2022-06-24 21:19 GMT+09:00, Anton Altaparmakov <anton(a)tuxera.com>:
> Hi,
>
> On 24 Jun 2022, at 03:33, Namjae Jeon <linkinjeon(a)kernel.org> wrote:
>
> 2022-06-24 2:08 GMT+09:00, Eric Biggers <ebiggers(a)kernel.org>:
> On Thu, Jun 23, 2022 at 09:49:56AM +0000, cgel.zte(a)gmail.com wrote:
> From: xu xin <xu.xin16(a)zte.com.cn>
>
> As the bug description at
> https://lore.kernel.org/lkml/20220623033635.973929-1-xu.xin16@zte.com.cn/
> attackers can use this bug to crash the system.
>
> So to avoid panic, remove the BUG_ON, and use ntfs_warning to output a
> warning to the syslog and return instead until someone really solves
> the problem.
>
> Cc: stable(a)vger.kernel.org
> Reported-by: Zeal Robot <zealci(a)zte.com.cn>
> Reported-by: syzbot+6a5a7672f663cce8b156(a)syzkaller.appspotmail.com
> Reviewed-by: Songyi Zhang <zhang.songyi(a)zte.com.cn>
> Reviewed-by: Yang Yang <yang.yang29(a)zte.com.cn>
> Reviewed-by: Jiang Xuexin<jiang.xuexin(a)zte.com.cn>
> Reviewed-by: Zhang wenya<zhang.wenya1(a)zte.com.cn>
> Signed-off-by: xu xin <xu.xin16(a)zte.com.cn>
> ---
>
> Change for v2:
> - Use ntfs_warning instead of WARN().
> - Add the tag Cc: stable(a)vger.kernel.org.
> ---
> fs/ntfs/aops.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
> index 5f4fb6ca6f2e..84d68efb4ace 100644
> --- a/fs/ntfs/aops.c
> +++ b/fs/ntfs/aops.c
> @@ -183,7 +183,12 @@ static int ntfs_read_block(struct page *page)
> vol = ni->vol;
>
> /* $MFT/$DATA must have its complete runlist in memory at all times. */
> - BUG_ON(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni));
> + if (unlikely(!ni->runlist.rl && !ni->mft_no && !NInoAttr(ni))) {
> + ntfs_warning(vi->i_sb, "Error because ni->runlist.rl, ni->mft_no, "
> + "and NInoAttr(ni) is null.");
> + unlock_page(page);
> + return -EINVAL;
> + }
>
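Review bot: The warning text in the new if block reports ni->mft_no and NInoAttr(ni) being null as part of the error, but going by the comment above the check those two terms only identify the inode as $MFT/$DATA; the actual fault is the missing ni->runlist.rl. A message that names that condition in filesystem terms would be easier to act on from the syslog. The block also returns -EINVAL for a state of the volume rather than a bad argument from the caller; the commit message should say why that code was chosen and why returning here is safe, given the comment says the runlist must be present at all times.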
> A better warning message that doesn't rely on implementation details
> (struct field and macro names) would be "Runlist of $MFT/$DATA is not
> cached". Also, why does this situation happen in the first place? Is
> there a way to prevent this situation in the first place?
>
> ntfs_mapping_pairs_decompress() should return error pointer instead of
> NULL.
>
> Callers are checking error value using IS_ERR(). And the mapping pairs
> array of @MFT entry is empty, I think it's corrupted, it should cause
> mount failure.
>
> NAK
>
> Sorry but this patch is incorrect. It is perfectly valid to have an empty
> non-resident attribute. E.g. if you truncate a file to zero size this is
> exactly what you will get on-disk and when you then unmount and mount next
> time and try to access that file with your patch you will now get an -EIO
> error trying to access the file and you will not be able to write to the
> file nor truncate it as you will keep getting the i/o error.
Sorry, I can't reproduce the issue you described?
root@linkinjeon-Z10PA-D8-Series:/mnt/test# ls -al
total 5928
drwx------ 1 root root 4096 6월 24 23:01 .
drwxr-xr-x 7 root root 4096 5월 29 12:47 ..
-rw------- 1 root root 6059409 9월 22 2020 foo
drwx------ 1 root root 0 6월 24 22:30 'System Volume Information'
root@linkinjeon-Z10PA-D8-Series:/mnt/test# truncate -s 0 foo
root@linkinjeon-Z10PA-D8-Series:/mnt/test# ls -al
total 8
drwx------ 1 root root 4096 6월 24 23:01 .
drwxr-xr-x 7 root root 4096 5월 29 12:47 ..
-rw------- 1 root root 0 6월 24 23:11 foo
drwx------ 1 root root 0 6월 24 22:30 'System Volume Information'
root@linkinjeon-Z10PA-D8-Series:/mnt/test# cd ..
root@linkinjeon-Z10PA-D8-Series:/mnt# sudo umount /mnt/test
root@linkinjeon-Z10PA-D8-Series:/mnt# sudo mount -t ntfs /dev/sde2 /mnt/test/
root@linkinjeon-Z10PA-D8-Series:/mnt# cd /mnt/test/
root@linkinjeon-Z10PA-D8-Series:/mnt/test# cat foo
root@linkinjeon-Z10PA-D8-Series:/mnt/test# truncate -s 1048576 foo
root@linkinjeon-Z10PA-D8-Series:/mnt/test# ls -al
total 1032
drwx------ 1 root root 4096 6월 24 23:01 .
drwxr-xr-x 7 root root 4096 5월 29 12:47 ..
-rw------- 1 root root 1048576 6월 24 23:12 foo
drwx------ 1 root root 0 6월 24 22:30 'System Volume Information'
root@linkinjeon-Z10PA-D8-Series:/mnt/test# echo "hello world" > foo
root@linkinjeon-Z10PA-D8-Series:/mnt/test# cat foo
hello world
>
> The correct solution is to use IS_ERR_OR_NULL() in places where an empty
> attribute is not acceptable. Such a case is for example when mounting the
> $MFT::$DATA::unnamed attribute cannot be empty which should then be
> addressed inside in fs/ntfs/inode.c::ntfs_read_inode_mount(). There may be
> more call sites to ntfs_mapping_pairs_decompress() which require similar
> treatment. Need to go through the code to see...
I think that it is needed everywhere that calls it. Am I missing something?
I can not understand why the below code is needed in
ntfs_mapping_pairs_decompress().

	/* If the mapping pairs array is valid but empty, nothing to do. */
	if (!vcn && !*buf) {
		return old_rl;
	}

There is no description in the patch, and this code is not in
ntfs_mapping_pairs_decompress() in ntfs-3g. Is there any case the
caller gets NULL runlist pointer from ntfs_mapping_pairs_decompress()
in current ntfs code?

NTFS: Fix handling of valid but empty mapping pairs array in
fs/ntfs/runlist.c::ntfs_mapping_pairs_decompress().
Signed-off-by: Anton Altaparmakov <aia21(a)cantab.net>
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/f…
>
> Best regards,
>
> Anton
>
>
> I haven't checked if this patch fixes the problem. Xu, can you check it?
>
> diff --git a/fs/ntfs/runlist.c b/fs/ntfs/runlist.c
> index 97932fb5179c..31263fe0772f 100644
> --- a/fs/ntfs/runlist.c
> +++ b/fs/ntfs/runlist.c
> @@ -766,8 +766,11 @@ runlist_element
> *ntfs_mapping_pairs_decompress(const ntfs_volume *vol,
> return ERR_PTR(-EIO);
> }
> /* If the mapping pairs array is valid but empty, nothing to do. */
> - if (!vcn && !*buf)
> + if (!vcn && !*buf) {
> + if (!old_rl)
> + return ERR_PTR(-EIO);
> return old_rl;
> + }
> /* Current position in runlist array. */
> rlpos = 0;
> /* Allocate first page and set current runlist size to one page. */
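Review bot: Returning ERR_PTR(-EIO) for !old_rl contradicts the comment directly above the test, which calls this array valid but empty; with this change every caller that passes no existing runlist gets an I/O error for an input the function itself treats as well-formed. If only some callers cannot accept an empty result, the check belongs at those call sites, and the comment here needs updating if the semantics of the function do change.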
>
>
> - Eric
>
>
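
The disagreement in this thread is about where an empty mapping pairs array should become an error. As an added example (a userspace model, not code from the kernel or from anyone in the thread), the C program below models the behaviour described in the NAK: a decoder that returns NULL for a valid but empty array, one caller that accepts that and one that rejects it with IS_ERR_OR_NULL(). The decoder, its one-byte input format, the strict flag and the load_* helpers are hypothetical; the ERR_PTR helpers are reimplemented here for userspace.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins modelled on the kernel's ERR_PTR helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline bool IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct run { long vcn, lcn, len; };	/* simplified runlist element */

/*
 * Hypothetical decoder. Constructed input format: first byte 0x00 is a
 * valid but empty array, 0xff is malformed, anything else is a run length.
 * strict=true models the proposed change (empty + no old runlist => -EIO).
 */
static struct run *decompress(const unsigned char *buf, struct run *old_rl,
			      bool strict)
{
	static struct run one;

	if (*buf == 0xff)
		return ERR_PTR(-EIO);
	if (!*buf) {
		if (strict && !old_rl)
			return ERR_PTR(-EIO);
		return old_rl;		/* NULL when nothing was cached */
	}
	one = (struct run){ 0, 100, *buf };
	return &one;
}

/* Ordinary file: only a decode error is fatal, an empty result is accepted. */
static int load_file_data(const unsigned char *buf, bool strict)
{
	struct run *rl = decompress(buf, NULL, strict);
	return IS_ERR(rl) ? (int)PTR_ERR(rl) : 0;
}

/* $MFT/$DATA at mount: an empty runlist is unusable, so reject NULL as well. */
static int load_mft_data(const unsigned char *buf)
{
	struct run *rl = decompress(buf, NULL, false);
	if (IS_ERR_OR_NULL(rl))
		return rl ? (int)PTR_ERR(rl) : -EIO;
	return 0;
}

int main(void)
{
	const unsigned char empty[] = { 0x00 }, valid[] = { 0x08 };
	printf("file, empty, current:  %d\n", load_file_data(empty, false));
	printf("file, empty, strict:   %d\n", load_file_data(empty, true));
	printf("$MFT, empty:           %d\n", load_mft_data(empty));
	printf("$MFT, valid:           %d\n", load_mft_data(valid));
	return 0;
}
```

In this model the strict decoder turns the empty-file case into -EIO for every caller, while the call-site check rejects only the $MFT case.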

The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------
From cb995f4eeba9d268fd4b56c2423ad6c1d1ea1b82 Mon Sep 17 00:00:00 2001
From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org>
Date: Fri, 17 Jun 2022 20:00:17 -0400
Subject: [PATCH] filemap: Handle sibling entries in filemap_get_read_batch()

If a read races with an invalidation followed by another read, it is
possible for a folio to be replaced with a higher-order folio. If that
happens, we'll see a sibling entry for the new folio in the next iteration
of the loop. This manifests as a NULL pointer dereference while holding
the RCU read lock.

Handle this by simply returning. The next call will find the new folio
and handle it correctly. The other ways of handling this rare race are
more complex and it's just not worth it.

Reported-by: Dave Chinner <david(a)fromorbit.com>
Reported-by: Brian Foster <bfoster(a)redhat.com>
Debugged-by: Brian Foster <bfoster(a)redhat.com>
Tested-by: Brian Foster <bfoster(a)redhat.com>
Reviewed-by: Brian Foster <bfoster(a)redhat.com>
Fixes: cbd59c48ae2b ("mm/filemap: use head pages in generic_file_buffered_read")
Cc: stable(a)vger.kernel.org
Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org>
diff --git a/mm/filemap.c b/mm/filemap.c
index 577068868449..ffdfbc8b0e3c 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2385,6 +2385,8 @@ static void filemap_get_read_batch(struct address_space *mapping,
continue;
if (xas.xa_index > max || xa_is_value(folio))
break;
+ if (xa_is_sibling(folio))
+ break;
if (!folio_try_get_rcu(folio))
goto retry;
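Review bot: The added xa_is_sibling(folio) test has no comment, and nothing at this point in the loop says why a sibling entry can appear or why breaking out, rather than taking the goto retry path used two lines below, is the right response. A short comment carrying the reasoning from the commit message (the folio was replaced by a higher-order one and the next call will find it) would keep the check from looking redundant later.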

When fixing the CAN clock frequency,
fb12797ab1fe ("can: kvaser_usb: get CAN clock frequency from device"),
I introduced a regression.

For Leaf devices based on M32C, the firmware expects bittiming parameters
calculated for 16MHz clock. Regardless of the actual clock frequency.
This regression affects M32C based Leaf devices with non-16MHz clock.

Also correct the bittiming constants in kvaser_usb_leaf.c, where the limits
are different depending on which firmware/device being used.

Once merged to mainline, I'll backport these fixes for the stable kernels.

Changes in v2:
- Add struct kvaser_usb_driver_info as suggested by Marc Kleine-Budde [1],
  instead of adding dev->card_data.quirks.

[1] https://lore.kernel.org/linux-can/20220602063031.415858-1-extja@kvaser.com/…

Jimmy Assarsson (3):
can: kvaser_usb: Replace run-time checks with struct
kvaser_usb_driver_info
can: kvaser_usb: kvaser_usb_leaf: Fix CAN clock frequency regression
can: kvaser_usb: kvaser_usb_leaf: Fix bittiming limits
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 73 ++++-
.../net/can/usb/kvaser_usb/kvaser_usb_core.c | 253 +++++++++---------
.../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 14 +-
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 119 ++++----
4 files changed, 255 insertions(+), 204 deletions(-)
--
2.36.1

This is the start of the stable review cycle for the 5.18.9 release.
There are 6 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat, 02 Jul 2022 13:32:22 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.18.9-rc1…
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.18.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.18.9-rc1
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring: fix not locked access to fixed buf table
Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com>
powerpc/ftrace: Remove ftrace init tramp once kernel init is complete
Kees Cook <keescook(a)chromium.org>
hinic: Replace memcpy() with direct assignment
Coly Li <colyli(a)suse.de>
bcache: memset on stack variables in bch_btree_check() and bch_sectors_dirty_init()
Linus Walleij <linus.walleij(a)linaro.org>
clocksource/drivers/ixp4xx: Drop boardfile probe path
Masahiro Yamada <masahiroy(a)kernel.org>
tick/nohz: unexport __init-annotated tick_nohz_full_setup()
-------------
Diffstat:
Makefile | 4 +--
arch/powerpc/include/asm/ftrace.h | 4 ++-
arch/powerpc/kernel/trace/ftrace.c | 15 ++++++++--
arch/powerpc/mm/mem.c | 2 ++
drivers/clocksource/Kconfig | 2 +-
drivers/clocksource/timer-ixp4xx.c | 25 -----------------
drivers/md/bcache/btree.c | 1 +
drivers/md/bcache/writeback.c | 1 +
drivers/net/ethernet/huawei/hinic/hinic_devlink.c | 4 +--
fs/io_uring.c | 34 ++++++++++++-----------
include/linux/platform_data/timer-ixp4xx.h | 11 --------
kernel/time/tick-sched.c | 1 -
12 files changed, 41 insertions(+), 63 deletions(-)

Hi,

Can you apply these three patches, one for each of the 5.10, 5.15, and
5.18 stable tree? Doesn't fix any issues of concern, just ensures that
we -EINVAL when invalid fields are set in the sqe for these opcodes.
This brings it up to par with 5.19 and newer.

Thanks!

--
Jens Axboe

The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------
From f3eac426657d985b97c92fa5f7ae1d43f04721f3 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason(a)zx2c4.com>
Date: Tue, 21 Jun 2022 16:08:49 +0200
Subject: [PATCH] powerpc/powernv: wire up rng during setup_arch

The platform's RNG must be available before random_init() in order to be
useful for initial seeding, which in turn means that it needs to be
called from setup_arch(), rather than from an init call.

Complicating things, however, is that POWER8 systems need some per-cpu
state and kmalloc, which isn't available at this stage. So we split
things up into an early phase and a later opportunistic phase. This
commit also removes some noisy log messages that don't add much.

Fixes: a4da0d50b2a0 ("powerpc: Implement arch_get_random_long/int() for powernv")
Cc: stable(a)vger.kernel.org # v3.13+
Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com>
Reviewed-by: Christophe Leroy <christophe.leroy(a)csgroup.eu>
[mpe: Add of_node_put(), use pnv naming, minor change log editing]
Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au>
Link: https://lore.kernel.org/r/20220621140849.127227-1-Jason@zx2c4.com
diff --git a/arch/powerpc/platforms/powernv/powernv.h b/arch/powerpc/platforms/powernv/powernv.h
index e297bf4abfcb..866efdc103fd 100644
--- a/arch/powerpc/platforms/powernv/powernv.h
+++ b/arch/powerpc/platforms/powernv/powernv.h
@@ -42,4 +42,6 @@ ssize_t memcons_copy(struct memcons *mc, char *to, loff_t pos, size_t count);
u32 __init memcons_get_size(struct memcons *mc);
struct memcons *__init memcons_init(struct device_node *node, const char *mc_prop_name);
+void pnv_rng_init(void);
+
#endif /* _POWERNV_H */
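Review bot: The new prototype pnv_rng_init(void) is declared without __init, while the two declarations just above it in this header (memcons_get_size and memcons_init) carry the annotation and the definition in rng.c is void __init pnv_rng_init(void). Suggest declaring it as void __init pnv_rng_init(void); so the header stays consistent.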
diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c
index e3d44b36ae98..463c78c52cc5 100644
--- a/arch/powerpc/platforms/powernv/rng.c
+++ b/arch/powerpc/platforms/powernv/rng.c
@@ -17,6 +17,7 @@
#include <asm/prom.h>
#include <asm/machdep.h>
#include <asm/smp.h>
+#include "powernv.h"
#define DARN_ERR 0xFFFFFFFFFFFFFFFFul
@@ -28,7 +29,6 @@ struct powernv_rng {
static DEFINE_PER_CPU(struct powernv_rng *, powernv_rng);
-
int powernv_hwrng_present(void)
{
struct powernv_rng *rng;
@@ -98,9 +98,6 @@ static int __init initialise_darn(void)
return 0;
}
}
-
- pr_warn("Unable to use DARN for get_random_seed()\n");
-
return -EIO;
}
@@ -163,32 +160,55 @@ static __init int rng_create(struct device_node *dn)
rng_init_per_cpu(rng, dn);
- pr_info_once("Registering arch random hook.\n");
-
ppc_md.get_random_seed = powernv_get_random_long;
return 0;
}
-static __init int rng_init(void)
+static int __init pnv_get_random_long_early(unsigned long *v)
{
struct device_node *dn;
- int rc;
+
+ if (!slab_is_available())
+ return 0;
+
+ if (cmpxchg(&ppc_md.get_random_seed, pnv_get_random_long_early,
+ NULL) != pnv_get_random_long_early)
+ return 0;
for_each_compatible_node(dn, NULL, "ibm,power-rng") {
- rc = rng_create(dn);
- if (rc) {
- pr_err("Failed creating rng for %pOF (%d).\n",
- dn, rc);
+ if (rng_create(dn))
continue;
- }
-
/* Create devices for hwrng driver */
of_platform_device_create(dn, NULL, NULL);
}
- initialise_darn();
+ if (!ppc_md.get_random_seed)
+ return 0;
+ return ppc_md.get_random_seed(v);
+}
+
+void __init pnv_rng_init(void)
+{
+ struct device_node *dn;
+ /* Prefer darn over the rest. */
+ if (!initialise_darn())
+ return;
+
+ dn = of_find_compatible_node(NULL, NULL, "ibm,power-rng");
+ if (dn)
+ ppc_md.get_random_seed = pnv_get_random_long_early;
+
+ of_node_put(dn);
+}
+
+static int __init pnv_rng_late_init(void)
+{
+ unsigned long v;
+ /* In case it wasn't called during init for some other reason. */
+ if (ppc_md.get_random_seed == pnv_get_random_long_early)
+ pnv_get_random_long_early(&v);
return 0;
}
-machine_subsys_initcall(powernv, rng_init);
+machine_subsys_initcall(powernv, pnv_rng_late_init);
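Review bot: pnv_get_random_long_early() still calls of_platform_device_create() inside the for_each_compatible_node loop, and this function is installed as ppc_md.get_random_seed from pnv_rng_init(), so it runs on the first seed request after slab is up. The only precondition checked is slab_is_available(); nothing here establishes that platform devices can be registered at that point. Consider leaving device creation to pnv_rng_late_init(), which already runs from machine_subsys_initcall. Separately, the pr_err for a failed rng_create() is dropped, so a node that fails to initialise is now skipped silently.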
diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
index 824c3ad7a0fa..dac545aa0308 100644
--- a/arch/powerpc/platforms/powernv/setup.c
+++ b/arch/powerpc/platforms/powernv/setup.c
@@ -203,6 +203,8 @@ static void __init pnv_setup_arch(void)
pnv_check_guarded_cores();
/* XXX PMCS */
+
+ pnv_rng_init();
}
static void __init pnv_init(void)
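Review bot: The pnv_rng_init() call is added at the end of pnv_setup_arch() with no comment, although its position is the point of the change: the commit message says it has to run before random_init(). A one-line comment stating that ordering requirement would stop it being moved back to an initcall later.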

The of node for the rng must be created much later in boot. Otherwise it
tries to connect to a parent that doesn't yet exist, resulting in this
splat:

[ 0.000478] kobject: '(null)' ((____ptrval____)): is not initialized, yet kobject_get() is being called.
[ 0.002925] [c000000002a0fb30] [c00000000073b0bc] kobject_get+0x8c/0x100 (unreliable)
[ 0.003071] [c000000002a0fba0] [c00000000087e464] device_add+0xf4/0xb00
[ 0.003194] [c000000002a0fc80] [c000000000a7f6e4] of_device_add+0x64/0x80
[ 0.003321] [c000000002a0fcb0] [c000000000a800d0] of_platform_device_create_pdata+0xd0/0x1b0
[ 0.003476] [c000000002a0fd00] [c00000000201fa44] pnv_get_random_long_early+0x240/0x2e4
[ 0.003623] [c000000002a0fe20] [c000000002060c38] random_init+0xc0/0x214

This patch fixes the issue by doing the of node creation inside of
machine_subsys_initcall.

Fixes: f3eac426657d ("powerpc/powernv: wire up rng during setup_arch")
Cc: stable(a)vger.kernel.org
Cc: Michael Ellerman <mpe(a)ellerman.id.au>
Reported-by: Sachin Sant <sachinp(a)linux.ibm.com>
Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com>
---
arch/powerpc/platforms/powernv/rng.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c
index 463c78c52cc5..bd5ad5f351c2 100644
--- a/arch/powerpc/platforms/powernv/rng.c
+++ b/arch/powerpc/platforms/powernv/rng.c
@@ -176,12 +176,8 @@ static int __init pnv_get_random_long_early(unsigned long *v)
NULL) != pnv_get_random_long_early)
return 0;
- for_each_compatible_node(dn, NULL, "ibm,power-rng") {
- if (rng_create(dn))
- continue;
- /* Create devices for hwrng driver */
- of_platform_device_create(dn, NULL, NULL);
- }
+ for_each_compatible_node(dn, NULL, "ibm,power-rng")
+ rng_create(dn);
if (!ppc_md.get_random_seed)
return 0;
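Review bot: The loop now calls rng_create(dn) and discards its return value, where the removed code at least skipped device creation on failure. With no check and no message, a node whose setup fails leaves no trace; either log the failure or add a comment that it is deliberately ignored because the following !ppc_md.get_random_seed test covers the case where no node succeeded.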
@@ -205,10 +201,16 @@ void __init pnv_rng_init(void)
static int __init pnv_rng_late_init(void)
{
+ struct device_node *dn;
unsigned long v;
+
/* In case it wasn't called during init for some other reason. */
if (ppc_md.get_random_seed == pnv_get_random_long_early)
pnv_get_random_long_early(&v);
+ if (ppc_md.get_random_seed == powernv_get_random_long) {
+ for_each_compatible_node(dn, NULL, "ibm,power-rng")
+ of_platform_device_create(dn, NULL, NULL);
+ }
return 0;
}
machine_subsys_initcall(powernv, pnv_rng_late_init);
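Review bot: Device creation in pnv_rng_late_init() is gated on ppc_md.get_random_seed == powernv_get_random_long, so no platform device is created for any ibm,power-rng node when the seed hook is something else at this point; is that intended? Once the hook is set, the loop also creates a device for every compatible node, including nodes for which rng_create() failed, whereas the removed loop skipped those. A comment explaining the condition would help.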
--
2.35.1

With KUAP, the TLB miss handler bails out when an access to user
memory is performed with a null TID.

But the normal TLB miss routine which is only used early during boot
does the check regardless for all memory areas, not only user memory.

By chance there is no early IO or vmalloc access, but when KASAN
comes we will start having early TLB misses.

Fix it by creating a special branch for user accesses similar to the
one in the 'bolted' TLB miss handlers. Unfortunately SPRN_MAS1 is
now read too early and there are no registers available to preserve
it so it will be read a second time.

Fixes: 57bc963837f5 ("powerpc/kuap: Wire-up KUAP on book3e/64")
Cc: stable(a)vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu>
---
arch/powerpc/mm/nohash/tlb_low_64e.S | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/arch/powerpc/mm/nohash/tlb_low_64e.S b/arch/powerpc/mm/nohash/tlb_low_64e.S
index 8b97c4acfebf..9e9ab3803fb2 100644
--- a/arch/powerpc/mm/nohash/tlb_low_64e.S
+++ b/arch/powerpc/mm/nohash/tlb_low_64e.S
@@ -583,7 +583,7 @@ itlb_miss_fault_e6500:
*/
rlwimi r11,r14,32-19,27,27
rlwimi r11,r14,32-16,19,19
- beq normal_tlb_miss
+ beq normal_tlb_miss_user
/* XXX replace the RMW cycles with immediate loads + writes */
1: mfspr r10,SPRN_MAS1
cmpldi cr0,r15,8 /* Check for vmalloc region */
@@ -626,7 +626,7 @@ itlb_miss_fault_e6500:
cmpldi cr0,r15,0 /* Check for user region */
std r14,EX_TLB_ESR(r12) /* write crazy -1 to frame */
- beq normal_tlb_miss
+ beq normal_tlb_miss_user
li r11,_PAGE_PRESENT|_PAGE_BAP_SX /* Base perm */
oris r11,r11,_PAGE_ACCESSED@h
@@ -653,6 +653,12 @@ itlb_miss_fault_e6500:
* r11 = PTE permission mask
* r10 = crap (free to use)
*/
+normal_tlb_miss_user:
+#ifdef CONFIG_PPC_KUAP
+ mfspr r14,SPRN_MAS1
+ rlwinm. r14,r14,0,0x3fff0000
+ beq- normal_tlb_miss_access_fault /* KUAP fault */
+#endif
normal_tlb_miss:
/* So we first construct the page table address. We do that by
* shifting the bottom of the address (not the region ID) by
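Review bot: The new normal_tlb_miss_user block uses r14 as scratch for the MAS1 read, but the register-state comment immediately above it lists only r10 as free to use. Either use r10 for the mfspr/rlwinm. pair or extend that comment to say r14 is dead on both paths that branch here. The fall-through from this label into normal_tlb_miss is also worth a one-line comment.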
@@ -683,11 +689,6 @@ finish_normal_tlb_miss:
/* Check if required permissions are met */
andc. r15,r11,r14
bne- normal_tlb_miss_access_fault
-#ifdef CONFIG_PPC_KUAP
- mfspr r11,SPRN_MAS1
- rlwinm. r10,r11,0,0x3fff0000
- beq- normal_tlb_miss_access_fault /* KUAP fault */
-#endif
/* Now we build the MAS:
*
@@ -709,9 +710,7 @@ finish_normal_tlb_miss:
rldicl r10,r14,64-8,64-8
cmpldi cr0,r10,BOOK3E_PAGESZ_4K
beq- 1f
-#ifndef CONFIG_PPC_KUAP
mfspr r11,SPRN_MAS1
-#endif
rlwimi r11,r14,31,21,24
rlwinm r11,r11,0,21,19
mtspr SPRN_MAS1,r11
--
2.36.1

On FSL_BOOK3E, _PAGE_RW is defined with two bits, one for user and one
for supervisor. As soon as one of the two bits is set, the page has
to be displayed as RW. But the way it is implemented today requires both
bits to be set in order to display it as RW.

Instead of displaying RW when _PAGE_RW bits are set and R otherwise,
reverse the logic and display R when _PAGE_RW bits are all 0 and
RW otherwise.

This change has no impact on other platforms as _PAGE_RW is a single
bit on all of them.

Fixes: 8eb07b187000 ("powerpc/mm: Dump linux pagetables")
Cc: stable(a)vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu>
---
arch/powerpc/mm/ptdump/shared.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/mm/ptdump/shared.c b/arch/powerpc/mm/ptdump/shared.c
index 03607ab90c66..f884760ca5cf 100644
--- a/arch/powerpc/mm/ptdump/shared.c
+++ b/arch/powerpc/mm/ptdump/shared.c
@@ -17,9 +17,9 @@ static const struct flag_info flag_array[] = {
.clear = " ",
}, {
.mask = _PAGE_RW,
- .val = _PAGE_RW,
- .set = "rw",
- .clear = "r ",
+ .val = 0,
+ .set = "r ",
+ .clear = "rw",
}, {
.mask = _PAGE_EXEC,
.val = _PAGE_EXEC,
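Review bot: With .val = 0 the _PAGE_RW entry now has the opposite sense from its neighbours (the _PAGE_EXEC entry below uses .val = _PAGE_EXEC), so .set = "r " reads as a mistake without context. A comment on the entry saying that _PAGE_RW can be more than one bit and that any bit set means writable would make the inversion self-explanatory.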
--
2.36.1