--- /dev/null
+From ben.hutchings@codethink.co.uk Wed Mar 7 11:01:18 2018
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Wed, 7 Mar 2018 18:36:43 +0000
+Subject: x86/apic/vector: Handle legacy irq data correctly
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>, stable@vger.kernel.org
+Message-ID: <20180307183643.7vy7znqgismeh62p@xylophone.i.decadent.org.uk>
+Content-Disposition: inline
+
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+The backport of upstream commit 45d55e7bac40 ("x86/apic/vector: Fix off by
+one in error path") missed to fixup the legacy interrupt data which is not
+longer available upstream.
+
+Handle legacy irq data correctly by clearing the legacy storage to prevent
+use after free.
+
+Fixes: 7fd133539289 ("x86/apic/vector: Fix off by one in error path") - 4.4.y
+Fixes: c557481a9491 ("x86/apic/vector: Fix off by one in error path") - 4.9.y
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/apic/vector.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -91,8 +91,12 @@ out_data:
+ return NULL;
+ }
+
+-static void free_apic_chip_data(struct apic_chip_data *data)
++static void free_apic_chip_data(unsigned int virq, struct apic_chip_data *data)
+ {
++#ifdef CONFIG_X86_IO_APIC
++ if (virq < nr_legacy_irqs())
++ legacy_irq_data[virq] = NULL;
++#endif
+ if (data) {
+ free_cpumask_var(data->domain);
+ free_cpumask_var(data->old_domain);
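Review bot: The new `#ifdef CONFIG_X86_IO_APIC` block in free_apic_chip_data() has no comment explaining why a free helper writes to `legacy_irq_data`, and it clears the slot for any `virq` in the legacy range without checking that the slot actually holds `data`. I would add `/* Clear the legacy slot before freeing so no stale pointer to @data is left behind for later reuse */` above the `if (virq < nr_legacy_irqs())` line. If the slot is expected to be either NULL or equal to `data` at every call site, which the two callers in this patch suggest but do not show, a `WARN_ON_ONCE(legacy_irq_data[virq] && legacy_irq_data[virq] != data);` before the store would catch a mismatched virq/data pair. The function body continues past the end of this hunk.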
+@@ -316,11 +320,7 @@ static void x86_vector_free_irqs(struct
+ apic_data = irq_data->chip_data;
+ irq_domain_reset_irq_data(irq_data);
+ raw_spin_unlock_irqrestore(&vector_lock, flags);
+- free_apic_chip_data(apic_data);
+-#ifdef CONFIG_X86_IO_APIC
+- if (virq + i < nr_legacy_irqs())
+- legacy_irq_data[virq + i] = NULL;
+-#endif
++ free_apic_chip_data(virq + i, apic_data);
+ }
+ }
+ }
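Review bot: The call `free_apic_chip_data(virq + i, apic_data);` sits after `raw_spin_unlock_irqrestore(&vector_lock, flags);`, so the store to `legacy_irq_data[virq + i]` inside the helper runs without vector_lock held. The removed lines did the same, so this is not a regression. With the store now hidden in a helper, though, it is worth stating what serialises readers of `legacy_irq_data` against it, and nothing in this hunk shows that. A comment at the call such as `/* legacy_irq_data[] is cleared in free_apic_chip_data(), outside vector_lock */` would make the ordering visible. The enclosing loop and function start outside the hunk.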
+@@ -361,7 +361,7 @@ static int x86_vector_alloc_irqs(struct
+ err = assign_irq_vector_policy(virq + i, node, data, info);
+ if (err) {
+ irq_data->chip_data = NULL;
+- free_apic_chip_data(data);
++ free_apic_chip_data(virq + i, data);
+ goto error;
+ }
+ }