- 15 Jun, 2017 1 commit
-
-
Paul Mackerras authored
This restores several special-purpose registers (SPRs) to sane values on guest exit that were missed before. TAR and VRSAVE are readable and writable by userspace, and we need to save and restore them to prevent the guest from potentially affecting userspace execution (not that TAR or VRSAVE are used by any known program that run uses the KVM_RUN ioctl). We save/restore these in kvmppc_vcpu_run_hv() rather than on every guest entry/exit. FSCR affects userspace execution in that it can prohibit access to certain facilities by userspace. We restore it to the normal value for the task on exit from the KVM_RUN ioctl. IAMR is normally 0, and is restored to 0 on guest exit. However, with a radix host on POWER9, it is set to a value that prevents the kernel from executing user-accessible memory. On POWER9, we save IAMR on guest entry and restore it on guest exit to the saved value rather than 0. On POWER8 we continue to set it to 0 on guest exit. PSPB is normally 0. We restore it to 0 on guest exit to prevent userspace taking advantage of the guest having set it non-zero (which would allow userspace to set its SMT priority to high). UAMOR is normally 0. We restore it to 0 on guest exit to prevent the AMR from being used as a covert channel between userspace processes, since the AMR is not context-switched at present. Fixes: b005255e ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08) Cc: stable@vger.kernel.org # v3.14+ Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
- 13 Jun, 2017 1 commit
-
-
Paul Mackerras authored
This adds code to save the values of three SPRs (special-purpose registers) used by userspace to control event-based branches (EBBs), which are essentially interrupts that get delivered directly to userspace. These registers are loaded up with guest values when entering the guest, and their values are saved when exiting the guest, but we were not saving the host values and restoring them before going back to userspace. On POWER8 this would only affect userspace programs which explicitly request the use of EBBs and also use the KVM_RUN ioctl, since the only source of EBBs on POWER8 is the PMU, and there is an explicit enable bit in the PMU registers (and those PMU registers do get properly context-switched between host and guest). On POWER9 there is provision for externally-generated EBBs, and these are not subject to the control in the PMU registers. Since these registers only affect userspace, we can save them when we first come in from userspace and restore them before returning to userspace, rather than saving/restoring the host values on every guest entry/exit. Similarly, we don't need to worry about their values on offline secondary threads since they execute in the context of the idle task, which never executes in userspace. Fixes: b005255e ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08) Cc: stable@vger.kernel.org # v3.14+ Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
- 29 May, 2017 1 commit
-
-
Paul Mackerras authored
POWER9 introduces a new mode for the decrementer register, called large decrementer mode, in which the decrementer counter is 56 bits wide rather than 32, and reads are sign-extended rather than zero-extended. For the decrementer, this new mode is optional and controlled by a bit in the LPCR. The hypervisor decrementer (HDEC) is 56 bits wide on POWER9 and has no mode control. Since KVM code reads and writes the decrementer and hypervisor decrementer registers in a few places, it needs to be aware of the need to treat the decrementer value as a 64-bit quantity, and only do a 32-bit sign extension when large decrementer mode is not in effect. Similarly, the HDEC should always be treated as a 64-bit quantity on POWER9. We define a new EXTEND_HDEC macro to encapsulate the feature test for POWER9 and the sign extension. To enable the sign extension to be removed in large decrementer mode, we test the LPCR_LD bit in the host LPCR image stored in the struct kvm for the guest. If is set then large decrementer mode is enabled and the sign extension should be skipped. This is partly based on an earlier patch by Oliver O'Halloran. Cc: stable@vger.kernel.org # v4.10+ Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
- 22 May, 2017 2 commits
-
-
Linus Torvalds authored
-
Linus Torvalds authored
The code to fetch a 64-bit value from user space was entirely buggered, and has been since the code was merged in early 2016 in commit b2f68038 ("x86/mm/32: Add support for 64-bit __get_user() on 32-bit kernels"). Happily the buggered routine is almost certainly entirely unused, since the normal way to access user space memory is just with the non-inlined "get_user()", and the inlined version didn't even historically exist. The normal "get_user()" case is handled by external hand-written asm in arch/x86/lib/getuser.S that doesn't have either of these issues. There were two independent bugs in __get_user_asm_u64(): - it still did the STAC/CLAC user space access marking, even though that is now done by the wrapper macros, see commit 11f1a4b9 ("x86: reorganize SMAP handling in user space accesses"). This didn't result in a semantic error, it just means that the inlined optimized version was hugely less efficient than the allegedly slower standard version, since the CLAC/STAC overhead is quite high on modern Intel CPU's. - the double register %eax/%edx was marked as an output, but the %eax part of it was touched early in the asm, and could thus clobber other inputs to the asm that gcc didn't expect it to touch. In particular, that meant that the generated code could look like this: mov (%eax),%eax mov 0x4(%eax),%edx where the load of %edx obviously was _supposed_ to be from the 32-bit word that followed the source of %eax, but because %eax was overwritten by the first instruction, the source of %edx was basically random garbage. The fixes are trivial: remove the extraneous STAC/CLAC entries, and mark the 64-bit output as early-clobber to let gcc know that no inputs should alias with the output register. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Benjamin LaHaise <bcrl@kvack.org> Cc: Ingo Molnar <mingo@kernel.org> Cc: stable@kernel.org # v4.8+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 21 May, 2017 7 commits
-
-
Linus Torvalds authored
Al noticed that unsafe_put_user() had type problems, and fixed them in commit a7cc722f ("fix unsafe_put_user()"), which made me look more at those functions. It turns out that unsafe_get_user() had a type issue too: it limited the largest size of the type it could handle to "unsigned long". Which is fine with the current users, but doesn't match our existing normal get_user() semantics, which can also handle "u64" even when that does not fit in a long. While at it, also clean up the type cast in unsafe_put_user(). We actually want to just make it an assignment to the expected type of the pointer, because we actually do want warnings from types that don't convert silently. And it makes the code more readable by not having that one very long and complex line. [ This patch might become stable material if we ever end up back-porting any new users of the unsafe uaccess code, but as things stand now this doesn't matter for any current existing uses. ] Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfsLinus Torvalds authored
Pull misc uaccess fixes from Al Viro: "Fix for unsafe_put_user() (no callers currently in mainline, but anyone starting to use it will step into that) + alpha osf_wait4() infoleak fix" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: osf_wait4(): fix infoleak fix unsafe_put_user()
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull scheduler fix from Thomas Gleixner: "A single scheduler fix: Prevent idle task from ever being preempted. That makes sure that synchronize_rcu_tasks() which is ignoring idle task does not pretend that no task is stuck in preempted state. If that happens and idle was preempted on a ftrace trampoline the machine crashes due to inconsistent state" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/core: Call __schedule() from do_idle() without enabling preemption
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull irq fixes from Thomas Gleixner: "A set of small fixes for the irq subsystem: - Cure a data ordering problem with chained interrupts - Three small fixlets for the mbigen irq chip" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: genirq: Fix chained interrupt data ordering irqchip/mbigen: Fix the clear register offset calculation irqchip/mbigen: Fix potential NULL dereferencing irqchip/mbigen: Fix memory mapping code
-
Al Viro authored
failing sys_wait4() won't fill struct rusage... Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
__put_user_size() relies upon its first argument having the same type as what the second one points to; the only other user makes sure of that and unsafe_put_user() should do the same. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-traceLinus Torvalds authored
Pull tracing fixes from Steven Rostedt: - Fix a bug caused by not cleaning up the new instance unique triggers when deleting an instance. It also creates a selftest that triggers that bug. - Fix the delayed optimization happening after kprobes boot up self tests being removed by freeing of init memory. - Comment kprobes on why the delay optimization is not a problem for removal of modules, to keep other developers from searching that riddle. - Fix another case of rcu not watching in stack trace tracing. * tag 'trace-v4.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing: Make sure RCU is watching before calling a stack trace kprobes: Document how optimized kprobes are removed from module unload selftests/ftrace: Add test to remove instance with active event triggers selftests/ftrace: Fix bashisms ftrace: Remove #ifdef from code and add clear_ftrace_function_probes() stub ftrace/instances: Clear function triggers when removing instances ftrace: Simplify glob handling in unregister_ftrace_function_probe_func() tracing/kprobes: Enforce kprobes teardown after testing tracing: Move postpone selftests to core from early_initcall
-
- 20 May, 2017 16 commits
-
-
git://git.kernel.dk/linux-blockLinus Torvalds authored
Pull block fixes from Jens Axboe: "A small collection of fixes that should go into this cycle. - a pull request from Christoph for NVMe, which ended up being manually applied to avoid pulling in newer bits in master. Mostly fibre channel fixes from James, but also a few fixes from Jon and Vijay - a pull request from Konrad, with just a single fix for xen-blkback from Gustavo. - a fuseblk bdi fix from Jan, fixing a regression in this series with the dynamic backing devices. - a blktrace fix from Shaohua, replacing sscanf() with kstrtoull(). - a request leak fix for drbd from Lars, fixing a regression in the last series with the kref changes. This will go to stable as well" * 'for-linus' of git://git.kernel.dk/linux-block: nvmet: release the sq ref on rdma read errors nvmet-fc: remove target cpu scheduling flag nvme-fc: stop queues on error detection nvme-fc: require target or discovery role for fc-nvme targets nvme-fc: correct port role bits nvme: unmap CMB and remove sysfs file in reset path blktrace: fix integer parse fuseblk: Fix warning in super_setup_bdi_name() block: xen-blkback: add null check to avoid null pointer dereference drbd: fix request leak introduced by locking/atomic, kref: Kill kref_sub()
-
Vijay Immanuel authored
On rdma read errors, release the sq ref that was taken when the req was initialized. This avoids a hang in nvmet_sq_destroy() when the queue is being freed. Signed-off-by: Vijay Immanuel <vijayi@attalasystems.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>
-
James Smart authored
Remove NVMET_FCTGTFEAT_NEEDS_CMD_CPUSCHED. It's unnecessary. Signed-off-by: James Smart <james.smart@broadcom.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>
-
James Smart authored
Per the recommendation by Sagi on: http://lists.infradead.org/pipermail/linux-nvme/2017-April/009261.html Rather than waiting for reset work thread to stop queues and abort the ios, immediately stop the queues on error detection. Reset thread will restop the queues (as it's called on other paths), but it does not appear to have a side effect. Signed-off-by: James Smart <james.smart@broadcom.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>
-
James Smart authored
In order to create an association, the remoteport must be serving either a target role or a discovery role. Signed-off-by: James Smart <james.smart@broadcom.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>
-
James Smart authored
FC Port roles is a bit mask, not individual values. Correct nvme definitions to unique bits. Signed-off-by: James Smart <james.smart@broadcom.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>
-
Jon Derrick authored
CMB doesn't get unmapped until removal while getting remapped on every reset. Add the unmapping and sysfs file removal to the reset path in nvme_pci_disable to match the mapping path in nvme_pci_enable. Fixes: 202021c1 ("nvme : Add sysfs entry for NVMe CMBs when appropriate") Signed-off-by: Jon Derrick <jonathan.derrick@intel.com> Acked-by: Keith Busch <keith.busch@intel.com> Reviewed-By: Stephen Bates <sbates@raithlin.com> Cc: <stable@vger.kernel.org> # 4.9+ Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Jens Axboe <axboe@fb.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/stagingLinus Torvalds authored
Pull staging driver fixes from Greg KH: "Here are a number of staging driver fixes for 4.12-rc2 Most of them are typec driver fixes found by reviewers and users of the code. There are also some removals of files no longer needed in the tree due to the ion driver rewrite in 4.12-rc1, as well as some wifi driver fixes. And to round it out, a MAINTAINERS file update. All have been in linux-next with no reported issues" * tag 'staging-4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (22 commits) MAINTAINERS: greybus-dev list is members-only staging: fsl-dpaa2/eth: add ETHERNET dependency staging: typec: fusb302: refactor resume retry mechanism staging: typec: fusb302: reset i2c_busy state in error staging: rtl8723bs: remove re-positioned call to kfree in os_dep/ioctl_cfg80211.c staging: rtl8192e: GetTs Fix invalid TID 7 warning. staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD. staging: rtl8192e: fix 2 byte alignment of register BSSIDR. staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory. staging: vc04_services: Fix bulk cache maintenance staging: ccree: remove extraneous spin_unlock_bh() in error handler staging: typec: Fix sparse warnings about incorrect types staging: typec: fusb302: do not free gpio from managed resource staging: typec: tcpm: Fix Port Power Role field in PS_RDY messages staging: typec: tcpm: Respond to Discover Identity commands staging: typec: tcpm: Set correct flags in PD request messages staging: typec: tcpm: Drop duplicate PD messages staging: typec: fusb302: Fix chip->vbus_present init value staging: typec: fusb302: Fix module autoload staging: typec: tcpci: declare private structure as static ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbLinus Torvalds authored
Pull USB fixes from Greg KH: "Here are a number of small USB fixes for 4.12-rc2 Most of them come from Johan, in his valiant quest to fix up all drivers that could be affected by "malicious" USB devices. There's also some fixes for more "obscure" drivers to handle some of the vmalloc stack fallout (which for USB drivers, was always the case, but very few people actually ran those systems...) Other than that, the normal set of xhci and gadget and musb driver fixes as well. All have been in linux-next with no reported issues" * tag 'usb-4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (42 commits) usb: musb: tusb6010_omap: Do not reset the other direction's packet size usb: musb: Fix trying to suspend while active for OTG configurations usb: host: xhci-plat: propagate return value of platform_get_irq() xhci: Fix command ring stop regression in 4.11 xhci: remove GFP_DMA flag from allocation USB: xhci: fix lock-inversion problem usb: host: xhci-ring: don't need to clear interrupt pending for MSI enabled hcd usb: host: xhci-mem: allocate zeroed Scratchpad Buffer xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton usb: xhci: trace URB before giving it back instead of after USB: serial: qcserial: add more Lenovo EM74xx device IDs USB: host: xhci: use max-port define USB: hub: fix SS max number of ports USB: hub: fix non-SS hub-descriptor handling USB: hub: fix SS hub-descriptor handling USB: usbip: fix nonconforming hub descriptor USB: gadget: dummy_hcd: fix hub-descriptor removable fields doc-rst: fixed kernel-doc directives in usb/typec.rst USB: core: of: document reference taken by companion helper USB: ehci-platform: fix companion-device leak ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-miscLinus Torvalds authored
Pull char/misc driver fixes from Greg KH: "Here are five small bugfixes for reported issues with 4.12-rc1 and earlier kernels. Nothing huge here, just a lp, mem, vpd, and uio driver fix, along with a Kconfig fixup for one of the misc drivers. All of these have been in linux-next with no reported issues" * tag 'char-misc-4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: firmware: Google VPD: Fix memory allocation error handling drivers: char: mem: Check for address space wraparound with mmap() uio: fix incorrect memory leak cleanup misc: pci_endpoint_test: select CRC32 char: lp: fix possible integer overflow in lp_setup()
-
git://www.linux-watchdog.org/linux-watchdogLinus Torvalds authored
Pull watchdog fixes from Wim Van Sebroeck: - orion_wdt compile-test dependencies - sama5d4_wdt: WDDIS handling and a race confition - pcwd_usb: fix NULL-deref at probe - cadence_wdt: fix timeout setting - wdt_pci: fix build error if SOFTWARE_REBOOT is defined - iTCO_wdt: all versions count down twice - zx2967: remove redundant dev_err call in zx2967_wdt_probe() - bcm281xx: Fix use of uninitialized spinlock * git://www.linux-watchdog.org/linux-watchdog: watchdog: bcm281xx: Fix use of uninitialized spinlock. watchdog: zx2967: remove redundant dev_err call in zx2967_wdt_probe() iTCO_wdt: all versions count down twice watchdog: wdt_pci: fix build error if define SOFTWARE_REBOOT watchdog: cadence_wdt: fix timeout setting watchdog: pcwd_usb: fix NULL-deref at probe watchdog: sama5d4: fix race condition watchdog: sama5d4: fix WDDIS handling watchdog: orion: fix compile-test dependencies
-
git://people.freedesktop.org/~airlied/linuxLinus Torvalds authored
Pull drm fixes from Dave Airlie: "Mostly nouveau and i915, fairly quiet as usual for rc2" * tag 'drm-fixes-for-v4.12-rc2' of git://people.freedesktop.org/~airlied/linux: drm/atmel-hlcdc: Fix output initialization gpu: host1x: select IOMMU_IOVA drm/nouveau/fifo/gk104-: Silence a locking warning drm/nouveau/secboot: plug memory leak in ls_ucode_img_load_gr() error path drm/nouveau: Fix drm poll_helper handling drm/i915: don't do allocate_va_range again on PIN_UPDATE drm/i915: Fix rawclk readout for g4x drm/i915: Fix runtime PM for LPE audio drm/i915/glk: Fix DSI "*ERROR* ULPS is still active" messages drm/i915/gvt: avoid unnecessary vgpu switch drm/i915/gvt: not to restore in-context mmio drm/etnaviv: don't put fence in case of submit failure drm/i915/gvt: fix typo: "supporte" -> "support" drm: hdlcd: Fix the calculation of the scanout start address
-
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsiLinus Torvalds authored
Pull SCSI fixes from James Bottomley: "This is the first sweep of mostly minor fixes. There's one security one: the read past the end of a buffer in qedf, and a panic fix for lpfc SLI-3 adapters, but the rest are a set of include and build dependency tidy ups and assorted other small fixes and updates" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: pmcraid: remove redundant check to see if request_size is less than zero scsi: lpfc: ensure els_wq is being checked before destroying it scsi: cxlflash: Select IRQ_POLL scsi: qedf: Avoid reading past end of buffer scsi: qedf: Cleanup the type of io_log->op scsi: lpfc: double lock typo in lpfc_ns_rsp() scsi: qedf: properly update arguments position in function call scsi: scsi_lib: Add #include <scsi/scsi_transport.h> scsi: MAINTAINERS: update OSD entries scsi: Skip deleted devices in __scsi_device_lookup scsi: lpfc: Fix panic on BFS configuration scsi: libfc: do not flood console with messages 'libfc: queue full ...'
-
git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimmLinus Torvalds authored
Pull libnvdimm fixes from Dan Williams: "A couple of compile fixes. With the removal of the ->direct_access() method from block_device_operations in favor of a new dax_device + dax_operations we broke two configurations. The CONFIG_BLOCK=n case is fixed by compiling out the block+dax helpers in the dax core. Configurations with FS_DAX=n EXT4=y / XFS=y and DAX=m fail due to the helpers the builtin filesystem needs being in a module, so we stub out the helpers in the FS_DAX=n case." * 'libnvdimm-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: dax, xfs, ext4: compile out iomap-dax paths in the FS_DAX=n case dax: fix false CONFIG_BLOCK dependency
-
git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linuxLinus Torvalds authored
Pull i2c fix from Wolfram Sang: "A regression fix for I2C that would be great to have in rc2" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: designware: don't infer timings described by ACPI from clock rate
-
git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommuLinus Torvalds authored
Pull IOMMU fixes from Joerg Roedel: - another compile-fix as a fallout of the recent header-file cleanup - add a missing IO/TLB flush to the Intel VT-d kdump code path - a fix for ARM64 dma code to only access initialized iova_domain members * tag 'iommu-fixes-v4.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/mediatek: Include linux/dma-mapping.h iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings iommu/dma: Don't touch invalid iova_domain members
-
- 19 May, 2017 12 commits
-
-
git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds authored
Pull KVM fixes from Radim Krčmář: "ARM: - a fix for a build failure introduced in -rc1 when tracepoints are enabled on 32-bit ARM. - disable use of stack pointer protection in the hyp code which can cause panics. - a handful of VGIC fixes. - a fix to the init of the redistributors on GICv3 systems that prevented boot with kvmtool on GICv3 systems introduced in -rc1. - a number of race conditions fixed in our MMU handling code. - a fix for the guest being able to program the debug extensions for the host on the 32-bit side. PPC: - fixes for build failures with PR KVM configurations. - a fix for a host crash that can occur on POWER9 with radix guests. x86: - fixes for nested PML and nested EPT. - a fix for crashes caused by reserved bits in SSE MXCSR that could have been set by userspace. - an optimization of halt polling that fixes high CPU overhead. - fixes for four reports from Dan Carpenter's static checker. - a protection around code that shouldn't have been preemptible. - a fix for port IO emulation" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (27 commits) KVM: x86: prevent uninitialized variable warning in check_svme() KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh() KVM: x86: zero base3 of unusable segments KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation KVM: x86: Fix potential preemption when get the current kvmclock timestamp KVM: Silence underflow warning in avic_get_physical_id_entry() KVM: arm/arm64: Hold slots_lock when unregistering kvm io bus devices KVM: arm/arm64: Fix bug when registering redist iodevs KVM: x86: lower default for halt_poll_ns kvm: arm/arm64: Fix use after free of stage2 page table kvm: arm/arm64: Force reading uncached stage2 PGD KVM: nVMX: fix EPT permissions as reported in exit qualification KVM: VMX: Don't enable EPT A/D feature if EPT feature is disabled KVM: x86: Fix load damaged SSEx MXCSR register kvm: nVMX: off by one in vmx_write_pml_buffer() KVM: arm: rename pm_fake handler to trap_raz_wi KVM: arm: plug potential guest hardware debug leakage kvm: arm/arm64: Fix race in resetting stage2 PGD KVM: arm/arm64: vgic-v3: Use PREbits to infer the number of ICH_APxRn_EL2 registers KVM: arm/arm64: vgic-v3: Do not use Active+Pending state for a HW interrupt ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tipLinus Torvalds authored
Pull xen fixes from Juergen Gross: "Some fixes for the new Xen 9pfs frontend and some minor cleanups" * tag 'for-linus-4.12b-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen: make xen_flush_tlb_all() static xen: cleanup pvh leftovers from pv-only sources xen/9pfs: p9_trans_xen_init and p9_trans_xen_exit can be static xen/9pfs: fix return value check in xen_9pfs_front_probe()
-
git://git.kernel.org/pub/scm/linux/kernel/git/robh/linuxLinus Torvalds authored
Pull DeviceTree fixes from Rob Herring: - fix missing allocation failure handling in fdt code - fix dtc compile error on 32-bit hosts - revert bad sparse changes causing GCC7 warnings * tag 'devicetree-fixes-for-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: of: fdt: add missing allocation-failure check dtc: check.c fix compile error Partially Revert "of: fix sparse warnings in fdt, irq, reserved mem, and resolver code"
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-socLinus Torvalds authored
Pull ARM SoC fixes from Olof Johansson: "We had a small batch of fixes before -rc1, but here is a larger one. It contains a backmerge of 4.12-rc1 since some of the downstream branches we merge had that as base; at the same time we already had merged contents before -rc1 and rebase wasn't the right solution. A mix of random smaller fixes and a few things worth pointing out: - We've started telling people to avoid cross-tree shared branches if all they're doing is picking up one or two DT-used constants from a shared include file, and instead to use the numeric values on first submission. Follow-up moving over to symbolic names are sent in right after -rc1, i.e. here. It's only a few minor patches of this type. - Linus Walleij and others are resurrecting the 'Gemini' platform, and wanted a cut-down platform-specific defconfig for it. So I picked that up for them. - Rob Herring ran 'savedefconfig' on arm64, it's a bit churny but it helps people to prepare patches since it's a pain when defconfig and current savedefconfig contents differs too much. - Devicetree additions for some pinctrl drivers for Armada that were merged this window. I'd have preferred to see those earlier but it's not a huge deail. The biggest change worth pointing out though since it's touching other parts of the tree: We added prefixes to be used when cross-including DT contents between arm64 and arm, allowing someone to #include <arm/foo.dtsi> from arm64, and likewise. As part of that, we needed arm/foo.dtsi to work on arm as well. The way I suggested this to Heiko resulted in a recursive symlink. Instead, I've now moved it out of arch/*/boot/dts/include, into a shared location under scripts/dtc. While I was at it, I consolidated so all architectures now behave the same way in this manner. Rob Herring (DT maintainer) has acked it. I cc:d most other arch maintainers but nobody seems to care much; it doesn't really affect them since functionality is unchanged for them by default" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (29 commits) arm64: dts: rockchip: fix include reference firmware: ti_sci: fix strncat length check ARM: remove duplicate 'const' annotations' arm64: defconfig: enable options needed for QCom DB410c board arm64: defconfig: sync with savedefconfig ARM: configs: add a gemini defconfig devicetree: Move include prefixes from arch to separate directory ARM: dts: dra7: Reduce cpu thermal shutdown temperature memory: omap-gpmc: Fix debug output for access width ARM: dts: LogicPD Torpedo: Fix camera pin mux ARM: dts: omap4: enable CEC pin for Pandaboard A4 and ES ARM: dts: gta04: fix polarity of clocks for mcbsp4 ARM: dts: dra7: Add power hold and power controller properties to palmas soc: imx: add PM dependency for IMX7_PM_DOMAINS ARM: dts: imx6sx-sdb: Remove OPP override ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin soc: bcm: brcmstb: Correctly match 7435 SoC tee: add ARM_SMCCC dependency ARM: omap2+: make omap4_get_cpu1_ns_pa_addr declaration usable ARM64: dts: mediatek: configure some fixed mmc parameters ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linuxLinus Torvalds authored
Pull arm64 fixes/cleanups from Catalin Marinas: - Avoid taking a mutex in the secondary CPU bring-up path when interrupts are disabled - Ignore perf exclude_hv when the kernel is running in Hyp mode - Remove redundant instruction in cmpxchg * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64/cpufeature: don't use mutex in bringup path arm64: perf: Ignore exclude_hv when kernel is running in HYP arm64: Remove redundant mov from LL/SC cmpxchg
-
git://linux-arm.org/linux-ldDave Airlie authored
single hdlcd fix * 'for-upstream/hdlcd' of git://linux-arm.org/linux-ld: drm: hdlcd: Fix the calculation of the scanout start address
-
git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linuxLinus Torvalds authored
Pull powerpc fixes from Michael Ellerman: "The headliner is a fix for FP/VMX register corruption when using transactional memory, and a new selftest to go with it. Then there's the virt_addr_valid() fix, currently HARDENDED_USERCOPY is tripping on that causing some machines to crash. A few other fairly minor fixes for long tail things, and a couple of fixes for code we just merged. Thanks to: Breno Leitao, Gautham Shenoy, Michael Neuling, Naveen Rao. Nicholas Piggin, Paul Mackerras" * tag 'powerpc-4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash powerpc/mm: Fix crash in page table dump with huge pages powerpc/kprobes: Fix handling of instruction emulation on probe re-entry powerpc/powernv: Set NAPSTATELOST after recovering paca on P9 DD1 selftests/powerpc: Test TM and VMX register state powerpc/tm: Fix FP and VMX register corruption powerpc/modules: If mprofile-kernel is enabled add it to vermagic
-
Radim Krčmář authored
get_msr() of MSR_EFER is currently always going to succeed, but static checker doesn't see that far. Don't complicate stuff and just use 0 for the fallback -- it means that the feature is not present. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-
Radim Krčmář authored
Static analysis noticed that pmu->nr_arch_gp_counters can be 32 (INTEL_PMC_MAX_GENERIC) and therefore cannot be used to shift 'int'. I didn't add BUILD_BUG_ON for it as we have a better checker. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Fixes: 25462f7f ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch") Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-
Radim Krčmář authored
Static checker noticed that base3 could be used uninitialized if the segment was not present (useable). Random stack values probably would not pass VMCS entry checks. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Fixes: 1aa36616 ("KVM: x86 emulator: consolidate segment accessors") Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-
Wanpeng Li authored
Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation. - "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only, a read should be ignored) in guest can get a random number. - "rep insb" instruction to access PIT register port 0x43 can control memcpy() in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes, which will disclose the unimportant kernel memory in host but no crash. The similar test program below can reproduce the read out-of-bounds vulnerability: void hexdump(void *mem, unsigned int len) { unsigned int i, j; for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++) { /* print offset */ if(i % HEXDUMP_COLS == 0) { printf("0x%06x: ", i); } /* print hex data */ if(i < len) { printf("%02x ", 0xFF & ((char*)mem)[i]); } else /* end of block, just aligning for ASCII dump */ { printf(" "); } /* print ASCII dump */ if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) { for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) { if(j >= len) /* end of block, not really printing */ { putchar(' '); } else if(isprint(((char*)mem)[j])) /* printable char */ { putchar(0xFF & ((char*)mem)[j]); } else /* other char */ { putchar('.'); } } putchar('\n'); } } } int main(void) { int i; if (iopl(3)) { err(1, "set iopl unsuccessfully\n"); return -1; } static char buf[0x40]; /* test ioport 0x40,0x41,0x42,0x43,0x44,0x45 */ memset(buf, 0xab, sizeof(buf)); asm volatile("push %rdi;"); asm volatile("mov %0, %%rdi;"::"q"(buf)); asm volatile ("mov $0x40, %rdx;"); asm volatile ("in %dx,%al;"); asm volatile ("stosb;"); asm volatile ("mov $0x41, %rdx;"); asm volatile ("in %dx,%al;"); asm volatile ("stosb;"); asm volatile ("mov $0x42, %rdx;"); asm volatile ("in %dx,%al;"); asm volatile ("stosb;"); asm volatile ("mov $0x43, %rdx;"); asm volatile ("in %dx,%al;"); asm volatile ("stosb;"); asm volatile ("mov $0x44, %rdx;"); asm volatile ("in %dx,%al;"); asm volatile ("stosb;"); asm volatile ("mov $0x45, %rdx;"); asm volatile ("in %dx,%al;"); asm volatile ("stosb;"); asm volatile ("pop %rdi;"); hexdump(buf, 0x40); printf("\n"); /* ins port 0x40 */ memset(buf, 0xab, sizeof(buf)); asm volatile("push %rdi;"); asm volatile("mov %0, %%rdi;"::"q"(buf)); asm volatile ("mov $0x20, %rcx;"); asm volatile ("mov $0x40, %rdx;"); asm volatile ("rep insb;"); asm volatile ("pop %rdi;"); hexdump(buf, 0x40); printf("\n"); /* ins port 0x43 */ memset(buf, 0xab, sizeof(buf)); asm volatile("push %rdi;"); asm volatile("mov %0, %%rdi;"::"q"(buf)); asm volatile ("mov $0x20, %rcx;"); asm volatile ("mov $0x43, %rdx;"); asm volatile ("rep insb;"); asm volatile ("pop %rdi;"); hexdump(buf, 0x40); printf("\n"); return 0; } The vcpu->arch.pio_data buffer is used by both in/out instrutions emulation w/o clear after using which results in some random datas are left over in the buffer. Guest reads port 0x43 will be ignored since it is write only, however, the function kernel_pio() can't distigush this ignore from successfully reads data from device's ioport. There is no new data fill the buffer from port 0x43, however, emulator_pio_in_emulated() will copy the stale data in the buffer to the guest unconditionally. This patch fixes it by clearing the buffer before in instruction emulation to avoid to grant guest the stale data in the buffer. In addition, string I/O is not supported for in kernel device. So there is no iteration to read ioport %RCX times for string I/O. The function kernel_pio() just reads one round, and then copy the io size * %RCX to the guest unconditionally, actually it copies the one round ioport data w/ other random datas which are left over in the vcpu->arch.pio_data buffer to the guest. This patch fixes it by introducing the string I/O support for in kernel device in order to grant the right ioport datas to the guest. Before the patch: 0x000000: fe 38 93 93 ff ff ab ab .8...... 0x000008: ab ab ab ab ab ab ab ab ........ 0x000010: ab ab ab ab ab ab ab ab ........ 0x000018: ab ab ab ab ab ab ab ab ........ 0x000020: ab ab ab ab ab ab ab ab ........ 0x000028: ab ab ab ab ab ab ab ab ........ 0x000030: ab ab ab ab ab ab ab ab ........ 0x000038: ab ab ab ab ab ab ab ab ........ 0x000000: f6 00 00 00 00 00 00 00 ........ 0x000008: 00 00 00 00 00 00 00 00 ........ 0x000010: 00 00 00 00 4d 51 30 30 ....MQ00 0x000018: 30 30 20 33 20 20 20 20 00 3 0x000020: ab ab ab ab ab ab ab ab ........ 0x000028: ab ab ab ab ab ab ab ab ........ 0x000030: ab ab ab ab ab ab ab ab ........ 0x000038: ab ab ab ab ab ab ab ab ........ 0x000000: f6 00 00 00 00 00 00 00 ........ 0x000008: 00 00 00 00 00 00 00 00 ........ 0x000010: 00 00 00 00 4d 51 30 30 ....MQ00 0x000018: 30 30 20 33 20 20 20 20 00 3 0x000020: ab ab ab ab ab ab ab ab ........ 0x000028: ab ab ab ab ab ab ab ab ........ 0x000030: ab ab ab ab ab ab ab ab ........ 0x000038: ab ab ab ab ab ab ab ab ........ After the patch: 0x000000: 1e 02 f8 00 ff ff ab ab ........ 0x000008: ab ab ab ab ab ab ab ab ........ 0x000010: ab ab ab ab ab ab ab ab ........ 0x000018: ab ab ab ab ab ab ab ab ........ 0x000020: ab ab ab ab ab ab ab ab ........ 0x000028: ab ab ab ab ab ab ab ab ........ 0x000030: ab ab ab ab ab ab ab ab ........ 0x000038: ab ab ab ab ab ab ab ab ........ 0x000000: d2 e2 d2 df d2 db d2 d7 ........ 0x000008: d2 d3 d2 cf d2 cb d2 c7 ........ 0x000010: d2 c4 d2 c0 d2 bc d2 b8 ........ 0x000018: d2 b4 d2 b0 d2 ac d2 a8 ........ 0x000020: ab ab ab ab ab ab ab ab ........ 0x000028: ab ab ab ab ab ab ab ab ........ 0x000030: ab ab ab ab ab ab ab ab ........ 0x000038: ab ab ab ab ab ab ab ab ........ 0x000000: 00 00 00 00 00 00 00 00 ........ 0x000008: 00 00 00 00 00 00 00 00 ........ 0x000010: 00 00 00 00 00 00 00 00 ........ 0x000018: 00 00 00 00 00 00 00 00 ........ 0x000020: ab ab ab ab ab ab ab ab ........ 0x000028: ab ab ab ab ab ab ab ab ........ 0x000030: ab ab ab ab ab ab ab ab ........ 0x000038: ab ab ab ab ab ab ab ab ........ Reported-by: Moguofang <moguofang@huawei.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: Moguofang <moguofang@huawei.com> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com> Cc: stable@vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-
Wanpeng Li authored
BUG: using __this_cpu_read() in preemptible [00000000] code: qemu-system-x86/2809 caller is __this_cpu_preempt_check+0x13/0x20 CPU: 2 PID: 2809 Comm: qemu-system-x86 Not tainted 4.11.0+ #13 Call Trace: dump_stack+0x99/0xce check_preemption_disabled+0xf5/0x100 __this_cpu_preempt_check+0x13/0x20 get_kvmclock_ns+0x6f/0x110 [kvm] get_time_ref_counter+0x5d/0x80 [kvm] kvm_hv_process_stimers+0x2a1/0x8a0 [kvm] ? kvm_hv_process_stimers+0x2a1/0x8a0 [kvm] ? kvm_arch_vcpu_ioctl_run+0xac9/0x1ce0 [kvm] kvm_arch_vcpu_ioctl_run+0x5bf/0x1ce0 [kvm] kvm_vcpu_ioctl+0x384/0x7b0 [kvm] ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm] ? __fget+0xf3/0x210 do_vfs_ioctl+0xa4/0x700 ? __fget+0x114/0x210 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x23/0xc2 RIP: 0033:0x7f9d164ed357 ? __this_cpu_preempt_check+0x13/0x20 This can be reproduced by run kvm-unit-tests/hyperv_stimer.flat w/ CONFIG_PREEMPT and CONFIG_DEBUG_PREEMPT enabled. Safe access to per-CPU data requires a couple of constraints, though: the thread working with the data cannot be preempted and it cannot be migrated while it manipulates per-CPU variables. If the thread is preempted, the thread that replaces it could try to work with the same variables; migration to another CPU could also cause confusion. However there is no preemption disable when reads host per-CPU tsc rate to calculate the current kvmclock timestamp. This patch fixes it by utilizing get_cpu/put_cpu pair to guarantee both __this_cpu_read() and rdtsc() are not preempted. Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-