From: Greg Kroah-Hartman Date: Sun, 9 Feb 2020 12:27:28 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.103~69 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e444c28cde4143a4ca759526b0dd331743741a9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch btrfs-set-trans-drity-in-btrfs_commit_transaction.patch iwlwifi-don-t-throw-error-when-trying-to-remove-igtk.patch kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch nfs-fix-memory-leaks-and-corruption-in-readdir.patch scsi-qla2xxx-fix-unbound-nvme-response-length.patch sunrpc-expiry_time-should-be-seconds-not-timeval.patch tools-kvm_stat-fix-kvm_exit-filter-name.patch xen-balloon-support-xend-based-toolstack-take-two.patch --- diff --git a/queue-4.14/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch b/queue-4.14/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch new file mode 100644 index 00000000000..4b48d3a3580 --- /dev/null +++ b/queue-4.14/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch @@ -0,0 +1,70 @@ +From 1a3388d506bf5b45bb283e6a4c4706cfb4897333 Mon Sep 17 00:00:00 2001 +From: Stephen Warren +Date: Thu, 3 Oct 2019 14:50:31 -0600 +Subject: ARM: tegra: Enable PLLP bypass during Tegra124 LP1 + +From: Stephen Warren + +commit 1a3388d506bf5b45bb283e6a4c4706cfb4897333 upstream. + +For a little over a year, U-Boot has configured the flow controller to +perform automatic RAM re-repair on off->on power transitions of the CPU +rail[1]. This is mandatory for correct operation of Tegra124. However, +RAM re-repair relies on certain clocks, which the kernel must enable and +leave running. PLLP is one of those clocks. This clock is shut down +during LP1 in order to save power. Enable bypass (which I believe routes +osc_div_clk, essentially the crystal clock, to the PLL output) so that +this clock signal toggles even though the PLL is not active. This is +required so that LP1 power mode (system suspend) operates correctly. + +The bypass configuration must then be undone when resuming from LP1, so +that all peripheral clocks run at the expected rate. Without this, many +peripherals won't work correctly; for example, the UART baud rate would +be incorrect. + +NVIDIA's downstream kernel code only does this if not compiled for +Tegra30, so the added code is made conditional upon the chip ID. +NVIDIA's downstream code makes this change conditional upon the active +CPU cluster. The upstream kernel currently doesn't support cluster +switching, so this patch doesn't test the active CPU cluster ID. + +[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair + +Reported-by: Jonathan Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Warren +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-tegra/sleep-tegra30.S | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/arm/mach-tegra/sleep-tegra30.S ++++ b/arch/arm/mach-tegra/sleep-tegra30.S +@@ -382,6 +382,14 @@ _pll_m_c_x_done: + pll_locked r1, r0, CLK_RESET_PLLC_BASE + pll_locked r1, r0, CLK_RESET_PLLX_BASE + ++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1 ++ cmp r1, #TEGRA30 ++ beq 1f ++ ldr r1, [r0, #CLK_RESET_PLLP_BASE] ++ bic r1, r1, #(1<<31) @ disable PllP bypass ++ str r1, [r0, #CLK_RESET_PLLP_BASE] ++1: ++ + mov32 r7, TEGRA_TMRUS_BASE + ldr r1, [r7] + add r1, r1, #LOCK_DELAY +@@ -641,7 +649,10 @@ tegra30_switch_cpu_to_clk32k: + str r0, [r4, #PMC_PLLP_WB0_OVERRIDE] + + /* disable PLLP, PLLA, PLLC and PLLX */ ++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1 ++ cmp r1, #TEGRA30 + ldr r0, [r5, #CLK_RESET_PLLP_BASE] ++ orrne r0, r0, #(1 << 31) @ enable PllP bypass on fast cluster + bic r0, r0, #(1 << 30) + str r0, [r5, #CLK_RESET_PLLP_BASE] + ldr r0, [r5, #CLK_RESET_PLLA_BASE] diff --git a/queue-4.14/btrfs-set-trans-drity-in-btrfs_commit_transaction.patch b/queue-4.14/btrfs-set-trans-drity-in-btrfs_commit_transaction.patch new file mode 100644 index 00000000000..fe91e8c61df --- /dev/null +++ b/queue-4.14/btrfs-set-trans-drity-in-btrfs_commit_transaction.patch @@ -0,0 +1,96 @@ +From d62b23c94952e78211a383b7d90ef0afbd9a3717 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 17 Jan 2020 08:57:51 -0500 +Subject: btrfs: set trans->drity in btrfs_commit_transaction + +From: Josef Bacik + +commit d62b23c94952e78211a383b7d90ef0afbd9a3717 upstream. + +If we abort a transaction we have the following sequence + +if (!trans->dirty && list_empty(&trans->new_bgs)) + return; +WRITE_ONCE(trans->transaction->aborted, err); + +The idea being if we didn't modify anything with our trans handle then +we don't really need to abort the whole transaction, maybe the other +trans handles are fine and we can carry on. + +However in the case of create_snapshot we add a pending_snapshot object +to our transaction and then commit the transaction. We don't actually +modify anything. sync() behaves the same way, attach to an existing +transaction and commit it. This means that if we have an IO error in +the right places we could abort the committing transaction with our +trans->dirty being not set and thus not set transaction->aborted. + +This is a problem because in the create_snapshot() case we depend on +pending->error being set to something, or btrfs_commit_transaction +returning an error. + +If we are not the trans handle that gets to commit the transaction, and +we're waiting on the commit to happen we get our return value from +cur_trans->aborted. If this was not set to anything because sync() hit +an error in the transaction commit before it could modify anything then +cur_trans->aborted would be 0. Thus we'd return 0 from +btrfs_commit_transaction() in create_snapshot. + +This is a problem because we then try to do things with +pending_snapshot->snap, which will be NULL because we didn't create the +snapshot, and then we'll get a NULL pointer dereference like the +following + +"BUG: kernel NULL pointer dereference, address: 00000000000001f0" +RIP: 0010:btrfs_orphan_cleanup+0x2d/0x330 +Call Trace: + ? btrfs_mksubvol.isra.31+0x3f2/0x510 + btrfs_mksubvol.isra.31+0x4bc/0x510 + ? __sb_start_write+0xfa/0x200 + ? mnt_want_write_file+0x24/0x50 + btrfs_ioctl_snap_create_transid+0x16c/0x1a0 + btrfs_ioctl_snap_create_v2+0x11e/0x1a0 + btrfs_ioctl+0x1534/0x2c10 + ? free_debug_processing+0x262/0x2a3 + do_vfs_ioctl+0xa6/0x6b0 + ? do_sys_open+0x188/0x220 + ? syscall_trace_enter+0x1f8/0x330 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x4a/0x1b0 + +In order to fix this we need to make sure anybody who calls +commit_transaction has trans->dirty set so that they properly set the +trans->transaction->aborted value properly so any waiters know bad +things happened. + +This was found while I was running generic/475 with my modified +fsstress, it reproduced within a few runs. I ran with this patch all +night and didn't see the problem again. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/transaction.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1948,6 +1948,14 @@ int btrfs_commit_transaction(struct btrf + struct btrfs_transaction *prev_trans = NULL; + int ret; + ++ /* ++ * Some places just start a transaction to commit it. We need to make ++ * sure that if this commit fails that the abort code actually marks the ++ * transaction as failed, so set trans->dirty to make the abort code do ++ * the right thing. ++ */ ++ trans->dirty = true; ++ + /* Stop the commit early if ->aborted is set */ + if (unlikely(READ_ONCE(cur_trans->aborted))) { + ret = cur_trans->aborted; diff --git a/queue-4.14/iwlwifi-don-t-throw-error-when-trying-to-remove-igtk.patch b/queue-4.14/iwlwifi-don-t-throw-error-when-trying-to-remove-igtk.patch new file mode 100644 index 00000000000..0d038a623dd --- /dev/null +++ b/queue-4.14/iwlwifi-don-t-throw-error-when-trying-to-remove-igtk.patch @@ -0,0 +1,56 @@ +From 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Fri, 31 Jan 2020 15:45:25 +0200 +Subject: iwlwifi: don't throw error when trying to remove IGTK + +From: Luca Coelho + +commit 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af upstream. + +The IGTK keys are only removed by mac80211 after it has already +removed the AP station. This causes the driver to throw an error +because mac80211 is trying to remove the IGTK when the station doesn't +exist anymore. + +The firmware is aware that the station has been removed and can deal +with it the next time we try to add an IGTK for a station, so we +shouldn't try to remove the key if the station ID is +IWL_MVM_INVALID_STA. Do this by removing the check for mvm_sta before +calling iwl_mvm_send_sta_igtk() and check return from that function +gracefully if the station ID is invalid. + +Cc: stable@vger.kernel.org # 4.12+ +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2981,6 +2981,10 @@ static int iwl_mvm_send_sta_igtk(struct + igtk_cmd.sta_id = cpu_to_le32(sta_id); + + if (remove_key) { ++ /* This is a valid situation for IGTK */ ++ if (sta_id == IWL_MVM_INVALID_STA) ++ return 0; ++ + igtk_cmd.ctrl_flags |= cpu_to_le32(STA_KEY_NOT_VALID); + } else { + struct ieee80211_key_seq seq; +@@ -3285,9 +3289,9 @@ int iwl_mvm_remove_sta_key(struct iwl_mv + IWL_DEBUG_WEP(mvm, "mvm remove dynamic key: idx=%d sta=%d\n", + keyconf->keyidx, sta_id); + +- if (mvm_sta && (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC || +- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 || +- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256)) ++ if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC || ++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 || ++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256) + return iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, true); + + if (!__test_and_clear_bit(keyconf->hw_key_idx, mvm->fw_key_table)) { diff --git a/queue-4.14/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch b/queue-4.14/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch new file mode 100644 index 00000000000..1f18be41e36 --- /dev/null +++ b/queue-4.14/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch @@ -0,0 +1,44 @@ +From 1a978d9d3e72ddfa40ac60d26301b154247ee0bc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 18 Dec 2019 13:54:46 -0800 +Subject: KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails + +From: Sean Christopherson + +commit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream. + +Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any +resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page. + +Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kurz +Signed-off-by: Sean Christopherson +Acked-by: Paul Mackerras +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -1997,7 +1997,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu + mutex_unlock(&kvm->lock); + + if (!vcore) +- goto free_vcpu; ++ goto uninit_vcpu; + + spin_lock(&vcore->lock); + ++vcore->num_threads; +@@ -2014,6 +2014,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu + + return vcpu; + ++uninit_vcpu: ++ kvm_vcpu_uninit(vcpu); + free_vcpu: + kmem_cache_free(kvm_vcpu_cache, vcpu); + out: diff --git a/queue-4.14/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch b/queue-4.14/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch new file mode 100644 index 00000000000..1ad88f657e6 --- /dev/null +++ b/queue-4.14/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch @@ -0,0 +1,41 @@ +From cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 18 Dec 2019 13:54:47 -0800 +Subject: KVM: PPC: Book3S PR: Free shared page if mmu initialization fails + +From: Sean Christopherson + +commit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream. + +Explicitly free the shared page if kvmppc_mmu_init() fails during +kvmppc_core_vcpu_create(), as the page is freed only in +kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit(). + +Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kurz +Signed-off-by: Sean Christopherson +Acked-by: Paul Mackerras +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_pr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_pr.c ++++ b/arch/powerpc/kvm/book3s_pr.c +@@ -1482,10 +1482,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu + + err = kvmppc_mmu_init(vcpu); + if (err < 0) +- goto uninit_vcpu; ++ goto free_shared_page; + + return vcpu; + ++free_shared_page: ++ free_page((unsigned long)vcpu->arch.shared); + uninit_vcpu: + kvm_vcpu_uninit(vcpu); + free_shadow_vcpu: diff --git a/queue-4.14/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..8b6642ca77e --- /dev/null +++ b/queue-4.14/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,57 @@ +From ea740059ecb37807ba47b84b33d1447435a8d868 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:52 -0800 +Subject: KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and +kvm_get_dr(). +Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are +exported symbols so KVM should tream them conservatively from a security +perspective. + +Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -924,9 +924,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu + + static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- vcpu->arch.db[dr] = val; ++ vcpu->arch.db[array_index_nospec(dr, size)] = val; + if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)) + vcpu->arch.eff_db[dr] = val; + break; +@@ -963,9 +965,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr); + + int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- *val = vcpu->arch.db[dr]; ++ *val = vcpu->arch.db[array_index_nospec(dr, size)]; + break; + case 4: + /* fall through */ diff --git a/queue-4.14/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..9373c0d1d8e --- /dev/null +++ b/queue-4.14/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,58 @@ +From 8c86405f606ca8508b8d9280680166ca26723695 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:44 -0800 +Subject: KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 8c86405f606ca8508b8d9280680166ca26723695 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/ioapic.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirec + default: + { + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; +- u64 redir_content; ++ u64 redir_content = ~0ULL; + +- if (redir_index < IOAPIC_NUM_PINS) +- redir_content = +- ioapic->redirtbl[redir_index].bits; +- else +- redir_content = ~0ULL; ++ if (redir_index < IOAPIC_NUM_PINS) { ++ u32 index = array_index_nospec( ++ redir_index, IOAPIC_NUM_PINS); ++ ++ redir_content = ioapic->redirtbl[index].bits; ++ } + + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : diff --git a/queue-4.14/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..8169f68e8b5 --- /dev/null +++ b/queue-4.14/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,40 @@ +From 670564559ca35b439c8d8861fc399451ddf95137 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:45 -0800 +Subject: KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 670564559ca35b439c8d8861fc399451ddf95137 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +This patch depends on patch +"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks". + +Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/ioapic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -297,6 +297,7 @@ static void ioapic_write_indirect(struct + ioapic_debug("change redir index %x val %x\n", index, val); + if (index >= IOAPIC_NUM_PINS) + return; ++ index = array_index_nospec(index, IOAPIC_NUM_PINS); + e = &ioapic->redirtbl[index]; + mask_before = e->fields.mask; + /* Preserve read-only fields */ diff --git a/queue-4.14/kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..fc2868a8ad7 --- /dev/null +++ b/queue-4.14/kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,59 @@ +From 8618793750071d66028584a83ed0b4fa7eb4f607 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:42 -0800 +Subject: KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 8618793750071d66028584a83ed0b4fa7eb4f607 upstream. + +This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data() +and kvm_hv_msr_set_crash_data(). +These functions contain index computations that use the +(attacker-controlled) MSR number. + +Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/hyperv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -747,11 +747,12 @@ static int kvm_hv_msr_get_crash_data(str + u32 index, u64 *pdata) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- *pdata = hv->hv_crash_param[index]; ++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)]; + return 0; + } + +@@ -790,11 +791,12 @@ static int kvm_hv_msr_set_crash_data(str + u32 index, u64 data) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- hv->hv_crash_param[index] = data; ++ hv->hv_crash_param[array_index_nospec(index, size)] = data; + return 0; + } + diff --git a/queue-4.14/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..076e3009a85 --- /dev/null +++ b/queue-4.14/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,54 @@ +From 4bf79cb089f6b1c6c632492c0271054ce52ad766 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:46 -0800 +Subject: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1754,15 +1754,20 @@ int kvm_lapic_reg_write(struct kvm_lapic + case APIC_LVTTHMR: + case APIC_LVTPC: + case APIC_LVT1: +- case APIC_LVTERR: ++ case APIC_LVTERR: { + /* TODO: Check vector */ ++ size_t size; ++ u32 index; ++ + if (!kvm_apic_sw_enabled(apic)) + val |= APIC_LVT_MASKED; +- +- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4]; ++ size = ARRAY_SIZE(apic_lvt_mask); ++ index = array_index_nospec( ++ (reg - APIC_LVTT) >> 4, size); ++ val &= apic_lvt_mask[index]; + kvm_lapic_set_reg(apic, reg, val); +- + break; ++ } + + case APIC_LVTT: + if (!kvm_apic_sw_enabled(apic)) diff --git a/queue-4.14/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch b/queue-4.14/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch new file mode 100644 index 00000000000..bc39ec45129 --- /dev/null +++ b/queue-4.14/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch @@ -0,0 +1,54 @@ +From 6ec4c5eee1750d5d17951c4e1960d953376a0dda Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:49 -0800 +Subject: KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c + +From: Marios Pomonis + +commit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream. + +This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and +get_msr_mce(). +Both functions contain index computations based on the +(attacker-controlled) MSR number. + +Fixes: 890ca9aefa78 ("KVM: Add MCE support") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2165,7 +2165,10 @@ static int set_msr_mce(struct kvm_vcpu * + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + /* only 0 or all 1s can be written to IA32_MCi_CTL + * some Linux kernels though clear bit 10 in bank 4 to + * workaround a BIOS/GART TBL issue on AMD K8s, ignore +@@ -2549,7 +2552,10 @@ static int get_msr_mce(struct kvm_vcpu * + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + data = vcpu->arch.mce_banks[offset]; + break; + } diff --git a/queue-4.14/kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..551dd93306d --- /dev/null +++ b/queue-4.14/kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,47 @@ +From 25a5edea71b7c154b6a0b8cec14c711cafa31d26 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:47 -0800 +Subject: KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 25a5edea71b7c154b6a0b8cec14c711cafa31d26 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mtrr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -202,11 +202,15 @@ static bool fixed_msr_to_seg_unit(u32 ms + break; + case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000: + *seg = 1; +- *unit = msr - MSR_MTRRfix16K_80000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix16K_80000, ++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1); + break; + case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000: + *seg = 2; +- *unit = msr - MSR_MTRRfix4K_C0000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix4K_C0000, ++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1); + break; + default: + return false; diff --git a/queue-4.14/kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..49892d21293 --- /dev/null +++ b/queue-4.14/kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,69 @@ +From 13c5183a4e643cc2b03a22d0e582c8e17bb7457d Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:48 -0800 +Subject: KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 13c5183a4e643cc2b03a22d0e582c8e17bb7457d upstream. + +This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and +get_fixed_pmc() functions. +They both contain index computations based on the (attacker-controlled) +MSR number. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/pmu.h | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/pmu.h ++++ b/arch/x86/kvm/pmu.h +@@ -2,6 +2,8 @@ + #ifndef __KVM_X86_PMU_H + #define __KVM_X86_PMU_H + ++#include ++ + #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu) + #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu)) + #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu) +@@ -81,8 +83,12 @@ static inline bool pmc_is_enabled(struct + static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr, + u32 base) + { +- if (msr >= base && msr < base + pmu->nr_arch_gp_counters) +- return &pmu->gp_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_gp_counters); ++ ++ return &pmu->gp_counters[index]; ++ } + + return NULL; + } +@@ -92,8 +98,12 @@ static inline struct kvm_pmc *get_fixed_ + { + int base = MSR_CORE_PERF_FIXED_CTR0; + +- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) +- return &pmu->fixed_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_fixed_counters); ++ ++ return &pmu->fixed_counters[index]; ++ } + + return NULL; + } diff --git a/queue-4.14/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..cd8ae015e44 --- /dev/null +++ b/queue-4.14/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,48 @@ +From 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:41 -0800 +Subject: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn(). +kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported +symbol, so KVM should treat it conservatively from a security perspective. + +Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5199,10 +5199,15 @@ done_prefixes: + } + break; + case Escape: +- if (ctxt->modrm > 0xbf) +- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; +- else ++ if (ctxt->modrm > 0xbf) { ++ size_t size = ARRAY_SIZE(opcode.u.esc->high); ++ u32 index = array_index_nospec( ++ ctxt->modrm - 0xc0, size); ++ ++ opcode = opcode.u.esc->high[index]; ++ } else { + opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; ++ } + break; + case InstrDual: + if ((ctxt->modrm >> 6) == 3) diff --git a/queue-4.14/kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..eb7e20daeab --- /dev/null +++ b/queue-4.14/kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,45 @@ +From 14e32321f3606e4b0970200b6e5e47ee6f1e6410 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:43 -0800 +Subject: KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 14e32321f3606e4b0970200b6e5e47ee6f1e6410 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in picdev_write(). +It replaces index computations based on the (attacked-controlled) port +number with constants through a minor refactoring. + +Fixes: 85f455f7ddbe ("KVM: Add support for in-kernel PIC emulation") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/i8259.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/i8259.c ++++ b/arch/x86/kvm/i8259.c +@@ -460,10 +460,14 @@ static int picdev_write(struct kvm_pic * + switch (addr) { + case 0x20: + case 0x21: ++ pic_lock(s); ++ pic_ioport_write(&s->pics[0], addr, data); ++ pic_unlock(s); ++ break; + case 0xa0: + case 0xa1: + pic_lock(s); +- pic_ioport_write(&s->pics[addr >> 7], addr, data); ++ pic_ioport_write(&s->pics[1], addr, data); + pic_unlock(s); + break; + case 0x4d0: diff --git a/queue-4.14/kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch b/queue-4.14/kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..2ab2214d653 --- /dev/null +++ b/queue-4.14/kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,57 @@ +From 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:50 -0800 +Subject: KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream. + +This fixes Spectre-v1/L1TF vulnerabilities in +vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(), +vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). When +invoked from emulation, these functions contain index computations +based on the (attacker-influenced) segment value. Using constants +prevents the attack. + +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5094,16 +5094,28 @@ int x86_decode_insn(struct x86_emulate_c + ctxt->ad_bytes = def_ad_bytes ^ 6; + break; + case 0x26: /* ES override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_ES; ++ break; + case 0x2e: /* CS override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_CS; ++ break; + case 0x36: /* SS override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_SS; ++ break; + case 0x3e: /* DS override */ + has_seg_override = true; +- ctxt->seg_override = (ctxt->b >> 3) & 3; ++ ctxt->seg_override = VCPU_SREG_DS; + break; + case 0x64: /* FS override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_FS; ++ break; + case 0x65: /* GS override */ + has_seg_override = true; +- ctxt->seg_override = ctxt->b & 7; ++ ctxt->seg_override = VCPU_SREG_GS; + break; + case 0x40 ... 0x4f: /* REX */ + if (mode != X86EMUL_MODE_PROT64) diff --git a/queue-4.14/mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch b/queue-4.14/mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch new file mode 100644 index 00000000000..77f666b9007 --- /dev/null +++ b/queue-4.14/mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch @@ -0,0 +1,35 @@ +From 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 6 Jan 2020 14:42:12 -0800 +Subject: mwifiex: fix unbalanced locking in mwifiex_process_country_ie() + +From: Brian Norris + +commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream. + +We called rcu_read_lock(), so we need to call rcu_read_unlock() before +we return. + +Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()") +Cc: stable@vger.kernel.org +Cc: huangwen +Cc: Ganapathi Bhat +Signed-off-by: Brian Norris +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +@@ -274,6 +274,7 @@ static int mwifiex_process_country_ie(st + + if (country_ie_len > + (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { ++ rcu_read_unlock(); + mwifiex_dbg(priv->adapter, ERROR, + "11D: country_ie_len overflow!, deauth AP\n"); + return -EINVAL; diff --git a/queue-4.14/nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch b/queue-4.14/nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch new file mode 100644 index 00000000000..51ea9af6e9f --- /dev/null +++ b/queue-4.14/nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch @@ -0,0 +1,112 @@ +From 114de38225d9b300f027e2aec9afbb6e0def154b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 2 Feb 2020 17:53:54 -0500 +Subject: NFS: Directory page cache pages need to be locked when read + +From: Trond Myklebust + +commit 114de38225d9b300f027e2aec9afbb6e0def154b upstream. + +When a NFS directory page cache page is removed from the page cache, +its contents are freed through a call to nfs_readdir_clear_array(). +To prevent the removal of the page cache entry until after we've +finished reading it, we must take the page lock. + +Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir") +Cc: stable@vger.kernel.org # v2.6.37+ +Signed-off-by: Trond Myklebust +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -708,8 +708,6 @@ int nfs_readdir_filler(nfs_readdir_descr + static + void cache_page_release(nfs_readdir_descriptor_t *desc) + { +- if (!desc->page->mapping) +- nfs_readdir_clear_array(desc->page); + put_page(desc->page); + desc->page = NULL; + } +@@ -723,19 +721,28 @@ struct page *get_cache_page(nfs_readdir_ + + /* + * Returns 0 if desc->dir_cookie was found on page desc->page_index ++ * and locks the page to prevent removal from the page cache. + */ + static +-int find_cache_page(nfs_readdir_descriptor_t *desc) ++int find_and_lock_cache_page(nfs_readdir_descriptor_t *desc) + { + int res; + + desc->page = get_cache_page(desc); + if (IS_ERR(desc->page)) + return PTR_ERR(desc->page); +- +- res = nfs_readdir_search_array(desc); ++ res = lock_page_killable(desc->page); + if (res != 0) +- cache_page_release(desc); ++ goto error; ++ res = -EAGAIN; ++ if (desc->page->mapping != NULL) { ++ res = nfs_readdir_search_array(desc); ++ if (res == 0) ++ return 0; ++ } ++ unlock_page(desc->page); ++error: ++ cache_page_release(desc); + return res; + } + +@@ -750,7 +757,7 @@ int readdir_search_pagecache(nfs_readdir + desc->last_cookie = 0; + } + do { +- res = find_cache_page(desc); ++ res = find_and_lock_cache_page(desc); + } while (res == -EAGAIN); + return res; + } +@@ -789,7 +796,6 @@ int nfs_do_filldir(nfs_readdir_descripto + desc->eof = 1; + + kunmap(desc->page); +- cache_page_release(desc); + dfprintk(DIRCACHE, "NFS: nfs_do_filldir() filling ended @ cookie %Lu; returning = %d\n", + (unsigned long long)*desc->dir_cookie, res); + return res; +@@ -835,13 +841,13 @@ int uncached_readdir(nfs_readdir_descrip + + status = nfs_do_filldir(desc); + ++ out_release: ++ nfs_readdir_clear_array(desc->page); ++ cache_page_release(desc); + out: + dfprintk(DIRCACHE, "NFS: %s: returns %d\n", + __func__, status); + return status; +- out_release: +- cache_page_release(desc); +- goto out; + } + + /* The file offset position represents the dirent entry number. A +@@ -906,6 +912,8 @@ static int nfs_readdir(struct file *file + break; + + res = nfs_do_filldir(desc); ++ unlock_page(desc->page); ++ cache_page_release(desc); + if (res < 0) + break; + } while (!desc->eof); diff --git a/queue-4.14/nfs-fix-memory-leaks-and-corruption-in-readdir.patch b/queue-4.14/nfs-fix-memory-leaks-and-corruption-in-readdir.patch new file mode 100644 index 00000000000..dbce874afb0 --- /dev/null +++ b/queue-4.14/nfs-fix-memory-leaks-and-corruption-in-readdir.patch @@ -0,0 +1,81 @@ +From 4b310319c6a8ce708f1033d57145e2aa027a883c Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 2 Feb 2020 17:53:53 -0500 +Subject: NFS: Fix memory leaks and corruption in readdir + +From: Trond Myklebust + +commit 4b310319c6a8ce708f1033d57145e2aa027a883c upstream. + +nfs_readdir_xdr_to_array() must not exit without having initialised +the array, so that the page cache deletion routines can safely +call nfs_readdir_clear_array(). +Furthermore, we should ensure that if we exit nfs_readdir_filler() +with an error, we free up any page contents to prevent a leak +if we try to fill the page again. + +Fixes: 11de3b11e08c ("NFS: Fix a memory leak in nfs_readdir") +Cc: stable@vger.kernel.org # v2.6.37+ +Signed-off-by: Trond Myklebust +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -169,6 +169,17 @@ typedef struct { + bool eof; + } nfs_readdir_descriptor_t; + ++static ++void nfs_readdir_init_array(struct page *page) ++{ ++ struct nfs_cache_array *array; ++ ++ array = kmap_atomic(page); ++ memset(array, 0, sizeof(struct nfs_cache_array)); ++ array->eof_index = -1; ++ kunmap_atomic(array); ++} ++ + /* + * we are freeing strings created by nfs_add_to_readdir_array() + */ +@@ -181,6 +192,7 @@ void nfs_readdir_clear_array(struct page + array = kmap_atomic(page); + for (i = 0; i < array->size; i++) + kfree(array->array[i].string.name); ++ array->size = 0; + kunmap_atomic(array); + } + +@@ -617,6 +629,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir + int status = -ENOMEM; + unsigned int array_size = ARRAY_SIZE(pages); + ++ nfs_readdir_init_array(page); ++ + entry.prev_cookie = 0; + entry.cookie = desc->last_cookie; + entry.eof = 0; +@@ -633,8 +647,6 @@ int nfs_readdir_xdr_to_array(nfs_readdir + } + + array = kmap(page); +- memset(array, 0, sizeof(struct nfs_cache_array)); +- array->eof_index = -1; + + status = nfs_readdir_alloc_pages(pages, array_size); + if (status < 0) +@@ -688,6 +700,7 @@ int nfs_readdir_filler(nfs_readdir_descr + unlock_page(page); + return 0; + error: ++ nfs_readdir_clear_array(page); + unlock_page(page); + return ret; + } diff --git a/queue-4.14/scsi-qla2xxx-fix-unbound-nvme-response-length.patch b/queue-4.14/scsi-qla2xxx-fix-unbound-nvme-response-length.patch new file mode 100644 index 00000000000..84604bdff2c --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-unbound-nvme-response-length.patch @@ -0,0 +1,78 @@ +From 00fe717ee1ea3c2979db4f94b1533c57aed8dea9 Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Thu, 23 Jan 2020 20:50:14 -0800 +Subject: scsi: qla2xxx: Fix unbound NVME response length + +From: Arun Easi + +commit 00fe717ee1ea3c2979db4f94b1533c57aed8dea9 upstream. + +On certain cases when response length is less than 32, NVME response data +is supplied inline in IOCB. This is indicated by some combination of state +flags. There was an instance when a high, and incorrect, response length +was indicated causing driver to overrun buffers. Fix this by checking and +limiting the response payload length. + +Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200124045014.23554-1-hmadhani@marvell.com +Signed-off-by: Arun Easi +Signed-off-by: Himanshu Madhani +Reviewed-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_dbg.c | 6 ------ + drivers/scsi/qla2xxx/qla_dbg.h | 6 ++++++ + drivers/scsi/qla2xxx/qla_isr.c | 12 ++++++++++++ + 3 files changed, 18 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_dbg.c ++++ b/drivers/scsi/qla2xxx/qla_dbg.c +@@ -2517,12 +2517,6 @@ qla83xx_fw_dump_failed: + /* Driver Debug Functions. */ + /****************************************************************************/ + +-static inline int +-ql_mask_match(uint32_t level) +-{ +- return (level & ql2xextended_error_logging) == level; +-} +- + /* + * This function is for formatting and logging debug information. + * It is to be used when vha is available. It formats the message +--- a/drivers/scsi/qla2xxx/qla_dbg.h ++++ b/drivers/scsi/qla2xxx/qla_dbg.h +@@ -374,3 +374,9 @@ extern int qla24xx_dump_ram(struct qla_h + extern void qla24xx_pause_risc(struct device_reg_24xx __iomem *, + struct qla_hw_data *); + extern int qla24xx_soft_reset(struct qla_hw_data *); ++ ++static inline int ++ql_mask_match(uint level) ++{ ++ return (level & ql2xextended_error_logging) == level; ++} +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -1853,6 +1853,18 @@ qla24xx_nvme_iocb_entry(scsi_qla_host_t + inbuf = (uint32_t *)&sts->nvme_ersp_data; + outbuf = (uint32_t *)fd->rspaddr; + iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len); ++ if (unlikely(iocb->u.nvme.rsp_pyld_len > ++ sizeof(struct nvme_fc_ersp_iu))) { ++ if (ql_mask_match(ql_dbg_io)) { ++ WARN_ONCE(1, "Unexpected response payload length %u.\n", ++ iocb->u.nvme.rsp_pyld_len); ++ ql_log(ql_log_warn, fcport->vha, 0x5100, ++ "Unexpected response payload length %u.\n", ++ iocb->u.nvme.rsp_pyld_len); ++ } ++ iocb->u.nvme.rsp_pyld_len = ++ sizeof(struct nvme_fc_ersp_iu); ++ } + iter = iocb->u.nvme.rsp_pyld_len >> 2; + for (; iter; iter--) + *outbuf++ = swab32(*inbuf++); diff --git a/queue-4.14/series b/queue-4.14/series index f980662d55e..b6301110949 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -65,3 +65,26 @@ crypto-pcrypt-do-not-clear-may_sleep-flag-in-original-request.patch crypto-atmel-aes-fix-counter-overflow-in-ctr-mode.patch crypto-api-fix-race-condition-in-crypto_spawn_alg.patch crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix-missed-tasklet_kill.patch +scsi-qla2xxx-fix-unbound-nvme-response-length.patch +nfs-fix-memory-leaks-and-corruption-in-readdir.patch +nfs-directory-page-cache-pages-need-to-be-locked-when-read.patch +btrfs-set-trans-drity-in-btrfs_commit_transaction.patch +arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch +iwlwifi-don-t-throw-error-when-trying-to-remove-igtk.patch +mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch +sunrpc-expiry_time-should-be-seconds-not-timeval.patch +tools-kvm_stat-fix-kvm_exit-filter-name.patch +xen-balloon-support-xend-based-toolstack-take-two.patch +kvm-x86-refactor-picdev_write-to-prevent-spectre-v1-l1tf-attacks.patch +kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch +kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch +kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch +kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch diff --git a/queue-4.14/sunrpc-expiry_time-should-be-seconds-not-timeval.patch b/queue-4.14/sunrpc-expiry_time-should-be-seconds-not-timeval.patch new file mode 100644 index 00000000000..1c017e778e4 --- /dev/null +++ b/queue-4.14/sunrpc-expiry_time-should-be-seconds-not-timeval.patch @@ -0,0 +1,54 @@ +From 3d96208c30f84d6edf9ab4fac813306ac0d20c10 Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas +Date: Tue, 4 Feb 2020 11:32:56 +0100 +Subject: sunrpc: expiry_time should be seconds not timeval + +From: Roberto Bergantinos Corpas + +commit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream. + +When upcalling gssproxy, cache_head.expiry_time is set as a +timeval, not seconds since boot. As such, RPC cache expiry +logic will not clean expired objects created under +auth.rpcsec.context cache. + +This has proven to cause kernel memory leaks on field. Using +64 bit variants of getboottime/timespec + +Expiration times have worked this way since 2010's c5b29f885afe "sunrpc: +use seconds since boot in expiry cache". The gssproxy code introduced +in 2012 added gss_proxy_save_rsc and introduced the bug. That's a while +for this to lurk, but it required a bit of an extreme case to make it +obvious. + +Signed-off-by: Roberto Bergantinos Corpas +Cc: stable@vger.kernel.org +Fixes: 030d794bf498 "SUNRPC: Use gssproxy upcall for server..." +Tested-By: Frank Sorenson +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/svcauth_gss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1188,6 +1188,7 @@ static int gss_proxy_save_rsc(struct cac + dprintk("RPC: No creds found!\n"); + goto out; + } else { ++ struct timespec64 boot; + + /* steal creds */ + rsci.cred = ud->creds; +@@ -1208,6 +1209,9 @@ static int gss_proxy_save_rsc(struct cac + &expiry, GFP_KERNEL); + if (status) + goto out; ++ ++ getboottime64(&boot); ++ expiry -= boot.tv_sec; + } + + rsci.h.expiry_time = expiry; diff --git a/queue-4.14/tools-kvm_stat-fix-kvm_exit-filter-name.patch b/queue-4.14/tools-kvm_stat-fix-kvm_exit-filter-name.patch new file mode 100644 index 00000000000..f19da7dc0a6 --- /dev/null +++ b/queue-4.14/tools-kvm_stat-fix-kvm_exit-filter-name.patch @@ -0,0 +1,73 @@ +From 5fcf3a55a62afb0760ccb6f391d62f20bce4a42f Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Tue, 10 Dec 2019 15:48:29 +1100 +Subject: tools/kvm_stat: Fix kvm_exit filter name + +From: Gavin Shan + +commit 5fcf3a55a62afb0760ccb6f391d62f20bce4a42f upstream. + +The filter name is fixed to "exit_reason" for some kvm_exit events, no +matter what architect we have. Actually, the filter name ("exit_reason") +is only applicable to x86, meaning it's broken on other architects +including aarch64. + +This fixes the issue by providing various kvm_exit filter names, depending +on architect we're on. Afterwards, the variable filter name is picked and +applied through ioctl(fd, SET_FILTER). + +Reported-by: Andrew Jones +Signed-off-by: Gavin Shan +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + tools/kvm/kvm_stat/kvm_stat | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/tools/kvm/kvm_stat/kvm_stat ++++ b/tools/kvm/kvm_stat/kvm_stat +@@ -261,6 +261,7 @@ class ArchX86(Arch): + def __init__(self, exit_reasons): + self.sc_perf_evt_open = 298 + self.ioctl_numbers = IOCTL_NUMBERS ++ self.exit_reason_field = 'exit_reason' + self.exit_reasons = exit_reasons + + +@@ -276,6 +277,7 @@ class ArchPPC(Arch): + # numbers depend on the wordsize. + char_ptr_size = ctypes.sizeof(ctypes.c_char_p) + self.ioctl_numbers['SET_FILTER'] = 0x80002406 | char_ptr_size << 16 ++ self.exit_reason_field = 'exit_nr' + self.exit_reasons = {} + + +@@ -283,6 +285,7 @@ class ArchA64(Arch): + def __init__(self): + self.sc_perf_evt_open = 241 + self.ioctl_numbers = IOCTL_NUMBERS ++ self.exit_reason_field = 'esr_ec' + self.exit_reasons = AARCH64_EXIT_REASONS + + +@@ -290,6 +293,7 @@ class ArchS390(Arch): + def __init__(self): + self.sc_perf_evt_open = 331 + self.ioctl_numbers = IOCTL_NUMBERS ++ self.exit_reason_field = None + self.exit_reasons = None + + ARCH = Arch.get_arch() +@@ -513,8 +517,8 @@ class TracepointProvider(Provider): + """ + filters = {} + filters['kvm_userspace_exit'] = ('reason', USERSPACE_EXIT_REASONS) +- if ARCH.exit_reasons: +- filters['kvm_exit'] = ('exit_reason', ARCH.exit_reasons) ++ if ARCH.exit_reason_field and ARCH.exit_reasons: ++ filters['kvm_exit'] = (ARCH.exit_reason_field, ARCH.exit_reasons) + return filters + + def get_available_fields(self): diff --git a/queue-4.14/xen-balloon-support-xend-based-toolstack-take-two.patch b/queue-4.14/xen-balloon-support-xend-based-toolstack-take-two.patch new file mode 100644 index 00000000000..3985014956a --- /dev/null +++ b/queue-4.14/xen-balloon-support-xend-based-toolstack-take-two.patch @@ -0,0 +1,47 @@ +From eda4eabf86fd6806eaabc23fb90dd056fdac037b Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 17 Jan 2020 14:49:31 +0100 +Subject: xen/balloon: Support xend-based toolstack take two + +From: Juergen Gross + +commit eda4eabf86fd6806eaabc23fb90dd056fdac037b upstream. + +Commit 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack") +tried to fix a regression with running on rather ancient Xen versions. +Unfortunately the fix was based on the assumption that xend would +just use another Xenstore node, but in reality only some downstream +versions of xend are doing that. The upstream xend does not write +that Xenstore node at all, so the problem must be fixed in another +way. + +The easiest way to achieve that is to fall back to the behavior +before commit 96edd61dcf4436 ("xen/balloon: don't online new memory +initially") in case the static memory maximum can't be read. + +This is achieved by setting static_max to the current number of +memory pages known by the system resulting in target_diff becoming +zero. + +Fixes: 3aa6c19d2f38be ("xen/balloon: Support xend-based toolstack") +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Cc: # 4.13 +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-balloon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/xen-balloon.c ++++ b/drivers/xen/xen-balloon.c +@@ -82,7 +82,7 @@ static void watch_target(struct xenbus_w + "%llu", &static_max) == 1)) + static_max >>= PAGE_SHIFT - 10; + else +- static_max = new_target; ++ static_max = balloon_stats.current_pages; + + target_diff = (xen_pv_domain() || xen_initial_domain()) ? 0 + : static_max - balloon_stats.target_pages;