_plane.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -319,6 +319,9 @@ static int vc4_plane_setup_clipping_and_ + vc4_state->x_scaling[0] = VC4_SCALING_TPZ; + if (vc4_state->y_scaling[0] == VC4_SCALING_NONE) + vc4_state->y_scaling[0] = VC4_SCALING_TPZ; ++ } else { ++ vc4_state->x_scaling[1] = VC4_SCALING_NONE; ++ vc4_state->y_scaling[1] = VC4_SCALING_NONE; + } + + vc4_state->is_unity = (vc4_state->x_scaling[0] == VC4_SCALING_NONE && diff --git a/queue-4.17/ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch b/queue-4.17/ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch new file mode 100644 index 00000000000..926c22af021 --- /dev/null +++ b/queue-4.17/ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch 
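Review bot: The new `else` branch resets `x_scaling[1]`/`y_scaling[1]` with no comment, and its purpose (clearing second-plane scaling left over from a previous multi-planar configuration so the `is_unity` computation that follows is correct) lives only in the commit message. Suggest `/* uniplanar format: clear stale plane-1 scaling so is_unity below is not tainted by a previous multi-planar setup */` above the two assignments. vc4_plane_setup_clipping_and_scaling begins and ends outside the hunk.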
@@ -0,0 +1,117 @@ +From eec3636ad198d4ac61e574cb122cb67e9bef5492 Mon Sep 17 00:00:00 2001 +From: Jane Chu +Date: Thu, 2 Aug 2018 15:36:05 -0700 +Subject: ipc/shm.c add ->pagesize function to shm_vm_ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jane Chu + +commit eec3636ad198d4ac61e574cb122cb67e9bef5492 upstream. + +Commit 05ea88608d4e ("mm, hugetlbfs: introduce ->pagesize() to +vm_operations_struct") adds a new ->pagesize() function to +hugetlb_vm_ops, intended to cover all hugetlbfs backed files. + +With System V shared memory model, if "huge page" is specified, the +"shared memory" is backed by hugetlbfs files, but the mappings initiated +via shmget/shmat have their original vm_ops overwritten with shm_vm_ops, +so we need to add a ->pagesize function to shm_vm_ops. Otherwise, +vma_kernel_pagesize() returns PAGE_SIZE given a hugetlbfs backed vma, +result in below BUG: + + fs/hugetlbfs/inode.c + 443 if (unlikely(page_mapped(page))) { + 444 BUG_ON(truncate_op); + +resulting in + + hugetlbfs: oracle (4592): Using mlock ulimits for SHM_HUGETLB is deprecated + ------------[ cut here ]------------ + kernel BUG at fs/hugetlbfs/inode.c:444! + Modules linked in: nfsv3 rpcsec_gss_krb5 nfsv4 ... + CPU: 35 PID: 5583 Comm: oracle_5583_sbt Not tainted 4.14.35-1829.el7uek.x86_64 #2 + RIP: 0010:remove_inode_hugepages+0x3db/0x3e2 + .... 
+ Call Trace: + hugetlbfs_evict_inode+0x1e/0x3e + evict+0xdb/0x1af + iput+0x1a2/0x1f7 + dentry_unlink_inode+0xc6/0xf0 + __dentry_kill+0xd8/0x18d + dput+0x1b5/0x1ed + __fput+0x18b/0x216 + ____fput+0xe/0x10 + task_work_run+0x90/0xa7 + exit_to_usermode_loop+0xdd/0x116 + do_syscall_64+0x187/0x1ae + entry_SYSCALL_64_after_hwframe+0x150/0x0 + +[jane.chu@oracle.com: relocate comment] + Link: http://lkml.kernel.org/r/20180731044831.26036-1-jane.chu@oracle.com +Link: http://lkml.kernel.org/r/20180727211727.5020-1-jane.chu@oracle.com +Fixes: 05ea88608d4e13 ("mm, hugetlbfs: introduce ->pagesize() to vm_operations_struct") +Signed-off-by: Jane Chu +Suggested-by: Mike Kravetz +Reviewed-by: Mike Kravetz +Acked-by: Davidlohr Bueso +Acked-by: Michal Hocko +Cc: Dan Williams +Cc: Jan Kara +Cc: Jérôme Glisse +Cc: Manfred Spraul +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/shm.c | 12 ++++++++++++ + mm/hugetlb.c | 7 +++++++ + 2 files changed, 19 insertions(+) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -427,6 +427,17 @@ static int shm_split(struct vm_area_stru + return 0; + } + ++static unsigned long shm_pagesize(struct vm_area_struct *vma) ++{ ++ struct file *file = vma->vm_file; ++ struct shm_file_data *sfd = shm_file_data(file); ++ ++ if (sfd->vm_ops->pagesize) ++ return sfd->vm_ops->pagesize(vma); ++ ++ return PAGE_SIZE; ++} ++ + #ifdef CONFIG_NUMA + static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new) + { +@@ -554,6 +565,7 @@ static const struct vm_operations_struct + .close = shm_close, /* callback for when the vm-area is released */ + .fault = shm_fault, + .split = shm_split, ++ .pagesize = shm_pagesize, + #if defined(CONFIG_NUMA) + .set_policy = shm_set_policy, + .get_policy = shm_get_policy, +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3166,6 +3166,13 @@ static int hugetlb_vm_op_fault(struct vm + return 0; + } + ++/* ++ * When a new function is introduced to vm_operations_struct and added 
++ * to hugetlb_vm_ops, please consider adding the function to shm_vm_ops. ++ * This is because under System V memory model, mappings created via ++ * shmget/shmat with "huge page" specified are backed by hugetlbfs files, ++ * their original vm_ops are overwritten with shm_vm_ops. ++ */ + const struct vm_operations_struct hugetlb_vm_ops = { + .fault = hugetlb_vm_op_fault, + .open = hugetlb_vm_op_open, diff --git a/queue-4.17/iwlwifi-add-more-card-ids-for-9000-series.patch b/queue-4.17/iwlwifi-add-more-card-ids-for-9000-series.patch new file mode 100644 index 00000000000..75f8180371f --- /dev/null +++ b/queue-4.17/iwlwifi-add-more-card-ids-for-9000-series.patch 
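Review bot: `shm_pagesize` dereferences `sfd->vm_ops` unconditionally before testing `->pagesize`; this appears to mirror the neighbouring shm_* callbacks, but nothing in the hunk establishes that `vm_ops` is always set once a mapping exists, so a short comment naming where that guarantee comes from (presumably the mmap path, outside this hunk) would help the next reader. The function also has no header comment; `/* Defer to the backing file's ->pagesize (hugetlbfs), else a normal page. */` would document the fallback to `PAGE_SIZE`. The mm/hugetlb.c comment is a good addition and needs no change.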
@@ -0,0 +1,240 @@ +From 0a5257bc6d89c2ae69b9bf955679cb4f89261874 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Tue, 17 Jul 2018 13:43:56 +0300 +Subject: iwlwifi: add more card IDs for 9000 series + +From: Emmanuel Grumbach + +commit 0a5257bc6d89c2ae69b9bf955679cb4f89261874 upstream. + +Add new device IDs for the 9000 series. + +Cc: stable@vger.kernel.org # 4.14 +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/cfg/9000.c | 69 ++++++++++++++++++++++++ + drivers/net/wireless/intel/iwlwifi/iwl-config.h | 5 + + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 +++++++ + 3 files changed, 96 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/cfg/9000.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/9000.c +@@ -180,6 +180,17 @@ const struct iwl_cfg iwl9260_2ac_cfg = { + .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, + }; + ++const struct iwl_cfg iwl9260_killer_2ac_cfg = { ++ .name = "Killer (R) Wireless-AC 1550 Wireless Network Adapter (9260NGW)", ++ .fw_name_pre = IWL9260A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9260B_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++}; ++ + const struct iwl_cfg iwl9270_2ac_cfg = { + .name = "Intel(R) Dual Band Wireless AC 9270", + .fw_name_pre = IWL9260A_FW_PRE, +@@ -269,6 +280,34 @@ const struct iwl_cfg iwl9560_2ac_cfg_soc + .soc_latency = 5000, + }; + ++const struct iwl_cfg iwl9560_killer_2ac_cfg_soc = { ++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = 
IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++}; ++ ++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc = { ++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++}; ++ + const struct iwl_cfg iwl9460_2ac_cfg_shared_clk = { + .name = "Intel(R) Dual Band Wireless AC 9460", + .fw_name_pre = IWL9000A_FW_PRE, +@@ -319,6 +358,36 @@ const struct iwl_cfg iwl9560_2ac_cfg_sha + .fw_name_pre = IWL9000A_FW_PRE, + .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, + .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK ++}; ++ ++const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk = { ++ .name = "Killer (R) Wireless-AC 1550i Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, ++ IWL_DEVICE_9000, ++ .ht_params = &iwl9000_ht_params, ++ .nvm_ver = IWL9000_NVM_VERSION, ++ .nvm_calib_ver = IWL9000_TX_POWER_VERSION, ++ .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K, ++ .integrated = true, ++ .soc_latency = 5000, ++ .extra_phy_cfg_flags = FW_PHY_CFG_SHARED_CLK ++}; ++ ++const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk = { ++ .name = "Killer (R) Wireless-AC 1550s Wireless Network Adapter (9560NGW)", ++ .fw_name_pre = IWL9000A_FW_PRE, ++ .fw_name_pre_b_or_c_step = 
IWL9000B_FW_PRE, ++ .fw_name_pre_rf_next_step = IWL9000RFB_FW_PRE, + IWL_DEVICE_9000, + .ht_params = &iwl9000_ht_params, + .nvm_ver = IWL9000_NVM_VERSION, +--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h +@@ -471,6 +471,7 @@ extern const struct iwl_cfg iwl8275_2ac_ + extern const struct iwl_cfg iwl4165_2ac_cfg; + extern const struct iwl_cfg iwl9160_2ac_cfg; + extern const struct iwl_cfg iwl9260_2ac_cfg; ++extern const struct iwl_cfg iwl9260_killer_2ac_cfg; + extern const struct iwl_cfg iwl9270_2ac_cfg; + extern const struct iwl_cfg iwl9460_2ac_cfg; + extern const struct iwl_cfg iwl9560_2ac_cfg; +@@ -478,10 +479,14 @@ extern const struct iwl_cfg iwl9460_2ac_ + extern const struct iwl_cfg iwl9461_2ac_cfg_soc; + extern const struct iwl_cfg iwl9462_2ac_cfg_soc; + extern const struct iwl_cfg iwl9560_2ac_cfg_soc; ++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_soc; ++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_soc; + extern const struct iwl_cfg iwl9460_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9461_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9462_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl9560_2ac_cfg_shared_clk; ++extern const struct iwl_cfg iwl9560_killer_2ac_cfg_shared_clk; ++extern const struct iwl_cfg iwl9560_killer_s_2ac_cfg_shared_clk; + extern const struct iwl_cfg iwl22000_2ac_cfg_hr; + extern const struct iwl_cfg iwl22000_2ac_cfg_hr_cdb; + extern const struct iwl_cfg iwl22000_2ac_cfg_jf; +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -545,6 +545,9 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x2526, 0x1210, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1410, iwl9270_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x1420, iwl9460_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x1550, iwl9260_killer_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2526, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ 
{IWL_PCI_DEVICE(0x2526, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x1610, iwl9270_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x2034, iwl9560_2ac_cfg_soc)}, +@@ -554,6 +557,7 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x2526, 0x40A4, iwl9460_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x4234, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x42A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2526, 0x8014, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0xA014, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0010, iwl9160_2ac_cfg)}, + {IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)}, +@@ -578,6 +582,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x2720, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2720, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x2720, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2720, 0x4030, iwl9560_2ac_cfg)}, +@@ -604,6 +610,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x30DC, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x30DC, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x30DC, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x30DC, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -630,6 +638,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x31DC, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x31DC, 0x1030, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x31DC, 0x1551, 
iwl9560_killer_s_2ac_cfg_shared_clk)}, ++ {IWL_PCI_DEVICE(0x31DC, 0x1552, iwl9560_killer_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x2030, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x2034, iwl9560_2ac_cfg_shared_clk)}, + {IWL_PCI_DEVICE(0x31DC, 0x4030, iwl9560_2ac_cfg_shared_clk)}, +@@ -656,6 +666,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x34F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x34F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x34F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x34F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x34F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -682,6 +694,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x3DF0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x3DF0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x3DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x3DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x3DF0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -708,6 +722,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x43F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x43F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x43F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x43F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x43F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -743,6 +759,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x9DF0, 0x1010, 
iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x9DF0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x9DF0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x9DF0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2010, iwl9460_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x9DF0, 0x2034, iwl9560_2ac_cfg_soc)}, +@@ -771,6 +789,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0xA0F0, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0xA0F0, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0xA0F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0xA0F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA0F0, 0x4030, iwl9560_2ac_cfg_soc)}, +@@ -797,6 +817,8 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0xA370, 0x1010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0xA370, 0x1030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x1210, iwl9260_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0xA370, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0xA370, 0x1552, iwl9560_killer_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x2030, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x2034, iwl9560_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0xA370, 0x4030, iwl9560_2ac_cfg_soc)}, diff --git a/queue-4.17/kvm-x86-vmx-fix-vpid-leak.patch b/queue-4.17/kvm-x86-vmx-fix-vpid-leak.patch new file mode 100644 index 00000000000..5911d6ebd0d --- /dev/null +++ b/queue-4.17/kvm-x86-vmx-fix-vpid-leak.patch 
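Review bot: `iwl9560_killer_2ac_cfg_soc` and `iwl9560_killer_s_2ac_cfg_soc` differ only in `.name`, and the same holds for the two new `_shared_clk` variants, so each added struct repeats a dozen identical initializers. This follows the file's existing one-struct-per-marketing-name pattern and is consistent with it, but the copy-paste surface is where a future field change gets applied to some variants and not others. For the backport nothing should change; upstream, a shared initializer macro for the common 9560 SoC fields would be the cleaner form.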
@@ -0,0 +1,65 @@ +From 63aff65573d73eb8dda4732ad4ef222dd35e4862 Mon Sep 17 00:00:00 2001 +From: Roman Kagan +Date: Thu, 19 Jul 2018 21:59:07 +0300 +Subject: kvm: x86: vmx: fix vpid leak + +From: Roman Kagan + +commit 63aff65573d73eb8dda4732ad4ef222dd35e4862 upstream. + +VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested +vmx is turned on with the module parameter. + +However, it's only freed if the L1 guest has executed VMXON which is not +a given. + +As a result, on a system with nested==on every creation+deletion of an +L1 vcpu without running an L2 guest results in leaking one vpid. Since +the total number of vpids is limited to 64k, they can eventually get +exhausted, preventing L2 from starting. + +Delay allocation of the L2 vpid until VMXON emulation, thus matching its +freeing. + +Fixes: 5c614b3583e7b6dab0c86356fa36c2bcbb8322a0 +Cc: stable@vger.kernel.org +Signed-off-by: Roman Kagan +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7660,6 +7660,8 @@ static int enter_vmx_operation(struct kv + HRTIMER_MODE_REL_PINNED); + vmx->nested.preemption_timer.function = vmx_preemption_timer_fn; + ++ vmx->nested.vpid02 = allocate_vpid(); ++ + vmx->nested.vmxon = true; + return 0; + +@@ -10108,11 +10110,9 @@ static struct kvm_vcpu *vmx_create_vcpu( + goto free_vmcs; + } + +- if (nested) { ++ if (nested) + nested_vmx_setup_ctls_msrs(&vmx->nested.msrs, + kvm_vcpu_apicv_active(&vmx->vcpu)); +- vmx->nested.vpid02 = allocate_vpid(); +- } + + vmx->nested.posted_intr_nv = -1; + vmx->nested.current_vmptr = -1ull; +@@ -10129,7 +10129,6 @@ static struct kvm_vcpu *vmx_create_vcpu( + return &vmx->vcpu; + + free_vmcs: +- free_vpid(vmx->nested.vpid02); + free_loaded_vmcs(vmx->loaded_vmcs); + free_msrs: + kfree(vmx->guest_msrs); 
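Review bot: The new `vmx->nested.vpid02 = allocate_vpid();` in enter_vmx_operation carries no comment tying it to the matching free, which is the whole point of moving it; a line such as `/* freed on VMXOFF/teardown together with the rest of nested state; 0 means no VPID was available */` would stop a future reader from moving it back to vcpu creation. As far as I recall allocate_vpid() returns 0 rather than an error when the pool is exhausted (the description mentions the 64k limit), so the absence of an error check here looks deliberate and is worth stating at the site. The placement also relies on the VMXON handler rejecting a repeated VMXON before this point is reached; otherwise every VMXON would take another vpid. Dropping the braces around the remaining `if (nested)` call in vmx_create_vcpu leaves a two-line unbraced body, which is legal kernel style but exactly what the braces were protecting. enter_vmx_operation and vmx_create_vcpu both start and end outside the hunk.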
diff --git a/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch b/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch
new file mode 100644
index 00000000000..ad59297e46f
--- /dev/null
+++ b/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch
@@ -0,0 +1,34 @@
+From e978de7a6d382ec378830ca2cf38e902df0b6d84 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline
+Date: Fri, 27 Jul 2018 22:43:02 +0000
+Subject: net: socket: Fix potential spectre v1 gadget in sock_is_registered
+
+From: Jeremy Cline
+
+commit e978de7a6d382ec378830ca2cf38e902df0b6d84 upstream.
+
+'family' can be a user-controlled value, so sanitize it after the bounds
+check to avoid speculative out-of-bounds access.
+
+Cc: Josh Poimboeuf
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2694,7 +2694,8 @@ EXPORT_SYMBOL(sock_unregister);
+
+ bool sock_is_registered(int family)
+ {
+- return family < NPROTO && rcu_access_pointer(net_families[family]);
++ return family < NPROTO &&
++ rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
+ }
+
+ static int __init sock_init(void)
diff --git a/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch b/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
new file mode 100644
index 00000000000..2471d4d1250
--- /dev/null
+++ b/queue-4.17/net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch
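Review bot: `family` is a signed int and `family < NPROTO` only bounds it from above, so a negative value still passes the check and reaches the `net_families[...]` index; as far as I can tell array_index_nospec() clamps such a value to 0, so the read lands on `net_families[0]` rather than before the array, but that is a side effect of the mitigation rather than an explicit check. Writing the guard as `return (unsigned int)family < NPROTO &&` makes the helper self-contained regardless of what its callers validate. Whether any caller can actually forward a negative family is not visible here.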
@@ -0,0 +1,45 @@
+From c8e8cd579bb4265651df8223730105341e61a2d1 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline
+Date: Fri, 27 Jul 2018 22:43:01 +0000
+Subject: net: socket: fix potential spectre v1 gadget in socketcall
+
+From: Jeremy Cline
+
+commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -2526,6 +2527,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
+
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+
+ len = nargs[call];
+ if (len > sizeof(a))
diff --git a/queue-4.17/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch b/queue-4.17/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
new file mode 100644
index 00000000000..8501f99ee02
--- /dev/null
+++ b/queue-4.17/rdma-uverbs-expand-primary-and-alt-av-port-checks.patch
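Review bot: The bound in `call = array_index_nospec(call, SYS_SENDMMSG + 1);` restates the size of `nargs` by hand, so it has to be kept in step with both the table declaration and the `call > SYS_SENDMMSG` range check above it; if `nargs` is declared as a real array (not visible here), `call = array_index_nospec(call, ARRAY_SIZE(nargs));` ties the clamp to the thing being indexed. The added include line has lost its header name in this rendering and shows only `++#include`; it should read `#include <linux/nospec.h>`, which is where array_index_nospec() is defined. The SYSCALL_DEFINE2 body continues outside the hunk.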
@@ -0,0 +1,112 @@ +From addb8a6559f0f8b5a37582b7ca698358445a55bf Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 11 Jul 2018 11:23:52 +0300 +Subject: RDMA/uverbs: Expand primary and alt AV port checks + +From: Jack Morgenstein + +commit addb8a6559f0f8b5a37582b7ca698358445a55bf upstream. + +The commit cited below checked that the port numbers provided in the +primary and alt AVs are legal. + +That is sufficient to prevent a kernel panic. However, it is not +sufficient for correct operation. + +In Linux, AVs (both primary and alt) must be completely self-described. +We do not accept an AV from userspace without an embedded port number. +(This has been the case since kernel 3.14 commit dbf727de7440 +("IB/core: Use GID table in AH creation and dmac resolution")). + +For the primary AV, this embedded port number must match the port number +specified with IB_QP_PORT. + +We also expect the port number embedded in the alt AV to match the +alt_port_num value passed by the userspace driver in the modify_qp command +base structure. + +Add these checks to modify_qp. 
+ +Cc: # 4.16 +Fixes: 5d4c05c3ee36 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it") +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_cmd.c | 59 ++++++++++++++++++++++++++++++++--- + 1 file changed, 54 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -1984,15 +1984,64 @@ static int modify_qp(struct ib_uverbs_fi + goto release_qp; + } + +- if ((cmd->base.attr_mask & IB_QP_AV) && +- !rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) { +- ret = -EINVAL; +- goto release_qp; ++ if ((cmd->base.attr_mask & IB_QP_AV)) { ++ if (!rdma_is_port_valid(qp->device, cmd->base.dest.port_num)) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ ++ if (cmd->base.attr_mask & IB_QP_STATE && ++ cmd->base.qp_state == IB_QPS_RTR) { ++ /* We are in INIT->RTR TRANSITION (if we are not, ++ * this transition will be rejected in subsequent checks). ++ * In the INIT->RTR transition, we cannot have IB_QP_PORT set, ++ * but the IB_QP_STATE flag is required. ++ * ++ * Since kernel 3.14 (commit dbf727de7440), the uverbs driver, ++ * when IB_QP_AV is set, has required inclusion of a valid ++ * port number in the primary AV. (AVs are created and handled ++ * differently for infiniband and ethernet (RoCE) ports). ++ * ++ * Check the port number included in the primary AV against ++ * the port number in the qp struct, which was set (and saved) ++ * in the RST->INIT transition. ++ */ ++ if (cmd->base.dest.port_num != qp->real_qp->port) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ } else { ++ /* We are in SQD->SQD. (If we are not, this transition will ++ * be rejected later in the verbs layer checks). ++ * Check for both IB_QP_PORT and IB_QP_AV, these can be set ++ * together in the SQD->SQD transition. 
++ * ++ * If only IP_QP_AV was set, add in IB_QP_PORT as well (the ++ * verbs layer driver does not track primary port changes ++ * resulting from path migration. Thus, in SQD, if the primary ++ * AV is modified, the primary port should also be modified). ++ * ++ * Note that in this transition, the IB_QP_STATE flag ++ * is not allowed. ++ */ ++ if (((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT)) ++ == (IB_QP_AV | IB_QP_PORT)) && ++ cmd->base.port_num != cmd->base.dest.port_num) { ++ ret = -EINVAL; ++ goto release_qp; ++ } ++ if ((cmd->base.attr_mask & (IB_QP_AV | IB_QP_PORT)) ++ == IB_QP_AV) { ++ cmd->base.attr_mask |= IB_QP_PORT; ++ cmd->base.port_num = cmd->base.dest.port_num; ++ } ++ } + } + + if ((cmd->base.attr_mask & IB_QP_ALT_PATH) && + (!rdma_is_port_valid(qp->device, cmd->base.alt_port_num) || +- !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num))) { ++ !rdma_is_port_valid(qp->device, cmd->base.alt_dest.port_num) || ++ cmd->base.alt_port_num != cmd->base.alt_dest.port_num)) { + ret = -EINVAL; + goto release_qp; + } diff --git a/queue-4.17/scsi-sg-fix-minor-memory-leak-in-error-path.patch b/queue-4.17/scsi-sg-fix-minor-memory-leak-in-error-path.patch new file mode 100644 index 00000000000..4e17d361c38 --- /dev/null +++ b/queue-4.17/scsi-sg-fix-minor-memory-leak-in-error-path.patch 
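Review bot: The comment in the SQD->SQD branch reads `If only IP_QP_AV was set`, which should be `IB_QP_AV`; the misspelling names a flag that does not exist and will mislead anyone grepping for the mask bits. The else branch also rewrites the command on behalf of the caller (`cmd->base.attr_mask |= IB_QP_PORT; cmd->base.port_num = cmd->base.dest.port_num;`), and a one-line comment stating that this is a deliberate adjustment of the kernel copy, not a validation failure, would keep the reject-versus-adjust distinction clear for audit purposes. Smaller style point: `if ((cmd->base.attr_mask & IB_QP_AV)) {` has a redundant pair of parentheses. modify_qp starts before and ends after the hunk.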
@@ -0,0 +1,33 @@
+From c170e5a8d222537e98aa8d4fddb667ff7a2ee114 Mon Sep 17 00:00:00 2001
+From: Tony Battersby
+Date: Thu, 12 Jul 2018 16:30:45 -0400
+Subject: scsi: sg: fix minor memory leak in error path
+
+From: Tony Battersby
+
+commit c170e5a8d222537e98aa8d4fddb667ff7a2ee114 upstream.
+
+Fix a minor memory leak when there is an error opening a /dev/sg device.
+
+Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
+Cc:
+Reviewed-by: Ewan D. Milne
+Signed-off-by: Tony Battersby
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2186,6 +2186,7 @@ sg_add_sfp(Sg_device * sdp)
+ write_lock_irqsave(&sdp->sfd_lock, iflags);
+ if (atomic_read(&sdp->detaching)) {
+ write_unlock_irqrestore(&sdp->sfd_lock, iflags);
++ kfree(sfp);
+ return ERR_PTR(-ENODEV);
+ }
+ list_add_tail(&sfp->sfd_siblings, &sdp->sfds);
diff --git a/queue-4.17/series b/queue-4.17/series
index 5538d37d924..5a7e106a3f8 100644
--- a/queue-4.17/series
+++ b/queue-4.17/series
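Review bot: The added `kfree(sfp);` is correct only because sfp has not yet been linked into `sdp->sfds` (the `list_add_tail` comes after the error return), so no other path can hold a reference and the kref release callback never needs to run; that reasoning deserves a one-line comment, e.g. `/* sfp is not yet on sfds, so nobody else can see it */`. If the part of sg_add_sfp before the lock (outside the hunk) attaches any resource to sfp, it would need releasing here as well — please confirm against the full function.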
@@ -8,3 +8,24 @@ rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch net-mlx5e-set-port-trust-mode-to-pcp-as-default.patch net-mlx5e-ipoib-set-the-netdevice-sw-mtu-in-ipoib-enhanced-flow.patch +squashfs-more-metadata-hardening.patch +squashfs-more-metadata-hardenings.patch +can-ems_usb-fix-memory-leak-on-ems_usb_disconnect.patch +net-socket-fix-potential-spectre-v1-gadget-in-socketcall.patch +net-socket-fix-potential-spectre-v1-gadget-in-sock_is_registered.patch +virtio_balloon-fix-another-race-between-migration-and-ballooning.patch +x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch +x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch +x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch +kvm-x86-vmx-fix-vpid-leak.patch +audit-fix-potential-null-dereference-context-module.name.patch +ipc-shm.c-add-pagesize-function-to-shm_vm_ops.patch +userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch +iwlwifi-add-more-card-ids-for-9000-series.patch +brcmfmac-fix-regression-in-parsing-nvram-for-multiple-devices.patch +rdma-uverbs-expand-primary-and-alt-av-port-checks.patch +crypto-padlock-aes-fix-nano-workaround-data-corruption.patch +drm-vc4-reset-x-y-_scaling-when-dealing-with-uniplanar-formats.patch +drm-atomic-check-old_plane_state-crtc-in-drm_atomic_helper_async_check.patch +drm-atomic-initialize-variables-in-drm_atomic_helper_async_check-to-make-gcc-happy.patch +scsi-sg-fix-minor-memory-leak-in-error-path.patch diff --git a/queue-4.17/squashfs-more-metadata-hardening.patch b/queue-4.17/squashfs-more-metadata-hardening.patch new file mode 100644 index 00000000000..f06d7a4add4 --- /dev/null +++ b/queue-4.17/squashfs-more-metadata-hardening.patch 
@@ -0,0 +1,37 @@
+From d512584780d3e6a7cacb2f482834849453d444a1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 30 Jul 2018 14:27:15 -0700
+Subject: squashfs: more metadata hardening
+
+From: Linus Torvalds
+
+commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.
+
+Anatoly reports another squashfs fuzzing issue, where the decompression
+parameters themselves are in a compressed block.
+
+This causes squashfs_read_data() to be called in order to read the
+decompression options before the decompression stream having been set
+up, making squashfs go sideways.
+
+Reported-by: Anatoly Trosinenko
+Acked-by: Phillip Lougher
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/squashfs/block.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/squashfs/block.c
++++ b/fs/squashfs/block.c
+@@ -167,6 +167,8 @@ int squashfs_read_data(struct super_bloc
+ }
+
+ if (compressed) {
++ if (!msblk->stream)
++ goto read_failure;
+ length = squashfs_decompress(msblk, bh, b, offset, length,
+ output);
+ if (length < 0)
diff --git a/queue-4.17/squashfs-more-metadata-hardenings.patch b/queue-4.17/squashfs-more-metadata-hardenings.patch
new file mode 100644
index 00000000000..6d9ff9d6a91
--- /dev/null
+++ b/queue-4.17/squashfs-more-metadata-hardenings.patch
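Review bot: The new `if (!msblk->stream) goto read_failure;` gives no hint of how a compressed block can be requested before a decompressor exists, which per the description happens when the decompressor options block is itself compressed during superblock setup; a comment such as `/* the decompressor options block may itself be compressed; refuse until the stream exists */` keeps the next reader from "simplifying" the check away. Presumably `read_failure` already logs the failing block index as it does upstream, so the bare goto is adequate for detection of a malformed image. squashfs_read_data starts before and ends after the hunk.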
@@ -0,0 +1,93 @@ +From 71755ee5350b63fb1f283de8561cdb61b47f4d1d Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 2 Aug 2018 08:43:35 -0700 +Subject: squashfs: more metadata hardening +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit 71755ee5350b63fb1f283de8561cdb61b47f4d1d upstream. + +The squashfs fragment reading code doesn't actually verify that the +fragment is inside the fragment table. The end result _is_ verified to +be inside the image when actually reading the fragment data, but before +that is done, we may end up taking a page fault because the fragment +table itself might not even exist. + +Another report from Anatoly and his endless squashfs image fuzzing. + +Reported-by: Анатолий Тросиненко +Acked-by:: Phillip Lougher , +Cc: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/squashfs/fragment.c | 13 +++++++++---- + fs/squashfs/squashfs_fs_sb.h | 1 + + fs/squashfs/super.c | 5 +++-- + 3 files changed, 13 insertions(+), 6 deletions(-) + +--- a/fs/squashfs/fragment.c ++++ b/fs/squashfs/fragment.c +@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_bl + u64 *fragment_block) + { + struct squashfs_sb_info *msblk = sb->s_fs_info; +- int block = SQUASHFS_FRAGMENT_INDEX(fragment); +- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment); +- u64 start_block = le64_to_cpu(msblk->fragment_index[block]); ++ int block, offset, size; + struct squashfs_fragment_entry fragment_entry; +- int size; ++ u64 start_block; ++ ++ if (fragment >= msblk->fragments) ++ return -EIO; ++ block = SQUASHFS_FRAGMENT_INDEX(fragment); ++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment); ++ ++ start_block = le64_to_cpu(msblk->fragment_index[block]); + + size = squashfs_read_metadata(sb, &fragment_entry, &start_block, + &offset, sizeof(fragment_entry)); +--- a/fs/squashfs/squashfs_fs_sb.h ++++ b/fs/squashfs/squashfs_fs_sb.h +@@ -75,6 +75,7 @@ struct 
squashfs_sb_info { + unsigned short block_log; + long long bytes_used; + unsigned int inodes; ++ unsigned int fragments; + int xattr_ids; + }; + #endif +--- a/fs/squashfs/super.c ++++ b/fs/squashfs/super.c +@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct su + msblk->inode_table = le64_to_cpu(sblk->inode_table_start); + msblk->directory_table = le64_to_cpu(sblk->directory_table_start); + msblk->inodes = le32_to_cpu(sblk->inodes); ++ msblk->fragments = le32_to_cpu(sblk->fragments); + flags = le16_to_cpu(sblk->flags); + + TRACE("Found valid superblock on %pg\n", sb->s_bdev); +@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct su + TRACE("Filesystem size %lld bytes\n", msblk->bytes_used); + TRACE("Block size %d\n", msblk->block_size); + TRACE("Number of inodes %d\n", msblk->inodes); +- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments)); ++ TRACE("Number of fragments %d\n", msblk->fragments); + TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids)); + TRACE("sblk->inode_table_start %llx\n", msblk->inode_table); + TRACE("sblk->directory_table_start %llx\n", msblk->directory_table); +@@ -272,7 +273,7 @@ allocate_id_index_table: + sb->s_export_op = &squashfs_export_ops; + + handle_fragments: +- fragments = le32_to_cpu(sblk->fragments); ++ fragments = msblk->fragments; + if (fragments == 0) + goto check_directory_table; + diff --git a/queue-4.17/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch b/queue-4.17/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch new file mode 100644 index 00000000000..d9f0cb12f56 --- /dev/null +++ b/queue-4.17/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch 
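Review bot: The new `if (fragment >= msblk->fragments) return -EIO;` in squashfs_frag_lookup also covers the `fragments == 0` case, where super.c never allocates the index table at all (`goto check_directory_table` is visible in this hunk) and the old code would have dereferenced a NULL `fragment_index`; that is worth a one-line comment at the check, since the NULL table is the more obvious hazard than an overlong index. The new `unsigned int fragments;` field in squashfs_sb_info could carry a short comment, e.g. `/* from the superblock; bounds fragment_index lookups */`, to explain why super.c now caches it instead of re-reading `sblk->fragments`. squashfs_frag_lookup and squashfs_fill_super both continue outside the hunk.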
@@ -0,0 +1,50 @@
+From 31e810aa1033a7db50a2746cd34a2432237f6420 Mon Sep 17 00:00:00 2001
+From: Mike Rapoport
+Date: Thu, 2 Aug 2018 15:36:09 -0700
+Subject: userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
+
+From: Mike Rapoport
+
+commit 31e810aa1033a7db50a2746cd34a2432237f6420 upstream.
+
+The fix in commit 0cbb4b4f4c44 ("userfaultfd: clear the
+vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the
+vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags
+that were copied from the parent process VMA.
+
+As the result, there is an inconsistency between the values of
+vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON
+in userfaultfd_release().
+
+Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
+failure resolves the issue.
+
+Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-rppt@linux.vnet.ibm.com
+Fixes: 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails")
+Signed-off-by: Mike Rapoport
+Reported-by: syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com
+Cc: Andrea Arcangeli
+Cc: Eric Biggers
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/userfaultfd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -631,8 +631,10 @@ static void userfaultfd_event_wait_compl
+ /* the various vma->vm_userfaultfd_ctx still points to it */
+ down_write(&mm->mmap_sem);
+ for (vma = mm->mmap; vma; vma = vma->vm_next)
+- if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
++ if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
+ vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
++ vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);
++ }
+ up_write(&mm->mmap_sem);
+
+ userfaultfd_ctx_put(release_new_ctx);
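Review bot: The added `vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);` spells out the uffd flag pair by hand; the release path that the description says BUG_ONs on the mismatch presumably clears the same two bits, so a comment pointing at that site (or a shared mask, if the file has one) would keep the two from drifting apart when another VM_UFFD_* flag is added. The write happens inside the `down_write(&mm->mmap_sem)` region shown in the hunk, so the vm_flags update is properly serialised. The enclosing function starts before the hunk.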
diff --git a/queue-4.17/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch b/queue-4.17/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch new file mode 100644 index 00000000000..11bf714e017 --- /dev/null +++ b/queue-4.17/virtio_balloon-fix-another-race-between-migration-and-ballooning.patch 
@@ -0,0 +1,64 @@ +From 89da619bc18d79bca5304724c11d4ba3b67ce2c6 Mon Sep 17 00:00:00 2001 +From: Jiang Biao +Date: Wed, 18 Jul 2018 10:29:28 +0800 +Subject: virtio_balloon: fix another race between migration and ballooning + +From: Jiang Biao + +commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream. + +Kernel panic when with high memory pressure, calltrace looks like, + +PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java" + #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb + #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942 + #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30 + #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8 + #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46 + #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc + #6 [ffff881ec7ed7838] __node_set at ffffffff81680300 + #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f + #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5 + #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8 + [exception RIP: _raw_spin_lock_irqsave+47] + RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046 + RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8 + RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008 + RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098 + R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + +It happens in the pagefault and results in double pagefault +during compacting pages when memory allocation fails. + +Analysed the vmcore, the page leads to second pagefault is corrupted +with _mapcount=-256, but private=0. + +It's caused by the race between migration and ballooning, and lock +missing in virtballoon_migratepage() of virtio_balloon driver. +This patch fix the bug. 
+ +Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages") +Cc: stable@vger.kernel.org +Signed-off-by: Jiang Biao +Signed-off-by: Huang Chong +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_balloon.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -513,7 +513,9 @@ static int virtballoon_migratepage(struc + tell_host(vb, vb->inflate_vq); + + /* balloon's page migration 2nd step -- deflate "page" */ ++ spin_lock_irqsave(&vb_dev_info->pages_lock, flags); + balloon_page_delete(page); ++ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags); + vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE; + set_page_pfns(vb, vb->pfns, page); + tell_host(vb, vb->deflate_vq); diff --git a/queue-4.17/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch b/queue-4.17/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch new file mode 100644 index 00000000000..c5b15b96590 --- /dev/null +++ b/queue-4.17/x86-apic-future-proof-the-tsc_deadline-quirk-for-skx.patch 
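Review bot: The new `spin_lock_irqsave(&vb_dev_info->pages_lock, flags);` around `balloon_page_delete(page)` says nothing about what it serialises against; given the description's corrupted `_mapcount`/`private` and the stated race with migration, a one-liner such as `/* balloon_page_delete() clears page state that the isolation path examines under pages_lock */` would make the lock's purpose reviewable without re-deriving it. `flags` comes from context outside the hunk, which is fine if it is the same local used for the inflate step earlier in the function. The following `set_page_pfns`/`tell_host` calls stay outside the lock, which mirrors the inflate step and so looks intentional. virtballoon_migratepage starts before and ends after the hunk.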
@@ -0,0 +1,41 @@
+From d9e6dbcf28f383bf08e6a3180972f5722e514a54 Mon Sep 17 00:00:00 2001
+From: Len Brown
+Date: Sat, 21 Jul 2018 17:19:19 -0400
+Subject: x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
+
+From: Len Brown
+
+commit d9e6dbcf28f383bf08e6a3180972f5722e514a54 upstream.
+
+All SKX with stepping higher than 4 support the TSC_DEADLINE,
+no matter the microcode version.
+
+Without this patch, upcoming SKX steppings will not be able to use
+their TSC_DEADLINE timer.
+
+Signed-off-by: Len Brown
+Cc: # v4.14+
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Fixes: 616dd5872e ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping")
+Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.brown@intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/apic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -573,6 +573,9 @@ static u32 skx_deadline_rev(void)
+ case 0x04: return 0x02000014;
+ }
+
++ if (boot_cpu_data.x86_stepping > 4)
++ return 0;
++
+ return ~0U;
+ }
+
diff --git a/queue-4.17/x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch b/queue-4.17/x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch
new file mode 100644
index 00000000000..e42a7c14d54
--- /dev/null
+++ b/queue-4.17/x86-efi-access-efi-mmio-data-as-unencrypted-when-sev-is-active.patch
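Review bot: `if (boot_cpu_data.x86_stepping > 4) return 0;` returns the "no microcode requirement" value with no comment, and its placement after the switch means any stepping the switch enumerates keeps its explicit revision — both facts deserve one line at the site, e.g. `/* steppings newer than those listed need no microcode fix for TSC_DEADLINE */`. The `return ~0U` fallback still applies to steppings below those in the switch, which is unchanged behaviour and could be noted in the same comment. skx_deadline_rev starts before the hunk.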
@@ -0,0 +1,50 @@
+From 9b788f32bee6b0b293a4bdfca4ad4bb0206407fb Mon Sep 17 00:00:00 2001
+From: Brijesh Singh
+Date: Fri, 20 Jul 2018 10:28:46 +0900
+Subject: x86/efi: Access EFI MMIO data as unencrypted when SEV is active
+
+From: Brijesh Singh
+
+commit 9b788f32bee6b0b293a4bdfca4ad4bb0206407fb upstream.
+
+SEV guest fails to update the UEFI runtime variables stored in the
+flash.
+
+The following commit:
+
+ 1379edd59673 ("x86/efi: Access EFI data as encrypted when SEV is active")
+
+unconditionally maps all the UEFI runtime data as 'encrypted' (C=1).
+
+When SEV is active the UEFI runtime data marked as EFI_MEMORY_MAPPED_IO
+should be mapped as 'unencrypted' so that both guest and hypervisor can
+access the data.
+
+Signed-off-by: Brijesh Singh
+Signed-off-by: Ard Biesheuvel
+Reviewed-by: Tom Lendacky
+Cc: # 4.15.x
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: linux-efi@vger.kernel.org
+Fixes: 1379edd59673 ("x86/efi: Access EFI data as encrypted ...")
+Link: http://lkml.kernel.org/r/20180720012846.23560-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/platform/efi/efi_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -417,7 +417,7 @@ static void __init __map_region(efi_memo
+ if (!(md->attribute & EFI_MEMORY_WB))
+ flags |= _PAGE_PCD;
+
+- if (sev_active())
++ if (sev_active() && md->type != EFI_MEMORY_MAPPED_IO)
+ flags |= _PAGE_ENC;
+
+ pfn = md->phys_addr >> PAGE_SHIFT;
diff --git a/queue-4.17/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch b/queue-4.17/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
new file mode 100644
index 00000000000..176dc4d219a
--- /dev/null
+++ b/queue-4.17/x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch
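Review bot: `md->type != EFI_MEMORY_MAPPED_IO` excludes only one of the two I/O-style EFI region types; EFI_MEMORY_MAPPED_IO_PORT_SPACE would still be mapped with `_PAGE_ENC`, and if such a descriptor ever reaches __map_region on an SEV guest it would hit the same hypervisor-visibility failure the description reports for MMIO — either exclude it too or note why it cannot occur here. A comment on the condition would also help: `/* MMIO is shared with the hypervisor, so it must stay unencrypted (C=0) under SEV */`. __map_region starts before and ends after the hunk.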
@@ -0,0 +1,134 @@ +From b3681dd548d06deb2e1573890829dff4b15abf46 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Sun, 22 Jul 2018 11:05:09 -0700 +Subject: x86/entry/64: Remove %ebx handling from error_entry/exit + +From: Andy Lutomirski + +commit b3681dd548d06deb2e1573890829dff4b15abf46 upstream. + +error_entry and error_exit communicate the user vs. kernel status of +the frame using %ebx. This is unnecessary -- the information is in +regs->cs. Just use regs->cs. + +This makes error_entry simpler and makes error_exit more robust. + +It also fixes a nasty bug. Before all the Spectre nonsense, the +xen_failsafe_callback entry point returned like this: + + ALLOC_PT_GPREGS_ON_STACK + SAVE_C_REGS + SAVE_EXTRA_REGS + ENCODE_FRAME_POINTER + jmp error_exit + +And it did not go through error_entry. This was bogus: RBX +contained garbage, and error_exit expected a flag in RBX. + +Fortunately, it generally contained *nonzero* garbage, so the +correct code path was used. As part of the Spectre fixes, code was +added to clear RBX to mitigate certain speculation attacks. Now, +depending on kernel configuration, RBX got zeroed and, when running +some Wine workloads, the kernel crashes. This was introduced by: + + commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") + +With this patch applied, RBX is no longer needed as a flag, and the +problem goes away. + +I suspect that malicious userspace could use this bug to crash the +kernel even without the offending patch applied, though. + +[ Historical note: I wrote this patch as a cleanup before I was aware + of the bug it fixed. ] + +[ Note to stable maintainers: this should probably get applied to all + kernels. If you're nervous about that, a more conservative fix to + add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should + also fix the problem. ] + +Reported-and-tested-by: M. 
Vefa Bicakci +Signed-off-by: Andy Lutomirski +Cc: Boris Ostrovsky +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: Dominik Brodowski +Cc: Greg KH +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Cc: xen-devel@lists.xenproject.org +Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") +Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64.S | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -981,7 +981,7 @@ ENTRY(\sym) + + call \do_sym + +- jmp error_exit /* %ebx: no swapgs flag */ ++ jmp error_exit + .endif + END(\sym) + .endm +@@ -1222,7 +1222,6 @@ END(paranoid_exit) + + /* + * Save all registers in pt_regs, and switch GS if needed. +- * Return: EBX=0: came from user mode; EBX=1: otherwise + */ + ENTRY(error_entry) + UNWIND_HINT_FUNC +@@ -1269,7 +1268,6 @@ ENTRY(error_entry) + * for these here too. + */ + .Lerror_kernelspace: +- incl %ebx + leaq native_irq_return_iret(%rip), %rcx + cmpq %rcx, RIP+8(%rsp) + je .Lerror_bad_iret +@@ -1303,28 +1301,20 @@ ENTRY(error_entry) + + /* + * Pretend that the exception came from user mode: set up pt_regs +- * as if we faulted immediately after IRET and clear EBX so that +- * error_exit knows that we will be returning to user mode. ++ * as if we faulted immediately after IRET. 
+ */ + mov %rsp, %rdi + call fixup_bad_iret + mov %rax, %rsp +- decl %ebx + jmp .Lerror_entry_from_usermode_after_swapgs + END(error_entry) + +- +-/* +- * On entry, EBX is a "return to kernel mode" flag: +- * 1: already in kernel mode, don't need SWAPGS +- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode +- */ + ENTRY(error_exit) + UNWIND_HINT_REGS + DISABLE_INTERRUPTS(CLBR_ANY) + TRACE_IRQS_OFF +- testl %ebx, %ebx +- jnz retint_kernel ++ testb $3, CS(%rsp) ++ jz retint_kernel + jmp retint_user + END(error_exit) +
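Review bot: ENTRY(error_exit) loses its only header comment along with the removed EBX contract and now has none; since `testb $3, CS(%rsp)` makes the user/kernel decision from the RPL bits of the saved CS, a replacement such as `/* Return to user or kernel mode based on the RPL in the saved CS. No register flag is needed, so entry points like xen_failsafe_callback may jump here directly. */` documents exactly the property the description relies on. The remaining `Save all registers in pt_regs, and switch GS if needed.` comment on error_entry could likewise state that no value is returned in a register, so nobody reintroduces a flag. The macro in the first inner hunk and the `.Lerror_bad_iret` path continue outside the shown lines.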