September 2018 - Linux-stable-mirror

[git:media_tree/master] media: em28xx: fix input name for Terratec AV 350

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: em28xx: fix input name for Terratec AV 350 Author: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> Date: Fri Sep 14 00:20:21 2018 -0400 Instead of using a register value, use an AMUX name, as otherwise VIDIOC_G_AUDIO would fail. Cc: stable(a)vger.kernel.org Fixes: 766ed64de554 ("V4L/DVB (11827): Add support for Terratec Grabster AV350") Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/usb/em28xx/em28xx-cards.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c index 06a7e09ded6e..87b887b7604e 100644 --- a/drivers/media/usb/em28xx/em28xx-cards.c +++ b/drivers/media/usb/em28xx/em28xx-cards.c @@ -2141,13 +2141,13 @@ const struct em28xx_board em28xx_boards[] = { .input = { { .type = EM28XX_VMUX_COMPOSITE, .vmux = TVP5150_COMPOSITE1, - .amux = EM28XX_AUDIO_SRC_LINE, + .amux = EM28XX_AMUX_LINE_IN, .gpio = terratec_av350_unmute_gpio, }, { .type = EM28XX_VMUX_SVIDEO, .vmux = TVP5150_SVIDEO, - .amux = EM28XX_AUDIO_SRC_LINE, + .amux = EM28XX_AMUX_LINE_IN, .gpio = terratec_av350_unmute_gpio, } }, },

6 years, 7 months

1
0
0 0

[git:media_tree/master] media: em28xx: use a default format if TRY_FMT fails

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: em28xx: use a default format if TRY_FMT fails Author: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> Date: Thu Sep 13 23:22:40 2018 -0400 Follow the V4L2 spec, as warned by v4l2-compliance: warn: v4l2-test-formats.cpp(732): TRY_FMT cannot handle an invalid pixelformat. warn: v4l2-test-formats.cpp(733): This may or may not be a problem. For more information see: warn: v4l2-test-formats.cpp(734): http://www.mail-archive.com/linux-media@vger.kernel.org/msg56550.html Cc: stable(a)vger.kernel.org Fixes: bddcf63313c6 ("V4L/DVB (9927): em28xx: use a more standard way to specify video formats") Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/usb/em28xx/em28xx-video.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c index fbdfe6762cb2..4b08da45032d 100644 --- a/drivers/media/usb/em28xx/em28xx-video.c +++ b/drivers/media/usb/em28xx/em28xx-video.c @@ -1471,9 +1471,9 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void *priv, fmt = format_by_fourcc(f->fmt.pix.pixelformat); if (!fmt) { - em28xx_videodbg("Fourcc format (%08x) invalid.\n", - f->fmt.pix.pixelformat); - return -EINVAL; + fmt = &format[0]; + em28xx_videodbg("Fourcc format (%08x) invalid. Using default (%08x).\n", + f->fmt.pix.pixelformat, fmt->fourcc); } if (dev->board.is_em2800) {

6 years, 7 months

1
0
0 0

[git:media_tree/master] media: em28xx: fix handler for vidioc_s_input()

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: em28xx: fix handler for vidioc_s_input() Author: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> Date: Fri Sep 14 13:13:15 2018 -0400 The a->index is not the name of the internal amux entry, but, instead a value from zero to the maximum number of audio inputs. As the actual available inputs depend on each board, build it dynamically. This is broken for a really long time. On a quick check, since at least commit 195a4ef627e1 ("V4L/DVB (6585): Convert em28xx to video_ioctl2") this was not implemented right. Fixes: 195a4ef627e1 ("V4L/DVB (6585): Convert em28xx to video_ioctl2") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/usb/em28xx/em28xx-cards.c | 29 ++++++++++++ drivers/media/usb/em28xx/em28xx-video.c | 84 +++++++++++++++++++++++++++++---- drivers/media/usb/em28xx/em28xx.h | 8 +++- 3 files changed, 112 insertions(+), 9 deletions(-) --- diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c index 71c829f31d3b..06a7e09ded6e 100644 --- a/drivers/media/usb/em28xx/em28xx-cards.c +++ b/drivers/media/usb/em28xx/em28xx-cards.c @@ -3039,6 +3039,9 @@ static int em28xx_hint_board(struct em28xx *dev) static void em28xx_card_setup(struct em28xx *dev) { + int i, j, idx; + bool duplicate_entry; + /* * If the device can be a webcam, seek for a sensor. * If sensor is not found, then it isn't a webcam. @@ -3195,6 +3198,32 @@ static void em28xx_card_setup(struct em28xx *dev) /* Allow override tuner type by a module parameter */ if (tuner >= 0) dev->tuner_type = tuner; + + /* + * Dynamically generate a list of valid audio inputs for this + * specific board, mapping them via enum em28xx_amux. + */ + + idx = 0; + for (i = 0; i < MAX_EM28XX_INPUT; i++) { + if (!INPUT(i)->type) + continue; + + /* Skip already mapped audio inputs */ + duplicate_entry = false; + for (j = 0; j < idx; j++) { + if (INPUT(i)->amux == dev->amux_map[j]) { + duplicate_entry = true; + break; + } + } + if (duplicate_entry) + continue; + + dev->amux_map[idx++] = INPUT(i)->amux; + } + for (; idx < MAX_EM28XX_INPUT; idx++) + dev->amux_map[idx] = EM28XX_AMUX_UNUSED; } void em28xx_setup_xc3028(struct em28xx *dev, struct xc2028_ctrl *ctl) diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c index 917602954bfb..fbdfe6762cb2 100644 --- a/drivers/media/usb/em28xx/em28xx-video.c +++ b/drivers/media/usb/em28xx/em28xx-video.c @@ -1666,6 +1666,7 @@ static int vidioc_enum_input(struct file *file, void *priv, { struct em28xx *dev = video_drvdata(file); unsigned int n; + int j; n = i->index; if (n >= MAX_EM28XX_INPUT) @@ -1685,6 +1686,12 @@ static int vidioc_enum_input(struct file *file, void *priv, if (dev->is_webcam) i->capabilities = 0; + /* Dynamically generates an audioset bitmask */ + i->audioset = 0; + for (j = 0; j < MAX_EM28XX_INPUT; j++) + if (dev->amux_map[j] != EM28XX_AMUX_UNUSED) + i->audioset |= 1 << j; + return 0; } @@ -1710,11 +1717,24 @@ static int vidioc_s_input(struct file *file, void *priv, unsigned int i) return 0; } -static int vidioc_g_audio(struct file *file, void *priv, struct v4l2_audio *a) +static int em28xx_fill_audio_input(struct em28xx *dev, + const char *s, + struct v4l2_audio *a, + unsigned int index) { - struct em28xx *dev = video_drvdata(file); + unsigned int idx = dev->amux_map[index]; - switch (a->index) { + /* + * With msp3400, almost all mappings use the default (amux = 0). + * The only one may use a different value is WinTV USB2, where it + * can also be SCART1 input. + * As it is very doubtful that we would see new boards with msp3400, + * let's just reuse the existing switch. + */ + if (dev->has_msp34xx && idx != EM28XX_AMUX_UNUSED) + idx = EM28XX_AMUX_LINE_IN; + + switch (idx) { case EM28XX_AMUX_VIDEO: strscpy(a->name, "Television", sizeof(a->name)); break; @@ -1739,32 +1759,79 @@ static int vidioc_g_audio(struct file *file, void *priv, struct v4l2_audio *a) case EM28XX_AMUX_PCM_OUT: strscpy(a->name, "PCM", sizeof(a->name)); break; + case EM28XX_AMUX_UNUSED: default: return -EINVAL; } - - a->index = dev->ctl_ainput; + a->index = index; a->capability = V4L2_AUDCAP_STEREO; + em28xx_videodbg("%s: audio input index %d is '%s'\n", + s, a->index, a->name); + return 0; } +static int vidioc_enumaudio(struct file *file, void *fh, struct v4l2_audio *a) +{ + struct em28xx *dev = video_drvdata(file); + + if (a->index >= MAX_EM28XX_INPUT) + return -EINVAL; + + return em28xx_fill_audio_input(dev, __func__, a, a->index); +} + +static int vidioc_g_audio(struct file *file, void *priv, struct v4l2_audio *a) +{ + struct em28xx *dev = video_drvdata(file); + int i; + + for (i = 0; i < MAX_EM28XX_INPUT; i++) + if (dev->ctl_ainput == dev->amux_map[i]) + return em28xx_fill_audio_input(dev, __func__, a, i); + + /* Should never happen! */ + return -EINVAL; +} + static int vidioc_s_audio(struct file *file, void *priv, const struct v4l2_audio *a) { struct em28xx *dev = video_drvdata(file); + int idx, i; if (a->index >= MAX_EM28XX_INPUT) return -EINVAL; - if (!INPUT(a->index)->type) + + idx = dev->amux_map[a->index]; + + if (idx == EM28XX_AMUX_UNUSED) + return -EINVAL; + + dev->ctl_ainput = idx; + + /* + * FIXME: This is wrong, as different inputs at em28xx_cards + * may have different audio outputs. So, the right thing + * to do is to implement VIDIOC_G_AUDOUT/VIDIOC_S_AUDOUT. + * With the current board definitions, this would work fine, + * as, currently, all boards fit. + */ + for (i = 0; i < MAX_EM28XX_INPUT; i++) + if (idx == dev->amux_map[i]) + break; + if (i == MAX_EM28XX_INPUT) return -EINVAL; - dev->ctl_ainput = INPUT(a->index)->amux; - dev->ctl_aoutput = INPUT(a->index)->aout; + dev->ctl_aoutput = INPUT(i)->aout; if (!dev->ctl_aoutput) dev->ctl_aoutput = EM28XX_AOUT_MASTER; + em28xx_videodbg("%s: set audio input to %d\n", __func__, + dev->ctl_ainput); + return 0; } @@ -2302,6 +2369,7 @@ static const struct v4l2_ioctl_ops video_ioctl_ops = { .vidioc_try_fmt_vbi_cap = vidioc_g_fmt_vbi_cap, .vidioc_s_fmt_vbi_cap = vidioc_g_fmt_vbi_cap, .vidioc_enum_framesizes = vidioc_enum_framesizes, + .vidioc_enumaudio = vidioc_enumaudio, .vidioc_g_audio = vidioc_g_audio, .vidioc_s_audio = vidioc_s_audio, diff --git a/drivers/media/usb/em28xx/em28xx.h b/drivers/media/usb/em28xx/em28xx.h index 953caac025f2..a551072e62ed 100644 --- a/drivers/media/usb/em28xx/em28xx.h +++ b/drivers/media/usb/em28xx/em28xx.h @@ -335,6 +335,9 @@ enum em28xx_usb_audio_type { /** * em28xx_amux - describes the type of audio input used by em28xx * + * @EM28XX_AMUX_UNUSED: + * Used only on em28xx dev->map field, in order to mark an entry + * as unused. * @EM28XX_AMUX_VIDEO: * On devices without AC97, this is the only value that it is currently * allowed. @@ -369,7 +372,8 @@ enum em28xx_usb_audio_type { * same time, via the alsa mux. */ enum em28xx_amux { - EM28XX_AMUX_VIDEO, + EM28XX_AMUX_UNUSED = -1, + EM28XX_AMUX_VIDEO = 0, EM28XX_AMUX_LINE_IN, /* Some less-common mixer setups */ @@ -692,6 +696,8 @@ struct em28xx { unsigned int ctl_input; // selected input unsigned int ctl_ainput;// selected audio input unsigned int ctl_aoutput;// selected audio output + enum em28xx_amux amux_map[MAX_EM28XX_INPUT]; + int mute; int volume;

6 years, 7 months

1
0
0 0

[PATCH 1/1] usb: musb: dsps: do not disable CPPI41 irq in driver teardown

by Bin Liu

TI AM335x CPPI 4.1 module uses a single register bit for CPPI interrupts in both musb controllers. So disabling the CPPI irq in one musb driver breaks the other musb module. Since musb is already disabled before tearing down dma controller in musb_remove(), it is safe to not disable CPPI irq in musb_dma_controller_destroy(). Fixes: 255348289f71 ("usb: musb: dsps: Manage CPPI 4.1 DMA interrupt in DSPS") Cc: stable(a)vger.kernel.org Signed-off-by: Bin Liu <b-liu(a)ti.com> --- drivers/usb/musb/musb_dsps.c | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/drivers/usb/musb/musb_dsps.c b/drivers/usb/musb/musb_dsps.c index df827ff57b0d..23a0df79ef21 100644 --- a/drivers/usb/musb/musb_dsps.c +++ b/drivers/usb/musb/musb_dsps.c @@ -658,16 +658,6 @@ dsps_dma_controller_create(struct musb *musb, void __iomem *base) return controller; } -static void dsps_dma_controller_destroy(struct dma_controller *c) -{ - struct musb *musb = c->musb; - struct dsps_glue *glue = dev_get_drvdata(musb->controller->parent); - void __iomem *usbss_base = glue->usbss_base; - - musb_writel(usbss_base, USBSS_IRQ_CLEARR, USBSS_IRQ_PD_COMP); - cppi41_dma_controller_destroy(c); -} - #ifdef CONFIG_PM_SLEEP static void dsps_dma_controller_suspend(struct dsps_glue *glue) { @@ -697,7 +687,7 @@ static struct musb_platform_ops dsps_ops = { #ifdef CONFIG_USB_TI_CPPI41_DMA .dma_init = dsps_dma_controller_create, - .dma_exit = dsps_dma_controller_destroy, + .dma_exit = cppi41_dma_controller_destroy, #endif .enable = dsps_musb_enable, .disable = dsps_musb_disable, -- 2.17.1

6 years, 7 months

1
0
0 0

[PATCH v2 3/3] ext2, dax: set ext2_dax_aops for dax files

by Toshi Kani

Sync syscall to DAX file needs to flush processor cache, but it currently does not flush to existing DAX files. This is because 'ext2_da_aops' is set to address_space_operations of existing DAX files, instead of 'ext2_dax_aops', since S_DAX flag is set after ext2_set_aops() in the open path. Similar to ext4, change ext2_iget() to initialize i_flags before ext2_set_aops(). Fixes: fb094c90748f ("ext2, dax: introduce ext2_dax_aops") Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Suggested-by: Jan Kara <jack(a)suse.cz> Cc: Jan Kara <jack(a)suse.cz> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: "Theodore Ts'o" <tytso(a)mit.edu> Cc: Andreas Dilger <adilger.kernel(a)dilger.ca> Cc: <stable(a)vger.kernel.org> --- fs/ext2/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c index 7f7ee18fe179..e4bb9386c045 100644 --- a/fs/ext2/inode.c +++ b/fs/ext2/inode.c @@ -1448,6 +1448,7 @@ struct inode *ext2_iget (struct super_block *sb, unsigned long ino) } inode->i_blocks = le32_to_cpu(raw_inode->i_blocks); ei->i_flags = le32_to_cpu(raw_inode->i_flags); + ext2_set_inode_flags(inode); ei->i_faddr = le32_to_cpu(raw_inode->i_faddr); ei->i_frag_no = raw_inode->i_frag; ei->i_frag_size = raw_inode->i_fsize; @@ -1517,7 +1518,6 @@ struct inode *ext2_iget (struct super_block *sb, unsigned long ino) new_decode_dev(le32_to_cpu(raw_inode->i_block[1]))); } brelse (bh); - ext2_set_inode_flags(inode); unlock_new_inode(inode); return inode;

6 years, 7 months

2
1
0 0

[PATCH] gpiolib: Free the last requested descriptor

by Ricardo Ribalda Delgado

The current code only frees N-1 gpios if an error occurs during gpiod_set_transitory, gpiod_direction_output or gpiod_direction_input. Leading to gpios that cannot be used by userspace nor other drivers. Cc: Timur Tabi <timur(a)codeaurora.org> Cc: stable(a)vger.kernel.org Fixes: ab3dbcf78f60f46d ("gpioib: do not free unrequested descriptors) Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda(a)gmail.com> --- drivers/gpio/gpiolib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index e8f8a1999393..a57300c1d649 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -571,7 +571,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) if (ret) goto out_free_descs; lh->descs[i] = desc; - count = i; + count = i + 1; if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) set_bit(FLAG_ACTIVE_LOW, &desc->flags); -- 2.18.0

6 years, 7 months

2
4
0 0

[PATCH] sysfs: Do not return POSIX ACL xattrs via listxattr

by Andreas Gruenbacher

Commit 786534b92f3c introduced a regression that caused listxattr to return the POSIX ACL attribute names even though sysfs doesn't support POSIX ACLs. This happens because simple_xattr_list checks for NULL i_acl / i_default_acl, but inode_init_always initializes those fields to ACL_NOT_CACHED ((void *)-1). For example: $ getfattr -m- -d /sys /sys: system.posix_acl_access: Operation not supported /sys: system.posix_acl_default: Operation not supported Fix this in simple_xattr_list by checking if the filesystem supports POSIX ACLs. Fixes: 786534b92f3c ("tmpfs: listxattr should include POSIX ACL xattrs") Reported-by: Marc Aurele La France <tsi(a)tuyoix.net> Tested-by: Marc Aurèle La France <tsi(a)tuyoix.net> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> CC: Stable <stable(a)vger.kernel.org> # v4.5+ --- fs/xattr.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/fs/xattr.c b/fs/xattr.c index daa732550088..0d6a6a4af861 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -948,17 +948,19 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, int err = 0; #ifdef CONFIG_FS_POSIX_ACL - if (inode->i_acl) { - err = xattr_list_one(&buffer, &remaining_size, - XATTR_NAME_POSIX_ACL_ACCESS); - if (err) - return err; - } - if (inode->i_default_acl) { - err = xattr_list_one(&buffer, &remaining_size, - XATTR_NAME_POSIX_ACL_DEFAULT); - if (err) - return err; + if (IS_POSIXACL(inode)) { + if (inode->i_acl) { + err = xattr_list_one(&buffer, &remaining_size, + XATTR_NAME_POSIX_ACL_ACCESS); + if (err) + return err; + } + if (inode->i_default_acl) { + err = xattr_list_one(&buffer, &remaining_size, + XATTR_NAME_POSIX_ACL_DEFAULT); + if (err) + return err; + } } #endif -- 2.17.1

6 years, 7 months

1
0
0 0

[PATCH] mtd: partitions: fix of_node_get/put balance in parser

by Miquel Raynal

While at first mtd_part_of_parse() would just call of_get_chil_by_name(), it has been edited to first try to get the OF node thanks to mtd_get_of_node() and fallback on of_get_child_by_name(). A of_node_put() was a bit below in the code, to balance the of_get_child_by_name(). However, despite its name, mtd_get_of_node() does not take a reference on the OF node. It is a simple helper hiding some pointer logic to retrieve the OF node related to an MTD device. People often used it this way: of_node_put(mtd_get_of_node(<mtd>)). The direct effect of such unbalanced reference counting is visible by rmmod'ing any module that would have added MTD partitions: OF: ERROR: Bad of_node_put() on <of_path_to_partition> As it seems normal to get a reference on the OF node during the of_property_for_each_string() that follows, add a call to of_node_get() when relevant. Fixes: 76a832254ab0 ("mtd: partitions: use DT info for parsing partitions with "compatible" prop") Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- drivers/mtd/mtdpart.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c index 52e2cb35fc79..99c460facd5e 100644 --- a/drivers/mtd/mtdpart.c +++ b/drivers/mtd/mtdpart.c @@ -873,8 +873,11 @@ static int mtd_part_of_parse(struct mtd_info *master, int ret, err = 0; np = mtd_get_of_node(master); - if (!mtd_is_partition(master)) + if (mtd_is_partition(master)) + of_node_get(np); + else np = of_get_child_by_name(np, "partitions"); + of_property_for_each_string(np, "compatible", prop, compat) { parser = mtd_part_get_compatible_parser(compat); if (!parser) -- 2.17.1

6 years, 7 months

2
11
0 0

[PATCH] mtd: devices: m25p80: Make the buffer passed in op is DMA-able

by Boris Brezillon

As documented in spi-mem.h, spi_mem_op->data.buf.{in,out} must be DMA-able, and commit 4120f8d158ef ("mtd: spi-nor: Use the spi_mem_xx() API") failed to follow this rule as buffers passed to ->{read,write}_reg() are usually placed on the stack. Fix that by allocating a scratch buffer and copying the data in there before passing it to the spi-mem layer. Fixes: 4120f8d158ef ("mtd: spi-nor: Use the spi_mem_xx() API") Reported-by: Jarkko Nikula <jarkko.nikula(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> --- Note that the ->{read,write}() path is still buggy since nothing guarantees that buffers passed by the MTD layer to the SPI NOR layer are DMA-able, but this is a long-standing issue which we'll have to address at the spi-nor level (this layer can choose the bounce buffer size based on nor->page_size). --- drivers/mtd/devices/m25p80.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c index cbfafc453274..3b7fafa4bbd6 100644 --- a/drivers/mtd/devices/m25p80.c +++ b/drivers/mtd/devices/m25p80.c @@ -39,14 +39,22 @@ static int m25p80_read_reg(struct spi_nor *nor, u8 code, u8 *val, int len) struct spi_mem_op op = SPI_MEM_OP(SPI_MEM_OP_CMD(code, 1), SPI_MEM_OP_NO_ADDR, SPI_MEM_OP_NO_DUMMY, - SPI_MEM_OP_DATA_IN(len, val, 1)); + SPI_MEM_OP_DATA_IN(len, NULL, 1)); + void *scratchbuf; int ret; + scratchbuf = kmemdup(val, len, GFP_KERNEL); + if (!scratchbuf) + return -ENOMEM; + + op.data.buf.in = scratchbuf; ret = spi_mem_exec_op(flash->spimem, &op); if (ret < 0) dev_err(&flash->spimem->spi->dev, "error %d reading %x\n", ret, code); + kfree(scratchbuf); + return ret; } @@ -56,9 +64,19 @@ static int m25p80_write_reg(struct spi_nor *nor, u8 opcode, u8 *buf, int len) struct spi_mem_op op = SPI_MEM_OP(SPI_MEM_OP_CMD(opcode, 1), SPI_MEM_OP_NO_ADDR, SPI_MEM_OP_NO_DUMMY, - SPI_MEM_OP_DATA_OUT(len, buf, 1)); + SPI_MEM_OP_DATA_OUT(len, NULL, 1)); + void *scratchbuf; + int ret; - return spi_mem_exec_op(flash->spimem, &op); + scratchbuf = kmemdup(buf, len, GFP_KERNEL); + if (!scratchbuf) + return -ENOMEM; + + op.data.buf.out = scratchbuf; + ret = spi_mem_exec_op(flash->spimem, &op); + kfree(scratchbuf); + + return ret; } static ssize_t m25p80_write(struct spi_nor *nor, loff_t to, size_t len, -- 2.14.1

6 years, 7 months

2
3
0 0

[PATCHv2] mm, thp: Fix mlocking THP page with migration enabled

by Kirill A. Shutemov

A transparent huge page is represented by a single entry on an LRU list. Therefore, we can only make unevictable an entire compound page, not individual subpages. If a user tries to mlock() part of a huge page, we want the rest of the page to be reclaimable. We handle this by keeping PTE-mapped huge pages on normal LRU lists: the PMD on border of VM_LOCKED VMA will be split into PTE table. Introduction of THP migration breaks[1] the rules around mlocking THP pages. If we had a single PMD mapping of the page in mlocked VMA, the page will get mlocked, regardless of PTE mappings of the page. For tmpfs/shmem it's easy to fix by checking PageDoubleMap() in remove_migration_pmd(). Anon THP pages can only be shared between processes via fork(). Mlocked page can only be shared if parent mlocked it before forking, otherwise CoW will be triggered on mlock(). For Anon-THP, we can fix the issue by munlocking the page on removing PTE migration entry for the page. PTEs for the page will always come after mlocked PMD: rmap walks VMAs from oldest to newest. Test-case: #include <unistd.h> #include <sys/mman.h> #include <sys/wait.h> #include <linux/mempolicy.h> #include <numaif.h> int main(void) { unsigned long nodemask = 4; void *addr; addr = mmap((void *)0x20000000UL, 2UL << 20, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_LOCKED, -1, 0); if (fork()) { wait(NULL); return 0; } mlock(addr, 4UL << 10); mbind(addr, 2UL << 20, MPOL_PREFERRED | MPOL_F_RELATIVE_NODES, &nodemask, 4, MPOL_MF_MOVE); return 0; } [1] https://lkml.kernel.org/r/CAOMGZ=G52R-30rZvhGxEbkTw7rLLwBGadVYeo--iizcD3upL… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Reported-by: Vegard Nossum <vegard.nossum(a)oracle.com> Fixes: 616b8371539a ("mm: thp: enable thp migration in generic path") Cc: <stable(a)vger.kernel.org> [v4.14+] Cc: Zi Yan <zi.yan(a)cs.rutgers.edu> Cc: Naoya Horiguchi <n-horiguchi(a)ah.jp.nec.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Andrea Arcangeli <aarcange(a)redhat.com> --- mm/huge_memory.c | 2 +- mm/migrate.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 533f9b00147d..00704060b7f7 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2931,7 +2931,7 @@ void remove_migration_pmd(struct page_vma_mapped_walk *pvmw, struct page *new) else page_add_file_rmap(new, true); set_pmd_at(mm, mmun_start, pvmw->pmd, pmde); - if (vma->vm_flags & VM_LOCKED) + if ((vma->vm_flags & VM_LOCKED) && !PageDoubleMap(new)) mlock_vma_page(new); update_mmu_cache_pmd(vma, address, pvmw->pmd); } diff --git a/mm/migrate.c b/mm/migrate.c index d6a2e89b086a..9d374011c244 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -275,6 +275,9 @@ static bool remove_migration_pte(struct page *page, struct vm_area_struct *vma, if (vma->vm_flags & VM_LOCKED && !PageTransCompound(new)) mlock_vma_page(new); + if (PageTransHuge(page) && PageMlocked(page)) + clear_page_mlock(page); + /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, pvmw.address, pvmw.pte); } -- 2.18.0

6 years, 7 months

2
1
0 0

[PATCH 2/2] NFC: Fix the number of pipes

by Greg Kroah-Hartman

From: Suren Baghdasaryan <surenb(a)google.com> According to ETSI TS 102 622 specification chapter 4.4 pipe identifier is 7 bits long which allows for 128 unique pipe IDs. Because NFC_HCI_MAX_PIPES is used as the number of pipes supported and not as the max pipe ID, its value should be 128 instead of 127. nfc_hci_recv_from_llc extracts pipe ID from packet header using NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127. Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With pipes array having only 127 elements and pipe ID of 127 the OOB memory access will result. Cc: Samuel Ortiz <sameo(a)linux.intel.com> Cc: Allen Pais <allen.pais(a)oracle.com> Cc: "David S. Miller" <davem(a)davemloft.net> Suggested-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Reviewed-by: Kees Cook <keescook(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/net/nfc/hci.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/nfc/hci.h b/include/net/nfc/hci.h index 316694dafa5b..008f466d1da7 100644 --- a/include/net/nfc/hci.h +++ b/include/net/nfc/hci.h @@ -87,7 +87,7 @@ struct nfc_hci_pipe { * According to specification 102 622 chapter 4.4 Pipes, * the pipe identifier is 7 bits long. */ -#define NFC_HCI_MAX_PIPES 127 +#define NFC_HCI_MAX_PIPES 128 struct nfc_hci_init_data { u8 gate_count; struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES]; -- 2.19.0

6 years, 7 months

1
0
0 0

[PATCH 1/2] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands

by Greg Kroah-Hartman

From: Suren Baghdasaryan <surenb(a)google.com> When handling SHDLC I-Frame commands "pipe" field used for indexing into an array should be checked before usage. If left unchecked it might access memory outside of the array of size NFC_HCI_MAX_PIPES(127). Malformed NFC HCI frames could be injected by a malicious NFC device communicating with the device being attacked (remote attack vector), or even by an attacker with physical access to the I2C bus such that they could influence the data transfers on that bus (local attack vector). skb->data is controlled by the attacker and has only been sanitized in the most trivial ways (CRC check), therefore we can consider the create_info struct and all of its members to tainted. 'create_info->pipe' with max value of 255 (uint8) is used to take an offset of the hdev->pipes array of 127 elements which can lead to OOB write. Cc: Samuel Ortiz <sameo(a)linux.intel.com> Cc: Allen Pais <allen.pais(a)oracle.com> Cc: "David S. Miller" <davem(a)davemloft.net> Suggested-by: Kevin Deus <kdeus(a)google.com> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Acked-by: Kees Cook <keescook(a)chromium.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/nfc/hci/core.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c index ac8030c4bcf8..19cb2e473ea6 100644 --- a/net/nfc/hci/core.c +++ b/net/nfc/hci/core.c @@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, } create_info = (struct hci_create_pipe_resp *)skb->data; + if (create_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + /* Save the new created pipe and bind with local gate, * the description for skb->data[3] is destination gate id * but since we received this cmd from host controller, we @@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, } delete_info = (struct hci_delete_pipe_noti *)skb->data; + if (delete_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE; hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST; break; -- 2.19.0

6 years, 7 months

1
0
0 0

[git:media_tree/master] media: tvp5150: avoid going past array on v4l2_querymenu()

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: tvp5150: avoid going past array on v4l2_querymenu() Author: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> Date: Thu Sep 13 16:49:51 2018 -0400 The parameters of v4l2_ctrl_new_std_menu_items() are tricky: instead of the number of possible values, it requires the number of the maximum value. In other words, the ARRAY_SIZE() value should be decremented, otherwise it will go past the array bounds, as warned by KASAN: [ 279.839688] BUG: KASAN: global-out-of-bounds in v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839709] Read of size 8 at addr ffffffffc10a4cb0 by task v4l2-compliance/16676 [ 279.839736] CPU: 1 PID: 16676 Comm: v4l2-compliance Not tainted 4.18.0-rc2+ #120 [ 279.839741] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 [ 279.839743] Call Trace: [ 279.839758] dump_stack+0x71/0xab [ 279.839807] ? v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839817] print_address_description+0x1c9/0x270 [ 279.839863] ? v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839871] kasan_report+0x237/0x360 [ 279.839918] v4l2_querymenu+0x10d/0x180 [videodev] [ 279.839964] __video_do_ioctl+0x2c8/0x590 [videodev] [ 279.840011] ? copy_overflow+0x20/0x20 [videodev] [ 279.840020] ? avc_ss_reset+0xa0/0xa0 [ 279.840028] ? check_stack_object+0x21/0x60 [ 279.840036] ? __check_object_size+0xe7/0x240 [ 279.840080] video_usercopy+0xed/0x730 [videodev] [ 279.840123] ? copy_overflow+0x20/0x20 [videodev] [ 279.840167] ? v4l_enumstd+0x40/0x40 [videodev] [ 279.840177] ? __handle_mm_fault+0x9f9/0x1ba0 [ 279.840186] ? __pmd_alloc+0x2c0/0x2c0 [ 279.840193] ? __vfs_write+0xb6/0x350 [ 279.840200] ? kernel_read+0xa0/0xa0 [ 279.840244] ? video_usercopy+0x730/0x730 [videodev] [ 279.840284] v4l2_ioctl+0xa1/0xb0 [videodev] [ 279.840295] do_vfs_ioctl+0x117/0x8a0 [ 279.840303] ? selinux_file_ioctl+0x211/0x2f0 [ 279.840313] ? ioctl_preallocate+0x120/0x120 [ 279.840319] ? selinux_capable+0x20/0x20 [ 279.840332] ksys_ioctl+0x70/0x80 [ 279.840342] __x64_sys_ioctl+0x3d/0x50 [ 279.840351] do_syscall_64+0x6d/0x1c0 [ 279.840361] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 279.840367] RIP: 0033:0x7fdfb46275d7 [ 279.840369] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48 [ 279.840474] RSP: 002b:00007ffee1179038 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 [ 279.840483] RAX: ffffffffffffffda RBX: 00007ffee1179180 RCX: 00007fdfb46275d7 [ 279.840488] RDX: 00007ffee11790c0 RSI: 00000000c02c5625 RDI: 0000000000000003 [ 279.840493] RBP: 0000000000000002 R08: 0000000000000020 R09: 00000000009f0902 [ 279.840497] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffee117a5a0 [ 279.840501] R13: 00007ffee11790c0 R14: 0000000000000002 R15: 0000000000000000 [ 279.840515] The buggy address belongs to the variable: [ 279.840535] tvp5150_test_patterns+0x10/0xffffffffffffe360 [tvp5150] Fixes: c43875f66140 ("[media] tvp5150: replace MEDIA_ENT_F_CONN_TEST by a control") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/i2c/tvp5150.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- diff --git a/drivers/media/i2c/tvp5150.c b/drivers/media/i2c/tvp5150.c index f337e523821b..57b2102586bc 100644 --- a/drivers/media/i2c/tvp5150.c +++ b/drivers/media/i2c/tvp5150.c @@ -1534,7 +1534,7 @@ static int tvp5150_probe(struct i2c_client *c, 27000000, 1, 27000000); v4l2_ctrl_new_std_menu_items(&core->hdl, &tvp5150_ctrl_ops, V4L2_CID_TEST_PATTERN, - ARRAY_SIZE(tvp5150_test_patterns), + ARRAY_SIZE(tvp5150_test_patterns) - 1, 0, 0, tvp5150_test_patterns); sd->ctrl_handler = &core->hdl; if (core->hdl.error) {

6 years, 7 months

1
0
0 0

[PATCH] mtd: rawnand: marvell: prevent harmless warnings

by Miquel Raynal

Since the addition of WARN_ON() in nand_subop_get_data/addr_len() helpers, this driver will produce harmless warnings (mostly at probe) just because it always called the *_data_len() helper in the parsing function (even on non-data instructions, where this value is meaningless and unneeded. Fix these warnings by deriving the length only when it is relevant. Fixes: 760c435e0f85 ("mtd: rawnand: make subop helpers return unsigned values") Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- drivers/mtd/nand/raw/marvell_nand.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c index 7af4d6213ee5..bc2ef5209783 100644 --- a/drivers/mtd/nand/raw/marvell_nand.c +++ b/drivers/mtd/nand/raw/marvell_nand.c @@ -1547,7 +1547,7 @@ static void marvell_nfc_parse_instructions(struct nand_chip *chip, for (op_id = 0; op_id < subop->ninstrs; op_id++) { unsigned int offset, naddrs; const u8 *addrs; - int len = nand_subop_get_data_len(subop, op_id); + int len; instr = &subop->instrs[op_id]; @@ -1593,6 +1593,7 @@ static void marvell_nfc_parse_instructions(struct nand_chip *chip, nfc_op->ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_MONOLITHIC_RW) | NDCB0_LEN_OVRD; + len = nand_subop_get_data_len(subop, op_id); nfc_op->ndcb[3] |= round_up(len, FIFO_DEPTH); } nfc_op->data_delay_ns = instr->delay_ns; @@ -1606,6 +1607,7 @@ static void marvell_nfc_parse_instructions(struct nand_chip *chip, nfc_op->ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_MONOLITHIC_RW) | NDCB0_LEN_OVRD; + len = nand_subop_get_data_len(subop, op_id); nfc_op->ndcb[3] |= round_up(len, FIFO_DEPTH); } nfc_op->data_delay_ns = instr->delay_ns; -- 2.17.1

6 years, 7 months

2
3
0 0

[PATCH] x86/mm/pat: Fix L1TF stable backport for CPA

by Andi Kleen

From: Andi Kleen <ak(a)linux.intel.com> Patch for stable only to fix boot resets caused by the L1TF patches. Stable trees reverted the following patch Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers" This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream. but the L1TF patch backported here x86/mm/pat: Make set_memory_np() L1TF safe commit 958f79b9ee55dfaf00c8106ed1c22a2919e0028b upstream set_memory_np() is used to mark kernel mappings not present, but it has it's own open coded mechanism which does not have the L1TF protection of inverting the address bits. assumed that cpa->pfn contains a PFN. With the above patch reverted it does not, which causes the PMD to be set to an incorrect address shifted by 12 bits, which can cause early boot reset on some systems, like an Apollo Lake embedded system. Convert the address to a PFN before passing it to pmd_pfn() Thanks to Bernhard for bisecting and testing. Cc: stable(a)vger.kernel.org # 4.4 and 4.9 Reported-by: Bernhard Kaindl <bernhard.kaindl(a)thalesgroup.com> Tested-by: Bernhard Kaindl <bernhard.kaindl(a)thalesgroup.com> Signed-off-by: Andi Kleen <ak(a)linux.intel.com> --- arch/x86/mm/pageattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c index 27610c2d1821..1007fa80f5a6 100644 --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -1006,7 +1006,7 @@ static int populate_pmd(struct cpa_data *cpa, pmd = pmd_offset(pud, start); - set_pmd(pmd, pmd_mkhuge(pfn_pmd(cpa->pfn, + set_pmd(pmd, pmd_mkhuge(pfn_pmd(cpa->pfn >> PAGE_SHIFT, canon_pgprot(pmd_pgprot)))); start += PMD_SIZE; -- 2.17.1

6 years, 7 months

6
11
0 0

[STABLE 4.4] x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+

by Andi Kleen

From: Andi Kleen <ak(a)linux.intel.com> [upstream cc51e5428ea54f575d49cfcede1d4cb3a72b4ec4 for 4.4. Note there might be still a trivial conflict with the backport for b0a182f875689647b014bc01d36b340217792852, but should be easy to resolve] On Nehalem and newer core CPUs the CPU cache internally uses 44 bits physical address space. The L1TF workaround is limited by this internal cache address width, and needs to have one bit free there for the mitigation to work. Older client systems report only 36bit physical address space so the range check decides that L1TF is not mitigated for a 36bit phys/32GB system with some memory holes. But since these actually have the larger internal cache width this warning is bogus because it would only really be needed if the system had more than 43bits of memory. Add a new internal x86_cache_bits field. Normally it is the same as the physical bits field reported by CPUID, but for Nehalem and newerforce it to be at least 44bits. Change the L1TF memory size warning to use the new cache_bits field to avoid bogus warnings and remove the bogus comment about memory size. Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf") Reported-by: George Anchev <studio(a)anchev.net> Reported-by: Christopher Snowhill <kode54(a)gmail.com> Signed-off-by: Andi Kleen <ak(a)linux.intel.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: x86(a)kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: Michael Hocko <mhocko(a)suse.com> Cc: vbabka(a)suse.cz Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20180824170351.34874-1-andi@firstfloor.org --- arch/x86/include/asm/processor.h | 4 ++- arch/x86/kernel/cpu/bugs.c | 47 ++++++++++++++++++++++++++++---- arch/x86/kernel/cpu/common.c | 2 ++ 3 files changed, 47 insertions(+), 6 deletions(-) diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h index a3a53955f01c..cb07d3f618ca 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -104,6 +104,8 @@ struct cpuinfo_x86 { __u8 x86_phys_bits; /* CPUID returned core id bits: */ __u8 x86_coreid_bits; + + __u8 x86_cache_bits; /* Max extended CPUID function supported: */ __u32 extended_cpuid_level; /* Maximum supported CPUID level, -1=no CPUID: */ @@ -174,7 +176,7 @@ extern void cpu_detect(struct cpuinfo_x86 *c); static inline unsigned long l1tf_pfn_limit(void) { - return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1; + return BIT_ULL(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT); } extern void early_cpu_init(void); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 34e4aaaf03d2..2a41a86aa5c2 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -634,6 +634,46 @@ void x86_spec_ctrl_setup_ap(void) #undef pr_fmt #define pr_fmt(fmt) "L1TF: " fmt + +/* + * These CPUs all support 44bits physical address space internally in the + * cache but CPUID can report a smaller number of physical address bits. + * + * The L1TF mitigation uses the top most address bit for the inversion of + * non present PTEs. When the installed memory reaches into the top most + * address bit due to memory holes, which has been observed on machines + * which report 36bits physical address bits and have 32G RAM installed, + * then the mitigation range check in l1tf_select_mitigation() triggers. + * This is a false positive because the mitigation is still possible due to + * the fact that the cache uses 44bit internally. Use the cache bits + * instead of the reported physical bits and adjust them on the affected + * machines to 44bit if the reported bits are less than 44. + */ +static void override_cache_bits(struct cpuinfo_x86 *c) +{ + if (c->x86 != 6) + return; + + switch (c->x86_model) { + case INTEL_FAM6_NEHALEM: + case INTEL_FAM6_WESTMERE: + case INTEL_FAM6_SANDYBRIDGE: + case INTEL_FAM6_IVYBRIDGE: + case INTEL_FAM6_HASWELL_CORE: + case INTEL_FAM6_HASWELL_ULT: + case INTEL_FAM6_HASWELL_GT3E: + case INTEL_FAM6_BROADWELL_CORE: + case INTEL_FAM6_BROADWELL_GT3E: + case INTEL_FAM6_SKYLAKE_MOBILE: + case INTEL_FAM6_SKYLAKE_DESKTOP: + case INTEL_FAM6_KABYLAKE_MOBILE: + case INTEL_FAM6_KABYLAKE_DESKTOP: + if (c->x86_cache_bits < 44) + c->x86_cache_bits = 44; + break; + } +} + static void __init l1tf_select_mitigation(void) { u64 half_pa; @@ -641,16 +681,13 @@ static void __init l1tf_select_mitigation(void) if (!boot_cpu_has_bug(X86_BUG_L1TF)) return; + override_cache_bits(&boot_cpu_data); + #if CONFIG_PGTABLE_LEVELS == 2 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); return; #endif - /* - * This is extremely unlikely to happen because almost all - * systems have far more MAX_PA/2 than RAM can be fit into - * DIMM slots. - */ half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT; if (e820_any_mapped(half_pa, ULLONG_MAX - half_pa, E820_RAM)) { pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n"); diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 4d3fa79c0f09..b12c0287d6cf 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -798,6 +798,8 @@ void get_cpu_cap(struct cpuinfo_x86 *c) c->x86_phys_bits = 36; #endif + c->x86_cache_bits = c->x86_phys_bits; + if (c->extended_cpuid_level >= 0x8000000a) c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a); -- 2.17.1

6 years, 7 months

2
1
0 0

[PATCH v4.14.y] autofs: fix autofs_sbi() does not check super block type

by Zubin Mithra

From: Ian Kent <raven(a)themaw.net> commit 0633da48f0793aeba27f82d30605624416723a91 upstream. autofs_sbi() does not check the superblock magic number to verify it has been given an autofs super block. Backport Note: autofs4 has been renamed to autofs upstream. As a result the upstream patch does not apply cleanly onto 4.14.y. Link: http://lkml.kernel.org/r/153475422934.17131.7563724552005298277.stgit@pluto… Reported-by: <syzbot+87c3c541582e56943277(a)syzkaller.appspotmail.com> Signed-off-by: Ian Kent <raven(a)themaw.net> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Zubin Mithra <zsm(a)chromium.org> --- fs/autofs4/autofs_i.h | 4 +++- fs/autofs4/inode.c | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h index 4737615f0eaa..ce696d6c4641 100644 --- a/fs/autofs4/autofs_i.h +++ b/fs/autofs4/autofs_i.h @@ -26,6 +26,7 @@ #include <linux/list.h> #include <linux/completion.h> #include <asm/current.h> +#include <linux/magic.h> /* This is the range of ioctl() numbers we claim as ours */ #define AUTOFS_IOC_FIRST AUTOFS_IOC_READY @@ -124,7 +125,8 @@ struct autofs_sb_info { static inline struct autofs_sb_info *autofs4_sbi(struct super_block *sb) { - return (struct autofs_sb_info *)(sb->s_fs_info); + return sb->s_magic != AUTOFS_SUPER_MAGIC ? + NULL : (struct autofs_sb_info *)(sb->s_fs_info); } static inline struct autofs_info *autofs4_dentry_ino(struct dentry *dentry) diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c index 09e7d68dff02..3c7e727612fa 100644 --- a/fs/autofs4/inode.c +++ b/fs/autofs4/inode.c @@ -14,7 +14,6 @@ #include <linux/pagemap.h> #include <linux/parser.h> #include <linux/bitops.h> -#include <linux/magic.h> #include "autofs_i.h" #include <linux/module.h> -- 2.19.0.rc0.228.g281dcd1b4d0-goog

6 years, 7 months

4
3
0 0

[PATCH v4.14.y 1/2] tun: fix use after free for ptr_ring

by Zubin Mithra

From: Jason Wang <jasowang(a)redhat.com> commit b196d88aba8ac72b775137854121097f4c4c6862 upstream. We used to initialize ptr_ring during TUNSETIFF, this is because its size depends on the tx_queue_len of netdevice. And we try to clean it up when socket were detached from netdevice. A race were spotted when trying to do uninit during a read which will lead a use after free for pointer ring. Solving this by always initialize a zero size ptr_ring in open() and do resizing during TUNSETIFF, and then we can safely do cleanup during close(). With this, there's no need for the workaround that was introduced by commit 4df0bfc79904 ("tun: fix a memory leak for tfile->tx_array"). Backport Note :- Comparison with the upstream patch: [1] A "semantic revert" of the changes made in 4df0bfc799("tun: fix a memory leak for tfile->tx_array"). 4df0bfc799 was applied upstream, and then skb array was changed to use ptr_ring. The upstream patch then removes the changes introduced by 4df0bfc799. This backport does the same; "revert" the changes made by 4df0bfc799. [2] xdp_rxq_info_unreg() being called in relevant locations As xdp_rxq_info related patches are not present in 4.14, these changes are not needed in the backport. [3] An instance of ptr_ring_init needs to be replaced by skb_array_init Inside tun_attach() [4] ptr_ring_cleanup needs to be replaced by skb_array_cleanup Inside tun_chr_close() Note that the backport for 7063efd33b ("tuntap: fix use after free during release") needs to be applied on top of this patch. Reported-by: syzbot+e8b902c3c3fadf0a9dba(a)syzkaller.appspotmail.com Cc: Eric Dumazet <eric.dumazet(a)gmail.com> Cc: Cong Wang <xiyou.wangcong(a)gmail.com> Cc: Michael S. Tsirkin <mst(a)redhat.com> Fixes: 1576d9860599 ("tun: switch to use skb array for tx") Signed-off-by: Jason Wang <jasowang(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Zubin Mithra <zsm(a)chromium.org> --- drivers/net/tun.c | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index cb17ffadfc30..87a989be1cef 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -534,14 +534,6 @@ static void tun_queue_purge(struct tun_file *tfile) skb_queue_purge(&tfile->sk.sk_error_queue); } -static void tun_cleanup_tx_array(struct tun_file *tfile) -{ - if (tfile->tx_array.ring.queue) { - skb_array_cleanup(&tfile->tx_array); - memset(&tfile->tx_array, 0, sizeof(tfile->tx_array)); - } -} - static void __tun_detach(struct tun_file *tfile, bool clean) { struct tun_file *ntfile; @@ -583,7 +575,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean) tun->dev->reg_state == NETREG_REGISTERED) unregister_netdevice(tun->dev); } - tun_cleanup_tx_array(tfile); sock_put(&tfile->sk); } } @@ -623,13 +614,11 @@ static void tun_detach_all(struct net_device *dev) /* Drop read queue */ tun_queue_purge(tfile); sock_put(&tfile->sk); - tun_cleanup_tx_array(tfile); } list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) { tun_enable_queue(tfile); tun_queue_purge(tfile); sock_put(&tfile->sk); - tun_cleanup_tx_array(tfile); } BUG_ON(tun->numdisabled != 0); @@ -675,7 +664,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte } if (!tfile->detached && - skb_array_init(&tfile->tx_array, dev->tx_queue_len, GFP_KERNEL)) { + skb_array_resize(&tfile->tx_array, dev->tx_queue_len, GFP_KERNEL)) { err = -ENOMEM; goto out; } @@ -2624,6 +2613,11 @@ static int tun_chr_open(struct inode *inode, struct file * file) &tun_proto, 0); if (!tfile) return -ENOMEM; + if (skb_array_init(&tfile->tx_array, 0, GFP_KERNEL)) { + sk_free(&tfile->sk); + return -ENOMEM; + } + RCU_INIT_POINTER(tfile->tun, NULL); tfile->flags = 0; tfile->ifindex = 0; @@ -2644,8 +2638,6 @@ static int tun_chr_open(struct inode *inode, struct file * file) sock_set_flag(&tfile->sk, SOCK_ZEROCOPY); - memset(&tfile->tx_array, 0, sizeof(tfile->tx_array)); - return 0; } @@ -2654,6 +2646,7 @@ static int tun_chr_close(struct inode *inode, struct file *file) struct tun_file *tfile = file->private_data; tun_detach(tfile, true); + skb_array_cleanup(&tfile->tx_array); return 0; } -- 2.19.0.rc1.350.ge57e33dbd1-goog

6 years, 7 months

2
2
0 0

[PATCH 4.4 000/107] 4.4.144-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.144 release. There are 107 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Jul 25 12:23:53 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.144-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.144-rc1 Sascha Hauer <s.hauer(a)pengutronix.de> ubi: fastmap: Erase outdated anchor PEBs during attach Richard Weinberger <richard(a)nod.at> ubi: Fix Fastmap's update_vol() Richard Weinberger <richard(a)nod.at> ubi: Fix races around ubi_refill_pools() Richard Weinberger <richard(a)nod.at> ubi: Be more paranoid while seaching for the most recent Fastmap Richard Weinberger <richard(a)nod.at> ubi: Rework Fastmap attach base code Richard Weinberger <richard(a)nod.at> ubi: Introduce vol_ignored() Lucas Stach <dev(a)lynxeye.de> clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 Alan Jenkins <alan.christopher.jenkins(a)gmail.com> block: do not use interruptible wait anywhere Andy Lutomirski <luto(a)kernel.org> x86/cpu: Re-apply forced caps every time CPU caps are re-read Juergen Gross <jgross(a)suse.com> x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Rename SSBD_NO to SSB_NO Thomas Gleixner <tglx(a)linutronix.de> x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG Thomas Gleixner <tglx(a)linutronix.de> x86/bugs: Rework spec_ctrl base and mask logic Thomas Gleixner <tglx(a)linutronix.de> x86/bugs: Remove x86_spec_ctrl_set() Thomas Gleixner <tglx(a)linutronix.de> x86/bugs: Expose x86_spec_ctrl_base directly Borislav Petkov <bp(a)suse.de> x86/bugs: Unify x86_spec_ctrl_{set_guest, restore_host} Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Rework speculative_store_bypass_update() Tom Lendacky <thomas.lendacky(a)amd.com> x86/speculation: Add virtualized speculative store bypass disable support Thomas Gleixner <tglx(a)linutronix.de> x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Handle HT correctly on AMD Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Add FEATURE_ZEN Borislav Petkov <bp(a)suse.de> x86/cpu/AMD: Fix erratum 1076 (CPB bit) Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Disentangle SSBD enumeration Thomas Gleixner <tglx(a)linutronix.de> x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS Borislav Petkov <bp(a)suse.de> x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP Jim Mattson <jmattson(a)google.com> x86/cpu: Make alternative_msr_write work for 32-bit code Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Fix the parameters alignment and missing void Jiri Kosina <jkosina(a)suse.cz> x86/bugs: Make cpu_show_common() static Jiri Kosina <jkosina(a)suse.cz> x86/bugs: Fix __ssb_select_mitigation() return type Borislav Petkov <bp(a)suse.de> Documentation/spec_ctrl: Do some minor cleanups Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> proc: Use underscores for SSBD in 'status' Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Rename _RDS to _SSBD Kees Cook <keescook(a)chromium.org> x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass Thomas Gleixner <tglx(a)linutronix.de> seccomp: Move speculation migitation control to arch code Kees Cook <keescook(a)chromium.org> seccomp: Add filter flag to opt-out of SSB mitigation Thomas Gleixner <tglx(a)linutronix.de> seccomp: Use PR_SPEC_FORCE_DISABLE Thomas Gleixner <tglx(a)linutronix.de> prctl: Add force disable speculation Kees Cook <keescook(a)chromium.org> seccomp: Enable speculation flaw mitigations Kees Cook <keescook(a)chromium.org> proc: Provide details on speculation flaw mitigations Kees Cook <keescook(a)chromium.org> nospec: Allow getting/setting on non-current task Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Add prctl for Speculative Store Bypass mitigation Thomas Gleixner <tglx(a)linutronix.de> x86/process: Allow runtime control of Speculative Store Bypass Thomas Gleixner <tglx(a)linutronix.de> x86/process: Optimize TIF_NOTSC switch Kyle Huey <me(a)kylehuey.com> x86/process: Correct and optimize TIF_BLOCKSTEP switch Kyle Huey <me(a)kylehuey.com> x86/process: Optimize TIF checks in __switch_to_xtra() Thomas Gleixner <tglx(a)linutronix.de> prctl: Add speculation control prctls Thomas Gleixner <tglx(a)linutronix.de> x86/speculation: Create spec-ctrl.h to avoid include hell David Woodhouse <dwmw(a)amazon.co.uk> x86/bugs/AMD: Add support to disable RDS on Fam[15, 16, 17]h if requested Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Whitelist allowed SPEC_CTRL MSR values Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs/intel: Set proper CPU features and setup RDS Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/cpufeatures: Add X86_FEATURE_RDS Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Expose /sys/../spec_store_bypass Piotr Luc <piotr.luc(a)intel.com> x86/cpu/intel: Add Knights Mill to Intel family Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> x86/cpu: Rename Merrifield2 to Moorefield Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs, KVM: Support the combination of guest and host IBRS Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Concentrate bug reporting into a separate function Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/bugs: Concentrate bug detection into a separate function Linus Torvalds <torvalds(a)linux-foundation.org> x86/nospec: Simplify alternative_msr_write() David Woodhouse <dwmw(a)amazon.co.uk> x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when running under Xen Juergen Gross <jgross(a)suse.com> xen: set cpu capabilities from xen_start_kernel() Mickaël Salaün <mic(a)digikod.net> selftest/seccomp: Fix the seccomp(2) signature Mickaël Salaün <mic(a)digikod.net> selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC Alexander Sergeyev <sergeev917(a)gmail.com> x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist Ingo Molnar <mingo(a)kernel.org> x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Use IBRS if available before calling into firmware Konrad Rzeszutek Wilk <konrad.wilk(a)oracle.com> x86/spectre_v2: Don't check microcode versions when running under hypervisors Tim Chen <tim.c.chen(a)linux.intel.com> x86/speculation: Use Indirect Branch Prediction Barrier in context switch Andy Lutomirski <luto(a)kernel.org> x86/mm: Give each mm TLB flush generation a unique ID Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Factor out LDT init from context init Juergen Gross <jgross(a)suse.com> x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend Peter Zijlstra <peterz(a)infradead.org> x86/speculation: Add <asm/msr-index.h> dependency Dan Williams <dan.j.williams(a)intel.com> x86/speculation: Fix up array_index_nospec_mask() asm constraint Ingo Molnar <mingo(a)kernel.org> x86/speculation: Clean up various Spectre related details David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Correct Speculation Control microcode blacklist again David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Update Speculation Control microcode blacklist Dan Williams <dan.j.williams(a)intel.com> x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface Denys Vlasenko <dvlasenk(a)redhat.com> x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs Arnd Bergmann <arnd(a)arndb.de> x86/pti: Mark constant arrays as __initconst David Woodhouse <dwmw(a)amazon.co.uk> x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Clean up Spectre v2 related CPUID flags David Woodhouse <dwmw(a)amazon.co.uk> x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes David Woodhouse <dwmw(a)amazon.co.uk> x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown David Woodhouse <dwmw(a)amazon.co.uk> x86/msr: Add definitions for new speculation control MSRs David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add AMD feature bits for Speculation Control David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add Intel feature bits for Speculation Control David Woodhouse <dwmw(a)amazon.co.uk> x86/cpufeatures: Add CPUID_7_EDX CPUID leaf Nick Desaulniers <ndesaulniers(a)google.com> x86/paravirt: Make native_save_fl() extern inline Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix perceived dead host due to runtime suspend race with event handler Stefano Brivio <sbrivio(a)redhat.com> skbuff: Unconditionally copy pfmemalloc in __skb_clone() Stefano Brivio <sbrivio(a)redhat.com> net: Don't copy pfmemalloc flag in __copy_skb_header() Sanjeev Bansal <sanjeevb.bansal(a)broadcom.com> tg3: Add higher cpu clock for 5762. Gustavo A. R. Silva <gustavo(a)embeddedor.com> ptp: fix missing break in switch Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: fix flag masking in __set_phy_supported David Ahern <dsahern(a)gmail.com> net/ipv4: Set oif in fib_compute_spec_dst Davidlohr Bueso <dave(a)stgolabs.net> lib/rhashtable: consider param->min_size when setting initial table size Colin Ian King <colin.king(a)canonical.com> ipv6: fix useless rol32 call on hash Tyler Hicks <tyhicks(a)canonical.com> ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns Jing Xia <jing.xia.mail(a)gmail.com> mm: memcg: fix use after free in mem_cgroup_iter() Vineet Gupta <vgupta(a)synopsys.com> ARC: mm: allow mprotect to make stack mappings executable Alexey Brodkin <abrodkin(a)synopsys.com> ARC: Fix CONFIG_SWAP Takashi Iwai <tiwai(a)suse.de> ALSA: rawmidi: Change resized buffers atomically OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix memory allocation failure handling of match_strdup() Dewet Thibaut <thibaut.dewet(a)nokia.com> x86/MCE: Remove min interval polling limitation Lan Tianyu <tianyu.lan(a)intel.com> KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel. ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/kernel-parameters.txt | 45 +++ Documentation/spec_ctrl.txt | 94 +++++ Makefile | 4 +- arch/arc/include/asm/page.h | 2 +- arch/arc/include/asm/pgtable.h | 2 +- arch/x86/entry/entry_64_compat.S | 75 ++-- arch/x86/include/asm/apm.h | 6 + arch/x86/include/asm/barrier.h | 2 +- arch/x86/include/asm/cpufeature.h | 7 +- arch/x86/include/asm/cpufeatures.h | 37 +- arch/x86/include/asm/disabled-features.h | 3 +- arch/x86/include/asm/efi.h | 7 + arch/x86/include/asm/intel-family.h | 10 +- arch/x86/include/asm/irqflags.h | 2 +- arch/x86/include/asm/mmu.h | 15 +- arch/x86/include/asm/mmu_context.h | 25 +- arch/x86/include/asm/msr-index.h | 22 ++ arch/x86/include/asm/nospec-branch.h | 54 +++ arch/x86/include/asm/required-features.h | 3 +- arch/x86/include/asm/spec-ctrl.h | 80 ++++ arch/x86/include/asm/thread_info.h | 6 +- arch/x86/include/asm/tlbflush.h | 12 + arch/x86/kernel/Makefile | 1 + arch/x86/kernel/cpu/amd.c | 38 +- arch/x86/kernel/cpu/bugs.c | 427 +++++++++++++++++++-- arch/x86/kernel/cpu/common.c | 121 +++++- arch/x86/kernel/cpu/cpu.h | 3 + arch/x86/kernel/cpu/intel.c | 73 ++++ arch/x86/kernel/cpu/mcheck/mce.c | 3 - arch/x86/kernel/irqflags.S | 26 ++ arch/x86/kernel/ldt.c | 4 +- arch/x86/kernel/process.c | 224 +++++++++-- arch/x86/kernel/smpboot.c | 5 + arch/x86/kvm/svm.c | 2 +- arch/x86/kvm/vmx.c | 2 +- arch/x86/mm/tlb.c | 33 ++ arch/x86/platform/efi/efi_64.c | 3 + arch/x86/xen/enlighten.c | 16 +- arch/x86/xen/smp.c | 5 + arch/x86/xen/suspend.c | 16 + block/blk-core.c | 10 +- drivers/base/cpu.c | 8 + drivers/clk/tegra/clk-tegra30.c | 11 +- drivers/mtd/ubi/attach.c | 139 +++++-- drivers/mtd/ubi/eba.c | 4 +- drivers/mtd/ubi/fastmap-wl.c | 6 +- drivers/mtd/ubi/fastmap.c | 51 ++- drivers/mtd/ubi/ubi.h | 46 ++- drivers/mtd/ubi/wl.c | 114 ++++-- drivers/net/ethernet/broadcom/tg3.c | 9 + drivers/net/phy/phy_device.c | 7 +- drivers/ptp/ptp_chardev.c | 1 + drivers/usb/host/xhci.c | 40 +- drivers/usb/host/xhci.h | 4 + fs/fat/inode.c | 20 +- fs/proc/array.c | 26 ++ include/linux/cpu.h | 2 + include/linux/nospec.h | 10 + include/linux/sched.h | 9 + include/linux/seccomp.h | 3 +- include/linux/skbuff.h | 12 +- include/net/ipv6.h | 2 +- include/uapi/linux/prctl.h | 12 + include/uapi/linux/seccomp.h | 4 +- kernel/seccomp.c | 21 +- kernel/sys.c | 21 + lib/rhashtable.c | 17 +- mm/memcontrol.c | 2 +- net/core/skbuff.c | 1 + net/ipv4/fib_frontend.c | 1 + net/ipv4/sysctl_net_ipv4.c | 5 +- sound/core/rawmidi.c | 20 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 98 ++++- virt/kvm/eventfd.c | 6 +- 75 files changed, 1982 insertions(+), 276 deletions(-)

6 years, 7 months

6
110
0 0

Requests for inclusion on linux-4.14.y

by Eduardo Valentin

Hello Greg, Can you please consider including the following two patches in the stable linux-4.14.y branch? This is to avoid page faults in do_swap_page() on PV guests, usually seen on __radix_tree_lookup() [1]. f7c90c2aa400 ("x86/xen: don't write ptes directly in 32-bit PV guests") b2d7a075a1cc ("x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear") Thanks, [1] - more details on https://bugzilla.kernel.org/show_bug.cgi?id=198497 -- All the best, Eduardo Valentin

6 years, 7 months

2
1
0 0

[PATCH 4.4.y] crypto: vmx - Fix sleep-in-atomic bugs

by Ondrej Mosnacek

commit 0522236d4f9c5ab2e79889cb020d1acbe5da416e upstream. Conflicts: drivers/crypto/vmx/ aes_cbc.c - adapted enable/disable calls to v4.4 state aes_xts.c - did not exist yet in v4.4 This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX implementations. The problem is that the blkcipher_* functions should not be called in atomic context. The bugs can be reproduced via the AF_ALG interface by trying to encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then trigger BUG in crypto_yield(): [ 891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424 [ 891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc [ 891.864739] 1 lock held by kcapi-enc/12347: [ 891.864811] #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530 [ 891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1 [ 891.865251] Call Trace: [ 891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable) [ 891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310 [ 891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0 [ 891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto] [ 891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80 [ 891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530 [ 891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0 [ 891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0 [ 891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0 [ 891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70 Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module") Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") Cc: stable(a)vger.kernel.org Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/crypto/vmx/aes_cbc.c | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c index 9506e8693c81..d8ef1147b344 100644 --- a/drivers/crypto/vmx/aes_cbc.c +++ b/drivers/crypto/vmx/aes_cbc.c @@ -111,24 +111,23 @@ static int p8_aes_cbc_encrypt(struct blkcipher_desc *desc, ret = crypto_blkcipher_encrypt(&fallback_desc, dst, src, nbytes); } else { - preempt_disable(); - pagefault_disable(); - enable_kernel_altivec(); - enable_kernel_vsx(); - blkcipher_walk_init(&walk, dst, src, nbytes); ret = blkcipher_walk_virt(desc, &walk); while ((nbytes = walk.nbytes)) { + preempt_disable(); + pagefault_disable(); + enable_kernel_vsx(); + enable_kernel_altivec(); aes_p8_cbc_encrypt(walk.src.virt.addr, walk.dst.virt.addr, nbytes & AES_BLOCK_MASK, &ctx->enc_key, walk.iv, 1); + pagefault_enable(); + preempt_enable(); + nbytes &= AES_BLOCK_SIZE - 1; ret = blkcipher_walk_done(desc, &walk, nbytes); } - - pagefault_enable(); - preempt_enable(); } return ret; @@ -152,24 +151,23 @@ static int p8_aes_cbc_decrypt(struct blkcipher_desc *desc, ret = crypto_blkcipher_decrypt(&fallback_desc, dst, src, nbytes); } else { - preempt_disable(); - pagefault_disable(); - enable_kernel_altivec(); - enable_kernel_vsx(); - blkcipher_walk_init(&walk, dst, src, nbytes); ret = blkcipher_walk_virt(desc, &walk); while ((nbytes = walk.nbytes)) { + preempt_disable(); + pagefault_disable(); + enable_kernel_vsx(); + enable_kernel_altivec(); aes_p8_cbc_encrypt(walk.src.virt.addr, walk.dst.virt.addr, nbytes & AES_BLOCK_MASK, &ctx->dec_key, walk.iv, 0); + pagefault_enable(); + preempt_enable(); + nbytes &= AES_BLOCK_SIZE - 1; ret = blkcipher_walk_done(desc, &walk, nbytes); } - - pagefault_enable(); - preempt_enable(); } return ret; -- 2.17.1

6 years, 7 months

2
3
0 0

request for 4.4-stable: 5817f977527e ("ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle")

by SZ Lin (林上智)

Hi Greg, This patch is not marked for 4.4-stable, but it's already in 4.9 and 4.14 stable. Please apply to 4.4-stable. This patch adds necessary function when removing driver. -- SZ Lin (林上智)

6 years, 7 months

2
1
0 0

request for 4.4-stable: 86e1d5adcef96 ("net: ethernet: ti: cpsw: fix mdio device reference leak")

by SZ Lin (林上智)

Hi Greg, This patch is not marked for 4.4-stable, but it's already in 4.9 and 4.14 stable. Please apply to 4.4-stable. This patch fixed leak of mdio device reference. -- SZ Lin (林上智)

6 years, 7 months

2
1
0 0

request for 4.4-stable: 552165bcf7060 ("drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config")

by SZ Lin (林上智)

Hi, This patch is not marked for 4.4-stable, but it's already in 4.9 and 4.14 stable. Please apply to 4.4-stable. This patch fixed parsing of phy-handle DT property in dual_emac config. -- SZ Lin (林上智)

6 years, 7 months

2
1
0 0

Please apply "netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user" to 3.18.y, 4.4.y, 4.9.y

by Greg Hackmann

e466af75c074 ("netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user") fixes an out-of-bounds read that happens when a userspace-controlled value is not NULL terminated. It looks like the fix was taken into 3.16.y but not kernels after it.

6 years, 7 months

2
1
0 0

[PATCH -stable] xhci: Fix use-after-free in xhci_free_virt_device

by Matthias Kaehlcke

From: Mathias Nyman <mathias.nyman(a)linux.intel.com> commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream. KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e where xhci_free_virt_device() sets slot id to 0 if udev exists: if (dev->udev && dev->udev->slot_id) dev->udev->slot_id = 0; dev->udev will be true even if udev is freed because dev->udev is not set to NULL. set dev->udev pointer to NULL in xhci_free_dev() The original patch went to stable so this fix needs to be applied there as well. Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot") Cc: <stable(a)vger.kernel.org> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Reviewed-by: Guenter Roeck <linux(a)roeck-us.net> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Matthias Kaehlcke <mka(a)chromium.org> --- The original fix has been integrated into some recent -stable versions, but wasn't backported to older LTS kernel like v4.9 or v4.4. The context in xhci_free_dev() changed a bit because upstream added xhci_disable_slot(). drivers/usb/host/xhci.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index c190fabd1875..e9f5f9c32b49 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -3656,6 +3656,9 @@ void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev) } spin_lock_irqsave(&xhci->lock, flags); + + virt_dev->udev = NULL; + /* Don't disable the slot if the host controller is dead. */ state = readl(&xhci->op_regs->status); if (state == 0xffffffff || (xhci->xhc_state & XHCI_STATE_DYING) || -- 2.19.0.397.gdd90340f6a-goog

6 years, 7 months

2
1
0 0

Please apply e2c631ba75a7e727e8db0a9d30a06bfd434adb3a ("clocksource: Revert "Remove kthread") to 4.18.y

by Siegfried Metz

Hi stable-maintainers, Hi Greg, it seems that the patch to fix early boot stalling with Intel Core 2 processors, which Linus' already applied to his tree and could be found in >=4.19-rc3, somehow missed the CC: line for linux-stable to pick it up. As of now 4.18.8-rc1 does not include it. The latest kernel version unaffected by this issues is 4.17.19, so a backport to 4.18.y should be enough. Thank you for all your hard work, Siegfried

6 years, 7 months

2
1
0 0

[STABLE v4.14 PATCH] drm/i915: set DP Main Stream Attribute for color range on DDI platforms

by Jani Nikula

commit 6209c285e7a5e68dbcdf8fd2456c6dd68433806b upstream. Since Haswell we have no color range indication either in the pipe or port registers for DP. Instead, there's a separate register for setting the DP Main Stream Attributes (MSA) directly. The MSA register definition makes no references to colorimetry, just a vague reference to the DP spec. The connection to the color range was lost. Apparently we've failed to set the proper MSA bit for limited, or CEA, range ever since the first DDI platforms. We've started setting other MSA parameters since commit dae847991a43 ("drm/i915: add intel_ddi_set_pipe_settings"). Without the crucial bit of information, the DP sink has no way of knowing the source is actually transmitting limited range RGB, leading to "washed out" colors. With the colorimetry information, compliant sinks should be able to handle the limited range properly. Native (i.e. non-LSPCON) HDMI was not affected because we do pass the color range via AVI infoframes. Though not the root cause, the problem was made worse for DDI platforms with commit 55bc60db5988 ("drm/i915: Add "Automatic" mode for the "Broadcast RGB" property"), which selects limited range RGB automatically based on the mode, as per the DP, HDMI and CEA specs. After all these years, the fix boils down to flipping one bit. [Per testing reports, this fixes DP sinks, but not the LSPCON. My educated guess is that the LSPCON fails to turn the CEA range MSA into AVI infoframes for HDMI.] Reported-by: Michał Kopeć <mkopec12(a)gmail.com> Reported-by: N. W. <nw9165-3201(a)yahoo.com> Reported-by: Nicholas Stommel <nicholas.stommel(a)gmail.com> Reported-by: Tom Yan <tom.ty89(a)gmail.com> Tested-by: Nicholas Stommel <nicholas.stommel(a)gmail.com> References: https://bugs.freedesktop.org/show_bug.cgi?id=100023 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107476 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=94921 Cc: Paulo Zanoni <paulo.r.zanoni(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v3.9+ Reviewed-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20180814060001.18224-1-jani.n… (cherry picked from commit dc5977da99ea28094b8fa4e9bacbd29bedc41de5) Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> --- drivers/gpu/drm/i915/i915_reg.h | 1 + drivers/gpu/drm/i915/intel_ddi.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h index c9bcc6c45012..b3f7ba3b11c5 100644 --- a/drivers/gpu/drm/i915/i915_reg.h +++ b/drivers/gpu/drm/i915/i915_reg.h @@ -8441,6 +8441,7 @@ enum skl_power_gate { #define TRANS_MSA_10_BPC (2<<5) #define TRANS_MSA_12_BPC (3<<5) #define TRANS_MSA_16_BPC (4<<5) +#define TRANS_MSA_CEA_RANGE (1<<3) /* LCPLL Control */ #define LCPLL_CTL _MMIO(0x130040) diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c index 5e5fe03b638c..3a4a581345c4 100644 --- a/drivers/gpu/drm/i915/intel_ddi.c +++ b/drivers/gpu/drm/i915/intel_ddi.c @@ -1396,6 +1396,10 @@ void intel_ddi_set_pipe_settings(const struct intel_crtc_state *crtc_state) WARN_ON(transcoder_is_dsi(cpu_transcoder)); temp = TRANS_MSA_SYNC_CLK; + + if (crtc_state->limited_color_range) + temp |= TRANS_MSA_CEA_RANGE; + switch (crtc_state->pipe_bpp) { case 18: temp |= TRANS_MSA_6_BPC; -- 2.11.0

6 years, 7 months

2
1
0 0

[GIT PULL] commits for Linux 4.18

by Sasha Levin

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Greg, Pleae pull commits for Linux 4.18 . I've sent a review request for all commits over a week ago and all comments were addressed. Thanks, Sasha ===== The following changes since commit 8ea7eadbef2f7103d5871016f03fc38b3adeaddb: Linux 4.18.7 (2018-09-09 10:32:43 +0200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.18-14092018 for you to fetch changes up to d9c017f1381bc2369d5e82c95fd3641c60d3b24c: RDMA/cma: Do not ignore net namespace for unbound cm_id (2018-09-14 00:37:08 -0400) - ---------------------------------------------------------------- for-greg-4.18-14092018 - ---------------------------------------------------------------- Akshu Agrawal (1): ASoC: soc-pcm: Use delay set in component pointer function Alexandru Gagniuc (1): ALSA: hda/realtek - Add mute LED quirk for HP Spectre x360 Amit Daniel Kachhap (1): clk: scmi: Fix the rounding of clock rate Andrey Smirnov (1): mfd: rave-sp: Initialize flow control and parity of the port Anthony Koo (1): drm/amd/display: Prevent PSR from being enabled if initialization fails Anton Vasilyev (8): media: davinci: vpif_display: Mix memory leak on probe error path media: dw2102: Fix memleak on sequence of probes misc: ti-st: Fix memory leak in the error path of probe() firmware: vpd: Fix section enabled flag on vpd_section_destroy tty: rocket: Fix possible buffer overwrite on register_PCI scsi: 3ware: fix return 0 on the error path of probe regulator: tps65217: Fix NULL pointer dereference on probe gpio: ml-ioh: Fix buffer underwrite on probe error path Arun Parameswaran (1): net: phy: Fix the register offsets in Broadcom iProc mdio mux driver BingJing Chang (1): md/raid5: fix data corruption of replacements after originals dropped Brad Love (2): media: em28xx: Fix dual transport stream operation media: em28xx: Fix DualHD disconnect oops Calum Mackay (1): nfs: Referrals not inheriting proto setting from parent Chao Yu (10): f2fs: fix to active page in lru list for read path f2fs: fix to detect looped node chain correctly f2fs: try grabbing node page lock aggressively in sync scenario f2fs: fix to skip GC if type in SSA and SIT is inconsistent f2fs: fix to do sanity check with reserved blkaddr of inline inode f2fs: fix to wait on page writeback before updating page f2fs: fix to do sanity check with secs_per_zone f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize f2fs: fix to propagate return value of scan_nat_page() f2fs: fix to do sanity check with extra_attr feature Christophe Leroy (1): perf tools: Allow overriding MAX_NR_CPUS at compile time Dan Carpenter (4): misc: mic: SCIF Fix scif_get_new_port() error handling uio: potential double frees if __uio_register_device() fails pinctrl: imx: off by one in imx_pinconf_group_dbg_show() f2fs: Fix uninitialized return in f2fs_ioc_shutdown() Daniel Kurtz (1): pinctrl/amd: only handle irq if it is pending and unmasked Daniel Mack (1): gpio: pxa: disable pinctrl calls for PXA3xx Daniel Rosenberg (1): f2fs: Keep alloc_valid_block_count in sync Denis Drozdov (1): IB/IPoIB: Set ah valid flag in multicast send flow Dmitry Osipenko (1): gpio: tegra: Move driver registration to subsys_init level Emmanuel Grumbach (1): iwlwifi: pcie: don't access periphery registers when not available Felix Fietkau (2): ath9k: report tx status on EOSP ath9k_hw: fix channel maximum power level test Finn Thain (1): macintosh/via-pmu: Add missing mmio accessors Florian Fainelli (1): ethtool: Remove trailing semicolon for static inline Gaurav Kohli (1): timers: Clear timer_base::must_forward_clk with timer_base::lock held Geert Uytterhoeven (1): iommu/ipmmu-vmsa: Fix allocation in atomic context Guenter Roeck (1): powerpc/4xx: Fix error return path in ppc4xx_msi_probe() Huaisheng Ye (1): tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access() Jae Hyun Yoo (1): i2c: aspeed: Add an explicit type casting for *get_clk_reg_val Jaegeuk Kim (1): f2fs: avoid potential deadlock in f2fs_sbi_store James Smart (1): scsi: lpfc: Fix driver crash when re-registering NVME rports. Jinbum Park (1): pktcdvd: Fix possible Spectre-v1 for pkt_devs Jiri Olsa (1): perf c2c report: Fix crash for empty browser Joerg Roedel (2): x86/mm: Remove in_nmi() warning from vmalloc_fault() x86/kexec: Allocate 8k PGDs for PTI Johan Hedberg (1): Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV John Pittman (1): dm cache: only allow a single io_mode cache feature to be requested Kan Liang (1): perf evlist: Fix error out while applying initial delay and LBR Katsuhiro Suzuki (1): media: helene: fix xtal frequency setting at power on Lijun Ou (2): RDMA/hns: Add illegal hop_num judgement RDMA/hns: Update the data type of immediate data Linus Walleij (1): tpm_tis_spi: Pass the SPI IRQ down to the driver Loic Poulain (1): wlcore: Set rx_status boottime_ns field on rx Lorenzo Pieralisi (2): PCI: mobiveil: Add missing ../pci.h include PCI: mobiveil: Fix struct mobiveil_pcie.pcie_reg_base address type Marc Zyngier (1): thermal_hwmon: Sanitize attribute name passed to hwmon Marcel Holtmann (1): Bluetooth: hidp: Fix handling of strncpy for hid->name information Mauricio Faria de Oliveira (2): partitions/aix: append null character to print data from disk partitions/aix: fix usage of uninitialized lv_info and lvname structures Michael Ellerman (1): powerpc/mm: Don't report PUDs as memory leaks when using kmemleak Michael Kelley (1): Drivers: hv: vmbus: Cleanup synic memory free path Mike Christie (2): scsi: target: fix __transport_register_session locking scsi: tcmu: do not set max_blocks if data_bitmap has been setup Ming Lei (1): blk-mq: fix updating tags depth Miquel Raynal (1): mtd: rawnand: make subop helpers return unsigned values Nicholas Mc Guire (2): MIPS: Octeon: add missing of_node_put() MIPS: generic: fix missing of_node_put() Nick Dyer (1): Input: atmel_mxt_ts - only use first T9 instance Niklas SÃ¶derlund (1): media: rcar-csi2: update stream start for V3M Olga Kornievskaia (1): NFSv4.0 fix client reference leak in callback Parav Pandit (1): RDMA/cma: Do not ignore net namespace for unbound cm_id Paul Burton (2): MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON Peter Rosin (1): tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) Petr Machata (1): net: dcb: For wild-card lookups, use priority -1, not 0 Philipp Zabel (1): gpu: ipu-v3: default to id 0 on missing OF alias Quentin Schulz (1): MIPS: mscc: ocelot: fix length of memory address space for MIIM Quinn Tran (3): scsi: qla2xxx: Fix unintended Logout scsi: qla2xxx: Fix session state stuck in Get Port DB scsi: qla2xxx: Silent erroneous message Randy Dunlap (1): f2fs: fix defined but not used build warnings Reza Arbab (1): powerpc/powernv: Fix concurrency issue with npu->mmio_atsd_usage Robert Schlabbach (1): media: em28xx: explicitly disable TS packet filter Roman Gushchin (1): selftests/bpf: fix a typo in map in map test Sam Bobroff (1): powerpc/pseries: fix EEH recovery of some IOV devices Simon Horman (1): thermal: rcar_thermal: avoid NULL dereference in absence of IRQ resources Srinivas Kandagatla (1): rpmsg: core: add support to power domains for devices Srinivas Pandruvada (2): ata: libahci: Allow reconfigure of DEVSLP register ata: libahci: Correct setting of DEVSLP register Stefan Hajnoczi (1): device-dax: avoid hang on error before devm_memremap_pages() Surabhi Vishnoi (1): ath10k: disable bundle mgmt tx completion event support Sven Eckelmann (1): ath10k: prevent active scans on potential unusable channels Sylwester Nawrocki (1): media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time} functions Takashi Iwai (10): ALSA: riptide: Properly endian notations ALSA: pcm: Fix sparse warning wrt PCM format type ALSA: wss: Fix sparse warning wrt PCM format type ALSA: xen: Use standard pcm_format_to_bits() for ALSA format bits ALSA: sb: Fix PCM format bit calculation ALSA: asihpi: Fix PCM format notations ALSA: ad1816a: Fix sparse warning wrt PCM format type ALSA: hda: Fix implicit PCM format type conversion ALSA: au88x0: Fix sparse warning wrt PCM format type ALSA: sb: Fix sparse warning wrt PCM format type Thomas Richter (1): perf build: Fix installation directory for eBPF Todor Tomov (1): media: camss: csid: Configure data type and decode format properly Trond Myklebust (1): NFSv4.1: Fix a potential layoutget/layoutrecall deadlock Vlad Buslov (2): tc-testing: flush gact actions on test teardown tc-testing: remove duplicate spaces in connmark match patterns Will Deacon (1): iommu/arm-smmu-v3: Abort all transactions if SMMU is enabled in kdump kernel Xiubo Li (1): uio: fix possible circular locking dependency Yelena Krivosheev (1): net: mvneta: fix mtu change on port without link YueHaibing (1): pinctrl: berlin: fix 'pctrl->functions' allocation in berlin_pinctrl_build_state Yunlong Song (2): f2fs: do not set free of current section f2fs: issue discard align to section in LFS mode Zumeng Chen (1): mfd: ti_am335x_tscadc: Fix struct clk memory leak arch/mips/boot/dts/mscc/ocelot.dtsi | 2 +- arch/mips/cavium-octeon/octeon-platform.c | 2 + arch/mips/generic/init.c | 1 + arch/mips/include/asm/io.h | 8 +-- arch/mips/mm/c-r4k.c | 6 +- arch/powerpc/include/asm/book3s/64/pgalloc.h | 23 ++++++- arch/powerpc/platforms/4xx/msi.c | 51 ++++++++------- arch/powerpc/platforms/powernv/npu-dma.c | 5 +- arch/powerpc/platforms/pseries/setup.c | 25 +++++--- arch/x86/kernel/machine_kexec_32.c | 5 +- arch/x86/mm/fault.c | 2 - block/blk-mq-tag.c | 8 +-- block/partitions/aix.c | 13 ++-- drivers/ata/libahci.c | 20 +++--- drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/Kconfig | 1 + drivers/char/tpm/tpm_i2c_infineon.c | 8 +-- drivers/char/tpm/tpm_tis_spi.c | 9 ++- drivers/clk/clk-scmi.c | 5 +- drivers/dax/pmem.c | 12 ++-- drivers/firmware/google/vpd.c | 5 +- drivers/gpio/gpio-ml-ioh.c | 3 +- drivers/gpio/gpio-pxa.c | 35 ++++++++--- drivers/gpio/gpio-tegra.c | 2 +- drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c | 38 ++++++----- drivers/gpu/drm/amd/display/dc/inc/hw/dmcu.h | 2 +- drivers/gpu/ipu-v3/ipu-common.c | 2 + drivers/hv/hv.c | 14 +++-- drivers/i2c/busses/i2c-aspeed.c | 2 +- drivers/infiniband/core/cma.c | 13 +++- drivers/infiniband/hw/hns/hns_roce_hem.c | 3 + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 12 ++-- drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 6 +- drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 1 + drivers/input/touchscreen/atmel_mxt_ts.c | 7 ++- drivers/iommu/arm-smmu-v3.c | 22 +++++-- drivers/iommu/ipmmu-vmsa.c | 9 ++- drivers/macintosh/via-pmu.c | 9 +-- drivers/md/dm-cache-target.c | 19 ++++-- drivers/md/raid5.c | 6 ++ drivers/media/dvb-frontends/helene.c | 5 +- drivers/media/platform/davinci/vpif_display.c | 24 ++++--- .../media/platform/qcom/camss-8x16/camss-csid.c | 16 +++-- drivers/media/platform/rcar-vin/rcar-csi2.c | 20 ++++-- drivers/media/platform/s5p-mfc/s5p_mfc.c | 23 +++---- drivers/media/usb/dvb-usb/dw2102.c | 19 ++++-- drivers/media/usb/em28xx/em28xx-cards.c | 4 +- drivers/media/usb/em28xx/em28xx-core.c | 4 +- drivers/media/usb/em28xx/em28xx-dvb.c | 4 +- drivers/mfd/rave-sp.c | 7 +++ drivers/mfd/ti_am335x_tscadc.c | 3 +- drivers/misc/mic/scif/scif_api.c | 20 +++--- drivers/misc/ti-st/st_kim.c | 4 +- drivers/mtd/nand/raw/nand_base.c | 44 ++++++------- drivers/net/ethernet/marvell/mvneta.c | 1 - drivers/net/phy/mdio-mux-bcm-iproc.c | 20 ++++-- drivers/net/wireless/ath/ath10k/mac.c | 7 +++ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 5 ++ drivers/net/wireless/ath/ath10k/wmi-tlv.h | 5 ++ drivers/net/wireless/ath/ath9k/hw.c | 7 ++- drivers/net/wireless/ath/ath9k/xmit.c | 3 +- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 4 ++ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 24 +++---- drivers/net/wireless/ti/wlcore/rx.c | 8 ++- drivers/pci/controller/pcie-mobiveil.c | 4 +- drivers/pinctrl/berlin/berlin.c | 14 +++-- drivers/pinctrl/freescale/pinctrl-imx.c | 2 +- drivers/pinctrl/pinctrl-amd.c | 3 +- drivers/regulator/tps65217-regulator.c | 2 + drivers/rpmsg/rpmsg_core.c | 7 +++ drivers/scsi/3w-9xxx.c | 6 +- drivers/scsi/3w-sas.c | 3 + drivers/scsi/3w-xxxx.c | 2 + drivers/scsi/lpfc/lpfc_nvme.c | 22 ++++--- drivers/scsi/qla2xxx/qla_init.c | 9 ++- drivers/scsi/qla2xxx/qla_target.c | 3 +- drivers/scsi/qla2xxx/qla_tmpl.c | 9 +++ drivers/target/target_core_transport.c | 5 +- drivers/target/target_core_user.c | 73 ++++++++++++---------- drivers/thermal/rcar_thermal.c | 2 +- drivers/thermal/thermal_hwmon.c | 1 + drivers/tty/rocket.c | 2 +- drivers/uio/uio.c | 19 +++--- fs/f2fs/f2fs.h | 15 +++-- fs/f2fs/file.c | 2 +- fs/f2fs/gc.c | 8 ++- fs/f2fs/inline.c | 22 +++++++ fs/f2fs/inode.c | 19 ++++-- fs/f2fs/node.c | 46 ++++++++++---- fs/f2fs/recovery.c | 4 +- fs/f2fs/segment.c | 20 +++++- fs/f2fs/segment.h | 3 + fs/f2fs/super.c | 25 ++++++-- fs/f2fs/sysfs.c | 16 +++-- fs/nfs/callback_proc.c | 4 +- fs/nfs/callback_xdr.c | 11 +++- fs/nfs/nfs4client.c | 6 +- include/linux/mtd/rawnand.h | 16 ++--- include/sound/hdaudio.h | 3 +- include/sound/sb16_csp.h | 2 +- include/uapi/linux/ethtool.h | 4 +- kernel/time/timer.c | 29 +++++---- net/bluetooth/hidp/core.c | 2 +- net/dcb/dcbnl.c | 11 ++-- sound/core/oss/pcm_oss.c | 2 +- sound/hda/hdac_device.c | 2 +- sound/isa/ad1816a/ad1816a_lib.c | 3 +- sound/isa/sb/sb16_csp.c | 6 +- sound/isa/sb/sb16_main.c | 9 ++- sound/isa/wss/wss_lib.c | 2 +- sound/pci/asihpi/asihpi.c | 24 +++---- sound/pci/au88x0/au88x0.h | 2 +- sound/pci/au88x0/au88x0_core.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/pci/riptide/riptide.c | 8 +-- sound/soc/soc-pcm.c | 5 ++ sound/xen/xen_snd_front_alsa.c | 4 +- tools/perf/Makefile.config | 4 +- tools/perf/builtin-c2c.c | 3 + tools/perf/perf.h | 2 + tools/perf/util/evsel.c | 14 +++++ tools/testing/nvdimm/pmem-dax.c | 12 ++-- tools/testing/selftests/bpf/test_verifier.c | 6 +- .../tc-testing/tc-tests/actions/connmark.json | 24 +++---- .../tc-testing/tc-tests/actions/mirred.json | 3 +- 125 files changed, 859 insertions(+), 436 deletions(-) -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAlucAK0ACgkQ3qZv95d3 LNx06BAAiTXS8g1gldKSOwbiSHiu5UJ3yWYf5YD3hFBmf6CZEOrJiIITNiQY3wiE jKsIC1+6FOkLaf+volT+NkpWHedK4OBuzeA6uqck3Z/VK8py99ms0emFXH/gId8V OJ3AAhql0vhP1Hrjf4a/2f2WgFf3dHhrnj+eZdIYIqRtTHXcz5MN9fZOmyseelf6 pf3zg/pR9SpHwFxp9JtS2JwvWqXv9hS40+wtyYq1UUNVrhtxLMtCb1iA1bWwWsqe kceNUDSTGw+zHurd7MGcARaEFFjp1s2uJyzBVqO34mxXhA+xUzXs0VoIuVvtYuNn iO/V41H5Hwuq5GX5eX617ep2pWiWxxKJQbOTqO883E9gdrFWBwDbDDXbdI/pzihA YFFsxwTJ82cgs0yllp7OvvCYquGNKJWP+fXuVvYi9mSvjAL4EAga0nG/bq58wa9z LjaZHdAUKAo1UuwDW6zYeXlI+0SFKB2jSh0sbI5JCZ/BOzEvEApMcwLv23VmpzDk EMoMMyu7osygweuoj9COFScDPrbkDJDOsaRHLmJrjK5JAvJTyFUtHiZKPtO1vU4e SZrXpOQC3dLDDplcl/4iRIxV9QlBh4ycb/z5Tdgx0icz8pD+ICPsERl47ZvsO198 RiYjjGEBXaZ8ZQFgMoj5U+aJ5WEyAeK8K+76+5VWCgO7It6HcHs= =yeXI -----END PGP SIGNATURE-----

6 years, 7 months

2
1
0 0

Re: ubifs: regression since "ubifs: xattr: Don't operate on deleted inodes"

by gregkh＠linuxfoundation.org

adding stable@ for stable kernel issues... On Thu, Sep 13, 2018 at 09:58:35AM +0200, Koen Vandeputte wrote: > Hi all, > > I'm currently in the process of updating the kernel version within OpenWrt. > (4.14.68 to 4.14.69) > > Testing shows some issues on devices using specifically UBIFS. > Altering a perfect valid writable file shows weird errors: > > > [ Node 2 | node-2 ] ls -l /root/custom/scripts/banner.sh > -rwxr-xr-x 1 root root 283 Sep 11 09:52 > /root/custom/scripts/banner.sh > > [ Node 2 | node-2 ] cat /root/custom/scripts/banner.sh > #!/bin/sh > > if [ ! -f /root/.banner_ok ] > then > RELEASE=$(cat /root/build_date) > VERSION=$(cat /root/version) > > echo "Generating banner: $VERSION $RELEASE" > sed s/VERSION/$VERSION/g /root/custom/banner > /etc/banner > sed -i s/RELEASE/$RELEASE/g /etc/banner > > touch /root/.banner_ok > fi > > [ Node 2 | node-2 ] echo "test" > /root/custom/scripts/banner.sh > -ash: can't create /root/custom/scripts/banner.sh: nonexistent directory > > > > I'm also noticing other apps fail because /etc doesn't exists yet after > UBIFS boot loading. > these 2 issues were not seen on 4.14.68. > > The bootlog doesn't show any error: > https://pastebin.com/raw/dJx47uBp > > > I'm only seeing these issues on UBIFS enabled volumes. > Reverting ("ubifs: xattr: Don't operate on deleted inodes") fixes these > weird issues. Do you also have the same problem on Linus's latest tree, or 4.18, with this change in the tree? thanks, greg k-h

6 years, 7 months

5
4
0 0

FAILED: patch "[PATCH] ARC: [plat-axs*]: Enable SWAP" failed to apply to 4.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c83532fb0fe053d2e43e9387354cb1b52ba26427 Mon Sep 17 00:00:00 2001 From: Alexey Brodkin <abrodkin(a)synopsys.com> Date: Thu, 2 Aug 2018 11:50:16 +0300 Subject: [PATCH] ARC: [plat-axs*]: Enable SWAP SWAP support on ARC was fixed earlier by commit 6e3761145a9b ("ARC: Fix CONFIG_SWAP") so now we may safely enable it on platforms that have external media like USB and SD-card. Note: it was already allowed for HSDK Signed-off-by: Alexey Brodkin <abrodkin(a)synopsys.com> Cc: stable(a)vger.kernel.org # 6e3761145a9b: ARC: Fix CONFIG_SWAP Signed-off-by: Vineet Gupta <vgupta(a)synopsys.com> diff --git a/arch/arc/configs/axs101_defconfig b/arch/arc/configs/axs101_defconfig index 41a97eb7598d..41bc08be6a3b 100644 --- a/arch/arc/configs/axs101_defconfig +++ b/arch/arc/configs/axs101_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/arch/arc/configs/axs103_defconfig b/arch/arc/configs/axs103_defconfig index d8e2ca2385cc..1e1c4a8011b5 100644 --- a/arch/arc/configs/axs103_defconfig +++ b/arch/arc/configs/axs103_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/arch/arc/configs/axs103_smp_defconfig b/arch/arc/configs/axs103_smp_defconfig index 1e729b9726cd..6b0c0cfd5c30 100644 --- a/arch/arc/configs/axs103_smp_defconfig +++ b/arch/arc/configs/axs103_smp_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set

6 years, 7 months

2
2
0 0

Re: [PATCH v2] [v2] crypto: aes-generic - fix aes-generic regression on powerpc

by Horia Geanta

On 1/20/2018 2:44 AM, Herbert Xu wrote: > On Mon, Jan 15, 2018 at 05:07:22PM +0100, Arnd Bergmann wrote: >> My last bugfix added -Os on the command line, which unfortunately caused >> a build regression on powerpc in some configurations. >> >> I've done some more analysis of the original problem and found slightly >> different workaround that avoids this regression and also results in >> better performance on gcc-7.0: -fcode-hoisting is an optimization step >> that got added in gcc-7 and that for all gcc-7 versions causes worse >> performance. >> >> This disables -fcode-hoisting on all compilers that understand the option. >> For gcc-7.1 and 7.2 I found the same performance as my previous patch >> (using -Os), in gcc-7.0 it was even better. On gcc-8 I could see no >> change in performance from this patch. In theory, code hoisting should >> not be able make things better for the AES cipher, so leaving it >> disabled for gcc-8 only serves to simplify the Makefile change. >> >> Reported-by: kbuild test robot <fengguang.wu(a)intel.com> >> Link: https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg30418.html >> Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356 >> Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83651 >> Fixes: 148b974deea9 ("crypto: aes-generic - build with -Os on gcc-7+") >> Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> > > Patch applied. Thanks. > This fix ("commit 6e36719fbe90213fbba9f50093fa2d4d69b0e93c upstream") is needed also in 4.14.y stable tree, since it contains commit 7cae67e31292 ("crypto: aes-generic - build with -Os on gcc-7+") Compilation fails without it: crypto/aes_generic.o: In function `crypto_aes_set_key': crypto/aes_generic.c:1300: undefined reference to `_restgpr_31_x' Thanks, Horia

6 years, 7 months

2
1
0 0

[PATCH 4.18 000/197] 4.18.8-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.18.8 release. There are 197 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Sep 15 13:17:57 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.18.8-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.18.8-rc1 Gustavo A. R. Silva <gustavo(a)embeddedor.com> ASoC: wm8994: Fix missing break in switch Robert Munteanu <rombert(a)apache.org> HID: redragon: fix num lock and caps lock LEDs Arnd Bergmann <arnd(a)arndb.de> x86: kvm: avoid unused variable warning Junaid Shahid <junaids(a)google.com> kvm: x86: Set highest physical address bits in non-present/reserved SPTEs Randy Dunlap <rdunlap(a)infradead.org> kbuild: make missing $DEPMOD a Warning instead of an Error Juergen Gross <jgross(a)suse.com> x86/xen: don't write ptes directly in 32-bit PV guests Juergen Gross <jgross(a)suse.com> x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear Joel Fernandes (Google) <joel(a)joelfernandes.org> debugobjects: Make stack check warning more informative Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Don't warn on destroying a pinned BO Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Warn and update pin_size values when destroying a pinned BO Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Make pin_size values atomic Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Keep track of amount of pinned CPU visible VRAM Chuanhua Lei <chuanhua.lei(a)linux.intel.com> x86/tsc: Prevent result truncation on 32bit Jani Nikula <jani.nikula(a)intel.com> drm/i915: set DP Main Stream Attribute for color range on DDI platforms Nadav Amit <namit(a)vmware.com> mm: respect arch_dup_mmap() return value Randy Dunlap <rdunlap(a)infradead.org> uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name Jan-Marek Glogowski <glogow(a)fbihome.de> drm/i915: Re-apply "Perform link quality check, unconditionally during long pulse" Christian König <christian.koenig(a)amd.com> drm/amdgpu: fix incorrect use of drm_file->pid Christian König <christian.koenig(a)amd.com> drm/amdgpu: fix incorrect use of fcheck Likun Gao <Likun.Gao(a)amd.com> drm/amdgpu:add VCN booting with firmware loaded by PSP Likun Gao <Likun.Gao(a)amd.com> drm/amdgpu:add VCN support in PSP driver Likun Gao <Likun.Gao(a)amd.com> drm/amdgpu:add new firmware id for VCN James Zhu <jzhums(a)gmail.com> drm/amdgpu:add tmr mc address into amdgpu_firmware_info James Zhu <jzhums(a)gmail.com> drm/amdgpu: update tmr mc address Mikita Lipski <mikita.lipski(a)amd.com> drm/amd/display: Check if clock source in use before disabling Mikita Lipski <mikita.lipski(a)amd.com> drm/amd/display: Pass connector id when executing VBIOS CT Sandy Huang <hjc(a)rock-chips.com> drm/rockchip: vop: fix irq disabled after vop driver probed Heiko Stuebner <heiko(a)sntech.de> drm/rockchip: vop: split out core clock enablement into separate functions Julia Lawall <Julia.Lawall(a)lip6.fr> drm/rockchip: lvds: add missing of_node_put Harry Wentland <harry.wentland(a)amd.com> drm/amd/display: Report non-DP display as disconnected without EDID Leo (Sunpeng) Li <sunpeng.li(a)amd.com> drm/amd/display: Use requested HDMI aspect ratio Mikita Lipski <mikita.lipski(a)amd.com> drm/amd/display: update clk for various HDMI color depths Mikita Lipski <mikita.lipski(a)amd.com> drm/amd/display: Don't share clk source between DP and HDMI Gustavo A. R. Silva <gustavo(a)embeddedor.com> drm/amd/display: fix type of variable Kai-Heng Feng <kai.heng.feng(a)canonical.com> drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80 Lubosz Sarnecki <lubosz.sarnecki(a)collabora.com> drm/edid: Quirk Vive Pro VR headset non-desktop. Rex Zhu <rex.zhu(a)amd.com> drm/amd/pp/Polaris12: Fix a chunk of registers missed to program Evan Quan <evan.quan(a)amd.com> drm/amd/powerplay: fixed uninitialized value Rex Zhu <rex.zhu(a)amd.com> drm/amd/pp: Convert voltage unit in mV*4 to mV on CZ/ST Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Fix RLC safe mode test in gfx_v9_0_enter_rlc_safe_mode Rex Zhu <rex.zhu(a)amd.com> drm/amdgpu: fix a reversed condition Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: update uvd_v6_0_ring_vm_funcs to use new nop packet Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/i915: Free write_buf that we allocated with kzalloc. Fredrik Schön <fredrikschon(a)gmail.com> drm/i915: Increase LSPCON timeout Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Nuke the LVDS lid notifier Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915/lpe: Mark LPE audio runtime pm as "no callbacks" David Sterba <dsterba(a)suse.com> btrfs: fix mount and ioctl device scan ioctl race David Sterba <dsterba(a)suse.com> btrfs: reorder initialization before the mount locks uuid_mutex David Sterba <dsterba(a)suse.com> btrfs: lift uuid_mutex to callers of btrfs_parse_early_options David Sterba <dsterba(a)suse.com> btrfs: lift uuid_mutex to callers of btrfs_scan_one_device Anand Jain <anand.jain(a)oracle.com> btrfs: use device_list_mutex when removing stale devices Anand Jain <anand.jain(a)oracle.com> btrfs: rename local devices for fs_devices in btrfs_free_stale_devices( Anand Jain <anand.jain(a)oracle.com> btrfs: extend locked section when adding a new device in device_list_add Anand Jain <anand.jain(a)oracle.com> btrfs: do btrfs_free_stale_devices outside of device_list_add Marc Zyngier <marc.zyngier(a)arm.com> ARM: rockchip: Force CONFIG_PM on Rockchip systems Marc Zyngier <marc.zyngier(a)arm.com> arm64: rockchip: Force CONFIG_PM on Rockchip systems Bart Van Assche <bart.vanassche(a)wdc.com> btrfs: Fix a C compliance issue Qu Wenruo <wqu(a)suse.com> btrfs: Don't remove block group that still has pinned down bytes David Sterba <dsterba(a)suse.com> btrfs: lift uuid_mutex to callers of btrfs_open_devices Qu Wenruo <wqu(a)suse.com> btrfs: check-integrity: Fix NULL pointer dereference for degraded mount Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: Detect invalid and empty essential trees Qu Wenruo <wqu(a)suse.com> btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized Anand Jain <anand.jain(a)oracle.com> btrfs: fix in-memory value of total_devices after seed device deletion Misono Tomohiro <misono.tomohiro(a)jp.fujitsu.com> btrfs: replace: Reset on-disk dev stats value after replace Qu Wenruo <wqu(a)suse.com> btrfs: Exit gracefully when chunk map cannot be inserted to the tree Lucas Stach <l.stach(a)pengutronix.de> drm/etnaviv: fix crash in GPU suspend when init failed due to buffer placement Jim Mattson <jmattson(a)google.com> kvm: nVMX: Fix fault vector for VMX operation at CPL > 0 Sean Christopherson <sean.j.christopherson(a)intel.com> KVM: vmx: track host_state.loaded using a loaded_vmcs pointer David Francis <David.Francis(a)amd.com> drm/amd/display: Read back max backlight value at boot Levin Du <djw(a)t-chip.com.cn> clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399 Mahesh Salgaonkar <mahesh(a)linux.vnet.ibm.com> powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX. Masahiro Yamada <yamada.masahiro(a)socionext.com> um: fix parallel building with O= option Michael Ellerman <mpe(a)ellerman.id.au> powerpc/64s: Make rfi_flush_fallback a little more robust Randy Dunlap <rdunlap(a)infradead.org> powerpc/platforms/85xx: fix t1042rdb_diu.c build errors & warning Steve French <stfrench(a)microsoft.com> smb3: if server does not support posix do not allow posix mount option Steve French <stfrench(a)microsoft.com> SMB3: Number of requests sent should be displayed for SMB3 not just CIFS Aurelien Aptel <aaptel(a)suse.com> CIFS: fix memory leak and remove dead code Steve French <stfrench(a)microsoft.com> smb3: fix reset of bytes read and written stats Bart Van Assche <bart.vanassche(a)wdc.com> cfq: Suppress compiler warnings about comparisons YueHaibing <yuehaibing(a)huawei.com> RDS: IB: fix 'passing zero to ERR_PTR()' warning nixiaoming <nixiaoming(a)huawei.com> selinux: cleanup dentry and inodes on error in selinuxfs Breno Leitao <leitao(a)debian.org> selftests/powerpc: Kill child processes on SIGINT Ralf Goebel <ralf.goebel(a)imago-technologies.com> iommu/omap: Fix cache flushes on L2 table entries Matthias Kaehlcke <mka(a)chromium.org> ASoC: rt5677: Fix initialization of rt5677_of_match.data Ian Abbott <abbotti(a)mev.co.uk> staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice John Pittman <jpittman(a)redhat.com> dm kcopyd: avoid softlockup in run_complete_job Thomas Petazzoni <thomas.petazzoni(a)bootlin.com> PCI: mvebu: Fix I/O space end address calculation Roger Pau Monne <roger.pau(a)citrix.com> xen/balloon: fix balloon initialization for PVH Dom0 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: do not use WARN() in input_alloc_absinfo() Wei Yongjun <weiyongjun1(a)huawei.com> NFSv4: Fix error handling in nfs4_sp4_select_mode() Dan Carpenter <dan.carpenter(a)oracle.com> scsi: aic94xx: fix an error code in aic94xx_init() Jianchao Wang <jianchao.w.wang(a)oracle.com> blk-mq: count the hctx as active before allocating tag Hans de Goede <hdegoede(a)redhat.com> ACPI / scan: Initialize status to ACPI_STA_DEFAULT Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix panic for failed online processing Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix hanging offline processing due to canceled worker Winnie Chang <winnie.chang(a)cypress.com> brcmfmac: fix brcmf_wiphy_wowl_params() NULL pointer dereference Greg Edwards <gedwards(a)ddn.com> block: bvec_nr_vecs() returns value for wrong slab Sandipan Das <sandipan(a)linux.ibm.com> perf probe powerpc: Fix trace event post-processing Dan Carpenter <dan.carpenter(a)oracle.com> powerpc: Fix size calculation using resource_size() Michael Ellerman <mpe(a)ellerman.id.au> powerpc/uaccess: Enable get_user(u64, *p) on 32-bit Yonghong Song <yhs(a)fb.com> bpf: fix bpffs non-array map seq_show issue Anton Vasilyev <vasilyev(a)ispras.ru> pinctrl: axp209: Fix NULL pointer dereference after allocation Chao Yu <yuchao0(a)huawei.com> f2fs: fix to clear PG_checked flag in set_page_dirty() Jean-Philippe Brucker <jean-philippe.brucker(a)arm.com> net/9p: fix error path of p9_virtio_probe Tomas Bortoli <tomasbortoli(a)gmail.com> net/9p/trans_fd.c: fix race by holding the lock Jonas Gorski <jonas.gorski(a)gmail.com> irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP Dan Carpenter <dan.carpenter(a)oracle.com> irqchip/stm32: Fix init error handling Palmer Dabbelt <palmer(a)sifive.com> RISC-V: Use KBUILD_CFLAGS instead of KCFLAGS when building the vDSO Chao Yu <yuchao0(a)huawei.com> f2fs: fix avoid race between truncate and background GC Chao Yu <yuchao0(a)huawei.com> f2fs: avoid race between zero_range and background GC Benno Evers <bevers(a)mesosphere.com> perf tools: Check for null when copying nsinfo. Denis Efremov <efremov(a)linux.com> coccicheck: return proper error code on fail Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> drm/amd/display: Guard against null crtc in CRC IRQ Myron Stowe <myron.stowe(a)redhat.com> PCI: Match Root Port's MPS to endpoint's MPSS as necessary Jian Shen <shenjian15(a)huawei.com> net: hns3: Fix for phy link issue when using marvell phy driver Jens Axboe <axboe(a)kernel.dk> block: don't warn for flush on read-only device Xi Wang <wangxi11(a)huawei.com> net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero Kim Phillips <kim.phillips(a)arm.com> perf arm spe: Fix uninitialized record error variable Erik Schmauss <erik.schmauss(a)intel.com> ACPICA: ACPICA: add status check for acpi_hw_read before assigning return value Gal Pressman <pressmangal(a)gmail.com> RDMA/hns: Fix usage of bitmap allocation functions return values Richard Weinberger <richard(a)nod.at> ubi: Initialize Fastmap checkmapping correctly Daniel Borkmann <daniel(a)iogearbox.net> tcp, ulp: add alias for all ulp modules Florian Westphal <fw(a)strlen.de> netfilter: fix memory leaks on netlink_dump_start error Aleh Filipovich <aleh(a)vaolix.com> platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 Michal Hocko <mhocko(a)suse.com> netfilter: x_tables: do not fail xt_alloc_table_info too easilly Guenter Roeck <linux(a)roeck-us.net> mfd: sm501: Set coherent_dma_mask when creating subdevices Tan Hu <tan.hu(a)zte.com.cn> ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() Philipp Rudo <prudo(a)linux.ibm.com> s390/kdump: Fix memleak in nt_vmcoreinfo Florian Westphal <fw(a)strlen.de> netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses Jesper Dangaard Brouer <brouer(a)redhat.com> samples/bpf: all XDP samples should unload xdp/bpf prog on SIGTERM Daniel Borkmann <daniel(a)iogearbox.net> bpf, sockmap: fix leakage of smap_psock_map_entry Tariq Toukan <tariqt(a)mellanox.com> net/xdp: Fix suspicious RCU usage warning Daniel Borkmann <daniel(a)iogearbox.net> bpf, sockmap: fix sock_map_ctx_update_elem race with exist/noexist Daniel Borkmann <daniel(a)iogearbox.net> tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach Daniel Borkmann <daniel(a)iogearbox.net> bpf, sockmap: fix map elem deletion race with smap_stop_sock Randy Dunlap <rdunlap(a)infradead.org> platform/x86: intel_punit_ipc: fix build errors Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() Mike Rapoport <rppt(a)linux.vnet.ibm.com> mm: make DEFERRED_STRUCT_PAGE_INIT explicitly depend on SPARSEMEM Andrey Ryabinin <aryabinin(a)virtuozzo.com> mm/fadvise.c: fix signed overflow UBSAN complaint Srikar Dronamraju <srikar(a)linux.vnet.ibm.com> powerpc/topology: Get topology for shared processors at boot Jerome Brunet <jbrunet(a)baylibre.com> pwm: meson: Fix mux clock names Michael J. Ruhl <michael.j.ruhl(a)intel.com> IB/hfi1: Invalid NUMA node information can cause a divide by zero Hans de Goede <hdegoede(a)redhat.com> i2c: core: ACPI: Make acpi_gsb_i2c_read_bytes() check i2c_transfer return value Arnd Bergmann <arnd(a)arndb.de> x86/mce: Add notifier_block forward declaration Suzuki K Poulose <suzuki.poulose(a)arm.com> virtio: pci-legacy: Validate queue pfn Dan Carpenter <dan.carpenter(a)oracle.com> apparmor: fix an error code in __aa_create_ns() Randy Dunlap <rdunlap(a)infradead.org> scripts: modpost: check memory allocation results Johannes Berg <johannes.berg(a)intel.com> workqueue: re-add lockdep dependencies for flushing Johannes Berg <johannes.berg(a)intel.com> workqueue: skip lockdep wq dependency in cancel_work_sync() OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: validate ->i_start before using James Morse <james.morse(a)arm.com> fs/proc/kcore.c: use __pa_symbol() for KCORE_TEXT list entries Marc Zyngier <marc.zyngier(a)arm.com> iommu/rockchip: Move irq request past pm_runtime_enable Ernesto A. Fernández <ernesto.mnd.fernandez(a)gmail.com> hfsplus: fix NULL dereference in hfsplus_lookup() Marc Zyngier <marc.zyngier(a)arm.com> iommu/rockchip: Handle errors returned from PM framework Arnd Bergmann <arnd(a)arndb.de> reiserfs: change j_timestamp type to time64_t Arnd Bergmann <arnd(a)arndb.de> fs/proc/vmcore.c: hide vmcoredd_mmap_dumps() for nommu builds Jann Horn <jannh(a)google.com> fork: don't copy inconsistent signal handler state to child Laura Abbott <labbott(a)redhat.com> sunrpc: Don't use stack buffer with scatterlist Ernesto A. Fernández <ernesto.mnd.fernandez(a)gmail.com> hfs: prevent crash on exit from failed search Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> hfsplus: don't return 0 when fill_super() failed Ronnie Sahlberg <lsahlber(a)redhat.com> cifs: check if SMB2 PDU size has been padded and suppress the warning Stephen Hemminger <stephen(a)networkplumber.org> hv_netvsc: ignore devices that are not PCI Jason Wang <jasowang(a)redhat.com> vhost: correctly check the iova range when waking virtqueue Ido Schimmel <idosch(a)mellanox.com> mlxsw: spectrum_switchdev: Do not leak RIFs when removing bridge Xin Long <lucien.xin(a)gmail.com> sctp: hold transport before accessing its asoc in sctp_transport_get_next Jakub Kicinski <jakub.kicinski(a)netronome.com> nfp: wait for posted reconfigs when disabling the device Haishuang Yan <yanhaishuang(a)cmss.chinamobile.com> ip6_vti: fix a null pointer deference when destroy vti6 tunnel Haishuang Yan <yanhaishuang(a)cmss.chinamobile.com> ip6_vti: fix creating fallback tunnel device for vti6 Jerome Brunet <jbrunet(a)baylibre.com> Revert "net: stmmac: Do not keep rearming the coalesce timer in stmmac_xmit" Azat Khuzhin <a3at.mail(a)gmail.com> r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices Tariq Toukan <tariqt(a)mellanox.com> net/mlx5: Fix SQ offset in QPs with small RQ David Ahern <dsahern(a)gmail.com> net/ipv6: Put lwtstate when destroying fib6_info David Ahern <dsahern(a)gmail.com> net/ipv6: Only update MTU metric if it set Hangbin Liu <liuhangbin(a)gmail.com> net/ipv6: init ip6 anycast rt->dst.input as ip6_input Alexey Kodanev <alexey.kodanev(a)oracle.com> ipv6: don't get lwtstate twice in ip6_rt_copy_init() Ahmad Fatoum <a.fatoum(a)pengutronix.de> net: macb: Fix regression breaking non-MDIO fixed-link PHYs Xin Long <lucien.xin(a)gmail.com> erspan: set erspan_ver to 1 by default when adding an erspan dev Xin Long <lucien.xin(a)gmail.com> sctp: remove useless start_fail from sctp_ht_iter in proc Haiqing Bai <Haiqing.Bai(a)windriver.com> tipc: fix the big/little endian issue in tipc_dest Dexuan Cui <decui(a)microsoft.com> hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() Cong Wang <xiyou.wangcong(a)gmail.com> tipc: fix a missing rhashtable_walk_exit() Davide Caratti <dcaratti(a)redhat.com> net/sched: act_pedit: fix dump of extended layered op Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Do not adjust max_cp_rings by the ones used by RDMA. Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Clean up unused functions. Vlad Buslov <vladbu(a)mellanox.com> net: sched: action_ife: take reference to meta module Cong Wang <xiyou.wangcong(a)gmail.com> act_ife: fix a potential deadlock Cong Wang <xiyou.wangcong(a)gmail.com> act_ife: move tcfa_lock down to where necessary Alexey Kodanev <alexey.kodanev(a)oracle.com> vti6: remove !skb->ignore_df check from vti6_xmit() Florian Westphal <fw(a)strlen.de> tcp: do not restart timewait timer on rst reception Anthony Wong <anthony.wong(a)ubuntu.com> r8169: add support for NCube 8168 network card Kai-Heng Feng <kai.heng.feng(a)canonical.com> r8152: disable RX aggregation on new Dell TB16 dock Manish Chopra <manish.chopra(a)cavium.com> qlge: Fix netdev features configuration. Kees Cook <keescook(a)chromium.org> net: sched: Fix memory exposure from short TCA_U32_SEL Anssi Hannula <anssi.hannula(a)bitwise.fi> net: macb: do not disable MDIO bus at open/close time Doug Berger <opendmb(a)gmail.com> net: bcmgenet: use MAC link status for fixed phy Eric Dumazet <edumazet(a)google.com> ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state Cong Wang <xiyou.wangcong(a)gmail.com> act_ife: fix a potential use-after-free ------------- Diffstat: Makefile | 4 +- arch/arm/mach-rockchip/Kconfig | 1 + arch/arm64/Kconfig.platforms | 1 + arch/powerpc/include/asm/topology.h | 5 + arch/powerpc/include/asm/uaccess.h | 13 +- arch/powerpc/kernel/exceptions-64s.S | 6 + arch/powerpc/kernel/smp.c | 5 + arch/powerpc/mm/numa.c | 20 +-- arch/powerpc/platforms/85xx/t1042rdb_diu.c | 4 + arch/powerpc/platforms/pseries/ras.c | 2 +- arch/powerpc/sysdev/mpic_msgr.c | 2 +- arch/riscv/kernel/vdso/Makefile | 4 +- arch/s390/kernel/crash_dump.c | 17 ++- arch/um/Makefile | 3 +- arch/x86/include/asm/mce.h | 1 + arch/x86/include/asm/pgtable-3level.h | 7 +- arch/x86/kernel/tsc.c | 4 +- arch/x86/kvm/mmu.c | 43 ++++++- arch/x86/kvm/vmx.c | 26 ++-- arch/x86/kvm/x86.c | 12 +- arch/x86/xen/mmu_pv.c | 7 +- block/bio.c | 2 +- block/blk-core.c | 4 +- block/blk-mq-tag.c | 3 + block/blk-mq.c | 8 +- block/cfq-iosched.c | 22 ++-- drivers/acpi/acpica/hwregs.c | 9 +- drivers/acpi/scan.c | 5 +- drivers/clk/rockchip/clk-rk3399.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 6 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 23 ++-- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 38 ++++-- drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 + drivers/gpu/drm/amd/amdgpu/amdgpu_sched.c | 21 +--- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 17 +-- drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 20 ++- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 3 + drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c | 3 +- drivers/gpu/drm/amd/amdgpu/vcn_v1_0.c | 40 ++++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 10 +- .../gpu/drm/amd/display/dc/bios/command_table.c | 18 +++ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 11 ++ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 68 ++++++++--- drivers/gpu/drm/amd/display/dc/dc.h | 1 + .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 4 +- .../drm/amd/display/dc/dce100/dce100_resource.c | 2 +- .../drm/amd/display/dc/dce110/dce110_compressor.c | 2 +- .../amd/display/dc/dce110/dce110_hw_sequencer.c | 4 +- .../gpu/drm/amd/display/dc/dce80/dce80_resource.c | 3 + drivers/gpu/drm/amd/display/dc/inc/resource.h | 5 + .../gpu/drm/amd/powerplay/hwmgr/smu7_powertune.c | 43 +++++++ drivers/gpu/drm/amd/powerplay/hwmgr/smu8_hwmgr.c | 5 +- drivers/gpu/drm/amd/powerplay/hwmgr/vega12_hwmgr.c | 2 +- drivers/gpu/drm/drm_edid.c | 6 +- drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 1 + drivers/gpu/drm/i915/i915_drv.c | 10 -- drivers/gpu/drm/i915/i915_drv.h | 8 -- drivers/gpu/drm/i915/i915_reg.h | 1 + drivers/gpu/drm/i915/intel_ddi.c | 4 + drivers/gpu/drm/i915/intel_dp.c | 33 ++--- drivers/gpu/drm/i915/intel_hdmi.c | 8 +- drivers/gpu/drm/i915/intel_lpe_audio.c | 4 +- drivers/gpu/drm/i915/intel_lspcon.c | 2 +- drivers/gpu/drm/i915/intel_lvds.c | 136 +-------------------- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 69 +++++++---- drivers/gpu/drm/rockchip/rockchip_lvds.c | 4 +- drivers/hid/hid-redragon.c | 26 +--- drivers/i2c/i2c-core-acpi.c | 8 +- drivers/infiniband/hw/hfi1/affinity.c | 24 +++- drivers/infiniband/hw/hns/hns_roce_pd.c | 2 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 5 +- drivers/input/input.c | 16 ++- drivers/iommu/omap-iommu.c | 4 +- drivers/iommu/rockchip-iommu.c | 45 ++++--- drivers/irqchip/irq-bcm7038-l1.c | 4 + drivers/irqchip/irq-stm32-exti.c | 25 ++-- drivers/md/dm-kcopyd.c | 2 + drivers/mfd/sm501.c | 1 + drivers/mtd/ubi/vtbl.c | 20 +-- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 +- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 7 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 20 --- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h | 1 - drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 + drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +- drivers/net/ethernet/cadence/macb_main.c | 36 ++++-- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 + drivers/net/ethernet/mellanox/mlx5/core/wq.c | 5 +- drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 + .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 11 ++ .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 20 +++ .../net/ethernet/netronome/nfp/nfp_net_common.c | 48 +++++--- drivers/net/ethernet/qlogic/qlge/qlge_main.c | 23 ++-- drivers/net/ethernet/realtek/r8169.c | 7 +- drivers/net/ethernet/stmicro/stmmac/stmmac.h | 1 - drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +- drivers/net/hyperv/netvsc_drv.c | 16 ++- drivers/net/usb/r8152.c | 4 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 8 +- drivers/pci/controller/pci-mvebu.c | 2 +- drivers/pci/probe.c | 12 +- drivers/pinctrl/pinctrl-axp209.c | 26 +++- drivers/platform/x86/asus-nb-wmi.c | 1 + drivers/platform/x86/intel_punit_ipc.c | 1 + drivers/pwm/pwm-meson.c | 3 +- drivers/s390/block/dasd_eckd.c | 10 +- drivers/scsi/aic94xx/aic94xx_init.c | 4 +- drivers/staging/comedi/drivers/ni_mio_common.c | 3 +- drivers/vhost/vhost.c | 2 +- drivers/virtio/virtio_pci_legacy.c | 14 ++- drivers/xen/xen-balloon.c | 2 +- fs/btrfs/check-integrity.c | 7 +- fs/btrfs/dev-replace.c | 6 + fs/btrfs/extent-tree.c | 2 +- fs/btrfs/relocation.c | 23 ++-- fs/btrfs/super.c | 44 ++++--- fs/btrfs/tree-checker.c | 15 ++- fs/btrfs/volumes.c | 94 ++++++++------ fs/cifs/cifs_debug.c | 8 ++ fs/cifs/connect.c | 8 +- fs/cifs/smb2misc.c | 7 ++ fs/cifs/smb2pdu.c | 103 ++++++++-------- fs/dcache.c | 3 +- fs/f2fs/data.c | 8 ++ fs/f2fs/file.c | 48 +++++--- fs/fat/cache.c | 19 +-- fs/fat/fat.h | 5 + fs/fat/fatent.c | 6 +- fs/hfs/brec.c | 7 +- fs/hfsplus/dir.c | 4 +- fs/hfsplus/super.c | 4 +- fs/nfs/nfs4proc.c | 2 +- fs/proc/kcore.c | 4 +- fs/proc/vmcore.c | 2 + fs/reiserfs/reiserfs.h | 2 +- include/linux/pci_ids.h | 2 + include/net/tcp.h | 4 + include/uapi/linux/keyctl.h | 2 +- kernel/bpf/inode.c | 8 +- kernel/bpf/sockmap.c | 120 ++++++++++-------- kernel/fork.c | 5 +- kernel/workqueue.c | 45 ++++--- lib/debugobjects.c | 7 +- mm/Kconfig | 2 +- mm/fadvise.c | 8 +- net/9p/trans_fd.c | 10 +- net/9p/trans_virtio.c | 3 +- net/core/xdp.c | 14 +-- net/ipv4/ip_gre.c | 3 + net/ipv4/tcp_ipv4.c | 6 + net/ipv4/tcp_minisocks.c | 3 +- net/ipv4/tcp_ulp.c | 4 +- net/ipv6/ip6_fib.c | 7 +- net/ipv6/ip6_gre.c | 1 + net/ipv6/ip6_vti.c | 7 +- net/ipv6/netfilter/ip6t_rpfilter.c | 12 +- net/ipv6/route.c | 3 +- net/netfilter/ipvs/ip_vs_core.c | 15 ++- net/netfilter/nf_conntrack_netlink.c | 26 ++-- net/netfilter/nfnetlink_acct.c | 29 ++--- net/netfilter/x_tables.c | 7 +- net/rds/ib_frmr.c | 1 + net/sched/act_ife.c | 78 +++++++----- net/sched/act_pedit.c | 18 ++- net/sched/cls_u32.c | 10 +- net/sctp/proc.c | 8 -- net/sctp/socket.c | 22 ++-- net/sunrpc/auth_gss/gss_krb5_crypto.c | 12 +- net/tipc/name_table.c | 10 +- net/tipc/name_table.h | 9 +- net/tipc/socket.c | 2 + net/tls/tls_main.c | 1 + samples/bpf/xdp_redirect_cpu_user.c | 3 +- samples/bpf/xdp_rxq_info_user.c | 3 +- scripts/coccicheck | 5 +- scripts/depmod.sh | 4 +- scripts/mod/modpost.c | 8 +- security/apparmor/policy_ns.c | 2 +- security/keys/dh.c | 2 +- security/selinux/selinuxfs.c | 33 +++-- sound/soc/codecs/rt5677.c | 2 +- sound/soc/codecs/wm8994.c | 1 + tools/perf/arch/arm64/util/arm-spe.c | 1 + tools/perf/arch/powerpc/util/sym-handling.c | 4 +- tools/perf/util/namespaces.c | 3 + tools/testing/selftests/powerpc/harness.c | 18 ++- 194 files changed, 1498 insertions(+), 954 deletions(-)

6 years, 7 months

4
204
0 0

[PATCH 1/2] Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect()

by kys＠linuxonhyperv.com

From: Dexuan Cui <decui(a)microsoft.com> With CONFIG_DEBUG_PREEMPT=y, I always see this warning: BUG: using smp_processor_id() in preemptible [00000000] Fix the false warning by using get/put_cpu(). Here vmbus_connect() sends a message to the host and waits for the host's response. The host will deliver the response message and an interrupt on CPU msg->target_vcpu, and later the interrupt handler will wake up vmbus_connect(). vmbus_connect() doesn't really have to run on the same cpu as CPU msg->target_vcpu, so it's safe to call put_cpu() just here. Signed-off-by: Dexuan Cui <decui(a)microsoft.com> Cc: stable(a)vger.kernel.org Cc: K. Y. Srinivasan <kys(a)microsoft.com> Cc: Haiyang Zhang <haiyangz(a)microsoft.com> Cc: Stephen Hemminger <sthemmin(a)microsoft.com> Signed-off-by: K. Y. Srinivasan <kys(a)microsoft.com> --- drivers/hv/connection.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index ced041899456..f4d08c8ac7f8 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -76,6 +76,7 @@ static int vmbus_negotiate_version(struct vmbus_channel_msginfo *msginfo, __u32 version) { int ret = 0; + unsigned int cur_cpu; struct vmbus_channel_initiate_contact *msg; unsigned long flags; @@ -118,9 +119,10 @@ static int vmbus_negotiate_version(struct vmbus_channel_msginfo *msginfo, * the CPU attempting to connect may not be CPU 0. */ if (version >= VERSION_WIN8_1) { - msg->target_vcpu = - hv_cpu_number_to_vp_number(smp_processor_id()); - vmbus_connection.connect_cpu = smp_processor_id(); + cur_cpu = get_cpu(); + msg->target_vcpu = hv_cpu_number_to_vp_number(cur_cpu); + vmbus_connection.connect_cpu = cur_cpu; + put_cpu(); } else { msg->target_vcpu = 0; vmbus_connection.connect_cpu = 0; -- 2.18.0

6 years, 7 months

1
0
0 0

[PATCH] dm-mpath: Fix setup_scsi_dh()

by Bart Van Assche

This patch fixes two bugs that got introduced recently in setup_scsi_dh(): - Avoid that a memory leak occurs if attached_handler_name is not assigned to m->hw_handler_name. - Avoid that m->hw_handler_name becomes a dangling pointer if the RETAIN_ATTACHED_HW_HANDLER flag is set and scsi_dh_attach() returns -EBUSY. Fixes: e8f74a0f0011 ("dm mpath: eliminate need to use scsi_device_from_queue") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Cc: Martin K. Petersen <martin.petersen(a)oracle.com> Cc: <stable(a)vger.kernel.org> --- drivers/md/dm-mpath.c | 14 +++++++++----- include/scsi/scsi_device.h | 9 +++++++++ 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c index d94ba6f72ff5..0ba58a537182 100644 --- a/drivers/md/dm-mpath.c +++ b/drivers/md/dm-mpath.c @@ -22,6 +22,7 @@ #include <linux/time.h> #include <linux/workqueue.h> #include <linux/delay.h> +#include <scsi/scsi_device.h> #include <scsi/scsi_dh.h> #include <linux/atomic.h> #include <linux/blk-mq.h> @@ -806,13 +807,15 @@ static int parse_path_selector(struct dm_arg_set *as, struct priority_group *pg, } static int setup_scsi_dh(struct block_device *bdev, struct multipath *m, - const char *attached_handler_name, char **error) + char **error) { struct request_queue *q = bdev_get_queue(bdev); + const char *attached_handler_name; int r; if (test_bit(MPATHF_RETAIN_ATTACHED_HW_HANDLER, &m->flags)) { retain: + attached_handler_name = scsi_dh_attached_handler_name(q, GFP_KERNEL); if (attached_handler_name) { /* * Clear any hw_handler_params associated with a @@ -867,7 +870,7 @@ static struct pgpath *parse_path(struct dm_arg_set *as, struct path_selector *ps struct pgpath *p; struct multipath *m = ti->private; struct request_queue *q; - const char *attached_handler_name; + struct scsi_device *sdev; /* we need at least a path arg */ if (as->argc < 1) { @@ -887,10 +890,11 @@ static struct pgpath *parse_path(struct dm_arg_set *as, struct path_selector *ps } q = bdev_get_queue(p->path.dev->bdev); - attached_handler_name = scsi_dh_attached_handler_name(q, GFP_KERNEL); - if (attached_handler_name || m->hw_handler_name) { + sdev = scsi_device_from_queue(q); + if (sdev) { + put_device(&sdev->sdev_gendev); INIT_DELAYED_WORK(&p->activate_path, activate_path_work); - r = setup_scsi_dh(p->path.dev->bdev, m, attached_handler_name, &ti->error); + r = setup_scsi_dh(p->path.dev->bdev, m, &ti->error); if (r) { dm_put_device(ti, p->path.dev); goto bad; diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h index 202f4d6a4342..1c839089c711 100644 --- a/include/scsi/scsi_device.h +++ b/include/scsi/scsi_device.h @@ -2,6 +2,7 @@ #ifndef _SCSI_SCSI_DEVICE_H #define _SCSI_SCSI_DEVICE_H +#include <linux/kconfig.h> #include <linux/list.h> #include <linux/spinlock.h> #include <linux/workqueue.h> @@ -335,7 +336,15 @@ extern void scsi_remove_device(struct scsi_device *); extern int scsi_unregister_device_handler(struct scsi_device_handler *scsi_dh); void scsi_attach_vpd(struct scsi_device *sdev); +#if IS_ENABLED(CONFIG_SCSI) extern struct scsi_device *scsi_device_from_queue(struct request_queue *q); +#else +static inline struct scsi_device * +scsi_device_from_queue(struct request_queue *q) +{ + return NULL; +} +#endif extern int __must_check scsi_device_get(struct scsi_device *); extern void scsi_device_put(struct scsi_device *); extern struct scsi_device *scsi_device_lookup(struct Scsi_Host *, -- 2.18.0

6 years, 7 months

1
0
0 0

[PATCH AUTOSEL 3.18 01/29] crypto: skcipher - Fix -Wstringop-truncation warnings

by Sasha Levin

From: Stafford Horne <shorne(a)gmail.com> [ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ] As of GCC 9.0.0 the build is reporting warnings like: crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’: crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation] strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sizeof(rblkcipher.geniv)); ~~~~~~~~~~~~~~~~~~~~~~~~~ This means the strnycpy might create a non null terminated string. Fix this by explicitly performing '\0' termination. Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Max Filippov <jcmvbkbc(a)gmail.com> Cc: Eric Biggers <ebiggers3(a)gmail.com> Cc: Nick Desaulniers <nick.desaulniers(a)gmail.com> Signed-off-by: Stafford Horne <shorne(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> --- crypto/ablkcipher.c | 2 ++ crypto/blkcipher.c | 1 + 2 files changed, 3 insertions(+) diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c index 5061d7ad33e4..cad66af5a1ae 100644 --- a/crypto/ablkcipher.c +++ b/crypto/ablkcipher.c @@ -382,6 +382,7 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type)); strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>", sizeof(rblkcipher.geniv)); + rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; @@ -463,6 +464,7 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg) strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type)); strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>", sizeof(rblkcipher.geniv)); + rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c index 5ebfdd0d4543..5ba9916a33c8 100644 --- a/crypto/blkcipher.c +++ b/crypto/blkcipher.c @@ -514,6 +514,7 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type)); strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>", sizeof(rblkcipher.geniv)); + rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; -- 2.17.1

6 years, 7 months

1
28
0 0

[PATCH AUTOSEL 4.4 01/43] crypto: skcipher - Fix -Wstringop-truncation warnings

by Sasha Levin

From: Stafford Horne <shorne(a)gmail.com> [ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ] As of GCC 9.0.0 the build is reporting warnings like: crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’: crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation] strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sizeof(rblkcipher.geniv)); ~~~~~~~~~~~~~~~~~~~~~~~~~ This means the strnycpy might create a non null terminated string. Fix this by explicitly performing '\0' termination. Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Max Filippov <jcmvbkbc(a)gmail.com> Cc: Eric Biggers <ebiggers3(a)gmail.com> Cc: Nick Desaulniers <nick.desaulniers(a)gmail.com> Signed-off-by: Stafford Horne <shorne(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> --- crypto/ablkcipher.c | 2 ++ crypto/blkcipher.c | 1 + 2 files changed, 3 insertions(+) diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c index 149e7a7f04fe..b524f702e658 100644 --- a/crypto/ablkcipher.c +++ b/crypto/ablkcipher.c @@ -384,6 +384,7 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type)); strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>", sizeof(rblkcipher.geniv)); + rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; @@ -465,6 +466,7 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg) strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type)); strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>", sizeof(rblkcipher.geniv)); + rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c index 2d08e59b3212..d524f838eb10 100644 --- a/crypto/blkcipher.c +++ b/crypto/blkcipher.c @@ -515,6 +515,7 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type)); strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>", sizeof(rblkcipher.geniv)); + rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; -- 2.17.1

6 years, 7 months

1
42
0 0

[PATCH] Revert "ubifs: xattr: Don't operate on deleted inodes"

by Richard Weinberger

This reverts commit 11a6fc3dc743e22fb50f2196ec55bee5140d3c52. UBIFS wants to assert that xattr operations are only issued on files with positive link count. The said patch made this operations return -ENOENT for unlinked files such that the asserts will no longer trigger. This was wrong since xattr operations are perfectly fine on unlinked files. Instead the assertions need to be fixed/removed. Cc: <stable(a)vger.kernel.org> Fixes: 11a6fc3dc743 ("ubifs: xattr: Don't operate on deleted inodes") Reported-by: Koen Vandeputte <koen.vandeputte(a)ncentric.com> Signed-off-by: Richard Weinberger <richard(a)nod.at> --- fs/ubifs/xattr.c | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index 61afdfee4b28..f5ad1ede7990 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -152,12 +152,6 @@ static int create_xattr(struct ubifs_info *c, struct inode *host, ui->data_len = size; mutex_lock(&host_ui->ui_mutex); - - if (!host->i_nlink) { - err = -ENOENT; - goto out_noent; - } - host->i_ctime = current_time(host); host_ui->xattr_cnt += 1; host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm)); @@ -190,7 +184,6 @@ static int create_xattr(struct ubifs_info *c, struct inode *host, host_ui->xattr_size -= CALC_XATTR_BYTES(size); host_ui->xattr_names -= fname_len(nm); host_ui->flags &= ~UBIFS_CRYPT_FL; -out_noent: mutex_unlock(&host_ui->ui_mutex); out_free: make_bad_inode(inode); @@ -242,12 +235,6 @@ static int change_xattr(struct ubifs_info *c, struct inode *host, mutex_unlock(&ui->ui_mutex); mutex_lock(&host_ui->ui_mutex); - - if (!host->i_nlink) { - err = -ENOENT; - goto out_noent; - } - host->i_ctime = current_time(host); host_ui->xattr_size -= CALC_XATTR_BYTES(old_size); host_ui->xattr_size += CALC_XATTR_BYTES(size); @@ -269,7 +256,6 @@ static int change_xattr(struct ubifs_info *c, struct inode *host, out_cancel: host_ui->xattr_size -= CALC_XATTR_BYTES(size); host_ui->xattr_size += CALC_XATTR_BYTES(old_size); -out_noent: mutex_unlock(&host_ui->ui_mutex); make_bad_inode(inode); out_free: @@ -496,12 +482,6 @@ static int remove_xattr(struct ubifs_info *c, struct inode *host, return err; mutex_lock(&host_ui->ui_mutex); - - if (!host->i_nlink) { - err = -ENOENT; - goto out_noent; - } - host->i_ctime = current_time(host); host_ui->xattr_cnt -= 1; host_ui->xattr_size -= CALC_DENT_SIZE(fname_len(nm)); @@ -521,7 +501,6 @@ static int remove_xattr(struct ubifs_info *c, struct inode *host, host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm)); host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len); host_ui->xattr_names += fname_len(nm); -out_noent: mutex_unlock(&host_ui->ui_mutex); ubifs_release_budget(c, &req); make_bad_inode(inode); @@ -561,9 +540,6 @@ static int ubifs_xattr_remove(struct inode *host, const char *name) ubifs_assert(c, inode_is_locked(host)); - if (!host->i_nlink) - return -ENOENT; - if (fname_len(&nm) > UBIFS_MAX_NLEN) return -ENAMETOOLONG; -- 2.19.0

6 years, 7 months

1
0
0 0

[PATCH RESEND] tpm: Restore functionality to xen vtpm driver.

by Boris Ostrovsky

From: "Dr. Greg Wettstein" <greg(a)wind.enjellic.com> Functionality of the xen-tpmfront driver was lost secondary to the introduction of xenbus multi-page support in commit ccc9d90a9a8b ("xenbus_client: Extend interface to support multi-page ring"). In this commit a pointer to the shared page address was being passed to the xenbus_grant_ring() function rather then the address of the shared page itself. This resulted in a situation where the driver would attach to the vtpm-stubdom but any attempt to send a command to the stub domain would timeout. A diagnostic finding for this regression is the following error message being generated when the xen-tpmfront driver probes for a device: <3>vtpm vtpm-0: tpm_transmit: tpm_send: error -62 <3>vtpm vtpm-0: A TPM error (-62) occurred attempting to determine the timeouts This fix is relevant to all kernels from 4.1 forward which is the release in which multi-page xenbus support was introduced. Daniel De Graaf formulated the fix by code inspection after the regression point was located. Signed-off-by: Dr. Greg Wettstein <greg(a)enjellic.com> [boris: fixed commit message formatting] Signed-off-by: Boris Ostrovsky <boris.ostrovsky(a)oracle.com> Cc: stable(a)vger.kernel.org # v4.1+ --- We've lost this patch a couple of years ago, re-submitting. drivers/char/tpm/xen-tpmfront.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/tpm/xen-tpmfront.c b/drivers/char/tpm/xen-tpmfront.c index 911475d36800..b150f87f38f5 100644 --- a/drivers/char/tpm/xen-tpmfront.c +++ b/drivers/char/tpm/xen-tpmfront.c @@ -264,7 +264,7 @@ static int setup_ring(struct xenbus_device *dev, struct tpm_private *priv) return -ENOMEM; } - rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref); + rv = xenbus_grant_ring(dev, priv->shr, 1, &gref); if (rv < 0) return rv; -- 2.17.1

6 years, 7 months

3
2
0 0

[PATCH for-4.9.y 00/14] Few upstream fixes from OnePlus6's kernel tree

by Amit Pundir

Hi Greg, For your consideration, few upstream fixes picked up from Qcom's android-4.9 BSP tree for OnePlus 6 device. Cherry-picked and build tested for ARCH=x86_64/mips on v4.9.124. Few patches are applicable for 4.4.y and 3.18.y as well and explicitly marked so respectively. Regards, Amit Pundir Daniel Micay (1): staging/rts5208: Fix read overflow in memcpy Jason A. Donenfeld (1): random: convert get_random_int/long into get_random_u32/u64 Jia-Ju Bai (1): staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page Johannes Berg (1): nl80211: fix null-ptr dereference on invalid mesh configuration Johannes Weiner (1): mm: remove seemingly spurious reclaimability check from laptop_mode gating Kees Cook (1): IB/rxe: do not copy extra stack memory to skb Mel Gorman (1): mm, vmscan: clear PGDAT_WRITEBACK when zone is balanced Michal Hocko (1): selinux: use GFP_NOWAIT in the AVC kmem_caches Prateek Sood (2): locking/rwsem-xadd: Fix missed wakeup due to reordering of load locking/osq_lock: Fix osq_lock queue corruption Ritesh Harjani (1): cfq: Give a chance for arming slice idle timer in case of group_idle Tejun Heo (1): block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg Vegard Nossum (2): kthread: Fix use-after-free if kthread fork fails kthread: fix boot hang (regression) on MIPS/OpenRISC arch/mips/kernel/process.c | 1 - arch/openrisc/kernel/process.c | 2 -- block/blk-cgroup.c | 9 +++--- block/cfq-iosched.c | 6 ++-- drivers/char/random.c | 55 ++++++++++++++++++------------------ drivers/infiniband/sw/rxe/rxe_resp.c | 4 ++- drivers/staging/rts5208/rtsx_scsi.c | 2 +- drivers/staging/rts5208/xd.c | 2 +- include/linux/random.h | 17 +++++++++-- kernel/fork.c | 17 +++++++---- kernel/locking/osq_lock.c | 13 +++++++++ kernel/locking/rwsem-xadd.c | 27 ++++++++++++++++++ mm/vmscan.c | 3 +- net/wireless/nl80211.c | 3 ++ security/selinux/avc.c | 14 ++++----- 15 files changed, 119 insertions(+), 56 deletions(-) -- 2.7.4

6 years, 7 months

2
16
0 0

FAILED: patch "[PATCH] x86/mm: Use WRITE_ONCE() when setting PTEs" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9bc4f28af75a91aea0ae383f50b0a430c4509303 Mon Sep 17 00:00:00 2001 From: Nadav Amit <namit(a)vmware.com> Date: Sun, 2 Sep 2018 11:14:50 -0700 Subject: [PATCH] x86/mm: Use WRITE_ONCE() when setting PTEs When page-table entries are set, the compiler might optimize their assignment by using multiple instructions to set the PTE. This might turn into a security hazard if the user somehow manages to use the interim PTE. L1TF does not make our lives easier, making even an interim non-present PTE a security hazard. Using WRITE_ONCE() to set PTEs and friends should prevent this potential security hazard. I skimmed the differences in the binary with and without this patch. The differences are (obviously) greater when CONFIG_PARAVIRT=n as more code optimizations are possible. For better and worse, the impact on the binary with this patch is pretty small. Skimming the code did not cause anything to jump out as a security hazard, but it seems that at least move_soft_dirty_pte() caused set_pte_at() to use multiple writes. Signed-off-by: Nadav Amit <namit(a)vmware.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Sean Christopherson <sean.j.christopherson(a)intel.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20180902181451.80520-1-namit@vmware.com diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h index e4ffa565a69f..690c0307afed 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -1195,7 +1195,7 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma, return xchg(pmdp, pmd); } else { pmd_t old = *pmdp; - *pmdp = pmd; + WRITE_ONCE(*pmdp, pmd); return old; } } diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h index f773d5e6c8cc..ce2b59047cb8 100644 --- a/arch/x86/include/asm/pgtable_64.h +++ b/arch/x86/include/asm/pgtable_64.h @@ -55,15 +55,15 @@ struct mm_struct; void set_pte_vaddr_p4d(p4d_t *p4d_page, unsigned long vaddr, pte_t new_pte); void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte); -static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr, - pte_t *ptep) +static inline void native_set_pte(pte_t *ptep, pte_t pte) { - *ptep = native_make_pte(0); + WRITE_ONCE(*ptep, pte); } -static inline void native_set_pte(pte_t *ptep, pte_t pte) +static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr, + pte_t *ptep) { - *ptep = pte; + native_set_pte(ptep, native_make_pte(0)); } static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) @@ -73,7 +73,7 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) { - *pmdp = pmd; + WRITE_ONCE(*pmdp, pmd); } static inline void native_pmd_clear(pmd_t *pmd) @@ -109,7 +109,7 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp) static inline void native_set_pud(pud_t *pudp, pud_t pud) { - *pudp = pud; + WRITE_ONCE(*pudp, pud); } static inline void native_pud_clear(pud_t *pud) @@ -137,13 +137,13 @@ static inline void native_set_p4d(p4d_t *p4dp, p4d_t p4d) pgd_t pgd; if (pgtable_l5_enabled() || !IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION)) { - *p4dp = p4d; + WRITE_ONCE(*p4dp, p4d); return; } pgd = native_make_pgd(native_p4d_val(p4d)); pgd = pti_set_user_pgtbl((pgd_t *)p4dp, pgd); - *p4dp = native_make_p4d(native_pgd_val(pgd)); + WRITE_ONCE(*p4dp, native_make_p4d(native_pgd_val(pgd))); } static inline void native_p4d_clear(p4d_t *p4d) @@ -153,7 +153,7 @@ static inline void native_p4d_clear(p4d_t *p4d) static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd) { - *pgdp = pti_set_user_pgtbl(pgdp, pgd); + WRITE_ONCE(*pgdp, pti_set_user_pgtbl(pgdp, pgd)); } static inline void native_pgd_clear(pgd_t *pgd) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index e848a4811785..ae394552fb94 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -269,7 +269,7 @@ static void mop_up_one_pmd(struct mm_struct *mm, pgd_t *pgdp) if (pgd_val(pgd) != 0) { pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd); - *pgdp = native_make_pgd(0); + pgd_clear(pgdp); paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT); pmd_free(mm, pmd); @@ -494,7 +494,7 @@ int ptep_set_access_flags(struct vm_area_struct *vma, int changed = !pte_same(*ptep, entry); if (changed && dirty) - *ptep = entry; + set_pte(ptep, entry); return changed; } @@ -509,7 +509,7 @@ int pmdp_set_access_flags(struct vm_area_struct *vma, VM_BUG_ON(address & ~HPAGE_PMD_MASK); if (changed && dirty) { - *pmdp = entry; + set_pmd(pmdp, entry); /* * We had a write-protection fault here and changed the pmd * to to more permissive. No need to flush the TLB for that, @@ -529,7 +529,7 @@ int pudp_set_access_flags(struct vm_area_struct *vma, unsigned long address, VM_BUG_ON(address & ~HPAGE_PUD_MASK); if (changed && dirty) { - *pudp = entry; + set_pud(pudp, entry); /* * We had a write-protection fault here and changed the pud * to to more permissive. No need to flush the TLB for that,

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] x86/mm: Use WRITE_ONCE() when setting PTEs" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9bc4f28af75a91aea0ae383f50b0a430c4509303 Mon Sep 17 00:00:00 2001 From: Nadav Amit <namit(a)vmware.com> Date: Sun, 2 Sep 2018 11:14:50 -0700 Subject: [PATCH] x86/mm: Use WRITE_ONCE() when setting PTEs When page-table entries are set, the compiler might optimize their assignment by using multiple instructions to set the PTE. This might turn into a security hazard if the user somehow manages to use the interim PTE. L1TF does not make our lives easier, making even an interim non-present PTE a security hazard. Using WRITE_ONCE() to set PTEs and friends should prevent this potential security hazard. I skimmed the differences in the binary with and without this patch. The differences are (obviously) greater when CONFIG_PARAVIRT=n as more code optimizations are possible. For better and worse, the impact on the binary with this patch is pretty small. Skimming the code did not cause anything to jump out as a security hazard, but it seems that at least move_soft_dirty_pte() caused set_pte_at() to use multiple writes. Signed-off-by: Nadav Amit <namit(a)vmware.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Sean Christopherson <sean.j.christopherson(a)intel.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20180902181451.80520-1-namit@vmware.com diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h index e4ffa565a69f..690c0307afed 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -1195,7 +1195,7 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma, return xchg(pmdp, pmd); } else { pmd_t old = *pmdp; - *pmdp = pmd; + WRITE_ONCE(*pmdp, pmd); return old; } } diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h index f773d5e6c8cc..ce2b59047cb8 100644 --- a/arch/x86/include/asm/pgtable_64.h +++ b/arch/x86/include/asm/pgtable_64.h @@ -55,15 +55,15 @@ struct mm_struct; void set_pte_vaddr_p4d(p4d_t *p4d_page, unsigned long vaddr, pte_t new_pte); void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte); -static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr, - pte_t *ptep) +static inline void native_set_pte(pte_t *ptep, pte_t pte) { - *ptep = native_make_pte(0); + WRITE_ONCE(*ptep, pte); } -static inline void native_set_pte(pte_t *ptep, pte_t pte) +static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr, + pte_t *ptep) { - *ptep = pte; + native_set_pte(ptep, native_make_pte(0)); } static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) @@ -73,7 +73,7 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte) static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) { - *pmdp = pmd; + WRITE_ONCE(*pmdp, pmd); } static inline void native_pmd_clear(pmd_t *pmd) @@ -109,7 +109,7 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp) static inline void native_set_pud(pud_t *pudp, pud_t pud) { - *pudp = pud; + WRITE_ONCE(*pudp, pud); } static inline void native_pud_clear(pud_t *pud) @@ -137,13 +137,13 @@ static inline void native_set_p4d(p4d_t *p4dp, p4d_t p4d) pgd_t pgd; if (pgtable_l5_enabled() || !IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION)) { - *p4dp = p4d; + WRITE_ONCE(*p4dp, p4d); return; } pgd = native_make_pgd(native_p4d_val(p4d)); pgd = pti_set_user_pgtbl((pgd_t *)p4dp, pgd); - *p4dp = native_make_p4d(native_pgd_val(pgd)); + WRITE_ONCE(*p4dp, native_make_p4d(native_pgd_val(pgd))); } static inline void native_p4d_clear(p4d_t *p4d) @@ -153,7 +153,7 @@ static inline void native_p4d_clear(p4d_t *p4d) static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd) { - *pgdp = pti_set_user_pgtbl(pgdp, pgd); + WRITE_ONCE(*pgdp, pti_set_user_pgtbl(pgdp, pgd)); } static inline void native_pgd_clear(pgd_t *pgd) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index e848a4811785..ae394552fb94 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -269,7 +269,7 @@ static void mop_up_one_pmd(struct mm_struct *mm, pgd_t *pgdp) if (pgd_val(pgd) != 0) { pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd); - *pgdp = native_make_pgd(0); + pgd_clear(pgdp); paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT); pmd_free(mm, pmd); @@ -494,7 +494,7 @@ int ptep_set_access_flags(struct vm_area_struct *vma, int changed = !pte_same(*ptep, entry); if (changed && dirty) - *ptep = entry; + set_pte(ptep, entry); return changed; } @@ -509,7 +509,7 @@ int pmdp_set_access_flags(struct vm_area_struct *vma, VM_BUG_ON(address & ~HPAGE_PMD_MASK); if (changed && dirty) { - *pmdp = entry; + set_pmd(pmdp, entry); /* * We had a write-protection fault here and changed the pmd * to to more permissive. No need to flush the TLB for that, @@ -529,7 +529,7 @@ int pudp_set_access_flags(struct vm_area_struct *vma, unsigned long address, VM_BUG_ON(address & ~HPAGE_PUD_MASK); if (changed && dirty) { - *pudp = entry; + set_pud(pudp, entry); /* * We had a write-protection fault here and changed the pud * to to more permissive. No need to flush the TLB for that,

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] x86/process: Don't mix user/kernel regs in 64bit" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9fe6299dde587788f245e9f7a5a1b296fad4e8c7 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Fri, 31 Aug 2018 21:41:51 +0200 Subject: [PATCH] x86/process: Don't mix user/kernel regs in 64bit __show_regs() When the kernel.print-fatal-signals sysctl has been enabled, a simple userspace crash will cause the kernel to write a crash dump that contains, among other things, the kernel gsbase into dmesg. As suggested by Andy, limit output to pt_regs, FS_BASE and KERNEL_GS_BASE in this case. This also moves the bitness-specific logic from show_regs() into process_{32,64}.c. Fixes: 45807a1df9f5 ("vdso: print fatal signals") Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bpetkov(a)suse.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20180831194151.123586-1-jannh@google.com diff --git a/arch/x86/include/asm/kdebug.h b/arch/x86/include/asm/kdebug.h index 395c9631e000..75f1e35e7c15 100644 --- a/arch/x86/include/asm/kdebug.h +++ b/arch/x86/include/asm/kdebug.h @@ -22,10 +22,20 @@ enum die_val { DIE_NMIUNKNOWN, }; +enum show_regs_mode { + SHOW_REGS_SHORT, + /* + * For when userspace crashed, but we don't think it's our fault, and + * therefore don't print kernel registers. + */ + SHOW_REGS_USER, + SHOW_REGS_ALL +}; + extern void die(const char *, struct pt_regs *,long); extern int __must_check __die(const char *, struct pt_regs *, long); extern void show_stack_regs(struct pt_regs *regs); -extern void __show_regs(struct pt_regs *regs, int all); +extern void __show_regs(struct pt_regs *regs, enum show_regs_mode); extern void show_iret_regs(struct pt_regs *regs); extern unsigned long oops_begin(void); extern void oops_end(unsigned long, struct pt_regs *, int signr); diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c index f56895106ccf..2b5886401e5f 100644 --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -146,7 +146,7 @@ static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs, * they can be printed in the right context. */ if (!partial && on_stack(info, regs, sizeof(*regs))) { - __show_regs(regs, 0); + __show_regs(regs, SHOW_REGS_SHORT); } else if (partial && on_stack(info, (void *)regs + IRET_FRAME_OFFSET, IRET_FRAME_SIZE)) { @@ -344,7 +344,7 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr) oops_exit(); /* Executive summary in case the oops scrolled away */ - __show_regs(&exec_summary_regs, true); + __show_regs(&exec_summary_regs, SHOW_REGS_ALL); if (!signr) return; @@ -407,14 +407,9 @@ void die(const char *str, struct pt_regs *regs, long err) void show_regs(struct pt_regs *regs) { - bool all = true; - show_regs_print_info(KERN_DEFAULT); - if (IS_ENABLED(CONFIG_X86_32)) - all = !user_mode(regs); - - __show_regs(regs, all); + __show_regs(regs, user_mode(regs) ? SHOW_REGS_USER : SHOW_REGS_ALL); /* * When in-kernel, we also print out the stack at the time of the fault.. diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c index 2924fd447e61..5046a3c9dec2 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -59,7 +59,7 @@ #include <asm/intel_rdt_sched.h> #include <asm/proto.h> -void __show_regs(struct pt_regs *regs, int all) +void __show_regs(struct pt_regs *regs, enum show_regs_mode mode) { unsigned long cr0 = 0L, cr2 = 0L, cr3 = 0L, cr4 = 0L; unsigned long d0, d1, d2, d3, d6, d7; @@ -85,7 +85,7 @@ void __show_regs(struct pt_regs *regs, int all) printk(KERN_DEFAULT "DS: %04x ES: %04x FS: %04x GS: %04x SS: %04x EFLAGS: %08lx\n", (u16)regs->ds, (u16)regs->es, (u16)regs->fs, gs, ss, regs->flags); - if (!all) + if (mode != SHOW_REGS_ALL) return; cr0 = read_cr0(); diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index a451bc374b9b..ea5ea850348d 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -62,7 +62,7 @@ __visible DEFINE_PER_CPU(unsigned long, rsp_scratch); /* Prints also some state that isn't saved in the pt_regs */ -void __show_regs(struct pt_regs *regs, int all) +void __show_regs(struct pt_regs *regs, enum show_regs_mode mode) { unsigned long cr0 = 0L, cr2 = 0L, cr3 = 0L, cr4 = 0L, fs, gs, shadowgs; unsigned long d0, d1, d2, d3, d6, d7; @@ -87,9 +87,17 @@ void __show_regs(struct pt_regs *regs, int all) printk(KERN_DEFAULT "R13: %016lx R14: %016lx R15: %016lx\n", regs->r13, regs->r14, regs->r15); - if (!all) + if (mode == SHOW_REGS_SHORT) return; + if (mode == SHOW_REGS_USER) { + rdmsrl(MSR_FS_BASE, fs); + rdmsrl(MSR_KERNEL_GS_BASE, shadowgs); + printk(KERN_DEFAULT "FS: %016lx GS: %016lx\n", + fs, shadowgs); + return; + } + asm("movl %%ds,%0" : "=r" (ds)); asm("movl %%cs,%0" : "=r" (cs)); asm("movl %%es,%0" : "=r" (es));

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] x86/process: Don't mix user/kernel regs in 64bit" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9fe6299dde587788f245e9f7a5a1b296fad4e8c7 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Fri, 31 Aug 2018 21:41:51 +0200 Subject: [PATCH] x86/process: Don't mix user/kernel regs in 64bit __show_regs() When the kernel.print-fatal-signals sysctl has been enabled, a simple userspace crash will cause the kernel to write a crash dump that contains, among other things, the kernel gsbase into dmesg. As suggested by Andy, limit output to pt_regs, FS_BASE and KERNEL_GS_BASE in this case. This also moves the bitness-specific logic from show_regs() into process_{32,64}.c. Fixes: 45807a1df9f5 ("vdso: print fatal signals") Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bpetkov(a)suse.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20180831194151.123586-1-jannh@google.com diff --git a/arch/x86/include/asm/kdebug.h b/arch/x86/include/asm/kdebug.h index 395c9631e000..75f1e35e7c15 100644 --- a/arch/x86/include/asm/kdebug.h +++ b/arch/x86/include/asm/kdebug.h @@ -22,10 +22,20 @@ enum die_val { DIE_NMIUNKNOWN, }; +enum show_regs_mode { + SHOW_REGS_SHORT, + /* + * For when userspace crashed, but we don't think it's our fault, and + * therefore don't print kernel registers. + */ + SHOW_REGS_USER, + SHOW_REGS_ALL +}; + extern void die(const char *, struct pt_regs *,long); extern int __must_check __die(const char *, struct pt_regs *, long); extern void show_stack_regs(struct pt_regs *regs); -extern void __show_regs(struct pt_regs *regs, int all); +extern void __show_regs(struct pt_regs *regs, enum show_regs_mode); extern void show_iret_regs(struct pt_regs *regs); extern unsigned long oops_begin(void); extern void oops_end(unsigned long, struct pt_regs *, int signr); diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c index f56895106ccf..2b5886401e5f 100644 --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -146,7 +146,7 @@ static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs, * they can be printed in the right context. */ if (!partial && on_stack(info, regs, sizeof(*regs))) { - __show_regs(regs, 0); + __show_regs(regs, SHOW_REGS_SHORT); } else if (partial && on_stack(info, (void *)regs + IRET_FRAME_OFFSET, IRET_FRAME_SIZE)) { @@ -344,7 +344,7 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr) oops_exit(); /* Executive summary in case the oops scrolled away */ - __show_regs(&exec_summary_regs, true); + __show_regs(&exec_summary_regs, SHOW_REGS_ALL); if (!signr) return; @@ -407,14 +407,9 @@ void die(const char *str, struct pt_regs *regs, long err) void show_regs(struct pt_regs *regs) { - bool all = true; - show_regs_print_info(KERN_DEFAULT); - if (IS_ENABLED(CONFIG_X86_32)) - all = !user_mode(regs); - - __show_regs(regs, all); + __show_regs(regs, user_mode(regs) ? SHOW_REGS_USER : SHOW_REGS_ALL); /* * When in-kernel, we also print out the stack at the time of the fault.. diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c index 2924fd447e61..5046a3c9dec2 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -59,7 +59,7 @@ #include <asm/intel_rdt_sched.h> #include <asm/proto.h> -void __show_regs(struct pt_regs *regs, int all) +void __show_regs(struct pt_regs *regs, enum show_regs_mode mode) { unsigned long cr0 = 0L, cr2 = 0L, cr3 = 0L, cr4 = 0L; unsigned long d0, d1, d2, d3, d6, d7; @@ -85,7 +85,7 @@ void __show_regs(struct pt_regs *regs, int all) printk(KERN_DEFAULT "DS: %04x ES: %04x FS: %04x GS: %04x SS: %04x EFLAGS: %08lx\n", (u16)regs->ds, (u16)regs->es, (u16)regs->fs, gs, ss, regs->flags); - if (!all) + if (mode != SHOW_REGS_ALL) return; cr0 = read_cr0(); diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index a451bc374b9b..ea5ea850348d 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -62,7 +62,7 @@ __visible DEFINE_PER_CPU(unsigned long, rsp_scratch); /* Prints also some state that isn't saved in the pt_regs */ -void __show_regs(struct pt_regs *regs, int all) +void __show_regs(struct pt_regs *regs, enum show_regs_mode mode) { unsigned long cr0 = 0L, cr2 = 0L, cr3 = 0L, cr4 = 0L, fs, gs, shadowgs; unsigned long d0, d1, d2, d3, d6, d7; @@ -87,9 +87,17 @@ void __show_regs(struct pt_regs *regs, int all) printk(KERN_DEFAULT "R13: %016lx R14: %016lx R15: %016lx\n", regs->r13, regs->r14, regs->r15); - if (!all) + if (mode == SHOW_REGS_SHORT) return; + if (mode == SHOW_REGS_USER) { + rdmsrl(MSR_FS_BASE, fs); + rdmsrl(MSR_KERNEL_GS_BASE, shadowgs); + printk(KERN_DEFAULT "FS: %016lx GS: %016lx\n", + fs, shadowgs); + return; + } + asm("movl %%ds,%0" : "=r" (ds)); asm("movl %%cs,%0" : "=r" (cs)); asm("movl %%es,%0" : "=r" (es));

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] x86/process: Don't mix user/kernel regs in 64bit" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9fe6299dde587788f245e9f7a5a1b296fad4e8c7 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Fri, 31 Aug 2018 21:41:51 +0200 Subject: [PATCH] x86/process: Don't mix user/kernel regs in 64bit __show_regs() When the kernel.print-fatal-signals sysctl has been enabled, a simple userspace crash will cause the kernel to write a crash dump that contains, among other things, the kernel gsbase into dmesg. As suggested by Andy, limit output to pt_regs, FS_BASE and KERNEL_GS_BASE in this case. This also moves the bitness-specific logic from show_regs() into process_{32,64}.c. Fixes: 45807a1df9f5 ("vdso: print fatal signals") Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov <bpetkov(a)suse.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20180831194151.123586-1-jannh@google.com diff --git a/arch/x86/include/asm/kdebug.h b/arch/x86/include/asm/kdebug.h index 395c9631e000..75f1e35e7c15 100644 --- a/arch/x86/include/asm/kdebug.h +++ b/arch/x86/include/asm/kdebug.h @@ -22,10 +22,20 @@ enum die_val { DIE_NMIUNKNOWN, }; +enum show_regs_mode { + SHOW_REGS_SHORT, + /* + * For when userspace crashed, but we don't think it's our fault, and + * therefore don't print kernel registers. + */ + SHOW_REGS_USER, + SHOW_REGS_ALL +}; + extern void die(const char *, struct pt_regs *,long); extern int __must_check __die(const char *, struct pt_regs *, long); extern void show_stack_regs(struct pt_regs *regs); -extern void __show_regs(struct pt_regs *regs, int all); +extern void __show_regs(struct pt_regs *regs, enum show_regs_mode); extern void show_iret_regs(struct pt_regs *regs); extern unsigned long oops_begin(void); extern void oops_end(unsigned long, struct pt_regs *, int signr); diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c index f56895106ccf..2b5886401e5f 100644 --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -146,7 +146,7 @@ static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs, * they can be printed in the right context. */ if (!partial && on_stack(info, regs, sizeof(*regs))) { - __show_regs(regs, 0); + __show_regs(regs, SHOW_REGS_SHORT); } else if (partial && on_stack(info, (void *)regs + IRET_FRAME_OFFSET, IRET_FRAME_SIZE)) { @@ -344,7 +344,7 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr) oops_exit(); /* Executive summary in case the oops scrolled away */ - __show_regs(&exec_summary_regs, true); + __show_regs(&exec_summary_regs, SHOW_REGS_ALL); if (!signr) return; @@ -407,14 +407,9 @@ void die(const char *str, struct pt_regs *regs, long err) void show_regs(struct pt_regs *regs) { - bool all = true; - show_regs_print_info(KERN_DEFAULT); - if (IS_ENABLED(CONFIG_X86_32)) - all = !user_mode(regs); - - __show_regs(regs, all); + __show_regs(regs, user_mode(regs) ? SHOW_REGS_USER : SHOW_REGS_ALL); /* * When in-kernel, we also print out the stack at the time of the fault.. diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c index 2924fd447e61..5046a3c9dec2 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -59,7 +59,7 @@ #include <asm/intel_rdt_sched.h> #include <asm/proto.h> -void __show_regs(struct pt_regs *regs, int all) +void __show_regs(struct pt_regs *regs, enum show_regs_mode mode) { unsigned long cr0 = 0L, cr2 = 0L, cr3 = 0L, cr4 = 0L; unsigned long d0, d1, d2, d3, d6, d7; @@ -85,7 +85,7 @@ void __show_regs(struct pt_regs *regs, int all) printk(KERN_DEFAULT "DS: %04x ES: %04x FS: %04x GS: %04x SS: %04x EFLAGS: %08lx\n", (u16)regs->ds, (u16)regs->es, (u16)regs->fs, gs, ss, regs->flags); - if (!all) + if (mode != SHOW_REGS_ALL) return; cr0 = read_cr0(); diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index a451bc374b9b..ea5ea850348d 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -62,7 +62,7 @@ __visible DEFINE_PER_CPU(unsigned long, rsp_scratch); /* Prints also some state that isn't saved in the pt_regs */ -void __show_regs(struct pt_regs *regs, int all) +void __show_regs(struct pt_regs *regs, enum show_regs_mode mode) { unsigned long cr0 = 0L, cr2 = 0L, cr3 = 0L, cr4 = 0L, fs, gs, shadowgs; unsigned long d0, d1, d2, d3, d6, d7; @@ -87,9 +87,17 @@ void __show_regs(struct pt_regs *regs, int all) printk(KERN_DEFAULT "R13: %016lx R14: %016lx R15: %016lx\n", regs->r13, regs->r14, regs->r15); - if (!all) + if (mode == SHOW_REGS_SHORT) return; + if (mode == SHOW_REGS_USER) { + rdmsrl(MSR_FS_BASE, fs); + rdmsrl(MSR_KERNEL_GS_BASE, shadowgs); + printk(KERN_DEFAULT "FS: %016lx GS: %016lx\n", + fs, shadowgs); + return; + } + asm("movl %%ds,%0" : "=r" (ds)); asm("movl %%cs,%0" : "=r" (cs)); asm("movl %%es,%0" : "=r" (es));

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] ARC: [plat-axs*]: Enable SWAP" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c83532fb0fe053d2e43e9387354cb1b52ba26427 Mon Sep 17 00:00:00 2001 From: Alexey Brodkin <abrodkin(a)synopsys.com> Date: Thu, 2 Aug 2018 11:50:16 +0300 Subject: [PATCH] ARC: [plat-axs*]: Enable SWAP SWAP support on ARC was fixed earlier by commit 6e3761145a9b ("ARC: Fix CONFIG_SWAP") so now we may safely enable it on platforms that have external media like USB and SD-card. Note: it was already allowed for HSDK Signed-off-by: Alexey Brodkin <abrodkin(a)synopsys.com> Cc: stable(a)vger.kernel.org # 6e3761145a9b: ARC: Fix CONFIG_SWAP Signed-off-by: Vineet Gupta <vgupta(a)synopsys.com> diff --git a/arch/arc/configs/axs101_defconfig b/arch/arc/configs/axs101_defconfig index 41a97eb7598d..41bc08be6a3b 100644 --- a/arch/arc/configs/axs101_defconfig +++ b/arch/arc/configs/axs101_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/arch/arc/configs/axs103_defconfig b/arch/arc/configs/axs103_defconfig index d8e2ca2385cc..1e1c4a8011b5 100644 --- a/arch/arc/configs/axs103_defconfig +++ b/arch/arc/configs/axs103_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/arch/arc/configs/axs103_smp_defconfig b/arch/arc/configs/axs103_smp_defconfig index 1e729b9726cd..6b0c0cfd5c30 100644 --- a/arch/arc/configs/axs103_smp_defconfig +++ b/arch/arc/configs/axs103_smp_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] ARC: [plat-axs*]: Enable SWAP" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c83532fb0fe053d2e43e9387354cb1b52ba26427 Mon Sep 17 00:00:00 2001 From: Alexey Brodkin <abrodkin(a)synopsys.com> Date: Thu, 2 Aug 2018 11:50:16 +0300 Subject: [PATCH] ARC: [plat-axs*]: Enable SWAP SWAP support on ARC was fixed earlier by commit 6e3761145a9b ("ARC: Fix CONFIG_SWAP") so now we may safely enable it on platforms that have external media like USB and SD-card. Note: it was already allowed for HSDK Signed-off-by: Alexey Brodkin <abrodkin(a)synopsys.com> Cc: stable(a)vger.kernel.org # 6e3761145a9b: ARC: Fix CONFIG_SWAP Signed-off-by: Vineet Gupta <vgupta(a)synopsys.com> diff --git a/arch/arc/configs/axs101_defconfig b/arch/arc/configs/axs101_defconfig index 41a97eb7598d..41bc08be6a3b 100644 --- a/arch/arc/configs/axs101_defconfig +++ b/arch/arc/configs/axs101_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/arch/arc/configs/axs103_defconfig b/arch/arc/configs/axs103_defconfig index d8e2ca2385cc..1e1c4a8011b5 100644 --- a/arch/arc/configs/axs103_defconfig +++ b/arch/arc/configs/axs103_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/arch/arc/configs/axs103_smp_defconfig b/arch/arc/configs/axs103_smp_defconfig index 1e729b9726cd..6b0c0cfd5c30 100644 --- a/arch/arc/configs/axs103_smp_defconfig +++ b/arch/arc/configs/axs103_smp_defconfig @@ -1,4 +1,3 @@ -# CONFIG_SWAP is not set CONFIG_SYSVIPC=y CONFIG_POSIX_MQUEUE=y # CONFIG_CROSS_MEMORY_ATTACH is not set

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] KVM: x86: Do not re-{try, execute} after failed emulation in" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6c3dfeb6a48b1562bd5b8ec5f3317ef34d0134ef Mon Sep 17 00:00:00 2001 From: Sean Christopherson <sean.j.christopherson(a)intel.com> Date: Thu, 23 Aug 2018 13:56:51 -0700 Subject: [PATCH] KVM: x86: Do not re-{try,execute} after failed emulation in L2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit a6f177efaa58 ("KVM: Reenter guest after emulation failure if due to access to non-mmio address") added reexecute_instruction() to handle the scenario where two (or more) vCPUS race to write a shadowed page, i.e. reexecute_instruction() is intended to return true if and only if the instruction being emulated was accessing a shadowed page. As L0 is only explicitly shadowing L1 tables, an emulation failure of a nested VM instruction cannot be due to a race to write a shadowed page and so should never be re-executed. This fixes an issue where an "MMIO" emulation failure[1] in L2 is all but guaranteed to result in an infinite loop when TDP is enabled. Because "cr2" is actually an L2 GPA when TDP is enabled, calling kvm_mmu_gva_to_gpa_write() to translate cr2 in the non-direct mapped case (L2 is never direct mapped) will almost always yield UNMAPPED_GVA and cause reexecute_instruction() to immediately return true. The !mmio_info_in_cache() check in kvm_mmu_page_fault() doesn't catch this case because mmio_info_in_cache() returns false for a nested MMU (the MMIO caching currently handles L1 only, e.g. to cache nested guests' GPAs we'd have to manually flush the cache when switching between VMs and when L1 updated its page tables controlling the nested guest). Way back when, commit 68be0803456b ("KVM: x86: never re-execute instruction with enabled tdp") changed reexecute_instruction() to always return false when using TDP under the assumption that KVM would only get into the emulator for MMIO. Commit 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp") effectively reverted that behavior in order to handle the scenario where emulation failed due to an access from L1 to the shadow page tables for L2, but it didn't account for the case where emulation failed in L2 with TDP enabled. All of the above logic also applies to retry_instruction(), added by commit 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions"). An indefinite loop in retry_instruction() should be impossible as it protects against retrying the same instruction over and over, but it's still correct to not retry an L2 instruction in the first place. Fix the immediate issue by adding a check for a nested guest when determining whether or not to allow retry in kvm_mmu_page_fault(). In addition to fixing the immediate bug, add WARN_ON_ONCE in the retry functions since they are not designed to handle nested cases, i.e. they need to be modified even if there is some scenario in the future where we want to allow retrying a nested guest. [1] This issue was encountered after commit 3a2936dedd20 ("kvm: mmu: Don't expose private memslots to L2") changed the page fault path to return KVM_PFN_NOSLOT when translating an L2 access to a prive memslot. Returning KVM_PFN_NOSLOT is semantically correct when we want to hide a memslot from L2, i.e. there effectively is no defined memory region for L2, but it has the unfortunate side effect of making KVM think the GFN is a MMIO page, thus triggering emulation. The failure occurred with in-development code that deliberately exposed a private memslot to L2, which L2 accessed with an instruction that is not emulated by KVM. Fixes: 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp") Fixes: 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions") Signed-off-by: Sean Christopherson <sean.j.christopherson(a)intel.com> Cc: Jim Mattson <jmattson(a)google.com> Cc: Krish Sadhukhan <krish.sadhukhan(a)oracle.com> Cc: Xiao Guangrong <xiaoguangrong(a)tencent.com> Cc: stable(a)vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index 01fb8701ccd0..f7e83b1e0eb2 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -5264,9 +5264,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, * re-execute the instruction that caused the page fault. Do not allow * retrying MMIO emulation, as it's not only pointless but could also * cause us to enter an infinite loop because the processor will keep - * faulting on the non-existent MMIO address. + * faulting on the non-existent MMIO address. Retrying an instruction + * from a nested guest is also pointless and dangerous as we are only + * explicitly shadowing L1's page tables, i.e. unprotecting something + * for L1 isn't going to magically fix whatever issue cause L2 to fail. */ - if (!mmio_info_in_cache(vcpu, cr2, direct)) + if (!mmio_info_in_cache(vcpu, cr2, direct) && !is_guest_mode(vcpu)) emulation_type = EMULTYPE_ALLOW_RETRY; emulate: /* diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 924ce28723c4..cbe2921e972b 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -5873,6 +5873,9 @@ static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t cr2, if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) return false; + if (WARN_ON_ONCE(is_guest_mode(vcpu))) + return false; + if (!vcpu->arch.mmu.direct_map) { /* * Write permission should be allowed since only @@ -5961,6 +5964,9 @@ static bool retry_instruction(struct x86_emulate_ctxt *ctxt, if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) return false; + if (WARN_ON_ONCE(is_guest_mode(vcpu))) + return false; + if (x86_page_table_writing_insn(ctxt)) return false;

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] KVM: x86: Do not re-{try, execute} after failed emulation in" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6c3dfeb6a48b1562bd5b8ec5f3317ef34d0134ef Mon Sep 17 00:00:00 2001 From: Sean Christopherson <sean.j.christopherson(a)intel.com> Date: Thu, 23 Aug 2018 13:56:51 -0700 Subject: [PATCH] KVM: x86: Do not re-{try,execute} after failed emulation in L2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit a6f177efaa58 ("KVM: Reenter guest after emulation failure if due to access to non-mmio address") added reexecute_instruction() to handle the scenario where two (or more) vCPUS race to write a shadowed page, i.e. reexecute_instruction() is intended to return true if and only if the instruction being emulated was accessing a shadowed page. As L0 is only explicitly shadowing L1 tables, an emulation failure of a nested VM instruction cannot be due to a race to write a shadowed page and so should never be re-executed. This fixes an issue where an "MMIO" emulation failure[1] in L2 is all but guaranteed to result in an infinite loop when TDP is enabled. Because "cr2" is actually an L2 GPA when TDP is enabled, calling kvm_mmu_gva_to_gpa_write() to translate cr2 in the non-direct mapped case (L2 is never direct mapped) will almost always yield UNMAPPED_GVA and cause reexecute_instruction() to immediately return true. The !mmio_info_in_cache() check in kvm_mmu_page_fault() doesn't catch this case because mmio_info_in_cache() returns false for a nested MMU (the MMIO caching currently handles L1 only, e.g. to cache nested guests' GPAs we'd have to manually flush the cache when switching between VMs and when L1 updated its page tables controlling the nested guest). Way back when, commit 68be0803456b ("KVM: x86: never re-execute instruction with enabled tdp") changed reexecute_instruction() to always return false when using TDP under the assumption that KVM would only get into the emulator for MMIO. Commit 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp") effectively reverted that behavior in order to handle the scenario where emulation failed due to an access from L1 to the shadow page tables for L2, but it didn't account for the case where emulation failed in L2 with TDP enabled. All of the above logic also applies to retry_instruction(), added by commit 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions"). An indefinite loop in retry_instruction() should be impossible as it protects against retrying the same instruction over and over, but it's still correct to not retry an L2 instruction in the first place. Fix the immediate issue by adding a check for a nested guest when determining whether or not to allow retry in kvm_mmu_page_fault(). In addition to fixing the immediate bug, add WARN_ON_ONCE in the retry functions since they are not designed to handle nested cases, i.e. they need to be modified even if there is some scenario in the future where we want to allow retrying a nested guest. [1] This issue was encountered after commit 3a2936dedd20 ("kvm: mmu: Don't expose private memslots to L2") changed the page fault path to return KVM_PFN_NOSLOT when translating an L2 access to a prive memslot. Returning KVM_PFN_NOSLOT is semantically correct when we want to hide a memslot from L2, i.e. there effectively is no defined memory region for L2, but it has the unfortunate side effect of making KVM think the GFN is a MMIO page, thus triggering emulation. The failure occurred with in-development code that deliberately exposed a private memslot to L2, which L2 accessed with an instruction that is not emulated by KVM. Fixes: 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp") Fixes: 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions") Signed-off-by: Sean Christopherson <sean.j.christopherson(a)intel.com> Cc: Jim Mattson <jmattson(a)google.com> Cc: Krish Sadhukhan <krish.sadhukhan(a)oracle.com> Cc: Xiao Guangrong <xiaoguangrong(a)tencent.com> Cc: stable(a)vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index 01fb8701ccd0..f7e83b1e0eb2 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -5264,9 +5264,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, * re-execute the instruction that caused the page fault. Do not allow * retrying MMIO emulation, as it's not only pointless but could also * cause us to enter an infinite loop because the processor will keep - * faulting on the non-existent MMIO address. + * faulting on the non-existent MMIO address. Retrying an instruction + * from a nested guest is also pointless and dangerous as we are only + * explicitly shadowing L1's page tables, i.e. unprotecting something + * for L1 isn't going to magically fix whatever issue cause L2 to fail. */ - if (!mmio_info_in_cache(vcpu, cr2, direct)) + if (!mmio_info_in_cache(vcpu, cr2, direct) && !is_guest_mode(vcpu)) emulation_type = EMULTYPE_ALLOW_RETRY; emulate: /* diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 924ce28723c4..cbe2921e972b 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -5873,6 +5873,9 @@ static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t cr2, if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) return false; + if (WARN_ON_ONCE(is_guest_mode(vcpu))) + return false; + if (!vcpu->arch.mmu.direct_map) { /* * Write permission should be allowed since only @@ -5961,6 +5964,9 @@ static bool retry_instruction(struct x86_emulate_ctxt *ctxt, if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) return false; + if (WARN_ON_ONCE(is_guest_mode(vcpu))) + return false; + if (x86_page_table_writing_insn(ctxt)) return false;

6 years, 7 months

1
0
0 0

FAILED: patch "[PATCH] KVM: x86: Do not re-{try, execute} after failed emulation in" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6c3dfeb6a48b1562bd5b8ec5f3317ef34d0134ef Mon Sep 17 00:00:00 2001 From: Sean Christopherson <sean.j.christopherson(a)intel.com> Date: Thu, 23 Aug 2018 13:56:51 -0700 Subject: [PATCH] KVM: x86: Do not re-{try,execute} after failed emulation in L2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit a6f177efaa58 ("KVM: Reenter guest after emulation failure if due to access to non-mmio address") added reexecute_instruction() to handle the scenario where two (or more) vCPUS race to write a shadowed page, i.e. reexecute_instruction() is intended to return true if and only if the instruction being emulated was accessing a shadowed page. As L0 is only explicitly shadowing L1 tables, an emulation failure of a nested VM instruction cannot be due to a race to write a shadowed page and so should never be re-executed. This fixes an issue where an "MMIO" emulation failure[1] in L2 is all but guaranteed to result in an infinite loop when TDP is enabled. Because "cr2" is actually an L2 GPA when TDP is enabled, calling kvm_mmu_gva_to_gpa_write() to translate cr2 in the non-direct mapped case (L2 is never direct mapped) will almost always yield UNMAPPED_GVA and cause reexecute_instruction() to immediately return true. The !mmio_info_in_cache() check in kvm_mmu_page_fault() doesn't catch this case because mmio_info_in_cache() returns false for a nested MMU (the MMIO caching currently handles L1 only, e.g. to cache nested guests' GPAs we'd have to manually flush the cache when switching between VMs and when L1 updated its page tables controlling the nested guest). Way back when, commit 68be0803456b ("KVM: x86: never re-execute instruction with enabled tdp") changed reexecute_instruction() to always return false when using TDP under the assumption that KVM would only get into the emulator for MMIO. Commit 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp") effectively reverted that behavior in order to handle the scenario where emulation failed due to an access from L1 to the shadow page tables for L2, but it didn't account for the case where emulation failed in L2 with TDP enabled. All of the above logic also applies to retry_instruction(), added by commit 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions"). An indefinite loop in retry_instruction() should be impossible as it protects against retrying the same instruction over and over, but it's still correct to not retry an L2 instruction in the first place. Fix the immediate issue by adding a check for a nested guest when determining whether or not to allow retry in kvm_mmu_page_fault(). In addition to fixing the immediate bug, add WARN_ON_ONCE in the retry functions since they are not designed to handle nested cases, i.e. they need to be modified even if there is some scenario in the future where we want to allow retrying a nested guest. [1] This issue was encountered after commit 3a2936dedd20 ("kvm: mmu: Don't expose private memslots to L2") changed the page fault path to return KVM_PFN_NOSLOT when translating an L2 access to a prive memslot. Returning KVM_PFN_NOSLOT is semantically correct when we want to hide a memslot from L2, i.e. there effectively is no defined memory region for L2, but it has the unfortunate side effect of making KVM think the GFN is a MMIO page, thus triggering emulation. The failure occurred with in-development code that deliberately exposed a private memslot to L2, which L2 accessed with an instruction that is not emulated by KVM. Fixes: 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp") Fixes: 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions") Signed-off-by: Sean Christopherson <sean.j.christopherson(a)intel.com> Cc: Jim Mattson <jmattson(a)google.com> Cc: Krish Sadhukhan <krish.sadhukhan(a)oracle.com> Cc: Xiao Guangrong <xiaoguangrong(a)tencent.com> Cc: stable(a)vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index 01fb8701ccd0..f7e83b1e0eb2 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -5264,9 +5264,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, * re-execute the instruction that caused the page fault. Do not allow * retrying MMIO emulation, as it's not only pointless but could also * cause us to enter an infinite loop because the processor will keep - * faulting on the non-existent MMIO address. + * faulting on the non-existent MMIO address. Retrying an instruction + * from a nested guest is also pointless and dangerous as we are only + * explicitly shadowing L1's page tables, i.e. unprotecting something + * for L1 isn't going to magically fix whatever issue cause L2 to fail. */ - if (!mmio_info_in_cache(vcpu, cr2, direct)) + if (!mmio_info_in_cache(vcpu, cr2, direct) && !is_guest_mode(vcpu)) emulation_type = EMULTYPE_ALLOW_RETRY; emulate: /* diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 924ce28723c4..cbe2921e972b 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -5873,6 +5873,9 @@ static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t cr2, if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) return false; + if (WARN_ON_ONCE(is_guest_mode(vcpu))) + return false; + if (!vcpu->arch.mmu.direct_map) { /* * Write permission should be allowed since only @@ -5961,6 +5964,9 @@ static bool retry_instruction(struct x86_emulate_ctxt *ctxt, if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) return false; + if (WARN_ON_ONCE(is_guest_mode(vcpu))) + return false; + if (x86_page_table_writing_insn(ctxt)) return false;

6 years, 7 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2018