ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates
a pud / pmd map. The following preconditions are met at their entry.
- All pte entries for a target pud/pmd address range have been cleared.
- System-wide TLB purges have been performed for a target pud/pmd address
range.
The preconditions assure that there is no stale TLB entry for the range.
Speculation may not cache TLB entries since it requires all levels of page
entries, including ptes, to have P & A-bits set for an associated address.
However, speculation may cache pud/pmd entries (paging-structure caches)
when they have P-bit set.
Add a system-wide TLB purge (INVLPG) to a single page after clearing
pud/pmd entry's P-bit.
SDM 4.10.4.1, Operations that Invalidate TLBs and Paging-Structure Caches,
states that:
INVLPG invalidates all paging-structure caches associated with the
current PCID regardless of the linear addresses to which they correspond.
Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces")
Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com>
Cc: Andrew Morton <akpm(a)linux-foundation.org>
Cc: Michal Hocko <mhocko(a)suse.com>
Cc: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: "H. Peter Anvin" <hpa(a)zytor.com>
Cc: Joerg Roedel <joro(a)8bytes.org>
Cc: <stable(a)vger.kernel.org>
---
arch/x86/mm/pgtable.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
index 37e3cbac59b9..816fd41ee854 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -720,24 +720,40 @@ int pmd_clear_huge(pmd_t *pmd)
* @pud: Pointer to a PUD.
* @addr: Virtual address associated with pud.
*
- * Context: The pud range has been unmaped and TLB purged.
+ * Context: The pud range has been unmapped and TLB purged.
* Return: 1 if clearing the entry succeeded. 0 otherwise.
*/
int pud_free_pmd_page(pud_t *pud, unsigned long addr)
{
- pmd_t *pmd;
+ pmd_t *pmd, *pmd_sv;
+ pte_t *pte;
int i;
if (pud_none(*pud))
return 1;
pmd = (pmd_t *)pud_page_vaddr(*pud);
+ pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL);
- for (i = 0; i < PTRS_PER_PMD; i++)
- if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE)))
- return 0;
+ for (i = 0; i < PTRS_PER_PMD; i++) {
+ pmd_sv[i] = pmd[i];
+ if (!pmd_none(pmd[i]))
+ pmd_clear(&pmd[i]);
+ }
pud_clear(pud);
+
+ /* INVLPG to clear all paging-structure caches */
+ flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1);
+
+ for (i = 0; i < PTRS_PER_PMD; i++) {
+ if (!pmd_none(pmd_sv[i])) {
+ pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]);
+ free_page((unsigned long)pte);
+ }
+ }
+
+ free_page((unsigned long)pmd_sv);
free_page((unsigned long)pmd);
return 1;
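Review bot: The result of __get_free_page(GFP_KERNEL) assigned to pmd_sv is used in the first loop ("pmd_sv[i] = pmd[i];") without a NULL check, so an allocation failure turns into a NULL dereference on the ioremap() path. The kernel-doc already defines 0 as the failure return, so check pmd_sv right after the allocation and return 0 before any pmd entry is cleared. The Context line should also note that the function can now sleep because of the GFP_KERNEL allocation.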
@@ -748,7 +764,7 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr)
* @pmd: Pointer to a PMD.
* @addr: Virtual address associated with pmd.
*
- * Context: The pmd range has been unmaped and TLB purged.
+ * Context: The pmd range has been unmapped and TLB purged.
* Return: 1 if clearing the entry succeeded. 0 otherwise.
*/
int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
@@ -760,6 +776,10 @@ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
pte = (pte_t *)pmd_page_vaddr(*pmd);
pmd_clear(pmd);
+
+ /* INVLPG to clear all paging-structure caches */
+ flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1);
+
free_page((unsigned long)pte);
return 1;
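Review bot: The comment above flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1) says only "INVLPG", and nothing at the call site explains why flushing a single page is sufficient for the whole pmd range. Carry the reasoning from the commit message into the comment (one INVLPG drops all paging-structure caches for the current PCID, per SDM 4.10.4.1) so the one-page range is not later "fixed" to cover the full range or dropped as redundant with the caller's purge. As a style point, write the end argument as PAGE_SIZE - 1 with spaces; the same applies to the identical call in pud_free_pmd_page().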
Hi Doug and Jason,
Here are some patches to go to for-next. These include the couple patches that
needed rework that were posted before the OFA conf. Well actually those patches
that had issues were just dropped with the exception of the one from Alex, to
add handling of kernel restart to hfi1 and qib. Patch 8 is his V2.
Nothing else too scary or exciting in here. Well OK so that's not quite right
the CQ completion vector patch is rather interesting. This adds support
for completion vectors for hfi1 and helps improve performance in things like
IPoIB.
There is a significant patch from Mitko that redoes a lot of our fault injection
stuff. It's a big patch but I'm not sure it lends itself to being broken up
further.
One other thing of note is the "Create common functions" patch from Sebastian
depends on one of the patches that I sent for the -rc. It won't apply cleanly
without that.
---
Alex Estrin (2):
IB/hfi1: Complete check for locally terminated smp
IB/{hfi1,qib}: Add handling of kernel restart
Brian Welty (1):
IB/{hfi1,qib,rdmavt}: Move logic to allocate receive WQE into rdmavt
Kamenee Arumugam (1):
IB/Hfi1: Read CCE Revision register to verify the device is responsive
Michael J. Ruhl (4):
IB/hfi1: Return actual error value from program_rcvarray()
IB/hfi1: Use after free race condition in send context error path
IB/hfi1: Return correct value for device state
IB/hfi1: Reorder incorrect send context disable
Mike Marciniszyn (1):
IB/hfi1: Fix fault injection init/exit issues
Mitko Haralanov (1):
IB/hfi1: Rework fault injection machinery
Sebastian Sanchez (4):
IB/hfi1: Prevent LNI hang when LCB can't obtain lanes
IB/hfi1: Optimize kthread pointer locking when queuing CQ entries
IB/hfi1: Create common functions for affinity CPU mask operations
IB/{hfi1,rdmavt,qib}: Implement CQ completion vector support
drivers/infiniband/hw/hfi1/Makefile | 10 -
drivers/infiniband/hw/hfi1/affinity.c | 497 +++++++++++++++++++++++++--
drivers/infiniband/hw/hfi1/affinity.h | 10 -
drivers/infiniband/hw/hfi1/chip.c | 74 +++-
drivers/infiniband/hw/hfi1/chip.h | 15 +
drivers/infiniband/hw/hfi1/chip_registers.h | 7
drivers/infiniband/hw/hfi1/debugfs.c | 292 ----------------
drivers/infiniband/hw/hfi1/debugfs.h | 93 +++--
drivers/infiniband/hw/hfi1/driver.c | 20 +
drivers/infiniband/hw/hfi1/fault.c | 375 ++++++++++++++++++++
drivers/infiniband/hw/hfi1/fault.h | 109 ++++++
drivers/infiniband/hw/hfi1/file_ops.c | 2
drivers/infiniband/hw/hfi1/hfi.h | 14 +
drivers/infiniband/hw/hfi1/init.c | 28 +-
drivers/infiniband/hw/hfi1/mad.c | 36 +-
drivers/infiniband/hw/hfi1/pcie.c | 8
drivers/infiniband/hw/hfi1/pio.c | 44 ++
drivers/infiniband/hw/hfi1/rc.c | 8
drivers/infiniband/hw/hfi1/ruc.c | 154 --------
drivers/infiniband/hw/hfi1/trace.c | 3
drivers/infiniband/hw/hfi1/trace_dbg.h | 3
drivers/infiniband/hw/hfi1/uc.c | 4
drivers/infiniband/hw/hfi1/ud.c | 4
drivers/infiniband/hw/hfi1/user_exp_rcv.c | 1
drivers/infiniband/hw/hfi1/verbs.c | 20 -
drivers/infiniband/hw/hfi1/verbs.h | 8
drivers/infiniband/hw/qib/qib.h | 1
drivers/infiniband/hw/qib/qib_init.c | 13 +
drivers/infiniband/hw/qib/qib_rc.c | 8
drivers/infiniband/hw/qib/qib_ruc.c | 154 --------
drivers/infiniband/hw/qib/qib_uc.c | 4
drivers/infiniband/hw/qib/qib_ud.c | 4
drivers/infiniband/hw/qib/qib_verbs.c | 6
drivers/infiniband/hw/qib/qib_verbs.h | 2
drivers/infiniband/sw/rdmavt/cq.c | 74 ++--
drivers/infiniband/sw/rdmavt/cq.h | 6
drivers/infiniband/sw/rdmavt/qp.c | 149 ++++++++
drivers/infiniband/sw/rdmavt/trace_cq.h | 35 ++
drivers/infiniband/sw/rdmavt/vt.c | 35 +-
include/rdma/rdma_vt.h | 7
include/rdma/rdmavt_cq.h | 5
include/rdma/rdmavt_qp.h | 1
42 files changed, 1491 insertions(+), 852 deletions(-)
create mode 100644 drivers/infiniband/hw/hfi1/fault.c
create mode 100644 drivers/infiniband/hw/hfi1/fault.h
--
-Denny
This is a note to let you know that I've just added the patch titled
staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
to my staging git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
in the staging-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott(a)redhat.com>
Date: Mon, 14 May 2018 14:35:09 -0700
Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
Syzbot reported yet another warning with Ion:
WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
Kernel panic - not syncing: panic_on_warn set ...
This is catching that a buffer was freed with an existing kernel mapping
still present. This can easily be triggered from userspace by calling
DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
pr_warn_once to indicate the error without being disruptive.
Reported-by: syzbot+cd8bcd40cb049efa2770(a)syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller(a)googlegroups.com>
Signed-off-by: Laura Abbott <labbott(a)redhat.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/staging/android/ion/ion.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index af682cbde767..9d1109e43ed4 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -111,8 +111,11 @@ static struct ion_buffer *ion_buffer_create(struct ion_heap *heap,
void ion_buffer_destroy(struct ion_buffer *buffer)
{
- if (WARN_ON(buffer->kmap_cnt > 0))
+ if (buffer->kmap_cnt > 0) {
+ pr_warn_once("%s: buffer still mapped in the kernel\n",
+ __func__);
buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
+ }
buffer->heap->ops->free(buffer);
kfree(buffer);
}
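Review bot: The pr_warn_once() format string carries only __func__, so the one line that is ever logged does not say which heap or buffer was freed while still mapped. Because every later occurrence is suppressed, consider adding an identifier for buffer->heap to the message so that the single report is enough to find the offending user.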
--
2.17.0
The code is doing monolithic reads for all chunks except the last one
which is wrong since a monolithic read will issue the
READ0+ADDRS+READ_START sequence. It not only takes longer because it
forces the NAND chip to reload the page content into its internal
cache, but by doing that we also reset the column pointer to 0, which
means we'll always read the first chunk instead of moving to the next
one.
Rework the code to do a monolithic read only for the first chunk,
then switch to naked reads for all intermediate chunks and finally
issue a last naked read for the last chunk.
Fixes: 02f26ecf8c77 mtd: nand: add reworked Marvell NAND controller driver
Cc: stable(a)vger.kernel.org
Reported-by: Chris Packham <chris.packham(a)alliedtelesis.co.nz>
Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com>
Tested-by: Chris Packham <chris.packham(a)alliedtelesis.co.nz>
---
drivers/mtd/nand/raw/marvell_nand.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c
index db5ec4e8bde9..ebb1d141b900 100644
--- a/drivers/mtd/nand/raw/marvell_nand.c
+++ b/drivers/mtd/nand/raw/marvell_nand.c
@@ -1194,11 +1194,13 @@ static void marvell_nfc_hw_ecc_bch_read_chunk(struct nand_chip *chip, int chunk,
NDCB0_CMD2(NAND_CMD_READSTART);
/*
- * Trigger the naked read operation only on the last chunk.
- * Otherwise, use monolithic read.
+ * Trigger the monolithic read on the first chunk, then naked read on
+ * intermediate chunks and finally a last naked read on the last chunk.
*/
- if (lt->nchunks == 1 || (chunk < lt->nchunks - 1))
+ if (chunk == 0)
nfc_op.ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_MONOLITHIC_RW);
+ else if (chunk < lt->nchunks - 1)
+ nfc_op.ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_NAKED_RW);
else
nfc_op.ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_LAST_NAKED_RW);
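Review bot: The context line NDCB0_CMD2(NAND_CMD_READSTART) above the changed branch shows that the command bytes are still placed in ndcb[0] for every chunk, while the new else-if now selects XTYPE_NAKED_RW for intermediate chunks. Please confirm that the controller ignores the command fields for naked transfers, or set them only when chunk == 0, since the commit message's point is that READ0+ADDRS+READ_START must not be reissued. The rewritten comment could also say that a single-chunk layout takes the chunk == 0 monolithic branch, which the removed "lt->nchunks == 1" condition used to spell out.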
--
2.14.1
This patch set is based on v4.16.
Changes from v1:
- Add Reviewed-by in patch 1, 2, 3 and 4.
- Revise typo in patch 4.
- Add new patches as patch 5 and 6.
Yoshihiro Shimoda (6):
usb: gadget: udc: renesas_usb3: fix double phy_put()
usb: gadget: udc: renesas_usb3: should remove debugfs
usb: gadget: udc: renesas_usb3: should call pm_runtime_enable() before
add udc
usb: gadget: udc: renesas_usb3: should call devm_phy_get() before add
udc
usb: gadget: udc: renesas_usb3: should fail if devm_phy_get() returns
error
usb: gadget: udc: renesas_usb3: disable the controller's irqs for
reconnecting
drivers/usb/gadget/udc/renesas_usb3.c | 37 +++++++++++++++++++++++------------
1 file changed, 25 insertions(+), 12 deletions(-)
--
1.9.1
This is a note to let you know that I've just added the patch titled
staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
to my staging git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
in the staging-testing branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will be merged to the staging-next branch sometime soon,
after it passes testing, and the merge window is open.
If you have any questions about this process, please let me know.
From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott(a)redhat.com>
Date: Mon, 14 May 2018 14:35:09 -0700
Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
Syzbot reported yet another warning with Ion:
WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
Kernel panic - not syncing: panic_on_warn set ...
This is catching that a buffer was freed with an existing kernel mapping
still present. This can easily be triggered from userspace by calling
DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
pr_warn_once to indicate the error without being disruptive.
Reported-by: syzbot+cd8bcd40cb049efa2770(a)syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller(a)googlegroups.com>
Signed-off-by: Laura Abbott <labbott(a)redhat.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/staging/android/ion/ion.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index af682cbde767..9d1109e43ed4 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -111,8 +111,11 @@ static struct ion_buffer *ion_buffer_create(struct ion_heap *heap,
void ion_buffer_destroy(struct ion_buffer *buffer)
{
- if (WARN_ON(buffer->kmap_cnt > 0))
+ if (buffer->kmap_cnt > 0) {
+ pr_warn_once("%s: buffer still mapped in the kernel\n",
+ __func__);
buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
+ }
buffer->heap->ops->free(buffer);
kfree(buffer);
}
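Review bot: Nothing in ion_buffer_destroy() records why the kmap_cnt > 0 branch is deliberately not a WARN_ON(). Add a short comment above the check stating that userspace can reach this state (DMA_BUF_SYNC_START without DMA_BUF_SYNC_END, as the commit message describes) and that it must not trip panic_on_warn, so the check is not converted back to a WARN later.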
--
2.17.0
This is the start of the stable review cycle for the 4.16.9 release.
There are 72 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed May 16 06:47:58 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.16.9-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.16.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.16.9-rc1
Peter Zijlstra <peterz(a)infradead.org>
perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
Peter Zijlstra <peterz(a)infradead.org>
perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
Peter Zijlstra <peterz(a)infradead.org>
perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
Peter Zijlstra <peterz(a)infradead.org>
perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
Peter Zijlstra <peterz(a)infradead.org>
perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
Masami Hiramatsu <mhiramat(a)kernel.org>
tracing/uprobe_event: Fix strncpy corner case
Peter Zijlstra <peterz(a)infradead.org>
sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
Peter Zijlstra <peterz(a)infradead.org>
sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
Jean Delvare <jdelvare(a)suse.de>
swiotlb: silent unwanted warning "buffer is full"
Steve French <smfrench(a)gmail.com>
smb3: directory sync should not return an error
Charles Machalow <charles.machalow(a)intel.com>
nvme: Fix sync controller reset return
Jens Axboe <axboe(a)kernel.dk>
nvme: add quirk to force medium priority for SQ creation
Marek Szyprowski <m.szyprowski(a)samsung.com>
thermal: exynos: Propagate error value from tmu_read()
Marek Szyprowski <m.szyprowski(a)samsung.com>
thermal: exynos: Reading temperature makes sense only when TMU is turned on
Hans de Goede <hdegoede(a)redhat.com>
Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets
Hans de Goede <hdegoede(a)redhat.com>
Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table
Hans de Goede <hdegoede(a)redhat.com>
Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25's flexcan
Rafael J. Wysocki <rafael.j.wysocki(a)intel.com>
cpufreq: schedutil: Avoid using invalid next_freq
Rafael J. Wysocki <rafael.j.wysocki(a)intel.com>
PCI / PM: Check device_may_wakeup() in pci_enable_wake()
Kai Heng Feng <kai.heng.feng(a)canonical.com>
PCI / PM: Always check PME wakeup capability for runtime wakeup support
Gustavo A. R. Silva <gustavo(a)embeddedor.com>
atm: zatm: Fix potential Spectre v1
Gustavo A. R. Silva <gustavo(a)embeddedor.com>
net: atm: Fix potential Spectre v1
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear()
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear()
Ben Skeggs <bskeggs(a)redhat.com>
drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client
Lyude Paul <lyude(a)redhat.com>
drm/nouveau: Fix deadlock in nv50_mstm_register_connector()
Rodrigo Vivi <rodrigo.vivi(a)intel.com>
drm/i915: Adjust eDP's logical vco in a reliable place.
Florent Flament <contact(a)florentflament.com>
drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
Michel Dänzer <michel.daenzer(a)amd.com>
drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages
Boris Brezillon <boris.brezillon(a)bootlin.com>
drm/vc4: Fix scaling of uni-planar formats
Boris Brezillon <boris.brezillon(a)bootlin.com>
mtd: rawnand: Make sure we wait tWB before polling the STATUS reg
Miquel Raynal <miquel.raynal(a)bootlin.com>
mtd: rawnand: marvell: fix command xtype in BCH write hook
Chris Packham <chris.packham(a)alliedtelesis.co.nz>
mtd: rawnand: marvell: pass ms delay to wait_op
Lukas Wunner <lukas(a)wunner.de>
can: hi311x: Work around TX complete interrupt erratum
Lukas Wunner <lukas(a)wunner.de>
can: hi311x: Acquire SPI lock on ->do_get_berr_counter
Jimmy Assarsson <extja(a)kvaser.com>
can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
can: flexcan: fix endianess detection
Ilya Dryomov <idryomov(a)gmail.com>
ceph: fix rsize/wsize capping in ceph_direct_read_write()
David Rientjes <rientjes(a)google.com>
mm, oom: fix concurrent munlock and oom reaper unmap, v3
Pavel Tatashin <pasha.tatashin(a)oracle.com>
mm: sections are not offlined during memory hotremove
Vitaly Wool <vitalywool(a)gmail.com>
z3fold: fix reclaim lock-ups
Steven Rostedt (VMware) <rostedt(a)goodmis.org>
tracing: Fix regex_match_front() to not over compare the test string
Mikulas Patocka <mpatocka(a)redhat.com>
dm integrity: use kvfree for kvmalloc'd memory
Hans de Goede <hdegoede(a)redhat.com>
libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
Johan Hovold <johan(a)kernel.org>
rfkill: gpio: fix memory leak in probe error path
Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
gpio: fix error path in lineevent_create
Govert Overgaauw <govert.overgaauw(a)prodrive-technologies.com>
gpio: fix aspeed_gpio unmask irq
Timur Tabi <timur(a)codeaurora.org>
gpioib: do not free unrequested descriptors
Jann Horn <jannh(a)google.com>
compat: fix 4-byte infoleak via uninitialized struct field
Jan Kara <jack(a)suse.cz>
bdi: Fix oops in wb_workfn()
Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
bdi: Fix use after free bug in debugfs_remove()
Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
bdi: wake up concurrent wb_shutdown() callers.
Eric Dumazet <edumazet(a)google.com>
tcp: fix TCP_REPAIR_QUEUE bound checking
Alexander Popov <alex.popov(a)linux.com>
i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr()
Jiri Olsa <jolsa(a)kernel.org>
perf: Remove superfluous allocation error check
Michal Hocko <mhocko(a)suse.com>
memcg: fix per_node_info cleanup
Yonghong Song <yhs(a)fb.com>
bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog
Eric Dumazet <edumazet(a)google.com>
inetpeer: fix uninit-value in inet_getpeer
Eric Dumazet <edumazet(a)google.com>
soreuseport: initialise timewait reuseport field
Eric Dumazet <edumazet(a)google.com>
ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
Eric Dumazet <edumazet(a)google.com>
dccp: initialize ireq->ir_mark
Eric Dumazet <edumazet(a)google.com>
net: fix uninit-value in __hw_addr_add_ex()
Eric Dumazet <edumazet(a)google.com>
net: initialize skb->peeked when cloning
Eric Dumazet <edumazet(a)google.com>
net: fix rtnh_ok()
Eric Dumazet <edumazet(a)google.com>
netlink: fix uninit-value in netlink_sendmsg
Eric Dumazet <edumazet(a)google.com>
crypto: af_alg - fix possible uninit-value in alg_bind()
Sowmini Varadhan <sowmini.varadhan(a)oracle.com>
rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock
Tom Herbert <tom(a)quantonium.net>
kcm: Call strp_stop before strp_done in kcm_attach
Tero Kristo <t-kristo(a)ti.com>
clk: ti: fix flag space conflict with clkctrl clocks
Florian Westphal <fw(a)strlen.de>
netfilter: ebtables: don't attempt to allocate 0-sized compat array
Julian Anastasov <ja(a)ssi.bg>
ipvs: fix rtnl_lock lockups caused by start_sync_thread
-------------
Diffstat:
Makefile | 4 +-
arch/arm/boot/dts/imx35.dtsi | 4 +-
arch/arm/boot/dts/imx53.dtsi | 4 +-
arch/x86/events/core.c | 8 +-
arch/x86/events/intel/cstate.c | 2 +
arch/x86/events/msr.c | 9 +-
crypto/af_alg.c | 8 +-
drivers/ata/libata-core.c | 3 +
drivers/atm/zatm.c | 3 +
drivers/bluetooth/btusb.c | 19 +++-
drivers/clk/ti/clock.h | 9 +-
drivers/gpio/gpio-aspeed.c | 2 +-
drivers/gpio/gpiolib.c | 7 +-
drivers/gpu/drm/drm_atomic.c | 8 ++
drivers/gpu/drm/i915/intel_cdclk.c | 41 +++++++-
drivers/gpu/drm/i915/intel_dp.c | 20 ----
drivers/gpu/drm/i915/intel_lvds.c | 3 +-
drivers/gpu/drm/nouveau/nouveau_bo.c | 1 -
drivers/gpu/drm/nouveau/nouveau_bo.h | 2 -
drivers/gpu/drm/nouveau/nouveau_ttm.c | 6 +-
drivers/gpu/drm/nouveau/nv50_display.c | 7 +-
drivers/gpu/drm/ttm/ttm_page_alloc.c | 11 ++-
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 3 +-
drivers/gpu/drm/vc4/vc4_plane.c | 2 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/md/dm-integrity.c | 2 +-
drivers/mtd/nand/marvell_nand.c | 12 ++-
drivers/mtd/nand/nand_base.c | 5 +
drivers/net/can/flexcan.c | 26 +++---
drivers/net/can/spi/hi311x.c | 11 ++-
drivers/net/can/usb/kvaser_usb.c | 2 +-
drivers/nvme/host/core.c | 3 +-
drivers/nvme/host/nvme.h | 5 +
drivers/nvme/host/pci.c | 12 ++-
drivers/pci/pci.c | 37 ++++++--
drivers/thermal/samsung/exynos_tmu.c | 14 ++-
fs/ceph/file.c | 10 +-
fs/cifs/cifsfs.c | 13 +++
fs/fs-writeback.c | 2 +-
include/linux/bpf.h | 4 +-
include/linux/oom.h | 2 +
include/linux/wait_bit.h | 17 ++++
include/net/inet_timewait_sock.h | 1 +
include/net/nexthop.h | 2 +-
kernel/bpf/core.c | 45 +++++----
kernel/compat.c | 1 +
kernel/events/callchain.c | 10 +-
kernel/events/ring_buffer.c | 7 +-
kernel/sched/autogroup.c | 7 +-
kernel/sched/core.c | 7 +-
kernel/sched/cpufreq_schedutil.c | 3 +-
kernel/trace/bpf_trace.c | 25 ++++-
kernel/trace/trace_events_filter.c | 3 +
kernel/trace/trace_uprobe.c | 2 +
lib/swiotlb.c | 2 +-
mm/backing-dev.c | 3 +-
mm/memcontrol.c | 3 +
mm/mmap.c | 44 +++++----
mm/oom_kill.c | 81 ++++++++--------
mm/sparse.c | 2 +-
mm/z3fold.c | 42 ++++++---
net/atm/lec.c | 9 +-
net/bridge/netfilter/ebtables.c | 11 ++-
net/core/dev_addr_lists.c | 4 +-
net/core/skbuff.c | 1 +
net/dccp/ipv4.c | 1 +
net/dccp/ipv6.c | 1 +
net/ipv4/inet_timewait_sock.c | 1 +
net/ipv4/inetpeer.c | 1 +
net/ipv4/route.c | 11 ++-
net/ipv4/tcp.c | 2 +-
net/kcm/kcmsock.c | 1 +
net/netfilter/ipvs/ip_vs_ctl.c | 8 --
net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++---------------
net/netlink/af_netlink.c | 2 +
net/rds/tcp.c | 17 ++--
net/rfkill/rfkill-gpio.c | 7 +-
77 files changed, 563 insertions(+), 324 deletions(-)
This is the start of the stable review cycle for the 4.9.100 release.
There are 36 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed May 16 06:47:47 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.100-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.9.100-rc1
Peter Zijlstra <peterz(a)infradead.org>
perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
Peter Zijlstra <peterz(a)infradead.org>
perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
Peter Zijlstra <peterz(a)infradead.org>
perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
Peter Zijlstra <peterz(a)infradead.org>
perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
Peter Zijlstra <peterz(a)infradead.org>
perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
Masami Hiramatsu <mhiramat(a)kernel.org>
tracing/uprobe_event: Fix strncpy corner case
Marek Szyprowski <m.szyprowski(a)samsung.com>
thermal: exynos: Propagate error value from tmu_read()
Marek Szyprowski <m.szyprowski(a)samsung.com>
thermal: exynos: Reading temperature makes sense only when TMU is turned on
Hans de Goede <hdegoede(a)redhat.com>
Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
Gustavo A. R. Silva <gustavo(a)embeddedor.com>
atm: zatm: Fix potential Spectre v1
Gustavo A. R. Silva <gustavo(a)embeddedor.com>
net: atm: Fix potential Spectre v1
Florent Flament <contact(a)florentflament.com>
drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log
Boris Brezillon <boris.brezillon(a)bootlin.com>
drm/vc4: Fix scaling of uni-planar formats
Jimmy Assarsson <extja(a)kvaser.com>
can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
Steven Rostedt (VMware) <rostedt(a)goodmis.org>
tracing: Fix regex_match_front() to not over compare the test string
Hans de Goede <hdegoede(a)redhat.com>
libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
Johan Hovold <johan(a)kernel.org>
rfkill: gpio: fix memory leak in probe error path
Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
gpio: fix error path in lineevent_create
Govert Overgaauw <govert.overgaauw(a)prodrive-technologies.com>
gpio: fix aspeed_gpio unmask irq
Timur Tabi <timur(a)codeaurora.org>
gpioib: do not free unrequested descriptors
Suzuki K Poulose <suzuki.poulose(a)arm.com>
arm64: Add work around for Arm Cortex-A55 Erratum 1024718
Wei Fang <fangwei1(a)huawei.com>
f2fs: fix a dead loop in f2fs_fiemap()
Paul Mackerras <paulus(a)ozlabs.org>
KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry
Jan Kara <jack(a)suse.cz>
bdi: Fix oops in wb_workfn()
Eric Dumazet <edumazet(a)google.com>
tcp: fix TCP_REPAIR_QUEUE bound checking
Jiri Olsa <jolsa(a)kernel.org>
perf: Remove superfluous allocation error check
Eric Dumazet <edumazet(a)google.com>
soreuseport: initialise timewait reuseport field
Eric Dumazet <edumazet(a)google.com>
dccp: initialize ireq->ir_mark
Eric Dumazet <edumazet(a)google.com>
net: fix uninit-value in __hw_addr_add_ex()
Eric Dumazet <edumazet(a)google.com>
net: initialize skb->peeked when cloning
Eric Dumazet <edumazet(a)google.com>
net: fix rtnh_ok()
Eric Dumazet <edumazet(a)google.com>
netlink: fix uninit-value in netlink_sendmsg
Eric Dumazet <edumazet(a)google.com>
crypto: af_alg - fix possible uninit-value in alg_bind()
Tom Herbert <tom(a)quantonium.net>
kcm: Call strp_stop before strp_done in kcm_attach
Sagi Grimberg <sagi(a)grimberg.me>
IB/device: Convert ib-comp-wq to be CPU-bound
Julian Anastasov <ja(a)ssi.bg>
ipvs: fix rtnl_lock lockups caused by start_sync_thread
-------------
Diffstat:
Documentation/arm64/silicon-errata.txt | 1 +
Makefile | 4 +-
arch/arm64/Kconfig | 14 +++
arch/arm64/include/asm/assembler.h | 40 +++++++++
arch/arm64/include/asm/cputype.h | 5 ++
arch/arm64/mm/proc.S | 5 ++
arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 +-
arch/x86/events/core.c | 8 +-
arch/x86/events/intel/cstate.c | 2 +
arch/x86/events/msr.c | 9 +-
crypto/af_alg.c | 8 +-
drivers/ata/libata-core.c | 3 +
drivers/atm/zatm.c | 3 +
drivers/bluetooth/btusb.c | 2 +-
drivers/gpio/gpio-aspeed.c | 2 +-
drivers/gpio/gpiolib.c | 7 +-
drivers/gpu/drm/i915/intel_lvds.c | 3 +-
drivers/gpu/drm/vc4/vc4_plane.c | 2 +-
drivers/infiniband/core/device.c | 3 +-
drivers/net/can/usb/kvaser_usb.c | 2 +-
drivers/thermal/samsung/exynos_tmu.c | 14 ++-
fs/f2fs/data.c | 2 +-
fs/fs-writeback.c | 2 +-
include/net/inet_timewait_sock.h | 1 +
include/net/nexthop.h | 2 +-
kernel/events/callchain.c | 10 +--
kernel/events/ring_buffer.c | 7 +-
kernel/trace/trace_events_filter.c | 3 +
kernel/trace/trace_uprobe.c | 2 +
net/atm/lec.c | 9 +-
net/core/dev_addr_lists.c | 4 +-
net/core/skbuff.c | 1 +
net/dccp/ipv4.c | 1 +
net/dccp/ipv6.c | 1 +
net/ipv4/inet_timewait_sock.c | 1 +
net/ipv4/tcp.c | 2 +-
net/kcm/kcmsock.c | 1 +
net/netfilter/ipvs/ip_vs_ctl.c | 8 --
net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++----------------
net/netlink/af_netlink.c | 2 +
net/rfkill/rfkill-gpio.c | 7 +-
41 files changed, 238 insertions(+), 128 deletions(-)
The MIPS kernel memset / bzero implementation includes a small_memset
branch which is used when the region to be set is smaller than a long (4
bytes on 32bit, 8 bytes on 64bit). The current small_memset
implementation uses a simple store byte loop to write the destination.
There are 2 issues with this implementation:
1. When EVA mode is active, user and kernel address spaces may overlap.
Currently the use of the sb instruction means kernel mode addressing is
always used and an intended write to userspace may actually overwrite
some critical kernel data.
2. If the write triggers a page fault, for example by calling
__clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS
is triggered.
Fix these issues by replacing the sb instruction with the EX() macro,
which will emit EVA compatible instructions as required. Additionally
implement a fault fixup for small_memset which sets a2 to the number of
bytes that could not be cleared (as defined by __clear_user).
Reported-by: Chuanhua Lei <chuanhua.lei(a)intel.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable(a)vger.kernel.org
Signed-off-by: Matt Redfearn <matt.redfearn(a)mips.com>
---
arch/mips/lib/memset.S | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S
index a1456664d6c2..90bcdf1224ee 100644
--- a/arch/mips/lib/memset.S
+++ b/arch/mips/lib/memset.S
@@ -219,7 +219,7 @@
1: PTR_ADDIU a0, 1 /* fill bytewise */
R10KCBARRIER(0(ra))
bne t1, a0, 1b
- sb a1, -1(a0)
+ EX(sb, a1, -1(a0), .Lsmall_fixup\@)
2: jr ra /* done */
move a2, zero
@@ -260,6 +260,11 @@
jr ra
andi v1, a2, STORMASK
+.Lsmall_fixup\@:
+ PTR_SUBU a2, t1, a0
+ jr ra
+ PTR_ADDIU a2, 1
+
.endm
/*
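Review bot: The new .Lsmall_fixup block has no comment explaining its arithmetic, and it is easy to misread. In the byte loop a0 has already been advanced by PTR_ADDIU before the faulting store at -1(a0), so the number of bytes left is t1 - a0 + 1, with the + 1 applied by the PTR_ADDIU in the jr delay slot. A one-line comment saying so would make it clear that a2 ends up matching the __clear_user contract described in the commit message.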
--
2.7.4
Check the TIF_32BIT_FPREGS task setting of the tracee rather than the
tracer in determining the layout of floating-point general registers in
the floating-point context, correcting access to odd-numbered registers
for o32 tracees where the setting disagrees between the two processes.
Cc: stable(a)vger.kernel.org # 3.14+
Fixes: 597ce1723e0f ("MIPS: Support for 64-bit FP with O32 binaries")
Signed-off-by: Maciej W. Rozycki <macro(a)mips.com>
---
Hi,
These are not the usual requests used by GDB to access the floating-point
context, which is likely why it went unnoticed so long. They are only
used as a fallback in the case where PTRACE_GETFPREGS and PTRACE_SETFPREGS
requests are not supported, i.e. with ancient kernels.
However to verify an unrelated GDB bug fix I have tweaked GDB to always
use PTRACE_PEEKUSR and PTRACE_POKEUSR, and then discovered this issue in
native GDB regression testing, as it showed regressions from corrupt FGR
contents across numerous tests compared to the usual results. This fix
removed those regressions then.
Not being typically used does not mean we ought to keep the interface
broken. Therefore please apply.
Maciej
---
arch/mips/kernel/ptrace.c | 4 ++--
arch/mips/kernel/ptrace32.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
linux-mips-ptrace-test-thread-flag.diff
Index: linux/arch/mips/kernel/ptrace.c
===================================================================
--- linux.orig/arch/mips/kernel/ptrace.c 2018-05-12 22:52:19.000000000 +0100
+++ linux/arch/mips/kernel/ptrace.c 2018-05-12 22:56:07.893993000 +0100
@@ -1059,7 +1059,7 @@ long arch_ptrace(struct task_struct *chi
fregs = get_fpu_regs(child);
#ifdef CONFIG_32BIT
- if (test_thread_flag(TIF_32BIT_FPREGS)) {
+ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
/*
* The odd registers are actually the high
* order bits of the values stored in the even
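Review bot: Nothing near test_tsk_thread_flag(child, TIF_32BIT_FPREGS) says why the tracee's flag is the one that matters; the existing comment only describes the odd/even register layout. Extend that comment with a sentence stating that the FGR layout is a property of the child and can differ from the tracer's, so the check is not simplified back to test_thread_flag() later.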
@@ -1154,7 +1154,7 @@ long arch_ptrace(struct task_struct *chi
init_fp_ctx(child);
#ifdef CONFIG_32BIT
- if (test_thread_flag(TIF_32BIT_FPREGS)) {
+ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
/*
* The odd registers are actually the high
* order bits of the values stored in the even
Index: linux-mipsswbrd038/arch/mips/kernel/ptrace32.c
===================================================================
--- linux-mipsswbrd038.orig/arch/mips/kernel/ptrace32.c 2018-05-12 22:52:19.000000000 +0100
+++ linux-mipsswbrd038/arch/mips/kernel/ptrace32.c 2018-05-12 22:55:20.906637000 +0100
@@ -99,7 +99,7 @@ long compat_arch_ptrace(struct task_stru
break;
}
fregs = get_fpu_regs(child);
- if (test_thread_flag(TIF_32BIT_FPREGS)) {
+ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
/*
* The odd registers are actually the high
* order bits of the values stored in the even
@@ -212,7 +212,7 @@ long compat_arch_ptrace(struct task_stru
sizeof(child->thread.fpu));
child->thread.fpu.fcr31 = 0;
}
- if (test_thread_flag(TIF_32BIT_FPREGS)) {
+ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
/*
* The odd registers are actually the high
* order bits of the values stored in the even
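Review bot: This is the fourth copy of the same test_tsk_thread_flag(child, TIF_32BIT_FPREGS) check across ptrace.c and ptrace32.c, and all four sites carried the same mistake. Consider a small helper that takes the child task and returns the layout, so the peek and poke paths in both files cannot diverge again. Separately, the two Index: headers name different trees (linux and linux-mipsswbrd038); regenerating the patch from a single tree would keep the paths consistent.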