From 32f31cb1b09d978c2f6a68c4f8454532916c5066 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 9 Dec 2019 21:02:48 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
crypto-user-fix-memory-leak-in-crypto_report.patch
drm-i810-prevent-underflow-in-ioctl.patch
kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
spi-atmel-fix-cs-high-support.patch
---
 ...double-free-in-crypto4xx_destroy_sdr.patch | 43 ++++++++++++++++
 ...ser-fix-memory-leak-in-crypto_report.patch | 36 +++++++++++++
 .../drm-i810-prevent-underflow-in-ioctl.patch | 43 ++++++++++++++++
 ...ot-modify-masked-bits-of-shared-msrs.patch | 51 +++++++++++++++++++
 ...-of-tsx-feature-in-arch_capabilities.patch | 44 ++++++++++++++++
 queue-4.4/series | 6 +++
 queue-4.4/spi-atmel-fix-cs-high-support.patch | 50 ++++++++++++++++++
 7 files changed, 273 insertions(+)
 create mode 100644 queue-4.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
 create mode 100644 queue-4.4/crypto-user-fix-memory-leak-in-crypto_report.patch
 create mode 100644 queue-4.4/drm-i810-prevent-underflow-in-ioctl.patch
 create mode 100644 queue-4.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
 create mode 100644 queue-4.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
 create mode 100644 queue-4.4/spi-atmel-fix-cs-high-support.patch
diff --git a/queue-4.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch b/queue-4.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
new file mode 100644
index 00000000000..056e20bae43
--- /dev/null
+++ b/queue-4.4/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
@@ -0,0 +1,43 @@
+From 746c908c4d72e49068ab216c3926d2720d71a90d Mon Sep 17 00:00:00 2001
+From: Christian Lamparter
+Date: Thu, 31 Oct 2019 17:14:38 +0100
+Subject: crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
+
+From: Christian Lamparter
+
+commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream.
+
+This patch fixes a crash that can happen during probe
+when the available dma memory is not enough (this can
+happen if the crypto4xx is built as a module).
+
+The descriptor window mapping would end up being free'd
+twice, once in crypto4xx_build_pdr() and the second time
+in crypto4xx_destroy_sdr().
+
+Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak")
+Cc:
+Signed-off-by: Christian Lamparter
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/amcc/crypto4xx_core.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/crypto/amcc/crypto4xx_core.c
++++ b/drivers/crypto/amcc/crypto4xx_core.c
+@@ -399,12 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr
+ dma_alloc_coherent(dev->core_dev->device,
+ dev->scatter_buffer_size * PPC4XX_NUM_SD,
+ &dev->scatter_buffer_pa, GFP_ATOMIC);
+- if (!dev->scatter_buffer_va) {
+- dma_free_coherent(dev->core_dev->device,
+- sizeof(struct ce_sd) * PPC4XX_NUM_SD,
+- dev->sdr, dev->sdr_pa);
++ if (!dev->scatter_buffer_va)
+ return -ENOMEM;
+- }
+
+ sd_array = dev->sdr;
+
diff --git a/queue-4.4/crypto-user-fix-memory-leak-in-crypto_report.patch b/queue-4.4/crypto-user-fix-memory-leak-in-crypto_report.patch
new file mode 100644
index 00000000000..65d3bd4aec7
--- /dev/null
+++ b/queue-4.4/crypto-user-fix-memory-leak-in-crypto_report.patch
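Review bot: With the local `dma_free_coherent()` removed, the bare `return -ENOMEM;` in crypto4xx_build_sdr() leaves `dev->sdr` allocated and depends on the caller running crypto4xx_destroy_sdr() exactly once on its error path, which is not visible in this hunk. A comment at the return would keep a later reader from re-adding the free, for example `/* dev->sdr is released by crypto4xx_destroy_sdr() on the caller's error path */`. Separately, the hunk header shows the function declared `static u32` while it returns `-ENOMEM`, so a caller that tests the result with `< 0` would never see the failure; the signature is truncated here and the caller is outside the hunk, so this needs checking against the full file.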
@@ -0,0 +1,36 @@
+From ffdde5932042600c6807d46c1550b28b0db6a3bc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Fri, 4 Oct 2019 14:29:16 -0500
+Subject: crypto: user - fix memory leak in crypto_report
+
+From: Navid Emamdoost
+
+commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream.
+
+In crypto_report, a new skb is created via nlmsg_new(). This skb should
+be released if crypto_report_alg() fails.
+
+Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
+Cc:
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/crypto_user.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -249,8 +249,10 @@ static int crypto_report(struct sk_buff
+ drop_alg:
+ crypto_mod_put(alg);
+
+- if (err)
++ if (err) {
++ kfree_skb(skb);
+ return err;
++ }
+
+ return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
+ }
diff --git a/queue-4.4/drm-i810-prevent-underflow-in-ioctl.patch b/queue-4.4/drm-i810-prevent-underflow-in-ioctl.patch
new file mode 100644
index 00000000000..4b3aa30dbf5
--- /dev/null
+++ b/queue-4.4/drm-i810-prevent-underflow-in-ioctl.patch
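Review bot: The added `kfree_skb(skb)` sits below the shared `drop_alg:` label, so it runs for every failure that jumps there, and the hunk does not show whether `skb` is always either a valid buffer or NULL at that point. The top of crypto_report() is outside the hunk, so the initial value of `skb` on the early error paths should be confirmed; kfree_skb() accepts NULL, but an uninitialized pointer would turn this leak fix into a bad free. A one-line comment such as `/* not handed to netlink on error, so free it here; skb may be NULL */` would record the ownership rule.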
@@ -0,0 +1,43 @@
+From 4f69851fbaa26b155330be35ce8ac393e93e7442 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 4 Oct 2019 13:22:51 +0300
+Subject: drm/i810: Prevent underflow in ioctl
+
+From: Dan Carpenter
+
+commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.
+
+The "used" variables here come from the user in the ioctl and it can be
+negative. It could result in an out of bounds write.
+
+Signed-off-by: Dan Carpenter
+Reviewed-by: Chris Wilson
+Signed-off-by: Chris Wilson
+Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i810/i810_dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i810/i810_dma.c
++++ b/drivers/gpu/drm/i810/i810_dma.c
+@@ -723,7 +723,7 @@ static void i810_dma_dispatch_vertex(str
+ if (nbox > I810_NR_SAREA_CLIPRECTS)
+ nbox = I810_NR_SAREA_CLIPRECTS;
+
+- if (used > 4 * 1024)
++ if (used < 0 || used > 4 * 1024)
+ used = 0;
+
+ if (sarea_priv->dirty)
+@@ -1043,7 +1043,7 @@ static void i810_dma_dispatch_mc(struct
+ if (u != I810_BUF_CLIENT)
+ DRM_DEBUG("MC found buffer that isn't mine!\n");
+
+- if (used > 4 * 1024)
++ if (used < 0 || used > 4 * 1024)
+ used = 0;
+
+ sarea_priv->dirty = 0x7f;
diff --git a/queue-4.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/queue-4.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
new file mode 100644
index 00000000000..7bd9a45bb67
--- /dev/null
+++ b/queue-4.4/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
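Review bot: In both i810_dma_dispatch_vertex() and i810_dma_dispatch_mc() an out-of-range `used` supplied by userspace is silently rewritten to 0 and the dispatch carries on, so a caller passing a negative or oversized length gets no error back. Both functions are `static void`, so rejecting the request with `-EINVAL` would have to happen in the ioctl handlers that call them, which are outside these hunks. The limit `4 * 1024` is also repeated as a bare literal in the two checks; a single named constant shared by both sites (placeholder name `I810_MAX_USED_BYTES`) would keep them from drifting apart, and a comment such as `/* used comes from the ioctl argument and may be negative */` would explain the lower bound.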
@@ -0,0 +1,51 @@
+From de1fca5d6e0105c9d33924e1247e2f386efc3ece Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 18 Nov 2019 12:23:00 -0500
+Subject: KVM: x86: do not modify masked bits of shared MSRs
+
+From: Paolo Bonzini
+
+commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.
+
+"Shared MSRs" are guest MSRs that are written to the host MSRs but
+keep their value until the next return to userspace. They support
+a mask, so that some bits keep the host value, but this mask is
+only used to skip an unnecessary MSR write and the value written
+to the MSR is always the guest MSR.
+
+Fix this and, while at it, do not update smsr->values[slot].curr if
+for whatever reason the wrmsr fails. This should only happen due to
+reserved bits, so the value written to smsr->values[slot].curr
+will not match when the user-return notifier and the host value will
+always be restored. However, it is untidy and in rare cases this
+can actually avoid spurious WRMSRs on return to userspace.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson
+Tested-by: Jim Mattson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -260,13 +260,14 @@ int kvm_set_shared_msr(unsigned slot, u6
+ struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
+ int err;
+
+- if (((value ^ smsr->values[slot].curr) & mask) == 0)
++ value = (value & mask) | (smsr->values[slot].host & ~mask);
++ if (value == smsr->values[slot].curr)
+ return 0;
+- smsr->values[slot].curr = value;
+ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
+ if (err)
+ return 1;
+
++ smsr->values[slot].curr = value;
+ if (!smsr->registered) {
+ smsr->urn.on_user_return = kvm_on_user_return;
+ user_return_notifier_register(&smsr->urn);
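Review bot: The new merge `(value & mask) | (smsr->values[slot].host & ~mask)` in kvm_set_shared_msr() makes the value written to the MSR depend on `smsr->values[slot].host` already holding this CPU's host value, and nothing in the hunk shows where that field is filled in. If it could still be unset on the first call, the bits outside `mask` would be written from that stale value instead of being preserved, so the initialisation order is worth confirming against the rest of x86.c. The line also deserves a comment, for example `/* bits outside mask keep the host value; only masked bits come from the guest */`. The function body continues past the end of the hunk.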
diff --git a/queue-4.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch b/queue-4.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
new file mode 100644
index 00000000000..acec0f11b08
--- /dev/null
+++ b/queue-4.4/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
@@ -0,0 +1,44 @@
+From cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 18 Nov 2019 18:58:26 +0100
+Subject: KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
+
+From: Paolo Bonzini
+
+commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream.
+
+KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented
+to the guests. It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR &&
+!RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not
+hidden (it actually was), yet the value says that TSX is not vulnerable
+to microarchitectural data sampling. Fix both.
+
+Cc: stable@vger.kernel.org
+Tested-by: Jim Mattson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1024,10 +1024,15 @@ u64 kvm_get_arch_capabilities(void)
+ * If TSX is disabled on the system, guests are also mitigated against
+ * TAA and clear CPU buffer mitigation is not required for guests.
+ */
+- if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
+- (data & ARCH_CAP_TSX_CTRL_MSR))
++ if (!boot_cpu_has(X86_FEATURE_RTM))
++ data &= ~ARCH_CAP_TAA_NO;
++ else if (!boot_cpu_has_bug(X86_BUG_TAA))
++ data |= ARCH_CAP_TAA_NO;
++ else if (data & ARCH_CAP_TSX_CTRL_MSR)
+ data &= ~ARCH_CAP_MDS_NO;
+
++ /* KVM does not emulate MSR_IA32_TSX_CTRL. */
++ data &= ~ARCH_CAP_TSX_CTRL_MSR;
+ return data;
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index eb8a14479bc..e570631d4eb 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
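Review bot: The block comment kept as context above the new chain in kvm_get_arch_capabilities() still describes only the old single condition, while the code now has three branches that set or clear `ARCH_CAP_TAA_NO` and `ARCH_CAP_MDS_NO`. Each branch should say what it reports to the guest, for example `/* no RTM on the host: do not advertise TAA_NO */` on the first one. The final `data &= ~ARCH_CAP_TSX_CTRL_MSR;` has to stay after the `else if (data & ARCH_CAP_TSX_CTRL_MSR)` test, because that test reads the bit before it is hidden from the guest. The existing one-line comment could state that ordering so a later cleanup does not hoist the clear above the chain.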
@@ -60,3 +60,9 @@ cifs-fix-smb2-oplock-break-processing.patch
 tty-vt-keyboard-reject-invalid-keycodes.patch
 can-slcan-fix-use-after-free-read-in-slcan_open.patch
 jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch
+drm-i810-prevent-underflow-in-ioctl.patch
+kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch
+kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch
+crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch
+crypto-user-fix-memory-leak-in-crypto_report.patch
+spi-atmel-fix-cs-high-support.patch
diff --git a/queue-4.4/spi-atmel-fix-cs-high-support.patch b/queue-4.4/spi-atmel-fix-cs-high-support.patch
new file mode 100644
index 00000000000..b1b14242829
--- /dev/null
+++ b/queue-4.4/spi-atmel-fix-cs-high-support.patch
@@ -0,0 +1,50 @@
+From 7cbb16b2122c09f2ae393a1542fed628505b9da6 Mon Sep 17 00:00:00 2001
+From: Gregory CLEMENT
+Date: Thu, 17 Oct 2019 16:18:41 +0200
+Subject: spi: atmel: Fix CS high support
+
+From: Gregory CLEMENT
+
+commit 7cbb16b2122c09f2ae393a1542fed628505b9da6 upstream.
+
+Until a few years ago, this driver was only used with CS GPIO. The
+only exception is CS0 on AT91RM9200 which has to use internal CS. A
+limitation of the internal CS is that they don't support CS High.
+
+So by using the CS GPIO the CS high configuration was available except
+for the particular case CS0 on RM9200.
+
+When the support for the internal chip-select was added, the check of
+the CS high support was not updated. Due to this the driver accepts
+this configuration for all the SPI controller v2 (used by all SoCs
+excepting the AT91RM9200) whereas the hardware doesn't support it for
+infernal CS.
+
+This patch fixes the test to match the hardware capabilities.
+
+Fixes: 4820303480a1 ("spi: atmel: add support for the internal chip-select of the spi controller")
+Cc:
+Signed-off-by: Gregory CLEMENT
+Link: https://lore.kernel.org/r/20191017141846.7523-3-gregory.clement@bootlin.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-atmel.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -1209,10 +1209,8 @@ static int atmel_spi_setup(struct spi_de
+ as = spi_master_get_devdata(spi->master);
+
+ /* see notes above re chipselect */
+- if (!atmel_spi_is_v2(as)
+- && spi->chip_select == 0
+- && (spi->mode & SPI_CS_HIGH)) {
+- dev_dbg(&spi->dev, "setup: can't be active-high\n");
++ if (!as->use_cs_gpios && (spi->mode & SPI_CS_HIGH)) {
++ dev_warn(&spi->dev, "setup: non GPIO CS can't be active-high\n");
+ return -EINVAL;
+ }
+
-- 
2.47.3
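Review bot: The rewritten check in atmel_spi_setup() is still introduced by `/* see notes above re chipselect */`, but the condition no longer depends on the controller version or on chip select 0, so that pointer may now lead to notes describing the old rule; those notes are outside the hunk. A comment local to the test would be safer, for example `/* the controller's own chip selects cannot be active-high; only GPIO chip selects can */`. The message was also raised from dev_dbg to dev_warn, so if setup can run repeatedly for a misconfigured device the warning will repeat in the log each time.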