From: Greg Kroah-Hartman Date: Thu, 8 Nov 2018 17:35:48 +0000 (-0800) Subject: 4.4-stable patches X-Git-Tag: v3.18.125~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80af5a33e872506ff25d4ce6353bb5b04e5bfda4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch ib-ucm-fix-spectre-v1-vulnerability.patch input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch ptp-fix-spectre-v1-vulnerability.patch rdma-ucma-fix-spectre-v1-vulnerability.patch sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch usb-gadget-storage-fix-spectre-v1-vulnerability.patch x86-percpu-fix-this_cpu_read.patch x86-time-correct-the-attribute-on-jiffies-definition.patch --- diff --git a/queue-4.4/cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch b/queue-4.4/cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch new file mode 100644 index 00000000000..d5f0b235b48 --- /dev/null +++ b/queue-4.4/cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch @@ -0,0 +1,42 @@ +From 169b803397499be85bdd1e3d07d6f5e3d4bd669e Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 17 Oct 2018 15:23:26 +0100 +Subject: cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) + +From: Al Viro + +commit 169b803397499be85bdd1e3d07d6f5e3d4bd669e upstream. + +the victim might've been rmdir'ed just before the lock_rename(); +unlike the normal callers, we do not look the source up after the +parents are locked - we know it beforehand and just recheck that it's +still the child of what used to be its parent. Unfortunately, +the check is too weak - we don't spot a dead directory since its +->d_parent is unchanged, dentry is positive, etc. So we sail all +the way to ->rename(), with hosting filesystems _not_ expecting +to be asked renaming an rmdir'ed subdirectory. + +The fix is easy, fortunately - the lock on parent is sufficient for +making IS_DEADDIR() on child safe. + +Cc: stable@vger.kernel.org +Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem) +Signed-off-by: Al Viro +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cachefiles/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cachefiles/namei.c ++++ b/fs/cachefiles/namei.c +@@ -317,7 +317,7 @@ try_again: + trap = lock_rename(cache->graveyard, dir); + + /* do some checks before getting the grave dentry */ +- if (rep->d_parent != dir) { ++ if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) { + /* the entry was probably culled when we dropped the parent dir + * lock */ + unlock_rename(cache->graveyard, dir); diff --git a/queue-4.4/cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch b/queue-4.4/cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch new file mode 100644 index 00000000000..496d71c9911 --- /dev/null +++ b/queue-4.4/cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch @@ -0,0 +1,55 @@ +From f976d0e5747ca65ccd0fb2a4118b193d70aa1836 Mon Sep 17 00:00:00 2001 +From: Tobias Herzog +Date: Sat, 22 Sep 2018 22:11:11 +0200 +Subject: cdc-acm: correct counting of UART states in serial state notification + +From: Tobias Herzog + +commit f976d0e5747ca65ccd0fb2a4118b193d70aa1836 upstream. + +The usb standard ("Universal Serial Bus Class Definitions for Communication +Devices") distiguishes between "consistent signals" (DSR, DCD), and +"irregular signals" (break, ring, parity error, framing error, overrun). +The bits of "irregular signals" are set, if this error/event occurred on +the device side and are immeadeatly unset, if the serial state notification +was sent. +Like other drivers of real serial ports do, just the occurence of those +events should be counted in serial_icounter_struct (but no 1->0 +transitions). + +Signed-off-by: Tobias Herzog +Acked-by: Oliver Neukum +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -332,17 +332,17 @@ static void acm_ctrl_irq(struct urb *urb + + if (difference & ACM_CTRL_DSR) + acm->iocount.dsr++; +- if (difference & ACM_CTRL_BRK) +- acm->iocount.brk++; +- if (difference & ACM_CTRL_RI) +- acm->iocount.rng++; + if (difference & ACM_CTRL_DCD) + acm->iocount.dcd++; +- if (difference & ACM_CTRL_FRAMING) ++ if (newctrl & ACM_CTRL_BRK) ++ acm->iocount.brk++; ++ if (newctrl & ACM_CTRL_RI) ++ acm->iocount.rng++; ++ if (newctrl & ACM_CTRL_FRAMING) + acm->iocount.frame++; +- if (difference & ACM_CTRL_PARITY) ++ if (newctrl & ACM_CTRL_PARITY) + acm->iocount.parity++; +- if (difference & ACM_CTRL_OVERRUN) ++ if (newctrl & ACM_CTRL_OVERRUN) + acm->iocount.overrun++; + spin_unlock(&acm->read_lock); + diff --git a/queue-4.4/ib-ucm-fix-spectre-v1-vulnerability.patch b/queue-4.4/ib-ucm-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..11ae1a088eb --- /dev/null +++ b/queue-4.4/ib-ucm-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,54 @@ +From 0295e39595e1146522f2722715dba7f7fba42217 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 16 Oct 2018 16:32:40 +0200 +Subject: IB/ucm: Fix Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit 0295e39595e1146522f2722715dba7f7fba42217 upstream. + +hdr.cmd can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/infiniband/core/ucm.c:1127 ib_ucm_write() warn: potential +spectre issue 'ucm_cmd_table' [r] (local cap) + +Fix this by sanitizing hdr.cmd before using it to index +ucm_cmd_table. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/ucm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/core/ucm.c ++++ b/drivers/infiniband/core/ucm.c +@@ -46,6 +46,8 @@ + #include + #include + ++#include ++ + #include + + #include +@@ -1115,6 +1117,7 @@ static ssize_t ib_ucm_write(struct file + + if (hdr.cmd >= ARRAY_SIZE(ucm_cmd_table)) + return -EINVAL; ++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucm_cmd_table)); + + if (hdr.in + sizeof(hdr) > len) + return -EINVAL; diff --git a/queue-4.4/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch b/queue-4.4/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch new file mode 100644 index 00000000000..eaceb9a632b --- /dev/null +++ b/queue-4.4/input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch @@ -0,0 +1,31 @@ +From 13c1c5e4d7f887cba36c5e3df3faa22071c1469f Mon Sep 17 00:00:00 2001 +From: Mikhail Nikiforov +Date: Mon, 15 Oct 2018 11:17:56 -0700 +Subject: Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM + +From: Mikhail Nikiforov + +commit 13c1c5e4d7f887cba36c5e3df3faa22071c1469f upstream. + +Add ELAN061C to the ACPI table to support Elan touchpad found in Lenovo +IdeaPad 330-15IGM. + +Signed-off-by: Mikhail Nikiforov +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1251,6 +1251,7 @@ static const struct acpi_device_id elan_ + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, + { "ELAN0618", 0 }, ++ { "ELAN061C", 0 }, + { "ELAN061D", 0 }, + { "ELAN0622", 0 }, + { "ELAN1000", 0 }, diff --git a/queue-4.4/ptp-fix-spectre-v1-vulnerability.patch b/queue-4.4/ptp-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..ca90c80e9be --- /dev/null +++ b/queue-4.4/ptp-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,65 @@ +From efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 16 Oct 2018 15:06:41 +0200 +Subject: ptp: fix Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba upstream. + +pin_index can be indirectly controlled by user-space, hence leading +to a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/ptp/ptp_chardev.c:253 ptp_ioctl() warn: potential spectre issue +'ops->pin_config' [r] (local cap) + +Fix this by sanitizing pin_index before using it to index +ops->pin_config, and before passing it as an argument to +function ptp_set_pinfunc(), in which it is used to index +info->pin_config. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ptp/ptp_chardev.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/ptp/ptp_chardev.c ++++ b/drivers/ptp/ptp_chardev.c +@@ -23,6 +23,8 @@ + #include + #include + ++#include ++ + #include "ptp_private.h" + + static int ptp_disable_pinfunc(struct ptp_clock_info *ops, +@@ -224,6 +226,7 @@ long ptp_ioctl(struct posix_clock *pc, u + err = -EINVAL; + break; + } ++ pin_index = array_index_nospec(pin_index, ops->n_pins); + if (mutex_lock_interruptible(&ptp->pincfg_mux)) + return -ERESTARTSYS; + pd = ops->pin_config[pin_index]; +@@ -242,6 +245,7 @@ long ptp_ioctl(struct posix_clock *pc, u + err = -EINVAL; + break; + } ++ pin_index = array_index_nospec(pin_index, ops->n_pins); + if (mutex_lock_interruptible(&ptp->pincfg_mux)) + return -ERESTARTSYS; + err = ptp_set_pinfunc(ptp, pin_index, pd.func, pd.chan); diff --git a/queue-4.4/rdma-ucma-fix-spectre-v1-vulnerability.patch b/queue-4.4/rdma-ucma-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..95605df3d42 --- /dev/null +++ b/queue-4.4/rdma-ucma-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,54 @@ +From a3671a4f973ee9d9621d60166cc3b037c397d604 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 16 Oct 2018 16:59:01 +0200 +Subject: RDMA/ucma: Fix Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit a3671a4f973ee9d9621d60166cc3b037c397d604 upstream. + +hdr.cmd can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/infiniband/core/ucma.c:1686 ucma_write() warn: potential +spectre issue 'ucma_cmd_table' [r] (local cap) + +Fix this by sanitizing hdr.cmd before using it to index +ucm_cmd_table. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/ucma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -44,6 +44,8 @@ + #include + #include + ++#include ++ + #include + #include + #include +@@ -1627,6 +1629,7 @@ static ssize_t ucma_write(struct file *f + + if (hdr.cmd >= ARRAY_SIZE(ucma_cmd_table)) + return -EINVAL; ++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucma_cmd_table)); + + if (hdr.in + sizeof(hdr) > len) + return -EINVAL; diff --git a/queue-4.4/sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch b/queue-4.4/sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch new file mode 100644 index 00000000000..ec8e2539a56 --- /dev/null +++ b/queue-4.4/sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch @@ -0,0 +1,175 @@ +From baa9be4ffb55876923dc9716abc0a448e510ba30 Mon Sep 17 00:00:00 2001 +From: Phil Auld +Date: Mon, 8 Oct 2018 10:36:40 -0400 +Subject: sched/fair: Fix throttle_list starvation with low CFS quota + +From: Phil Auld + +commit baa9be4ffb55876923dc9716abc0a448e510ba30 upstream. + +With a very low cpu.cfs_quota_us setting, such as the minimum of 1000, +distribute_cfs_runtime may not empty the throttled_list before it runs +out of runtime to distribute. In that case, due to the change from +c06f04c7048 to put throttled entries at the head of the list, later entries +on the list will starve. Essentially, the same X processes will get pulled +off the list, given CPU time and then, when expired, get put back on the +head of the list where distribute_cfs_runtime will give runtime to the same +set of processes leaving the rest. + +Fix the issue by setting a bit in struct cfs_bandwidth when +distribute_cfs_runtime is running, so that the code in throttle_cfs_rq can +decide to put the throttled entry on the tail or the head of the list. The +bit is set/cleared by the callers of distribute_cfs_runtime while they hold +cfs_bandwidth->lock. + +This is easy to reproduce with a handful of CPU consumers. I use 'crash' on +the live system. In some cases you can simply look at the throttled list and +see the later entries are not changing: + + crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1" "$4}' | pr -t -n3 + 1 ffff90b56cb2d200 -976050 + 2 ffff90b56cb2cc00 -484925 + 3 ffff90b56cb2bc00 -658814 + 4 ffff90b56cb2ba00 -275365 + 5 ffff90b166a45600 -135138 + 6 ffff90b56cb2da00 -282505 + 7 ffff90b56cb2e000 -148065 + 8 ffff90b56cb2fa00 -872591 + 9 ffff90b56cb2c000 -84687 + 10 ffff90b56cb2f000 -87237 + 11 ffff90b166a40a00 -164582 + + crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1" "$4}' | pr -t -n3 + 1 ffff90b56cb2d200 -994147 + 2 ffff90b56cb2cc00 -306051 + 3 ffff90b56cb2bc00 -961321 + 4 ffff90b56cb2ba00 -24490 + 5 ffff90b166a45600 -135138 + 6 ffff90b56cb2da00 -282505 + 7 ffff90b56cb2e000 -148065 + 8 ffff90b56cb2fa00 -872591 + 9 ffff90b56cb2c000 -84687 + 10 ffff90b56cb2f000 -87237 + 11 ffff90b166a40a00 -164582 + +Sometimes it is easier to see by finding a process getting starved and looking +at the sched_info: + + crash> task ffff8eb765994500 sched_info + PID: 7800 TASK: ffff8eb765994500 CPU: 16 COMMAND: "cputest" + sched_info = { + pcount = 8, + run_delay = 697094208, + last_arrival = 240260125039, + last_queued = 240260327513 + }, + crash> task ffff8eb765994500 sched_info + PID: 7800 TASK: ffff8eb765994500 CPU: 16 COMMAND: "cputest" + sched_info = { + pcount = 8, + run_delay = 697094208, + last_arrival = 240260125039, + last_queued = 240260327513 + }, + +Signed-off-by: Phil Auld +Reviewed-by: Ben Segall +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Fixes: c06f04c70489 ("sched: Fix potential near-infinite distribute_cfs_runtime() loop") +Link: http://lkml.kernel.org/r/20181008143639.GA4019@pauld.bos.csb +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/fair.c | 22 +++++++++++++++++++--- + kernel/sched/sched.h | 2 ++ + 2 files changed, 21 insertions(+), 3 deletions(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3624,9 +3624,13 @@ static void throttle_cfs_rq(struct cfs_r + + /* + * Add to the _head_ of the list, so that an already-started +- * distribute_cfs_runtime will not see us ++ * distribute_cfs_runtime will not see us. If disribute_cfs_runtime is ++ * not running add to the tail so that later runqueues don't get starved. + */ +- list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq); ++ if (cfs_b->distribute_running) ++ list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq); ++ else ++ list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq); + + /* + * If we're the first throttled task, make sure the bandwidth +@@ -3769,14 +3773,16 @@ static int do_sched_cfs_period_timer(str + * in us over-using our runtime if it is all used during this loop, but + * only by limited amounts in that extreme case. + */ +- while (throttled && cfs_b->runtime > 0) { ++ while (throttled && cfs_b->runtime > 0 && !cfs_b->distribute_running) { + runtime = cfs_b->runtime; ++ cfs_b->distribute_running = 1; + raw_spin_unlock(&cfs_b->lock); + /* we can't nest cfs_b->lock while distributing bandwidth */ + runtime = distribute_cfs_runtime(cfs_b, runtime, + runtime_expires); + raw_spin_lock(&cfs_b->lock); + ++ cfs_b->distribute_running = 0; + throttled = !list_empty(&cfs_b->throttled_cfs_rq); + + cfs_b->runtime -= min(runtime, cfs_b->runtime); +@@ -3887,6 +3893,11 @@ static void do_sched_cfs_slack_timer(str + + /* confirm we're still not at a refresh boundary */ + raw_spin_lock(&cfs_b->lock); ++ if (cfs_b->distribute_running) { ++ raw_spin_unlock(&cfs_b->lock); ++ return; ++ } ++ + if (runtime_refresh_within(cfs_b, min_bandwidth_expiration)) { + raw_spin_unlock(&cfs_b->lock); + return; +@@ -3896,6 +3907,9 @@ static void do_sched_cfs_slack_timer(str + runtime = cfs_b->runtime; + + expires = cfs_b->runtime_expires; ++ if (runtime) ++ cfs_b->distribute_running = 1; ++ + raw_spin_unlock(&cfs_b->lock); + + if (!runtime) +@@ -3906,6 +3920,7 @@ static void do_sched_cfs_slack_timer(str + raw_spin_lock(&cfs_b->lock); + if (expires == cfs_b->runtime_expires) + cfs_b->runtime -= min(runtime, cfs_b->runtime); ++ cfs_b->distribute_running = 0; + raw_spin_unlock(&cfs_b->lock); + } + +@@ -4017,6 +4032,7 @@ void init_cfs_bandwidth(struct cfs_bandw + cfs_b->period_timer.function = sched_cfs_period_timer; + hrtimer_init(&cfs_b->slack_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); + cfs_b->slack_timer.function = sched_cfs_slack_timer; ++ cfs_b->distribute_running = 0; + } + + static void init_cfs_rq_runtime(struct cfs_rq *cfs_rq) +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -233,6 +233,8 @@ struct cfs_bandwidth { + /* statistics */ + int nr_periods, nr_throttled; + u64 throttled_time; ++ ++ bool distribute_running; + #endif + }; + diff --git a/queue-4.4/series b/queue-4.4/series index e8bfb558af1..82b4fd194c4 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -101,3 +101,14 @@ rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch mremap-properly-flush-tlb-before-releasing-the-page.patch crypto-shash-fix-a-sleep-in-atomic-bug-in-shash_setk.patch ahci-don-t-ignore-result-code-of-ahci_reset_controll.patch +cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch +ptp-fix-spectre-v1-vulnerability.patch +rdma-ucma-fix-spectre-v1-vulnerability.patch +ib-ucm-fix-spectre-v1-vulnerability.patch +cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch +usb-gadget-storage-fix-spectre-v1-vulnerability.patch +usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch +input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch +sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch +x86-percpu-fix-this_cpu_read.patch +x86-time-correct-the-attribute-on-jiffies-definition.patch diff --git a/queue-4.4/usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch b/queue-4.4/usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch new file mode 100644 index 00000000000..06b1f164996 --- /dev/null +++ b/queue-4.4/usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch @@ -0,0 +1,52 @@ +From 665c365a77fbfeabe52694aedf3446d5f2f1ce42 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 15 Oct 2018 16:55:04 -0400 +Subject: USB: fix the usbfs flag sanitization for control transfers + +From: Alan Stern + +commit 665c365a77fbfeabe52694aedf3446d5f2f1ce42 upstream. + +Commit 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") checks the +transfer flags for URBs submitted from userspace via usbfs. However, +the check for whether the USBDEVFS_URB_SHORT_NOT_OK flag should be +allowed for a control transfer was added in the wrong place, before +the code has properly determined the direction of the control +transfer. (Control transfers are special because for them, the +direction is set by the bRequestType byte of the Setup packet rather +than direction bit of the endpoint address.) + +This patch moves code which sets up the allow_short flag for control +transfers down after is_in has been set to the correct value. + +Signed-off-by: Alan Stern +Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com +Fixes: 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") +CC: Oliver Neukum +CC: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1329,8 +1329,6 @@ static int proc_do_submiturb(struct usb_ + u = 0; + switch (uurb->type) { + case USBDEVFS_URB_TYPE_CONTROL: +- if (is_in) +- allow_short = true; + if (!usb_endpoint_xfer_control(&ep->desc)) + return -EINVAL; + /* min 8 byte setup packet */ +@@ -1360,6 +1358,8 @@ static int proc_do_submiturb(struct usb_ + is_in = 0; + uurb->endpoint &= ~USB_DIR_IN; + } ++ if (is_in) ++ allow_short = true; + snoop(&ps->dev->dev, "control urb: bRequestType=%02x " + "bRequest=%02x wValue=%04x " + "wIndex=%04x wLength=%04x\n", diff --git a/queue-4.4/usb-gadget-storage-fix-spectre-v1-vulnerability.patch b/queue-4.4/usb-gadget-storage-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..9b1ac5b99d8 --- /dev/null +++ b/queue-4.4/usb-gadget-storage-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,54 @@ +From 9ae24af3669111d418242caec8dd4ebd9ba26860 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 16 Oct 2018 12:16:45 +0200 +Subject: usb: gadget: storage: Fix Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit 9ae24af3669111d418242caec8dd4ebd9ba26860 upstream. + +num can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/usb/gadget/function/f_mass_storage.c:3177 fsg_lun_make() warn: +potential spectre issue 'fsg_opts->common->luns' [r] (local cap) + +Fix this by sanitizing num before using it to index +fsg_opts->common->luns + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Acked-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_mass_storage.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -220,6 +220,8 @@ + #include + #include + ++#include ++ + #include "configfs.h" + + +@@ -3260,6 +3262,7 @@ static struct config_group *fsg_lun_make + fsg_opts = to_fsg_opts(&group->cg_item); + if (num >= FSG_MAX_LUNS) + return ERR_PTR(-ERANGE); ++ num = array_index_nospec(num, FSG_MAX_LUNS); + + mutex_lock(&fsg_opts->lock); + if (fsg_opts->refcnt || fsg_opts->common->luns[num]) { diff --git a/queue-4.4/x86-percpu-fix-this_cpu_read.patch b/queue-4.4/x86-percpu-fix-this_cpu_read.patch new file mode 100644 index 00000000000..179f61fc923 --- /dev/null +++ b/queue-4.4/x86-percpu-fix-this_cpu_read.patch @@ -0,0 +1,59 @@ +From b59167ac7bafd804c91e49ad53c6d33a7394d4c8 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 11 Oct 2018 12:38:27 +0200 +Subject: x86/percpu: Fix this_cpu_read() + +From: Peter Zijlstra + +commit b59167ac7bafd804c91e49ad53c6d33a7394d4c8 upstream. + +Eric reported that a sequence count loop using this_cpu_read() got +optimized out. This is wrong, this_cpu_read() must imply READ_ONCE() +because the interface is IRQ-safe, therefore an interrupt can have +changed the per-cpu value. + +Fixes: 7c3576d261ce ("[PATCH] i386: Convert PDA into the percpu section") +Reported-by: Eric Dumazet +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Thomas Gleixner +Acked-by: Eric Dumazet +Cc: hpa@zytor.com +Cc: eric.dumazet@gmail.com +Cc: bp@alien8.de +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20181011104019.748208519@infradead.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/percpu.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/percpu.h ++++ b/arch/x86/include/asm/percpu.h +@@ -184,22 +184,22 @@ do { \ + typeof(var) pfo_ret__; \ + switch (sizeof(var)) { \ + case 1: \ +- asm(op "b "__percpu_arg(1)",%0" \ ++ asm volatile(op "b "__percpu_arg(1)",%0"\ + : "=q" (pfo_ret__) \ + : "m" (var)); \ + break; \ + case 2: \ +- asm(op "w "__percpu_arg(1)",%0" \ ++ asm volatile(op "w "__percpu_arg(1)",%0"\ + : "=r" (pfo_ret__) \ + : "m" (var)); \ + break; \ + case 4: \ +- asm(op "l "__percpu_arg(1)",%0" \ ++ asm volatile(op "l "__percpu_arg(1)",%0"\ + : "=r" (pfo_ret__) \ + : "m" (var)); \ + break; \ + case 8: \ +- asm(op "q "__percpu_arg(1)",%0" \ ++ asm volatile(op "q "__percpu_arg(1)",%0"\ + : "=r" (pfo_ret__) \ + : "m" (var)); \ + break; \ diff --git a/queue-4.4/x86-time-correct-the-attribute-on-jiffies-definition.patch b/queue-4.4/x86-time-correct-the-attribute-on-jiffies-definition.patch new file mode 100644 index 00000000000..0cc51c830a1 --- /dev/null +++ b/queue-4.4/x86-time-correct-the-attribute-on-jiffies-definition.patch @@ -0,0 +1,61 @@ +From 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 12 Oct 2018 17:53:12 -0700 +Subject: x86/time: Correct the attribute on jiffies' definition + +From: Nathan Chancellor + +commit 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d upstream. + +Clang warns that the declaration of jiffies in include/linux/jiffies.h +doesn't match the definition in arch/x86/time/kernel.c: + +arch/x86/kernel/time.c:29:42: warning: section does not match previous declaration [-Wsection] +__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES; + ^ +./include/linux/cache.h:49:4: note: expanded from macro '__cacheline_aligned' + __section__(".data..cacheline_aligned"))) + ^ +./include/linux/jiffies.h:81:31: note: previous attribute is here +extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies; + ^ +./arch/x86/include/asm/cache.h:20:2: note: expanded from macro '__cacheline_aligned_in_smp' + __page_aligned_data + ^ +./include/linux/linkage.h:39:29: note: expanded from macro '__page_aligned_data' +#define __page_aligned_data __section(.data..page_aligned) __aligned(PAGE_SIZE) + ^ +./include/linux/compiler_attributes.h:233:56: note: expanded from macro '__section' +#define __section(S) __attribute__((__section__(#S))) + ^ +1 warning generated. + +The declaration was changed in commit 7c30f352c852 ("jiffies.h: declare +jiffies and jiffies_64 with ____cacheline_aligned_in_smp") but wasn't +updated here. Make them match so Clang no longer warns. + +Fixes: 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp") +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Gleixner +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Nick Desaulniers +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20181013005311.28617-1-natechancellor@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/time.c ++++ b/arch/x86/kernel/time.c +@@ -23,7 +23,7 @@ + #include + + #ifdef CONFIG_X86_64 +-__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES; ++__visible volatile unsigned long jiffies __cacheline_aligned_in_smp = INITIAL_JIFFIES; + #endif + + unsigned long profile_pc(struct pt_regs *regs)