3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 16 Apr 2018 10:32:52 +0000 (12:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 16 Apr 2018 10:32:52 +0000 (12:32 +0200)
added patches:
parisc-fix-out-of-array-access-in-match_pci_device.patch
x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch

queue-3.18/parisc-fix-out-of-array-access-in-match_pci_device.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch [new file with mode: 0644]

diff --git a/queue-3.18/parisc-fix-out-of-array-access-in-match_pci_device.patch b/queue-3.18/parisc-fix-out-of-array-access-in-match_pci_device.patch
new file mode 100644 (file)
index 0000000..28111e3
--- /dev/null
@@ -0,0 +1,49 @@
+From 615b2665fd20c327b631ff1e79426775de748094 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 25 Mar 2018 23:53:22 +0200
+Subject: parisc: Fix out of array access in match_pci_device()
+
+From: Helge Deller <deller@gmx.de>
+
+commit 615b2665fd20c327b631ff1e79426775de748094 upstream.
+
+As found by the ubsan checker, the value of the 'index' variable can be
+out of range for the bc[] array:
+
+UBSAN: Undefined behaviour in arch/parisc/kernel/drivers.c:655:21
+index 6 is out of range for type 'char [6]'
+Backtrace:
+ [<104fa850>] __ubsan_handle_out_of_bounds+0x68/0x80
+ [<1019d83c>] check_parent+0xc0/0x170
+ [<1019d91c>] descend_children+0x30/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019cd54>] parse_tree_node+0x40/0x54
+ [<1019d86c>] check_parent+0xf0/0x170
+ [<1019d91c>] descend_children+0x30/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019d938>] descend_children+0x4c/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019cd54>] parse_tree_node+0x40/0x54
+ [<1019cffc>] hwpath_to_device+0xa4/0xc4
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/drivers.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/kernel/drivers.c
++++ b/arch/parisc/kernel/drivers.c
+@@ -648,6 +648,10 @@ static int match_pci_device(struct devic
+                                       (modpath->mod == PCI_FUNC(devfn)));
+       }
++      /* index might be out of bounds for bc[] */
++      if (index >= 6)
++              return 0;
++
+       id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5);
+       return (modpath->bc[index] == id);
+ }
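Review bot: The new guard `if (index >= 6)` hard-codes the length of `modpath->bc`, which the UBSAN report in this patch gives as `char [6]`, so a future resize of the array would leave the bound and the array silently out of step. Prefer deriving it from the array itself, `if (index >= ARRAY_SIZE(modpath->bc))`, assuming `ARRAY_SIZE` is in scope in drivers.c as it is in most kernel code. The function's signature is outside the hunk, so the type of `index` is not visible here; if it is a signed int, a negative value passes the check as written and still indexes before the array, whereas comparing against the unsigned `ARRAY_SIZE()` result rejects that case too (or spell it out as `if (index < 0 || index >= 6)`). The comment could also state the intent rather than the symptom, e.g. `/* A hardware path deeper than bc[] cannot match this device. */`, which explains why returning 0 (no match) rather than an error is the right outcome.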
index 7029bc23c1c63bc9b071cc5818779ff00100063f..d725f0f15e90e12ecb14d708655bb46d441a8373 100644 (file)
@@ -1 +1,3 @@
 media-v4l2-compat-ioctl32-don-t-oops-on-overlay.patch
+parisc-fix-out-of-array-access-in-match_pci_device.patch
+x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
diff --git a/queue-3.18/x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch b/queue-3.18/x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
new file mode 100644 (file)
index 0000000..a50ed2b
--- /dev/null
@@ -0,0 +1,95 @@
+From 339b2ae0cd5d4a58f9efe06e4ee36adbeca59228 Mon Sep 17 00:00:00 2001
+From: Baoquan He <bhe@redhat.com>
+Date: Wed, 14 Feb 2018 13:46:53 +0800
+Subject: x86/apic: Fix restoring boot IRQ mode in reboot and kexec/kdump
+
+From: Baoquan He <bhe@redhat.com>
+
+commit 339b2ae0cd5d4a58f9efe06e4ee36adbeca59228 upstream.
+
+This is a regression fix.
+
+Before, to fix erratum AVR31, the following commit:
+
+  522e66464467 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+
+... moved the lapic_shutdown() call to after disable_IO_APIC() in the reboot
+and kexec/kdump code paths.
+
+This introduced the following regression: disable_IO_APIC() not only clears
+the IO-APIC, but it also restores boot IRQ mode by setting the
+LAPIC/APIC/IMCR, calling lapic_shutdown() after disable_IO_APIC() will
+disable LAPIC and ruin the possible virtual wire mode setting which
+the code has been trying to do all along.
+
+The consequence is that a KVM guest kernel always prints the warning below
+during kexec/kdump as the kernel boots up:
+
+  [    0.001000] WARNING: CPU: 0 PID: 0 at arch/x86/kernel/apic/apic.c:1467 setup_local_APIC+0x228/0x330
+  [    ........]
+  [    0.001000] Call Trace:
+  [    0.001000]  apic_bsp_setup+0x56/0x74
+  [    0.001000]  x86_late_time_init+0x11/0x16
+  [    0.001000]  start_kernel+0x3c9/0x486
+  [    0.001000]  secondary_startup_64+0xa5/0xb0
+  [    ........]
+  [    0.001000] masked ExtINT on CPU#0
+
+To fix this, just call clear_IO_APIC() to stop the IO-APIC where
+disable_IO_APIC() was called, and call restore_boot_irq_mode() to
+restore boot IRQ mode before a reboot or a kexec/kdump jump.
+
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: douly.fnst@cn.fujitsu.com
+Cc: joro@8bytes.org
+Cc: prarit@redhat.com
+Cc: stable@vger.kernel.org
+Cc: uobergfe@redhat.com
+Fixes: commit 522e66464467 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+Link: http://lkml.kernel.org/r/20180214054656.3780-4-bhe@redhat.com
+[ Rewrote the changelog. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/crash.c  |    3 ++-
+ arch/x86/kernel/reboot.c |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -173,9 +173,10 @@ void native_machine_crash_shutdown(struc
+ #ifdef CONFIG_X86_IO_APIC
+       /* Prevent crash_kexec() from deadlocking on ioapic_lock. */
+       ioapic_zap_locks();
+-      disable_IO_APIC();
++      clear_IO_APIC();
+ #endif
+       lapic_shutdown();
++      restore_boot_irq_mode();
+ #ifdef CONFIG_HPET_TIMER
+       hpet_disable();
+ #endif
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -606,7 +606,7 @@ void native_machine_shutdown(void)
+        * Even without the erratum, it still makes sense to quiet IO APIC
+        * before disabling Local APIC.
+        */
+-      disable_IO_APIC();
++      clear_IO_APIC();
+ #endif
+ #ifdef CONFIG_SMP
+@@ -620,6 +620,7 @@ void native_machine_shutdown(void)
+ #endif
+       lapic_shutdown();
++      restore_boot_irq_mode();
+ #ifdef CONFIG_HPET_TIMER
+       hpet_disable();