authorKernel Build Daemon <kbuild@suse.de>2019-08-20 07:21:59 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-08-20 07:21:59 +0200
commitb7e69df709b769c093d9cf8a7d29863c643226c8 (patch)
treec210bda2d88c44067156c35e28e9c2bfc4b534ff
parent47e0fc0a0f861f21431a8b4543f1e323b642e887 (diff)
parenta2925e149c37d7fa36f9bf5c35e2e04a7dd49153 (diff)
Merge branch 'SLE15' into SLE15-AZURESLE15-AZURE
-rw-r--r--blacklist.conf4
-rw-r--r--patches.arch/kvm-x86-fix-backward-migration-with-async_pf97
-rw-r--r--patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch71
-rw-r--r--patches.drivers/iommu-dma-handle-sg-length-overflow-better42
-rw-r--r--series.conf3
5 files changed, 216 insertions, 1 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 80357b6dfd..0a2bcb7e52 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -163,6 +163,7 @@ CVE-2018-16880 # bsc#1122767, needed only for SLE15-SP1+
CVE-2019-9003 # bsc#1126704, needed only for SLE15-SP1+
CVE-2019-11811 # bsc#1134397, needed only for SLE15-SP1+
CVE-2019-12817 # bsc#1138263, bsc#1139619, needed only for SLE15-SP1+
+CVE-2019-13233 # bsc#1140454, needed only for SLE15-SP1+
# Blacklisted Commits
# -------------------
@@ -790,7 +791,6 @@ a158531f3c92467df0e93e000d58185acae78a6e # gpio: inapplicable
6de0b13cc0b4ba10e98a9263d7a83b940720b77a # HID: kABI
3064a03b94e60388f0955fcc29f3e8a978d28f75 # HID: kABI
2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452 # HID: kABI
-89c6efa61f5709327ecfa24bff18e57a4e80c7fa # i2c: core-smbus: inapplicable
771b7bf05339081019d22452ebcab6929372e13e # i2c: i2c-stm32f7: inapplicable
4fb840c95f82652cece7352be9080884cafb92a0 # iio: adc: stm32: inapplicable
dd92d5ea20ef8a42be7aeda08c669c586c730451 # iio: multiplexer: inapplicable
@@ -1314,3 +1314,5 @@ fe60522ec60082a1dd735691b82c64f65d4ad15e # not needed (bsc#1088804)
3e3ebed3fef4878e6f1680ff98088db1a9688831 # config-only fix
d065ee93aab6ef4c2a5af5c455b5044bd5136547 # config-only fix
2b874a5c7b75fdc90fdd1e2ffaa3ec5a9d21e253 # config-only fix
+1e1c50a929bc9e49bc3f9935b92450d9e69f8158 # affects only single core-machines
+c2d1b3aae33605a61cbab445d8ae1c708ccd2698 # effectively reverted in upstream
diff --git a/patches.arch/kvm-x86-fix-backward-migration-with-async_pf b/patches.arch/kvm-x86-fix-backward-migration-with-async_pf
new file mode 100644
index 0000000000..66a9b49970
--- /dev/null
+++ b/patches.arch/kvm-x86-fix-backward-migration-with-async_pf
@@ -0,0 +1,97 @@
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 1 Feb 2018 22:16:21 +0100
+Subject: KVM: x86: fix backward migration with async_PF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: fe2a3027e74e40a3ece3a4c1e4e51403090a907a
+Patch-mainline: v4.16-rc4
+References: bsc#1146074
+
+Guests on new hypersiors might set KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT
+bit when enabling async_PF, but this bit is reserved on old hypervisors,
+which results in a failure upon migration.
+
+To avoid breaking different cases, we are checking for CPUID feature bit
+before enabling the feature and nothing else.
+
+Fixes: 52a5c155cf79 ("KVM: async_pf: Let guest support delivery of async_pf from guest mode")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Wanpeng Li <wanpengli@tencent.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/virtual/kvm/cpuid.txt | 4 ++++
+ Documentation/virtual/kvm/msr.txt | 3 ++-
+ arch/x86/include/uapi/asm/kvm_para.h | 1 +
+ arch/x86/kernel/kvm.c | 8 ++++----
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 5 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/Documentation/virtual/kvm/cpuid.txt
++++ b/Documentation/virtual/kvm/cpuid.txt
+@@ -54,6 +54,10 @@ KVM_FEATURE_PV_UNHALT ||
+ || || before enabling paravirtualized
+ || || spinlock support.
+ ------------------------------------------------------------------------------
++KVM_FEATURE_ASYNC_PF_VMEXIT || 10 || paravirtualized async PF VM exit
++ || || can be enabled by setting bit 2
++ || || when writing to msr 0x4b564d02
++------------------------------------------------------------------------------
+ KVM_FEATURE_CLOCKSOURCE_STABLE_BIT || 24 || host will warn if no guest-side
+ || || per-cpu warps are expected in
+ || || kvmclock.
+--- a/Documentation/virtual/kvm/msr.txt
++++ b/Documentation/virtual/kvm/msr.txt
+@@ -170,7 +170,8 @@ MSR_KVM_ASYNC_PF_EN: 0x4b564d02
+ when asynchronous page faults are enabled on the vcpu 0 when
+ disabled. Bit 1 is 1 if asynchronous page faults can be injected
+ when vcpu is in cpl == 0. Bit 2 is 1 if asynchronous page faults
+- are delivered to L1 as #PF vmexits.
++ are delivered to L1 as #PF vmexits. Bit 2 can be set only if
++ KVM_FEATURE_ASYNC_PF_VMEXIT is present in CPUID.
+
+ First 4 byte of 64 byte memory location will be written to by
+ the hypervisor at the time of asynchronous page fault (APF)
+--- a/arch/x86/include/uapi/asm/kvm_para.h
++++ b/arch/x86/include/uapi/asm/kvm_para.h
+@@ -24,6 +24,7 @@
+ #define KVM_FEATURE_STEAL_TIME 5
+ #define KVM_FEATURE_PV_EOI 6
+ #define KVM_FEATURE_PV_UNHALT 7
++#define KVM_FEATURE_ASYNC_PF_VMEXIT 10
+
+ /* The last 8 bits are used to indicate how to interpret the flags field
+ * in pvclock structure. If no bits are set, all flags are ignored.
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -341,10 +341,10 @@ static void kvm_guest_cpu_init(void)
+ #endif
+ pa |= KVM_ASYNC_PF_ENABLED;
+
+- /* Async page fault support for L1 hypervisor is optional */
+- if (wrmsr_safe(MSR_KVM_ASYNC_PF_EN,
+- (pa | KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT) & 0xffffffff, pa >> 32) < 0)
+- wrmsrl(MSR_KVM_ASYNC_PF_EN, pa);
++ if (kvm_para_has_feature(KVM_FEATURE_ASYNC_PF_VMEXIT))
++ pa |= KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT;
++
++ wrmsrl(MSR_KVM_ASYNC_PF_EN, pa);
+ __this_cpu_write(apf_reason.enabled, 1);
+ printk(KERN_INFO"KVM setup async PF for cpu %d\n",
+ smp_processor_id());
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -597,7 +597,8 @@ static inline int __do_cpuid_ent(struct
+ (1 << KVM_FEATURE_ASYNC_PF) |
+ (1 << KVM_FEATURE_PV_EOI) |
+ (1 << KVM_FEATURE_CLOCKSOURCE_STABLE_BIT) |
+- (1 << KVM_FEATURE_PV_UNHALT);
++ (1 << KVM_FEATURE_PV_UNHALT) |
++ (1 << KVM_FEATURE_ASYNC_PF_VMEXIT);
+
+ if (sched_info_on())
+ entry->eax |= (1 << KVM_FEATURE_STEAL_TIME);
+
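Review bot: In the arch/x86/kernel/kvm.c part of this backported patch, the new CPUID gate in kvm_guest_cpu_init() replaces the only comment on that path, and nothing in the code explains why bit 2 must not be written blindly. A comment above the `if (kvm_para_has_feature(KVM_FEATURE_ASYNC_PF_VMEXIT))` line would keep the reason next to the code, for example `/* Bit 2 is reserved on hosts without KVM_FEATURE_ASYNC_PF_VMEXIT; setting it unconditionally breaks migration to them */`. The write also changes from `wrmsr_safe()` with a fallback to a plain `wrmsrl()`, so the guest now relies entirely on the CPUID bit being accurate. The host-side MSR handler is not part of this patch, so it is worth confirming that this tree accepts bit 2 wherever `__do_cpuid_ent()` now advertises the feature. kvm_guest_cpu_init() starts and ends outside the hunk.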
diff --git a/patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch b/patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch
new file mode 100644
index 0000000000..109248d1ba
--- /dev/null
+++ b/patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch
@@ -0,0 +1,71 @@
+From 89c6efa61f5709327ecfa24bff18e57a4e80c7fa Mon Sep 17 00:00:00 2001
+From: Jeremy Compostella <jeremy.compostella@intel.com>
+Date: Wed, 15 Nov 2017 12:31:44 -0700
+Subject: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
+Git-commit: 89c6efa61f5709327ecfa24bff18e57a4e80c7fa
+Patch-mainline: v4.15-rc9
+References: CVE-2017-18551,bsc#1146163
+
+[ Applied to drivers/i2c/i2c-core.c instead of i2c-core-smbus.c for older
+ code base -- tiwai ]
+
+On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
+greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
+data out of the msgbuf1 array boundary.
+
+It is possible from a user application to run into that issue by
+calling the I2C_SMBUS ioctl with data.block[0] greater than
+I2C_SMBUS_BLOCK_MAX + 1.
+
+This patch makes the code compliant with
+Documentation/i2c/dev-interface by raising an error when the requested
+size is larger than 32 bytes.
+
+Call Trace:
+ [<ffffffff8139f695>] dump_stack+0x67/0x92
+ [<ffffffff811802a4>] panic+0xc5/0x1eb
+ [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
+ [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
+ [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
+ [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
+ [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
+ [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
+ [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
+ [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
+ [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
+
+Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/i2c/i2c-core.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/i2c/i2c-core.c
++++ b/drivers/i2c/i2c-core.c
+@@ -3536,16 +3536,17 @@ static s32 i2c_smbus_xfer_emulated(struc
+ the underlying bus driver */
+ break;
+ case I2C_SMBUS_I2C_BLOCK_DATA:
++ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
++ dev_err(&adapter->dev, "Invalid block %s size %d\n",
++ read_write == I2C_SMBUS_READ ? "read" : "write",
++ data->block[0]);
++ return -EINVAL;
++ }
++
+ if (read_write == I2C_SMBUS_READ) {
+ msg[1].len = data->block[0];
+ } else {
+ msg[0].len = data->block[0] + 1;
+- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
+- dev_err(&adapter->dev,
+- "Invalid block write size %d\n",
+- data->block[0]);
+- return -EINVAL;
+- }
+ for (i = 1; i <= data->block[0]; i++)
+ msgbuf0[i] = data->block[i];
+ }
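Review bot: The size check added at the top of `case I2C_SMBUS_I2C_BLOCK_DATA:` reports with `dev_err()` on a path that the commit message says a user application can reach through the I2C_SMBUS ioctl, so any caller with access to the device node can fill the kernel log with repeated invalid requests. Consider `dev_err_ratelimited(&adapter->dev, "Invalid block %s size %d\n", ...)`, or demote it to `dev_dbg()`, since the `-EINVAL` return already tells the caller what went wrong. The declarations of msgbuf0 and msgbuf1 are outside the hunk. Because the backport note says the fix was applied to the older drivers/i2c/i2c-core.c rather than i2c-core-smbus.c, check in this tree that a read of I2C_SMBUS_BLOCK_MAX bytes fits msgbuf1. i2c_smbus_xfer_emulated() continues outside the hunk.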
diff --git a/patches.drivers/iommu-dma-handle-sg-length-overflow-better b/patches.drivers/iommu-dma-handle-sg-length-overflow-better
new file mode 100644
index 0000000000..9a978e6c60
--- /dev/null
+++ b/patches.drivers/iommu-dma-handle-sg-length-overflow-better
@@ -0,0 +1,42 @@
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 29 Jul 2019 17:46:00 +0100
+Subject: iommu/dma: Handle SG length overflow better
+Git-commit: ab2cbeb0ed301a9f0460078e91b09f39958212ef
+Patch-mainline: v5.3-rc5
+References: bsc#1146084
+
+Since scatterlist dimensions are all unsigned ints, in the relatively
+rare cases where a device's max_segment_size is set to UINT_MAX, then
+the "cur_len + s_length <= max_len" check in __finalise_sg() will always
+return true. As a result, the corner case of such a device mapping an
+excessively large scatterlist which is mergeable to or beyond a total
+length of 4GB can lead to overflow and a bogus truncated dma_length in
+the resulting segment.
+
+As we already assume that any single segment must be no longer than
+max_len to begin with, this can easily be addressed by reshuffling the
+comparison.
+
+Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging")
+Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/dma-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
+index 6441197a75ea..4ea9cf02ba2d 100644
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -762,7 +762,7 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
+ * - and wouldn't make the resulting output segment too long
+ */
+ if (cur_len && !s_iova_off && (dma_addr & seg_mask) &&
+- (cur_len + s_length <= max_len)) {
++ (max_len - cur_len >= s_length)) {
+ /* ...then concatenate it with the previous one */
+ cur_len += s_length;
+ } else {
+
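Review bot: The rewritten comparison `(max_len - cur_len >= s_length)` in __finalise_sg() is only wrap-free while cur_len never exceeds max_len, and the code leaves that invariant unstated. The commit message says single segments are assumed to be no longer than max_len, but nothing visible in the hunk enforces it where cur_len is first set. If a lone segment were longer, the unsigned subtraction would wrap and the merge would be permitted again, bringing back the truncated dma_length this patch is meant to prevent. A short comment at the condition would record the assumption, for example `/* cannot wrap: cur_len <= max_len because each input segment is assumed to fit */`. Whether a `WARN_ON_ONCE` is also warranted depends on the else branch, which lies outside the hunk.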
diff --git a/series.conf b/series.conf
index de162368b3..87eacdb94c 100644
--- a/series.conf
+++ b/series.conf
@@ -11619,6 +11619,7 @@
patches.drivers/phy-work-around-phys-references-to-usb-nop-xceiv-dev.patch
patches.fixes/workqueue-avoid-hard-lockups-in-show_workqueue_state.patch
patches.drivers/libata-apply-max_sec_1024-to-all-liteon-ep1-series-devices.patch
+ patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch
patches.drivers/Input-twl4030-vibra-fix-sibling-node-lookup
patches.drivers/Input-twl6040-vibra-fix-child-node-lookup
patches.drivers/Input-88pm860x-ts-fix-child-node-lookup
@@ -14019,6 +14020,7 @@
patches.arch/kvm-x86-remove-warn_on-for-when-vm_munmap-fails
patches.arch/KVM-mmu-Fix-overlap-between-public-and-private-memsl.patch
patches.arch/kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2
+ patches.arch/kvm-x86-fix-backward-migration-with-async_pf
patches.suse/include-psp-sev-capitalize-invalid-length-enum.patch
patches.suse/kvm-svm-no-need-to-call-access_ok-in-launch_measure-command.patch
patches.suse/kvm-svm-fix-sev-launch_secret-command.patch
@@ -23513,6 +23515,7 @@
patches.drivers/usb-iowarrior-fix-deadlock-on-disconnect.patch
patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
+ patches.drivers/iommu-dma-handle-sg-length-overflow-better
patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch