From: Greg Kroah-Hartman Date: Sun, 25 Mar 2018 18:50:41 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.15.14~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b7023acfa97e8df0bf46a9dd0dd70abd5f01aa3f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: kvm-x86-fix-icebp-instruction-handling.patch posix-timers-protect-posix-clock-array-access-against-speculation.patch selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch tty-vt-fix-up-tabstops-properly.patch x86-efi-free-efi_pgd-with-free_pages.patch x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch
---
diff --git a/queue-4.14/kvm-x86-fix-icebp-instruction-handling.patch b/queue-4.14/kvm-x86-fix-icebp-instruction-handling.patch
new file mode 100644
index 00000000000..759e12e1418
--- /dev/null
+++ b/queue-4.14/kvm-x86-fix-icebp-instruction-handling.patch
@@ -0,0 +1,84 @@ +From 32d43cd391bacb5f0814c2624399a5dad3501d09 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 20 Mar 2018 12:16:59 -0700 +Subject: kvm/x86: fix icebp instruction handling + +From: Linus Torvalds + +commit 32d43cd391bacb5f0814c2624399a5dad3501d09 upstream. + +The undocumented 'icebp' instruction (aka 'int1') works pretty much like +'int3' in the absense of in-circuit probing equipment (except, +obviously, that it raises #DB instead of raising #BP), and is used by +some validation test-suites as such. + +But Andy Lutomirski noticed that his test suite acted differently in kvm +than on bare hardware. + +The reason is that kvm used an inexact test for the icebp instruction: +it just assumed that an all-zero VM exit qualification value meant that +the VM exit was due to icebp. + +That is not unlike the guess that do_debug() does for the actual +exception handling case, but it's purely a heuristic, not an absolute +rule. do_debug() does it because it wants to ascribe _some_ reasons to +the #DB that happened, and an empty %dr6 value means that 'icebp' is the +most likely casue and we have no better information. + +But kvm can just do it right, because unlike the do_debug() case, kvm +actually sees the real reason for the #DB in the VM-exit interruption +information field. + +So instead of relying on an inexact heuristic, just use the actual VM +exit information that says "it was 'icebp'". + +Right now the 'icebp' instruction isn't technically documented by Intel, +but that will hopefully change. The special "privileged software +exception" information _is_ actually mentioned in the Intel SDM, even +though the cause of it isn't enumerated. 
+ +Reported-by: Andy Lutomirski +Tested-by: Paolo Bonzini +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/vmx.h | 1 + + arch/x86/kvm/vmx.c | 9 ++++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/vmx.h ++++ b/arch/x86/include/asm/vmx.h +@@ -352,6 +352,7 @@ enum vmcs_field { + #define INTR_TYPE_NMI_INTR (2 << 8) /* NMI */ + #define INTR_TYPE_HARD_EXCEPTION (3 << 8) /* processor exception */ + #define INTR_TYPE_SOFT_INTR (4 << 8) /* software interrupt */ ++#define INTR_TYPE_PRIV_SW_EXCEPTION (5 << 8) /* ICE breakpoint - undocumented */ + #define INTR_TYPE_SOFT_EXCEPTION (6 << 8) /* software exception */ + + /* GUEST_INTERRUPTIBILITY_INFO flags. */ +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1071,6 +1071,13 @@ static inline bool is_machine_check(u32 + (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK); + } + ++/* Undocumented: icebp/int1 */ ++static inline bool is_icebp(u32 intr_info) ++{ ++ return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK)) ++ == (INTR_TYPE_PRIV_SW_EXCEPTION | INTR_INFO_VALID_MASK); ++} ++ + static inline bool cpu_has_vmx_msr_bitmap(void) + { + return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS; +@@ -6169,7 +6176,7 @@ static int handle_exception(struct kvm_v + (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) { + vcpu->arch.dr6 &= ~15; + vcpu->arch.dr6 |= dr6 | DR6_RTM; +- if (!(dr6 & ~DR6_RESERVED)) /* icebp */ ++ if (is_icebp(intr_info)) + skip_emulated_instruction(vcpu); + + kvm_queue_exception(vcpu, DB_VECTOR); diff --git a/queue-4.14/posix-timers-protect-posix-clock-array-access-against-speculation.patch b/queue-4.14/posix-timers-protect-posix-clock-array-access-against-speculation.patch new file mode 100644 index 00000000000..b5dd564859b --- /dev/null +++ b/queue-4.14/posix-timers-protect-posix-clock-array-access-against-speculation.patch 
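Review bot: `is_icebp()` in vmx.c tests only the interruption-type and valid bits of `intr_info`, not the vector, and the one-line comment does not say why that is sufficient; I'd extend it to `/* Undocumented: icebp/int1. The CPU reports it as interruption type 5 (privileged software exception), whose only vector is #DB, so type + valid bits identify it. */`. In handle_exception() the `dr6`-based guess is replaced only on the path shown here; the function starts and ends outside the hunk, so any other place in it that still infers icebp from an empty `dr6` would need the same treatment.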
@@ -0,0 +1,61 @@ +From 19b558db12f9f4e45a22012bae7b4783e62224da Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Feb 2018 17:21:55 +0100 +Subject: posix-timers: Protect posix clock array access against speculation + +From: Thomas Gleixner + +commit 19b558db12f9f4e45a22012bae7b4783e62224da upstream. + +The clockid argument of clockid_to_kclock() comes straight from user space +via various syscalls and is used as index into the posix_clocks array. + +Protect it against spectre v1 array out of bounds speculation. Remove the +redundant check for !posix_clock[id] as this is another source for +speculation and does not provide any advantage over the return +posix_clock[id] path which returns NULL in that case anyway. + +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Acked-by: Dan Williams +Cc: Rasmus Villemoes +Cc: Greg KH +Cc: stable@vger.kernel.org +Cc: Linus Torvalds +Cc: David Woodhouse +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1802151718320.1296@nanos.tec.linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/posix-timers.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -50,6 +50,7 @@ + #include + #include + #include ++#include + + #include "timekeeping.h" + #include "posix-timers.h" +@@ -1346,11 +1347,15 @@ static const struct k_clock * const posi + + static const struct k_clock *clockid_to_kclock(const clockid_t id) + { +- if (id < 0) ++ clockid_t idx = id; ++ ++ if (id < 0) { + return (id & CLOCKFD_MASK) == CLOCKFD ? + &clock_posix_dynamic : &clock_posix_cpu; ++ } + +- if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id]) ++ if (id >= ARRAY_SIZE(posix_clocks)) + return NULL; +- return posix_clocks[id]; ++ ++ return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))]; + } 
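Review bot: The bounds check is done on `id` while the clamp is applied to the copy `idx`, and nothing at `clockid_t idx = id;` says why two names exist for one value, so a later cleanup is likely to fold them back together; a comment such as `/* non-const copy: array_index_nospec() builds typeof()-based temporaries from it */` (my inference of the motivation, not stated in the hunk) would protect the construction. `id >= ARRAY_SIZE(posix_clocks)` compares a signed `clockid_t` with a `size_t`, which is only safe because the `id < 0` return precedes it — worth a short comment so the order of the two checks is not swapped later. The added `+#include` line has lost its header name in this rendering; the upstream commit adds `<linux/nospec.h>`.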
diff --git a/queue-4.14/selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch b/queue-4.14/selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch
new file mode 100644
index 00000000000..75528acf660
--- /dev/null
+++ b/queue-4.14/selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch
@@ -0,0 +1,56 @@ +From 4b0b37d4cc54b21a6ecad7271cbc850555869c62 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Sat, 17 Mar 2018 08:25:07 -0700 +Subject: selftests/x86/ptrace_syscall: Fix for yet more glibc interference + +From: Andy Lutomirski + +commit 4b0b37d4cc54b21a6ecad7271cbc850555869c62 upstream. + +glibc keeps getting cleverer, and my version now turns raise() into +more than one syscall. Since the test relies on ptrace seeing an +exact set of syscalls, this breaks the test. Replace raise(SIGSTOP) +with syscall(SYS_tgkill, ...) to force glibc to get out of our way. + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kselftest@vger.kernel.org +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/bc80338b453afa187bc5f895bd8e2c8d6e264da2.1521300271.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/x86/ptrace_syscall.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/x86/ptrace_syscall.c ++++ b/tools/testing/selftests/x86/ptrace_syscall.c +@@ -183,8 +183,10 @@ static void test_ptrace_syscall_restart( + if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0) + err(1, "PTRACE_TRACEME"); + ++ pid_t pid = getpid(), tid = syscall(SYS_gettid); ++ + printf("\tChild will make one syscall\n"); +- raise(SIGSTOP); ++ syscall(SYS_tgkill, pid, tid, SIGSTOP); + + syscall(SYS_gettid, 10, 11, 12, 13, 14, 15); + _exit(0); +@@ -301,9 +303,11 @@ static void test_restart_under_ptrace(vo + if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0) + err(1, "PTRACE_TRACEME"); + ++ pid_t pid = getpid(), tid = syscall(SYS_gettid); ++ + printf("\tChild will take a nap until signaled\n"); + setsigign(SIGUSR1, SA_RESTART); +- raise(SIGSTOP); ++ syscall(SYS_tgkill, pid, tid, SIGSTOP); + + syscall(SYS_pause, 0, 0, 0, 0, 0, 0); + _exit(0); 
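Review bot: The return value of `syscall(SYS_tgkill, pid, tid, SIGSTOP)` is unchecked in both children (test_ptrace_syscall_restart and test_restart_under_ptrace); if the stop is not delivered, the child goes on to the traced `syscall(SYS_gettid, ...)` / `SYS_pause` and the test fails at a confusing later point instead of at the cause. The file already uses `err()` for the PTRACE_TRACEME failure, so `if (syscall(SYS_tgkill, pid, tid, SIGSTOP) != 0) err(1, "tgkill");` keeps the existing style at both sites. Both enclosing functions start and end outside the hunk.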
diff --git a/queue-4.14/series b/queue-4.14/series
index 27e249c9d8d..3a72cb4f053 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -74,3 +74,10 @@ can-ifi-check-core-revision-upon-probe.patch
 can-cc770-fix-stalls-on-rt-linux-remove-redundant-irq-ack.patch
 can-cc770-fix-queue-stall-dropped-rtr-reply.patch
 can-cc770-fix-use-after-free-in-cc770_tx_interrupt.patch
+tty-vt-fix-up-tabstops-properly.patch
+x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch
+selftests-x86-ptrace_syscall-fix-for-yet-more-glibc-interference.patch
+x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch
+x86-efi-free-efi_pgd-with-free_pages.patch
+posix-timers-protect-posix-clock-array-access-against-speculation.patch
+kvm-x86-fix-icebp-instruction-handling.patch
diff --git a/queue-4.14/tty-vt-fix-up-tabstops-properly.patch b/queue-4.14/tty-vt-fix-up-tabstops-properly.patch
new file mode 100644
index 00000000000..58ba19d2432
--- /dev/null
+++ b/queue-4.14/tty-vt-fix-up-tabstops-properly.patch
@@ -0,0 +1,60 @@ +From f1869a890cdedb92a3fab969db5d0fd982850273 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sat, 24 Mar 2018 10:43:26 +0100 +Subject: tty: vt: fix up tabstops properly + +From: Linus Torvalds + +commit f1869a890cdedb92a3fab969db5d0fd982850273 upstream. + +Tabs on a console with long lines do not wrap properly, so correctly +account for the line length when computing the tab placement location. + +Reported-by: James Holderness +Signed-off-by: Greg Kroah-Hartman +Cc: stable +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1725,7 +1725,7 @@ static void reset_terminal(struct vc_dat + default_attr(vc); + update_attr(vc); + +- vc->vc_tab_stop[0] = 0x01010100; ++ vc->vc_tab_stop[0] = + vc->vc_tab_stop[1] = + vc->vc_tab_stop[2] = + vc->vc_tab_stop[3] = +@@ -1769,7 +1769,7 @@ static void do_con_trol(struct tty_struc + vc->vc_pos -= (vc->vc_x << 1); + while (vc->vc_x < vc->vc_cols - 1) { + vc->vc_x++; +- if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31))) ++ if (vc->vc_tab_stop[7 & (vc->vc_x >> 5)] & (1 << (vc->vc_x & 31))) + break; + } + vc->vc_pos += (vc->vc_x << 1); +@@ -1829,7 +1829,7 @@ static void do_con_trol(struct tty_struc + lf(vc); + return; + case 'H': +- vc->vc_tab_stop[vc->vc_x >> 5] |= (1 << (vc->vc_x & 31)); ++ vc->vc_tab_stop[7 & (vc->vc_x >> 5)] |= (1 << (vc->vc_x & 31)); + return; + case 'Z': + respond_ID(tty); +@@ -2022,7 +2022,7 @@ static void do_con_trol(struct tty_struc + return; + case 'g': + if (!vc->vc_par[0]) +- vc->vc_tab_stop[vc->vc_x >> 5] &= ~(1 << (vc->vc_x & 31)); ++ vc->vc_tab_stop[7 & (vc->vc_x >> 5)] &= ~(1 << (vc->vc_x & 31)); + else if (vc->vc_par[0] == 3) { + vc->vc_tab_stop[0] = + vc->vc_tab_stop[1] = 
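Review bot: The `7 &` mask at the three `vc_tab_stop[7 & (vc->vc_x >> 5)]` sites encodes the bitmap's length (presumably 8 words, 256 columns) as a magic number and makes columns at or beyond 256 alias onto the low words — that is the intended containment of the out-of-bounds index, but nothing in the code says so. I'd add at the first site in do_con_trol(): `/* vc_tab_stop covers 256 columns; wider lines wrap onto the same bitmap rather than indexing past it */`, and consider a named mask next to the array's declaration (outside this hunk) so the two cannot drift apart. do_con_trol() starts and ends outside the hunk, and the chained assignment in reset_terminal() continues past the visible lines.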
diff --git a/queue-4.14/x86-efi-free-efi_pgd-with-free_pages.patch b/queue-4.14/x86-efi-free-efi_pgd-with-free_pages.patch new file mode 100644 index 00000000000..40d94c2c86d --- /dev/null +++ b/queue-4.14/x86-efi-free-efi_pgd-with-free_pages.patch @@ -0,0 +1,37 @@ +From 06ace26f4e6fcf747e890a39193be811777a048a Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Thu, 22 Mar 2018 15:18:53 -0400 +Subject: x86/efi: Free efi_pgd with free_pages() + +From: Waiman Long + +commit 06ace26f4e6fcf747e890a39193be811777a048a upstream. + +The efi_pgd is allocated as PGD_ALLOCATION_ORDER pages and therefore must +also be freed as PGD_ALLOCATION_ORDER pages with free_pages(). + +Fixes: d9e9a6418065 ("x86/mm/pti: Allocate a separate user PGD") +Signed-off-by: Waiman Long +Signed-off-by: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: Dave Hansen +Cc: Ard Biesheuvel +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1521746333-19593-1-git-send-email-longman@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/platform/efi/efi_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -227,7 +227,7 @@ int __init efi_alloc_page_tables(void) + if (!pud) { + if (CONFIG_PGTABLE_LEVELS > 4) + free_page((unsigned long) pgd_page_vaddr(*pgd)); +- free_page((unsigned long)efi_pgd); ++ free_pages((unsigned long)efi_pgd, PGD_ALLOCATION_ORDER); + return -ENOMEM; + } + diff --git a/queue-4.14/x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch b/queue-4.14/x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch new file mode 100644 index 00000000000..03e31b93ab0 --- /dev/null +++ b/queue-4.14/x86-entry-64-don-t-use-ist-entry-for-bp-stack.patch 
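Review bot: Other release paths for `efi_pgd` cannot be seen here — efi_alloc_page_tables() starts before the hunk and continues after it — and any of them would need the same `PGD_ALLOCATION_ORDER` pairing as the corrected `free_pages()` call, so it is worth confirming this was the only `free_page()` site rather than assuming it. A one-line comment at the allocation, `/* PGD_ALLOCATION_ORDER pages: release with free_pages(), never free_page() */`, would keep the pairing visible where the next error path gets written.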
@@ -0,0 +1,99 @@ +From d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Thu, 23 Jul 2015 15:37:48 -0700 +Subject: x86/entry/64: Don't use IST entry for #BP stack + +From: Andy Lutomirski + +commit d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 upstream. + +There's nothing IST-worthy about #BP/int3. We don't allow kprobes +in the small handful of places in the kernel that run at CPL0 with +an invalid stack, and 32-bit kernels have used normal interrupt +gates for #BP forever. + +Furthermore, we don't allow kprobes in places that have usergs while +in kernel mode, so "paranoid" is also unnecessary. + +Signed-off-by: Andy Lutomirski +Signed-off-by: Linus Torvalds +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/entry_64.S | 2 +- + arch/x86/kernel/idt.c | 2 -- + arch/x86/kernel/traps.c | 15 ++++++++------- + 3 files changed, 9 insertions(+), 10 deletions(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -1091,7 +1091,7 @@ apicinterrupt3 HYPERVISOR_CALLBACK_VECTO + #endif /* CONFIG_HYPERV */ + + idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK +-idtentry int3 do_int3 has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK ++idtentry int3 do_int3 has_error_code=0 + idtentry stack_segment do_stack_segment has_error_code=1 + + #ifdef CONFIG_XEN +--- a/arch/x86/kernel/idt.c ++++ b/arch/x86/kernel/idt.c +@@ -160,7 +160,6 @@ static const __initconst struct idt_data + */ + static const __initconst struct idt_data dbg_idts[] = { + INTG(X86_TRAP_DB, debug), +- INTG(X86_TRAP_BP, int3), + }; + #endif + +@@ -183,7 +182,6 @@ gate_desc debug_idt_table[IDT_ENTRIES] _ + static const __initconst struct idt_data ist_idts[] = { + ISTG(X86_TRAP_DB, debug, DEBUG_STACK), + ISTG(X86_TRAP_NMI, nmi, NMI_STACK), +- SISTG(X86_TRAP_BP, int3, DEBUG_STACK), + ISTG(X86_TRAP_DF, double_fault, DOUBLEFAULT_STACK), + #ifdef CONFIG_X86_MCE + 
ISTG(X86_TRAP_MC, &machine_check, MCE_STACK), +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -571,7 +571,6 @@ do_general_protection(struct pt_regs *re + } + NOKPROBE_SYMBOL(do_general_protection); + +-/* May run on IST stack. */ + dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code) + { + #ifdef CONFIG_DYNAMIC_FTRACE +@@ -586,6 +585,13 @@ dotraplinkage void notrace do_int3(struc + if (poke_int3_handler(regs)) + return; + ++ /* ++ * Use ist_enter despite the fact that we don't use an IST stack. ++ * We can be called from a kprobe in non-CONTEXT_KERNEL kernel ++ * mode or even during context tracking state changes. ++ * ++ * This means that we can't schedule. That's okay. ++ */ + ist_enter(regs); + RCU_LOCKDEP_WARN(!rcu_is_watching(), "entry code didn't wake RCU"); + #ifdef CONFIG_KGDB_LOW_LEVEL_TRAP +@@ -603,15 +609,10 @@ dotraplinkage void notrace do_int3(struc + SIGTRAP) == NOTIFY_STOP) + goto exit; + +- /* +- * Let others (NMI) know that the debug stack is in use +- * as we may switch to the interrupt stack. +- */ +- debug_stack_usage_inc(); + cond_local_irq_enable(regs); + do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL); + cond_local_irq_disable(regs); +- debug_stack_usage_dec(); ++ + exit: + ist_exit(regs); + } diff --git a/queue-4.14/x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch b/queue-4.14/x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch new file mode 100644 index 00000000000..4e698a8f4fd --- /dev/null +++ b/queue-4.14/x86-vsyscall-64-use-proper-accessor-to-update-p4d-entry.patch 
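Review bot: In do_int3() the removed `debug_stack_usage_dec();` is replaced by an empty added line, leaving a stray blank line immediately before the `exit:` label; drop it so the label follows `cond_local_irq_disable(regs);` directly. The new comment explaining why `ist_enter()` is kept without an IST stack is helpful, and the matching `ist_exit(regs)` at the end could carry a short `/* paired with ist_enter() above; no IST stack involved */` so it is not mistaken for a leftover. do_int3() starts outside the hunk.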
@@ -0,0 +1,36 @@ +From 31ad7f8e7dc94d3b85ccf9b6141ce6dfd35a1781 Mon Sep 17 00:00:00 2001 +From: Boris Ostrovsky +Date: Mon, 19 Mar 2018 10:31:54 -0400 +Subject: x86/vsyscall/64: Use proper accessor to update P4D entry + +From: Boris Ostrovsky + +commit 31ad7f8e7dc94d3b85ccf9b6141ce6dfd35a1781 upstream. + +Writing to it directly does not work for Xen PV guests. + +Fixes: 49275fef986a ("x86/vsyscall/64: Explicitly set _PAGE_USER in the pagetable hierarchy") +Signed-off-by: Boris Ostrovsky +Signed-off-by: Thomas Gleixner +Reviewed-by: Juergen Gross +Acked-by: Andy Lutomirski +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20180319143154.3742-1-boris.ostrovsky@oracle.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/entry/vsyscall/vsyscall_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/entry/vsyscall/vsyscall_64.c ++++ b/arch/x86/entry/vsyscall/vsyscall_64.c +@@ -355,7 +355,7 @@ void __init set_vsyscall_pgtable_user_bi + set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER)); + p4d = p4d_offset(pgd, VSYSCALL_ADDR); + #if CONFIG_PGTABLE_LEVELS >= 5 +- p4d->p4d |= _PAGE_USER; ++ set_p4d(p4d, __p4d(p4d_val(*p4d) | _PAGE_USER)); + #endif + pud = pud_offset(p4d, VSYSCALL_ADDR); + set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));
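Review bot: The `#if CONFIG_PGTABLE_LEVELS >= 5` around the new `set_p4d()` call has no comment saying why the 4-level configuration needs nothing here; with a folded p4d the entry is the pgd slot already rewritten by `set_pgd()` two lines above, so `/* with 4-level paging the p4d is folded into the pgd, already updated above */` would save the next reader working that out. set_vsyscall_pgtable_user_bits() continues past the hunk; the pmd/pte updates below presumably already go through their accessors, but that is not visible here.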