--- /dev/null
+From 505b5240329b922f21f91d5b5d1e535c805eca6d Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 19 Dec 2018 18:00:15 -0600
+Subject: drm/ioctl: Fix Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
+
+nr is indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
+drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+
+Fix this by sanitizing nr before using it to index dev->driver->ioctls
+and drm_ioctls.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -36,6 +36,7 @@
+
+ #include <linux/pci.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+
+ /**
+ * DOC: getunique and setversion story
+@@ -668,13 +669,17 @@ long drm_ioctl(struct file *filp,
+
+ if (is_driver_ioctl) {
+ /* driver ioctl */
+- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
++ unsigned int index = nr - DRM_COMMAND_BASE;
++
++ if (index >= dev->driver->num_ioctls)
+ goto err_i1;
+- ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
++ index = array_index_nospec(index, dev->driver->num_ioctls);
++ ioctl = &dev->driver->ioctls[index];
+ } else {
+ /* core ioctl */
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ goto err_i1;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+ ioctl = &drm_ioctls[nr];
+ }
+
+@@ -770,6 +775,7 @@ bool drm_ioctl_flags(unsigned int nr, un
+
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ return false;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+
+ *flags = drm_ioctls[nr].flags;
+ return true;
--- /dev/null
+From ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 Mon Sep 17 00:00:00 2001
+From: Ivan Delalande <colona@arista.com>
+Date: Thu, 13 Dec 2018 15:20:52 -0800
+Subject: proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
+
+From: Ivan Delalande <colona@arista.com>
+
+commit ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 upstream.
+
+proc_sys_lookup can fail with ENOMEM instead of ENOENT when the
+corresponding sysctl table is being unregistered. In our case we see
+this upon opening /proc/sys/net/*/conf files while network interfaces
+are being deleted, which confuses our configuration daemon.
+
+The problem was successfully reproduced and this fix tested on v4.9.122
+and v4.20-rc6.
+
+v2: return ERR_PTRs in all cases when proc_sys_make_inode fails instead
+of mixing them with NULL. Thanks Al Viro for the feedback.
+
+Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Delalande <colona@arista.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/proc_sysctl.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -466,7 +466,7 @@ static struct inode *proc_sys_make_inode
+
+ inode = new_inode(sb);
+ if (!inode)
+- goto out;
++ return ERR_PTR(-ENOMEM);
+
+ inode->i_ino = get_next_ino();
+
+@@ -476,8 +476,7 @@ static struct inode *proc_sys_make_inode
+ if (unlikely(head->unregistering)) {
+ spin_unlock(&sysctl_lock);
+ iput(inode);
+- inode = NULL;
+- goto out;
++ return ERR_PTR(-ENOENT);
+ }
+ ei->sysctl = head;
+ ei->sysctl_entry = table;
+@@ -502,7 +501,6 @@ static struct inode *proc_sys_make_inode
+ if (root->set_ownership)
+ root->set_ownership(head, table, &inode->i_uid, &inode->i_gid);
+
+-out:
+ return inode;
+ }
+
+@@ -551,10 +549,11 @@ static struct dentry *proc_sys_lookup(st
+ goto out;
+ }
+
+- err = ERR_PTR(-ENOMEM);
+ inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
+- if (!inode)
++ if (IS_ERR(inode)) {
++ err = ERR_CAST(inode);
+ goto out;
++ }
+
+ err = NULL;
+ d_set_d_op(dentry, &proc_sys_dentry_operations);
+@@ -687,7 +686,7 @@ static bool proc_sys_fill_cache(struct f
+ return false;
+ if (d_in_lookup(child)) {
+ inode = proc_sys_make_inode(dir->d_sb, head, table);
+- if (!inode) {
++ if (IS_ERR(inode)) {
+ d_lookup_done(child);
+ dput(child);
+ return false;
x86-fpu-disable-bottom-halves-while-loading-fpu-registers.patch
ubifs-handle-re-linking-of-inodes-correctly-while-re.patch
panic-avoid-deadlocks-in-re-entrant-console-drivers.patch
+proc-sysctl-don-t-return-enomem-on-lookup-when-a-table-is-unregistering.patch
+drm-ioctl-fix-spectre-v1-vulnerabilities.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
