--- /dev/null
+From a69261e4470d680185a15f748d9cdafb37c57a33 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 7 Feb 2017 16:19:06 +0300
+Subject: cpufreq: s3c2416: double free on driver init error path
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a69261e4470d680185a15f748d9cdafb37c57a33 upstream.
+
+The "goto err_armclk;" error path already does a clk_put(s3c_freq->hclk);
+so this is a double free.
+
+Fixes: 34ee55075265 ([CPUFREQ] Add S3C2416/S3C2450 cpufreq driver)
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/s3c2416-cpufreq.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/cpufreq/s3c2416-cpufreq.c
++++ b/drivers/cpufreq/s3c2416-cpufreq.c
+@@ -400,7 +400,6 @@ static int s3c2416_cpufreq_driver_init(s
+ rate = clk_get_rate(s3c_freq->hclk);
+ if (rate < 133 * 1000 * 1000) {
+ pr_err("cpufreq: HCLK not at 133MHz\n");
+- clk_put(s3c_freq->hclk);
+ ret = -EINVAL;
+ goto err_armclk;
+ }
--- /dev/null
+From 73dbd4a4230216b6a5540a362edceae0c9b4876b Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 18:23:21 +0800
+Subject: iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 73dbd4a4230216b6a5540a362edceae0c9b4876b upstream.
+
+In function amd_iommu_bind_pasid(), the control flow jumps
+to label out_free when pasid_state->mm and mm is NULL. And
+mmput(mm) is called. In function mmput(mm), mm is
+referenced without validation. This will result in a NULL
+dereference bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Fixes: f0aac63b873b ('iommu/amd: Don't hold a reference to mm_struct')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu_v2.c
++++ b/drivers/iommu/amd_iommu_v2.c
+@@ -701,9 +701,9 @@ out_clear_state:
+
+ out_unregister:
+ mmu_notifier_unregister(&pasid_state->mn, mm);
++ mmput(mm);
+
+ out_free:
+- mmput(mm);
+ free_pasid_state(pasid_state);
+
+ out:
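Review bot: After this move, `out_free:` no longer drops an mm reference, so it is only correct for paths that reach it without holding one; a one-line comment at the label would record that, e.g. `/* reached only when no mm reference is held */`. Without it, a later `goto out_free` added after the reference has been taken would leak the mm silently. The order inside `out_unregister:` (unregister the notifier, then `mmput(mm)`) also deserves a short why-comment, since the notifier is unregistered against that same mm. The gotos that target these labels are outside the hunk, so which paths hold a reference is inferred from the commit message rather than from visible code.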
--- /dev/null
+From f7116e115acdd74bc75a4daf6492b11d43505125 Mon Sep 17 00:00:00 2001
+From: David Dillow <dillow@google.com>
+Date: Mon, 30 Jan 2017 19:11:11 -0800
+Subject: iommu/vt-d: Don't over-free page table directories
+
+From: David Dillow <dillow@google.com>
+
+commit f7116e115acdd74bc75a4daf6492b11d43505125 upstream.
+
+dma_pte_free_level() recurses down the IOMMU page tables and frees
+directory pages that are entirely contained in the given PFN range.
+Unfortunately, it incorrectly calculates the starting address covered
+by the PTE under consideration, which can lead to it clearing an entry
+that is still in use.
+
+This occurs if we have a scatterlist with an entry that has a length
+greater than 1026 MB and is aligned to 2 MB for both the IOMMU and
+physical addresses. For example, if __domain_mapping() is asked to map a
+two-entry scatterlist with 2 MB and 1028 MB segments to PFN 0xffff80000,
+it will ask if dma_pte_free_pagetable() is asked to PFNs from
+0xffff80200 to 0xffffc05ff, it will also incorrectly clear the PFNs from
+0xffff80000 to 0xffff801ff because of this issue. The current code will
+set level_pfn to 0xffff80200, and 0xffff80200-0xffffc01ff fits inside
+the range being cleared. Properly setting the level_pfn for the current
+level under consideration catches that this PTE is outside of the range
+being cleared.
+
+This patch also changes the value passed into dma_pte_free_level() when
+it recurses. This only affects the first PTE of the range being cleared,
+and is handled by the existing code that ensures we start our cursor no
+lower than start_pfn.
+
+This was found when using dma_map_sg() to map large chunks of contiguous
+memory, which immediatedly led to faults on the first access of the
+erroneously-deleted mappings.
+
+Fixes: 3269ee0bd668 ("intel-iommu: Fix leaks in pagetable freeing")
+Reviewed-by: Benjamin Serebrin <serebrin@google.com>
+Signed-off-by: David Dillow <dillow@google.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -980,7 +980,7 @@ static void dma_pte_free_level(struct dm
+ if (!dma_pte_present(pte) || dma_pte_superpage(pte))
+ goto next;
+
+- level_pfn = pfn & level_mask(level - 1);
++ level_pfn = pfn & level_mask(level);
+ level_pte = phys_to_virt(dma_pte_addr(pte));
+
+ if (level > 2)
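Review bot: The corrected line `level_pfn = pfn & level_mask(level);` carries no comment, and the difference from the old `level - 1` mask is an off-by-one-level mistake that is easy to reintroduce. I would add `/* first PFN covered by this PTE at the current level */` above it. Per the commit message, the wrong base let the function clear a directory entry that was still in use, which on an IOMMU shows up as faults on live DMA mappings. The range check that consumes `level_pfn` and the recursive call are outside the hunk, so the statement that the recursion stays clamped to `start_pfn` cannot be confirmed from these lines.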
--- /dev/null
+From d4912215d1031e4fb3d1038d2e1857218dba0d0a Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 5 Jun 2017 05:19:09 -0700
+Subject: KVM: nVMX: Fix exception injection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit d4912215d1031e4fb3d1038d2e1857218dba0d0a upstream.
+
+ WARNING: CPU: 3 PID: 2840 at arch/x86/kvm/vmx.c:10966 nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
+ CPU: 3 PID: 2840 Comm: qemu-system-x86 Tainted: G OE 4.12.0-rc3+ #23
+ RIP: 0010:nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
+ Call Trace:
+ ? kvm_check_async_pf_completion+0xef/0x120 [kvm]
+ ? rcu_read_lock_sched_held+0x79/0x80
+ vmx_queue_exception+0x104/0x160 [kvm_intel]
+ ? vmx_queue_exception+0x104/0x160 [kvm_intel]
+ kvm_arch_vcpu_ioctl_run+0x1171/0x1ce0 [kvm]
+ ? kvm_arch_vcpu_load+0x47/0x240 [kvm]
+ ? kvm_arch_vcpu_load+0x62/0x240 [kvm]
+ kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? __fget+0xf3/0x210
+ do_vfs_ioctl+0xa4/0x700
+ ? __fget+0x114/0x210
+ SyS_ioctl+0x79/0x90
+ do_syscall_64+0x81/0x220
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This is triggered occasionally by running both win7 and win2016 in L2, in
+addition, EPT is disabled on both L1 and L2. It can't be reproduced easily.
+
+Commit 0b6ac343fc (KVM: nVMX: Correct handling of exception injection) mentioned
+that "KVM wants to inject page-faults which it got to the guest. This function
+assumes it is called with the exit reason in vmcs02 being a #PF exception".
+Commit e011c663 (KVM: nVMX: Check all exceptions for intercept during delivery to
+L2) allows to check all exceptions for intercept during delivery to L2. However,
+there is no guarantee the exit reason is exception currently, when there is an
+external interrupt occurred on host, maybe a time interrupt for host which should
+not be injected to guest, and somewhere queues an exception, then the function
+nested_vmx_check_exception() will be called and the vmexit emulation codes will
+try to emulate the "Acknowledge interrupt on exit" behavior, the warning is
+triggered.
+
+Reusing the exit reason from the L2->L0 vmexit is wrong in this case,
+the reason must always be EXCEPTION_NMI when injecting an exception into
+L1 as a nested vmexit.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Fixes: e011c663b9c7 ("KVM: nVMX: Check all exceptions for intercept during delivery to L2")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2026,7 +2026,7 @@ static int nested_vmx_check_exception(st
+ if (!(vmcs12->exception_bitmap & (1u << nr)))
+ return 0;
+
+- nested_vmx_vmexit(vcpu, to_vmx(vcpu)->exit_reason,
++ nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI,
+ vmcs_read32(VM_EXIT_INTR_INFO),
+ vmcs_readl(EXIT_QUALIFICATION));
+ return 1;
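Review bot: The exit reason passed to `nested_vmx_vmexit()` is now fixed, but the next two arguments are still `vmcs_read32(VM_EXIT_INTR_INFO)` and `vmcs_readl(EXIT_QUALIFICATION)`, i.e. whatever the last hardware exit left in the VMCS. The commit message itself says that exit need not have been an exception (a host external interrupt is the example given), so in that case L1 would presumably receive interruption info and a qualification that do not describe vector `nr`. It would be more consistent to build the interruption-information word from `nr` (and the error code, if any) rather than re-reading it. At the least, a comment on the call should say that both fields are only meaningful when the preceding exit was an exception. The head of nested_vmx_check_exception() is outside the hunk, so whether a caller already guarantees this is not visible here.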
--- /dev/null
+From f0367ee1d64d27fa08be2407df5c125442e885e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 18 May 2017 19:37:30 +0200
+Subject: KVM: x86: zero base3 of unusable segments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit f0367ee1d64d27fa08be2407df5c125442e885e3 upstream.
+
+Static checker noticed that base3 could be used uninitialized if the
+segment was not present (useable). Random stack values probably would
+not pass VMCS entry checks.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 1aa366163b8b ("KVM: x86 emulator: consolidate segment accessors")
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4853,6 +4853,8 @@ static bool emulator_get_segment(struct
+
+ if (var.unusable) {
+ memset(desc, 0, sizeof(*desc));
++ if (base3)
++ *base3 = 0;
+ return false;
+ }
+
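Review bot: Only the `var.unusable` return is visible, so it is worth confirming that every other path out of emulator_get_segment() also writes `*base3` when the pointer is non-NULL. The commit message says base3 could be used uninitialized when the segment is unusable, so callers evidently read it after a `false` return. A comment on the new lines would record that contract, e.g. `/* callers may read *base3 even for an unusable segment; never leave it as stack garbage */`. Without it the two lines look redundant next to `memset(desc, 0, sizeof(*desc))` and are easy to drop in a later cleanup. The rest of the function is outside the hunk.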
xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch
watchdog-bcm281xx-fix-use-of-uninitialized-spinlock.patch
arm-8685-1-ensure-memblock-limit-is-pmd-aligned.patch
+iommu-vt-d-don-t-over-free-page-table-directories.patch
+iommu-amd-fix-incorrect-error-handling-in-amd_iommu_bind_pasid.patch
+cpufreq-s3c2416-double-free-on-driver-init-error-path.patch
+kvm-x86-zero-base3-of-unusable-segments.patch
+kvm-nvmx-fix-exception-injection.patch