From: Greg Kroah-Hartman Date: Fri, 22 Mar 2019 10:18:14 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.137~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=adffd7aefe4a8d249ceb26805cd877ca27f42ff4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch kvm-nvmx-ignore-limit-checks-on-vmx-instructions-using-flat-segments.patch kvm-nvmx-sign-extend-displacements-of-vmx-instr-s-mem-operands.patch media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch --- diff --git a/queue-4.9/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch b/queue-4.9/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch new file mode 100644 index 00000000000..438d78a13d6 --- /dev/null +++ b/queue-4.9/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch @@ -0,0 +1,35 @@ +From cc5034a5d293dd620484d1d836aa16c6764a1c8c Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 15 Feb 2019 14:29:26 -0600 +Subject: drm/radeon/evergreen_cs: fix missing break in switch statement + +From: Gustavo A. R. Silva + +commit cc5034a5d293dd620484d1d836aa16c6764a1c8c upstream. + +Add missing break statement in order to prevent the code from falling +through to case CB_TARGET_MASK. + +This bug was found thanks to the ongoing efforts to enable +-Wimplicit-fallthrough. + +Fixes: dd220a00e8bd ("drm/radeon/kms: add support for streamout v7") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/evergreen_cs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/radeon/evergreen_cs.c ++++ b/drivers/gpu/drm/radeon/evergreen_cs.c +@@ -1299,6 +1299,7 @@ static int evergreen_cs_handle_reg(struc + return -EINVAL; + } + ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff); ++ break; + case CB_TARGET_MASK: + track->cb_target_mask = radeon_get_ib_value(p, idx); + track->cb_dirty = true; diff --git a/queue-4.9/kvm-nvmx-ignore-limit-checks-on-vmx-instructions-using-flat-segments.patch b/queue-4.9/kvm-nvmx-ignore-limit-checks-on-vmx-instructions-using-flat-segments.patch new file mode 100644 index 00000000000..b5ce8ef4b87 --- /dev/null +++ b/queue-4.9/kvm-nvmx-ignore-limit-checks-on-vmx-instructions-using-flat-segments.patch @@ -0,0 +1,55 @@ +From 34333cc6c2cb021662fd32e24e618d1b86de95bf Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 23 Jan 2019 14:39:25 -0800 +Subject: KVM: nVMX: Ignore limit checks on VMX instructions using flat segments + +From: Sean Christopherson + +commit 34333cc6c2cb021662fd32e24e618d1b86de95bf upstream. + +Regarding segments with a limit==0xffffffff, the SDM officially states: + + When the effective limit is FFFFFFFFH (4 GBytes), these accesses may + or may not cause the indicated exceptions. Behavior is + implementation-specific and may vary from one execution to another. + +In practice, all CPUs that support VMX ignore limit checks for "flat +segments", i.e. an expand-up data or code segment with base=0 and +limit=0xffffffff. This is subtly different than wrapping the effective +address calculation based on the address size, as the flat segment +behavior also applies to accesses that would wrap the 4g boundary, e.g. +a 4-byte access starting at 0xffffffff will access linear addresses +0xffffffff, 0x0, 0x1 and 0x2. + +Fixes: f9eb4af67c9d ("KVM: nVMX: VMX instructions: add checks for #GP/#SS exceptions") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7092,10 +7092,16 @@ static int get_vmx_mem_address(struct kv + /* Protected mode: #GP(0)/#SS(0) if the segment is unusable. + */ + exn = (s.unusable != 0); +- /* Protected mode: #GP(0)/#SS(0) if the memory +- * operand is outside the segment limit. ++ ++ /* ++ * Protected mode: #GP(0)/#SS(0) if the memory operand is ++ * outside the segment limit. All CPUs that support VMX ignore ++ * limit checks for flat segments, i.e. segments with base==0, ++ * limit==0xffffffff and of type expand-up data or code. + */ +- exn = exn || (off + sizeof(u64) > s.limit); ++ if (!(s.base == 0 && s.limit == 0xffffffff && ++ ((s.type & 8) || !(s.type & 4)))) ++ exn = exn || (off + sizeof(u64) > s.limit); + } + if (exn) { + kvm_queue_exception_e(vcpu, diff --git a/queue-4.9/kvm-nvmx-sign-extend-displacements-of-vmx-instr-s-mem-operands.patch b/queue-4.9/kvm-nvmx-sign-extend-displacements-of-vmx-instr-s-mem-operands.patch new file mode 100644 index 00000000000..7777daee25f --- /dev/null +++ b/queue-4.9/kvm-nvmx-sign-extend-displacements-of-vmx-instr-s-mem-operands.patch @@ -0,0 +1,71 @@ +From 946c522b603f281195af1df91837a1d4d1eb3bc9 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 23 Jan 2019 14:39:23 -0800 +Subject: KVM: nVMX: Sign extend displacements of VMX instr's mem operands +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 946c522b603f281195af1df91837a1d4d1eb3bc9 upstream. + +The VMCS.EXIT_QUALIFCATION field reports the displacements of memory +operands for various instructions, including VMX instructions, as a +naturally sized unsigned value, but masks the value by the addr size, +e.g. given a ModRM encoded as -0x28(%ebp), the -0x28 displacement is +reported as 0xffffffd8 for a 32-bit address size. Despite some weird +wording regarding sign extension, the SDM explicitly states that bits +beyond the instructions address size are undefined: + + In all cases, bits of this field beyond the instruction’s address + size are undefined. + +Failure to sign extend the displacement results in KVM incorrectly +treating a negative displacement as a large positive displacement when +the address size of the VMX instruction is smaller than KVM's native +size, e.g. a 32-bit address size on a 64-bit KVM. + +The very original decoding, added by commit 064aea774768 ("KVM: nVMX: +Decoding memory operands of VMX instructions"), sort of modeled sign +extension by truncating the final virtual/linear address for a 32-bit +address size. I.e. it messed up the effective address but made it work +by adjusting the final address. + +When segmentation checks were added, the truncation logic was kept +as-is and no sign extension logic was introduced. In other words, it +kept calculating the wrong effective address while mostly generating +the correct virtual/linear address. As the effective address is what's +used in the segment limit checks, this results in KVM incorreclty +injecting #GP/#SS faults due to non-existent segment violations when +a nested VMM uses negative displacements with an address size smaller +than KVM's native address size. + +Using the -0x28(%ebp) example, an EBP value of 0x1000 will result in +KVM using 0x100000fd8 as the effective address when checking for a +segment limit violation. This causes a 100% failure rate when running +a 32-bit KVM build as L1 on top of a 64-bit KVM L0. + +Fixes: f9eb4af67c9d ("KVM: nVMX: VMX instructions: add checks for #GP/#SS exceptions") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7046,6 +7046,10 @@ static int get_vmx_mem_address(struct kv + /* Addr = segment_base + offset */ + /* offset = base + [index * scale] + displacement */ + off = exit_qualification; /* holds the displacement */ ++ if (addr_size == 1) ++ off = (gva_t)sign_extend64(off, 31); ++ else if (addr_size == 0) ++ off = (gva_t)sign_extend64(off, 15); + if (base_is_valid) + off += kvm_register_read(vcpu, base_reg); + if (index_is_valid) diff --git a/queue-4.9/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch b/queue-4.9/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch new file mode 100644 index 00000000000..faa85a5fea5 --- /dev/null +++ b/queue-4.9/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch @@ -0,0 +1,58 @@ +From 9dd0627d8d62a7ddb001a75f63942d92b5336561 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Wed, 30 Jan 2019 05:09:41 -0500 +Subject: media: uvcvideo: Avoid NULL pointer dereference at the end of streaming + +From: Sakari Ailus + +commit 9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream. + +The UVC video driver converts the timestamp from hardware specific unit +to one known by the kernel at the time when the buffer is dequeued. This +is fine in general, but the streamoff operation consists of the +following steps (among other things): + +1. uvc_video_clock_cleanup --- the hardware clock sample array is + released and the pointer to the array is set to NULL, + +2. buffers in active state are returned to the user and + +3. buf_finish callback is called on buffers that are prepared. + buf_finish includes calling uvc_video_clock_update that accesses the + hardware clock sample array. + +The above is serialised by a queue specific mutex. Address the problem +by skipping the clock conversion if the hardware clock sample array is +already released. + +Fixes: 9c0863b1cc48 ("[media] vb2: call buf_finish from __queue_cancel") + +Reported-by: Chiranjeevi Rapolu +Tested-by: Chiranjeevi Rapolu +Signed-off-by: Sakari Ailus +Cc: stable@vger.kernel.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_video.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -638,6 +638,14 @@ void uvc_video_clock_update(struct uvc_s + if (!uvc_hw_timestamps_param) + return; + ++ /* ++ * We will get called from __vb2_queue_cancel() if there are buffers ++ * done but not dequeued by the user, but the sample array has already ++ * been released at that time. Just bail out in that case. ++ */ ++ if (!clock->samples) ++ return; ++ + spin_lock_irqsave(&clock->lock, flags); + + if (clock->count < clock->size) diff --git a/queue-4.9/series b/queue-4.9/series index e9fa1727667..2e188703104 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -111,3 +111,7 @@ perf-intel-pt-fix-overlap-calculation-for-padding.patch perf-intel-pt-fix-divide-by-zero-when-tsc-is-not-available.patch md-fix-failed-allocation-of-md_register_thread.patch rcu-do-rcu-gp-kthread-self-wakeup-from-softirq-and-interrupt.patch +media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch +drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch +kvm-nvmx-sign-extend-displacements-of-vmx-instr-s-mem-operands.patch +kvm-nvmx-ignore-limit-checks-on-vmx-instructions-using-flat-segments.patch