If System V shmget/shmat operations are used to create a hugetlbfs
backed mapping, it is possible to munmap part of the mapping and
split the underlying vma such that it is not huge page aligned.
This will ultimately result in the following BUG:
kernel BUG at /build/linux-jWa1Fv/linux-4.15.0/mm/hugetlb.c:3310!
Oops: Exception in kernel mode, sig: 5 [#1]
LE SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in: kcm nfc af_alg caif_socket caif phonet fcrypt
8<--8<--8<--8< snip 8<--8<--8<--8<
CPU: 18 PID: 43243 Comm: trinity-subchil Tainted: G C E
4.15.0-10-generic #11-Ubuntu
NIP: c00000000036e764 LR: c00000000036ee48 CTR: 0000000000000009
REGS: c000003fbcdcf810 TRAP: 0700 Tainted: G C E
(4.15.0-10-generic)
MSR: 9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24002222 XER:
20040000
CFAR: c00000000036ee44 SOFTE: 1
GPR00: c00000000036ee48 c000003fbcdcfa90 c0000000016ea600 c000003fbcdcfc40
GPR04: c000003fd9858950 00007115e4e00000 00007115e4e10000 0000000000000000
GPR08: 0000000000000010 0000000000010000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c000000007a2c600 00000fe3985954d0 00007115e4e00000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 00000fe398595a94 000000000000a6fc c000003fd9858950 0000000000018554
GPR24: c000003fdcd84500 c0000000019acd00 00007115e4e10000 c000003fbcdcfc40
GPR28: 0000000000200000 00007115e4e00000 c000003fbc9ac600 c000003fd9858950
NIP [c00000000036e764] __unmap_hugepage_range+0xa4/0x760
LR [c00000000036ee48] __unmap_hugepage_range_final+0x28/0x50
Call Trace:
[c000003fbcdcfa90] [00007115e4e00000] 0x7115e4e00000 (unreliable)
[c000003fbcdcfb50] [c00000000036ee48]
__unmap_hugepage_range_final+0x28/0x50
[c000003fbcdcfb80] [c00000000033497c] unmap_single_vma+0x11c/0x190
[c000003fbcdcfbd0] [c000000000334e14] unmap_vmas+0x94/0x140
[c000003fbcdcfc20] [c00000000034265c] exit_mmap+0x9c/0x1d0
[c000003fbcdcfce0] [c000000000105448] mmput+0xa8/0x1d0
[c000003fbcdcfd10] [c00000000010fad0] do_exit+0x360/0xc80
[c000003fbcdcfdd0] [c0000000001104c0] do_group_exit+0x60/0x100
[c000003fbcdcfe10] [c000000000110584] SyS_exit_group+0x24/0x30
[c000003fbcdcfe30] [c00000000000b184] system_call+0x58/0x6c
Instruction dump:
552907fe e94a0028 e94a0408 eb2a0018 81590008 7f9c5036 0b090000 e9390010
7d2948f8 7d2a2838 0b0a0000 7d293038 <0b090000> e9230086 2fa90000 419e0468
---[ end trace ee88f958a1c62605 ]---
This bug was introduced by commit 31383c6865a5 ("mm, hugetlbfs:
introduce ->split() to vm_operations_struct"). A split function
was added to vm_operations_struct to determine if a mapping can
be split. This was mostly for device-dax and hugetlbfs mappings
which have specific alignment constraints.
Mappings initiated via shmget/shmat have their original vm_ops
overwritten with shm_vm_ops. shm_vm_ops functions will call back
to the original vm_ops if needed. Add such a split function to
shm_vm_ops.
Fixes: 31383c6865a5 ("mm, hugetlbfs: introduce ->split() to vm_operations_struct")
Signed-off-by: Mike Kravetz <mike.kravetz(a)oracle.com>
Reported-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Tested-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Acked-by: Michal Hocko <mhocko(a)suse.com>
Cc: stable(a)vger.kernel.org
---
Changes in v2
* Updated commit message
* Cc stable
ipc/shm.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/ipc/shm.c b/ipc/shm.c
index 4643865e9171..93e0e3a4d009 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -386,6 +386,17 @@ static int shm_fault(struct vm_fault *vmf)
return sfd->vm_ops->fault(vmf);
}
+static int shm_split(struct vm_area_struct *vma, unsigned long addr)
+{
+ struct file *file = vma->vm_file;
+ struct shm_file_data *sfd = shm_file_data(file);
+
+ if (sfd->vm_ops && sfd->vm_ops->split)
+ return sfd->vm_ops->split(vma, addr);
+
+ return 0;
+}
+
#ifdef CONFIG_NUMA
static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
{
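Review bot: in shm_split(), the `sfd->vm_ops &&` test is inconsistent with shm_fault() in the context just above, which calls `sfd->vm_ops->fault(vmf)` without checking `sfd->vm_ops`. If vm_ops is always set for an attached segment, test only `sfd->vm_ops->split`; if it can be NULL, shm_fault() needs the same guard. A short comment saying which case holds would settle it.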
@@ -510,6 +521,7 @@ static const struct vm_operations_struct shm_vm_ops = {
.open = shm_open, /* callback for a new vm-area open */
.close = shm_close, /* callback for when the vm-area is released */
.fault = shm_fault,
+ .split = shm_split,
#if defined(CONFIG_NUMA)
.set_policy = shm_set_policy,
.get_policy = shm_get_policy,
--
2.13.6
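The delegation gap this patch closes, as a userspace C model added here (not kernel code and not part of the patch): struct vm_ops, struct vma, core_split_check() and the MODEL_* sizes are simplified stand-ins assumed for illustration. It shows a misaligned split refused for a direct hugetlb mapping, allowed when the wrapper table has no split hook, and refused again once the wrapper forwards to the backing ops.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for the model; real values depend on the architecture. */
#define MODEL_PAGE_SIZE  4096UL
#define MODEL_HPAGE_SIZE (2UL * 1024 * 1024)
#define MODEL_BASE       0x40000000UL  /* huge-page-aligned start address */

struct vma;

struct vm_ops {
	/* 0: the mapping may be split at addr; negative errno: refuse. */
	int (*split)(struct vma *vma, unsigned long addr);
};

struct vma {
	unsigned long start, end;
	const struct vm_ops *ops;          /* table the mm core consults */
	const struct vm_ops *backing_ops;  /* original table kept by the shm layer */
};

/* hugetlb rule: a split point must sit on a huge page boundary. */
static int hugetlb_split(struct vma *vma, unsigned long addr)
{
	(void)vma;
	return (addr & (MODEL_HPAGE_SIZE - 1)) ? -EINVAL : 0;
}
const struct vm_ops hugetlb_ops = { .split = hugetlb_split };

/* Wrapper table before the fix: no split hook, so the rule is never asked. */
const struct vm_ops shm_ops_before = { .split = NULL };

/* Wrapper after the fix: forward to the backing table when it has a hook. */
static int shm_split(struct vma *vma, unsigned long addr)
{
	if (vma->backing_ops && vma->backing_ops->split)
		return vma->backing_ops->split(vma, addr);
	return 0;
}
const struct vm_ops shm_ops_after = { .split = shm_split };

/* Model of the core check made before a VMA is split at addr. */
static int core_split_check(struct vma *vma, unsigned long addr)
{
	if (addr <= vma->start || addr >= vma->end)
		return -EINVAL;
	if (vma->ops && vma->ops->split)
		return vma->ops->split(vma, addr);
	return 0;
}

/* Build a mapping of four huge pages and ask whether it may be split
 * at start + offset. Returns 0 if allowed, negative errno if refused. */
int split_allowed(const struct vm_ops *visible,
		  const struct vm_ops *backing, unsigned long offset)
{
	struct vma v = {
		.start = MODEL_BASE,
		.end = MODEL_BASE + 4 * MODEL_HPAGE_SIZE,
		.ops = visible,
		.backing_ops = backing,
	};

	return core_split_check(&v, v.start + offset);
}

int main(void)
{
	/* Same shape as the partial munmap: one small page into huge page 1. */
	unsigned long misaligned = MODEL_HPAGE_SIZE + MODEL_PAGE_SIZE;

	printf("direct hugetlb mapping:   %d\n",
	       split_allowed(&hugetlb_ops, NULL, misaligned));
	printf("shm wrapper, before fix:  %d\n",
	       split_allowed(&shm_ops_before, &hugetlb_ops, misaligned));
	printf("shm wrapper, after fix:   %d\n",
	       split_allowed(&shm_ops_after, &hugetlb_ops, misaligned));
	printf("after fix, aligned split: %d\n",
	       split_allowed(&shm_ops_after, &hugetlb_ops, MODEL_HPAGE_SIZE));
	return 0;
}
```

Any ops table that wraps another one has the same exposure: a hook added to the inner table later is silently skipped until the wrapper forwards it.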
Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple
concurrent xenstore accesses") made a subtle change to the semantics of
xenbus_dev_request_and_reply() and xenbus_transaction_end().
Before, on an error response to XS_TRANSACTION_END,
xenbus_dev_request_and_reply() would not decrement the active
transaction counter. But xenbus_transaction_end() has always counted the
transaction as finished regardless of the response.
The new behavior is that xenbus_dev_request_and_reply() and
xenbus_transaction_end() will always count the transaction as finished
regardless of the response code (handled in xs_request_exit()).
But xenbus_dev_frontend tries to end a transaction on closing of the
device if the XS_TRANSACTION_END failed before. Trying to close the
transaction twice corrupts the reference count. So fix this by also
considering a transaction closed if we have sent XS_TRANSACTION_END once
regardless of the return code.
Cc: <stable(a)vger.kernel.org> # 4.11
Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
Signed-off-by: Simon Gaiser <simon(a)invisiblethingslab.com>
---
drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index a493e99bed21..81a84b3c1c50 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -365,7 +365,7 @@ void xenbus_dev_queue_reply(struct xb_req_data *req)
if (WARN_ON(rc))
goto out;
}
- } else if (req->msg.type == XS_TRANSACTION_END) {
+ } else if (req->type == XS_TRANSACTION_END) {
trans = xenbus_get_transaction(u, req->msg.tx_id);
if (WARN_ON(!trans))
goto out;
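Review bot: the condition now tests `req->type` while the next line still reads `req->msg.tx_id`, and nothing in the code says why the two fields are treated differently. Going by the commit message, `req->type` is the type of the request as sent, so it is still XS_TRANSACTION_END when the reply is an error; a one-line comment to that effect would stop a later cleanup from changing it back to `req->msg.type`.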
--
2.16.2
The patch titled
Subject: mm/hugetlb: prevent hugetlb VMA to be misaligned
has been removed from the -mm tree. Its filename was
mm-hugetlb-prevent-hugetlb-vma-to-be-misaligned.patch
This patch was dropped because an alternative patch was merged
------------------------------------------------------
From: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Subject: mm/hugetlb: prevent hugetlb VMA to be misaligned
When running the sampler detailed below, the kernel, if built with the VM
debug option turned on (as many distros do), is panicking with the following
message:
kernel BUG at /build/linux-jWa1Fv/linux-4.15.0/mm/hugetlb.c:3310!
Oops: Exception in kernel mode, sig: 5 [#1]
LE SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in: kcm nfc af_alg caif_socket caif phonet fcrypt
8<--8<--8<--8< snip 8<--8<--8<--8<
CPU: 18 PID: 43243 Comm: trinity-subchil Tainted: G C E
4.15.0-10-generic #11-Ubuntu
NIP: c00000000036e764 LR: c00000000036ee48 CTR: 0000000000000009
REGS: c000003fbcdcf810 TRAP: 0700 Tainted: G C E
(4.15.0-10-generic)
MSR: 9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24002222 XER:
20040000
CFAR: c00000000036ee44 SOFTE: 1
GPR00: c00000000036ee48 c000003fbcdcfa90 c0000000016ea600 c000003fbcdcfc40
GPR04: c000003fd9858950 00007115e4e00000 00007115e4e10000 0000000000000000
GPR08: 0000000000000010 0000000000010000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c000000007a2c600 00000fe3985954d0 00007115e4e00000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 00000fe398595a94 000000000000a6fc c000003fd9858950 0000000000018554
GPR24: c000003fdcd84500 c0000000019acd00 00007115e4e10000 c000003fbcdcfc40
GPR28: 0000000000200000 00007115e4e00000 c000003fbc9ac600 c000003fd9858950
NIP [c00000000036e764] __unmap_hugepage_range+0xa4/0x760
LR [c00000000036ee48] __unmap_hugepage_range_final+0x28/0x50
Call Trace:
[c000003fbcdcfa90] [00007115e4e00000] 0x7115e4e00000 (unreliable)
[c000003fbcdcfb50] [c00000000036ee48]
__unmap_hugepage_range_final+0x28/0x50
[c000003fbcdcfb80] [c00000000033497c] unmap_single_vma+0x11c/0x190
[c000003fbcdcfbd0] [c000000000334e14] unmap_vmas+0x94/0x140
[c000003fbcdcfc20] [c00000000034265c] exit_mmap+0x9c/0x1d0
[c000003fbcdcfce0] [c000000000105448] mmput+0xa8/0x1d0
[c000003fbcdcfd10] [c00000000010fad0] do_exit+0x360/0xc80
[c000003fbcdcfdd0] [c0000000001104c0] do_group_exit+0x60/0x100
[c000003fbcdcfe10] [c000000000110584] SyS_exit_group+0x24/0x30
[c000003fbcdcfe30] [c00000000000b184] system_call+0x58/0x6c
Instruction dump:
552907fe e94a0028 e94a0408 eb2a0018 81590008 7f9c5036 0b090000 e9390010
7d2948f8 7d2a2838 0b0a0000 7d293038 <0b090000> e9230086 2fa90000 419e0468
===[ end trace ee88f958a1c62605 ]===
The panic is due to a VMA pointing to a hugetlb area while the
vma->vm_start or vma->vm_end field are not aligned to the huge page
boundaries. The sampler is just unmapping a part of the hugetlb area,
leading to 2 VMAs which are not well aligned. The same could be achieved
by calling madvise() situation, as it is when running: stress-ng
--shm-sysv 1
The hugetlb code is assuming that the VMA will be well aligned when it is
unmapped, so we must prevent such a VMA from being split or shrunk to a
misaligned address.
This patch prevents this by checking the new VMA's boundaries when a VMA
is modified by calling vma_adjust().
=== Sampler used to hit the panic
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/*
 * LENGTH (segment size) and HPSIZE (huge page size) must be #defined
 * here; their definitions are not part of this listing.
 */

unsigned long page_size;

int main(void)
{
	int shmid, ret = 1;
	void *addr;

	setbuf(stdout, NULL);
	page_size = getpagesize();

	shmid = shmget(0x1410, LENGTH, IPC_CREAT | SHM_HUGETLB | SHM_R |
		       SHM_W);
	if (shmid < 0) {
		perror("shmget");
		exit(1);
	}
	printf("shmid: %d\n", shmid);

	addr = shmat(shmid, NULL, 0);
	if (addr == (void*)-1) {
		perror("shmat");
		goto out;
	}

	/*
	 * The following munmap() call will split the VMA in 2, leading to
	 * unaligned to huge page size VMAs which will trigger a check when
	 * shmdt() is called.
	 */
	if (munmap(addr + HPSIZE + page_size, page_size)) {
		perror("munmap");
		goto out;
	}

	if (shmdt(addr)) {
		perror("shmdt");
		goto out;
	}

	printf("test done.\n");
	ret = 0;

out:
	/* Always remove the segment so it does not outlive the test. */
	shmctl(shmid, IPC_RMID, NULL);
	return ret;
}
=== End of code
Link: http://lkml.kernel.org/r/1521566754-30390-1-git-send-email-ldufour@linux.vn…
Signed-off-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Cc: Michal Hocko <mhocko(a)kernel.org>
Cc: Andrea Arcangeli <aarcange(a)redhat.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
diff -puN mm/mmap.c~mm-hugetlb-prevent-hugetlb-vma-to-be-misaligned mm/mmap.c
--- a/mm/mmap.c~mm-hugetlb-prevent-hugetlb-vma-to-be-misaligned
+++ a/mm/mmap.c
@@ -692,6 +692,17 @@ int __vma_adjust(struct vm_area_struct *
long adjust_next = 0;
int remove_next = 0;
+ if (is_vm_hugetlb_page(vma)) {
+ /*
+ * We must check against the huge page boundarie to not
+ * create misaligned VMA.
+ */
+ struct hstate *h = hstate_vma(vma);
+
+ if (start & ~huge_page_mask(h) || end & ~huge_page_mask(h))
+ return -EINVAL;
+ }
+
if (next && !insert) {
struct vm_area_struct *exporter = NULL, *importer = NULL;
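Review bot: the new test `start & ~huge_page_mask(h) || end & ~huge_page_mask(h)` relies on & binding tighter than ||; parenthesise each operand so the intent is obvious at a glance. The comment above it has a typo ("boundarie"), and it would help if it also said that -EINVAL is returned here before any of the adjust logic below runs.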
_
Patches currently in -mm which might be from ldufour(a)linux.vnet.ibm.com are
The patch titled
Subject: ipc/shm.c: add split function to shm_vm_ops
has been added to the -mm tree. Its filename is
shm-add-split-function-to-shm_vm_ops.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/shm-add-split-function-to-shm_vm_o…
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/shm-add-split-function-to-shm_vm_o…
------------------------------------------------------
From: Mike Kravetz <mike.kravetz(a)oracle.com>
Subject: ipc/shm.c: add split function to shm_vm_ops
If System V shmget/shmat operations are used to create a hugetlbfs backed
mapping, it is possible to munmap part of the mapping and split the
underlying vma such that it is not huge page aligned. This will
ultimately result in the following BUG:
kernel BUG at /build/linux-jWa1Fv/linux-4.15.0/mm/hugetlb.c:3310!
Oops: Exception in kernel mode, sig: 5 [#1]
LE SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in: kcm nfc af_alg caif_socket caif phonet fcrypt
8<--8<--8<--8< snip 8<--8<--8<--8<
CPU: 18 PID: 43243 Comm: trinity-subchil Tainted: G C E
4.15.0-10-generic #11-Ubuntu
NIP: c00000000036e764 LR: c00000000036ee48 CTR: 0000000000000009
REGS: c000003fbcdcf810 TRAP: 0700 Tainted: G C E
(4.15.0-10-generic)
MSR: 9000000000029033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 24002222 XER:
20040000
CFAR: c00000000036ee44 SOFTE: 1
GPR00: c00000000036ee48 c000003fbcdcfa90 c0000000016ea600 c000003fbcdcfc40
GPR04: c000003fd9858950 00007115e4e00000 00007115e4e10000 0000000000000000
GPR08: 0000000000000010 0000000000010000 0000000000000000 0000000000000000
GPR12: 0000000000002000 c000000007a2c600 00000fe3985954d0 00007115e4e00000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 00000fe398595a94 000000000000a6fc c000003fd9858950 0000000000018554
GPR24: c000003fdcd84500 c0000000019acd00 00007115e4e10000 c000003fbcdcfc40
GPR28: 0000000000200000 00007115e4e00000 c000003fbc9ac600 c000003fd9858950
NIP [c00000000036e764] __unmap_hugepage_range+0xa4/0x760
LR [c00000000036ee48] __unmap_hugepage_range_final+0x28/0x50
Call Trace:
[c000003fbcdcfa90] [00007115e4e00000] 0x7115e4e00000 (unreliable)
[c000003fbcdcfb50] [c00000000036ee48]
__unmap_hugepage_range_final+0x28/0x50
[c000003fbcdcfb80] [c00000000033497c] unmap_single_vma+0x11c/0x190
[c000003fbcdcfbd0] [c000000000334e14] unmap_vmas+0x94/0x140
[c000003fbcdcfc20] [c00000000034265c] exit_mmap+0x9c/0x1d0
[c000003fbcdcfce0] [c000000000105448] mmput+0xa8/0x1d0
[c000003fbcdcfd10] [c00000000010fad0] do_exit+0x360/0xc80
[c000003fbcdcfdd0] [c0000000001104c0] do_group_exit+0x60/0x100
[c000003fbcdcfe10] [c000000000110584] SyS_exit_group+0x24/0x30
[c000003fbcdcfe30] [c00000000000b184] system_call+0x58/0x6c
Instruction dump:
552907fe e94a0028 e94a0408 eb2a0018 81590008 7f9c5036 0b090000 e9390010
7d2948f8 7d2a2838 0b0a0000 7d293038 <0b090000> e9230086 2fa90000 419e0468
---[ end trace ee88f958a1c62605 ]---
This bug was introduced by 31383c6865a5 ("mm, hugetlbfs: introduce
->split() to vm_operations_struct"). A split function was added to
vm_operations_struct to determine if a mapping can be split. This was
mostly for device-dax and hugetlbfs mappings which have specific alignment
constraints.
Mappings initiated via shmget/shmat have their original vm_ops overwritten
with shm_vm_ops. shm_vm_ops functions will call back to the original
vm_ops if needed. Add such a split function to shm_vm_ops.
Link: http://lkml.kernel.org/r/20180321161314.7711-1-mike.kravetz@oracle.com
Fixes: 31383c6865a5 ("mm, hugetlbfs: introduce ->split() to vm_operations_struct")
Signed-off-by: Mike Kravetz <mike.kravetz(a)oracle.com>
Reported-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Tested-by: Laurent Dufour <ldufour(a)linux.vnet.ibm.com>
Reviewed-by: Dan Williams <dan.j.williams(a)intel.com>
Acked-by: Michal Hocko <mhocko(a)suse.com>
Cc: Davidlohr Bueso <dave(a)stgolabs.net>
Cc: Manfred Spraul <manfred(a)colorfullife.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
ipc/shm.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff -puN ipc/shm.c~shm-add-split-function-to-shm_vm_ops ipc/shm.c
--- a/ipc/shm.c~shm-add-split-function-to-shm_vm_ops
+++ a/ipc/shm.c
@@ -386,6 +386,17 @@ static int shm_fault(struct vm_fault *vm
return sfd->vm_ops->fault(vmf);
}
+static int shm_split(struct vm_area_struct *vma, unsigned long addr)
+{
+ struct file *file = vma->vm_file;
+ struct shm_file_data *sfd = shm_file_data(file);
+
+ if (sfd->vm_ops && sfd->vm_ops->split)
+ return sfd->vm_ops->split(vma, addr);
+
+ return 0;
+}
+
#ifdef CONFIG_NUMA
static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
{
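Review bot: shm_split() is added without a comment, and the bare `return 0;` at its end does not say that 0 means the split is allowed. A short comment above the function stating that the decision is delegated to the backing file's `vm_ops->split`, and that a mapping whose backing ops have no split hook may be split at any address, would document the contract.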
@@ -510,6 +521,7 @@ static const struct vm_operations_struct
.open = shm_open, /* callback for a new vm-area open */
.close = shm_close, /* callback for when the vm-area is released */
.fault = shm_fault,
+ .split = shm_split,
#if defined(CONFIG_NUMA)
.set_policy = shm_set_policy,
.get_policy = shm_get_policy,
_
Patches currently in -mm which might be from mike.kravetz(a)oracle.com are
hugetlbfs-check-for-pgoff-value-overflow.patch
hugetlbfs-check-for-pgoff-value-overflow-v3.patch
shm-add-split-function-to-shm_vm_ops.patch
mm-hugetlbfs-move-hugetlbfs_i-outside-ifdef-config_hugetlbfs.patch
mm-memfd-split-out-memfd-for-use-by-multiple-filesystems.patch
mm-memfd-remove-memfd-code-from-shmem-files-and-use-new-memfd-files.patch
mm-make-start_isolate_page_range-fail-if-already-isolated.patch
This is an automatically generated email to let you know that the following patch was queued:
Subject: media: atomisp_fops.c: disable atomisp_compat_ioctl32
Author: Hans Verkuil <hverkuil(a)xs4all.nl>
Date: Sun Feb 25 06:55:32 2018 -0500
The atomisp_compat_ioctl32() code has problems. This patch disables the
compat_ioctl32 support until those issues have been fixed.
Contact Sakari or me for more details.
Signed-off-by: Hans Verkuil <hans.verkuil(a)cisco.com>
Cc: <stable(a)vger.kernel.org> # for v4.12 and up
Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab(a)s-opensource.com>
drivers/staging/media/atomisp/pci/atomisp2/atomisp_fops.c | 6 ++++++
1 file changed, 6 insertions(+)
---
diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_fops.c b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_fops.c
index 4f9f9dca5e6a..545ef024841d 100644
--- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_fops.c
+++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_fops.c
@@ -1279,7 +1279,10 @@ const struct v4l2_file_operations atomisp_fops = {
.mmap = atomisp_mmap,
.unlocked_ioctl = video_ioctl2,
#ifdef CONFIG_COMPAT
+ /*
+ * There are problems with this code. Disable this for now.
.compat_ioctl32 = atomisp_compat_ioctl32,
+ */
#endif
.poll = atomisp_poll,
};
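Review bot: the `.compat_ioctl32 = atomisp_compat_ioctl32,` initializer is disabled by enclosing it in the new block comment, so prose and dead code share one comment and the disabled line is easy to overlook or to re-enable by accident. Delete the line or put it under `#if 0`, and have the comment name the problems or say where they are tracked instead of "There are problems with this code".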
@@ -1291,7 +1294,10 @@ const struct v4l2_file_operations atomisp_file_fops = {
.mmap = atomisp_file_mmap,
.unlocked_ioctl = video_ioctl2,
#ifdef CONFIG_COMPAT
+ /*
+ * There are problems with this code. Disable this for now.
.compat_ioctl32 = atomisp_compat_ioctl32,
+ */
#endif
.poll = atomisp_poll,
};
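Review bot: after this hunk the `#ifdef CONFIG_COMPAT` / `#endif` pair in atomisp_file_fops encloses nothing but a comment, the same as in atomisp_fops above. Dropping the now-empty conditional from both tables and keeping one explanatory comment in a single place would avoid the duplicated text.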
From: Alex Smith <alex.smith(a)imgtec.com>
A spinlock is held while updating the internal copy of the IRQ mask,
but not while writing it to the actual IMASK register. After the lock
is released, an IRQ can occur before the IMASK register is written.
If handling this IRQ causes the mask to be changed, when the handler
returns back to the middle of the first mask update, a stale value
will be written to the mask register.
If this causes an IRQ to become unmasked that cannot have its status
cleared by writing a 1 to it in the IREG register, e.g. the SDIO IRQ,
then we can end up stuck with the same IRQ repeatedly being fired but
not handled. Normally the MMC IRQ handler attempts to clear any
unexpected IRQs by writing IREG, but for those that cannot be cleared
in this way then the IRQ will just repeatedly fire.
This was resulting in lockups after a while of using Wi-Fi on the
CI20 (GitHub issue #19).
Resolve by holding the spinlock until after the IMASK register has
been updated.
Cc: stable(a)vger.kernel.org
Link: https://github.com/MIPS/CI20_linux/issues/19
Fixes: 61bfbdb85687 ("MMC: Add support for the controller on JZ4740 SoCs.")
Tested-by: Mathieu Malaterre <malat(a)debian.org>
Signed-off-by: Alex Smith <alex.smith(a)imgtec.com>
---
drivers/mmc/host/jz4740_mmc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/host/jz4740_mmc.c b/drivers/mmc/host/jz4740_mmc.c
index 712e08d9a45e..a0168e9e4fce 100644
--- a/drivers/mmc/host/jz4740_mmc.c
+++ b/drivers/mmc/host/jz4740_mmc.c
@@ -362,9 +362,9 @@ static void jz4740_mmc_set_irq_enabled(struct jz4740_mmc_host *host,
host->irq_mask &= ~irq;
else
host->irq_mask |= irq;
- spin_unlock_irqrestore(&host->lock, flags);
writew(host->irq_mask, host->base + JZ_REG_MMC_IMASK);
+ spin_unlock_irqrestore(&host->lock, flags);
}
static void jz4740_mmc_clock_enable(struct jz4740_mmc_host *host,
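Review bot: nothing at the `writew(host->irq_mask, host->base + JZ_REG_MMC_IMASK);` line records that it has to stay inside the locked region, so a later cleanup could move the unlock back above it. Add a short comment that the IMASK write is done under host->lock so the register and the cached host->irq_mask cannot diverge.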
--
2.16.2
Since commit 04c8b0f82c7d ("irqchip/gic: Make locking a BL_SWITCHER only
feature") coupled CPU idle freezes from time to time on Exynos4210. Later
commit 313c8c16ee62 ("PM / CPU: replace raw_notifier with atomic_notifier")
changed the context in which the CPU idle code is executed, which results
in a fully reproducible freeze all the time. However, almost the same coupled
CPU idle code works fine on Exynos3250 regardless of the changes made in
the mentioned commits.
It turned out that the IPI call used on Exynos4210 is conflicting with the
change done in the first mentioned commit in GIC. Fix this by using the
same code path as for Exynos3250, instead of the IPI call for
synchronization with second CPU core, call dsb_sev() directly.
Tested on Exynos4210-based Trats and Origen boards.
Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com>
CC: stable(a)vger.kernel.org # v4.13+
---
arch/arm/mach-exynos/pm.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/arch/arm/mach-exynos/pm.c b/arch/arm/mach-exynos/pm.c
index dc4346ecf16d..a1055a2b8d54 100644
--- a/arch/arm/mach-exynos/pm.c
+++ b/arch/arm/mach-exynos/pm.c
@@ -271,11 +271,7 @@ static int exynos_cpu0_enter_aftr(void)
goto fail;
call_firmware_op(cpu_boot, 1);
-
- if (soc_is_exynos3250())
- dsb_sev();
- else
- arch_send_wakeup_ipi_mask(cpumask_of(1));
+ dsb_sev();
}
}
fail:
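Review bot: with the soc_is_exynos3250() branch gone, the unconditional `dsb_sev();` after `call_firmware_op(cpu_boot, 1);` carries no explanation of why an event, rather than the wakeup IPI, is used to synchronise with the second core. A brief comment there, referring to the GIC locking change named in the commit message, would keep the IPI from being reintroduced.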
--
2.15.0
There are only 19 PIOB pins having primary names PB0-PB18. Not all of them
have a 'C' function. So the pinctrl property mask ends up being the same as the
other SoC of the at91sam9x5 series.
Reported-by: Marek Sieranski <marek.sieranski(a)microchip.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre(a)microchip.com>
Cc: <stable(a)vger.kernel.org> # v3.8+
---
arch/arm/boot/dts/at91sam9g25.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/at91sam9g25.dtsi b/arch/arm/boot/dts/at91sam9g25.dtsi
index a7da0dd0c98f..0898213f3bb2 100644
--- a/arch/arm/boot/dts/at91sam9g25.dtsi
+++ b/arch/arm/boot/dts/at91sam9g25.dtsi
@@ -21,7 +21,7 @@
atmel,mux-mask = <
/* A B C */
0xffffffff 0xffe0399f 0xc000001c /* pioA */
- 0x0007ffff 0x8000fe3f 0x00000000 /* pioB */
+ 0x0007ffff 0x00047e3f 0x00000000 /* pioB */
0x80000000 0x07c0ffff 0xb83fffff /* pioC */
0x003fffff 0x003f8000 0x00000000 /* pioD */
>;
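Review bot: the pioB "B" column goes from 0x8000fe3f to 0x00047e3f, which does three things: it clears bit 31, clears bit 15 and sets bit 18. The commit message only accounts for pins beyond PB18 not existing, so it should also say why function B is removed from PB15 and added to PB18.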
--
2.15.1
This is an automatically generated email to let you know that the following patch was queued:
Subject: media: rc: oops in ir_timer_keyup after device unplug
Author: Sean Young <sean(a)mess.org>
Date: Tue Mar 6 08:57:57 2018 -0500
If there is IR in the raw kfifo when ir_raw_event_unregister() is called,
then kthread_stop() causes ir_raw_event_thread to be scheduled, decode
some scancodes and re-arm timer_keyup. The timer_keyup then fires when
the rc device is long gone.
Cc: stable(a)vger.kernel.org
Signed-off-by: Sean Young <sean(a)mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab(a)s-opensource.com>
drivers/media/rc/rc-main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index 4a952108ba1e..8621761a680f 100644
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1932,12 +1932,12 @@ void rc_unregister_device(struct rc_dev *dev)
if (!dev)
return;
- del_timer_sync(&dev->timer_keyup);
- del_timer_sync(&dev->timer_repeat);
-
if (dev->driver_type == RC_DRIVER_IR_RAW)
ir_raw_event_unregister(dev);
+ del_timer_sync(&dev->timer_keyup);
+ del_timer_sync(&dev->timer_repeat);
+
rc_free_rx_device(dev);
mutex_lock(&dev->lock);
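Review bot: the fix depends on the two `del_timer_sync()` calls running after `ir_raw_event_unregister(dev)`, but the code gives no hint that the order matters. Add a comment above them saying the raw event thread can still decode and re-arm timer_keyup while it is being stopped, so the timers must only be deleted afterwards.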
On Wed, 21 Mar 2018 10:08:03 +0100
Gerd Hoffmann <kraxel(a)redhat.com> wrote:
> On unknown/unhandled ioctls the driver should return an error, so
> userspace knows it tried to use something unsupported.
>
> Cc: stable(a)vger.kernel.org
> Signed-off-by: Gerd Hoffmann <kraxel(a)redhat.com>
> ---
> drivers/gpu/drm/i915/gvt/kvmgt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c
> index 021f722e24..be881d53c2 100644
> --- a/drivers/gpu/drm/i915/gvt/kvmgt.c
> +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
> @@ -1284,7 +1284,7 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev, unsigned int cmd,
>
> }
>
> - return 0;
> + return -EINVAL;
> }
>
> static ssize_t
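Review bot: the changed `return` at the end of intel_vgpu_ioctl() turns every command that falls through to it from success into failure, and the commit message does not say which commands reach that point today. Listing them, or stating that no known userspace relies on the 0 result, would make the stable backport easier to judge.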
Absolutely, but I'd prefer to continue the standard behavior among
other vfio drivers, and adopted from elsewhere in the kernel, to use
-ENOTTY for an unhandled ioctl, reserving -EINVAL as an error in
options for a supported ioctl. Thanks,
Alex
This is the start of the stable review cycle for the 4.15.12 release.
There are 52 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed Mar 21 18:07:15 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.15.12-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.15.12-rc1
Al Cooper <al.cooper(a)broadcom.com>
phy: phy-brcm-usb-init: Power down USB 3.0 PHY when XHCI disabled
Al Cooper <al.cooper(a)broadcom.com>
phy: phy-brcm-usb-init: DRD mode can cause crash on startup
Al Cooper <al.cooper(a)broadcom.com>
phy: phy-brcm-usb-init: Some Low Speed keyboards fail on 7271
Al Cooper <alcooperx(a)gmail.com>
phy: phy-brcm-usb: Fix two DT properties to match bindings doc
Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com>
usb: gadget: udc: renesas_usb3: fix oops in renesas_usb3_remove()
Enric Balletbo i Serra <enric.balletbo(a)collabora.com>
usb: dwc3: of-simple: fix oops by unbalanced clk disable call
Manu Gautam <mgautam(a)codeaurora.org>
usb: dwc3: core: Power-off core/PHYs on system_suspend in host mode
Thinh Nguyen <Thinh.Nguyen(a)synopsys.com>
usb: dwc3: Fix GDBGFIFOSPACE_TYPE values
Wei Yongjun <weiyongjun1(a)huawei.com>
USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe()
Amelie Delaunay <amelie.delaunay(a)st.com>
dt-bindings: usb: fix the STM32F7 DWC2 OTG HS core binding
Amelie Delaunay <amelie.delaunay(a)st.com>
usb: dwc2: fix STM32F7 USB OTG HS compatible
Bill Kuzeja <William.Kuzeja(a)stratus.com>
scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
Himanshu Madhani <hmadhani(a)redhat.com>
scsi: qla2xxx: Fix logo flag for qlt_free_session_done()
Quinn Tran <quinn.tran(a)cavium.com>
scsi: qla2xxx: Fix NULL pointer access for fcport structure
Himanshu Madhani <himanshu.madhani(a)cavium.com>
scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que
Nikolay Borisov <nborisov(a)suse.com>
btrfs: Fix memory barriers usage with device stats counters
Zygo Blaxell <ce3g8jdj(a)umail.furryterror.org>
btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
Nikolay Borisov <nborisov(a)suse.com>
btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device
Hans van Kranenburg <hans.van.kranenburg(a)mendix.com>
btrfs: alloc_chunk: fix DUP stripe size handling
Edmund Nadolski <enadolski(a)suse.com>
btrfs: add missing initialization in btrfs_check_shared
Dmitriy Gorokh <Dmitriy.Gorokh(a)wdc.com>
btrfs: Fix NULL pointer exception in find_bio_stripe
Amir Goldstein <amir73il(a)gmail.com>
xfs: preserve i_rdev when recycling a reclaimable inode
Israel Rukshin <israelr(a)mellanox.com>
nvme: fix subsystem multiple controllers support check
Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
Tejun Heo <tj(a)kernel.org>
RDMAVT: Fix synchronization around percpu_ref
Tejun Heo <tj(a)kernel.org>
fs/aio: Use RCU accessors for kioctx_table->table[]
Tejun Heo <tj(a)kernel.org>
fs/aio: Add explicit RCU grace period when freeing kioctx
Al Viro <viro(a)zeniv.linux.org.uk>
lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
Marc Zyngier <marc.zyngier(a)arm.com>
KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid
Marc Zyngier <marc.zyngier(a)arm.com>
kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2 on v3
Christoffer Dall <cdall(a)kernel.org>
KVM: arm/arm64: Reset mapped IRQs on VM reset
Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
KVM: arm/arm64: Reduce verbosity of KVM init log
Eric W. Biederman <ebiederm(a)xmission.com>
fs: Teach path_connected to handle nfs filesystems with multiple roots.
Michel Dänzer <michel.daenzer(a)amd.com>
drm/amdgpu/dce: Don't turn off DP sink when disconnected
Christian König <christian.koenig(a)amd.com>
drm/radeon: fix prime teardown order
Christian König <christian.koenig(a)amd.com>
drm/amdgpu: fix prime teardown order
Māris Nartišs <maris.nartiss(a)gmail.com>
drm/nouveau/mmu: ALIGN_DOWN correct variable
Lukas Wunner <lukas(a)wunner.de>
drm/nouveau/bl: Fix oops on driver unbind
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: Clear client entry before deleting else at closing
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: Fix possible UAF in snd_seq_check_queue()
Takashi Iwai <tiwai(a)suse.de>
ALSA: hda - Revert power_save option default value
Takashi Iwai <tiwai(a)suse.de>
ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
John David Anglin <dave.anglin(a)bell.net>
parisc: Handle case where flush_cache_range is called with no context
Toshi Kani <toshi.kani(a)hpe.com>
x86/mm: Fix vmalloc_fault to use pXd_large
Tom Lendacky <thomas.lendacky(a)amd.com>
KVM: x86: Fix device passthrough when SME is active
Alexander Sergeyev <sergeev917(a)gmail.com>
x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist
Andy Whitcroft <apw(a)canonical.com>
x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32-bit kernels
Andy Lutomirski <luto(a)kernel.org>
x86/vm86/32: Fix POPF emulation
Andy Lutomirski <luto(a)kernel.org>
selftests/x86/entry_from_vm86: Add test cases for POPF
Andy Lutomirski <luto(a)kernel.org>
selftests/x86/entry_from_vm86: Exit with 1 if we fail
Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
x86/cpufeatures: Add Intel PCONFIG cpufeature
Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
x86/cpufeatures: Add Intel Total Memory Encryption cpufeature
-------------
Diffstat:
Documentation/devicetree/bindings/usb/dwc2.txt | 2 +-
Makefile | 4 +-
arch/parisc/kernel/cache.c | 41 +++++++++---
arch/x86/include/asm/cpufeatures.h | 2 +
arch/x86/include/asm/nospec-branch.h | 5 +-
arch/x86/kernel/cpu/intel.c | 3 +-
arch/x86/kernel/vm86_32.c | 3 +-
arch/x86/kvm/mmu.c | 4 +-
arch/x86/mm/fault.c | 6 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 31 ++++-----
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 2 -
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 2 +
drivers/gpu/drm/nouveau/nouveau_backlight.c | 4 +-
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +-
drivers/gpu/drm/radeon/radeon_gem.c | 2 -
drivers/gpu/drm/radeon/radeon_object.c | 2 +
drivers/infiniband/sw/rdmavt/mr.c | 10 +--
drivers/irqchip/irq-gic-v3-its.c | 9 ++-
drivers/nvme/host/core.c | 18 +++++-
drivers/phy/broadcom/phy-brcm-usb-init.c | 22 +++----
drivers/phy/broadcom/phy-brcm-usb.c | 4 +-
drivers/scsi/qla2xxx/qla_init.c | 13 ++--
drivers/scsi/qla2xxx/qla_mid.c | 6 +-
drivers/scsi/qla2xxx/qla_os.c | 59 ++++++++++-------
drivers/scsi/qla2xxx/qla_target.c | 1 +
drivers/usb/dwc2/params.c | 6 +-
drivers/usb/dwc3/core.c | 36 ++++++-----
drivers/usb/dwc3/core.h | 16 ++---
drivers/usb/dwc3/dwc3-of-simple.c | 1 +
drivers/usb/gadget/udc/bdc/bdc_pci.c | 1 +
drivers/usb/gadget/udc/renesas_usb3.c | 2 +-
fs/aio.c | 44 ++++++++-----
fs/btrfs/backref.c | 12 +++-
fs/btrfs/raid56.c | 1 +
fs/btrfs/volumes.c | 30 ++++++---
fs/btrfs/volumes.h | 12 ++++
fs/dcache.c | 11 +++-
fs/namei.c | 5 +-
fs/nfs/super.c | 2 +
fs/xfs/xfs_icache.c | 2 +
include/kvm/arm_vgic.h | 1 +
include/linux/fs.h | 1 +
include/linux/irqchip/arm-gic-v3.h | 1 +
include/linux/irqchip/arm-gic.h | 1 +
sound/core/oss/pcm_oss.c | 10 +--
sound/core/seq/seq_clientmgr.c | 4 +-
sound/core/seq/seq_prioq.c | 28 ++++-----
sound/core/seq/seq_prioq.h | 6 +-
sound/core/seq/seq_queue.c | 28 +++------
sound/pci/hda/hda_intel.c | 9 ++-
tools/testing/selftests/x86/entry_from_vm86.c | 32 ++++++++--
virt/kvm/arm/arch_timer.c | 6 +-
virt/kvm/arm/hyp/vgic-v3-sr.c | 3 +-
virt/kvm/arm/mmu.c | 6 +-
virt/kvm/arm/vgic/vgic-v2.c | 11 +++-
virt/kvm/arm/vgic/vgic-v3.c | 9 ++-
virt/kvm/arm/vgic/vgic.c | 87 +++++++++++++++++++++-----
virt/kvm/arm/vgic/vgic.h | 2 +
58 files changed, 461 insertions(+), 222 deletions(-)
This is the start of the stable review cycle for the 4.14.29 release.
There are 41 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed Mar 21 18:07:09 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.29-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.14.29-rc1
Thinh Nguyen <Thinh.Nguyen(a)synopsys.com>
usb: dwc3: Fix GDBGFIFOSPACE_TYPE values
Wei Yongjun <weiyongjun1(a)huawei.com>
USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe()
Bill Kuzeja <William.Kuzeja(a)stratus.com>
scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
Himanshu Madhani <hmadhani(a)redhat.com>
scsi: qla2xxx: Fix logo flag for qlt_free_session_done()
Quinn Tran <quinn.tran(a)cavium.com>
scsi: qla2xxx: Fix NULL pointer access for fcport structure
Himanshu Madhani <himanshu.madhani(a)cavium.com>
scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que
Nikolay Borisov <nborisov(a)suse.com>
btrfs: Fix memory barriers usage with device stats counters
Zygo Blaxell <ce3g8jdj(a)umail.furryterror.org>
btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
Nikolay Borisov <nborisov(a)suse.com>
btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device
Hans van Kranenburg <hans.van.kranenburg(a)mendix.com>
btrfs: alloc_chunk: fix DUP stripe size handling
Edmund Nadolski <enadolski(a)suse.com>
btrfs: add missing initialization in btrfs_check_shared
Dmitriy Gorokh <Dmitriy.Gorokh(a)wdc.com>
btrfs: Fix NULL pointer exception in find_bio_stripe
Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
Tejun Heo <tj(a)kernel.org>
RDMAVT: Fix synchronization around percpu_ref
Tejun Heo <tj(a)kernel.org>
fs/aio: Use RCU accessors for kioctx_table->table[]
Tejun Heo <tj(a)kernel.org>
fs/aio: Add explicit RCU grace period when freeing kioctx
Al Viro <viro(a)zeniv.linux.org.uk>
lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
Marc Zyngier <marc.zyngier(a)arm.com>
KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid
Marc Zyngier <marc.zyngier(a)arm.com>
kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2 on v3
Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
KVM: arm/arm64: Reduce verbosity of KVM init log
Eric W. Biederman <ebiederm(a)xmission.com>
fs: Teach path_connected to handle nfs filesystems with multiple roots.
Michel Dänzer <michel.daenzer(a)amd.com>
drm/amdgpu/dce: Don't turn off DP sink when disconnected
Christian König <christian.koenig(a)amd.com>
drm/radeon: fix prime teardown order
Christian König <christian.koenig(a)amd.com>
drm/amdgpu: fix prime teardown order
Lukas Wunner <lukas(a)wunner.de>
drm/nouveau/bl: Fix oops on driver unbind
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: Clear client entry before deleting else at closing
Takashi Iwai <tiwai(a)suse.de>
ALSA: seq: Fix possible UAF in snd_seq_check_queue()
Takashi Iwai <tiwai(a)suse.de>
ALSA: hda - Revert power_save option default value
Takashi Iwai <tiwai(a)suse.de>
ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
John David Anglin <dave.anglin(a)bell.net>
parisc: Handle case where flush_cache_range is called with no context
Toshi Kani <toshi.kani(a)hpe.com>
x86/mm: Fix vmalloc_fault to use pXd_large
Tom Lendacky <thomas.lendacky(a)amd.com>
KVM: x86: Fix device passthrough when SME is active
Alexander Sergeyev <sergeev917(a)gmail.com>
x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist
Andy Whitcroft <apw(a)canonical.com>
x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32-bit kernels
Andy Lutomirski <luto(a)kernel.org>
x86/vm86/32: Fix POPF emulation
Andy Lutomirski <luto(a)kernel.org>
selftests/x86/entry_from_vm86: Add test cases for POPF
Ricardo Neri <ricardo.neri-calderon(a)linux.intel.com>
selftests/x86: Add tests for the STR and SLDT instructions
Ricardo Neri <ricardo.neri-calderon(a)linux.intel.com>
selftests/x86: Add tests for User-Mode Instruction Prevention
Andy Lutomirski <luto(a)kernel.org>
selftests/x86/entry_from_vm86: Exit with 1 if we fail
Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
x86/cpufeatures: Add Intel PCONFIG cpufeature
Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
x86/cpufeatures: Add Intel Total Memory Encryption cpufeature
-------------
Diffstat:
Makefile | 4 +-
arch/parisc/kernel/cache.c | 41 +++++++--
arch/x86/include/asm/cpufeatures.h | 2 +
arch/x86/include/asm/nospec-branch.h | 5 +-
arch/x86/kernel/cpu/intel.c | 3 +-
arch/x86/kernel/vm86_32.c | 3 +-
arch/x86/kvm/mmu.c | 4 +-
arch/x86/mm/fault.c | 6 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 31 +++----
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 2 -
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 2 +
drivers/gpu/drm/nouveau/nouveau_backlight.c | 4 +-
drivers/gpu/drm/radeon/radeon_gem.c | 2 -
drivers/gpu/drm/radeon/radeon_object.c | 2 +
drivers/infiniband/sw/rdmavt/mr.c | 10 ++-
drivers/irqchip/irq-gic-v3-its.c | 9 +-
drivers/scsi/qla2xxx/qla_init.c | 13 ++-
drivers/scsi/qla2xxx/qla_mid.c | 6 +-
drivers/scsi/qla2xxx/qla_os.c | 59 ++++++++-----
drivers/scsi/qla2xxx/qla_target.c | 1 +
drivers/usb/dwc3/core.h | 16 ++--
drivers/usb/gadget/udc/bdc/bdc_pci.c | 1 +
fs/aio.c | 44 +++++++---
fs/btrfs/backref.c | 12 ++-
fs/btrfs/raid56.c | 1 +
fs/btrfs/volumes.c | 30 +++++--
fs/btrfs/volumes.h | 12 +++
fs/dcache.c | 11 ++-
fs/namei.c | 5 +-
fs/nfs/super.c | 2 +
include/linux/fs.h | 1 +
include/linux/irqchip/arm-gic-v3.h | 1 +
include/linux/irqchip/arm-gic.h | 1 +
sound/core/oss/pcm_oss.c | 10 ++-
sound/core/seq/seq_clientmgr.c | 4 +-
sound/core/seq/seq_prioq.c | 28 +++---
sound/core/seq/seq_prioq.h | 6 +-
sound/core/seq/seq_queue.c | 28 ++----
sound/pci/hda/hda_intel.c | 9 +-
tools/testing/selftests/x86/entry_from_vm86.c | 117 ++++++++++++++++++++++++-
virt/kvm/arm/arch_timer.c | 2 +-
virt/kvm/arm/hyp/vgic-v3-sr.c | 3 +-
virt/kvm/arm/mmu.c | 6 +-
virt/kvm/arm/vgic/vgic-v2.c | 11 ++-
virt/kvm/arm/vgic/vgic-v3.c | 9 +-
virt/kvm/arm/vgic/vgic.c | 61 ++++++++++---
virt/kvm/arm/vgic/vgic.h | 2 +
47 files changed, 456 insertions(+), 186 deletions(-)
On Tue, Mar 20, 2018 at 05:50:27PM +0000, Harsh Shandilya wrote:
> On Tue 20 Mar, 2018, 2:14 AM Greg Kroah-Hartman, <gregkh(a)linuxfoundation.org>
> wrote:
>
> > This is the start of the stable review cycle for the 3.18.101 release.
> > There are 68 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed Mar 21 17:17:59 UTC 2018.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >
> > https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.101-r…
> > or in the git tree and branch at:
> > git://
> > git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> > linux-3.18.y
> > and the diffstat can be found below.
> >
>
> No merge issues with the CAF msm-3.18 tree, no regressions noticed on the
> OnePlus3T.
Wonderful, thanks for testing and letting me know.
greg k-h
From: Jeremy Boone <jeremy.boone(a)nccgroup.trust>
commit 3be23274755ee85771270a23af7691dc9b3a95db upstream
Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips. If a bit does
flip it could cause an overrun if it's in one of the size parameters,
so sanity check that we're not overrunning the provided buffer when
doing a memcpy().
Signed-off-by: Jeremy Boone <jeremy.boone(a)nccgroup.trust>
Cc: stable(a)vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley(a)HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
---
Backported to v4.9
v2: fixed the upstream ID
drivers/char/tpm/tpm-interface.c | 5 +++++
drivers/char/tpm/tpm2-cmd.c | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index d0ac2d56520f..830d7e30e508 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1078,6 +1078,11 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
break;
recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+ if (recd > num_bytes) {
+ total = -EFAULT;
+ break;
+ }
+
memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
dest += recd;
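Review bot: The new `if (recd > num_bytes)` test bounds the copy by what was requested, which protects `dest`, but nothing in these lines shows that `recd` is also within the length of the response the TPM actually returned. If `num_bytes` is not already capped to the size of `getrandom_out.rng_data` earlier in the function, the source side of the `memcpy()` can still be over-read by a glitched length. Please confirm that cap in the changelog, or add a comparison against the received response length next to this check.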
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 17896d654033..a5780ebe15ef 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -668,6 +668,11 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
if (!rc) {
data_len = be16_to_cpup(
(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+ if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
+ rc = -EFAULT;
+ goto out;
+ }
+
data = &buf.data[TPM_HEADER_SIZE + 6];
memcpy(payload->key, data, data_len - 1);
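Review bot: The range check on `data_len` protects `payload->key`, but the read side is still trusted. `data` starts at `TPM_HEADER_SIZE + 6`, and both the `memcpy()` here and the later `data[data_len - 1]` access read from `buf.data` without comparing against the length of the response actually received. A glitched length that stays inside `MIN_KEY_SIZE` to `MAX_KEY_SIZE + 1` but exceeds the real response would pass. Consider also rejecting responses shorter than `TPM_HEADER_SIZE + 6 + data_len`.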
@@ -675,6 +680,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
payload->migratable = data[data_len - 1];
}
+out:
tpm_buf_destroy(&buf);
return rc;
}
--
2.15.1
From: Jeremy Boone <jeremy.boone(a)nccgroup.trust>
commit 3be23274755ee85771270a23af7691dc9b3a95db upstream
Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips. If a bit does
flip it could cause an overrun if it's in one of the size parameters,
so sanity check that we're not overrunning the provided buffer when
doing a memcpy().
Signed-off-by: Jeremy Boone <jeremy.boone(a)nccgroup.trust>
Cc: stable(a)vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley(a)HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
---
Backported to v4.4.
v2: fixed the upstream ID
drivers/char/tpm/tpm-interface.c | 5 +++++
drivers/char/tpm/tpm2-cmd.c | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index aaa5fa95dede..36afc1a21699 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1040,6 +1040,11 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
break;
recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+ if (recd > num_bytes) {
+ total = -EFAULT;
+ break;
+ }
+
memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
dest += recd;
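Review bot: In the new branch, `total = -EFAULT` overwrites whatever count `total` held before the `break`, and it reports a code that normally means a bad user-space address. For a malformed device response, `-EIO` would describe the failure more accurately. The changelog should also say whether discarding a partial result is intended, as opposed to breaking out and returning the bytes gathered so far.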
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 286bd090a488..389a009b83f2 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -622,6 +622,11 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
if (!rc) {
data_len = be16_to_cpup(
(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+ if (data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1) {
+ rc = -EFAULT;
+ goto out;
+ }
+
data = &buf.data[TPM_HEADER_SIZE + 6];
memcpy(payload->key, data, data_len - 1);
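Review bot: The two bounds in `data_len < MIN_KEY_SIZE || data_len > MAX_KEY_SIZE + 1` are not symmetric. The upper bound allows for the trailing flag byte (the copy uses `data_len - 1` and the last byte becomes `payload->migratable`), but the lower bound is applied to `data_len` itself, so a key of `MIN_KEY_SIZE - 1` bytes is accepted. If that is not intended, the lower bound should be `MIN_KEY_SIZE + 1`. Either way, a one-line comment stating that `data_len` counts the key plus one flag byte would keep the `+ 1` from being read as an off-by-one later.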
@@ -629,6 +634,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
payload->migratable = data[data_len - 1];
}
+out:
tpm_buf_destroy(&buf);
return rc;
}
--
2.15.1