1. 05 Nov, 2019 9 commits
    • Jon Bloomfield's avatar
      drm/i915/cmdparser: Add support for backward jumps · f8c08d8f
      Jon Bloomfield authored
      To keep things manageable, the pre-gen9 cmdparser does not
      attempt to track any form of nested BB_START's. This did not
      prevent usermode from using nested starts, or even chained
      batches because the cmdparser is not strictly enforced pre gen9.
      
      Instead, the existence of a nested BB_START would cause the batch
      to be emitted in insecure mode, and any privileged capabilities
      would not be available.
      
      For Gen9, the cmdparser becomes mandatory (for BCS at least), and
      so not providing any form of nested BB_START support becomes
      overly restrictive. Any such batch will simply not run.
      
      We make heavy use of backward jumps in igt, and it is much easier
      to add support for this restricted subset of nested jumps, than to
      rewrite the whole of our test suite to avoid them.
      
      Add the required logic to support limited backward jumps, to
      instructions that have already been validated by the parser.
      
      Note that it's not sufficient to simply approve any BB_START
      that jumps backwards in the buffer because this would allow an
      attacker to embed a rogue instruction sequence within the
      operand words of a harmless instruction (say LRI) and jump to
      that.
      
      We introduce a bit array to track every instr offset successfully
      validated, and test the target of BB_START against this. If the
      target offset hits, it is re-written to the same offset in the
      shadow buffer and the BB_START cmd is allowed.
      
      Note: This patch deliberately ignores checkpatch issues in the
      cmdtables, in order to match the style of the surrounding code.
      We'll correct the entire file in one go in a later patch.
      
      v2: set dispatch secure late (Mika)
      v3: rebase (Mika)
      v4: Clear whitelist on each parse
          Minor review updates (Chris)
      v5: Correct backward jump batching
      v6: fix compilation error due to struct eb shuffle (Mika)
      
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Signed-off-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      f8c08d8f
    • Jon Bloomfield's avatar
      drm/i915/cmdparser: Use explicit goto for error paths · 0546a29c
      Jon Bloomfield authored
      In the next patch we will be adding a second valid
      termination condition which will require a small
      amount of refactoring to share logic with the BB_END
      case.
      
      Refactor all error conditions to jump to a dedicated
      exit path, with 'break' reserved only for a successful
      parse.
      
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      0546a29c
    • Jon Bloomfield's avatar
      drm/i915: Add gen9 BCS cmdparsing · 0f2f3975
      Jon Bloomfield authored
      For gen9 we enable cmdparsing on the BCS ring, specifically
      to catch inadvertent accesses to sensitive registers
      
      Unlike gen7/hsw, we use the parser only to block certain
      registers. We can rely on h/w to block restricted commands,
      so the command tables only provide enough info to allow the
      parser to delineate each command, and identify commands that
      access registers.
      
      Note: This patch deliberately ignores checkpatch issues in
      favour of matching the style of the surrounding code. We'll
      correct the entire file in one go in a later patch.
      
      v3: rebase (Mika)
      v4: Add RING_TIMESTAMP registers to whitelist (Jon)
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      0f2f3975
    • Jon Bloomfield's avatar
      drm/i915: Allow parsing of unsized batches · 435e8fc0
      Jon Bloomfield authored
      In "drm/i915: Add support for mandatory cmdparsing" we introduced the
      concept of mandatory parsing. This allows the cmdparser to be invoked
      even when user passes batch_len=0 to the execbuf ioctl's.
      
      However, the cmdparser needs to know the extents of the buffer being
      scanned. Refactor the code to ensure the cmdparser uses the actual
      object size, instead of the incoming length, if user passes 0.
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      435e8fc0
    • Jon Bloomfield's avatar
      drm/i915: Support ro ppgtt mapped cmdparser shadow buffers · 4f7af194
      Jon Bloomfield authored
      For Gen7, the original cmdparser motive was to permit limited
      use of register read/write instructions in unprivileged BB's.
      This worked by copying the user supplied bb to a kmd owned
      bb, and running it in secure mode, from the ggtt, only if
      the scanner finds no unsafe commands or registers.
      
      For Gen8+ we can't use this same technique because running bb's
      from the ggtt also disables access to ppgtt space. But we also
      do not actually require 'secure' execution since we are only
      trying to reduce the available command/register set. Instead we
      will copy the user buffer to a kmd owned read-only bb in ppgtt,
      and run in the usual non-secure mode.
      
      Note that ro pages are only supported by ppgtt (not ggtt), but
      luckily that's exactly what we need.
      
      Add the required paths to map the shadow buffer to ppgtt ro for Gen8+
      
      v2: IS_GEN7/IS_GEN (Mika)
      v3: rebase
      v4: rebase
      v5: rebase
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      4f7af194
    • Jon Bloomfield's avatar
      drm/i915: Add support for mandatory cmdparsing · 311a50e7
      Jon Bloomfield authored
      The existing cmdparser for gen7 can be bypassed by specifying
      batch_len=0 in the execbuf call. This is safe because bypassing
      simply reduces the cmd-set available.
      
      In a later patch we will introduce cmdparsing for gen9, as a
      security measure, which must be strictly enforced since without
      it we are vulnerable to DoS attacks.
      
      Introduce the concept of 'required' cmd parsing that cannot be
      bypassed by submitting zero-length bb's.
      
      v2: rebase (Mika)
      v2: rebase (Mika)
      v3: fix conflict on engine flags (Mika)
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      311a50e7
    • Jon Bloomfield's avatar
      drm/i915: Remove Master tables from cmdparser · 66d8aba1
      Jon Bloomfield authored
      The previous patch has killed support for secure batches
      on gen6+, and hence the cmdparsers master tables are
      now dead code. Remove them.
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      66d8aba1
    • Jon Bloomfield's avatar
      drm/i915: Disable Secure Batches for gen6+ · 44157641
      Jon Bloomfield authored
      Retroactively stop reporting support for secure batches
      through the api for gen6+ so that older binaries trigger
      the fallback path instead.
      
      Older binaries use secure batches pre gen6 to access resources
      that are not available to normal usermode processes. However,
      all known userspace explicitly checks for HAS_SECURE_BATCHES
      before relying on the secure batch feature.
      
      Since there are no known binaries relying on this for newer gens
      we can kill secure batches from gen6, via I915_PARAM_HAS_SECURE_BATCHES.
      
      v2: rebase (Mika)
      v3: rebase (Mika)
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      44157641
    • Jon Bloomfield's avatar
      drm/i915: Rename gen7 cmdparser tables · 0a2f661b
      Jon Bloomfield authored
      We're about to introduce some new tables for later gens, and the
      current naming for the gen7 tables will no longer make sense.
      
      v2: rebase
      Signed-off-by: default avatarJon Bloomfield <jon.bloomfield@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarMika Kuoppala <mika.kuoppala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris.p.wilson@intel.com>
      0a2f661b
  2. 03 Nov, 2019 2 commits
    • Linus Torvalds's avatar
      Linux 5.4-rc6 · a99d8080
      Linus Torvalds authored
      a99d8080
    • Linus Torvalds's avatar
      Merge tag 'usb-5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 3a69c9e5
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "The USB sub-maintainers woke up this past week and sent a bunch of
        tiny fixes. Here are a lot of small patches that that resolve a bunch
        of reported issues in the USB core, drivers, serial drivers, gadget
        drivers, and of course, xhci :)
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (31 commits)
        usb: dwc3: gadget: fix race when disabling ep with cancelled xfers
        usb: cdns3: gadget: Fix g_audio use case when connected to Super-Speed host
        usb: cdns3: gadget: reset EP_CLAIMED flag while unloading
        USB: serial: whiteheat: fix line-speed endianness
        USB: serial: whiteheat: fix potential slab corruption
        USB: gadget: Reject endpoints with 0 maxpacket value
        UAS: Revert commit 3ae62a42 ("UAS: fix alignment of scatter/gather segments")
        usb-storage: Revert commit 747668db ("usb-storage: Set virt_boundary_mask to avoid SG overflows")
        usbip: Fix free of unallocated memory in vhci tx
        usbip: tools: Fix read_usb_vudc_device() error path handling
        usb: xhci: fix __le32/__le64 accessors in debugfs code
        usb: xhci: fix Immediate Data Transfer endianness
        xhci: Fix use-after-free regression in xhci clear hub TT implementation
        USB: ldusb: fix control-message timeout
        USB: ldusb: use unsigned size format specifiers
        USB: ldusb: fix ring-buffer locking
        USB: Skip endpoints with 0 maxpacket length
        usb: cdns3: gadget: Don't manage pullups
        usb: dwc3: remove the call trace of USBx_GFLADJ
        usb: gadget: configfs: fix concurrent issue between composite APIs
        ...
      3a69c9e5
  3. 02 Nov, 2019 10 commits
    • Linus Torvalds's avatar
      Merge tag '5.4-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6 · 56cfd250
      Linus Torvalds authored
      Pull cifs fix from Steve French:
       "A small smb3 memleak fix"
      
      * tag '5.4-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6:
        fix memory leak in large read decrypt offload
      56cfd250
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-v5.4-rc6' of... · 9d234505
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - Fix read timeout problem in ina3221 driver
      
       - Fix wrong bitmask in nct7904 driver
      
      * tag 'hwmon-for-v5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (ina3221) Fix read timeout issue
        hwmon: (nct7904) Fix the incorrect value of vsen_mask & tcpu_mask & temp_mode in nct7904_data struct.
      9d234505
    • Linus Torvalds's avatar
      Merge tag 'pwm/for-5.4-rc6' of... · e935842a
      Linus Torvalds authored
      Merge tag 'pwm/for-5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
      
      Pull pwm fixes from Thierry Reding:
       "It turned out that relying solely on drivers storing all the PWM state
        in hardware was a little premature and causes a number of subtle (and
        some not so subtle) regressions. Revert the offending patch for now"
      
      * tag 'pwm/for-5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm:
        Revert "pwm: Let pwm_get_state() return the last implemented state"
      e935842a
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · f83e148a
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Nine changes, eight in drivers [ufs, target, lpfc x 2, qla2xxx x 4]
        and one core change in sd that fixes an I/O failure on DIF type 3
        devices"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: stop timer in shutdown path
        scsi: sd: define variable dif as unsigned int instead of bool
        scsi: target: cxgbit: Fix cxgbit_fw4_ack()
        scsi: qla2xxx: Fix partial flash write of MBI
        scsi: qla2xxx: Initialized mailbox to prevent driver load failure
        scsi: lpfc: Honor module parameter lpfc_use_adisc
        scsi: ufs-bsg: Wake the device before sending raw upiu commands
        scsi: lpfc: Check queue pointer before use
        scsi: qla2xxx: fixup incorrect usage of host_byte
      f83e148a
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 8194c28e
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Our recent cleanup of EEH led to an oops on bare metal machines when
        the cxl (CAPI) driver creates virtual devices for an attached FPGA
        accelerator.
      
        The "secure virtual machine" support we added in v5.4 had a bug if the
        kernel was relocated (moved during boot), in those cases the signature
        of the kernel text wouldn't verify and the Ultravisor would refuse to
        run the VM.
      
        A recent change to disable interrupts before calling
        arch_cpu_idle_dead() caused a WARN_ON() in our bare metal CPU offline
        code to always trigger.
      
        The KUAP (SMAP) support we added for 32-bit Book3S had a bug if the
        address range crossed a segment (256MB) boundary which could lead to
        spurious faults.
      
        Thanks to: Christophe Leroy, Frederic Barrat, Michael Anderson,
        Nicholas Piggin, Sam Bobroff, Thiago Jung Bauermann"
      
      * tag 'powerpc-5.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/powernv: Fix CPU idle to be called with IRQs disabled
        powerpc/prom_init: Undo relocation before entering secure mode
        powerpc/powernv/eeh: Fix oops when probing cxl devices
        powerpc/32s: fix allow/prevent_user_access() when crossing segment boundaries.
      8194c28e
    • Linus Torvalds's avatar
      Merge tag 's390-5.4-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 969a5197
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix cpu idle time accounting
      
       - Fix stack unwinder case when both pt_regs and sp are specified
      
       - Fix information leak via cmm timeout proc handler
      
      * tag 's390-5.4-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/idle: fix cpu idle time calculation
        s390/unwind: fix mixing regs and sp
        s390/cmm: fix information leak in cmm_timeout_handler()
      969a5197
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 1204c70d
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix free/alloc races in batmanadv, from Sven Eckelmann.
      
       2) Several leaks and other fixes in kTLS support of mlx5 driver, from
          Tariq Toukan.
      
       3) BPF devmap_hash cost calculation can overflow on 32-bit, from Toke
          Høiland-Jørgensen.
      
       4) Add an r8152 device ID, from Kazutoshi Noguchi.
      
       5) Missing include in ipv6's addrconf.c, from Ben Dooks.
      
       6) Use siphash in flow dissector, from Eric Dumazet. Attackers can
          easily infer the 32-bit secret otherwise etc.
      
       7) Several netdevice nesting depth fixes from Taehee Yoo.
      
       8) Fix several KCSAN reported errors, from Eric Dumazet. For example,
          when doing lockless skb_queue_empty() checks, and accessing
          sk_napi_id/sk_incoming_cpu lockless as well.
      
       9) Fix jumbo packet handling in RXRPC, from David Howells.
      
      10) Bump SOMAXCONN and tcp_max_syn_backlog values, from Eric Dumazet.
      
      11) Fix DMA synchronization in gve driver, from Yangchun Fu.
      
      12) Several bpf offload fixes, from Jakub Kicinski.
      
      13) Fix sk_page_frag() recursion during memory reclaim, from Tejun Heo.
      
      14) Fix ping latency during high traffic rates in hisilicon driver, from
          Jiangfent Xiao.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (146 commits)
        net: fix installing orphaned programs
        net: cls_bpf: fix NULL deref on offload filter removal
        selftests: bpf: Skip write only files in debugfs
        selftests: net: reuseport_dualstack: fix uninitalized parameter
        r8169: fix wrong PHY ID issue with RTL8168dp
        net: dsa: bcm_sf2: Fix IMP setup for port different than 8
        net: phylink: Fix phylink_dbg() macro
        gve: Fixes DMA synchronization.
        inet: stop leaking jiffies on the wire
        ixgbe: Remove duplicate clear_bit() call
        Documentation: networking: device drivers: Remove stray asterisks
        e1000: fix memory leaks
        i40e: Fix receive buffer starvation for AF_XDP
        igb: Fix constant media auto sense switching when no cable is connected
        net: ethernet: arc: add the missed clk_disable_unprepare
        igb: Enable media autosense for the i350.
        igb/igc: Don't warn on fatal read failures when the device is removed
        tcp: increase tcp_max_syn_backlog max value
        net: increase SOMAXCONN to 4096
        netdevsim: Fix use-after-free during device dismantle
        ...
      1204c70d
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.4-3' of git://git.linux-nfs.org/projects/anna/linux-nfs · 372bf6c1
      Linus Torvalds authored
      Pull NFS client bugfixes from Anna Schumaker:
       "This contains two delegation fixes (with the RCU lock leak fix marked
        for stable), and three patches to fix destroying the the sunrpc back
        channel.
      
        Stable bugfixes:
      
         - Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
      
        Other fixes:
      
         - The TCP back channel mustn't disappear while requests are
           outstanding
      
         - The RDMA back channel mustn't disappear while requests are
           outstanding
      
         - Destroy the back channel when we destroy the host transport
      
         - Don't allow a cached open with a revoked delegation"
      
      * tag 'nfs-for-5.4-3' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
        NFSv4: Don't allow a cached open with a revoked delegation
        SUNRPC: Destroy the back channel when we destroy the host transport
        SUNRPC: The RDMA back channel mustn't disappear while requests are outstanding
        SUNRPC: The TCP back channel mustn't disappear while requests are outstanding
      372bf6c1
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20191101' of git://git.kernel.dk/linux-block · 0821de28
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Two small nvme fixes, one is a fabrics connection fix, the other one
         a cleanup made possible by that fix (Anton, via Keith)
      
       - Fix requeue handling in umb ubd (Anton)
      
       - Fix spin_lock_irq() nesting in blk-iocost (Dan)
      
       - Three small io_uring fixes:
           - Install io_uring fd after done with ctx (me)
           - Clear ->result before every poll issue (me)
           - Fix leak of shadow request on error (Pavel)
      
      * tag 'for-linus-20191101' of git://git.kernel.dk/linux-block:
        iocost: don't nest spin_lock_irq in ioc_weight_write()
        io_uring: ensure we clear io_kiocb->result before each issue
        um-ubd: Entrust re-queue to the upper layers
        nvme-multipath: remove unused groups_only mode in ana log
        nvme-multipath: fix possible io hang after ctrl reconnect
        io_uring: don't touch ctx in setup after ring fd install
        io_uring: Fix leaked shadow_req
      0821de28
    • Linus Torvalds's avatar
      Merge tag 'riscv/for-v5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · e5897c7d
      Linus Torvalds authored
      Pull RISC-V fixes from Paul Walmsley:
       "One fix for PCIe users:
      
         - Fix legacy PCI I/O port access emulation
      
        One set of cleanups:
      
         - Resolve most of the warnings generated by sparse across arch/riscv.
           No functional changes
      
        And one MAINTAINERS update:
      
         - Update Palmer's E-mail address"
      
      * tag 'riscv/for-v5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        MAINTAINERS: Change to my personal email address
        RISC-V: Add PCIe I/O BAR memory mapping
        riscv: for C functions called only from assembly, mark with __visible
        riscv: fp: add missing __user pointer annotations
        riscv: add missing header file includes
        riscv: mark some code and data as file-static
        riscv: init: merge split string literals in preprocessor directive
        riscv: add prototypes for assembly language functions from head.S
      e5897c7d
  4. 01 Nov, 2019 19 commits