--- /dev/null
+From 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 21 Aug 2019 20:00:02 +0200
+Subject: ALSA: line6: Fix memory leak at line6_init_pcm() error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream.
+
+I forgot to release the allocated object at the early error path in
+line6_init_pcm(). For addressing it, slightly shuffle the code so
+that the PCM destructor (pcm->private_free) is assigned properly
+before all error paths.
+
+Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/pcm.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -552,6 +552,15 @@ int line6_init_pcm(struct usb_line6 *lin
+ line6pcm->volume_monitor = 255;
+ line6pcm->line6 = line6;
+
++ spin_lock_init(&line6pcm->out.lock);
++ spin_lock_init(&line6pcm->in.lock);
++ line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD;
++
++ line6->line6pcm = line6pcm;
++
++ pcm->private_data = line6pcm;
++ pcm->private_free = line6_cleanup_pcm;
++
+ line6pcm->max_packet_size_in =
+ usb_maxpacket(line6->usbdev,
+ usb_rcvisocpipe(line6->usbdev, ep_read), 0);
+@@ -564,15 +573,6 @@ int line6_init_pcm(struct usb_line6 *lin
+ return -EINVAL;
+ }
+
+- spin_lock_init(&line6pcm->out.lock);
+- spin_lock_init(&line6pcm->in.lock);
+- line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD;
+-
+- line6->line6pcm = line6pcm;
+-
+- pcm->private_data = line6pcm;
+- pcm->private_free = line6_cleanup_pcm;
+-
+ err = line6_create_audio_out_urbs(line6pcm);
+ if (err < 0)
+ return err;
--- /dev/null
+From 75545304eba6a3d282f923b96a466dc25a81e359 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 25 Aug 2019 09:21:44 +0200
+Subject: ALSA: seq: Fix potential concurrent access to the deleted pool
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 75545304eba6a3d282f923b96a466dc25a81e359 upstream.
+
+The input pool of a client might be deleted via the resize ioctl, the
+the access to it should be covered by the proper locks. Currently the
+only missing place is the call in snd_seq_ioctl_get_client_pool(), and
+this patch papers over it.
+
+Reported-by: syzbot+4a75454b9ca2777f35c7@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 3 +--
+ sound/core/seq/seq_fifo.c | 17 +++++++++++++++++
+ sound/core/seq/seq_fifo.h | 2 ++
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1822,8 +1822,7 @@ static int snd_seq_ioctl_get_client_pool
+ if (cptr->type == USER_CLIENT) {
+ info->input_pool = cptr->data.user.fifo_pool_size;
+ info->input_free = info->input_pool;
+- if (cptr->data.user.fifo)
+- info->input_free = snd_seq_unused_cells(cptr->data.user.fifo->pool);
++ info->input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo);
+ } else {
+ info->input_pool = 0;
+ info->input_free = 0;
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -278,3 +278,20 @@ int snd_seq_fifo_resize(struct snd_seq_f
+
+ return 0;
+ }
++
++/* get the number of unused cells safely */
++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f)
++{
++ unsigned long flags;
++ int cells;
++
++ if (!f)
++ return 0;
++
++ snd_use_lock_use(&f->use_lock);
++ spin_lock_irqsave(&f->lock, flags);
++ cells = snd_seq_unused_cells(f->pool);
++ spin_unlock_irqrestore(&f->lock, flags);
++ snd_use_lock_free(&f->use_lock);
++ return cells;
++}
+--- a/sound/core/seq/seq_fifo.h
++++ b/sound/core/seq/seq_fifo.h
+@@ -68,5 +68,7 @@ int snd_seq_fifo_poll_wait(struct snd_se
+ /* resize pool in fifo */
+ int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize);
+
++/* get the number of unused cells safely */
++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f);
+
+ #endif
--- /dev/null
+From 75ee23b30dc712d80d2421a9a547e7ab6e379b44 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Fri, 23 Aug 2019 13:55:44 -0700
+Subject: KVM: x86: Don't update RIP or do single-step on faulting emulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 75ee23b30dc712d80d2421a9a547e7ab6e379b44 upstream.
+
+Don't advance RIP or inject a single-step #DB if emulation signals a
+fault. This logic applies to all state updates that are conditional on
+clean retirement of the emulation instruction, e.g. updating RFLAGS was
+previously handled by commit 38827dbd3fb85 ("KVM: x86: Do not update
+EFLAGS on faulting emulation").
+
+Not advancing RIP is likely a nop, i.e. ctxt->eip isn't updated with
+ctxt->_eip until emulation "retires" anyways. Skipping #DB injection
+fixes a bug reported by Andy Lutomirski where a #UD on SYSCALL due to
+invalid state with EFLAGS.TF=1 would loop indefinitely due to emulation
+overwriting the #UD with #DB and thus restarting the bad SYSCALL over
+and over.
+
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Cc: stable@vger.kernel.org
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Fixes: 663f4c61b803 ("KVM: x86: handle singlestep during emulation")
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5823,12 +5823,13 @@ restart:
+ unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
+ toggle_interruptibility(vcpu, ctxt->interruptibility);
+ vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+- kvm_rip_write(vcpu, ctxt->eip);
+- if (r == EMULATE_DONE && ctxt->tf)
+- kvm_vcpu_do_singlestep(vcpu, &r);
+ if (!ctxt->have_exception ||
+- exception_type(ctxt->exception.vector) == EXCPT_TRAP)
++ exception_type(ctxt->exception.vector) == EXCPT_TRAP) {
++ kvm_rip_write(vcpu, ctxt->eip);
++ if (r == EMULATE_DONE && ctxt->tf)
++ kvm_vcpu_do_singlestep(vcpu, &r);
+ __kvm_set_rflags(vcpu, ctxt->eflags);
++ }
+
+ /*
+ * For STI, interrupts are shadowed; so KVM_REQ_EVENT will
alsa-usb-audio-fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
alsa-usb-audio-fix-an-oob-bug-in-parse_audio_mixer_unit.patch
tcp-make-sure-epollout-wont-be-missed.patch
+alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch
+alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch
+kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch
+x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch
+x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch
--- /dev/null
+From bae3a8d3308ee69a7dbdf145911b18dfda8ade0d Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Mon, 26 Aug 2019 06:15:12 -0400
+Subject: x86/apic: Do not initialize LDR and DFR for bigsmp
+
+From: Bandan Das <bsd@redhat.com>
+
+commit bae3a8d3308ee69a7dbdf145911b18dfda8ade0d upstream.
+
+Legacy apic init uses bigsmp for smp systems with 8 and more CPUs. The
+bigsmp APIC implementation uses physical destination mode, but it
+nevertheless initializes LDR and DFR. The LDR even ends up incorrectly with
+multiple bit being set.
+
+This does not cause a functional problem because LDR and DFR are ignored
+when physical destination mode is active, but it triggered a problem on a
+32-bit KVM guest which jumps into a kdump kernel.
+
+The multiple bits set unearthed a bug in the KVM APIC implementation. The
+code which creates the logical destination map for VCPUs ignores the
+disabled state of the APIC and ends up overwriting an existing valid entry
+and as a result, APIC calibration hangs in the guest during kdump
+initialization.
+
+Remove the bogus LDR/DFR initialization.
+
+This is not intended to work around the KVM APIC bug. The LDR/DFR
+ininitalization is wrong on its own.
+
+The issue goes back into the pre git history. The fixes tag is the commit
+in the bitkeeper import which introduced bigsmp support in 2003.
+
+ git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+
+Fixes: db7b9e9f26b8 ("[PATCH] Clustered APIC setup for >8 CPU systems")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190826101513.5080-2-bsd@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/bigsmp_32.c | 24 ++----------------------
+ 1 file changed, 2 insertions(+), 22 deletions(-)
+
+--- a/arch/x86/kernel/apic/bigsmp_32.c
++++ b/arch/x86/kernel/apic/bigsmp_32.c
+@@ -37,32 +37,12 @@ static int bigsmp_early_logical_apicid(i
+ return early_per_cpu(x86_cpu_to_apicid, cpu);
+ }
+
+-static inline unsigned long calculate_ldr(int cpu)
+-{
+- unsigned long val, id;
+-
+- val = apic_read(APIC_LDR) & ~APIC_LDR_MASK;
+- id = per_cpu(x86_bios_cpu_apicid, cpu);
+- val |= SET_APIC_LOGICAL_ID(id);
+-
+- return val;
+-}
+-
+ /*
+- * Set up the logical destination ID.
+- *
+- * Intel recommends to set DFR, LDR and TPR before enabling
+- * an APIC. See e.g. "AP-388 82489DX User's Manual" (Intel
+- * document number 292116). So here it goes...
++ * bigsmp enables physical destination mode
++ * and doesn't use LDR and DFR
+ */
+ static void bigsmp_init_apic_ldr(void)
+ {
+- unsigned long val;
+- int cpu = smp_processor_id();
+-
+- apic_write(APIC_DFR, APIC_DFR_FLAT);
+- val = calculate_ldr(cpu);
+- apic_write(APIC_LDR, val);
+ }
+
+ static void bigsmp_setup_apic_routing(void)
--- /dev/null
+From 558682b5291937a70748d36fd9ba757fb25b99ae Mon Sep 17 00:00:00 2001
+From: Bandan Das <bsd@redhat.com>
+Date: Mon, 26 Aug 2019 06:15:13 -0400
+Subject: x86/apic: Include the LDR when clearing out APIC registers
+
+From: Bandan Das <bsd@redhat.com>
+
+commit 558682b5291937a70748d36fd9ba757fb25b99ae upstream.
+
+Although APIC initialization will typically clear out the LDR before
+setting it, the APIC cleanup code should reset the LDR.
+
+This was discovered with a 32-bit KVM guest jumping into a kdump
+kernel. The stale bits in the LDR triggered a bug in the KVM APIC
+implementation which caused the destination mapping for VCPUs to be
+corrupted.
+
+Note that this isn't intended to paper over the KVM APIC bug. The kernel
+has to clear the LDR when resetting the APIC registers except when X2APIC
+is enabled.
+
+This lacks a Fixes tag because missing to clear LDR goes way back into pre
+git history.
+
+[ tglx: Made x2apic_enabled a function call as required ]
+
+Signed-off-by: Bandan Das <bsd@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190826101513.5080-3-bsd@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1067,6 +1067,10 @@ void clear_local_APIC(void)
+ apic_write(APIC_LVT0, v | APIC_LVT_MASKED);
+ v = apic_read(APIC_LVT1);
+ apic_write(APIC_LVT1, v | APIC_LVT_MASKED);
++ if (!x2apic_enabled()) {
++ v = apic_read(APIC_LDR) & ~APIC_LDR_MASK;
++ apic_write(APIC_LDR, v);
++ }
+ if (maxlvt >= 4) {
+ v = apic_read(APIC_LVTPC);
+ apic_write(APIC_LVTPC, v | APIC_LVT_MASKED);
projects / thirdparty / kernel / stable-queue.git / commitdiff
