1. 07 Aug, 2018 1 commit
      x86/paravirt: Fix spectre-v2 mitigations for paravirt guests · 5800dc5c
      Peter Zijlstra authored
      Nadav reported that on guests we're failing to rewrite the indirect
      calls to CALLEE_SAVE paravirt functions. In particular the
      pv_queued_spin_unlock() call is left unpatched and that is all over the
      place. This obviously wrecks Spectre-v2 mitigation (for paravirt
      guests) which relies on not actually having indirect calls around.
      
      The reason is an incorrect clobber test in paravirt_patch_call(). This
      function rewrites an indirect call into a direct call to the _SAME_
      function, so there is no possible way the clobbers can be different.
      
      Therefore remove this clobber check. Also put WARNs on the other patch
      failure case (not enough room for the instruction) which I've not seen
      trigger in my (limited) testing.
      
      Three live kernel image disassemblies for lock_sock_nested (as a small
      function that illustrates the problem nicely). PRE is the current
      situation for guests, POST is with this patch applied and NATIVE is with
      or without the patch for !guests.
      
      PRE:
      
      (gdb) disassemble lock_sock_nested
      Dump of assembler code for function lock_sock_nested:
         0xffffffff817be970 <+0>:     push   %rbp
         0xffffffff817be971 <+1>:     mov    %rdi,%rbp
         0xffffffff817be974 <+4>:     push   %rbx
         0xffffffff817be975 <+5>:     lea    0x88(%rbp),%rbx
         0xffffffff817be97c <+12>:    callq  0xffffffff819f7160 <_cond_resched>
         0xffffffff817be981 <+17>:    mov    %rbx,%rdi
         0xffffffff817be984 <+20>:    callq  0xffffffff819fbb00 <_raw_spin_lock_bh>
         0xffffffff817be989 <+25>:    mov    0x8c(%rbp),%eax
         0xffffffff817be98f <+31>:    test   %eax,%eax
         0xffffffff817be991 <+33>:    jne    0xffffffff817be9ba <lock_sock_nested+74>
         0xffffffff817be993 <+35>:    movl   $0x1,0x8c(%rbp)
         0xffffffff817be99d <+45>:    mov    %rbx,%rdi
         0xffffffff817be9a0 <+48>:    callq  *0xffffffff822299e8
         0xffffffff817be9a7 <+55>:    pop    %rbx
         0xffffffff817be9a8 <+56>:    pop    %rbp
         0xffffffff817be9a9 <+57>:    mov    $0x200,%esi
         0xffffffff817be9ae <+62>:    mov    $0xffffffff817be993,%rdi
         0xffffffff817be9b5 <+69>:    jmpq   0xffffffff81063ae0 <__local_bh_enable_ip>
         0xffffffff817be9ba <+74>:    mov    %rbp,%rdi
         0xffffffff817be9bd <+77>:    callq  0xffffffff817be8c0 <__lock_sock>
         0xffffffff817be9c2 <+82>:    jmp    0xffffffff817be993 <lock_sock_nested+35>
      End of assembler dump.
      
      POST:
      
      (gdb) disassemble lock_sock_nested
      Dump of assembler code for function lock_sock_nested:
         0xffffffff817be970 <+0>:     push   %rbp
         0xffffffff817be971 <+1>:     mov    %rdi,%rbp
         0xffffffff817be974 <+4>:     push   %rbx
         0xffffffff817be975 <+5>:     lea    0x88(%rbp),%rbx
         0xffffffff817be97c <+12>:    callq  0xffffffff819f7160 <_cond_resched>
         0xffffffff817be981 <+17>:    mov    %rbx,%rdi
         0xffffffff817be984 <+20>:    callq  0xffffffff819fbb00 <_raw_spin_lock_bh>
         0xffffffff817be989 <+25>:    mov    0x8c(%rbp),%eax
         0xffffffff817be98f <+31>:    test   %eax,%eax
         0xffffffff817be991 <+33>:    jne    0xffffffff817be9ba <lock_sock_nested+74>
         0xffffffff817be993 <+35>:    movl   $0x1,0x8c(%rbp)
         0xffffffff817be99d <+45>:    mov    %rbx,%rdi
         0xffffffff817be9a0 <+48>:    callq  0xffffffff810a0c20 <__raw_callee_save___pv_queued_spin_unlock>
         0xffffffff817be9a5 <+53>:    xchg   %ax,%ax
         0xffffffff817be9a7 <+55>:    pop    %rbx
         0xffffffff817be9a8 <+56>:    pop    %rbp
         0xffffffff817be9a9 <+57>:    mov    $0x200,%esi
         0xffffffff817be9ae <+62>:    mov    $0xffffffff817be993,%rdi
         0xffffffff817be9b5 <+69>:    jmpq   0xffffffff81063aa0 <__local_bh_enable_ip>
         0xffffffff817be9ba <+74>:    mov    %rbp,%rdi
         0xffffffff817be9bd <+77>:    callq  0xffffffff817be8c0 <__lock_sock>
         0xffffffff817be9c2 <+82>:    jmp    0xffffffff817be993 <lock_sock_nested+35>
      End of assembler dump.
      
      NATIVE:
      
      (gdb) disassemble lock_sock_nested
      Dump of assembler code for function lock_sock_nested:
         0xffffffff817be970 <+0>:     push   %rbp
         0xffffffff817be971 <+1>:     mov    %rdi,%rbp
         0xffffffff817be974 <+4>:     push   %rbx
         0xffffffff817be975 <+5>:     lea    0x88(%rbp),%rbx
         0xffffffff817be97c <+12>:    callq  0xffffffff819f7160 <_cond_resched>
         0xffffffff817be981 <+17>:    mov    %rbx,%rdi
         0xffffffff817be984 <+20>:    callq  0xffffffff819fbb00 <_raw_spin_lock_bh>
         0xffffffff817be989 <+25>:    mov    0x8c(%rbp),%eax
         0xffffffff817be98f <+31>:    test   %eax,%eax
         0xffffffff817be991 <+33>:    jne    0xffffffff817be9ba <lock_sock_nested+74>
         0xffffffff817be993 <+35>:    movl   $0x1,0x8c(%rbp)
         0xffffffff817be99d <+45>:    mov    %rbx,%rdi
         0xffffffff817be9a0 <+48>:    movb   $0x0,(%rdi)
         0xffffffff817be9a3 <+51>:    nopl   0x0(%rax)
         0xffffffff817be9a7 <+55>:    pop    %rbx
         0xffffffff817be9a8 <+56>:    pop    %rbp
         0xffffffff817be9a9 <+57>:    mov    $0x200,%esi
         0xffffffff817be9ae <+62>:    mov    $0xffffffff817be993,%rdi
         0xffffffff817be9b5 <+69>:    jmpq   0xffffffff81063ae0 <__local_bh_enable_ip>
         0xffffffff817be9ba <+74>:    mov    %rbp,%rdi
         0xffffffff817be9bd <+77>:    callq  0xffffffff817be8c0 <__lock_sock>
         0xffffffff817be9c2 <+82>:    jmp    0xffffffff817be993 <lock_sock_nested+35>
      End of assembler dump.
      
      
      Fixes: 63f70270 ("[PATCH] i386: PARAVIRT: add common patching machinery")
      Fixes: 3010a066 ("x86/paravirt, objtool: Annotate indirect calls")
      Reported-by: Nadav Amit <namit@vmware.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Juergen Gross <jgross@suse.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: stable@vger.kernel.org
      5800dc5c
  2. 05 Aug, 2018 1 commit
  3. 02 Aug, 2018 1 commit
  4. 01 Aug, 2018 9 commits
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 6b470376
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "Just a single fix this time around for recent binutils causing build
        problems when generating Thumb-2 code"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8781/1: Fix Thumb-2 syscall return for binutils 2.29+
      6b470376
      mm: do not initialize TLB stack vma's with vma_init() · 8b11ec1b
      Linus Torvalds authored
      Commit 2c4541e2 ("mm: use vma_init() to initialize VMAs on stack and
      data segments") tried to initialize various left-over ad-hoc vma's
      "properly", but actually made things worse for the temporary vma's used
      for TLB flushing.
      
      vma_init() doesn't actually initialize all of the vma, just a few
      fields, so doing something like
      
         -       struct vm_area_struct vma = { .vm_mm = tlb->mm, };
         +       struct vm_area_struct vma;
         +
         +       vma_init(&vma, tlb->mm);
      
      was actually very bad: instead of having a nicely initialized vma with
      every field but "vm_mm" zeroed, you'd have an entirely uninitialized vma
      with only a couple of fields initialized.  And they weren't even fields
      that the code in question mostly cared about.
      
      The flush_tlb_range() function takes a "struct vma" rather than a
      "struct mm_struct", because a few architectures actually care about what
      kind of range it is - being able to only do an ITLB flush if it's a
      range that doesn't have data accesses enabled, for example.  And all the
      normal users already have the vma for doing the range invalidation.
      
      But a few people want to call flush_tlb_range() with a range they just
      made up, so they also end up using a made-up vma.  x86 just has a
      special "flush_tlb_mm_range()" function for this, but other
      architectures (arm and ia64) do the "use fake vma" thing instead, and
      thus got caught up in the vma_init() changes.
      
      At the same time, the TLB flushing code really doesn't care about most
      other fields in the vma, so vma_init() is just unnecessary and
      pointless.
      
      This fixes things by having an explicit "this is just an initializer for
      the TLB flush" initializer macro, which is used by the arm/arm64/ia64
      people who mis-use this interface with just a dummy vma.
      
      Fixes: 2c4541e2 ("mm: use vma_init() to initialize VMAs on stack and data segments")
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Hugh Dickins <hughd@google.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      8b11ec1b
      mm: delete historical BUG from zap_pmd_range() · 53406ed1
      Hugh Dickins authored
      Delete the old VM_BUG_ON_VMA() from zap_pmd_range(), which asserted
      that mmap_sem must be held when splitting an "anonymous" vma there.
      Whether that's still strictly true nowadays is not entirely clear,
      but the danger of sometimes crashing on the BUG is now fairly clear.
      
      Even with the new stricter rules for anonymous vma marking, the
      condition it checks for can possibly trigger. Commit 44960f2a
      ("staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem
      pages") is good, and originally I thought it was safe from that
      VM_BUG_ON_VMA(), because the /dev/ashmem fd exposed to the user is
      disconnected from the vm_file in the vma, and madvise(,,MADV_REMOVE)
      insists on VM_SHARED.
      
      But after I read John's earlier mail, drawing attention to the
      vfs_fallocate() in there: I may be wrong, and I don't know if Android
      has THP in the config anyway, but it looks to me like an
      unmap_mapping_range() from ashmem's vfs_fallocate() could hit precisely
      the VM_BUG_ON_VMA(), once it's vma_is_anonymous().
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      53406ed1
      Merge tag 'mmc-v4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 9a97ebf7
      Linus Torvalds authored
      Pull MMC fix from Ulf Hansson:
       "MMC host: mxcmmc: Fix build error for powerpc"
      
      * tag 'mmc-v4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: mxcmmc: Fix missing parentheses and brace
      9a97ebf7
      Merge tag 'pm-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f390b7bf
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix the scope of a recent intel_pstate driver optimization used
        incorrectly on some systems due to processor identification ambiguity
        and fix a few issues in the turbostat utility, including three recent
        regressions.
      
        Specifics:
      
         - Use ACPI FADT preferred PM Profile to distinguish Skylake desktop
           processors from some server ones with the same model number in
           order to limit the scope of the recent IO-wait boost optimization
           to servers, as intended (Srinivas Pandruvada).
      
         - Fix several issues in the turbostat utility:
            * Fix the -S option on 1-CPU systems (Len Brown).
            * Fix computations using incorrect processor core counts (Artem
              Bityutskiy).
            * Fix the x2apic debug message (Len Brown).
            * Fix logical node enumeration to allow for non-sequential
              physical nodes (Prarit Bhargava).
            * Fix reported family on modern AMD processors (Calvin Walton).
            * Clarify the RAPL column information in the man page (Len Brown)"
      
      * tag 'pm-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: intel_pstate: Limit the scope of HWP dynamic boost platforms
        tools/power turbostat: version 18.07.27
        tools/power turbostat: Read extended processor family from CPUID
        tools/power turbostat: Fix logical node enumeration to allow for non-sequential physical nodes
        tools/power turbostat: fix x2apic debug message output file
        tools/power turbostat: fix bogus summary values
        tools/power turbostat: fix -S on UP systems
        tools/power turbostat: Update turbostat(8) RAPL throttling column description
      f390b7bf
      squashfs metadata 2: electric boogaloo · cdbb65c4
      Linus Torvalds authored
      Anatoly continues to find issues with fuzzed squashfs images.
      
      This time, corrupt, missing, or undersized data for the page filling
      wasn't checked for, because the squashfs_{copy,read}_cache() functions
      did the squashfs_copy_data() call without checking the resulting data
      size.
      
      Which could result in the page cache pages being incompletely filled in,
      with no error indication to user space, which then reads garbage data.
      
      So make a helper function for the "fill in pages" case, because the
      exact same incomplete sequence existed in two places.
      
      [ I should have made a squashfs branch for these things, but I didn't
        intend to start doing them in the first place.
      
        My historical connection through cramfs is why I got into looking at
        these issues at all, and every time I (continue to) think it's a
        one-off.
      
        Because _this_ time is always the last time. Right?   - Linus ]
      Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Tested-by: Willy Tarreau <w@1wt.eu>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Phillip Lougher <phillip@squashfs.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      cdbb65c4
      staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages · 44960f2a
      John Stultz authored
      Amit Pundir and Youling in parallel reported crashes with recent
      mainline kernels running Android:
      
        F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
        F DEBUG   : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
        F DEBUG   : Revision: '0'
        F DEBUG   : ABI: 'arm'
        F DEBUG   : pid: 2261, tid: 2261, name: zygote  >>> zygote <<<
        F DEBUG   : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
        ... <snip> ...
        F DEBUG   : backtrace:
        F DEBUG   :     #00 pc 00001c04  /system/lib/libc.so (memset+48)
        F DEBUG   :     #01 pc 0010c513  /system/lib/libart.so (create_mspace_with_base+82)
        F DEBUG   :     #02 pc 0015c601  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
        F DEBUG   :     #03 pc 0015c3ed  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string<char, std::__ 1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)
        ...
      
      This was bisected back to commit bfd40eaf ("mm: fix
      vma_is_anonymous() false-positives").
      
      create_mspace_with_base() in the trace above, utilizes ashmem, and with
      ashmem, for shared mappings we use shmem_zero_setup(), which sets the
      vma->vm_ops to &shmem_vm_ops.  But for private ashmem mappings nothing
      sets the vma->vm_ops.
      
      Looking at the problematic patch, it seems to add a requirement that one
      call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be
      used.  Using the dummy_vm_ops seems to trigger SIGBUS when traversing
      unmapped pages.
      
      Thus, this patch adds a call to vma_set_anonymous() for ashmem private
      mappings and seems to avoid the reported problem.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: Colin Cross <ccross@google.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Reported-by: Amit Pundir <amit.pundir@linaro.org>
      Reported-by: Youling 257 <youling257@gmail.com>
      Signed-off-by: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      44960f2a
      ia64: mark special ia64 memory areas anonymous · ebad825c
      Linus Torvalds authored
      Commit bfd40eaf ("mm: fix vma_is_anonymous() false-positives") made
      newly allocated vma's have a dummy vm_ops field so that they wouldn't be
      mistaken for anonymous mappings, and if you wanted an anonymous vma you
      had to explicitly say so by calling "vma_set_anonymous()" on it.
      
      However, it missed the two special vmas that ia64 processes have: the
      register backing store and the NaT page.  So they wouldn't actually act
      like anonymous ranges, and page faults on them caused a SIGBUS rather
      than the creation of a new anon page in them.
      
      That obviously will make any ia64 binary very unhappy indeed, and the
      boot fails early.
      
      Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
      Reported-by: Tony Luck <tony.luck@intel.com>
      Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      ebad825c
      Merge branch 'pm-tools' · 9b7c19e9
      Rafael J. Wysocki authored
      Merge turbostat utility fixes for final 4.18:
      
       - Fix the -S option on 1-CPU systems.
       - Fix computations using incorrect processor core counts.
       - Fix the x2apic debug message.
       - Fix logical node enumeration to allow for non-sequential physical nodes.
       - Fix reported family on modern AMD processors.
       - Clarify the RAPL column information in the man page.
      
      * pm-tools:
        tools/power turbostat: version 18.07.27
        tools/power turbostat: Read extended processor family from CPUID
        tools/power turbostat: Fix logical node enumeration to allow for non-sequential physical nodes
        tools/power turbostat: fix x2apic debug message output file
        tools/power turbostat: fix bogus summary values
        tools/power turbostat: fix -S on UP systems
        tools/power turbostat: Update turbostat(8) RAPL throttling column description
      9b7c19e9
  5. 31 Jul, 2018 9 commits
      Merge tag 'audit-pr-20180731' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit · 37b71411
      Linus Torvalds authored
      Pull audit fix from Paul Moore:
       "A single small audit fix to guard against memory allocation failures
        when logging information about a kernel module load.
      
        It's small, easy to understand, and self-contained; while nothing is
        zero risk, this should be pretty low"
      
      * tag 'audit-pr-20180731' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
        audit: fix potential null dereference 'context->module.name'
      37b71411
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · c1d61e7f
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Nine fixes, five in the qla2xxx driver, the most serious of which is
        the uninitialized list head crash which can be observed in most
        systems under a sufficiently loaded low memory environment.
      
        The two sg fixes are minor but obvious and two target ones which seem
        reasonable but not high impact"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: Return error when TMF returns
        scsi: qla2xxx: Fix ISP recovery on unload
        scsi: qla2xxx: Fix driver unload by shutting down chip
        scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion
        scsi: qla2xxx: Fix unintialized List head crash
        scsi: sg: update comment for blk_get_request()
        scsi: sg: fix minor memory leak in error path
        scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
        scsi: target: iscsi: cxgbit: fix max iso npdu calculation
      c1d61e7f
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 095c3633
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
       "Some bugfixes that seem important and safe enough to merge at the last
        minute"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        virtio_balloon: fix another race between migration and ballooning
        tools/virtio: add kmalloc_array stub
        tools/virtio: add dma barrier stubs
      095c3633
      Merge tag 'acpi-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · c786e405
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix a recent ACPICA regression affecting control method
        execution at the table level and an earlier hibernation regression in
        the ACPI driver for Intel SoCs (LPSS) that was missed by a previous
        fix in this cycle.
      
        Specifics:
      
         - Fix a recent ACPICA regression introduced by a previous fix that
           caused control method execution at the table level to be mishandled
           by mistake (Erik Schmauss).
      
         - Fix a hibernation regression from the 4.15 cycle in the ACPI driver
           for Intel SoCs (LPSS) that caused the platform firmware to be
           confused during resume from hibernation by the driver's PM quirks
           which was fixed for system-wide suspend/resume (ACPI S3) earlier in
           this cycle, but that previous fix missed the hibernation (ACPI S4)
           case (Rafael Wysocki)"
      
      * tag 'acpi-urgent-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPICA: AML Parser: ignore control method status in module-level code
        ACPI / LPSS: Avoid PM quirks on suspend and resume from hibernation
      c786e405
      cpufreq: intel_pstate: Limit the scope of HWP dynamic boost platforms · 01e61a42
      Srinivas Pandruvada authored
      Dynamic boosting of HWP performance on IO wake showed significant
      improvement to IO workloads. This series was intended for Skylake Xeon
      platforms only and feature was enabled by default based on CPU model
      number.
      
      But some Xeon platforms reused the Skylake desktop CPU model number. This
      caused some undesirable side effects to some graphics workloads. Since
      they are heavily IO bound, the increase in CPU performance decreased the
      power available for GPU to do its computing and hence decrease in graphics
      benchmark performance.
      
      For example on a Skylake desktop, GpuTest benchmark showed average FPS
      reduction from 529 to 506.
      
      This change makes sure that the HWP boost feature is only enabled for Skylake
      server platforms by using the ACPI FADT preferred PM Profile. If some desktop
      users want to get the benefit of boost, they can still enable it from the
      intel_pstate sysfs attribute "hwp_dynamic_boost".
      
      Fixes: 41ab43c9 (cpufreq: intel_pstate: enable boost for Skylake Xeon)
      Link: https://bugs.freedesktop.org/show_bug.cgi?id=107410
      Reported-by: Eero Tamminen <eero.t.tamminen@intel.com>
      Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Reviewed-by: Francisco Jerez <currojerez@riseup.net>
      Acked-by: Mel Gorman <mgorman@techsingularity.net>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      01e61a42
      Merge branch 'acpi-soc' · 5f95d39b
      Rafael J. Wysocki authored
      Merge a fix for hibernation regression in the ACPI driver for Intel
      SoCs (LPSS).
      
      * acpi-soc:
        ACPI / LPSS: Avoid PM quirks on suspend and resume from hibernation
      5f95d39b
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f67077de
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Several smallish fixes, I don't think any of this requires another -rc
        but I'll leave that up to you:
      
         1) Don't leak uninitialized bytes to userspace in xfrm_user, from Eric
            Dumazet.
      
         2) Route leak in xfrm_lookup_route(), from Tommi Rantala.
      
         3) Premature poll() returns in AF_XDP, from Björn Töpel.
      
         4) devlink leak in netdevsim, from Jakub Kicinski.
      
         5) Don't BUG_ON in fib_compute_spec_dst, the condition can
            legitimately happen. From Lorenzo Bianconi.
      
         6) Fix some spectre v1 gadgets in generic socket code, from Jeremy
            Cline.
      
         7) Don't allow user to bind to out of range multicast groups, from
            Dmitry Safonov with a follow-up by Dmitry Safonov.
      
         8) Fix metrics leak in fib6_drop_pcpu_from(), from Sabrina Dubroca"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
        netlink: Don't shift with UB on nlk->ngroups
        net/ipv6: fix metrics leak
        xen-netfront: wait xenbus state change when load module manually
        can: ems_usb: Fix memory leak on ems_usb_disconnect()
        openvswitch: meter: Fix setting meter id for new entries
        netlink: Do not subscribe to non-existent groups
        NET: stmmac: align DMA stuff to largest cache line length
        tcp_bbr: fix bw probing to raise in-flight data for very small BDPs
        net: socket: Fix potential spectre v1 gadget in sock_is_registered
        net: socket: fix potential spectre v1 gadget in socketcall
        net: mdio-mux: bcm-iproc: fix wrong getter and setter pair
        ipv4: remove BUG_ON() from fib_compute_spec_dst
        enic: handle mtu change for vf properly
        net: lan78xx: fix rx handling before first packet is send
        nfp: flower: fix port metadata conversion bug
        bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog()
        bpf: fix bpf_skb_load_bytes_relative pkt length check
        perf build: Build error in libbpf missing initialization
        net: ena: Fix use of uninitialized DMA address bits field
        bpf: btf: Use exact btf value_size match in map_check_btf()
        ...
      f67077de
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 5723b4a3
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Some small __init annotation and build fixes from Steven Rostedt and
        Thomas Petazzoni"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: use asm-generic version of msi.h
        sparc: move MSI related definitions to where they are used
        sparc/time: Add missing __init to init_tick_ops()
      5723b4a3
      squashfs: more metadata hardening · d5125847
      Linus Torvalds authored
      Anatoly reports another squashfs fuzzing issue, where the decompression
      parameters themselves are in a compressed block.
      
      This causes squashfs_read_data() to be called in order to read the
      decompression options before the decompression stream has been set
      up, making squashfs go sideways.
      Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
      Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      d5125847
  6. 30 Jul, 2018 16 commits
      audit: fix potential null dereference 'context->module.name' · b305f7ed
      Yi Wang authored
      The variable 'context->module.name' may be a null pointer when
      kmalloc returns null, so it's better to check it before use
      to avoid a null dereference.
      This patch also uses kstrdup instead of (kmalloc + strcpy), and
      signals a lost record via audit_log_lost.
      
      Cc: stable@vger.kernel.org # 4.11
      Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
      Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
      Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      b305f7ed
      sparc: use asm-generic version of msi.h · 12be1036
      Thomas Petazzoni authored
      This is necessary to be able to include <linux/msi.h> when
      CONFIG_GENERIC_MSI_IRQ_DOMAIN is enabled. Without this, a build with
      CONFIG_GENERIC_MSI_IRQ_DOMAIN fails with:
      
         In file included from drivers//ata/ahci.c:45:0:
      >> include/linux/msi.h:226:10: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
                   msi_alloc_info_t *arg);
                   ^~~~~~~~~~~~~~~~
                   sg_alloc_fn
         include/linux/msi.h:230:9: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
                  msi_alloc_info_t *arg);
                  ^~~~~~~~~~~~~~~~
                  sg_alloc_fn
         include/linux/msi.h:239:12: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
                     msi_alloc_info_t *arg);
                     ^~~~~~~~~~~~~~~~
                     sg_alloc_fn
         include/linux/msi.h:240:22: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
           void  (*msi_finish)(msi_alloc_info_t *arg, int retval);
                               ^~~~~~~~~~~~~~~~
                               sg_alloc_fn
         include/linux/msi.h:241:20: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
           void  (*set_desc)(msi_alloc_info_t *arg,
                             ^~~~~~~~~~~~~~~~
                             sg_alloc_fn
         include/linux/msi.h:316:18: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
                 int nvec, msi_alloc_info_t *args);
                           ^~~~~~~~~~~~~~~~
                           sg_alloc_fn
         include/linux/msi.h:318:29: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'?
                  int virq, int nvec, msi_alloc_info_t *args);
                                      ^~~~~~~~~~~~~~~~
                                      sg_alloc_fn
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      12be1036
      sparc: move MSI related definitions to where they are used · f0afc6b1
      Thomas Petazzoni authored
      The definitions in arch/sparc/include/asm/msi.h are only used in
      arch/sparc/mm/srmmu.c, so it makes sense to have them in the C file
      directly.
      
      In addition, having a custom arch/sparc/include/asm/msi.h prevents
      the use of the asm-generic version of this header, which is necessary
      to be able to include <linux/msi.h> when CONFIG_GENERIC_MSI_IRQ_DOMAIN
      is enabled.
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
      Acked-by: Sam Ravnborg <sam@ravnborg.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f0afc6b1
      sparc/time: Add missing __init to init_tick_ops() · 6f57ed68
      Steven Rostedt (VMware) authored
      Code that was added to force gcc not to inline any function that isn't
      explicitly declared as inline uncovered that init_tick_ops() isn't
      marked as "__init". It is only called by __init functions and more
      importantly it too calls an __init function which would require it to be
      __init as well.
      
      Link: http://lkml.kernel.org/r/201806060444.hdHcKOBy%fengguang.wu@intel.com
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      6f57ed68
      netlink: Don't shift with UB on nlk->ngroups · 61f4b237
      Dmitry Safonov authored
      On i386 nlk->ngroups might be 32 or 0. Which leads to UB, resulting in
      hang during boot.
      Check for 0 ngroups and use (unsigned long long) as a type to shift.
      
      Fixes: 7acf9d42 ("netlink: Do not subscribe to non-existent groups").
      Reported-by: kernel test robot <rong.a.chen@intel.com>
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      61f4b237
      Merge tag 'linux-can-fixes-for-4.18-20180730' of... · af87f72e
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-4.18-20180730' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2018-07-30
      
      this is a pull request of one patch for net/master.
      
      The patch by Anton Vasilyev and the Linux Driver Verification project
      fixes a memory leak in the ems_usb driver's disconnect function.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      af87f72e
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 527838d4
      Linus Torvalds authored
      Pull x86 fixes from Ingo Molnar:
       "Misc fixes:
      
         - a build race fix
      
         - a Xen entry fix
      
         - a TSC_DEADLINE quirk future-proofing fix"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/boot: Fix if_changed build flip/flop bug
        x86/entry/64: Remove %ebx handling from error_entry/exit
        x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
      527838d4
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ae3e10ab
      Linus Torvalds authored
      Pull scheduler fixes from Ingo Molnar:
       "Misc fixes:
      
         - a deadline scheduler related bug fix which triggered a kernel
           warning
      
         - an RT_RUNTIME_SHARE fix
      
         - a stop_machine preemption fix
      
         - a potential NULL dereference fix in sched_domain_debug_one()"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/rt: Restore rt_runtime after disabling RT_RUNTIME_SHARE
        sched/deadline: Update rq_clock of later_rq when pushing a task
        stop_machine: Disable preemption after queueing stopper threads
        sched/topology: Check variable group before dereferencing it
      ae3e10ab
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0634922a
      Linus Torvalds authored
      Pull perf fixes from Ingo Molnar:
       "Misc fixes:
      
         - AMD IBS data corruptor fix (uncovered by UBSAN)
      
         - an Intel PEBS entry unwind error fix
      
         - a HW-tracing crash fix
      
         - a MAINTAINERS update"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Fix crash when using HW tracing kernel filters
        perf/x86/intel: Fix unwind errors from PEBS entries (mk-II)
        MAINTAINERS: Add Naveen N. Rao as kprobes co-maintainer
        perf/x86/amd/ibs: Don't access non-started event
      0634922a
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fb20c03d
      Linus Torvalds authored
      Pull locking fixes from Ingo Molnar:
       "A paravirt UP-patching fix, and an I2C MUX driver lockdep warning fix"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/pvqspinlock/x86: Use LOCK_PREFIX in __pv_queued_spin_unlock() assembly code
        i2c/mux, locking/core: Annotate the nested rt_mutex usage
        locking/rtmutex: Allow specifying a subclass for nested locking
      fb20c03d
      Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d464b031
      Linus Torvalds authored
      Pull EFI fix from Ingo Molnar:
       "An UEFI variables fix for SEV guests"
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/efi: Access EFI MMIO data as unencrypted when SEV is active
      d464b031
      net/ipv6: fix metrics leak · df18b504
      Sabrina Dubroca authored
      Since commit d4ead6b3 ("net/ipv6: move metrics from dst to
      rt6_info"), ipv6 metrics are shared and refcounted. rt6_set_from()
      assigns the rt->from pointer and increases the refcount on from's
      metrics. This reference is never released.
      
      Introduce the fib6_metrics_release() helper and use it to release the
      metrics.
      
      Fixes: d4ead6b3 ("net/ipv6: move metrics from dst to rt6_info")
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      df18b504
      xen-netfront: wait xenbus state change when load module manually · 822fb18a
      Xiao Liang authored
      When loading module manually, after call xenbus_switch_state to initializes
      the state of the netfront device, the driver state did not change so fast
      that may lead no dev created in latest kernel. This patch adds wait to make
      sure xenbus knows the driver is not in closed/unknown state.
      
      Current state:
      [vm]# ethtool eth0
      Settings for eth0:
      	Link detected: yes
      [vm]# modprobe -r xen_netfront
      [vm]# modprobe  xen_netfront
      [vm]# ethtool eth0
      Settings for eth0:
      Cannot get device settings: No such device
      Cannot get wake-on-lan settings: No such device
      Cannot get message level: No such device
      Cannot get link status: No such device
      No data available
      
      With the patch installed.
      [vm]# ethtool eth0
      Settings for eth0:
      	Link detected: yes
      [vm]# modprobe -r xen_netfront
      [vm]# modprobe xen_netfront
      [vm]# ethtool eth0
      Settings for eth0:
      	Link detected: yes
      Signed-off-by: Xiao Liang <xiliang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      822fb18a
      virtio_balloon: fix another race between migration and ballooning · 89da619b
      Jiang Biao authored
      Kernel panic when with high memory pressure, calltrace looks like,
      
      PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
       #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
       #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
       #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
       #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
       #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
       #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
       #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
       #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
       #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
       #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
          [exception RIP: _raw_spin_lock_irqsave+47]
          RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
          RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
          RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
          RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
          R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
          R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
          ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
      
      It happens in the pagefault and results in double pagefault
      during compacting pages when memory allocation fails.
      
      Analysed the vmcore, the page leads to second pagefault is corrupted
      with _mapcount=-256, but private=0.
      
      It's caused by the race between migration and ballooning, and a
      missing lock in virtballoon_migratepage() of the virtio_balloon driver.
      This patch fixes the bug.
      
      Fixes: e2250429 ("virtio_balloon: introduce migration primitives to balloon pages")
      Cc: stable@vger.kernel.org
      Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
      Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      89da619b
      ARM: 8781/1: Fix Thumb-2 syscall return for binutils 2.29+ · afc9f65e
      Vincent Whitchurch authored
      When building the kernel as Thumb-2 with binutils 2.29 or newer, if the
      assembler has seen the .type directive (via ENDPROC()) for a symbol, it
      automatically handles the setting of the lowest bit when the symbol is
      used with ADR.  The badr macro on the other hand handles this lowest bit
      manually.  This leads to a jump to a wrong address in the wrong state
      in the syscall return path:
      
       Internal error: Oops - undefined instruction: 0 [#2] SMP THUMB2
       Modules linked in:
       CPU: 0 PID: 652 Comm: modprobe Tainted: G      D           4.18.0-rc3+ #8
       PC is at ret_fast_syscall+0x4/0x62
       LR is at sys_brk+0x109/0x128
       pc : [<80101004>]    lr : [<801c8a35>]    psr: 60000013
       Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
       Control: 50c5387d  Table: 9e82006a  DAC: 00000051
       Process modprobe (pid: 652, stack limit = 0x(ptrval))
      
       80101000 <ret_fast_syscall>:
       80101000:       b672            cpsid   i
       80101002:       f8d9 2008       ldr.w   r2, [r9, #8]
       80101006:       f1b2 4ffe       cmp.w   r2, #2130706432 ; 0x7f000000
      
       80101184 <local_restart>:
       80101184:       f8d9 a000       ldr.w   sl, [r9]
       80101188:       e92d 0030       stmdb   sp!, {r4, r5}
       8010118c:       f01a 0ff0       tst.w   sl, #240        ; 0xf0
       80101190:       d117            bne.n   801011c2 <__sys_trace>
       80101192:       46ba            mov     sl, r7
       80101194:       f5ba 7fc8       cmp.w   sl, #400        ; 0x190
       80101198:       bf28            it      cs
       8010119a:       f04f 0a00       movcs.w sl, #0
       8010119e:       f3af 8014       nop.w   {20}
       801011a2:       f2af 1ea2       subw    lr, pc, #418    ; 0x1a2
      
      To fix this, add a new symbol name which doesn't have ENDPROC used on it
      and use that with badr.  We can't remove the badr usage since that
      would cause breakage with older binutils.
      Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      afc9f65e
      can: ems_usb: Fix memory leak on ems_usb_disconnect() · 72c05f32
      Anton Vasilyev authored
      ems_usb_probe() allocates memory for dev->tx_msg_buffer, but it is
      never deallocated in ems_usb_disconnect().
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      72c05f32
  7. 29 Jul, 2018 3 commits