1. 04 Dec, 2018 1 commit
    • Masami Hiramatsu's avatar
      kprobes/x86: Fix instruction patching corruption when copying more than one... · 43a1b0cb
      Masami Hiramatsu authored
      kprobes/x86: Fix instruction patching corruption when copying more than one RIP-relative instruction
      
      After copy_optimized_instructions() copies several instructions
      to the working buffer it tries to fix up the real RIP address, but it
      adjusts the RIP-relative instruction with an incorrect RIP address
      for the 2nd and subsequent instructions due to a bug in the logic.
      
      This will break the kernel pretty badly (with likely outcomes such as
      a kernel freeze, a crash, or worse) because probed instructions can refer
      to the wrong data.
      
      For example putting kprobes on cpumask_next() typically hits this bug.
      
      cpumask_next() is normally like below if CONFIG_CPUMASK_OFFSTACK=y
      (in this case nr_cpumask_bits is an alias of nr_cpu_ids):
      
       <cpumask_next>:
      	48 89 f0		mov    %rsi,%rax
      	8b 35 7b fb e2 00	mov    0xe2fb7b(%rip),%esi # ffffffff82db9e64 <nr_cpu_ids>
      	55			push   %rbp
      ...
      
      If we put a kprobe on it and it gets jump-optimized, it gets
      patched by the kprobes code like this:
      
       <cpumask_next>:
      	e9 95 7d 07 1e		jmpq   0xffffffffa000207a
      	7b fb			jnp    0xffffffff81f8a2e2 <cpumask_next+2>
      	e2 00			loop   0xffffffff81f8a2e9 <cpumask_next+9>
      	55			push   %rbp
      
      This shows that the first two MOV instructions were copied to a
      trampoline buffer at 0xffffffffa000207a.
      
      Here is the disassembled result of the trampoline, skipping
      the optprobe template instructions:
      
      	# Dump of assembly code from 0xffffffffa000207a to 0xffffffffa00020ea:
      
      	54			push   %rsp
      	...
      	48 83 c4 08		add    $0x8,%rsp
      	9d			popfq
      	48 89 f0		mov    %rsi,%rax
      	8b 35 82 7d db e2	mov    -0x1d24827e(%rip),%esi # 0xffffffff82db9e67 <nr_cpu_ids+3>
      
      This dump shows that the second MOV accesses *(nr_cpu_ids+3) instead of
      the original *nr_cpu_ids. This leads to a kernel freeze because
      cpumask_next() always returns 0 and for_each_cpu() never ends.
      
      Fix this by adding 'len' correctly to the real RIP address while
      copying.
      
      [ mingo: Improved the changelog. ]
      Reported-by: default avatarMichael Rodin <michael@rodin.online>
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Reviewed-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org # v4.15+
      Fixes: 63fef14f ("kprobes/x86: Make insn buffer always ROX and use text_poke()")
      Link: http://lkml.kernel.org/r/153504457253.22602.1314289671019919596.stgit@devboxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      43a1b0cb
  2. 02 Dec, 2018 4 commits
    • Linus Torvalds's avatar
      Linux 4.20-rc5 · 25956467
      Linus Torvalds authored
      25956467
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 6a512726
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "Volume is a little higher than usual due to a set of gpio fixes for
        Davinci platforms that's been around a while, still seemed appropriate
        to not hold off until next merge window.
      
        Besides that it's the usual mix of minor fixes, mostly corrections of
        small stuff in device trees.
      
        Major stability-related one is the removal of a regulator from DT on
        Rock960, since DVFS caused undervoltage. I expect it'll be restored
        once they figure out the underlying issue"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (28 commits)
        MAINTAINERS: Remove unused Qualcomm SoC mailing list
        ARM: davinci: dm644x: set the GPIO base to 0
        ARM: davinci: da830: set the GPIO base to 0
        ARM: davinci: dm355: set the GPIO base to 0
        ARM: davinci: dm646x: set the GPIO base to 0
        ARM: davinci: dm365: set the GPIO base to 0
        ARM: davinci: da850: set the GPIO base to 0
        gpio: davinci: restore a way to manually specify the GPIO base
        ARM: davinci: dm644x: define gpio interrupts as separate resources
        ARM: davinci: dm355: define gpio interrupts as separate resources
        ARM: davinci: dm646x: define gpio interrupts as separate resources
        ARM: davinci: dm365: define gpio interrupts as separate resources
        ARM: davinci: da8xx: define gpio interrupts as separate resources
        ARM: dts: at91: sama5d2: use the divided clock for SMC
        ARM: dts: imx51-zii-rdu1: Remove EEPROM node
        ARM: dts: rockchip: Remove @0 from the veyron memory node
        arm64: dts: rockchip: Fix PCIe reset polarity for rk3399-puma-haikou.
        arm64: dts: qcom: msm8998: Reserve gpio ranges on MTP
        arm64: dts: sdm845-mtp: Reserve reserved gpios
        arm64: dts: ti: k3-am654: Fix wakeup_uart reg address
        ...
      6a512726
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.20a-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 292974c5
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
      
       - A revert of a previous commit as it is no longer necessary and has
         shown to cause problems in some memory hotplug cases.
      
       - Some small fixes and a minor cleanup.
      
       - A patch for adding better diagnostic data in a very rare failure
         case.
      
      * tag 'for-linus-4.20a-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        pvcalls-front: fixes incorrect error handling
        Revert "xen/balloon: Mark unallocated host memory as UNUSABLE"
        xen: xlate_mmu: add missing header to fix 'W=1' warning
        xen/x86: add diagnostic printout to xen_mc_flush() in case of error
        x86/xen: cleanup includes in arch/x86/xen/spinlock.c
      292974c5
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-4.20-rc5' of git://git.infradead.org/users/vkoul/slave-dma · a234c737
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "This contains two fixes to at_hdmac which fixes long standing bus
        reported recently on serial transfers causing memory leak. These fixes
        were done by Richard Genoud"
      
      * tag 'dmaengine-fix-4.20-rc5' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: at_hdmac: fix module unloading
        dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
      a234c737
  3. 01 Dec, 2018 10 commits
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4b783176
      Linus Torvalds authored
      Pull STIBP fallout fixes from Thomas Gleixner:
       "The performance destruction department finally got it's act together
        and came up with a cure for the STIPB regression:
      
         - Provide a command line option to control the spectre v2 user space
           mitigations. Default is either seccomp or prctl (if seccomp is
           disabled in Kconfig). prctl allows mitigation opt-in, seccomp
           enables the migitation for sandboxed processes.
      
         - Rework the code to handle the conditional STIBP/IBPB control and
           remove the now unused ptrace_may_access_sched() optimization
           attempt
      
         - Disable STIBP automatically when SMT is disabled
      
         - Optimize the switch_to() logic to avoid MSR writes and invocations
           of __switch_to_xtra().
      
         - Make the asynchronous speculation TIF updates synchronous to
           prevent stale mitigation state.
      
        As a general cleanup this also makes retpoline directly depend on
        compiler support and removes the 'minimal retpoline' option which just
        pretended to provide some form of security while providing none"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (31 commits)
        x86/speculation: Provide IBPB always command line options
        x86/speculation: Add seccomp Spectre v2 user space protection mode
        x86/speculation: Enable prctl mode for spectre_v2_user
        x86/speculation: Add prctl() control for indirect branch speculation
        x86/speculation: Prepare arch_smt_update() for PRCTL mode
        x86/speculation: Prevent stale SPEC_CTRL msr content
        x86/speculation: Split out TIF update
        ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
        x86/speculation: Prepare for conditional IBPB in switch_mm()
        x86/speculation: Avoid __switch_to_xtra() calls
        x86/process: Consolidate and simplify switch_to_xtra() code
        x86/speculation: Prepare for per task indirect branch speculation control
        x86/speculation: Add command line control for indirect branch speculation
        x86/speculation: Unify conditional spectre v2 print functions
        x86/speculataion: Mark command line parser data __initdata
        x86/speculation: Mark string arrays const correctly
        x86/speculation: Reorder the spec_v2 code
        x86/l1tf: Show actual SMT state
        x86/speculation: Rework SMT state change
        sched/smt: Expose sched_smt_present static key
        ...
      4b783176
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20181201' of git://git.kernel.dk/linux-block · 88058417
      Linus Torvalds authored
      Pull block layer fixes from Jens Axboe:
      
       - Single range elevator discard merge fix, that caused crashes (Ming)
      
       - Fix for a regression in O_DIRECT, where we could potentially lose the
         error value (Maximilian Heyne)
      
       - NVMe pull request from Christoph, with little fixes all over the map
         for NVMe.
      
      * tag 'for-linus-20181201' of git://git.kernel.dk/linux-block:
        block: fix single range discard merge
        nvme-rdma: fix double freeing of async event data
        nvme: flush namespace scanning work just before removing namespaces
        nvme: warn when finding multi-port subsystems without multipathing enabled
        fs: fix lost error code in dio_complete
        nvme-pci: fix surprise removal
        nvme-fc: initialize nvme_req(rq)->ctrl after calling __nvme_fc_init_request()
        nvme: Free ctrl device name on init failure
      88058417
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.20-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · c734b425
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix a link speed checking interface that broke PCIe gen3 cards in
         gen1 slots (Mikulas Patocka)
      
       - Fix an imx6 link training error (Trent Piepho)
      
       - Fix a layerscape outbound window accessor calling error (Hou
         Zhiqiang)
      
       - Fix a DesignWare endpoint MSI-X address calculation error (Gustavo
         Pimentel)
      
      * tag 'pci-v4.20-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: Fix incorrect value returned from pcie_get_speed_cap()
        PCI: dwc: Fix MSI-X EP framework address calculation bug
        PCI: layerscape: Fix wrong invocation of outbound window disable accessor
        PCI: imx6: Fix link training status detection in link up check
      c734b425
    • Bjorn Helgaas's avatar
      Merge remote-tracking branch 'lorenzo/pci/controller-fixes' into for-linus · c74eadf8
      Bjorn Helgaas authored
        - Fix DesignWare endpoint MSI-X address calculation bug (Gustavo
          Pimentel)
      
        - Fix Layerscape outbound window disable usage (Hou Zhiqiang)
      
        - Fix imx6 link up detection (Trent Piepho)
      
      * lorenzo/pci/controller-fixes:
        PCI: dwc: Fix MSI-X EP framework address calculation bug
        PCI: layerscape: Fix wrong invocation of outbound window disable accessor
        PCI: imx6: Fix link training status detection in link up check
      c74eadf8
    • Mikulas Patocka's avatar
      PCI: Fix incorrect value returned from pcie_get_speed_cap() · f1f90e25
      Mikulas Patocka authored
      The macros PCI_EXP_LNKCAP_SLS_*GB are values, not bit masks.  We must mask
      the register and compare it against them.
      
      This fixes errors like this:
      
        amdgpu: [powerplay] failed to send message 261 ret is 0
      
      when a PCIe-v3 card is plugged into a PCIe-v1 slot, because the slot is
      being incorrectly reported as PCIe-v3 capable.
      
      6cf57be0, which appeared in v4.17, added pcie_get_speed_cap() with the
      incorrect test of PCI_EXP_LNKCAP_SLS as a bitmask.  5d9a6330, which
      appeared in v4.19, changed amdgpu to use pcie_get_speed_cap(), so the
      amdgpu bug reports below are regressions in v4.19.
      
      Fixes: 6cf57be0 ("PCI: Add pcie_get_speed_cap() to find max supported link speed")
      Fixes: 5d9a6330 ("drm/amdgpu: use pcie functions for link width and speed")
      Link: https://bugs.freedesktop.org/show_bug.cgi?id=108704
      Link: https://bugs.freedesktop.org/show_bug.cgi?id=108778Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      [bhelgaas: update comment, remove use of PCI_EXP_LNKCAP_SLS_8_0GB and
      PCI_EXP_LNKCAP_SLS_16_0GB since those should be covered by PCI_EXP_LNKCAP2,
      remove test of PCI_EXP_LNKCAP for zero, since that register is required]
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org	# v4.17+
      f1f90e25
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · d8f190ee
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "31 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (31 commits)
        ocfs2: fix potential use after free
        mm/khugepaged: fix the xas_create_range() error path
        mm/khugepaged: collapse_shmem() do not crash on Compound
        mm/khugepaged: collapse_shmem() without freezing new_page
        mm/khugepaged: minor reorderings in collapse_shmem()
        mm/khugepaged: collapse_shmem() remember to clear holes
        mm/khugepaged: fix crashes due to misaccounted holes
        mm/khugepaged: collapse_shmem() stop if punched or truncated
        mm/huge_memory: fix lockdep complaint on 32-bit i_size_read()
        mm/huge_memory: splitting set mapping+index before unfreeze
        mm/huge_memory: rename freeze_page() to unmap_page()
        initramfs: clean old path before creating a hardlink
        kernel/kcov.c: mark funcs in __sanitizer_cov_trace_pc() as notrace
        psi: make disabling/enabling easier for vendor kernels
        proc: fixup map_files test on arm
        debugobjects: avoid recursive calls with kmemleak
        userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set
        userfaultfd: shmem: add i_size checks
        userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
        userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
        ...
      d8f190ee
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.20_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 6c7954b7
      Linus Torvalds authored
      Pull few more MIPS fixes from Paul Burton:
      
       - Fix mips_get_syscall_arg() to operate on the task specified when
         detecting o32 tasks running on MIPS64 kernels.
      
       - Fix some incorrect GPIO pin muxing for the MT7620 SoC.
      
       - Update the linux-mips mailing list address.
      
      * tag 'mips_fixes_4.20_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MAINTAINERS: Update linux-mips mailing list address
        MIPS: ralink: Fix mt7620 nd_sd pinmux
        mips: fix mips_get_syscall_arg o32 check
      6c7954b7
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 868dda00
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Cortex-A76 erratum workaround
      
       - ftrace fix to enable syscall events on arm64
      
       - Fix uninitialised pointer in iort_get_platform_device_domain()
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value
        arm64: ftrace: Fix to enable syscall events on arm64
        arm64: Add workaround for Cortex-A76 erratum 1286807
      868dda00
    • Linus Torvalds's avatar
      Merge tag 'gcc-plugins-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 1f817429
      Linus Torvalds authored
      Pull stackleak plugin fix from Kees Cook:
       "Fix crash by not allowing kprobing of stackleak_erase() (Alexander
        Popov)"
      
      * tag 'gcc-plugins-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        stackleak: Disable function tracing and kprobes for stackleak_erase()
      1f817429
    • Linus Torvalds's avatar
      Merge tag 'fscache-fixes-20181130' of... · fd3b3e0e
      Linus Torvalds authored
      Merge tag 'fscache-fixes-20181130' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
      
      Pull fscache and cachefiles fixes from David Howells:
       "Misc fixes:
      
         - Fix an assertion failure at fs/cachefiles/xattr.c:138 caused by a
           race between a cache object lookup failing and someone attempting
           to reenable that object, thereby triggering an update of the
           object's attributes.
      
         - Fix an assertion failure at fs/fscache/operation.c:449 caused by a
           split atomic subtract and atomic read that allows a race to happen.
      
         - Fix a leak of backing pages when simultaneously reading the same
           page from the same object from two or more threads.
      
         - Fix a hang due to a race between a cache object being discarded and
           the corresponding cookie being reenabled.
      
        There are also some minor cleanups:
      
         - Cast an enum value to a different enum type to prevent clang from
           generating a warning. This shouldn't cause any sort of change in
           the emitted code.
      
         - Use ktime_get_real_seconds() instead of get_seconds(). This is just
           used to uniquify a filename for an object to be placed in the
           graveyard. Objects placed there are deleted by cachfilesd in
           userspace immediately thereafter.
      
         - Remove an initialised, but otherwise unused variable. This should
           have been entirely optimised away anyway"
      
      * tag 'fscache-fixes-20181130' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        fscache, cachefiles: remove redundant variable 'cache'
        cachefiles: avoid deprecated get_seconds()
        cachefiles: Explicitly cast enumerated type in put_object
        fscache: fix race between enablement and dropping of object
        cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active
        fscache: Fix race in fscache_op_complete() due to split atomic_sub & read
        cachefiles: Fix an assertion failure when trying to update a failed object
      fd3b3e0e
  4. 30 Nov, 2018 25 commits