- Linux-stable-mirror - lists.linaro.org

by Ben Hutchings

I'm announcing the release of the 3.16.85 kernel. This is probably the last release in the 3.16 stable series, unless some critical fix comes up later this month. All users of the 3.16 kernel series should upgrade. The updated 3.16.y git tree can be found at: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-3.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git The diff from 3.16.84 is attached to this message. Ben. ------------ Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + .../special-register-buffer-data-sampling.rst | 149 ++++ Documentation/kernel-parameters.txt | 20 + Makefile | 2 +- arch/x86/include/asm/acpi.h | 2 +- arch/x86/include/asm/cpu_device_id.h | 27 + arch/x86/include/asm/cpufeatures.h | 2 + arch/x86/include/asm/processor.h | 2 +- arch/x86/include/uapi/asm/msr-index.h | 4 + arch/x86/kernel/amd_nb.c | 2 +- arch/x86/kernel/asm-offsets_32.c | 2 +- arch/x86/kernel/cpu/amd.c | 28 +- arch/x86/kernel/cpu/bugs.c | 106 +++ arch/x86/kernel/cpu/centaur.c | 4 +- arch/x86/kernel/cpu/common.c | 62 +- arch/x86/kernel/cpu/cpu.h | 1 + arch/x86/kernel/cpu/cyrix.c | 2 +- arch/x86/kernel/cpu/intel.c | 18 +- arch/x86/kernel/cpu/match.c | 7 +- arch/x86/kernel/cpu/microcode/intel.c | 4 +- arch/x86/kernel/cpu/mtrr/generic.c | 2 +- arch/x86/kernel/cpu/mtrr/main.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_lbr.c | 2 +- arch/x86/kernel/cpu/perf_event_p6.c | 2 +- arch/x86/kernel/cpu/proc.c | 4 +- arch/x86/kernel/head_32.S | 4 +- arch/x86/kernel/mpparse.c | 2 +- drivers/base/cpu.c | 8 + drivers/char/hw_random/via-rng.c | 2 +- drivers/char/random.c | 3 - drivers/cpufreq/acpi-cpufreq.c | 2 +- drivers/cpufreq/longhaul.c | 6 +- drivers/cpufreq/p4-clockmod.c | 2 +- drivers/cpufreq/powernow-k7.c | 2 +- drivers/cpufreq/speedstep-centrino.c | 4 +- drivers/cpufreq/speedstep-lib.c | 6 +- drivers/crypto/padlock-aes.c | 2 +- drivers/edac/amd64_edac.c | 2 +- drivers/edac/mce_amd.c | 2 +- drivers/hwmon/coretemp.c | 6 +- drivers/hwmon/hwmon-vid.c | 2 +- drivers/hwmon/k10temp.c | 2 +- drivers/hwmon/k8temp.c | 2 +- drivers/message/fusion/mptctl.c | 215 ++---- drivers/net/can/slcan.c | 4 + drivers/net/slip/slip.c | 4 + drivers/net/wireless/mwifiex/scan.c | 7 + drivers/net/wireless/mwifiex/wmm.c | 4 + drivers/scsi/sg.c | 758 +++++++++++---------- drivers/usb/core/message.c | 53 +- drivers/usb/gadget/configfs.c | 3 + drivers/video/fbdev/geode/video_gx.c | 2 +- fs/binfmt_elf.c | 2 +- fs/exec.c | 2 +- fs/ext4/block_validity.c | 57 ++ fs/ext4/ext4.h | 19 +- fs/ext4/extents.c | 13 +- fs/ext4/inode.c | 5 + include/linux/mod_devicetable.h | 6 + include/linux/sched.h | 4 +- include/scsi/sg.h | 1 - kernel/signal.c | 2 +- net/core/net-sysfs.c | 39 +- security/selinux/hooks.c | 70 +- 65 files changed, 1102 insertions(+), 688 deletions(-) Akinobu Mita (1): sg: prevent integer overflow when converting from sectors to bytes Alan Stern (1): USB: core: Fix free-while-in-use bug in the USB S-Glibrary Alexander Potapenko (1): fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() Ben Hutchings (3): scsi: sg: Change next_cmd_len handling to mirror upstream scsi: sg: Re-fix off by one in sg_fill_request_table() Linux 3.16.85 Colin Ian King (1): ext4: unsigned int compared against zero Dan Carpenter (3): scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() scsi: mptfusion: Fix double fetch bug in ioctl scsi: sg: off by one in sg_ioctl() David Mosberger (2): drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit. drivers: usb: core: Minimize irq disabling in usb_sg_cancel() Douglas Gilbert (1): sg: O_EXCL and other lock handling Eric Dumazet (1): net-sysfs: fix netdev_queue_add_kobject() breakage Eric W. Biederman (1): signal: Extend exec_id to 64bits Hannes Reinecke (8): scsi: sg: protect accesses to 'reserved' page array scsi: sg: reset 'res_in_use' after unlinking reserved array scsi: sg: remove 'save_scat_len' scsi: sg: use standard lists for sg_requests scsi: sg: factor out sg_fill_request_table() scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE scsi: sg: disable SET_FORCE_LOW_DMA scsi: sg: close race condition in sg_remove_sfp_usercontext() Jason A. Donenfeld (1): random: always use batched entropy for get_random_u{32,64} Jia Zhang (1): x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping Johannes Thumshirn (5): scsi: sg: check for valid direction before starting the request scsi: sg: fix SG_DXFER_FROM_DEV transfers scsi: sg: fix static checker warning in sg_is_valid_dxfer scsi: sg: only check for dxfer_len greater than 256M scsi: sg: don't return bogus Sg_requests Josh Poimboeuf (1): x86/speculation: Add Ivy Bridge to affected list Jouni Hogander (7): slcan: Fix memory leak in error path can: slcan: Fix use-after-free Read in slcan_open slip: Fix memory leak in slip_open error path slip: Fix use-after-free Read in slip_open net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject net-sysfs: Call dev_hold always in netdev_queue_add_kobject net-sysfs: Call dev_hold always in rx_queue_add_kobject Kyungtae Kim (1): USB: gadget: fix illegal array access in binding with UDC Li Bin (1): scsi: sg: add sg_remove_request in sg_common_write Marek Milkovic (1): selinux: Print 'sclass' as string when unrecognized netlink message occurs Mark Gross (4): x86/cpu: Add a steppings field to struct x86_cpu_id x86/cpu: Add 'table' argument to cpu_matches() x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation x86/speculation: Add SRBDS vulnerability and mitigation documentation Oliver Hartkopp (1): slcan: not call free_netdev before rtnl_unlock in slcan_open Paul Moore (1): selinux: properly handle multiple messages in selinux_netlink_send() Qing Xu (2): mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Richard Guy Briggs (2): selinux: cleanup error reporting in selinux_nlmsg_perm() selinux: convert WARN_ONCE() to printk() in selinux_nlmsg_perm() Shijie Luo (1): ext4: add cond_resched() to ext4_protect_reserved_inode Tahsin Erdogan (1): ext4: Make checks for metadata_csum feature safer Theodore Ts'o (3): ext4: protect journal inode's blocks using block_validity ext4: fix block validity checks for journal inodes using indirect blocks ext4: don't perform block validity checks on the journal inode Todd Poynor (2): scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE scsi: sg: recheck MMAP_IO request length with lock held Tony Battersby (1): scsi: sg: fix minor memory leak in error path Vladis Dronov (1): selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() Wu Bo (1): scsi: sg: add sg_remove_request in sg_write yangerkun (1): slip: not call free_netdev before rtnl_unlock in slip_open

5 years, 6 months

1
0
0 0

[git:media_tree/master] media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size Author: Tomi Valkeinen <tomi.valkeinen(a)ti.com> Date: Wed May 27 10:23:34 2020 +0200 Commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd ("driver core: platform: Initialize dma_parms for platform devices") in v5.7-rc5 causes vb2_dma_contig_clear_max_seg_size() to kfree memory that was not allocated by vb2_dma_contig_set_max_seg_size(). The assumption in vb2_dma_contig_set_max_seg_size() seems to be that dev->dma_parms is always NULL when the driver is probed, and the case where dev->dma_parms has bee initialized by someone else than the driver (by calling vb2_dma_contig_set_max_seg_size) will cause a failure. All the current users of these functions are platform devices, which now always have dma_parms set by the driver core. To fix the issue for v5.7, make vb2_dma_contig_set_max_seg_size() return an error if dma_parms is NULL to be on the safe side, and remove the kfree code from vb2_dma_contig_clear_max_seg_size(). For v5.8 we should remove the two functions and move the dma_set_max_seg_size() calls into the drivers. Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ti.com> Fixes: 9495b7e92f71 ("driver core: platform: Initialize dma_parms for platform devices") Cc: stable(a)vger.kernel.org Acked-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Reviewed-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> .../media/common/videobuf2/videobuf2-dma-contig.c | 20 ++------------------ include/media/videobuf2-dma-contig.h | 2 +- 2 files changed, 3 insertions(+), 19 deletions(-) --- diff --git a/drivers/media/common/videobuf2/videobuf2-dma-contig.c b/drivers/media/common/videobuf2/videobuf2-dma-contig.c index d3a3ee5b597b..f4b4a7c135eb 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c @@ -726,9 +726,8 @@ EXPORT_SYMBOL_GPL(vb2_dma_contig_memops); int vb2_dma_contig_set_max_seg_size(struct device *dev, unsigned int size) { if (!dev->dma_parms) { - dev->dma_parms = kzalloc(sizeof(*dev->dma_parms), GFP_KERNEL); - if (!dev->dma_parms) - return -ENOMEM; + dev_err(dev, "Failed to set max_seg_size: dma_parms is NULL\n"); + return -ENODEV; } if (dma_get_max_seg_size(dev) < size) return dma_set_max_seg_size(dev, size); @@ -737,21 +736,6 @@ int vb2_dma_contig_set_max_seg_size(struct device *dev, unsigned int size) } EXPORT_SYMBOL_GPL(vb2_dma_contig_set_max_seg_size); -/* - * vb2_dma_contig_clear_max_seg_size() - release resources for DMA parameters - * @dev: device for configuring DMA parameters - * - * This function releases resources allocated to configure DMA parameters - * (see vb2_dma_contig_set_max_seg_size() function). It should be called from - * device drivers on driver remove. - */ -void vb2_dma_contig_clear_max_seg_size(struct device *dev) -{ - kfree(dev->dma_parms); - dev->dma_parms = NULL; -} -EXPORT_SYMBOL_GPL(vb2_dma_contig_clear_max_seg_size); - MODULE_DESCRIPTION("DMA-contig memory handling routines for videobuf2"); MODULE_AUTHOR("Pawel Osciak <pawel(a)osciak.com>"); MODULE_LICENSE("GPL"); diff --git a/include/media/videobuf2-dma-contig.h b/include/media/videobuf2-dma-contig.h index 5604818d137e..5be313cbf7d7 100644 --- a/include/media/videobuf2-dma-contig.h +++ b/include/media/videobuf2-dma-contig.h @@ -25,7 +25,7 @@ vb2_dma_contig_plane_dma_addr(struct vb2_buffer *vb, unsigned int plane_no) } int vb2_dma_contig_set_max_seg_size(struct device *dev, unsigned int size); -void vb2_dma_contig_clear_max_seg_size(struct device *dev); +static inline void vb2_dma_contig_clear_max_seg_size(struct device *dev) { } extern const struct vb2_mem_ops vb2_dma_contig_memops;

5 years, 6 months

1
0
0 0

[git:media_tree/master] media: cedrus: Program output format during each run

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: cedrus: Program output format during each run Author: Samuel Holland <samuel(a)sholland.org> Date: Sat May 9 22:06:42 2020 +0200 Previously, the output format was programmed as part of the ioctl() handler. However, this has two problems: 1) If there are multiple active streams with different output formats, the hardware will use whichever format was set last for both streams. Similarly, an ioctl() done in an inactive context will wrongly affect other active contexts. 2) The registers are written while the device is not actively streaming. To enable runtime PM tied to the streaming state, all hardware access needs to be moved inside cedrus_device_run(). The call to cedrus_dst_format_set() is now placed just before the codec-specific callback that programs the hardware. Cc: <stable(a)vger.kernel.org> Fixes: 50e761516f2b ("media: platform: Add Cedrus VPU decoder driver") Suggested-by: Jernej Skrabec <jernej.skrabec(a)siol.net> Suggested-by: Paul Kocialkowski <paul.kocialkowski(a)bootlin.com> Signed-off-by: Samuel Holland <samuel(a)sholland.org> Tested-by: Jernej Skrabec <jernej.skrabec(a)siol.net> Reviewed-by: Jernej Skrabec <jernej.skrabec(a)siol.net> Reviewed-by: Ezequiel Garcia <ezequiel(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> drivers/staging/media/sunxi/cedrus/cedrus_dec.c | 2 ++ drivers/staging/media/sunxi/cedrus/cedrus_video.c | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) --- diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_dec.c b/drivers/staging/media/sunxi/cedrus/cedrus_dec.c index 4a2fc33a1d79..58c48e4fdfe9 100644 --- a/drivers/staging/media/sunxi/cedrus/cedrus_dec.c +++ b/drivers/staging/media/sunxi/cedrus/cedrus_dec.c @@ -74,6 +74,8 @@ void cedrus_device_run(void *priv) v4l2_m2m_buf_copy_metadata(run.src, run.dst, true); + cedrus_dst_format_set(dev, &ctx->dst_fmt); + dev->dec_ops[ctx->current_codec]->setup(ctx, &run); /* Complete request(s) controls if needed. */ diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_video.c b/drivers/staging/media/sunxi/cedrus/cedrus_video.c index 15cf1f10221b..ed3f511f066f 100644 --- a/drivers/staging/media/sunxi/cedrus/cedrus_video.c +++ b/drivers/staging/media/sunxi/cedrus/cedrus_video.c @@ -273,7 +273,6 @@ static int cedrus_s_fmt_vid_cap(struct file *file, void *priv, struct v4l2_format *f) { struct cedrus_ctx *ctx = cedrus_file2ctx(file); - struct cedrus_dev *dev = ctx->dev; struct vb2_queue *vq; int ret; @@ -287,8 +286,6 @@ static int cedrus_s_fmt_vid_cap(struct file *file, void *priv, ctx->dst_fmt = f->fmt.pix; - cedrus_dst_format_set(dev, &ctx->dst_fmt); - return 0; }

5 years, 6 months

1
0
0 0

stable/linux-4.9.y baseline: 41 runs, 1 regressions (v4.9.227)

by kernelci.org bot

stable/linux-4.9.y baseline: 41 runs, 1 regressions (v4.9.227) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | results ----------------+------+--------------+----------+---------------------+-------- omap3-beagle-xm | arm | lab-baylibre | gcc-8 | omap2plus_defconfig | 0/1 Details: https://kernelci.org/test/job/stable/branch/linux-4.9.y/kernel/v4.9.227/pla… Test: baseline Tree: stable Branch: linux-4.9.y Describe: v4.9.227 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git SHA: e0799bae56744764303252ac8d52ddb5774bcb4e Test Regressions ---------------- platform | arch | lab | compiler | defconfig | results ----------------+------+--------------+----------+---------------------+-------- omap3-beagle-xm | arm | lab-baylibre | gcc-8 | omap2plus_defconfig | 0/1 Details: https://kernelci.org/test/plan/id/5ee23178ee5a76624897bf09 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: omap2plus_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.227/arm/omap2plus_def… HTML log: https://storage.kernelci.org//stable/linux-4.9.y/v4.9.227/arm/omap2plus_def… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2019.02-11-g17e793f… * baseline.login: https://kernelci.org/test/case/id/5ee23178ee5a76624897bf0a new failure (last pass: v4.9.226)

5 years, 6 months

1
0
0 0

stable/linux-4.14.y baseline: 63 runs, 2 regressions (v4.14.184)

by kernelci.org bot

stable/linux-4.14.y baseline: 63 runs, 2 regressions (v4.14.184) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | results -----------------------+-------+--------------+----------+-----------+-------- meson-gxbb-p200 | arm64 | lab-baylibre | gcc-8 | defconfig | 0/1 sun50i-a64-pine64-plus | arm64 | lab-baylibre | gcc-8 | defconfig | 0/1 Details: https://kernelci.org/test/job/stable/branch/linux-4.14.y/kernel/v4.14.184/p… Test: baseline Tree: stable Branch: linux-4.14.y Describe: v4.14.184 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git SHA: b850307b279cbd12ab8c654d1a3dfe55319cc475 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | results -----------------------+-------+--------------+----------+-----------+-------- meson-gxbb-p200 | arm64 | lab-baylibre | gcc-8 | defconfig | 0/1 Details: https://kernelci.org/test/plan/id/5ee22f2d780a0c187197bf10 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-8 (aarch64-linux-gnu-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.184/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.184/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2019.02-11-g17e793f… * baseline.login: https://kernelci.org/test/case/id/5ee22f2d780a0c187197bf11 failing since 69 days (last pass: v4.14.172, first fail: v4.14.175) platform | arch | lab | compiler | defconfig | results -----------------------+-------+--------------+----------+-----------+-------- sun50i-a64-pine64-plus | arm64 | lab-baylibre | gcc-8 | defconfig | 0/1 Details: https://kernelci.org/test/plan/id/5ee22f9067edef26f997bf14 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig Compiler: gcc-8 (aarch64-linux-gnu-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.184/arm64/defconfig… HTML log: https://storage.kernelci.org//stable/linux-4.14.y/v4.14.184/arm64/defconfig… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2019.02-11-g17e793f… * baseline.login: https://kernelci.org/test/case/id/5ee22f9067edef26f997bf15 new failure (last pass: v4.14.183)

5 years, 6 months

1
0
0 0

[RESEND PATCH v3 0/6] media: staging: rkisp1: bugs fixes and vars renames

by Dafna Hirschfeld

RESEND the patchset because I forgot to add the first two patches to the set The first two patches in this patchset are two bug fixes related to the enumeration and settings of the sink format of the resizer entity. The next 3 patches are renaming/removing macros and variables. patch 6 adds documentation to the struct rkisp1_isp_mbus_info changes from v2: - patch 3 is new - remove macro RKISP1_DIR_SINK_SRC since the code is more readable without it. - patch 5 - rename 'direction' to 'isp_pads_mask' instead of 'isp_pads_flags' - patch 6 is new - add documentation of the struct 'rkisp1_isp_mbus_info' changes from v1: - added "Fixes: 56e3b29f9f6b "media: staging: rkisp1: add streaming paths" to the commit log of the first two patches. - added two patches. One patch rename the macros "RKISP1_DIR_*" to "RKISP1_ISP_SD_*", another that rename the field 'direction' in 'struct rkisp1_isp_mbus_info' to 'isp_pads_flags' Dafna Hirschfeld (6): media: staging: rkisp1: rsz: supported formats are the isp's src formats, not sink formats media: staging: rkisp1: rsz: set default format if the given format is not RKISP1_DIR_SRC media: staging: rkisp1: remove macro RKISP1_DIR_SINK_SRC media: staging: rkisp1: rename macros 'RKISP1_DIR_*' to 'RKISP1_ISP_SD_*' media: staging: rkisp1: rename the field 'direction' in 'rkisp1_isp_mbus_info' to 'isp_pads_mask' media: staging: rkisp1: common: add documentation for struct rkisp1_isp_mbus_info drivers/staging/media/rkisp1/rkisp1-common.h | 18 ++++++- drivers/staging/media/rkisp1/rkisp1-isp.c | 50 +++++++++---------- drivers/staging/media/rkisp1/rkisp1-resizer.c | 6 +-- 3 files changed, 43 insertions(+), 31 deletions(-) -- 2.17.1

5 years, 6 months

3
12
0 0

[tip: x86/urgent] x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.

by tip-bot2 for Anthony Steinhauser

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 21998a351512eba4ed5969006f0c55882d995ada Gitweb: https://git.kernel.org/tip/21998a351512eba4ed5969006f0c55882d995ada Author: Anthony Steinhauser <asteinhauser(a)google.com> AuthorDate: Tue, 19 May 2020 06:40:42 -07:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Tue, 09 Jun 2020 10:50:54 +02:00 x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS. When STIBP is unavailable or enhanced IBRS is available, Linux force-disables the IBPB mitigation of Spectre-BTB even when simultaneous multithreading is disabled. While attempts to enable IBPB using prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, ...) fail with EPERM, the seccomp syscall (or its prctl(PR_SET_SECCOMP, ...) equivalent) which are used e.g. by Chromium or OpenSSH succeed with no errors but the application remains silently vulnerable to cross-process Spectre v2 attacks (classical BTB poisoning). At the same time the SYSFS reporting (/sys/devices/system/cpu/vulnerabilities/spectre_v2) displays that IBPB is conditionally enabled when in fact it is unconditionally disabled. STIBP is useful only when SMT is enabled. When SMT is disabled and STIBP is unavailable, it makes no sense to force-disable also IBPB, because IBPB protects against cross-process Spectre-BTB attacks regardless of the SMT state. At the same time since missing STIBP was only observed on AMD CPUs, AMD does not recommend using STIBP, but recommends using IBPB, so disabling IBPB because of missing STIBP goes directly against AMD's advice: https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Upda… Similarly, enhanced IBRS is designed to protect cross-core BTB poisoning and BTB-poisoning attacks from user space against kernel (and BTB-poisoning attacks from guest against hypervisor), it is not designed to prevent cross-process (or cross-VM) BTB poisoning between processes (or VMs) running on the same core. Therefore, even with enhanced IBRS it is necessary to flush the BTB during context-switches, so there is no reason to force disable IBPB when enhanced IBRS is available. Enable the prctl control of IBPB even when STIBP is unavailable or enhanced IBRS is available. Fixes: 7cc765a67d8e ("x86/speculation: Enable prctl mode for spectre_v2_user") Signed-off-by: Anthony Steinhauser <asteinhauser(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/cpu/bugs.c | 87 +++++++++++++++++++++---------------- 1 file changed, 50 insertions(+), 37 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index ed54b3b..8d57562 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -495,7 +495,9 @@ early_param("nospectre_v1", nospectre_v1_cmdline); static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE; -static enum spectre_v2_user_mitigation spectre_v2_user __ro_after_init = +static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init = + SPECTRE_V2_USER_NONE; +static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init = SPECTRE_V2_USER_NONE; #ifdef CONFIG_RETPOLINE @@ -641,15 +643,6 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) break; } - /* - * At this point, an STIBP mode other than "off" has been set. - * If STIBP support is not being forced, check if STIBP always-on - * is preferred. - */ - if (mode != SPECTRE_V2_USER_STRICT && - boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON)) - mode = SPECTRE_V2_USER_STRICT_PREFERRED; - /* Initialize Indirect Branch Prediction Barrier */ if (boot_cpu_has(X86_FEATURE_IBPB)) { setup_force_cpu_cap(X86_FEATURE_USE_IBPB); @@ -672,23 +665,36 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n", static_key_enabled(&switch_mm_always_ibpb) ? "always-on" : "conditional"); + + spectre_v2_user_ibpb = mode; } - /* If enhanced IBRS is enabled no STIBP required */ - if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) + /* + * If enhanced IBRS is enabled or SMT impossible, STIBP is not + * required. + */ + if (!smt_possible || spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) return; /* - * If SMT is not possible or STIBP is not available clear the STIBP - * mode. + * At this point, an STIBP mode other than "off" has been set. + * If STIBP support is not being forced, check if STIBP always-on + * is preferred. + */ + if (mode != SPECTRE_V2_USER_STRICT && + boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON)) + mode = SPECTRE_V2_USER_STRICT_PREFERRED; + + /* + * If STIBP is not available, clear the STIBP mode. */ - if (!smt_possible || !boot_cpu_has(X86_FEATURE_STIBP)) + if (!boot_cpu_has(X86_FEATURE_STIBP)) mode = SPECTRE_V2_USER_NONE; + + spectre_v2_user_stibp = mode; + set_mode: - spectre_v2_user = mode; - /* Only print the STIBP mode when SMT possible */ - if (smt_possible) - pr_info("%s\n", spectre_v2_user_strings[mode]); + pr_info("%s\n", spectre_v2_user_strings[mode]); } static const char * const spectre_v2_strings[] = { @@ -921,7 +927,7 @@ void cpu_bugs_smt_update(void) { mutex_lock(&spec_ctrl_mutex); - switch (spectre_v2_user) { + switch (spectre_v2_user_stibp) { case SPECTRE_V2_USER_NONE: break; case SPECTRE_V2_USER_STRICT: @@ -1164,14 +1170,16 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) { switch (ctrl) { case PR_SPEC_ENABLE: - if (spectre_v2_user == SPECTRE_V2_USER_NONE) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) return 0; /* * Indirect branch speculation is always disabled in strict * mode. */ - if (spectre_v2_user == SPECTRE_V2_USER_STRICT || - spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) return -EPERM; task_clear_spec_ib_disable(task); task_update_spec_tif(task); @@ -1182,10 +1190,12 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) * Indirect branch speculation is always allowed when * mitigation is force disabled. */ - if (spectre_v2_user == SPECTRE_V2_USER_NONE) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) return -EPERM; - if (spectre_v2_user == SPECTRE_V2_USER_STRICT || - spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) return 0; task_set_spec_ib_disable(task); if (ctrl == PR_SPEC_FORCE_DISABLE) @@ -1216,7 +1226,8 @@ void arch_seccomp_spec_mitigate(struct task_struct *task) { if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); - if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || + spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP) ib_prctl_set(task, PR_SPEC_FORCE_DISABLE); } #endif @@ -1247,22 +1258,24 @@ static int ib_prctl_get(struct task_struct *task) if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) return PR_SPEC_NOT_AFFECTED; - switch (spectre_v2_user) { - case SPECTRE_V2_USER_NONE: + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) return PR_SPEC_ENABLE; - case SPECTRE_V2_USER_PRCTL: - case SPECTRE_V2_USER_SECCOMP: + else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || + spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) + return PR_SPEC_DISABLE; + else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL || + spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || + spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL || + spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP) { if (task_spec_ib_force_disable(task)) return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; if (task_spec_ib_disable(task)) return PR_SPEC_PRCTL | PR_SPEC_DISABLE; return PR_SPEC_PRCTL | PR_SPEC_ENABLE; - case SPECTRE_V2_USER_STRICT: - case SPECTRE_V2_USER_STRICT_PREFERRED: - return PR_SPEC_DISABLE; - default: + } else return PR_SPEC_NOT_AFFECTED; - } } int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) @@ -1501,7 +1514,7 @@ static char *stibp_state(void) if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) return ""; - switch (spectre_v2_user) { + switch (spectre_v2_user_stibp) { case SPECTRE_V2_USER_NONE: return ", STIBP: disabled"; case SPECTRE_V2_USER_STRICT:

5 years, 6 months

3
3
0 0

[PATCH v3 0/4] rkisp1: bugs fixes and vars renames

by Dafna Hirschfeld

The first two patches in this patchset are two bug fixes related to the enumeration and settings of the sink format of the resizer entity. The next 3 patches are renaming/removing of macros and variables. patch 6 adds documentation to the struct rkisp1_isp_mbus_info changes from v2: - patch 3 is new - remove macro RKISP1_DIR_SINK_SRC since the code is more readable without it. - patch 5 - rename 'direction' to 'isp_pads_mask' instead of 'isp_pads_flags' - patch 6 is new - add documentation of the struct 'rkisp1_isp_mbus_info' changes from v1: - added "Fixes: 56e3b29f9f6b "media: staging: rkisp1: add streaming paths" to the commit log of the first two patches. - added two patches. One patch rename the macros "RKISP1_DIR_*" to "RKISP1_ISP_SD_*", another that rename the field 'direction' in 'struct rkisp1_isp_mbus_info' to 'isp_pads_flags' Dafna Hirschfeld (4): media: staging: rkisp1: remove macro RKISP1_DIR_SINK_SRC media: staging: rkisp1: rename macros 'RKISP1_DIR_*' to 'RKISP1_ISP_SD_*' media: staging: rkisp1: rename the field 'direction' in 'rkisp1_isp_mbus_info' to 'isp_pads_mask' media: staging: rkisp1: common: add documentation for struct rkisp1_isp_mbus_info drivers/staging/media/rkisp1/rkisp1-common.h | 20 ++++++-- drivers/staging/media/rkisp1/rkisp1-isp.c | 46 +++++++++---------- drivers/staging/media/rkisp1/rkisp1-resizer.c | 2 +- 3 files changed, 40 insertions(+), 28 deletions(-) -- 2.17.1

5 years, 6 months

1
4
0 0

[PATCH] spi: spi-fsl-dspi: Free DMA memory with matching function

by Krzysztof Kozlowski

Driver allocates DMA memory with dma_alloc_coherent() but frees it with dma_unmap_single(). This causes DMA warning during system shutdown (with DMA debugging) on Toradex Colibri VF50 module: WARNING: CPU: 0 PID: 1 at ../kernel/dma/debug.c:1036 check_unmap+0x3fc/0xb04 DMA-API: fsl-edma 40098000.dma-controller: device driver frees DMA memory with wrong function [device address=0x0000000087040000] [size=8 bytes] [mapped as coherent] [unmapped as single] Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) (unwind_backtrace) from [<8010bb34>] (show_stack+0x10/0x14) (show_stack) from [<8011ced8>] (__warn+0xf0/0x108) (__warn) from [<8011cf64>] (warn_slowpath_fmt+0x74/0xb8) (warn_slowpath_fmt) from [<8017d170>] (check_unmap+0x3fc/0xb04) (check_unmap) from [<8017d900>] (debug_dma_unmap_page+0x88/0x90) (debug_dma_unmap_page) from [<80601d68>] (dspi_release_dma+0x88/0x110) (dspi_release_dma) from [<80601e4c>] (dspi_shutdown+0x5c/0x80) (dspi_shutdown) from [<805845f8>] (device_shutdown+0x17c/0x220) (device_shutdown) from [<80143ef8>] (kernel_restart+0xc/0x50) (kernel_restart) from [<801441cc>] (__do_sys_reboot+0x18c/0x210) (__do_sys_reboot) from [<80100060>] (ret_fast_syscall+0x0/0x28) DMA-API: Mapped at: dma_alloc_attrs+0xa4/0x130 dspi_probe+0x568/0x7b4 platform_drv_probe+0x6c/0xa4 really_probe+0x208/0x348 driver_probe_device+0x5c/0xb4 Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzk(a)kernel.org> --- drivers/spi/spi-fsl-dspi.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c index a35faced0456..58190c94561f 100644 --- a/drivers/spi/spi-fsl-dspi.c +++ b/drivers/spi/spi-fsl-dspi.c @@ -588,14 +588,14 @@ static void dspi_release_dma(struct fsl_dspi *dspi) return; if (dma->chan_tx) { - dma_unmap_single(dma->chan_tx->device->dev, dma->tx_dma_phys, - dma_bufsize, DMA_TO_DEVICE); + dma_free_coherent(dma->chan_tx->device->dev, dma_bufsize, + dma->tx_dma_buf, dma->tx_dma_phys); dma_release_channel(dma->chan_tx); } if (dma->chan_rx) { - dma_unmap_single(dma->chan_rx->device->dev, dma->rx_dma_phys, - dma_bufsize, DMA_FROM_DEVICE); + dma_free_coherent(dma->chan_rx->device->dev, dma_bufsize, + dma->rx_dma_buf, dma->rx_dma_phys); dma_release_channel(dma->chan_rx); } } -- 2.7.4

5 years, 6 months

3
2
0 0

[PATCH v2] ext4: avoid utf8_strncasecmp() with unstable name

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> If the dentry name passed to ->d_compare() fits in dentry::d_iname, then it may be concurrently modified by a rename. This can cause undefined behavior (possibly out-of-bounds memory accesses or crashes) in utf8_strncasecmp(), since fs/unicode/ isn't written to handle strings that may be concurrently modified. Fix this by first copying the filename to a stack buffer if needed. This way we get a stable snapshot of the filename. Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups") Cc: <stable(a)vger.kernel.org> # v5.2+ Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Daniel Rosenberg <drosen(a)google.com> Cc: Gabriel Krisman Bertazi <krisman(a)collabora.co.uk> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- v2: use memcpy() + barrier() instead of a byte-by-byte copy. fs/ext4/dir.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c index c654205f648dd..1d82336b1cd45 100644 --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -675,6 +675,7 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len, struct qstr qstr = {.name = str, .len = len }; const struct dentry *parent = READ_ONCE(dentry->d_parent); const struct inode *inode = READ_ONCE(parent->d_inode); + char strbuf[DNAME_INLINE_LEN]; if (!inode || !IS_CASEFOLDED(inode) || !EXT4_SB(inode->i_sb)->s_encoding) { @@ -683,6 +684,21 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len, return memcmp(str, name->name, len); } + /* + * If the dentry name is stored in-line, then it may be concurrently + * modified by a rename. If this happens, the VFS will eventually retry + * the lookup, so it doesn't matter what ->d_compare() returns. + * However, it's unsafe to call utf8_strncasecmp() with an unstable + * string. Therefore, we have to copy the name into a temporary buffer. + */ + if (len <= DNAME_INLINE_LEN - 1) { + memcpy(strbuf, str, len); + strbuf[len] = 0; + qstr.name = strbuf; + /* prevent compiler from optimizing out the temporary buffer */ + barrier(); + } + return ext4_ci_compare(inode, name, &qstr, false); } -- 2.26.2

5 years, 6 months

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror