From: Greg Kroah-Hartman Date: Sat, 24 Oct 2020 09:54:09 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.241~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8fbec304c08626463b449378c585b08b0d8210b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-hda-realtek-add-mute-led-support-for-hp-elitebook-845-g7.patch alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch alsa-hda-realtek-set-mic-to-auto-detect-on-a-hp-aio-machine.patch alsa-hda-realtek-the-front-mic-on-a-hp-machine-doesn-t-work.patch cifs-remove-bogus-debug-code.patch cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails.patch kvm-nvmx-reset-the-segment-cache-when-stuffing-guest-segs.patch kvm-svm-initialize-prev_ga_tag-before-use.patch kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch smb3-resolve-data-corruption-of-tcp-server-info-fields.patch --- diff --git a/queue-5.4/alsa-hda-realtek-add-mute-led-support-for-hp-elitebook-845-g7.patch b/queue-5.4/alsa-hda-realtek-add-mute-led-support-for-hp-elitebook-845-g7.patch new file mode 100644 index 00000000000..e113a132086 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-mute-led-support-for-hp-elitebook-845-g7.patch 
@@ -0,0 +1,33 @@ +From 08befca40026136c14c3cd84f9e36c4cd20a358e Mon Sep 17 00:00:00 2001 +From: Qiu Wenbo +Date: Fri, 2 Oct 2020 20:44:54 +0800 +Subject: ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 + +From: Qiu Wenbo + +commit 08befca40026136c14c3cd84f9e36c4cd20a358e upstream. + +After installing archlinux, the mute led and micmute led are not working +at all. This patch fix this issue by applying a fixup from similar +model. These mute leds are confirmed working on HP Elitebook 845 G7. + +Signed-off-by: Qiu Wenbo +Cc: +Link: https://lore.kernel.org/r/20201002124454.7240-1-qiuwenbo@kylinos.com.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7756,6 +7756,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x874e, "HP", ALC274_FIXUP_HP_MIC), ++ SND_PCI_QUIRK(0x103c, 0x8760, "HP", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x877d, "HP", ALC236_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), diff --git a/queue-5.4/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch b/queue-5.4/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch new file mode 100644 index 00000000000..efd97dc0db6 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch 
@@ -0,0 +1,99 @@ +From ca184355db8e60290fa34bf61c13308e6f4f50d3 Mon Sep 17 00:00:00 2001 +From: Jian-Hong Pan +Date: Wed, 7 Oct 2020 13:22:25 +0800 +Subject: ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 + +From: Jian-Hong Pan + +commit ca184355db8e60290fa34bf61c13308e6f4f50d3 upstream. + +The ASUS D700SA desktop's audio (1043:2390) with ALC887 cannot detect +the headset microphone and another headphone jack until +ALC887_FIXUP_ASUS_HMIC and ALC887_FIXUP_ASUS_AUDIO quirks are applied. +The NID 0x15 maps as the headset microphone and NID 0x19 maps as another +headphone jack. Also need the function like alc887_fixup_asus_jack to +enable the audio jacks. + +Signed-off-by: Jian-Hong Pan +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/20201007052224.22611-1-jhp@endlessos.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -1921,6 +1921,8 @@ enum { + ALC1220_FIXUP_CLEVO_P950, + ALC1220_FIXUP_CLEVO_PB51ED, + ALC1220_FIXUP_CLEVO_PB51ED_PINS, ++ ALC887_FIXUP_ASUS_AUDIO, ++ ALC887_FIXUP_ASUS_HMIC, + }; + + static void alc889_fixup_coef(struct hda_codec *codec, +@@ -2133,6 +2135,31 @@ static void alc1220_fixup_clevo_pb51ed(s + alc_fixup_headset_mode_no_hp_mic(codec, fix, action); + } + ++static void alc887_asus_hp_automute_hook(struct hda_codec *codec, ++ struct hda_jack_callback *jack) ++{ ++ struct alc_spec *spec = codec->spec; ++ unsigned int vref; ++ ++ snd_hda_gen_hp_automute(codec, jack); ++ ++ if (spec->gen.hp_jack_present) ++ vref = AC_PINCTL_VREF_80; ++ else ++ vref = AC_PINCTL_VREF_HIZ; ++ snd_hda_set_pin_ctl(codec, 0x19, PIN_HP | vref); ++} ++ ++static void alc887_fixup_asus_jack(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ if (action != 
HDA_FIXUP_ACT_PROBE) ++ return; ++ snd_hda_set_pin_ctl_cache(codec, 0x1b, PIN_HP); ++ spec->gen.hp_automute_hook = alc887_asus_hp_automute_hook; ++} ++ + static const struct hda_fixup alc882_fixups[] = { + [ALC882_FIXUP_ABIT_AW9D_MAX] = { + .type = HDA_FIXUP_PINS, +@@ -2390,6 +2417,20 @@ static const struct hda_fixup alc882_fix + .chained = true, + .chain_id = ALC1220_FIXUP_CLEVO_PB51ED, + }, ++ [ALC887_FIXUP_ASUS_AUDIO] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x15, 0x02a14150 }, /* use as headset mic, without its own jack detect */ ++ { 0x19, 0x22219420 }, ++ {} ++ }, ++ }, ++ [ALC887_FIXUP_ASUS_HMIC] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc887_fixup_asus_jack, ++ .chained = true, ++ .chain_id = ALC887_FIXUP_ASUS_AUDIO, ++ }, + }; + + static const struct snd_pci_quirk alc882_fixup_tbl[] = { +@@ -2423,6 +2464,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1043, 0x13c2, "Asus A7M", ALC882_FIXUP_EAPD), + SND_PCI_QUIRK(0x1043, 0x1873, "ASUS W90V", ALC882_FIXUP_ASUS_W90V), + SND_PCI_QUIRK(0x1043, 0x1971, "Asus W2JC", ALC882_FIXUP_ASUS_W2JC), ++ SND_PCI_QUIRK(0x1043, 0x2390, "Asus D700SA", ALC887_FIXUP_ASUS_HMIC), + SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601), + SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS), + SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3), diff --git a/queue-5.4/alsa-hda-realtek-set-mic-to-auto-detect-on-a-hp-aio-machine.patch b/queue-5.4/alsa-hda-realtek-set-mic-to-auto-detect-on-a-hp-aio-machine.patch new file mode 100644 index 00000000000..8dc1cf8d109 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-set-mic-to-auto-detect-on-a-hp-aio-machine.patch 
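Review bot: The new pin table and automute hook hard-code NIDs 0x19 and 0x1b without a comment, while the neighbouring 0x15 entry does explain its role; per the commit message 0x15 is the headset mic and 0x19 the second headphone jack, but that is not visible in the code. I would annotate the pin entry as `{ 0x19, 0x22219420 }, /* second headphone jack; VREF driven by alc887_asus_hp_automute_hook */` and put `/* bias the second HP jack (0x19) only while the main HP jack is present */` above the `snd_hda_set_pin_ctl(codec, 0x19, PIN_HP | vref)` call. The reason VREF_80 vs HIZ tracks `hp_jack_present` is not stated in the commit message either, so the author should confirm that wording. Minor style: in alc887_fixup_asus_jack the `spec` load could move below the `action != HDA_FIXUP_ACT_PROBE` guard so the early return does no work.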
@@ -0,0 +1,68 @@ +From 13468bfa8c58731dc9ecda1cd9b22a191114f944 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Mon, 28 Sep 2020 16:01:17 +0800 +Subject: ALSA: hda/realtek - set mic to auto detect on a HP AIO machine + +From: Hui Wang + +commit 13468bfa8c58731dc9ecda1cd9b22a191114f944 upstream. + +Recently we enabled a HP AIO machine, we found the mic on the machine +couldn't record any sound and it couldn't detect plugging and +unplugging as well. + +Through debugging we found the mic is set to manual detect mode, after +setting it to auto detect mode, it could detect plugging and +unplugging and could record sound. + +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20200928080117.12435-1-hui.wang@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6216,6 +6216,7 @@ enum { + ALC269_FIXUP_LEMOTE_A190X, + ALC256_FIXUP_INTEL_NUC8_RUGGED, + ALC255_FIXUP_XIAOMI_HEADSET_MIC, ++ ALC274_FIXUP_HP_MIC, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -7595,6 +7596,14 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC289_FIXUP_ASUS_GA401 + }, ++ [ALC274_FIXUP_HP_MIC] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x45 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 }, ++ { } ++ }, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -7746,6 +7755,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x874e, "HP", ALC274_FIXUP_HP_MIC), + SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x877d, 
"HP", ALC236_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), +@@ -8071,6 +8081,7 @@ static const struct hda_model_fixup alc2 + {.id = ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE, .name = "alc256-medion-headset"}, + {.id = ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET, .name = "alc298-samsung-headphone"}, + {.id = ALC255_FIXUP_XIAOMI_HEADSET_MIC, .name = "alc255-xiaomi-headset"}, ++ {.id = ALC274_FIXUP_HP_MIC, .name = "alc274-hp-mic-detect"}, + {} + }; + #define ALC225_STANDARD_PINS \ diff --git a/queue-5.4/alsa-hda-realtek-the-front-mic-on-a-hp-machine-doesn-t-work.patch b/queue-5.4/alsa-hda-realtek-the-front-mic-on-a-hp-machine-doesn-t-work.patch new file mode 100644 index 00000000000..fd132cc0bcd --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-the-front-mic-on-a-hp-machine-doesn-t-work.patch 
@@ -0,0 +1,34 @@ +From 148ebf548a1af366fc797fcc7d03f0bb92b12a79 Mon Sep 17 00:00:00 2001 +From: Jeremy Szu +Date: Thu, 8 Oct 2020 18:56:44 +0800 +Subject: ALSA: hda/realtek - The front Mic on a HP machine doesn't work + +From: Jeremy Szu + +commit 148ebf548a1af366fc797fcc7d03f0bb92b12a79 upstream. + +On a HP ZCentral, the front Mic could not be detected. + +The codec of the HP ZCentrol is alc671 and it needs to override the pin +configuration to enable the headset mic. + +Signed-off-by: Jeremy Szu +Cc: +Link: https://lore.kernel.org/r/20201008105645.65505-1-jeremy.szu@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9634,6 +9634,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), ++ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x1043, 0x1080, "Asus UX501VW", ALC668_FIXUP_HEADSET_MODE), + SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50), + SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A), diff --git a/queue-5.4/cifs-remove-bogus-debug-code.patch b/queue-5.4/cifs-remove-bogus-debug-code.patch new file mode 100644 index 00000000000..074390b0797 --- /dev/null +++ b/queue-5.4/cifs-remove-bogus-debug-code.patch 
@@ -0,0 +1,72 @@ +From d367cb960ce88914898cbfa43645c2e43ede9465 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 16 Sep 2020 23:18:21 +0300 +Subject: cifs: remove bogus debug code + +From: Dan Carpenter + +commit d367cb960ce88914898cbfa43645c2e43ede9465 upstream. + +The "end" pointer is either NULL or it points to the next byte to parse. +If there isn't a next byte then dereferencing "end" is an off-by-one out +of bounds error. And, of course, if it's NULL that leads to an Oops. +Printing "*end" doesn't seem very useful so let's delete this code. + +Also for the last debug statement, I noticed that it should be printing +"sequence_end" instead of "end" so fix that as well. + +Reported-by: Dominik Maier +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/asn1.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/cifs/asn1.c ++++ b/fs/cifs/asn1.c +@@ -530,8 +530,8 @@ decode_negTokenInit(unsigned char *secur + return 0; + } else if ((cls != ASN1_CTX) || (con != ASN1_CON) + || (tag != ASN1_EOC)) { +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n", +- cls, con, tag, end, *end); ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n", ++ cls, con, tag, end); + return 0; + } + +@@ -541,8 +541,8 @@ decode_negTokenInit(unsigned char *secur + return 0; + } else if ((cls != ASN1_UNI) || (con != ASN1_CON) + || (tag != ASN1_SEQ)) { +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n", +- cls, con, tag, end, *end); ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 1\n", ++ cls, con, tag, end); + return 0; + } + +@@ -552,8 +552,8 @@ decode_negTokenInit(unsigned char *secur + return 0; + } else if ((cls != ASN1_CTX) || (con != ASN1_CON) + || (tag != ASN1_EOC)) { +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 0\n", +- cls, con, tag, end, *end); ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p exit 0\n", ++ cls, 
con, tag, end); + return 0; + } + +@@ -564,8 +564,8 @@ decode_negTokenInit(unsigned char *secur + return 0; + } else if ((cls != ASN1_UNI) || (con != ASN1_CON) + || (tag != ASN1_SEQ)) { +- cifs_dbg(FYI, "cls = %d con = %d tag = %d end = %p (%d) exit 1\n", +- cls, con, tag, end, *end); ++ cifs_dbg(FYI, "cls = %d con = %d tag = %d sequence_end = %p exit 1\n", ++ cls, con, tag, sequence_end); + return 0; + } + diff --git a/queue-5.4/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch b/queue-5.4/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch new file mode 100644 index 00000000000..223257a189e --- /dev/null +++ b/queue-5.4/cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch 
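Review bot: The remaining debug prints still pass the parse cursors `end` and `sequence_end` as `%p`, which is fine (in 5.4 `%p` is hashed, so no kernel address leaks), but nothing in the function states that these cursors may be NULL after a failed header decode or point one past the server-supplied negTokenInit data, which is exactly how the removed `*end` dereference went wrong. decode_negTokenInit starts outside the hunk; I would add at its top `/* "end"/"sequence_end" are parse cursors: NULL on decode failure or one past the data, so compare them but never dereference. */`. Two of the rewritten messages still say "exit 0" and two "exit 1" at four different failure points, so distinct labels would make a cifsFYI trace unambiguous. The exposure was limited to builds with cifsFYI enabled, but a `Fixes:` tag naming the commit that introduced these prints would help stable maintainers pick the affected trees.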
@@ -0,0 +1,44 @@ +From 0bd294b55a5de442370c29fa53bab17aef3ff318 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N +Date: Thu, 15 Oct 2020 10:41:31 -0700 +Subject: cifs: Return the error from crypt_message when enc/dec key not found. + +From: Shyam Prasad N + +commit 0bd294b55a5de442370c29fa53bab17aef3ff318 upstream. + +In crypt_message, when smb2_get_enc_key returns error, we need to +return the error back to the caller. If not, we end up processing +the message further, causing a kernel oops due to unwarranted access +of memory. + +Call Trace: +smb3_receive_transform+0x120/0x870 [cifs] +cifs_demultiplex_thread+0xb53/0xc20 [cifs] +? cifs_handle_standard+0x190/0x190 [cifs] +kthread+0x116/0x130 +? kthread_park+0x80/0x80 +ret_from_fork+0x1f/0x30 + +Signed-off-by: Shyam Prasad N +Reviewed-by: Pavel Shilovsky +Reviewed-by: Ronnie Sahlberg +CC: Stable +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3707,7 +3707,7 @@ crypt_message(struct TCP_Server_Info *se + if (rc) { + cifs_server_dbg(VFS, "%s: Could not get %scryption key\n", __func__, + enc ? "en" : "de"); +- return 0; ++ return rc; + } + + rc = smb3_crypto_aead_allocate(server); diff --git a/queue-5.4/kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails.patch b/queue-5.4/kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails.patch new file mode 100644 index 00000000000..0f2e08c8602 --- /dev/null +++ b/queue-5.4/kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails.patch 
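Review bot: Returning `rc` on the key-lookup failure is correct and matches the callers visible later in this series (decrypt_raw_data's callers bail on any non-zero rc), but the `cifs_server_dbg(VFS, ...)` two lines above now sits on a path a peer can presumably drive: if smb2_get_enc_key fails because a transform header carries a SessionId that matches no session, every such packet prints a VFS-level line with no rate limiting. I would either use a ratelimited variant if this tree has one, or at least note the exposure with `/* reachable for any transform header whose SessionId matches no session; keep the log quiet */` — confirm against smb2_get_enc_key, which is outside the hunk. crypt_message's body continues on both sides of the hunk.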
@@ -0,0 +1,40 @@ +From b89d5ad00e789967a5e2c5335f75c48755bebd88 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 23 Sep 2020 11:44:47 -0700 +Subject: KVM: nVMX: Reload vmcs01 if getting vmcs12's pages fails + +From: Sean Christopherson + +commit b89d5ad00e789967a5e2c5335f75c48755bebd88 upstream. + +Reload vmcs01 when bailing from nested_vmx_enter_non_root_mode() as KVM +expects vmcs01 to be loaded when is_guest_mode() is false. + +Fixes: 671ddc700fd08 ("KVM: nVMX: Don't leak L1 MMIO regions to L2") +Cc: stable@vger.kernel.org +Cc: Dan Cross +Cc: Jim Mattson +Cc: Peter Shier +Signed-off-by: Sean Christopherson +Message-Id: <20200923184452.980-3-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx/nested.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3096,8 +3096,10 @@ enum nvmx_vmentry_status nested_vmx_ente + prepare_vmcs02_early(vmx, vmcs12); + + if (from_vmentry) { +- if (unlikely(!nested_get_vmcs12_pages(vcpu))) ++ if (unlikely(!nested_get_vmcs12_pages(vcpu))) { ++ vmx_switch_vmcs(vcpu, &vmx->vmcs01); + return NVMX_VMENTRY_KVM_INTERNAL_ERROR; ++ } + + if (nested_vmx_check_vmentry_hw(vcpu)) { + vmx_switch_vmcs(vcpu, &vmx->vmcs01); diff --git a/queue-5.4/kvm-nvmx-reset-the-segment-cache-when-stuffing-guest-segs.patch b/queue-5.4/kvm-nvmx-reset-the-segment-cache-when-stuffing-guest-segs.patch new file mode 100644 index 00000000000..b0b3f513b9b --- /dev/null +++ b/queue-5.4/kvm-nvmx-reset-the-segment-cache-when-stuffing-guest-segs.patch 
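Review bot: The new failure arm repeats the `vmx_switch_vmcs(vcpu, &vmx->vmcs01)` that the `nested_vmx_check_vmentry_hw()` arm immediately below already does, and neither says why the switch-back is required, so the next bail-out added between them is likely to miss it again (which is how the Fixes: commit introduced this bug). A short comment above the new branch, `/* Bail to vmcs01: KVM assumes vmcs01 is loaded whenever is_guest_mode() is false. */`, would record the invariant from the commit message in the code. If the function has a shared failure label further down (the body continues past the hunk), routing both early exits through it would remove the duplication.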
@@ -0,0 +1,74 @@ +From fc387d8daf3960c5e1bc18fa353768056f4fd394 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 23 Sep 2020 11:44:46 -0700 +Subject: KVM: nVMX: Reset the segment cache when stuffing guest segs + +From: Sean Christopherson + +commit fc387d8daf3960c5e1bc18fa353768056f4fd394 upstream. + +Explicitly reset the segment cache after stuffing guest segment regs in +prepare_vmcs02_rare(). Although the cache is reset when switching to +vmcs02, there is nothing that prevents KVM from re-populating the cache +prior to writing vmcs02 with vmcs12's values. E.g. if the vCPU is +preempted after switching to vmcs02 but before prepare_vmcs02_rare(), +kvm_arch_vcpu_put() will dereference GUEST_SS_AR_BYTES via .get_cpl() +and cache the stale vmcs02 value. While the current code base only +caches stale data in the preemption case, it's theoretically possible +future code could read a segment register during the nested flow itself, +i.e. this isn't technically illegal behavior in kvm_arch_vcpu_put(), +although it did introduce the bug. + +This manifests as an unexpected nested VM-Enter failure when running +with unrestricted guest disabled if the above preemption case coincides +with L1 switching L2's CPL, e.g. when switching from a L2 vCPU at CPL3 +to to a L2 vCPU at CPL0. stack_segment_valid() will see the new SS_SEL +but the old SS_AR_BYTES and incorrectly mark the guest state as invalid +due to SS.dpl != SS.rpl. + +Don't bother updating the cache even though prepare_vmcs02_rare() writes +every segment. With unrestricted guest, guest segments are almost never +read, let alone L2 guest segments. On the other hand, populating the +cache requires a large number of memory writes, i.e. it's unlikely to be +a net win. Updating the cache would be a win when unrestricted guest is +not supported, as guest_state_valid() will immediately cache all segment +registers. 
But, nested virtualization without unrestricted guest is +dirt slow, saving some VMREADs won't change that, and every CPU +manufactured in the last decade supports unrestricted guest. In other +words, the extra (minor) complexity isn't worth the trouble. + +Note, kvm_arch_vcpu_put() may see stale data when querying guest CPL +depending on when preemption occurs. This is "ok" in that the usage is +imperfect by nature, i.e. it's used heuristically to improve performance +but doesn't affect functionality. kvm_arch_vcpu_put() could be "fixed" +by also disabling preemption while loading segments, but that's +pointless and misleading as reading state from kvm_sched_{in,out}() is +guaranteed to see stale data in one form or another. E.g. even if all +the usage of regs_avail is fixed to call kvm_register_mark_available() +after the associated state is set, the individual state might still be +stale with respect to the overall vCPU state. I.e. making functional +decisions in an asynchronous hook is doomed from the get go. Thankfully +KVM doesn't do that. + +Fixes: de63ad4cf4973 ("KVM: X86: implement the logic for spinlock optimization") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20200923184452.980-2-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx/nested.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -2231,6 +2231,8 @@ static void prepare_vmcs02_rare(struct v + vmcs_writel(GUEST_TR_BASE, vmcs12->guest_tr_base); + vmcs_writel(GUEST_GDTR_BASE, vmcs12->guest_gdtr_base); + vmcs_writel(GUEST_IDTR_BASE, vmcs12->guest_idtr_base); ++ ++ vmx->segment_cache.bitmask = 0; + } + + if (!hv_evmcs || !(hv_evmcs->hv_clean_fields & diff --git a/queue-5.4/kvm-svm-initialize-prev_ga_tag-before-use.patch b/queue-5.4/kvm-svm-initialize-prev_ga_tag-before-use.patch new file mode 100644 index 00000000000..9a1ade71c13 
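Review bot: The added `vmx->segment_cache.bitmask = 0;` carries no comment, and the reason it is needed (preemption between the vmcs02 switch and these writes can let kvm_arch_vcpu_put() cache a stale SS AR from vmcs02) lives only in the commit message. I would put the why next to the line: `/* Preemption after the switch to vmcs02 may have repopulated the segment cache with stale vmcs02 values; drop it now that the real guest segs are written. */`. If this tree exposes a `vmx_segment_cache_clear()` helper to nested.c, prefer it over poking the bitmask directly; in 5.4 it may still be static to vmx.c, which would explain the open-coded reset. prepare_vmcs02_rare continues outside the hunk.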
--- /dev/null +++ b/queue-5.4/kvm-svm-initialize-prev_ga_tag-before-use.patch 
@@ -0,0 +1,62 @@ +From f6426ab9c957e97418ac5b0466538792767b1738 Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Sat, 3 Oct 2020 23:27:07 +0000 +Subject: KVM: SVM: Initialize prev_ga_tag before use + +From: Suravee Suthikulpanit + +commit f6426ab9c957e97418ac5b0466538792767b1738 upstream. + +The function amd_ir_set_vcpu_affinity makes use of the parameter struct +amd_iommu_pi_data.prev_ga_tag to determine if it should delete struct +amd_iommu_pi_data from a list when not running in AVIC mode. + +However, prev_ga_tag is initialized only when AVIC is enabled. The non-zero +uninitialized value can cause unintended code path, which ends up making +use of the struct vcpu_svm.ir_list and ir_list_lock without being +initialized (since they are intended only for the AVIC case). + +This triggers NULL pointer dereference bug in the function vm_ir_list_del +with the following call trace: + + svm_update_pi_irte+0x3c2/0x550 [kvm_amd] + ? proc_create_single_data+0x41/0x50 + kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm] + __connect+0x5f/0xb0 [irqbypass] + irq_bypass_register_producer+0xf8/0x120 [irqbypass] + vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci] + vfio_msi_set_block+0x77/0xe0 [vfio_pci] + vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci] + vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci] + vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci] + ? alloc_file_pseudo+0xa5/0x100 + vfio_device_fops_unl_ioctl+0x26/0x30 [vfio] + ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio] + __x64_sys_ioctl+0x96/0xd0 + do_syscall_64+0x37/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Therefore, initialize prev_ga_tag to zero before use. This should be safe +because ga_tag value 0 is invalid (see function avic_vm_init). 
+ +Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()") +Signed-off-by: Suravee Suthikulpanit +Message-Id: <20201003232707.4662-1-suravee.suthikulpanit@amd.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -5383,6 +5383,7 @@ static int svm_update_pi_irte(struct kvm + * - Tell IOMMU to use legacy mode for this interrupt. + * - Retrieve ga_tag of prior interrupt remapping data. + */ ++ pi.prev_ga_tag = 0; + pi.is_guest_mode = false; + ret = irq_set_vcpu_affinity(host_irq, &pi); + diff --git a/queue-5.4/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch b/queue-5.4/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch new file mode 100644 index 00000000000..e4d572fd9b4 --- /dev/null +++ b/queue-5.4/kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch 
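Review bot: Zeroing `pi.prev_ga_tag` right before the legacy-mode call fixes the reported path, but it is a field-by-field repair of an uninitialised stack struct: any other member of `struct amd_iommu_pi_data` that amd_ir_set_vcpu_affinity reads in the non-AVIC case would still be stack garbage. The declaration of `pi` is above the hunk; if it is a plain `struct amd_iommu_pi_data pi;`, initialising it as `struct amd_iommu_pi_data pi = {};` where it is declared covers prev_ga_tag and anything added later. A one-line comment here, `/* 0 is never a valid ga_tag (see avic_vm_init), so it means "no prior tag" */`, would also record why zero is the safe value. svm_update_pi_irte's body lies mostly outside the hunk.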
@@ -0,0 +1,39 @@ +From e89505698c9f70125651060547da4ff5046124fc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 23 Sep 2020 11:37:28 -0700 +Subject: KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages + +From: Sean Christopherson + +commit e89505698c9f70125651060547da4ff5046124fc upstream. + +Call kvm_mmu_commit_zap_page() after exiting the "prepare zap" loop in +kvm_recover_nx_lpages() to finish zapping pages in the unlikely event +that the loop exited due to lpage_disallowed_mmu_pages being empty. +Because the recovery thread drops mmu_lock() when rescheduling, it's +possible that lpage_disallowed_mmu_pages could be emptied by a different +thread without to_zap reaching zero despite to_zap being derived from +the number of disallowed lpages. + +Fixes: 1aa9b9572b105 ("kvm: x86: mmu: Recovery of shattered NX large pages") +Cc: Junaid Shahid +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20200923183735.584-2-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -6453,6 +6453,7 @@ static void kvm_recover_nx_lpages(struct + cond_resched_lock(&kvm->mmu_lock); + } + } ++ kvm_mmu_commit_zap_page(kvm, &invalid_list); + + spin_unlock(&kvm->mmu_lock); + srcu_read_unlock(&kvm->srcu, rcu_idx); diff --git a/queue-5.4/series b/queue-5.4/series index 5b948023693..9c46b19a28f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
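Review bot: The trailing `kvm_mmu_commit_zap_page(kvm, &invalid_list)` reads as a stray duplicate unless the reader already knows the loop can exit with pages still prepared; the loop body that fills invalid_list is outside the hunk, so nothing nearby explains it. I would add `/* The loop may exit early if another thread emptied lpage_disallowed_mmu_pages while mmu_lock was dropped; commit whatever is still prepared. */` above the call. The commit is placed before `spin_unlock(&kvm->mmu_lock)`, consistent with the prepare side running under the same lock, so the ordering looks right.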
@@ -38,3 +38,14 @@ selftests-forwarding-add-missing-rp_filter-configuration.patch selftests-rtnetlink-load-fou-module-for-kci_test_encap_fou-test.patch tcp-fix-to-update-snd_wl1-in-bulk-receiver-fast-path.patch icmp-randomize-the-global-rate-limiter.patch +alsa-hda-realtek-the-front-mic-on-a-hp-machine-doesn-t-work.patch +alsa-hda-realtek-set-mic-to-auto-detect-on-a-hp-aio-machine.patch +alsa-hda-realtek-add-mute-led-support-for-hp-elitebook-845-g7.patch +alsa-hda-realtek-enable-audio-jacks-of-asus-d700sa-with-alc887.patch +cifs-remove-bogus-debug-code.patch +cifs-return-the-error-from-crypt_message-when-enc-dec-key-not-found.patch +smb3-resolve-data-corruption-of-tcp-server-info-fields.patch +kvm-nvmx-reset-the-segment-cache-when-stuffing-guest-segs.patch +kvm-nvmx-reload-vmcs01-if-getting-vmcs12-s-pages-fails.patch +kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch +kvm-svm-initialize-prev_ga_tag-before-use.patch diff --git a/queue-5.4/smb3-resolve-data-corruption-of-tcp-server-info-fields.patch b/queue-5.4/smb3-resolve-data-corruption-of-tcp-server-info-fields.patch new file mode 100644 index 00000000000..5db35ba7baf --- /dev/null +++ b/queue-5.4/smb3-resolve-data-corruption-of-tcp-server-info-fields.patch 
@@ -0,0 +1,77 @@ +From 62593011247c8a8cfeb0c86aff84688b196727c2 Mon Sep 17 00:00:00 2001 +From: Rohith Surabattula +Date: Thu, 8 Oct 2020 09:58:41 +0000 +Subject: SMB3: Resolve data corruption of TCP server info fields + +From: Rohith Surabattula + +commit 62593011247c8a8cfeb0c86aff84688b196727c2 upstream. + +TCP server info field server->total_read is modified in parallel by +demultiplex thread and decrypt offload worker thread. server->total_read +is used in calculation to discard the remaining data of PDU which is +not read into memory. + +Because of parallel modification, server->total_read can get corrupted +and can result in discarding the valid data of next PDU. + +Signed-off-by: Rohith Surabattula +Reviewed-by: Aurelien Aptel +Reviewed-by: Pavel Shilovsky +CC: Stable #5.4+ +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3886,7 +3886,8 @@ smb3_is_transform_hdr(void *buf) + static int + decrypt_raw_data(struct TCP_Server_Info *server, char *buf, + unsigned int buf_data_size, struct page **pages, +- unsigned int npages, unsigned int page_data_size) ++ unsigned int npages, unsigned int page_data_size, ++ bool is_offloaded) + { + struct kvec iov[2]; + struct smb_rqst rqst = {NULL}; +@@ -3912,7 +3913,8 @@ decrypt_raw_data(struct TCP_Server_Info + + memmove(buf, iov[1].iov_base, buf_data_size); + +- server->total_read = buf_data_size + page_data_size; ++ if (!is_offloaded) ++ server->total_read = buf_data_size + page_data_size; + + return rc; + } +@@ -4126,7 +4128,7 @@ static void smb2_decrypt_offload(struct + struct mid_q_entry *mid; + + rc = decrypt_raw_data(dw->server, dw->buf, dw->server->vals->read_rsp_size, +- dw->ppages, dw->npages, dw->len); ++ dw->ppages, dw->npages, dw->len, true); + if (rc) { + cifs_dbg(VFS, "error decrypting rc=%d\n", rc); + goto free_pages; +@@ -4232,7 +4234,7 @@ 
receive_encrypted_read(struct TCP_Server + + non_offloaded_decrypt: + rc = decrypt_raw_data(server, buf, server->vals->read_rsp_size, +- pages, npages, len); ++ pages, npages, len, false); + if (rc) + goto free_pages; + +@@ -4288,7 +4290,7 @@ receive_encrypted_standard(struct TCP_Se + server->total_read += length; + + buf_size = pdu_length - sizeof(struct smb2_transform_hdr); +- length = decrypt_raw_data(server, buf, buf_size, NULL, 0, 0); ++ length = decrypt_raw_data(server, buf, buf_size, NULL, 0, 0, false); + if (length) + return length; +
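Review bot: The new `is_offloaded` parameter on decrypt_raw_data is undocumented, and the reason it exists — `server->total_read` belongs to the demultiplex thread and the offload worker must not write it — is stated only in the commit message, so a future caller passing `false` from worker context would quietly reintroduce the race. I would document it at the definition: `/* is_offloaded: true when called from the decrypt offload worker, which must not touch server->total_read (owned by the demultiplex thread). */`. A trailing bool flag is also easy to transpose at call sites; a named enum or two thin wrappers would be more self-describing, though that is a style preference. The call in receive_encrypted_standard sits next to the existing `server->total_read += length;` on the non-offloaded path, so passing `false` there is consistent.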