1. 10 Jan, 2016 12 commits
    • um: Do not set unsecure permission for temporary file · 571d2f0c
      Mickaël Salaün authored
      Remove the insecure 0777 mode for temporary file to prohibit other users
      to change the executable mapped code.
      
      An attacker could gain access to the mapped file descriptor from the
      temporary file (before it is unlinked) in a read-only mode but it should
      not be accessible in write mode to avoid arbitrary code execution.
      
      To not change the hostfs behavior, the temporary file creation
      permission now depends on the current umask(2) and the implementation of
      mkstemp(3).
      Signed-off-by: Mickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Acked-by: Tristan Schmelcher <tschmelcher@google.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • um: Fix build error and kconfig for i386 · 42d91f61
      Mickaël Salaün authored
      Fix build error by generating elfcore.o only when ELF_CORE (depending on
      COREDUMP) is selected:
      
      arch/x86/um/built-in.o: In function `elf_core_write_extra_phdrs':
      (.text+0x3e62): undefined reference to `dump_emit'
      arch/x86/um/built-in.o: In function `elf_core_write_extra_data':
      (.text+0x3eef): undefined reference to `dump_emit'
      
      Fixes: 5d2acfc7 ("kconfig: make allnoconfig disable options behind EMBEDDED and EXPERT")
      Signed-off-by: Mickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Josh Triplett <josh@joshtriplett.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Reviewed-by: Josh Triplett <josh@joshtriplett.org>
    • um: Add seccomp support · c50b4659
      Mickaël Salaün authored
      This brings SECCOMP_MODE_STRICT and SECCOMP_MODE_FILTER support through
      prctl(2) and seccomp(2) to User-mode Linux for i386 and x86_64
      subarchitectures.
      
      secure_computing() is called first in handle_syscall() so that the
      syscall emulation will be aborted quickly if matching a seccomp rule.
      
      This is inspired from Meredydd Luff's patch
      (https://gerrit.chromium.org/gerrit/21425).
      Signed-off-by: Mickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Will Drewry <wad@chromium.org>
      Cc: Chris Metcalf <cmetcalf@ezchip.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: Meredydd Luff <meredydd@senatehouse.org>
      Cc: David Drysdale <drysdale@google.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Acked-by: Kees Cook <keescook@chromium.org>
    • um: Add full asm/syscall.h support · d8f8b844
      Mickaël Salaün authored
      Add subarchitecture-independent implementation of asm-generic/syscall.h
      allowing access to user system call parameters and results:
      * syscall_get_nr()
      * syscall_rollback()
      * syscall_get_error()
      * syscall_get_return_value()
      * syscall_set_return_value()
      * syscall_get_arguments()
      * syscall_set_arguments()
      * syscall_get_arch() provided by arch/x86/um/asm/syscall.h
      
      This provides the necessary syscall helpers needed by
      HAVE_ARCH_SECCOMP_FILTER plus syscall_get_error().
      
      This is inspired from Meredydd Luff's patch
      (https://gerrit.chromium.org/gerrit/21425).
      Signed-off-by: Mickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Will Drewry <wad@chromium.org>
      Cc: Meredydd Luff <meredydd@senatehouse.org>
      Cc: David Drysdale <drysdale@google.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Acked-by: Kees Cook <keescook@chromium.org>
    • selftests/seccomp: Remove the need for HAVE_ARCH_TRACEHOOK · 4a0b8807
      Mickaël Salaün authored
      Some architectures do not implement PTRACE_GETREGSET nor
      PTRACE_SETREGSET (required by HAVE_ARCH_TRACEHOOK) but only implement
      PTRACE_GETREGS and PTRACE_SETREGS (e.g. User-mode Linux).
      
      This improves seccomp selftest portability for architectures without
      HAVE_ARCH_TRACEHOOK support by defining a new trigger HAVE_GETREGS. For
      now, this is only enabled for i386 and x86_64 architectures. This is
      required to be able to run these tests on User-mode Linux.
      Signed-off-by: Mickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Will Drewry <wad@chromium.org>
      Cc: Shuah Khan <shuahkh@osg.samsung.com>
      Cc: Meredydd Luff <meredydd@senatehouse.org>
      Cc: David Drysdale <drysdale@google.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Acked-by: Kees Cook <keescook@chromium.org>
    • um: Fix ptrace GETREGS/SETREGS bugs · e04c989e
      Mickaël Salaün authored
      This fixes two related bugs:
      * PTRACE_GETREGS doesn't get the right orig_ax (syscall) value
      * PTRACE_SETREGS can't set the orig_ax value (erased by initial value)
      
      Get rid of the now useless and error-prone get_syscall().
      
      Fix inconsistent behavior in the ptrace implementation for i386 when
      updating orig_eax automatically updates the syscall number as well. This
      is now updated in handle_syscall().
      Signed-off-by: Mickaël Salaün <mic@digikod.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Will Drewry <wad@chromium.org>
      Cc: Thomas Meyer <thomas@m3y3r.de>
      Cc: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
      Cc: Anton Ivanov <aivanov@brocade.com>
      Cc: Meredydd Luff <meredydd@senatehouse.org>
      Cc: David Drysdale <drysdale@google.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Acked-by: Kees Cook <keescook@chromium.org>
    • um: link with -lpthread · a7df4716
      Vegard Nossum authored
      Similarly to commit fb1770aa, with gcc 5
      on Ubuntu and CONFIG_STATIC_LINK=y I was seeing these linker errors:
      
      /usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/librt.a(timer_create.o): In function `__timer_create_new':
      (.text+0xcd): undefined reference to `pthread_once'
      /usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/librt.a(timer_create.o): In function `__timer_create_new':
      (.text+0x126): undefined reference to `pthread_attr_init'
      /usr/lib/gcc/x86_64-linux-gnu/5/../../../x86_64-linux-gnu/librt.a(timer_create.o): In function `__timer_create_new':
      (.text+0x168): undefined reference to `pthread_attr_setdetachstate'
      [...]
      
      Obviously we also need -lpthread for librt.a.
      
      Cc: stable@vger.kernel.org # 4.4
      Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • um: Update UBD to use pread/pwrite family of functions · 8c6157b6
      Anton Ivanov authored
      This decreases the number of syscalls per read/write by half.
      Signed-off-by: Anton Ivanov <aivanov@brocade.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • um: Do not change hard IRQ flags in soft IRQ processing · 470a166e
      Anton Ivanov authored
      Software IRQ processing in generic architectures assumes that the
      exit out of hard IRQ may have re-enabled interrupts (some
      architectures may have an implicit EOI). It presumes them enabled
      and toggles the flags once more just in case unless this is turned
      off in the architecture specific hardirq.h by setting
      __ARCH_IRQ_EXIT_IRQS_DISABLED
      
      This patch adds this to UML where due to the way IRQs are handled
      it is an optimization (it works fine without it too).
      Signed-off-by: Anton Ivanov <aivanov@brocade.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • um: Prevent IRQ handler reentrancy · d5e3f5cb
      Anton Ivanov authored
      The existing IRQ handler design in UML does not prevent reentrancy
      
      This is mitigated by fd-enable/fd-disable semantics for the IO
      portion of the UML subsystem. The timer, however, can and is
      re-entered resulting in very deep stack usage and occasional
      stack exhaustion.
      
      This patch prevents this by checking if there is a timer
      interrupt in-flight before processing any pending timer interrupts.
      Signed-off-by: Anton Ivanov <aivanov@brocade.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • uml: flush stdout before forking · 0754fb29
      Vegard Nossum authored
      I was seeing some really weird behaviour where piping UML's output
      somewhere would cause output to get duplicated:
      
        $ ./vmlinux | head -n 40
        Checking that ptrace can change system call numbers...Core dump limits :
                soft - 0
                hard - NONE
        OK
        Checking syscall emulation patch for ptrace...Core dump limits :
                soft - 0
                hard - NONE
        OK
        Checking advanced syscall emulation patch for ptrace...Core dump limits :
                soft - 0
                hard - NONE
        OK
        Core dump limits :
                soft - 0
                hard - NONE
      
      This is because these tests do a fork() which duplicates the non-empty
      stdout buffer, then glibc flushes the duplicated buffer as each child
      exits.
      
      A simple workaround is to flush before forking.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • uml: fix hostfs mknod() · 9f2dfda2
      Vegard Nossum authored
      An inverted return value check in hostfs_mknod() caused the function
      to return success after handling it as an error (and cleaning up).
      
      It resulted in the following segfault when trying to bind() a named
      unix socket:
      
        Pid: 198, comm: a.out Not tainted 4.4.0-rc4
        RIP: 0033:[<0000000061077df6>]
        RSP: 00000000daae5d60  EFLAGS: 00010202
        RAX: 0000000000000000 RBX: 000000006092a460 RCX: 00000000dfc54208
        RDX: 0000000061073ef1 RSI: 0000000000000070 RDI: 00000000e027d600
        RBP: 00000000daae5de0 R08: 00000000da980ac0 R09: 0000000000000000
        R10: 0000000000000003 R11: 00007fb1ae08f72a R12: 0000000000000000
        R13: 000000006092a460 R14: 00000000daaa97c0 R15: 00000000daaa9a88
        Kernel panic - not syncing: Kernel mode fault at addr 0x40, ip 0x61077df6
        CPU: 0 PID: 198 Comm: a.out Not tainted 4.4.0-rc4 #1
        Stack:
         e027d620 dfc54208 0000006f da981398
         61bee000 0000c1ed daae5de0 0000006e
         e027d620 dfcd4208 00000005 6092a460
        Call Trace:
         [<60dedc67>] SyS_bind+0xf7/0x110
         [<600587be>] handle_syscall+0x7e/0x80
         [<60066ad7>] userspace+0x3e7/0x4e0
         [<6006321f>] ? save_registers+0x1f/0x40
         [<6006c88e>] ? arch_prctl+0x1be/0x1f0
         [<60054985>] fork_handler+0x85/0x90
      
      Let's also get rid of the "cosmic ray protection" while we're at it.
      
      Fixes: e9193059 "hostfs: fix races in dentry_name() and inode_name()"
      Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@vger.kernel.org
      Signed-off-by: Richard Weinberger <richard@nod.at>
  2. 28 Dec, 2015 3 commits
    • Linux 4.4-rc7 · 74bf8efb
      Linus Torvalds authored
    • Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · 3ae86f1a
      Linus Torvalds authored
      Pull MIPS fixes from Ralf Baechle:
      
       - Fix bitrot in __get_user_unaligned()
       - EVA userspace accessor bug fixes.
       - Fix for build issues with certain toolchains.
       - Fix build error for VDSO with particular toolchain versions.
       - Fix build error due to a variable that should have been removed by an
         earlier patch
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        MIPS: Fix bitrot in __get_user_unaligned()
        MIPS: Fix build error due to unused variables.
        MIPS: VDSO: Fix build error
        MIPS: CPS: drop .set mips64r2 directives
        MIPS: uaccess: Take EVA into account in [__]clear_user
        MIPS: uaccess: Take EVA into account in __copy_from_user()
        MIPS: uaccess: Fix strlen_user with EVA
    • Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · db066501
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A smallish set of fixes that we've been sitting on for a while now,
        flushing the queue here so they go in.  Summary:
      
        A handful of fixes for OMAP, i.MX, Allwinner and Tegra:
      
         - A clock rate and a PHY setup fix for i.MX6Q/DL
         - A couple of fixes for the reduced serial bus (sunxi-rsb) on
           Allwinner
         - UART wakeirq fix for an OMAP4 board, timer config fixes for AM43XX.
         - Suspend fix for Tegra124 Chromebooks
         - Fix for missing implicit include that's different between
           ARM/ARM64"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: tegra: Fix suspend hang on Tegra124 Chromebooks
        bus: sunxi-rsb: Fix peripheral IC mapping runtime address
        bus: sunxi-rsb: Fix primary PMIC mapping hardware address
        ARM: dts: Fix UART wakeirq for omap4 duovero parlor
        ARM: OMAP2+: AM43xx: select ARM TWD timer
        ARM: OMAP2+: am43xx: enable GENERIC_CLOCKEVENTS_BROADCAST
        fsl-ifc: add missing include on ARM64
        ARM: dts: imx6: Fix Ethernet PHY mode on Ventana boards
        ARM: dts: imx: Fix the assigned-clock mismatch issue on imx6q/dl
        bus: sunxi-rsb: unlock on error in sunxi_rsb_read()
        ARM: dts: sunxi: sun6i-a31s-primo81.dts: add touchscreen axis swapping property
  3. 27 Dec, 2015 5 commits
    • MIPS: Fix bitrot in __get_user_unaligned() · 930c0f70
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    • Merge tag 'pm+acpi-4.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 2c96961f
      Linus Torvalds authored
      Pull power management and ACPI fixes from Rafael Wysocki:
       "These fix an ACPI processor driver regression introduced during the
        4.3 cycle and a mistake in the recently added SCPI support in the
        arm_big_little cpufreq driver.
      
        Specifics:
      
         - Fix a thermal management issue introduced by an ACPI processor
           driver change made during the 4.3 development cycle that failed to
           return 0 from a function on success which triggered an error
           cleanup path every time it had been called that deleted useful data
           structures created previously (Srinivas Pandruvada).
      
         - Fix a variable data type issue in the arm_big_little cpufreq
           driver's SCPI support code added recently that prevents error
           handling in there from working correctly (Dan Carpenter)"
      
      * tag 'pm+acpi-4.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: scpi-cpufreq: signedness bug in scpi_get_dvfs_info()
        ACPI / processor: Fix thermal cooling device regression
    • Merge tag 'md/4.4-rc6-fix' of git://neil.brown.name/md · f0cf008f
      Linus Torvalds authored
      Pull md bugfix from Neil Brown:
       "One more md fix for 4.4-rc
      
        Fix a regression which causes reshape to not start properly sometimes"
      
      * tag 'md/4.4-rc6-fix' of git://neil.brown.name/md:
        md: remove check for MD_RECOVERY_NEEDED in action_store.
    • Merge tag 'upstream-4.4-rc7' of git://git.infradead.org/linux-ubifs · 3bef22ee
      Linus Torvalds authored
      Pull UBI bug fixes from Richard Weinberger:
       "This contains four bug fixes for UBI"
      
      * tag 'upstream-4.4-rc7' of git://git.infradead.org/linux-ubifs:
        mtd: ubi: don't leak e if schedule_erase() fails
        mtd: ubi: fixup error correction in do_sync_erase()
        UBI: fix use of "VID" vs. "EC" in header self-check
        UBI: fix return error code
    • Merge tag 'trace-v4.4-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · e2b0a161
      Linus Torvalds authored
      Pull ftrace/recordmcount fix from Steven Rostedt:
       "Russell King was reporting lots of warnings when he compiled his
        kernel with ftrace enabled.  With some investigation it was discovered
        that it was his compile setup.  He was using ccache with hard links,
        which allowed recordmcount to process the same .o twice.  When this
        happens, recordmcount will detect that it was already done and give a
        warning about it.
      
        Russell fixed this by having recordmcount detect that the object file
        has more than one hard link, and if it does, it unlinks the object
        file after it maps it and processes then.  This appears to fix the
        issue.
      
        As you did not like the fact that recordmcount modified the file in
        place and thought that it should do the modifications in memory and
        then write it out to disk and move it over the old file to prevent
        other more subtle issues like the one above, a second patch is added
        on top of Russell's to do just that.  Luckily the original code had
        write and lseek wrappers that I was able to modify to not do inplace
        writes, but simply keep track of the changes made in memory.  When a
        write is made, a "update" flag is set, and at the end of processing,
        if the update is set, then it writes the file with changes out to a
        new file, and then renames it over the original one.
      
        The file descriptor is still passed to the write and lseek wrappers
        because removing that would cause the change to be more intrusive.
        That can be removed in a follow up cleanup patch that can wait till
        the next merge window"
      
      * tag 'trace-v4.4-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace/scripts: Have recordmcount copy the object file
        scripts: recordmcount: break hardlinks
  4. 26 Dec, 2015 2 commits
    • Merge tag 'arc-4.4-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 12261f4e
      Linus Torvalds authored
      Pull ARC fixes from Vineet Gupta:
       "Sorry for this late pull request, but these are all important fixes
        for code introduced/updated in this release which we will otherwise
        end up back porting.
      
         - Unwinder rework (A revert followed by better fix)
         - Build errors: MMUv2, modules with -Os
         - highmem section mismatch build splat"
      
      * tag 'arc-4.4-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: dw2 unwind: Catch Dwarf SNAFUs early
        ARC: dw2 unwind: Don't bail for CIE.version != 1
        Revert "ARC: dw2 unwind: Ignore CIE version !=1 gracefully instead of bailing"
        ARC: Fix linking errors with CONFIG_MODULE + CONFIG_CC_OPTIMIZE_FOR_SIZE
        ARC: mm: fix building for MMU v2
        ARC: mm: HIGHMEM: Fix section mismatch splat
    • Merge branches 'acpi-processor' and 'pm-cpufreq' · 43b28ca8
      Rafael J. Wysocki authored
      * acpi-processor:
        ACPI / processor: Fix thermal cooling device regression
      
      * pm-cpufreq:
        cpufreq: scpi-cpufreq: signedness bug in scpi_get_dvfs_info()
  5. 25 Dec, 2015 2 commits
    • Merge branch 'parisc-4.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 8db7b3c5
      Linus Torvalds authored
      Pull parisc system call restart fix from Helge Deller:
       "The architectural design of parisc always uses two instructions to
        call kernel syscalls (delayed branch feature).  This means that the
        instruction following the branch (located in the delay slot of the
        branch instruction) is executed before control passes to the branch
        destination.
      
        Depending on which assembler instruction and how it is used in
        userspace in the delay slot, this sometimes made restarted syscalls
        like futex() and poll() failing with -ENOSYS"
      
      * 'parisc-4.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Fix syscall restarts
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 682cb0cd
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) Finally make perf stack backtraces stable on sparc, several problems
          (mostly due to the context in which the user copies from the stack
          are done) contributed to this.
      
          From Rob Gardner.
      
       2) Export ADI capability if the cpu supports it.
      
       3) Hook up userfaultfd system call.
      
       4) When faults happen during user copies we really have to clean up and
          restore the FPU state fully.  Also from Rob Gardner
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        tty/serial: Skip 'NULL' char after console break when sysrq enabled
        sparc64: fix FP corruption in user copy functions
        sparc64: Perf should save/restore fault info
        sparc64: Ensure perf can access user stacks
        sparc64: Don't set %pil in rtrap_nmi too early
        sparc64: Add ADI capability to cpu capabilities
        tty: serial: constify sunhv_ops structs
        sparc: Hook up userfaultfd system call
  6. 24 Dec, 2015 8 commits
    • tty/serial: Skip 'NULL' char after console break when sysrq enabled · 079317a6
      Vijay Kumar authored
      When sysrq is triggered from console, serial driver for SUN hypervisor
      console receives a console break and enables the sysrq. It expects a valid
      sysrq char following with break. Meanwhile if driver receives 'NULL'
      ASCII char then it disables sysrq and sysrq handler will never be invoked.
      
      This fix skips calling uart sysrq handler when 'NULL' is received while
      sysrq is enabled.
      Signed-off-by: Vijay Kumar <vijay.ac.kumar@oracle.com>
      Acked-by: Karl Volz <karl.volz@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: fix FP corruption in user copy functions · a7c5724b
      Rob Gardner authored
      Short story: Exception handlers used by some copy_to_user() and
      copy_from_user() functions do not diligently clean up floating point
      register usage, and this can result in a user process seeing invalid
      values in floating point registers. This sometimes makes the process
      fail.
      
      Long story: Several cpu-specific (NG4, NG2, U1, U3) memcpy functions
      use floating point registers and VIS alignaddr/faligndata to
      accelerate data copying when source and dest addresses don't align
      well. Linux uses a lazy scheme for saving floating point registers; It
      is not done upon entering the kernel since it's a very expensive
      operation. Rather, it is done only when needed. If the kernel ends up
      not using FP regs during the course of some trap or system call, then
      it can return to user space without saving or restoring them.
      
      The various memcpy functions begin their FP code with VISEntry (or a
      variation thereof), which saves the FP regs. They conclude their FP
      code with VISExit (or a variation) which essentially marks the FP regs
      "clean", ie, they contain no unsaved values. fprs.FPRS_FEF is turned
      off so that a lazy restore will be triggered when/if the user process
      accesses floating point regs again.
      
      The bug is that the user copy variants of memcpy, copy_from_user() and
      copy_to_user(), employ an exception handling mechanism to detect faults
      when accessing user space addresses, and when this handler is invoked,
      an immediate return from the function is forced, and VISExit is not
      executed, thus leaving the fprs register in an indeterminate state,
      but often with fprs.FPRS_FEF set and one or more dirty bits. This
      results in a return to user space with invalid values in the FP regs,
      and since fprs.FPRS_FEF is on, no lazy restore occurs.
      
      This bug affects copy_to_user() and copy_from_user() for NG4, NG2,
      U3, and U1. All are fixed by using a new exception handler for those
      loads and stores that are done during the time between VISEnter and
      VISExit.
      
      n.b. In NG4memcpy, the problematic code can be triggered by a copy
      size greater than 128 bytes and an unaligned source address.  This bug
      is known to be the cause of random user process memory corruptions
      while perf is running with the callgraph option (ie, perf record -g).
      This occurs because perf uses copy_from_user() to read user stacks,
      and may fault when it follows a stack frame pointer off to an
      invalid page. Validation checks on the stack address just obscure
      the underlying problem.
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Perf should save/restore fault info · 83352694
      Rob Gardner authored
      There have been several reports of random processes being killed with
      a bus error or segfault during userspace stack walking in perf.  One
      of the root causes of this problem is an asynchronous modification to
      thread_info fault_address and fault_code, which stems from a perf
      counter interrupt arriving during kernel processing of a "benign"
      fault, such as a TSB miss. Since perf_callchain_user() invokes
      copy_from_user() to read user stacks, a fault is not only possible,
      but probable. Validity checks on the stack address merely cover up the
      problem and reduce its frequency.
      
      The solution here is to save and restore fault_address and fault_code
      in perf_callchain_user() so that the benign fault handler is not
      disturbed by a perf interrupt.
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Ensure perf can access user stacks · 3f74306a
      Rob Gardner authored
      When an interrupt (such as a perf counter interrupt) is delivered
      while executing in user space, the trap entry code puts ASI_AIUS in
      %asi so that copy_from_user() and copy_to_user() will access the
      correct memory. But if a perf counter interrupt is delivered while the
      cpu is already executing in kernel space, then the trap entry code
      will put ASI_P in %asi, and this will prevent copy_from_user() from
      reading any useful stack data in either of the perf_callchain_user_X
      functions, and thus no user callgraph data will be collected for this
      sample period. An additional problem is that a fault is guaranteed
      to occur, and though it will be silently covered up, it wastes time
      and could perturb state.
      
      In perf_callchain_user(), we ensure that %asi contains ASI_AIUS
      because we know for a fact that the subsequent calls to
      copy_from_user() are intended to read the user's stack.
      
      [ Use get_fs()/set_fs() -DaveM ]
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Don't set %pil in rtrap_nmi too early · 1ca04a4c
      Rob Gardner authored
      Commit 28a1f533 delays setting %pil to avoid potential
      hardirq stack overflow in the common rtrap_irq path.
      Setting %pil also needs to be delayed in the rtrap_nmi
      path for the same reason.
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Add ADI capability to cpu capabilities · 82924e54
      Khalid Aziz authored
      Add ADI (Application Data Integrity) capability to cpu capabilities list.
      ADI capability allows virtual addresses to be encoded with a tag in
      bits 63-60. This tag serves as an access control key for the regions
      of virtual address with ADI enabled and a key set on them. Hypervisor
      encodes this capability as "adp" in "hwcap-list" property in machine
      description.
      Signed-off-by: default avatarKhalid Aziz <khalid.aziz@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      82924e54
    • tty: serial: constify sunhv_ops structs · 01fd3c27
      Aya Mahfouz authored
      Constifies sunhv_ops structures in tty's serial
      driver since they are not modified after their
      initialization.
      
      Detected and found using Coccinelle.
      Suggested-by: Julia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: Aya Mahfouz <mahfouz.saif.elyazal@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      01fd3c27
    • cpufreq: scpi-cpufreq: signedness bug in scpi_get_dvfs_info() · a7def561
      Dan Carpenter authored
      The "domain" variable needs to be signed for the error handling to work.
      
      Fixes: 8def3103 (cpufreq: arm_big_little: add SCPI interface driver)
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Acked-by: Sudeep Holla <sudeep.holla@arm.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      a7def561
  7. 23 Dec, 2015 7 commits
    • sparc: Hook up userfaultfd system call · 9bcfd78a
      Mike Kravetz authored
      After hooking up system call, userfaultfd selftest was successful for
      both 32 and 64 bit version of test.
      Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      9bcfd78a
    • Merge tag 'sound-4.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · a8816434
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This shouldn't be a nightmare before Christmas: just a handful small
        device-specific fixes for various ASoC and HD-audio drivers.  Most of
        them are stable fixes"
      
      * tag 'sound-4.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
        ASoC: fsl_sai: fix no frame clk in master mode
        ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
        ASoC: sgtl5000: fix VAG power up timing
        ASoC: rockchip: spdif: Set transmit data level to 16 samples
        ASoC: wm8974: set cache type for regmap
        ASoC: es8328: Fix shifts for mixer switches
        ASoC: davinci-mcasp: Fix XDATA check in mcasp_start_tx
        ASoC: es8328: Fix deemphasis values
      a8816434
    • Merge tag 'drm-intel-fixes-2015-12-23' of git://anongit.freedesktop.org/drm-intel · 5b726e06
      Linus Torvalds authored
      Pull i915 drm fixes from Jani Nikula:
       "Here's a batch of i915 fixes all around.  It may be slightly bigger
        than one would hope for at this stage, but they've all been through
        testing in our -next before being picked up for v4.4.  Also, I missed
        Dave's fixes pull earlier today just because I wanted an extra testing
        round on this.  So I'm fairly confident.
      
        Wishing you all the things it is customary to wish this time of the
        year"
      
      * tag 'drm-intel-fixes-2015-12-23' of git://anongit.freedesktop.org/drm-intel:
        drm/i915: Correct max delay for HDMI hotplug live status checking
        drm/i915: mdelay(10) considered harmful
        drm/i915: Kill intel_crtc->cursor_bo
        drm/i915: Workaround CHV pipe C cursor fail
        drm/i915: Only spin whilst waiting on the current request
        drm/i915: Limit the busy wait on requests to 5us not 10ms!
        drm/i915: Break busywaiting for requests on pending signals
        drm/i915: Disable primary plane if we fail to reconstruct BIOS fb (v2)
        drm/i915: Set the map-and-fenceable flag for preallocated objects
        drm/i915: Drop the broken cursor base==0 special casing
      5b726e06
    • Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 2bfd43d8
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Not much happening, should have dequeued this lot earlier.
      
        One amdgpu, one nouveau and one exynos fix"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/exynos: atomic check only enabled crtc states
        drm/nouveau/bios/fan: hardcode the fan mode to linear
        drm/amdgpu: fix user fence handling
      2bfd43d8
    • Merge tag 'asoc-fix-v4.4-rc6' of... · 0fb0b822
      Takashi Iwai authored
      Merge tag 'asoc-fix-v4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v4.4
      
      A collection of small driver specific fixes here, nothing that'll affect
      users who don't have the devices concerned.  At least the wm8974 bug
      indicates that there's not too many users of some of these devices.
      0fb0b822
    • Merge remote-tracking branches 'asoc/fix/davinci', 'asoc/fix/es8328',... · 3dd5fc0e
      Mark Brown authored
      Merge remote-tracking branches 'asoc/fix/davinci', 'asoc/fix/es8328', 'asoc/fix/fsl-sai', 'asoc/fix/rockchip', 'asoc/fix/sgtl5000' and 'asoc/fix/wm8974' into asoc-linus
      3dd5fc0e
    • Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 24bc3ea5
      Linus Torvalds authored
      Pull block layer fixes from Jens Axboe:
       "Three small fixes for 4.4 final. Specifically:
      
         - The segment issue fix from Junichi, where the old IO path does a
           bio limit split before potentially bouncing the pages.  We need to
           do that in the right order, to ensure that limitations are met.
      
         - A NVMe surprise removal IO hang fix from Keith.
      
         - A use-after-free in null_blk, introduced by a previous patch in
           this series.  From Mike Krinkin"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        null_blk: fix use-after-free error
        block: ensure to split after potentially bouncing a bio
        NVMe: IO ending fixes on surprise removal
      24bc3ea5
  8. 22 Dec, 2015 1 commit