From: Greg Kroah-Hartman Date: Sun, 19 Nov 2017 11:51:18 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.83~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3be0e3f1e09d8e2e529f0af7ead691a6538ca14a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch crypto-dh-don-t-permit-p-to-be-0.patch usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch usb-usbfs-compute-urb-actual_length-for-isochronous.patch x86-mce-amd-always-give-panic-severity-for-uc-errors-in-kernel-context.patch --- diff --git a/queue-4.9/crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch b/queue-4.9/crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch new file mode 100644 index 00000000000..70c3d41d0af --- /dev/null +++ b/queue-4.9/crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch @@ -0,0 +1,44 @@ +From ccd9888f14a8019c0bbdeeae758aba1f58693712 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 5 Nov 2017 18:30:46 -0800 +Subject: crypto: dh - Don't permit 'key' or 'g' size longer than 'p' + +From: Eric Biggers + +commit ccd9888f14a8019c0bbdeeae758aba1f58693712 upstream. + +The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied +into a buffer with size 'p_size'. However it was never checked that +that was actually the case, which most likely allowed users to cause a +buffer underflow via KEYCTL_DH_COMPUTE. + +Fix this by updating crypto_dh_decode_key() to verify this precondition +for all DH implementations. + +Fixes: c9839143ebbf ("crypto: qat - Add DH support") +Signed-off-by: Eric Biggers +Reviewed-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/dh_helper.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/crypto/dh_helper.c ++++ b/crypto/dh_helper.c +@@ -83,6 +83,14 @@ int crypto_dh_decode_key(const char *buf + if (secret.len != crypto_dh_key_len(params)) + return -EINVAL; + ++ /* ++ * Don't permit the buffer for 'key' or 'g' to be larger than 'p', since ++ * some drivers assume otherwise. ++ */ ++ if (params->key_size > params->p_size || ++ params->g_size > params->p_size) ++ return -EINVAL; ++ + /* Don't allocate memory. Set pointers to data within + * the given buffer + */ diff --git a/queue-4.9/crypto-dh-don-t-permit-p-to-be-0.patch b/queue-4.9/crypto-dh-don-t-permit-p-to-be-0.patch new file mode 100644 index 00000000000..5492d2c8ea0 --- /dev/null +++ b/queue-4.9/crypto-dh-don-t-permit-p-to-be-0.patch @@ -0,0 +1,81 @@ +From 199512b1234f09e44d592153ec82b44212b2f0c4 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 5 Nov 2017 18:30:45 -0800 +Subject: crypto: dh - Don't permit 'p' to be 0 + +From: Eric Biggers + +commit 199512b1234f09e44d592153ec82b44212b2f0c4 upstream. + +If 'p' is 0 for the software Diffie-Hellman implementation, then +dh_max_size() returns 0. In the case of KEYCTL_DH_COMPUTE, this causes +ZERO_SIZE_PTR to be passed to sg_init_one(), which with +CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in +sg_set_buf(). + +Fix this by making crypto_dh_decode_key() reject 0 for 'p'. p=0 makes +no sense for any DH implementation because 'p' is supposed to be a prime +number. Moreover, 'mod 0' is not mathematically defined. + +Bug report: + + kernel BUG at ./include/linux/scatterlist.h:140! + invalid opcode: 0000 [#1] SMP KASAN + CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014 + task: ffff88006caac0c0 task.stack: ffff88006c7c8000 + RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline] + RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 + RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216 + RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee + RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0 + RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30 + R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30 + R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50 + FS: 00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0 + Call Trace: + __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360 + keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434 + SYSC_keyctl security/keys/keyctl.c:1745 [inline] + SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641 + entry_SYSCALL_64_fastpath+0x1f/0xbe + RIP: 0033:0x4585c9 + RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa + RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9 + RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017 + RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde + R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000 + Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20 + RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08 + RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08 + +Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation") +Reviewed-by: Tudor Ambarus +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/dh_helper.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/crypto/dh_helper.c ++++ b/crypto/dh_helper.c +@@ -90,6 +90,14 @@ int crypto_dh_decode_key(const char *buf + params->p = (void *)(ptr + params->key_size); + params->g = (void *)(ptr + params->key_size + params->p_size); + ++ /* ++ * Don't permit 'p' to be 0. It's not a prime number, and it's subject ++ * to corner cases such as 'mod 0' being undefined or ++ * crypto_kpp_maxsize() returning 0. ++ */ ++ if (memchr_inv(params->p, 0, params->p_size) == NULL) ++ return -EINVAL; ++ + return 0; + } + EXPORT_SYMBOL_GPL(crypto_dh_decode_key); diff --git a/queue-4.9/series b/queue-4.9/series index d98b3928439..8af9908633c 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -59,3 +59,12 @@ uapi-fix-linux-rds.h-userspace-compilation-error.patch uapi-fix-linux-rds.h-userspace-compilation-errors.patch revert-dt-bindings-add-vendor-prefix-for-lego.patch revert-dt-bindings-add-lego-mindstorms-ev3-compatible-specification.patch +crypto-dh-don-t-permit-p-to-be-0.patch +crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch +usb-usbfs-compute-urb-actual_length-for-isochronous.patch +usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch +usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch +usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch +usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch +usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch +x86-mce-amd-always-give-panic-severity-for-uc-errors-in-kernel-context.patch diff --git a/queue-4.9/usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch b/queue-4.9/usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch new file mode 100644 index 00000000000..64ea49fd8a1 --- /dev/null +++ b/queue-4.9/usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch @@ -0,0 +1,33 @@ +From a0fea6027f19c62727315aba1a7fae75a9caa842 Mon Sep 17 00:00:00 2001 +From: Bernhard Rosenkraenzer +Date: Fri, 3 Nov 2017 16:46:02 +0100 +Subject: USB: Add delay-init quirk for Corsair K70 LUX keyboards + +From: Bernhard Rosenkraenzer + +commit a0fea6027f19c62727315aba1a7fae75a9caa842 upstream. + +Without this patch, K70 LUX keyboards don't work, saying +usb 3-3: unable to read config index 0 descriptor/all +usb 3-3: can't read configurations, error -110 +usb usb3-port3: unable to enumerate USB device + +Signed-off-by: Bernhard Rosenkraenzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -221,6 +221,9 @@ static const struct usb_device_id usb_qu + /* Corsair Strafe RGB */ + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + ++ /* Corsair K70 LUX */ ++ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* MIDI keyboard WORLDE MINI */ + { USB_DEVICE(0x1c75, 0x0204), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, diff --git a/queue-4.9/usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch b/queue-4.9/usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch new file mode 100644 index 00000000000..60e1b05c1cf --- /dev/null +++ b/queue-4.9/usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch @@ -0,0 +1,47 @@ +From cdafb6d8b8da7fde266f79b3287ac221aa841879 Mon Sep 17 00:00:00 2001 +From: Andrew Gabbasov +Date: Wed, 8 Nov 2017 10:13:15 -0700 +Subject: usb: gadget: f_fs: Fix use-after-free in ffs_free_inst + +From: Andrew Gabbasov + +commit cdafb6d8b8da7fde266f79b3287ac221aa841879 upstream. + +KASAN enabled configuration reports an error + +BUG: KASAN: use-after-free in ffs_free_inst+... [usb_f_fs] at addr ... +Write of size 8 by task ... + +This is observed after "ffs-test" is run and interrupted. If after that +functionfs is unmounted and g_ffs module is unloaded, that use-after-free +occurs during g_ffs module removal. + +Although the report indicates ffs_free_inst() function, the actual +use-after-free condition occurs in _ffs_free_dev() function, which +is probably inlined into ffs_free_inst(). + +This happens due to keeping the ffs_data reference in device structure +during functionfs unmounting, while ffs_data itself is freed as no longer +needed. The fix is to clear that reference in ffs_closed() function, +which is a counterpart of ffs_ready(), where the reference is stored. + +Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference") +Signed-off-by: Andrew Gabbasov +Acked-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3698,6 +3698,7 @@ static void ffs_closed(struct ffs_data * + goto done; + + ffs_obj->desc_ready = false; ++ ffs_obj->ffs_data = NULL; + + if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) && + ffs_obj->ffs_closed_callback) diff --git a/queue-4.9/usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch b/queue-4.9/usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch new file mode 100644 index 00000000000..246245740fa --- /dev/null +++ b/queue-4.9/usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch @@ -0,0 +1,105 @@ +From 19a565d9af6e0d828bd0d521d3bafd5017f4ce52 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 11 Oct 2017 14:02:57 +0200 +Subject: USB: serial: garmin_gps: fix I/O after failed probe and remove + +From: Johan Hovold + +commit 19a565d9af6e0d828bd0d521d3bafd5017f4ce52 upstream. + +Make sure to stop any submitted interrupt and bulk-out URBs before +returning after failed probe and when the port is being unbound to avoid +later NULL-pointer dereferences in the completion callbacks. + +Also fix up the related and broken I/O cancellation on failed open and +on close. (Note that port->write_urb was never submitted.) + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/garmin_gps.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/garmin_gps.c ++++ b/drivers/usb/serial/garmin_gps.c +@@ -138,6 +138,7 @@ struct garmin_data { + __u8 privpkt[4*6]; + spinlock_t lock; + struct list_head pktlist; ++ struct usb_anchor write_urbs; + }; + + +@@ -905,7 +906,7 @@ static int garmin_init_session(struct us + sizeof(GARMIN_START_SESSION_REQ), 0); + + if (status < 0) +- break; ++ goto err_kill_urbs; + } + + if (status > 0) +@@ -913,6 +914,12 @@ static int garmin_init_session(struct us + } + + return status; ++ ++err_kill_urbs: ++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs); ++ usb_kill_urb(port->interrupt_in_urb); ++ ++ return status; + } + + +@@ -930,7 +937,6 @@ static int garmin_open(struct tty_struct + spin_unlock_irqrestore(&garmin_data_p->lock, flags); + + /* shutdown any bulk reads that might be going on */ +- usb_kill_urb(port->write_urb); + usb_kill_urb(port->read_urb); + + if (garmin_data_p->state == STATE_RESET) +@@ -953,7 +959,7 @@ static void garmin_close(struct usb_seri + + /* shutdown our urbs */ + usb_kill_urb(port->read_urb); +- usb_kill_urb(port->write_urb); ++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs); + + /* keep reset state so we know that we must start a new session */ + if (garmin_data_p->state != STATE_RESET) +@@ -1037,12 +1043,14 @@ static int garmin_write_bulk(struct usb_ + } + + /* send it down the pipe */ ++ usb_anchor_urb(urb, &garmin_data_p->write_urbs); + status = usb_submit_urb(urb, GFP_ATOMIC); + if (status) { + dev_err(&port->dev, + "%s - usb_submit_urb(write bulk) failed with status = %d\n", + __func__, status); + count = status; ++ usb_unanchor_urb(urb); + kfree(buffer); + } + +@@ -1401,6 +1409,7 @@ static int garmin_port_probe(struct usb_ + garmin_data_p->state = 0; + garmin_data_p->flags = 0; + garmin_data_p->count = 0; ++ init_usb_anchor(&garmin_data_p->write_urbs); + usb_set_serial_port_data(port, garmin_data_p); + + status = garmin_init_session(port); +@@ -1413,6 +1422,7 @@ static int garmin_port_remove(struct usb + { + struct garmin_data *garmin_data_p = usb_get_serial_port_data(port); + ++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs); + usb_kill_urb(port->interrupt_in_urb); + del_timer_sync(&garmin_data_p->timer); + kfree(garmin_data_p); diff --git a/queue-4.9/usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch b/queue-4.9/usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch new file mode 100644 index 00000000000..bbc56e0bf12 --- /dev/null +++ b/queue-4.9/usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch @@ -0,0 +1,36 @@ +From 74d471b598444b7f2d964930f7234779c80960a0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 11 Oct 2017 14:02:58 +0200 +Subject: USB: serial: garmin_gps: fix memory leak on probe errors + +From: Johan Hovold + +commit 74d471b598444b7f2d964930f7234779c80960a0 upstream. + +Make sure to free the port private data before returning after a failed +probe attempt. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/garmin_gps.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/garmin_gps.c ++++ b/drivers/usb/serial/garmin_gps.c +@@ -1413,6 +1413,12 @@ static int garmin_port_probe(struct usb_ + usb_set_serial_port_data(port, garmin_data_p); + + status = garmin_init_session(port); ++ if (status) ++ goto err_free; ++ ++ return 0; ++err_free: ++ kfree(garmin_data_p); + + return status; + } diff --git a/queue-4.9/usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch b/queue-4.9/usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch new file mode 100644 index 00000000000..7c49d52be99 --- /dev/null +++ b/queue-4.9/usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch @@ -0,0 +1,30 @@ +From 771394a54148f18926ca86414e51c69eda27d0cd Mon Sep 17 00:00:00 2001 +From: Douglas Fischer +Date: Sun, 29 Oct 2017 23:29:55 +0000 +Subject: USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update + +From: Douglas Fischer + +commit 771394a54148f18926ca86414e51c69eda27d0cd upstream. + +Add USB PID/VID for Sierra Wireless EM7355 LTE modem QDL firmware update +mode. + +Signed-off-by: Douglas Fischer +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/qcserial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -148,6 +148,7 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x1199, 0x68a2)}, /* Sierra Wireless MC7710 */ + {DEVICE_SWI(0x1199, 0x68c0)}, /* Sierra Wireless MC7304/MC7354 */ + {DEVICE_SWI(0x1199, 0x901c)}, /* Sierra Wireless EM7700 */ ++ {DEVICE_SWI(0x1199, 0x901e)}, /* Sierra Wireless EM7355 QDL */ + {DEVICE_SWI(0x1199, 0x901f)}, /* Sierra Wireless EM7355 */ + {DEVICE_SWI(0x1199, 0x9040)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9041)}, /* Sierra Wireless MC7305/MC7355 */ diff --git a/queue-4.9/usb-usbfs-compute-urb-actual_length-for-isochronous.patch b/queue-4.9/usb-usbfs-compute-urb-actual_length-for-isochronous.patch new file mode 100644 index 00000000000..5341f3db0f2 --- /dev/null +++ b/queue-4.9/usb-usbfs-compute-urb-actual_length-for-isochronous.patch @@ -0,0 +1,69 @@ +From 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 8 Nov 2017 12:23:17 -0500 +Subject: USB: usbfs: compute urb->actual_length for isochronous + +From: Alan Stern + +commit 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 upstream. + +The USB kerneldoc says that the actual_length field "is read in +non-iso completion functions", but the usbfs driver uses it for all +URB types in processcompl(). Since not all of the host controller +drivers set actual_length for isochronous URBs, programs using usbfs +with some host controllers don't work properly. For example, Minas +reports that a USB camera controlled by libusb doesn't work properly +with a dwc2 controller. + +It doesn't seem worthwhile to change the HCDs and the documentation, +since the in-kernel USB class drivers evidently don't rely on +actual_length for isochronous transfers. The easiest solution is for +usbfs to calculate the actual_length value for itself, by adding up +the lengths of the individual packets in an isochronous transfer. + +Signed-off-by: Alan Stern +CC: Minas Harutyunyan +Reported-and-tested-by: wlf +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1838,6 +1838,18 @@ static int proc_unlinkurb(struct usb_dev + return 0; + } + ++static void compute_isochronous_actual_length(struct urb *urb) ++{ ++ unsigned int i; ++ ++ if (urb->number_of_packets > 0) { ++ urb->actual_length = 0; ++ for (i = 0; i < urb->number_of_packets; i++) ++ urb->actual_length += ++ urb->iso_frame_desc[i].actual_length; ++ } ++} ++ + static int processcompl(struct async *as, void __user * __user *arg) + { + struct urb *urb = as->urb; +@@ -1845,6 +1857,7 @@ static int processcompl(struct async *as + void __user *addr = as->userurb; + unsigned int i; + ++ compute_isochronous_actual_length(urb); + if (as->userbuffer && urb->actual_length) { + if (copy_urb_data_to_user(as->userbuffer, urb)) + goto err_out; +@@ -2019,6 +2032,7 @@ static int processcompl_compat(struct as + void __user *addr = as->userurb; + unsigned int i; + ++ compute_isochronous_actual_length(urb); + if (as->userbuffer && urb->actual_length) { + if (copy_urb_data_to_user(as->userbuffer, urb)) + return -EFAULT; diff --git a/queue-4.9/x86-mce-amd-always-give-panic-severity-for-uc-errors-in-kernel-context.patch b/queue-4.9/x86-mce-amd-always-give-panic-severity-for-uc-errors-in-kernel-context.patch new file mode 100644 index 00000000000..147942ba4a3 --- /dev/null +++ b/queue-4.9/x86-mce-amd-always-give-panic-severity-for-uc-errors-in-kernel-context.patch @@ -0,0 +1,67 @@ +From d65dfc81bb3894fdb68cbc74bbf5fb48d2354071 Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Mon, 6 Nov 2017 18:46:32 +0100 +Subject: x86/MCE/AMD: Always give panic severity for UC errors in kernel context + +From: Yazen Ghannam + +commit d65dfc81bb3894fdb68cbc74bbf5fb48d2354071 upstream. + +The AMD severity grading function was introduced in kernel 4.1. The +current logic can possibly give MCE_AR_SEVERITY for uncorrectable +errors in kernel context. The system may then get stuck in a loop as +memory_failure() will try to handle the bad kernel memory and find it +busy. + +Return MCE_PANIC_SEVERITY for all UC errors IN_KERNEL context on AMD +systems. + +After: + + b2f9d678e28c ("x86/mce: Check for faults tagged in EXTABLE_CLASS_FAULT exception table entries") + +was accepted in v4.6, this issue was masked because of the tail-end attempt +at kernel mode recovery in the #MC handler. + +However, uncorrectable errors IN_KERNEL context should always be considered +unrecoverable and cause a panic. + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: linux-edac +Fixes: bf80bbd7dcf5 (x86/mce: Add an AMD severities-grading function) +Link: http://lkml.kernel.org/r/20171106174633.13576-1-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce-severity.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce-severity.c ++++ b/arch/x86/kernel/cpu/mcheck/mce-severity.c +@@ -245,6 +245,9 @@ static int mce_severity_amd(struct mce * + + if (m->status & MCI_STATUS_UC) { + ++ if (ctx == IN_KERNEL) ++ return MCE_PANIC_SEVERITY; ++ + /* + * On older systems where overflow_recov flag is not present, we + * should simply panic if an error overflow occurs. If +@@ -255,10 +258,6 @@ static int mce_severity_amd(struct mce * + if (mce_flags.smca) + return mce_severity_amd_smca(m, ctx); + +- /* software can try to contain */ +- if (!(m->mcgstatus & MCG_STATUS_RIPV) && (ctx == IN_KERNEL)) +- return MCE_PANIC_SEVERITY; +- + /* kill current process */ + return MCE_AR_SEVERITY; + } else {