From 0d62fe57a8afc269608952e0efd96e81652b84c5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Jul 2019 18:30:08 +0200 Subject: [PATCH] 4.19-stable patches added patches: alsa-ac97-fix-double-free-of-ac97_codec_device.patch alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch binder-prevent-transactions-to-context-manager-from-its-own-process.patch fpga-manager-altera-ps-spi-fix-build-error.patch hpet-fix-division-by-zero-in-hpet_time_div.patch mei-me-add-mule-creek-canyon-ehl-device-ids.patch powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch --- ...fix-double-free-of-ac97_codec_device.patch | 47 +++++++ ...ant-codec-entry-to-let-mute-led-work.patch | 34 +++++ ...rong-altsetting-for-line6_podhd500_1.patch | 36 ++++++ ...context-manager-from-its-own-process.patch | 37 ++++++ ...anager-altera-ps-spi-fix-build-error.patch | 39 ++++++ ...ix-division-by-zero-in-hpet_time_div.patch | 67 ++++++++++ ...add-mule-creek-canyon-ehl-device-ids.patch | 46 +++++++ ...s-on-sigreturn-on-systems-without-tm.patch | 91 ++++++++++++++ ...ondition-in-xive_find_target_in_mask.patch | 119 ++++++++++++++++++ queue-4.19/series | 9 ++ 10 files changed, 525 insertions(+) create mode 100644 queue-4.19/alsa-ac97-fix-double-free-of-ac97_codec_device.patch create mode 100644 queue-4.19/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch create mode 100644 queue-4.19/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch create mode 100644 queue-4.19/binder-prevent-transactions-to-context-manager-from-its-own-process.patch create mode 100644 queue-4.19/fpga-manager-altera-ps-spi-fix-build-error.patch create mode 100644 queue-4.19/hpet-fix-division-by-zero-in-hpet_time_div.patch create mode 100644 queue-4.19/mei-me-add-mule-creek-canyon-ehl-device-ids.patch create mode 100644 queue-4.19/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch create mode 100644 queue-4.19/powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch diff --git a/queue-4.19/alsa-ac97-fix-double-free-of-ac97_codec_device.patch b/queue-4.19/alsa-ac97-fix-double-free-of-ac97_codec_device.patch new file mode 100644 index 00000000000..3c23f3194be --- /dev/null +++ b/queue-4.19/alsa-ac97-fix-double-free-of-ac97_codec_device.patch @@ -0,0 +1,47 @@ +From 607975b30db41aad6edc846ed567191aa6b7d893 Mon Sep 17 00:00:00 2001 +From: Ding Xiang +Date: Tue, 23 Jul 2019 15:44:41 +0800 +Subject: ALSA: ac97: Fix double free of ac97_codec_device + +From: Ding Xiang + +commit 607975b30db41aad6edc846ed567191aa6b7d893 upstream. + +put_device will call ac97_codec_release to free +ac97_codec_device and other resources, so remove the kfree +and other redundant code. + +Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus") +Signed-off-by: Ding Xiang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/ac97/bus.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/sound/ac97/bus.c ++++ b/sound/ac97/bus.c +@@ -125,17 +125,12 @@ static int ac97_codec_add(struct ac97_co + vendor_id); + + ret = device_add(&codec->dev); +- if (ret) +- goto err_free_codec; ++ if (ret) { ++ put_device(&codec->dev); ++ return ret; ++ } + + return 0; +-err_free_codec: +- of_node_put(codec->dev.of_node); +- put_device(&codec->dev); +- kfree(codec); +- ac97_ctrl->codecs[idx] = NULL; +- +- return ret; + } + + unsigned int snd_ac97_bus_scan_one(struct ac97_controller *adrv, diff --git a/queue-4.19/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch b/queue-4.19/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch new file mode 100644 index 00000000000..11c2645d375 --- /dev/null +++ b/queue-4.19/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch @@ -0,0 +1,34 @@ +From 3f8809499bf02ef7874254c5e23fc764a47a21a0 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Thu, 25 Jul 2019 14:57:37 +0800 +Subject: ALSA: hda - Add a conexant codec entry to let mute led work + +From: Hui Wang + +commit 3f8809499bf02ef7874254c5e23fc764a47a21a0 upstream. + +This conexant codec isn't in the supported codec list yet, the hda +generic driver can drive this codec well, but on a Lenovo machine +with mute/mic-mute leds, we need to apply CXT_FIXUP_THINKPAD_ACPI +to make the leds work. After adding this codec to the list, the +driver patch_conexant.c will apply THINKPAD_ACPI to this machine. + +Cc: stable@vger.kernel.org +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -1096,6 +1096,7 @@ static int patch_conexant_auto(struct hd + */ + + static const struct hda_device_id snd_hda_id_conexant[] = { ++ HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto), + HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto), diff --git a/queue-4.19/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch b/queue-4.19/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch new file mode 100644 index 00000000000..828798202c5 --- /dev/null +++ b/queue-4.19/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch @@ -0,0 +1,36 @@ +From 70256b42caaf3e13c2932c2be7903a73fbe8bb8b Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Thu, 18 Jul 2019 17:53:13 +0800 +Subject: ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1 + +From: Kai-Heng Feng + +commit 70256b42caaf3e13c2932c2be7903a73fbe8bb8b upstream. + +Commit 7b9584fa1c0b ("staging: line6: Move altsetting to properties") +set a wrong altsetting for LINE6_PODHD500_1 during refactoring. + +Set the correct altsetting number to fix the issue. + +BugLink: https://bugs.launchpad.net/bugs/1790595 +Fixes: 7b9584fa1c0b ("staging: line6: Move altsetting to properties") +Signed-off-by: Kai-Heng Feng +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/line6/podhd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/line6/podhd.c ++++ b/sound/usb/line6/podhd.c +@@ -417,7 +417,7 @@ static const struct line6_properties pod + .name = "POD HD500", + .capabilities = LINE6_CAP_PCM + | LINE6_CAP_HWMON, +- .altsetting = 1, ++ .altsetting = 0, + .ep_ctrl_r = 0x81, + .ep_ctrl_w = 0x01, + .ep_audio_r = 0x86, diff --git a/queue-4.19/binder-prevent-transactions-to-context-manager-from-its-own-process.patch b/queue-4.19/binder-prevent-transactions-to-context-manager-from-its-own-process.patch new file mode 100644 index 00000000000..2fec991848f --- /dev/null +++ b/queue-4.19/binder-prevent-transactions-to-context-manager-from-its-own-process.patch @@ -0,0 +1,37 @@ +From 49ed96943a8e0c62cc5a9b0a6cfc88be87d1fcec Mon Sep 17 00:00:00 2001 +From: Hridya Valsaraju +Date: Mon, 15 Jul 2019 12:18:04 -0700 +Subject: binder: prevent transactions to context manager from its own process. + +From: Hridya Valsaraju + +commit 49ed96943a8e0c62cc5a9b0a6cfc88be87d1fcec upstream. + +Currently, a transaction to context manager from its own process +is prevented by checking if its binder_proc struct is the same as +that of the sender. However, this would not catch cases where the +process opens the binder device again and uses the new fd to send +a transaction to the context manager. + +Reported-by: syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com +Signed-off-by: Hridya Valsaraju +Acked-by: Todd Kjos +Cc: stable +Link: https://lore.kernel.org/r/20190715191804.112933-1-hridya@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2838,7 +2838,7 @@ static void binder_transaction(struct bi + else + return_error = BR_DEAD_REPLY; + mutex_unlock(&context->context_mgr_node_lock); +- if (target_node && target_proc == proc) { ++ if (target_node && target_proc->pid == proc->pid) { + binder_user_error("%d:%d got transaction to context manager from process owning it\n", + proc->pid, thread->pid); + return_error = BR_FAILED_REPLY; diff --git a/queue-4.19/fpga-manager-altera-ps-spi-fix-build-error.patch b/queue-4.19/fpga-manager-altera-ps-spi-fix-build-error.patch new file mode 100644 index 00000000000..aacea5443bc --- /dev/null +++ b/queue-4.19/fpga-manager-altera-ps-spi-fix-build-error.patch @@ -0,0 +1,39 @@ +From 3d139703d397f6281368047ba7ad1c8bf95aa8ab Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 8 Jul 2019 15:13:56 +0800 +Subject: fpga-manager: altera-ps-spi: Fix build error + +From: YueHaibing + +commit 3d139703d397f6281368047ba7ad1c8bf95aa8ab upstream. + +If BITREVERSE is m and FPGA_MGR_ALTERA_PS_SPI is y, +build fails: + +drivers/fpga/altera-ps-spi.o: In function `altera_ps_write': +altera-ps-spi.c:(.text+0x4ec): undefined reference to `byte_rev_table' + +Select BITREVERSE to fix this. + +Reported-by: Hulk Robot +Fixes: fcfe18f885f6 ("fpga-manager: altera-ps-spi: use bitrev8x4") +Signed-off-by: YueHaibing +Cc: stable +Acked-by: Moritz Fischer +Link: https://lore.kernel.org/r/20190708071356.50928-1-yuehaibing@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/fpga/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/fpga/Kconfig ++++ b/drivers/fpga/Kconfig +@@ -39,6 +39,7 @@ config ALTERA_PR_IP_CORE_PLAT + config FPGA_MGR_ALTERA_PS_SPI + tristate "Altera FPGA Passive Serial over SPI" + depends on SPI ++ select BITREVERSE + help + FPGA manager driver support for Altera Arria/Cyclone/Stratix + using the passive serial interface over SPI. diff --git a/queue-4.19/hpet-fix-division-by-zero-in-hpet_time_div.patch b/queue-4.19/hpet-fix-division-by-zero-in-hpet_time_div.patch new file mode 100644 index 00000000000..25b49d56fe4 --- /dev/null +++ b/queue-4.19/hpet-fix-division-by-zero-in-hpet_time_div.patch @@ -0,0 +1,67 @@ +From 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Thu, 11 Jul 2019 21:27:57 +0800 +Subject: hpet: Fix division by zero in hpet_time_div() + +From: Kefeng Wang + +commit 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 upstream. + +The base value in do_div() called by hpet_time_div() is truncated from +unsigned long to uint32_t, resulting in a divide-by-zero exception. + +UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2 +division by zero +CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 + 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561 + ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20 + 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0 +Call Trace: + [] __dump_stack lib/dump_stack.c:15 [inline] + [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 + [] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166 + [] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262 + [] hpet_time_div drivers/char/hpet.c:572 [inline] + [] hpet_ioctl_common drivers/char/hpet.c:663 [inline] + [] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577 + [] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676 + [] vfs_ioctl fs/ioctl.c:43 [inline] + [] file_ioctl fs/ioctl.c:470 [inline] + [] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605 + [] SYSC_ioctl fs/ioctl.c:622 [inline] + [] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613 + [] tracesys_phase2+0x90/0x95 + +The main C reproducer autogenerated by syzkaller, + + syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); + memcpy((void*)0x20000100, "/dev/hpet\000", 10); + syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0); + syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000); + +Fix it by using div64_ul(). + +Signed-off-by: Kefeng Wang +Signed-off-by: Zhang HongJun +Cc: stable +Reviewed-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/hpet.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -570,8 +570,7 @@ static inline unsigned long hpet_time_di + unsigned long long m; + + m = hpets->hp_tick_freq + (dis >> 1); +- do_div(m, dis); +- return (unsigned long)m; ++ return div64_ul(m, dis); + } + + static int diff --git a/queue-4.19/mei-me-add-mule-creek-canyon-ehl-device-ids.patch b/queue-4.19/mei-me-add-mule-creek-canyon-ehl-device-ids.patch new file mode 100644 index 00000000000..8c7a0db9306 --- /dev/null +++ b/queue-4.19/mei-me-add-mule-creek-canyon-ehl-device-ids.patch @@ -0,0 +1,46 @@ +From 1be8624a0cbef720e8da39a15971e01abffc865b Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Fri, 12 Jul 2019 12:58:14 +0300 +Subject: mei: me: add mule creek canyon (EHL) device ids + +From: Alexander Usyskin + +commit 1be8624a0cbef720e8da39a15971e01abffc865b upstream. + +Add Mule Creek Canyon (PCH) MEI device ids for Elkhart Lake (EHL) Platform. + +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Cc: stable +Link: https://lore.kernel.org/r/20190712095814.20746-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hw-me-regs.h | 3 +++ + drivers/misc/mei/pci-me.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -141,6 +141,9 @@ + + #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */ + ++#define MEI_DEV_ID_MCC 0x4B70 /* Mule Creek Canyon (EHL) */ ++#define MEI_DEV_ID_MCC_4 0x4B75 /* Mule Creek Canyon 4 (EHL) */ ++ + /* + * MEI HW Section + */ +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -107,6 +107,9 @@ static const struct pci_device_id mei_me + + {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_MCC, MEI_ME_PCH12_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_MCC_4, MEI_ME_PCH8_CFG)}, ++ + /* required last entry */ + {0, } + }; diff --git a/queue-4.19/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch b/queue-4.19/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch new file mode 100644 index 00000000000..111c1383a87 --- /dev/null +++ b/queue-4.19/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch @@ -0,0 +1,91 @@ +From f16d80b75a096c52354c6e0a574993f3b0dfbdfe Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Fri, 19 Jul 2019 15:05:02 +1000 +Subject: powerpc/tm: Fix oops on sigreturn on systems without TM + +From: Michael Neuling + +commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream. + +On systems like P9 powernv where we have no TM (or P8 booted with +ppc_tm=off), userspace can construct a signal context which still has +the MSR TS bits set. The kernel tries to restore this context which +results in the following crash: + + Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033 + Oops: Unrecoverable exception, sig: 6 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: + CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69 + NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000 + REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8) + MSR: 8000000102a03031 CR: 42004242 XER: 00000000 + CFAR: c0000000000022e0 IRQMASK: 0 + GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669 + GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8 + GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000 + GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420 + GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000 + GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000 + GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728 + NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80 + LR [00007fffb2d67e48] 0x7fffb2d67e48 + Call Trace: + Instruction dump: + e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00 + e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18 + +The problem is the signal code assumes TM is enabled when +CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as +with P9 powernv or if `ppc_tm=off` is used on P8. + +This means any local user can crash the system. + +Fix the problem by returning a bad stack frame to the user if they try +to set the MSR TS bits with sigreturn() on systems where TM is not +supported. + +Found with sigfuz kernel selftest on P9. + +This fixes CVE-2019-13648. + +Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") +Cc: stable@vger.kernel.org # v3.9 +Reported-by: Praveen Pandey +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/signal_32.c | 3 +++ + arch/powerpc/kernel/signal_64.c | 5 +++++ + 2 files changed, 8 insertions(+) + +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -1202,6 +1202,9 @@ SYSCALL_DEFINE0(rt_sigreturn) + goto bad; + + if (MSR_TM_ACTIVE(msr_hi<<32)) { ++ /* Trying to start TM on non TM system */ ++ if (!cpu_has_feature(CPU_FTR_TM)) ++ goto bad; + /* We only recheckpoint on return if we're + * transaction. + */ +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -750,6 +750,11 @@ SYSCALL_DEFINE0(rt_sigreturn) + if (MSR_TM_ACTIVE(msr)) { + /* We recheckpoint on return. */ + struct ucontext __user *uc_transact; ++ ++ /* Trying to start TM on non TM system */ ++ if (!cpu_has_feature(CPU_FTR_TM)) ++ goto badframe; ++ + if (__get_user(uc_transact, &uc->uc_link)) + goto badframe; + if (restore_tm_sigcontexts(current, &uc->uc_mcontext, diff --git a/queue-4.19/powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch b/queue-4.19/powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch new file mode 100644 index 00000000000..e5c5b07e9ee --- /dev/null +++ b/queue-4.19/powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch @@ -0,0 +1,119 @@ +From 4d202c8c8ed3822327285747db1765967110b274 Mon Sep 17 00:00:00 2001 +From: "Gautham R. Shenoy" +Date: Wed, 17 Jul 2019 16:05:24 +0530 +Subject: powerpc/xive: Fix loop exit-condition in xive_find_target_in_mask() + +From: Gautham R. Shenoy + +commit 4d202c8c8ed3822327285747db1765967110b274 upstream. + +xive_find_target_in_mask() has the following for(;;) loop which has a +bug when @first == cpumask_first(@mask) and condition 1 fails to hold +for every CPU in @mask. In this case we loop forever in the for-loop. + + first = cpu; + for (;;) { + if (cpu_online(cpu) && xive_try_pick_target(cpu)) // condition 1 + return cpu; + cpu = cpumask_next(cpu, mask); + if (cpu == first) // condition 2 + break; + + if (cpu >= nr_cpu_ids) // condition 3 + cpu = cpumask_first(mask); + } + +This is because, when @first == cpumask_first(@mask), we never hit the +condition 2 (cpu == first) since prior to this check, we would have +executed "cpu = cpumask_next(cpu, mask)" which will set the value of +@cpu to a value greater than @first or to nr_cpus_ids. When this is +coupled with the fact that condition 1 is not met, we will never exit +this loop. + +This was discovered by the hard-lockup detector while running LTP test +concurrently with SMT switch tests. + + watchdog: CPU 12 detected hard LOCKUP on other CPUs 68 + watchdog: CPU 12 TB:85587019220796, last SMP heartbeat TB:85578827223399 (15999ms ago) + watchdog: CPU 68 Hard LOCKUP + watchdog: CPU 68 TB:85587019361273, last heartbeat TB:85576815065016 (19930ms ago) + CPU: 68 PID: 45050 Comm: hxediag Kdump: loaded Not tainted 4.18.0-100.el8.ppc64le #1 + NIP: c0000000006f5578 LR: c000000000cba9ec CTR: 0000000000000000 + REGS: c000201fff3c7d80 TRAP: 0100 Not tainted (4.18.0-100.el8.ppc64le) + MSR: 9000000002883033 CR: 24028424 XER: 00000000 + CFAR: c0000000006f558c IRQMASK: 1 + GPR00: c0000000000afc58 c000201c01c43400 c0000000015ce500 c000201cae26ec18 + GPR04: 0000000000000800 0000000000000540 0000000000000800 00000000000000f8 + GPR08: 0000000000000020 00000000000000a8 0000000080000000 c00800001a1beed8 + GPR12: c0000000000b1410 c000201fff7f4c00 0000000000000000 0000000000000000 + GPR16: 0000000000000000 0000000000000000 0000000000000540 0000000000000001 + GPR20: 0000000000000048 0000000010110000 c00800001a1e3780 c000201cae26ed18 + GPR24: 0000000000000000 c000201cae26ed8c 0000000000000001 c000000001116bc0 + GPR28: c000000001601ee8 c000000001602494 c000201cae26ec18 000000000000001f + NIP [c0000000006f5578] find_next_bit+0x38/0x90 + LR [c000000000cba9ec] cpumask_next+0x2c/0x50 + Call Trace: + [c000201c01c43400] [c000201cae26ec18] 0xc000201cae26ec18 (unreliable) + [c000201c01c43420] [c0000000000afc58] xive_find_target_in_mask+0x1b8/0x240 + [c000201c01c43470] [c0000000000b0228] xive_pick_irq_target.isra.3+0x168/0x1f0 + [c000201c01c435c0] [c0000000000b1470] xive_irq_startup+0x60/0x260 + [c000201c01c43640] [c0000000001d8328] __irq_startup+0x58/0xf0 + [c000201c01c43670] [c0000000001d844c] irq_startup+0x8c/0x1a0 + [c000201c01c436b0] [c0000000001d57b0] __setup_irq+0x9f0/0xa90 + [c000201c01c43760] [c0000000001d5aa0] request_threaded_irq+0x140/0x220 + [c000201c01c437d0] [c00800001a17b3d4] bnx2x_nic_load+0x188c/0x3040 [bnx2x] + [c000201c01c43950] [c00800001a187c44] bnx2x_self_test+0x1fc/0x1f70 [bnx2x] + [c000201c01c43a90] [c000000000adc748] dev_ethtool+0x11d8/0x2cb0 + [c000201c01c43b60] [c000000000b0b61c] dev_ioctl+0x5ac/0xa50 + [c000201c01c43bf0] [c000000000a8d4ec] sock_do_ioctl+0xbc/0x1b0 + [c000201c01c43c60] [c000000000a8dfb8] sock_ioctl+0x258/0x4f0 + [c000201c01c43d20] [c0000000004c9704] do_vfs_ioctl+0xd4/0xa70 + [c000201c01c43de0] [c0000000004ca274] sys_ioctl+0xc4/0x160 + [c000201c01c43e30] [c00000000000b388] system_call+0x5c/0x70 + Instruction dump: + 78aad182 54a806be 3920ffff 78a50664 794a1f24 7d294036 7d43502a 7d295039 + 4182001c 48000034 78a9d182 79291f24 <7d23482a> 2fa90000 409e0020 38a50040 + +To fix this, move the check for condition 2 after the check for +condition 3, so that we are able to break out of the loop soon after +iterating through all the CPUs in the @mask in the problem case. Use +do..while() to achieve this. + +Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller") +Cc: stable@vger.kernel.org # v4.12+ +Reported-by: Indira P. Joga +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1563359724-13931-1-git-send-email-ego@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/sysdev/xive/common.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/sysdev/xive/common.c ++++ b/arch/powerpc/sysdev/xive/common.c +@@ -483,7 +483,7 @@ static int xive_find_target_in_mask(cons + * Now go through the entire mask until we find a valid + * target. + */ +- for (;;) { ++ do { + /* + * We re-check online as the fallback case passes us + * an untested affinity mask +@@ -491,12 +491,11 @@ static int xive_find_target_in_mask(cons + if (cpu_online(cpu) && xive_try_pick_target(cpu)) + return cpu; + cpu = cpumask_next(cpu, mask); +- if (cpu == first) +- break; + /* Wrap around */ + if (cpu >= nr_cpu_ids) + cpu = cpumask_first(mask); +- } ++ } while (cpu != first); ++ + return -1; + } + diff --git a/queue-4.19/series b/queue-4.19/series index 1f4e3bf5db9..a044e4bca6f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -100,3 +100,12 @@ usb-pci-quirks-correct-amd-pll-quirk-detection.patch btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch +binder-prevent-transactions-to-context-manager-from-its-own-process.patch +fpga-manager-altera-ps-spi-fix-build-error.patch +mei-me-add-mule-creek-canyon-ehl-device-ids.patch +hpet-fix-division-by-zero-in-hpet_time_div.patch +alsa-ac97-fix-double-free-of-ac97_codec_device.patch +alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch +alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch +powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch +powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch -- 2.47.3