--- /dev/null
+From 410f954cb1d1c79ae485dd83a175f21954fd87cd Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 10 Sep 2019 15:26:49 +0100
+Subject: Btrfs: fix assertion failure during fsync and use of stale transaction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 410f954cb1d1c79ae485dd83a175f21954fd87cd upstream.
+
+Sometimes when fsync'ing a file we need to log that other inodes exist and
+when we need to do that we acquire a reference on the inodes and then drop
+that reference using iput() after logging them.
+
+That generally is not a problem except if we end up doing the final iput()
+(dropping the last reference) on the inode and that inode has a link count
+of 0, which can happen in a very short time window if the logging path
+gets a reference on the inode while it's being unlinked.
+
+In that case we end up getting the eviction callback, btrfs_evict_inode(),
+invoked through the iput() call chain which needs to drop all of the
+inode's items from its subvolume btree, and in order to do that, it needs
+to join a transaction at the helper function evict_refill_and_join().
+However because the task previously started a transaction at the fsync
+handler, btrfs_sync_file(), it has current->journal_info already pointing
+to a transaction handle and therefore evict_refill_and_join() will get
+that transaction handle from btrfs_join_transaction(). From this point on,
+two different problems can happen:
+
+1) evict_refill_and_join() will often change the transaction handle's
+ block reserve (->block_rsv) and set its ->bytes_reserved field to a
+ value greater than 0. If evict_refill_and_join() never commits the
+ transaction, the eviction handler ends up decreasing the reference
+ count (->use_count) of the transaction handle through the call to
+ btrfs_end_transaction(), and after that point we have a transaction
+ handle with a NULL ->block_rsv (which is the value prior to the
+ transaction join from evict_refill_and_join()) and a ->bytes_reserved
+ value greater than 0. If after the eviction/iput completes the inode
+ logging path hits an error or it decides that it must fallback to a
+ transaction commit, the btrfs fsync handle, btrfs_sync_file(), gets a
+ non-zero value from btrfs_log_dentry_safe(), and because of that
+ non-zero value it tries to commit the transaction using a handle with
+ a NULL ->block_rsv and a non-zero ->bytes_reserved value. This makes
+ the transaction commit hit an assertion failure at
+ btrfs_trans_release_metadata() because ->bytes_reserved is not zero but
+ the ->block_rsv is NULL. The produced stack trace for that is like the
+ following:
+
+ [192922.917158] assertion failed: !trans->bytes_reserved, file: fs/btrfs/transaction.c, line: 816
+ [192922.917553] ------------[ cut here ]------------
+ [192922.917922] kernel BUG at fs/btrfs/ctree.h:3532!
+ [192922.918310] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
+ [192922.918666] CPU: 2 PID: 883 Comm: fsstress Tainted: G W 5.1.4-btrfs-next-47 #1
+ [192922.919035] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
+ [192922.919801] RIP: 0010:assfail.constprop.25+0x18/0x1a [btrfs]
+ (...)
+ [192922.920925] RSP: 0018:ffffaebdc8a27da8 EFLAGS: 00010286
+ [192922.921315] RAX: 0000000000000051 RBX: ffff95c9c16a41c0 RCX: 0000000000000000
+ [192922.921692] RDX: 0000000000000000 RSI: ffff95cab6b16838 RDI: ffff95cab6b16838
+ [192922.922066] RBP: ffff95c9c16a41c0 R08: 0000000000000000 R09: 0000000000000000
+ [192922.922442] R10: ffffaebdc8a27e70 R11: 0000000000000000 R12: ffff95ca731a0980
+ [192922.922820] R13: 0000000000000000 R14: ffff95ca84c73338 R15: ffff95ca731a0ea8
+ [192922.923200] FS: 00007f337eda4e80(0000) GS:ffff95cab6b00000(0000) knlGS:0000000000000000
+ [192922.923579] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [192922.923948] CR2: 00007f337edad000 CR3: 00000001e00f6002 CR4: 00000000003606e0
+ [192922.924329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [192922.924711] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [192922.925105] Call Trace:
+ [192922.925505] btrfs_trans_release_metadata+0x10c/0x170 [btrfs]
+ [192922.925911] btrfs_commit_transaction+0x3e/0xaf0 [btrfs]
+ [192922.926324] btrfs_sync_file+0x44c/0x490 [btrfs]
+ [192922.926731] do_fsync+0x38/0x60
+ [192922.927138] __x64_sys_fdatasync+0x13/0x20
+ [192922.927543] do_syscall_64+0x60/0x1c0
+ [192922.927939] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ (...)
+ [192922.934077] ---[ end trace f00808b12068168f ]---
+
+2) If evict_refill_and_join() decides to commit the transaction, it will
+ be able to do it, since the nested transaction join only increments the
+ transaction handle's ->use_count reference counter and it does not
+ prevent the transaction from getting committed. This means that after
+ eviction completes, the fsync logging path will be using a transaction
+ handle that refers to an already committed transaction. What happens
+ when using such a stale transaction can be unpredictable, we are at
+ least having a use-after-free on the transaction handle itself, since
+ the transaction commit will call kmem_cache_free() against the handle
+ regardless of its ->use_count value, or we can end up silently losing
+ all the updates to the log tree after that iput() in the logging path,
+ or using a transaction handle that in the meanwhile was allocated to
+ another task for a new transaction, etc, pretty much unpredictable
+ what can happen.
+
+In order to fix both of them, instead of using iput() during logging, use
+btrfs_add_delayed_iput(), so that the logging path of fsync never drops
+the last reference on an inode, that step is offloaded to a safe context
+(usually the cleaner kthread).
+
+The assertion failure issue was sporadically triggered by the test case
+generic/475 from fstests, which loads the dm error target while fsstress
+is running, which lead to fsync failing while logging inodes with -EIO
+errors and then trying later to commit the transaction, triggering the
+assertion failure.
+
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5107,7 +5107,7 @@ again:
+ BTRFS_I(other_inode),
+ LOG_OTHER_INODE, 0, LLONG_MAX,
+ ctx);
+- iput(other_inode);
++ btrfs_add_delayed_iput(other_inode);
+ if (err)
+ goto out_unlock;
+ else
+@@ -5519,7 +5519,7 @@ process_leaf:
+ }
+
+ if (btrfs_inode_in_log(BTRFS_I(di_inode), trans->transid)) {
+- iput(di_inode);
++ btrfs_add_delayed_iput(di_inode);
+ break;
+ }
+
+@@ -5531,7 +5531,7 @@ process_leaf:
+ if (!ret &&
+ btrfs_must_commit_transaction(trans, BTRFS_I(di_inode)))
+ ret = 1;
+- iput(di_inode);
++ btrfs_add_delayed_iput(di_inode);
+ if (ret)
+ goto next_dir_inode;
+ if (ctx->log_new_dentries) {
+@@ -5678,7 +5678,7 @@ static int btrfs_log_all_parents(struct
+ if (!ret && ctx && ctx->log_new_dentries)
+ ret = log_new_dir_dentries(trans, root,
+ BTRFS_I(dir_inode), ctx);
+- iput(dir_inode);
++ btrfs_add_delayed_iput(dir_inode);
+ if (ret)
+ goto out;
+ }
--- /dev/null
+From eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a Mon Sep 17 00:00:00 2001
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+Date: Wed, 4 Sep 2019 20:46:25 +0800
+Subject: genirq: Prevent NULL pointer dereference in resend_irqs()
+
+From: Yunfeng Ye <yeyunfeng@huawei.com>
+
+commit eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a upstream.
+
+The following crash was observed:
+
+ Unable to handle kernel NULL pointer dereference at 0000000000000158
+ Internal error: Oops: 96000004 [#1] SMP
+ pc : resend_irqs+0x68/0xb0
+ lr : resend_irqs+0x64/0xb0
+ ...
+ Call trace:
+ resend_irqs+0x68/0xb0
+ tasklet_action_common.isra.6+0x84/0x138
+ tasklet_action+0x2c/0x38
+ __do_softirq+0x120/0x324
+ run_ksoftirqd+0x44/0x60
+ smpboot_thread_fn+0x1ac/0x1e8
+ kthread+0x134/0x138
+ ret_from_fork+0x10/0x18
+
+The reason for this is that the interrupt resend mechanism happens in soft
+interrupt context, which is a asynchronous mechanism versus other
+operations on interrupts. free_irq() does not take resend handling into
+account. Thus, the irq descriptor might be already freed before the resend
+tasklet is executed. resend_irqs() does not check the return value of the
+interrupt descriptor lookup and derefences the return value
+unconditionally.
+
+ 1):
+ __setup_irq
+ irq_startup
+ check_irq_resend // activate softirq to handle resend irq
+ 2):
+ irq_domain_free_irqs
+ irq_free_descs
+ free_desc
+ call_rcu(&desc->rcu, delayed_free_desc)
+ 3):
+ __do_softirq
+ tasklet_action
+ resend_irqs
+ desc = irq_to_desc(irq)
+ desc->handle_irq(desc) // desc is NULL --> Ooops
+
+Fix this by adding a NULL pointer check in resend_irqs() before derefencing
+the irq descriptor.
+
+Fixes: a4633adcdbc1 ("[PATCH] genirq: add genirq sw IRQ-retrigger")
+Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1630ae13-5c8e-901e-de09-e740b6a426a7@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/resend.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/irq/resend.c
++++ b/kernel/irq/resend.c
+@@ -36,6 +36,8 @@ static void resend_irqs(unsigned long ar
+ irq = find_first_bit(irqs_resend, nr_irqs);
+ clear_bit(irq, irqs_resend);
+ desc = irq_to_desc(irq);
++ if (!desc)
++ continue;
+ local_irq_disable();
+ desc->handle_irq(desc);
+ local_irq_enable();
--- /dev/null
+From 5ca2f54b597c816df54ff1b28eb99cf7262b955d Mon Sep 17 00:00:00 2001
+From: Kent Gibson <warthog618@gmail.com>
+Date: Mon, 9 Sep 2019 03:24:06 +0000
+Subject: gpio: fix line flag validation in lineevent_create
+
+From: Kent Gibson <warthog618@gmail.com>
+
+commit 5ca2f54b597c816df54ff1b28eb99cf7262b955d upstream.
+
+lineevent_create should not allow any of GPIOHANDLE_REQUEST_OUTPUT,
+GPIOHANDLE_REQUEST_OPEN_DRAIN or GPIOHANDLE_REQUEST_OPEN_SOURCE to be set.
+
+Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Kent Gibson <warthog618@gmail.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -924,7 +924,9 @@ static int lineevent_create(struct gpio_
+ }
+
+ /* This is just wrong: we don't look for events on output lines */
+- if (lflags & GPIOHANDLE_REQUEST_OUTPUT) {
++ if ((lflags & GPIOHANDLE_REQUEST_OUTPUT) ||
++ (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) ||
++ (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE)) {
+ ret = -EINVAL;
+ goto out_free_label;
+ }
+@@ -938,10 +940,6 @@ static int lineevent_create(struct gpio_
+
+ if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW)
+ set_bit(FLAG_ACTIVE_LOW, &desc->flags);
+- if (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN)
+- set_bit(FLAG_OPEN_DRAIN, &desc->flags);
+- if (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE)
+- set_bit(FLAG_OPEN_SOURCE, &desc->flags);
+
+ ret = gpiod_direction_input(desc);
+ if (ret)
--- /dev/null
+From e95fbc130a162ba9ad956311b95aa0da269eea48 Mon Sep 17 00:00:00 2001
+From: Kent Gibson <warthog618@gmail.com>
+Date: Mon, 9 Sep 2019 03:22:18 +0000
+Subject: gpio: fix line flag validation in linehandle_create
+
+From: Kent Gibson <warthog618@gmail.com>
+
+commit e95fbc130a162ba9ad956311b95aa0da269eea48 upstream.
+
+linehandle_create should not allow both GPIOHANDLE_REQUEST_INPUT
+and GPIOHANDLE_REQUEST_OUTPUT to be set.
+
+Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Kent Gibson <warthog618@gmail.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -525,6 +525,14 @@ static int linehandle_create(struct gpio
+ return -EINVAL;
+
+ /*
++ * Do not allow both INPUT & OUTPUT flags to be set as they are
++ * contradictory.
++ */
++ if ((lflags & GPIOHANDLE_REQUEST_INPUT) &&
++ (lflags & GPIOHANDLE_REQUEST_OUTPUT))
++ return -EINVAL;
++
++ /*
+ * Do not allow OPEN_SOURCE & OPEN_DRAIN flags in a single request. If
+ * the hardware actually supports enabling both at the same time the
+ * electrical result would be disastrous.
--- /dev/null
+From 61f7f7c8f978b1c0d80e43c83b7d110ca0496eb4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 27 Aug 2019 22:28:35 +0200
+Subject: gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 61f7f7c8f978b1c0d80e43c83b7d110ca0496eb4 upstream.
+
+Another day; another DSDT bug we need to workaround...
+
+Since commit ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events
+at least once on boot") we call _AEI edge handlers at boot.
+
+In some rare cases this causes problems. One example of this is the Minix
+Neo Z83-4 mini PC, this device has a clear DSDT bug where it has some copy
+and pasted code for dealing with Micro USB-B connector host/device role
+switching, while the mini PC does not even have a micro-USB connector.
+This code, which should not be there, messes with the DDC data pin from
+the HDMI connector (switching it to GPIO mode) breaking HDMI support.
+
+To avoid problems like this, this commit adds a new
+gpiolib_acpi.run_edge_events_on_boot kernel commandline option, which
+allows disabling the running of _AEI edge event handlers at boot.
+
+The default value is -1/auto which uses a DMI based blacklist, the initial
+version of this blacklist contains the Neo Z83-4 fixing the HDMI breakage.
+
+Cc: stable@vger.kernel.org
+Cc: Daniel Drake <drake@endlessm.com>
+Cc: Ian W MORRISON <ianwmorrison@gmail.com>
+Reported-by: Ian W MORRISON <ianwmorrison@gmail.com>
+Suggested-by: Ian W MORRISON <ianwmorrison@gmail.com>
+Fixes: ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events at least once on boot")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20190827202835.213456-1-hdegoede@redhat.com
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Ian W MORRISON <ianwmorrison@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-acpi.c | 42 ++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -10,6 +10,7 @@
+ * published by the Free Software Foundation.
+ */
+
++#include <linux/dmi.h>
+ #include <linux/errno.h>
+ #include <linux/gpio.h>
+ #include <linux/gpio/consumer.h>
+@@ -23,6 +24,11 @@
+
+ #include "gpiolib.h"
+
++static int run_edge_events_on_boot = -1;
++module_param(run_edge_events_on_boot, int, 0444);
++MODULE_PARM_DESC(run_edge_events_on_boot,
++ "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto");
++
+ /**
+ * struct acpi_gpio_event - ACPI GPIO event handler data
+ *
+@@ -174,10 +180,13 @@ static void acpi_gpiochip_request_irq(st
+ event->irq_requested = true;
+
+ /* Make sure we trigger the initial state of edge-triggered IRQs */
+- value = gpiod_get_raw_value_cansleep(event->desc);
+- if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
+- ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
+- event->handler(event->irq, event);
++ if (run_edge_events_on_boot &&
++ (event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) {
++ value = gpiod_get_raw_value_cansleep(event->desc);
++ if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
++ ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
++ event->handler(event->irq, event);
++ }
+ }
+
+ static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio)
+@@ -1253,3 +1262,28 @@ static int acpi_gpio_handle_deferred_req
+ }
+ /* We must use _sync so that this runs after the first deferred_probe run */
+ late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
++
++static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = {
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
++ }
++ },
++ {} /* Terminating entry */
++};
++
++static int acpi_gpio_setup_params(void)
++{
++ if (run_edge_events_on_boot < 0) {
++ if (dmi_check_system(run_edge_events_on_boot_blacklist))
++ run_edge_events_on_boot = 0;
++ else
++ run_edge_events_on_boot = 1;
++ }
++
++ return 0;
++}
++
++/* Directly after dmi_setup() which runs as core_initcall() */
++postcore_initcall(acpi_gpio_setup_params);
--- /dev/null
+From 377228accbbb8b9738f615d791aa803f41c067e0 Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Date: Wed, 4 Sep 2019 08:07:11 -0700
+Subject: ixgbe: Prevent u8 wrapping of ITR value to something less than 10us
+
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+
+commit 377228accbbb8b9738f615d791aa803f41c067e0 upstream.
+
+There were a couple cases where the ITR value generated via the adaptive
+ITR scheme could exceed 126. This resulted in the value becoming either 0
+or something less than 10. Switching back and forth between a value less
+than 10 and a value greater than 10 can cause issues as certain hardware
+features such as RSC to not function well when the ITR value has dropped
+that low.
+
+CC: stable@vger.kernel.org
+Fixes: b4ded8327fea ("ixgbe: Update adaptive ITR algorithm")
+Reported-by: Gregg Leventhal <gleventhal@janestreet.com>
+Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2626,7 +2626,7 @@ adjust_by_size:
+ /* 16K ints/sec to 9.2K ints/sec */
+ avg_wire_size *= 15;
+ avg_wire_size += 11452;
+- } else if (avg_wire_size <= 1980) {
++ } else if (avg_wire_size < 1968) {
+ /* 9.2K ints/sec to 8K ints/sec */
+ avg_wire_size *= 5;
+ avg_wire_size += 22420;
+@@ -2659,6 +2659,8 @@ adjust_by_size:
+ case IXGBE_LINK_SPEED_2_5GB_FULL:
+ case IXGBE_LINK_SPEED_1GB_FULL:
+ case IXGBE_LINK_SPEED_10_FULL:
++ if (avg_wire_size > 8064)
++ avg_wire_size = 8064;
+ itr += DIV_ROUND_UP(avg_wire_size,
+ IXGBE_ITR_ADAPTIVE_MIN_INC * 64) *
+ IXGBE_ITR_ADAPTIVE_MIN_INC;
--- /dev/null
+From f7eea636c3d505fe6f1d1066234f1aaf7171b681 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sat, 14 Sep 2019 00:26:27 +0200
+Subject: KVM: nVMX: handle page fault in vmread
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit f7eea636c3d505fe6f1d1066234f1aaf7171b681 upstream.
+
+The implementation of vmread to memory is still incomplete, as it
+lacks the ability to do vmread to I/O memory just like vmptrst.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8757,6 +8757,7 @@ static int handle_vmread(struct kvm_vcpu
+ u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
+ gva_t gva = 0;
+ struct vmcs12 *vmcs12;
++ struct x86_exception e;
+
+ if (!nested_vmx_check_permission(vcpu))
+ return 1;
+@@ -8798,8 +8799,10 @@ static int handle_vmread(struct kvm_vcpu
+ vmx_instruction_info, true, &gva))
+ return 1;
+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
+- kvm_write_guest_virt_system(vcpu, gva, &field_value,
+- (is_long_mode(vcpu) ? 8 : 4), NULL);
++ if (kvm_write_guest_virt_system(vcpu, gva, &field_value,
++ (is_long_mode(vcpu) ? 8 : 4),
++ NULL))
++ kvm_inject_page_fault(vcpu, &e);
+ }
+
+ nested_vmx_succeed(vcpu);
--- /dev/null
+From 53936b5bf35e140ae27e4bbf0447a61063f400da Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 12 Sep 2019 13:54:38 +0200
+Subject: KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 53936b5bf35e140ae27e4bbf0447a61063f400da upstream.
+
+When the userspace program runs the KVM_S390_INTERRUPT ioctl to inject
+an interrupt, we convert them from the legacy struct kvm_s390_interrupt
+to the new struct kvm_s390_irq via the s390int_to_s390irq() function.
+However, this function does not take care of all types of interrupts
+that we can inject into the guest later (see do_inject_vcpu()). Since we
+do not clear out the s390irq values before calling s390int_to_s390irq(),
+there is a chance that we copy random data from the kernel stack which
+could be leaked to the userspace later.
+
+Specifically, the problem exists with the KVM_S390_INT_PFAULT_INIT
+interrupt: s390int_to_s390irq() does not handle it, and the function
+__inject_pfault_init() later copies irq->u.ext which contains the
+random kernel stack data. This data can then be leaked either to
+the guest memory in __deliver_pfault_init(), or the userspace might
+retrieve it directly with the KVM_S390_GET_IRQ_STATE ioctl.
+
+Fix it by handling that interrupt type in s390int_to_s390irq(), too,
+and by making sure that the s390irq struct is properly pre-initialized.
+And while we're at it, make sure that s390int_to_s390irq() now
+directly returns -EINVAL for unknown interrupt types, so that we
+immediately get a proper error code in case we add more interrupt
+types to do_inject_vcpu() without updating s390int_to_s390irq()
+sometime in the future.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Link: https://lore.kernel.org/kvm/20190912115438.25761-1-thuth@redhat.com
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c | 10 ++++++++++
+ arch/s390/kvm/kvm-s390.c | 2 +-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1879,6 +1879,16 @@ int s390int_to_s390irq(struct kvm_s390_i
+ case KVM_S390_MCHK:
+ irq->u.mchk.mcic = s390int->parm64;
+ break;
++ case KVM_S390_INT_PFAULT_INIT:
++ irq->u.ext.ext_params = s390int->parm;
++ irq->u.ext.ext_params2 = s390int->parm64;
++ break;
++ case KVM_S390_RESTART:
++ case KVM_S390_INT_CLOCK_COMP:
++ case KVM_S390_INT_CPU_TIMER:
++ break;
++ default:
++ return -EINVAL;
+ }
+ return 0;
+ }
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -3958,7 +3958,7 @@ long kvm_arch_vcpu_async_ioctl(struct fi
+ }
+ case KVM_S390_INTERRUPT: {
+ struct kvm_s390_interrupt s390int;
+- struct kvm_s390_irq s390irq;
++ struct kvm_s390_irq s390irq = {};
+
+ if (copy_from_user(&s390int, argp, sizeof(s390int)))
+ return -EFAULT;
--- /dev/null
+From 13a17cc0526f08d1df9507f7484176371cd263a0 Mon Sep 17 00:00:00 2001
+From: Igor Mammedov <imammedo@redhat.com>
+Date: Wed, 11 Sep 2019 03:52:18 -0400
+Subject: KVM: s390: kvm_s390_vm_start_migration: check dirty_bitmap before using it as target for memset()
+
+From: Igor Mammedov <imammedo@redhat.com>
+
+commit 13a17cc0526f08d1df9507f7484176371cd263a0 upstream.
+
+If userspace doesn't set KVM_MEM_LOG_DIRTY_PAGES on memslot before calling
+kvm_s390_vm_start_migration(), kernel will oops with:
+
+ Unable to handle kernel pointer dereference in virtual kernel address space
+ Failing address: 0000000000000000 TEID: 0000000000000483
+ Fault in home space mode while using kernel ASCE.
+ AS:0000000002a2000b R2:00000001bff8c00b R3:00000001bff88007 S:00000001bff91000 P:000000000000003d
+ Oops: 0004 ilc:2 [#1] SMP
+ ...
+ Call Trace:
+ ([<001fffff804ec552>] kvm_s390_vm_set_attr+0x347a/0x3828 [kvm])
+ [<001fffff804ecfc0>] kvm_arch_vm_ioctl+0x6c0/0x1998 [kvm]
+ [<001fffff804b67e4>] kvm_vm_ioctl+0x51c/0x11a8 [kvm]
+ [<00000000008ba572>] do_vfs_ioctl+0x1d2/0xe58
+ [<00000000008bb284>] ksys_ioctl+0x8c/0xb8
+ [<00000000008bb2e2>] sys_ioctl+0x32/0x40
+ [<000000000175552c>] system_call+0x2b8/0x2d8
+ INFO: lockdep is turned off.
+ Last Breaking-Event-Address:
+ [<0000000000dbaf60>] __memset+0xc/0xa0
+
+due to ms->dirty_bitmap being NULL, which might crash the host.
+
+Make sure that ms->dirty_bitmap is set before using it or
+return -EINVAL otherwise.
+
+Cc: <stable@vger.kernel.org>
+Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots")
+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+Link: https://lore.kernel.org/kvm/20190911075218.29153-1-imammedo@redhat.com/
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -928,6 +928,8 @@ static int kvm_s390_vm_start_migration(s
+ /* mark all the pages in active slots as dirty */
+ for (slotnr = 0; slotnr < slots->used_slots; slotnr++) {
+ ms = slots->memslots + slotnr;
++ if (!ms->dirty_bitmap)
++ return -EINVAL;
+ /*
+ * The second half of the bitmap is only used on x86,
+ * and would be wasted otherwise, so we put it to good
--- /dev/null
+From 541ab2aeb28251bf7135c7961f3a6080eebcc705 Mon Sep 17 00:00:00 2001
+From: Fuqian Huang <huangfq.daxian@gmail.com>
+Date: Thu, 12 Sep 2019 12:18:17 +0800
+Subject: KVM: x86: work around leak of uninitialized stack contents
+
+From: Fuqian Huang <huangfq.daxian@gmail.com>
+
+commit 541ab2aeb28251bf7135c7961f3a6080eebcc705 upstream.
+
+Emulation of VMPTRST can incorrectly inject a page fault
+when passed an operand that points to an MMIO address.
+The page fault will use uninitialized kernel stack memory
+as the CR2 and error code.
+
+The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
+exit to userspace; however, it is not an easy fix, so for now just ensure
+that the error code and CR2 are zero.
+
+Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
+Cc: stable@vger.kernel.org
+[add comment]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5016,6 +5016,13 @@ int kvm_write_guest_virt_system(struct k
+ /* kvm_write_guest_virt_system can pull in tons of pages. */
+ vcpu->arch.l1tf_flush_l1d = true;
+
++ /*
++ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
++ * is returned, but our callers are not ready for that and they blindly
++ * call kvm_inject_page_fault. Ensure that they at least do not leak
++ * uninitialized kernel stack memory into cr2 and error code.
++ */
++ memset(exception, 0, sizeof(*exception));
+ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
+ PFERR_WRITE_MASK, exception);
+ }
tcp-fix-tcp_ecn_withdraw_cwr-to-clear-tcp_ecn_queue_cwr.patch
tipc-add-null-pointer-check-before-calling-kfree_rcu.patch
tun-fix-use-after-free-when-register-netdev-failed.patch
+gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch
+gpio-fix-line-flag-validation-in-linehandle_create.patch
+btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch
+ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch
+genirq-prevent-null-pointer-dereference-in-resend_irqs.patch
+kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch
+kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch
+kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch
+kvm-nvmx-handle-page-fault-in-vmread.patch
+gpio-fix-line-flag-validation-in-lineevent_create.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
