From: Greg Kroah-Hartman Date: Sun, 4 Dec 2022 16:10:53 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.335~43 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e0f09bbbc4727620d8efe75778d2ba822b6839bb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch --- diff --git a/queue-4.9/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch b/queue-4.9/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch new file mode 100644 index 00000000000..d6199fc1c3a --- /dev/null +++ b/queue-4.9/bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch 
@@ -0,0 +1,51 @@ +From 711f8c3fb3db61897080468586b970c87c61d9e4 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 31 Oct 2022 16:10:32 -0700 +Subject: Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +commit 711f8c3fb3db61897080468586b970c87c61d9e4 upstream. + +The Bluetooth spec states that the valid range for SPSM is from +0x0001-0x00ff so it is invalid to accept values outside of this range: + + BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A + page 1059: + Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges + +CVE: CVE-2022-42896 +CC: stable@vger.kernel.org +Reported-by: Tamás Koczka +Signed-off-by: Luiz Augusto von Dentz +Reviewed-by: Tedd Ho-Jeong An +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_core.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5543,6 +5543,19 @@ static int l2cap_le_connect_req(struct l + BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), + scid, mtu, mps); + ++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A ++ * page 1059: ++ * ++ * Valid range: 0x0001-0x00ff ++ * ++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges ++ */ ++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { ++ result = L2CAP_CR_BAD_PSM; ++ chan = NULL; ++ goto response; ++ } ++ + /* Check if we have socket listening on psm */ + pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, + &conn->hcon->dst, LE_LINK); diff --git a/queue-4.9/series b/queue-4.9/series index 347f6abd5f9..272a6d66916 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
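Review bot: The early `goto response` added to l2cap_le_connect_req() runs before the listening-channel lookup, so the reject reply is built from whatever `dcid` and `credits` hold at that point. Neither assignment is visible in this hunk, and the function both starts and ends outside it. Please confirm in the 4.9 tree that both are zeroed before this check; if not, set them in the new branch (`dcid = 0; credits = 0;`) so the L2CAP_CR_BAD_PSM response cannot carry uninitialised stack contents to the remote device. The comment could also say that `psm` is still little-endian here, which is why `!psm` is tested raw and only the upper bound goes through `__le16_to_cpu()`.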
@@ -54,3 +54,6 @@ pinctrl-single-fix-potential-division-by-zero.patch iommu-vt-d-fix-pci-device-refcount-leak-in-dmar_dev_.patch tcp-udp-fix-memory-leak-in-ipv6_renew_options.patch revert-fbdev-fb_pm2fb-avoid-potential-divide-by-zero-error.patch +x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch +x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch +bluetooth-l2cap-fix-accepting-connection-request-for-invalid-spsm.patch diff --git a/queue-4.9/x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch b/queue-4.9/x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch new file mode 100644 index 00000000000..604f4edadc7 --- /dev/null +++ b/queue-4.9/x86-pm-add-enumeration-check-before-spec-msrs-save-restore-setup.patch 
@@ -0,0 +1,103 @@ +From foo@baz Sun Dec 4 05:02:57 PM CET 2022 +From: Pawan Gupta +Date: Thu, 1 Dec 2022 20:23:18 -0800 +Subject: x86/pm: Add enumeration check before spec MSRs save/restore setup +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: bp@alien8.de, dave.hansen@linux.intel.com, hdegoede@redhat.com, rafael.j.wysocki@intel.com, stable@kernel.org +Message-ID: <58d3eafb5d10b85279a65f22fa71228a9a014a79.1669954772.git.pawan.kumar.gupta@linux.intel.com> +Content-Disposition: inline + +From: Pawan Gupta + +commit 50bcceb7724e471d9b591803889df45dcbb584bc upstream. + +pm_save_spec_msr() keeps a list of all the MSRs which _might_ need +to be saved and restored at hibernate and resume. However, it has +zero awareness of CPU support for these MSRs. It mostly works by +unconditionally attempting to manipulate these MSRs and relying on +rdmsrl_safe() being able to handle a #GP on CPUs where the support is +unavailable. + +However, it's possible for reads (RDMSR) to be supported for a given MSR +while writes (WRMSR) are not. In this case, msr_build_context() sees +a successful read (RDMSR) and marks the MSR as valid. Then, later, a +write (WRMSR) fails, producing a nasty (but harmless) error message. +This causes restore_processor_state() to try and restore it, but writing +this MSR is not allowed on the Intel Atom N2600 leading to: + + unchecked MSR access error: WRMSR to 0x122 (tried to write 0x0000000000000002) \ + at rIP: 0xffffffff8b07a574 (native_write_msr+0x4/0x20) + Call Trace: + + restore_processor_state + x86_acpi_suspend_lowlevel + acpi_suspend_enter + suspend_devices_and_enter + pm_suspend.cold + state_store + kernfs_fop_write_iter + vfs_write + ksys_write + do_syscall_64 + ? do_syscall_64 + ? up_read + ? lock_is_held_type + ? asm_exc_page_fault + ? lockdep_hardirqs_on + entry_SYSCALL_64_after_hwframe + +To fix this, add the corresponding X86_FEATURE bit for each MSR. Avoid +trying to manipulate the MSR when the feature bit is clear. 
This +required adding a X86_FEATURE bit for MSRs that do not have one already, +but it's a small price to pay. + + [ bp: Move struct msr_enumeration inside the only function that uses it. ] + [Pawan: Resolve build issue in backport] + +Fixes: 73924ec4d560 ("x86/pm: Save the MSR validity status at context setup") +Reported-by: Hans de Goede +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Reviewed-by: Dave Hansen +Acked-by: Rafael J. Wysocki +Cc: +Link: https://lore.kernel.org/r/c24db75d69df6e66c0465e13676ad3f2837a2ed8.1668539735.git.pawan.kumar.gupta@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/power/cpu.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -520,16 +520,23 @@ static int pm_cpu_check(const struct x86 + + static void pm_save_spec_msr(void) + { +- u32 spec_msr_id[] = { +- MSR_IA32_SPEC_CTRL, +- MSR_IA32_TSX_CTRL, +- MSR_TSX_FORCE_ABORT, +- MSR_IA32_MCU_OPT_CTRL, +- MSR_AMD64_LS_CFG, +- MSR_AMD64_DE_CFG, ++ struct msr_enumeration { ++ u32 msr_no; ++ u32 feature; ++ } msr_enum[] = { ++ { MSR_IA32_SPEC_CTRL, X86_FEATURE_MSR_SPEC_CTRL }, ++ { MSR_IA32_TSX_CTRL, X86_FEATURE_MSR_TSX_CTRL }, ++ { MSR_TSX_FORCE_ABORT, X86_FEATURE_TSX_FORCE_ABORT }, ++ { MSR_IA32_MCU_OPT_CTRL, X86_FEATURE_SRBDS_CTRL }, ++ { MSR_AMD64_LS_CFG, X86_FEATURE_LS_CFG_SSBD }, ++ { MSR_AMD64_DE_CFG, X86_FEATURE_LFENCE_RDTSC }, + }; ++ int i; + +- msr_build_context(spec_msr_id, ARRAY_SIZE(spec_msr_id)); ++ for (i = 0; i < ARRAY_SIZE(msr_enum); i++) { ++ if (boot_cpu_has(msr_enum[i].feature)) ++ msr_build_context(&msr_enum[i].msr_no, 1); ++ } + } + + static int pm_check_save_msr(void) diff --git a/queue-4.9/x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch b/queue-4.9/x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch new file mode 100644 index 00000000000..db950a828d5 --- /dev/null 
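Review bot: The `msr_enum[]` table in pm_save_spec_msr() gates two registers on feature bits that look like proxies rather than direct enumeration of the MSR: `MSR_IA32_MCU_OPT_CTRL` on `X86_FEATURE_SRBDS_CTRL` and `MSR_AMD64_DE_CFG` on `X86_FEATURE_LFENCE_RDTSC`. If a CPU implements one of these MSRs while the paired bit is clear, the register is no longer saved and restored across suspend, so a mitigation setting held in it would presumably come back at its reset value after resume. A comment above the table would make that trade-off visible, for example `/* feature bit is the closest available enumeration for each MSR; a clear bit means the MSR is skipped on suspend/resume */`. Separately, `int i` is compared against the unsigned `ARRAY_SIZE()` result; `unsigned int i;` avoids the mixed-sign comparison.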
+++ b/queue-4.9/x86-tsx-add-a-feature-bit-for-tsx-control-msr-support.patch 
@@ -0,0 +1,101 @@ +From foo@baz Sun Dec 4 05:02:57 PM CET 2022 +From: Pawan Gupta +Date: Thu, 1 Dec 2022 20:23:12 -0800 +Subject: x86/tsx: Add a feature bit for TSX control MSR support +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: bp@alien8.de, dave.hansen@linux.intel.com, hdegoede@redhat.com, rafael.j.wysocki@intel.com, stable@kernel.org +Message-ID: +Content-Disposition: inline + +From: Pawan Gupta + +commit aaa65d17eec372c6a9756833f3964ba05b05ea14 upstream. + +Support for the TSX control MSR is enumerated in MSR_IA32_ARCH_CAPABILITIES. +This is different from how other CPU features are enumerated i.e. via +CPUID. Currently, a call to tsx_ctrl_is_supported() is required for +enumerating the feature. In the absence of a feature bit for TSX control, +any code that relies on checking feature bits directly will not work. + +In preparation for adding a feature bit check in MSR save/restore +during suspend/resume, set a new feature bit X86_FEATURE_TSX_CTRL when +MSR_IA32_TSX_CTRL is present. 
+ + [ bp: Remove tsx_ctrl_is_supported()] + + [Pawan: Resolved conflicts in backport; Removed parts of commit message + referring to removed function tsx_ctrl_is_supported()] + +Suggested-by: Andrew Cooper +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Reviewed-by: Dave Hansen +Cc: +Link: https://lore.kernel.org/r/de619764e1d98afbb7a5fa58424f1278ede37b45.1668539735.git.pawan.kumar.gupta@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/kernel/cpu/tsx.c | 33 ++++++++++++++------------------- + 2 files changed, 15 insertions(+), 19 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -196,6 +196,7 @@ + #define X86_FEATURE_FENCE_SWAPGS_KERNEL ( 7*32+11) /* "" LFENCE in kernel entry SWAPGS path */ + #define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ + #define X86_FEATURE_RETPOLINE_LFENCE ( 7*32+13) /* "" Use LFENCE for Spectre variant 2 */ ++#define X86_FEATURE_MSR_TSX_CTRL ( 7*32+14) /* "" MSR IA32_TSX_CTRL (Intel) implemented */ + + #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ + #define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */ +--- a/arch/x86/kernel/cpu/tsx.c ++++ b/arch/x86/kernel/cpu/tsx.c +@@ -55,24 +55,6 @@ void tsx_enable(void) + wrmsrl(MSR_IA32_TSX_CTRL, tsx); + } + +-static bool __init tsx_ctrl_is_supported(void) +-{ +- u64 ia32_cap = x86_read_arch_cap_msr(); +- +- /* +- * TSX is controlled via MSR_IA32_TSX_CTRL. However, support for this +- * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES. +- * +- * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a +- * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES +- * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get +- * MSR_IA32_TSX_CTRL support even after a microcode update. 
Thus, +- * tsx= cmdline requests will do nothing on CPUs without +- * MSR_IA32_TSX_CTRL support. +- */ +- return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR); +-} +- + static enum tsx_ctrl_states x86_get_tsx_auto_mode(void) + { + if (boot_cpu_has_bug(X86_BUG_TAA)) +@@ -86,9 +68,22 @@ void __init tsx_init(void) + char arg[5] = {}; + int ret; + +- if (!tsx_ctrl_is_supported()) ++ /* ++ * TSX is controlled via MSR_IA32_TSX_CTRL. However, support for this ++ * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES. ++ * ++ * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a ++ * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES ++ * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get ++ * MSR_IA32_TSX_CTRL support even after a microcode update. Thus, ++ * tsx= cmdline requests will do nothing on CPUs without ++ * MSR_IA32_TSX_CTRL support. ++ */ ++ if (!(x86_read_arch_cap_msr() & ARCH_CAP_TSX_CTRL_MSR)) + return; + ++ setup_force_cpu_cap(X86_FEATURE_MSR_TSX_CTRL); ++ + ret = cmdline_find_option(boot_command_line, "tsx", arg, sizeof(arg)); + if (ret >= 0) { + if (!strcmp(arg, "on")) {
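Review bot: The comment moved into tsx_init() names the enumeration bit `ARCH_CAP_TSX_MSR`, but the condition directly below it tests `ARCH_CAP_TSX_CTRL_MSR`; the comment line should read `MSR is enumerated by ARCH_CAP_TSX_CTRL_MSR bit in MSR_IA32_ARCH_CAPABILITIES`. The commit message likewise says `X86_FEATURE_TSX_CTRL`, while the define added to cpufeatures.h is `X86_FEATURE_MSR_TSX_CTRL`. The suspend/resume setup in arch/x86/power/cpu.c now relies on this forced capability to decide whether MSR_IA32_TSX_CTRL is saved and restored. A short comment at the `setup_force_cpu_cap()` call would record that dependency, for example `/* consumed by pm_save_spec_msr() to gate MSR_IA32_TSX_CTRL save/restore */`. tsx_init() continues past the end of the hunk, so the ordering relative to the PM setup should be checked in the tree.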