From: Greg Kroah-Hartman
Date: Wed, 14 Aug 2019 14:51:44 +0000 (+0200)
Subject: 5.2-stable patches
X-Git-Tag: v5.2.9~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a88e79dd97c2c17543b990c9dc3649a04c9be05;p=thirdparty%2Fkernel%2Fstable-queue.git
5.2-stable patches
added patches:
alsa-usb-audio-fix-a-memory-leak-bug.patch
hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
kvm-nsvm-properly-map-nested-vmcb.patch
---
diff --git a/queue-5.2/alsa-usb-audio-fix-a-memory-leak-bug.patch b/queue-5.2/alsa-usb-audio-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..dd1e893ab9f
--- /dev/null
+++ b/queue-5.2/alsa-usb-audio-fix-a-memory-leak-bug.patch
@@ -0,0 +1,36 @@
+From a67060201b746a308b1674f66bf289c9faef6d09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Tue, 6 Aug 2019 03:00:27 -0400
+Subject: ALSA: usb-audio: fix a memory leak bug
+
+From: Wenwen Wang
+
+commit a67060201b746a308b1674f66bf289c9faef6d09 upstream.
+
+In snd_usb_get_audioformat_uac3(), a structure for channel maps 'chmap' is
+allocated through kzalloc() before the execution goto 'found_clock'.
+However, this structure is not deallocated if the memory allocation for
+'pd' fails, leading to a memory leak bug.
+
+To fix the above issue, free 'fp->chmap' before returning NULL.
+
+Fixes: 7edf3b5e6a45 ("ALSA: usb-audio: AudioStreaming Power Domain parsing")
+Signed-off-by: Wenwen Wang
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/stream.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -1043,6 +1043,7 @@ found_clock:
+
+ pd = kzalloc(sizeof(*pd), GFP_KERNEL);
+ if (!pd) {
++ kfree(fp->chmap);
+ kfree(fp->rate_table);
+ kfree(fp);
+ return NULL;
diff --git a/queue-5.2/hid-sony-fix-race-condition-between-rumble-and-device-remove.patch b/queue-5.2/hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
new file mode 100644
index 00000000000..b941dcb374c
--- /dev/null
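Review bot: The new `kfree(fp->chmap)` handles only the `!pd` failure after `found_clock:`; since `chmap` is allocated before the jump to that label, any later failure return in snd_usb_get_audioformat_uac3() — the function continues outside the hunk — would leak it the same way unless it already releases `fp->chmap`, which is worth confirming. The ordering here is right: the members `chmap` and `rate_table` are freed before `fp` itself, and `kfree()` tolerates NULL, so the path where `chmap` was never allocated is unaffected. A comment such as `/* fp owns chmap and rate_table; release them before fp itself */` would make the ownership explicit for the next error path someone adds.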
+++ b/queue-5.2/hid-sony-fix-race-condition-between-rumble-and-device-remove.patch 
@@ -0,0 +1,79 @@
+From e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander
+Date: Fri, 2 Aug 2019 15:50:19 -0700
+Subject: HID: sony: Fix race condition between rumble and device remove.
+
+From: Roderick Colenbrander
+
+commit e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 upstream.
+
+Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
+gamepad while rumble is enabled. This issue is reproducible with a
+frequency of 1 in 3 times in the game Borderlands 2 when using an
+automatic weapon, which triggers many rumble operations.
+
+We found the issue to be a race condition between sony_remove and the
+final device destruction by the HID / input system. The problem was
+that sony_remove didn't clean some of its work_item state in
+"struct sony_sc". After sony_remove work, the corresponding evdev
+node was around for sufficient time for applications to still queue
+rumble work after "sony_remove".
+
+On pre-4.19 kernels the race condition caused a kernel crash due to a
+NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
+sony_remove. On newer kernels this crash doesn't happen due the buffer
+now being allocated using devm_kzalloc. However we can still queue work,
+while the driver is an undefined state.
+
+This patch fixes the described problem, by guarding the work_item
+"state_worker" with an initialized variable, which we are setting back
+to 0 on cleanup.
+
+Signed-off-by: Roderick Colenbrander
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-sony.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -585,10 +585,14 @@ static void sony_set_leds(struct sony_sc
+ static inline void sony_schedule_work(struct sony_sc *sc,
+ enum sony_worker which)
+ {
++ unsigned long flags;
++
+ switch (which) {
+ case SONY_WORKER_STATE:
+- if (!sc->defer_initialization)
++ spin_lock_irqsave(&sc->lock, flags);
++ if (!sc->defer_initialization && sc->state_worker_initialized)
+ schedule_work(&sc->state_worker);
++ spin_unlock_irqrestore(&sc->lock, flags);
+ break;
+ case SONY_WORKER_HOTPLUG:
+ if (sc->hotplug_worker_initialized)
+@@ -2558,13 +2562,18 @@ static inline void sony_init_output_repo
+
+ static inline void sony_cancel_work_sync(struct sony_sc *sc)
+ {
++ unsigned long flags;
++
+ if (sc->hotplug_worker_initialized)
+ cancel_work_sync(&sc->hotplug_worker);
+- if (sc->state_worker_initialized)
++ if (sc->state_worker_initialized) {
++ spin_lock_irqsave(&sc->lock, flags);
++ sc->state_worker_initialized = 0;
++ spin_unlock_irqrestore(&sc->lock, flags);
+ cancel_work_sync(&sc->state_worker);
++ }
+ }
+
+- static int sony_input_configured(struct hid_device *hdev,
+ struct hid_input *hidinput)
+ {
diff --git a/queue-5.2/kvm-nsvm-properly-map-nested-vmcb.patch b/queue-5.2/kvm-nsvm-properly-map-nested-vmcb.patch
new file mode 100644
index 00000000000..e0d16ddfd0a
--- /dev/null
+++ b/queue-5.2/kvm-nsvm-properly-map-nested-vmcb.patch
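Review bot: The `SONY_WORKER_HOTPLUG` case of sony_schedule_work() still reads `sc->hotplug_worker_initialized` outside `sc->lock`, and sony_cancel_work_sync() cancels `hotplug_worker` without clearing that flag, so the schedule-after-cancel window this patch closes for `state_worker` stays open for the hotplug worker if anything can still call sony_schedule_work(..., SONY_WORKER_HOTPLUG) once removal has started; whether such a caller exists is not visible here. If it can, mirror the state-worker handling — clear the flag under the lock before the cancel, and take the lock around the hotplug check too (its `schedule_work()` line lies outside the first hunk). The clear-under-lock then `cancel_work_sync()` ordering for `state_worker` is sound, because any scheduler that saw the flag set queued the work while holding the lock, and the later cancel reaps it. A comment on the store would help the next reader, e.g. `/* cleared under sc->lock so sony_schedule_work() cannot requeue state_worker after this point */`.
```c
static inline void sony_cancel_work_sync(struct sony_sc *sc)
{
	unsigned long flags;

	if (sc->hotplug_worker_initialized) {
		spin_lock_irqsave(&sc->lock, flags);
		sc->hotplug_worker_initialized = 0;
		spin_unlock_irqrestore(&sc->lock, flags);
		cancel_work_sync(&sc->hotplug_worker);
	}
	/* … unchanged: state_worker flag clear under sc->lock and cancel_work_sync … */
}
```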
@@ -0,0 +1,44 @@
+From 8f38302c0be2d2daf3b40f7d2142ec77e35d209e Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Tue, 4 Jun 2019 18:09:39 +0200
+Subject: KVM/nSVM: properly map nested VMCB
+
+From: Vitaly Kuznetsov
+
+commit 8f38302c0be2d2daf3b40f7d2142ec77e35d209e upstream.
+
+Commit 8c5fbf1a7231 ("KVM/nSVM: Use the new mapping API for mapping guest
+memory") broke nested SVM completely: kvm_vcpu_map()'s second parameter is
+GFN so vmcb_gpa needs to be converted with gpa_to_gfn(), not the other way
+around.
+
+Fixes: 8c5fbf1a7231 ("KVM/nSVM: Use the new mapping API for mapping guest memory")
+Signed-off-by: Vitaly Kuznetsov
+Reviewed-by: Sean Christopherson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/svm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3290,7 +3290,7 @@ static int nested_svm_vmexit(struct vcpu
+ vmcb->control.exit_int_info_err,
+ KVM_ISA_SVM);
+
+- rc = kvm_vcpu_map(&svm->vcpu, gfn_to_gpa(svm->nested.vmcb), &map);
++ rc = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(svm->nested.vmcb), &map);
+ if (rc) {
+ if (rc == -EINVAL)
+ kvm_inject_gp(&svm->vcpu, 0);
+@@ -3580,7 +3580,7 @@ static bool nested_svm_vmrun(struct vcpu
+
+ vmcb_gpa = svm->vmcb->save.rax;
+
+- rc = kvm_vcpu_map(&svm->vcpu, gfn_to_gpa(vmcb_gpa), &map);
++ rc = kvm_vcpu_map(&svm->vcpu, gpa_to_gfn(vmcb_gpa), &map);
+ if (rc) {
+ if (rc == -EINVAL)
+ kvm_inject_gp(&svm->vcpu, 0);
diff --git a/queue-5.2/series b/queue-5.2/series
index e543fabd46c..b8ef9efa50b 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
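Review bot: Both fixed call sites pass `gpa_to_gfn()`, which drops the low 12 bits of the address, so a VMCB pointer that is not page-aligned would be silently mapped from the start of its page rather than rejected; in nested_svm_vmrun() that address comes straight from the guest's `save.rax`, and whether alignment is checked before this point is outside the hunk and worth confirming, since the `-EINVAL` branch here only reports a map failure. The same holds for the nested_svm_vmexit() site using `svm->nested.vmcb`. A short comment at either call would stop the inverted conversion from creeping back, e.g. `/* kvm_vcpu_map() takes a GFN; gpa_to_gfn() discards the page offset */`. Both functions continue outside their hunks.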
@@ -115,3 +115,6 @@ perf-x86-apply-more-accurate-check-on-hypervisor-pla.patch
 perf-core-fix-creating-kernel-counters-for-pmus-that.patch
 s390-dma-provide-proper-arch_zone_dma_bits-value.patch
 gen_compile_commands-lower-the-entry-count-threshold.patch
+hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
+alsa-usb-audio-fix-a-memory-leak-bug.patch
+kvm-nsvm-properly-map-nested-vmcb.patch