1. 18 Aug, 2018 2 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.18.3 · 8a8c540d
      Greg Kroah-Hartman authored
      8a8c540d
    • Sean Christopherson's avatar
      x86/speculation/l1tf: Exempt zeroed PTEs from inversion · 8f7b7e0b
      Sean Christopherson authored
      commit f19f5c49 upstream.
      
      It turns out that we should *not* invert all not-present mappings,
      because the all zeroes case is obviously special.
      
      clear_page() does not undergo the XOR logic to invert the address bits,
      i.e. PTE, PMD and PUD entries that have not been individually written
      will have val=0 and so will trigger __pte_needs_invert(). As a result,
      {pte,pmd,pud}_pfn() will return the wrong PFN value, i.e. all ones
      (adjusted by the max PFN mask) instead of zero. A zeroed entry is ok
      because the page at physical address 0 is reserved early in boot
      specifically to mitigate L1TF, so explicitly exempt them from the
      inversion when reading the PFN.
      
      Manifested as an unexpected mprotect(..., PROT_NONE) failure when called
      on a VMA that has VM_PFNMAP and was mmap'd to as something other than
      PROT_NONE but never used. mprotect() sends the PROT_NONE request down
      prot_none_walk(), which walks the PTEs to check the PFNs.
      prot_none_pte_entry() gets the bogus PFN from pte_pfn() and returns
      -EACCES because it thinks mprotect() is trying to adjust a high MMIO
      address.
      
      [ This is a very modified version of Sean's original patch, but all
        credit goes to Sean for doing this and also pointing out that
        sometimes the __pte_needs_invert() function only gets the protection
        bits, not the full eventual pte.  But zero remains special even in
        just protection bits, so that's ok.   - Linus ]
      
      Fixes: f22cc87f
      
       ("x86/speculation/l1tf: Invert all not present mappings")
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Acked-by: default avatarAndi Kleen <ak@linux.intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f7b7e0b
  2. 17 Aug, 2018 23 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.18.2 · e8c3aced
      Greg Kroah-Hartman authored
      e8c3aced
    • Toshi Kani's avatar
      x86/mm: Add TLB purge to free pmd/pte page interfaces · 69622a5c
      Toshi Kani authored
      commit 5e0fb5df upstream.
      
      ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates
      a pud / pmd map.  The following preconditions are met at their entry.
       - All pte entries for a target pud/pmd address range have been cleared.
       - System-wide TLB purges have been peformed for a target pud/pmd address
         range.
      
      The preconditions assure that there is no stale TLB entry for the range.
      Speculation may not cache TLB entries since it requires all levels of page
      entries, including ptes, to have P & A-bits set for an associated address.
      However, speculation may cache pud/pmd entries (paging-structure caches)
      when they have P-bit set.
      
      Add a system-wide TLB purge (INVLPG) to a single page after clearing
      pud/pmd entry's P-bit.
      
      SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches,
      states that:
        INVLPG invalidates all paging-structure caches associated with the
        current PCID regardless of the liner addresses to which they correspond.
      
      Fixes: 28ee90fe
      
       ("x86/mm: implement free pmd/pte page interfaces")
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: mhocko@suse.com
      Cc: akpm@linux-foundation.org
      Cc: hpa@zytor.com
      Cc: cpandya@codeaurora.org
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20180627141348.21777-4-toshi.kani@hpe.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69622a5c
    • Chintan Pandya's avatar
      ioremap: Update pgtable free interfaces with addr · c414efdf
      Chintan Pandya authored
      commit 785a19f9 upstream.
      
      The following kernel panic was observed on ARM64 platform due to a stale
      TLB entry.
      
       1. ioremap with 4K size, a valid pte page table is set.
       2. iounmap it, its pte entry is set to 0.
       3. ioremap the same address with 2M size, update its pmd entry with
          a new value.
       4. CPU may hit an exception because the old pmd entry is still in TLB,
          which leads to a kernel panic.
      
      Commit b6bdb751 ("mm/vmalloc: add interfaces to free unmapped page
      table") has addressed this panic by falling to pte mappings in the above
      case on ARM64.
      
      To support pmd mappings in all cases, TLB purge needs to be performed
      in this case on ARM64.
      
      Add a new arg, 'addr', to pud_free_pmd_page() and pmd_free_pte_page()
      so that TLB purge can be added later in seprate patches.
      
      [toshi.kani@hpe.com: merge changes, rewrite patch description]
      Fixes: 28ee90fe
      
       ("x86/mm: implement free pmd/pte page interfaces")
      Signed-off-by: default avatarChintan Pandya <cpandya@codeaurora.org>
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: mhocko@suse.com
      Cc: akpm@linux-foundation.org
      Cc: hpa@zytor.com
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20180627141348.21777-3-toshi.kani@hpe.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c414efdf
    • Mark Salyzyn's avatar
      Bluetooth: hidp: buffer overflow in hidp_process_report · f47e3431
      Mark Salyzyn authored
      commit 7992c188
      
       upstream.
      
      CVE-2018-9363
      
      The buffer length is unsigned at all layers, but gets cast to int and
      checked in hidp_process_report and can lead to a buffer overflow.
      Switch len parameter to unsigned int to resolve issue.
      
      This affects 3.18 and newer kernels.
      Signed-off-by: default avatarMark Salyzyn <salyzyn@android.com>
      Fixes: a4b1b587
      
       ("HID: Bluetooth: hidp: make sure input buffers are big enough")
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Cc: linux-bluetooth@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: security@kernel.org
      Cc: kernel-team@android.com
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f47e3431
    • Eric Biggers's avatar
      crypto: skcipher - fix crash flushing dcache in error path · 744ff5f0
      Eric Biggers authored
      commit 8088d3dd
      
       upstream.
      
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      skcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      
      Fix it by reorganizing skcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      
      This bug was found by syzkaller fuzzing.
      
      Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
      
      	#include <linux/if_alg.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		struct sockaddr_alg addr = {
      			.salg_type = "skcipher",
      			.salg_name = "cbc(aes-generic)",
      		};
      		char buffer[4096] __attribute__((aligned(4096))) = { 0 };
      		int fd;
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
      		fd = accept(fd, NULL, NULL);
      		write(fd, buffer, 15);
      		read(fd, buffer, 15);
      	}
      Reported-by: default avatarLiu Chao <liuchao741@huawei.com>
      Fixes: b286d8b1
      
       ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      744ff5f0
    • Eric Biggers's avatar
      crypto: skcipher - fix aligning block size in skcipher_copy_iv() · d5cceea6
      Eric Biggers authored
      commit 0567fc9e upstream.
      
      The ALIGN() macro needs to be passed the alignment, not the alignmask
      (which is the alignment minus 1).
      
      Fixes: b286d8b1
      
       ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5cceea6
    • Eric Biggers's avatar
      crypto: ablkcipher - fix crash flushing dcache in error path · e990be06
      Eric Biggers authored
      commit 318abdfb
      
       upstream.
      
      Like the skcipher_walk and blkcipher_walk cases:
      
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      
      Fix it by reorganizing ablkcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      Reported-by: default avatarLiu Chao <liuchao741@huawei.com>
      Fixes: bf06099d
      
       ("crypto: skcipher - Add ablkcipher_walk interfaces")
      Cc: <stable@vger.kernel.org> # v2.6.35+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e990be06
    • Eric Biggers's avatar
      crypto: blkcipher - fix crash flushing dcache in error path · 4b900641
      Eric Biggers authored
      commit 0868def3
      
       upstream.
      
      Like the skcipher_walk case:
      
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      blkcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      
      Fix it by reorganizing blkcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      
      This bug was found by syzkaller fuzzing.
      
      Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
      
      	#include <linux/if_alg.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		struct sockaddr_alg addr = {
      			.salg_type = "skcipher",
      			.salg_name = "ecb(aes-generic)",
      		};
      		char buffer[4096] __attribute__((aligned(4096))) = { 0 };
      		int fd;
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
      		fd = accept(fd, NULL, NULL);
      		write(fd, buffer, 15);
      		read(fd, buffer, 15);
      	}
      Reported-by: default avatarLiu Chao <liuchao741@huawei.com>
      Fixes: 5cde0af2
      
       ("[CRYPTO] cipher: Added block cipher type")
      Cc: <stable@vger.kernel.org> # v2.6.19+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b900641
    • Eric Biggers's avatar
      crypto: vmac - separate tfm and request context · 990e4778
      Eric Biggers authored
      commit bb296481 upstream.
      
      syzbot reported a crash in vmac_final() when multiple threads
      concurrently use the same "vmac(aes)" transform through AF_ALG.  The bug
      is pretty fundamental: the VMAC template doesn't separate per-request
      state from per-tfm (per-key) state like the other hash algorithms do,
      but rather stores it all in the tfm context.  That's wrong.
      
      Also, vmac_final() incorrectly zeroes most of the state including the
      derived keys and cached pseudorandom pad.  Therefore, only the first
      VMAC invocation with a given key calculates the correct digest.
      
      Fix these bugs by splitting the per-tfm state from the per-request state
      and using the proper init/update/final sequencing for requests.
      
      Reproducer for the crash:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int fd;
                  struct sockaddr_alg addr = {
                          .salg_type = "hash",
                          .salg_name = "vmac(aes)",
                  };
                  char buf[256] = { 0 };
      
                  fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(fd, (void *)&addr, sizeof(addr));
                  setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
                  fork();
                  fd = accept(fd, NULL, NULL);
                  for (;;)
                          write(fd, buf, 256);
          }
      
      The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
      VMAC_NHBYTES, causing vmac_final() to memset() a negative length.
      
      Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
      Fixes: f1939f7c
      
       ("crypto: vmac - New hash algorithm for intel_txt support")
      Cc: <stable@vger.kernel.org> # v2.6.32+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      990e4778
    • Eric Biggers's avatar
      crypto: vmac - require a block cipher with 128-bit block size · bbf934bc
      Eric Biggers authored
      commit 73bf20ef upstream.
      
      The VMAC template assumes the block cipher has a 128-bit block size, but
      it failed to check for that.  Thus it was possible to instantiate it
      using a 64-bit block size cipher, e.g. "vmac(cast5)", causing
      uninitialized memory to be used.
      
      Add the needed check when instantiating the template.
      
      Fixes: f1939f7c
      
       ("crypto: vmac - New hash algorithm for intel_txt support")
      Cc: <stable@vger.kernel.org> # v2.6.32+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbf934bc
    • Eric Biggers's avatar
      crypto: x86/sha256-mb - fix digest copy in sha256_mb_mgr_get_comp_job_avx2() · 6223c1f7
      Eric Biggers authored
      commit af839b4e upstream.
      
      There is a copy-paste error where sha256_mb_mgr_get_comp_job_avx2()
      copies the SHA-256 digest state from sha256_mb_mgr::args::digest to
      job_sha256::result_digest.  Consequently, the sha256_mb algorithm
      sometimes calculates the wrong digest.  Fix it.
      
      Reproducer using AF_ALG:
      
          #include <assert.h>
          #include <linux/if_alg.h>
          #include <stdio.h>
          #include <string.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          static const __u8 expected[32] =
              "\xad\x7f\xac\xb2\x58\x6f\xc6\xe9\x66\xc0\x04\xd7\xd1\xd1\x6b\x02"
              "\x4f\x58\x05\xff\x7c\xb4\x7c\x7a\x85\xda\xbd\x8b\x48\x89\x2c\xa7";
      
          int main()
          {
              int fd;
              struct sockaddr_alg addr = {
                  .salg_type = "hash",
                  .salg_name = "sha256_mb",
              };
              __u8 data[4096] = { 0 };
              __u8 digest[32];
              int ret;
              int i;
      
              fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
              bind(fd, (void *)&addr, sizeof(addr));
              fork();
              fd = accept(fd, 0, 0);
              do {
                  ret = write(fd, data, 4096);
                  assert(ret == 4096);
                  ret = read(fd, digest, 32);
                  assert(ret == 32);
              } while (memcmp(digest, expected, 32) == 0);
      
              printf("wrong digest: ");
              for (i = 0; i < 32; i++)
                  printf("%02x", digest[i]);
              printf("\n");
          }
      
      Output was:
      
          wrong digest: ad7facb2000000000000000000000000ffffffef7cb47c7a85dabd8b48892ca7
      
      Fixes: 172b1d6b
      
       ("crypto: sha256-mb - fix ctx pointer and digest copy")
      Cc: <stable@vger.kernel.org> # v4.8+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6223c1f7
    • Tom Lendacky's avatar
      crypto: ccp - Fix command completion detection race · f2ccfbe4
      Tom Lendacky authored
      commit f426d2b2 upstream.
      
      The wait_event() function is used to detect command completion.  The
      interrupt handler will set the wait condition variable when the interrupt
      is triggered.  However, the variable used for wait_event() is initialized
      after the command has been submitted, which can create a race condition
      with the interrupt handler and result in the wait_event() never returning.
      Move the initialization of the wait condition variable to just before
      command submission.
      
      Fixes: 200664d5
      
       ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support")
      Cc: <stable@vger.kernel.org> # 4.16.x-
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Reviewed-by: default avatarBrijesh Singh <brijesh.singh@amd.com>
      Acked-by: default avatarGary R Hook <gary.hook@amd.com>
      Acked-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2ccfbe4
    • Tom Lendacky's avatar
      crypto: ccp - Check for NULL PSP pointer at module unload · 93aff32d
      Tom Lendacky authored
      commit afb31cd2 upstream.
      
      Should the PSP initialization fail, the PSP data structure will be
      freed and the value contained in the sp_device struct set to NULL.
      At module unload, psp_dev_destroy() does not check if the pointer
      value is NULL and will end up dereferencing a NULL pointer.
      
      Add a pointer check of the psp_data field in the sp_device struct
      in psp_dev_destroy() and return immediately if it is NULL.
      
      Cc: <stable@vger.kernel.org> # 4.16.x-
      Fixes: 2a6170df
      
       ("crypto: ccp: Add Platform Security Processor (PSP) device support")
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Acked-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      93aff32d
    • Gilad Ben-Yossef's avatar
      crypto: ccree - fix iv handling · 9113175f
      Gilad Ben-Yossef authored
      commit 00904aa0 upstream.
      
      We were copying our last cipher block into the request for use as IV for
      all modes of operations. Fix this by discerning the behaviour based on
      the mode of operation used: copy ciphertext for CBC, update counter for
      CTR.
      
      CC: stable@vger.kernel.org
      Fixes: 63ee04c8
      
       ("crypto: ccree - add skcipher support")
      Reported by: Hadar Gat <hadar.gat@arm.com>
      Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9113175f
    • Hadar Gat's avatar
      crypto: ccree - fix finup · 46c98de7
      Hadar Gat authored
      commit 26497e72
      
       upstream.
      
      finup() operation was incorrect, padding was missing.
      Fix by setting the ccree HW to enable padding.
      Signed-off-by: default avatarHadar Gat <hadar.gat@arm.com>
      [ gilad@benyossef.com: refactored for better code sharing ]
      Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46c98de7
    • Randy Dunlap's avatar
      kbuild: verify that $DEPMOD is installed · ce8556cc
      Randy Dunlap authored
      commit 934193a6 upstream.
      
      Verify that 'depmod' ($DEPMOD) is installed.
      This is a partial revert of commit 620c231c
      ("kbuild: do not check for ancient modutils tools").
      
      Also update Documentation/process/changes.rst to refer to
      kmod instead of module-init-tools.
      
      Fixes kernel bugzilla #198965:
      https://bugzilla.kernel.org/show_bug.cgi?id=198965
      
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
      Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
      Cc: Michal Marek <michal.lkml@markovi.net>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Chih-Wei Huang <cwhuang@linux.org.tw>
      Cc: stable@vger.kernel.org # any kernel since 2012
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce8556cc
    • Toshi Kani's avatar
      x86/mm: Disable ioremap free page handling on x86-PAE · 2ca715a1
      Toshi Kani authored
      commit f967db0b upstream.
      
      ioremap() supports pmd mappings on x86-PAE.  However, kernel's pmd
      tables are not shared among processes on x86-PAE.  Therefore, any
      update to sync'd pmd entries need re-syncing.  Freeing a pte page
      also leads to a vmalloc fault and hits the BUG_ON in vmalloc_sync_one().
      
      Disable free page handling on x86-PAE.  pud_free_pmd_page() and
      pmd_free_pte_page() simply return 0 if a given pud/pmd entry is present.
      This assures that ioremap() does not update sync'd pmd entries at the
      cost of falling back to pte mappings.
      
      Fixes: 28ee90fe
      
       ("x86/mm: implement free pmd/pte page interfaces")
      Reported-by: default avatarJoerg Roedel <joro@8bytes.org>
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: mhocko@suse.com
      Cc: akpm@linux-foundation.org
      Cc: hpa@zytor.com
      Cc: cpandya@codeaurora.org
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20180627141348.21777-2-toshi.kani@hpe.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ca715a1
    • M. Vefa Bicakci's avatar
      xen/pv: Call get_cpu_address_sizes to set x86_virt/phys_bits · 0ae4fd90
      M. Vefa Bicakci authored
      commit 405c018a upstream.
      
      Commit d94a155c
      
       ("x86/cpu: Prevent cpuinfo_x86::x86_phys_bits
      adjustment corruption") has moved the query and calculation of the
      x86_virt_bits and x86_phys_bits fields of the cpuinfo_x86 struct
      from the get_cpu_cap function to a new function named
      get_cpu_address_sizes.
      
      One of the call sites related to Xen PV VMs was unfortunately missed
      in the aforementioned commit. This prevents successful boot-up of
      kernel versions 4.17 and up in Xen PV VMs if CONFIG_DEBUG_VIRTUAL
      is enabled, due to the following code path:
      
        enlighten_pv.c::xen_start_kernel
          mmu_pv.c::xen_reserve_special_pages
            page.h::__pa
              physaddr.c::__phys_addr
                physaddr.h::phys_addr_valid
      
      phys_addr_valid uses boot_cpu_data.x86_phys_bits to validate physical
      addresses. boot_cpu_data.x86_phys_bits is no longer populated before
      the call to xen_reserve_special_pages due to the aforementioned commit
      though, so the validation performed by phys_addr_valid fails, which
      causes __phys_addr to trigger a BUG, preventing boot-up.
      Signed-off-by: default avatarM. Vefa Bicakci <m.v.b@runbox.com>
      Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: xen-devel@lists.xenproject.org
      Cc: x86@kernel.org
      Cc: stable@vger.kernel.org # for v4.17 and up
      Fixes: d94a155c
      
       ("x86/cpu: Prevent cpuinfo_x86::x86_phys_bits adjustment corruption")
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ae4fd90
    • Dave Hansen's avatar
      x86/mm/pti: Clear Global bit more aggressively · 48052116
      Dave Hansen authored
      commit eac7073a upstream.
      
      The kernel image starts out with the Global bit set across the entire
      kernel image.  The bit is cleared with set_memory_nonglobal() in the
      configurations with PCIDs where the performance benefits of the Global bit
      are not needed.
      
      However, this is fragile.  It means that we are stuck opting *out* of the
      less-secure (Global bit set) configuration, which seems backwards.  Let's
      start more secure (Global bit clear) and then let things opt back in if
      they want performance, or are truly mapping common data between kernel and
      userspace.
      
      This fixes a bug.  Before this patch, there are areas that are unmapped
      from the user page tables (like like everything above 0xffffffff82600000 in
      the example below).  These have the hallmark of being a wrong Global area:
      they are not identical in the 'current_kernel' and 'current_user' page
      table dumps.  They are also read-write, which means they're much more
      likely to contain secrets.
      
      Before this patch:
      
      current_kernel:---[ High Kernel Mapping ]---
      current_kernel-0xffffffff80000000-0xffffffff81000000          16M                               pmd
      current_kernel-0xffffffff81000000-0xffffffff81e00000          14M     ro         PSE     GLB x  pmd
      current_kernel-0xffffffff81e00000-0xffffffff81e11000          68K     ro                 GLB x  pte
      current_kernel-0xffffffff81e11000-0xffffffff82000000        1980K     RW                 GLB NX pte
      current_kernel-0xffffffff82000000-0xffffffff82600000           6M     ro         PSE     GLB NX pmd
      current_kernel-0xffffffff82600000-0xffffffff82c00000           6M     RW         PSE     GLB NX pmd
      current_kernel-0xffffffff82c00000-0xffffffff82e00000           2M     RW                 GLB NX pte
      current_kernel-0xffffffff82e00000-0xffffffff83200000           4M     RW         PSE     GLB NX pmd
      current_kernel-0xffffffff83200000-0xffffffffa0000000         462M                               pmd
      
       current_user:---[ High Kernel Mapping ]---
       current_user-0xffffffff80000000-0xffffffff81000000          16M                               pmd
       current_user-0xffffffff81000000-0xffffffff81e00000          14M     ro         PSE     GLB x  pmd
       current_user-0xffffffff81e00000-0xffffffff81e11000          68K     ro                 GLB x  pte
       current_user-0xffffffff81e11000-0xffffffff82000000        1980K     RW                 GLB NX pte
       current_user-0xffffffff82000000-0xffffffff82600000           6M     ro         PSE     GLB NX pmd
       current_user-0xffffffff82600000-0xffffffffa0000000         474M                               pmd
      
      After this patch:
      
      current_kernel:---[ High Kernel Mapping ]---
      current_kernel-0xffffffff80000000-0xffffffff81000000          16M                               pmd
      current_kernel-0xffffffff81000000-0xffffffff81e00000          14M     ro         PSE     GLB x  pmd
      current_kernel-0xffffffff81e00000-0xffffffff81e11000          68K     ro                 GLB x  pte
      current_kernel-0xffffffff81e11000-0xffffffff82000000        1980K     RW                     NX pte
      current_kernel-0xffffffff82000000-0xffffffff82600000           6M     ro         PSE     GLB NX pmd
      current_kernel-0xffffffff82600000-0xffffffff82c00000           6M     RW         PSE         NX pmd
      current_kernel-0xffffffff82c00000-0xffffffff82e00000           2M     RW                     NX pte
      current_kernel-0xffffffff82e00000-0xffffffff83200000           4M     RW         PSE         NX pmd
      current_kernel-0xffffffff83200000-0xffffffffa0000000         462M                               pmd
      
        current_user:---[ High Kernel Mapping ]---
        current_user-0xffffffff80000000-0xffffffff81000000          16M                               pmd
        current_user-0xffffffff81000000-0xffffffff81e00000          14M     ro         PSE     GLB x  pmd
        current_user-0xffffffff81e00000-0xffffffff81e11000          68K     ro                 GLB x  pte
        current_user-0xffffffff81e11000-0xffffffff82000000        1980K     RW                     NX pte
        current_user-0xffffffff82000000-0xffffffff82600000           6M     ro         PSE     GLB NX pmd
        current_user-0xffffffff82600000-0xffffffffa0000000         474M                               pmd
      
      Fixes: 0f561fce
      
       ("x86/pti: Enable global pages for shared areas")
      Reported-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: keescook@google.com
      Cc: aarcange@redhat.com
      Cc: jgross@suse.com
      Cc: jpoimboe@redhat.com
      Cc: gregkh@linuxfoundation.org
      Cc: peterz@infradead.org
      Cc: torvalds@linux-foundation.org
      Cc: bp@alien8.de
      Cc: luto@kernel.org
      Cc: ak@linux.intel.com
      Cc: Kees Cook <keescook@google.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Andi Kleen <ak@linux.intel.com>
      Link: https://lkml.kernel.org/r/20180802225825.A100C071@viggo.jf.intel.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      48052116
    • Dou Liyang's avatar
      x86/platform/UV: Mark memblock related init code and data correctly · 35cf3283
      Dou Liyang authored
      commit 24cfd8ca upstream.
      
      parse_mem_block_size() and mem_block_size are only used during init. Mark
      them accordingly.
      
      Fixes: d7609f42
      
       ("x86/platform/UV: Add kernel parameter to set memory block size")
      Signed-off-by: default avatarDou Liyang <douly.fnst@cn.fujitsu.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: hpa@zytor.com
      Cc: Mike Travis <mike.travis@hpe.com>
      Cc: Andrew Banman <andrew.banman@hpe.com>
      Link: https://lkml.kernel.org/r/20180730075947.23023-1-douly.fnst@cn.fujitsu.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      35cf3283
    • Vitaly Kuznetsov's avatar
      x86/hyper-v: Check for VP_INVAL in hyperv_flush_tlb_others() · 031e6466
      Vitaly Kuznetsov authored
      commit 110d2a7f upstream.
      
      Commit 1268ed0c ("x86/hyper-v: Fix the circular dependency in IPI
       enlightenment") pre-filled hv_vp_index with VP_INVAL so it is now
      (theoretically) possible to observe hv_cpu_number_to_vp_number()
      returning VP_INVAL. We need to check for that in hyperv_flush_tlb_others().
      
      Not checking for VP_INVAL on the first call site where we do
      
       if (hv_cpu_number_to_vp_number(cpumask_last(cpus)) >= 64)
                              goto do_ex_hypercall;
      
      is OK, in case we're eligible for non-ex hypercall we'll catch the
      issue later in for_each_cpu() cycle and in case we'll be doing ex-
      hypercall cpumask_to_vpset() will fail.
      
      It would be nice to change hv_cpu_number_to_vp_number() return
      value's type to 'u32' but this will likely be a bigger change as
      all call sites need to be checked first.
      
      Fixes: 1268ed0c
      
       ("x86/hyper-v: Fix the circular dependency in IPI enlightenment")
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarMichael Kelley <mikelley@microsoft.com>
      Cc: "K. Y. Srinivasan" <kys@microsoft.com>
      Cc: Haiyang Zhang <haiyangz@microsoft.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: "Michael Kelley (EOSG)" <Michael.H.Kelley@microsoft.com>
      Cc: devel@linuxdriverproject.org
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Link: https://lkml.kernel.org/r/20180709174012.17429-3-vkuznets@redhat.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      031e6466
    • Guenter Roeck's avatar
      x86: i8259: Add missing include file · fcaef4e2
      Guenter Roeck authored
      commit 0a957467
      
       upstream.
      
      i8259.h uses inb/outb and thus needs to include asm/io.h to avoid the
      following build error, as seen with x86_64:defconfig and CONFIG_SMP=n.
      
        In file included from drivers/rtc/rtc-cmos.c:45:0:
        arch/x86/include/asm/i8259.h: In function 'inb_pic':
        arch/x86/include/asm/i8259.h:32:24: error:
      	implicit declaration of function 'inb'
      
        arch/x86/include/asm/i8259.h: In function 'outb_pic':
        arch/x86/include/asm/i8259.h:45:2: error:
      	implicit declaration of function 'outb'
      Reported-by: default avatarSebastian Gottschall <s.gottschall@dd-wrt.com>
      Suggested-by: default avatarSebastian Gottschall <s.gottschall@dd-wrt.com>
      Fixes: 447ae316
      
       ("x86: Don't include linux/irq.h from asm/hardirq.h")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fcaef4e2
    • Guenter Roeck's avatar
      x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled · a8ac113d
      Guenter Roeck authored
      commit 1eb46908 upstream.
      
      allmodconfig+CONFIG_INTEL_KVM=n results in the following build error.
      
        ERROR: "l1tf_vmx_mitigation" [arch/x86/kvm/kvm.ko] undefined!
      
      Fixes: 5b76a3cf
      
       ("KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry")
      Reported-by: default avatarMeelis Roos <mroos@linux.ee>
      Cc: Meelis Roos <mroos@linux.ee>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8ac113d
  3. 15 Aug, 2018 15 commits