1. 30 Mar, 2021 3 commits
    • Sean Christopherson's avatar
      KVM: x86/mmu: Don't allow TDP MMU to yield when recovering NX pages · 33a31641
      Sean Christopherson authored
      Prevent the TDP MMU from yielding when zapping a gfn range during NX
      page recovery.  If a flush is pending from a previous invocation of the
      zapping helper, either in the TDP MMU or the legacy MMU, but the TDP MMU
      has not accumulated a flush for the current invocation, then yielding
      will release mmu_lock with stale TLB entries.
      
      That being said, this isn't technically a bug fix in the current code, as
      the TDP MMU will never yield in this case.  tdp_mmu_iter_cond_resched()
      will yield if and only if it has made forward progress, as defined by the
      current gfn vs. the last yielded (or starting) gfn.  Because zapping a
      single shadow page is guaranteed to (a) find that page and (b) step
      sideways at the level of the shadow page, the TDP iter will break its loop
      before getting a chance to yield.
      
      But that is all very, very subtle, and will break at the slightest sneeze,
      e.g. zapping while holding mmu_lock for read would break as the TDP MMU
      wouldn't be guaranteed to see the present shadow page, and thus could step
      sideways at a lower level.
      
      Cc: Ben Gardon <bgardon@google.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210325200119.1359384-4-seanjc@google.com>
      [Add lockdep assertion. - Paolo]
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      33a31641
    • Sean Christopherson's avatar
      KVM: x86/mmu: Ensure TLBs are flushed for TDP MMU during NX zapping · 048f4980
      Sean Christopherson authored
      Honor the "flush needed" return from kvm_tdp_mmu_zap_gfn_range(), which
      does the flush itself if and only if it yields (which it will never do in
      this particular scenario), and otherwise expects the caller to do the
      flush.  If pages are zapped from the TDP MMU but not the legacy MMU, then
      no flush will occur.
      
      Fixes: 29cf0f50 ("kvm: x86/mmu: NX largepage recovery for TDP MMU")
      Cc: stable@vger.kernel.org
      Cc: Ben Gardon <bgardon@google.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210325200119.1359384-3-seanjc@google.com>
      Reviewed-by: default avatarBen Gardon <bgardon@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      048f4980
    • Sean Christopherson's avatar
      KVM: x86/mmu: Ensure TLBs are flushed when yielding during GFN range zap · a835429c
      Sean Christopherson authored
      When flushing a range of GFNs across multiple roots, ensure any pending
      flush from a previous root is honored before yielding while walking the
      tables of the current root.
      
      Note, kvm_tdp_mmu_zap_gfn_range() now intentionally overwrites its local
      "flush" with the result to avoid redundant flushes.  zap_gfn_range()
      preserves and return the incoming "flush", unless of course the flush was
      performed prior to yielding and no new flush was triggered.
      
      Fixes: 1af4a960 ("KVM: x86/mmu: Yield in TDU MMU iter even if no SPTES changed")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarBen Gardon <bgardon@google.com>
      Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
      Message-Id: <20210325200119.1359384-2-seanjc@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      a835429c
  2. 14 Mar, 2021 14 commits
    • Linus Torvalds's avatar
      Linux 5.12-rc3 · 1e28eed1
      Linus Torvalds authored
      1e28eed1
    • Alexey Dobriyan's avatar
      prctl: fix PR_SET_MM_AUXV kernel stack leak · c995f12a
      Alexey Dobriyan authored
      Doing a
      
      	prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);
      
      will copy 1 byte from userspace to (quite big) on-stack array
      and then stash everything to mm->saved_auxv.
      AT_NULL terminator will be inserted at the very end.
      
      /proc/*/auxv handler will find that AT_NULL terminator
      and copy original stack contents to userspace.
      
      This devious scheme requires CAP_SYS_RESOURCE.
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c995f12a
    • Linus Torvalds's avatar
      Merge tag 'irq-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 70404fe3
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "A set of irqchip updates:
      
         - Make the GENERIC_IRQ_MULTI_HANDLER configuration correct
      
         - Add a missing DT compatible string for the Ingenic driver
      
         - Remove the pointless debugfs_file pointer from struct irqdomain"
      
      * tag 'irq-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/ingenic: Add support for the JZ4760
        dt-bindings/irq: Add compatible string for the JZ4760B
        irqchip: Do not blindly select CONFIG_GENERIC_IRQ_MULTI_HANDLER
        ARM: ep93xx: Select GENERIC_IRQ_MULTI_HANDLER directly
        irqdomain: Remove debugfs_file from struct irq_domain
      70404fe3
    • Linus Torvalds's avatar
      Merge tag 'timers-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 802b31c0
      Linus Torvalds authored
      Pull timer fix from Thomas Gleixner:
       "A single fix in for hrtimers to prevent an interrupt storm caused by
        the lack of reevaluation of the timers which expire in softirq context
        under certain circumstances, e.g. when the clock was set"
      
      * tag 'timers-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event()
      802b31c0
    • Linus Torvalds's avatar
      Merge tag 'sched-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c72cbc93
      Linus Torvalds authored
      Pull scheduler fixes from Thomas Gleixner:
       "A set of scheduler updates:
      
         - Prevent a NULL pointer dereference in the migration_stop_cpu()
           mechanims
      
         - Prevent self concurrency of affine_move_task()
      
         - Small fixes and cleanups related to task migration/affinity setting
      
         - Ensure that sync_runqueues_membarrier_state() is invoked on the
           current CPU when it is in the cpu mask"
      
      * tag 'sched-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/membarrier: fix missing local execution of ipi_sync_rq_state()
        sched: Simplify set_affinity_pending refcounts
        sched: Fix affine_move_task() self-concurrency
        sched: Optimize migration_cpu_stop()
        sched: Collate affine_move_task() stoppers
        sched: Simplify migration_cpu_stop()
        sched: Fix migration_cpu_stop() requeueing
      c72cbc93
    • Linus Torvalds's avatar
      Merge tag 'objtool-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 19469d2a
      Linus Torvalds authored
      Pull objtool fix from Thomas Gleixner:
       "A single objtool fix to handle the PUSHF/POPF validation correctly for
        the paravirt changes which modified arch_local_irq_restore not to use
        popf"
      
      * tag 'objtool-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool,x86: Fix uaccess PUSHF/POPF validation
      19469d2a
    • Linus Torvalds's avatar
      Merge tag 'locking-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fa509ff8
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "A couple of locking fixes:
      
         - A fix for the static_call mechanism so it handles unaligned
           addresses correctly.
      
         - Make u64_stats_init() a macro so every instance gets a seperate
           lockdep key.
      
         - Make seqcount_latch_init() a macro as well to preserve the static
           variable which is used for the lockdep key"
      
      * tag 'locking-urgent-2021-03-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        seqlock,lockdep: Fix seqcount_latch_init()
        u64_stats,lockdep: Fix u64_stats_init() vs lockdep
        static_call: Fix the module key fixup
      fa509ff8
    • Linus Torvalds's avatar
      Merge tag 'perf_urgent_for_v5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 75013c6c
      Linus Torvalds authored
      Pull perf fixes from Borislav Petkov:
      
       - Make sure PMU internal buffers are flushed for per-CPU events too and
         properly handle PID/TID for large PEBS.
      
       - Handle the case properly when there's no PMU and therefore return an
         empty list of perf MSRs for VMX to switch instead of reading random
         garbage from the stack.
      
      * tag 'perf_urgent_for_v5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/perf: Use RET0 as default for guest_get_msrs to handle "no PMU" case
        perf/x86/intel: Set PERF_ATTACH_SCHED_CB for large PEBS and LBR
        perf/core: Flush PMU internal buffers for per-CPU events
      75013c6c
    • Linus Torvalds's avatar
      Merge tag 'efi-urgent-for-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 836d7f05
      Linus Torvalds authored
      Pull EFI fix from Ard Biesheuvel via Borislav Petkov:
       "Fix an oversight in the handling of EFI_RT_PROPERTIES_TABLE, which was
        added v5.10, but failed to take the SetVirtualAddressMap() RT service
        into account"
      
      * tag 'efi-urgent-for-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi: stub: omit SetVirtualAddressMap() if marked unsupported in RT_PROP table
      836d7f05
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_v5.12_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0a7c10df
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
      
       - A couple of SEV-ES fixes and robustifications: verify usermode stack
         pointer in NMI is not coming from the syscall gap, correctly track
         IRQ states in the #VC handler and access user insn bytes atomically
         in same handler as latter cannot sleep.
      
       - Balance 32-bit fast syscall exit path to do the proper work on exit
         and thus not confuse audit and ptrace frameworks.
      
       - Two fixes for the ORC unwinder going "off the rails" into KASAN
         redzones and when ORC data is missing.
      
      * tag 'x86_urgent_for_v5.12_rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/sev-es: Use __copy_from_user_inatomic()
        x86/sev-es: Correctly track IRQ states in runtime #VC handler
        x86/sev-es: Check regs->sp is trusted before adjusting #VC IST stack
        x86/sev-es: Introduce ip_within_syscall_gap() helper
        x86/entry: Fix entry/exit mismatch on failed fast 32-bit syscalls
        x86/unwind/orc: Silence warnings caused by missing ORC data
        x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2
      0a7c10df
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · c3c7579f
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Some more powerpc fixes for 5.12:
      
         - Fix wrong instruction encoding for lis in ppc_function_entry(),
           which could potentially lead to missed kprobes.
      
         - Fix SET_FULL_REGS on 32-bit and 64e, which prevented ptrace of
           non-volatile GPRs immediately after exec.
      
         - Clean up a missed SRR specifier in the recent interrupt rework.
      
         - Don't treat unrecoverable_exception() as an interrupt handler, it's
           called from other handlers so shouldn't do the interrupt entry/exit
           accounting itself.
      
         - Fix build errors caused by missing declarations for
           [en/dis]able_kernel_vsx().
      
        Thanks to Christophe Leroy, Daniel Axtens, Geert Uytterhoeven, Jiri
        Olsa, Naveen N. Rao, and Nicholas Piggin"
      
      * tag 'powerpc-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/traps: unrecoverable_exception() is not an interrupt handler
        powerpc: Fix missing declaration of [en/dis]able_kernel_vsx()
        powerpc/64s/exception: Clean up a missed SRR specifier
        powerpc: Fix inverted SET_FULL_REGS bitop
        powerpc/64s: Use symbolic macros for function entry encoding
        powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
      c3c7579f
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9d0c8e79
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "More fixes for ARM and x86"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: LAPIC: Advancing the timer expiration on guest initiated write
        KVM: x86/mmu: Skip !MMU-present SPTEs when removing SP in exclusive mode
        KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged
        kvm: x86: annotate RCU pointers
        KVM: arm64: Fix exclusive limit for IPA size
        KVM: arm64: Reject VM creation when the default IPA size is unsupported
        KVM: arm64: Ensure I-cache isolation between vcpus of a same VM
        KVM: arm64: Don't use cbz/adr with external symbols
        KVM: arm64: Fix range alignment when walking page tables
        KVM: arm64: Workaround firmware wrongly advertising GICv2-on-v3 compatibility
        KVM: arm64: Rename __vgic_v3_get_ich_vtr_el2() to __vgic_v3_get_gic_config()
        KVM: arm64: Don't access PMSELR_EL0/PMUSERENR_EL0 when no PMU is available
        KVM: arm64: Turn kvm_arm_support_pmu_v3() into a static key
        KVM: arm64: Fix nVHE hyp panic host context restore
        KVM: arm64: Avoid corrupting vCPU context register in guest exit
        KVM: arm64: nvhe: Save the SPE context early
        kvm: x86: use NULL instead of using plain integer as pointer
        KVM: SVM: Connect 'npt' module param to KVM's internal 'npt_enabled'
        KVM: x86: Ensure deadline timer has truly expired before posting its IRQ
      9d0c8e79
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 50eb842f
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "28 patches.
      
        Subsystems affected by this series: mm (memblock, pagealloc, hugetlb,
        highmem, kfence, oom-kill, madvise, kasan, userfaultfd, memcg, and
        zram), core-kernel, kconfig, fork, binfmt, MAINTAINERS, kbuild, and
        ia64"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (28 commits)
        zram: fix broken page writeback
        zram: fix return value on writeback_store
        mm/memcg: set memcg when splitting page
        mm/memcg: rename mem_cgroup_split_huge_fixup to split_page_memcg and add nr_pages argument
        ia64: fix ptrace(PTRACE_SYSCALL_INFO_EXIT) sign
        ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls
        mm/userfaultfd: fix memory corruption due to writeprotect
        kasan: fix KASAN_STACK dependency for HW_TAGS
        kasan, mm: fix crash with HW_TAGS and DEBUG_PAGEALLOC
        mm/madvise: replace ptrace attach requirement for process_madvise
        include/linux/sched/mm.h: use rcu_dereference in in_vfork()
        kfence: fix reports if constant function prefixes exist
        kfence, slab: fix cache_alloc_debugcheck_after() for bulk allocations
        kfence: fix printk format for ptrdiff_t
        linux/compiler-clang.h: define HAVE_BUILTIN_BSWAP*
        MAINTAINERS: exclude uapi directories in API/ABI section
        binfmt_misc: fix possible deadlock in bm_register_write
        mm/highmem.c: fix zero_user_segments() with start > end
        hugetlb: do early cow when page pinned on src mm
        mm: use is_cow_mapping() across tree where proper
        ...
      50eb842f
    • Thomas Gleixner's avatar
      Merge tag 'irqchip-fixes-5.12-1' of... · b470ebc9
      Thomas Gleixner authored
      Merge tag 'irqchip-fixes-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent
      
      Pull irqchip fixes from Marc Zyngier:
      
        - More compatible strings for the Ingenic irqchip (introducing the
          JZ4760B SoC)
        - Select GENERIC_IRQ_MULTI_HANDLER on the ARM ep93xx platform
        - Drop all GENERIC_IRQ_MULTI_HANDLER selections from the irqchip
          Kconfig, now relying on the architecture to get it right
        - Drop the debugfs_file field from struct irq_domain, now that
          debugfs can track things on its own
      b470ebc9
  3. 13 Mar, 2021 23 commits