From: Greg Kroah-Hartman
Date: Thu, 3 Oct 2019 08:04:36 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v4.4.195~44
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=26e7c1695469101fdae50dd6d4b583b55044637d;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
fuse-fix-missing-unlock_page-in-fuse_writepage.patch
kvm-x86-always-stop-emulation-on-page-fault.patch
kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch
kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch
parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch
powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch
---
diff --git a/queue-4.19/fuse-fix-missing-unlock_page-in-fuse_writepage.patch b/queue-4.19/fuse-fix-missing-unlock_page-in-fuse_writepage.patch
new file mode 100644
index 00000000000..5a607c7b4b5
--- /dev/null
+++ b/queue-4.19/fuse-fix-missing-unlock_page-in-fuse_writepage.patch
@@ -0,0 +1,32 @@
+From d5880c7a8620290a6c90ced7a0e8bd0ad9419601 Mon Sep 17 00:00:00 2001
+From: Vasily Averin
+Date: Fri, 13 Sep 2019 18:17:11 +0300
+Subject: fuse: fix missing unlock_page in fuse_writepage()
+
+From: Vasily Averin
+
+commit d5880c7a8620290a6c90ced7a0e8bd0ad9419601 upstream.
+
+unlock_page() was missing in case of an already in-flight write against the
+same page.
+
+Signed-off-by: Vasily Averin
+Fixes: ff17be086477 ("fuse: writepage: skip already in flight")
+Cc: # v3.13
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1700,6 +1700,7 @@ static int fuse_writepage(struct page *p
+ WARN_ON(wbc->sync_mode == WB_SYNC_ALL);
+
+ redirty_page_for_writepage(wbc, page);
++ unlock_page(page);
+ return 0;
+ }
+
diff --git a/queue-4.19/kvm-x86-always-stop-emulation-on-page-fault.patch b/queue-4.19/kvm-x86-always-stop-emulation-on-page-fault.patch
new file mode 100644
index 00000000000..3ff15d5eac6
--- /dev/null
+++ b/queue-4.19/kvm-x86-always-stop-emulation-on-page-fault.patch 
@@ -0,0 +1,52 @@
+From 8530a79c5a9f4e29e6ffb35ec1a79d81f4968ec8 Mon Sep 17 00:00:00 2001
+From: Jan Dakinevich
+Date: Tue, 27 Aug 2019 13:07:09 +0000
+Subject: KVM: x86: always stop emulation on page fault
+
+From: Jan Dakinevich
+
+commit 8530a79c5a9f4e29e6ffb35ec1a79d81f4968ec8 upstream.
+
+inject_emulated_exception() returns true if and only if nested page
+fault happens. However, page fault can come from guest page tables
+walk, either nested or not nested. In both cases we should stop an
+attempt to read under RIP and give guest to step over its own page
+fault handler.
+
+This is also visible when an emulated instruction causes a #GP fault
+and the VMware backdoor is enabled. To handle the VMware backdoor,
+KVM intercepts #GP faults; with only the next patch applied,
+x86_emulate_instruction() injects a #GP but returns EMULATE_FAIL
+instead of EMULATE_DONE. EMULATE_FAIL causes handle_exception_nmi()
+(or gp_interception() for SVM) to re-inject the original #GP because it
+thinks emulation failed due to a non-VMware opcode. This patch prevents
+the issue as x86_emulate_instruction() will return EMULATE_DONE after
+injecting the #GP.
+
+Fixes: 6ea6e84309ca ("KVM: x86: inject exceptions produced by x86_decode_insn")
+Cc: stable@vger.kernel.org
+Cc: Denis Lunev
+Cc: Roman Kagan
+Cc: Denis Plotnikov
+Signed-off-by: Jan Dakinevich
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6244,8 +6244,10 @@ int x86_emulate_instruction(struct kvm_v
+ if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
+ emulation_type))
+ return EMULATE_DONE;
+- if (ctxt->have_exception && inject_emulated_exception(vcpu))
++ if (ctxt->have_exception) {
++ inject_emulated_exception(vcpu);
+ return EMULATE_DONE;
++ }
+ if (emulation_type & EMULTYPE_SKIP)
+ return EMULATE_FAIL;
+ return handle_emulation_failure(vcpu, emulation_type);
diff --git a/queue-4.19/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch b/queue-4.19/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch
new file mode 100644
index 00000000000..5d4a08f8843
--- /dev/null
+++ b/queue-4.19/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch
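Review bot: The rewritten `if (ctxt->have_exception) {` block in x86_emulate_instruction() now discards the return value of inject_emulated_exception(), and nothing at the call site says why EMULATE_DONE is the right result for a non-nested page fault as well — that rationale lives only in the commit message. A one-line comment above the call, e.g. `/* Stop emulation on any page fault, nested or not, and let the guest run its own handler. */`, would keep the reason visible to the next reader of this branch. x86_emulate_instruction() starts and ends outside the hunk.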
@@ -0,0 +1,75 @@
+From 16cfacc8085782dab8e365979356ce1ca87fd6cc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 3 Sep 2019 16:36:45 -0700
+Subject: KVM: x86: Manually calculate reserved bits when loading PDPTRS
+
+From: Sean Christopherson
+
+commit 16cfacc8085782dab8e365979356ce1ca87fd6cc upstream.
+
+Manually generate the PDPTR reserved bit mask when explicitly loading
+PDPTRs. The reserved bits that are being tracked by the MMU reflect the
+current paging mode, which is unlikely to be PAE paging in the vast
+majority of flows that use load_pdptrs(), e.g. CR0 and CR4 emulation,
+__set_sregs(), etc... This can cause KVM to incorrectly signal a bad
+PDPTR, or more likely, miss a reserved bit check and subsequently fail
+a VM-Enter due to a bad VMCS.GUEST_PDPTR.
+
+Add a one off helper to generate the reserved bits instead of sharing
+code across the MMU's calculations and the PDPTR emulation. The PDPTR
+reserved bits are basically set in stone, and pushing a helper into
+the MMU's calculation adds unnecessary complexity without improving
+readability.
+
+Oppurtunistically fix/update the comment for load_pdptrs().
+
+Note, the buggy commit also introduced a deliberate functional change,
+"Also remove bit 5-6 from rsvd_bits_mask per latest SDM.", which was
+effectively (and correctly) reverted by commit cd9ae5fe47df ("KVM: x86:
+Fix page-tables reserved bits"). A bit of SDM archaeology shows that
+the SDM from late 2008 had a bug (likely a copy+paste error) where it
+listed bits 6:5 as AVL and A for PDPTEs used for 4k entries but reserved
+for 2mb entries. I.e. the SDM contradicted itself, and bits 6:5 are and
+always have been reserved.
+
+Fixes: 20c466b56168d ("KVM: Use rsvd_bits_mask in load_pdptrs()")
+Cc: stable@vger.kernel.org
+Cc: Nadav Amit
+Reported-by: Doug Reiland
+Signed-off-by: Sean Christopherson
+Reviewed-by: Peter Xu
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -581,8 +581,14 @@ static int kvm_read_nested_guest_page(st
+ data, offset, len, access);
+ }
+
++static inline u64 pdptr_rsvd_bits(struct kvm_vcpu *vcpu)
++{
++ return rsvd_bits(cpuid_maxphyaddr(vcpu), 63) | rsvd_bits(5, 8) |
++ rsvd_bits(1, 2);
++}
++
+ /*
+- * Load the pae pdptrs. Return true is they are all valid.
++ * Load the pae pdptrs. Return 1 if they are all valid, 0 otherwise.
+ */
+ int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3)
+ {
+@@ -601,8 +607,7 @@ int load_pdptrs(struct kvm_vcpu *vcpu, s
+ }
+ for (i = 0; i < ARRAY_SIZE(pdpte); ++i) {
+ if ((pdpte[i] & PT_PRESENT_MASK) &&
+- (pdpte[i] &
+- vcpu->arch.mmu.guest_rsvd_check.rsvd_bits_mask[0][2])) {
++ (pdpte[i] & pdptr_rsvd_bits(vcpu))) {
+ ret = 0;
+ goto out;
+ }
diff --git a/queue-4.19/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch b/queue-4.19/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch
new file mode 100644
index 00000000000..5447e6fe389
--- /dev/null
+++ b/queue-4.19/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch
@@ -0,0 +1,53 @@
+From c8848cee74ff05638e913582a476bde879c968ad Mon Sep 17 00:00:00 2001
+From: Jan Dakinevich
+Date: Tue, 27 Aug 2019 13:07:08 +0000
+Subject: KVM: x86: set ctxt->have_exception in x86_decode_insn()
+
+From: Jan Dakinevich
+
+commit c8848cee74ff05638e913582a476bde879c968ad upstream.
+
+x86_emulate_instruction() takes into account ctxt->have_exception flag
+during instruction decoding, but in practice this flag is never set in
+x86_decode_insn().
+
+Fixes: 6ea6e84309ca ("KVM: x86: inject exceptions produced by x86_decode_insn")
+Cc: stable@vger.kernel.org
+Cc: Denis Lunev
+Cc: Roman Kagan
+Cc: Denis Plotnikov
+Signed-off-by: Jan Dakinevich
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 2 ++
+ arch/x86/kvm/x86.c | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5368,6 +5368,8 @@ done_prefixes:
+ ctxt->memopp->addr.mem.ea + ctxt->_eip);
+
+ done:
++ if (rc == X86EMUL_PROPAGATE_FAULT)
++ ctxt->have_exception = true;
+ return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
+ }
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6245,6 +6245,12 @@ int x86_emulate_instruction(struct kvm_v
+ emulation_type))
+ return EMULATE_DONE;
+ if (ctxt->have_exception) {
++ /*
++ * #UD should result in just EMULATION_FAILED, and trap-like
++ * exception should not be encountered during decode.
++ */
++ WARN_ON_ONCE(ctxt->exception.vector == UD_VECTOR ||
++ exception_type(ctxt->exception.vector) == EXCPT_TRAP);
+ inject_emulated_exception(vcpu);
+ return EMULATE_DONE;
+ }
diff --git a/queue-4.19/parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch b/queue-4.19/parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch
new file mode 100644
index 00000000000..b0e7471f695
--- /dev/null
+++ b/queue-4.19/parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch
@@ -0,0 +1,73 @@
+From 5fa1659105fac63e0f3c199b476025c2e04111ce Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Thu, 5 Sep 2019 16:44:17 +0200
+Subject: parisc: Disable HP HSC-PCI Cards to prevent kernel crash
+
+From: Helge Deller
+
+commit 5fa1659105fac63e0f3c199b476025c2e04111ce upstream.
+
+The HP Dino PCI controller chip can be used in two variants: as on-board
+controller (e.g. in B160L), or on an Add-On card ("Card-Mode") to bridge
+PCI components to systems without a PCI bus, e.g. to a HSC/GSC bus. One
+such Add-On card is the HP HSC-PCI Card which has one or more DEC Tulip
+PCI NIC chips connected to the on-card Dino PCI controller.
+
+Dino in Card-Mode has a big disadvantage: All PCI memory accesses need
+to go through the DINO_MEM_DATA register, so Linux drivers will not be
+able to use the ioremap() function. Without ioremap() many drivers will
+not work, one example is the tulip driver which then simply crashes the
+kernel if it tries to access the ports on the HP HSC card.
+
+This patch disables the HP HSC card if it finds one, and as such
+fixes the kernel crash on a HP D350/2 machine.
+
+Signed-off-by: Helge Deller
+Noticed-by: Phil Scarr
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/parisc/dino.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/parisc/dino.c
++++ b/drivers/parisc/dino.c
+@@ -160,6 +160,15 @@ struct dino_device
+ (struct dino_device *)__pdata; })
+
+
++/* Check if PCI device is behind a Card-mode Dino.
*/
++static int pci_dev_is_behind_card_dino(struct pci_dev *dev)
++{
++ struct dino_device *dino_dev;
++
++ dino_dev = DINO_DEV(parisc_walk_tree(dev->bus->bridge));
++ return is_card_dino(&dino_dev->hba.dev->id);
++}
++
+ /*
+ * Dino Configuration Space Accessor Functions
+ */
+@@ -442,6 +451,21 @@ static void quirk_cirrus_cardbus(struct
+ }
+ DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_CIRRUS, PCI_DEVICE_ID_CIRRUS_6832, quirk_cirrus_cardbus );
+
++#ifdef CONFIG_TULIP
++static void pci_fixup_tulip(struct pci_dev *dev)
++{
++ if (!pci_dev_is_behind_card_dino(dev))
++ return;
++ if (!(pci_resource_flags(dev, 1) & IORESOURCE_MEM))
++ return;
++ pr_warn("%s: HP HSC-PCI Cards with card-mode Dino not yet supported.\n",
++ pci_name(dev));
++ /* Disable this card by zeroing the PCI resources */
++ memset(&dev->resource[0], 0, sizeof(dev->resource[0]));
++ memset(&dev->resource[1], 0, sizeof(dev->resource[1]));
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_DEC, PCI_ANY_ID, pci_fixup_tulip);
++#endif /* CONFIG_TULIP */
+
+ static void __init
+ dino_bios_init(void)
diff --git a/queue-4.19/powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch b/queue-4.19/powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch
new file mode 100644
index 00000000000..dbb179e737b
--- /dev/null
+++ b/queue-4.19/powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch
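Review bot: The new pci_dev_is_behind_card_dino() passes the result of `parisc_walk_tree(dev->bus->bridge)` straight through `DINO_DEV()` and then dereferences `dino_dev->hba.dev->id`; only the last line of the DINO_DEV() macro is visible in this hunk, so whether a NULL walk result is rejected there cannot be confirmed from the patch, and if it is not, a device on an unexpected bus topology would make a fixup whose purpose is to prevent a crash crash itself. A guard such as `if (!dino_dev) return 0;` before the `is_card_dino()` call (or a NULL check on the walk result ahead of DINO_DEV(), if the macro asserts) keeps the fixup harmless in that case. Separately, `DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_DEC, PCI_ANY_ID, pci_fixup_tulip);` runs the fixup for every DEC vendor device, not only Tulip NICs; the card-mode and BAR1 checks narrow it, but a comment above the declaration such as `/* Matches all DEC devices; only those behind a card-mode Dino with a memory BAR1 are disabled. */` would make that intent explicit.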
@@ -0,0 +1,107 @@
+From 41ba17f20ea835c489e77bd54e2da73184e22060 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan
+Date: Tue, 27 Aug 2019 15:46:35 +0530
+Subject: powerpc/imc: Dont create debugfs files for cpu-less nodes
+
+From: Madhavan Srinivasan
+
+commit 41ba17f20ea835c489e77bd54e2da73184e22060 upstream.
+
+Commit <684d984038aa> ('powerpc/powernv: Add debugfs interface for
+imc-mode and imc') added debugfs interface for the nest imc pmu
+devices to support changing of different ucode modes. Primarily adding
+this capability for debug. But when doing so, the code did not
+consider the case of cpu-less nodes. So when reading the _cmd_ or
+_mode_ file of a cpu-less node will create this crash.
+
+ Faulting instruction address: 0xc0000000000d0d58
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ ...
+ CPU: 67 PID: 5301 Comm: cat Not tainted 5.2.0-rc6-next-20190627+ #19
+ NIP: c0000000000d0d58 LR: c00000000049aa18 CTR:c0000000000d0d50
+ REGS: c00020194548f9e0 TRAP: 0300 Not tainted (5.2.0-rc6-next-20190627+)
+ MSR: 9000000000009033 CR:28022822 XER: 00000000
+ CFAR: c00000000049aa14 DAR: 000000000003fc08 DSISR:40000000 IRQMASK: 0
+ ...
+ NIP imc_mem_get+0x8/0x20
+ LR simple_attr_read+0x118/0x170
+ Call Trace:
+ simple_attr_read+0x70/0x170 (unreliable)
+ debugfs_attr_read+0x6c/0xb0
+ __vfs_read+0x3c/0x70
+ vfs_read+0xbc/0x1a0
+ ksys_read+0x7c/0x140
+ system_call+0x5c/0x70
+
+Patch fixes the issue with a more robust check for vbase to NULL.
+
+Before patch, ls output for the debugfs imc directory
+
+ # ls /sys/kernel/debug/powerpc/imc/
+ imc_cmd_0 imc_cmd_251 imc_cmd_253 imc_cmd_255 imc_mode_0 imc_mode_251 imc_mode_253 imc_mode_255
+ imc_cmd_250 imc_cmd_252 imc_cmd_254 imc_cmd_8 imc_mode_250 imc_mode_252 imc_mode_254 imc_mode_8
+
+After patch, ls output for the debugfs imc directory
+
+ # ls /sys/kernel/debug/powerpc/imc/
+ imc_cmd_0 imc_cmd_8 imc_mode_0 imc_mode_8
+
+Actual bug here is that, we have two loops with potentially different
+loop counts.
That is, in imc_get_mem_addr_nest(), loop count is
+obtained from the dt entries. But in case of export_imc_mode_and_cmd(),
+loop was based on for_each_nid() count. Patch fixes the loop count in
+latter based on the struct mem_info. Ideally it would be better to
+have array size in struct imc_pmu.
+
+Fixes: 684d984038aa ('powerpc/powernv: Add debugfs interface for imc-mode and imc')
+Reported-by: Qian Cai
+Suggested-by: Michael Ellerman
+Signed-off-by: Madhavan Srinivasan
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20190827101635.6942-1-maddy@linux.vnet.ibm.com
+Cc: Jan Stancek
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/platforms/powernv/opal-imc.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-imc.c
++++ b/arch/powerpc/platforms/powernv/opal-imc.c
+@@ -57,9 +57,9 @@ static void export_imc_mode_and_cmd(stru
+ struct imc_pmu *pmu_ptr)
+ {
+ static u64 loc, *imc_mode_addr, *imc_cmd_addr;
+- int chip = 0, nid;
+ char mode[16], cmd[16];
+ u32 cb_offset;
++ struct imc_mem_info *ptr = pmu_ptr->mem_info;
+
+ imc_debugfs_parent = debugfs_create_dir("imc", powerpc_debugfs_root);
+
+@@ -73,20 +73,20 @@ static void export_imc_mode_and_cmd(stru
+ if (of_property_read_u32(node, "cb_offset", &cb_offset))
+ cb_offset = IMC_CNTL_BLK_OFFSET;
+
+- for_each_node(nid) {
+- loc = (u64)(pmu_ptr->mem_info[chip].vbase) + cb_offset;
++ while (ptr->vbase != NULL) {
++ loc = (u64)(ptr->vbase) + cb_offset;
+ imc_mode_addr = (u64 *)(loc + IMC_CNTL_BLK_MODE_OFFSET);
+- sprintf(mode, "imc_mode_%d", nid);
++ sprintf(mode, "imc_mode_%d", (u32)(ptr->id));
+ if (!imc_debugfs_create_x64(mode, 0600, imc_debugfs_parent,
+ imc_mode_addr))
+ goto err;
+
+ imc_cmd_addr = (u64 *)(loc + IMC_CNTL_BLK_CMD_OFFSET);
+- sprintf(cmd, "imc_cmd_%d", nid);
++ sprintf(cmd, "imc_cmd_%d", (u32)(ptr->id));
+ if (!imc_debugfs_create_x64(cmd, 0600, imc_debugfs_parent,
+ imc_cmd_addr))
+ goto err;
+- chip++;
++ ptr++;
+ }
+
+ return;
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 2888902c5a3..4dedb509d59 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -160,3 +160,9 @@ ceph-use-ceph_evict_inode-to-cleanup-inode-s-resourc.patch
 alsa-hda-realtek-pci-quirk-for-medion-e4254.patch
 blk-mq-add-callback-of-.cleanup_rq.patch
 scsi-implement-.cleanup_rq-callback.patch
+powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch
+fuse-fix-missing-unlock_page-in-fuse_writepage.patch
+parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch
+kvm-x86-always-stop-emulation-on-page-fault.patch
+kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch
+kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch
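Review bot: The new `sprintf(mode, "imc_mode_%d", (u32)(ptr->id));` and `sprintf(cmd, "imc_cmd_%d", (u32)(ptr->id));` lines in the second opal-imc.c hunk format into the 16-byte `mode`/`cmd` stack buffers declared in the first hunk, but "imc_mode_" (9 characters) plus a u32 printed through `%d` (up to 11 characters, negative if the top bit is set) plus the terminator needs 21 bytes, so an id that does not fit in six digits overflows the buffer; the old `nid` from for_each_node() was presumably small, whereas `ptr->id` comes from the mem_info table whose range is not visible here. Using `%d` for a `u32` is also a format/argument mismatch. I would write `snprintf(mode, sizeof(mode), "imc_mode_%u", (u32)(ptr->id));` and `snprintf(cmd, sizeof(cmd), "imc_cmd_%u", (u32)(ptr->id));`, or enlarge the buffers. The rewritten loop also depends on the mem_info array being terminated by an entry whose `vbase` is NULL, which the commit message acknowledges as a stopgap; a comment above `while (ptr->vbase != NULL) {` such as `/* mem_info is terminated by an entry with vbase == NULL */` would make that contract visible at the loop. export_imc_mode_and_cmd() continues past the hunk (its `err:` path is outside).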