--- /dev/null
+From 1a3388d506bf5b45bb283e6a4c4706cfb4897333 Mon Sep 17 00:00:00 2001
+From: Stephen Warren <swarren@nvidia.com>
+Date: Thu, 3 Oct 2019 14:50:31 -0600
+Subject: ARM: tegra: Enable PLLP bypass during Tegra124 LP1
+
+From: Stephen Warren <swarren@nvidia.com>
+
+commit 1a3388d506bf5b45bb283e6a4c4706cfb4897333 upstream.
+
+For a little over a year, U-Boot has configured the flow controller to
+perform automatic RAM re-repair on off->on power transitions of the CPU
+rail[1]. This is mandatory for correct operation of Tegra124. However,
+RAM re-repair relies on certain clocks, which the kernel must enable and
+leave running. PLLP is one of those clocks. This clock is shut down
+during LP1 in order to save power. Enable bypass (which I believe routes
+osc_div_clk, essentially the crystal clock, to the PLL output) so that
+this clock signal toggles even though the PLL is not active. This is
+required so that LP1 power mode (system suspend) operates correctly.
+
+The bypass configuration must then be undone when resuming from LP1, so
+that all peripheral clocks run at the expected rate. Without this, many
+peripherals won't work correctly; for example, the UART baud rate would
+be incorrect.
+
+NVIDIA's downstream kernel code only does this if not compiled for
+Tegra30, so the added code is made conditional upon the chip ID.
+NVIDIA's downstream code makes this change conditional upon the active
+CPU cluster. The upstream kernel currently doesn't support cluster
+switching, so this patch doesn't test the active CPU cluster ID.
+
+[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair
+
+Reported-by: Jonathan Hunter <jonathanh@nvidia.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Warren <swarren@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-tegra/sleep-tegra30.S | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/arm/mach-tegra/sleep-tegra30.S
++++ b/arch/arm/mach-tegra/sleep-tegra30.S
+@@ -382,6 +382,14 @@ _pll_m_c_x_done:
+ pll_locked r1, r0, CLK_RESET_PLLC_BASE
+ pll_locked r1, r0, CLK_RESET_PLLX_BASE
+
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
++ beq 1f
++ ldr r1, [r0, #CLK_RESET_PLLP_BASE]
++ bic r1, r1, #(1<<31) @ disable PllP bypass
++ str r1, [r0, #CLK_RESET_PLLP_BASE]
++1:
++
+ mov32 r7, TEGRA_TMRUS_BASE
+ ldr r1, [r7]
+ add r1, r1, #LOCK_DELAY
+@@ -641,7 +649,10 @@ tegra30_switch_cpu_to_clk32k:
+ str r0, [r4, #PMC_PLLP_WB0_OVERRIDE]
+
+ /* disable PLLP, PLLA, PLLC and PLLX */
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
+ ldr r0, [r5, #CLK_RESET_PLLP_BASE]
++ orrne r0, r0, #(1 << 31) @ enable PllP bypass on fast cluster
+ bic r0, r0, #(1 << 30)
+ str r0, [r5, #CLK_RESET_PLLP_BASE]
+ ldr r0, [r5, #CLK_RESET_PLLA_BASE]
--- /dev/null
+From d62b23c94952e78211a383b7d90ef0afbd9a3717 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 17 Jan 2020 08:57:51 -0500
+Subject: btrfs: set trans->drity in btrfs_commit_transaction
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit d62b23c94952e78211a383b7d90ef0afbd9a3717 upstream.
+
+If we abort a transaction we have the following sequence
+
+if (!trans->dirty && list_empty(&trans->new_bgs))
+ return;
+WRITE_ONCE(trans->transaction->aborted, err);
+
+The idea being if we didn't modify anything with our trans handle then
+we don't really need to abort the whole transaction, maybe the other
+trans handles are fine and we can carry on.
+
+However in the case of create_snapshot we add a pending_snapshot object
+to our transaction and then commit the transaction. We don't actually
+modify anything. sync() behaves the same way, attach to an existing
+transaction and commit it. This means that if we have an IO error in
+the right places we could abort the committing transaction with our
+trans->dirty being not set and thus not set transaction->aborted.
+
+This is a problem because in the create_snapshot() case we depend on
+pending->error being set to something, or btrfs_commit_transaction
+returning an error.
+
+If we are not the trans handle that gets to commit the transaction, and
+we're waiting on the commit to happen we get our return value from
+cur_trans->aborted. If this was not set to anything because sync() hit
+an error in the transaction commit before it could modify anything then
+cur_trans->aborted would be 0. Thus we'd return 0 from
+btrfs_commit_transaction() in create_snapshot.
+
+This is a problem because we then try to do things with
+pending_snapshot->snap, which will be NULL because we didn't create the
+snapshot, and then we'll get a NULL pointer dereference like the
+following
+
+"BUG: kernel NULL pointer dereference, address: 00000000000001f0"
+RIP: 0010:btrfs_orphan_cleanup+0x2d/0x330
+Call Trace:
+ ? btrfs_mksubvol.isra.31+0x3f2/0x510
+ btrfs_mksubvol.isra.31+0x4bc/0x510
+ ? __sb_start_write+0xfa/0x200
+ ? mnt_want_write_file+0x24/0x50
+ btrfs_ioctl_snap_create_transid+0x16c/0x1a0
+ btrfs_ioctl_snap_create_v2+0x11e/0x1a0
+ btrfs_ioctl+0x1534/0x2c10
+ ? free_debug_processing+0x262/0x2a3
+ do_vfs_ioctl+0xa6/0x6b0
+ ? do_sys_open+0x188/0x220
+ ? syscall_trace_enter+0x1f8/0x330
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x4a/0x1b0
+
+In order to fix this we need to make sure anybody who calls
+commit_transaction has trans->dirty set so that they properly set the
+trans->transaction->aborted value properly so any waiters know bad
+things happened.
+
+This was found while I was running generic/475 with my modified
+fsstress, it reproduced within a few runs. I ran with this patch all
+night and didn't see the problem again.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/transaction.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1917,6 +1917,14 @@ int btrfs_commit_transaction(struct btrf
+ struct btrfs_transaction *prev_trans = NULL;
+ int ret;
+
++ /*
++ * Some places just start a transaction to commit it. We need to make
++ * sure that if this commit fails that the abort code actually marks the
++ * transaction as failed, so set trans->dirty to make the abort code do
++ * the right thing.
++ */
++ trans->dirty = true;
++
+ /* Stop the commit early if ->aborted is set */
+ if (unlikely(ACCESS_ONCE(cur_trans->aborted))) {
+ ret = cur_trans->aborted;
--- /dev/null
+From 1a978d9d3e72ddfa40ac60d26301b154247ee0bc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 18 Dec 2019 13:54:46 -0800
+Subject: KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream.
+
+Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any
+resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page.
+
+Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -1766,7 +1766,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+ mutex_unlock(&kvm->lock);
+
+ if (!vcore)
+- goto free_vcpu;
++ goto uninit_vcpu;
+
+ spin_lock(&vcore->lock);
+ ++vcore->num_threads;
+@@ -1782,6 +1782,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+
+ return vcpu;
+
++uninit_vcpu:
++ kvm_vcpu_uninit(vcpu);
+ free_vcpu:
+ kmem_cache_free(kvm_vcpu_cache, vcpu);
+ out:
--- /dev/null
+From cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 18 Dec 2019 13:54:47 -0800
+Subject: KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream.
+
+Explicitly free the shared page if kvmppc_mmu_init() fails during
+kvmppc_core_vcpu_create(), as the page is freed only in
+kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit().
+
+Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/book3s_pr.c
++++ b/arch/powerpc/kvm/book3s_pr.c
+@@ -1482,10 +1482,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu
+
+ err = kvmppc_mmu_init(vcpu);
+ if (err < 0)
+- goto uninit_vcpu;
++ goto free_shared_page;
+
+ return vcpu;
+
++free_shared_page:
++ free_page((unsigned long)vcpu->arch.shared);
+ uninit_vcpu:
+ kvm_vcpu_uninit(vcpu);
+ free_shadow_vcpu:
--- /dev/null
+From ea740059ecb37807ba47b84b33d1447435a8d868 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:52 -0800
+Subject: KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and
+kvm_get_dr().
+Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are
+exported symbols so KVM should tream them conservatively from a security
+perspective.
+
+Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -889,9 +889,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu
+
+ static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- vcpu->arch.db[dr] = val;
++ vcpu->arch.db[array_index_nospec(dr, size)] = val;
+ if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP))
+ vcpu->arch.eff_db[dr] = val;
+ break;
+@@ -928,9 +930,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr);
+
+ int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- *val = vcpu->arch.db[dr];
++ *val = vcpu->arch.db[array_index_nospec(dr, size)];
+ break;
+ case 4:
+ /* fall through */
--- /dev/null
+From 8c86405f606ca8508b8d9280680166ca26723695 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:44 -0800
+Subject: KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 8c86405f606ca8508b8d9280680166ca26723695 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect().
+This function contains index computations based on the
+(attacker-controlled) IOREGSEL register.
+
+Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/ioapic.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -74,13 +74,14 @@ static unsigned long ioapic_read_indirec
+ default:
+ {
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+- u64 redir_content;
++ u64 redir_content = ~0ULL;
+
+- if (redir_index < IOAPIC_NUM_PINS)
+- redir_content =
+- ioapic->redirtbl[redir_index].bits;
+- else
+- redir_content = ~0ULL;
++ if (redir_index < IOAPIC_NUM_PINS) {
++ u32 index = array_index_nospec(
++ redir_index, IOAPIC_NUM_PINS);
++
++ redir_content = ioapic->redirtbl[index].bits;
++ }
+
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
--- /dev/null
+From 670564559ca35b439c8d8861fc399451ddf95137 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:45 -0800
+Subject: KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 670564559ca35b439c8d8861fc399451ddf95137 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect().
+This function contains index computations based on the
+(attacker-controlled) IOREGSEL register.
+
+This patch depends on patch
+"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks".
+
+Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/ioapic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -36,6 +36,7 @@
+ #include <linux/io.h>
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <asm/processor.h>
+ #include <asm/page.h>
+ #include <asm/current.h>
+@@ -299,6 +300,7 @@ static void ioapic_write_indirect(struct
+ ioapic_debug("change redir index %x val %x\n", index, val);
+ if (index >= IOAPIC_NUM_PINS)
+ return;
++ index = array_index_nospec(index, IOAPIC_NUM_PINS);
+ e = &ioapic->redirtbl[index];
+ mask_before = e->fields.mask;
+ /* Preserve read-only fields */
--- /dev/null
+From 8618793750071d66028584a83ed0b4fa7eb4f607 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:42 -0800
+Subject: KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 8618793750071d66028584a83ed0b4fa7eb4f607 upstream.
+
+This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data()
+and kvm_hv_msr_set_crash_data().
+These functions contain index computations that use the
+(attacker-controlled) MSR number.
+
+Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/hyperv.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -28,6 +28,7 @@
+
+ #include <linux/kvm_host.h>
+ #include <linux/highmem.h>
++#include <linux/nospec.h>
+ #include <asm/apicdef.h>
+ #include <trace/events/kvm.h>
+
+@@ -719,11 +720,12 @@ static int kvm_hv_msr_get_crash_data(str
+ u32 index, u64 *pdata)
+ {
+ struct kvm_hv *hv = &vcpu->kvm->arch.hyperv;
++ size_t size = ARRAY_SIZE(hv->hv_crash_param);
+
+- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param)))
++ if (WARN_ON_ONCE(index >= size))
+ return -EINVAL;
+
+- *pdata = hv->hv_crash_param[index];
++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)];
+ return 0;
+ }
+
+@@ -762,11 +764,12 @@ static int kvm_hv_msr_set_crash_data(str
+ u32 index, u64 data)
+ {
+ struct kvm_hv *hv = &vcpu->kvm->arch.hyperv;
++ size_t size = ARRAY_SIZE(hv->hv_crash_param);
+
+- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param)))
++ if (WARN_ON_ONCE(index >= size))
+ return -EINVAL;
+
+- hv->hv_crash_param[index] = data;
++ hv->hv_crash_param[array_index_nospec(index, size)] = data;
+ return 0;
+ }
+
--- /dev/null
+From 4bf79cb089f6b1c6c632492c0271054ce52ad766 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:46 -0800
+Subject: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
+This function contains index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -28,6 +28,7 @@
+ #include <linux/export.h>
+ #include <linux/math64.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
+ #include <asm/processor.h>
+ #include <asm/msr.h>
+ #include <asm/page.h>
+@@ -1587,15 +1588,20 @@ int kvm_lapic_reg_write(struct kvm_lapic
+ case APIC_LVTTHMR:
+ case APIC_LVTPC:
+ case APIC_LVT1:
+- case APIC_LVTERR:
++ case APIC_LVTERR: {
+ /* TODO: Check vector */
++ size_t size;
++ u32 index;
++
+ if (!kvm_apic_sw_enabled(apic))
+ val |= APIC_LVT_MASKED;
+-
+- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4];
++ size = ARRAY_SIZE(apic_lvt_mask);
++ index = array_index_nospec(
++ (reg - APIC_LVTT) >> 4, size);
++ val &= apic_lvt_mask[index];
+ kvm_lapic_set_reg(apic, reg, val);
+-
+ break;
++ }
+
+ case APIC_LVTT:
+ if (!kvm_apic_sw_enabled(apic))
--- /dev/null
+From 6ec4c5eee1750d5d17951c4e1960d953376a0dda Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:49 -0800
+Subject: KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and
+get_msr_mce().
+Both functions contain index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: 890ca9aefa78 ("KVM: Add MCE support")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2130,7 +2130,10 @@ static int set_msr_mce(struct kvm_vcpu *
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ /* only 0 or all 1s can be written to IA32_MCi_CTL
+ * some Linux kernels though clear bit 10 in bank 4 to
+ * workaround a BIOS/GART TBL issue on AMD K8s, ignore
+@@ -2498,7 +2501,10 @@ static int get_msr_mce(struct kvm_vcpu *
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ data = vcpu->arch.mce_banks[offset];
+ break;
+ }
--- /dev/null
+From 25a5edea71b7c154b6a0b8cec14c711cafa31d26 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:47 -0800
+Subject: KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 25a5edea71b7c154b6a0b8cec14c711cafa31d26 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit().
+This function contains index computations based on the
+(attacker-controlled) MSR number.
+
+Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mtrr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -17,6 +17,7 @@
+ */
+
+ #include <linux/kvm_host.h>
++#include <linux/nospec.h>
+ #include <asm/mtrr.h>
+
+ #include "cpuid.h"
+@@ -202,11 +203,15 @@ static bool fixed_msr_to_seg_unit(u32 ms
+ break;
+ case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000:
+ *seg = 1;
+- *unit = msr - MSR_MTRRfix16K_80000;
++ *unit = array_index_nospec(
++ msr - MSR_MTRRfix16K_80000,
++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1);
+ break;
+ case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000:
+ *seg = 2;
+- *unit = msr - MSR_MTRRfix4K_C0000;
++ *unit = array_index_nospec(
++ msr - MSR_MTRRfix4K_C0000,
++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1);
+ break;
+ default:
+ return false;
--- /dev/null
+From 13c5183a4e643cc2b03a22d0e582c8e17bb7457d Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:48 -0800
+Subject: KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 13c5183a4e643cc2b03a22d0e582c8e17bb7457d upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and
+get_fixed_pmc() functions.
+They both contain index computations based on the (attacker-controlled)
+MSR number.
+
+Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/pmu.h | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/pmu.h
++++ b/arch/x86/kvm/pmu.h
+@@ -1,6 +1,8 @@
+ #ifndef __KVM_X86_PMU_H
+ #define __KVM_X86_PMU_H
+
++#include <linux/nospec.h>
++
+ #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu)
+ #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu))
+ #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu)
+@@ -80,8 +82,12 @@ static inline bool pmc_is_enabled(struct
+ static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr,
+ u32 base)
+ {
+- if (msr >= base && msr < base + pmu->nr_arch_gp_counters)
+- return &pmu->gp_counters[msr - base];
++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) {
++ u32 index = array_index_nospec(msr - base,
++ pmu->nr_arch_gp_counters);
++
++ return &pmu->gp_counters[index];
++ }
+
+ return NULL;
+ }
+@@ -91,8 +97,12 @@ static inline struct kvm_pmc *get_fixed_
+ {
+ int base = MSR_CORE_PERF_FIXED_CTR0;
+
+- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters)
+- return &pmu->fixed_counters[msr - base];
++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) {
++ u32 index = array_index_nospec(msr - base,
++ pmu->nr_arch_fixed_counters);
++
++ return &pmu->fixed_counters[index];
++ }
+
+ return NULL;
+ }
--- /dev/null
+From 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:41 -0800
+Subject: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.
+
+This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
+kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
+symbol, so KVM should treat it conservatively from a security perspective.
+
+Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")
+
+Signed-off-by: Nick Finco <nifi@google.com>
+Signed-off-by: Marios Pomonis <pomonis@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -21,6 +21,7 @@
+ */
+
+ #include <linux/kvm_host.h>
++#include <linux/nospec.h>
+ #include "kvm_cache_regs.h"
+ #include <asm/kvm_emulate.h>
+ #include <linux/stringify.h>
+@@ -5158,10 +5159,15 @@ done_prefixes:
+ }
+ break;
+ case Escape:
+- if (ctxt->modrm > 0xbf)
+- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
+- else
++ if (ctxt->modrm > 0xbf) {
++ size_t size = ARRAY_SIZE(opcode.u.esc->high);
++ u32 index = array_index_nospec(
++ ctxt->modrm - 0xc0, size);
++
++ opcode = opcode.u.esc->high[index];
++ } else {
+ opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
++ }
+ break;
+ case InstrDual:
+ if ((ctxt->modrm >> 6) == 3)
--- /dev/null
+From 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 Mon Sep 17 00:00:00 2001
+From: Marios Pomonis <pomonis@google.com>
+Date: Wed, 11 Dec 2019 12:47:50 -0800
+Subject: KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks
+
+From: Marios Pomonis <pomonis@google.com>
+
+commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream.
+
+This fixes Spectre-v1/L1TF vulnerabilities in
+vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(),
+vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). When
+invoked from emulation, these functions contain index computations
+based on the (attacker-influenced) segment value. Using constants
+prevents the attack.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5053,16 +5053,28 @@ int x86_decode_insn(struct x86_emulate_c
+ ctxt->ad_bytes = def_ad_bytes ^ 6;
+ break;
+ case 0x26: /* ES override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_ES;
++ break;
+ case 0x2e: /* CS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_CS;
++ break;
+ case 0x36: /* SS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_SS;
++ break;
+ case 0x3e: /* DS override */
+ has_seg_override = true;
+- ctxt->seg_override = (ctxt->b >> 3) & 3;
++ ctxt->seg_override = VCPU_SREG_DS;
+ break;
+ case 0x64: /* FS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_FS;
++ break;
+ case 0x65: /* GS override */
+ has_seg_override = true;
+- ctxt->seg_override = ctxt->b & 7;
++ ctxt->seg_override = VCPU_SREG_GS;
+ break;
+ case 0x40 ... 0x4f: /* REX */
+ if (mode != X86EMUL_MODE_PROT64)
--- /dev/null
+From 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Mon, 6 Jan 2020 14:42:12 -0800
+Subject: mwifiex: fix unbalanced locking in mwifiex_process_country_ie()
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream.
+
+We called rcu_read_lock(), so we need to call rcu_read_unlock() before
+we return.
+
+Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()")
+Cc: stable@vger.kernel.org
+Cc: huangwen <huangwenabc@gmail.com>
+Cc: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -274,6 +274,7 @@ static int mwifiex_process_country_ie(st
+
+ if (country_ie_len >
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++ rcu_read_unlock();
+ mwifiex_dbg(priv->adapter, ERROR,
+ "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
crypto-atmel-aes-fix-counter-overflow-in-ctr-mode.patch
crypto-api-fix-race-condition-in-crypto_spawn_alg.patch
crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix-missed-tasklet_kill.patch
+btrfs-set-trans-drity-in-btrfs_commit_transaction.patch
+arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch
+mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch
+sunrpc-expiry_time-should-be-seconds-not-timeval.patch
+kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch
+kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch
+kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch
+kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch
+kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch
--- /dev/null
+From 3d96208c30f84d6edf9ab4fac813306ac0d20c10 Mon Sep 17 00:00:00 2001
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Date: Tue, 4 Feb 2020 11:32:56 +0100
+Subject: sunrpc: expiry_time should be seconds not timeval
+
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+
+commit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream.
+
+When upcalling gssproxy, cache_head.expiry_time is set as a
+timeval, not seconds since boot. As such, RPC cache expiry
+logic will not clean expired objects created under
+auth.rpcsec.context cache.
+
+This has proven to cause kernel memory leaks on field. Using
+64 bit variants of getboottime/timespec
+
+Expiration times have worked this way since 2010's c5b29f885afe "sunrpc:
+use seconds since boot in expiry cache". The gssproxy code introduced
+in 2012 added gss_proxy_save_rsc and introduced the bug. That's a while
+for this to lurk, but it required a bit of an extreme case to make it
+obvious.
+
+Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 030d794bf498 "SUNRPC: Use gssproxy upcall for server..."
+Tested-By: Frank Sorenson <sorenson@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1180,6 +1180,7 @@ static int gss_proxy_save_rsc(struct cac
+ dprintk("RPC: No creds found!\n");
+ goto out;
+ } else {
++ struct timespec64 boot;
+
+ /* steal creds */
+ rsci.cred = ud->creds;
+@@ -1200,6 +1201,9 @@ static int gss_proxy_save_rsc(struct cac
+ &expiry, GFP_KERNEL);
+ if (status)
+ goto out;
++
++ getboottime64(&boot);
++ expiry -= boot.tv_sec;
+ }
+
+ rsci.h.expiry_time = expiry;
projects / thirdparty / kernel / stable-queue.git / commitdiff
