From: Greg Kroah-Hartman Date: Mon, 30 Nov 2020 08:36:46 +0000 (+0100) Subject: 5.9-stable patches X-Git-Tag: v4.4.247~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=48aad437b51396bc7a8d80293952a150882fc8d9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: irqchip-exiu-fix-the-index-of-fwspec-for-irq-type.patch usb-core-change-pk-for-__user-pointers-to-px.patch usb-core-fix-regression-in-hercules-audio-card.patch usb-gadget-f_midi-fix-memleak-in-f_midi_alloc.patch usb-gadget-fix-memleak-in-gadgetfs_fill_super.patch usb-quirks-add-usb_quirk_disconnect_suspend-quirk-for-lenovo-a630z-tio-built-in-usb-audio-card.patch x86-mce-do-not-overwrite-no_way_out-if-mce_end-fails.patch x86-resctrl-add-necessary-kernfs_put-calls-to-prevent-refcount-leak.patch x86-resctrl-remove-superfluous-kernfs_get-calls-to-prevent-refcount-leak.patch x86-speculation-fix-prctl-when-spectre_v2_user-seccomp-prctl-ibpb.patch --- diff --git a/queue-5.9/irqchip-exiu-fix-the-index-of-fwspec-for-irq-type.patch b/queue-5.9/irqchip-exiu-fix-the-index-of-fwspec-for-irq-type.patch new file mode 100644 index 00000000000..0ebc71e1a05 --- /dev/null +++ b/queue-5.9/irqchip-exiu-fix-the-index-of-fwspec-for-irq-type.patch @@ -0,0 +1,35 @@ +From d001e41e1b15716e9b759df5ef00510699f85282 Mon Sep 17 00:00:00 2001 +From: Chen Baozi +Date: Tue, 17 Nov 2020 11:20:15 +0800 +Subject: irqchip/exiu: Fix the index of fwspec for IRQ type + +From: Chen Baozi + +commit d001e41e1b15716e9b759df5ef00510699f85282 upstream. + +Since fwspec->param_count of ACPI node is two, the index of IRQ type +in fwspec->param[] should be 1 rather than 2. + +Fixes: 3d090a36c8c8 ("irqchip/exiu: Implement ACPI support") +Signed-off-by: Chen Baozi +Signed-off-by: Marc Zyngier +Acked-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20201117032015.11805-1-cbz@baozis.org +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-sni-exiu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-sni-exiu.c ++++ b/drivers/irqchip/irq-sni-exiu.c +@@ -136,7 +136,7 @@ static int exiu_domain_translate(struct + if (fwspec->param_count != 2) + return -EINVAL; + *hwirq = fwspec->param[0]; +- *type = fwspec->param[2] & IRQ_TYPE_SENSE_MASK; ++ *type = fwspec->param[1] & IRQ_TYPE_SENSE_MASK; + } + return 0; + } diff --git a/queue-5.9/series b/queue-5.9/series index 3b1745c303d..4813b484992 100644 --- a/queue-5.9/series +++ b/queue-5.9/series @@ -139,3 +139,13 @@ perf-record-synthesize-cgroup-events-only-if-needed.patch perf-stat-use-proper-cpu-for-shadow-stats.patch perf-probe-fix-to-die_entrypc-returns-error-correctl.patch spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch +usb-core-change-pk-for-__user-pointers-to-px.patch +usb-gadget-f_midi-fix-memleak-in-f_midi_alloc.patch +usb-core-fix-regression-in-hercules-audio-card.patch +usb-quirks-add-usb_quirk_disconnect_suspend-quirk-for-lenovo-a630z-tio-built-in-usb-audio-card.patch +usb-gadget-fix-memleak-in-gadgetfs_fill_super.patch +irqchip-exiu-fix-the-index-of-fwspec-for-irq-type.patch +x86-mce-do-not-overwrite-no_way_out-if-mce_end-fails.patch +x86-speculation-fix-prctl-when-spectre_v2_user-seccomp-prctl-ibpb.patch +x86-resctrl-remove-superfluous-kernfs_get-calls-to-prevent-refcount-leak.patch +x86-resctrl-add-necessary-kernfs_put-calls-to-prevent-refcount-leak.patch diff --git a/queue-5.9/usb-core-change-pk-for-__user-pointers-to-px.patch b/queue-5.9/usb-core-change-pk-for-__user-pointers-to-px.patch new file mode 100644 index 00000000000..68717953652 --- /dev/null +++ b/queue-5.9/usb-core-change-pk-for-__user-pointers-to-px.patch @@ -0,0 +1,93 @@ +From f3bc432aa8a7a2bfe9ebb432502be5c5d979d7fe Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 19 Nov 2020 12:02:28 -0500 +Subject: USB: core: Change %pK for __user pointers to %px + +From: Alan Stern + +commit f3bc432aa8a7a2bfe9ebb432502be5c5d979d7fe upstream. + +Commit 2f964780c03b ("USB: core: replace %p with %pK") used the %pK +format specifier for a bunch of __user pointers. But as the 'K' in +the specifier indicates, it is meant for kernel pointers. The reason +for the %pK specifier is to avoid leaks of kernel addresses, but when +the pointer is to an address in userspace the security implications +are minimal. In particular, no kernel information is leaked. + +This patch changes the __user %pK specifiers (used in a bunch of +debugging output lines) to %px, which will always print the actual +address with no mangling. (Notably, there is no printk format +specifier particularly intended for __user pointers.) + +Fixes: 2f964780c03b ("USB: core: replace %p with %pK") +CC: Vamsi Krishna Samavedam +CC: +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/20201119170228.GB576844@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -482,11 +482,11 @@ static void snoop_urb(struct usb_device + + if (userurb) { /* Async */ + if (when == SUBMIT) +- dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " ++ dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " + "length %u\n", + userurb, ep, t, d, length); + else +- dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " ++ dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " + "actual_length %u status %d\n", + userurb, ep, t, d, length, + timeout_or_status); +@@ -1997,7 +1997,7 @@ static int proc_reapurb(struct usb_dev_s + if (as) { + int retval; + +- snoop(&ps->dev->dev, "reap %pK\n", as->userurb); ++ snoop(&ps->dev->dev, "reap %px\n", as->userurb); + retval = processcompl(as, (void __user * __user *)arg); + free_async(as); + return retval; +@@ -2014,7 +2014,7 @@ static int proc_reapurbnonblock(struct u + + as = async_getcompleted(ps); + if (as) { +- snoop(&ps->dev->dev, "reap %pK\n", as->userurb); ++ snoop(&ps->dev->dev, "reap %px\n", as->userurb); + retval = processcompl(as, (void __user * __user *)arg); + free_async(as); + } else { +@@ -2142,7 +2142,7 @@ static int proc_reapurb_compat(struct us + if (as) { + int retval; + +- snoop(&ps->dev->dev, "reap %pK\n", as->userurb); ++ snoop(&ps->dev->dev, "reap %px\n", as->userurb); + retval = processcompl_compat(as, (void __user * __user *)arg); + free_async(as); + return retval; +@@ -2159,7 +2159,7 @@ static int proc_reapurbnonblock_compat(s + + as = async_getcompleted(ps); + if (as) { +- snoop(&ps->dev->dev, "reap %pK\n", as->userurb); ++ snoop(&ps->dev->dev, "reap %px\n", as->userurb); + retval = processcompl_compat(as, (void __user * __user *)arg); + free_async(as); + } else { +@@ -2624,7 +2624,7 @@ static long usbdev_do_ioctl(struct file + #endif + + case USBDEVFS_DISCARDURB: +- snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p); ++ snoop(&dev->dev, "%s: DISCARDURB %px\n", __func__, p); + ret = proc_unlinkurb(ps, p); + break; + diff --git a/queue-5.9/usb-core-fix-regression-in-hercules-audio-card.patch b/queue-5.9/usb-core-fix-regression-in-hercules-audio-card.patch new file mode 100644 index 00000000000..eb80fd04358 --- /dev/null +++ b/queue-5.9/usb-core-fix-regression-in-hercules-audio-card.patch @@ -0,0 +1,55 @@ +From 184eead057cc7e803558269babc1f2cfb9113ad1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 19 Nov 2020 12:00:40 -0500 +Subject: USB: core: Fix regression in Hercules audio card + +From: Alan Stern + +commit 184eead057cc7e803558269babc1f2cfb9113ad1 upstream. + +Commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") +aimed to make the USB stack more reliable by detecting and skipping +over endpoints that are duplicated between interfaces. This caused a +regression for a Hercules audio card (reported as Bugzilla #208357), +which contains such non-compliant duplications. Although the +duplications are harmless, skipping the valid endpoints prevented the +device from working. + +This patch fixes the regression by adding ENDPOINT_IGNORE quirks for +the Hercules card, telling the kernel to ignore the invalid duplicate +endpoints and thereby allowing the valid endpoints to be used as +intended. + +Fixes: 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") +CC: +Reported-by: Alexander Chalikiopoulos +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/20201119170040.GA576844@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -348,6 +348,10 @@ static const struct usb_device_id usb_qu + /* Guillemot Webcam Hercules Dualpix Exchange*/ + { USB_DEVICE(0x06f8, 0x3005), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Guillemot Hercules DJ Console audio card (BZ 208357) */ ++ { USB_DEVICE(0x06f8, 0xb000), .driver_info = ++ USB_QUIRK_ENDPOINT_IGNORE }, ++ + /* Midiman M-Audio Keystation 88es */ + { USB_DEVICE(0x0763, 0x0192), .driver_info = USB_QUIRK_RESET_RESUME }, + +@@ -521,6 +525,8 @@ static const struct usb_device_id usb_am + * Matched for devices with USB_QUIRK_ENDPOINT_IGNORE. + */ + static const struct usb_device_id usb_endpoint_ignore[] = { ++ { USB_DEVICE_INTERFACE_NUMBER(0x06f8, 0xb000, 5), .driver_info = 0x01 }, ++ { USB_DEVICE_INTERFACE_NUMBER(0x06f8, 0xb000, 5), .driver_info = 0x81 }, + { USB_DEVICE_INTERFACE_NUMBER(0x0926, 0x0202, 1), .driver_info = 0x85 }, + { USB_DEVICE_INTERFACE_NUMBER(0x0926, 0x0208, 1), .driver_info = 0x85 }, + { } diff --git a/queue-5.9/usb-gadget-f_midi-fix-memleak-in-f_midi_alloc.patch b/queue-5.9/usb-gadget-f_midi-fix-memleak-in-f_midi_alloc.patch new file mode 100644 index 00000000000..84407f207da --- /dev/null +++ b/queue-5.9/usb-gadget-f_midi-fix-memleak-in-f_midi_alloc.patch @@ -0,0 +1,58 @@ +From e7694cb6998379341fd9bf3bd62b48c4e6a79385 Mon Sep 17 00:00:00 2001 +From: Zhang Qilong +Date: Tue, 17 Nov 2020 10:16:28 +0800 +Subject: usb: gadget: f_midi: Fix memleak in f_midi_alloc + +From: Zhang Qilong + +commit e7694cb6998379341fd9bf3bd62b48c4e6a79385 upstream. + +In the error path, if midi is not null, we should +free the midi->id if necessary to prevent memleak. + +Fixes: b85e9de9e818d ("usb: gadget: f_midi: convert to new function interface with backward compatibility") +Reported-by: Hulk Robot +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20201117021629.1470544-2-zhangqilong3@huawei.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_midi.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/function/f_midi.c ++++ b/drivers/usb/gadget/function/f_midi.c +@@ -1315,7 +1315,7 @@ static struct usb_function *f_midi_alloc + midi->id = kstrdup(opts->id, GFP_KERNEL); + if (opts->id && !midi->id) { + status = -ENOMEM; +- goto setup_fail; ++ goto midi_free; + } + midi->in_ports = opts->in_ports; + midi->out_ports = opts->out_ports; +@@ -1327,7 +1327,7 @@ static struct usb_function *f_midi_alloc + + status = kfifo_alloc(&midi->in_req_fifo, midi->qlen, GFP_KERNEL); + if (status) +- goto setup_fail; ++ goto midi_free; + + spin_lock_init(&midi->transmit_lock); + +@@ -1343,9 +1343,13 @@ static struct usb_function *f_midi_alloc + + return &midi->func; + ++midi_free: ++ if (midi) ++ kfree(midi->id); ++ kfree(midi); + setup_fail: + mutex_unlock(&opts->lock); +- kfree(midi); ++ + return ERR_PTR(status); + } + diff --git a/queue-5.9/usb-gadget-fix-memleak-in-gadgetfs_fill_super.patch b/queue-5.9/usb-gadget-fix-memleak-in-gadgetfs_fill_super.patch new file mode 100644 index 00000000000..ab0a9be9c5e --- /dev/null +++ b/queue-5.9/usb-gadget-fix-memleak-in-gadgetfs_fill_super.patch @@ -0,0 +1,37 @@ +From 87bed3d7d26c974948a3d6e7176f304b2d41272b Mon Sep 17 00:00:00 2001 +From: Zhang Qilong +Date: Tue, 17 Nov 2020 10:16:29 +0800 +Subject: usb: gadget: Fix memleak in gadgetfs_fill_super + +From: Zhang Qilong + +commit 87bed3d7d26c974948a3d6e7176f304b2d41272b upstream. + +usb_get_gadget_udc_name will alloc memory for CHIP +in "Enomem" branch. we should free it before error +returns to prevent memleak. + +Fixes: 175f712119c57 ("usb: gadget: provide interface for legacy gadgets to get UDC name") +Reported-by: Hulk Robot +Acked-by: Alan Stern +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20201117021629.1470544-3-zhangqilong3@huawei.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/legacy/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -2039,6 +2039,9 @@ gadgetfs_fill_super (struct super_block + return 0; + + Enomem: ++ kfree(CHIP); ++ CHIP = NULL; ++ + return -ENOMEM; + } + diff --git a/queue-5.9/usb-quirks-add-usb_quirk_disconnect_suspend-quirk-for-lenovo-a630z-tio-built-in-usb-audio-card.patch b/queue-5.9/usb-quirks-add-usb_quirk_disconnect_suspend-quirk-for-lenovo-a630z-tio-built-in-usb-audio-card.patch new file mode 100644 index 00000000000..a35b64f340e --- /dev/null +++ b/queue-5.9/usb-quirks-add-usb_quirk_disconnect_suspend-quirk-for-lenovo-a630z-tio-built-in-usb-audio-card.patch @@ -0,0 +1,65 @@ +From 9ca57518361418ad5ae7dc38a2128fbf4855e1a2 Mon Sep 17 00:00:00 2001 +From: penghao +Date: Wed, 18 Nov 2020 20:30:39 +0800 +Subject: USB: quirks: Add USB_QUIRK_DISCONNECT_SUSPEND quirk for Lenovo A630Z TIO built-in usb-audio card + +From: penghao + +commit 9ca57518361418ad5ae7dc38a2128fbf4855e1a2 upstream. + +Add a USB_QUIRK_DISCONNECT_SUSPEND quirk for the Lenovo TIO built-in +usb-audio. when A630Z going into S3,the system immediately wakeup 7-8 +seconds later by usb-audio disconnect interrupt to avoids the issue. +eg dmesg: +.... +[ 626.974091 ] usb 7-1.1: USB disconnect, device number 3 +.... +.... +[ 1774.486691] usb 7-1.1: new full-speed USB device number 5 using xhci_hcd +[ 1774.947742] usb 7-1.1: New USB device found, idVendor=17ef, idProduct=a012, bcdDevice= 0.55 +[ 1774.956588] usb 7-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[ 1774.964339] usb 7-1.1: Product: Thinkcentre TIO24Gen3 for USB-audio +[ 1774.970999] usb 7-1.1: Manufacturer: Lenovo +[ 1774.975447] usb 7-1.1: SerialNumber: 000000000000 +[ 1775.048590] usb 7-1.1: 2:1: cannot get freq at ep 0x1 +....... +Seeking a better fix, we've tried a lot of things, including: + - Check that the device's power/wakeup is disabled + - Check that remote wakeup is off at the USB level + - All the quirks in drivers/usb/core/quirks.c + e.g. USB_QUIRK_RESET_RESUME, + USB_QUIRK_RESET, + USB_QUIRK_IGNORE_REMOTE_WAKEUP, + USB_QUIRK_NO_LPM. + +but none of that makes any difference. + +There are no errors in the logs showing any suspend/resume-related issues. +When the system wakes up due to the modem, log-wise it appears to be a +normal resume. + +Introduce a quirk to disable the port during suspend when the modem is +detected. + +Signed-off-by: penghao +Link: https://lore.kernel.org/r/20201118123039.11696-1-penghao@uniontech.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -425,6 +425,10 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x1532, 0x0116), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Lenovo ThinkCenter A630Z TI024Gen3 usb-audio */ ++ { USB_DEVICE(0x17ef, 0xa012), .driver_info = ++ USB_QUIRK_DISCONNECT_SUSPEND }, ++ + /* BUILDWIN Photo Frame */ + { USB_DEVICE(0x1908, 0x1315), .driver_info = + USB_QUIRK_HONOR_BNUMINTERFACES }, diff --git a/queue-5.9/x86-mce-do-not-overwrite-no_way_out-if-mce_end-fails.patch b/queue-5.9/x86-mce-do-not-overwrite-no_way_out-if-mce_end-fails.patch new file mode 100644 index 00000000000..f5f856a3419 --- /dev/null +++ b/queue-5.9/x86-mce-do-not-overwrite-no_way_out-if-mce_end-fails.patch @@ -0,0 +1,47 @@ +From 25bc65d8ddfc17cc1d7a45bd48e9bdc0e729ced3 Mon Sep 17 00:00:00 2001 +From: Gabriele Paoloni +Date: Fri, 27 Nov 2020 16:18:15 +0000 +Subject: x86/mce: Do not overwrite no_way_out if mce_end() fails + +From: Gabriele Paoloni + +commit 25bc65d8ddfc17cc1d7a45bd48e9bdc0e729ced3 upstream. + +Currently, if mce_end() fails, no_way_out - the variable denoting +whether the machine can recover from this MCE - is determined by whether +the worst severity that was found across the MCA banks associated with +the current CPU, is of panic severity. + +However, at this point no_way_out could have been already set by +mca_start() after looking at all severities of all CPUs that entered the +MCE handler. If mce_end() fails, check first if no_way_out is already +set and, if so, stick to it, otherwise use the local worst value. + + [ bp: Massage. ] + +Signed-off-by: Gabriele Paoloni +Signed-off-by: Borislav Petkov +Reviewed-by: Tony Luck +Cc: +Link: https://lkml.kernel.org/r/20201127161819.3106432-2-gabriele.paoloni@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mce/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -1363,8 +1363,10 @@ noinstr void do_machine_check(struct pt_ + * When there's any problem use only local no_way_out state. + */ + if (!lmce) { +- if (mce_end(order) < 0) +- no_way_out = worst >= MCE_PANIC_SEVERITY; ++ if (mce_end(order) < 0) { ++ if (!no_way_out) ++ no_way_out = worst >= MCE_PANIC_SEVERITY; ++ } + } else { + /* + * If there was a fatal machine check we should have diff --git a/queue-5.9/x86-resctrl-add-necessary-kernfs_put-calls-to-prevent-refcount-leak.patch b/queue-5.9/x86-resctrl-add-necessary-kernfs_put-calls-to-prevent-refcount-leak.patch new file mode 100644 index 00000000000..3a5fbef6fcb --- /dev/null +++ b/queue-5.9/x86-resctrl-add-necessary-kernfs_put-calls-to-prevent-refcount-leak.patch @@ -0,0 +1,159 @@ +From 758999246965eeb8b253d47e72f7bfe508804b16 Mon Sep 17 00:00:00 2001 +From: Xiaochen Shen +Date: Sat, 31 Oct 2020 03:11:28 +0800 +Subject: x86/resctrl: Add necessary kernfs_put() calls to prevent refcount leak + +From: Xiaochen Shen + +commit 758999246965eeb8b253d47e72f7bfe508804b16 upstream. + +On resource group creation via a mkdir an extra kernfs_node reference is +obtained by kernfs_get() to ensure that the rdtgroup structure remains +accessible for the rdtgroup_kn_unlock() calls where it is removed on +deletion. Currently the extra kernfs_node reference count is only +dropped by kernfs_put() in rdtgroup_kn_unlock() while the rdtgroup +structure is removed in a few other locations that lack the matching +reference drop. + +In call paths of rmdir and umount, when a control group is removed, +kernfs_remove() is called to remove the whole kernfs nodes tree of the +control group (including the kernfs nodes trees of all child monitoring +groups), and then rdtgroup structure is freed by kfree(). The rdtgroup +structures of all child monitoring groups under the control group are +freed by kfree() in free_all_child_rdtgrp(). + +Before calling kfree() to free the rdtgroup structures, the kernfs node +of the control group itself as well as the kernfs nodes of all child +monitoring groups still take the extra references which will never be +dropped to 0 and the kernfs nodes will never be freed. It leads to +reference count leak and kernfs_node_cache memory leak. + +For example, reference count leak is observed in these two cases: + (1) mount -t resctrl resctrl /sys/fs/resctrl + mkdir /sys/fs/resctrl/c1 + mkdir /sys/fs/resctrl/c1/mon_groups/m1 + umount /sys/fs/resctrl + + (2) mkdir /sys/fs/resctrl/c1 + mkdir /sys/fs/resctrl/c1/mon_groups/m1 + rmdir /sys/fs/resctrl/c1 + +The same reference count leak issue also exists in the error exit paths +of mkdir in mkdir_rdt_prepare() and rdtgroup_mkdir_ctrl_mon(). + +Fix this issue by following changes to make sure the extra kernfs_node +reference on rdtgroup is dropped before freeing the rdtgroup structure. + (1) Introduce rdtgroup removal helper rdtgroup_remove() to wrap up + kernfs_put() and kfree(). + + (2) Call rdtgroup_remove() in rdtgroup removal path where the rdtgroup + structure is about to be freed by kfree(). + + (3) Call rdtgroup_remove() or kernfs_put() as appropriate in the error + exit paths of mkdir where an extra reference is taken by kernfs_get(). + +Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support") +Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files") +Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system") +Reported-by: Willem de Bruijn +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov +Reviewed-by: Reinette Chatre +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1604085088-31707-1-git-send-email-xiaochen.shen@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -507,6 +507,24 @@ unlock: + return ret ?: nbytes; + } + ++/** ++ * rdtgroup_remove - the helper to remove resource group safely ++ * @rdtgrp: resource group to remove ++ * ++ * On resource group creation via a mkdir, an extra kernfs_node reference is ++ * taken to ensure that the rdtgroup structure remains accessible for the ++ * rdtgroup_kn_unlock() calls where it is removed. ++ * ++ * Drop the extra reference here, then free the rdtgroup structure. ++ * ++ * Return: void ++ */ ++static void rdtgroup_remove(struct rdtgroup *rdtgrp) ++{ ++ kernfs_put(rdtgrp->kn); ++ kfree(rdtgrp); ++} ++ + struct task_move_callback { + struct callback_head work; + struct rdtgroup *rdtgrp; +@@ -529,7 +547,7 @@ static void move_myself(struct callback_ + (rdtgrp->flags & RDT_DELETED)) { + current->closid = 0; + current->rmid = 0; +- kfree(rdtgrp); ++ rdtgroup_remove(rdtgrp); + } + + if (unlikely(current->flags & PF_EXITING)) +@@ -2004,8 +2022,7 @@ void rdtgroup_kn_unlock(struct kernfs_no + rdtgrp->mode == RDT_MODE_PSEUDO_LOCKED) + rdtgroup_pseudo_lock_remove(rdtgrp); + kernfs_unbreak_active_protection(kn); +- kernfs_put(rdtgrp->kn); +- kfree(rdtgrp); ++ rdtgroup_remove(rdtgrp); + } else { + kernfs_unbreak_active_protection(kn); + } +@@ -2292,7 +2309,7 @@ static void free_all_child_rdtgrp(struct + if (atomic_read(&sentry->waitcount) != 0) + sentry->flags = RDT_DELETED; + else +- kfree(sentry); ++ rdtgroup_remove(sentry); + } + } + +@@ -2334,7 +2351,7 @@ static void rmdir_all_sub(void) + if (atomic_read(&rdtgrp->waitcount) != 0) + rdtgrp->flags = RDT_DELETED; + else +- kfree(rdtgrp); ++ rdtgroup_remove(rdtgrp); + } + /* Notify online CPUs to update per cpu storage and PQR_ASSOC MSR */ + update_closid_rmid(cpu_online_mask, &rdtgroup_default); +@@ -2769,7 +2786,7 @@ static int mkdir_rdt_prepare(struct kern + * kernfs_remove() will drop the reference count on "kn" which + * will free it. But we still need it to stick around for the + * rdtgroup_kn_unlock(kn) call. Take one extra reference here, +- * which will be dropped inside rdtgroup_kn_unlock(). ++ * which will be dropped by kernfs_put() in rdtgroup_remove(). + */ + kernfs_get(kn); + +@@ -2810,6 +2827,7 @@ static int mkdir_rdt_prepare(struct kern + out_idfree: + free_rmid(rdtgrp->mon.rmid); + out_destroy: ++ kernfs_put(rdtgrp->kn); + kernfs_remove(rdtgrp->kn); + out_free_rgrp: + kfree(rdtgrp); +@@ -2822,7 +2840,7 @@ static void mkdir_rdt_prepare_clean(stru + { + kernfs_remove(rgrp->kn); + free_rmid(rgrp->mon.rmid); +- kfree(rgrp); ++ rdtgroup_remove(rgrp); + } + + /* diff --git a/queue-5.9/x86-resctrl-remove-superfluous-kernfs_get-calls-to-prevent-refcount-leak.patch b/queue-5.9/x86-resctrl-remove-superfluous-kernfs_get-calls-to-prevent-refcount-leak.patch new file mode 100644 index 00000000000..8b07d1561c5 --- /dev/null +++ b/queue-5.9/x86-resctrl-remove-superfluous-kernfs_get-calls-to-prevent-refcount-leak.patch @@ -0,0 +1,166 @@ +From fd8d9db3559a29fd737bcdb7c4fcbe1940caae34 Mon Sep 17 00:00:00 2001 +From: Xiaochen Shen +Date: Sat, 31 Oct 2020 03:10:53 +0800 +Subject: x86/resctrl: Remove superfluous kernfs_get() calls to prevent refcount leak + +From: Xiaochen Shen + +commit fd8d9db3559a29fd737bcdb7c4fcbe1940caae34 upstream. + +Willem reported growing of kernfs_node_cache entries in slabtop when +repeatedly creating and removing resctrl subdirectories as well as when +repeatedly mounting and unmounting the resctrl filesystem. + +On resource group (control as well as monitoring) creation via a mkdir +an extra kernfs_node reference is obtained to ensure that the rdtgroup +structure remains accessible for the rdtgroup_kn_unlock() calls where it +is removed on deletion. The kernfs_node reference count is dropped by +kernfs_put() in rdtgroup_kn_unlock(). + +With the above explaining the need for one kernfs_get()/kernfs_put() +pair in resctrl there are more places where a kernfs_node reference is +obtained without a corresponding release. The excessive amount of +reference count on kernfs nodes will never be dropped to 0 and the +kernfs nodes will never be freed in the call paths of rmdir and umount. +It leads to reference count leak and kernfs_node_cache memory leak. + +Remove the superfluous kernfs_get() calls and expand the existing +comments surrounding the remaining kernfs_get()/kernfs_put() pair that +remains in use. + +Superfluous kernfs_get() calls are removed from two areas: + + (1) In call paths of mount and mkdir, when kernfs nodes for "info", + "mon_groups" and "mon_data" directories and sub-directories are + created, the reference count of newly created kernfs node is set to 1. + But after kernfs_create_dir() returns, superfluous kernfs_get() are + called to take an additional reference. + + (2) kernfs_get() calls in rmdir call paths. + +Fixes: 17eafd076291 ("x86/intel_rdt: Split resource group removal in two") +Fixes: 4af4a88e0c92 ("x86/intel_rdt/cqm: Add mount,umount support") +Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support") +Fixes: d89b7379015f ("x86/intel_rdt/cqm: Add mon_data") +Fixes: c7d9aac61311 ("x86/intel_rdt/cqm: Add mkdir support for RDT monitoring") +Fixes: 5dc1d5c6bac2 ("x86/intel_rdt: Simplify info and base file lists") +Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system") +Fixes: 4e978d06dedb ("x86/intel_rdt: Add "info" files to resctrl file system") +Reported-by: Willem de Bruijn +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov +Reviewed-by: Reinette Chatre +Tested-by: Willem de Bruijn +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1604085053-31639-1-git-send-email-xiaochen.shen@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 35 +-------------------------------- + 1 file changed, 2 insertions(+), 33 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -1708,7 +1708,6 @@ static int rdtgroup_mkdir_info_resdir(st + if (IS_ERR(kn_subdir)) + return PTR_ERR(kn_subdir); + +- kernfs_get(kn_subdir); + ret = rdtgroup_kn_set_ugid(kn_subdir); + if (ret) + return ret; +@@ -1731,7 +1730,6 @@ static int rdtgroup_create_info_dir(stru + kn_info = kernfs_create_dir(parent_kn, "info", parent_kn->mode, NULL); + if (IS_ERR(kn_info)) + return PTR_ERR(kn_info); +- kernfs_get(kn_info); + + ret = rdtgroup_add_files(kn_info, RF_TOP_INFO); + if (ret) +@@ -1752,12 +1750,6 @@ static int rdtgroup_create_info_dir(stru + goto out_destroy; + } + +- /* +- * This extra ref will be put in kernfs_remove() and guarantees +- * that @rdtgrp->kn is always accessible. +- */ +- kernfs_get(kn_info); +- + ret = rdtgroup_kn_set_ugid(kn_info); + if (ret) + goto out_destroy; +@@ -1786,12 +1778,6 @@ mongroup_create_dir(struct kernfs_node * + if (dest_kn) + *dest_kn = kn; + +- /* +- * This extra ref will be put in kernfs_remove() and guarantees +- * that @rdtgrp->kn is always accessible. +- */ +- kernfs_get(kn); +- + ret = rdtgroup_kn_set_ugid(kn); + if (ret) + goto out_destroy; +@@ -2078,13 +2064,11 @@ static int rdt_get_tree(struct fs_contex + &kn_mongrp); + if (ret < 0) + goto out_info; +- kernfs_get(kn_mongrp); + + ret = mkdir_mondata_all(rdtgroup_default.kn, + &rdtgroup_default, &kn_mondata); + if (ret < 0) + goto out_mongrp; +- kernfs_get(kn_mondata); + rdtgroup_default.mon.mon_data_kn = kn_mondata; + } + +@@ -2450,11 +2434,6 @@ static int mkdir_mondata_subdir(struct k + if (IS_ERR(kn)) + return PTR_ERR(kn); + +- /* +- * This extra ref will be put in kernfs_remove() and guarantees +- * that kn is always accessible. +- */ +- kernfs_get(kn); + ret = rdtgroup_kn_set_ugid(kn); + if (ret) + goto out_destroy; +@@ -2789,8 +2768,8 @@ static int mkdir_rdt_prepare(struct kern + /* + * kernfs_remove() will drop the reference count on "kn" which + * will free it. But we still need it to stick around for the +- * rdtgroup_kn_unlock(kn} call below. Take one extra reference +- * here, which will be dropped inside rdtgroup_kn_unlock(). ++ * rdtgroup_kn_unlock(kn) call. Take one extra reference here, ++ * which will be dropped inside rdtgroup_kn_unlock(). + */ + kernfs_get(kn); + +@@ -3000,11 +2979,6 @@ static int rdtgroup_rmdir_mon(struct ker + WARN_ON(list_empty(&prdtgrp->mon.crdtgrp_list)); + list_del(&rdtgrp->mon.crdtgrp_list); + +- /* +- * one extra hold on this, will drop when we kfree(rdtgrp) +- * in rdtgroup_kn_unlock() +- */ +- kernfs_get(kn); + kernfs_remove(rdtgrp->kn); + + return 0; +@@ -3016,11 +2990,6 @@ static int rdtgroup_ctrl_remove(struct k + rdtgrp->flags = RDT_DELETED; + list_del(&rdtgrp->rdtgroup_list); + +- /* +- * one extra hold on this, will drop when we kfree(rdtgrp) +- * in rdtgroup_kn_unlock() +- */ +- kernfs_get(kn); + kernfs_remove(rdtgrp->kn); + return 0; + } diff --git a/queue-5.9/x86-speculation-fix-prctl-when-spectre_v2_user-seccomp-prctl-ibpb.patch b/queue-5.9/x86-speculation-fix-prctl-when-spectre_v2_user-seccomp-prctl-ibpb.patch new file mode 100644 index 00000000000..3359edc929d --- /dev/null +++ b/queue-5.9/x86-speculation-fix-prctl-when-spectre_v2_user-seccomp-prctl-ibpb.patch @@ -0,0 +1,77 @@ +From 33fc379df76b4991e5ae312f07bcd6820811971e Mon Sep 17 00:00:00 2001 +From: Anand K Mistry +Date: Tue, 10 Nov 2020 12:33:53 +1100 +Subject: x86/speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb + +From: Anand K Mistry + +commit 33fc379df76b4991e5ae312f07bcd6820811971e upstream. + +When spectre_v2_user={seccomp,prctl},ibpb is specified on the command +line, IBPB is force-enabled and STIPB is conditionally-enabled (or not +available). + +However, since + + 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.") + +the spectre_v2_user_ibpb variable is set to SPECTRE_V2_USER_{PRCTL,SECCOMP} +instead of SPECTRE_V2_USER_STRICT, which is the actual behaviour. +Because the issuing of IBPB relies on the switch_mm_*_ibpb static +branches, the mitigations behave as expected. + +Since + + 1978b3a53a74 ("x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP") + +this discrepency caused the misreporting of IB speculation via prctl(). + +On CPUs with STIBP always-on and spectre_v2_user=seccomp,ibpb, +prctl(PR_GET_SPECULATION_CTRL) would return PR_SPEC_PRCTL | +PR_SPEC_ENABLE instead of PR_SPEC_DISABLE since both IBPB and STIPB are +always on. It also allowed prctl(PR_SET_SPECULATION_CTRL) to set the IB +speculation mode, even though the flag is ignored. + +Similarly, for CPUs without SMT, prctl(PR_GET_SPECULATION_CTRL) should +also return PR_SPEC_DISABLE since IBPB is always on and STIBP is not +available. + + [ bp: Massage commit message. ] + +Fixes: 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.") +Fixes: 1978b3a53a74 ("x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP") +Signed-off-by: Anand K Mistry +Signed-off-by: Borislav Petkov +Cc: +Link: https://lkml.kernel.org/r/20201110123349.1.Id0cbf996d2151f4c143c90f9028651a5b49a5908@changeid +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/bugs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -739,11 +739,13 @@ spectre_v2_user_select_mitigation(enum s + if (boot_cpu_has(X86_FEATURE_IBPB)) { + setup_force_cpu_cap(X86_FEATURE_USE_IBPB); + ++ spectre_v2_user_ibpb = mode; + switch (cmd) { + case SPECTRE_V2_USER_CMD_FORCE: + case SPECTRE_V2_USER_CMD_PRCTL_IBPB: + case SPECTRE_V2_USER_CMD_SECCOMP_IBPB: + static_branch_enable(&switch_mm_always_ibpb); ++ spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT; + break; + case SPECTRE_V2_USER_CMD_PRCTL: + case SPECTRE_V2_USER_CMD_AUTO: +@@ -757,8 +759,6 @@ spectre_v2_user_select_mitigation(enum s + pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n", + static_key_enabled(&switch_mm_always_ibpb) ? + "always-on" : "conditional"); +- +- spectre_v2_user_ibpb = mode; + } + + /*