1. 20 Aug, 2014 2 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · e9de42d8
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Reverting a 3.16 patch, fixing two bugs in device assignment (one has
        a CVE), and fixing some problems introduced during the merge window
        (the CMA bug came in via Andrew, the x86 ones via yours truly)"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        virt/kvm/assigned-dev.c: Set 'dev->irq_source_id' to '-1' after free it
        Revert "KVM: x86: Increase the number of fixed MTRR regs to 10"
        KVM: x86: do not check CS.DPL against RPL during task switch
        KVM: x86: Avoid emulating instructions on #UD mistakenly
        PC, KVM, CMA: Fix regression caused by wrong get_order() use
        kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · be816bc4
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "These are the two bug fixes I mentioned in the final merge window
        pull.  One is a reversed logic check in the device busy tests which
        can cause a nasty hang and another crash seen in the new SCSI pool
        support if the use count ever goes to zero"
      
      [ The device busy test already got merged from a patch earlier, so is
        now duplicated.  ]
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        [SCSI] save command pool address of Scsi_Host
        [SCSI] fix qemu boot hang problem
  2. 19 Aug, 2014 15 commits
    • scsi: Fix qemu boot hang problem · 480cadc2
      Guenter Roeck authored
      The latest kernel fails to boot qemu arm images when using scsi
      for disk access. Boot gets stuck after the following messages.
      
      brd: module loaded
      sym53c8xx 0000:00:0c.0: enabling device (0100 -> 0103)
      sym0: <895a> rev 0x0 at pci 0000:00:0c.0 irq 93
      sym0: No NVRAM, ID 7, Fast-40, LVD, parity checking
      sym0: SCSI BUS has been reset.
      scsi host0: sym-2.2.3
      
      Bisect points to commit 71e75c97 ("scsi: convert device_busy to
      atomic_t"). Code inspection shows the following suspicious change
      in scsi_request_fn.
      
      out_delay:
      -       if (sdev->device_busy == 0 && !scsi_device_blocked(sdev))
      +       if (atomic_read(&sdev->device_busy) && !scsi_device_blocked(sdev))
      		blk_delay_queue(q, SCSI_QUEUE_DELAY);
      	}
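      Review bot: the `+` line at the top of this hunk drops the negation when converting to the atomic accessor. `sdev->device_busy == 0` is true when the device is idle, but `atomic_read(&sdev->device_busy)` is true when it is busy, so `blk_delay_queue()` now runs in exactly the opposite case from before. The converted condition should read `if (!atomic_read(&sdev->device_busy) && !scsi_device_blocked(sdev))`; a plain `== 0` to `!atomic_read()` mapping is the pattern to check for in the rest of the device_busy conversion.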
      
      'sdev->device_busy == 0' was replaced with 'atomic_read(&sdev->device_busy)',
      meaning the logic was reversed. Changing this expression to
      '!atomic_read(&sdev->device_busy)' fixes the problem.
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Acked-by: Jens Axboe <axboe@fb.com>
      Reviewed-by: Venkatesh Srinivas <venkateshs@google.com>
      Reviewed-by: Webb Scales <webbnh@hp.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'md/3.17-fixes' of git://neil.brown.name/md · 63d871cb
      Linus Torvalds authored
      Pull md bugfixes from Neil Brown:
       "Here are the bug-fixes I promised :-)
      
        Funny how you start looking for one and other start appearing.
      
         - raid6 data corruption during recovery
         - raid6 livelock
         - raid10 memory leaks"
      
      * tag 'md/3.17-fixes' of git://neil.brown.name/md:
        md/raid10: always initialise ->state on newly allocated r10_bio
        md/raid10: avoid memory leak on error path during reshape.
        md/raid10: Fix memory leak when raid10 reshape completes.
        md/raid10: fix memory leak when reshaping a RAID10.
        md/raid6: avoid data corruption during recovery of double-degraded RAID6
        md/raid5: avoid livelock caused by non-aligned writes.
    • Merge tag 'pci-v3.17-changes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · f17a6f78
      Linus Torvalds authored
      Pull PCI changes from Bjorn Helgaas:
       "Marvell MVEBU
          - Remove ARCH_KIRKWOOD dependency (Andrew Lunn)
      
        NVIDIA Tegra
          - Add debugfs support (Thierry Reding)
      
        Synopsys DesignWare
          - Look for configuration space in 'reg', not 'ranges' (Kishon Vijay Abraham I)
          - Program ATU with untranslated address (Kishon Vijay Abraham I)
          - Add config access-related pcie_host_ops for v3.65 hardware (Murali Karicheri)
          - Add MSI-related pcie_host_ops for v3.65 hardware (Murali Karicheri)
      
        TI DRA7xx
          - Add TI DR7xx PCIe driver (Kishon Vijay Abraham I)"
      
      * tag 'pci-v3.17-changes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: designware: Add MSI-related pcie_host_ops for v3.65 hardware
        PCI: designware: Add config access-related pcie_host_ops for v3.65 hardware
        PCI: dra7xx: Add TI DRA7xx PCIe driver
        PCI: designware: Program ATU with untranslated address
        PCI: designware: Look for configuration space in 'reg', not 'ranges'
        PCI: tegra: Add debugfs support
        PCI: mvebu: Remove ARCH_KIRKWOOD dependency
    • Merge tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux · 7ac0bbf9
      Linus Torvalds authored
      Pull devicetree fixes from Grant Likely:
       "Three more commits needed for v3.17: A bug fix for reserved regions
        based at address zero, a clarification on how to interpret existence
        of both interrupts and interrupts-extended properties, and a fix to
        allow device tree testcases to run on any platform"
      
      * tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux:
        of/irq: Fix lookup to use 'interrupts-extended' property first
        Enabling OF selftest to run without machine's devicetree
        of: Allow mem_reserve of memory with a base address of zero
    • frv: Define cpu_relax_lowlatency() · f325f164
      Davidlohr Bueso authored
      3a6bfbc9 ("arch,locking: Ciao arch_mutex_cpu_relax()") broke
      building the frv arch.  Fixes errors such as:
      
        kernel/locking/mcs_spinlock.h:87:2: error: implicit declaration of function 'cpu_relax_lowlatency'
      
      Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
      Compile-tested-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • virt/kvm/assigned-dev.c: Set 'dev->irq_source_id' to '-1' after free it · 30d1e0e8
      Chen Gang authored
      As a generic function, deassign_guest_irq() assumes it can be called
      even if assign_guest_irq() was not called successfully (which can be
      triggered, indirectly, by an ioctl from user mode).
      
      So in the assign_guest_irq() failure path, 'dev->irq_source_id' needs to
      be set to -1 after freeing it, or deassign_guest_irq() may free it again.
      
      Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • Revert "KVM: x86: Increase the number of fixed MTRR regs to 10" · 0d234daf
      Paolo Bonzini authored
      This reverts commit 682367c4,
      which causes 32-bit SMP Windows 7 guests to panic.
      
      SeaBIOS has a limit on the number of MTRRs that it can handle,
      and this patch exceeded the limit.  Better revert it.
      Thanks to Nadav Amit for debugging the cause.
      
      Cc: stable@nongnu.org
      Reported-by: Wanpeng Li <wanpeng.li@linux.intel.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: x86: do not check CS.DPL against RPL during task switch · 9a4cfb27
      Paolo Bonzini authored
      This reverts the check added by commit 5045b468 (KVM: x86: check CS.DPL
      against RPL during task switch, 2014-05-15).  Although the CS.DPL=CS.RPL
      check is mentioned in table 7-1 of the SDM as causing a #TSS exception,
      it is not mentioned in table 6-6 that lists "invalid TSS conditions"
      which cause #TSS exceptions. In fact it causes some tests to fail, which
      pass on bare-metal.
      
      Keep the rest of the commit, since we will find new uses for it in 3.18.
      
      Reported-by: Nadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: x86: Avoid emulating instructions on #UD mistakenly · 3a6095a0
      Nadav Amit authored
      Commit d40a6898 mistakenly caused instructions which are not marked as
      EmulateOnUD to be emulated upon #UD exception. The commit caused the check of
      whether the instruction flags include EmulateOnUD to never be evaluated. As a
      result instructions whose emulation is broken may be emulated.  This fix moves
      the evaluation of EmulateOnUD so it would be evaluated.
      
      Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
      [Tweak operand order in &&, remove EmulateOnUD where it's now superfluous.
       - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • PC, KVM, CMA: Fix regression caused by wrong get_order() use · c04fa583
      Alexey Kardashevskiy authored
      fc95ca72 claims that there is no
      functional change but this is not true as it calls get_order() (which
      takes bytes) where it should have called order_base_2() and the kernel
      stops on VM_BUG_ON().
      
      This replaces get_order() with order_base_2() (round-up version of ilog2).
      
      Suggested-by: Paul Mackerras <paulus@samba.org>
      Cc: Alexander Graf <agraf@suse.de>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
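      The get_order() versus order_base_2() distinction in the commit above, shown as an added example (userspace re-implementations, not kernel code and not part of the commit): get_order() takes a size in bytes and returns the page order that holds it, while order_base_2() is the round-up ilog2 of a plain count, so handing a page count to get_order() yields an order that is far too small. PAGE_SHIFT is assumed to be 12, the `_u` suffix marks the helpers as local re-implementations, and order_covers() is an assumed stand-in for the sanity check that trips; none of these names are from the page.

```c
/* Added example, not kernel code: re-implementations of get_order() and
 * order_base_2() to show why the two are not interchangeable.
 * Assumptions (not from the page): PAGE_SHIFT == 12, sizes/counts > 0,
 * and order_covers() as a stand-in for the sanity check that trips. */
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* floor(log2(n)) for n > 0, what the kernel's ilog2() computes */
static unsigned int ilog2_u(unsigned long n)
{
	unsigned int r = 0;

	while (n >>= 1)
		r++;
	return r;
}

/* ceil(log2(n)): the round-up ilog2 the fix switches to.  Input is a
 * COUNT (here: pages); result is the order of the smallest power of two
 * that covers the count. */
static unsigned int order_base_2_u(unsigned long n)
{
	return n <= 1 ? 0 : ilog2_u(n - 1) + 1;
}

/* Page order that holds 'size' BYTES, the semantics of get_order(): the
 * byte size is first converted to pages, then rounded up to a power of two. */
static unsigned int get_order_u(unsigned long size)
{
	if (size <= PAGE_SIZE)
		return 0;
	return order_base_2_u((size + PAGE_SIZE - 1) >> PAGE_SHIFT);
}

/* Does an allocation of 2^order pages actually cover nr_pages?  This is the
 * invariant a too-small order violates (assumed shape of the check). */
static int order_covers(unsigned int order, unsigned long nr_pages)
{
	return (1UL << order) >= nr_pages;
}

int main(void)
{
	unsigned long counts[] = { 1, 2, 1024, 4096, 5000 };

	for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
		unsigned long n = counts[i];
		unsigned int wrong = get_order_u(n);     /* treats the page count as bytes */
		unsigned int right = order_base_2_u(n);  /* treats it as a count */

		printf("%5lu pages: get_order=%2u (covers: %s)  order_base_2=%2u (covers: %s)\n",
		       n, wrong, order_covers(wrong, n) ? "yes" : "no",
		       right, order_covers(right, n) ? "yes" : "no");
	}
	return 0;
}
```

      For 1024 pages get_order_u() answers 0 (1024 bytes fit in one page) while order_base_2_u() answers 10; only the latter order covers the request, which is the shape of the regression the commit describes.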
    • kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601) · 350b8bdd
      Michael S. Tsirkin authored
      The third parameter of kvm_iommu_put_pages is wrong;
      it should be 'gfn - slot->base_gfn'.
      
      By making gfn very large, a malicious guest or userspace can cause kvm to
      go to this error path, and subsequently to pass a huge value as size.
      Alternatively, if gfn is small, then pages would be pinned but never
      unpinned, causing a host memory leak and local DoS.
      
      Passing a reasonable but large value could be the most dangerous case,
      because it would unpin a page that should have stayed pinned, and thus
      allow the device to DMA into arbitrary memory.  However, this cannot
      happen because of the condition that can trigger the error:
      
      - out of memory (where you can't allocate even a single page)
        should not be possible for the attacker to trigger
      
      - when exceeding the iommu's address space, guest pages after gfn
        will also exceed the iommu's address space, and inside
        kvm_iommu_put_pages() the iommu_iova_to_phys() will fail.  The
        page thus would not be unpinned at all.
      
      Reported-by: Jack Morgenstein <jackm@mellanox.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
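      The error-path bookkeeping behind the fix above, as an added toy model (not kernel code and not the commit's diff): a map loop pins pages one by one and, on failure, must unpin exactly the pages it pinned so far, which is `gfn - slot->base_gfn`, not an absolute value. Assumptions that are not from the page: a 64-gfn toy guest, an array of pin counts standing in for struct page refcounts, a simulated mapping failure, and, as the "wrong" variant, passing the absolute gfn as the size (chosen for illustration; the page does not show the original code). The toy deliberately omits the IOMMU address-space limit that the commit says prevents the over-unpin in the real code, so it shows only what the size argument controls.

```c
/* Added example, not kernel code: a toy pin-then-map loop whose error
 * path must unpin exactly what it pinned.  Assumptions (not from the page):
 * a 64-gfn toy guest, pin counts as a stand-in for page refcounts, and a
 * simulated mapping failure.  The kernel's own kvm_iommu_map_pages() and
 * kvm_iommu_put_pages() are not reproduced here. */
#include <stdio.h>
#include <string.h>

#define NR_GFNS 64UL

struct kvm_slot {
	unsigned long base_gfn;
	unsigned long npages;
};

struct toy_host {
	int pinned[NR_GFNS];        /* pin count per gfn (toy refcount) */
	unsigned long fail_at_gfn;  /* pin_and_map() fails for this gfn */
};

/* Pin one guest page and insert it into the (toy) IOMMU. */
static int pin_and_map(struct toy_host *h, unsigned long gfn)
{
	if (gfn >= NR_GFNS || gfn == h->fail_at_gfn)
		return -1;  /* models an allocation or iommu_map() failure */
	h->pinned[gfn]++;
	return 0;
}

/* Unpin 'npages' pages starting at 'base_gfn'.  Pages past the toy guest
 * are skipped; the real code's iommu_iova_to_phys() failure is NOT modelled. */
static void put_pages(struct toy_host *h, unsigned long base_gfn, unsigned long npages)
{
	for (unsigned long gfn = base_gfn; gfn < base_gfn + npages; gfn++) {
		if (gfn >= NR_GFNS)
			break;
		if (h->pinned[gfn] > 0)
			h->pinned[gfn]--;
	}
}

/* Map a slot; on failure, unwind.  'bad_unwind' passes the absolute gfn as
 * the size (an illustrative wrong value, not the page's original code)
 * instead of the number of pages pinned so far. */
static int map_slot(struct toy_host *h, const struct kvm_slot *s, int bad_unwind)
{
	for (unsigned long gfn = s->base_gfn; gfn < s->base_gfn + s->npages; gfn++) {
		if (pin_and_map(h, gfn) == 0)
			continue;
		if (bad_unwind)
			put_pages(h, s->base_gfn, gfn);                /* absolute gfn: too big */
		else
			put_pages(h, s->base_gfn, gfn - s->base_gfn);  /* pages pinned: exact */
		return -1;
	}
	return 0;
}

/* Total pins currently held in the toy host. */
static int total_pins(const struct toy_host *h)
{
	int n = 0;

	for (unsigned long gfn = 0; gfn < NR_GFNS; gfn++)
		n += h->pinned[gfn];
	return n;
}

/* Scenario (constructed): a slot at gfn 48..55 is already mapped and must
 * stay pinned; mapping a second slot at 32..47 fails at gfn 36.  Returns
 * the pins left afterwards; 8 means only the first slot is still pinned. */
static int pins_after_failed_map(int bad_unwind)
{
	struct toy_host h;
	struct kvm_slot mapped  = { .base_gfn = 48, .npages = 8 };
	struct kvm_slot failing = { .base_gfn = 32, .npages = 16 };

	memset(&h, 0, sizeof(h));
	h.fail_at_gfn = NR_GFNS;               /* no failure while mapping the first slot */
	if (map_slot(&h, &mapped, 0) != 0)
		return -1;
	h.fail_at_gfn = 36;                    /* fifth page of the new slot fails to pin */
	if (map_slot(&h, &failing, bad_unwind) != -1)
		return -1;
	return total_pins(&h);
}

int main(void)
{
	printf("exact unwind leaves %d pins (expect 8)\n", pins_after_failed_map(0));
	printf("oversized unwind leaves %d pins (the mapped slot lost its pins)\n",
	       pins_after_failed_map(1));
	return 0;
}
```

      With the exact count the 48..55 slot keeps its eight pins; with the oversized count the unwind walks past the failed slot and unpins pages a device may still have mapped, which is the "most dangerous case" the commit reasons about.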
    • md/raid10: always initialise ->state on newly allocated r10_bio · cb8b12b5
      NeilBrown authored
      Most places which allocate an r10_bio zero the ->state, some don't.
      As the r10_bio comes from a mempool, and the allocation function uses
      kzalloc it is often zero anyway.  But sometimes it isn't and it is
      best to be safe.
      
      I only noticed this because of the bug fixed by an earlier patch
      where the r10_bios allocated for a reshape were left around to
      be used by a subsequent resync.  In that case the R10BIO_IsReshape
      flag caused problems.
      
      Signed-off-by: NeilBrown <neilb@suse.de>
    • md/raid10: avoid memory leak on error path during reshape. · e337aead
      NeilBrown authored
      If raid10 reshape fails to find somewhere to read a block
      from, it returns without freeing memory...
      
      Signed-off-by: NeilBrown <neilb@suse.de>
    • md/raid10: Fix memory leak when raid10 reshape completes. · b3968552
      NeilBrown authored
      When a raid10 commences a resync/recovery/reshape it allocates
      some buffer space.
      When a resync/recovery completes the buffer space is freed.  But not
      when the reshape completes.
      This can result in a small memory leak.
      
      There is a subtle side-effect of this bug.  When a RAID10 is reshaped
      to a larger array (more devices), the reshape is immediately followed
      by a "resync" of the new space.  This "resync" will use the buffer
      space which was allocated for "reshape".  This can cause problems
      including a "BUG" in the SCSI layer.  So this is suitable for -stable.
      
      Cc: stable@vger.kernel.org (v3.5+)
      Fixes: 3ea7daa5
      Signed-off-by: NeilBrown <neilb@suse.de>
    • md/raid10: fix memory leak when reshaping a RAID10. · ce0b0a46
      NeilBrown authored
      raid10 reshape clears unwanted bits from a bio->bi_flags using
      a method which, while clumsy, worked until 3.10 when BIO_OWNS_VEC
      was added.
      Since then it clears that bit but shouldn't.  This results in a
      memory leak.
      
      So change to use the approved method of clearing unwanted bits.
      
      As this causes a memory leak which can consume all of memory
      the fix is suitable for -stable.
      
      Fixes: a38352e0
      Cc: stable@vger.kernel.org (v3.10+)
      Reported-by: mdraid.pkoch@dfgh.net (Peter Koch)
      Signed-off-by: NeilBrown <neilb@suse.de>
  3. 18 Aug, 2014 2 commits
    • md/raid6: avoid data corruption during recovery of double-degraded RAID6 · 9c4bdf69
      NeilBrown authored
      During recovery of a double-degraded RAID6 it is possible for
      some blocks not to be recovered properly, leading to corruption.
      
      If a write happens to one block in a stripe that would be written to a
      missing device, and at the same time that stripe is recovering data
      to the other missing device, then that recovered data may not be written.
      
      This patch skips, in the double-degraded case, an optimisation that is
      only safe for single-degraded arrays.
      
      Bug was introduced in 2.6.32 and fix is suitable for any kernel since
      then.  In an older kernel with separate handle_stripe5() and
      handle_stripe6() functions the patch must change handle_stripe6().
      
      Cc: stable@vger.kernel.org (2.6.32+)
      Fixes: 6c0069c0
      Cc: Yuri Tikhonov <yur@emcraft.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Reported-by: "Manibalan P" <pmanibalan@amiindia.co.in>
      Tested-by: "Manibalan P" <pmanibalan@amiindia.co.in>
      Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1090423
      Signed-off-by: NeilBrown <neilb@suse.de>
      Acked-by: Dan Williams <dan.j.williams@intel.com>
    • md/raid5: avoid livelock caused by non-aligned writes. · a40687ff
      NeilBrown authored
      If a stripe in a raid6 array received a write to each data block while
      the array is degraded, and if any of these writes to a missing device
      are not page-aligned, then a live-lock happens.
      
      In this case the P and Q blocks need to be read so that the part of
      the missing block which is *not* being updated by the write can be
      constructed.  Due to a logic error, these blocks are not loaded, so
      the update cannot proceed and the stripe is 'handled' repeatedly in an
      infinite loop.
      
      This bug is unlikely as most writes are page aligned.  However as it
      can lead to a livelock it is suitable for -stable.  It was introduced
      in 3.16.
      
      Cc: stable@vger.kernel.org (v3.16)
      Fixed: 67f45548
      Signed-off-by: NeilBrown <neilb@suse.de>
  4. 16 Aug, 2014 21 commits