3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 10 Jan 2018 12:18:41 +0000 (13:18 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 10 Jan 2018 12:18:41 +0000 (13:18 +0100)
added patches:
can-gs_usb-fix-return-value-of-the-set_bittiming-callback.patch
ib-srpt-disable-rdma-access-by-the-initiator.patch
kvm-vmx-scrub-hardware-gprs-at-vm-exit.patch
mips-also-verify-sizeof-elf_fpreg_t-with-ptrace_setregset.patch
perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch

queue-3.18/can-gs_usb-fix-return-value-of-the-set_bittiming-callback.patch [new file with mode: 0644]
queue-3.18/ib-srpt-disable-rdma-access-by-the-initiator.patch [new file with mode: 0644]
queue-3.18/kvm-vmx-scrub-hardware-gprs-at-vm-exit.patch [new file with mode: 0644]
queue-3.18/mips-also-verify-sizeof-elf_fpreg_t-with-ptrace_setregset.patch [new file with mode: 0644]
queue-3.18/perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/can-gs_usb-fix-return-value-of-the-set_bittiming-callback.patch b/queue-3.18/can-gs_usb-fix-return-value-of-the-set_bittiming-callback.patch
new file mode 100644 (file)
index 0000000..613d5d4
--- /dev/null
@@ -0,0 +1,32 @@
+From d5b42e6607661b198d8b26a0c30969605b1bf5c7 Mon Sep 17 00:00:00 2001
+From: Wolfgang Grandegger <wg@grandegger.com>
+Date: Wed, 13 Dec 2017 19:52:23 +0100
+Subject: can: gs_usb: fix return value of the "set_bittiming" callback
+
+From: Wolfgang Grandegger <wg@grandegger.com>
+
+commit d5b42e6607661b198d8b26a0c30969605b1bf5c7 upstream.
+
+The "set_bittiming" callback treats a positive return value as error!
+For that reason "can_changelink()" will quit silently after setting
+the bittiming values without processing ctrlmode, restart-ms, etc.
+
+Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -430,7 +430,7 @@ static int gs_usb_set_bittiming(struct n
+               dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)",
+                       rc);
+-      return rc;
++      return (rc > 0) ? 0 : rc;
+ }
+ static void gs_usb_xmit_callback(struct urb *urb)
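Review bot: `return (rc > 0) ? 0 : rc;` folds every positive value into success, so if `rc` is the byte count of the USB control transfer performed just above (the call itself is outside the hunk), a short transfer is now reported to `can_changelink()` as a successful bittiming set rather than an error. Comparing `rc` against the expected transfer length before collapsing it to 0, or returning `rc < 0 ? rc : 0` with a comment such as `/* positive rc is the transfer length; the callback contract is 0 on success */`, would keep the fix without silently accepting a partial write. `gs_usb_set_bittiming` begins outside the hunk, so the origin of `rc` should be confirmed against the full function.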
diff --git a/queue-3.18/ib-srpt-disable-rdma-access-by-the-initiator.patch b/queue-3.18/ib-srpt-disable-rdma-access-by-the-initiator.patch
new file mode 100644 (file)
index 0000000..f8a9f59
--- /dev/null
@@ -0,0 +1,33 @@
+From bec40c26041de61162f7be9d2ce548c756ce0f65 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 3 Jan 2018 13:39:15 -0800
+Subject: IB/srpt: Disable RDMA access by the initiator
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit bec40c26041de61162f7be9d2ce548c756ce0f65 upstream.
+
+With the SRP protocol all RDMA operations are initiated by the target.
+Since no RDMA operations are initiated by the initiator, do not grant
+the initiator permission to submit RDMA reads or writes to the target.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -959,8 +959,7 @@ static int srpt_init_ch_qp(struct srpt_r
+               return -ENOMEM;
+       attr->qp_state = IB_QPS_INIT;
+-      attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ |
+-          IB_ACCESS_REMOTE_WRITE;
++      attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE;
+       attr->port_num = ch->sport->port;
+       attr->pkey_index = 0;
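Review bot: The narrowed `attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE;` carries no comment, and nothing at the assignment tells a later maintainer that the dropped remote read/write grants were removed deliberately rather than lost in a merge. A one-line note above it, `/* SRP: all RDMA is target-initiated; the initiator never needs remote read/write access on this QP. */`, records the least-privilege rationale given in the commit message where the code is read. `srpt_init_ch_qp` starts and ends outside the hunk, so whether any other path widens the access flags for this QP cannot be checked from here.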
diff --git a/queue-3.18/kvm-vmx-scrub-hardware-gprs-at-vm-exit.patch b/queue-3.18/kvm-vmx-scrub-hardware-gprs-at-vm-exit.patch
new file mode 100644 (file)
index 0000000..49885e4
--- /dev/null
@@ -0,0 +1,93 @@
+From 0cb5b30698fdc8f6b4646012e3acb4ddce430788 Mon Sep 17 00:00:00 2001
+From: Jim Mattson <jmattson@google.com>
+Date: Wed, 3 Jan 2018 14:31:38 -0800
+Subject: kvm: vmx: Scrub hardware GPRs at VM-exit
+
+From: Jim Mattson <jmattson@google.com>
+
+commit 0cb5b30698fdc8f6b4646012e3acb4ddce430788 upstream.
+
+Guest GPR values are live in the hardware GPRs at VM-exit.  Do not
+leave any guest values in hardware GPRs after the guest GPR values are
+saved to the vcpu_vmx structure.
+
+This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
+Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
+
+Suggested-by: Eric Northup <digitaleric@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Eric Northup <digitaleric@google.com>
+Reviewed-by: Benjamin Serebrin <serebrin@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+[Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c |   19 +++++++++++++++++++
+ arch/x86/kvm/vmx.c |   14 +++++++++++++-
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3946,6 +3946,25 @@ static void svm_vcpu_run(struct kvm_vcpu
+               "mov %%r14, %c[r14](%[svm]) \n\t"
+               "mov %%r15, %c[r15](%[svm]) \n\t"
+ #endif
++              /*
++              * Clear host registers marked as clobbered to prevent
++              * speculative use.
++              */
++              "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
++              "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
++              "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
++              "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
++              "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
++#ifdef CONFIG_X86_64
++              "xor %%r8, %%r8 \n\t"
++              "xor %%r9, %%r9 \n\t"
++              "xor %%r10, %%r10 \n\t"
++              "xor %%r11, %%r11 \n\t"
++              "xor %%r12, %%r12 \n\t"
++              "xor %%r13, %%r13 \n\t"
++              "xor %%r14, %%r14 \n\t"
++              "xor %%r15, %%r15 \n\t"
++#endif
+               "pop %%" _ASM_BP
+               :
+               : [svm]"a"(svm),
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7653,6 +7653,7 @@ static void __noclone vmx_vcpu_run(struc
+               /* Save guest registers, load host registers, keep flags */
+               "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
+               "pop %0 \n\t"
++              "setbe %c[fail](%0)\n\t"
+               "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
+               "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
+               __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
+@@ -7669,12 +7670,23 @@ static void __noclone vmx_vcpu_run(struc
+               "mov %%r13, %c[r13](%0) \n\t"
+               "mov %%r14, %c[r14](%0) \n\t"
+               "mov %%r15, %c[r15](%0) \n\t"
++              "xor %%r8d,  %%r8d \n\t"
++              "xor %%r9d,  %%r9d \n\t"
++              "xor %%r10d, %%r10d \n\t"
++              "xor %%r11d, %%r11d \n\t"
++              "xor %%r12d, %%r12d \n\t"
++              "xor %%r13d, %%r13d \n\t"
++              "xor %%r14d, %%r14d \n\t"
++              "xor %%r15d, %%r15d \n\t"
+ #endif
+               "mov %%cr2, %%" _ASM_AX "   \n\t"
+               "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
++              "xor %%eax, %%eax \n\t"
++              "xor %%ebx, %%ebx \n\t"
++              "xor %%esi, %%esi \n\t"
++              "xor %%edi, %%edi \n\t"
+               "pop  %%" _ASM_BP "; pop  %%" _ASM_DX " \n\t"
+-              "setbe %c[fail](%0) \n\t"
+               ".pushsection .rodata \n\t"
+               ".global vmx_return \n\t"
+               "vmx_return: " _ASM_PTR " 2b \n\t"
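Review bot: In the vmx.c hunk the `"setbe %c[fail](%0)\n\t"` is moved to directly after `"pop %0 \n\t"` because the new `xor` sequence clobbers the flags it reads, but nothing in the asm says so, and the existing comment `/* Save guest registers, load host registers, keep flags */` still reads as if flags survive to the end of the block. A comment on the moved line, `/* must precede the xors below: they clear the VM-exit CF/ZF that setbe reads */`, and trimming the old comment to `/* Save guest registers, load host registers */` would protect the ordering from a future reorder. Style point: the svm.c hunk zeroes the upper registers with full-width `xor %%r8, %%r8` while the vmx.c hunk uses the 32-bit `xor %%r8d, %%r8d` forms; both zero the whole 64-bit register, so picking one form for both files would avoid the appearance that the two sides clear different amounts. Both `svm_vcpu_run` and `vmx_vcpu_run` start and end outside their hunks.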
diff --git a/queue-3.18/mips-also-verify-sizeof-elf_fpreg_t-with-ptrace_setregset.patch b/queue-3.18/mips-also-verify-sizeof-elf_fpreg_t-with-ptrace_setregset.patch
new file mode 100644 (file)
index 0000000..e23daa4
--- /dev/null
@@ -0,0 +1,40 @@
+From 006501e039eec411842bb3150c41358867d320c2 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 11 Dec 2017 22:55:40 +0000
+Subject: MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 006501e039eec411842bb3150c41358867d320c2 upstream.
+
+Complement commit d614fd58a283 ("mips/ptrace: Preserve previous
+registers for short regset write") and like with the PTRACE_GETREGSET
+ptrace(2) request also apply a BUILD_BUG_ON check for the size of the
+`elf_fpreg_t' type in the PTRACE_SETREGSET request handler.
+
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Fixes: d614fd58a283 ("mips/ptrace: Preserve previous registers for short regset write")
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Paul Burton <Paul.Burton@mips.com>
+Cc: Alex Smith <alex@alex-smith.me.uk>
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17929/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -416,6 +416,7 @@ static int fpr_get(struct task_struct *t
+                                          &target->thread.fpu,
+                                          0, sizeof(elf_fpregset_t));
++      BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+       for (i = 0; i < NUM_FPU_REGS; i++) {
+               fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
+               err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
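Review bot: The hunk lands in the PTRACE_GETREGSET path — the hunk header names `fpr_get`, and the surrounding loop calls `get_fpr64()` and `user_regset_copyout()` — while the subject and description say the `BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t))` is being added to the PTRACE_SETREGSET handler to complement an existing GETREGSET check. If this tree's `fpr_set` does not already carry the same `BUILD_BUG_ON`, the backport has covered the wrong function and the size assumption behind the short-regset-write handling stays unverified on the write path; if `fpr_get` in 3.18 lacked the check as well, the placement is fine but the description should say so. Worth confirming against the full 3.18 `arch/mips/kernel/ptrace.c` before queuing. `fpr_get` starts and ends outside the hunk.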
diff --git a/queue-3.18/perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch b/queue-3.18/perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch
new file mode 100644 (file)
index 0000000..1aa4928
--- /dev/null
@@ -0,0 +1,162 @@
+From 321027c1fe77f892f4ea07846aeae08cefbbb290 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 11 Jan 2017 21:09:50 +0100
+Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream.
+
+Di Shen reported a race between two concurrent sys_perf_event_open()
+calls where both try and move the same pre-existing software group
+into a hardware context.
+
+The problem is exactly that described in commit:
+
+  f63a8daa5812 ("perf: Fix event->ctx locking")
+
+... where, while we wait for a ctx->mutex acquisition, the event->ctx
+relation can have changed under us.
+
+That very same commit failed to recognise sys_perf_event_context() as an
+external access vector to the events and thereby didn't apply the
+established locking rules correctly.
+
+So while one sys_perf_event_open() call is stuck waiting on
+mutex_lock_double(), the other (which owns said locks) moves the group
+about. So by the time the former sys_perf_event_open() acquires the
+locks, the context we've acquired is stale (and possibly dead).
+
+Apply the established locking rules as per perf_event_ctx_lock_nested()
+to the mutex_lock_double() for the 'move_group' case. This obviously means
+we need to validate state after we acquire the locks.
+
+Reported-by: Di Shen (Keen Lab)
+Tested-by: John Dias <joaodias@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Min Chong <mchong@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
+Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+[bwh: Backported to 3.16:
+ - Use ACCESS_ONCE() instead of READ_ONCE()
+ - Test perf_event::group_flags instead of group_caps
+ - Add the err_locked cleanup block, which we didn't need before
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+This upstream patch is featured in recent Android Security bulletin.
+Picked up this backported patch from android-3.18. Build tested on 3.18.91
+
+ kernel/events/core.c |   61 +++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 57 insertions(+), 4 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7414,6 +7414,37 @@ static void mutex_lock_double(struct mut
+       mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
+ }
++/*
++ * Variation on perf_event_ctx_lock_nested(), except we take two context
++ * mutexes.
++ */
++static struct perf_event_context *
++__perf_event_ctx_lock_double(struct perf_event *group_leader,
++                           struct perf_event_context *ctx)
++{
++      struct perf_event_context *gctx;
++
++again:
++      rcu_read_lock();
++      gctx = ACCESS_ONCE(group_leader->ctx);
++      if (!atomic_inc_not_zero(&gctx->refcount)) {
++              rcu_read_unlock();
++              goto again;
++      }
++      rcu_read_unlock();
++
++      mutex_lock_double(&gctx->mutex, &ctx->mutex);
++
++      if (group_leader->ctx != gctx) {
++              mutex_unlock(&ctx->mutex);
++              mutex_unlock(&gctx->mutex);
++              put_ctx(gctx);
++              goto again;
++      }
++
++      return gctx;
++}
++
+ /**
+  * sys_perf_event_open - open a performance event, associate it to a task/cpu
+  *
+@@ -7626,14 +7657,31 @@ SYSCALL_DEFINE5(perf_event_open,
+       }
+       if (move_group) {
+-              gctx = group_leader->ctx;
++              gctx = __perf_event_ctx_lock_double(group_leader, ctx);
++
++              /*
++               * Check if we raced against another sys_perf_event_open() call
++               * moving the software group underneath us.
++               */
++              if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) {
++                      /*
++                       * If someone moved the group out from under us, check
++                       * if this new event wound up on the same ctx, if so
++                       * its the regular !move_group case, otherwise fail.
++                       */
++                      if (gctx != ctx) {
++                              err = -EINVAL;
++                              goto err_locked;
++                      } else {
++                              perf_event_ctx_unlock(group_leader, gctx);
++                              move_group = 0;
++                      }
++              }
+               /*
+                * See perf_event_ctx_lock() for comments on the details
+                * of swizzling perf_event::ctx.
+                */
+-              mutex_lock_double(&gctx->mutex, &ctx->mutex);
+-
+               perf_remove_from_context(group_leader, false);
+               /*
+@@ -7674,7 +7722,7 @@ SYSCALL_DEFINE5(perf_event_open,
+       perf_unpin_context(ctx);
+       if (move_group) {
+-              mutex_unlock(&gctx->mutex);
++              perf_event_ctx_unlock(group_leader, gctx);
+               put_ctx(gctx);
+       }
+       mutex_unlock(&ctx->mutex);
+@@ -7703,6 +7751,11 @@ SYSCALL_DEFINE5(perf_event_open,
+       fd_install(event_fd, event_file);
+       return event_fd;
++err_locked:
++      if (move_group)
++              perf_event_ctx_unlock(group_leader, gctx);
++      mutex_unlock(&ctx->mutex);
++      fput(event_file);
+ err_context:
+       perf_unpin_context(ctx);
+       put_ctx(ctx);
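Review bot: In the second hunk, the fallback arm `perf_event_ctx_unlock(group_leader, gctx); move_group = 0;` does not leave the enclosing `if (move_group) {` block, so control continues straight into `perf_remove_from_context(group_leader, false);` and whatever follows it in that block, even though the call has just been reclassified as a regular non-move open. The remainder of the block is outside the hunk, but if it matches the 3.18 shape (remove the leader and its siblings here, re-install them only in a later `if (move_group)` block) the leader and siblings are detached from `ctx` and never re-installed; upstream avoided this because the check and the remove/re-install sequence live in separate `if (move_group)` blocks, so wrapping the remainder in its own `if (move_group) { ... }` or splitting the block the same way would be the safer backport. Separately, the new `err_locked:` falls through into `err_context:` after `fput(event_file);`, and unless this tree's `err_alloc` already skips `free_event(event)` once `event_file` is set, the `->release` triggered by that `fput()` will have freed the event before `err_alloc` touches it — please confirm against the cleanup labels below the hunk. `sys_perf_event_open` continues outside both hunks.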
index 1c42eaaa4f7bafb921d62cceb93bbd80a1279304..3bde85e65857b723980034e5c2019b50552adde1 100644 (file)
@@ -6,3 +6,8 @@ kernel-signal.c-protect-the-signal_unkillable-tasks-from-sig_kernel_only-signals
 kernel-signal.c-remove-the-no-longer-needed-signal_unkillable-check-in-complete_signal.patch
 input-elantech-add-new-icbody-type-15.patch
 mtd-nand-pxa3xx-fix-readoob-implementation.patch
+can-gs_usb-fix-return-value-of-the-set_bittiming-callback.patch
+ib-srpt-disable-rdma-access-by-the-initiator.patch
+mips-also-verify-sizeof-elf_fpreg_t-with-ptrace_setregset.patch
+perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch
+kvm-vmx-scrub-hardware-gprs-at-vm-exit.patch