From: Greg Kroah-Hartman Date: Mon, 20 May 2019 10:44:24 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.9.178~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6e0df5d2d1e5f08ca2e24d79ac2eeb475117156;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch ext4-fix-use-after-free-in-dx_release.patch ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
---
diff --git a/queue-4.14/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch b/queue-4.14/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch
new file mode 100644
index 00000000000..3b79df4ec64
--- /dev/null
+++ b/queue-4.14/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch
@@ -0,0 +1,41 @@
+From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Wadowski?=
+Date: Tue, 14 May 2019 16:58:00 +0200
+Subject: ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Wadowski
+
+commit 56df90b631fc027fe28b70d41352d820797239bb upstream.
+
+Add patch for realtek codec in Lenovo B50-70 that fixes inverted
+internal microphone channel.
+Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
+but first one is about fix the noise and it didn't seem help in a
+later kernel version.
+So I replaced IdeaPad Y410P device description with B50-70 and apply
+inverted microphone fix.
+
+Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215
+Signed-off-by: Michał Wadowski
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6550,7 +6550,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
diff --git a/queue-4.14/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch b/queue-4.14/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch
new file mode 100644
index 00000000000..db9b38b94e1
--- /dev/null
+++ b/queue-4.14/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch
@@ -0,0 +1,49 @@
+From 57a0da28ced8707cb9f79f071a016b9d005caf5a Mon Sep 17 00:00:00 2001
+From: Lukas Czerner
+Date: Fri, 10 May 2019 21:45:33 -0400
+Subject: ext4: fix data corruption caused by overlapping unaligned and aligned IO
+
+From: Lukas Czerner
+
+commit 57a0da28ced8707cb9f79f071a016b9d005caf5a upstream.
+
+Unaligned AIO must be serialized because the zeroing of partial blocks
+of unaligned AIO can result in data corruption in case it's overlapping
+another in flight IO.
+
+Currently we wait for all unwritten extents before we submit unaligned
+AIO which protects data in case of unaligned AIO is following overlapping
+IO. However if a unaligned AIO is followed by overlapping aligned AIO we
+can still end up corrupting data.
+
+To fix this, we must make sure that the unaligned AIO is the only IO in
+flight by waiting for unwritten extents conversion not just before the
+IO submission, but right after it as well.
+
+This problem can be reproduced by xfstest generic/538
+
+Signed-off-by: Lukas Czerner
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -262,6 +262,13 @@ ext4_file_write_iter(struct kiocb *iocb,
+ }
+
+ ret = __generic_file_write_iter(iocb, from);
++ /*
++ * Unaligned direct AIO must be the only IO in flight. Otherwise
++ * overlapping aligned IO after unaligned might result in data
++ * corruption.
++ */
++ if (ret == -EIOCBQUEUED && unaligned_aio)
++ ext4_unwritten_wait(inode);
+ inode_unlock(inode);
+
+ if (ret > 0)
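Review bot: The new wait is only meaningful while it sits above `inode_unlock(inode)`: holding the inode lock across `ext4_unwritten_wait(inode)` is what keeps a later overlapping aligned IO from being submitted until the unaligned AIO's extent conversion has finished, and the added comment does not say so. Extending the comment block with a line such as `* This must stay before inode_unlock(): the lock is what serializes the next overlapping write.` makes the ordering constraint explicit so a later reordering cannot silently reintroduce the corruption. The `ret == -EIOCBQUEUED` test means a synchronous completion takes the old path, which matches the message's focus on AIO but is worth one clause in the same comment. ext4_file_write_iter(), including where `unaligned_aio` is computed, begins before the hunk.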
diff --git a/queue-4.14/ext4-fix-use-after-free-in-dx_release.patch b/queue-4.14/ext4-fix-use-after-free-in-dx_release.patch
new file mode 100644
index 00000000000..494a516fe16
--- /dev/null
+++ b/queue-4.14/ext4-fix-use-after-free-in-dx_release.patch
@@ -0,0 +1,53 @@
+From 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala
+Date: Fri, 10 May 2019 22:00:33 -0400
+Subject: ext4: fix use-after-free in dx_release()
+
+From: Sahitya Tummala
+
+commit 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 upstream.
+
+The buffer_head (frames[0].bh) and it's corresping page can be
+potentially free'd once brelse() is done inside the for loop
+but before the for loop exits in dx_release(). It can be free'd
+in another context, when the page cache is flushed via
+drop_caches_sysctl_handler(). This results into below data abort
+when accessing info->indirect_levels in dx_release().
+
+Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
+Call trace:
+ dx_release+0x70/0x90
+ ext4_htree_fill_tree+0x2d4/0x300
+ ext4_readdir+0x244/0x6f8
+ iterate_dir+0xbc/0x160
+ SyS_getdents64+0x94/0x174
+
+Signed-off-by: Sahitya Tummala
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/namei.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -870,12 +870,15 @@ static void dx_release(struct dx_frame *
+ {
+ struct dx_root_info *info;
+ int i;
++ unsigned int indirect_levels;
+
+ if (frames[0].bh == NULL)
+ return;
+
+ info = &((struct dx_root *)frames[0].bh->b_data)->info;
+- for (i = 0; i <= info->indirect_levels; i++) {
++ /* save local copy, "info" may be freed after brelse() */
++ indirect_levels = info->indirect_levels;
++ for (i = 0; i <= indirect_levels; i++) {
+ if (frames[i].bh == NULL)
+ break;
+ brelse(frames[i].bh);
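Review bot: After this change `info` is read exactly once and then stays in scope as a pointer into `frames[0].bh->b_data`, which the first `brelse()` in the loop may free — the very hazard the commit fixes. Folding the read into the assignment, `indirect_levels = ((struct dx_root *)frames[0].bh->b_data)->info.indirect_levels;`, and dropping the `info` declaration leaves nothing dangling for a later edit to pick up. The loop bound is also an on-disk value with no range check in this hunk; if dx_probe() is what validates it against the size of `frames[]`, the saved-copy comment is the natural place to say so. The tail of dx_release() is outside the hunk.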
diff --git a/queue-4.14/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/queue-4.14/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
new file mode 100644
index 00000000000..7959a28316a
--- /dev/null
+++ b/queue-4.14/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
@@ -0,0 +1,82 @@
+From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001
+From: Sriram Rajagopalan
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: ext4: zero out the unused memory region in the extent tree block
+
+From: Sriram Rajagopalan
+
+commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/extents.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1047,6 +1047,7 @@ static int ext4_ext_split(handle_t *hand
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* make decision: where to split? 
*/
+ /* FIXME: now decision is simplest: at current extent */
+@@ -1138,6 +1139,10 @@ static int ext4_ext_split(handle_t *hand
+ le16_add_cpu(&neh->eh_entries, m);
+ }
+
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1217,6 +1222,11 @@ static int ext4_ext_split(handle_t *hand
+ sizeof(struct ext4_extent_idx) * m);
+ le16_add_cpu(&neh->eh_entries, m);
+ }
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++ memset(bh->b_data + ext_size, 0,
++ inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1282,6 +1292,7 @@ static int ext4_ext_grow_indepth(handle_
+ ext4_fsblk_t newblock, goal = 0;
+ struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* Try to prepend new index to old one */
+ if (ext_depth(inode))
+@@ -1307,9 +1318,11 @@ static int ext4_ext_grow_indepth(handle_
+ goto out;
+ }
+
++ ext_size = sizeof(EXT4_I(inode)->i_data);
+ /* move top-level index/leaf into new block */
+- memmove(bh->b_data, EXT4_I(inode)->i_data,
+- sizeof(EXT4_I(inode)->i_data));
++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++ /* zero out unused area in the extent block */
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+
+ /* set size of new block */
+ neh = ext_block_hdr(bh);
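Review bot: The index-node path in the -1217 hunk sizes the used region with `sizeof(struct ext4_extent)` although the entries copied two lines above it are `struct ext4_extent_idx` (`sizeof(struct ext4_extent_idx) * m`). Both on-disk structs are 12 bytes, so the `memset` bounds come out right today, but the zeroing that closes CVE-2019-11833 silently depends on that equality; writing `sizeof(struct ext4_extent_idx)` there makes the computation match the data it describes. All three memset sites also rely on `ext_size` never exceeding `s_blocksize` — presumably guaranteed by `eh_entries` being bounded by `eh_max`, which is not visible here and deserves a one-line comment, since an underflowing length would turn the fix into an out-of-bounds write. ext4_ext_split() and ext4_ext_grow_indepth() both begin before and end after these hunks.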
diff --git a/queue-4.14/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch b/queue-4.14/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch
new file mode 100644
index 00000000000..a4b079da48c
--- /dev/null
+++ b/queue-4.14/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch
@@ -0,0 +1,75 @@
+From ec084de929e419e51bcdafaafe567d9e7d0273b7 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue
+Date: Fri, 17 May 2019 14:31:44 -0700
+Subject: fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
+
+From: Jiufei Xue
+
+commit ec084de929e419e51bcdafaafe567d9e7d0273b7 upstream.
+
+synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb
+switch may not go to the workqueue after synchronize_rcu(). Thus
+previous scheduled switches was not finished even flushing the
+workqueue, which will cause a NULL pointer dereferenced followed below.
+
+ VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds. Have a nice day...
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000278
+ evict+0xb3/0x180
+ iput+0x1b0/0x230
+ inode_switch_wbs_work_fn+0x3c0/0x6a0
+ worker_thread+0x4e/0x490
+ ? process_one_work+0x410/0x410
+ kthread+0xe6/0x100
+ ret_from_fork+0x39/0x50
+
+Replace the synchronize_rcu() call with a rcu_barrier() to wait for all
+pending callbacks to finish. And inc isw_nr_in_flight after call_rcu()
+in inode_switch_wbs() to make more sense.
+
+Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.com
+Signed-off-by: Jiufei Xue
+Acked-by: Tejun Heo
+Suggested-by: Tejun Heo
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fs-writeback.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -530,8 +530,6 @@ static void inode_switch_wbs(struct inod
+
+ isw->inode = inode;
+
+- atomic_inc(&isw_nr_in_flight);
+-
+ /*
+ * In addition to synchronizing among switchers, I_WB_SWITCH tells
+ * the RCU protected stat update paths to grab the mapping's
+@@ -539,6 +537,9 @@ static void inode_switch_wbs(struct inod
+ * Let's continue after I_WB_SWITCH is guaranteed to be visible. 
+ */
+ call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
++
++ atomic_inc(&isw_nr_in_flight);
++
+ goto out_unlock;
+
+ out_free:
+@@ -908,7 +909,11 @@ restart:
+ void cgroup_writeback_umount(void)
+ {
+ if (atomic_read(&isw_nr_in_flight)) {
+- synchronize_rcu();
++ /*
++ * Use rcu_barrier() to wait for all pending callbacks to
++ * ensure that all in-flight wb switches are in the workqueue.
++ */
++ rcu_barrier();
+ flush_workqueue(isw_wq);
+ }
+ }
diff --git a/queue-4.14/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch b/queue-4.14/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
new file mode 100644
index 00000000000..876c6530a23
--- /dev/null
+++ b/queue-4.14/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
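Review bot: Moving `atomic_inc(&isw_nr_in_flight)` below `call_rcu()` opens a window in which `cgroup_writeback_umount()` can read the counter as zero while this switch's callback is already queued, and then skip the `rcu_barrier()`/`flush_workqueue()` pair the same commit introduces. If the caller's reference on the inode is what rules out a concurrent unmount, a comment at the increment saying so would make the new ordering defensible; otherwise the increment belongs before `call_rcu()` as in the removed lines, with the barrier change standing on its own. inode_switch_wbs() begins before the first hunk, so the surrounding locking is not visible here.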
@@ -0,0 +1,99 @@
+From 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Tue, 2 Apr 2019 08:19:15 -0700
+Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
+
+From: Sean Christopherson
+
+commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream.
+
+KVM allows userspace to violate consistency checks related to the
+guest's CPUID model to some degree. Generally speaking, userspace has
+carte blanche when it comes to guest state so long as jamming invalid
+state won't negatively affect the host.
+
+Currently this is seems to be a non-issue as most of the interesting
+EFER checks are missing, e.g. NX and LME, but those will be added
+shortly. Proactively exempt userspace from the CPUID checks so as not
+to break userspace.
+
+Note, the efer_reserved_bits check still applies to userspace writes as
+that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
+guest to run with NX=1 if it has been disabled in the host. 
+
+Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1107,31 +1107,42 @@ static int do_get_msr_feature(struct kvm
+ return 0;
+ }
+
+-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+ {
+- if (efer & efer_reserved_bits)
+- return false;
+-
+ if (efer & EFER_FFXSR && !guest_cpuid_has(vcpu, X86_FEATURE_FXSR_OPT))
+- return false;
++ return false;
+
+ if (efer & EFER_SVME && !guest_cpuid_has(vcpu, X86_FEATURE_SVM))
+- return false;
++ return false;
+
+ return true;
++
++}
+bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+{
+ if (efer & efer_reserved_bits)
+ return false;
+
+ return __kvm_valid_efer(vcpu, efer);
+ }
+ EXPORT_SYMBOL_GPL(kvm_valid_efer);
+
+-static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ {
+ u64 old_efer = vcpu->arch.efer;
++ u64 efer = msr_info->data;
+
+- if (!kvm_valid_efer(vcpu, efer))
+- return 1;
++ if (efer & efer_reserved_bits)
++ return false;
+
+- if (is_paging(vcpu)
+- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
+- return 1;
++ if (!msr_info->host_initiated) {
++ if (!__kvm_valid_efer(vcpu, efer))
++ return 1;
++
++ if (is_paging(vcpu) &&
++ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
++ return 1;
++ }
+
+ efer &= ~EFER_LMA;
+ efer |= vcpu->arch.efer & EFER_LMA;
+@@ -2240,7 +2251,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
+ vcpu->arch.arch_capabilities = data;
+ break;
+ case MSR_EFER:
+- return set_efer(vcpu, data);
++ return set_efer(vcpu, msr_info);
+ case MSR_K7_HWCR:
+ data &= ~(u64)0x40; /* ignore flush filter disable 
*/
+ data &= ~(u64)0x100; /* ignore ignne emulation enable */
diff --git a/queue-4.14/series b/queue-4.14/series
index 0b0f8739f32..3bf25ffea48 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -53,3 +53,9 @@ crypto-arm64-aes-neonbs-don-t-access-already-freed-walk.iv.patch
 crypto-salsa20-don-t-access-already-freed-walk.iv.patch
 crypto-ccm-fix-incompatibility-between-ccm-and-ccm_base.patch
 fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch
+fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch
+ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
+ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch
+ext4-fix-use-after-free-in-dx_release.patch
+alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch
+kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
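Review bot: In the new set_efer() body the reserved-bits check ends in `return false;`, which is 0 from an int-returning function whose callers treat non-zero as failure — the kvm_set_msr_common hunk returns set_efer()'s value directly, and the check it replaces returned 1. A write with reserved bits set is therefore reported as successful and the function carries on to the `efer &= ~EFER_LMA` path, the opposite of what the message promises ("the efer_reserved_bits check still applies to userspace writes"); that line should read `return 1;`. The stray blank line inserted before the closing brace of __kvm_valid_efer (`++` then `++}`), with no blank line between that brace and the following kvm_valid_efer() definition, also looks unintended. set_efer() continues past the end of the first hunk, so its remaining write-back path is not visible here.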