From: Greg Kroah-Hartman Date: Sun, 4 Dec 2022 16:11:21 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.9.335~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=44ee0bcd3da5b661a72911daf7ec9f8d84b45f95;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch
---
diff --git a/queue-5.4/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch b/queue-5.4/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch
new file mode 100644
index 00000000000..1c05e8c6ee1
--- /dev/null
+++ b/queue-5.4/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch
@@ -0,0 +1,51 @@
+From 711f8c3fb3db61897080468586b970c87c61d9e4 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 31 Oct 2022 16:10:32 -0700
+Subject: Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz
+
+commit 711f8c3fb3db61897080468586b970c87c61d9e4 upstream.
+
+The Bluetooth spec states that the valid range for SPSM is from
+0x0001-0x00ff so it is invalid to accept values outside of this range:
+
+ BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+ page 1059:
+ Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+
+CVE: CVE-2022-42896
+CC: stable@vger.kernel.org
+Reported-by: Tamás Koczka
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Tedd Ho-Jeong An
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_core.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5571,6 +5571,19 @@ static int l2cap_le_connect_req(struct l
+ BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
+ scid, mtu, mps);
+
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
++ * page 1059:
++ *
++ * Valid range: 0x0001-0x00ff
++ *
++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
++ */
++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
++ result = L2CAP_CR_LE_BAD_PSM;
++ chan = NULL;
++ goto response;
++ }
++
+ /* Check if we have socket listening on psm */
+ pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
+ &conn->hcon->dst, LE_LINK);
diff --git a/queue-5.4/series b/queue-5.4/series
index 2bcb95d87ec..b37cdf47335 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
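Review bot: The added reject path in `l2cap_le_connect_req` jumps to `response` with `chan = NULL` before the listening-socket lookup, and both the `response:` label and the initialisation of the fields it sends back lie outside this hunk. For the 5.4 backport it is worth confirming that the response path reads only initialised values when `chan` is NULL, since this tree may differ from the one the fix was written against. The upper bound matches the quoted spec range only if `L2CAP_PSM_LE_DYN_END` is 0x00ff here, which the hunk does not show. Once confirmed, a short comment above the `goto` such as `/* out-of-range SPSM: answer BAD_PSM without any channel lookup */` would record why the check has to sit ahead of `l2cap_global_chan_by_psm()`.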
@@ -150,3 +150,6 @@ epoll-call-final-ep_events_available-check-under-the-lock.patch
 epoll-check-for-events-when-removing-a-timed-out-thread-from-the-wait-queue.patch
 nvme-restrict-management-ioctls-to-admin.patch
 nvme-ensure-subsystem-reset-is-single-threaded.patch
+x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch
+x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch
+bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch
diff --git a/queue-5.4/x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch b/queue-5.4/x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch
new file mode 100644
index 00000000000..b5c628c5b5f
--- /dev/null
+++ b/queue-5.4/x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch
@@ -0,0 +1,103 @@
+From foo@baz Sun Dec 4 05:02:01 PM CET 2022
+From: Pawan Gupta
+Date: Thu, 1 Dec 2022 14:55:50 -0800
+Subject: x86/pm: Add enumeration check before spec MSRs save/restore setup
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: bp@alien8.de, dave.hansen@linux.intel.com, hdegoede@redhat.com, rafael.j.wysocki@intel.com, stable@kernel.org
+Message-ID:
+Content-Disposition: inline
+
+From: Pawan Gupta
+
+commit 50bcceb7724e471d9b591803889df45dcbb584bc upstream.
+
+pm_save_spec_msr() keeps a list of all the MSRs which _might_ need
+to be saved and restored at hibernate and resume. However, it has
+zero awareness of CPU support for these MSRs. It mostly works by
+unconditionally attempting to manipulate these MSRs and relying on
+rdmsrl_safe() being able to handle a #GP on CPUs where the support is
+unavailable.
+
+However, it's possible for reads (RDMSR) to be supported for a given MSR
+while writes (WRMSR) are not. In this case, msr_build_context() sees
+a successful read (RDMSR) and marks the MSR as valid. Then, later, a
+write (WRMSR) fails, producing a nasty (but harmless) error message.
+This causes restore_processor_state() to try and restore it, but writing
+this MSR is not allowed on the Intel Atom N2600 leading to:
+
+ unchecked MSR access error: WRMSR to 0x122 (tried to write 0x0000000000000002) \
+ at rIP: 0xffffffff8b07a574 (native_write_msr+0x4/0x20)
+ Call Trace:
+
+ restore_processor_state
+ x86_acpi_suspend_lowlevel
+ acpi_suspend_enter
+ suspend_devices_and_enter
+ pm_suspend.cold
+ state_store
+ kernfs_fop_write_iter
+ vfs_write
+ ksys_write
+ do_syscall_64
+ ? do_syscall_64
+ ? up_read
+ ? lock_is_held_type
+ ? asm_exc_page_fault
+ ? lockdep_hardirqs_on
+ entry_SYSCALL_64_after_hwframe
+
+To fix this, add the corresponding X86_FEATURE bit for each MSR. Avoid
+trying to manipulate the MSR when the feature bit is clear. This
+required adding a X86_FEATURE bit for MSRs that do not have one already,
+but it's a small price to pay.
+
+ [ bp: Move struct msr_enumeration inside the only function that uses it. ]
+ [Pawan: Resolve build issue in backport]
+
+Fixes: 73924ec4d560 ("x86/pm: Save the MSR validity status at context setup")
+Reported-by: Hans de Goede
+Signed-off-by: Pawan Gupta
+Signed-off-by: Borislav Petkov
+Reviewed-by: Dave Hansen
+Acked-by: Rafael J. Wysocki
+Cc:
+Link: https://lore.kernel.org/r/c24db75d69df6e66c0465e13676ad3f2837a2ed8.1668539735.git.pawan.kumar.gupta@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/power/cpu.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/power/cpu.c
++++ b/arch/x86/power/cpu.c
+@@ -522,16 +522,23 @@ static int pm_cpu_check(const struct x86
+
+ static void pm_save_spec_msr(void)
+ {
+- u32 spec_msr_id[] = {
+- MSR_IA32_SPEC_CTRL,
+- MSR_IA32_TSX_CTRL,
+- MSR_TSX_FORCE_ABORT,
+- MSR_IA32_MCU_OPT_CTRL,
+- MSR_AMD64_LS_CFG,
+- MSR_AMD64_DE_CFG,
++ struct msr_enumeration {
++ u32 msr_no;
++ u32 feature;
++ } msr_enum[] = {
++ { MSR_IA32_SPEC_CTRL, X86_FEATURE_MSR_SPEC_CTRL },
++ { MSR_IA32_TSX_CTRL, X86_FEATURE_MSR_TSX_CTRL },
++ { MSR_TSX_FORCE_ABORT, X86_FEATURE_TSX_FORCE_ABORT },
++ { MSR_IA32_MCU_OPT_CTRL, X86_FEATURE_SRBDS_CTRL },
++ { MSR_AMD64_LS_CFG, X86_FEATURE_LS_CFG_SSBD },
++ { MSR_AMD64_DE_CFG, X86_FEATURE_LFENCE_RDTSC },
+ };
++ int i;
+
+- msr_build_context(spec_msr_id, ARRAY_SIZE(spec_msr_id));
++ for (i = 0; i < ARRAY_SIZE(msr_enum); i++) {
++ if (boot_cpu_has(msr_enum[i].feature))
++ msr_build_context(&msr_enum[i].msr_no, 1);
++ }
+ }
+
+ static int pm_check_save_msr(void)
diff --git a/queue-5.4/x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch b/queue-5.4/x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch
new file mode 100644
index 00000000000..45311ffe541
--- /dev/null
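Review bot: In the new loop in `pm_save_spec_msr`, the result of `msr_build_context(&msr_enum[i].msr_no, 1)` is discarded, just as it was for the single call it replaces. If that helper can fail (its definition is outside the hunk), a speculation-control MSR such as `MSR_IA32_SPEC_CTRL` would silently drop out of the saved set and presumably not be restored on resume. Consider surfacing the failure, e.g. `if (boot_cpu_has(msr_enum[i].feature) && msr_build_context(&msr_enum[i].msr_no, 1)) pr_warn("x86/pm: MSR 0x%x not saved\n", msr_enum[i].msr_no);`. Separately, `int i` is compared against `ARRAY_SIZE()`; `unsigned int i;` avoids the signed/unsigned comparison.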
+++ b/queue-5.4/x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch 
@@ -0,0 +1,101 @@
+From foo@baz Sun Dec 4 05:02:01 PM CET 2022
+From: Pawan Gupta
+Date: Thu, 1 Dec 2022 14:55:43 -0800
+Subject: x86/tsx: Add a feature bit for TSX control MSR support
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: bp@alien8.de, dave.hansen@linux.intel.com, hdegoede@redhat.com, rafael.j.wysocki@intel.com, stable@kernel.org
+Message-ID: <9ef220efeee99c210649facf3a7e0f7782fa397c.1669935253.git.pawan.kumar.gupta@linux.intel.com>
+Content-Disposition: inline
+
+From: Pawan Gupta
+
+commit aaa65d17eec372c6a9756833f3964ba05b05ea14 upstream.
+
+Support for the TSX control MSR is enumerated in MSR_IA32_ARCH_CAPABILITIES.
+This is different from how other CPU features are enumerated i.e. via
+CPUID. Currently, a call to tsx_ctrl_is_supported() is required for
+enumerating the feature. In the absence of a feature bit for TSX control,
+any code that relies on checking feature bits directly will not work.
+
+In preparation for adding a feature bit check in MSR save/restore
+during suspend/resume, set a new feature bit X86_FEATURE_TSX_CTRL when
+MSR_IA32_TSX_CTRL is present.
+
+ [ bp: Remove tsx_ctrl_is_supported()]
+
+ [Pawan: Resolved conflicts in backport; Removed parts of commit message
+ referring to removed function tsx_ctrl_is_supported()]
+
+Suggested-by: Andrew Cooper
+Signed-off-by: Pawan Gupta
+Signed-off-by: Borislav Petkov
+Reviewed-by: Dave Hansen
+Cc:
+Link: https://lore.kernel.org/r/de619764e1d98afbb7a5fa58424f1278ede37b45.1668539735.git.pawan.kumar.gupta@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/cpufeatures.h | 1 +
+ arch/x86/kernel/cpu/tsx.c | 33 ++++++++++++++-------------------
+ 2 files changed, 15 insertions(+), 19 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -290,6 +290,7 @@
+ #define X86_FEATURE_RETPOLINE (11*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */
+ #define X86_FEATURE_RETPOLINE_LFENCE (11*32+13) /* "" Use LFENCE for Spectre variant 2 */
+ #define X86_FEATURE_RSB_VMEXIT_LITE (11*32+17) /* "" Fill RSB on VM exit when EIBRS is enabled */
++#define X86_FEATURE_MSR_TSX_CTRL (11*32+18) /* "" MSR IA32_TSX_CTRL (Intel) implemented */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instructions */
+--- a/arch/x86/kernel/cpu/tsx.c
++++ b/arch/x86/kernel/cpu/tsx.c
+@@ -55,24 +55,6 @@ void tsx_enable(void)
+ wrmsrl(MSR_IA32_TSX_CTRL, tsx);
+ }
+
+-static bool __init tsx_ctrl_is_supported(void)
+-{
+- u64 ia32_cap = x86_read_arch_cap_msr();
+-
+- /*
+- * TSX is controlled via MSR_IA32_TSX_CTRL. However, support for this
+- * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES.
+- *
+- * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a
+- * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES
+- * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get
+- * MSR_IA32_TSX_CTRL support even after a microcode update. Thus,
+- * tsx= cmdline requests will do nothing on CPUs without
+- * MSR_IA32_TSX_CTRL support.
+- */
+- return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
+-}
+-
+ static enum tsx_ctrl_states x86_get_tsx_auto_mode(void)
+ {
+ if (boot_cpu_has_bug(X86_BUG_TAA))
+@@ -86,9 +68,22 @@ void __init tsx_init(void)
+ char arg[5] = {};
+ int ret;
+
+- if (!tsx_ctrl_is_supported())
++ /*
++ * TSX is controlled via MSR_IA32_TSX_CTRL. However, support for this
++ * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES.
++ *
++ * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a
++ * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES
++ * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get
++ * MSR_IA32_TSX_CTRL support even after a microcode update. Thus,
++ * tsx= cmdline requests will do nothing on CPUs without
++ * MSR_IA32_TSX_CTRL support.
++ */
++ if (!(x86_read_arch_cap_msr() & ARCH_CAP_TSX_CTRL_MSR))
+ return;
+
++ setup_force_cpu_cap(X86_FEATURE_MSR_TSX_CTRL);
++
+ ret = cmdline_find_option(boot_command_line, "tsx", arg, sizeof(arg));
+ if (ret >= 0) {
+ if (!strcmp(arg, "on")) {
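Review bot: The comment moved into `tsx_init` says support is enumerated by the `ARCH_CAP_TSX_MSR` bit, but the test directly below it uses `ARCH_CAP_TSX_CTRL_MSR`; the comment line should read `* MSR is enumerated by ARCH_CAP_TSX_CTRL_MSR bit in MSR_IA32_ARCH_CAPABILITIES.`. The patch description likewise names `X86_FEATURE_TSX_CTRL` while the define added to cpufeatures.h is `X86_FEATURE_MSR_TSX_CTRL`. Because the suspend/resume patch queued after this one in the series keys on that flag, the comment could also note that `setup_force_cpu_cap()` runs before the `tsx=` option is parsed, so the bit does not depend on the selected TSX mode. `tsx_init` continues past the end of the hunk.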