- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] Patch "atm: horizon: Fix irq release error" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled atm: horizon: Fix irq release error to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: atm-horizon-fix-irq-release-error.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Arvind Yadav <arvind.yadav.cs(a)gmail.com> Date: Tue, 14 Nov 2017 13:42:38 +0530 Subject: atm: horizon: Fix irq release error From: Arvind Yadav <arvind.yadav.cs(a)gmail.com> [ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ] atm_dev_register() can fail here and passed parameters to free irq which is not initialised. Initialization of 'dev->irq' happened after the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in free_irq(). Signed-off-by: Arvind Yadav <arvind.yadav.cs(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/atm/horizon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/atm/horizon.c +++ b/drivers/atm/horizon.c @@ -2828,7 +2828,7 @@ out: return err; out_free_irq: - free_irq(dev->irq, dev); + free_irq(irq, dev); out_free: kfree(dev); out_release: Patches currently in stable-queue which might be from arvind.yadav.cs(a)gmail.com are queue-3.18/atm-horizon-fix-irq-release-error.patch

7 years, 6 months

1
0
0 0

[Linux-stable-mirror] Patch "arm: KVM: Survive unknown traps from guests" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled arm: KVM: Survive unknown traps from guests to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: arm-kvm-survive-unknown-traps-from-guests.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Mark Rutland <mark.rutland(a)arm.com> Date: Mon, 20 Feb 2017 12:30:11 +0000 Subject: arm: KVM: Survive unknown traps from guests From: Mark Rutland <mark.rutland(a)arm.com> [ Upstream commit f050fe7a9164945dd1c28be05bf00e8cfb082ccf ] Currently we BUG() if we see a HSR.EC value we don't recognise. As configurable disables/enables are added to the architecture (controlled by RES1/RES0 bits respectively), with associated synchronous exceptions, it may be possible for a guest to trigger exceptions with classes that we don't recognise. While we can't service these exceptions in a manner useful to the guest, we can avoid bringing down the host. Per ARM DDI 0406C.c, all currently unallocated HSR EC encodings are reserved, and per ARM DDI 0487A.k_iss10775, page G6-4395, EC values within the range 0x00 - 0x2c are reserved for future use with synchronous exceptions, and EC values within the range 0x2d - 0x3f may be used for either synchronous or asynchronous exceptions. The patch makes KVM handle any unknown EC by injecting an UNDEFINED exception into the guest, with a corresponding (ratelimited) warning in the host dmesg. We could later improve on this with with a new (opt-in) exit to the host userspace. Cc: Dave Martin <dave.martin(a)arm.com> Cc: Suzuki K Poulose <suzuki.poulose(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/arm/include/asm/kvm_arm.h | 1 + arch/arm/kvm/handle_exit.c | 19 ++++++++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) --- a/arch/arm/include/asm/kvm_arm.h +++ b/arch/arm/include/asm/kvm_arm.h @@ -208,6 +208,7 @@ #define HSR_EC_IABT_HYP (0x21) #define HSR_EC_DABT (0x24) #define HSR_EC_DABT_HYP (0x25) +#define HSR_EC_MAX (0x3f) #define HSR_WFI_IS_WFE (1U << 0) --- a/arch/arm/kvm/handle_exit.c +++ b/arch/arm/kvm/handle_exit.c @@ -98,7 +98,19 @@ static int kvm_handle_wfx(struct kvm_vcp return 1; } +static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + u32 hsr = kvm_vcpu_get_hsr(vcpu); + + kvm_pr_unimpl("Unknown exception class: hsr: %#08x\n", + hsr); + + kvm_inject_undefined(vcpu); + return 1; +} + static exit_handle_fn arm_exit_handlers[] = { + [0 ... HSR_EC_MAX] = kvm_handle_unknown_ec, [HSR_EC_WFI] = kvm_handle_wfx, [HSR_EC_CP15_32] = kvm_handle_cp15_32, [HSR_EC_CP15_64] = kvm_handle_cp15_64, @@ -120,13 +132,6 @@ static exit_handle_fn kvm_get_exit_handl { u8 hsr_ec = kvm_vcpu_trap_get_class(vcpu); - if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) || - !arm_exit_handlers[hsr_ec]) { - kvm_err("Unknown exception class: hsr: %#08x\n", - (unsigned int)kvm_vcpu_get_hsr(vcpu)); - BUG(); - } - return arm_exit_handlers[hsr_ec]; } Patches currently in stable-queue which might be from mark.rutland(a)arm.com are queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch queue-3.18/sparc64-mm-set-fields-in-deferred-pages.patch

7 years, 6 months

1
0
0 0

[Linux-stable-mirror] Patch "afs: Connect up the CB.ProbeUuid" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled afs: Connect up the CB.ProbeUuid to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: afs-connect-up-the-cb.probeuuid.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: David Howells <dhowells(a)redhat.com> Date: Thu, 2 Nov 2017 15:27:48 +0000 Subject: afs: Connect up the CB.ProbeUuid From: David Howells <dhowells(a)redhat.com> [ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ] The handler for the CB.ProbeUuid operation in the cache manager is implemented, but isn't listed in the switch-statement of operation selection, so won't be used. Fix this by adding it. Signed-off-by: David Howells <dhowells(a)redhat.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/afs/cmservice.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/afs/cmservice.c +++ b/fs/afs/cmservice.c @@ -115,6 +115,9 @@ bool afs_cm_incoming_call(struct afs_cal case CBProbe: call->type = &afs_SRXCBProbe; return true; + case CBProbeUuid: + call->type = &afs_SRXCBProbeUuid; + return true; case CBTellMeAboutYourself: call->type = &afs_SRXCBTellMeAboutYourself; return true; Patches currently in stable-queue which might be from dhowells(a)redhat.com are queue-3.18/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-3.18/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-3.18/keys-add-missing-permission-check-for-request_key-destination.patch queue-3.18/afs-connect-up-the-cb.probeuuid.patch

7 years, 6 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4.4 00/27] 4.4.104-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.104 release. There are 27 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Dec 6 15:59:33 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.104-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.104-rc1 Trond Myklebust <trond.myklebust(a)primarydata.com> nfsd: Fix another OPEN stateid race Trond Myklebust <trond.myklebust(a)primarydata.com> nfsd: Fix stateid races between OPEN and CLOSE Oleg Drokin <green(a)linuxhacker.ru> nfsd: Make init_open_stateid() a bit more whole Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Prevent zero length "index" write Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Don't try indexed reads to alternate slave addresses NeilBrown <neilb(a)suse.com> NFS: revalidate "." etc correctly on "open". Brent Taylor <motobud(a)gmail.com> mtd: nand: Fix writing mtdoops to nand flash. Jonathan Liu <net147(a)gmail.com> drm/panel: simple: Add missing panel_simple_unprepare() calls Roman Kapl <rka(a)sysgo.com> drm/radeon: fix atombios on big endian Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/radeon: dont switch vt on suspend" Huacai Chen <chenhc(a)lemote.com> bcache: Fix building error on MIPS Heiner Kallweit <hkallweit1(a)gmail.com> eeprom: at24: check at24_read/write arguments Adrian Hunter <adrian.hunter(a)intel.com> mmc: core: Do not leave the block driver in a suspended state Paolo Bonzini <pbonzini(a)redhat.com> KVM: x86: inject exceptions produced by x86_decode_insn Liran Alon <liran.alon(a)oracle.com> KVM: x86: Exit to user-mode on #UD intercept when emulator requires Liran Alon <liran.alon(a)oracle.com> KVM: x86: pvclock: Handle first-time write to pvclock-page contains random junk Josef Bacik <jbacik(a)fb.com> btrfs: clear space cache inode generation always chenjie <chenjie6(a)huawei.com> mm/madvise.c: fix madvise() infinite loop under special circumstances Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() Matt Fleming <matt(a)codeblueprint.co.uk> x86/efi-bgrt: Replace early_memremap() with memremap() Sai Praneeth <sai.praneeth.prakhya(a)intel.com> x86/efi-bgrt: Fix kernel panic when mapping BGRT data Adam Ford <aford173(a)gmail.com> ARM: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio Matt Fleming <matt(a)codeblueprint.co.uk> x86/efi: Build our own page table structures Matt Fleming <matt(a)codeblueprint.co.uk> x86/efi: Hoist page table switching code into efi_call_virt() Matt Fleming <matt(a)codeblueprint.co.uk> x86/mm/pat: Ensure cpa->pfn only contains page frame numbers Herbert Xu <herbert(a)gondor.apana.org.au> ipsec: Fix aborted xfrm policy dump crash Tom Herbert <tom(a)herbertland.com> netlink: add a start callback for starting a netlink dump ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts | 2 +- arch/x86/include/asm/efi.h | 26 ++++ arch/x86/kvm/svm.c | 2 + arch/x86/kvm/vmx.c | 2 + arch/x86/kvm/x86.c | 5 + arch/x86/mm/pageattr.c | 17 +-- arch/x86/platform/efi/efi-bgrt.c | 39 +++--- arch/x86/platform/efi/efi.c | 39 +++--- arch/x86/platform/efi/efi_32.c | 5 + arch/x86/platform/efi/efi_64.c | 137 ++++++++++++++++------ arch/x86/platform/efi/efi_stub_64.S | 43 ------- drivers/firmware/efi/efi.c | 32 ----- drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 38 +++--- drivers/gpu/drm/i915/intel_i2c.c | 4 +- drivers/gpu/drm/panel/panel-simple.c | 2 + drivers/gpu/drm/radeon/atombios_dp.c | 38 +++--- drivers/gpu/drm/radeon/radeon_fb.c | 1 - drivers/md/bcache/alloc.c | 2 +- drivers/md/bcache/extents.c | 2 +- drivers/md/bcache/journal.c | 2 +- drivers/misc/eeprom/at24.c | 6 + drivers/mmc/core/bus.c | 3 + drivers/mtd/nand/nand_base.c | 9 +- fs/btrfs/extent-tree.c | 14 +-- fs/nfs/dir.c | 3 +- fs/nfsd/nfs4state.c | 114 ++++++++++++------ include/linux/netlink.h | 2 + include/net/genetlink.h | 2 + include/uapi/linux/bcache.h | 2 +- mm/huge_memory.c | 14 +-- mm/madvise.c | 4 +- net/netlink/af_netlink.c | 4 + net/netlink/genetlink.c | 16 +++ net/xfrm/xfrm_user.c | 25 ++-- 35 files changed, 373 insertions(+), 287 deletions(-)

7 years, 6 months

7
29
0 0

[Linux-stable-mirror] Patch "Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers" to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:26:14 CET 2017 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Date: Thu, 14 Dec 2017 21:25:00 +0100 Subject: Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers" From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream. Turns there was too many other issues with this patch to make it viable for the stable tree. Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: Matt Fleming <matt(a)codeblueprint.co.uk> Cc: Borislav Petkov <bp(a)suse.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Dave Jones <davej(a)codemonkey.org.uk> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya(a)intel.com> Cc: Stephen Smalley <sds(a)tycho.nsa.gov> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Toshi Kani <toshi.kani(a)hp.com> Cc: linux-efi(a)vger.kernel.org Cc: Ingo Molnar <mingo(a)kernel.org> Cc: "Ghannam, Yazen" <Yazen.Ghannam(a)amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/mm/pageattr.c | 17 +++++++++++------ arch/x86/platform/efi/efi_64.c | 16 ++++++---------- 2 files changed, 17 insertions(+), 16 deletions(-) --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -911,10 +911,15 @@ static void populate_pte(struct cpa_data pte = pte_offset_kernel(pmd, start); while (num_pages-- && start < end) { - set_pte(pte, pfn_pte(cpa->pfn, pgprot)); + + /* deal with the NX bit */ + if (!(pgprot_val(pgprot) & _PAGE_NX)) + cpa->pfn &= ~_PAGE_NX; + + set_pte(pte, pfn_pte(cpa->pfn >> PAGE_SHIFT, pgprot)); start += PAGE_SIZE; - cpa->pfn++; + cpa->pfn += PAGE_SIZE; pte++; } } @@ -970,11 +975,11 @@ static int populate_pmd(struct cpa_data pmd = pmd_offset(pud, start); - set_pmd(pmd, __pmd(cpa->pfn << PAGE_SHIFT | _PAGE_PSE | + set_pmd(pmd, __pmd(cpa->pfn | _PAGE_PSE | massage_pgprot(pmd_pgprot))); start += PMD_SIZE; - cpa->pfn += PMD_SIZE >> PAGE_SHIFT; + cpa->pfn += PMD_SIZE; cur_pages += PMD_SIZE >> PAGE_SHIFT; } @@ -1043,11 +1048,11 @@ static int populate_pud(struct cpa_data * Map everything starting from the Gb boundary, possibly with 1G pages */ while (end - start >= PUD_SIZE) { - set_pud(pud, __pud(cpa->pfn << PAGE_SHIFT | _PAGE_PSE | + set_pud(pud, __pud(cpa->pfn | _PAGE_PSE | massage_pgprot(pud_pgprot))); start += PUD_SIZE; - cpa->pfn += PUD_SIZE >> PAGE_SHIFT; + cpa->pfn += PUD_SIZE; cur_pages += PUD_SIZE >> PAGE_SHIFT; pud++; } --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -143,7 +143,7 @@ void efi_sync_low_kernel_mappings(void) int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) { - unsigned long pfn, text; + unsigned long text; struct page *page; unsigned npages; pgd_t *pgd; @@ -160,8 +160,7 @@ int __init efi_setup_page_tables(unsigne * and ident-map those pages containing the map before calling * phys_efi_set_virtual_address_map(). */ - pfn = pa_memmap >> PAGE_SHIFT; - if (kernel_map_pages_in_pgd(pgd, pfn, pa_memmap, num_pages, _PAGE_NX)) { + if (kernel_map_pages_in_pgd(pgd, pa_memmap, pa_memmap, num_pages, _PAGE_NX)) { pr_err("Error ident-mapping new memmap (0x%lx)!\n", pa_memmap); return 1; } @@ -186,9 +185,8 @@ int __init efi_setup_page_tables(unsigne npages = (_end - _text) >> PAGE_SHIFT; text = __pa(_text); - pfn = text >> PAGE_SHIFT; - if (kernel_map_pages_in_pgd(pgd, pfn, text, npages, 0)) { + if (kernel_map_pages_in_pgd(pgd, text >> PAGE_SHIFT, text, npages, 0)) { pr_err("Failed to map kernel text 1:1\n"); return 1; } @@ -206,14 +204,12 @@ void __init efi_cleanup_page_tables(unsi static void __init __map_region(efi_memory_desc_t *md, u64 va) { pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); - unsigned long flags = 0; - unsigned long pfn; + unsigned long pf = 0; if (!(md->attribute & EFI_MEMORY_WB)) - flags |= _PAGE_PCD; + pf |= _PAGE_PCD; - pfn = md->phys_addr >> PAGE_SHIFT; - if (kernel_map_pages_in_pgd(pgd, pfn, va, md->num_pages, flags)) + if (kernel_map_pages_in_pgd(pgd, md->phys_addr, va, md->num_pages, pf)) pr_warn("Error mapping PA 0x%llx -> VA 0x%llx!\n", md->phys_addr, va); } Patches currently in stable-queue which might be from gregkh(a)linuxfoundation.org are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch queue-4.4/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-4.4/atm-horizon-fix-irq-release-error.patch queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-4.4/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-4.4/ipvlan-fix-ipv6-outbound-device.patch queue-4.4/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch queue-4.4/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-4.4/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch queue-4.4/alsa-seq-remove-spurious-warn_on-at-timer-check.patch queue-4.4/revert-x86-efi-build-our-own-page-table-structures.patch queue-4.4/more-bio_map_user_iov-leak-fixes.patch queue-4.4/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch queue-4.4/s390-fix-compat-system-call-table.patch queue-4.4/netfilter-don-t-track-fragmented-packets.patch queue-4.4/block-wake-up-all-tasks-blocked-in-get_request.patch queue-4.4/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch queue-4.4/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.4/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch queue-4.4/arm-omap2-fix-device-node-reference-counts.patch queue-4.4/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch queue-4.4/iommu-vt-d-fix-scatterlist-offset-handling.patch queue-4.4/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch queue-4.4/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.4/drm-extra-printk-wrapper-macros.patch queue-4.4/mm-drop-unused-pmdp_huge_get_and_clear_notify.patch queue-4.4/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch queue-4.4/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch queue-4.4/axonram-fix-gendisk-handling.patch queue-4.4/alsa-usb-audio-add-check-return-value-for-usb_string.patch queue-4.4/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch queue-4.4/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch queue-4.4/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-4.4/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-4.4/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-4.4/thp-fix-madv_dontneed-vs.-numa-balancing-race.patch queue-4.4/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch queue-4.4/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch queue-4.4/sunrpc-fix-rpc_task_begin-trace-point.patch queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-4.4/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-4.4/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch queue-4.4/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-4.4/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch queue-4.4/thp-reduce-indentation-level-in-change_huge_pmd.patch queue-4.4/revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch queue-4.4/afs-connect-up-the-cb.probeuuid.patch queue-4.4/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch queue-4.4/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.4/sit-update-frag_off-info.patch queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch queue-4.4/module-set-__jump_table-alignment-to-8.patch queue-4.4/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-4.4/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/virtio-release-virtio-index-when-fail-to-device_register.patch queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch queue-4.4/nfs-fix-a-typo-in-nfs_rename.patch queue-4.4/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.4/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch queue-4.4/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch queue-4.4/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-4.4/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-4.4/revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch queue-4.4/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch queue-4.4/arm-avoid-faulting-on-qemu.patch queue-4.4/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-4.4/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch queue-4.4/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch queue-4.4/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-4.4/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch queue-4.4/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-4.4/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch queue-4.4/alsa-usb-audio-fix-out-of-bound-error.patch queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch queue-4.4/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-4.4/arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch queue-4.4/i2c-riic-fix-restart-condition.patch queue-4.4/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-4.4/usb-gadget-configs-plug-memory-leak.patch queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch queue-4.4/revert-drm-armada-fix-compile-fail.patch queue-4.4/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch queue-4.4/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch

7 years, 6 months

1
0
0 0

[Linux-stable-mirror] Patch "Revert "x86/efi: Hoist page table switching code into efi_call_virt()"" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "x86/efi: Hoist page table switching code into efi_call_virt()" to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:26:14 CET 2017 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Date: Thu, 14 Dec 2017 21:23:48 +0100 Subject: Revert "x86/efi: Hoist page table switching code into efi_call_virt()" From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> This reverts commit b73adb60852034d84092d123b323196ca42529cd which is commit c9f2a9a65e4855b74d92cdad688f6ee4a1a323ff upstream. Turns there was too many other issues with this patch to make it viable for the stable tree. Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: Matt Fleming <matt(a)codeblueprint.co.uk> Cc: Borislav Petkov <bp(a)suse.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Dave Jones <davej(a)codemonkey.org.uk> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya(a)intel.com> Cc: Stephen Smalley <sds(a)tycho.nsa.gov> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Toshi Kani <toshi.kani(a)hp.com> Cc: linux-efi(a)vger.kernel.org Cc: Ingo Molnar <mingo(a)kernel.org> Cc: "Ghannam, Yazen" <Yazen.Ghannam(a)amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/efi.h | 25 -------------------- arch/x86/platform/efi/efi_64.c | 24 ++++++++++---------- arch/x86/platform/efi/efi_stub_64.S | 43 ++++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 36 deletions(-) --- a/arch/x86/include/asm/efi.h +++ b/arch/x86/include/asm/efi.h @@ -3,7 +3,6 @@ #include <asm/fpu/api.h> #include <asm/pgtable.h> -#include <asm/tlb.h> /* * We map the EFI regions needed for runtime services non-contiguously, @@ -65,17 +64,6 @@ extern u64 asmlinkage efi_call(void *fp, #define efi_call_phys(f, args...) efi_call((f), args) -/* - * Scratch space used for switching the pagetable in the EFI stub - */ -struct efi_scratch { - u64 r15; - u64 prev_cr3; - pgd_t *efi_pgt; - bool use_pgd; - u64 phys_stack; -} __packed; - #define efi_call_virt(f, ...) \ ({ \ efi_status_t __s; \ @@ -83,20 +71,7 @@ struct efi_scratch { efi_sync_low_kernel_mappings(); \ preempt_disable(); \ __kernel_fpu_begin(); \ - \ - if (efi_scratch.use_pgd) { \ - efi_scratch.prev_cr3 = read_cr3(); \ - write_cr3((unsigned long)efi_scratch.efi_pgt); \ - __flush_tlb_all(); \ - } \ - \ __s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__); \ - \ - if (efi_scratch.use_pgd) { \ - write_cr3(efi_scratch.prev_cr3); \ - __flush_tlb_all(); \ - } \ - \ __kernel_fpu_end(); \ preempt_enable(); \ __s; \ --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -47,7 +47,16 @@ */ static u64 efi_va = EFI_VA_START; -struct efi_scratch efi_scratch; +/* + * Scratch space used for switching the pagetable in the EFI stub + */ +struct efi_scratch { + u64 r15; + u64 prev_cr3; + pgd_t *efi_pgt; + bool use_pgd; + u64 phys_stack; +} __packed; static void __init early_code_mapping_set_exec(int executable) { @@ -74,11 +83,8 @@ pgd_t * __init efi_call_phys_prolog(void int pgd; int n_pgds; - if (!efi_enabled(EFI_OLD_MEMMAP)) { - save_pgd = (pgd_t *)read_cr3(); - write_cr3((unsigned long)efi_scratch.efi_pgt); - goto out; - } + if (!efi_enabled(EFI_OLD_MEMMAP)) + return NULL; early_code_mapping_set_exec(1); @@ -90,7 +96,6 @@ pgd_t * __init efi_call_phys_prolog(void vaddress = (unsigned long)__va(pgd * PGDIR_SIZE); set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); } -out: __flush_tlb_all(); return save_pgd; @@ -104,11 +109,8 @@ void __init efi_call_phys_epilog(pgd_t * int pgd_idx; int nr_pgds; - if (!efi_enabled(EFI_OLD_MEMMAP)) { - write_cr3((unsigned long)save_pgd); - __flush_tlb_all(); + if (!save_pgd) return; - } nr_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT) , PGDIR_SIZE); --- a/arch/x86/platform/efi/efi_stub_64.S +++ b/arch/x86/platform/efi/efi_stub_64.S @@ -38,6 +38,41 @@ mov %rsi, %cr0; \ mov (%rsp), %rsp + /* stolen from gcc */ + .macro FLUSH_TLB_ALL + movq %r15, efi_scratch(%rip) + movq %r14, efi_scratch+8(%rip) + movq %cr4, %r15 + movq %r15, %r14 + andb $0x7f, %r14b + movq %r14, %cr4 + movq %r15, %cr4 + movq efi_scratch+8(%rip), %r14 + movq efi_scratch(%rip), %r15 + .endm + + .macro SWITCH_PGT + cmpb $0, efi_scratch+24(%rip) + je 1f + movq %r15, efi_scratch(%rip) # r15 + # save previous CR3 + movq %cr3, %r15 + movq %r15, efi_scratch+8(%rip) # prev_cr3 + movq efi_scratch+16(%rip), %r15 # EFI pgt + movq %r15, %cr3 + 1: + .endm + + .macro RESTORE_PGT + cmpb $0, efi_scratch+24(%rip) + je 2f + movq efi_scratch+8(%rip), %r15 + movq %r15, %cr3 + movq efi_scratch(%rip), %r15 + FLUSH_TLB_ALL + 2: + .endm + ENTRY(efi_call) SAVE_XMM mov (%rsp), %rax @@ -48,8 +83,16 @@ ENTRY(efi_call) mov %r8, %r9 mov %rcx, %r8 mov %rsi, %rcx + SWITCH_PGT call *%rdi + RESTORE_PGT addq $48, %rsp RESTORE_XMM ret ENDPROC(efi_call) + + .data +ENTRY(efi_scratch) + .fill 3,8,0 + .byte 0 + .quad 0 Patches currently in stable-queue which might be from gregkh(a)linuxfoundation.org are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch queue-4.4/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-4.4/atm-horizon-fix-irq-release-error.patch queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-4.4/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-4.4/ipvlan-fix-ipv6-outbound-device.patch queue-4.4/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch queue-4.4/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-4.4/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch queue-4.4/alsa-seq-remove-spurious-warn_on-at-timer-check.patch queue-4.4/revert-x86-efi-build-our-own-page-table-structures.patch queue-4.4/more-bio_map_user_iov-leak-fixes.patch queue-4.4/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch queue-4.4/s390-fix-compat-system-call-table.patch queue-4.4/netfilter-don-t-track-fragmented-packets.patch queue-4.4/block-wake-up-all-tasks-blocked-in-get_request.patch queue-4.4/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch queue-4.4/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.4/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch queue-4.4/arm-omap2-fix-device-node-reference-counts.patch queue-4.4/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch queue-4.4/iommu-vt-d-fix-scatterlist-offset-handling.patch queue-4.4/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch queue-4.4/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.4/drm-extra-printk-wrapper-macros.patch queue-4.4/mm-drop-unused-pmdp_huge_get_and_clear_notify.patch queue-4.4/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch queue-4.4/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch queue-4.4/axonram-fix-gendisk-handling.patch queue-4.4/alsa-usb-audio-add-check-return-value-for-usb_string.patch queue-4.4/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch queue-4.4/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch queue-4.4/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-4.4/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-4.4/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-4.4/thp-fix-madv_dontneed-vs.-numa-balancing-race.patch queue-4.4/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch queue-4.4/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch queue-4.4/sunrpc-fix-rpc_task_begin-trace-point.patch queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-4.4/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-4.4/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch queue-4.4/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-4.4/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch queue-4.4/thp-reduce-indentation-level-in-change_huge_pmd.patch queue-4.4/revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch queue-4.4/afs-connect-up-the-cb.probeuuid.patch queue-4.4/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch queue-4.4/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.4/sit-update-frag_off-info.patch queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch queue-4.4/module-set-__jump_table-alignment-to-8.patch queue-4.4/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-4.4/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/virtio-release-virtio-index-when-fail-to-device_register.patch queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch queue-4.4/nfs-fix-a-typo-in-nfs_rename.patch queue-4.4/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.4/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch queue-4.4/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch queue-4.4/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-4.4/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-4.4/revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch queue-4.4/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch queue-4.4/arm-avoid-faulting-on-qemu.patch queue-4.4/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-4.4/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch queue-4.4/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch queue-4.4/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-4.4/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch queue-4.4/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-4.4/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch queue-4.4/alsa-usb-audio-fix-out-of-bound-error.patch queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch queue-4.4/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-4.4/arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch queue-4.4/i2c-riic-fix-restart-condition.patch queue-4.4/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-4.4/usb-gadget-configs-plug-memory-leak.patch queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch queue-4.4/revert-drm-armada-fix-compile-fail.patch queue-4.4/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch queue-4.4/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch

7 years, 6 months

1
0
0 0

[Linux-stable-mirror] Patch "Revert "x86/efi: Build our own page table structures"" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "x86/efi: Build our own page table structures" to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-x86-efi-build-our-own-page-table-structures.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:26:14 CET 2017 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Date: Thu, 14 Dec 2017 21:21:50 +0100 Subject: Revert "x86/efi: Build our own page table structures" From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> This reverts commit 36e0f05afd4e1d09fd47936761a502aedbc50649 which is commit 67a9108ed4313b85a9c53406d80dc1ae3f8c3e36 upstream. Turns there was too many other issues with this patch to make it viable for the stable tree. Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: Matt Fleming <matt(a)codeblueprint.co.uk> Cc: Borislav Petkov <bp(a)suse.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Dave Jones <davej(a)codemonkey.org.uk> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya(a)intel.com> Cc: Stephen Smalley <sds(a)tycho.nsa.gov> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Toshi Kani <toshi.kani(a)hp.com> Cc: linux-efi(a)vger.kernel.org Cc: Ingo Molnar <mingo(a)kernel.org> Cc: "Ghannam, Yazen" <Yazen.Ghannam(a)amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/efi.h | 1 arch/x86/platform/efi/efi.c | 39 ++++++++++------ arch/x86/platform/efi/efi_32.c | 5 -- arch/x86/platform/efi/efi_64.c | 97 ++++++----------------------------------- 4 files changed, 40 insertions(+), 102 deletions(-) --- a/arch/x86/include/asm/efi.h +++ b/arch/x86/include/asm/efi.h @@ -136,7 +136,6 @@ extern void __init efi_memory_uc(u64 add extern void __init efi_map_region(efi_memory_desc_t *md); extern void __init efi_map_region_fixed(efi_memory_desc_t *md); extern void efi_sync_low_kernel_mappings(void); -extern int __init efi_alloc_page_tables(void); extern int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages); extern void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages); extern void __init old_map_region(efi_memory_desc_t *md); --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c @@ -869,7 +869,7 @@ static void __init kexec_enter_virtual_m * This function will switch the EFI runtime services to virtual mode. * Essentially, we look through the EFI memmap and map every region that * has the runtime attribute bit set in its memory descriptor into the - * efi_pgd page table. + * ->trampoline_pgd page table using a top-down VA allocation scheme. * * The old method which used to update that memory descriptor with the * virtual address obtained from ioremap() is still supported when the @@ -879,8 +879,8 @@ static void __init kexec_enter_virtual_m * * The new method does a pagetable switch in a preemption-safe manner * so that we're in a different address space when calling a runtime - * function. For function arguments passing we do copy the PUDs of the - * kernel page table into efi_pgd prior to each call. + * function. For function arguments passing we do copy the PGDs of the + * kernel page table into ->trampoline_pgd prior to each call. * * Specially for kexec boot, efi runtime maps in previous kernel should * be passed in via setup_data. In that case runtime ranges will be mapped @@ -895,12 +895,6 @@ static void __init __efi_enter_virtual_m efi.systab = NULL; - if (efi_alloc_page_tables()) { - pr_err("Failed to allocate EFI page tables\n"); - clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); - return; - } - efi_merge_regions(); new_memmap = efi_map_regions(&count, &pg_shift); if (!new_memmap) { @@ -960,11 +954,28 @@ static void __init __efi_enter_virtual_m efi_runtime_mkexec(); /* - * We mapped the descriptor array into the EFI pagetable above - * but we're not unmapping it here because if we're running in - * EFI mixed mode we need all of memory to be accessible when - * we pass parameters to the EFI runtime services in the - * thunking code. + * We mapped the descriptor array into the EFI pagetable above but we're + * not unmapping it here. Here's why: + * + * We're copying select PGDs from the kernel page table to the EFI page + * table and when we do so and make changes to those PGDs like unmapping + * stuff from them, those changes appear in the kernel page table and we + * go boom. + * + * From setup_real_mode(): + * + * ... + * trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd; + * + * In this particular case, our allocation is in PGD 0 of the EFI page + * table but we've copied that PGD from PGD[272] of the EFI page table: + * + * pgd_index(__PAGE_OFFSET = 0xffff880000000000) = 272 + * + * where the direct memory mapping in kernel space is. + * + * new_memmap's VA comes from that direct mapping and thus clearing it, + * it would get cleared in the kernel page table too. * * efi_cleanup_page_tables(__pa(new_memmap), 1 << pg_shift); */ --- a/arch/x86/platform/efi/efi_32.c +++ b/arch/x86/platform/efi/efi_32.c @@ -38,11 +38,6 @@ * say 0 - 3G. */ -int __init efi_alloc_page_tables(void) -{ - return 0; -} - void efi_sync_low_kernel_mappings(void) {} void __init efi_dump_pagetable(void) {} int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -40,7 +40,6 @@ #include <asm/fixmap.h> #include <asm/realmode.h> #include <asm/time.h> -#include <asm/pgalloc.h> /* * We allocate runtime services regions bottom-up, starting from -4G, i.e. @@ -122,92 +121,22 @@ void __init efi_call_phys_epilog(pgd_t * early_code_mapping_set_exec(0); } -static pgd_t *efi_pgd; - -/* - * We need our own copy of the higher levels of the page tables - * because we want to avoid inserting EFI region mappings (EFI_VA_END - * to EFI_VA_START) into the standard kernel page tables. Everything - * else can be shared, see efi_sync_low_kernel_mappings(). - */ -int __init efi_alloc_page_tables(void) -{ - pgd_t *pgd; - pud_t *pud; - gfp_t gfp_mask; - - if (efi_enabled(EFI_OLD_MEMMAP)) - return 0; - - gfp_mask = GFP_KERNEL | __GFP_NOTRACK | __GFP_REPEAT | __GFP_ZERO; - efi_pgd = (pgd_t *)__get_free_page(gfp_mask); - if (!efi_pgd) - return -ENOMEM; - - pgd = efi_pgd + pgd_index(EFI_VA_END); - - pud = pud_alloc_one(NULL, 0); - if (!pud) { - free_page((unsigned long)efi_pgd); - return -ENOMEM; - } - - pgd_populate(NULL, pgd, pud); - - return 0; -} - /* * Add low kernel mappings for passing arguments to EFI functions. */ void efi_sync_low_kernel_mappings(void) { - unsigned num_entries; - pgd_t *pgd_k, *pgd_efi; - pud_t *pud_k, *pud_efi; + unsigned num_pgds; + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); if (efi_enabled(EFI_OLD_MEMMAP)) return; - /* - * We can share all PGD entries apart from the one entry that - * covers the EFI runtime mapping space. - * - * Make sure the EFI runtime region mappings are guaranteed to - * only span a single PGD entry and that the entry also maps - * other important kernel regions. - */ - BUILD_BUG_ON(pgd_index(EFI_VA_END) != pgd_index(MODULES_END)); - BUILD_BUG_ON((EFI_VA_START & PGDIR_MASK) != - (EFI_VA_END & PGDIR_MASK)); - - pgd_efi = efi_pgd + pgd_index(PAGE_OFFSET); - pgd_k = pgd_offset_k(PAGE_OFFSET); - - num_entries = pgd_index(EFI_VA_END) - pgd_index(PAGE_OFFSET); - memcpy(pgd_efi, pgd_k, sizeof(pgd_t) * num_entries); - - /* - * We share all the PUD entries apart from those that map the - * EFI regions. Copy around them. - */ - BUILD_BUG_ON((EFI_VA_START & ~PUD_MASK) != 0); - BUILD_BUG_ON((EFI_VA_END & ~PUD_MASK) != 0); - - pgd_efi = efi_pgd + pgd_index(EFI_VA_END); - pud_efi = pud_offset(pgd_efi, 0); - - pgd_k = pgd_offset_k(EFI_VA_END); - pud_k = pud_offset(pgd_k, 0); - - num_entries = pud_index(EFI_VA_END); - memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries); + num_pgds = pgd_index(MODULES_END - 1) - pgd_index(PAGE_OFFSET); - pud_efi = pud_offset(pgd_efi, EFI_VA_START); - pud_k = pud_offset(pgd_k, EFI_VA_START); - - num_entries = PTRS_PER_PUD - pud_index(EFI_VA_START); - memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries); + memcpy(pgd + pgd_index(PAGE_OFFSET), + init_mm.pgd + pgd_index(PAGE_OFFSET), + sizeof(pgd_t) * num_pgds); } int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) @@ -220,8 +149,8 @@ int __init efi_setup_page_tables(unsigne if (efi_enabled(EFI_OLD_MEMMAP)) return 0; - efi_scratch.efi_pgt = (pgd_t *)__pa(efi_pgd); - pgd = efi_pgd; + efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd; + pgd = __va(efi_scratch.efi_pgt); /* * It can happen that the physical address of new_memmap lands in memory @@ -267,14 +196,16 @@ int __init efi_setup_page_tables(unsigne void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages) { - kernel_unmap_pages_in_pgd(efi_pgd, pa_memmap, num_pages); + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); + + kernel_unmap_pages_in_pgd(pgd, pa_memmap, num_pages); } static void __init __map_region(efi_memory_desc_t *md, u64 va) { + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); unsigned long flags = 0; unsigned long pfn; - pgd_t *pgd = efi_pgd; if (!(md->attribute & EFI_MEMORY_WB)) flags |= _PAGE_PCD; @@ -383,7 +314,9 @@ void __init efi_runtime_mkexec(void) void __init efi_dump_pagetable(void) { #ifdef CONFIG_EFI_PGT_DUMP - ptdump_walk_pgd_level(NULL, efi_pgd); + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); + + ptdump_walk_pgd_level(NULL, pgd); #endif } Patches currently in stable-queue which might be from gregkh(a)linuxfoundation.org are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch queue-4.4/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-4.4/atm-horizon-fix-irq-release-error.patch queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-4.4/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-4.4/ipvlan-fix-ipv6-outbound-device.patch queue-4.4/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch queue-4.4/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-4.4/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch queue-4.4/alsa-seq-remove-spurious-warn_on-at-timer-check.patch queue-4.4/revert-x86-efi-build-our-own-page-table-structures.patch queue-4.4/more-bio_map_user_iov-leak-fixes.patch queue-4.4/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch queue-4.4/s390-fix-compat-system-call-table.patch queue-4.4/netfilter-don-t-track-fragmented-packets.patch queue-4.4/block-wake-up-all-tasks-blocked-in-get_request.patch queue-4.4/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch queue-4.4/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.4/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch queue-4.4/arm-omap2-fix-device-node-reference-counts.patch queue-4.4/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch queue-4.4/iommu-vt-d-fix-scatterlist-offset-handling.patch queue-4.4/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch queue-4.4/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.4/drm-extra-printk-wrapper-macros.patch queue-4.4/mm-drop-unused-pmdp_huge_get_and_clear_notify.patch queue-4.4/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch queue-4.4/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch queue-4.4/axonram-fix-gendisk-handling.patch queue-4.4/alsa-usb-audio-add-check-return-value-for-usb_string.patch queue-4.4/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch queue-4.4/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch queue-4.4/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-4.4/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-4.4/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-4.4/thp-fix-madv_dontneed-vs.-numa-balancing-race.patch queue-4.4/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch queue-4.4/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch queue-4.4/sunrpc-fix-rpc_task_begin-trace-point.patch queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-4.4/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-4.4/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch queue-4.4/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-4.4/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch queue-4.4/thp-reduce-indentation-level-in-change_huge_pmd.patch queue-4.4/revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch queue-4.4/afs-connect-up-the-cb.probeuuid.patch queue-4.4/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch queue-4.4/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.4/sit-update-frag_off-info.patch queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch queue-4.4/module-set-__jump_table-alignment-to-8.patch queue-4.4/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-4.4/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/virtio-release-virtio-index-when-fail-to-device_register.patch queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch queue-4.4/nfs-fix-a-typo-in-nfs_rename.patch queue-4.4/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.4/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch queue-4.4/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch queue-4.4/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-4.4/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-4.4/revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch queue-4.4/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch queue-4.4/arm-avoid-faulting-on-qemu.patch queue-4.4/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-4.4/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch queue-4.4/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch queue-4.4/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-4.4/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch queue-4.4/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-4.4/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch queue-4.4/alsa-usb-audio-fix-out-of-bound-error.patch queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch queue-4.4/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-4.4/arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch queue-4.4/i2c-riic-fix-restart-condition.patch queue-4.4/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-4.4/usb-gadget-configs-plug-memory-leak.patch queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch queue-4.4/revert-drm-armada-fix-compile-fail.patch queue-4.4/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch queue-4.4/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch

7 years, 6 months

1
0
0 0

[Linux-stable-mirror] stable-request: bpf 2017-12-12

by Daniel Borkmann

Hi Greg, It would be great if you could cherry-pick the following BPF related commit into stable trees: c131187db2d3 ("bpf: fix branch pruning logic") - up to 4.9 Instructions for 4.14: There's a minor conflict in verifier.c, just take the 'env->insn_aux_data[insn_idx].seen = true;' part from the patch. Instructions for 4.9: Needs 8041902dae52 ("bpf: adjust insn_aux_data when patching insns") as prerequisite. Same minor conflict in verifier.c as with 4.14 described above. The minor one in bpf_verifier.h for struct bpf_insn_aux_data should be resolved by having 'ptr_type' and 'seen' as final members of the struct. Thanks a lot!

7 years, 6 months

2
2
0 0

[Linux-stable-mirror] Patch "sit: update frag_off info" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled sit: update frag_off info to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: sit-update-frag_off-info.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:58:21 CET 2017 From: Hangbin Liu <liuhangbin(a)gmail.com> Date: Thu, 30 Nov 2017 10:41:14 +0800 Subject: sit: update frag_off info From: Hangbin Liu <liuhangbin(a)gmail.com> [ Upstream commit f859b4af1c52493ec21173ccc73d0b60029b5b88 ] After parsing the sit netlink change info, we forget to update frag_off in ipip6_tunnel_update(). Fix it by assigning frag_off with new value. Reported-by: Jianlin Shi <jishi(a)redhat.com> Signed-off-by: Hangbin Liu <liuhangbin(a)gmail.com> Acked-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/ipv6/sit.c | 1 + 1 file changed, 1 insertion(+) --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -1093,6 +1093,7 @@ static void ipip6_tunnel_update(struct i ipip6_tunnel_link(sitn, t); t->parms.iph.ttl = p->iph.ttl; t->parms.iph.tos = p->iph.tos; + t->parms.iph.frag_off = p->iph.frag_off; if (t->parms.link != p->link) { t->parms.link = p->link; ipip6_tunnel_bind_dev(t->dev); Patches currently in stable-queue which might be from liuhangbin(a)gmail.com are queue-3.18/sit-update-frag_off-info.patch

7 years, 6 months

1
0
0 0

[Linux-stable-mirror] Patch "rds: Fix NULL pointer dereference in __rds_rdma_map" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled rds: Fix NULL pointer dereference in __rds_rdma_map to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:58:21 CET 2017 From: Håkon Bugge <Haakon.Bugge(a)oracle.com> Date: Wed, 6 Dec 2017 17:18:28 +0100 Subject: rds: Fix NULL pointer dereference in __rds_rdma_map From: Håkon Bugge <Haakon.Bugge(a)oracle.com> [ Upstream commit f3069c6d33f6ae63a1668737bc78aaaa51bff7ca ] This is a fix for syzkaller719569, where memory registration was attempted without any underlying transport being loaded. Analysis of the case reveals that it is the setsockopt() RDS_GET_MR (2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable. Here is an example stack trace when the bug is hit: BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0 IP: __rds_rdma_map+0x36/0x440 [rds] PGD 2f93d03067 P4D 2f93d03067 PUD 2f93d02067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: bridge stp llc tun rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache rds binfmt_misc sb_edac intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul c rc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd glue_helper cryptd iTCO_wdt mei_me sg iTCO_vendor_support ipmi_si mei ipmi_devintf nfsd shpchp pcspkr i2c_i801 ioatd ma ipmi_msghandler wmi lpc_ich mfd_core auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 mgag200 i2c_algo_bit drm_kms_helper ixgbe syscopyarea ahci sysfillrect sysimgblt libahci mdio fb_sys_fops ttm ptp libata sd_mod mlx4_core drm crc32c_intel pps_core megaraid_sas i2c_core dca dm_mirror dm_region_hash dm_log dm_mod CPU: 48 PID: 45787 Comm: repro_set2 Not tainted 4.14.2-3.el7uek.x86_64 #2 Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017 task: ffff882f9190db00 task.stack: ffffc9002b994000 RIP: 0010:__rds_rdma_map+0x36/0x440 [rds] RSP: 0018:ffffc9002b997df0 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff882fa2182580 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc9002b997e40 RDI: ffff882fa2182580 RBP: ffffc9002b997e30 R08: 0000000000000000 R09: 0000000000000002 R10: ffff885fb29e3838 R11: 0000000000000000 R12: ffff882fa2182580 R13: ffff882fa2182580 R14: 0000000000000002 R15: 0000000020000ffc FS: 00007fbffa20b700(0000) GS:ffff882fbfb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 0000002f98a66006 CR4: 00000000001606e0 Call Trace: rds_get_mr+0x56/0x80 [rds] rds_setsockopt+0x172/0x340 [rds] ? __fget_light+0x25/0x60 ? __fdget+0x13/0x20 SyS_setsockopt+0x80/0xe0 do_syscall_64+0x67/0x1b0 entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:0x7fbff9b117f9 RSP: 002b:00007fbffa20aed8 EFLAGS: 00000293 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00000000000c84a4 RCX: 00007fbff9b117f9 RDX: 0000000000000002 RSI: 0000400000000114 RDI: 000000000000109b RBP: 00007fbffa20af10 R08: 0000000000000020 R09: 00007fbff9dd7860 R10: 0000000020000ffc R11: 0000000000000293 R12: 0000000000000000 R13: 00007fbffa20b9c0 R14: 00007fbffa20b700 R15: 0000000000000021 Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 18 8b 87 f0 02 00 00 48 89 55 d0 48 89 4d c8 85 c0 0f 84 2d 03 00 00 48 8b 87 00 03 00 00 <48> 83 b8 c0 00 00 00 00 0f 84 25 03 00 0 0 48 8b 06 48 8b 56 08 The fix is to check the existence of an underlying transport in __rds_rdma_map(). Signed-off-by: HÃ¥kon Bugge <haakon.bugge(a)oracle.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Acked-by: Santosh Shilimkar <santosh.shilimkar(a)oracle.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/rds/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -184,7 +184,7 @@ static int __rds_rdma_map(struct rds_soc long i; int ret; - if (rs->rs_bound_addr == 0) { + if (rs->rs_bound_addr == 0 || !rs->rs_transport) { ret = -ENOTCONN; /* XXX not a great errno */ goto out; } Patches currently in stable-queue which might be from Haakon.Bugge(a)oracle.com are queue-3.18/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch

7 years, 6 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror