From: Greg Kroah-Hartman Date: Mon, 2 Sep 2019 20:26:08 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.191~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c216282ae1cd844be9222559eff74cca197b9b13;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch mm-zsmalloc.c-fix-build-when-config_compaction-n.patch x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch --- diff --git a/queue-4.14/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch b/queue-4.14/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch new file mode 100644 index 00000000000..7c2b1e30174 --- /dev/null +++ b/queue-4.14/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch 
@@ -0,0 +1,57 @@ +From 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 21 Aug 2019 20:00:02 +0200 +Subject: ALSA: line6: Fix memory leak at line6_init_pcm() error path + +From: Takashi Iwai + +commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream. + +I forgot to release the allocated object at the early error path in +line6_init_pcm(). For addressing it, slightly shuffle the code so +that the PCM destructor (pcm->private_free) is assigned properly +before all error paths. + +Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/line6/pcm.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/sound/usb/line6/pcm.c ++++ b/sound/usb/line6/pcm.c +@@ -552,6 +552,15 @@ int line6_init_pcm(struct usb_line6 *lin + line6pcm->volume_monitor = 255; + line6pcm->line6 = line6; + ++ spin_lock_init(&line6pcm->out.lock); ++ spin_lock_init(&line6pcm->in.lock); ++ line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD; ++ ++ line6->line6pcm = line6pcm; ++ ++ pcm->private_data = line6pcm; ++ pcm->private_free = line6_cleanup_pcm; ++ + line6pcm->max_packet_size_in = + usb_maxpacket(line6->usbdev, + usb_rcvisocpipe(line6->usbdev, ep_read), 0); +@@ -564,15 +573,6 @@ int line6_init_pcm(struct usb_line6 *lin + return -EINVAL; + } + +- spin_lock_init(&line6pcm->out.lock); +- spin_lock_init(&line6pcm->in.lock); +- line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD; +- +- line6->line6pcm = line6pcm; +- +- pcm->private_data = line6pcm; +- pcm->private_free = line6_cleanup_pcm; +- + err = line6_create_audio_out_urbs(line6pcm); + if (err < 0) + return err; diff --git a/queue-4.14/alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch b/queue-4.14/alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch new file mode 100644 index 00000000000..1aa6523e99a --- /dev/null 
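Review bot: Once `line6->line6pcm = line6pcm;` and `pcm->private_free = line6_cleanup_pcm;` are assigned ahead of the max-packet-size validation, the `return -EINVAL;` path leaves `line6->line6pcm` pointing at an object whose lifetime now belongs to the PCM destructor, and whether that pointer is cleared before the object is freed is not visible here (line6_cleanup_pcm is outside the hunk). If no caller resets it, a short comment above the moved block stating that ownership passes to `pcm->private_free` from this point on and that `line6->line6pcm` must not be dereferenced after an error return would make the contract explicit. line6_init_pcm starts and ends outside the hunk.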
+++ b/queue-4.14/alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch 
@@ -0,0 +1,70 @@ +From 75545304eba6a3d282f923b96a466dc25a81e359 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 25 Aug 2019 09:21:44 +0200 +Subject: ALSA: seq: Fix potential concurrent access to the deleted pool + +From: Takashi Iwai + +commit 75545304eba6a3d282f923b96a466dc25a81e359 upstream. + +The input pool of a client might be deleted via the resize ioctl, the +the access to it should be covered by the proper locks. Currently the +only missing place is the call in snd_seq_ioctl_get_client_pool(), and +this patch papers over it. + +Reported-by: syzbot+4a75454b9ca2777f35c7@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 3 +-- + sound/core/seq/seq_fifo.c | 17 +++++++++++++++++ + sound/core/seq/seq_fifo.h | 2 ++ + 3 files changed, 20 insertions(+), 2 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1821,8 +1821,7 @@ static int snd_seq_ioctl_get_client_pool + if (cptr->type == USER_CLIENT) { + info->input_pool = cptr->data.user.fifo_pool_size; + info->input_free = info->input_pool; +- if (cptr->data.user.fifo) +- info->input_free = snd_seq_unused_cells(cptr->data.user.fifo->pool); ++ info->input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo); + } else { + info->input_pool = 0; + info->input_free = 0; +--- a/sound/core/seq/seq_fifo.c ++++ b/sound/core/seq/seq_fifo.c +@@ -280,3 +280,20 @@ int snd_seq_fifo_resize(struct snd_seq_f + + return 0; + } ++ ++/* get the number of unused cells safely */ ++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f) ++{ ++ unsigned long flags; ++ int cells; ++ ++ if (!f) ++ return 0; ++ ++ snd_use_lock_use(&f->use_lock); ++ spin_lock_irqsave(&f->lock, flags); ++ cells = snd_seq_unused_cells(f->pool); ++ spin_unlock_irqrestore(&f->lock, flags); ++ snd_use_lock_free(&f->use_lock); ++ return cells; ++} +--- a/sound/core/seq/seq_fifo.h ++++ b/sound/core/seq/seq_fifo.h +@@ -68,5 +68,7 @@ 
int snd_seq_fifo_poll_wait(struct snd_se + /* resize pool in fifo */ + int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize); + ++/* get the number of unused cells safely */ ++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f); + + #endif diff --git a/queue-4.14/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch b/queue-4.14/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch new file mode 100644 index 00000000000..83810583ea5 --- /dev/null +++ b/queue-4.14/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch 
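Review bot: In snd_seq_ioctl_get_client_pool the line `info->input_free = info->input_pool;` is now a dead store, because the next line overwrites it unconditionally with `snd_seq_fifo_unused_cells()`, and that helper returns 0 for a NULL fifo; the old code reported `input_pool` free cells when no fifo existed, so the value reported for that case silently changes from the pool size to 0. If the old fallback was intentional, keep the pointer check at the call site, `if (cptr->data.user.fifo) info->input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo);`, otherwise drop the dead assignment so the behaviour change is deliberate and visible. The helper's lock pairing (use_lock taken around the spinlock) looks self-consistent, but the other seq_fifo.c users are outside the hunk so I cannot confirm the ordering matches them. snd_seq_ioctl_get_client_pool starts and ends outside the hunk.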
@@ -0,0 +1,57 @@ +From 75ee23b30dc712d80d2421a9a547e7ab6e379b44 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 23 Aug 2019 13:55:44 -0700 +Subject: KVM: x86: Don't update RIP or do single-step on faulting emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 75ee23b30dc712d80d2421a9a547e7ab6e379b44 upstream. + +Don't advance RIP or inject a single-step #DB if emulation signals a +fault. This logic applies to all state updates that are conditional on +clean retirement of the emulation instruction, e.g. updating RFLAGS was +previously handled by commit 38827dbd3fb85 ("KVM: x86: Do not update +EFLAGS on faulting emulation"). + +Not advancing RIP is likely a nop, i.e. ctxt->eip isn't updated with +ctxt->_eip until emulation "retires" anyways. Skipping #DB injection +fixes a bug reported by Andy Lutomirski where a #UD on SYSCALL due to +invalid state with EFLAGS.TF=1 would loop indefinitely due to emulation +overwriting the #UD with #DB and thus restarting the bad SYSCALL over +and over. 
+ +Cc: Nadav Amit +Cc: stable@vger.kernel.org +Reported-by: Andy Lutomirski +Fixes: 663f4c61b803 ("KVM: x86: handle singlestep during emulation") +Signed-off-by: Sean Christopherson +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5954,12 +5954,13 @@ restart: + unsigned long rflags = kvm_x86_ops->get_rflags(vcpu); + toggle_interruptibility(vcpu, ctxt->interruptibility); + vcpu->arch.emulate_regs_need_sync_to_vcpu = false; +- kvm_rip_write(vcpu, ctxt->eip); +- if (r == EMULATE_DONE && ctxt->tf) +- kvm_vcpu_do_singlestep(vcpu, &r); + if (!ctxt->have_exception || +- exception_type(ctxt->exception.vector) == EXCPT_TRAP) ++ exception_type(ctxt->exception.vector) == EXCPT_TRAP) { ++ kvm_rip_write(vcpu, ctxt->eip); ++ if (r == EMULATE_DONE && ctxt->tf) ++ kvm_vcpu_do_singlestep(vcpu, &r); + __kvm_set_rflags(vcpu, ctxt->eflags); ++ } + + /* + * For STI, interrupts are shadowed; so KVM_REQ_EVENT will diff --git a/queue-4.14/kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch b/queue-4.14/kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch new file mode 100644 index 00000000000..52c2dab1f73 --- /dev/null +++ b/queue-4.14/kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch 
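Review bot: The new brace block gates `kvm_rip_write`, the single-step injection and `__kvm_set_rflags` on one condition but carries no comment saying why, so the reason (state is committed only when the emulated instruction retires without a fault; traps still retire) lives only in the commit message. A comment above the `if`, such as `/* Only commit RIP, RFLAGS and a pending single-step #DB when the instruction retired cleanly: a faulting emulation must not advance state or overwrite its own exception. */`, would keep that intent with the code. Note that `r` can be modified by `kvm_vcpu_do_singlestep()` inside the block and is presumably consumed after the hunk; that is worth a clause in the same comment. The enclosing function starts and ends outside the hunk.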
@@ -0,0 +1,53 @@ +From b14c876b994f208b6b95c222056e1deb0a45de0e Mon Sep 17 00:00:00 2001 +From: Radim Krcmar +Date: Tue, 13 Aug 2019 23:37:37 -0400 +Subject: kvm: x86: skip populating logical dest map if apic is not sw enabled + +From: Radim Krcmar + +commit b14c876b994f208b6b95c222056e1deb0a45de0e upstream. + +recalculate_apic_map does not santize ldr and it's possible that +multiple bits are set. In that case, a previous valid entry +can potentially be overwritten by an invalid one. + +This condition is hit when booting a 32 bit, >8 CPU, RHEL6 guest and then +triggering a crash to boot a kdump kernel. This is the sequence of +events: +1. Linux boots in bigsmp mode and enables PhysFlat, however, it still +writes to the LDR which probably will never be used. +2. However, when booting into kdump, the stale LDR values remain as +they are not cleared by the guest and there isn't a apic reset. +3. kdump boots with 1 cpu, and uses Logical Destination Mode but the +logical map has been overwritten and points to an inactive vcpu. + +Signed-off-by: Radim Krcmar +Signed-off-by: Bandan Das +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -209,6 +209,9 @@ static void recalculate_apic_map(struct + if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id]) + new->phys_map[xapic_id] = apic; + ++ if (!kvm_apic_sw_enabled(apic)) ++ continue; ++ + ldr = kvm_lapic_get_reg(apic, APIC_LDR); + + if (apic_x2apic_mode(apic)) { +@@ -252,6 +255,8 @@ static inline void apic_set_spiv(struct + recalculate_apic_map(apic->vcpu->kvm); + } else + static_key_slow_inc(&apic_sw_disabled.key); ++ ++ recalculate_apic_map(apic->vcpu->kvm); + } + } + diff --git a/queue-4.14/mm-zsmalloc.c-fix-build-when-config_compaction-n.patch b/queue-4.14/mm-zsmalloc.c-fix-build-when-config_compaction-n.patch new file mode 100644 index 00000000000..11fe3207aed 
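Review bot: After this change the enable path in apic_set_spiv calls `recalculate_apic_map()` twice: once via the context line that remains inside the if-branch above `} else`, and again via the new unconditional call after the else. The inner call is now redundant and can be dropped so the map is rebuilt exactly once for both transitions, i.e. remove the `recalculate_apic_map(apic->vcpu->kvm);` line inside the branch and keep only the new one. Separately, the new `continue` in recalculate_apic_map skips only the logical-map population while the `phys_map` entry above it is still filled for a sw-disabled APIC; if that is intended (the commit message speaks about the logical map only), a comment like `/* logical destination entries are only valid for a sw-enabled APIC */` above the check would document it, hedged since the rest of the loop is outside the hunk. apic_set_spiv and recalculate_apic_map both start and end outside their hunks.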
--- /dev/null +++ b/queue-4.14/mm-zsmalloc.c-fix-build-when-config_compaction-n.patch @@ -0,0 +1,37 @@ +From 441e254cd40dc03beec3c650ce6ce6074bc6517f Mon Sep 17 00:00:00 2001 +From: Andrew Morton +Date: Fri, 30 Aug 2019 16:04:35 -0700 +Subject: mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n + +From: Andrew Morton + +commit 441e254cd40dc03beec3c650ce6ce6074bc6517f upstream. + +Fixes: 701d678599d0c1 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool") +Link: http://lkml.kernel.org/r/201908251039.5oSbEEUT%25lkp@intel.com +Reported-by: kbuild test robot +Cc: Sergey Senozhatsky +Cc: Henry Burns +Cc: Minchan Kim +Cc: Shakeel Butt +Cc: Jonathan Adams +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/zsmalloc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -2431,7 +2431,9 @@ struct zs_pool *zs_create_pool(const cha + if (!pool->name) + goto err; + ++#ifdef CONFIG_COMPACTION + init_waitqueue_head(&pool->migration_wait); ++#endif + + if (create_cache(pool)) + goto err; diff --git a/queue-4.14/series b/queue-4.14/series index 19e55ab454b..3d008b1276f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -18,3 +18,10 @@ alsa-usb-audio-fix-a-stack-buffer-overflow-bug-in-check_input_term.patch alsa-usb-audio-fix-an-oob-bug-in-parse_audio_mixer_unit.patch net-smc-make-sure-epollout-is-raised.patch tcp-make-sure-epollout-wont-be-missed.patch +mm-zsmalloc.c-fix-build-when-config_compaction-n.patch +alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch +alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch +kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch +kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch +x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch +x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch 
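Review bot: The new `#ifdef CONFIG_COMPACTION` guard around `init_waitqueue_head(&pool->migration_wait);` is presumably needed because the `migration_wait` member only exists in `struct zs_pool` under the same option (the struct definition is outside the hunk), but nothing at the call site says so. A one-line comment, `/* migration_wait only exists with CONFIG_COMPACTION */`, would tell the next reader why the initialization is conditional and what has to stay in sync if the struct changes. zs_create_pool starts and ends outside the hunk.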
diff --git a/queue-4.14/x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch b/queue-4.14/x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch new file mode 100644 index 00000000000..474e206901a --- /dev/null +++ b/queue-4.14/x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch 
@@ -0,0 +1,83 @@ +From bae3a8d3308ee69a7dbdf145911b18dfda8ade0d Mon Sep 17 00:00:00 2001 +From: Bandan Das +Date: Mon, 26 Aug 2019 06:15:12 -0400 +Subject: x86/apic: Do not initialize LDR and DFR for bigsmp + +From: Bandan Das + +commit bae3a8d3308ee69a7dbdf145911b18dfda8ade0d upstream. + +Legacy apic init uses bigsmp for smp systems with 8 and more CPUs. The +bigsmp APIC implementation uses physical destination mode, but it +nevertheless initializes LDR and DFR. The LDR even ends up incorrectly with +multiple bit being set. + +This does not cause a functional problem because LDR and DFR are ignored +when physical destination mode is active, but it triggered a problem on a +32-bit KVM guest which jumps into a kdump kernel. + +The multiple bits set unearthed a bug in the KVM APIC implementation. The +code which creates the logical destination map for VCPUs ignores the +disabled state of the APIC and ends up overwriting an existing valid entry +and as a result, APIC calibration hangs in the guest during kdump +initialization. + +Remove the bogus LDR/DFR initialization. + +This is not intended to work around the KVM APIC bug. The LDR/DFR +ininitalization is wrong on its own. + +The issue goes back into the pre git history. The fixes tag is the commit +in the bitkeeper import which introduced bigsmp support in 2003. 
+ + git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git + +Fixes: db7b9e9f26b8 ("[PATCH] Clustered APIC setup for >8 CPU systems") +Suggested-by: Thomas Gleixner +Signed-off-by: Bandan Das +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190826101513.5080-2-bsd@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/bigsmp_32.c | 24 ++---------------------- + 1 file changed, 2 insertions(+), 22 deletions(-) + +--- a/arch/x86/kernel/apic/bigsmp_32.c ++++ b/arch/x86/kernel/apic/bigsmp_32.c +@@ -38,32 +38,12 @@ static int bigsmp_early_logical_apicid(i + return early_per_cpu(x86_cpu_to_apicid, cpu); + } + +-static inline unsigned long calculate_ldr(int cpu) +-{ +- unsigned long val, id; +- +- val = apic_read(APIC_LDR) & ~APIC_LDR_MASK; +- id = per_cpu(x86_bios_cpu_apicid, cpu); +- val |= SET_APIC_LOGICAL_ID(id); +- +- return val; +-} +- + /* +- * Set up the logical destination ID. +- * +- * Intel recommends to set DFR, LDR and TPR before enabling +- * an APIC. See e.g. "AP-388 82489DX User's Manual" (Intel +- * document number 292116). So here it goes... ++ * bigsmp enables physical destination mode ++ * and doesn't use LDR and DFR + */ + static void bigsmp_init_apic_ldr(void) + { +- unsigned long val; +- int cpu = smp_processor_id(); +- +- apic_write(APIC_DFR, APIC_DFR_FLAT); +- val = calculate_ldr(cpu); +- apic_write(APIC_LDR, val); + } + + static void bigsmp_setup_apic_routing(void) diff --git a/queue-4.14/x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch b/queue-4.14/x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch new file mode 100644 index 00000000000..8ea587263e6 --- /dev/null +++ b/queue-4.14/x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch 
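Review bot: `bigsmp_init_apic_ldr` is left as an empty function whose comment explains only why LDR and DFR are unused, not why the callback is kept at all; presumably the apic driver ops table expects a non-NULL `init_apic_ldr`, but that is not visible in the hunk. Expanding the comment to something like `/* Intentional no-op: bigsmp uses physical destination mode, so LDR and DFR are never consulted. Kept because the callback is invoked during APIC setup. */` records that the stub is deliberate rather than unfinished. Since this patch stops writing the LDR on bigsmp, any stale value left in the register is now cleared only by the companion x86-apic-include-the-ldr patch later in this queue, so the two should travel together, which the series file ordering here does. The remaining apic ops of the file are outside the hunk.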
@@ -0,0 +1,49 @@ +From 558682b5291937a70748d36fd9ba757fb25b99ae Mon Sep 17 00:00:00 2001 +From: Bandan Das +Date: Mon, 26 Aug 2019 06:15:13 -0400 +Subject: x86/apic: Include the LDR when clearing out APIC registers + +From: Bandan Das + +commit 558682b5291937a70748d36fd9ba757fb25b99ae upstream. + +Although APIC initialization will typically clear out the LDR before +setting it, the APIC cleanup code should reset the LDR. + +This was discovered with a 32-bit KVM guest jumping into a kdump +kernel. The stale bits in the LDR triggered a bug in the KVM APIC +implementation which caused the destination mapping for VCPUs to be +corrupted. + +Note that this isn't intended to paper over the KVM APIC bug. The kernel +has to clear the LDR when resetting the APIC registers except when X2APIC +is enabled. + +This lacks a Fixes tag because missing to clear LDR goes way back into pre +git history. + +[ tglx: Made x2apic_enabled a function call as required ] + +Signed-off-by: Bandan Das +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190826101513.5080-3-bsd@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/apic.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1148,6 +1148,10 @@ void clear_local_APIC(void) + apic_write(APIC_LVT0, v | APIC_LVT_MASKED); + v = apic_read(APIC_LVT1); + apic_write(APIC_LVT1, v | APIC_LVT_MASKED); ++ if (!x2apic_enabled()) { ++ v = apic_read(APIC_LDR) & ~APIC_LDR_MASK; ++ apic_write(APIC_LDR, v); ++ } + if (maxlvt >= 4) { + v = apic_read(APIC_LVTPC); + apic_write(APIC_LVTPC, v | APIC_LVT_MASKED);
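Review bot: The new `if (!x2apic_enabled())` block clears the LDR without a comment explaining the exclusion; in x2APIC mode the LDR is a read-only register, so writing it there would be wrong, and that is the reason worth recording next to the check rather than only in the commit message. A comment such as `/* LDR is read-only in x2APIC mode; only clear it in xAPIC mode */` above the `if` would do. The masking with `~APIC_LDR_MASK` keeps the non-ID bits of the current value, which is consistent with how the bigsmp code in this queue used to compute the register, but the mask definition is outside the hunk. clear_local_APIC starts and ends outside the hunk.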