From f314dd93e82915cd4e77dfe38bb64860233069eb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 19 Jul 2018 18:40:49 +0200 Subject: [PATCH] 4.17-stable patches added patches: crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch net-cxgb3_main-fix-potential-spectre-v1.patch net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch rtlwifi-fix-kernel-oops-fw-download-fail.patch rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch x86-kvm-kconfig-ensure-crypto_dev_ccp_dd-state-at-minimum-matches-kvm_amd.patch --- ...lize-sg_num_bytes-in-error-code-path.patch | 41 +++++ ...-cxgb3_main-fix-potential-spectre-v1.patch | 53 ++++++ ...e-in-tx-pending-skb-size-calculation.patch | 55 ++++++ ...ifi-fix-kernel-oops-fw-download-fail.patch | 165 ++++++++++++++++++ ...1ae-fix-firmware-is-not-ready-to-run.patch | 41 +++++ queue-4.17/series | 6 + ..._dd-state-at-minimum-matches-kvm_amd.patch | 40 +++++ 7 files changed, 401 insertions(+) create mode 100644 queue-4.17/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch create mode 100644 queue-4.17/net-cxgb3_main-fix-potential-spectre-v1.patch create mode 100644 queue-4.17/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch create mode 100644 queue-4.17/rtlwifi-fix-kernel-oops-fw-download-fail.patch create mode 100644 queue-4.17/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch create mode 100644 queue-4.17/x86-kvm-kconfig-ensure-crypto_dev_ccp_dd-state-at-minimum-matches-kvm_amd.patch diff --git a/queue-4.17/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch b/queue-4.17/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch new file mode 100644 index 00000000000..c644294413f --- /dev/null +++ b/queue-4.17/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch 
@@ -0,0 +1,41 @@
+From 2546da99212f22034aecf279da9c47cbfac6c981 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller
+Date: Sat, 7 Jul 2018 20:41:47 +0200
+Subject: crypto: af_alg - Initialize sg_num_bytes in error code path
+
+From: Stephan Mueller
+
+commit 2546da99212f22034aecf279da9c47cbfac6c981 upstream.
+
+The RX SGL in processing is already registered with the RX SGL tracking
+list to support proper cleanup. The cleanup code path uses the
+sg_num_bytes variable which must therefore be always initialized, even
+in the error code path.
+
+Signed-off-by: Stephan Mueller
+Reported-by: syzbot+9c251bdd09f83b92ba95@syzkaller.appspotmail.com
+#syz test: https://github.com/google/kmsan.git master
+CC: #4.14
+Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/af_alg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1156,8 +1156,10 @@ int af_alg_get_rsgl(struct sock *sk, str
+
+ /* make one iovec available as scatterlist */
+ err = af_alg_make_sg(&rsgl->sgl, &msg->msg_iter, seglen);
+- if (err < 0)
++ if (err < 0) {
++ rsgl->sg_num_bytes = 0;
+ return err;
++ }
+
+ /* chain the new scatterlist with previous one */
+ if (areq->last_rsgl)
diff --git a/queue-4.17/net-cxgb3_main-fix-potential-spectre-v1.patch b/queue-4.17/net-cxgb3_main-fix-potential-spectre-v1.patch
new file mode 100644
index 00000000000..7fe38ef9810
--- /dev/null
+++ b/queue-4.17/net-cxgb3_main-fix-potential-spectre-v1.patch
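Review bot: The new `rsgl->sg_num_bytes = 0;` sits only on the `af_alg_make_sg()` failure branch, so any other exit between the point where this rsgl joins the tracking list (per the commit message it is already listed here) and the later assignment of the field would still leave it uninitialised; `af_alg_get_rsgl()` starts and ends outside the hunk, so whether such exits exist is not visible. A more robust shape is to initialise the field once, before the call — `rsgl->sg_num_bytes = 0;` on the line ahead of `err = af_alg_make_sg(...)` — and keep the original one-line `if (err < 0) return err;`, so the cleanup path sees a consistent entry whichever way the function leaves. Either way the assignment deserves a why-comment, e.g. `/* rsgl is already on the tracking list; cleanup reads sg_num_bytes */`, since nothing at this point in the code explains why a failed call must touch the struct.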
@@ -0,0 +1,53 @@
+From 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 16 Jul 2018 20:59:58 -0500
+Subject: net: cxgb3_main: fix potential Spectre v1
+
+From: Gustavo A. R. Silva
+
+commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream.
+
+t.qset_idx can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
+warn: potential spectre issue 'adapter->msix_info'
+
+Fix this by sanitizing t.qset_idx before using it to index
+adapter->msix_info
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -51,6 +51,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "common.h"
+ #include "cxgb3_ioctl.h"
+@@ -2268,6 +2269,7 @@ static int cxgb_extension_ioctl(struct n
+
+ if (t.qset_idx >= nqsets)
+ return -EINVAL;
++ t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
+
+ q = &adapter->params.sge.qset[q1 + t.qset_idx];
+ t.rspq_size = q->rspq_size;
diff --git a/queue-4.17/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch b/queue-4.17/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
new file mode 100644
index 00000000000..f49d1f60682
--- /dev/null
+++ b/queue-4.17/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
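Review bot: `array_index_nospec(t.qset_idx, nqsets)` bounds only the user-controlled term, while the very next line indexes with the sum `qset[q1 + t.qset_idx]`; the barrier is sound only if `q1 + nqsets` never exceeds `adapter->params.sge.qset[]`, and both `q1` and `nqsets` are computed outside the hunk, so that invariant should be confirmed and noted at the clamp, e.g. `/* q1 + nqsets stays within qset[] for this port */`. The commit message points at the `adapter->msix_info` index at line 2286, below the hunk; since the clamped value is written back into `t.qset_idx`, that use is covered only if it reads `t.qset_idx` directly rather than a copy taken before this point. The added `#include` in the first hunk lost its header name during extraction, so it cannot be checked here; it is presumably `<linux/nospec.h>`, which provides `array_index_nospec()`. `cxgb_extension_ioctl()` starts and ends outside the hunk.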
@@ -0,0 +1,55 @@
+From dea39aca1d7aef1e2b95b07edeacf04cc8863a2e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Sun, 15 Jul 2018 21:53:20 +0200
+Subject: net: lan78xx: Fix race in tx pending skb size calculation
+
+From: Stefan Wahren
+
+commit dea39aca1d7aef1e2b95b07edeacf04cc8863a2e upstream.
+
+The skb size calculation in lan78xx_tx_bh is in race with the start_xmit,
+which could lead to rare kernel oopses. So protect the whole skb walk with
+a spin lock. As a benefit we can unlink the skb directly.
+
+This patch was tested on Raspberry Pi 3B+
+
+Link: https://github.com/raspberrypi/linux/issues/2608
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
+Cc: stable
+Signed-off-by: Floris Bos
+Signed-off-by: Stefan Wahren
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/lan78xx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3193,6 +3193,7 @@ static void lan78xx_tx_bh(struct lan78xx
+ pkt_cnt = 0;
+ count = 0;
+ length = 0;
++ spin_lock_irqsave(&tqp->lock, flags);
+ for (skb = tqp->next; pkt_cnt < tqp->qlen; skb = skb->next) {
+ if (skb_is_gso(skb)) {
+ if (pkt_cnt) {
+@@ -3201,7 +3202,8 @@ static void lan78xx_tx_bh(struct lan78xx
+ }
+ count = 1;
+ length = skb->len - TX_OVERHEAD;
+- skb2 = skb_dequeue(tqp);
++ __skb_unlink(skb, tqp);
++ spin_unlock_irqrestore(&tqp->lock, flags);
+ goto gso_skb;
+ }
+
+@@ -3210,6 +3212,7 @@ static void lan78xx_tx_bh(struct lan78xx
+ skb_totallen = skb->len + roundup(skb_totallen, sizeof(u32));
+ pkt_cnt++;
+ }
++ spin_unlock_irqrestore(&tqp->lock, flags);
+
+ /* copy to a single skb */
+ skb = alloc_skb(skb_totallen, GFP_ATOMIC);
diff --git a/queue-4.17/rtlwifi-fix-kernel-oops-fw-download-fail.patch b/queue-4.17/rtlwifi-fix-kernel-oops-fw-download-fail.patch
new file mode 100644
index 00000000000..aadac198a85
--- /dev/null
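Review bot: The `if (pkt_cnt) {` body at lines 3198–3200 lies between the first two hunks and is not shown, yet it decides whether the new `spin_lock_irqsave(&tqp->lock, flags)` is balanced: a `break` there reaches the unlock added after the loop, while a `goto` or `return` would leave with the queue lock held and interrupts off, so that path needs checking. `flags` is used without a visible declaration; the diffstat's four insertions imply it already exists in `lan78xx_tx_bh()` (which starts and ends outside the hunk), but that cannot be confirmed here. The GSO branch unlocks before `goto gso_skb` and the non-GSO path unlocks after the loop, so a short comment on each, e.g. `/* skb already unlinked; release the queue lock before the gso_skb path */`, would make the two exit shapes explicit. The lock covers only the walk that computes `skb_totallen`/`pkt_cnt`; `alloc_skb()` and whatever follows run after the unlock, which matches the commit's stated scope.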
+++ b/queue-4.17/rtlwifi-fix-kernel-oops-fw-download-fail.patch 
@@ -0,0 +1,165 @@
+From 12dfa2f68ab659636e092db13b5d17cf9aac82af Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih
+Date: Fri, 22 Jun 2018 13:31:57 +0800
+Subject: rtlwifi: Fix kernel Oops "Fw download fail!!"
+
+From: Ping-Ke Shih
+
+commit 12dfa2f68ab659636e092db13b5d17cf9aac82af upstream.
+
+When connecting to AP, mac80211 asks driver to enter and leave PS quickly,
+but driver deinit doesn't wait for delayed work complete when entering PS,
+then driver reinit procedure and delay work are running simultaneously.
+This will cause unpredictable kernel oops or crash like
+
+rtl8723be: error H2C cmd because of Fw download fail!!!
+WARNING: CPU: 3 PID: 159 at drivers/net/wireless/realtek/rtlwifi/
+ rtl8723be/fw.c:227 rtl8723be_fill_h2c_cmd+0x182/0x510 [rtl8723be]
+CPU: 3 PID: 159 Comm: kworker/3:2 Tainted: G O 4.16.13-2-ARCH #1
+Hardware name: ASUSTeK COMPUTER INC. X556UF/X556UF, BIOS X556UF.406
+ 10/21/2016
+Workqueue: rtl8723be_pci rtl_c2hcmd_wq_callback [rtlwifi]
+RIP: 0010:rtl8723be_fill_h2c_cmd+0x182/0x510 [rtl8723be]
+RSP: 0018:ffffa6ab01e1bd70 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffffa26069071520 RCX: 0000000000000001
+RDX: 0000000080000001 RSI: ffffffff8be70e9c RDI: 00000000ffffffff
+RBP: 0000000000000000 R08: 0000000000000048 R09: 0000000000000348
+R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+R13: ffffa26069071520 R14: 0000000000000000 R15: ffffa2607d205f70
+FS: 0000000000000000(0000) GS:ffffa26081d80000(0000) knlGS:000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000443b39d3000 CR3: 000000037700a005 CR4: 00000000003606e0
+Call Trace:
+ ? halbtc_send_bt_mp_operation.constprop.17+0xd5/0xe0 [btcoexist]
+ ? ex_btc8723b1ant_bt_info_notify+0x3b8/0x820 [btcoexist]
+ ? rtl_c2hcmd_launcher+0xab/0x110 [rtlwifi]
+ ? process_one_work+0x1d1/0x3b0
+ ? worker_thread+0x2b/0x3d0
+ ? process_one_work+0x3b0/0x3b0
+ ? kthread+0x112/0x130
+ ? kthread_create_on_node+0x60/0x60
+ ? ret_from_fork+0x35/0x40
+Code: 00 76 b4 e9 e2 fe ff ff 4c 89 ee 4c 89 e7 e8 56 22 86 ca e9 5e ...
+
+This patch ensures all delayed works done before entering PS to satisfy
+our expectation, so use cancel_delayed_work_sync() instead. An exception
+is delayed work ips_nic_off_wq because running task may be itself, so add
+a parameter ips_wq to deinit function to handle this case.
+
+This issue is reported and fixed in below threads:
+https://github.com/lwfinger/rtlwifi_new/issues/367
+https://github.com/lwfinger/rtlwifi_new/issues/366
+
+Tested-by: Evgeny Kapun # 8723DE
+Tested-by: Shivam Kakkar # 8723BE on 4.18-rc1
+Signed-off-by: Ping-Ke Shih
+Fixes: cceb0a597320 ("rtlwifi: Add work queue for c2h cmd.")
+Cc: Stable # 4.11+
+Reviewed-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 17 ++++++++++-------
+ drivers/net/wireless/realtek/rtlwifi/base.h | 2 +-
+ drivers/net/wireless/realtek/rtlwifi/core.c | 2 +-
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 2 +-
+ drivers/net/wireless/realtek/rtlwifi/ps.c | 4 ++--
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 2 +-
+ 6 files changed, 16 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -485,18 +485,21 @@ static void _rtl_init_deferred_work(stru
+
+ }
+
+-void rtl_deinit_deferred_work(struct ieee80211_hw *hw)
++void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq)
+ {
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+
+ del_timer_sync(&rtlpriv->works.watchdog_timer);
+
+- cancel_delayed_work(&rtlpriv->works.watchdog_wq);
+- cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq);
+- cancel_delayed_work(&rtlpriv->works.ps_work);
+- cancel_delayed_work(&rtlpriv->works.ps_rfon_wq);
+- cancel_delayed_work(&rtlpriv->works.fwevt_wq);
+- cancel_delayed_work(&rtlpriv->works.c2hcmd_wq);
++ cancel_delayed_work_sync(&rtlpriv->works.watchdog_wq);
++ if (ips_wq)
++ cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq);
++ else
++ cancel_delayed_work_sync(&rtlpriv->works.ips_nic_off_wq);
++ cancel_delayed_work_sync(&rtlpriv->works.ps_work);
++ cancel_delayed_work_sync(&rtlpriv->works.ps_rfon_wq);
++ cancel_delayed_work_sync(&rtlpriv->works.fwevt_wq);
++ cancel_delayed_work_sync(&rtlpriv->works.c2hcmd_wq);
+ }
+ EXPORT_SYMBOL_GPL(rtl_deinit_deferred_work);
+
+--- a/drivers/net/wireless/realtek/rtlwifi/base.h
++++ b/drivers/net/wireless/realtek/rtlwifi/base.h
+@@ -121,7 +121,7 @@ void rtl_init_rfkill(struct ieee80211_hw
+ void rtl_deinit_rfkill(struct ieee80211_hw *hw);
+
+ void rtl_watch_dog_timer_callback(struct timer_list *t);
+-void rtl_deinit_deferred_work(struct ieee80211_hw *hw);
++void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq);
+
+ bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx);
+ int rtlwifi_rate_mapping(struct ieee80211_hw *hw, bool isht,
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -196,7 +196,7 @@ static void rtl_op_stop(struct ieee80211
+ /* reset sec info */
+ rtl_cam_reset_sec_info(hw);
+
+- rtl_deinit_deferred_work(hw);
++ rtl_deinit_deferred_work(hw, false);
+ }
+ rtlpriv->intf_ops->adapter_stop(hw);
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -2375,7 +2375,7 @@ void rtl_pci_disconnect(struct pci_dev *
+ ieee80211_unregister_hw(hw);
+ rtlmac->mac80211_registered = 0;
+ } else {
+- rtl_deinit_deferred_work(hw);
++ rtl_deinit_deferred_work(hw, false);
+ rtlpriv->intf_ops->adapter_stop(hw);
+ }
+ rtlpriv->cfg->ops->disable_interrupt(hw);
+--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
+@@ -71,7 +71,7 @@ bool rtl_ps_disable_nic(struct ieee80211
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+
+ /*<1> Stop all timer */
+- rtl_deinit_deferred_work(hw);
++ rtl_deinit_deferred_work(hw, true);
+
+ /*<2> Disable Interrupt */ + rtlpriv->cfg->ops->disable_interrupt(hw); +@@ -292,7 +292,7 @@ void rtl_ips_nic_on(struct ieee80211_hw + struct rtl_ps_ctl *ppsc = rtl_psc(rtl_priv(hw)); + enum rf_pwrstate rtstate; + +- cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq); ++ cancel_delayed_work_sync(&rtlpriv->works.ips_nic_off_wq); + + mutex_lock(&rtlpriv->locks.ips_mutex); + if (ppsc->inactiveps) { +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1132,7 +1132,7 @@ void rtl_usb_disconnect(struct usb_inter + ieee80211_unregister_hw(hw); + rtlmac->mac80211_registered = 0; + } else { +- rtl_deinit_deferred_work(hw); ++ rtl_deinit_deferred_work(hw, false); + rtlpriv->intf_ops->adapter_stop(hw); + } + /*deinit rfkill */ diff --git a/queue-4.17/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch b/queue-4.17/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch new file mode 100644 index 00000000000..21f5d6ea9cf --- /dev/null +++ b/queue-4.17/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch 
@@ -0,0 +1,41 @@
+From 9a98302de19991d51e067b88750585203b2a3ab6 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih
+Date: Thu, 28 Jun 2018 10:02:27 +0800
+Subject: rtlwifi: rtl8821ae: fix firmware is not ready to run
+
+From: Ping-Ke Shih
+
+commit 9a98302de19991d51e067b88750585203b2a3ab6 upstream.
+
+Without this patch, firmware will not run properly on rtl8821ae, and it
+causes bad user experience. For example, bad connection performance with
+low rate, higher power consumption, and so on.
+
+rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and
+each firmware has firmware data buffer and size individually. Original
+code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and
+this mismatch causes firmware checksum error, then firmware can't start.
+
+In this situation, driver gives message "Firmware is not ready to run!".
+
+Fixes: fe89707f0afa ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware")
+Signed-off-by: Ping-Ke Shih
+Cc: Stable # 4.0+
+Reviewed-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -130,7 +130,6 @@ found_alt:
+ firmware->size);
+ rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
+ }
+- rtlpriv->rtlhal.fwsize = firmware->size;
+ release_firmware(firmware);
+ }
+
diff --git a/queue-4.17/series
index 7e90cfbf970..c1aa73fa325 100644
--- a/queue-4.17/series
+++ b/queue-4.17/series
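Review bot: Removing `rtlpriv->rtlhal.fwsize = firmware->size;` means the code after the `if` block no longer writes `fwsize` at all, and the hunk does not show where the normal firmware's size is set instead; presumably the non-WoWLAN branch above `found_alt:` assigns `rtlhal.fwsize` itself, but that should be confirmed because otherwise the field is left stale. The visible tail of the `if` block assigns `wowlan_fwsize`, and a comment there would stop this from being "fixed" back, e.g. `/* each firmware keeps its own size; never clobber rtlhal.fwsize for WoWLAN */`. The enclosing function starts and ends outside the hunk.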
@@ -58,3 +58,9 @@ s390-qeth-avoid-using-is_multicast_ether_addr_64bits-on-u8.patch
 s390-qeth-fix-race-when-setting-mac-address.patch
 sfc-correctly-initialise-filter-rwsem-for-farch.patch
 virtio_net-split-xdp_tx-kick-and-xdp_redirect-map-flushing.patch
+x86-kvm-kconfig-ensure-crypto_dev_ccp_dd-state-at-minimum-matches-kvm_amd.patch
+net-cxgb3_main-fix-potential-spectre-v1.patch
+rtlwifi-fix-kernel-oops-fw-download-fail.patch
+rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
+net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
+crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch
diff --git a/queue-4.17/x86-kvm-kconfig-ensure-crypto_dev_ccp_dd-state-at-minimum-matches-kvm_amd.patch b/queue-4.17/x86-kvm-kconfig-ensure-crypto_dev_ccp_dd-state-at-minimum-matches-kvm_amd.patch
new file mode 100644
index 00000000000..b42e54f4b07
--- /dev/null
+++ b/queue-4.17/x86-kvm-kconfig-ensure-crypto_dev_ccp_dd-state-at-minimum-matches-kvm_amd.patch
@@ -0,0 +1,40 @@
+From d30f370d3a4998c13ed3e5c8ef607d05be0a987a Mon Sep 17 00:00:00 2001
+From: Janakarajan Natarajan
+Date: Wed, 27 Jun 2018 11:30:53 -0500
+Subject: x86/kvm/Kconfig: Ensure CRYPTO_DEV_CCP_DD state at minimum matches KVM_AMD
+
+From: Janakarajan Natarajan
+
+commit d30f370d3a4998c13ed3e5c8ef607d05be0a987a upstream.
+
+Prevent a config where KVM_AMD=y and CRYPTO_DEV_CCP_DD=m thereby ensuring
+that AMD Secure Processor device driver will be built-in when KVM_AMD is
+also built-in.
+
+v1->v2:
+* Removed usage of 'imply' Kconfig option.
+* Change patch commit message.
+
+Fixes: 505c9e94d832 ("KVM: x86: prefer "depends on" to "select" for SEV")
+
+Cc: # 4.16.x
+Signed-off-by: Janakarajan Natarajan
+Reviewed-by: Brijesh Singh
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/Kconfig
++++ b/arch/x86/kvm/Kconfig
+@@ -85,7 +85,7 @@ config KVM_AMD_SEV
+ def_bool y
+ bool "AMD Secure Encrypted Virtualization (SEV) support"
+ depends on KVM_AMD && X86_64
+- depends on CRYPTO_DEV_CCP && CRYPTO_DEV_CCP_DD && CRYPTO_DEV_SP_PSP
++ depends on CRYPTO_DEV_SP_PSP && !(KVM_AMD=y && CRYPTO_DEV_CCP_DD=m)
+ ---help---
+ Provides support for launching Encrypted VMs on AMD processors.
+
-- 
2.47.3
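Review bot: The new `depends on` drops `CRYPTO_DEV_CCP` and `CRYPTO_DEV_CCP_DD` from the dependency list entirely and relies on `CRYPTO_DEV_SP_PSP` plus the `!(KVM_AMD=y && CRYPTO_DEV_CCP_DD=m)` exclusion; that is only equivalent to the old line if `CRYPTO_DEV_SP_PSP` itself depends on `CRYPTO_DEV_CCP_DD` (and transitively `CRYPTO_DEV_CCP`), which is defined elsewhere and should be confirmed. The negated tristate comparison is an unusual Kconfig idiom and its purpose is not self-evident next to `def_bool y`; a comment above the line, e.g. `# KVM_AMD=y needs the CCP driver built in too, not as a module`, would save the next reader the trip to the commit message. The `def_bool y` / `bool "..."` pair on the preceding lines is pre-existing and untouched here.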