From: Greg Kroah-Hartman
Date: Mon, 3 Jul 2017 13:02:41 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.60~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f08c35083cb99fd40a76c12bc54901186e03b1de;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
cpufreq-s3c2416-double-free-on-driver-init-error-path.patch
iommu-amd-fix-incorrect-error-handling-in-amd_iommu_bind_pasid.patch
iommu-vt-d-don-t-over-free-page-table-directories.patch
kvm-nvmx-fix-exception-injection.patch
kvm-x86-zero-base3-of-unusable-segments.patch
---
diff --git a/queue-3.18/cpufreq-s3c2416-double-free-on-driver-init-error-path.patch b/queue-3.18/cpufreq-s3c2416-double-free-on-driver-init-error-path.patch
new file mode 100644
index 00000000000..8e3ca13fbcd
--- /dev/null
+++ b/queue-3.18/cpufreq-s3c2416-double-free-on-driver-init-error-path.patch
@@ -0,0 +1,33 @@
+From a69261e4470d680185a15f748d9cdafb37c57a33 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 7 Feb 2017 16:19:06 +0300
+Subject: cpufreq: s3c2416: double free on driver init error path
+
+From: Dan Carpenter
+
+commit a69261e4470d680185a15f748d9cdafb37c57a33 upstream.
+
+The "goto err_armclk;" error path already does a clk_put(s3c_freq->hclk);
+so this is a double free.
+
+Fixes: 34ee55075265 ([CPUFREQ] Add S3C2416/S3C2450 cpufreq driver)
+Signed-off-by: Dan Carpenter
+Reviewed-by: Krzysztof Kozlowski
+Acked-by: Viresh Kumar
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpufreq/s3c2416-cpufreq.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/cpufreq/s3c2416-cpufreq.c
++++ b/drivers/cpufreq/s3c2416-cpufreq.c
+@@ -400,7 +400,6 @@ static int s3c2416_cpufreq_driver_init(s
+ rate = clk_get_rate(s3c_freq->hclk);
+ if (rate < 133 * 1000 * 1000) {
+ pr_err("cpufreq: HCLK not at 133MHz\n");
+- clk_put(s3c_freq->hclk);
+ ret = -EINVAL;
+ goto err_armclk;
+ }
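Review bot: Dropping `- clk_put(s3c_freq->hclk);` leaves the release of hclk entirely to the `err_armclk` label, which is outside the hunk, so a reader of this branch can no longer see that hclk is released at all and the same "fix" could be re-added later; I would make the ownership explicit at the jump: `goto err_armclk; /* err_armclk drops hclk, do not clk_put() it here */`. Because clk handles are reference counted, the second clk_put() was presumably a refcount underflow rather than an allocator double free, which is worth saying in the commit message so the severity is not overstated. Separately, the context line `pr_err("cpufreq: HCLK not at 133MHz\n")` is printed only for `rate < 133 * 1000 * 1000`, so a faster HCLK passes silently while the message claims an exact requirement; either the condition should be `!=` or the message should say "below 133MHz". s3c2416_cpufreq_driver_init() begins and ends outside the hunk, so I could not confirm what err_armclk releases beyond the commit message's claim.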
diff --git a/queue-3.18/iommu-amd-fix-incorrect-error-handling-in-amd_iommu_bind_pasid.patch b/queue-3.18/iommu-amd-fix-incorrect-error-handling-in-amd_iommu_bind_pasid.patch
new file mode 100644
index 00000000000..3cb2c9c69c6
--- /dev/null
+++ b/queue-3.18/iommu-amd-fix-incorrect-error-handling-in-amd_iommu_bind_pasid.patch
@@ -0,0 +1,37 @@
+From 73dbd4a4230216b6a5540a362edceae0c9b4876b Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Sun, 23 Apr 2017 18:23:21 +0800
+Subject: iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
+
+From: Pan Bian
+
+commit 73dbd4a4230216b6a5540a362edceae0c9b4876b upstream.
+
+In function amd_iommu_bind_pasid(), the control flow jumps
+to label out_free when pasid_state->mm and mm is NULL. And
+mmput(mm) is called. In function mmput(mm), mm is
+referenced without validation. This will result in a NULL
+dereference bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian
+Fixes: f0aac63b873b ('iommu/amd: Don't hold a reference to mm_struct')
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/amd_iommu_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu_v2.c
++++ b/drivers/iommu/amd_iommu_v2.c
+@@ -701,9 +701,9 @@ out_clear_state:
+
+ out_unregister:
+ mmu_notifier_unregister(&pasid_state->mn, mm);
++ mmput(mm);
+
+ out_free:
+- mmput(mm);
+ free_pasid_state(pasid_state);
+
+ out:
diff --git a/queue-3.18/iommu-vt-d-don-t-over-free-page-table-directories.patch b/queue-3.18/iommu-vt-d-don-t-over-free-page-table-directories.patch
new file mode 100644
index 00000000000..62041aa239b
--- /dev/null
+++ b/queue-3.18/iommu-vt-d-don-t-over-free-page-table-directories.patch
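Review bot: Moving `mmput(mm)` under `out_unregister:` removes the NULL dereference but also changes the contract of `out_free:`: any path that reaches it after acquiring mm but before the notifier is registered would now leak the mm reference, and every `goto out_free` in amd_iommu_bind_pasid() is above the hunk, so I could not confirm that the only such jump is the mm == NULL case the commit message describes. I would pin that invariant at the label: `out_free: /* reached only before the mm reference is taken (mm == NULL); mm is dropped at out_unregister */`. The new order — unregister the notifier, then drop the mm — is the one a reader would expect, since the notifier's callbacks are tied to that mm; a one-line comment on the added `mmput(mm);` saying it must follow mmu_notifier_unregister() would make that intent explicit. The enclosing function starts outside the hunk.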
@@ -0,0 +1,57 @@
+From f7116e115acdd74bc75a4daf6492b11d43505125 Mon Sep 17 00:00:00 2001
+From: David Dillow
+Date: Mon, 30 Jan 2017 19:11:11 -0800
+Subject: iommu/vt-d: Don't over-free page table directories
+
+From: David Dillow
+
+commit f7116e115acdd74bc75a4daf6492b11d43505125 upstream.
+
+dma_pte_free_level() recurses down the IOMMU page tables and frees
+directory pages that are entirely contained in the given PFN range.
+Unfortunately, it incorrectly calculates the starting address covered
+by the PTE under consideration, which can lead to it clearing an entry
+that is still in use.
+
+This occurs if we have a scatterlist with an entry that has a length
+greater than 1026 MB and is aligned to 2 MB for both the IOMMU and
+physical addresses. For example, if __domain_mapping() is asked to map a
+two-entry scatterlist with 2 MB and 1028 MB segments to PFN 0xffff80000,
+it will ask if dma_pte_free_pagetable() is asked to PFNs from
+0xffff80200 to 0xffffc05ff, it will also incorrectly clear the PFNs from
+0xffff80000 to 0xffff801ff because of this issue. The current code will
+set level_pfn to 0xffff80200, and 0xffff80200-0xffffc01ff fits inside
+the range being cleared. Properly setting the level_pfn for the current
+level under consideration catches that this PTE is outside of the range
+being cleared.
+
+This patch also changes the value passed into dma_pte_free_level() when
+it recurses. This only affects the first PTE of the range being cleared,
+and is handled by the existing code that ensures we start our cursor no
+lower than start_pfn.
+
+This was found when using dma_map_sg() to map large chunks of contiguous
+memory, which immediatedly led to faults on the first access of the
+erroneously-deleted mappings.
+
+Fixes: 3269ee0bd668 ("intel-iommu: Fix leaks in pagetable freeing")
+Reviewed-by: Benjamin Serebrin
+Signed-off-by: David Dillow
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/intel-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -980,7 +980,7 @@ static void dma_pte_free_level(struct dm
+ if (!dma_pte_present(pte) || dma_pte_superpage(pte))
+ goto next;
+
+- level_pfn = pfn & level_mask(level - 1);
++ level_pfn = pfn & level_mask(level);
+ level_pte = phys_to_virt(dma_pte_addr(pte));
+
+ if (level > 2)
diff --git a/queue-3.18/kvm-nvmx-fix-exception-injection.patch b/queue-3.18/kvm-nvmx-fix-exception-injection.patch
new file mode 100644
index 00000000000..68447adde66
--- /dev/null
+++ b/queue-3.18/kvm-nvmx-fix-exception-injection.patch
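Review bot: `level_pfn = pfn & level_mask(level);` is the entire fix, yet nothing at the site says what level_pfn is meant to denote, which is exactly how the wrong level index in the original survived review; I would annotate it: `/* first PFN covered by this pte at the current level (not level - 1) */`. The commit message also states that the value passed to the recursive dma_pte_free_level() call changes, but that call sits below `if (level > 2)` outside the hunk, so the effect is visible only indirectly through level_pfn — worth one sentence in the same comment. Because the original cleared page-table entries for mappings still in use, this is a DMA correctness fix (the commit message reports faults on first access), not merely the leak-avoidance the surrounding code was written for, and stable backporters should treat it as such. dma_pte_free_level() begins and ends outside the hunk.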
@@ -0,0 +1,73 @@
+From d4912215d1031e4fb3d1038d2e1857218dba0d0a Mon Sep 17 00:00:00 2001
+From: Wanpeng Li
+Date: Mon, 5 Jun 2017 05:19:09 -0700
+Subject: KVM: nVMX: Fix exception injection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li
+
+commit d4912215d1031e4fb3d1038d2e1857218dba0d0a upstream.
+
+ WARNING: CPU: 3 PID: 2840 at arch/x86/kvm/vmx.c:10966 nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
+ CPU: 3 PID: 2840 Comm: qemu-system-x86 Tainted: G OE 4.12.0-rc3+ #23
+ RIP: 0010:nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
+ Call Trace:
+ ? kvm_check_async_pf_completion+0xef/0x120 [kvm]
+ ? rcu_read_lock_sched_held+0x79/0x80
+ vmx_queue_exception+0x104/0x160 [kvm_intel]
+ ? vmx_queue_exception+0x104/0x160 [kvm_intel]
+ kvm_arch_vcpu_ioctl_run+0x1171/0x1ce0 [kvm]
+ ? kvm_arch_vcpu_load+0x47/0x240 [kvm]
+ ? kvm_arch_vcpu_load+0x62/0x240 [kvm]
+ kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? __fget+0xf3/0x210
+ do_vfs_ioctl+0xa4/0x700
+ ? __fget+0x114/0x210
+ SyS_ioctl+0x79/0x90
+ do_syscall_64+0x81/0x220
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This is triggered occasionally by running both win7 and win2016 in L2, in
+addition, EPT is disabled on both L1 and L2. It can't be reproduced easily.
+
+Commit 0b6ac343fc (KVM: nVMX: Correct handling of exception injection) mentioned
+that "KVM wants to inject page-faults which it got to the guest. This function
+assumes it is called with the exit reason in vmcs02 being a #PF exception".
+Commit e011c663 (KVM: nVMX: Check all exceptions for intercept during delivery to
+L2) allows to check all exceptions for intercept during delivery to L2. However,
+there is no guarantee the exit reason is exception currently, when there is an
+external interrupt occurred on host, maybe a time interrupt for host which should
+not be injected to guest, and somewhere queues an exception, then the function
+nested_vmx_check_exception() will be called and the vmexit emulation codes will
+try to emulate the "Acknowledge interrupt on exit" behavior, the warning is
+triggered.
+
+Reusing the exit reason from the L2->L0 vmexit is wrong in this case,
+the reason must always be EXCEPTION_NMI when injecting an exception into
+L1 as a nested vmexit.
+
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Signed-off-by: Wanpeng Li
+Fixes: e011c663b9c7 ("KVM: nVMX: Check all exceptions for intercept during delivery to L2")
+Signed-off-by: Radim Krčmář
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2026,7 +2026,7 @@ static int nested_vmx_check_exception(st
+ if (!(vmcs12->exception_bitmap & (1u << nr)))
+ return 0;
+
+- nested_vmx_vmexit(vcpu, to_vmx(vcpu)->exit_reason,
++ nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI,
+ vmcs_read32(VM_EXIT_INTR_INFO),
+ vmcs_readl(EXIT_QUALIFICATION));
+ return 1;
diff --git a/queue-3.18/kvm-x86-zero-base3-of-unusable-segments.patch b/queue-3.18/kvm-x86-zero-base3-of-unusable-segments.patch
new file mode 100644
index 00000000000..df7232a344e
--- /dev/null
+++ b/queue-3.18/kvm-x86-zero-base3-of-unusable-segments.patch
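Review bot: The exit reason is now pinned to `EXIT_REASON_EXCEPTION_NMI`, but the other two arguments, `vmcs_read32(VM_EXIT_INTR_INFO)` and `vmcs_readl(EXIT_QUALIFICATION)`, are still read back from the live vmcs02, and the commit message's own scenario is that the last L2->L0 exit was not an exception at all; in that case L1 receives an exception vmexit whose interruption-info field describes whatever actually caused the exit rather than exception `nr`, which is a guest-visible inconsistency the commit does not address. `nr` is in scope here (`1u << nr`), so the interruption info could be built from it — vector, hard-exception type, valid bit and, when the exception carries an error code, the deliver-error-code bit, using the existing INTR_INFO_*/INTR_TYPE_* masks if this tree has them — with a TODO where the error code is not available to this function. At minimum I would add `/* VM_EXIT_INTR_INFO/EXIT_QUALIFICATION below are only meaningful if the last exit really was this exception */` above the call. nested_vmx_check_exception() starts outside the hunk, so I cannot see which exception fields it receives.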
@@ -0,0 +1,38 @@
+From f0367ee1d64d27fa08be2407df5c125442e885e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
+Date: Thu, 18 May 2017 19:37:30 +0200
+Subject: KVM: x86: zero base3 of unusable segments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář
+
+commit f0367ee1d64d27fa08be2407df5c125442e885e3 upstream.
+
+Static checker noticed that base3 could be used uninitialized if the
+segment was not present (useable). Random stack values probably would
+not pass VMCS entry checks.
+
+Reported-by: Dan Carpenter
+Fixes: 1aa366163b8b ("KVM: x86 emulator: consolidate segment accessors")
+Reviewed-by: Paolo Bonzini
+Reviewed-by: David Hildenbrand
+Signed-off-by: Radim Krčmář
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4853,6 +4853,8 @@ static bool emulator_get_segment(struct
+
+ if (var.unusable) {
+ memset(desc, 0, sizeof(*desc));
++ if (base3)
++ *base3 = 0;
+ return false;
+ }
+
diff --git a/queue-3.18/series b/queue-3.18/series
index 81df034db04..a80e06f58dc 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -29,3 +29,8 @@ xfrm-null-dereference-on-allocation-failure.patch
 xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch
 watchdog-bcm281xx-fix-use-of-uninitialized-spinlock.patch
 arm-8685-1-ensure-memblock-limit-is-pmd-aligned.patch
+iommu-vt-d-don-t-over-free-page-table-directories.patch
+iommu-amd-fix-incorrect-error-handling-in-amd_iommu_bind_pasid.patch
+cpufreq-s3c2416-double-free-on-driver-init-error-path.patch
+kvm-x86-zero-base3-of-unusable-segments.patch
+kvm-nvmx-fix-exception-injection.patch
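Review bot: `if (base3) *base3 = 0;` closes the uninitialized-output path, but the unusable branch now scrubs two out-parameters with nothing saying why, and the next person to add an out-parameter will not know they must do the same; I would add `/* unusable segment: zero every out-param so callers that ignore the false return never see the caller's stale stack value */` above the `memset(desc, 0, sizeof(*desc));`. The NULL guard implies callers may pass `base3 == NULL`, and the non-unusable path that presumably writes `*base3` is below the hunk, so I could not confirm it is guarded the same way; if it is not, the guard here is inconsistent with it. emulator_get_segment() begins and ends outside the hunk.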