update to 4.19.21

parent 5cb904c8a9
commit 4a0b4cb79e

@@ -1,4 +1,311 @@
linux (4.19.20-2) UNRELEASED; urgency=medium
linux (4.19.21-1) UNRELEASED; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
    - devres: Align data[] to ARCH_KMALLOC_MINALIGN
    - drm/bufs: Fix Spectre v1 vulnerability
    - drm/vgem: Fix vgem_init to get drm device available.
    - [arm*] pinctrl: bcm2835: Use raw spinlock for RT compatibility
    - [x86] ASoC: Intel: mrfld: fix uninitialized variable access
    - gpiolib: Fix possible use after free on label
    - [armhf] drm/sun4i: Initialize registers in tcon-top driver
    - genirq/affinity: Spread IRQs to all available NUMA nodes
    - [armhf] gpu: ipu-v3: image-convert: Prevent race between run and
      unprepare
    - wil6210: fix reset flow for Talyn-mb
    - wil6210: fix memory leak in wil_find_tx_bcast_2
    - ath10k: assign 'n_cipher_suites' for WCN3990
    - ath9k: dynack: use authentication messages for 'late' ack
    - scsi: lpfc: Correct LCB RJT handling
    - scsi: mpt3sas: Call sas_remove_host before removing the target devices
    - scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event
    - [armhf] 8808/1: kexec:offline panic_smp_self_stop CPU
    - [mips] clk: boston: fix possible memory leak in clk_boston_setup()
    - dlm: Don't swamp the CPU with callbacks queued during recovery
    - [x86] PCI: Fix Broadcom CNB20LE unintended sign extension (redux)
    - [powerpc] pseries: add of_node_put() in dlpar_detach_node()
    - crypto: aes_ti - disable interrupts while accessing S-box
    - [arm*] drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE
    - serial: fsl_lpuart: clear parity enable bit when disable parity
    - ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
    - [mips] Boston: Disable EG20T prefetch
    - dpaa2-ptp: defer probe when portal allocation failed
    - iwlwifi: fw: do not set sgi bits for HE connection
    - fpga: altera-cvp: Fix registration for CvP incapable devices
    - [x86] fpga: altera-cvp: fix 'bad IO access' on x86_64
    - [x86] vbox: fix link error with 'gcc -Og'
    - platform/chrome: don't report EC_MKBP_EVENT_SENSOR_FIFO as wakeup
    - i40e: prevent overlapping tx_timeout recover
    - scsi: hisi_sas: change the time of SAS SSP connection
    - usbnet: smsc95xx: fix rx packet alignment
    - [armhf,arm64] drm/rockchip: fix for mailbox read size
    - [arm*] OMAP2+: hwmod: Fix some section annotations
    - drm/amd/display: fix gamma not being applied correctly
    - drm/amd/display: calculate stream->phy_pix_clk before clock mapping
    - bpf: libbpf: retry map creation without the name
    - net/mlx5: EQ, Use the right place to store/read IRQ affinity hint
    - modpost: validate symbol names also in find_elf_symbol
    - perf tools: Add Hygon Dhyana support
    - [armhf] soc/tegra: Don't leak device tree node reference
    - media: rc: ensure close() is called on rc_unregister_device
    - media: video-i2c: avoid accessing released memory area when removing
      driver
    - [armhf] media: mtk-vcodec: Release device nodes in
      mtk_vcodec_init_enc_pm()
    - ptp: Fix pass zero to ERR_PTR() in ptp_clock_register
    - dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll
    - [powerpc] 32: Add .data..Lubsan_data*/.data..Lubsan_type* sections
      explicitly
    - media: adv*/tc358743/ths8200: fill in min width/height/pixelclock
    - ACPI: SPCR: Consider baud rate 0 as preconfigured state
    - f2fs: move dir data flush to write checkpoint process
    - f2fs: fix race between write_checkpoint and write_begin
    - f2fs: fix wrong return value of f2fs_acl_create
    - i2c: sh_mobile: add support for r8a77990 (R-Car E3)
    - [arm64] io: Ensure calls to delay routines are ordered against prior
      readX()
    - net: aquantia: return 'err' if set MPI_DEINIT state fails
    - [sparc*] sunvdc: Do not spin in an infinite loop when vio_ldc_send()
      returns EAGAIN
    - soc: bcm: brcmstb: Don't leak device tree node reference
    - nfsd4: fix crash on writing v4_end_grace before nfsd startup
    - drm: Clear state->acquire_ctx before leaving
      drm_atomic_helper_commit_duplicated_state()
    - perf: arm_spe: handle devm_kasprintf() failure
    - [arm64] io: Ensure value passed to __iormb() is held in a 64-bit register
    - Thermal: do not clear passive state during system sleep
    - thermal: Fix locking in cooling device sysfs update cur_state
    - firmware/efi: Add NULL pointer checks in efivars API functions
    - [s390] zcrypt: improve special ap message cmd handling
    - mt76x0: dfs: fix IBI_R11 configuration on non-radar channels
    - [arm64] ftrace: don't adjust the LR value
    - ARM: dts: mmp2: fix TWSI2
    - ARM: dts: aspeed: add missing memory unit-address
    - [x86] fpu: Add might_fault() to user_insn()
    - media: i2c: TDA1997x: select CONFIG_HDMI
    - media: DaVinci-VPBE: fix error handling in vpbe_initialize()
    - smack: fix access permissions for keyring
    - usb: dwc3: Correct the logic for checking TRB full in
      __dwc3_prepare_one_trb()
    - usb: dwc2: Disable power down feature on Samsung SoCs
    - usb: hub: delay hub autosuspend if USB3 port is still link training
    - timekeeping: Use proper seqcount initializer
    - usb: mtu3: fix the issue about SetFeature(U1/U2_Enable)
    - [armhf] clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module
      clocks
    - media: imx274: select REGMAP_I2C
    - drm/amdgpu/powerplay: fix clock stretcher limits on polaris (v2)
    - tipc: fix node keep alive interval calculation
    - driver core: Move async_synchronize_full call
    - kobject: return error code if writing /sys/.../uevent fails
    - IB/hfi1: Unreserve a reserved request when it is completed
    - usb: dwc3: trace: add missing break statement to make compiler happy
    - [mips] gpio: mt7621: report failure of devm_kasprintf()
    - [mips] gpio: mt7621: pass mediatek_gpio_bank_probe() failure up the stack
    - [x86] iommu/amd: Fix amd_iommu=force_isolation
    - [armhf] dts: Fix OMAP4430 SDP Ethernet startup
    - [mips] bpf: fix encoding bug for mm_srlv32_op
    - media: coda: fix H.264 deblocking filter controls
    - [armel] dts: Fix up the D-Link DIR-685 MTD partition info
    - watchdog: renesas_wdt: don't set divider while watchdog is running
    - [armhf] dts: imx51-zii-rdu1: Do not specify "power-gpio" for hpa1
    - usb: dwc3: gadget: Disable CSP for stream OUT ep
    - [arm64] iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI
      payloads
    - [arm64] iommu/arm-smmu: Add support for qcom,smmu-v2 variant
    - [arm64] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
    - [armhf] clk: imx6sl: ensure MMDC CH0 handshake is bypassed
    - [x86] platform: mlx-platform: Fix tachometer registers
    - cpuidle: big.LITTLE: fix refcount leak
    - OPP: Use opp_table->regulators to verify no regulator case
    - tee: optee: avoid possible double list_del()
    - drm/msm/dsi: fix dsi clock names in DSI 10nm PLL driver
    - drm/msm: dpu: Only check flush register against pending flushes
    - lightnvm: pblk: fix resubmission of overwritten write err lbas
    - lightnvm: pblk: add lock protection to list operations
    - i2c-axxia: check for error conditions first
    - [armhf] phy: sun4i-usb: add support for missing USB PHY index
    - udf: Fix BUG on corrupted inode
    - selftests/bpf: use __bpf_constant_htons in test_prog.c
    - [armel] pxa: avoid section mismatch warning
    - [armhf] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
    - [powerpc] KVM: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv
      machines
    - [arm*] mmc: bcm2835: Recover from MMC_SEND_EXT_CSD
    - [arm*] mmc: bcm2835: reset host on timeout
    - memstick: Prevent memstick host from getting runtime suspended during
      card detection
    - mmc: sdhci-of-esdhc: Fix timeout checks
    - mmc: sdhci-omap: Fix timeout checks
    - mmc: sdhci-xenon: Fix timeout checks
    - [mips] mmc: jz4740: Get CD/WP GPIOs from descriptors
    - usb: renesas_usbhs: add support for RZ/G2E
    - btrfs: harden agaist duplicate fsid on scanned devices
    - serial: sh-sci: Fix locking in sci_submit_rx()
    - serial: sh-sci: Resume PIO in sci_rx_interrupt() on DMA failure
    - tty: serial: samsung: Properly set flags in autoCTS mode
    - perf test: Fix perf_event_attr test failure
    - perf dso: Fix unchecked usage of strncpy()
    - perf header: Fix unchecked usage of strncpy()
    - btrfs: use tagged writepage to mitigate livelock of snapshot
    - perf probe: Fix unchecked usage of strncpy()
    - i2c: sh_mobile: Add support for r8a774c0 (RZ/G2E)
    - bnxt_en: Disable MSIX before re-reserving NQs/CMPL rings.
    - [x86] tools/power/x86/intel_pstate_tracer: Fix non root execution for
      post processing a trace file
    - livepatch: check kzalloc return values
    - [arm64] KVM: Skip MMIO insn after emulation
    - usb: musb: dsps: fix otg state machine
    - usb: musb: dsps: fix runtime pm for peripheral mode
    - perf header: Fix up argument to ctime()
    - perf tools: Cast off_t to s64 to avoid warning on bionic libc
    - percpu: convert spin_lock_irq to spin_lock_irqsave.
    - [arm64] net: hns3: fix incomplete uninitialization of IRQ in the
      hns3_nic_uninit_vector_data()
    - drm/amd/display: Add retry to read ddc_clock pin
    - Bluetooth: hci_bcm: Handle deferred probing for the clock supply
    - drm/amd/display: fix YCbCr420 blank color
    - [powerpc] uaccess: fix warning/error with access_ok()
    - mac80211: fix radiotap vendor presence bitmap handling
    - xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
    - mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG
    - scsi: smartpqi: correct host serial num for ssa
    - scsi: smartpqi: correct volume status
    - scsi: smartpqi: increase fw status register read timeout
    - cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
    - [arm64] net: hns3: add max vector number check for pf
    - [powerpc] perf: Fix thresholding counter data for unknown type
    - iwlwifi: mvm: fix setting HE ppe FW config
    - [powerpc] powernv/ioda: Allocate indirect TCE levels of cached userspace
      addresses on demand
    - mlx5: update timecounter at least twice per counter overflow
    - drbd: narrow rcu_read_lock in drbd_sync_handshake
    - drbd: disconnect, if the wrong UUIDs are attached on a connected peer
    - drbd: skip spurious timeout (ping-timeo) when failing promote
    - drbd: Avoid Clang warning about pointless switch statment
    - drm/amd/display: validate extended dongle caps
    - video: clps711x-fb: release disp device node in probe()
    - md: fix raid10 hang issue caused by barrier
    - fbdev: fbmem: behave better with small rotated displays and many CPUs
    - i40e: define proper net_device::neigh_priv_len
    - ice: Do not enable NAPI on q_vectors that have no rings
    - igb: Fix an issue that PME is not enabled during runtime suspend
    - ACPI/APEI: Clear GHES block_status before panic()
    - fbdev: fbcon: Fix unregister crash when more than one framebuffer
    - [powerpc] mm: Fix reporting of kernel execute faults on the 8xx
    - [x86] KVM: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
    - [powerpc] fadump: Do not allow hot-remove memory from fadump reserved
      area.
    - kvm: Change offset in kvm_write_guest_offset_cached to unsigned
    - NFS: nfs_compare_mount_options always compare auth flavors.
    - perf build: Don't unconditionally link the libbfd feature test to
      -liberty and -lz
    - hwmon: (lm80) fix a missing check of the status of SMBus read
    - hwmon: (lm80) fix a missing check of bus read in lm80 probe
    - seq_buf: Make seq_buf_puts() null-terminate the buffer
    - crypto: ux500 - Use proper enum in cryp_set_dma_transfer
    - crypto: ux500 - Use proper enum in hash_set_dma_transfer
    - [mips] ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8
    - cifs: check ntwrk_buf_start for NULL before dereferencing it
    - f2fs: fix use-after-free issue when accessing sbi->stat_info
    - um: Avoid marking pages with "changed protection"
    - niu: fix missing checks of niu_pci_eeprom_read
    - f2fs: fix sbi->extent_list corruption issue
    - cgroup: fix parsing empty mount option string
    - perf python: Do not force closing original perf descriptor in
      evlist.get_pollfd()
    - scripts/decode_stacktrace: only strip base path when a prefix of the path
    - arch/sh/boards/mach-kfr2r09/setup.c: fix struct mtd_oob_ops build warning
    - ocfs2: don't clear bh uptodate for block read
    - ocfs2: improve ocfs2 Makefile
    - mm/page_alloc.c: don't call kasan_free_pages() at deferred mem init
    - zram: fix lockdep warning of free block handling
    - isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in
      HFCPCI_l1hw()
    - gdrom: fix a memory leak bug
    - fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address()
    - block/swim3: Fix -EBUSY error when re-opening device after unmount
    - [arm*] thermal: bcm2835: enable hwmon explicitly
    - kdb: Don't back trace on a cpu that didn't round up
    - [armhf] PCI: imx: Enable MSI from downstream components
    - thermal: generic-adc: Fix adc to temp interpolation
    - [arm64] sve: ptrace: Fix SVE_PT_REGS_OFFSET definition
    - kernel/hung_task.c: break RCU locks based on jiffies
    - proc/sysctl: fix return error for proc_doulongvec_minmax()
    - kernel/hung_task.c: force console verbose before panic
    - fs/epoll: drop ovflist branch prediction
    - exec: load_script: don't blindly truncate shebang string
    - kernel/kcov.c: mark write_comp_data() as notrace
    - scripts/gdb: fix lx-version string output
    - xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat
    - xfs: cancel COW blocks before swapext
    - xfs: Fix error code in 'xfs_ioc_getbmap()'
    - xfs: fix overflow in xfs_attr3_leaf_verify
    - xfs: fix shared extent data corruption due to missing cow reservation
    - xfs: fix transient reference count error in
      xfs_buf_resubmit_failed_buffers
    - xfs: delalloc -> unwritten COW fork allocation can go wrong
    - fs/xfs: fix f_ffree value for statfs when project quota is set
    - xfs: fix PAGE_MASK usage in xfs_free_file_space
    - xfs: fix inverted return from xfs_btree_sblock_verify_crc
    - thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set
    - dccp: fool proof ccid_hc_[rt]x_parse_options()
    - enic: fix checksum validation for IPv6
    - lib/test_rhashtable: Make test_insert_dup() allocate its hash table
      dynamically
    - net: dp83640: expire old TX-skb
    - net: dsa: Fix lockdep false positive splat
    - net: dsa: Fix NULL checking in dsa_slave_set_eee()
    - net: dsa: mv88e6xxx: Fix counting of ATU violations
    - net: dsa: slave: Don't propagate flag changes on down slave interfaces
    - net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
    - net: systemport: Fix WoL with password after deep sleep
    - rds: fix refcount bug in rds_sock_addref
    - Revert "net: phy: marvell: avoid pause mode on SGMII-to-Copper for
      88e151x"
    - rxrpc: bad unlock balance in rxrpc_recvmsg
    - sctp: check and update stream->out_curr when allocating stream_out
    - sctp: walk the list of asoc safely (CVE-2019-8956)
    - skge: potential memory corruption in skge_get_regs()
    - virtio_net: Account for tx bytes and packets on sending xdp_frames
    - net/mlx5e: FPGA, fix Innova IPsec TX offload data path performance
    - xfs: eof trim writeback mapping as soon as it is cached
    - ALSA: compress: Fix stop handling on compressed capture streams
    - ALSA: usb-audio: Add support for new T+A USB DAC
    - ALSA: hda - Serialize codec registrations
    - ALSA: hda/realtek - Fix lose hp_pins for disable auto mute
    - ALSA: hda/realtek - Use a common helper for hp pin reference
    - ALSA: hda/realtek - Headset microphone support for System76 darp5
    - fuse: call pipe_buf_release() under pipe lock
    - fuse: decrement NR_WRITEBACK_TEMP on the right page
    - fuse: handle zero sized retrieve correctly
    - [arm*] dmaengine: bcm2835: Fix interrupt race on RT
    - [arm*] dmaengine: bcm2835: Fix abort of transactions
    - [armhf] dmaengine: imx-dma: fix wrong callback invoke
    - futex: Handle early deadlock return correctly
    - [arm64] irqchip/gic-v3-its: Plug allocation race for devices sharing a
      DevID
    - [armhf] usb: phy: am335x: fix race condition in _probe
    - usb: dwc3: gadget: Handle 0 xfer length for OUT EP
    - usb: gadget: udc: net2272: Fix bitwise and boolean operations
    - usb: gadget: musb: fix short isoc packets with inventra dma
    - staging: speakup: fix tty-operation NULL derefs
    - scsi: cxlflash: Prevent deadlock when adapter probe fails
    - scsi: aic94xx: fix module loading
    - cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM
    - [x86] perf/x86/intel/uncore: Add Node ID mask
    - [x86] MCE: Initialize mce.bank in the case of a fatal error in
      mce_no_way_out()
    - perf/core: Don't WARN() for impossible ring-buffer sizes
    - perf tests evsel-tp-sched: Fix bitwise operator
    - serial: fix race between flush_to_ldisc and tty_open
    - serial: 8250_pci: Make PCI class test non fatal
    - serial: sh-sci: Do not free irqs that have already been freed
    - cacheinfo: Keep the old value if of_property_read_u32 fails
    - IB/hfi1: Add limit test for RC/UC send via loopback
    - [x86] perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu()
    - ath9k: dynack: make ewma estimation faster
    - ath9k: dynack: check da->enabled first in sampling routines

  [ Ben Hutchings ]
  * [sparc64] udeb: Use standard module list in nic-modules; add i2c-modules
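Review bot: the stable-update list above does not mention the HID debug ring-buffer fix (CVE-2019-3819) or the kvm_ioctl_create_device() refcount fix (CVE-2019-6974), yet both patch files are deleted further down in this same commit alongside the percpu irqsave patch, whose subject is listed. If those two fixes arrived with 4.19.21 the changelog should say so in the same terms as the other entries, and if they did not, the patches must stay; either way the matching debian/patches/series edit is not visible in this excerpt and should be confirmed. 'triggerd' and 'agaist' are upstream commit subjects quoted verbatim and can stay.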

@@ -1,259 +0,0 @@
From: Vladis Dronov <vdronov@redhat.com>
Date: Tue, 29 Jan 2019 11:58:35 +0100
Subject: HID: debug: fix the ring buffer implementation
Origin: https://git.kernel.org/linus/13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3819

Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
is strange allowing lost or corrupted data. After commit 717adfdaf147
("HID: debug: check length before copy_to_user()") it is possible to enter
an infinite loop in hid_debug_events_read() by providing 0 as count, this
locks up a system. Fix this by rewriting the ring buffer implementation
with kfifo and simplify the code.

This fixes CVE-2019-3819.

v2: fix an execution logic and add a comment
v3: use __set_current_state() instead of set_current_state()

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
Cc: stable@vger.kernel.org # v4.18+
Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
---
 drivers/hid/hid-debug.c   | 120 ++++++++++++++++++----------------------------
 include/linux/hid-debug.h |   9 ++--
 2 files changed, 51 insertions(+), 78 deletions(-)

diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
index c530476edba6..ac9fda1b5a72 100644
--- a/drivers/hid/hid-debug.c
+++ b/drivers/hid/hid-debug.c
@@ -30,6 +30,7 @@

#include <linux/debugfs.h>
#include <linux/seq_file.h>
+#include <linux/kfifo.h>
#include <linux/sched/signal.h>
#include <linux/export.h>
#include <linux/slab.h>
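Review bot: include/linux/hid-debug.h also gains #include <linux/kfifo.h> later in this patch, so this include is redundant for the struct definition; it is still worth keeping, because hid-debug.c calls kfifo_in()/kfifo_to_user() directly and should not rely on a transitive include, but the two additions should be a deliberate pair rather than one being left over from an earlier revision.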
@@ -661,17 +662,12 @@ EXPORT_SYMBOL_GPL(hid_dump_device);
/* enqueue string to 'events' ring buffer */
void hid_debug_event(struct hid_device *hdev, char *buf)
{
- unsigned i;
struct hid_debug_list *list;
unsigned long flags;

spin_lock_irqsave(&hdev->debug_list_lock, flags);
- list_for_each_entry(list, &hdev->debug_list, node) {
- for (i = 0; buf[i]; i++)
- list->hid_debug_buf[(list->tail + i) % HID_DEBUG_BUFSIZE] =
- buf[i];
- list->tail = (list->tail + i) % HID_DEBUG_BUFSIZE;
- }
+ list_for_each_entry(list, &hdev->debug_list, node)
+ kfifo_in(&list->hid_debug_fifo, buf, strlen(buf));
spin_unlock_irqrestore(&hdev->debug_list_lock, flags);

wake_up_interruptible(&hdev->debug_wait);
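Review bot: the return value of kfifo_in() (the number of bytes actually stored) is discarded, so once a reader's fifo is full the remainder of buf is silently truncated, where the old code silently overwrote older data instead; that is an acceptable trade-off for a debugfs event stream, but it deserves a comment on the kfifo_in() line, and the function comment above still calls this a 'ring buffer'. strlen(buf) is also recomputed for every list entry and could be hoisted out of the loop.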
@@ -722,8 +718,7 @@ void hid_dump_input(struct hid_device *hdev, struct hid_usage *usage, __s32 valu
hid_debug_event(hdev, buf);

kfree(buf);
- wake_up_interruptible(&hdev->debug_wait);
-
+ wake_up_interruptible(&hdev->debug_wait);
}
EXPORT_SYMBOL_GPL(hid_dump_input);
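Review bot: hid_debug_event() already calls wake_up_interruptible(&hdev->debug_wait) after enqueueing (see the previous hunk), so the wake-up in hid_dump_input() is a duplicate; this hunk only removes the blank line after it, and the cleaner change would be to delete the second wake-up rather than re-add it.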

@@ -1083,8 +1078,8 @@ static int hid_debug_events_open(struct inode *inode, struct file *file)
goto out;
}

- if (!(list->hid_debug_buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_KERNEL))) {
- err = -ENOMEM;
+ err = kfifo_alloc(&list->hid_debug_fifo, HID_DEBUG_FIFOSIZE, GFP_KERNEL);
+ if (err) {
kfree(list);
goto out;
}
@@ -1104,77 +1099,57 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
size_t count, loff_t *ppos)
{
struct hid_debug_list *list = file->private_data;
- int ret = 0, len;
+ int ret = 0, copied;
DECLARE_WAITQUEUE(wait, current);

mutex_lock(&list->read_mutex);
- while (ret == 0) {
- if (list->head == list->tail) {
- add_wait_queue(&list->hdev->debug_wait, &wait);
- set_current_state(TASK_INTERRUPTIBLE);
-
- while (list->head == list->tail) {
- if (file->f_flags & O_NONBLOCK) {
- ret = -EAGAIN;
- break;
- }
- if (signal_pending(current)) {
- ret = -ERESTARTSYS;
- break;
- }
+ if (kfifo_is_empty(&list->hid_debug_fifo)) {
+ add_wait_queue(&list->hdev->debug_wait, &wait);
+ set_current_state(TASK_INTERRUPTIBLE);
+
+ while (kfifo_is_empty(&list->hid_debug_fifo)) {
+ if (file->f_flags & O_NONBLOCK) {
+ ret = -EAGAIN;
+ break;
+ }

- if (!list->hdev || !list->hdev->debug) {
- ret = -EIO;
- set_current_state(TASK_RUNNING);
- goto out;
- }
+ if (signal_pending(current)) {
+ ret = -ERESTARTSYS;
+ break;
+ }

- /* allow O_NONBLOCK from other threads */
- mutex_unlock(&list->read_mutex);
- schedule();
- mutex_lock(&list->read_mutex);
- set_current_state(TASK_INTERRUPTIBLE);
+ /* if list->hdev is NULL we cannot remove_wait_queue().
+ * if list->hdev->debug is 0 then hid_debug_unregister()
+ * was already called and list->hdev is being destroyed.
+ * if we add remove_wait_queue() here we can hit a race.
+ */
+ if (!list->hdev || !list->hdev->debug) {
+ ret = -EIO;
+ set_current_state(TASK_RUNNING);
+ goto out;
}

- set_current_state(TASK_RUNNING);
- remove_wait_queue(&list->hdev->debug_wait, &wait);
+ /* allow O_NONBLOCK from other threads */
+ mutex_unlock(&list->read_mutex);
+ schedule();
+ mutex_lock(&list->read_mutex);
+ set_current_state(TASK_INTERRUPTIBLE);
}

- if (ret)
- goto out;
+ __set_current_state(TASK_RUNNING);
+ remove_wait_queue(&list->hdev->debug_wait, &wait);

- /* pass the ringbuffer contents to userspace */
-copy_rest:
- if (list->tail == list->head)
+ if (ret)
goto out;
- if (list->tail > list->head) {
- len = list->tail - list->head;
- if (len > count)
- len = count;
-
- if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
- ret = -EFAULT;
- goto out;
- }
- ret += len;
- list->head += len;
- } else {
- len = HID_DEBUG_BUFSIZE - list->head;
- if (len > count)
- len = count;
-
- if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
- ret = -EFAULT;
- goto out;
- }
- list->head = 0;
- ret += len;
- count -= len;
- if (count > 0)
- goto copy_rest;
- }
-
}
+
+ /* pass the fifo content to userspace, locking is not needed with only
+ * one concurrent reader and one concurrent writer
+ */
+ ret = kfifo_to_user(&list->hid_debug_fifo, buffer, count, &copied);
+ if (ret)
+ goto out;
+ ret = copied;
out:
mutex_unlock(&list->read_mutex);
return ret;
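Review bot: this is the hunk that closes the CVE-2019-3819 lockup: the copy_rest loop, which never made progress when count was 0, is replaced by a single kfifo_to_user() whose `copied` is returned directly, so a zero-length read now returns 0 instead of spinning. Two follow-ups. First, a read with count == 0 still enters the wait loop and blocks until an event arrives, whereas read(2) conventionally returns 0 immediately; an explicit `if (!count) return 0;` before taking read_mutex would match that expectation. Second, the comment 'locking is not needed with only one concurrent reader and one concurrent writer' is true only because read_mutex serialises readers and debug_list_lock serialises the writers in hid_debug_event(); kfifo guarantees lockless operation for exactly one producer and one consumer, so spelling out which locks provide that property will save the next reader from re-deriving it.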
@@ -1185,7 +1160,7 @@ static __poll_t hid_debug_events_poll(struct file *file, poll_table *wait)
struct hid_debug_list *list = file->private_data;

poll_wait(file, &list->hdev->debug_wait, wait);
- if (list->head != list->tail)
+ if (!kfifo_is_empty(&list->hid_debug_fifo))
return EPOLLIN | EPOLLRDNORM;
if (!list->hdev->debug)
return EPOLLERR | EPOLLHUP;
@@ -1200,7 +1175,7 @@ static int hid_debug_events_release(struct inode *inode, struct file *file)
spin_lock_irqsave(&list->hdev->debug_list_lock, flags);
list_del(&list->node);
spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags);
- kfree(list->hid_debug_buf);
+ kfifo_free(&list->hid_debug_fifo);
kfree(list);

return 0;
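Review bot: the ordering here is correct: list_del() runs under debug_list_lock before kfifo_free(), so no hid_debug_event() caller can still be writing into the fifo when it is released. That is precisely the property the 'one concurrent writer' comment in hid_debug_events_read() depends on, so a one-line comment tying the two together would help future readers.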
@@ -1246,4 +1221,3 @@ void hid_debug_exit(void)
{
debugfs_remove_recursive(hid_debug_root);
}
-
diff --git a/include/linux/hid-debug.h b/include/linux/hid-debug.h
index 8663f216c563..2d6100edf204 100644
--- a/include/linux/hid-debug.h
+++ b/include/linux/hid-debug.h
@@ -24,7 +24,10 @@

#ifdef CONFIG_DEBUG_FS

+#include <linux/kfifo.h>
+
#define HID_DEBUG_BUFSIZE 512
+#define HID_DEBUG_FIFOSIZE 512

void hid_dump_input(struct hid_device *, struct hid_usage *, __s32);
void hid_dump_report(struct hid_device *, int , u8 *, int);
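Review bot: HID_DEBUG_FIFOSIZE is added with the same value as HID_DEBUG_BUFSIZE, so the header now carries two identical 512s for different purposes. If HID_DEBUG_BUFSIZE is still used for the temporary buf in hid_dump_input() (its kfree() is visible in an earlier hunk), a short comment distinguishing the per-event buffer size from the per-reader fifo size will stop someone later 'deduplicating' them; if it is no longer used, drop it in this patch.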
|
|
||||||
@@ -37,11 +40,8 @@ void hid_debug_init(void);
|
|
||||||
void hid_debug_exit(void);
|
|
||||||
void hid_debug_event(struct hid_device *, char *);
|
|
||||||
|
|
||||||
-
|
|
||||||
struct hid_debug_list {
|
|
||||||
- char *hid_debug_buf;
|
|
||||||
- int head;
|
|
||||||
- int tail;
|
|
||||||
+ DECLARE_KFIFO_PTR(hid_debug_fifo, char);
|
|
||||||
struct fasync_struct *fasync;
|
|
||||||
struct hid_device *hdev;
|
|
||||||
struct list_head node;
|
|
||||||
@@ -64,4 +64,3 @@ struct hid_debug_list {
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#endif
|
|
||||||
-
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
|
@ -1,57 +0,0 @@
From: Jann Horn <jannh@google.com>
Date: Sat, 26 Jan 2019 01:54:33 +0100
Subject: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
Origin: https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6974

kvm_ioctl_create_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed
reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
reference

The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
virt/kvm/kvm_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 5ecea812cb6a..585845203db8 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
if (ops->init)
ops->init(dev);

+ kvm_get_kvm(kvm);
ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
if (ret < 0) {
+ kvm_put_kvm(kvm);
mutex_lock(&kvm->lock);
list_del(&dev->vm_node);
mutex_unlock(&kvm->lock);
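Review bot: the ordering fix is correct: kvm_get_kvm(kvm) now precedes anon_inode_getfd(), so by the time the new fd is visible to userspace the device already owns a real reference and an immediate close() can no longer drop the VM's refcount to zero. One point on the error path: kvm_put_kvm(kvm) is called before mutex_lock(&kvm->lock) and list_del(&dev->vm_node). That is safe only because the ioctl caller still holds its own reference to kvm through the VM fd, so this put cannot be the last one; a short comment saying so, or moving the put after mutex_unlock(&kvm->lock), would make the ordering obviously safe to the next reader.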
@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
return ret;
}

- kvm_get_kvm(kvm);
cd->fd = ret;
return 0;
}
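Review bot: dropping the late kvm_get_kvm(kvm) here is required to keep the refcount balanced now that the reference is taken before anon_inode_getfd() in the previous hunk: the success path still performs exactly one get, and the failure path's get is undone by the new kvm_put_kvm(kvm). The remaining window between the fd becoming visible and cd->fd = ret is harmless, since cd is the kernel-side copy of the ioctl argument and a racing close() of the new fd only drops the reference the device now legitimately owns.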
--
2.11.0

@ -1,49 +0,0 @@
From: Dennis Zhou <dennis@kernel.org>
Date: Tue, 18 Dec 2018 08:42:27 -0800
Subject: percpu: convert spin_lock_irq to spin_lock_irqsave.
Origin: https://git.kernel.org/linus/6ab7d47bcbf0144a8cb81536c2cead4cde18acfe

From Michael Cree:
"Bisection led to commit b38d08f3181c ("percpu: restructure
locking") as being the cause of lockups at initial boot on
the kernel built for generic Alpha.

On a suggestion by Tejun Heo that:

So, the only thing I can think of is that it's calling
spin_unlock_irq() while irq handling isn't set up yet.
Can you please try the following?

1. Convert all spin_[un]lock_irq() to
spin_lock_irqsave/unlock_irqrestore()."

Fixes: b38d08f3181c ("percpu: restructure locking")
Reported-and-tested-by: Michael Cree <mcree@orcon.net.nz>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
---
mm/percpu-km.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/mm/percpu-km.c
+++ b/mm/percpu-km.c
@@ -50,6 +50,7 @@ static struct pcpu_chunk *pcpu_create_ch
const int nr_pages = pcpu_group_sizes[0] >> PAGE_SHIFT;
struct pcpu_chunk *chunk;
struct page *pages;
+ unsigned long flags;
int i;

chunk = pcpu_alloc_chunk(gfp);
@@ -68,9 +69,9 @@ static struct pcpu_chunk *pcpu_create_ch
chunk->data = pages;
chunk->base_addr = page_address(pages) - pcpu_group_offsets[0];

- spin_lock_irq(&pcpu_lock);
+ spin_lock_irqsave(&pcpu_lock, flags);
pcpu_chunk_populated(chunk, 0, nr_pages, false);
- spin_unlock_irq(&pcpu_lock);
+ spin_unlock_irqrestore(&pcpu_lock, flags);

pcpu_stats_chunk_alloc();
trace_percpu_create_chunk(chunk->base_addr);
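Review bot: switching to spin_lock_irqsave()/spin_unlock_irqrestore() here preserves the caller's interrupt state instead of unconditionally enabling interrupts on unlock, which is exactly what the quoted report points at (spin_unlock_irq() running before IRQ handling is set up during early boot); flags is assigned and consumed entirely within the locked region shown, so no other path needs to restore it. The quoted suggestion, however, was to convert all spin_[un]lock_irq() sites, while the diffstat touches only mm/percpu-km.c; a sentence in the commit message explaining why this single site is sufficient (or that the other callers were audited) would make the scope of the fix clear to anyone backporting it.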

@ -1,37 +0,0 @@
From: Peter Shier <pshier@google.com>
Date: Thu, 11 Oct 2018 11:46:46 -0700
Subject: KVM: nVMX: unconditionally cancel preemption timer in free_nested
(CVE-2019-7221)
Origin: https://git.kernel.org/linus/ecec76885bcfe3294685dc363fd1273df0d5d65f
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7221

Bugzilla: 1671904

There are multiple code paths where an hrtimer may have been started to
emulate an L1 VMX preemption timer that can result in a call to free_nested
without an intervening L2 exit where the hrtimer is normally
cancelled. Unconditionally cancel in free_nested to cover all cases.

Embargoed until Feb 7th 2019.

Signed-off-by: Peter Shier <pshier@google.com>
Reported-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Message-Id: <20181011184646.154065-1-pshier@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[carnil: Backport to 4.19. Adjust filename to arch/x86/kvm/vmx/vmx.c
as later refactoring moved nested code to dedicated files]
---

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8469,6 +8469,7 @@ static void free_nested(struct vcpu_vmx
if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
return;

+ hrtimer_cancel(&vmx->nested.preemption_timer);
vmx->nested.vmxon = false;
vmx->nested.smm.vmxon = false;
free_vpid(vmx->nested.vpid02);
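Review bot: hrtimer_cancel(&vmx->nested.preemption_timer) sits after the early return on !vmx->nested.vmxon && !vmx->nested.smm.vmxon, so the cancel only runs when nested VMX was actually enabled. That is correct as long as the preemption timer can only have been armed while vmxon was set; if any path could start it with vmxon already cleared, the early return would still leave a timer firing against torn-down nested state, which is the failure mode the commit message describes. It would also help to note in the message that hrtimer_cancel() waits for a running callback to finish, so free_nested must never be reachable from the timer callback itself.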

@ -1,48 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 29 Jan 2019 18:41:16 +0100
Subject: KVM: x86: work around leak of uninitialized stack contents
(CVE-2019-7222)
Origin: https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-7222

Bugzilla: 1671930

Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
when passed an operand that points to an MMIO address. The page fault
will use uninitialized kernel stack memory as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just
ensure that the error code and CR2 are zero.

Embargoed until Feb 7th 2019.

Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/x86.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3d27206f6c01..e67ecf25e690 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5116,6 +5116,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
{
u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;

+ /*
+ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+ * is returned, but our callers are not ready for that and they blindly
+ * call kvm_inject_page_fault. Ensure that they at least do not leak
+ * uninitialized kernel stack memory into cr2 and error code.
+ */
+ memset(exception, 0, sizeof(*exception));
return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
exception);
}
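Review bot: the memset(exception, 0, sizeof(*exception)) before the helper call is a contained workaround: when the read hits MMIO and the helper returns without filling in the exception, callers that blindly inject a page fault now see a zero CR2 and error code instead of whatever was left on the stack. Two things are worth recording in the message or the FIXME: the zeroing covers every field of the exception struct, so the eventual proper fix (handle_emulation_failure on X86EMUL_IO_NEEDED, as the comment says) should remove this memset rather than keep both; and since the message lists several VMX instructions, it should be confirmed that all of them fetch their operand through kvm_read_guest_virt() and not through a sibling guest-access helper that would still need the same zeroing.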
--
2.11.0

@ -102,7 +102,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/percpu-convert-spin_lock_irq-to-spin_lock_irqsave.patch
bugfix/all/mt76-use-the-correct-hweight8-function.patch
bugfix/all/mt76-use-the-correct-hweight8-function.patch
bugfix/all/btrfs-fix-corruption-reading-shared-and-compressed-e.patch
bugfix/all/btrfs-fix-corruption-reading-shared-and-compressed-e.patch

@ -144,10 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

# Security fixes
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch
bugfix/x86/KVM-x86-work-around-leak-of-uninitialized-stack-cont.patch
bugfix/x86/KVM-nVMX-unconditionally-cancel-preemption-timer-in-.patch
bugfix/all/HID-debug-fix-the-ring-buffer-implementation.patch

# Fix exported symbol versions
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
bugfix/all/module-disable-matching-missing-version-crc.patch
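Review bot: the four entries removed here (the CVE-2019-6974, CVE-2019-7222 and CVE-2019-7221 KVM fixes and the HID debug ring-buffer fix), together with the percpu entry dropped in the previous hunk, match the patch files deleted above, so series stays consistent with the tree. Dropping them without a replacement is only correct if the new upstream base already contains the commits named in each patch's Origin: line; a pointer to those commits in the commit message or changelog would let the security tracker entries for CVE-2019-6974, CVE-2019-7221 and CVE-2019-7222 be closed against the new version rather than against the dropped Debian patches.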