From: Greg Kroah-Hartman Date: Sun, 9 Feb 2020 12:27:20 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.103~71 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bc9769dc3df3e54c9666ea956bf8cf17d1b0a6f1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch btrfs-set-trans-drity-in-btrfs_commit_transaction.patch kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch sunrpc-expiry_time-should-be-seconds-not-timeval.patch --- diff --git a/queue-4.4/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch b/queue-4.4/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch new file mode 100644 index 00000000000..ce45dc4930b --- /dev/null +++ b/queue-4.4/arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch @@ -0,0 +1,70 @@ +From 1a3388d506bf5b45bb283e6a4c4706cfb4897333 Mon Sep 17 00:00:00 2001 +From: Stephen Warren +Date: Thu, 3 Oct 2019 14:50:31 -0600 +Subject: ARM: tegra: Enable PLLP bypass during Tegra124 LP1 + +From: Stephen Warren + +commit 1a3388d506bf5b45bb283e6a4c4706cfb4897333 upstream. + +For a little over a year, U-Boot has configured the flow controller to +perform automatic RAM re-repair on off->on power transitions of the CPU +rail[1]. This is mandatory for correct operation of Tegra124. However, +RAM re-repair relies on certain clocks, which the kernel must enable and +leave running. PLLP is one of those clocks. This clock is shut down +during LP1 in order to save power. Enable bypass (which I believe routes +osc_div_clk, essentially the crystal clock, to the PLL output) so that +this clock signal toggles even though the PLL is not active. This is +required so that LP1 power mode (system suspend) operates correctly. + +The bypass configuration must then be undone when resuming from LP1, so +that all peripheral clocks run at the expected rate. Without this, many +peripherals won't work correctly; for example, the UART baud rate would +be incorrect. + +NVIDIA's downstream kernel code only does this if not compiled for +Tegra30, so the added code is made conditional upon the chip ID. +NVIDIA's downstream code makes this change conditional upon the active +CPU cluster. The upstream kernel currently doesn't support cluster +switching, so this patch doesn't test the active CPU cluster ID. + +[1] 3cc7942a4ae5 ARM: tegra: implement RAM repair + +Reported-by: Jonathan Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Warren +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-tegra/sleep-tegra30.S | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/arm/mach-tegra/sleep-tegra30.S ++++ b/arch/arm/mach-tegra/sleep-tegra30.S +@@ -379,6 +379,14 @@ _pll_m_c_x_done: + pll_locked r1, r0, CLK_RESET_PLLC_BASE + pll_locked r1, r0, CLK_RESET_PLLX_BASE + ++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1 ++ cmp r1, #TEGRA30 ++ beq 1f ++ ldr r1, [r0, #CLK_RESET_PLLP_BASE] ++ bic r1, r1, #(1<<31) @ disable PllP bypass ++ str r1, [r0, #CLK_RESET_PLLP_BASE] ++1: ++ + mov32 r7, TEGRA_TMRUS_BASE + ldr r1, [r7] + add r1, r1, #LOCK_DELAY +@@ -638,7 +646,10 @@ tegra30_switch_cpu_to_clk32k: + str r0, [r4, #PMC_PLLP_WB0_OVERRIDE] + + /* disable PLLP, PLLA, PLLC and PLLX */ ++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1 ++ cmp r1, #TEGRA30 + ldr r0, [r5, #CLK_RESET_PLLP_BASE] ++ orrne r0, r0, #(1 << 31) @ enable PllP bypass on fast cluster + bic r0, r0, #(1 << 30) + str r0, [r5, #CLK_RESET_PLLP_BASE] + ldr r0, [r5, #CLK_RESET_PLLA_BASE] diff --git a/queue-4.4/btrfs-set-trans-drity-in-btrfs_commit_transaction.patch b/queue-4.4/btrfs-set-trans-drity-in-btrfs_commit_transaction.patch new file mode 100644 index 00000000000..e70c2145334 --- /dev/null +++ b/queue-4.4/btrfs-set-trans-drity-in-btrfs_commit_transaction.patch @@ -0,0 +1,96 @@ +From d62b23c94952e78211a383b7d90ef0afbd9a3717 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 17 Jan 2020 08:57:51 -0500 +Subject: btrfs: set trans->drity in btrfs_commit_transaction + +From: Josef Bacik + +commit d62b23c94952e78211a383b7d90ef0afbd9a3717 upstream. + +If we abort a transaction we have the following sequence + +if (!trans->dirty && list_empty(&trans->new_bgs)) + return; +WRITE_ONCE(trans->transaction->aborted, err); + +The idea being if we didn't modify anything with our trans handle then +we don't really need to abort the whole transaction, maybe the other +trans handles are fine and we can carry on. + +However in the case of create_snapshot we add a pending_snapshot object +to our transaction and then commit the transaction. We don't actually +modify anything. sync() behaves the same way, attach to an existing +transaction and commit it. This means that if we have an IO error in +the right places we could abort the committing transaction with our +trans->dirty being not set and thus not set transaction->aborted. + +This is a problem because in the create_snapshot() case we depend on +pending->error being set to something, or btrfs_commit_transaction +returning an error. + +If we are not the trans handle that gets to commit the transaction, and +we're waiting on the commit to happen we get our return value from +cur_trans->aborted. If this was not set to anything because sync() hit +an error in the transaction commit before it could modify anything then +cur_trans->aborted would be 0. Thus we'd return 0 from +btrfs_commit_transaction() in create_snapshot. + +This is a problem because we then try to do things with +pending_snapshot->snap, which will be NULL because we didn't create the +snapshot, and then we'll get a NULL pointer dereference like the +following + +"BUG: kernel NULL pointer dereference, address: 00000000000001f0" +RIP: 0010:btrfs_orphan_cleanup+0x2d/0x330 +Call Trace: + ? btrfs_mksubvol.isra.31+0x3f2/0x510 + btrfs_mksubvol.isra.31+0x4bc/0x510 + ? __sb_start_write+0xfa/0x200 + ? mnt_want_write_file+0x24/0x50 + btrfs_ioctl_snap_create_transid+0x16c/0x1a0 + btrfs_ioctl_snap_create_v2+0x11e/0x1a0 + btrfs_ioctl+0x1534/0x2c10 + ? free_debug_processing+0x262/0x2a3 + do_vfs_ioctl+0xa6/0x6b0 + ? do_sys_open+0x188/0x220 + ? syscall_trace_enter+0x1f8/0x330 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x4a/0x1b0 + +In order to fix this we need to make sure anybody who calls +commit_transaction has trans->dirty set so that they properly set the +trans->transaction->aborted value properly so any waiters know bad +things happened. + +This was found while I was running generic/475 with my modified +fsstress, it reproduced within a few runs. I ran with this patch all +night and didn't see the problem again. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/transaction.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1814,6 +1814,14 @@ int btrfs_commit_transaction(struct btrf + struct btrfs_inode *btree_ino = BTRFS_I(root->fs_info->btree_inode); + int ret; + ++ /* ++ * Some places just start a transaction to commit it. We need to make ++ * sure that if this commit fails that the abort code actually marks the ++ * transaction as failed, so set trans->dirty to make the abort code do ++ * the right thing. ++ */ ++ trans->dirty = true; ++ + /* Stop the commit early if ->aborted is set */ + if (unlikely(ACCESS_ONCE(cur_trans->aborted))) { + ret = cur_trans->aborted; diff --git a/queue-4.4/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch b/queue-4.4/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch new file mode 100644 index 00000000000..1f0a22b20f7 --- /dev/null +++ b/queue-4.4/kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch @@ -0,0 +1,44 @@ +From 1a978d9d3e72ddfa40ac60d26301b154247ee0bc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 18 Dec 2019 13:54:46 -0800 +Subject: KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails + +From: Sean Christopherson + +commit 1a978d9d3e72ddfa40ac60d26301b154247ee0bc upstream. + +Call kvm_vcpu_uninit() if vcore creation fails to avoid leaking any +resources allocated by kvm_vcpu_init(), i.e. the vcpu->run page. + +Fixes: 371fefd6f2dc4 ("KVM: PPC: Allow book3s_hv guests to use SMT processor modes") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kurz +Signed-off-by: Sean Christopherson +Acked-by: Paul Mackerras +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -1669,7 +1669,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu + mutex_unlock(&kvm->lock); + + if (!vcore) +- goto free_vcpu; ++ goto uninit_vcpu; + + spin_lock(&vcore->lock); + ++vcore->num_threads; +@@ -1685,6 +1685,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu + + return vcpu; + ++uninit_vcpu: ++ kvm_vcpu_uninit(vcpu); + free_vcpu: + kmem_cache_free(kvm_vcpu_cache, vcpu); + out: diff --git a/queue-4.4/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch b/queue-4.4/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch new file mode 100644 index 00000000000..545c9422b96 --- /dev/null +++ b/queue-4.4/kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch @@ -0,0 +1,41 @@ +From cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 18 Dec 2019 13:54:47 -0800 +Subject: KVM: PPC: Book3S PR: Free shared page if mmu initialization fails + +From: Sean Christopherson + +commit cb10bf9194f4d2c5d830eddca861f7ca0fecdbb4 upstream. + +Explicitly free the shared page if kvmppc_mmu_init() fails during +kvmppc_core_vcpu_create(), as the page is freed only in +kvmppc_core_vcpu_free(), which is not reached via kvm_vcpu_uninit(). + +Fixes: 96bc451a15329 ("KVM: PPC: Introduce shared page") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kurz +Signed-off-by: Sean Christopherson +Acked-by: Paul Mackerras +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_pr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_pr.c ++++ b/arch/powerpc/kvm/book3s_pr.c +@@ -1434,10 +1434,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu + + err = kvmppc_mmu_init(vcpu); + if (err < 0) +- goto uninit_vcpu; ++ goto free_shared_page; + + return vcpu; + ++free_shared_page: ++ free_page((unsigned long)vcpu->arch.shared); + uninit_vcpu: + kvm_vcpu_uninit(vcpu); + free_shadow_vcpu: diff --git a/queue-4.4/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..8da5f757c04 --- /dev/null +++ b/queue-4.4/kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,65 @@ +From ea740059ecb37807ba47b84b33d1447435a8d868 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:52 -0800 +Subject: KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and +kvm_get_dr(). +Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are +exported symbols so KVM should tream them conservatively from a security +perspective. + +Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + + #define CREATE_TRACE_POINTS +@@ -873,9 +874,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu + + static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- vcpu->arch.db[dr] = val; ++ vcpu->arch.db[array_index_nospec(dr, size)] = val; + if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)) + vcpu->arch.eff_db[dr] = val; + break; +@@ -912,9 +915,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr); + + int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val) + { ++ size_t size = ARRAY_SIZE(vcpu->arch.db); ++ + switch (dr) { + case 0 ... 3: +- *val = vcpu->arch.db[dr]; ++ *val = vcpu->arch.db[array_index_nospec(dr, size)]; + break; + case 4: + /* fall through */ diff --git a/queue-4.4/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..0d1cdffd1c7 --- /dev/null +++ b/queue-4.4/kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,50 @@ +From 8c86405f606ca8508b8d9280680166ca26723695 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:44 -0800 +Subject: KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 8c86405f606ca8508b8d9280680166ca26723695 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/ioapic.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -74,13 +74,14 @@ static unsigned long ioapic_read_indirec + default: + { + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; +- u64 redir_content; ++ u64 redir_content = ~0ULL; + +- if (redir_index < IOAPIC_NUM_PINS) +- redir_content = +- ioapic->redirtbl[redir_index].bits; +- else +- redir_content = ~0ULL; ++ if (redir_index < IOAPIC_NUM_PINS) { ++ u32 index = array_index_nospec( ++ redir_index, IOAPIC_NUM_PINS); ++ ++ redir_content = ioapic->redirtbl[index].bits; ++ } + + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : diff --git a/queue-4.4/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..a8807b06b9b --- /dev/null +++ b/queue-4.4/kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,48 @@ +From 670564559ca35b439c8d8861fc399451ddf95137 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:45 -0800 +Subject: KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 670564559ca35b439c8d8861fc399451ddf95137 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect(). +This function contains index computations based on the +(attacker-controlled) IOREGSEL register. + +This patch depends on patch +"KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks". + +Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/ioapic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/ioapic.c ++++ b/arch/x86/kvm/ioapic.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -289,6 +290,7 @@ static void ioapic_write_indirect(struct + ioapic_debug("change redir index %x val %x\n", index, val); + if (index >= IOAPIC_NUM_PINS) + return; ++ index = array_index_nospec(index, IOAPIC_NUM_PINS); + e = &ioapic->redirtbl[index]; + mask_before = e->fields.mask; + /* Preserve read-only fields */ diff --git a/queue-4.4/kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..fb5669fe18c --- /dev/null +++ b/queue-4.4/kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,67 @@ +From 8618793750071d66028584a83ed0b4fa7eb4f607 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:42 -0800 +Subject: KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 8618793750071d66028584a83ed0b4fa7eb4f607 upstream. + +This fixes Spectre-v1/L1TF vulnerabilities in kvm_hv_msr_get_crash_data() +and kvm_hv_msr_set_crash_data(). +These functions contain index computations that use the +(attacker-controlled) MSR number. + +Fixes: e7d9513b60e8 ("kvm/x86: added hyper-v crash msrs into kvm hyperv context") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/hyperv.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -26,6 +26,7 @@ + #include "hyperv.h" + + #include ++#include + #include + + #include "trace.h" +@@ -53,11 +54,12 @@ static int kvm_hv_msr_get_crash_data(str + u32 index, u64 *pdata) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- *pdata = hv->hv_crash_param[index]; ++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)]; + return 0; + } + +@@ -96,11 +98,12 @@ static int kvm_hv_msr_set_crash_data(str + u32 index, u64 data) + { + struct kvm_hv *hv = &vcpu->kvm->arch.hyperv; ++ size_t size = ARRAY_SIZE(hv->hv_crash_param); + +- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param))) ++ if (WARN_ON_ONCE(index >= size)) + return -EINVAL; + +- hv->hv_crash_param[index] = data; ++ hv->hv_crash_param[array_index_nospec(index, size)] = data; + return 0; + } + diff --git a/queue-4.4/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch b/queue-4.4/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch new file mode 100644 index 00000000000..1f772ce1530 --- /dev/null +++ b/queue-4.4/kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch @@ -0,0 +1,54 @@ +From 6ec4c5eee1750d5d17951c4e1960d953376a0dda Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:49 -0800 +Subject: KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c + +From: Marios Pomonis + +commit 6ec4c5eee1750d5d17951c4e1960d953376a0dda upstream. + +This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and +get_msr_mce(). +Both functions contain index computations based on the +(attacker-controlled) MSR number. + +Fixes: 890ca9aefa78 ("KVM: Add MCE support") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1994,7 +1994,10 @@ static int set_msr_mce(struct kvm_vcpu * + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + /* only 0 or all 1s can be written to IA32_MCi_CTL + * some Linux kernels though clear bit 10 in bank 4 to + * workaround a BIOS/GART TBL issue on AMD K8s, ignore +@@ -2355,7 +2358,10 @@ static int get_msr_mce(struct kvm_vcpu * + default: + if (msr >= MSR_IA32_MC0_CTL && + msr < MSR_IA32_MCx_CTL(bank_num)) { +- u32 offset = msr - MSR_IA32_MC0_CTL; ++ u32 offset = array_index_nospec( ++ msr - MSR_IA32_MC0_CTL, ++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); ++ + data = vcpu->arch.mce_banks[offset]; + break; + } diff --git a/queue-4.4/kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..c11eed9cb69 --- /dev/null +++ b/queue-4.4/kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,55 @@ +From 25a5edea71b7c154b6a0b8cec14c711cafa31d26 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:47 -0800 +Subject: KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 25a5edea71b7c154b6a0b8cec14c711cafa31d26 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit(). +This function contains index computations based on the +(attacker-controlled) MSR number. + +Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mtrr.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -17,6 +17,7 @@ + */ + + #include ++#include + #include + + #include "cpuid.h" +@@ -202,11 +203,15 @@ static bool fixed_msr_to_seg_unit(u32 ms + break; + case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000: + *seg = 1; +- *unit = msr - MSR_MTRRfix16K_80000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix16K_80000, ++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1); + break; + case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000: + *seg = 2; +- *unit = msr - MSR_MTRRfix4K_C0000; ++ *unit = array_index_nospec( ++ msr - MSR_MTRRfix4K_C0000, ++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1); + break; + default: + return false; diff --git a/queue-4.4/kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..89a207f9c92 --- /dev/null +++ b/queue-4.4/kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,69 @@ +From 13c5183a4e643cc2b03a22d0e582c8e17bb7457d Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:48 -0800 +Subject: KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 13c5183a4e643cc2b03a22d0e582c8e17bb7457d upstream. + +This fixes a Spectre-v1/L1TF vulnerability in the get_gp_pmc() and +get_fixed_pmc() functions. +They both contain index computations based on the (attacker-controlled) +MSR number. + +Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/pmu.h | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/pmu.h ++++ b/arch/x86/kvm/pmu.h +@@ -1,6 +1,8 @@ + #ifndef __KVM_X86_PMU_H + #define __KVM_X86_PMU_H + ++#include ++ + #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu) + #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu)) + #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu) +@@ -80,8 +82,12 @@ static inline bool pmc_is_enabled(struct + static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr, + u32 base) + { +- if (msr >= base && msr < base + pmu->nr_arch_gp_counters) +- return &pmu->gp_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_gp_counters); ++ ++ return &pmu->gp_counters[index]; ++ } + + return NULL; + } +@@ -91,8 +97,12 @@ static inline struct kvm_pmc *get_fixed_ + { + int base = MSR_CORE_PERF_FIXED_CTR0; + +- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) +- return &pmu->fixed_counters[msr - base]; ++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) { ++ u32 index = array_index_nospec(msr - base, ++ pmu->nr_arch_fixed_counters); ++ ++ return &pmu->fixed_counters[index]; ++ } + + return NULL; + } diff --git a/queue-4.4/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..8cd123b9bf0 --- /dev/null +++ b/queue-4.4/kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,56 @@ +From 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:41 -0800 +Subject: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream. + +This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn(). +kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported +symbol, so KVM should treat it conservatively from a security perspective. + +Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw") + +Signed-off-by: Nick Finco +Signed-off-by: Marios Pomonis +Reviewed-by: Andrew Honig +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -23,6 +23,7 @@ + #include + #include "kvm_cache_regs.h" + #include ++#include + #include + #include + #include +@@ -5146,10 +5147,15 @@ done_prefixes: + } + break; + case Escape: +- if (ctxt->modrm > 0xbf) +- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; +- else ++ if (ctxt->modrm > 0xbf) { ++ size_t size = ARRAY_SIZE(opcode.u.esc->high); ++ u32 index = array_index_nospec( ++ ctxt->modrm - 0xc0, size); ++ ++ opcode = opcode.u.esc->high[index]; ++ } else { + opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; ++ } + break; + case InstrDual: + if ((ctxt->modrm >> 6) == 3) diff --git a/queue-4.4/kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch b/queue-4.4/kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch new file mode 100644 index 00000000000..3d9aea9dd99 --- /dev/null +++ b/queue-4.4/kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch @@ -0,0 +1,57 @@ +From 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 Mon Sep 17 00:00:00 2001 +From: Marios Pomonis +Date: Wed, 11 Dec 2019 12:47:50 -0800 +Subject: KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks + +From: Marios Pomonis + +commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream. + +This fixes Spectre-v1/L1TF vulnerabilities in +vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(), +vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). When +invoked from emulation, these functions contain index computations +based on the (attacker-influenced) segment value. Using constants +prevents the attack. + +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5041,16 +5041,28 @@ int x86_decode_insn(struct x86_emulate_c + ctxt->ad_bytes = def_ad_bytes ^ 6; + break; + case 0x26: /* ES override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_ES; ++ break; + case 0x2e: /* CS override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_CS; ++ break; + case 0x36: /* SS override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_SS; ++ break; + case 0x3e: /* DS override */ + has_seg_override = true; +- ctxt->seg_override = (ctxt->b >> 3) & 3; ++ ctxt->seg_override = VCPU_SREG_DS; + break; + case 0x64: /* FS override */ ++ has_seg_override = true; ++ ctxt->seg_override = VCPU_SREG_FS; ++ break; + case 0x65: /* GS override */ + has_seg_override = true; +- ctxt->seg_override = ctxt->b & 7; ++ ctxt->seg_override = VCPU_SREG_GS; + break; + case 0x40 ... 0x4f: /* REX */ + if (mode != X86EMUL_MODE_PROT64) diff --git a/queue-4.4/mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch b/queue-4.4/mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch new file mode 100644 index 00000000000..1360670885a --- /dev/null +++ b/queue-4.4/mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch @@ -0,0 +1,35 @@ +From 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 6 Jan 2020 14:42:12 -0800 +Subject: mwifiex: fix unbalanced locking in mwifiex_process_country_ie() + +From: Brian Norris + +commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream. + +We called rcu_read_lock(), so we need to call rcu_read_unlock() before +we return. + +Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()") +Cc: stable@vger.kernel.org +Cc: huangwen +Cc: Ganapathi Bhat +Signed-off-by: Brian Norris +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/sta_ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/mwifiex/sta_ioctl.c +@@ -232,6 +232,7 @@ static int mwifiex_process_country_ie(st + + if (country_ie_len > + (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { ++ rcu_read_unlock(); + mwifiex_dbg(priv->adapter, ERROR, + "11D: country_ie_len overflow!, deauth AP\n"); + return -EINVAL; diff --git a/queue-4.4/series b/queue-4.4/series index 413274aa612..eb54a546993 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -28,3 +28,18 @@ padata-remove-broken-queue-flushing.patch crypto-pcrypt-do-not-clear-may_sleep-flag-in-original-request.patch crypto-api-fix-race-condition-in-crypto_spawn_alg.patch crypto-picoxcell-adjust-the-position-of-tasklet_init-and-fix-missed-tasklet_kill.patch +btrfs-set-trans-drity-in-btrfs_commit_transaction.patch +arm-tegra-enable-pllp-bypass-during-tegra124-lp1.patch +mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch +sunrpc-expiry_time-should-be-seconds-not-timeval.patch +kvm-x86-refactor-prefix-decoding-to-prevent-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-dr-based-index-computations-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-kvm_hv_msr__crash_data-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-ioapic_write_indirect-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-msr-based-index-computations-in-pmu.h-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-ioapic_read_indirect-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-msr-based-index-computations-from-spectre-v1-l1tf-attacks-in-x86.c.patch +kvm-x86-protect-x86_decode_insn-from-spectre-v1-l1tf-attacks.patch +kvm-x86-protect-msr-based-index-computations-in-fixed_msr_to_seg_unit-from-spectre-v1-l1tf-attacks.patch +kvm-ppc-book3s-hv-uninit-vcpu-if-vcore-creation-fails.patch +kvm-ppc-book3s-pr-free-shared-page-if-mmu-initialization-fails.patch diff --git a/queue-4.4/sunrpc-expiry_time-should-be-seconds-not-timeval.patch b/queue-4.4/sunrpc-expiry_time-should-be-seconds-not-timeval.patch new file mode 100644 index 00000000000..88b42e9289a --- /dev/null +++ b/queue-4.4/sunrpc-expiry_time-should-be-seconds-not-timeval.patch @@ -0,0 +1,54 @@ +From 3d96208c30f84d6edf9ab4fac813306ac0d20c10 Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas +Date: Tue, 4 Feb 2020 11:32:56 +0100 +Subject: sunrpc: expiry_time should be seconds not timeval + +From: Roberto Bergantinos Corpas + +commit 3d96208c30f84d6edf9ab4fac813306ac0d20c10 upstream. + +When upcalling gssproxy, cache_head.expiry_time is set as a +timeval, not seconds since boot. As such, RPC cache expiry +logic will not clean expired objects created under +auth.rpcsec.context cache. + +This has proven to cause kernel memory leaks on field. Using +64 bit variants of getboottime/timespec + +Expiration times have worked this way since 2010's c5b29f885afe "sunrpc: +use seconds since boot in expiry cache". The gssproxy code introduced +in 2012 added gss_proxy_save_rsc and introduced the bug. That's a while +for this to lurk, but it required a bit of an extreme case to make it +obvious. + +Signed-off-by: Roberto Bergantinos Corpas +Cc: stable@vger.kernel.org +Fixes: 030d794bf498 "SUNRPC: Use gssproxy upcall for server..." +Tested-By: Frank Sorenson +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/svcauth_gss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1173,6 +1173,7 @@ static int gss_proxy_save_rsc(struct cac + dprintk("RPC: No creds found!\n"); + goto out; + } else { ++ struct timespec64 boot; + + /* steal creds */ + rsci.cred = ud->creds; +@@ -1193,6 +1194,9 @@ static int gss_proxy_save_rsc(struct cac + &expiry, GFP_KERNEL); + if (status) + goto out; ++ ++ getboottime64(&boot); ++ expiry -= boot.tv_sec; + } + + rsci.h.expiry_time = expiry;