From: Greg Kroah-Hartman Date: Sun, 13 May 2018 20:37:14 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.109~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=54135f66bc92adbf913146cbdd0f5a5edce26f9e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: perf-core-fix-possible-spectre-v1-indexing-for-aux_pages.patch perf-x86-cstate-fix-possible-spectre-v1-indexing-for-pkg_msr.patch perf-x86-fix-possible-spectre-v1-indexing-for-hw_perf_event-cache_.patch perf-x86-fix-possible-spectre-v1-indexing-for-x86_pmu-event_map.patch perf-x86-msr-fix-possible-spectre-v1-indexing-in-the-msr-driver.patch tracing-uprobe_event-fix-strncpy-corner-case.patch
---
diff --git a/queue-4.4/perf-core-fix-possible-spectre-v1-indexing-for-aux_pages.patch b/queue-4.4/perf-core-fix-possible-spectre-v1-indexing-for-aux_pages.patch
new file mode 100644
index 00000000000..8d1f61b7b49
--- /dev/null
+++ b/queue-4.4/perf-core-fix-possible-spectre-v1-indexing-for-aux_pages.patch
@@ -0,0 +1,55 @@
+From 4411ec1d1993e8dbff2898390e3fed280d88e446 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 20 Apr 2018 14:03:18 +0200
+Subject: perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
+
+From: Peter Zijlstra
+
+commit 4411ec1d1993e8dbff2898390e3fed280d88e446 upstream.
+
+> kernel/events/ring_buffer.c:871 perf_mmap_to_page() warn: potential spectre issue 'rb->aux_pages'
+
+Userspace controls @pgoff through the fault address. Sanitize the
+array index before doing the array dereference.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Peter Zijlstra (Intel)
+Cc:
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/ring_buffer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "internal.h"
+
+@@ -779,8 +780,10 @@ perf_mmap_to_page(struct ring_buffer *rb
+ return NULL;
+
+ /* AUX space */
+- if (pgoff >= rb->aux_pgoff)
+- return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]);
++ if (pgoff >= rb->aux_pgoff) {
++ int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages);
++ return virt_to_page(rb->aux_pages[aux_pgoff]);
++ }
+ }
+
+ return __perf_mmap_to_page(rb, pgoff);
diff --git a/queue-4.4/perf-x86-cstate-fix-possible-spectre-v1-indexing-for-pkg_msr.patch b/queue-4.4/perf-x86-cstate-fix-possible-spectre-v1-indexing-for-pkg_msr.patch
new file mode 100644
index 00000000000..95c544f9ece
--- /dev/null
+++ b/queue-4.4/perf-x86-cstate-fix-possible-spectre-v1-indexing-for-pkg_msr.patch
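Review bot: In perf_mmap_to_page() the clamped index is stored in `int aux_pgoff`, which narrows the result of array_index_nospec() (it has the type of its first argument, here the `pgoff - rb->aux_pgoff` expression, presumably an unsigned long) and reuses the name of the `rb->aux_pgoff` field it is derived from. Something like `unsigned long idx = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages);` followed by `rb->aux_pages[idx]` keeps the type and avoids the name clash. array_index_nospec() yields 0 for any index at or above the size, so it does not replace the architectural upper-bound test. That test sits above the `return NULL;` context line, outside this hunk, and it should be confirmed that it rejects `pgoff - rb->aux_pgoff == rb->aux_nr_pages`.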
@@ -0,0 +1,50 @@
+From a5f81290ce475489fa2551c01a07470c1a4c932e Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 20 Apr 2018 14:25:48 +0200
+Subject: perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
+
+From: Peter Zijlstra
+
+commit a5f81290ce475489fa2551c01a07470c1a4c932e upstream.
+
+> arch/x86/events/intel/cstate.c:307 cstate_pmu_event_init() warn: potential spectre issue 'pkg_msr' (local cap)
+
+Userspace controls @attr, sanitize cfg (attr->config) before using it
+to index an array.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Peter Zijlstra (Intel)
+Cc:
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event_intel_cstate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_cstate.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_cstate.c
+@@ -88,6 +88,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include "perf_event.h"
+
+@@ -409,6 +410,7 @@ static int cstate_pmu_event_init(struct
+ } else if (event->pmu == &cstate_pkg_pmu) {
+ if (cfg >= PERF_CSTATE_PKG_EVENT_MAX)
+ return -EINVAL;
++ cfg = array_index_nospec((unsigned long)cfg, PERF_CSTATE_PKG_EVENT_MAX);
+ if (!pkg_msr[cfg].attr)
+ return -EINVAL;
+ event->hw.event_base = pkg_msr[cfg].msr;
diff --git a/queue-4.4/perf-x86-fix-possible-spectre-v1-indexing-for-hw_perf_event-cache_.patch b/queue-4.4/perf-x86-fix-possible-spectre-v1-indexing-for-hw_perf_event-cache_.patch
new file mode 100644
index 00000000000..1c7d04f7dd7
--- /dev/null
+++ b/queue-4.4/perf-x86-fix-possible-spectre-v1-indexing-for-hw_perf_event-cache_.patch
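Review bot: Only the `cstate_pkg_pmu` branch of cstate_pmu_event_init() gets the clamp. The hunk opens on `} else if (...)`, so an earlier branch of the same chain lies outside it; if that branch indexes its own MSR table with `cfg` after a plain bounds check, it has the same speculative window and would want a matching `array_index_nospec()` line with its own limit. The `(unsigned long)` cast is presumably needed because `cfg` is a 64-bit value; on a 32-bit build it truncates, which is harmless only because the range check directly above has already bounded the value architecturally.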
@@ -0,0 +1,59 @@
+From ef9ee4ad38445a30909c48998624861716f2a994 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 20 Apr 2018 14:06:29 +0200
+Subject: perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
+
+From: Peter Zijlstra
+
+commit ef9ee4ad38445a30909c48998624861716f2a994 upstream.
+
+> arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids[cache_type]' (local cap)
+> arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_event_ids' (local cap)
+> arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs[cache_type]' (local cap)
+> arch/x86/events/core.c:328 set_ext_hw_attr() warn: potential spectre issue 'hw_cache_extra_regs' (local cap)
+
+Userspace controls @config which contains 3 (byte) fields used for a 3
+dimensional array deref.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Peter Zijlstra (Intel)
+Cc:
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/perf_event.c
++++ b/arch/x86/kernel/cpu/perf_event.c
+@@ -297,17 +297,20 @@ set_ext_hw_attr(struct hw_perf_event *hw
+
+ config = attr->config;
+
+- cache_type = (config >> 0) & 0xff;
++ cache_type = (config >> 0) & 0xff;
+ if (cache_type >= PERF_COUNT_HW_CACHE_MAX)
+ return -EINVAL;
++ cache_type = array_index_nospec(cache_type, PERF_COUNT_HW_CACHE_MAX);
+
+ cache_op = (config >> 8) & 0xff;
+ if (cache_op >= PERF_COUNT_HW_CACHE_OP_MAX)
+ return -EINVAL;
++ cache_op = array_index_nospec(cache_op, PERF_COUNT_HW_CACHE_OP_MAX);
+
+ cache_result = (config >> 16) & 0xff;
+ if (cache_result >= PERF_COUNT_HW_CACHE_RESULT_MAX)
+ return -EINVAL;
++ cache_result = array_index_nospec(cache_result, PERF_COUNT_HW_CACHE_RESULT_MAX);
+
+ val = hw_cache_event_ids[cache_type][cache_op][cache_result];
+
diff --git a/queue-4.4/perf-x86-fix-possible-spectre-v1-indexing-for-x86_pmu-event_map.patch b/queue-4.4/perf-x86-fix-possible-spectre-v1-indexing-for-x86_pmu-event_map.patch
new file mode 100644
index 00000000000..49f4514359b
--- /dev/null
+++ b/queue-4.4/perf-x86-fix-possible-spectre-v1-indexing-for-x86_pmu-event_map.patch
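Review bot: The three `array_index_nospec()` assignments in set_ext_hw_attr() carry no comment, and each looks redundant next to the range check directly above it unless the reader knows that check can be bypassed speculatively. One comment before the first clamp, e.g. `/* config is user-controlled: clamp each field so a mispredicted bounds check cannot index past the table */`, would keep a later cleanup from removing them. The same applies to the clamps added by the aux_pages, cstate, event_map and msr patches in this queue update. The function body continues beyond the hunk.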
@@ -0,0 +1,56 @@
+From 46b1b577229a091b137831becaa0fae8690ee15a Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 20 Apr 2018 14:08:58 +0200
+Subject: perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
+
+From: Peter Zijlstra
+
+commit 46b1b577229a091b137831becaa0fae8690ee15a upstream.
+
+> arch/x86/events/intel/cstate.c:307 cstate_pmu_event_init() warn: potential spectre issue 'pkg_msr' (local cap)
+> arch/x86/events/intel/core.c:337 intel_pmu_event_map() warn: potential spectre issue 'intel_perfmon_event_map'
+> arch/x86/events/intel/knc.c:122 knc_pmu_event_map() warn: potential spectre issue 'knc_perfmon_event_map'
+> arch/x86/events/intel/p4.c:722 p4_pmu_event_map() warn: potential spectre issue 'p4_general_events'
+> arch/x86/events/intel/p6.c:116 p6_pmu_event_map() warn: potential spectre issue 'p6_perfmon_event_map'
+> arch/x86/events/amd/core.c:132 amd_pmu_event_map() warn: potential spectre issue 'amd_perfmon_event_map'
+
+Userspace controls @attr, sanitize @attr->config before passing it on
+to x86_pmu::event_map().
+
+Reported-by: Dan Carpenter
+Signed-off-by: Peter Zijlstra (Intel)
+Cc:
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/cpu/perf_event.c
++++ b/arch/x86/kernel/cpu/perf_event.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -407,6 +408,8 @@ int x86_setup_perfctr(struct perf_event
+ if (attr->config >= x86_pmu.max_events)
+ return -EINVAL;
+
++ attr->config = array_index_nospec((unsigned long)attr->config, x86_pmu.max_events);
++
+ /*
+ * The generic map:
+ */
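Review bot: The clamp in x86_setup_perfctr() is written back into `attr->config`, the event's stored attribute, rather than into a local that is passed to the map call. Architecturally the value is unchanged, because the check above already rejects anything at or above `x86_pmu.max_events`, but that deserves a comment such as `/* value unchanged architecturally; bounds the index under speculation */`. The sanitising is done at this call site only, while the tables named in the commit message are indexed inside the per-vendor event_map() implementations, so any other caller that passes a user-influenced value (none is visible in this hunk) would need its own clamp. The event_map() call itself lies after the hunk's last line.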
diff --git a/queue-4.4/perf-x86-msr-fix-possible-spectre-v1-indexing-in-the-msr-driver.patch b/queue-4.4/perf-x86-msr-fix-possible-spectre-v1-indexing-in-the-msr-driver.patch
new file mode 100644
index 00000000000..4cf9c68ddca
--- /dev/null
+++ b/queue-4.4/perf-x86-msr-fix-possible-spectre-v1-indexing-in-the-msr-driver.patch
@@ -0,0 +1,62 @@
+From 06ce6e9b6d6c09d4129c6e24a1314a395d816c10 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 20 Apr 2018 14:23:36 +0200
+Subject: perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
+
+From: Peter Zijlstra
+
+commit 06ce6e9b6d6c09d4129c6e24a1314a395d816c10 upstream.
+
+> arch/x86/events/msr.c:178 msr_event_init() warn: potential spectre issue 'msr' (local cap)
+
+Userspace controls @attr, sanitize cfg (attr->config) before using it
+to index an array.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Peter Zijlstra (Intel)
+Cc:
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/perf_event_msr.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_msr.c
++++ b/arch/x86/kernel/cpu/perf_event_msr.c
+@@ -1,4 +1,5 @@
+ #include
++#include
+
+ enum perf_msr_id {
+ PERF_MSR_TSC = 0,
+@@ -115,9 +116,6 @@ static int msr_event_init(struct perf_ev
+ if (event->attr.type != event->pmu->type)
+ return -ENOENT;
+
+- if (cfg >= PERF_MSR_EVENT_MAX)
+- return -EINVAL;
+-
+ /* unsupported modes and filters */
+ if (event->attr.exclude_user ||
+ event->attr.exclude_kernel ||
+@@ -128,6 +126,11 @@ static int msr_event_init(struct perf_ev
+ event->attr.sample_period) /* no sampling */
+ return -EINVAL;
+
++ if (cfg >= PERF_MSR_EVENT_MAX)
++ return -EINVAL;
++
++ cfg = array_index_nospec((unsigned long)cfg, PERF_MSR_EVENT_MAX);
++
+ if (!msr[cfg].attr)
+ return -EINVAL;
+
diff --git a/queue-4.4/series b/queue-4.4/series
index af88c6178f2..a7dcb5983f3 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -48,3 +48,9 @@ can-kvaser_usb-increase-correct-stats-counter-in-kvaser_usb_rx_can_msg.patch
 net-atm-fix-potential-spectre-v1.patch
 atm-zatm-fix-potential-spectre-v1.patch
 revert-bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch
+tracing-uprobe_event-fix-strncpy-corner-case.patch
+perf-x86-fix-possible-spectre-v1-indexing-for-hw_perf_event-cache_.patch
+perf-x86-cstate-fix-possible-spectre-v1-indexing-for-pkg_msr.patch
+perf-x86-msr-fix-possible-spectre-v1-indexing-in-the-msr-driver.patch
+perf-core-fix-possible-spectre-v1-indexing-for-aux_pages.patch
+perf-x86-fix-possible-spectre-v1-indexing-for-x86_pmu-event_map.patch
diff --git a/queue-4.4/tracing-uprobe_event-fix-strncpy-corner-case.patch b/queue-4.4/tracing-uprobe_event-fix-strncpy-corner-case.patch
new file mode 100644
index 00000000000..eebfe19a741
--- /dev/null
+++ b/queue-4.4/tracing-uprobe_event-fix-strncpy-corner-case.patch
@@ -0,0 +1,41 @@
+From 50268a3d266ecfdd6c5873d62b2758d9732fc598 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Tue, 10 Apr 2018 21:20:08 +0900
+Subject: tracing/uprobe_event: Fix strncpy corner case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Masami Hiramatsu
+
+commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 upstream.
+
+Fix string fetch function to terminate with NUL.
+It is OK to drop the rest of string.
+
+Signed-off-by: Masami Hiramatsu
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Song Liu
+Cc: Thomas Gleixner
+Cc: security@kernel.org
+Cc: 范龙飞
+Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_uprobe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, stri
+ return;
+
+ ret = strncpy_from_user(dst, src, maxlen);
++ if (ret == maxlen)
++ dst[--ret] = '\0';
+
+ if (ret < 0) { /* Failed to fetch string */
+ ((u8 *)get_rloc_data(dest))[0] = '\0';
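Review bot: The added `dst[--ret] = '\0';` is safe only while `maxlen` is at least 1, since with `maxlen == 0` the comparison would match and the store would land at `dst[-1]`. The `return;` context line at the top of the hunk suggests an early exit for that case, but its condition is outside the hunk and should be confirmed. A comment would help the next reader, e.g. `/* ret == maxlen: no NUL within maxlen bytes, drop the last byte to terminate */`. The new test also runs before the `ret < 0` error check, which is fine because a negative `ret` cannot equal a positive `maxlen`, but that ordering dependency is worth stating in the same comment.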