From: Greg Kroah-Hartman Date: Sun, 22 Jul 2018 15:57:32 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.144~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=039588fdc67794c18fcd47a3794b447503a3c3a4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-rawmidi-change-resized-buffers-atomically.patch arc-configs-remove-config_initramfs_source-from-defconfigs.patch arc-fix-config_swap.patch arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch fat-fix-memory-allocation-failure-handling-of-match_strdup.patch kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch x86-mce-remove-min-interval-polling-limitation.patch --- diff --git a/queue-4.9/alsa-rawmidi-change-resized-buffers-atomically.patch b/queue-4.9/alsa-rawmidi-change-resized-buffers-atomically.patch new file mode 100644 index 00000000000..92b5d9a94cb --- /dev/null +++ b/queue-4.9/alsa-rawmidi-change-resized-buffers-atomically.patch 
@@ -0,0 +1,84 @@ +From 39675f7a7c7e7702f7d5341f1e0d01db746543a0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 17 Jul 2018 17:26:43 +0200 +Subject: ALSA: rawmidi: Change resized buffers atomically + +From: Takashi Iwai + +commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream. + +The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the +current code is racy. For example, the sequencer client may write to +buffer while it being resized. + +As a simple workaround, let's switch to the resized buffer inside the +stream runtime lock. + +Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/rawmidi.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user( + int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, + struct snd_rawmidi_params * params) + { +- char *newbuf; ++ char *newbuf, *oldbuf; + struct snd_rawmidi_runtime *runtime = substream->runtime; + + if (substream->append && substream->use_count > 1) +@@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd + return -EINVAL; + } + if (params->buffer_size != runtime->buffer_size) { +- newbuf = krealloc(runtime->buffer, params->buffer_size, +- GFP_KERNEL); ++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL); + if (!newbuf) + return -ENOMEM; ++ spin_lock_irq(&runtime->lock); ++ oldbuf = runtime->buffer; + runtime->buffer = newbuf; + runtime->buffer_size = params->buffer_size; + runtime->avail = runtime->buffer_size; ++ runtime->appl_ptr = runtime->hw_ptr = 0; ++ spin_unlock_irq(&runtime->lock); ++ kfree(oldbuf); + } + runtime->avail_min = params->avail_min; + substream->active_sensing = !params->no_active_sensing; +@@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params) + int snd_rawmidi_input_params(struct snd_rawmidi_substream 
*substream, + struct snd_rawmidi_params * params) + { +- char *newbuf; ++ char *newbuf, *oldbuf; + struct snd_rawmidi_runtime *runtime = substream->runtime; + + snd_rawmidi_drain_input(substream); +@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_ + return -EINVAL; + } + if (params->buffer_size != runtime->buffer_size) { +- newbuf = krealloc(runtime->buffer, params->buffer_size, +- GFP_KERNEL); ++ newbuf = kmalloc(params->buffer_size, GFP_KERNEL); + if (!newbuf) + return -ENOMEM; ++ spin_lock_irq(&runtime->lock); ++ oldbuf = runtime->buffer; + runtime->buffer = newbuf; + runtime->buffer_size = params->buffer_size; ++ runtime->appl_ptr = runtime->hw_ptr = 0; ++ spin_unlock_irq(&runtime->lock); ++ kfree(oldbuf); + } + runtime->avail_min = params->avail_min; + return 0; diff --git a/queue-4.9/arc-configs-remove-config_initramfs_source-from-defconfigs.patch b/queue-4.9/arc-configs-remove-config_initramfs_source-from-defconfigs.patch new file mode 100644 index 00000000000..3151a6c0892 --- /dev/null +++ b/queue-4.9/arc-configs-remove-config_initramfs_source-from-defconfigs.patch 
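Review bot: In snd_rawmidi_input_params the locked switch resets `appl_ptr` and `hw_ptr` but leaves `runtime->avail` untouched, whereas the output path sets `runtime->avail = runtime->buffer_size` alongside them; if `avail` counts readable bytes on the input side (the output side's assignment reads as free space, so input's is presumably fill level), any bytes that arrive between the `snd_rawmidi_drain_input(substream)` call and `spin_lock_irq(&runtime->lock)` leave a nonzero `avail` pointing into a freshly kmalloc'd, uninitialized buffer, which a subsequent read would copy to userspace. Add `runtime->avail = 0;` next to `runtime->appl_ptr = runtime->hw_ptr = 0;` inside the locked region of the input path, and consider `kzalloc` for the replacement buffer so a stale counter can at most expose zeros. The validation of `params->buffer_size` that precedes the resize is only partly visible, and the closing of snd_rawmidi_input_params is outside the hunk.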
@@ -0,0 +1,133 @@ +From 64234961c145606b36eaa82c47b11be842b21049 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Wed, 6 Jun 2018 15:59:38 +0300 +Subject: ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs + +From: Alexey Brodkin + +commit 64234961c145606b36eaa82c47b11be842b21049 upstream. + +We used to have pre-set CONFIG_INITRAMFS_SOURCE with local path +to intramfs in ARC defconfigs. This was quite convenient for +in-house development but not that convenient for newcomers +who obviusly don't have folders like "arc_initramfs" next to +the Linux source tree. Which leads to quite surprising failure +of defconfig building: +------------------------------->8----------------------------- + ../scripts/gen_initramfs_list.sh: Cannot open '../../arc_initramfs_hs/' +../usr/Makefile:57: recipe for target 'usr/initramfs_data.cpio.gz' failed +make[2]: *** [usr/initramfs_data.cpio.gz] Error 1 +------------------------------->8----------------------------- + +So now when more and more people start to deal with our defconfigs +let's make their life easier with removal of CONFIG_INITRAMFS_SOURCE. 
+ +Signed-off-by: Alexey Brodkin +Cc: Kevin Hilman +Cc: stable@vger.kernel.org +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/configs/axs101_defconfig | 1 - + arch/arc/configs/axs103_defconfig | 1 - + arch/arc/configs/axs103_smp_defconfig | 1 - + arch/arc/configs/nsim_700_defconfig | 1 - + arch/arc/configs/nsim_hs_defconfig | 1 - + arch/arc/configs/nsim_hs_smp_defconfig | 1 - + arch/arc/configs/nsimosci_defconfig | 1 - + arch/arc/configs/nsimosci_hs_defconfig | 1 - + arch/arc/configs/nsimosci_hs_smp_defconfig | 1 - + 9 files changed, 9 deletions(-) + +--- a/arch/arc/configs/axs101_defconfig ++++ b/arch/arc/configs/axs101_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/axs103_defconfig ++++ b/arch/arc/configs/axs103_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/axs103_smp_defconfig ++++ b/arch/arc/configs/axs103_smp_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y + # CONFIG_VM_EVENT_COUNTERS is not set +--- a/arch/arc/configs/nsim_700_defconfig ++++ b/arch/arc/configs/nsim_700_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- 
a/arch/arc/configs/nsim_hs_defconfig ++++ b/arch/arc/configs/nsim_hs_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsim_hs_smp_defconfig ++++ b/arch/arc/configs/nsim_hs_smp_defconfig +@@ -9,7 +9,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsimosci_defconfig ++++ b/arch/arc/configs/nsimosci_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsimosci_hs_defconfig ++++ b/arch/arc/configs/nsimosci_hs_defconfig +@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_KALLSYMS_ALL=y + CONFIG_EMBEDDED=y + CONFIG_PERF_EVENTS=y +--- a/arch/arc/configs/nsimosci_hs_smp_defconfig ++++ b/arch/arc/configs/nsimosci_hs_smp_defconfig +@@ -9,7 +9,6 @@ CONFIG_IKCONFIG_PROC=y + # CONFIG_UTS_NS is not set + # CONFIG_PID_NS is not set + CONFIG_BLK_DEV_INITRD=y +-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/" + CONFIG_PERF_EVENTS=y + # CONFIG_COMPAT_BRK is not set + CONFIG_KPROBES=y diff --git a/queue-4.9/arc-fix-config_swap.patch b/queue-4.9/arc-fix-config_swap.patch new file mode 100644 index 00000000000..f13ddfda2ab --- /dev/null +++ b/queue-4.9/arc-fix-config_swap.patch 
@@ -0,0 +1,48 @@ +From 6e3761145a9ba3ce267c330b6bff51cf6a057b06 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Thu, 28 Jun 2018 16:59:14 -0700 +Subject: ARC: Fix CONFIG_SWAP + +From: Alexey Brodkin + +commit 6e3761145a9ba3ce267c330b6bff51cf6a057b06 upstream. + +swap was broken on ARC due to silly copy-paste issue. + +We encode offset from swapcache page in __swp_entry() as (off << 13) but +were not decoding back in __swp_offset() as (off >> 13) - it was still +(off << 13). + +This finally fixes swap usage on ARC. + +| # mkswap /dev/sda2 +| +| # swapon -a -e /dev/sda2 +| Adding 500728k swap on /dev/sda2. Priority:-2 extents:1 across:500728k +| +| # free +| total used free shared buffers cached +| Mem: 765104 13456 751648 4736 8 4736 +| -/+ buffers/cache: 8712 756392 +| Swap: 500728 0 500728 + +Cc: stable@vger.kernel.org +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/pgtable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/include/asm/pgtable.h ++++ b/arch/arc/include/asm/pgtable.h +@@ -378,7 +378,7 @@ void update_mmu_cache(struct vm_area_str + + /* Decode a PTE containing swap "identifier "into constituents */ + #define __swp_type(pte_lookalike) (((pte_lookalike).val) & 0x1f) +-#define __swp_offset(pte_lookalike) ((pte_lookalike).val << 13) ++#define __swp_offset(pte_lookalike) ((pte_lookalike).val >> 13) + + /* NOPs, to keep generic kernel happy */ + #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) }) diff --git a/queue-4.9/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch b/queue-4.9/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch new file mode 100644 index 00000000000..b7e2cb43d71 --- /dev/null +++ b/queue-4.9/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch 
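Review bot: The decoders in pgtable.h still spell the swap-entry layout as bare literals (`0x1f`, `13`) that must stay in step with the `(off << 13)` encoding in __swp_entry, which is outside the hunk and is exactly where this copy-paste mismatch came from. Hoisting them into `#define __SWP_TYPE_MASK 0x1f` and `#define __SWP_OFFSET_SHIFT 13` and using those names in __swp_entry, __swp_type and __swp_offset makes encoder and decoder unable to drift again; a one-line comment above them stating the split (type in the low 5 bits, offset from bit 13) would help the next reader. Whether the bits between 5 and 12 are reserved for PTE flags cannot be confirmed from this hunk.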
@@ -0,0 +1,44 @@ +From 93312b6da4df31e4102ce5420e6217135a16c7ea Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Wed, 11 Jul 2018 10:42:20 -0700 +Subject: ARC: mm: allow mprotect to make stack mappings executable + +From: Vineet Gupta + +commit 93312b6da4df31e4102ce5420e6217135a16c7ea upstream. + +mprotect(EXEC) was failing for stack mappings as default vm flags was +missing MAYEXEC. + +This was triggered by glibc test suite nptl/tst-execstack testcase + +What is surprising is that despite running LTP for years on, we didn't +catch this issue as it lacks a directed test case. + +gcc dejagnu tests with nested functions also requiring exec stack work +fine though because they rely on the GNU_STACK segment spit out by +compiler and handled in kernel elf loader. + +This glibc case is different as the stack is non exec to begin with and +a dlopen of shared lib with GNU_STACK segment triggers the exec stack +proceedings using a mprotect(PROT_EXEC) which was broken. + +CC: stable@vger.kernel.org +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/page.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/include/asm/page.h ++++ b/arch/arc/include/asm/page.h +@@ -105,7 +105,7 @@ typedef pte_t * pgtable_t; + #define virt_addr_valid(kaddr) pfn_valid(virt_to_pfn(kaddr)) + + /* Default Permissions for stack/heaps pages (Non Executable) */ +-#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE) ++#define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC) + + #define WANT_PAGE_VIRTUAL 1 + diff --git a/queue-4.9/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch b/queue-4.9/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch new file mode 100644 index 00000000000..ad49c776c34 --- /dev/null +++ b/queue-4.9/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch 
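Review bot: The comment `/* Default Permissions for stack/heaps pages (Non Executable) */` above the changed define is now incomplete: pages still start without VM_EXEC, but adding VM_MAYEXEC means mprotect(PROT_EXEC) on any mapping created with these flags will now succeed, which is a deliberate widening of what a process may do to its own stack and heap. Suggest rewording to `/* Default permissions for stack/heap pages: not executable, but VM_MAYEXEC permits mprotect(PROT_EXEC) (needed by glibc's dlopen of exec-stack objects) */` so the next reader does not treat VM_MAYEXEC as a leftover. Whether other mitigations such as an LSM's execmem/execstack hooks still gate such mprotect calls on ARC cannot be determined from this hunk.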
@@ -0,0 +1,82 @@ +From 35033ab988c396ad7bce3b6d24060c16a9066db8 Mon Sep 17 00:00:00 2001 +From: OGAWA Hirofumi +Date: Fri, 20 Jul 2018 17:53:42 -0700 +Subject: fat: fix memory allocation failure handling of match_strdup() + +From: OGAWA Hirofumi + +commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream. + +In parse_options(), if match_strdup() failed, parse_options() leaves +opts->iocharset in unexpected state (i.e. still pointing the freed +string). And this can be the cause of double free. + +To fix, this initialize opts->iocharset always when freeing. + +Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp +Signed-off-by: OGAWA Hirofumi +Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fat/inode.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -696,13 +696,21 @@ static void fat_set_state(struct super_b + brelse(bh); + } + ++static void fat_reset_iocharset(struct fat_mount_options *opts) ++{ ++ if (opts->iocharset != fat_default_iocharset) { ++ /* Note: opts->iocharset can be NULL here */ ++ kfree(opts->iocharset); ++ opts->iocharset = fat_default_iocharset; ++ } ++} ++ + static void delayed_free(struct rcu_head *p) + { + struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu); + unload_nls(sbi->nls_disk); + unload_nls(sbi->nls_io); +- if (sbi->options.iocharset != fat_default_iocharset) +- kfree(sbi->options.iocharset); ++ fat_reset_iocharset(&sbi->options); + kfree(sbi); + } + +@@ -1117,7 +1125,7 @@ static int parse_options(struct super_bl + opts->fs_fmask = opts->fs_dmask = current_umask(); + opts->allow_utime = -1; + opts->codepage = fat_default_codepage; +- opts->iocharset = fat_default_iocharset; ++ fat_reset_iocharset(opts); + if (is_vfat) { + opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95; + opts->rodir 
= 0; +@@ -1274,8 +1282,7 @@ static int parse_options(struct super_bl + + /* vfat specific */ + case Opt_charset: +- if (opts->iocharset != fat_default_iocharset) +- kfree(opts->iocharset); ++ fat_reset_iocharset(opts); + iocharset = match_strdup(&args[0]); + if (!iocharset) + return -ENOMEM; +@@ -1866,8 +1873,7 @@ out_fail: + iput(fat_inode); + unload_nls(sbi->nls_io); + unload_nls(sbi->nls_disk); +- if (sbi->options.iocharset != fat_default_iocharset) +- kfree(sbi->options.iocharset); ++ fat_reset_iocharset(&sbi->options); + sb->s_fs_info = NULL; + kfree(sbi); + return error; diff --git a/queue-4.9/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch b/queue-4.9/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch new file mode 100644 index 00000000000..7ec0f08a395 --- /dev/null +++ b/queue-4.9/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch 
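Review bot: fat_reset_iocharset() kfree()s whatever `opts->iocharset` holds unless it equals `fat_default_iocharset`, so its new use at the top of parse_options() is only safe when the options struct is either zeroed or was initialised by an earlier parse; on a struct holding an indeterminate pointer it would free garbage. The hunk does not show how `sbi` is allocated (presumably zeroed, outside the hunk), so the helper should state its precondition: `/* opts->iocharset must be NULL, fat_default_iocharset or a kmalloc'd string; frees it and resets to the default. */`. Because parse_options() returns -ENOMEM right after match_strdup() fails, the reset now leaves `opts` in a state the out_fail path can free exactly once, which is the fix. The bodies of parse_options() and of the out_fail label continue outside the hunk.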
@@ -0,0 +1,67 @@ +From b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47 Mon Sep 17 00:00:00 2001 +From: Lan Tianyu +Date: Thu, 21 Dec 2017 21:10:36 -0500 +Subject: KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lan Tianyu + +commit b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47 upstream. + +Syzbot reports crashes in kvm_irqfd_assign(), caused by use-after-free +when kvm_irqfd_assign() and kvm_irqfd_deassign() run in parallel +for one specific eventfd. When the assign path hasn't finished but irqfd +has been added to kvm->irqfds.items list, another thead may deassign the +eventfd and free struct kvm_kernel_irqfd(). The assign path then uses +the struct kvm_kernel_irqfd that has been freed by deassign path. To avoid +such issue, keep irqfd under kvm->irq_srcu protection after the irqfd +has been added to kvm->irqfds.items list, and call synchronize_srcu() +in irq_shutdown() to make sure that irqfd has been fully initialized in +the assign path. + +Reported-by: Dmitry Vyukov +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Dmitry Vyukov +Signed-off-by: Tianyu Lan +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -119,8 +119,12 @@ irqfd_shutdown(struct work_struct *work) + { + struct kvm_kernel_irqfd *irqfd = + container_of(work, struct kvm_kernel_irqfd, shutdown); ++ struct kvm *kvm = irqfd->kvm; + u64 cnt; + ++ /* Make sure irqfd has been initalized in assign path. */ ++ synchronize_srcu(&kvm->irq_srcu); ++ + /* + * Synchronize with the wait-queue and unhook ourselves to prevent + * further events. 
+@@ -387,7 +391,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct + + idx = srcu_read_lock(&kvm->irq_srcu); + irqfd_update(kvm, irqfd); +- srcu_read_unlock(&kvm->irq_srcu, idx); + + list_add_tail(&irqfd->list, &kvm->irqfds.items); + +@@ -421,6 +424,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct + } + #endif + ++ srcu_read_unlock(&kvm->irq_srcu, idx); + return 0; + + fail: diff --git a/queue-4.9/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch b/queue-4.9/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch new file mode 100644 index 00000000000..8a8bf589a87 --- /dev/null +++ b/queue-4.9/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch 
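Review bot: Moving `srcu_read_unlock(&kvm->irq_srcu, idx)` down to just before `return 0;` means every statement between irqfd_update() and that return now runs inside the SRCU read side, and any error exit that jumps to `fail:` from that region would leak the read lock, since `fail:` sits after the unlock. The visible lines show no such jump, but most of that region, including the `#ifdef` block whose `#endif` is visible, is outside the hunk, so please add a comment at the lock, e.g. `/* irq_srcu read side is held until the unlock before return 0; no goto fail from here on. */`, or release it at a label both paths share. The new `synchronize_srcu(&kvm->irq_srcu)` in irqfd_shutdown() blocks until all such read sides finish, which is fine from the work item but worth a note that this function must never be called with irq_srcu held. The body of kvm_irqfd_assign() begins and ends outside the hunk.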
@@ -0,0 +1,141 @@ +From 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Mon, 9 Jul 2018 16:35:34 +0300 +Subject: x86/apm: Don't access __preempt_count with zeroed fs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 upstream. + +APM_DO_POP_SEGS does not restore fs/gs which were zeroed by +APM_DO_ZERO_SEGS. Trying to access __preempt_count with +zeroed fs doesn't really work. + +Move the ibrs call outside the APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS +invocations so that fs is actually restored before calling +preempt_enable(). + +Fixes the following sort of oopses: +[ 0.313581] general protection fault: 0000 [#1] PREEMPT SMP +[ 0.313803] Modules linked in: +[ 0.314040] CPU: 0 PID: 268 Comm: kapmd Not tainted 4.16.0-rc1-triton-bisect-00090-gdd84441a7971 #19 +[ 0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 +[ 0.316161] EFLAGS: 00210016 CPU: 0 +[ 0.316161] EAX: 00000102 EBX: 00000000 ECX: 00000102 EDX: 00000000 +[ 0.316161] ESI: 0000530e EDI: dea95f64 EBP: dea95f18 ESP: dea95ef0 +[ 0.316161] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 +[ 0.316161] CR0: 80050033 CR2: 00000000 CR3: 015d3000 CR4: 000006d0 +[ 0.316161] Call Trace: +[ 0.316161] ? cpumask_weight.constprop.15+0x20/0x20 +[ 0.316161] on_cpu0+0x44/0x70 +[ 0.316161] apm+0x54e/0x720 +[ 0.316161] ? __switch_to_asm+0x26/0x40 +[ 0.316161] ? __schedule+0x17d/0x590 +[ 0.316161] kthread+0xc0/0xf0 +[ 0.316161] ? proc_apm_show+0x150/0x150 +[ 0.316161] ? 
kthread_create_worker_on_cpu+0x20/0x20 +[ 0.316161] ret_from_fork+0x2e/0x38 +[ 0.316161] Code: da 8e c2 8e e2 8e ea 57 55 2e ff 1d e0 bb 5d b1 0f 92 c3 5d 5f 07 1f 89 47 0c 90 8d b4 26 00 00 00 00 90 8d b4 26 00 00 00 00 90 <64> ff 0d 84 16 5c b1 74 7f 8b 45 dc 8e e0 8b 45 d8 8e e8 8b 45 +[ 0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 SS:ESP: 0068:dea95ef0 +[ 0.316161] ---[ end trace 656253db2deaa12c ]--- + +Fixes: dd84441a7971 ("x86/speculation: Use IBRS if available before calling into firmware") +Signed-off-by: Ville Syrjälä +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Cc: David Woodhouse +Cc: "H. Peter Anvin" +Cc: x86@kernel.org +Cc: David Woodhouse +Cc: "H. Peter Anvin" +Link: https://lkml.kernel.org/r/20180709133534.5963-1-ville.syrjala@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/apm.h | 6 ------ + arch/x86/kernel/apm_32.c | 5 +++++ + 2 files changed, 5 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/apm.h ++++ b/arch/x86/include/asm/apm.h +@@ -6,8 +6,6 @@ + #ifndef _ASM_X86_MACH_DEFAULT_APM_H + #define _ASM_X86_MACH_DEFAULT_APM_H + +-#include +- + #ifdef APM_ZERO_SEGS + # define APM_DO_ZERO_SEGS \ + "pushl %%ds\n\t" \ +@@ -33,7 +31,6 @@ static inline void apm_bios_call_asm(u32 + * N.B. We do NOT need a cld after the BIOS call + * because we always save and restore the flags. + */ +- firmware_restrict_branch_speculation_start(); + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +@@ -46,7 +43,6 @@ static inline void apm_bios_call_asm(u32 + "=S" (*esi) + : "a" (func), "b" (ebx_in), "c" (ecx_in) + : "memory", "cc"); +- firmware_restrict_branch_speculation_end(); + } + + static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, +@@ -59,7 +55,6 @@ static inline bool apm_bios_call_simple_ + * N.B. We do NOT need a cld after the BIOS call + * because we always save and restore the flags. 
+ */ +- firmware_restrict_branch_speculation_start(); + __asm__ __volatile__(APM_DO_ZERO_SEGS + "pushl %%edi\n\t" + "pushl %%ebp\n\t" +@@ -72,7 +67,6 @@ static inline bool apm_bios_call_simple_ + "=S" (si) + : "a" (func), "b" (ebx_in), "c" (ecx_in) + : "memory", "cc"); +- firmware_restrict_branch_speculation_end(); + return error; + } + +--- a/arch/x86/kernel/apm_32.c ++++ b/arch/x86/kernel/apm_32.c +@@ -239,6 +239,7 @@ + #include + #include + #include ++#include + + #if defined(CONFIG_APM_DISPLAY_BLANK) && defined(CONFIG_VT) + extern int (*console_blank_hook)(int); +@@ -613,11 +614,13 @@ static long __apm_bios_call(void *_call) + gdt[0x40 / 8] = bad_bios_desc; + + apm_irq_save(flags); ++ firmware_restrict_branch_speculation_start(); + APM_DO_SAVE_SEGS; + apm_bios_call_asm(call->func, call->ebx, call->ecx, + &call->eax, &call->ebx, &call->ecx, &call->edx, + &call->esi); + APM_DO_RESTORE_SEGS; ++ firmware_restrict_branch_speculation_end(); + apm_irq_restore(flags); + gdt[0x40 / 8] = save_desc_40; + put_cpu(); +@@ -689,10 +692,12 @@ static long __apm_bios_call_simple(void + gdt[0x40 / 8] = bad_bios_desc; + + apm_irq_save(flags); ++ firmware_restrict_branch_speculation_start(); + APM_DO_SAVE_SEGS; + error = apm_bios_call_simple_asm(call->func, call->ebx, call->ecx, + &call->eax); + APM_DO_RESTORE_SEGS; ++ firmware_restrict_branch_speculation_end(); + apm_irq_restore(flags); + gdt[0x40 / 8] = save_desc_40; + put_cpu(); diff --git a/queue-4.9/x86-mce-remove-min-interval-polling-limitation.patch b/queue-4.9/x86-mce-remove-min-interval-polling-limitation.patch new file mode 100644 index 00000000000..df6a991e967 --- /dev/null +++ b/queue-4.9/x86-mce-remove-min-interval-polling-limitation.patch 
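Review bot: The new placement in __apm_bios_call() and __apm_bios_call_simple() puts firmware_restrict_branch_speculation_start()/_end() strictly outside APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS, which is the point of the fix, but nothing at the call sites says why this ordering matters, so a later cleanup could move the calls back into the asm helpers. Suggest a comment above each start call: `/* Must bracket SAVE/RESTORE_SEGS: _end() touches per-cpu data via %fs, which the BIOS call runs with zeroed. */`. The removal of the nospec include from apm.h is consistent with the helpers no longer using it, and the new include in apm_32.c covers the moved calls. Both callers begin and end outside the hunk, so that preemption is already off there (the visible put_cpu() implies a matching get_cpu()) is inferred.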
@@ -0,0 +1,44 @@ +From fbdb328c6bae0a7c78d75734a738b66b86dffc96 Mon Sep 17 00:00:00 2001 +From: Dewet Thibaut +Date: Mon, 16 Jul 2018 10:49:27 +0200 +Subject: x86/MCE: Remove min interval polling limitation + +From: Dewet Thibaut + +commit fbdb328c6bae0a7c78d75734a738b66b86dffc96 upstream. + +commit b3b7c4795c ("x86/MCE: Serialize sysfs changes") introduced a min +interval limitation when setting the check interval for polled MCEs. +However, the logic is that 0 disables polling for corrected MCEs, see +Documentation/x86/x86_64/machinecheck. The limitation prevents disabling. + +Remove this limitation and allow the value 0 to disable polling again. + +Fixes: b3b7c4795c ("x86/MCE: Serialize sysfs changes") +Signed-off-by: Dewet Thibaut +Signed-off-by: Alexander Sverdlin +[ Massage commit message. ] +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Cc: Tony Luck +Cc: linux-edac +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20180716084927.24869-1-alexander.sverdlin@nokia.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -2397,9 +2397,6 @@ static ssize_t store_int_with_restart(st + if (check_interval == old_check_interval) + return ret; + +- if (check_interval < 1) +- check_interval = 1; +- + mutex_lock(&mce_sysfs_mutex); + mce_restart(); + mutex_unlock(&mce_sysfs_mutex);
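Review bot: Dropping the `check_interval < 1` clamp restores 0-as-disable, but it also removes the only lower bound on the value, so a negative interval written through sysfs now reaches mce_restart() unless the store helper that assigned it rejects negatives, which cannot be seen in the hunk. A guard placed after the visible early return keeps the documented semantics without reintroducing the bug: `if (check_interval < 0) { check_interval = old_check_interval; return -EINVAL; }`, reusing the `old_check_interval` the visible comparison already references. The rest of store_int_with_restart() is outside the hunk.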