From: Greg Kroah-Hartman Date: Mon, 2 Sep 2019 20:26:27 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.191~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fdf7c8e5a5cb115c5321fe2d3ce2e4b52a24175b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-hda-fixes-inverted-conexant-gpio-mic-mute-led.patch alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1604.patch alsa-usb-audio-check-mixer-unit-bitmap-yet-more-strictly.patch alsa-usb-audio-fix-invalid-null-check-in-snd_emuusb_set_samplerate.patch kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch mm-zsmalloc.c-fix-build-when-config_compaction-n.patch uprobes-x86-fix-detection-of-32-bit-user-mode.patch x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch --- diff --git a/queue-4.19/alsa-hda-fixes-inverted-conexant-gpio-mic-mute-led.patch b/queue-4.19/alsa-hda-fixes-inverted-conexant-gpio-mic-mute-led.patch new file mode 100644 index 00000000000..2302752fd4f --- /dev/null +++ b/queue-4.19/alsa-hda-fixes-inverted-conexant-gpio-mic-mute-led.patch 
@@ -0,0 +1,75 @@ +From f9ef724d4896763479f3921afd1ee61552fc9836 Mon Sep 17 00:00:00 2001 +From: Jeronimo Borque +Date: Sun, 18 Aug 2019 22:35:38 -0300 +Subject: ALSA: hda - Fixes inverted Conexant GPIO mic mute led + +From: Jeronimo Borque + +commit f9ef724d4896763479f3921afd1ee61552fc9836 upstream. + +"enabled" parameter historically referred to the device input or +output, not to the led indicator. After the changes added with the led +helper functions the mic mute led logic refers to the led and not to +the mic input which caused led indicator to be negated. +Fixing logic in cxt_update_gpio_led and updated +cxt_fixup_gpio_mute_hook +Also updated debug messages to ease further debugging if necessary. + +Fixes: 184e302b46c9 ("ALSA: hda/conexant - Use the mic-mute LED helper") +Suggested-by: Takashi Iwai +Signed-off-by: Jeronimo Borque +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -624,18 +624,20 @@ static void cxt_fixup_hp_gate_mic_jack(s + + /* update LED status via GPIO */ + static void cxt_update_gpio_led(struct hda_codec *codec, unsigned int mask, +- bool enabled) ++ bool led_on) + { + struct conexant_spec *spec = codec->spec; + unsigned int oldval = spec->gpio_led; + + if (spec->mute_led_polarity) +- enabled = !enabled; ++ led_on = !led_on; + +- if (enabled) +- spec->gpio_led &= ~mask; +- else ++ if (led_on) + spec->gpio_led |= mask; ++ else ++ spec->gpio_led &= ~mask; ++ codec_dbg(codec, "mask:%d enabled:%d gpio_led:%d\n", ++ mask, led_on, spec->gpio_led); + if (spec->gpio_led != oldval) + snd_hda_codec_write(codec, 0x01, 0, AC_VERB_SET_GPIO_DATA, + spec->gpio_led); +@@ -646,8 +648,8 @@ static void cxt_fixup_gpio_mute_hook(voi + { + struct hda_codec *codec = private_data; + struct conexant_spec *spec = codec->spec; +- +- 
cxt_update_gpio_led(codec, spec->gpio_mute_led_mask, enabled); ++ /* muted -> LED on */ ++ cxt_update_gpio_led(codec, spec->gpio_mute_led_mask, !enabled); + } + + /* turn on/off mic-mute LED via GPIO per capture hook */ +@@ -669,7 +671,6 @@ static void cxt_fixup_mute_led_gpio(stru + { 0x01, AC_VERB_SET_GPIO_DIRECTION, 0x03 }, + {} + }; +- codec_info(codec, "action: %d gpio_led: %d\n", action, spec->gpio_led); + + if (action == HDA_FIXUP_ACT_PRE_PROBE) { + spec->gen.vmaster_mute.hook = cxt_fixup_gpio_mute_hook; diff --git a/queue-4.19/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch b/queue-4.19/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch new file mode 100644 index 00000000000..a92272ea2ac --- /dev/null +++ b/queue-4.19/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch 
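Review bot: The `codec_dbg()` line added to cxt_update_gpio_led still labels its second value `enabled:` even though the parameter it prints was just renamed to `led_on`, so the debug output now contradicts the code it was added to explain; `mask` and `spec->gpio_led` are GPIO bitmasks and read more naturally in hex. Suggest `codec_dbg(codec, "mask:%#x led_on:%d gpio_led:%#x\n", mask, led_on, spec->gpio_led);`. The other two hunks (cxt_fixup_gpio_mute_hook, cxt_fixup_mute_led_gpio) are not affected; both of those functions start or end outside their hunks.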
@@ -0,0 +1,57 @@ +From 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 21 Aug 2019 20:00:02 +0200 +Subject: ALSA: line6: Fix memory leak at line6_init_pcm() error path + +From: Takashi Iwai + +commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream. + +I forgot to release the allocated object at the early error path in +line6_init_pcm(). For addressing it, slightly shuffle the code so +that the PCM destructor (pcm->private_free) is assigned properly +before all error paths. + +Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/line6/pcm.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/sound/usb/line6/pcm.c ++++ b/sound/usb/line6/pcm.c +@@ -554,6 +554,15 @@ int line6_init_pcm(struct usb_line6 *lin + line6pcm->volume_monitor = 255; + line6pcm->line6 = line6; + ++ spin_lock_init(&line6pcm->out.lock); ++ spin_lock_init(&line6pcm->in.lock); ++ line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD; ++ ++ line6->line6pcm = line6pcm; ++ ++ pcm->private_data = line6pcm; ++ pcm->private_free = line6_cleanup_pcm; ++ + line6pcm->max_packet_size_in = + usb_maxpacket(line6->usbdev, + usb_rcvisocpipe(line6->usbdev, ep_read), 0); +@@ -566,15 +575,6 @@ int line6_init_pcm(struct usb_line6 *lin + return -EINVAL; + } + +- spin_lock_init(&line6pcm->out.lock); +- spin_lock_init(&line6pcm->in.lock); +- line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD; +- +- line6->line6pcm = line6pcm; +- +- pcm->private_data = line6pcm; +- pcm->private_free = line6_cleanup_pcm; +- + err = line6_create_audio_out_urbs(line6pcm); + if (err < 0) + return err; diff --git a/queue-4.19/alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch b/queue-4.19/alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch new file mode 100644 index 00000000000..f30e2903b36 --- /dev/null 
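Review bot: After the reorder, `line6->line6pcm = line6pcm;` and `pcm->private_free = line6_cleanup_pcm;` are both set before the max-packet-size validation, so on the `return -EINVAL;` path the object is now owned by the PCM destructor while the driver still holds a pointer to it in `line6->line6pcm`. Whether the caller tears the PCM down on that failure, and whether line6_cleanup_pcm clears the back-pointer, is outside this hunk, so this needs confirming to rule out a dangling reference on that error path. If the destructor does not clear it, `line6->line6pcm = NULL;` immediately before `return -EINVAL;` closes the window. line6_init_pcm starts before the first hunk and continues after the second.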
+++ b/queue-4.19/alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch 
@@ -0,0 +1,70 @@ +From 75545304eba6a3d282f923b96a466dc25a81e359 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 25 Aug 2019 09:21:44 +0200 +Subject: ALSA: seq: Fix potential concurrent access to the deleted pool + +From: Takashi Iwai + +commit 75545304eba6a3d282f923b96a466dc25a81e359 upstream. + +The input pool of a client might be deleted via the resize ioctl, the +the access to it should be covered by the proper locks. Currently the +only missing place is the call in snd_seq_ioctl_get_client_pool(), and +this patch papers over it. + +Reported-by: syzbot+4a75454b9ca2777f35c7@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 3 +-- + sound/core/seq/seq_fifo.c | 17 +++++++++++++++++ + sound/core/seq/seq_fifo.h | 2 ++ + 3 files changed, 20 insertions(+), 2 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1818,8 +1818,7 @@ static int snd_seq_ioctl_get_client_pool + if (cptr->type == USER_CLIENT) { + info->input_pool = cptr->data.user.fifo_pool_size; + info->input_free = info->input_pool; +- if (cptr->data.user.fifo) +- info->input_free = snd_seq_unused_cells(cptr->data.user.fifo->pool); ++ info->input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo); + } else { + info->input_pool = 0; + info->input_free = 0; +--- a/sound/core/seq/seq_fifo.c ++++ b/sound/core/seq/seq_fifo.c +@@ -280,3 +280,20 @@ int snd_seq_fifo_resize(struct snd_seq_f + + return 0; + } ++ ++/* get the number of unused cells safely */ ++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f) ++{ ++ unsigned long flags; ++ int cells; ++ ++ if (!f) ++ return 0; ++ ++ snd_use_lock_use(&f->use_lock); ++ spin_lock_irqsave(&f->lock, flags); ++ cells = snd_seq_unused_cells(f->pool); ++ spin_unlock_irqrestore(&f->lock, flags); ++ snd_use_lock_free(&f->use_lock); ++ return cells; ++} +--- a/sound/core/seq/seq_fifo.h ++++ b/sound/core/seq/seq_fifo.h +@@ -68,5 +68,7 @@ 
int snd_seq_fifo_poll_wait(struct snd_se + /* resize pool in fifo */ + int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize); + ++/* get the number of unused cells safely */ ++int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f); + + #endif diff --git a/queue-4.19/alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1604.patch b/queue-4.19/alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1604.patch new file mode 100644 index 00000000000..6c43f40470f --- /dev/null +++ b/queue-4.19/alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1604.patch @@ -0,0 +1,31 @@ +From 1a15718b41df026cffd0e42cfdc38a1384ce19f9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 20 Aug 2019 08:58:12 +0200 +Subject: ALSA: usb-audio: Add implicit fb quirk for Behringer UFX1604 + +From: Takashi Iwai + +commit 1a15718b41df026cffd0e42cfdc38a1384ce19f9 upstream. + +Behringer UFX1604 requires the similar quirk to apply implicit fb like +another Behringer model UFX1204 in order to fix the noisy playback. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204631 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/pcm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -350,6 +350,7 @@ static int set_sync_ep_implicit_fb_quirk + ep = 0x81; + ifnum = 2; + goto add_sync_ep_from_ifnum; ++ case USB_ID(0x1397, 0x0001): /* Behringer UFX1604 */ + case USB_ID(0x1397, 0x0002): /* Behringer UFX1204 */ + ep = 0x81; + ifnum = 1; diff --git a/queue-4.19/alsa-usb-audio-check-mixer-unit-bitmap-yet-more-strictly.patch b/queue-4.19/alsa-usb-audio-check-mixer-unit-bitmap-yet-more-strictly.patch new file mode 100644 index 00000000000..b76095c9a26 --- /dev/null +++ b/queue-4.19/alsa-usb-audio-check-mixer-unit-bitmap-yet-more-strictly.patch 
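Review bot: In the seq_clientmgr.c hunk the context line `info->input_free = info->input_pool;` is now dead, because the new `snd_seq_fifo_unused_cells()` call on the next line overwrites it unconditionally. That also changes what a user client without a fifo reports: the old code left `input_free` equal to `input_pool`, while the new helper returns 0 for a NULL fifo. If the old reporting is wanted, keep the NULL test at the call site, `if (cptr->data.user.fifo) info->input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo);`; otherwise drop the dead assignment so the intent is visible. snd_seq_ioctl_get_client_pool starts before this hunk.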
@@ -0,0 +1,96 @@ +From f9f0e9ed350e15d51ad07364b4cf910de50c472a Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 20 Aug 2019 21:43:42 +0200 +Subject: ALSA: usb-audio: Check mixer unit bitmap yet more strictly + +From: Takashi Iwai + +commit f9f0e9ed350e15d51ad07364b4cf910de50c472a upstream. + +The bmControls (for UAC1) or bmMixerControls (for UAC2/3) bitmap has a +variable size depending on both input and output pins. Its size is to +fit with input * output bits. The problem is that the input size +can't be determined simply from the unit descriptor itself but it +needs to parse the whole connected sources. Although the +uac_mixer_unit_get_channels() tries to check some possible overflow of +this bitmap, it's incomplete due to the lack of the evaluation of +input pins. + +For covering possible overflows, this patch adds the bitmap overflow +check in the loop of input pins in parse_audio_mixer_unit(). + +Fixes: 0bfe5e434e66 ("ALSA: usb-audio: Check mixer unit descriptors more strictly") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 36 ++++++++++++++++++++++++++++-------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -754,7 +754,6 @@ static int uac_mixer_unit_get_channels(s + struct uac_mixer_unit_descriptor *desc) + { + int mu_channels; +- void *c; + + if (desc->bLength < sizeof(*desc)) + return -EINVAL; +@@ -777,13 +776,6 @@ static int uac_mixer_unit_get_channels(s + break; + } + +- if (!mu_channels) +- return 0; +- +- c = uac_mixer_unit_bmControls(desc, state->mixer->protocol); +- if (c - (void *)desc + (mu_channels - 1) / 8 >= desc->bLength) +- return 0; /* no bmControls -> skip */ +- + return mu_channels; + } + +@@ -2028,6 +2020,31 @@ static int parse_audio_feature_unit(stru + * Mixer Unit + */ + ++/* check whether the given in/out overflows bmMixerControls matrix */ ++static bool mixer_bitmap_overflow(struct uac_mixer_unit_descriptor *desc, 
++ int protocol, int num_ins, int num_outs) ++{ ++ u8 *hdr = (u8 *)desc; ++ u8 *c = uac_mixer_unit_bmControls(desc, protocol); ++ size_t rest; /* remaining bytes after bmMixerControls */ ++ ++ switch (protocol) { ++ case UAC_VERSION_1: ++ default: ++ rest = 1; /* iMixer */ ++ break; ++ case UAC_VERSION_2: ++ rest = 2; /* bmControls + iMixer */ ++ break; ++ case UAC_VERSION_3: ++ rest = 6; /* bmControls + wMixerDescrStr */ ++ break; ++ } ++ ++ /* overflow? */ ++ return c + (num_ins * num_outs + 7) / 8 + rest > hdr + hdr[0]; ++} ++ + /* + * build a mixer unit control + * +@@ -2156,6 +2173,9 @@ static int parse_audio_mixer_unit(struct + if (err < 0) + return err; + num_ins += iterm.channels; ++ if (mixer_bitmap_overflow(desc, state->mixer->protocol, ++ num_ins, num_outs)) ++ break; + for (; ich < num_ins; ich++) { + int och, ich_has_controls = 0; + diff --git a/queue-4.19/alsa-usb-audio-fix-invalid-null-check-in-snd_emuusb_set_samplerate.patch b/queue-4.19/alsa-usb-audio-fix-invalid-null-check-in-snd_emuusb_set_samplerate.patch new file mode 100644 index 00000000000..ce08d7b7bd0 --- /dev/null +++ b/queue-4.19/alsa-usb-audio-fix-invalid-null-check-in-snd_emuusb_set_samplerate.patch 
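Review bot: `mixer_bitmap_overflow()` decides the overflow with a pointer comparison, `c + (num_ins * num_outs + 7) / 8 + rest > hdr + hdr[0]`, which forms a pointer past the descriptor's end in exactly the case the check exists to catch; comparing byte counts avoids that and reads as the size check it is: `return (size_t)(c - hdr) + (num_ins * num_outs + 7) / 8 + rest > hdr[0];`. All of these values come from device-supplied descriptors, which is why the check matters. The call site in parse_audio_mixer_unit `break`s out of the input-pin loop on overflow rather than returning an error, so a malformed unit is parsed with a truncated matrix instead of being rejected; confirm that is intended, and if so a one-line comment at the `break` saying so would help. parse_audio_mixer_unit starts before and continues after that hunk.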
@@ -0,0 +1,53 @@ +From 6de3c9e3f6b3eaf66859e1379b3f35dda781416b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 15 Aug 2019 11:41:06 +0200 +Subject: ALSA: usb-audio: Fix invalid NULL check in snd_emuusb_set_samplerate() + +From: Takashi Iwai + +commit 6de3c9e3f6b3eaf66859e1379b3f35dda781416b upstream. + +The quirk function snd_emuusb_set_samplerate() has a NULL check for +the mixer element, but this is useless in the current code. It used +to be a check against mixer->id_elems[unitid] but it was changed later +to the value after mixer_eleme_list_to_info() which is always non-NULL +due to the container_of() usage. + +This patch fixes the check before the conversion. + +While we're at it, correct a typo in the comment in the function, +too. + +Fixes: 8c558076c740 ("ALSA: usb-audio: Clean up mixer element list traverse") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer_quirks.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1167,17 +1167,17 @@ void snd_emuusb_set_samplerate(struct sn + { + struct usb_mixer_interface *mixer; + struct usb_mixer_elem_info *cval; +- int unitid = 12; /* SamleRate ExtensionUnit ID */ ++ int unitid = 12; /* SampleRate ExtensionUnit ID */ + + list_for_each_entry(mixer, &chip->mixer_list, list) { +- cval = mixer_elem_list_to_info(mixer->id_elems[unitid]); +- if (cval) { ++ if (mixer->id_elems[unitid]) { ++ cval = mixer_elem_list_to_info(mixer->id_elems[unitid]); + snd_usb_mixer_set_ctl_value(cval, UAC_SET_CUR, + cval->control << 8, + samplerate_id); + snd_usb_mixer_notify_id(mixer, unitid); ++ break; + } +- break; + } + } + diff --git a/queue-4.19/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch b/queue-4.19/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch new file mode 100644 index 00000000000..86c348b9622 --- /dev/null 
+++ b/queue-4.19/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch 
@@ -0,0 +1,57 @@ +From 75ee23b30dc712d80d2421a9a547e7ab6e379b44 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 23 Aug 2019 13:55:44 -0700 +Subject: KVM: x86: Don't update RIP or do single-step on faulting emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 75ee23b30dc712d80d2421a9a547e7ab6e379b44 upstream. + +Don't advance RIP or inject a single-step #DB if emulation signals a +fault. This logic applies to all state updates that are conditional on +clean retirement of the emulation instruction, e.g. updating RFLAGS was +previously handled by commit 38827dbd3fb85 ("KVM: x86: Do not update +EFLAGS on faulting emulation"). + +Not advancing RIP is likely a nop, i.e. ctxt->eip isn't updated with +ctxt->_eip until emulation "retires" anyways. Skipping #DB injection +fixes a bug reported by Andy Lutomirski where a #UD on SYSCALL due to +invalid state with EFLAGS.TF=1 would loop indefinitely due to emulation +overwriting the #UD with #DB and thus restarting the bad SYSCALL over +and over. 
+ +Cc: Nadav Amit +Cc: stable@vger.kernel.org +Reported-by: Andy Lutomirski +Fixes: 663f4c61b803 ("KVM: x86: handle singlestep during emulation") +Signed-off-by: Sean Christopherson +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6308,12 +6308,13 @@ restart: + unsigned long rflags = kvm_x86_ops->get_rflags(vcpu); + toggle_interruptibility(vcpu, ctxt->interruptibility); + vcpu->arch.emulate_regs_need_sync_to_vcpu = false; +- kvm_rip_write(vcpu, ctxt->eip); +- if (r == EMULATE_DONE && ctxt->tf) +- kvm_vcpu_do_singlestep(vcpu, &r); + if (!ctxt->have_exception || +- exception_type(ctxt->exception.vector) == EXCPT_TRAP) ++ exception_type(ctxt->exception.vector) == EXCPT_TRAP) { ++ kvm_rip_write(vcpu, ctxt->eip); ++ if (r == EMULATE_DONE && ctxt->tf) ++ kvm_vcpu_do_singlestep(vcpu, &r); + __kvm_set_rflags(vcpu, ctxt->eflags); ++ } + + /* + * For STI, interrupts are shadowed; so KVM_REQ_EVENT will diff --git a/queue-4.19/kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch b/queue-4.19/kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch new file mode 100644 index 00000000000..52c2dab1f73 --- /dev/null +++ b/queue-4.19/kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch 
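Review bot: The new brace block gates three retirement steps (the RIP write, the TF single-step injection and the RFLAGS update) on a condition that the code does not explain; the reasoning lives only in the changelog. A comment above the `if` would save the next reader a blame: `/* Only retire the instruction (advance RIP, inject #DB for TF, update RFLAGS) if emulation did not fault; a faulting instruction is restarted as-is. */`. The function containing the `restart:` label starts before and continues after this hunk.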
@@ -0,0 +1,53 @@ +From b14c876b994f208b6b95c222056e1deb0a45de0e Mon Sep 17 00:00:00 2001 +From: Radim Krcmar +Date: Tue, 13 Aug 2019 23:37:37 -0400 +Subject: kvm: x86: skip populating logical dest map if apic is not sw enabled + +From: Radim Krcmar + +commit b14c876b994f208b6b95c222056e1deb0a45de0e upstream. + +recalculate_apic_map does not santize ldr and it's possible that +multiple bits are set. In that case, a previous valid entry +can potentially be overwritten by an invalid one. + +This condition is hit when booting a 32 bit, >8 CPU, RHEL6 guest and then +triggering a crash to boot a kdump kernel. This is the sequence of +events: +1. Linux boots in bigsmp mode and enables PhysFlat, however, it still +writes to the LDR which probably will never be used. +2. However, when booting into kdump, the stale LDR values remain as +they are not cleared by the guest and there isn't a apic reset. +3. kdump boots with 1 cpu, and uses Logical Destination Mode but the +logical map has been overwritten and points to an inactive vcpu. + +Signed-off-by: Radim Krcmar +Signed-off-by: Bandan Das +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -209,6 +209,9 @@ static void recalculate_apic_map(struct + if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id]) + new->phys_map[xapic_id] = apic; + ++ if (!kvm_apic_sw_enabled(apic)) ++ continue; ++ + ldr = kvm_lapic_get_reg(apic, APIC_LDR); + + if (apic_x2apic_mode(apic)) { +@@ -252,6 +255,8 @@ static inline void apic_set_spiv(struct + recalculate_apic_map(apic->vcpu->kvm); + } else + static_key_slow_inc(&apic_sw_disabled.key); ++ ++ recalculate_apic_map(apic->vcpu->kvm); + } + } + diff --git a/queue-4.19/mm-zsmalloc.c-fix-build-when-config_compaction-n.patch b/queue-4.19/mm-zsmalloc.c-fix-build-when-config_compaction-n.patch new file mode 100644 index 00000000000..fff5a5840be 
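Review bot: In the apic_set_spiv hunk the unconditional `recalculate_apic_map(apic->vcpu->kvm);` added after the if/else duplicates the call that the context line shows is still made inside the enabled branch, so enabling the APIC now recomputes the map twice. Drop the `recalculate_apic_map()` call inside the branch and keep only the single one after the if/else, which is what the change wants on both paths. apic_set_spiv starts before this hunk, so the start of the branch is not visible here.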
--- /dev/null
+++ b/queue-4.19/mm-zsmalloc.c-fix-build-when-config_compaction-n.patch
@@ -0,0 +1,37 @@
+From 441e254cd40dc03beec3c650ce6ce6074bc6517f Mon Sep 17 00:00:00 2001
+From: Andrew Morton
+Date: Fri, 30 Aug 2019 16:04:35 -0700
+Subject: mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n
+
+From: Andrew Morton
+
+commit 441e254cd40dc03beec3c650ce6ce6074bc6517f upstream.
+
+Fixes: 701d678599d0c1 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool")
+Link: http://lkml.kernel.org/r/201908251039.5oSbEEUT%25lkp@intel.com
+Reported-by: kbuild test robot
+Cc: Sergey Senozhatsky
+Cc: Henry Burns
+Cc: Minchan Kim
+Cc: Shakeel Butt
+Cc: Jonathan Adams
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/zsmalloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -2432,7 +2432,9 @@ struct zs_pool *zs_create_pool(const cha
+ if (!pool->name)
+ goto err;
+ 
++#ifdef CONFIG_COMPACTION
+ init_waitqueue_head(&pool->migration_wait);
++#endif
+ 
+ if (create_cache(pool))
+ goto err;
diff --git a/queue-4.19/series b/queue-4.19/series
index 947c5b4adf6..ded2b0df7d7 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
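Review bot: The `#ifdef CONFIG_COMPACTION` wrapped around a single statement in the middle of zs_create_pool() is the pattern the kernel coding style asks to keep out of function bodies; the usual form is a helper that is a no-op when the option is off, defined alongside the file's other CONFIG_COMPACTION-only code (outside this hunk, so I am assuming such a section exists), leaving the call site unconditional. zs_create_pool starts before and continues after the hunk.
```c
#ifdef CONFIG_COMPACTION
static inline void init_migration_wait(struct zs_pool *pool)
{
	init_waitqueue_head(&pool->migration_wait);
}
#else
static inline void init_migration_wait(struct zs_pool *pool) { }
#endif

/* … in zs_create_pool(), unchanged: name allocation and its error check … */
	init_migration_wait(pool);
```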
@@ -36,3 +36,15 @@ ipv6-default-fib6_type-to-rtn_unicast-when-not-set.patch
 net-smc-make-sure-epollout-is-raised.patch
 tcp-make-sure-epollout-wont-be-missed.patch
 ipv4-icmp-fix-rt-dst-dev-null-pointer-dereference.patch
+mm-zsmalloc.c-fix-build-when-config_compaction-n.patch
+alsa-usb-audio-check-mixer-unit-bitmap-yet-more-strictly.patch
+alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch
+alsa-hda-fixes-inverted-conexant-gpio-mic-mute-led.patch
+alsa-seq-fix-potential-concurrent-access-to-the-deleted-pool.patch
+alsa-usb-audio-fix-invalid-null-check-in-snd_emuusb_set_samplerate.patch
+alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1604.patch
+kvm-x86-skip-populating-logical-dest-map-if-apic-is-not-sw-enabled.patch
+kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation.patch
+uprobes-x86-fix-detection-of-32-bit-user-mode.patch
+x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch
+x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch
diff --git a/queue-4.19/uprobes-x86-fix-detection-of-32-bit-user-mode.patch b/queue-4.19/uprobes-x86-fix-detection-of-32-bit-user-mode.patch
new file mode 100644
index 00000000000..1ba4c9d1e28
--- /dev/null
+++ b/queue-4.19/uprobes-x86-fix-detection-of-32-bit-user-mode.patch
@@ -0,0 +1,128 @@ +From 9212ec7d8357ea630031e89d0d399c761421c83b Mon Sep 17 00:00:00 2001 +From: Sebastian Mayr +Date: Sun, 28 Jul 2019 17:26:17 +0200 +Subject: uprobes/x86: Fix detection of 32-bit user mode + +From: Sebastian Mayr + +commit 9212ec7d8357ea630031e89d0d399c761421c83b upstream. + +32-bit processes running on a 64-bit kernel are not always detected +correctly, causing the process to crash when uretprobes are installed. + +The reason for the crash is that in_ia32_syscall() is used to determine the +process's mode, which only works correctly when called from a syscall. + +In the case of uretprobes, however, the function is called from a exception +and always returns 'false' on a 64-bit kernel. In consequence this leads to +corruption of the process's return address. + +Fix this by using user_64bit_mode() instead of in_ia32_syscall(), which +is correct in any situation. + +[ tglx: Add a comment and the following historical info ] + +This should have been detected by the rename which happened in commit + + abfb9498ee13 ("x86/entry: Rename is_{ia32,x32}_task() to in_{ia32,x32}_syscall()") + +which states in the changelog: + + The is_ia32_task()/is_x32_task() function names are a big misnomer: they + suggests that the compat-ness of a system call is a task property, which + is not true, the compatness of a system call purely depends on how it + was invoked through the system call layer. + ..... + +and then it went and blindly renamed every call site. + +Sadly enough this was already mentioned here: + + 8faaed1b9f50 ("uprobes/x86: Introduce sizeof_long(), cleanup adjust_ret_addr() and +arch_uretprobe_hijack_return_addr()") + +where the changelog says: + + TODO: is_ia32_task() is not what we actually want, TS_COMPAT does + not necessarily mean 32bit. Fortunately syscall-like insns can't be + probed so it actually works, but it would be better to rename and + use is_ia32_frame(). 
+ +and goes all the way back to: + + 0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions") + +Oh well. 7+ years until someone actually tried a uretprobe on a 32bit +process on a 64bit kernel.... + +Fixes: 0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions") +Signed-off-by: Sebastian Mayr +Signed-off-by: Thomas Gleixner +Cc: Masami Hiramatsu +Cc: Dmitry Safonov +Cc: Oleg Nesterov +Cc: Srikar Dronamraju +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190728152617.7308-1-me@sam.st +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/uprobes.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -521,9 +521,12 @@ struct uprobe_xol_ops { + void (*abort)(struct arch_uprobe *, struct pt_regs *); + }; + +-static inline int sizeof_long(void) ++static inline int sizeof_long(struct pt_regs *regs) + { +- return in_ia32_syscall() ? 4 : 8; ++ /* ++ * Check registers for mode as in_xxx_syscall() does not apply here. ++ */ ++ return user_64bit_mode(regs) ? 
8 : 4; + } + + static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs) +@@ -534,9 +537,9 @@ static int default_pre_xol_op(struct arc + + static int emulate_push_stack(struct pt_regs *regs, unsigned long val) + { +- unsigned long new_sp = regs->sp - sizeof_long(); ++ unsigned long new_sp = regs->sp - sizeof_long(regs); + +- if (copy_to_user((void __user *)new_sp, &val, sizeof_long())) ++ if (copy_to_user((void __user *)new_sp, &val, sizeof_long(regs))) + return -EFAULT; + + regs->sp = new_sp; +@@ -569,7 +572,7 @@ static int default_post_xol_op(struct ar + long correction = utask->vaddr - utask->xol_vaddr; + regs->ip += correction; + } else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) { +- regs->sp += sizeof_long(); /* Pop incorrect return address */ ++ regs->sp += sizeof_long(regs); /* Pop incorrect return address */ + if (emulate_push_stack(regs, utask->vaddr + auprobe->defparam.ilen)) + return -ERESTART; + } +@@ -688,7 +691,7 @@ static int branch_post_xol_op(struct arc + * "call" insn was executed out-of-line. Just restore ->sp and restart. + * We could also restore ->ip and try to call branch_emulate_op() again. + */ +- regs->sp += sizeof_long(); ++ regs->sp += sizeof_long(regs); + return -ERESTART; + } + +@@ -1068,7 +1071,7 @@ bool arch_uprobe_skip_sstep(struct arch_ + unsigned long + arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs) + { +- int rasize = sizeof_long(), nleft; ++ int rasize = sizeof_long(regs), nleft; + unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */ + + if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize)) diff --git a/queue-4.19/x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch b/queue-4.19/x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch new file mode 100644 index 00000000000..474e206901a --- /dev/null +++ b/queue-4.19/x86-apic-do-not-initialize-ldr-and-dfr-for-bigsmp.patch 
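Review bot: The comment added to sizeof_long() says in_xxx_syscall() "does not apply here" without saying why, and that reason is the entire fix and the thing the next reader needs before "simplifying" it back. Following the changelog, suggest `/* in_ia32_syscall() keys off TS_COMPAT, which only reflects a syscall in progress; uprobes run from exceptions, so derive the mode from the saved registers via user_64bit_mode(). */` in place of the current text. The remaining hunks only thread `regs` through to the callers and need nothing further; each of those functions starts or ends outside its hunk.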
@@ -0,0 +1,83 @@ +From bae3a8d3308ee69a7dbdf145911b18dfda8ade0d Mon Sep 17 00:00:00 2001 +From: Bandan Das +Date: Mon, 26 Aug 2019 06:15:12 -0400 +Subject: x86/apic: Do not initialize LDR and DFR for bigsmp + +From: Bandan Das + +commit bae3a8d3308ee69a7dbdf145911b18dfda8ade0d upstream. + +Legacy apic init uses bigsmp for smp systems with 8 and more CPUs. The +bigsmp APIC implementation uses physical destination mode, but it +nevertheless initializes LDR and DFR. The LDR even ends up incorrectly with +multiple bit being set. + +This does not cause a functional problem because LDR and DFR are ignored +when physical destination mode is active, but it triggered a problem on a +32-bit KVM guest which jumps into a kdump kernel. + +The multiple bits set unearthed a bug in the KVM APIC implementation. The +code which creates the logical destination map for VCPUs ignores the +disabled state of the APIC and ends up overwriting an existing valid entry +and as a result, APIC calibration hangs in the guest during kdump +initialization. + +Remove the bogus LDR/DFR initialization. + +This is not intended to work around the KVM APIC bug. The LDR/DFR +ininitalization is wrong on its own. + +The issue goes back into the pre git history. The fixes tag is the commit +in the bitkeeper import which introduced bigsmp support in 2003. 
+ + git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git + +Fixes: db7b9e9f26b8 ("[PATCH] Clustered APIC setup for >8 CPU systems") +Suggested-by: Thomas Gleixner +Signed-off-by: Bandan Das +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190826101513.5080-2-bsd@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/bigsmp_32.c | 24 ++---------------------- + 1 file changed, 2 insertions(+), 22 deletions(-) + +--- a/arch/x86/kernel/apic/bigsmp_32.c ++++ b/arch/x86/kernel/apic/bigsmp_32.c +@@ -38,32 +38,12 @@ static int bigsmp_early_logical_apicid(i + return early_per_cpu(x86_cpu_to_apicid, cpu); + } + +-static inline unsigned long calculate_ldr(int cpu) +-{ +- unsigned long val, id; +- +- val = apic_read(APIC_LDR) & ~APIC_LDR_MASK; +- id = per_cpu(x86_bios_cpu_apicid, cpu); +- val |= SET_APIC_LOGICAL_ID(id); +- +- return val; +-} +- + /* +- * Set up the logical destination ID. +- * +- * Intel recommends to set DFR, LDR and TPR before enabling +- * an APIC. See e.g. "AP-388 82489DX User's Manual" (Intel +- * document number 292116). So here it goes... ++ * bigsmp enables physical destination mode ++ * and doesn't use LDR and DFR + */ + static void bigsmp_init_apic_ldr(void) + { +- unsigned long val; +- int cpu = smp_processor_id(); +- +- apic_write(APIC_DFR, APIC_DFR_FLAT); +- val = calculate_ldr(cpu); +- apic_write(APIC_LDR, val); + } + + static void bigsmp_setup_apic_routing(void) diff --git a/queue-4.19/x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch b/queue-4.19/x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch new file mode 100644 index 00000000000..5b3213bb65b --- /dev/null +++ b/queue-4.19/x86-apic-include-the-ldr-when-clearing-out-apic-registers.patch 
@@ -0,0 +1,49 @@
+From 558682b5291937a70748d36fd9ba757fb25b99ae Mon Sep 17 00:00:00 2001
+From: Bandan Das
+Date: Mon, 26 Aug 2019 06:15:13 -0400
+Subject: x86/apic: Include the LDR when clearing out APIC registers
+
+From: Bandan Das
+
+commit 558682b5291937a70748d36fd9ba757fb25b99ae upstream.
+
+Although APIC initialization will typically clear out the LDR before
+setting it, the APIC cleanup code should reset the LDR.
+
+This was discovered with a 32-bit KVM guest jumping into a kdump
+kernel. The stale bits in the LDR triggered a bug in the KVM APIC
+implementation which caused the destination mapping for VCPUs to be
+corrupted.
+
+Note that this isn't intended to paper over the KVM APIC bug. The kernel
+has to clear the LDR when resetting the APIC registers except when X2APIC
+is enabled.
+
+This lacks a Fixes tag because missing to clear LDR goes way back into pre
+git history.
+
+[ tglx: Made x2apic_enabled a function call as required ]
+
+Signed-off-by: Bandan Das
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190826101513.5080-3-bsd@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/apic.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1140,6 +1140,10 @@ void clear_local_APIC(void)
+ apic_write(APIC_LVT0, v | APIC_LVT_MASKED);
+ v = apic_read(APIC_LVT1);
+ apic_write(APIC_LVT1, v | APIC_LVT_MASKED);
++ if (!x2apic_enabled()) {
++ v = apic_read(APIC_LDR) & ~APIC_LDR_MASK;
++ apic_write(APIC_LDR, v);
++ }
+ if (maxlvt >= 4) {
+ v = apic_read(APIC_LVTPC);
+ apic_write(APIC_LVTPC, v | APIC_LVT_MASKED);
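Review bot: The new `if (!x2apic_enabled())` guard around the LDR clear carries no comment, and neither the code nor the changelog says why x2APIC is excluded; presumably because the LDR is read-only in x2APIC mode, but that belongs next to the check. Suggest `/* LDR is read-only in x2APIC mode; only xAPIC needs it cleared here. */` above the `if`. The write also preserves the bits below APIC_LDR_MASK rather than storing 0; if that is deliberate, a few words on which bits are kept and why would stop someone "fixing" it later. clear_local_APIC starts before and continues after the hunk.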