From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 7 Mar 2018 03:53:50 +0000 (-0800)
Subject: 3.18-stable patches
X-Git-Tag: v4.14.25~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=98224f091b7099f7ea22ef432ca64b7b2087475a;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	arm-mvebu-fix-broken-pl310_errata_753970-selects.patch
	kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
---

diff --git a/queue-3.18/arm-mvebu-fix-broken-pl310_errata_753970-selects.patch b/queue-3.18/arm-mvebu-fix-broken-pl310_errata_753970-selects.patch
new file mode 100644
index 00000000000..3021724bbcc
--- /dev/null
+++ b/queue-3.18/arm-mvebu-fix-broken-pl310_errata_753970-selects.patch
@@ -0,0 +1,49 @@
+From 8aa36a8dcde3183d84db7b0d622ffddcebb61077 Mon Sep 17 00:00:00 2001
+From: Ulf Magnusson <ulfalizer@gmail.com>
+Date: Mon, 5 Feb 2018 02:21:13 +0100
+Subject: ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
+
+From: Ulf Magnusson <ulfalizer@gmail.com>
+
+commit 8aa36a8dcde3183d84db7b0d622ffddcebb61077 upstream.
+
+The MACH_ARMADA_375 and MACH_ARMADA_38X boards select ARM_ERRATA_753970,
+but it was renamed to PL310_ERRATA_753970 by commit fa0ce4035d48 ("ARM:
+7162/1: errata: tidy up Kconfig options for PL310 errata workarounds").
+
+Fix the selects to use the new name.
+
+Discovered with the
+https://github.com/ulfalizer/Kconfiglib/blob/master/examples/list_undefined.py
+script.
+Fixes: fa0ce4035d48 ("ARM: 7162/1: errata: tidy up Kconfig options for
+PL310 errata workarounds"
+cc: stable@vger.kernel.org
+Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-mvebu/Kconfig |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-mvebu/Kconfig
++++ b/arch/arm/mach-mvebu/Kconfig
+@@ -37,7 +37,7 @@ config MACH_ARMADA_370
+ config MACH_ARMADA_375
+ 	bool "Marvell Armada 375 boards" if ARCH_MULTI_V7
+ 	select ARM_ERRATA_720789
+-	select ARM_ERRATA_753970
++	select PL310_ERRATA_753970
+ 	select ARM_GIC
+ 	select ARMADA_375_CLK
+ 	select HAVE_ARM_SCU
+@@ -52,7 +52,7 @@ config MACH_ARMADA_375
+ config MACH_ARMADA_38X
+ 	bool "Marvell Armada 380/385 boards" if ARCH_MULTI_V7
+ 	select ARM_ERRATA_720789
+-	select ARM_ERRATA_753970
++	select PL310_ERRATA_753970
+ 	select ARM_GIC
+ 	select ARMADA_38X_CLK
+ 	select HAVE_ARM_SCU
diff --git a/queue-3.18/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch b/queue-3.18/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
new file mode 100644
index 00000000000..bce8081339c
--- /dev/null
+++ b/queue-3.18/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
@@ -0,0 +1,57 @@
+From 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Thu, 8 Feb 2018 15:32:45 +0800
+Subject: KVM: X86: Fix SMRAM accessing even if VM is shutdown
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+commit 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 upstream.
+
+Reported by syzkaller:
+
+   WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
+   CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4
+   RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
+   Call Trace:
+    vmx_handle_exit+0xbd/0xe20 [kvm_intel]
+    kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm]
+    kvm_vcpu_ioctl+0x3e9/0x720 [kvm]
+    do_vfs_ioctl+0xa4/0x6a0
+    SyS_ioctl+0x79/0x90
+    entry_SYSCALL_64_fastpath+0x25/0x9c
+
+The testcase creates a first thread to issue KVM_SMI ioctl, and then creates
+a second thread to mmap and operate on the same vCPU.  This triggers a race
+condition when running the testcase with multiple threads. Sometimes one thread
+exits with a triple fault while another thread mmaps and operates on the same
+vCPU.  Because CS=0x3000/IP=0x8000 is not mapped, accessing the SMI handler
+results in an EPT misconfig. This patch fixes it by returning RET_PF_EMULATE
+in kvm_handle_bad_page(), which will go on to cause an emulation failure and an
+exit with KVM_EXIT_INTERNAL_ERROR.
+
+Reported-by: syzbot+c1d9517cab094dae65e446c0c5b4de6c40f4dc58@syzkaller.appspotmail.com
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim KrÄmÃ¡Å <rkrcmar@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2698,7 +2698,7 @@ static int kvm_handle_bad_page(struct kv
+ 		return 0;
+ 	}
+ 
+-	return -EFAULT;
++	return RET_PF_EMULATE;
+ }
+ 
+ static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
diff --git a/queue-3.18/series b/queue-3.18/series
index 19b7f01f420..0621e67c771 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -2,3 +2,5 @@ tpm_i2c_infineon-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus
 tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
 alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch
 cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch
+arm-mvebu-fix-broken-pl310_errata_753970-selects.patch
+kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch