From: Greg Kroah-Hartman
Date: Wed, 22 Aug 2018 10:50:51 +0000 (+0200)
Subject: 4.18-stable patches
X-Git-Tag: v4.18.5~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8abc089507a94b1e1e6838102a52f59e9ade94e9;p=thirdparty%2Fkernel%2Fstable-queue.git
4.18-stable patches
added patches:
drm-amdgpu-pm-fix-potential-spectre-v1.patch
drm-i915-kvmgt-fix-potential-spectre-v1.patch
ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
powerpc64s-show-ori31-availability-in-spectre_v1-sysfs-file-not-v2.patch
---
diff --git a/queue-4.18/drm-amdgpu-pm-fix-potential-spectre-v1.patch b/queue-4.18/drm-amdgpu-pm-fix-potential-spectre-v1.patch
new file mode 100644
index 00000000000..b304e6648c1
--- /dev/null
+++ b/queue-4.18/drm-amdgpu-pm-fix-potential-spectre-v1.patch
@@ -0,0 +1,53 @@
+From ddf74e79a54070f277ae520722d3bab7f7a6c67a Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 23 Jul 2018 11:32:32 -0500
+Subject: drm/amdgpu/pm: Fix potential Spectre v1
+
+From: Gustavo A. R. Silva
+
+commit ddf74e79a54070f277ae520722d3bab7f7a6c67a upstream.
+
+idx can be indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c:408 amdgpu_set_pp_force_state()
+warn: potential spectre issue 'data.states'
+
+Fix this by sanitizing idx before using it to index data.states
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+@@ -31,7 +31,7 @@
+ #include
+ #include
+ #include
+-
++#include
+ 
+ static int amdgpu_debugfs_pm_init(struct amdgpu_device *adev);
+ 
+@@ -393,6 +393,7 @@ static ssize_t amdgpu_set_pp_force_state
+ count = -EINVAL;
+ goto fail;
+ }
++ idx = array_index_nospec(idx, ARRAY_SIZE(data.states));
+ 
+ amdgpu_dpm_get_pp_num_states(adev, &data);
+ state = data.states[idx];
diff --git a/queue-4.18/drm-i915-kvmgt-fix-potential-spectre-v1.patch b/queue-4.18/drm-i915-kvmgt-fix-potential-spectre-v1.patch
new file mode 100644
index 00000000000..bcb043d8c98
--- /dev/null
+++ b/queue-4.18/drm-i915-kvmgt-fix-potential-spectre-v1.patch
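Review bot: The clamp `idx = array_index_nospec(idx, ARRAY_SIZE(data.states));` bounds speculation to the static capacity of `data.states`, but that array is only populated by the `amdgpu_dpm_get_pp_num_states(adev, &data)` call on the following line, so `state = data.states[idx]` can still architecturally read a slot the PP layer never filled (the check preceding the hunk is not visible here, so presumably it also tests only the static size). Adding `if (idx >= data.nums) { count = -EINVAL; goto fail; }` after that call, assuming `data.nums` is the populated count, would align the architectural bound with the data actually written; it is also worth confirming that `data` is zeroed beforehand, otherwise an unfilled slot is uninitialised stack memory. The `++#include` line renders empty in this view, so the header name it adds cannot be checked here. amdgpu_set_pp_force_state starts and ends outside the hunk.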
@@ -0,0 +1,67 @@
+From de5372da605d3bca46e3102bab51b7e1c0e0a6f6 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 2 Aug 2018 22:40:19 -0500
+Subject: drm/i915/kvmgt: Fix potential Spectre v1
+
+From: Gustavo A. R. Silva
+
+commit de5372da605d3bca46e3102bab51b7e1c0e0a6f6 upstream.
+
+info.index can be indirectly controlled by user-space, hence leading
+to a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/i915/gvt/kvmgt.c:1232 intel_vgpu_ioctl() warn:
+potential spectre issue 'vgpu->vdev.region' [r]
+
+Fix this by sanitizing info.index before indirectly using it to index
+vgpu->vdev.region
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. 
Silva
+Signed-off-by: Zhenyu Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/gvt/kvmgt.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -43,6 +43,8 @@
+ #include
+ #include
+ 
++#include
++
+ #include "i915_drv.h"
+ #include "gvt.h"
+ 
+@@ -1084,7 +1086,8 @@ static long intel_vgpu_ioctl(struct mdev
+ } else if (cmd == VFIO_DEVICE_GET_REGION_INFO) {
+ struct vfio_region_info info;
+ struct vfio_info_cap caps = { .buf = NULL, .size = 0 };
+- int i, ret;
++ unsigned int i;
++ int ret;
+ struct vfio_region_info_cap_sparse_mmap *sparse = NULL;
+ size_t size;
+ int nr_areas = 1;
+@@ -1169,6 +1172,10 @@ static long intel_vgpu_ioctl(struct mdev
+ if (info.index >= VFIO_PCI_NUM_REGIONS +
+ vgpu->vdev.num_regions)
+ return -EINVAL;
++ info.index =
++ array_index_nospec(info.index,
++ VFIO_PCI_NUM_REGIONS +
++ vgpu->vdev.num_regions);
+ 
+ i = info.index - VFIO_PCI_NUM_REGIONS;
+ 
diff --git a/queue-4.18/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch b/queue-4.18/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
new file mode 100644
index 00000000000..b2ac534a18f
--- /dev/null
+++ b/queue-4.18/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
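Review bot: The limit `VFIO_PCI_NUM_REGIONS + vgpu->vdev.num_regions` is now written twice, in the `>=` check and again in the added `array_index_nospec()` call, so a future edit to one of them can silently let the architectural check and the speculation clamp drift apart; computing it once, `unsigned int nr_regions = VFIO_PCI_NUM_REGIONS + vgpu->vdev.num_regions;`, and using that local in both keeps them in lockstep. Changing `i` to `unsigned int` also means `i = info.index - VFIO_PCI_NUM_REGIONS;` wraps to a very large value if an index below `VFIO_PCI_NUM_REGIONS` ever reaches this line; presumably the fixed PCI regions are dispatched earlier, but a one-line comment stating that invariant next to the subtraction would make the reliance explicit. intel_vgpu_ioctl starts and ends outside the hunk.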
@@ -0,0 +1,54 @@
+From 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline
+Date: Thu, 2 Aug 2018 00:03:40 -0400
+Subject: ext4: fix spectre gadget in ext4_mb_regular_allocator()
+
+From: Jeremy Cline
+
+commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.
+
+'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
+derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
+index arrays which makes it a potential spectre gadget. Fix this by
+sanitizing the value assigned to 'ac->ac2_order'. This covers the
+following accesses found with the help of smatch:
+
+* fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
+ spectre issue 'grp->bb_counters' [w] (local cap)
+
+* fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
+ 'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)
+
+* fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
+ 'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)
+
+Suggested-by: Josh Poimboeuf
+Signed-off-by: Jeremy Cline
+Signed-off-by: Theodore Ts'o
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/mballoc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ 
+@@ -2140,7 +2141,8 @@ ext4_mb_regular_allocator(struct ext4_al
+ * This should tell if fe_len is exactly power of 2
+ */
+ if ((ac->ac_g_ex.fe_len & (~(1 << (i - 1)))) == 0)
+- ac->ac_2order = i - 1;
++ ac->ac_2order = array_index_nospec(i - 1,
++ sb->s_blocksize_bits + 2);
+ }
+ 
+ /* if stream allocation is enabled, use global goal */
diff --git a/queue-4.18/powerpc64s-show-ori31-availability-in-spectre_v1-sysfs-file-not-v2.patch b/queue-4.18/powerpc64s-show-ori31-availability-in-spectre_v1-sysfs-file-not-v2.patch
new file mode 100644
index 00000000000..8bd9fa6e5a2
--- /dev/null
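Review bot: The bound in `ac->ac_2order = array_index_nospec(i - 1, sb->s_blocksize_bits + 2);` is an unexplained expression, yet it must match the size of every per-order array that `ac_2order` later indexes (`bb_counters`, `s_mb_offsets`, `s_mb_maxs` per the changelog): too small and legitimate orders get clamped to 0, too large and the clamp no longer covers the out-of-range reads. A comment at the assignment such as `/* per-order arrays hold s_blocksize_bits + 2 entries; clamp speculation to that */` would record why this limit is the right one. The loop that derives `i` sits outside the hunk, so whether `i - 1` is always strictly below that bound cannot be confirmed from here. The inner changelog also refers to `ac->ac2_order` once where the field is `ac->ac_2order`.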
+++ b/queue-4.18/powerpc64s-show-ori31-availability-in-spectre_v1-sysfs-file-not-v2.patch 
@@ -0,0 +1,95 @@
+From 6d44acae1937b81cf8115ada8958e04f601f3f2e Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Mon, 9 Jul 2018 16:25:21 +1000
+Subject: powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
+
+From: Michael Ellerman
+
+commit 6d44acae1937b81cf8115ada8958e04f601f3f2e upstream.
+
+When I added the spectre_v2 information in sysfs, I included the
+availability of the ori31 speculation barrier.
+
+Although the ori31 barrier can be used to mitigate v2, it's primarily
+intended as a spectre v1 mitigation. Spectre v2 is mitigated by
+hardware changes.
+
+So rework the sysfs files to show the ori31 information in the
+spectre_v1 file, rather than v2.
+
+Currently we display eg:
+
+ $ grep . spectre_v*
+ spectre_v1:Mitigation: __user pointer sanitization
+ spectre_v2:Mitigation: Indirect branch cache disabled, ori31 speculation barrier enabled
+
+After:
+
+ $ grep . spectre_v*
+ spectre_v1:Mitigation: __user pointer sanitization, ori31 speculation barrier enabled
+ spectre_v2:Mitigation: Indirect branch cache disabled
+
+Fixes: d6fbe1c55c55 ("powerpc/64s: Wire up cpu_show_spectre_v2()")
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/security.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -117,25 +117,35 @@ ssize_t cpu_show_meltdown(struct device
+ 
+ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+- if (!security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR))
+- return sprintf(buf, "Not affected\n");
++ struct seq_buf s;
++
++ seq_buf_init(&s, buf, PAGE_SIZE - 1);
++
++ if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) {
++ if (barrier_nospec_enabled)
++ seq_buf_printf(&s, "Mitigation: __user pointer sanitization");
++ else
++ seq_buf_printf(&s, "Vulnerable");
+ 
+- if 
(barrier_nospec_enabled)
+- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
++ if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31))
++ seq_buf_printf(&s, ", ori31 speculation barrier enabled");
+ 
+- return sprintf(buf, "Vulnerable\n");
++ seq_buf_printf(&s, "\n");
++ } else
++ seq_buf_printf(&s, "Not affected\n");
++
++ return s.len;
+ }
+ 
+ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+- bool bcs, ccd, ori;
+ struct seq_buf s;
++ bool bcs, ccd;
+ 
+ seq_buf_init(&s, buf, PAGE_SIZE - 1);
+ 
+ bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
+ ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
+- ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);
+ 
+ if (bcs || ccd) {
+ seq_buf_printf(&s, "Mitigation: ");
+@@ -151,9 +161,6 @@ ssize_t cpu_show_spectre_v2(struct devic
+ } else
+ seq_buf_printf(&s, "Vulnerable");
+ 
+- if (ori)
+- seq_buf_printf(&s, ", ori31 speculation barrier enabled");
+-
+ seq_buf_printf(&s, "\n");
+ 
+ return s.len;
diff --git a/queue-4.18/series b/queue-4.18/series
index 1a0ac96c26f..0a50b81ece2 100644
--- a/queue-4.18/series
+++ b/queue-4.18/series
@@ -4,3 +4,7 @@ mm-allow-non-direct-map-arguments-to-free_reserved_area.patch
 x86-mm-init-pass-unconverted-symbol-addresses-to-free_init_pages.patch
 x86-mm-init-add-helper-for-freeing-kernel-image-pages.patch
 x86-mm-init-remove-freed-kernel-image-areas-from-alias-mapping.patch
+powerpc64s-show-ori31-availability-in-spectre_v1-sysfs-file-not-v2.patch
+ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
+drm-i915-kvmgt-fix-potential-spectre-v1.patch
+drm-amdgpu-pm-fix-potential-spectre-v1.patch
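Review bot: In the new `cpu_show_spectre_v1` body the ori31 clause is appended regardless of `barrier_nospec_enabled`, so when the barrier is available but the kernel is not using it the file reads `Vulnerable, ori31 speculation barrier enabled`, a self-contradictory line that could lead an operator to believe the mitigation is active; either emit the clause only inside the `Mitigation:` branch, or word it as availability (`, ori31 speculation barrier available`), which is what the commit title says the file reports. On style, the added `} else` is followed by a bare `seq_buf_printf(&s, "Not affected\n");` while the `if` arm is a multi-line block; kernel style wants `} else {` with a closing `}` when either arm is braced (the pre-existing `} else` in cpu_show_spectre_v2 has the same shape). cpu_show_spectre_v1 is fully inside the first inner hunk, whereas the middle of cpu_show_spectre_v2 lies between the two hunks.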