From: Greg Kroah-Hartman Date: Mon, 3 Dec 2018 10:24:03 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.7~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=769f29c488817c5085d6c29d7f19f6660fd84bca;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch alsa-control-fix-race-between-adding-and-removing-a-user-element.patch alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch btrfs-ensure-path-name-is-null-terminated-at-btrfs_control_ioctl.patch fs-fix-lost-error-code-in-dio_complete.patch kvm-mmu-fix-race-in-emulated-page-table-writes.patch kvm-svm-ensure-an-ibpb-on-all-affected-cpus-when-freeing-a-vmcb.patch kvm-x86-fix-scan-ioapic-use-before-initialization.patch perf-x86-intel-add-generic-branch-tracing-check-to-intel_pmu_has_bts.patch perf-x86-intel-move-branch-tracing-setup-to-the-intel-specific-source-file.patch xtensa-enable-coprocessors-that-are-being-flushed.patch xtensa-fix-coprocessor-context-offset-definitions.patch --- diff --git a/queue-4.9/alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch b/queue-4.9/alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch new file mode 100644 index 00000000000..ab829e9e210 --- /dev/null +++ b/queue-4.9/alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch @@ -0,0 +1,41 @@ +From 7194eda1ba0872d917faf3b322540b4f57f11ba5 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 23 Nov 2018 15:44:00 +0100 +Subject: ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write + +From: Takashi Iwai + +commit 7194eda1ba0872d917faf3b322540b4f57f11ba5 upstream. + +The function snd_ac97_put_spsa() gets the bit shift value from the +associated private_value, but it extracts too much; the current code +extracts 8 bit values in bits 8-15, but this is a combination of two +nibbles (bits 8-11 and bits 12-15) for left and right shifts. +Due to the incorrect bits extraction, the actual shift may go beyond +the 32bit value, as spotted recently by UBSAN check: + UBSAN: Undefined behaviour in sound/pci/ac97/ac97_codec.c:836:7 + shift exponent 68 is too large for 32-bit type 'int' + +This patch fixes the shift value extraction by masking the properly +with 0x0f instead of 0xff. + +Reported-and-tested-by: Meelis Roos +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/ac97/ac97_codec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -824,7 +824,7 @@ static int snd_ac97_put_spsa(struct snd_ + { + struct snd_ac97 *ac97 = snd_kcontrol_chip(kcontrol); + int reg = kcontrol->private_value & 0xff; +- int shift = (kcontrol->private_value >> 8) & 0xff; ++ int shift = (kcontrol->private_value >> 8) & 0x0f; + int mask = (kcontrol->private_value >> 16) & 0xff; + // int invert = (kcontrol->private_value >> 24) & 0xff; + unsigned short value, old, new; diff --git a/queue-4.9/alsa-control-fix-race-between-adding-and-removing-a-user-element.patch b/queue-4.9/alsa-control-fix-race-between-adding-and-removing-a-user-element.patch new file mode 100644 index 00000000000..017b7326664 --- /dev/null +++ b/queue-4.9/alsa-control-fix-race-between-adding-and-removing-a-user-element.patch @@ -0,0 +1,158 @@ +From e1a7bfe3807974e66f971f2589d4e0197ec0fced Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 22 Nov 2018 14:36:17 +0100 +Subject: ALSA: control: Fix race between adding and removing a user element + +From: Takashi Iwai + +commit e1a7bfe3807974e66f971f2589d4e0197ec0fced upstream. + +The procedure for adding a user control element has some window opened +for race against the concurrent removal of a user element. This was +caught by syzkaller, hitting a KASAN use-after-free error. + +This patch addresses the bug by wrapping the whole procedure to add a +user control element with the card->controls_rwsem, instead of only +around the increment of card->user_ctl_count. + +This required a slight code refactoring, too. The function +snd_ctl_add() is split to two parts: a core function to add the +control element and a part calling it. The former is called from the +function for adding a user control element inside the controls_rwsem. + +One change to be noted is that snd_ctl_notify() for adding a control +element gets called inside the controls_rwsem as well while it was +called outside the rwsem. But this should be OK, as snd_ctl_notify() +takes another (finer) rwlock instead of rwsem, and the call of +snd_ctl_notify() inside rwsem is already done in another code path. + +Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/control.c | 80 ++++++++++++++++++++++++++++----------------------- + 1 file changed, 45 insertions(+), 35 deletions(-) + +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -346,6 +346,40 @@ static int snd_ctl_find_hole(struct snd_ + return 0; + } + ++/* add a new kcontrol object; call with card->controls_rwsem locked */ ++static int __snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) ++{ ++ struct snd_ctl_elem_id id; ++ unsigned int idx; ++ unsigned int count; ++ ++ id = kcontrol->id; ++ if (id.index > UINT_MAX - kcontrol->count) ++ return -EINVAL; ++ ++ if (snd_ctl_find_id(card, &id)) { ++ dev_err(card->dev, ++ "control %i:%i:%i:%s:%i is already present\n", ++ id.iface, id.device, id.subdevice, id.name, id.index); ++ return -EBUSY; ++ } ++ ++ if (snd_ctl_find_hole(card, kcontrol->count) < 0) ++ return -ENOMEM; ++ ++ list_add_tail(&kcontrol->list, &card->controls); ++ card->controls_count += kcontrol->count; ++ kcontrol->id.numid = card->last_numid + 1; ++ card->last_numid += kcontrol->count; ++ ++ id = kcontrol->id; ++ count = kcontrol->count; ++ for (idx = 0; idx < count; idx++, id.index++, id.numid++) ++ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id); ++ ++ return 0; ++} ++ + /** + * snd_ctl_add - add the control instance to the card + * @card: the card instance +@@ -362,45 +396,18 @@ static int snd_ctl_find_hole(struct snd_ + */ + int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) + { +- struct snd_ctl_elem_id id; +- unsigned int idx; +- unsigned int count; + int err = -EINVAL; + + if (! kcontrol) + return err; + if (snd_BUG_ON(!card || !kcontrol->info)) + goto error; +- id = kcontrol->id; +- if (id.index > UINT_MAX - kcontrol->count) +- goto error; + + down_write(&card->controls_rwsem); +- if (snd_ctl_find_id(card, &id)) { +- up_write(&card->controls_rwsem); +- dev_err(card->dev, "control %i:%i:%i:%s:%i is already present\n", +- id.iface, +- id.device, +- id.subdevice, +- id.name, +- id.index); +- err = -EBUSY; +- goto error; +- } +- if (snd_ctl_find_hole(card, kcontrol->count) < 0) { +- up_write(&card->controls_rwsem); +- err = -ENOMEM; +- goto error; +- } +- list_add_tail(&kcontrol->list, &card->controls); +- card->controls_count += kcontrol->count; +- kcontrol->id.numid = card->last_numid + 1; +- card->last_numid += kcontrol->count; +- id = kcontrol->id; +- count = kcontrol->count; ++ err = __snd_ctl_add(card, kcontrol); + up_write(&card->controls_rwsem); +- for (idx = 0; idx < count; idx++, id.index++, id.numid++) +- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id); ++ if (err < 0) ++ goto error; + return 0; + + error: +@@ -1354,9 +1361,12 @@ static int snd_ctl_elem_add(struct snd_c + kctl->tlv.c = snd_ctl_elem_user_tlv; + + /* This function manage to free the instance on failure. */ +- err = snd_ctl_add(card, kctl); +- if (err < 0) +- return err; ++ down_write(&card->controls_rwsem); ++ err = __snd_ctl_add(card, kctl); ++ if (err < 0) { ++ snd_ctl_free_one(kctl); ++ goto unlock; ++ } + offset = snd_ctl_get_ioff(kctl, &info->id); + snd_ctl_build_ioff(&info->id, kctl, offset); + /* +@@ -1367,10 +1377,10 @@ static int snd_ctl_elem_add(struct snd_c + * which locks the element. + */ + +- down_write(&card->controls_rwsem); + card->user_ctl_count++; +- up_write(&card->controls_rwsem); + ++ unlock: ++ up_write(&card->controls_rwsem); + return 0; + } + diff --git a/queue-4.9/alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch b/queue-4.9/alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch new file mode 100644 index 00000000000..4ecee9ba3bf --- /dev/null +++ b/queue-4.9/alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch @@ -0,0 +1,51 @@ +From 9a20332ab373b1f8f947e0a9c923652b32dab031 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 23 Nov 2018 18:18:30 +0100 +Subject: ALSA: sparc: Fix invalid snd_free_pages() at error path + +From: Takashi Iwai + +commit 9a20332ab373b1f8f947e0a9c923652b32dab031 upstream. + +Some spurious calls of snd_free_pages() have been overlooked and +remain in the error paths of sparc cs4231 driver code. Since +runtime->dma_area is managed by the PCM core helper, we shouldn't +release manually. + +Drop the superfluous calls. + +Reviewed-by: Takashi Sakamoto +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/sparc/cs4231.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/sound/sparc/cs4231.c ++++ b/sound/sparc/cs4231.c +@@ -1146,10 +1146,8 @@ static int snd_cs4231_playback_open(stru + runtime->hw = snd_cs4231_playback; + + err = snd_cs4231_open(chip, CS4231_MODE_PLAY); +- if (err < 0) { +- snd_free_pages(runtime->dma_area, runtime->dma_bytes); ++ if (err < 0) + return err; +- } + chip->playback_substream = substream; + chip->p_periods_sent = 0; + snd_pcm_set_sync(substream); +@@ -1167,10 +1165,8 @@ static int snd_cs4231_capture_open(struc + runtime->hw = snd_cs4231_capture; + + err = snd_cs4231_open(chip, CS4231_MODE_RECORD); +- if (err < 0) { +- snd_free_pages(runtime->dma_area, runtime->dma_bytes); ++ if (err < 0) + return err; +- } + chip->capture_substream = substream; + chip->c_periods_sent = 0; + snd_pcm_set_sync(substream); diff --git a/queue-4.9/alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch b/queue-4.9/alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch new file mode 100644 index 00000000000..6083a63bd58 --- /dev/null +++ b/queue-4.9/alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch @@ -0,0 +1,42 @@ +From 7b69154171b407844c273ab4c10b5f0ddcd6aa29 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 23 Nov 2018 18:16:33 +0100 +Subject: ALSA: wss: Fix invalid snd_free_pages() at error path + +From: Takashi Iwai + +commit 7b69154171b407844c273ab4c10b5f0ddcd6aa29 upstream. + +Some spurious calls of snd_free_pages() have been overlooked and +remain in the error paths of wss driver code. Since runtime->dma_area +is managed by the PCM core helper, we shouldn't release manually. + +Drop the superfluous calls. + +Reviewed-by: Takashi Sakamoto +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/isa/wss/wss_lib.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/sound/isa/wss/wss_lib.c ++++ b/sound/isa/wss/wss_lib.c +@@ -1531,7 +1531,6 @@ static int snd_wss_playback_open(struct + if (err < 0) { + if (chip->release_dma) + chip->release_dma(chip, chip->dma_private_data, chip->dma1); +- snd_free_pages(runtime->dma_area, runtime->dma_bytes); + return err; + } + chip->playback_substream = substream; +@@ -1572,7 +1571,6 @@ static int snd_wss_capture_open(struct s + if (err < 0) { + if (chip->release_dma) + chip->release_dma(chip, chip->dma_private_data, chip->dma2); +- snd_free_pages(runtime->dma_area, runtime->dma_bytes); + return err; + } + chip->capture_substream = substream; diff --git a/queue-4.9/btrfs-ensure-path-name-is-null-terminated-at-btrfs_control_ioctl.patch b/queue-4.9/btrfs-ensure-path-name-is-null-terminated-at-btrfs_control_ioctl.patch new file mode 100644 index 00000000000..01a20657882 --- /dev/null +++ b/queue-4.9/btrfs-ensure-path-name-is-null-terminated-at-btrfs_control_ioctl.patch @@ -0,0 +1,39 @@ +From f505754fd6599230371cb01b9332754ddc104be1 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 14 Nov 2018 11:35:24 +0000 +Subject: Btrfs: ensure path name is null terminated at btrfs_control_ioctl + +From: Filipe Manana + +commit f505754fd6599230371cb01b9332754ddc104be1 upstream. + +We were using the path name received from user space without checking that +it is null terminated. While btrfs-progs is well behaved and does proper +validation and null termination, someone could call the ioctl and pass +a non-null terminated patch, leading to buffer overrun problems in the +kernel. The ioctl is protected by CAP_SYS_ADMIN. + +So just set the last byte of the path to a null character, similar to what +we do in other ioctls (add/remove/resize device, snapshot creation, etc). + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Anand Jain +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -2226,6 +2226,7 @@ static long btrfs_control_ioctl(struct f + vol = memdup_user((void __user *)arg, sizeof(*vol)); + if (IS_ERR(vol)) + return PTR_ERR(vol); ++ vol->name[BTRFS_PATH_NAME_MAX] = '\0'; + + switch (cmd) { + case BTRFS_IOC_SCAN_DEV: diff --git a/queue-4.9/fs-fix-lost-error-code-in-dio_complete.patch b/queue-4.9/fs-fix-lost-error-code-in-dio_complete.patch new file mode 100644 index 00000000000..66af8e3e9e8 --- /dev/null +++ b/queue-4.9/fs-fix-lost-error-code-in-dio_complete.patch @@ -0,0 +1,56 @@ +From 41e817bca3acd3980efe5dd7d28af0e6f4ab9247 Mon Sep 17 00:00:00 2001 +From: Maximilian Heyne +Date: Fri, 30 Nov 2018 08:35:14 -0700 +Subject: fs: fix lost error code in dio_complete + +From: Maximilian Heyne + +commit 41e817bca3acd3980efe5dd7d28af0e6f4ab9247 upstream. + +commit e259221763a40403d5bb232209998e8c45804ab8 ("fs: simplify the +generic_write_sync prototype") reworked callers of generic_write_sync(), +and ended up dropping the error return for the directio path. Prior to +that commit, in dio_complete(), an error would be bubbled up the stack, +but after that commit, errors passed on to dio_complete were eaten up. + +This was reported on the list earlier, and a fix was proposed in +https://lore.kernel.org/lkml/20160921141539.GA17898@infradead.org/, but +never followed up with. We recently hit this bug in our testing where +fencing io errors, which were previously erroring out with EIO, were +being returned as success operations after this commit. + +The fix proposed on the list earlier was a little short -- it would have +still called generic_write_sync() in case `ret` already contained an +error. This fix ensures generic_write_sync() is only called when there's +no pending error in the write. Additionally, transferred is replaced +with ret to bring this code in line with other callers. + +Fixes: e259221763a4 ("fs: simplify the generic_write_sync prototype") +Reported-by: Ravi Nankani +Signed-off-by: Maximilian Heyne +Reviewed-by: Christoph Hellwig +CC: Torsten Mehlan +CC: Uwe Dannowski +CC: Amit Shah +CC: David Woodhouse +CC: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/direct-io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/direct-io.c ++++ b/fs/direct-io.c +@@ -278,8 +278,8 @@ static ssize_t dio_complete(struct dio * + */ + dio->iocb->ki_pos += transferred; + +- if (dio->op == REQ_OP_WRITE) +- ret = generic_write_sync(dio->iocb, transferred); ++ if (ret > 0 && dio->op == REQ_OP_WRITE) ++ ret = generic_write_sync(dio->iocb, ret); + dio->iocb->ki_complete(dio->iocb, ret, 0); + } + diff --git a/queue-4.9/kvm-mmu-fix-race-in-emulated-page-table-writes.patch b/queue-4.9/kvm-mmu-fix-race-in-emulated-page-table-writes.patch new file mode 100644 index 00000000000..93fd5e6c2aa --- /dev/null +++ b/queue-4.9/kvm-mmu-fix-race-in-emulated-page-table-writes.patch @@ -0,0 +1,91 @@ +From 0e0fee5c539b61fdd098332e0e2cc375d9073706 Mon Sep 17 00:00:00 2001 +From: Junaid Shahid +Date: Wed, 31 Oct 2018 14:53:57 -0700 +Subject: kvm: mmu: Fix race in emulated page table writes + +From: Junaid Shahid + +commit 0e0fee5c539b61fdd098332e0e2cc375d9073706 upstream. + +When a guest page table is updated via an emulated write, +kvm_mmu_pte_write() is called to update the shadow PTE using the just +written guest PTE value. But if two emulated guest PTE writes happened +concurrently, it is possible that the guest PTE and the shadow PTE end +up being out of sync. Emulated writes do not mark the shadow page as +unsync-ed, so this inconsistency will not be resolved even by a guest TLB +flush (unless the page was marked as unsync-ed at some other point). + +This is fixed by re-reading the current value of the guest PTE after the +MMU lock has been acquired instead of just using the value that was +written prior to calling kvm_mmu_pte_write(). + +Signed-off-by: Junaid Shahid +Reviewed-by: Wanpeng Li +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4297,9 +4297,9 @@ static bool need_remote_flush(u64 old, u + } + + static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa, +- const u8 *new, int *bytes) ++ int *bytes) + { +- u64 gentry; ++ u64 gentry = 0; + int r; + + /* +@@ -4311,22 +4311,12 @@ static u64 mmu_pte_write_fetch_gpte(stru + /* Handle a 32-bit guest writing two halves of a 64-bit gpte */ + *gpa &= ~(gpa_t)7; + *bytes = 8; +- r = kvm_vcpu_read_guest(vcpu, *gpa, &gentry, 8); +- if (r) +- gentry = 0; +- new = (const u8 *)&gentry; + } + +- switch (*bytes) { +- case 4: +- gentry = *(const u32 *)new; +- break; +- case 8: +- gentry = *(const u64 *)new; +- break; +- default: +- gentry = 0; +- break; ++ if (*bytes == 4 || *bytes == 8) { ++ r = kvm_vcpu_read_guest_atomic(vcpu, *gpa, &gentry, *bytes); ++ if (r) ++ gentry = 0; + } + + return gentry; +@@ -4437,8 +4427,6 @@ static void kvm_mmu_pte_write(struct kvm + + pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes); + +- gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, new, &bytes); +- + /* + * No need to care whether allocation memory is successful + * or not since pte prefetch is skiped if it does not have +@@ -4447,6 +4435,9 @@ static void kvm_mmu_pte_write(struct kvm + mmu_topup_memory_caches(vcpu); + + spin_lock(&vcpu->kvm->mmu_lock); ++ ++ gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, &bytes); ++ + ++vcpu->kvm->stat.mmu_pte_write; + kvm_mmu_audit(vcpu, AUDIT_PRE_PTE_WRITE); + diff --git a/queue-4.9/kvm-svm-ensure-an-ibpb-on-all-affected-cpus-when-freeing-a-vmcb.patch b/queue-4.9/kvm-svm-ensure-an-ibpb-on-all-affected-cpus-when-freeing-a-vmcb.patch new file mode 100644 index 00000000000..46742e440ab --- /dev/null +++ b/queue-4.9/kvm-svm-ensure-an-ibpb-on-all-affected-cpus-when-freeing-a-vmcb.patch @@ -0,0 +1,64 @@ +From fd65d3142f734bc4376053c8d75670041903134d Mon Sep 17 00:00:00 2001 +From: Jim Mattson +Date: Tue, 22 May 2018 09:54:20 -0700 +Subject: kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb + +From: Jim Mattson + +commit fd65d3142f734bc4376053c8d75670041903134d upstream. + +Previously, we only called indirect_branch_prediction_barrier on the +logical CPU that freed a vmcb. This function should be called on all +logical CPUs that last loaded the vmcb in question. + +Fixes: 15d45071523d ("KVM/x86: Add IBPB support") +Reported-by: Neel Natu +Signed-off-by: Jim Mattson +Reviewed-by: Konrad Rzeszutek Wilk +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1672,21 +1672,31 @@ out: + return ERR_PTR(err); + } + ++static void svm_clear_current_vmcb(struct vmcb *vmcb) ++{ ++ int i; ++ ++ for_each_online_cpu(i) ++ cmpxchg(&per_cpu(svm_data, i)->current_vmcb, vmcb, NULL); ++} ++ + static void svm_free_vcpu(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + ++ /* ++ * The vmcb page can be recycled, causing a false negative in ++ * svm_vcpu_load(). So, ensure that no logical CPU has this ++ * vmcb page recorded as its current vmcb. ++ */ ++ svm_clear_current_vmcb(svm->vmcb); ++ + __free_page(pfn_to_page(svm->vmcb_pa >> PAGE_SHIFT)); + __free_pages(virt_to_page(svm->msrpm), MSRPM_ALLOC_ORDER); + __free_page(virt_to_page(svm->nested.hsave)); + __free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER); + kvm_vcpu_uninit(vcpu); + kmem_cache_free(kvm_vcpu_cache, svm); +- /* +- * The vmcb page can be recycled, causing a false negative in +- * svm_vcpu_load(). So do a full IBPB now. +- */ +- indirect_branch_prediction_barrier(); + } + + static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu) diff --git a/queue-4.9/kvm-x86-fix-scan-ioapic-use-before-initialization.patch b/queue-4.9/kvm-x86-fix-scan-ioapic-use-before-initialization.patch new file mode 100644 index 00000000000..0e757a1c127 --- /dev/null +++ b/queue-4.9/kvm-x86-fix-scan-ioapic-use-before-initialization.patch @@ -0,0 +1,107 @@ +From e97f852fd4561e77721bb9a4e0ea9d98305b1e93 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Tue, 20 Nov 2018 16:34:18 +0800 +Subject: KVM: X86: Fix scan ioapic use-before-initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93 upstream. + +Reported by syzkaller: + + BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8 + PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0 + Oops: 0000 [#1] PREEMPT SMP PTI + CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16 + RIP: 0010:__lock_acquire+0x1a6/0x1990 + Call Trace: + lock_acquire+0xdb/0x210 + _raw_spin_lock+0x38/0x70 + kvm_ioapic_scan_entry+0x3e/0x110 [kvm] + vcpu_enter_guest+0x167e/0x1910 [kvm] + kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm] + kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm] + do_vfs_ioctl+0xa5/0x690 + ksys_ioctl+0x6d/0x80 + __x64_sys_ioctl+0x1a/0x20 + do_syscall_64+0x83/0x6e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr +and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. +However, irqchip is not initialized by this simple testcase, ioapic/apic +objects should not be accessed. +This can be triggered by the following program: + + #define _GNU_SOURCE + + #include + #include + #include + #include + #include + #include + #include + #include + + uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; + + int main(void) + { + syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); + long res = 0; + memcpy((void*)0x20000040, "/dev/kvm", 9); + res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0); + if (res != -1) + r[0] = res; + res = syscall(__NR_ioctl, r[0], 0xae01, 0); + if (res != -1) + r[1] = res; + res = syscall(__NR_ioctl, r[1], 0xae41, 0); + if (res != -1) + r[2] = res; + memcpy( + (void*)0x20000080, + "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00" + "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43" + "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33" + "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe" + "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22" + "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb", + 106); + syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080); + syscall(__NR_ioctl, r[2], 0xae80, 0); + return 0; + } + +This patch fixes it by bailing out scan ioapic if ioapic is not initialized in +kernel. + +Reported-by: Wei Wu +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Wei Wu +Signed-off-by: Wanpeng Li +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6661,7 +6661,8 @@ static void vcpu_scan_ioapic(struct kvm_ + else { + if (vcpu->arch.apicv_active) + kvm_x86_ops->sync_pir_to_irr(vcpu); +- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); ++ if (ioapic_in_kernel(vcpu->kvm)) ++ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); + } + bitmap_or((ulong *)eoi_exit_bitmap, vcpu->arch.ioapic_handled_vectors, + vcpu_to_synic(vcpu)->vec_bitmap, 256); diff --git a/queue-4.9/perf-x86-intel-add-generic-branch-tracing-check-to-intel_pmu_has_bts.patch b/queue-4.9/perf-x86-intel-add-generic-branch-tracing-check-to-intel_pmu_has_bts.patch new file mode 100644 index 00000000000..1f99e001e81 --- /dev/null +++ b/queue-4.9/perf-x86-intel-add-generic-branch-tracing-check-to-intel_pmu_has_bts.patch @@ -0,0 +1,105 @@ +From 67266c1080ad56c31af72b9c18355fde8ccc124a Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Wed, 21 Nov 2018 11:16:11 +0100 +Subject: perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts() + +From: Jiri Olsa + +commit 67266c1080ad56c31af72b9c18355fde8ccc124a upstream. + +Currently we check the branch tracing only by checking for the +PERF_COUNT_HW_BRANCH_INSTRUCTIONS event of PERF_TYPE_HARDWARE +type. But we can define the same event with the PERF_TYPE_RAW +type. + +Changing the intel_pmu_has_bts() code to check on event's final +hw config value, so both HW types are covered. + +Adding unlikely to intel_pmu_has_bts() condition calls, because +it was used in the original code in intel_bts_constraints. + +Signed-off-by: Jiri Olsa +Acked-by: Peter Zijlstra +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Link: http://lkml.kernel.org/r/20181121101612.16272-2-jolsa@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/core.c | 17 +++-------------- + arch/x86/events/perf_event.h | 13 +++++++++---- + 2 files changed, 12 insertions(+), 18 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2198,16 +2198,7 @@ done: + static struct event_constraint * + intel_bts_constraints(struct perf_event *event) + { +- struct hw_perf_event *hwc = &event->hw; +- unsigned int hw_event, bts_event; +- +- if (event->attr.freq) +- return NULL; +- +- hw_event = hwc->config & INTEL_ARCH_EVENT_MASK; +- bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS); +- +- if (unlikely(hw_event == bts_event && hwc->sample_period == 1)) ++ if (unlikely(intel_pmu_has_bts(event))) + return &bts_constraint; + + return NULL; +@@ -2825,10 +2816,8 @@ static unsigned long intel_pmu_free_runn + static int intel_pmu_bts_config(struct perf_event *event) + { + struct perf_event_attr *attr = &event->attr; +- struct hw_perf_event *hwc = &event->hw; + +- if (attr->config == PERF_COUNT_HW_BRANCH_INSTRUCTIONS && +- !attr->freq && hwc->sample_period == 1) { ++ if (unlikely(intel_pmu_has_bts(event))) { + /* BTS is not supported by this architecture. */ + if (!x86_pmu.bts_active) + return -EOPNOTSUPP; +@@ -2887,7 +2876,7 @@ static int intel_pmu_hw_config(struct pe + /* + * BTS is set up earlier in this path, so don't account twice + */ +- if (!intel_pmu_has_bts(event)) { ++ if (!unlikely(intel_pmu_has_bts(event))) { + /* disallow lbr if conflicting events are present */ + if (x86_add_exclusive(x86_lbr_exclusive_lbr)) + return -EBUSY; +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -835,11 +835,16 @@ static inline int amd_pmu_init(void) + + static inline bool intel_pmu_has_bts(struct perf_event *event) + { +- if (event->attr.config == PERF_COUNT_HW_BRANCH_INSTRUCTIONS && +- !event->attr.freq && event->hw.sample_period == 1) +- return true; ++ struct hw_perf_event *hwc = &event->hw; ++ unsigned int hw_event, bts_event; + +- return false; ++ if (event->attr.freq) ++ return false; ++ ++ hw_event = hwc->config & INTEL_ARCH_EVENT_MASK; ++ bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS); ++ ++ return hw_event == bts_event && hwc->sample_period == 1; + } + + int intel_pmu_save_and_restart(struct perf_event *event); diff --git a/queue-4.9/perf-x86-intel-move-branch-tracing-setup-to-the-intel-specific-source-file.patch b/queue-4.9/perf-x86-intel-move-branch-tracing-setup-to-the-intel-specific-source-file.patch new file mode 100644 index 00000000000..18bc11b761a --- /dev/null +++ b/queue-4.9/perf-x86-intel-move-branch-tracing-setup-to-the-intel-specific-source-file.patch @@ -0,0 +1,126 @@ +From ed6101bbf6266ee83e620b19faa7c6ad56bb41ab Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Wed, 21 Nov 2018 11:16:10 +0100 +Subject: perf/x86/intel: Move branch tracing setup to the Intel-specific source file + +From: Jiri Olsa + +commit ed6101bbf6266ee83e620b19faa7c6ad56bb41ab upstream. + +Moving branch tracing setup to Intel core object into separate +intel_pmu_bts_config function, because it's Intel specific. + +Suggested-by: Peter Zijlstra +Signed-off-by: Jiri Olsa +Acked-by: Peter Zijlstra +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Link: http://lkml.kernel.org/r/20181121101612.16272-1-jolsa@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/core.c | 20 -------------------- + arch/x86/events/intel/core.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 40 insertions(+), 21 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -437,26 +437,6 @@ int x86_setup_perfctr(struct perf_event + if (config == -1LL) + return -EINVAL; + +- /* +- * Branch tracing: +- */ +- if (attr->config == PERF_COUNT_HW_BRANCH_INSTRUCTIONS && +- !attr->freq && hwc->sample_period == 1) { +- /* BTS is not supported by this architecture. */ +- if (!x86_pmu.bts_active) +- return -EOPNOTSUPP; +- +- /* BTS is currently only allowed for user-mode. */ +- if (!attr->exclude_kernel) +- return -EOPNOTSUPP; +- +- /* disallow bts if conflicting events are present */ +- if (x86_add_exclusive(x86_lbr_exclusive_lbr)) +- return -EBUSY; +- +- event->destroy = hw_perf_lbr_event_destroy; +- } +- + hwc->config |= config; + + return 0; +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2822,6 +2822,41 @@ static unsigned long intel_pmu_free_runn + return flags; + } + ++static int intel_pmu_bts_config(struct perf_event *event) ++{ ++ struct perf_event_attr *attr = &event->attr; ++ struct hw_perf_event *hwc = &event->hw; ++ ++ if (attr->config == PERF_COUNT_HW_BRANCH_INSTRUCTIONS && ++ !attr->freq && hwc->sample_period == 1) { ++ /* BTS is not supported by this architecture. */ ++ if (!x86_pmu.bts_active) ++ return -EOPNOTSUPP; ++ ++ /* BTS is currently only allowed for user-mode. */ ++ if (!attr->exclude_kernel) ++ return -EOPNOTSUPP; ++ ++ /* disallow bts if conflicting events are present */ ++ if (x86_add_exclusive(x86_lbr_exclusive_lbr)) ++ return -EBUSY; ++ ++ event->destroy = hw_perf_lbr_event_destroy; ++ } ++ ++ return 0; ++} ++ ++static int core_pmu_hw_config(struct perf_event *event) ++{ ++ int ret = x86_pmu_hw_config(event); ++ ++ if (ret) ++ return ret; ++ ++ return intel_pmu_bts_config(event); ++} ++ + static int intel_pmu_hw_config(struct perf_event *event) + { + int ret = x86_pmu_hw_config(event); +@@ -2829,6 +2864,10 @@ static int intel_pmu_hw_config(struct pe + if (ret) + return ret; + ++ ret = intel_pmu_bts_config(event); ++ if (ret) ++ return ret; ++ + if (event->attr.precise_ip) { + if (!event->attr.freq) { + event->hw.flags |= PERF_X86_EVENT_AUTO_RELOAD; +@@ -3265,7 +3304,7 @@ static __initconst const struct x86_pmu + .enable_all = core_pmu_enable_all, + .enable = core_pmu_enable_event, + .disable = x86_pmu_disable_event, +- .hw_config = x86_pmu_hw_config, ++ .hw_config = core_pmu_hw_config, + .schedule_events = x86_schedule_events, + .eventsel = MSR_ARCH_PERFMON_EVENTSEL0, + .perfctr = MSR_ARCH_PERFMON_PERFCTR0, diff --git a/queue-4.9/series b/queue-4.9/series index 5f51867c2a6..b8b5d9359b7 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -16,3 +16,16 @@ net-skb_scrub_packet-scrub-offload_fwd_mark.patch rapidio-rionet-do-not-free-skb-before-reading-its-length.patch s390-qeth-fix-length-check-in-snmp-processing.patch usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-bug-2.patch +kvm-mmu-fix-race-in-emulated-page-table-writes.patch +kvm-svm-ensure-an-ibpb-on-all-affected-cpus-when-freeing-a-vmcb.patch +kvm-x86-fix-scan-ioapic-use-before-initialization.patch +xtensa-enable-coprocessors-that-are-being-flushed.patch +xtensa-fix-coprocessor-context-offset-definitions.patch +btrfs-ensure-path-name-is-null-terminated-at-btrfs_control_ioctl.patch +perf-x86-intel-move-branch-tracing-setup-to-the-intel-specific-source-file.patch +perf-x86-intel-add-generic-branch-tracing-check-to-intel_pmu_has_bts.patch +fs-fix-lost-error-code-in-dio_complete.patch +alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch +alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch +alsa-control-fix-race-between-adding-and-removing-a-user-element.patch +alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch diff --git a/queue-4.9/xtensa-enable-coprocessors-that-are-being-flushed.patch b/queue-4.9/xtensa-enable-coprocessors-that-are-being-flushed.patch new file mode 100644 index 00000000000..620c837eb83 --- /dev/null +++ b/queue-4.9/xtensa-enable-coprocessors-that-are-being-flushed.patch @@ -0,0 +1,70 @@ +From 2958b66694e018c552be0b60521fec27e8d12988 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Mon, 26 Nov 2018 13:29:41 -0800 +Subject: xtensa: enable coprocessors that are being flushed + +From: Max Filippov + +commit 2958b66694e018c552be0b60521fec27e8d12988 upstream. + +coprocessor_flush_all may be called from a context of a thread that is +different from the thread being flushed. In that case contents of the +cpenable special register may not match ti->cpenable of the target +thread, resulting in unhandled coprocessor exception in the kernel +context. +Set cpenable special register to the ti->cpenable of the target register +for the duration of the flush and restore it afterwards. +This fixes the following crash caused by coprocessor register inspection +in native gdb: + + (gdb) p/x $w0 + Illegal instruction in kernel: sig: 9 [#1] PREEMPT + Call Trace: + ___might_sleep+0x184/0x1a4 + __might_sleep+0x41/0xac + exit_signals+0x14/0x218 + do_exit+0xc9/0x8b8 + die+0x99/0xa0 + do_illegal_instruction+0x18/0x6c + common_exception+0x77/0x77 + coprocessor_flush+0x16/0x3c + arch_ptrace+0x46c/0x674 + sys_ptrace+0x2ce/0x3b4 + system_call+0x54/0x80 + common_exception+0x77/0x77 + note: gdb[100] exited with preempt_count 1 + Killed + +Cc: stable@vger.kernel.org +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/kernel/process.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/xtensa/kernel/process.c ++++ b/arch/xtensa/kernel/process.c +@@ -85,18 +85,21 @@ void coprocessor_release_all(struct thre + + void coprocessor_flush_all(struct thread_info *ti) + { +- unsigned long cpenable; ++ unsigned long cpenable, old_cpenable; + int i; + + preempt_disable(); + ++ RSR_CPENABLE(old_cpenable); + cpenable = ti->cpenable; ++ WSR_CPENABLE(cpenable); + + for (i = 0; i < XCHAL_CP_MAX; i++) { + if ((cpenable & 1) != 0 && coprocessor_owner[i] == ti) + coprocessor_flush(ti, i); + cpenable >>= 1; + } ++ WSR_CPENABLE(old_cpenable); + + preempt_enable(); + } diff --git a/queue-4.9/xtensa-fix-coprocessor-context-offset-definitions.patch b/queue-4.9/xtensa-fix-coprocessor-context-offset-definitions.patch new file mode 100644 index 00000000000..0c318fdd2ea --- /dev/null +++ b/queue-4.9/xtensa-fix-coprocessor-context-offset-definitions.patch @@ -0,0 +1,49 @@ +From 03bc996af0cc71c7f30c384d8ce7260172423b34 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Mon, 26 Nov 2018 15:18:26 -0800 +Subject: xtensa: fix coprocessor context offset definitions + +From: Max Filippov + +commit 03bc996af0cc71c7f30c384d8ce7260172423b34 upstream. + +Coprocessor context offsets are used by the assembly code that moves +coprocessor context between the individual fields of the +thread_info::xtregs_cp structure and coprocessor registers. +This fixes coprocessor context clobbering on flushing and reloading +during normal user code execution and user process debugging in the +presence of more than one coprocessor in the core configuration. + +Cc: stable@vger.kernel.org +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/kernel/asm-offsets.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/xtensa/kernel/asm-offsets.c ++++ b/arch/xtensa/kernel/asm-offsets.c +@@ -91,14 +91,14 @@ int main(void) + DEFINE(THREAD_SP, offsetof (struct task_struct, thread.sp)); + DEFINE(THREAD_CPENABLE, offsetof (struct thread_info, cpenable)); + #if XTENSA_HAVE_COPROCESSORS +- DEFINE(THREAD_XTREGS_CP0, offsetof (struct thread_info, xtregs_cp)); +- DEFINE(THREAD_XTREGS_CP1, offsetof (struct thread_info, xtregs_cp)); +- DEFINE(THREAD_XTREGS_CP2, offsetof (struct thread_info, xtregs_cp)); +- DEFINE(THREAD_XTREGS_CP3, offsetof (struct thread_info, xtregs_cp)); +- DEFINE(THREAD_XTREGS_CP4, offsetof (struct thread_info, xtregs_cp)); +- DEFINE(THREAD_XTREGS_CP5, offsetof (struct thread_info, xtregs_cp)); +- DEFINE(THREAD_XTREGS_CP6, offsetof (struct thread_info, xtregs_cp)); +- DEFINE(THREAD_XTREGS_CP7, offsetof (struct thread_info, xtregs_cp)); ++ DEFINE(THREAD_XTREGS_CP0, offsetof(struct thread_info, xtregs_cp.cp0)); ++ DEFINE(THREAD_XTREGS_CP1, offsetof(struct thread_info, xtregs_cp.cp1)); ++ DEFINE(THREAD_XTREGS_CP2, offsetof(struct thread_info, xtregs_cp.cp2)); ++ DEFINE(THREAD_XTREGS_CP3, offsetof(struct thread_info, xtregs_cp.cp3)); ++ DEFINE(THREAD_XTREGS_CP4, offsetof(struct thread_info, xtregs_cp.cp4)); ++ DEFINE(THREAD_XTREGS_CP5, offsetof(struct thread_info, xtregs_cp.cp5)); ++ DEFINE(THREAD_XTREGS_CP6, offsetof(struct thread_info, xtregs_cp.cp6)); ++ DEFINE(THREAD_XTREGS_CP7, offsetof(struct thread_info, xtregs_cp.cp7)); + #endif + DEFINE(THREAD_XTREGS_USER, offsetof (struct thread_info, xtregs_user)); + DEFINE(XTREGS_USER_SIZE, sizeof(xtregs_user_t));