1. 19 Sep, 2018 7 commits
  2. 17 Sep, 2018 7 commits
  3. 14 Sep, 2018 2 commits
    • powerpc/vdso: Correct call frame information · 56d20861
      Alan Modra authored
      Call Frame Information is used by gdb for back-traces and inserting
      breakpoints on function return for the "finish" command.  This failed
      when inside __kernel_clock_gettime.  More concerning than difficulty
      debugging is that CFI is also used by stack frame unwinding code to
      implement exceptions.  If you have an app that needs to handle
      asynchronous exceptions for some reason, and you are unlucky enough to
      get one inside the VDSO time functions, your app will crash.
      
      What's wrong:  There is control flow in __kernel_clock_gettime that
      reaches label 99 without saving lr in r12.  CFI info however is
      interpreted by the unwinder without reference to control flow: It's a
      simple matter of "Execute all the CFI opcodes up to the current
      address".  That means the unwinder thinks r12 contains the return
      address at label 99.  Disabuse it of that notion by resetting CFI for
      the return address at label 99.
      
      Note that the ".cfi_restore lr" could have gone anywhere from the
      "mtlr r12" a few instructions earlier to the instruction at label 99.
      I put the CFI as late as possible, because in general that's best
      practice (and if possible grouped with other CFI in order to reduce
      the number of CFI opcodes executed when unwinding).  Using r12 as the
      return address is perfectly fine after the "mtlr r12" since r12 on
      that code path still contains the return address.
      
      __get_datapage also has a CFI error.  That function temporarily saves
      lr in r0, and reflects that fact with ".cfi_register lr,r0".  A later
      use of r0 means the CFI at that point isn't correct, as r0 no longer
      contains the return address.  Fix that too.
      Signed-off-by: Alan Modra <amodra@gmail.com>
      Tested-by: Reza Arbab <arbab@linux.ibm.com>
      Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
    • powerpc/tm: Fix HFSCR bit for no suspend case · dd9a8c5a
      Michael Neuling authored
      Currently on P9N DD2.1 we end up taking infinite TM facility
      unavailable exceptions on the first TM usage by userspace.
      
      In the special case of TM no suspend (P9N DD2.1), Linux is told TM is
      off via CPU dt-ftrs but told to (partially) use it via
      OPAL_REINIT_CPUS_TM_SUSPEND_DISABLED. So HFSCR[TM] will be off from
      dt-ftrs but we need to turn it on for the no suspend case.
      
      This patch fixes this by enabling HFSCR TM in this case.
      
      Cc: stable@vger.kernel.org # 4.15+
      Signed-off-by: Michael Neuling <mikey@neuling.org>
      Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
  4. 10 Sep, 2018 1 commit
  5. 09 Sep, 2018 7 commits
  6. 08 Sep, 2018 6 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · f8f65382
      Linus Torvalds authored
      Pull KVM fixes from Radim Krčmář:
       "ARM:
         - Fix a VFP corruption in 32-bit guest
         - Add missing cache invalidation for CoW pages
         - Two small cleanups
      
        s390:
         - Fallout from the hugetlbfs support: pfmf interpretation and locking
         - VSIE: fix keywrapping for nested guests
      
        PPC:
         - Fix a bug where pages might not get marked dirty, causing guest
           memory corruption on migration
         - Fix a bug causing reads from guest memory to use the wrong guest
           real address for very large HPT guests (>256G of memory), leading
           to failures in instruction emulation.
      
        x86:
         - Fix out of bound access from malicious pv ipi hypercalls
           (introduced in rc1)
         - Fix delivery of pending interrupts when entering a nested guest,
           preventing arbitrarily late injection
         - Sanitize kvm_stat output after destroying a guest
         - Fix infinite loop when emulating a nested guest page fault and
           improve the surrounding emulation code
         - Two minor cleanups"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
        KVM: LAPIC: Fix pv ipis out-of-bounds access
        KVM: nVMX: Fix loss of pending IRQ/NMI before entering L2
        arm64: KVM: Remove pgd_lock
        KVM: Remove obsolete kvm_unmap_hva notifier backend
        arm64: KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD
        KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW
        KVM: s390: Properly lock mm context allow_gmap_hpage_1m setting
        KVM: s390: vsie: copy wrapping keys to right place
        KVM: s390: Fix pfmf and conditional skey emulation
        tools/kvm_stat: re-animate display of dead guests
        tools/kvm_stat: indicate dead guests as such
        tools/kvm_stat: handle guest removals more gracefully
        tools/kvm_stat: don't reset stats when setting PID filter for debugfs
        tools/kvm_stat: fix updates for dead guests
        tools/kvm_stat: fix handling of invalid paths in debugfs provider
        tools/kvm_stat: fix python3 issues
        KVM: x86: Unexport x86_emulate_instruction()
        KVM: x86: Rename emulate_instruction() to kvm_emulate_instruction()
        KVM: x86: Do not re-{try,execute} after failed emulation in L2
        KVM: x86: Default to not allowing emulation retry in kvm_mmu_page_fault
        ...
    • Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 0f3aa48a
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A few more fixes that have trickled in:
      
         - MMC bus width fixup for some Allwinner platforms
      
         - Fix for NULL deref in ti-aemif when no platform data is passed in
      
         - Fix div by 0 in SCMI code
      
         - Add a missing module alias in a new RPi driver"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        memory: ti-aemif: fix a potential NULL-pointer dereference
        firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero
        hwmon: rpi: add module alias to raspberrypi-hwmon
        arm64: allwinner: dts: h6: fix Pine H64 MMC bus width
    • Merge tag 'sunxi-fixes-for-4.19' of... · a132bb90
      Olof Johansson authored
      Merge tag 'sunxi-fixes-for-4.19' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into fixes
      
      Allwinner fixes for 4.19
      
      Just one fix for H6 mmc on the Pine H64: the mmc bus width was missing
      from the device tree. This was added in 4.19-rc1.
      
      * tag 'sunxi-fixes-for-4.19' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
        arm64: allwinner: dts: h6: fix Pine H64 MMC bus width
      Signed-off-by: Olof Johansson <olof@lixom.net>
    • x86/mm: Use WRITE_ONCE() when setting PTEs · 9bc4f28a
      Nadav Amit authored
      When page-table entries are set, the compiler might optimize their
      assignment by using multiple instructions to set the PTE. This might
      turn into a security hazard if the user somehow manages to use the
      interim PTE. L1TF does not make our lives easier, making even an interim
      non-present PTE a security hazard.
      
      Using WRITE_ONCE() to set PTEs and friends should prevent this potential
      security hazard.
      
      I skimmed the differences in the binary with and without this patch. The
      differences are (obviously) greater when CONFIG_PARAVIRT=n as more
      code optimizations are possible. For better and worse, the impact on the
      binary with this patch is pretty small. Skimming the code did not cause
      anything to jump out as a security hazard, but it seems that at least
      move_soft_dirty_pte() caused set_pte_at() to use multiple writes.
      Signed-off-by: Nadav Amit <namit@vmware.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Sean Christopherson <sean.j.christopherson@intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180902181451.80520-1-namit@vmware.com
    • x86/apic/vector: Make error return value negative · 47b7360c
      Thomas Gleixner authored
      activate_managed() returns EINVAL instead of -EINVAL in case of
      error. While this is unlikely to happen, the positive return value would
      cause further malfunction at the call site.
      
      Fixes: 2db1f959 ("x86/vector: Handle managed interrupts proper")
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · d7b686eb
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
      
       - bugfixes for uniphier, i801, and xiic drivers
      
       - ID removal (never produced) for imx
      
       - one MAINTAINER addition
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: xiic: Record xilinx i2c with Zynq fragment
        i2c: xiic: Make the start and the byte count write atomic
        i2c: i801: fix DNV's SMBCTRL register offset
        i2c: imx-lpi2c: Remove mx8dv compatible entry
        dt-bindings: imx-lpi2c: Remove mx8dv compatible entry
        i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
        i2c: uniphier: issue STOP only for last message or I2C_M_STOP
  7. 07 Sep, 2018 10 commits
    • Merge tag 'arc-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 2c34a0e0
      Linus Torvalds authored
      Pull ARC updates from Vineet Gupta:
      
       - Fix for atomic_fetch_#op  [Will Deacon]
      
       - Enable per device IOC [Eugeniy Paltsev]
      
       - Remove redundant gcc version checks [Masahiro Yamada]
      
       - Misc platform config/DT updates [Alexey Brodkin]
      
      * tag 'arc-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: don't check for HIGHMEM pages in arch_dma_alloc
        ARC: IOC: panic if both IOC and ZONE_HIGHMEM enabled
        ARC: dma [IOC] Enable per device io coherency
        ARC: dma [IOC]: mark DMA devices connected as dma-coherent
        ARC: atomics: unbork atomic_fetch_##op()
        arc: remove redundant GCC version checks
        ARC: sort Kconfig
        ARC: cleanup show_faulting_vma()
        ARC: [plat-axs*]: Enable SWAP
        ARC: [plat-axs*/plat-hsdk]: Allow U-Boot to pass MAC-address to the kernel
        ARC: configs: cleanup
    • afs: Fix cell specification to permit an empty address list · ecfe951f
      David Howells authored
      Fix the cell specification mechanism to allow cells to be pre-created
      without having to specify at least one address (the addresses will be
      upcalled for).
      
      This allows the cell information preload service to avoid the need to issue
      loads of DNS lookups during boot to get the addresses for each cell (500+
      lookups for the 'standard' cell list[*]).  The lookups can be done later as
      each cell is accessed through the filesystem.
      
      Also remove the print statement that prints a line every time a new cell is
      added.
      
      [*] There are 144 cells in the list.  Each cell is first looked up for an
          SRV record, and if that fails, for an AFSDB record.  These get a list
          of server names, each of which then has to be looked up to get the
          addresses for that server.  E.g.:
      
      	dig srv _afs3-vlserver._udp.grand.central.org
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'md/4.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md · 3d0e7a9e
      Linus Torvalds authored
      Pull MD fixes from Shaohua Li:
      
       - Fix a locking issue for md-cluster (Guoqing)
      
       - Fix a sync crash for raid10 (Ni)
      
       - Fix a reshape bug with raid5 cache enabled (me)
      
      * tag 'md/4.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
        md-cluster: release RESYNC lock after the last resync message
        RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
        md/raid5-cache: disable reshape completely
    • Merge tag 'ceph-for-4.19-rc3' of https://github.com/ceph/ceph-client · a12ed06b
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "Two rbd patches to complete support for images within namespaces that
        went into -rc1 and a use-after-free fix.
      
        The rbd changes have been sitting in a branch for quite a while but
        couldn't be included into the -rc1 pull request because of a pending
        wire protocol backwards compatibility fixup that only got committed
        early this week"
      
      * tag 'ceph-for-4.19-rc3' of https://github.com/ceph/ceph-client:
        rbd: support cloning across namespaces
        rbd: factor out get_parent_info()
        ceph: avoid a use-after-free in ceph_destroy_options()
    • Merge tag 'for_v4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · d042a240
      Linus Torvalds authored
      Pull fsnotify fix from Jan Kara:
       "A small fsnotify fix from Amir"
      
      * tag 'for_v4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        fsnotify: fix ignore mask logic in fsnotify()
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 4ff8a142
      Linus Torvalds authored
      Pull arm64 fix from Will Deacon:
       "Just one small fix here, preventing a VM_WARN_ON when a !present
        PMD/PUD is "freed" as part of a huge ioremap() operation.
      
        The correct behaviour is to skip the free silently in this case, which
        is a little weird (the function is a bit of a misnomer), but it
        follows the x86 implementation"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: fix erroneous warnings in page freeing functions
    • Merge tag 'acpi-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 53937340
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix a regression from the 4.18 cycle in the ACPI driver for
        Intel SoCs (LPSS) and prevent dmi_check_system() from being called on
        non-x86 systems in the ACPI core.
      
        Specifics:
      
         - Fix a power management regression in the ACPI driver for Intel SoCs
           (LPSS) introduced by a system-wide suspend/resume fix during the
           4.18 cycle (Zhang Rui).
      
         - Prevent dmi_check_system() from being called on non-x86 systems in
           the ACPI core (Jean Delvare)"
      
      * tag 'acpi-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / LPSS: Force LPSS quirks on boot
        ACPI / bus: Only call dmi_check_system() on X86
    • Merge tag 'sound-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 69ddce94
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Just a few small fixes:
      
         - a fix for the recursive work cancellation in a specific HD-audio
           operation mode
      
         - a fix for potentially uninitialized memory access via rawmidi
      
         - the register bit access fixes for ASoC HD-audio"
      
      * tag 'sound-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda: Fix several mismatch for register mask and value
        ALSA: rawmidi: Initialize allocated buffers
        ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
    • KVM: LAPIC: Fix pv ipis out-of-bounds access · bdf7ffc8
      Wanpeng Li authored
      Dan Carpenter reported that the untrusted data returned from kvm_register_read()
      results in the following static checker warning:
        arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi()
        error: buffer underflow 'map->phys_map' 's32min-s32max'
      
      KVM guest can easily trigger this by executing the following assembly sequence
      in Ring0:
      
      mov $10, %rax
      mov $0xFFFFFFFF, %rbx
      mov $0xFFFFFFFF, %rdx
      mov $0, %rsi
      vmcall
      
      As this will cause KVM to execute the following code-path:
      vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()
      which will reach an out-of-bounds access.
      
      This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id,
      ignoring destinations that are not present and delivering the rest. We also check
      whether or not map->phys_map[min + i] is NULL since the max_apic_id is set to the
      max apic id, some phys_map may be NULL when apic id is sparse, especially kvm
      unconditionally sets max_apic_id to 255 to reserve enough space for any xAPIC ID.
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Liran Alon <liran.alon@oracle.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Liran Alon <liran.alon@oracle.com>
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
      [Add second "if (min > map->max_apic_id)" to complete the fix. -Radim]
      Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
    • KVM: nVMX: Fix loss of pending IRQ/NMI before entering L2 · b5861e5c
      Liran Alon authored
      Consider the case L1 had an IRQ/NMI event until it executed
      VMLAUNCH/VMRESUME which wasn't delivered because it was disallowed
      (e.g. interrupts disabled). When L1 executes VMLAUNCH/VMRESUME,
      L0 needs to evaluate if this pending event should cause an exit from
      L2 to L1 or be delivered directly to L2 (e.g. in case L1 doesn't intercept
      EXTERNAL_INTERRUPT).
      
      Usually this would be handled by L0 requesting an IRQ/NMI window
      by setting VMCS accordingly. However, this setting was done on
      VMCS01 and now VMCS02 is active instead. Thus, when L1 executes
      VMLAUNCH/VMRESUME we force L0 to perform pending event evaluation by
      requesting a KVM_REQ_EVENT.
      
      Note that the above scenario exists when L1 KVM is about to enter L2 but
      requests an "immediate-exit". As in this case, L1 will
      disable-interrupts and then send a self-IPI before entering L2.
      Reviewed-by: Nikita Leshchenko <nikita.leshchenko@oracle.com>
      Co-developed-by: Sean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: Liran Alon <liran.alon@oracle.com>
      Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>