1. 24 Apr, 2019 1 commit
    • Dave Airlie's avatar
      Merge tag 'drm-intel-next-2019-04-17' of git://anongit.freedesktop.org/drm/drm-intel into drm-next · b1c4f7fe
      Dave Airlie authored
      UAPI Changes:
      
      - uAPI "Fixes:" patch for the upcoming kernel 5.1, included here too
      
        We have an Ack from the media folks (only current user) for this
        late tweak
      
      Cross-subsystem Changes:
      
      - ALSA: hda: Fix racy display power access (Takashi, Chris)
      
      Driver Changes:
      
      - DDI and MIPI-DSI clocks fixes for Icelake (Vandita)
      - Fix Icelake frequency change/locking (RPS) (Mika)
      - Temporarily disable ppGTT read-only bit on Icelake (Mika)
      - Add missing Icelake W/As (Mika)
      - Enable 12 deep CSB status FIFO on Icelake (Mika)
      - Inherit more Icelake code for Elkhartlake (Bob, Jani)
      
      - Handle catastrophic error on engine reset (Mika)
      - Shortcut readiness to reset check (Mika)
      - Regression fix for GEM_BUSY causing us to report a mixed uabi-class request as not busy (Chris)
      - Revert back to max link rate and lane count on eDP (Jani)
      - Fix pipe BPP readout for BXT/GLK DSI (Ville)
      - Set DP min_bpp to 8*3 for non-RGB output formats (Ville)
      - Enable coarse preemption boundaries for Gen8 (Chris)
      - Do not enable FEC without DSC (Ville)
      - Restore correct BXT DDI latency optim setting calculation (Ville)
      - Always reset context's RING registers to avoid running workload twice during reset (Chris)
      - Set GPU wedged on driver unload (Janusz)
      - Consolidate two similar barries from timeline into one (Chris)
      - Only reset the pinned kernel contexts on resume (Chris)
      - Wakeref tracking improvements (Chris, Imre)
      - Lockdep fixes for shrinker interactions (Chris)
      - Bump ready tasks ahead of busywaits in prep of semaphore use (Chris)
      
      - Huge step in splitting display code into fine grained files (Jani)
      - Refactor the IRQ init/reset macros for code saving (Paulo)
      - Convert IRQ initialization code to uncore MMIO access (Paulo)
      - Convert workarounds code to use uncore MMIO access (Chris)
      - Nuke drm_crtc_state and use intel_atomic_state instead (Manasi)
      - Update SKL clock-gating WA (Radhakrishna, Ville)
      - Isolate GuC reset code flow (Chris)
      - Expose force_dsc_enable through debugfs (Manasi)
      - Header standalone compile testing framework (Jani)
      - Code cleanups to reduce driver footprint (Chris)
      - PSR code fixes and cleanups (Jose)
      - Sparse and kerneldoc updates (Chris)
      - Suppress spurious combo PHY B warning (Vile)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190418080426.GA6409@jlahtine-desk.ger.corp.intel.com
      b1c4f7fe
  2. 23 Apr, 2019 1 commit
  3. 17 Apr, 2019 5 commits
  4. 16 Apr, 2019 11 commits
  5. 15 Apr, 2019 3 commits
  6. 14 Apr, 2019 6 commits
    • Linus Torvalds's avatar
      Linux 5.1-rc5 · dc4060a5
      Linus Torvalds authored
      dc4060a5
    • Linus Torvalds's avatar
      Merge branch 'page-refs' (page ref overflow) · 6b3a7077
      Linus Torvalds authored
      Merge page ref overflow branch.
      
      Jann Horn reported that he can overflow the page ref count with
      sufficient memory (and a filesystem that is intentionally extremely
      slow).
      
      Admittedly it's not exactly easy.  To have more than four billion
      references to a page requires a minimum of 32GB of kernel memory just
      for the pointers to the pages, much less any metadata to keep track of
      those pointers.  Jann needed a total of 140GB of memory and a specially
      crafted filesystem that leaves all reads pending (in order to not ever
      free the page references and just keep adding more).
      
      Still, we have a fairly straightforward way to limit the two obvious
      user-controllable sources of page references: direct-IO like page
      references gotten through get_user_pages(), and the splice pipe page
      duplication.  So let's just do that.
      
      * branch page-refs:
        fs: prevent page refcount overflow in pipe_buf_get
        mm: prevent get_user_pages() from overflowing page refcount
        mm: add 'try_get_page()' helper function
        mm: make page ref count overflow check tighter and more explicit
      6b3a7077
    • Matthew Wilcox's avatar
      fs: prevent page refcount overflow in pipe_buf_get · 15fab63e
      Matthew Wilcox authored
      Change pipe_buf_get() to return a bool indicating whether it succeeded
      in raising the refcount of the page (if the thing in the pipe is a page).
      This removes another mechanism for overflowing the page refcount.  All
      callers converted to handle a failure.
      Reported-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarMatthew Wilcox <willy@infradead.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      15fab63e
    • Linus Torvalds's avatar
      mm: prevent get_user_pages() from overflowing page refcount · 8fde12ca
      Linus Torvalds authored
      If the page refcount wraps around past zero, it will be freed while
      there are still four billion references to it.  One of the possible
      avenues for an attacker to try to make this happen is by doing direct IO
      on a page multiple times.  This patch makes get_user_pages() refuse to
      take a new page reference if there are already more than two billion
      references to the page.
      Reported-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarMatthew Wilcox <willy@infradead.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8fde12ca
    • Linus Torvalds's avatar
      mm: add 'try_get_page()' helper function · 88b1a17d
      Linus Torvalds authored
      This is the same as the traditional 'get_page()' function, but instead
      of unconditionally incrementing the reference count of the page, it only
      does so if the count was "safe".  It returns whether the reference count
      was incremented (and is marked __must_check, since the caller obviously
      has to be aware of it).
      
      Also like 'get_page()', you can't use this function unless you already
      had a reference to the page.  The intent is that you can use this
      exactly like get_page(), but in situations where you want to limit the
      maximum reference count.
      
      The code currently does an unconditional WARN_ON_ONCE() if we ever hit
      the reference count issues (either zero or negative), as a notification
      that the conditional non-increment actually happened.
      
      NOTE! The count access for the "safety" check is inherently racy, but
      that doesn't matter since the buffer we use is basically half the range
      of the reference count (ie we look at the sign of the count).
      Acked-by: default avatarMatthew Wilcox <willy@infradead.org>
      Cc: Jann Horn <jannh@google.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      88b1a17d
    • Linus Torvalds's avatar
      mm: make page ref count overflow check tighter and more explicit · f958d7b5
      Linus Torvalds authored
      We have a VM_BUG_ON() to check that the page reference count doesn't
      underflow (or get close to overflow) by checking the sign of the count.
      
      That's all fine, but we actually want to allow people to use a "get page
      ref unless it's already very high" helper function, and we want that one
      to use the sign of the page ref (without triggering this VM_BUG_ON).
      
      Change the VM_BUG_ON to only check for small underflows (or _very_ close
      to overflowing), and ignore overflows which have strayed into negative
      territory.
      Acked-by: default avatarMatthew Wilcox <willy@infradead.org>
      Cc: Jann Horn <jannh@google.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f958d7b5
  7. 13 Apr, 2019 13 commits