- 08 Oct, 2017 25 commits
-
-
Bart Van Assche authored
[ Upstream commit 642c7cbc ] Since index values equal to or above 'range' can trigger memory corruption, complain if index >= range. Signed-off-by:
Bart Van Assche <bart.vanassche@sandisk.com> Reviewed-by:
Andrew Boyer <andrew.boyer@dell.com> Cc: Moni Shoua <monis@mellanox.com> Signed-off-by:
Doug Ledford <dledford@redhat.com> Signed-off-by:
Sasha Levin <alexander.levin@verizon.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Andreas Klinger authored
[ Upstream commit ff1293f6 ] Add DT bindings for avia,hx711 Add vendor avia to vendor list Signed-off-by:
Andreas Klinger <ak@it-klinger.de> Acked-by:
Rob Herring <robh@kernel.org> Signed-off-by:
Jonathan Cameron <jic23@kernel.org> Signed-off-by:
-
Hans de Goede authored
[ Upstream commit fa2849e9 ] For some reason the axp288_adc driver was modifying the AXP288_ADC_TS_PIN_CTRL register, changing bits 0-1 depending on whether the GP_ADC channel or another channel was written. These bits control when a bias current is send to the TS_PIN, the GP_ADC has its own pin and a separate bit in another register to control the bias current. Not only does changing when to enable the TS_PIN bias current (always or only when sampling) when reading the GP_ADC make no sense at all, the code is modifying these bits is writing the entire register, assuming that all the other bits have their default value. So if the firmware has configured a different bias-current for either pin, then that change gets clobbered by the write, likewise if the firmware has set bit 2 to indicate that the battery has no thermal sensor, this will get clobbered by the write. This commit fixes all this, by simply removing all writes to the AXP288_ADC_TS_PIN_CTRL register, they are not needed to read the GP_ADC pin, and can actually be harmful. Signed-off-by:
Hans de Goede <hdegoede@redhat.com> Acked-by:
Chen-Yu Tsai <wens@csie.org> Signed-off-by:
-
Javier Martinez Canillas authored
[ Upstream commit 8f0d7daf ] If the driver is built as a module, autoload won't work because the module alias information is not filled. So user-space can't match the registered device with the corresponding module. Export the module alias information using the MODULE_DEVICE_TABLE() macro. Before this patch: $ modinfo drivers/iio/adc/fsl-imx25-gcq.ko | grep alias $ After this patch: $ modinfo drivers/iio/adc/fsl-imx25-gcq.ko | grep alias alias: of:N*T*Cfsl,imx25-gcqC* alias: of:N*T*Cfsl,imx25-gcq Signed-off-by:
Javier Martinez Canillas <javier@osg.samsung.com> Signed-off-by:
-
Guenter Roeck authored
[ Upstream commit 87cdfa9d ] Writes into limit attributes can overflow due to multplications and additions with unbound input values. Writing into fan limit attributes can result in a crash with a division by zero if very large values are written and the fan divider is larger than 1. Signed-off-by:
Guenter Roeck <linux@roeck-us.net> Signed-off-by:
-
John Crispin authored
[ Upstream commit 808cf33d ] The MIPS based MT7621 shares the same XHCI core as the newer generation of ARM based SoCs. The driver works out of the box and we only need to make it buildable in Kconfig. Signed-off-by:
John Crispin <john@phrozen.org> Signed-off-by:
-
Jose Abreu authored
[ Upstream commit 6205406c ] Init field must be cleared in driver probe as this structure is not dinamically allocated. If not, wrong flags can be passed to core. Signed-off-by:
Jose Abreu <joabreu@synopsys.com> Cc: Carlos Palminha <palminha@synopsys.com> Cc: Stephen Boyd <sboyd@codeaurora.org> Cc: Michael Turquette <mturquette@baylibre.com> Cc: linux-clk@vger.kernel.org Cc: linux-kernel@vger.kernel.org Fixes: 923587aa ("clk/axs10x: Add I2S PLL clock driver") Signed-off-by:
Michael Turquette <mturquette@baylibre.com> Link: lkml.kernel.org/r/040cc9afdfa0e95ce7a01c406ff427ef7dc0c0fd.1481540717.git.joabreu@synopsys.com Signed-off-by:
-
Niklas Söderlund authored
[ Upstream commit 6dcf45e5 ] This bit was wrongly named due to a typo, Sergei checked the SH7734/63 manuals and this bit should be named MPDE. Suggested-by:
Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by:
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Jiancheng Xue authored
[ Upstream commit 5987b4bf ] If STATUS_SET was not set, ti_syscon_reset_status would always return 0 no matter whether the status_bit was set or not. Signed-off-by:
Jiancheng Xue <xuejiancheng@hisilicon.com> Fixes: cc7c2bb1 ("reset: add TI SYSCON based reset driver") Signed-off-by:
Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by:
-
Hans de Goede authored
[ Upstream commit 5757aca1 ] The vbus-present bit in the power status register also gets set to 1 when a usb-host cable (id-pin shorted to ground) is plugged in and a 5v boost converter is supplying 5v to the otg usb bus. This causes a "disconnect or unknown or ID event" warning in dmesg as well as the extcon device to report the last detected charger cable type as being connected even though none is connected. This commit switches to checking the vbus-valid bit instead, which is only 1 when both vbus is present and the vbus-path is enabled in the vbus-path control register (the vbus-path gets disabled when a usb-host cable is detected, to avoid the pmic drawing power from the 5v boost converter). Signed-off-by:
Chanwoo Choi <cw00.choi@samsung.com> Signed-off-by:
-
Guilherme G Piccoli authored
[ Upstream commit 69b97cf6 ] Whenever the igb driver detects the result of a read operation returns a value composed only by F's (like 0xFFFFFFFF), it will detach the net_device, clear the hw_addr pointer and warn to the user that adapter's link is lost - those steps happen on igb_rd32(). In case a PCI error happens on Power architecture, there's a recovery mechanism called EEH, that will reset the PCI slot and call driver's handlers to reset the adapter and network functionality as well. We observed that once hw_addr is NULL after the error is detected on igb_rd32(), it's never assigned back, so in the process of resetting the network functionality we got a NULL pointer dereference in both igb_configure_tx_ring() and igb_configure_rx_ring(). In order to avoid such bug, this patch re-assigns the hw_addr value in the slot_reset handler. Reported-by:
Anthony H Thai <ahthai@us.ibm.com> Reported-by:
Harsha Thyagaraja <hathyaga@in.ibm.com> Signed-off-by:
Guilherme G Piccoli <gpiccoli@linux.vnet.ibm.com> Tested-by:
Aaron Brown <aaron.f.brown@intel.com> Signed-off-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by:
-
Marcin Niestroj authored
[ Upstream commit ca244a83 ] On chiliSOM TPS65217 nWAKEUP pin is connected to AM335x internal RTC EXT_WAKEUP input. In RTC-only state TPS65217 is notifying about power on events (such as power buton presses) by setting nWAKEUP output low. After that it waits 5s for proper device boot. Currently it doesn't happen, as the processor doesn't listen for such events. Consequently TPS65217 changes state from SLEEP (RTC-only state) to OFF. Enable EXT_WAKEUP input of AM335x's RTC, so the processor can properly detect power on events and recover immediately from RTC-only states, without powering off RTC and losing time. Signed-off-by:
Marcin Niestroj <m.niestroj@grinn-global.com> Signed-off-by:
Tony Lindgren <tony@atomide.com> Signed-off-by:
-
Jitendra Bhivare authored
[ Upstream commit 413f3656 ] Set CID slot to 0xffff to indicate empty. Check if connection already exists in conn_table before binding. Check if endpoint already NULL before putting back CID. Break ep->conn link in free_ep to ignore completions after freeing. Signed-off-by:
Jitendra Bhivare <jitendra.bhivare@broadcom.com> Reviewed-by:
Hannes Reinecke <hare@suse.com> Signed-off-by:
Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by:
-
Hans de Goede authored
[ Upstream commit 6f074bc8 ] If reading the register fails, return the actual error code, instead of the uninitialized val variable; Signed-off-by:
Sebastian Reichel <sre@kernel.org> Signed-off-by:
-
Colin Ian King authored
[ Upstream commit 08d90c81 ] ralink_soc sould be assigned to RT3883_SOC, replace incorrect comparision with assignment. Signed-off-by:
Colin Ian King <colin.king@canonical.com> Fixes: 418d29c8 ("MIPS: ralink: Unify SoC id handling") Cc: John Crispin <john@phrozen.org> Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14903/Signed-off-by:
Ralf Baechle <ralf@linux-mips.org> Signed-off-by:
-
John Crispin authored
[ Upstream commit 58181a11 ] There is a typo inside the pinmux setup code. The function is really called utif and not util. This was recently discovered when people were trying to make the UTIF interface work. Signed-off-by:
-
Paul Burton authored
[ Upstream commit 3f00f4d8 ] When clearing the .bss section in kernel_entry we do so using LONG_S instructions, and branch whilst the current write address doesn't equal the end of the .bss section minus the size of a long integer. The .bss section always begins at a long-aligned address and we always increment the write pointer by the size of a long integer - we therefore rely upon the .bss section ending at a long-aligned address. If this is not the case then the long-aligned write address can never be equal to the non-long-aligned end address & we will continue to increment past the end of the .bss section, attempting to zero the rest of memory. Despite this requirement that .bss end at a long-aligned address we pass 0 as the end alignment requirement to the BSS_SECTION macro and thus don't guarantee any particular alignment, allowing us to hit the error condition described above. Fix this by instead passing 8 bytes as the end alignment argument to the BSS_SECTION macro, ensuring that the end of the .bss section is always at least long-aligned. Signed-off-by:
Paul Burton <paul.burton@imgtec.com> Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14526/Signed-off-by:
-
Simon Horman authored
[ Upstream commit 654450ba ] Use recently added R-Car Gen 2 fallback binding for msiof nodes in DT for r8a7790 SoC. This has no run-time effect for the current driver as the initialisation sequence is the same for the SoC-specific binding for r8a7790 and the fallback binding for R-Car Gen 2. Signed-off-by:
Simon Horman <horms+renesas@verge.net.au> Reviewed-by:
Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by:
-
Santosh Shilimkar authored
[ Upstream commit 941f8d55 ] When application sends an RDS RDMA composite message consist of RDMA transfer to be followed up by non RDMA payload, it expect to be notified *only* when the full message gets delivered. RDS RDMA notification doesn't behave this way though. Thanks to Venkat for debug and root casuing the issue where only first part of the message(RDMA) was successfully delivered but remainder payload delivery failed. In that case, application should not be notified with a false positive of message delivery success. Fix this case by making sure the user gets notified only after the full message delivery. Reviewed-by:
Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com> Signed-off-by:
Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by:
-
Ondrej Jirman authored
[ Upstream commit a43c9642 ] When adjusting PLL_CPUX on H3, the PLL is temporarily driven too high, and the system becomes unstable (oopses or hangs). Add a notifier to avoid this situation by temporarily switching to a known stable 24 MHz oscillator. Signed-off-by:
Ondrej Jirman <megous@megous.com> Tested-by:
Lutz Sammer <johns98@gmx.net> Acked-by:
Maxime Ripard <maxime.ripard@free-electrons.com> Signed-off-by:
-
Bartlomiej Zolnierkiewicz authored
[ Upstream commit 80b7a2e2 ] Add CPU operating points for Exynos4412 Prime (it supports additional 1704MHz & 1600MHz OPPs and 1500MHz OPP is just a regular non-turbo OPP on this SoC). Also update relevant cooling maps to account for new OPPs. ODROID-X2/U2/U3 boards use Exynos4412 Prime SoC version so update their board files accordingly. Based on Hardkernel's kernel for ODROID-X2/U2/U3 boards. Cc: Doug Anderson <dianders@chromium.org> Cc: Andreas Faerber <afaerber@suse.de> Cc: Thomas Abraham <thomas.ab@samsung.com> Cc: Tobias Jakobi <tjakobi@math.uni-bielefeld.de> Cc: Ben Gamari <ben@smart-cactus.org> Signed-off-by:
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Signed-off-by:
Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by:
-
Ville Syrjälä authored
[ Upstream commit 58d09ebd ] Do the overlay frontbuffer tracking properly so that it matches the state of the overlay on/off/continue requests. One slight problem is that intel_frontbuffer_flip_complete() may get delayed by an arbitrarily liong time due to the fact that the overlay code likes to bail out when a signal occurs. So the flip may not get completed until the ioctl is restarted. But fixing that would require bigger surgery, so I decided to ignore it for now. Signed-off-by:
Ville Syrjälä <ville.syrjala@linux.intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/1481131693-27993-5-git-send-email-ville.syrjala@linux.intel.comReviewed-by:
Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by:
-
Dan Carpenter authored
[ Upstream commit 14d37564 ] This patch fixes a place where function gfs2_glock_iter_next can reference an invalid error pointer. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
Bob Peterson <rpeterso@redhat.com> Signed-off-by:
-
Bartosz Golaszewski authored
[ Upstream commit 2e644be3 ] THS8135 is a configurable video DAC. Add DT bindings for this chip. Signed-off-by:
Bartosz Golaszewski <bgolaszewski@baylibre.com> Reviewed-by:
Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by:
Archit Taneja <architt@codeaurora.org> Link: http://patchwork.freedesktop.org/patch/msgid/1481623759-12786-3-git-send-email-bgolaszewski@baylibre.comSigned-off-by:
-
Kristian H. Kristensen authored
[ Upstream commit af913418 ] We need to define DRM_FORMAT_MOD_VENDOR_NONE for the fourcc_mod_code() macro to work correctly. Signed-off-by:
Kristian H. Kristensen <hoegsberg@google.com> Signed-off-by:
Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/1481657272-25975-1-git-send-email-hoegsberg@google.comSigned-off-by:
-
- 05 Oct, 2017 15 commits
-
-
Greg Kroah-Hartman authored
-
Stefano Stabellini authored
commit 7e91c7df upstream. This function creates userspace mapping for the DMA-coherent memory. Signed-off-by:
Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by:
Oleksandr Dmytryshyn <oleksandr.dmytryshyn@globallogic.com> Signed-off-by:
Andrii Anisov <andrii_anisov@epam.com> Signed-off-by:
Konrad Rzeszutek Wilk <konrad@kernel.org> Signed-off-by:
-
Vladis Dronov authored
commit 8e75f7a7 upstream. 'clk' is copied to a userland with padding byte(s) after 'vclk_post_div' field unitialized, leaking data from the stack. Fix this ensuring all of 'clk' is initialized to zero. References: https://github.com/torvalds/linux/pull/441Reported-by:
sohu0106 <sohu0106@126.com> Signed-off-by:
Vladis Dronov <vdronov@redhat.com> Signed-off-by:
-
Paolo Bonzini authored
commit c0a1666b upstream. This fixes a compilation failure on 32-bit systems. Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
-
Frederic Barrat authored
commit 197267d0 upstream. cxl keeps a driver use count, which is used with the hash memory model on p8 to know when to upgrade local TLBIs to global and to trigger callbacks to manage the MMU for PSL8. If a process opens a context and closes without attaching or fails the attachment, the driver use count is never decremented. As a consequence, TLB invalidations remain global, even if there are no active cxl contexts. We should increment the driver use count when the process is attaching to the cxl adapter, and not on open. It's not needed before the adapter starts using the context and the use count is decremented on the detach path, so it makes more sense. It affects only the user api. The kernel api is already doing The Right Thing. Signed-off-by:
Frederic Barrat <fbarrat@linux.vnet.ibm.com> Cc: stable@vger.kernel.org # v4.2+ Fixes: 7bb5d91a ("cxl: Rework context lifetimes") Acked-by:
Andrew Donnellan <andrew.donnellan@au1.ibm.com> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> [ajd: backport to stable v4.9 tree] Signed-off-by:
-
Haozhong Zhang authored
commit 5753743f upstream. WARN_ON_ONCE(pi_test_sn(&vmx->pi_desc)) in kvm_vcpu_trigger_posted_interrupt() intends to detect the violation of invariant that VT-d PI notification event is not suppressed when vcpu is in the guest mode. Because the two checks for the target vcpu mode and the target suppress field cannot be performed atomically, the target vcpu mode may change in between. If that does happen, WARN_ON_ONCE() here may raise false alarms. As the previous patch fixed the real invariant breaker, remove this WARN_ON_ONCE() to avoid false alarms, and document the allowed cases instead. Signed-off-by:
Haozhong Zhang <haozhong.zhang@intel.com> Reported-by:
"Ramamurthy, Venkatesh" <venkatesh.ramamurthy@intel.com> Reported-by:
Dan Williams <dan.j.williams@intel.com> Reviewed-by:
Radim Krčmář <rkrcmar@redhat.com> Signed-off-by:
-
Haozhong Zhang authored
commit dc91f2eb upstream. In kvm_vcpu_trigger_posted_interrupt() and pi_pre_block(), KVM assumes that PI notification events should not be suppressed when the target vCPU is not blocked. vmx_update_pi_irte() sets the SN field before changing an interrupt from posting to remapping, but it does not check the vCPU mode. Therefore, the change of SN field may break above the assumption. Besides, I don't see reasons to suppress notification events here, so remove the changes of SN field to avoid race condition. Signed-off-by:
-
Myungho Jung authored
commit b94bf594 upstream. timer_migration sysctl acts as a boolean switch, so the allowed values should be restricted to 0 and 1. Add the necessary extra fields to the sysctl table entry to enforce that. [ tglx: Rewrote changelog ] Signed-off-by:
Myungho Jung <mhjungk@gmail.com> Link: http://lkml.kernel.org/r/1492640690-3550-1-git-send-email-mhjungk@gmail.comSigned-off-by:
Thomas Gleixner <tglx@linutronix.de> Cc: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp> Signed-off-by:
-
Andreas Gruenbacher authored
commit 10201655 upstream. The switch to rhashtables (commit 88ffbf3e) broke the debugfs glock dump (/sys/kernel/debug/gfs2/<device>/glocks) for dumps bigger than a single buffer: the right function for restarting an rhashtable iteration from the beginning of the hash table is rhashtable_walk_enter; rhashtable_walk_stop + rhashtable_walk_start will just resume from the current position. The upstream commit doesn't directly apply to 4.9.y because 4.9.y doesn't have the following mainline commits: 92ecd73a gfs2: Deduplicate gfs2_{glocks,glstats}_open cc37a627 gfs2: Replace rhashtable_walk_init with rhashtable_walk_enter Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com> Signed-off-by:
-
Eric Biggers authored
commit 814fb7bb upstream. On x86, userspace can use the ptrace() or rt_sigreturn() system calls to set a task's extended state (xstate) or "FPU" registers. ptrace() can set them for another task using the PTRACE_SETREGSET request with NT_X86_XSTATE, while rt_sigreturn() can set them for the current task. In either case, registers can be set to any value, but the kernel assumes that the XSAVE area itself remains valid in the sense that the CPU can restore it. However, in the case where the kernel is using the uncompacted xstate format (which it does whenever the XSAVES instruction is unavailable), it was possible for userspace to set the xcomp_bv field in the xstate_header to an arbitrary value. However, all bits in that field are reserved in the uncompacted case, so when switching to a task with nonzero xcomp_bv, the XRSTOR instruction failed with a #GP fault. This caused the WARN_ON_FPU(err) in copy_kernel_to_xregs() to be hit. In addition, since the error is otherwise ignored, the FPU registers from the task previously executing on the CPU were leaked. Fix the bug by checking that the user-supplied value of xcomp_bv is 0 in the uncompacted case, and returning an error otherwise. The reason for validating xcomp_bv rather than simply overwriting it with 0 is that we want userspace to see an error if it (incorrectly) provides an XSAVE area in compacted format rather than in uncompacted format. Note that as before, in case of error we clear the task's FPU state. This is perhaps non-ideal, especially for PTRACE_SETREGSET; it might be better to return an error before changing anything. But it seems the "clear on error" behavior is fine for now, and it's a little tricky to do otherwise because it would mean we couldn't simply copy the full userspace state into kernel memory in one __copy_from_user(). This bug was found by syzkaller, which hit the above-mentioned WARN_ON_FPU(): WARNING: CPU: 1 PID: 0 at ./arch/x86/include/asm/fpu/internal.h:373 __switch_to+0x5b5/0x5d0 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.13.0 #453 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff9ba2bc8e42c0 task.stack: ffffa78cc036c000 RIP: 0010:__switch_to+0x5b5/0x5d0 RSP: 0000:ffffa78cc08bbb88 EFLAGS: 00010082 RAX: 00000000fffffffe RBX: ffff9ba2b8bf2180 RCX: 00000000c0000100 RDX: 00000000ffffffff RSI: 000000005cb10700 RDI: ffff9ba2b8bf36c0 RBP: ffffa78cc08bbbd0 R08: 00000000929fdf46 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9ba2bc8e42c0 R13: 0000000000000000 R14: ffff9ba2b8bf3680 R15: ffff9ba2bf5d7b40 FS: 00007f7e5cb10700(0000) GS:ffff9ba2bf400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004005cc CR3: 0000000079fd5000 CR4: 00000000001406e0 Call Trace: Code: 84 00 00 00 00 00 e9 11 fd ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 e7 fa ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 c2 fa ff ff <0f> ff 66 0f 1f 84 00 00 00 00 00 e9 d4 fc ff ff 66 66 2e 0f 1f Here is a C reproducer. The expected behavior is that the program spin forever with no output. However, on a buggy kernel running on a processor with the "xsave" feature but without the "xsaves" feature (e.g. Sandy Bridge through Broadwell for Intel), within a second or two the program reports that the xmm registers were corrupted, i.e. were not restored correctly. With CONFIG_X86_DEBUG_FPU=y it also hits the above kernel warning. #define _GNU_SOURCE #include <stdbool.h> #include <inttypes.h> #include <linux/elf.h> #include <stdio.h> #include <sys/ptrace.h> #include <sys/uio.h> #include <sys/wait.h> #include <unistd.h> int main(void) { int pid = fork(); uint64_t xstate[512]; struct iovec iov = { .iov_base = xstate, .iov_len = sizeof(xstate) }; if (pid == 0) { bool tracee = true; for (int i = 0; i < sysconf(_SC_NPROCESSORS_ONLN) && tracee; i++) tracee = (fork() != 0); uint32_t xmm0[4] = { [0 ... 3] = tracee ? 0x00000000 : 0xDEADBEEF }; asm volatile(" movdqu %0, %%xmm0\n" " mov %0, %%rbx\n" "1: movdqu %%xmm0, %0\n" " mov %0, %%rax\n" " cmp %%rax, %%rbx\n" " je 1b\n" : "+m" (xmm0) : : "rax", "rbx", "xmm0"); printf("BUG: xmm registers corrupted! tracee=%d, xmm0=%08X%08X%08X%08X\n", tracee, xmm0[0], xmm0[1], xmm0[2], xmm0[3]); } else { usleep(100000); ptrace(PTRACE_ATTACH, pid, 0, 0); wait(NULL); ptrace(PTRACE_GETREGSET, pid, NT_X86_XSTATE, &iov); xstate[65] = -1; ptrace(PTRACE_SETREGSET, pid, NT_X86_XSTATE, &iov); ptrace(PTRACE_CONT, pid, 0, 0); wait(NULL); } return 1; } Note: the program only tests for the bug using the ptrace() system call. The bug can also be reproduced using the rt_sigreturn() system call, but only when called from a 32-bit program, since for 64-bit programs the kernel restores the FPU state from the signal frame by doing XRSTOR directly from userspace memory (with proper error checking). Reported-by:
Dmitry Vyukov <dvyukov@google.com> Signed-off-by:
Eric Biggers <ebiggers@google.com> Reviewed-by:
Kees Cook <keescook@chromium.org> Reviewed-by:
Rik van Riel <riel@redhat.com> Acked-by:
Dave Hansen <dave.hansen@linux.intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: Eric Biggers <ebiggers3@gmail.com> Cc: Fenghua Yu <fenghua.yu@intel.com> Cc: Kevin Hao <haokexin@gmail.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Michael Halcrow <mhalcrow@google.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Wanpeng Li <wanpeng.li@hotmail.com> Cc: Yu-cheng Yu <yu-cheng.yu@intel.com> Cc: kernel-hardening@lists.openwall.com Fixes: 0b29643a ("x86/xsaves: Change compacted format xsave area header") Link: http://lkml.kernel.org/r/20170922174156.16780-2-ebiggers3@gmail.com Link: http://lkml.kernel.org/r/20170923130016.21448-25-mingo@kernel.orgSigned-off-by:
Ingo Molnar <mingo@kernel.org> Signed-off-by:
-
Laurent Dufour authored
commit a3c4fb7c upstream. commit 7b2d0dba ("x86/mm/pkeys: Pass VMA down in to fault signal generation code") passes down a vma pointer to the error path, but that is done once the mmap_sem is released when calling mm_fault_error() from __do_page_fault(). This is dangerous as the vma structure is no more safe to be used once the mmap_sem has been released. As only the protection key value is required in the error processing, we could just pass down this value. Fix it by passing a pointer to a protection key value down to the fault signal generation code. The use of a pointer allows to keep the check generating a warning message in fill_sig_info_pkey() when the vma was not known. If the pointer is valid, the protection value can be accessed by deferencing the pointer. [ tglx: Made *pkey u32 as that's the type which is passed in siginfo ] Fixes: 7b2d0dba ("x86/mm/pkeys: Pass VMA down in to fault signal generation code") Signed-off-by:
Laurent Dufour <ldufour@linux.vnet.ibm.com> Signed-off-by:
-
satoru takeuchi authored
commit 6d6d2829 upstream. `btrfs sub set-default` succeeds to set an ID which isn't corresponding to any fs/file tree. If such the bad ID is set to a filesystem, we can't mount this filesystem without specifying `subvol` or `subvolid` mount options. Fixes: 6ef5ed0d ("Btrfs: add ioctl and incompat flag to set the default mount subvol") Signed-off-by:
Satoru Takeuchi <satoru.takeuchi@gmail.com> Reviewed-by:
Qu Wenruo <quwenruo.btrfs@gmx.com> Reviewed-by:
David Sterba <dsterba@suse.com> Signed-off-by:
-
Naohiro Aota authored
commit 78ad4ce0 upstream. btrfs_cmp_data_prepare() (almost) always returns 0 i.e. ignoring errors from gather_extent_pages(). While the pages are freed by btrfs_cmp_data_free(), cmp->num_pages still has > 0. Then, btrfs_extent_same() try to access the already freed pages causing faults (or violates PageLocked assertion). This patch just return the error as is so that the caller stop the process. Signed-off-by:
Naohiro Aota <naohiro.aota@wdc.com> Fixes: f4414602 ("btrfs: fix deadlock with extent-same and readpage") Reviewed-by:
-
Naohiro Aota authored
commit bb166d72 upstream. __del_reloc_root should be called before freeing up reloc_root->node. If not, calling __del_reloc_root() dereference reloc_root->node, causing the system BUG. Fixes: 6bdf131f ("Btrfs: don't leak reloc root nodes on error") Signed-off-by:
Nikolay Borisov <nborisov@suse.com> Reviewed-by:
-
Nicolai Stange authored
commit 9561475d upstream. The driver_override implementation is susceptible to a race condition when different threads are reading vs. storing a different driver override. Add locking to avoid the race condition. This is in close analogy to commit 62655397 ("driver core: platform: fix race condition with driver_override") from Adrian Salido. Fixes: 782a985d ("PCI: Introduce new device binding path using pci_dev.driver_override") Signed-off-by:
Nicolai Stange <nstange@suse.de> Signed-off-by:
Bjorn Helgaas <bhelgaas@google.com> Signed-off-by:
-
