--- /dev/null
+From 1a3388d506bf5b45bb283e6a4c4706cfb4897333 Mon Sep 17 00:00:00 2001
+From: Stephen Warren <swarren@nvidia.com>
+Date: Thu, 3 Oct 2019 14:50:31 -0600
+Subject: ARM: tegra: Enable PLLP bypass during Tegra124 LP1
+
+From: Stephen Warren <swarren@nvidia.com>
+
+commit 1a3388d506bf5b45bb283e6a4c4706cfb4897333 upstream.
+
+For a little over a year, U-Boot has configured the flow controller to
+perform automatic RAM re-repair on off->on power transitions of the CPU
+rail[1]. This is mandatory for correct operation of Tegra124. However,
+RAM re-repair relies on certain clocks, which the kernel must enable and
+leave running. PLLP is one of those clocks. This clock is shut down
+during LP1 in order to save power. Enable bypass (which I believe routes
+osc_div_clk, essentially the crystal clock, to the PLL output) so that
+this clock signal toggles even though the PLL is not active. This is
+required so that LP1 power mode (system suspend) operates correctly.
+
+The bypass configuration must then be undone when resuming from LP1, so
+that all peripheral clocks run at the expected rate. Without this, many
+peripherals won't work correctly; for example, the UART baud rate would
+be incorrect.
+
+NVIDIA's downstream kernel code only does this if not compiled for
+Tegra30, so the added code is made conditional upon the chip ID.
+NVIDIA's downstream code makes this change conditional upon the active
+CPU cluster. The upstream kernel currently doesn't support cluster
+switching, so this patch doesn't test the active CPU cluster ID.
+
+[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
+
+Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Warren <swarren@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-tegra/sleep-tegra30.S | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/arm/mach-tegra/sleep-tegra30.S
++++ b/arch/arm/mach-tegra/sleep-tegra30.S
+@@ -382,6 +382,14 @@ _pll_m_c_x_done:
+ pll_locked r1, r0, CLK_RESET_PLLC_BASE
+ pll_locked r1, r0, CLK_RESET_PLLX_BASE
+
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
++ beq 1f
++ ldr r1, [r0, #CLK_RESET_PLLP_BASE]
++ bic r1, r1, #(1<<31) @ disable PllP bypass
++ str r1, [r0, #CLK_RESET_PLLP_BASE]
++1:
++
+ mov32 r7, TEGRA_TMRUS_BASE
+ ldr r1, [r7]
+ add r1, r1, #LOCK_DELAY
+@@ -641,7 +649,10 @@ tegra30_switch_cpu_to_clk32k:
+ str r0, [r4, #PMC_PLLP_WB0_OVERRIDE]
+
+ /* disable PLLP, PLLA, PLLC and PLLX */
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
+ ldr r0, [r5, #CLK_RESET_PLLP_BASE]
++ orrne r0, r0, #(1 << 31) @ enable PllP bypass on fast cluster
+ bic r0, r0, #(1 << 30)
+ str r0, [r5, #CLK_RESET_PLLP_BASE]
+ ldr r0, [r5, #CLK_RESET_PLLA_BASE]
--- /dev/null
+From d62b23c94952e78211a383b7d90ef0afbd9a3717 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 17 Jan 2020 08:57:51 -0500
+Subject: btrfs: set trans->drity in btrfs_commit_transaction
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit d62b23c94952e78211a383b7d90ef0afbd9a3717 upstream.
+
+If we abort a transaction we have the following sequence
+
+if (!trans->dirty && list_empty(&trans->new_bgs))
+ return;
+WRITE_ONCE(trans->transaction->aborted, err);
+
+The idea being if we didn't modify anything with our trans handle then
+we don't really need to abort the whole transaction, maybe the other
+trans handles are fine and we can carry on.
+
+However in the case of create_snapshot we add a pending_snapshot object
+to our transaction and then commit the transaction. We don't actually
+modify anything. sync() behaves the same way, attach to an existing
+transaction and commit it. This means that if we have an IO error in
+the right places we could abort the committing transaction with our
+trans->dirty being not set and thus not set transaction->aborted.
+
+This is a problem because in the create_snapshot() case we depend on
+pending->error being set to something, or btrfs_commit_transaction
+returning an error.
+
+If we are not the trans handle that gets to commit the transaction, and
+we're waiting on the commit to happen we get our return value from
+cur_trans->aborted. If this was not set to anything because sync() hit
+an error in the transaction commit before it could modify anything then
+cur_trans->aborted would be 0. Thus we'd return 0 from
+btrfs_commit_transaction() in create_snapshot.
+
+This is a problem because we then try to do things with
+pending_snapshot->snap, which will be NULL because we didn't create the
+snapshot, and then we'll get a NULL pointer dereference like the
+following
+
+"BUG: kernel NULL pointer dereference, address: 00000000000001f0"
+RIP: 0010:btrfs_orphan_cleanup+0x2d/0x330
+Call Trace:
+ ? btrfs_mksubvol.isra.31+0x3f2/0x510
+ btrfs_mksubvol.isra.31+0x4bc/0x510
+ ? __sb_start_write+0xfa/0x200
+ ? mnt_want_write_file+0x24/0x50
+ btrfs_ioctl_snap_create_transid+0x16c/0x1a0
+ btrfs_ioctl_snap_create_v2+0x11e/0x1a0
+ btrfs_ioctl+0x1534/0x2c10
+ ? free_debug_processing+0x262/0x2a3
+ do_vfs_ioctl+0xa6/0x6b0
+ ? do_sys_open+0x188/0x220
+ ? syscall_trace_enter+0x1f8/0x330
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x4a/0x1b0
+
+In order to fix this we need to make sure anybody who calls
+commit_transaction has trans->dirty set so that they properly set the
+trans->transaction->aborted value properly so any waiters know bad
+things happened.
+
+This was found while I was running generic/475 with my modified
+fsstress, it reproduced within a few runs. I ran with this patch all
+night and didn't see the problem again.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/transaction.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1948,6 +1948,14 @@ int btrfs_commit_transaction(struct btrf
+ struct btrfs_transaction *prev_trans = NULL;
+ int ret;
+
++ /*
++ * Some places just start a transaction to commit it. We need to make
++ * sure that if this commit fails that the abort code actually marks the
++ * transaction as failed, so set trans->dirty to make the abort code do
++ * the right thing.
++ */
++ trans->dirty = true;
++
+ /* Stop the commit early if ->aborted is set */
+ if (unlikely(READ_ONCE(cur_trans->aborted))) {
+ ret = cur_trans->aborted;
--- /dev/null
+From 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Fri, 31 Jan 2020 15:45:25 +0200
+Subject: iwlwifi: don't throw error when trying to remove IGTK
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af upstream.
+
+The IGTK keys are only removed by mac80211 after it has already
+removed the AP station. This causes the driver to throw an error
+because mac80211 is trying to remove the IGTK when the station doesn't
+exist anymore.
+
+The firmware is aware that the station has been removed and can deal
+with it the next time we try to add an IGTK for a station, so we
+shouldn't try to remove the key if the station ID is
+IWL_MVM_INVALID_STA. Do this by removing the check for mvm_sta before
+calling iwl_mvm_send_sta_igtk() and check return from that function
+gracefully if the station ID is invalid.
+
+Cc: stable@vger.kernel.org # 4.12+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2981,6 +2981,10 @@ static int iwl_mvm_send_sta_igtk(struct
+ igtk_cmd.sta_id = cpu_to_le32(sta_id);
+
+ if (remove_key) {
++ /* This is a valid situation for IGTK */
++ if (sta_id == IWL_MVM_INVALID_STA)
++ return 0;
++
+ igtk_cmd.ctrl_flags |= cpu_to_le32(STA_KEY_NOT_VALID);
+ } else {
+ struct ieee80211_key_seq seq;
+@@ -3285,9 +3289,9 @@ int iwl_mvm_remove_sta_key(struct iwl_mv
+ IWL_DEBUG_WEP(mvm, "mvm remove dynamic key: idx=%d sta=%d\n",
+ keyconf->keyidx, sta_id);
+
+- if (mvm_sta && (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC ||
+- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 ||
+- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256))
++ if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC ||
++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 ||
++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256)
+ return iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, true);
+
+ if (!__test_and_clear_bit(keyconf->hw_key_idx, mvm->fw_key_table)) {
--- /dev/null
+From 1a978d9d3e72ddfa40ac60d26301b154247ee0bc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 18 Dec 2019 13:54:46 -0800
+Subject: KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream.
+
+Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any
+resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page.
+
+Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -1997,7 +1997,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+ mutex_unlock(&kvm->lock);
+
+ if (!vcore)
+- goto free_vcpu;
++ goto uninit_vcpu;
+
+ spin_lock(&vcore->lock);
+ ++vcore->num_threads;
+@@ -2014,6 +2014,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+
+ return vcpu;
+
++uninit_vcpu:
++ kvm_vcpu_uninit(vcpu);
+ free_vcpu:
+ kmem_cache_free(kvm_vcpu_cache, vcpu);
+ out:
--- /dev/null
+From cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 18 Dec 2019 13:54:47 -0800
+Subject: KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream.
+
+Explicitly free the shared page if kvmppc_mmu_init() fails during
+kvmppc_core_vcpu_create(), as the page is freed only in
+kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit().
+
+Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_pr.c
++++ b/arch/powerpc/kvm/book3s_pr.c
+@@ -1482,10 +1482,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+
+ err = kvmppc_mmu_init(vcpu);
+ if (err < 0)
+- goto uninit_vcpu;
++ goto free_shared_page;
+
+ return vcpu;
+
++free_shared_page:
++ free_page((unsigned long)vcpu->arch.shared);
+ uninit_vcpu:
+ kvm_vcpu_uninit(vcpu);
+ free_shadow_vcpu:
--- /dev/null
+From ea740059ecb37807ba47b84b33d1447435a8d868 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:52 -0800
+Subject: KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and
+kvm_get_dr().
+Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are
+exported symbols so KVM should tream them conservatively from a security
+perspective.
+
+Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -924,9 +924,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu
+
+ static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- vcpu->arch.db[dr] = val;
++ vcpu->arch.db[array_index_nospec(dr, size)] = val;
+ if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP))
+ vcpu->arch.eff_db[dr] = val;
+ break;
+@@ -963,9 +965,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr);
+
+ int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- *val = vcpu->arch.db[dr];
++ *val = vcpu->arch.db[array_index_nospec(dr, size)];
+ break;
+ case 4:
+ /* fall through */
--- /dev/null
+From 8c86405f606ca8508b8d9280680166ca26723695 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:44 -0800
+Subject: KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 8c86405f606ca8508b8d9280680166ca26723695 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect().
+This function contains index computations based on the
+(attacker-controlled) IOREGSEL register.
+
+Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/ioapic.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -36,6 +36,7 @@
+ #include <linux/io.h>
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <asm/processor.h>
+ #include <asm/page.h>
+ #include <asm/current.h>
+@@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirec
+ default:
+ {
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+- u64 redir_content;
++ u64 redir_content = ~0ULL;
+
+- if (redir_index < IOAPIC_NUM_PINS)
+- redir_content =
+- ioapic->redirtbl[redir_index].bits;
+- else
+- redir_content = ~0ULL;
++ if (redir_index < IOAPIC_NUM_PINS) {
++ u32 index = array_index_nospec(
++ redir_index, IOAPIC_NUM_PINS);
++
++ redir_content = ioapic->redirtbl[index].bits;
++ }
+
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
--- /dev/null
+From 670564559ca35b439c8d8861fc399451ddf95137 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:45 -0800
+Subject: KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 670564559ca35b439c8d8861fc399451ddf95137 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect().
+This function contains index computations based on the
+(attacker-controlled) IOREGSEL register.
+
+This patch depends on patch
+"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks".
+
+Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/ioapic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -297,6 +297,7 @@ static void ioapic_write_indirect(struct
+ ioapic_debug("change redir index %x val %x\n", index, val);
+ if (index >= IOAPIC_NUM_PINS)
+ return;
++ index = array_index_nospec(index, IOAPIC_NUM_PINS);
+ e = &ioapic->redirtbl[index];
+ mask_before = e->fields.mask;
+ /* Preserve read-only fields */
--- /dev/null
+From 8618793750071d66028584a83ed0b4fa7eb4f607 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:42 -0800
+Subject: KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 8618793750071d66028584a83ed0b4fa7eb4f607 upstream.
+
+This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data()
+and kvm_hv_msr_set_crash_data().
+These functions contain index computations that use the
+(attacker-controlled) MSR number.
+
+Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/hyperv.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -747,11 +747,12 @@ static int kvm_hv_msr_get_crash_data(str
+ u32 index, u64 *pdata)
+ {
+ struct kvm_hv *hv = &vcpu->kvm->arch.hyperv;
++ size_t size = ARRAY_SIZE(hv->hv_crash_param);
+
+- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param)))
++ if (WARN_ON_ONCE(index >= size))
+ return -EINVAL;
+
+- *pdata = hv->hv_crash_param[index];
++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)];
+ return 0;
+ }
+
+@@ -790,11 +791,12 @@ static int kvm_hv_msr_set_crash_data(str
+ u32 index, u64 data)
+ {
+ struct kvm_hv *hv = &vcpu->kvm->arch.hyperv;
++ size_t size = ARRAY_SIZE(hv->hv_crash_param);
+
+- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param)))
++ if (WARN_ON_ONCE(index >= size))
+ return -EINVAL;
+
+- hv->hv_crash_param[index] = data;
++ hv->hv_crash_param[array_index_nospec(index, size)] = data;
+ return 0;
+ }
+
--- /dev/null
+From 4bf79cb089f6b1c6c632492c0271054ce52ad766 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:46 -0800
+Subject: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
+This function contains index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1754,15 +1754,20 @@ int kvm_lapic_reg_write(struct kvm_lapic
+ case APIC_LVTTHMR:
+ case APIC_LVTPC:
+ case APIC_LVT1:
+- case APIC_LVTERR:
++ case APIC_LVTERR: {
+ /* TODO: Check vector */
++ size_t size;
++ u32 index;
++
+ if (!kvm_apic_sw_enabled(apic))
+ val |= APIC_LVT_MASKED;
+-
+- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4];
++ size = ARRAY_SIZE(apic_lvt_mask);
++ index = array_index_nospec(
++ (reg - APIC_LVTT) >> 4, size);
++ val &= apic_lvt_mask[index];
+ kvm_lapic_set_reg(apic, reg, val);
+-
+ break;
++ }
+
+ case APIC_LVTT:
+ if (!kvm_apic_sw_enabled(apic))
--- /dev/null
+From 6ec4c5eee1750d5d17951c4e1960d953376a0dda Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:49 -0800
+Subject: KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and
+get_msr_mce().
+Both functions contain index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: 890ca9aefa78 ("KVM: Add MCE support")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2165,7 +2165,10 @@ static int set_msr_mce(struct kvm_vcpu *
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ /* only 0 or all 1s can be written to IA32_MCi_CTL
+ * some Linux kernels though clear bit 10 in bank 4 to
+ * workaround a BIOS/GART TBL issue on AMD K8s, ignore
+@@ -2549,7 +2552,10 @@ static int get_msr_mce(struct kvm_vcpu *
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ data = vcpu->arch.mce_banks[offset];
+ break;
+ }
--- /dev/null
+From 25a5edea71b7c154b6a0b8cec14c711cafa31d26 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:47 -0800
+Subject: KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 25a5edea71b7c154b6a0b8cec14c711cafa31d26 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit().
+This function contains index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mtrr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -202,11 +202,15 @@ static bool fixed_msr_to_seg_unit(u32 ms
+ break;
+ case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000:
+ *seg = 1;
+- *unit = msr - MSR_MTRRfix16K_80000;
++ *unit = array_index_nospec(
++ msr - MSR_MTRRfix16K_80000,
++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1);
+ break;
+ case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000:
+ *seg = 2;
+- *unit = msr - MSR_MTRRfix4K_C0000;
++ *unit = array_index_nospec(
++ msr - MSR_MTRRfix4K_C0000,
++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1);
+ break;
+ default:
+ return false;
--- /dev/null
+From 13c5183a4e643cc2b03a22d0e582c8e17bb7457d Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:48 -0800
+Subject: KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 13c5183a4e643cc2b03a22d0e582c8e17bb7457d upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and
+get_fixed_pmc() functions.
+They both contain index computations based on the (attacker-controlled)
+MSR number.
+
+Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/pmu.h | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/pmu.h
++++ b/arch/x86/kvm/pmu.h
+@@ -2,6 +2,8 @@
+ #ifndef __KVM_X86_PMU_H
+ #define __KVM_X86_PMU_H
+
++#include <linux/nospec.h>
++
+ #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu)
+ #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu))
+ #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu)
+@@ -81,8 +83,12 @@ static inline bool pmc_is_enabled(struct
+ static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr,
+ u32 base)
+ {
+- if (msr >= base && msr < base + pmu->nr_arch_gp_counters)
+- return &pmu->gp_counters[msr - base];
++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) {
++ u32 index = array_index_nospec(msr - base,
++ pmu->nr_arch_gp_counters);
++
++ return &pmu->gp_counters[index];
++ }
+
+ return NULL;
+ }
+@@ -92,8 +98,12 @@ static inline struct kvm_pmc *get_fixed_
+ {
+ int base = MSR_CORE_PERF_FIXED_CTR0;
+
+- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters)
+- return &pmu->fixed_counters[msr - base];
++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) {
++ u32 index = array_index_nospec(msr - base,
++ pmu->nr_arch_fixed_counters);
++
++ return &pmu->fixed_counters[index];
++ }
+
+ return NULL;
+ }
--- /dev/null
+From 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:41 -0800
+Subject: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
+kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
+symbol, so KVM should treat it conservatively from a security perspective.
+
+Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5199,10 +5199,15 @@ done_prefixes:
+ }
+ break;
+ case Escape:
+- if (ctxt->modrm > 0xbf)
+- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
+- else
++ if (ctxt->modrm > 0xbf) {
++ size_t size = ARRAY_SIZE(opcode.u.esc->high);
++ u32 index = array_index_nospec(
++ ctxt->modrm - 0xc0, size);
++
++ opcode = opcode.u.esc->high[index];
++ } else {
+ opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
++ }
+ break;
+ case InstrDual:
+ if ((ctxt->modrm >> 6) == 3)
--- /dev/null
+From 14e32321f3606e4b0970200b6e5e47ee6f1e6410 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:43 -0800
+Subject: KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 14e32321f3606e4b0970200b6e5e47ee6f1e6410 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in picdev_write().
+It replaces index computations based on the (attacked-controlled) port
+number with constants through a minor refactoring.
+
+Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/i8259.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/i8259.c
++++ b/arch/x86/kvm/i8259.c
+@@ -460,10 +460,14 @@ static int picdev_write(struct kvm_pic *
+ switch (addr) {
+ case 0x20:
+ case 0x21:
++ pic_lock(s);
++ pic_ioport_write(&s->pics[0], addr, data);
++ pic_unlock(s);
++ break;
+ case 0xa0:
+ case 0xa1:
+ pic_lock(s);
+- pic_ioport_write(&s->pics[addr >> 7], addr, data);
++ pic_ioport_write(&s->pics[1], addr, data);
+ pic_unlock(s);
+ break;
+ case 0x4d0:
--- /dev/null
+From 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:50 -0800
+Subject: KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream.
+
+This fixes Spectre-v1/L1TF vulnerabilities in
+vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(),
+vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). When
+invoked from emulation, these functions contain index computations
+based on the (attacker-influenced) segment value. Using constants
+prevents the attack.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5094,16 +5094,28 @@ int x86_decode_insn(struct x86_emulate_c
+ ctxt->ad_bytes = def_ad_bytes ^ 6;
+ break;
+ case 0x26: /* ES override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_ES;
++ break;
+ case 0x2e: /* CS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_CS;
++ break;
+ case 0x36: /* SS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_SS;
++ break;
+ case 0x3e: /* DS override */
+ has_seg_override = true;
+- ctxt->seg_override = (ctxt->b >> 3) & 3;
++ ctxt->seg_override = VCPU_SREG_DS;
+ break;
+ case 0x64: /* FS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_FS;
++ break;
+ case 0x65: /* GS override */
+ has_seg_override = true;
+- ctxt->seg_override = ctxt->b & 7;
++ ctxt->seg_override = VCPU_SREG_GS;
+ break;
+ case 0x40 ... 0x4f: /* REX */
+ if (mode != X86EMUL_MODE_PROT64)
--- /dev/null
+From 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Mon, 6 Jan 2020 14:42:12 -0800
+Subject: mwifiex: fix unbalanced locking in mwifiex_process_country_ie()
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream.
+
+We called rcu_read_lock(), so we need to call rcu_read_unlock() before
+we return.
+
+Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()")
+Cc: stable@vger.kernel.org
+Cc: huangwen <huangwenabc@gmail.com>
+Cc: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -274,6 +274,7 @@ static int mwifiex_process_country_ie(st
+
+ if (country_ie_len >
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++ rcu_read_unlock();
+ mwifiex_dbg(priv->adapter, ERROR,
+ "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
--- /dev/null
+From 114de38225d9b300f027e2aec9afbb6e0def154b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Sun, 2 Feb 2020 17:53:54 -0500
+Subject: NFS: Directory page cache pages need to be locked when read
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 114de38225d9b300f027e2aec9afbb6e0def154b upstream.
+
+When a NFS directory page cache page is removed from the page cache,
+its contents are freed through a call to nfs_readdir_clear_array().
+To prevent the removal of the page cache entry until after we've
+finished reading it, we must take the page lock.
+
+Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
+Cc: stable@vger.kernel.org # v2.6.37+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/dir.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -708,8 +708,6 @@ int nfs_readdir_filler(nfs_readdir_descr
+ static
+ void cache_page_release(nfs_readdir_descriptor_t *desc)
+ {
+- if (!desc->page->mapping)
+- nfs_readdir_clear_array(desc->page);
+ put_page(desc->page);
+ desc->page = NULL;
+ }
+@@ -723,19 +721,28 @@ struct page *get_cache_page(nfs_readdir_
+
+ /*
+ * Returns 0 if desc->dir_cookie was found on page desc->page_index
++ * and locks the page to prevent removal from the page cache.
+ */
+ static
+-int find_cache_page(nfs_readdir_descriptor_t *desc)
++int find_and_lock_cache_page(nfs_readdir_descriptor_t *desc)
+ {
+ int res;
+
+ desc->page = get_cache_page(desc);
+ if (IS_ERR(desc->page))
+ return PTR_ERR(desc->page);
+-
+- res = nfs_readdir_search_array(desc);
++ res = lock_page_killable(desc->page);
+ if (res != 0)
+- cache_page_release(desc);
++ goto error;
++ res = -EAGAIN;
++ if (desc->page->mapping != NULL) {
++ res = nfs_readdir_search_array(desc);
++ if (res == 0)
++ return 0;
++ }
++ unlock_page(desc->page);
++error:
++ cache_page_release(desc);
+ return res;
+ }
+
+@@ -750,7 +757,7 @@ int readdir_search_pagecache(nfs_readdir
+ desc->last_cookie = 0;
+ }
+ do {
+- res = find_cache_page(desc);
++ res = find_and_lock_cache_page(desc);
+ } while (res == -EAGAIN);
+ return res;
+ }
+@@ -789,7 +796,6 @@ int nfs_do_filldir(nfs_readdir_descripto
+ desc->eof = 1;
+
+ kunmap(desc->page);
+- cache_page_release(desc);
+ dfprintk(DIRCACHE, "NFS: nfs_do_filldir() filling ended @ cookie %Lu; returning = %d\n",
+ (unsigned long long)*desc->dir_cookie, res);
+ return res;
+@@ -835,13 +841,13 @@ int uncached_readdir(nfs_readdir_descrip
+
+ status = nfs_do_filldir(desc);
+
++ out_release:
++ nfs_readdir_clear_array(desc->page);
++ cache_page_release(desc);
+ out:
+ dfprintk(DIRCACHE, "NFS: %s: returns %d\n",
+ __func__, status);
+ return status;
+- out_release:
+- cache_page_release(desc);
+- goto out;
+ }
+
+ /* The file offset position represents the dirent entry number. A
+@@ -906,6 +912,8 @@ static int nfs_readdir(struct file *file
+ break;
+
+ res = nfs_do_filldir(desc);
++ unlock_page(desc->page);
++ cache_page_release(desc);
+ if (res < 0)
+ break;
+ } while (!desc->eof);
--- /dev/null
+From 4b310319c6a8ce708f1033d57145e2aa027a883c Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Sun, 2 Feb 2020 17:53:53 -0500
+Subject: NFS: Fix memory leaks and corruption in readdir
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 4b310319c6a8ce708f1033d57145e2aa027a883c upstream.
+
+nfs_readdir_xdr_to_array() must not exit without having initialised
+the array, so that the page cache deletion routines can safely
+call nfs_readdir_clear_array().
+Furthermore, we should ensure that if we exit nfs_readdir_filler()
+with an error, we free up any page contents to prevent a leak
+if we try to fill the page again.
+
+Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir")
+Cc: stable@vger.kernel.org # v2.6.37+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/dir.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -169,6 +169,17 @@ typedef struct {
+ bool eof;
+ } nfs_readdir_descriptor_t;
+
++static
++void nfs_readdir_init_array(struct page *page)
++{
++ struct nfs_cache_array *array;
++
++ array = kmap_atomic(page);
++ memset(array, 0, sizeof(struct nfs_cache_array));
++ array->eof_index = -1;
++ kunmap_atomic(array);
++}
++
+ /*
+ * we are freeing strings created by nfs_add_to_readdir_array()
+ */
+@@ -181,6 +192,7 @@ void nfs_readdir_clear_array(struct page
+ array = kmap_atomic(page);
+ for (i = 0; i < array->size; i++)
+ kfree(array->array[i].string.name);
++ array->size = 0;
+ kunmap_atomic(array);
+ }
+
+@@ -617,6 +629,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir
+ int status = -ENOMEM;
+ unsigned int array_size = ARRAY_SIZE(pages);
+
++ nfs_readdir_init_array(page);
++
+ entry.prev_cookie = 0;
+ entry.cookie = desc->last_cookie;
+ entry.eof = 0;
+@@ -633,8 +647,6 @@ int nfs_readdir_xdr_to_array(nfs_readdir
+ }
+
+ array = kmap(page);
+- memset(array, 0, sizeof(struct nfs_cache_array));
+- array->eof_index = -1;
+
+ status = nfs_readdir_alloc_pages(pages, array_size);
+ if (status < 0)
+@@ -688,6 +700,7 @@ int nfs_readdir_filler(nfs_readdir_descr
+ unlock_page(page);
+ return 0;
+ error:
++ nfs_readdir_clear_array(page);
+ unlock_page(page);
+ return ret;
+ }
--- /dev/null
+From 00fe717ee1ea3c2979db4f94b1533c57aed8dea9 Mon Sep 17 00:00:00 2001
+From: Arun Easi <aeasi@marvell.com>
+Date: Thu, 23 Jan 2020 20:50:14 -0800
+Subject: scsi: qla2xxx: Fix unbound NVME response length
+
+From: Arun Easi <aeasi@marvell.com>
+
+commit 00fe717ee1ea3c2979db4f94b1533c57aed8dea9 upstream.
+
+On certain cases when response length is less than 32, NVME response data
+is supplied inline in IOCB. This is indicated by some combination of state
+flags. There was an instance when a high, and incorrect, response length
+was indicated causing driver to overrun buffers. Fix this by checking and
+limiting the response payload length.
+
+Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200124045014.23554-1-hmadhani@marvell.com
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_dbg.c | 6 ------
+ drivers/scsi/qla2xxx/qla_dbg.h | 6 ++++++
+ drivers/scsi/qla2xxx/qla_isr.c | 12 ++++++++++++
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -2517,12 +2517,6 @@ qla83xx_fw_dump_failed:
+ /* Driver Debug Functions. */
+ /****************************************************************************/
+
+-static inline int
+-ql_mask_match(uint32_t level)
+-{
+- return (level & ql2xextended_error_logging) == level;
+-}
+-
+ /*
+ * This function is for formatting and logging debug information.
+ * It is to be used when vha is available. It formats the message
+--- a/drivers/scsi/qla2xxx/qla_dbg.h
++++ b/drivers/scsi/qla2xxx/qla_dbg.h
+@@ -374,3 +374,9 @@ extern int qla24xx_dump_ram(struct qla_h
+ extern void qla24xx_pause_risc(struct device_reg_24xx __iomem *,
+ struct qla_hw_data *);
+ extern int qla24xx_soft_reset(struct qla_hw_data *);
++
++static inline int
++ql_mask_match(uint level)
++{
++ return (level & ql2xextended_error_logging) == level;
++}
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -1853,6 +1853,18 @@ qla24xx_nvme_iocb_entry(scsi_qla_host_t
+ inbuf = (uint32_t *)&sts->nvme_ersp_data;
+ outbuf = (uint32_t *)fd->rspaddr;
+ iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len);
++ if (unlikely(iocb->u.nvme.rsp_pyld_len >
++ sizeof(struct nvme_fc_ersp_iu))) {
++ if (ql_mask_match(ql_dbg_io)) {
++ WARN_ONCE(1, "Unexpected response payload length %u.\n",
++ iocb->u.nvme.rsp_pyld_len);
++ ql_log(ql_log_warn, fcport->vha, 0x5100,
++ "Unexpected response payload length %u.\n",
++ iocb->u.nvme.rsp_pyld_len);
++ }
++ iocb->u.nvme.rsp_pyld_len =
++ sizeof(struct nvme_fc_ersp_iu);
++ }
+ iter = iocb->u.nvme.rsp_pyld_len >> 2;
+ for (; iter; iter--)
+ *outbuf++ = swab32(*inbuf++);
crypto-atmel-aes-fix-counter-overflow-in-ctr-mode.patch
crypto-api-fix-race-condition-in-crypto_spawn_alg.patch
crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix-missed-tasklet_kill.patch
+scsi-qla2xxx-fix-unbound-nvme-response-length.patch
+nfs-fix-memory-leaks-and-corruption-in-readdir.patch
+nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch
+btrfs-set-trans-drity-in-btrfs_commit_transaction.patch
+arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch
+iwlwifi-don-t-throw-error-when-trying-to-remove-igtk.patch
+mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch
+sunrpc-expiry_time-should-be-seconds-not-timeval.patch
+tools-kvm_stat-fix-kvm_exit-filter-name.patch
+xen-balloon-support-xend-based-toolstack-take-two.patch
+kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch
+kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch
+kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch
+kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch
+kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch
--- /dev/null
+From 3d96208c30f84d6edf9ab4fac813306ac0d20c10 Mon Sep 17 00:00:00 2001
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Date: Tue, 4 Feb 2020 11:32:56 +0100
+Subject: sunrpc: expiry_time should be seconds not timeval
+
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+
+commit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream.
+
+When upcalling gssproxy, cache_head.expiry_time is set as a
+timeval, not seconds since boot. As such, RPC cache expiry
+logic will not clean expired objects created under
+auth.rpcsec.context cache.
+
+This has proven to cause kernel memory leaks on field. Using
+64 bit variants of getboottime/timespec
+
+Expiration times have worked this way since 2010's c5b29f885afe "sunrpc:
+use seconds since boot in expiry cache". The gssproxy code introduced
+in 2012 added gss_proxy_save_rsc and introduced the bug. That's a while
+for this to lurk, but it required a bit of an extreme case to make it
+obvious.
+
+Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 030d794bf498 "SUNRPC: Use gssproxy upcall for server..."
+Tested-By: Frank Sorenson <sorenson@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1188,6 +1188,7 @@ static int gss_proxy_save_rsc(struct cac
+ dprintk("RPC: No creds found!\n");
+ goto out;
+ } else {
++ struct timespec64 boot;
+
+ /* steal creds */
+ rsci.cred = ud->creds;
+@@ -1208,6 +1209,9 @@ static int gss_proxy_save_rsc(struct cac
+ &expiry, GFP_KERNEL);
+ if (status)
+ goto out;
++
++ getboottime64(&boot);
++ expiry -= boot.tv_sec;
+ }
+
+ rsci.h.expiry_time = expiry;
--- /dev/null
+From 5fcf3a55a62afb0760ccb6f391d62f20bce4a42f Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Tue, 10 Dec 2019 15:48:29 +1100
+Subject: tools/kvm_stat: Fix kvm_exit filter name
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit 5fcf3a55a62afb0760ccb6f391d62f20bce4a42f upstream.
+
+The filter name is fixed to "exit_reason" for some kvm_exit events, no
+matter what architect we have. Actually, the filter name ("exit_reason")
+is only applicable to x86, meaning it's broken on other architects
+including aarch64.
+
+This fixes the issue by providing various kvm_exit filter names, depending
+on architect we're on. Afterwards, the variable filter name is picked and
+applied through ioctl(fd, SET_FILTER).
+
+Reported-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/kvm/kvm_stat/kvm_stat | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -261,6 +261,7 @@ class ArchX86(Arch):
+ def __init__(self, exit_reasons):
+ self.sc_perf_evt_open = 298
+ self.ioctl_numbers = IOCTL_NUMBERS
++ self.exit_reason_field = 'exit_reason'
+ self.exit_reasons = exit_reasons
+
+
+@@ -276,6 +277,7 @@ class ArchPPC(Arch):
+ # numbers depend on the wordsize.
+ char_ptr_size = ctypes.sizeof(ctypes.c_char_p)
+ self.ioctl_numbers['SET_FILTER'] = 0x80002406 | char_ptr_size << 16
++ self.exit_reason_field = 'exit_nr'
+ self.exit_reasons = {}
+
+
+@@ -283,6 +285,7 @@ class ArchA64(Arch):
+ def __init__(self):
+ self.sc_perf_evt_open = 241
+ self.ioctl_numbers = IOCTL_NUMBERS
++ self.exit_reason_field = 'esr_ec'
+ self.exit_reasons = AARCH64_EXIT_REASONS
+
+
+@@ -290,6 +293,7 @@ class ArchS390(Arch):
+ def __init__(self):
+ self.sc_perf_evt_open = 331
+ self.ioctl_numbers = IOCTL_NUMBERS
++ self.exit_reason_field = None
+ self.exit_reasons = None
+
+ ARCH = Arch.get_arch()
+@@ -513,8 +517,8 @@ class TracepointProvider(Provider):
+ """
+ filters = {}
+ filters['kvm_userspace_exit'] = ('reason', USERSPACE_EXIT_REASONS)
+- if ARCH.exit_reasons:
+- filters['kvm_exit'] = ('exit_reason', ARCH.exit_reasons)
++ if ARCH.exit_reason_field and ARCH.exit_reasons:
++ filters['kvm_exit'] = (ARCH.exit_reason_field, ARCH.exit_reasons)
+ return filters
+
+ def get_available_fields(self):
--- /dev/null
+From eda4eabf86fd6806eaabc23fb90dd056fdac037b Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 17 Jan 2020 14:49:31 +0100
+Subject: xen/balloon: Support xend-based toolstack take two
+
+From: Juergen Gross <jgross@suse.com>
+
+commit eda4eabf86fd6806eaabc23fb90dd056fdac037b upstream.
+
+Commit 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack")
+tried to fix a regression with running on rather ancient Xen versions.
+Unfortunately the fix was based on the assumption that xend would
+just use another Xenstore node, but in reality only some downstream
+versions of xend are doing that. The upstream xend does not write
+that Xenstore node at all, so the problem must be fixed in another
+way.
+
+The easiest way to achieve that is to fall back to the behavior
+before commit 96edd61dcf4436 ("xen/balloon: don't online new memory
+initially") in case the static memory maximum can't be read.
+
+This is achieved by setting static_max to the current number of
+memory pages known by the system resulting in target_diff becoming
+zero.
+
+Fixes: 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: <stable@vger.kernel.org> # 4.13
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-balloon.c
++++ b/drivers/xen/xen-balloon.c
+@@ -82,7 +82,7 @@ static void watch_target(struct xenbus_w
+ "%llu", &static_max) == 1))
+ static_max >>= PAGE_SHIFT - 10;
+ else
+- static_max = new_target;
++ static_max = balloon_stats.current_pages;
+
+ target_diff = (xen_pv_domain() || xen_initial_domain()) ? 0
+ : static_max - balloon_stats.target_pages;
projects / thirdparty / kernel / stable-queue.git / commitdiff
