1. 01 Feb, 2017 9 commits
  2. 31 Jan, 2017 1 commit
  3. 30 Jan, 2017 1 commit
    • x86/microcode: Do not access the initrd after it has been freed · 24c25032
      Borislav Petkov authored
      When we look for microcode blobs, we first try builtin and if that
      doesn't succeed, we fall back to the initrd supplied to the kernel.
      
      However, at some point during boot, that initrd gets jettisoned and we
      shouldn't access it anymore. But we do, as the below KASAN report shows.
      That's because find_microcode_in_initrd() doesn't check whether the
      initrd is still valid or not.
      
      So do that.
      
        ==================================================================
        BUG: KASAN: use-after-free in find_cpio_data
        Read of size 1 by task swapper/1/0
        page:ffffea0000db9d40 count:0 mapcount:0 mapping:          (null) index:0x1
        flags: 0x100000000000000()
        raw: 0100000000000000 0000000000000000 0000000000000001 00000000ffffffff
        raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
        page dumped because: kasan: bad access detected
        CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.10.0-rc5-debug-00075-g2dbde22 #3
        Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 1.2.3 12/01/2016
        Call Trace:
         dump_stack
         ? _atomic_dec_and_lock
         ? __dump_page
         kasan_report_error
         ? pointer
         ? find_cpio_data
         __asan_report_load1_noabort
         ? find_cpio_data
         find_cpio_data
         ? vsprintf
         ? dump_stack
         ? get_ucode_user
         ? print_usage_bug
         find_microcode_in_initrd
         __load_ucode_intel
         ? collect_cpu_info_early
         ? debug_check_no_locks_freed
         load_ucode_intel_ap
         ? collect_cpu_info
         ? trace_hardirqs_on
         ? flat_send_IPI_mask_allbutself
         load_ucode_ap
         ? get_builtin_firmware
         ? flush_tlb_func
         ? do_raw_spin_trylock
         ? cpumask_weight
         cpu_init
         ? trace_hardirqs_off
         ? play_dead_common
         ? native_play_dead
         ? hlt_play_dead
         ? syscall_init
         ? arch_cpu_idle_dead
         ? do_idle
         start_secondary
         start_cpu
        Memory state around the buggy address:
         ffff880036e74f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
         ffff880036e74f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        >ffff880036e75000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                           ^
         ffff880036e75080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
         ffff880036e75100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        ==================================================================
      Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Tested-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20170126165833.evjemhbqzaepirxo@pd.tnic
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  4. 24 Jan, 2017 1 commit
    • x86/fpu/xstate: Fix xcomp_bv in XSAVES header · dffba9a3
      Yu-cheng Yu authored
      The compacted-format XSAVES area is determined at boot time and
      never changed after.  The field xsave.header.xcomp_bv indicates
      which components are in the fixed XSAVES format.
      
      In fpstate_init() we did not set xcomp_bv to reflect the XSAVES
      format since at the time there is no valid data.
      
      However, after we do copy_init_fpstate_to_fpregs() in fpu__clear(),
      as in commit:
      
        b22cbe40 x86/fpu: Fix invalid FPU ptrace state after execve()
      
      and when __fpu_restore_sig() does fpu__restore() for a COMPAT-mode
      app, a #GP occurs.  This can be easily triggered by doing valgrind on
      a COMPAT-mode "Hello World," as reported by Joakim Tjernlund and
      others:
      
      	https://bugzilla.kernel.org/show_bug.cgi?id=190061
      
      Fix it by setting xcomp_bv correctly.
      
      This patch also moves the xcomp_bv initialization to the proper
      place, which was in copyin_to_xsaves() as of:
      
        4c833368 x86/fpu: Set the xcomp_bv when we fake up a XSAVES area
      
      which fixed the bug too, but it's more efficient and cleaner to
      initialize things once per boot, not for every signal handling
      operation.
      Reported-by: Kevin Hao <haokexin@gmail.com>
      Reported-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
      Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ravi V. Shankar <ravi.v.shankar@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: haokexin@gmail.com
      Link: http://lkml.kernel.org/r/1485212084-4418-1-git-send-email-yu-cheng.yu@intel.com
      [ Combined it with 4c833368. ]
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  5. 23 Jan, 2017 2 commits
    • x86/fpu: Set the xcomp_bv when we fake up a XSAVES area · 4c833368
      Kevin Hao authored
      I got the following calltrace on an Apollo Lake SoC with 32-bit kernel:
      
        WARNING: CPU: 2 PID: 261 at arch/x86/include/asm/fpu/internal.h:363 fpu__restore+0x1f5/0x260
        [...]
        Hardware name: Intel Corp. Broxton P/NOTEBOOK, BIOS APLIRVPA.X64.0138.B35.1608091058 08/09/2016
        Call Trace:
         dump_stack()
         __warn()
         ? fpu__restore()
         warn_slowpath_null()
         fpu__restore()
         __fpu__restore_sig()
         fpu__restore_sig()
         restore_sigcontext.isra.9()
         sys_sigreturn()
         do_int80_syscall_32()
         entry_INT80_32()
      
      The reason is that a #GP occurs when executing XRSTORS. The root cause
      is that we forget to set the xcomp_bv when we fake up the XSAVES area
      in the copyin_to_xsaves() function.
      Signed-off-by: Kevin Hao <haokexin@gmail.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
      Link: http://lkml.kernel.org/r/1485075023-30161-1-git-send-email-haokexin@gmail.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    • x86/microcode/intel: Drop stashed AP patch pointer optimization · c26665ab
      Borislav Petkov authored
      This was meant to save us the scanning of the microcode container in
      the initrd since the first AP had already done that but it can also hurt
      us:
      
      Imagine a single hyperthreaded CPU (Intel(R) Atom(TM) CPU N270, for
      example) which updates the microcode on the BSP but since the microcode
      engine is shared between the two threads, the update on CPU1 doesn't
      happen because it has already happened on CPU0 and we don't find a newer
      microcode revision on CPU1.
      
      Which doesn't set the intel_ucode_patch pointer and at initrd
      jettisoning time we don't save the microcode patch for later
      application.
      
      Now, when we suspend to RAM, the loaded microcode gets cleared so we
      need to reload but there's no patch saved in the cache.
      
      Removing the optimization fixes this issue and all is fine and dandy.
      
      Fixes: 06b8534c ("x86/microcode: Rework microcode loading")
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20170120202955.4091-2-bp@alien8.de
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
  6. 22 Jan, 2017 10 commits
    • Linux 4.10-rc5 · 7a308bb3
      Linus Torvalds authored
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 095cbe66
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "Restore the retrigger callbacks in the IO APIC irq chips. That
        addresses a long standing regression which got introduced with the
        rewrite of the x86 irq subsystem two years ago and went unnoticed so
        far"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/ioapic: Restore IO-APIC irq_chip retrigger callback
    • Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 24b86839
      Linus Torvalds authored
      Pull smp/hotplug fix from Thomas Gleixner:
       "Remove an unused variable which is a leftover from the notifier
        removal"
      
      * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        cpu/hotplug: Remove unused but set variable in _cpu_down()
    • Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 585457fc
      Linus Torvalds authored
      Pull virtio/vhost fixes from Michael Tsirkin:
       "Random fixes and cleanups that accumulated over the time"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        virtio/s390: virtio: constify virtio_config_ops structures
        virtio/s390: add missing \n to end of dev_err message
        virtio/s390: support READ_STATUS command for virtio-ccw
        tools/virtio/ringtest: tweaks for s390
        tools/virtio/ringtest: fix run-on-all.sh for offline cpus
        virtio_console: fix a crash in config_work_handler
        vhost/scsi: silence uninitialized variable warning
        vhost: scsi: constify target_core_fabric_ops structures
    • Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux · bb6c01c2
      Linus Torvalds authored
      Pull thermal management fixes from Zhang Rui:
      
       - fix a regression that thermal zone dynamically allocated sysfs
         attributes are freed before they're removed, which is introduced in
         4.10-rc1 (Jacob von Chorus)
      
       - fix a boot warning because deprecated hwmon API is used (Fabio
         Estevam)
      
       - a couple of fixes for rockchip thermal driver (Brian Norris, Caesar
         Wang)
      
      * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
        thermal: rockchip: fixes the conversion table
        thermal: core: move tz->device.groups cleanup to thermal_release
        thermal: thermal_hwmon: Convert to hwmon_device_register_with_info()
        thermal: rockchip: handle set_trips without the trip points
        thermal: rockchip: optimize the conversion table
        thermal: rockchip: fixes invalid temperature case
        thermal: rockchip: don't pass table structs by value
        thermal: rockchip: improve conversion error messages
    • Merge tag 'usb-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c497f8d1
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a few small USB fixes for 4.10-rc5.
      
        Most of these are gadget/dwc2 fixes for reported issues, all of these
        have been in linux-next for a while. The last one is a single xhci
        WARN_ON removal to handle an issue that the dwc3 driver is hitting in
        the 4.10-rc tree. The warning is harmless and needs to be removed, and
        a "real" fix that is more complex will show up in 4.11-rc1 for this
        device.
      
        That last patch hasn't been in linux-next yet due to the weekend
        timing, but it's a "simple" WARN_ON() removal so what could go wrong?
        :)"
      
      Famous last words.
      
      * tag 'usb-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        xhci: remove WARN_ON if dma mask is not set for platform devices
        usb: dwc2: host: fix Wmaybe-uninitialized warning
        usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value
        usb: gadget: udc: atmel: remove memory leak
        usb: dwc3: exynos fix axius clock error path to do cleanup
        usb: dwc2: Avoid suspending if we're in gadget mode
        usb: dwc2: use u32 for DT binding parameters
        usb: gadget: f_fs: Fix iterations on endpoints.
        usb: dwc2: gadget: Fix DMA memory freeing
        usb: gadget: composite: Fix function used to free memory
    • Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · f68d8531
      Linus Torvalds authored
      Pull libnvdimm fixes from Dan Williams:
       "Two fixes:
      
         - a regression fix for the multiple-pmem-namespace-per-region support
           added in 4.9. Even if an existing environment is not using that
           feature the act of creating and destroying a single namespace
           with the ndctl utility will lead to the proliferation of extra
           unwanted namespace devices.
      
         - a fix for the error code returned from the pmem driver when the
           memcpy_mcsafe() routine returns -EFAULT. Btrfs seems to be the only
           block I/O consumer that tries to parse the meaning of the error
           code when it is non-zero.
      
        Neither of these fixes are critical, the namespace leak is awkward in
        that it can cause device naming to change and complicates debugging
        namespace initialization issues. The error code fix is included out of
        caution for what other consumers might be expecting -EIO for block I/O
        errors"
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm, namespace: fix pmem namespace leak, delete when size set to zero
        pmem: return EIO on read_pmem() failure
    • Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · f5e8c0ff
      Linus Torvalds authored
      Pull clk fix from Stephen Boyd:
       "One fix for Samsung Exynos524x SoCs where recent IOMMU patches have
        caused some of these clocks to turn off when they were always left on
        before"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk/samsung: exynos542x: mark some clocks as critical
    • Merge tag 'arc-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 455a70cb
      Linus Torvalds authored
      Pull ARC fixes from Vineet Gupta:
      
       - more intc updates [Yuriv]
      
       - fix module build when unwinder is turned off
      
       - IO Coherency Programming model updates
      
       - other miscellaneous
      
      * tag 'arc-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: Revert "ARC: mm: IOC: Don't enable IOC by default"
        ARC: mm: split arc_cache_init to allow __init reaping of bulk
        ARCv2: IOC: Use actual memory size to setup aperture size
        ARCv2: IOC: Adhere to progamming model guidelines to avoid DMA corruption
        ARCv2: IOC: refactor the IOC and SLC operations into own functions
        ARC: module: Fix !CONFIG_ARC_DW2_UNWIND builds
        ARCv2: save r30 on kernel entry as gcc uses it for code-gen
        ARCv2: IRQ: Call entry/exit functions for chained handlers in MCIP
        ARC: IRQ: Use hwirq instead of virq in mask/unmask
        ARC: mmu: clarify the MMUv3 programming model
    • Merge tag 'powerpc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 83fd57a7
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Two fixes for fallout from the hugetlb changes we merged this cycle.
      
        Ten other fixes, four only affect Power9, and the rest are a bit of a
        mixture though nothing terrible.
      
        Thanks to: Aneesh Kumar K.V, Anton Blanchard, Benjamin Herrenschmidt,
        Dave Martin, Gavin Shan, Madhavan Srinivasan, Nicholas Piggin, Reza
        Arbab"
      
      * tag 'powerpc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc: Ignore reserved field in DCSR and PVR reads and writes
        powerpc/ptrace: Preserve previous TM fprs/vsrs on short regset write
        powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
        powerpc/perf: Use MSR to report privilege level on P9 DD1
        selftest/powerpc: Wrong PMC initialized in pmc56_overflow test
        powerpc/eeh: Enable IO path on permanent error
        powerpc/perf: Fix PM_BRU_CMPL event code for power9
        powerpc/mm: Fix little-endian 4K hugetlb
        powerpc/mm/hugetlb: Don't panic when we don't find the default huge page size
        powerpc: Fix pgtable pmd cache init
        powerpc/icp-opal: Fix missing KVM case and harden replay
        powerpc/mm: Fix memory hotplug BUG() on radix
  7. 20 Jan, 2017 16 commits