On Fri, Jan 18, 2019 at 07:48:59AM -0800, tip-bot for Jiaxun Yang wrote:
> Commit-ID: 0237199186e7a4aa5310741f0a6498a20c820fd7
> Gitweb: https://git.kernel.org/tip/0237199186e7a4aa5310741f0a6498a20c820fd7
> Author: Jiaxun Yang <jiaxun.yang(a)flygoat.com>
> AuthorDate: Tue, 20 Nov 2018 11:00:18 +0800
> Committer: Borislav Petkov <bp(a)suse.de>
> CommitDate: Fri, 18 Jan 2019 16:44:03 +0100
>
> x86/CPU/AMD: Set the CPB bit unconditionally on F17h
>
> Some F17h models do not have CPB set in CPUID even though the CPU
> supports it. Set the feature bit unconditionally on all F17h.
>
> [ bp: Rewrite commit message and patch. ]
>
> Signed-off-by: Jiaxun Yang <jiaxun.yang(a)flygoat.com>
> Signed-off-by: Borislav Petkov <bp(a)suse.de>
> Acked-by: Tom Lendacky <thomas.lendacky(a)amd.com>
> Cc: "H. Peter Anvin" <hpa(a)zytor.com>
> Cc: Ingo Molnar <mingo(a)redhat.com>
> Cc: Sherry Hurwitz <sherry.hurwitz(a)amd.com>
> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com>
> Cc: Thomas Gleixner <tglx(a)linutronix.de>
> Cc: x86-ml <x86(a)kernel.org>
> Link: https://lkml.kernel.org/r/20181120030018.5185-1-jiaxun.yang@flygoat.com
> ---
> arch/x86/kernel/cpu/amd.c | 8 +++-----
> 1 file changed, 3 insertions(+), 5 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index 69f6bbb41be0..01004bfb1a1b 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -819,11 +819,9 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
> static void init_amd_zn(struct cpuinfo_x86 *c)
> {
> set_cpu_cap(c, X86_FEATURE_ZEN);
> - /*
> - * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
> - * all up to and including B1.
> - */
> - if (c->x86_model <= 1 && c->x86_stepping <= 1)
> +
> + /* Fix erratum 1076: CPB feature bit not being set in CPUID. */
> + if (!cpu_has(c, X86_FEATURE_CPB))
> set_cpu_cap(c, X86_FEATURE_CPB);
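Review bot: the `if (!cpu_has(c, X86_FEATURE_CPB))` guard added in this hunk is redundant; set_cpu_cap() only sets a bit, so setting it when it is already set is harmless, and dropping the guard would also match the "unconditionally" wording of the subject. If the guard stays for readability, the comment should record why the `c->x86_model <= 1 && c->x86_stepping <= 1` gate went away (per the commit message, models outside that range also lack the bit in CPUID), because "Fix erratum 1076" on its own no longer explains applying the workaround to every F17h part.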
Stable folks, please take this one above into those stable trees which
have backported
f7f3dc00f612 ("x86/cpu/AMD: Fix erratum 1076 (CPB bit)")
Thx.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
When we get an interrupt for a channel program, it is not
necessarily the final interrupt; for example, the issuing
guest may request an intermediate interrupt by specifying
the program-controlled-interrupt flag on a ccw.
We must not switch the state to idle if the interrupt is not
yet final; even more importantly, we must not free the translated
channel program if the interrupt is not yet final, or the host
can crash during cp rewind.
Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
Cc: stable(a)vger.kernel.org # v4.12+
Reviewed-by: Eric Farman <farman(a)linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck(a)redhat.com>
---
drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
index a10cec0e86eb..0b3b9de45c60 100644
--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -72,20 +72,24 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
{
struct vfio_ccw_private *private;
struct irb *irb;
+ bool is_final;
private = container_of(work, struct vfio_ccw_private, io_work);
irb = &private->irb;
+ is_final = !(scsw_actl(&irb->scsw) &
+ (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
if (scsw_is_solicited(&irb->scsw)) {
cp_update_scsw(&private->cp, &irb->scsw);
- cp_free(&private->cp);
+ if (is_final)
+ cp_free(&private->cp);
}
memcpy(private->io_region->irb_area, irb, sizeof(*irb));
if (private->io_trigger)
eventfd_signal(private->io_trigger, 1);
- if (private->mdev)
+ if (private->mdev && is_final)
private->state = VFIO_CCW_STATE_IDLE;
}
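Review bot: cp_free() in this hunk is only reachable on the scsw_is_solicited() path, so if the last interrupt for the program arrives with the activity bits clear but unsolicited, the translated channel program is not freed here even though `private->state` still goes to VFIO_CCW_STATE_IDLE; please confirm the cp is released elsewhere in that case, or move the `if (is_final) cp_free(&private->cp);` out of the solicited branch. Separately, the IRB is still copied into io_region->irb_area and io_trigger signalled for intermediate interrupts, so a short comment that userspace now sees each intermediate IRB but must not start a new I/O until the final one would document the new behaviour.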
--
2.17.2
When we get an interrupt for a channel program, it is not
necessarily the final interrupt; for example, the issuing
guest may request an intermediate interrupt by specifying
the program-controlled-interrupt flag on a ccw.
We must not switch the state to idle if the interrupt is not
yet final; even more importantly, we must not free the translated
channel program if the interrupt is not yet final, or the host
can crash during cp rewind.
Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
Cc: stable(a)vger.kernel.org # v4.12+
Signed-off-by: Cornelia Huck <cohuck(a)redhat.com>
---
Previously part of "vfio-ccw: rework ssch state handling". Please review,
I plan to send a pull req asap.
---
drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
index a10cec0e86eb..0b3b9de45c60 100644
--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -72,20 +72,24 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
{
struct vfio_ccw_private *private;
struct irb *irb;
+ bool is_final;
private = container_of(work, struct vfio_ccw_private, io_work);
irb = &private->irb;
+ is_final = !(scsw_actl(&irb->scsw) &
+ (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
if (scsw_is_solicited(&irb->scsw)) {
cp_update_scsw(&private->cp, &irb->scsw);
- cp_free(&private->cp);
+ if (is_final)
+ cp_free(&private->cp);
}
memcpy(private->io_region->irb_area, irb, sizeof(*irb));
if (private->io_trigger)
eventfd_signal(private->io_trigger, 1);
- if (private->mdev)
+ if (private->mdev && is_final)
private->state = VFIO_CCW_STATE_IDLE;
}
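Review bot: the `is_final = !(scsw_actl(&irb->scsw) & (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));` test is evaluated for every interrupt, solicited or not, and the reason those two activity bits are the criterion (an intermediate interrupt, such as one requested via the program-controlled-interrupt flag, leaves the subchannel and/or device active) lives only in the commit message; a one-line comment above the assignment would keep that rationale next to the mask, and would make it clear that "final" here deliberately means "no further activity pending" rather than "channel program ended".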
--
2.17.2
Please could the following change be applied to the stable trees:
commit 47bb117911b051bbc90764a8bff96543cbd2005f
Author: Alistair Strachan <astrachan(a)google.com>
Date: Tue Dec 18 20:32:48 2018 -0500
media: uvcvideo: Fix 'type' check leading to overflow
This change applies cleanly to 3.18+. It is in Linus's tree.
This change fixes a potential buffer overflow if a specially crafted
USB video device is attached to a system with kernel support for
uvcvideo. (I mistakenly did not Cc: stable@ with the original change.)
Thanks!
From: Eric Biggers <ebiggers(a)google.com>
If drm_gem_handle_create() fails in vkms_gem_create(), then the
vkms_gem_object is freed twice: once when the reference is dropped by
drm_gem_object_put_unlocked(), and again by the extra calls to
drm_gem_object_release() and kfree().
Fix it by skipping the second release and free.
This bug was originally found in the vgem driver by syzkaller using
fault injection, but I noticed it's also present in the vkms driver.
Fixes: 559e50fd34d1 ("drm/vkms: Add dumb operations")
Cc: Rodrigo Siqueira <rodrigosiqueiramelo(a)gmail.com>
Cc: Haneen Mohammed <hamohammed.sa(a)gmail.com>
Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch>
Cc: Chris Wilson <chris(a)chris-wilson.co.uk>
Cc: stable(a)vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers(a)google.com>
---
drivers/gpu/drm/vkms/vkms_gem.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c
index 138b0bb325cf9..69048e73377dc 100644
--- a/drivers/gpu/drm/vkms/vkms_gem.c
+++ b/drivers/gpu/drm/vkms/vkms_gem.c
@@ -111,11 +111,8 @@ struct drm_gem_object *vkms_gem_create(struct drm_device *dev,
ret = drm_gem_handle_create(file, &obj->gem, handle);
drm_gem_object_put_unlocked(&obj->gem);
- if (ret) {
- drm_gem_object_release(&obj->gem);
- kfree(obj);
+ if (ret)
return ERR_PTR(ret);
- }
return &obj->gem;
}
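Review bot: the fix is correct only because the `drm_gem_object_put_unlocked(&obj->gem);` immediately before `if (ret)` drops the reference vkms_gem_create() holds, so on the failure path the object is already released by that put and nothing may touch obj afterwards; the removed drm_gem_object_release()/kfree(obj) pair was a second release of the same object. A brief comment stating that after handle creation the handle, not the caller, owns the reference (so the put is also correct on the success path that returns `&obj->gem`) would make this ordering less fragile for the next reader, since the same put-before-error-check pattern is what hid the double free.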
--
2.21.0.rc2.261.ga7da99ff1b-goog