From: Greg Kroah-Hartman
Date: Wed, 7 Mar 2018 19:04:04 +0000 (-0800)
Subject: 4.9-stable patches
X-Git-Tag: v4.14.25~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c9355ca87c9d4d1379ff0107ec0520280caa2afb;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches added patches: x86-apic-vector-handle-legacy-irq-data-correctly.patch
---
diff --git a/queue-4.9/series b/queue-4.9/series
index 26af0750b6e..046dcd0f899 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -29,3 +29,4 @@ x86-mm-give-each-mm-tlb-flush-generation-a-unique-id.patch
 x86-speculation-use-indirect-branch-prediction-barrier-in-context-switch.patch
 md-only-allow-remove_and_add_spares-when-no-sync_thread-running.patch
 netlink-put-module-reference-if-dump-start-fails.patch
+x86-apic-vector-handle-legacy-irq-data-correctly.patch
diff --git a/queue-4.9/x86-apic-vector-handle-legacy-irq-data-correctly.patch b/queue-4.9/x86-apic-vector-handle-legacy-irq-data-correctly.patch
new file mode 100644
index 00000000000..34f50d764be
--- /dev/null
+++ b/queue-4.9/x86-apic-vector-handle-legacy-irq-data-correctly.patch
@@ -0,0 +1,67 @@
+From ben.hutchings@codethink.co.uk Wed Mar 7 11:01:18 2018
+From: Ben Hutchings
+Date: Wed, 7 Mar 2018 18:36:43 +0000
+Subject: x86/apic/vector: Handle legacy irq data correctly
+To: Greg Kroah-Hartman
+Cc: Thomas Gleixner , stable@vger.kernel.org
+Message-ID: <20180307183643.7vy7znqgismeh62p@xylophone.i.decadent.org.uk>
+Content-Disposition: inline
+
+
+From: Thomas Gleixner
+
+The backport of upstream commit 45d55e7bac40 ("x86/apic/vector: Fix off by
+one in error path") missed to fixup the legacy interrupt data which is not
+longer available upstream.
+
+Handle legacy irq data correctly by clearing the legacy storage to prevent
+use after free.
+
+Fixes: 7fd133539289 ("x86/apic/vector: Fix off by one in error path") - 4.4.y
+Fixes: c557481a9491 ("x86/apic/vector: Fix off by one in error path") - 4.9.y
+Reported-by: Ben Hutchings
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/apic/vector.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/apic/vector.c
++++ b/arch/x86/kernel/apic/vector.c
+@@ -93,8 +93,12 @@ out_data:
+ return NULL;
+ }
+
+-static void free_apic_chip_data(struct apic_chip_data *data)
++static void free_apic_chip_data(unsigned int virq, struct apic_chip_data *data)
+ {
++#ifdef CONFIG_X86_IO_APIC
++ if (virq < nr_legacy_irqs())
++ legacy_irq_data[virq] = NULL;
++#endif
+ if (data) {
+ free_cpumask_var(data->domain);
+ free_cpumask_var(data->old_domain);
+@@ -318,11 +322,7 @@ static void x86_vector_free_irqs(struct
+ apic_data = irq_data->chip_data;
+ irq_domain_reset_irq_data(irq_data);
+ raw_spin_unlock_irqrestore(&vector_lock, flags);
+- free_apic_chip_data(apic_data);
+-#ifdef CONFIG_X86_IO_APIC
+- if (virq + i < nr_legacy_irqs())
+- legacy_irq_data[virq + i] = NULL;
+-#endif
++ free_apic_chip_data(virq + i, apic_data);
+ }
+ }
+ }
+@@ -363,7 +363,7 @@ static int x86_vector_alloc_irqs(struct
+ err = assign_irq_vector_policy(virq + i, node, data, info);
+ if (err) {
+ irq_data->chip_data = NULL;
+- free_apic_chip_data(data);
++ free_apic_chip_data(virq + i, data);
+ goto error;
+ }
+ }
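Review bot: The reworked `free_apic_chip_data(virq, data)` in the first inner hunk now clears `legacy_irq_data[virq]` as a side effect that neither its name nor any comment conveys, and that slot reset is the actual use-after-free fix. I would add a comment above the `#ifdef CONFIG_X86_IO_APIC` block, for example `/* Drop the legacy_irq_data[] reference before data is released so no stale pointer remains */`, and state that `virq` must be the interrupt that `data` belongs to, since a mismatched argument would silently clear another interrupt's slot. In `x86_vector_free_irqs` the call sits after `raw_spin_unlock_irqrestore(&vector_lock, flags)`, so the slot is cleared without the lock held, as the removed lines did too; whether readers of `legacy_irq_data[]` depend on `vector_lock` is not visible here and is worth confirming. All three functions start or end outside their hunks.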