1. 31 Jan, 2018 12 commits
    • Vegard Nossum's avatar
      time: Avoid undefined behaviour in ktime_add_safe() · 08b1cf49
      Vegard Nossum authored
      commit 979515c5 upstream.
      
      I ran into this:
      
          ================================================================================
          UBSAN: Undefined behaviour in kernel/time/hrtimer.c:310:16
          signed integer overflow:
          9223372036854775807 + 50000 cannot be represented in type 'long long int'
          CPU: 2 PID: 4798 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #91
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
           0000000000000000 ffff88010ce6fb88 ffffffff82344740 0000000041b58ab3
           ffffffff84f97a20 ffffffff82344694 ffff88010ce6fbb0 ffff88010ce6fb60
           000000000000c350 ffff88010ce6f968 dffffc0000000000 ffffffff857bc320
          Call Trace:
           [<ffffffff82344740>] dump_stack+0xac/0xfc
           [<ffffffff82344694>] ? _atomic_dec_and_lock+0xc4/0xc4
           [<ffffffff8242df78>] ubsan_epilogue+0xd/0x8a
           [<ffffffff8242e6b4>] handle_overflow+0x202/0x23d
           [<ffffffff8242e4b2>] ? val_to_string.constprop.6+0x11e/0x11e
           [<ffffffff8236df71>] ? timerqueue_add+0x151/0x410
           [<ffffffff81485c48>] ? hrtimer_start_range_ns+0x3b8/0x1380
           [<ffffffff81795631>] ? memset+0x31/0x40
           [<ffffffff8242e6fd>] __ubsan_handle_add_overflow+0xe/0x10
           [<ffffffff81488ac9>] hrtimer_nanosleep+0x5d9/0x790
           [<ffffffff814884f0>] ? hrtimer_init_sleeper+0x80/0x80
           [<ffffffff813a9ffb>] ? __might_sleep+0x5b/0x260
           [<ffffffff8148be10>] common_nsleep+0x20/0x30
           [<ffffffff814906c7>] SyS_clock_nanosleep+0x197/0x210
           [<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
           [<ffffffff823c7113>] ? __this_cpu_preempt_check+0x13/0x20
           [<ffffffff8162ef60>] ? __context_tracking_exit.part.3+0x30/0x1b0
           [<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
           [<ffffffff81007bd3>] do_syscall_64+0x1b3/0x4b0
           [<ffffffff845f85aa>] entry_SYSCALL64_slow_path+0x25/0x25
          ================================================================================
      
      Add a new ktime_add_unsafe() helper which doesn't check for overflow, but
      doesn't throw a UBSAN warning when it does overflow either.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08b1cf49
    • Eric Biggers's avatar
      PM / sleep: declare __tracedata symbols as char[] rather than char · 0cb5ae4d
      Eric Biggers authored
      commit f9723837 upstream.
      
      Accessing more than one byte from a symbol declared simply 'char' is undefined
      behavior, as reported by UBSAN:
      
      	UBSAN: Undefined behaviour in drivers/base/power/trace.c:178:18
      	load of address ffffffff8203fc78 with insufficient space
      	for an object of type 'char'
      
      Avoid this by declaring the symbols as arrays.
      Signed-off-by: default avatarEric Biggers <ebiggers3@gmail.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0cb5ae4d
    • Marc Kleine-Budde's avatar
      can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once · 08f39b7b
      Marc Kleine-Budde authored
      commit d4689846 upstream.
      
      If an invalid CANFD frame is received, from a driver or from a tun
      interface, a Kernel warning is generated.
      
      This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
      kernel, bootet with panic_on_warn, does not panic. A printk seems to be
      more appropriate here.
      
      Reported-by: syzbot+e3b775f40babeff6e68b@syzkaller.appspotmail.com
      Suggested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08f39b7b
    • Marc Kleine-Budde's avatar
      can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once · e7514af6
      Marc Kleine-Budde authored
      commit 8cb68751 upstream.
      
      If an invalid CAN frame is received, from a driver or from a tun
      interface, a Kernel warning is generated.
      
      This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
      kernel, bootet with panic_on_warn, does not panic. A printk seems to be
      more appropriate here.
      
      Reported-by: syzbot+4386709c0c1284dca827@syzkaller.appspotmail.com
      Suggested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      e7514af6
    • Daniel Bristot de Oliveira's avatar
      sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks · 1d00e3d9
      Daniel Bristot de Oliveira authored
      commit 3effcb42 upstream.
      
      We have been facing some problems with self-suspending constrained
      deadline tasks. The main reason is that the original CBS was not
      designed for such sort of tasks.
      
      One problem reported by Xunlei Pang takes place when a task
      suspends, and then is awakened before the deadline, but so close
      to the deadline that its remaining runtime can cause the task
      to have an absolute density higher than allowed. In such situation,
      the original CBS assumes that the task is facing an early activation,
      and so it replenishes the task and set another deadline, one deadline
      in the future. This rule works fine for implicit deadline tasks.
      Moreover, it allows the system to adapt the period of a task in which
      the external event source suffered from a clock drift.
      
      However, this opens the window for bandwidth leakage for constrained
      deadline tasks. For instance, a task with the following parameters:
      
        runtime   = 5 ms
        deadline  = 7 ms
        [density] = 5 / 7 = 0.71
        period    = 1000 ms
      
      If the task runs for 1 ms, and then suspends for another 1ms,
      it will be awakened with the following parameters:
      
        remaining runtime = 4
        laxity = 5
      
      presenting a absolute density of 4 / 5 = 0.80.
      
      In this case, the original CBS would assume the task had an early
      wakeup. Then, CBS will reset the runtime, and the absolute deadline will
      be postponed by one relative deadline, allowing the task to run.
      
      The problem is that, if the task runs this pattern forever, it will keep
      receiving bandwidth, being able to run 1ms every 2ms. Following this
      behavior, the task would be able to run 500 ms in 1 sec. Thus running
      more than the 5 ms / 1 sec the admission control allowed it to run.
      
      Trying to address the self-suspending case, Luca Abeni, Giuseppe
      Lipari, and Juri Lelli [1] revisited the CBS in order to deal with
      self-suspending tasks. In the new approach, rather than
      replenishing/postponing the absolute deadline, the revised wakeup rule
      adjusts the remaining runtime, reducing it to fit into the allowed
      density.
      
      A revised version of the idea is:
      
      At a given time t, the maximum absolute density of a task cannot be
      higher than its relative density, that is:
      
        runtime / (deadline - t) <= dl_runtime / dl_deadline
      
      Knowing the laxity of a task (deadline - t), it is possible to move
      it to the other side of the equality, thus enabling to define max
      remaining runtime a task can use within the absolute deadline, without
      over-running the allowed density:
      
        runtime = (dl_runtime / dl_deadline) * (deadline - t)
      
      For instance, in our previous example, the task could still run:
      
        runtime = ( 5 / 7 ) * 5
        runtime = 3.57 ms
      
      Without causing damage for other deadline tasks. It is note worthy
      that the laxity cannot be negative because that would cause a negative
      runtime. Thus, this patch depends on the patch:
      
        df8eac8c ("sched/deadline: Throttle a constrained deadline task activated after the deadline")
      
      Which throttles a constrained deadline task activated after the
      deadline.
      
      Finally, it is also possible to use the revised wakeup rule for
      all other tasks, but that would require some more discussions
      about pros and cons.
      
      [The main difference from the original commit is that
       the BW_SHIFT define was not present yet. As BW_SHIFT was
       introduced in a new feature, I just used the value (20),
       likewise we used to use before the #define.
       Other changes were required because of comments. - bistrot]
      Reported-by: default avatarXunlei Pang <xpang@redhat.com>
      Signed-off-by: default avatarDaniel Bristot de Oliveira <bristot@redhat.com>
      [peterz: replaced dl_is_constrained with dl_is_implicit]
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Juri Lelli <juri.lelli@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Luca Abeni <luca.abeni@santannapisa.it>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
      Link: http://lkml.kernel.org/r/5c800ab3a74a168a84ee5f3f84d12a02e11383be.1495803804.git.bristot@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarDaniel Bristot de Oliveira <bristot@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d00e3d9
    • David Woodhouse's avatar
      x86/retpoline: Fill RSB on context switch for affected CPUs · 18bb117d
      David Woodhouse authored
      commit c995efd5 upstream.
      
      On context switch from a shallow call stack to a deeper one, as the CPU
      does 'ret' up the deeper side it may encounter RSB entries (predictions for
      where the 'ret' goes to) which were populated in userspace.
      
      This is problematic if neither SMEP nor KPTI (the latter of which marks
      userspace pages as NX for the kernel) are active, as malicious code in
      userspace may then be executed speculatively.
      
      Overwrite the CPU's return prediction stack with calls which are predicted
      to return to an infinite loop, to "capture" speculation if this
      happens. This is required both for retpoline, and also in conjunction with
      IBRS for !SMEP && !KPTI.
      
      On Skylake+ the problem is slightly different, and an *underflow* of the
      RSB may cause errant branch predictions to occur. So there it's not so much
      overwrite, as *filling* the RSB to attempt to prevent it getting
      empty. This is only a partial solution for Skylake+ since there are many
      other conditions which may result in the RSB becoming empty. The full
      solution on Skylake+ is to use IBRS, which will prevent the problem even
      when the RSB becomes empty. With IBRS, the RSB-stuffing will not be
      required on context switch.
      
      [ tglx: Added missing vendor check and slighty massaged comments and
        	changelog ]
      
      [js] backport to 4.4 -- __switch_to_asm does not exist there, we
           have to patch the switch_to macros for both x86_32 and x86_64.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarArjan van de Ven <arjan@linux.intel.com>
      Cc: gnomes@lxorguk.ukuu.org.uk
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: thomas.lendacky@amd.com
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Kees Cook <keescook@google.com>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
      Cc: Paul Turner <pjt@google.com>
      Link: https://lkml.kernel.org/r/1515779365-9032-1-git-send-email-dwmw@amazon.co.ukSigned-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18bb117d
    • Dave Hansen's avatar
      x86/cpu/intel: Introduce macros for Intel family numbers · 0dfd5fbc
      Dave Hansen authored
      commit 970442c5 upstream.
      
      Problem:
      
      We have a boatload of open-coded family-6 model numbers.  Half of
      them have these model numbers in hex and the other half in
      decimal.  This makes grepping for them tons of fun, if you were
      to try.
      
      Solution:
      
      Consolidate all the magic numbers.  Put all the definitions in
      one header.
      
      The names here are closely derived from the comments describing
      the models from arch/x86/events/intel/core.c.  We could easily
      make them shorter by doing things like s/SANDYBRIDGE/SNB/, but
      they seemed fine even with the longer versions to me.
      
      Do not take any of these names too literally, like "DESKTOP"
      or "MOBILE".  These are all colloquial names and not precise
      descriptions of everywhere a given model will show up.
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Darren Hart <dvhart@infradead.org>
      Cc: Dave Hansen <dave@sr71.net>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Doug Thompson <dougthompson@xmission.com>
      Cc: Eduardo Valentin <edubezval@gmail.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Len Brown <lenb@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Rajneesh Bhardwaj <rajneesh.bhardwaj@intel.com>
      Cc: Souvik Kumar Chakravarty <souvik.k.chakravarty@intel.com>
      Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Ulf Hansson <ulf.hansson@linaro.org>
      Cc: Viresh Kumar <viresh.kumar@linaro.org>
      Cc: Vishwanath Somayaji <vishwanath.somayaji@intel.com>
      Cc: Zhang Rui <rui.zhang@intel.com>
      Cc: jacob.jun.pan@intel.com
      Cc: linux-acpi@vger.kernel.org
      Cc: linux-edac@vger.kernel.org
      Cc: linux-mmc@vger.kernel.org
      Cc: linux-pm@vger.kernel.org
      Cc: platform-driver-x86@vger.kernel.org
      Link: http://lkml.kernel.org/r/20160603001927.F2A7D828@viggo.jf.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dfd5fbc
    • Ben Hutchings's avatar
      x86/microcode/intel: Fix BDW late-loading revision check · 20e3fa5d
      Ben Hutchings authored
      The backport of commit b94b7373 ("x86/microcode/intel: Extend BDW
      late-loading with a revision check") to 4.4-stable deleted a "return true"
      statement.  This bug is not present upstream or other stable branches.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20e3fa5d
    • Jonathan Dieter's avatar
      usbip: Fix potential format overflow in userspace tools · 579a9885
      Jonathan Dieter authored
      commit e5dfa3f9 upstream.
      
      The usbip userspace tools call sprintf()/snprintf() and don't check for
      the return value which can lead the paths to overflow, truncating the
      final file in the path.
      
      More urgently, GCC 7 now warns that these aren't checked with
      -Wformat-overflow, and with -Werror enabled in configure.ac, that makes
      these tools unbuildable.
      
      This patch fixes these problems by replacing sprintf() with snprintf() in
      one place and adding checks for the return value of snprintf().
      Reviewed-by: default avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Signed-off-by: default avatarJonathan Dieter <jdieter@lesbg.com>
      Acked-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      579a9885
    • Jonathan Dieter's avatar
      usbip: Fix implicit fallthrough warning · 4493f498
      Jonathan Dieter authored
      commit cfd6ed45 upstream.
      
      GCC 7 now warns when switch statements fall through implicitly, and with
      -Werror enabled in configure.ac, that makes these tools unbuildable.
      
      We fix this by notifying the compiler that this particular case statement
      is meant to fall through.
      Reviewed-by: default avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Signed-off-by: default avatarJonathan Dieter <jdieter@lesbg.com>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4493f498
    • Shuah Khan's avatar
      usbip: prevent vhci_hcd driver from leaking a socket pointer address · 28f467e0
      Shuah Khan authored
      commit 2f2d0088 upstream.
      
      When a client has a USB device attached over IP, the vhci_hcd driver is
      locally leaking a socket pointer address via the
      
      /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
      output when "usbip --debug port" is run.
      
      Fix it to not leak. The socket pointer address is not used at the moment
      and it was made visible as a convenient way to find IP address from socket
      pointer address by looking up /proc/net/{tcp,tcp6}.
      
      As this opens a security hole, the fix replaces socket pointer address with
      sockfd.
      Reported-by: default avatarSecunia Research <vuln@secunia.com>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      28f467e0
    • Andy Lutomirski's avatar
      x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels · 8bb0c6a1
      Andy Lutomirski authored
      commit 1c52d859 upstream.
      
      We support various non-Intel CPUs that don't have the CPUID
      instruction, so the M486 test was wrong.  For now, fix it with a big
      hammer: handle missing CPUID on all 32-bit CPUs.
      Reported-by: default avatarOne Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Matthew Whitehead <tedheadster@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
      Cc: Andrew Cooper <andrew.cooper3@citrix.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: xen-devel <Xen-devel@lists.xen.org>
      Link: http://lkml.kernel.org/r/685bd083a7c036f7769510b6846315b17d6ba71f.1481307769.git.luto@kernel.orgSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: "Zhang, Ning A" <ning.a.zhang@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bb0c6a1
  2. 23 Jan, 2018 28 commits