From: Greg Kroah-Hartman Date: Wed, 15 May 2019 08:44:56 +0000 (+0200) Subject: 5.0-stable patches X-Git-Tag: v3.18.140~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f1a9d4138b47846afe8fb2a639228ea70b0b017;p=thirdparty%2Fkernel%2Fstable-queue.git 5.0-stable patches added patches: drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch f2fs-fix-use-of-number-of-devices.patch pci-hv-add-hv_pci_remove_slots-when-we-unload-the-driver.patch pci-hv-add-pci_destroy_slot-in-pci_devices_present_work-if-necessary.patch pci-hv-fix-a-memory-leak-in-hv_eject_device_work.patch powerpc-book3s-64-check-for-null-pointer-in-pgd_alloc.patch powerpc-booke64-set-ri-in-default-msr.patch powerpc-powernv-idle-restore-iamr-after-idle.patch virtio_ring-fix-potential-mem-leak-in-virtqueue_add_indirect_packed.patch --- diff --git a/queue-5.0/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch b/queue-5.0/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch new file mode 100644 index 00000000000..2f9d92ae0c3 --- /dev/null +++ b/queue-5.0/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch @@ -0,0 +1,104 @@ +From c8ea3663f7a8e6996d44500ee818c9330ac4fd88 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 14 May 2019 15:47:00 -0700 +Subject: drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl + +From: Dan Carpenter + +commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream. + +strndup_user() returns error pointers on error, and then in the error +handling we pass the error pointers to kfree(). It will cause an Oops. + +Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam +Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Andrew Morton +Cc: Timur Tabi +Cc: Mihai Caraman +Cc: Kumar Gala +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virt/fsl_hypervisor.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_i + struct fsl_hv_ioctl_prop param; + char __user *upath, *upropname; + void __user *upropval; +- char *path = NULL, *propname = NULL; +- void *propval = NULL; ++ char *path, *propname; ++ void *propval; + int ret = 0; + + /* Get the parameters from the user. */ +@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_i + upropval = (void __user *)(uintptr_t)param.propval; + + path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN); +- if (IS_ERR(path)) { +- ret = PTR_ERR(path); +- goto out; +- } ++ if (IS_ERR(path)) ++ return PTR_ERR(path); + + propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN); + if (IS_ERR(propname)) { + ret = PTR_ERR(propname); +- goto out; ++ goto err_free_path; + } + + if (param.proplen > FH_DTPROP_MAX_PROPLEN) { + ret = -EINVAL; +- goto out; ++ goto err_free_propname; + } + + propval = kmalloc(param.proplen, GFP_KERNEL); + if (!propval) { + ret = -ENOMEM; +- goto out; ++ goto err_free_propname; + } + + if (set) { + if (copy_from_user(propval, upropval, param.proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + + param.ret = fh_partition_set_dtprop(param.handle, +@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_i + if (copy_to_user(upropval, propval, param.proplen) || + put_user(param.proplen, &p->proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + } + } +@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_i + if (put_user(param.ret, &p->ret)) + ret = -EFAULT; + +-out: +- kfree(path); ++err_free_propval: + kfree(propval); ++err_free_propname: + kfree(propname); ++err_free_path: ++ kfree(path); + + return ret; + } diff --git a/queue-5.0/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch b/queue-5.0/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch new file mode 100644 index 00000000000..b064ad8b89e --- /dev/null +++ b/queue-5.0/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch @@ -0,0 +1,46 @@ +From 6a024330650e24556b8a18cc654ad00cfecf6c6c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 14 May 2019 15:47:03 -0700 +Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl + +From: Dan Carpenter + +commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream. + +The "param.count" value is a u64 thatcomes from the user. The code +later in the function assumes that param.count is at least one and if +it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR. + +Also the addition can have an integer overflow which would lead us to +allocate a smaller "pages" array than required. I can't immediately +tell what the possible run times implications are, but it's safest to +prevent the overflow. + +Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam +Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Andrew Morton +Cc: Timur Tabi +Cc: Mihai Caraman +Cc: Kumar Gala +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virt/fsl_hypervisor.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i + * hypervisor. + */ + lb_offset = param.local_vaddr & (PAGE_SIZE - 1); ++ if (param.count == 0 || ++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1) ++ return -EINVAL; + num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT; + + /* Allocate the buffers we need */ diff --git a/queue-5.0/f2fs-fix-use-of-number-of-devices.patch b/queue-5.0/f2fs-fix-use-of-number-of-devices.patch new file mode 100644 index 00000000000..8eaa85341ad --- /dev/null +++ b/queue-5.0/f2fs-fix-use-of-number-of-devices.patch @@ -0,0 +1,186 @@ +From 0916878da355650d7e77104a7ac0fa1784eca852 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Sat, 16 Mar 2019 09:13:06 +0900 +Subject: f2fs: Fix use of number of devices + +From: Damien Le Moal + +commit 0916878da355650d7e77104a7ac0fa1784eca852 upstream. + +For a single device mount using a zoned block device, the zone +information for the device is stored in the sbi->devs single entry +array and sbi->s_ndevs is set to 1. This differs from a single device +mount using a regular block device which does not allocate sbi->devs +and sets sbi->s_ndevs to 0. + +However, sbi->s_devs == 0 condition is used throughout the code to +differentiate a single device mount from a multi-device mount where +sbi->s_ndevs is always larger than 1. This results in problems with +single zoned block device volumes as these are treated as multi-device +mounts but do not have the start_blk and end_blk information set. One +of the problem observed is skipping of zone discard issuing resulting in +write commands being issued to full zones or unaligned to a zone write +pointer. + +Fix this problem by simply treating the cases sbi->s_ndevs == 0 (single +regular block device mount) and sbi->s_ndevs == 1 (single zoned block +device mount) in the same manner. This is done by introducing the +helper function f2fs_is_multi_device() and using this helper in place +of direct tests of sbi->s_ndevs value, improving code readability. + +Fixes: 7bb3a371d199 ("f2fs: Fix zoned block device support") +Cc: +Signed-off-by: Damien Le Moal +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/data.c | 17 +++++++++++------ + fs/f2fs/f2fs.h | 13 ++++++++++++- + fs/f2fs/file.c | 2 +- + fs/f2fs/gc.c | 2 +- + fs/f2fs/segment.c | 13 +++++++------ + 5 files changed, 32 insertions(+), 15 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -218,12 +218,14 @@ struct block_device *f2fs_target_device( + struct block_device *bdev = sbi->sb->s_bdev; + int i; + +- for (i = 0; i < sbi->s_ndevs; i++) { +- if (FDEV(i).start_blk <= blk_addr && +- FDEV(i).end_blk >= blk_addr) { +- blk_addr -= FDEV(i).start_blk; +- bdev = FDEV(i).bdev; +- break; ++ if (f2fs_is_multi_device(sbi)) { ++ for (i = 0; i < sbi->s_ndevs; i++) { ++ if (FDEV(i).start_blk <= blk_addr && ++ FDEV(i).end_blk >= blk_addr) { ++ blk_addr -= FDEV(i).start_blk; ++ bdev = FDEV(i).bdev; ++ break; ++ } + } + } + if (bio) { +@@ -237,6 +239,9 @@ int f2fs_target_device_index(struct f2fs + { + int i; + ++ if (!f2fs_is_multi_device(sbi)) ++ return 0; ++ + for (i = 0; i < sbi->s_ndevs; i++) + if (FDEV(i).start_blk <= blkaddr && FDEV(i).end_blk >= blkaddr) + return i; +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1364,6 +1364,17 @@ static inline bool time_to_inject(struct + } + #endif + ++/* ++ * Test if the mounted volume is a multi-device volume. ++ * - For a single regular disk volume, sbi->s_ndevs is 0. ++ * - For a single zoned disk volume, sbi->s_ndevs is 1. ++ * - For a multi-device volume, sbi->s_ndevs is always 2 or more. ++ */ ++static inline bool f2fs_is_multi_device(struct f2fs_sb_info *sbi) ++{ ++ return sbi->s_ndevs > 1; ++} ++ + /* For write statistics. Suppose sector size is 512 bytes, + * and the return value is in kbytes. s is of struct f2fs_sb_info. + */ +@@ -3612,7 +3623,7 @@ static inline bool f2fs_force_buffered_i + + if (f2fs_post_read_required(inode)) + return true; +- if (sbi->s_ndevs) ++ if (f2fs_is_multi_device(sbi)) + return true; + /* + * for blkzoned device, fallback direct IO to buffered IO, so +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2570,7 +2570,7 @@ static int f2fs_ioc_flush_device(struct + sizeof(range))) + return -EFAULT; + +- if (sbi->s_ndevs <= 1 || sbi->s_ndevs - 1 <= range.dev_num || ++ if (!f2fs_is_multi_device(sbi) || sbi->s_ndevs - 1 <= range.dev_num || + __is_large_section(sbi)) { + f2fs_msg(sbi->sb, KERN_WARNING, + "Can't flush %u in %d for segs_per_sec %u != 1\n", +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1346,7 +1346,7 @@ void f2fs_build_gc_manager(struct f2fs_s + sbi->gc_pin_file_threshold = DEF_GC_FAILED_PINNED_FILES; + + /* give warm/cold data area from slower device */ +- if (sbi->s_ndevs && !__is_large_section(sbi)) ++ if (f2fs_is_multi_device(sbi) && !__is_large_section(sbi)) + SIT_I(sbi)->last_victim[ALLOC_NEXT] = + GET_SEGNO(sbi, FDEV(0).end_blk) + 1; + } +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -576,7 +576,7 @@ static int submit_flush_wait(struct f2fs + int ret = 0; + int i; + +- if (!sbi->s_ndevs) ++ if (!f2fs_is_multi_device(sbi)) + return __submit_flush_wait(sbi, sbi->sb->s_bdev); + + for (i = 0; i < sbi->s_ndevs; i++) { +@@ -644,7 +644,8 @@ int f2fs_issue_flush(struct f2fs_sb_info + return ret; + } + +- if (atomic_inc_return(&fcc->queued_flush) == 1 || sbi->s_ndevs > 1) { ++ if (atomic_inc_return(&fcc->queued_flush) == 1 || ++ f2fs_is_multi_device(sbi)) { + ret = submit_flush_wait(sbi, ino); + atomic_dec(&fcc->queued_flush); + +@@ -750,7 +751,7 @@ int f2fs_flush_device_cache(struct f2fs_ + { + int ret = 0, i; + +- if (!sbi->s_ndevs) ++ if (!f2fs_is_multi_device(sbi)) + return 0; + + for (i = 1; i < sbi->s_ndevs; i++) { +@@ -1359,7 +1360,7 @@ static int __queue_discard_cmd(struct f2 + + trace_f2fs_queue_discard(bdev, blkstart, blklen); + +- if (sbi->s_ndevs) { ++ if (f2fs_is_multi_device(sbi)) { + int devi = f2fs_target_device_index(sbi, blkstart); + + blkstart -= FDEV(devi).start_blk; +@@ -1714,7 +1715,7 @@ static int __f2fs_issue_discard_zone(str + block_t lblkstart = blkstart; + int devi = 0; + +- if (sbi->s_ndevs) { ++ if (f2fs_is_multi_device(sbi)) { + devi = f2fs_target_device_index(sbi, blkstart); + blkstart -= FDEV(devi).start_blk; + } +@@ -3071,7 +3072,7 @@ static void update_device_state(struct f + struct f2fs_sb_info *sbi = fio->sbi; + unsigned int devidx; + +- if (!sbi->s_ndevs) ++ if (!f2fs_is_multi_device(sbi)) + return; + + devidx = f2fs_target_device_index(sbi, fio->new_blkaddr); diff --git a/queue-5.0/pci-hv-add-hv_pci_remove_slots-when-we-unload-the-driver.patch b/queue-5.0/pci-hv-add-hv_pci_remove_slots-when-we-unload-the-driver.patch new file mode 100644 index 00000000000..d77f95cbb7a --- /dev/null +++ b/queue-5.0/pci-hv-add-hv_pci_remove_slots-when-we-unload-the-driver.patch @@ -0,0 +1,78 @@ +From 15becc2b56c6eda3d9bf5ae993bafd5661c1fad1 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Mon, 4 Mar 2019 21:34:48 +0000 +Subject: PCI: hv: Add hv_pci_remove_slots() when we unload the driver + +From: Dexuan Cui + +commit 15becc2b56c6eda3d9bf5ae993bafd5661c1fad1 upstream. + +When we unload the pci-hyperv host controller driver, the host does not +send us a PCI_EJECT message. + +In this case we also need to make sure the sysfs PCI slot directory is +removed, otherwise a command on a slot file eg: + +"cat /sys/bus/pci/slots/2/address" + +will trigger a + +"BUG: unable to handle kernel paging request" + +and, if we unload/reload the driver several times we would end up with +stale slot entries in PCI slot directories in /sys/bus/pci/slots/ + +root@localhost:~# ls -rtl /sys/bus/pci/slots/ +total 0 +drwxr-xr-x 2 root root 0 Feb 7 10:49 2 +drwxr-xr-x 2 root root 0 Feb 7 10:49 2-1 +drwxr-xr-x 2 root root 0 Feb 7 10:51 2-2 + +Add the missing code to remove the PCI slot and fix the current +behaviour. + +Fixes: a15f2c08c708 ("PCI: hv: support reporting serial number as slot information") +Signed-off-by: Dexuan Cui +[lorenzo.pieralisi@arm.com: reformatted the log] +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Stephen Hemminger +Reviewed-by: Michael Kelley +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/controller/pci-hyperv.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -1491,6 +1491,21 @@ static void hv_pci_assign_slots(struct h + } + } + ++/* ++ * Remove entries in sysfs pci slot directory. ++ */ ++static void hv_pci_remove_slots(struct hv_pcibus_device *hbus) ++{ ++ struct hv_pci_dev *hpdev; ++ ++ list_for_each_entry(hpdev, &hbus->children, list_entry) { ++ if (!hpdev->pci_slot) ++ continue; ++ pci_destroy_slot(hpdev->pci_slot); ++ hpdev->pci_slot = NULL; ++ } ++} ++ + /** + * create_root_hv_pci_bus() - Expose a new root PCI bus + * @hbus: Root PCI bus, as understood by this driver +@@ -2685,6 +2700,7 @@ static int hv_pci_remove(struct hv_devic + pci_lock_rescan_remove(); + pci_stop_root_bus(hbus->pci_bus); + pci_remove_root_bus(hbus->pci_bus); ++ hv_pci_remove_slots(hbus); + pci_unlock_rescan_remove(); + hbus->state = hv_pcibus_removed; + } diff --git a/queue-5.0/pci-hv-add-pci_destroy_slot-in-pci_devices_present_work-if-necessary.patch b/queue-5.0/pci-hv-add-pci_destroy_slot-in-pci_devices_present_work-if-necessary.patch new file mode 100644 index 00000000000..f72956519ff --- /dev/null +++ b/queue-5.0/pci-hv-add-pci_destroy_slot-in-pci_devices_present_work-if-necessary.patch @@ -0,0 +1,91 @@ +From 340d455699400f2c2c0f9b3f703ade3085cdb501 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Mon, 4 Mar 2019 21:34:49 +0000 +Subject: PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if necessary + +From: Dexuan Cui + +commit 340d455699400f2c2c0f9b3f703ade3085cdb501 upstream. + +When we hot-remove a device, usually the host sends us a PCI_EJECT message, +and a PCI_BUS_RELATIONS message with bus_rel->device_count == 0. + +When we execute the quick hot-add/hot-remove test, the host may not send +us the PCI_EJECT message if the guest has not fully finished the +initialization by sending the PCI_RESOURCES_ASSIGNED* message to the +host, so it's potentially unsafe to only depend on the +pci_destroy_slot() in hv_eject_device_work() because the code path + +create_root_hv_pci_bus() + -> hv_pci_assign_slots() + +is not called in this case. Note: in this case, the host still sends the +guest a PCI_BUS_RELATIONS message with bus_rel->device_count == 0. + +In the quick hot-add/hot-remove test, we can have such a race before +the code path + +pci_devices_present_work() + -> new_pcichild_device() + +adds the new device into the hbus->children list, we may have already +received the PCI_EJECT message, and since the tasklet handler + +hv_pci_onchannelcallback() + +may fail to find the "hpdev" by calling + +get_pcichild_wslot(hbus, dev_message->wslot.slot) + +hv_pci_eject_device() is not called; Later, by continuing execution + +create_root_hv_pci_bus() + -> hv_pci_assign_slots() + +creates the slot and the PCI_BUS_RELATIONS message with +bus_rel->device_count == 0 removes the device from hbus->children, and +we end up being unable to remove the slot in + +hv_pci_remove() + -> hv_pci_remove_slots() + +Remove the slot in pci_devices_present_work() when the device +is removed to address this race. + +pci_devices_present_work() and hv_eject_device_work() run in the +singled-threaded hbus->wq, so there is not a double-remove issue for the +slot. + +We cannot offload hv_pci_eject_device() from hv_pci_onchannelcallback() +to the workqueue, because we need the hv_pci_onchannelcallback() +synchronously call hv_pci_eject_device() to poll the channel +ringbuffer to work around the "hangs in hv_compose_msi_msg()" issue +fixed in commit de0aa7b2f97d ("PCI: hv: Fix 2 hang issues in +hv_compose_msi_msg()") + +Fixes: a15f2c08c708 ("PCI: hv: support reporting serial number as slot information") +Signed-off-by: Dexuan Cui +[lorenzo.pieralisi@arm.com: rewritten commit log] +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Stephen Hemminger +Reviewed-by: Michael Kelley +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/controller/pci-hyperv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -1781,6 +1781,10 @@ static void pci_devices_present_work(str + hpdev = list_first_entry(&removed, struct hv_pci_dev, + list_entry); + list_del(&hpdev->list_entry); ++ ++ if (hpdev->pci_slot) ++ pci_destroy_slot(hpdev->pci_slot); ++ + put_pcichild(hpdev); + } + diff --git a/queue-5.0/pci-hv-fix-a-memory-leak-in-hv_eject_device_work.patch b/queue-5.0/pci-hv-fix-a-memory-leak-in-hv_eject_device_work.patch new file mode 100644 index 00000000000..d83db8395bc --- /dev/null +++ b/queue-5.0/pci-hv-fix-a-memory-leak-in-hv_eject_device_work.patch @@ -0,0 +1,51 @@ +From 05f151a73ec2b23ffbff706e5203e729a995cdc2 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Mon, 4 Mar 2019 21:34:48 +0000 +Subject: PCI: hv: Fix a memory leak in hv_eject_device_work() + +From: Dexuan Cui + +commit 05f151a73ec2b23ffbff706e5203e729a995cdc2 upstream. + +When a device is created in new_pcichild_device(), hpdev->refs is set +to 2 (i.e. the initial value of 1 plus the get_pcichild()). + +When we hot remove the device from the host, in a Linux VM we first call +hv_pci_eject_device(), which increases hpdev->refs by get_pcichild() and +then schedules a work of hv_eject_device_work(), so hpdev->refs becomes +3 (let's ignore the paired get/put_pcichild() in other places). But in +hv_eject_device_work(), currently we only call put_pcichild() twice, +meaning the 'hpdev' struct can't be freed in put_pcichild(). + +Add one put_pcichild() to fix the memory leak. + +The device can also be removed when we run "rmmod pci-hyperv". On this +path (hv_pci_remove() -> hv_pci_bus_exit() -> hv_pci_devices_present()), +hpdev->refs is 2, and we do correctly call put_pcichild() twice in +pci_devices_present_work(). + +Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs") +Signed-off-by: Dexuan Cui +[lorenzo.pieralisi@arm.com: commit log rework] +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Stephen Hemminger +Reviewed-by: Michael Kelley +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/controller/pci-hyperv.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -1905,6 +1905,9 @@ static void hv_eject_device_work(struct + sizeof(*ejct_pkt), (unsigned long)&ctxt.pkt, + VM_PKT_DATA_INBAND, 0); + ++ /* For the get_pcichild() in hv_pci_eject_device() */ ++ put_pcichild(hpdev); ++ /* For the two refs got in new_pcichild_device() */ + put_pcichild(hpdev); + put_pcichild(hpdev); + put_hvpcibus(hpdev->hbus); diff --git a/queue-5.0/powerpc-book3s-64-check-for-null-pointer-in-pgd_alloc.patch b/queue-5.0/powerpc-book3s-64-check-for-null-pointer-in-pgd_alloc.patch new file mode 100644 index 00000000000..99a856429cb --- /dev/null +++ b/queue-5.0/powerpc-book3s-64-check-for-null-pointer-in-pgd_alloc.patch @@ -0,0 +1,58 @@ +From f39356261c265a0689d7ee568132d516e8b6cecc Mon Sep 17 00:00:00 2001 +From: Rick Lindsley +Date: Sun, 5 May 2019 17:20:43 -0700 +Subject: powerpc/book3s/64: check for NULL pointer in pgd_alloc() + +From: Rick Lindsley + +commit f39356261c265a0689d7ee568132d516e8b6cecc upstream. + +When the memset code was added to pgd_alloc(), it failed to consider +that kmem_cache_alloc() can return NULL. It's uncommon, but not +impossible under heavy memory contention. Example oops: + + Unable to handle kernel paging request for data at address 0x00000000 + Faulting instruction address: 0xc0000000000a4000 + Oops: Kernel access of bad area, sig: 11 [#1] + LE SMP NR_CPUS=2048 NUMA pSeries + CPU: 70 PID: 48471 Comm: entrypoint.sh Kdump: loaded Not tainted 4.14.0-115.6.1.el7a.ppc64le #1 + task: c000000334a00000 task.stack: c000000331c00000 + NIP: c0000000000a4000 LR: c00000000012f43c CTR: 0000000000000020 + REGS: c000000331c039c0 TRAP: 0300 Not tainted (4.14.0-115.6.1.el7a.ppc64le) + MSR: 800000010280b033 CR: 44022840 XER: 20040000 + CFAR: c000000000008874 DAR: 0000000000000000 DSISR: 42000000 SOFTE: 1 + ... + NIP [c0000000000a4000] memset+0x68/0x104 + LR [c00000000012f43c] mm_init+0x27c/0x2f0 + Call Trace: + mm_init+0x260/0x2f0 (unreliable) + copy_mm+0x11c/0x638 + copy_process.isra.28.part.29+0x6fc/0x1080 + _do_fork+0xdc/0x4c0 + ppc_clone+0x8/0xc + Instruction dump: + 409e000c b0860000 38c60002 409d000c 90860000 38c60004 78a0d183 78a506a0 + 7c0903a6 41820034 60000000 60420000 f8860008 f8860010 f8860018 + +Fixes: fc5c2f4a55a2 ("powerpc/mm/hash64: Zero PGD pages on allocation") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Rick Lindsley +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/book3s/64/pgalloc.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/include/asm/book3s/64/pgalloc.h ++++ b/arch/powerpc/include/asm/book3s/64/pgalloc.h +@@ -81,6 +81,9 @@ static inline pgd_t *pgd_alloc(struct mm + + pgd = kmem_cache_alloc(PGT_CACHE(PGD_INDEX_SIZE), + pgtable_gfp_flags(mm, GFP_KERNEL)); ++ if (unlikely(!pgd)) ++ return pgd; ++ + /* + * Don't scan the PGD for pointers, it contains references to PUDs but + * those references are not full pointers and so can't be recognised by diff --git a/queue-5.0/powerpc-booke64-set-ri-in-default-msr.patch b/queue-5.0/powerpc-booke64-set-ri-in-default-msr.patch new file mode 100644 index 00000000000..b6d3689ac25 --- /dev/null +++ b/queue-5.0/powerpc-booke64-set-ri-in-default-msr.patch @@ -0,0 +1,34 @@ +From 5266e58d6cd90ac85c187d673093ad9cb649e16d Mon Sep 17 00:00:00 2001 +From: Laurentiu Tudor +Date: Mon, 15 Apr 2019 14:52:11 +0300 +Subject: powerpc/booke64: set RI in default MSR + +From: Laurentiu Tudor + +commit 5266e58d6cd90ac85c187d673093ad9cb649e16d upstream. + +Set RI in the default kernel's MSR so that the architected way of +detecting unrecoverable machine check interrupts has a chance to work. +This is inline with the MSR setup of the rest of booke powerpc +architectures configured here. + +Signed-off-by: Laurentiu Tudor +Cc: stable@vger.kernel.org +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg_booke.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/reg_booke.h ++++ b/arch/powerpc/include/asm/reg_booke.h +@@ -41,7 +41,7 @@ + #if defined(CONFIG_PPC_BOOK3E_64) + #define MSR_64BIT MSR_CM + +-#define MSR_ (MSR_ME | MSR_CE) ++#define MSR_ (MSR_ME | MSR_RI | MSR_CE) + #define MSR_KERNEL (MSR_ | MSR_64BIT) + #define MSR_USER32 (MSR_ | MSR_PR | MSR_EE) + #define MSR_USER64 (MSR_USER32 | MSR_64BIT) diff --git a/queue-5.0/powerpc-powernv-idle-restore-iamr-after-idle.patch b/queue-5.0/powerpc-powernv-idle-restore-iamr-after-idle.patch new file mode 100644 index 00000000000..d618bab8430 --- /dev/null +++ b/queue-5.0/powerpc-powernv-idle-restore-iamr-after-idle.patch @@ -0,0 +1,79 @@ +From a3f3072db6cad40895c585dce65e36aab997f042 Mon Sep 17 00:00:00 2001 +From: Russell Currey +Date: Thu, 18 Apr 2019 16:51:16 +1000 +Subject: powerpc/powernv/idle: Restore IAMR after idle + +From: Russell Currey + +commit a3f3072db6cad40895c585dce65e36aab997f042 upstream. + +Without restoring the IAMR after idle, execution prevention on POWER9 +with Radix MMU is overwritten and the kernel can freely execute +userspace without faulting. + +This is necessary when returning from any stop state that modifies +user state, as well as hypervisor state. + +To test how this fails without this patch, load the lkdtm driver and +do the following: + + $ echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT + +which won't fault, then boot the kernel with powersave=off, where it +will fault. Applying this patch will fix this. + +Fixes: 3b10d0095a1e ("powerpc/mm/radix: Prevent kernel execution of user space") +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Russell Currey +Reviewed-by: Akshay Adiga +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/idle_book3s.S | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/arch/powerpc/kernel/idle_book3s.S ++++ b/arch/powerpc/kernel/idle_book3s.S +@@ -170,6 +170,9 @@ core_idle_lock_held: + bne- core_idle_lock_held + blr + ++/* Reuse an unused pt_regs slot for IAMR */ ++#define PNV_POWERSAVE_IAMR _DAR ++ + /* + * Pass requested state in r3: + * r3 - PNV_THREAD_NAP/SLEEP/WINKLE in POWER8 +@@ -200,6 +203,12 @@ pnv_powersave_common: + /* Continue saving state */ + SAVE_GPR(2, r1) + SAVE_NVGPRS(r1) ++ ++BEGIN_FTR_SECTION ++ mfspr r5, SPRN_IAMR ++ std r5, PNV_POWERSAVE_IAMR(r1) ++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) ++ + mfcr r5 + std r5,_CCR(r1) + std r1,PACAR1(r13) +@@ -924,6 +933,17 @@ BEGIN_FTR_SECTION + END_FTR_SECTION_IFSET(CPU_FTR_HVMODE) + REST_NVGPRS(r1) + REST_GPR(2, r1) ++ ++BEGIN_FTR_SECTION ++ /* IAMR was saved in pnv_powersave_common() */ ++ ld r5, PNV_POWERSAVE_IAMR(r1) ++ mtspr SPRN_IAMR, r5 ++ /* ++ * We don't need an isync here because the upcoming mtmsrd is ++ * execution synchronizing. ++ */ ++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) ++ + ld r4,PACAKMSR(r13) + ld r5,_LINK(r1) + ld r6,_CCR(r1) diff --git a/queue-5.0/series b/queue-5.0/series index c79ee3f51e5..ebcb236cb69 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -125,3 +125,13 @@ tuntap-synchronize-through-tfiles-array-instead-of-tun-numqueues.patch net-phy-fix-phy_validate_pause.patch flow_dissector-disable-preemption-around-bpf-calls.patch isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch +drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch +drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch +powerpc-book3s-64-check-for-null-pointer-in-pgd_alloc.patch +powerpc-powernv-idle-restore-iamr-after-idle.patch +powerpc-booke64-set-ri-in-default-msr.patch +virtio_ring-fix-potential-mem-leak-in-virtqueue_add_indirect_packed.patch +pci-hv-fix-a-memory-leak-in-hv_eject_device_work.patch +pci-hv-add-hv_pci_remove_slots-when-we-unload-the-driver.patch +pci-hv-add-pci_destroy_slot-in-pci_devices_present_work-if-necessary.patch +f2fs-fix-use-of-number-of-devices.patch diff --git a/queue-5.0/virtio_ring-fix-potential-mem-leak-in-virtqueue_add_indirect_packed.patch b/queue-5.0/virtio_ring-fix-potential-mem-leak-in-virtqueue_add_indirect_packed.patch new file mode 100644 index 00000000000..40e43739023 --- /dev/null +++ b/queue-5.0/virtio_ring-fix-potential-mem-leak-in-virtqueue_add_indirect_packed.patch @@ -0,0 +1,32 @@ +From df0bfe7501e9319546ea380d39674a4179e059c3 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Tue, 12 Mar 2019 15:06:53 +0800 +Subject: virtio_ring: Fix potential mem leak in virtqueue_add_indirect_packed + +From: YueHaibing + +commit df0bfe7501e9319546ea380d39674a4179e059c3 upstream. + +'desc' should be freed before leaving from err handing path. + +Fixes: 1ce9e6055fa0 ("virtio_ring: introduce packed ring support") +Signed-off-by: YueHaibing +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_ring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -993,6 +993,7 @@ static int virtqueue_add_indirect_packed + + if (unlikely(vq->vq.num_free < 1)) { + pr_debug("Can't add buf len 1 - avail = 0\n"); ++ kfree(desc); + END_USE(vq); + return -ENOSPC; + }