1. 31 Jan, 2018 29 commits
    • Seunghun Han's avatar
      ACPICA: Namespace: fix operand cache leak · 4c19b00e
      Seunghun Han authored
      commit 3b2d6911 upstream.
      
      ACPICA commit a23325b2e583556eae88ed3f764e457786bf4df6
      
      I found some ACPI operand cache leaks in ACPI early abort cases.
      
      Boot log of ACPI operand cache leak is as follows:
      >[    0.174332] ACPI: Added _OSI(Module Device)
      >[    0.175504] ACPI: Added _OSI(Processor Device)
      >[    0.176010] ACPI: Added _OSI(3.0 _SCP Extensions)
      >[    0.177032] ACPI: Added _OSI(Processor Aggregator Device)
      >[    0.178284] ACPI: SCI (IRQ16705) allocation failed
      >[    0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install
      System Control Interrupt handler (20160930/evevent-131)
      >[    0.180008] ACPI: Unable to start the ACPI Interpreter
      >[    0.181125] ACPI Error: Could not remove SCI handler
      (20160930/evmisc-281)
      >[    0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has
      objects
      >[    0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2
      >[    0.186820] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS
      virtual_box 12/01/2006
      >[    0.188000] Call Trace:
      >[    0.188000]  ? dump_stack+0x5c/0x7d
      >[    0.188000]  ? kmem_cache_destroy+0x224/0x230
      >[    0.188000]  ? acpi_sleep_proc_init+0x22/0x22
      >[    0.188000]  ? acpi_os_delete_cache+0xa/0xd
      >[    0.188000]  ? acpi_ut_delete_caches+0x3f/0x7b
      >[    0.188000]  ? acpi_terminate+0x5/0xf
      >[    0.188000]  ? acpi_init+0x288/0x32e
      >[    0.188000]  ? __class_create+0x4c/0x80
      >[    0.188000]  ? video_setup+0x7a/0x7a
      >[    0.188000]  ? do_one_initcall+0x4e/0x1b0
      >[    0.188000]  ? kernel_init_freeable+0x194/0x21a
      >[    0.188000]  ? rest_init+0x80/0x80
      >[    0.188000]  ? kernel_init+0xa/0x100
      >[    0.188000]  ? ret_from_fork+0x25/0x30
      
      When early abort is occurred due to invalid ACPI information, Linux kernel
      terminates ACPI by calling acpi_terminate() function. The function calls
      acpi_ns_terminate() function to delete namespace data and ACPI operand cache
      (acpi_gbl_module_code_list).
      
      But the deletion code in acpi_ns_terminate() function is wrapped in
      ACPI_EXEC_APP definition, therefore the code is only executed when the
      definition exists. If the define doesn't exist, ACPI operand cache
      (acpi_gbl_module_code_list) is leaked, and stack dump is shown in kernel log.
      
      This causes a security threat because the old kernel (<= 4.9) shows memory
      locations of kernel functions in stack dump, therefore kernel ASLR can be
      neutralized.
      
      To fix ACPI operand leak for enhancing security, I made a patch which
      removes the ACPI_EXEC_APP define in acpi_ns_terminate() function for
      executing the deletion code unconditionally.
      
      Link: https://github.com/acpica/acpica/commit/a23325b2Signed-off-by: default avatarSeunghun Han <kkamagui@gmail.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Signed-off-by: default avatarBob Moore <robert.moore@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarLee, Chun-Yi <jlee@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c19b00e
    • Rafael J. Wysocki's avatar
      ACPI / scan: Prefer devices without _HID/_CID for _ADR matching · 1fe277d4
      Rafael J. Wysocki authored
      commit c2a6bbaf upstream.
      
      The way acpi_find_child_device() works currently is that, if there
      are two (or more) devices with the same _ADR value in the same
      namespace scope (which is not specifically allowed by the spec and
      the OS behavior in that case is not defined), the first one of them
      found to be present (with the help of _STA) will be returned.
      
      This covers the majority of cases, but is not sufficient if some of
      the devices in question have a _HID (or _CID) returning some valid
      ACPI/PNP device IDs (which is disallowed by the spec) and the
      ASL writers' expectation appears to be that the OS will match
      devices without a valid ACPI/PNP device ID against a given bus
      address first.
      
      To cover this special case as well, modify find_child_checks()
      to prefer devices without ACPI/PNP device IDs over devices that
      have them.
      Suggested-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Tested-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fe277d4
    • Rafael J. Wysocki's avatar
      ACPI / processor: Avoid reserving IO regions too early · 4d48ba75
      Rafael J. Wysocki authored
      commit 86314751 upstream.
      
      Roland Dreier reports that one of his systems cannot boot because of
      the changes made by commit ac212b69 (ACPI / processor: Use common
      hotplug infrastructure).
      
      The problematic part of it is the request_region() call in
      acpi_processor_get_info() that used to run at module init time before
      the above commit and now it runs much earlier.  Unfortunately, the
      region(s) reserved by it fall into a range the PCI subsystem attempts
      to reserve for AHCI IO BARs.  As a result, the PCI reservation fails
      and AHCI doesn't work, while previously the PCI reservation would
      be made before acpi_processor_get_info() and it would succeed.
      
      That request_region() call, however, was overlooked by commit
      ac212b69, as it is not necessary for the enumeration of the
      processors.  It only is needed when the ACPI processor driver
      actually attempts to handle them which doesn't happen before
      loading the ACPI processor driver module.  Therefore that call
      should have been moved from acpi_processor_get_info() into that
      module.
      
      Address the problem by moving the request_region() call in question
      out of acpi_processor_get_info() and use the observation that the
      region reserved by it is only needed if the FADT-based CPU
      throttling method is going to be used, which means that it should
      be sufficient to invoke it from acpi_processor_get_throttling_fadt().
      
      Fixes: ac212b69 (ACPI / processor: Use common hotplug infrastructure)
      Reported-by: default avatarRoland Dreier <roland@purestorage.com>
      Tested-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Acked-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d48ba75
    • Rui Wang's avatar
      x86/ioapic: Fix incorrect pointers in ioapic_setup_resources() · 699a6cc7
      Rui Wang authored
      commit 9d98bcec upstream.
      
      On a 4-socket Brickland system, hot-removing one ioapic is fine.
      Hot-removing the 2nd one causes panic in mp_unregister_ioapic()
      while calling release_resource().
      
      It is because the iomem_res pointer has already been released
      when removing the first ioapic.
      
      To explain the use of &res[num] here: res is assigned to ioapic_resources,
      and later in ioapic_insert_resources() we do:
      
      	struct resource *r = ioapic_resources;
      
              for_each_ioapic(i) {
                      insert_resource(&iomem_resource, r);
                      r++;
              }
      
      Here 'r' is treated as an arry of 'struct resource', and the r++ ensures
      that each element of the array is inserted separately. Thus we should call
      release_resouce() on each element at &res[num].
      
      Fix it by assigning the correct pointers to ioapics[i].iomem_res in
      ioapic_setup_resources().
      Signed-off-by: default avatarRui Wang <rui.y.wang@intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: tony.luck@intel.com
      Cc: linux-pci@vger.kernel.org
      Cc: rjw@rjwysocki.net
      Cc: linux-acpi@vger.kernel.org
      Cc: bhelgaas@google.com
      Link: http://lkml.kernel.org/r/1465369193-4816-3-git-send-email-rui.y.wang@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Acked-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      699a6cc7
    • Jiri Slaby's avatar
      ipc: msg, make msgrcv work with LONG_MIN · bab93a61
      Jiri Slaby authored
      commit 99989835 upstream.
      
      When LONG_MIN is passed to msgrcv, one would expect to recieve any
      message.  But convert_mode does *msgtyp = -*msgtyp and -LONG_MIN is
      undefined.  In particular, with my gcc -LONG_MIN produces -LONG_MIN
      again.
      
      So handle this case properly by assigning LONG_MAX to *msgtyp if
      LONG_MIN was specified as msgtyp to msgrcv.
      
      This code:
        long msg[] = { 100, 200 };
        int m = msgget(IPC_PRIVATE, IPC_CREAT | 0644);
        msgsnd(m, &msg, sizeof(msg), 0);
        msgrcv(m, &msg, sizeof(msg), LONG_MIN, 0);
      
      produces currently nothing:
      
        msgget(IPC_PRIVATE, IPC_CREAT|0644)     = 65538
        msgsnd(65538, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, 0) = 0
        msgrcv(65538, ...
      
      Except a UBSAN warning:
      
        UBSAN: Undefined behaviour in ipc/msg.c:745:13
        negation of -9223372036854775808 cannot be represented in type 'long int':
      
      With the patch, I see what I expect:
      
        msgget(IPC_PRIVATE, IPC_CREAT|0644)     = 0
        msgsnd(0, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, 0) = 0
        msgrcv(0, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, -9223372036854775808, 0) = 16
      
      Link: http://lkml.kernel.org/r/20161024082633.10148-1-jslaby@suse.czSigned-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bab93a61
    • Vlastimil Babka's avatar
      mm, page_alloc: fix potential false positive in __zone_watermark_ok · 90ca50c5
      Vlastimil Babka authored
      commit b050e376 upstream.
      
      Since commit 97a16fc8 ("mm, page_alloc: only enforce watermarks for
      order-0 allocations"), __zone_watermark_ok() check for high-order
      allocations will shortcut per-migratetype free list checks for
      ALLOC_HARDER allocations, and return true as long as there's free page
      of any migratetype.  The intention is that ALLOC_HARDER can allocate
      from MIGRATE_HIGHATOMIC free lists, while normal allocations can't.
      
      However, as a side effect, the watermark check will then also return
      true when there are pages only on the MIGRATE_ISOLATE list, or (prior to
      CMA conversion to ZONE_MOVABLE) on the MIGRATE_CMA list.  Since the
      allocation cannot actually obtain isolated pages, and might not be able
      to obtain CMA pages, this can result in a false positive.
      
      The condition should be rare and perhaps the outcome is not a fatal one.
      Still, it's better if the watermark check is correct.  There also
      shouldn't be a performance tradeoff here.
      
      Link: http://lkml.kernel.org/r/20171102125001.23708-1-vbabka@suse.cz
      Fixes: 97a16fc8 ("mm, page_alloc: only enforce watermarks for order-0 allocations")
      Signed-off-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90ca50c5
    • Doug Berger's avatar
      cma: fix calculation of aligned offset · 1ab0bb98
      Doug Berger authored
      commit e048cb32 upstream.
      
      The align_offset parameter is used by bitmap_find_next_zero_area_off()
      to represent the offset of map's base from the previous alignment
      boundary; the function ensures that the returned index, plus the
      align_offset, honors the specified align_mask.
      
      The logic introduced by commit b5be83e3 ("mm: cma: align to physical
      address, not CMA region position") has the cma driver calculate the
      offset to the *next* alignment boundary.  In most cases, the base
      alignment is greater than that specified when making allocations,
      resulting in a zero offset whether we align up or down.  In the example
      given with the commit, the base alignment (8MB) was half the requested
      alignment (16MB) so the math also happened to work since the offset is
      8MB in both directions.  However, when requesting allocations with an
      alignment greater than twice that of the base, the returned index would
      not be correctly aligned.
      
      Also, the align_order arguments of cma_bitmap_aligned_mask() and
      cma_bitmap_aligned_offset() should not be negative so the argument type
      was made unsigned.
      
      Fixes: b5be83e3 ("mm: cma: align to physical address, not CMA region position")
      Link: http://lkml.kernel.org/r/20170628170742.2895-1-opendmb@gmail.comSigned-off-by: default avatarAngus Clark <angus@angusclark.org>
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Acked-by: default avatarGregory Fong <gregory.0xf0@gmail.com>
      Cc: Doug Berger <opendmb@gmail.com>
      Cc: Angus Clark <angus@angusclark.org>
      Cc: Laura Abbott <labbott@redhat.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Lucas Stach <l.stach@pengutronix.de>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Shiraz Hashim <shashim@codeaurora.org>
      Cc: Jaewon Kim <jaewon31.kim@samsung.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1ab0bb98
    • Michal Hocko's avatar
      hwpoison, memcg: forcibly uncharge LRU pages · 361376a5
      Michal Hocko authored
      commit 18365225 upstream.
      
      Laurent Dufour has noticed that hwpoinsoned pages are kept charged.  In
      his particular case he has hit a bad_page("page still charged to
      cgroup") when onlining a hwpoison page.  While this looks like something
      that shouldn't happen in the first place because onlining hwpages and
      returning them to the page allocator makes only little sense it shows a
      real problem.
      
      hwpoison pages do not get freed usually so we do not uncharge them (at
      least not since commit 0a31bc97 ("mm: memcontrol: rewrite uncharge
      API")).  Each charge pins memcg (since e8ea14cc ("mm: memcontrol:
      take a css reference for each charged page")) as well and so the
      mem_cgroup and the associated state will never go away.  Fix this leak
      by forcibly uncharging a LRU hwpoisoned page in delete_from_lru_cache().
      We also have to tweak uncharge_list because it cannot rely on zero ref
      count for these pages.
      
      [akpm@linux-foundation.org: coding-style fixes]
      Fixes: 0a31bc97 ("mm: memcontrol: rewrite uncharge API")
      Link: http://lkml.kernel.org/r/20170502185507.GB19165@dhcp22.suse.czSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarLaurent Dufour <ldufour@linux.vnet.ibm.com>
      Tested-by: default avatarLaurent Dufour <ldufour@linux.vnet.ibm.com>
      Reviewed-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Reviewed-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      361376a5
    • Michal Hocko's avatar
      mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack · 7175e56f
      Michal Hocko authored
      commit 561b5e07 upstream.
      
      Commit 1be7107f ("mm: larger stack guard gap, between vmas") has
      introduced a regression in some rust and Java environments which are
      trying to implement their own stack guard page.  They are punching a new
      MAP_FIXED mapping inside the existing stack Vma.
      
      This will confuse expand_{downwards,upwards} into thinking that the
      stack expansion would in fact get us too close to an existing non-stack
      vma which is a correct behavior wrt safety.  It is a real regression on
      the other hand.
      
      Let's work around the problem by considering PROT_NONE mapping as a part
      of the stack.  This is a gros hack but overflowing to such a mapping
      would trap anyway an we only can hope that usespace knows what it is
      doing and handle it propely.
      
      Fixes: 1be7107f ("mm: larger stack guard gap, between vmas")
      Link: http://lkml.kernel.org/r/20170705182849.GA18027@dhcp22.suse.czSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Debugged-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Hugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7175e56f
    • Vlastimil Babka's avatar
      fs/select: add vmalloc fallback for select(2) · 13757fc5
      Vlastimil Babka authored
      commit 2d19309c upstream.
      
      The select(2) syscall performs a kmalloc(size, GFP_KERNEL) where size grows
      with the number of fds passed. We had a customer report page allocation
      failures of order-4 for this allocation. This is a costly order, so it might
      easily fail, as the VM expects such allocation to have a lower-order fallback.
      
      Such trivial fallback is vmalloc(), as the memory doesn't have to be physically
      contiguous and the allocation is temporary for the duration of the syscall
      only. There were some concerns, whether this would have negative impact on the
      system by exposing vmalloc() to userspace. Although an excessive use of vmalloc
      can cause some system wide performance issues - TLB flushes etc. - a large
      order allocation is not for free either and an excessive reclaim/compaction can
      have a similar effect. Also note that the size is effectively limited by
      RLIMIT_NOFILE which defaults to 1024 on the systems I checked. That means the
      bitmaps will fit well within single page and thus the vmalloc() fallback could
      be only excercised for processes where root allows a higher limit.
      
      Note that the poll(2) syscall seems to use a linked list of order-0 pages, so
      it doesn't need this kind of fallback.
      
      [eric.dumazet@gmail.com: fix failure path logic]
      [akpm@linux-foundation.org: use proper type for size]
      Link: http://lkml.kernel.org/r/20160927084536.5923-1-vbabka@suse.czSigned-off-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Jason Baron <jbaron@akamai.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      13757fc5
    • yangbo lu's avatar
      mmc: sdhci-of-esdhc: add/remove some quirks according to vendor version · 0fd49331
      yangbo lu authored
      commit 1ef5e49e upstream.
      
      A previous patch had removed esdhc_of_platform_init() by mistake.
      static void esdhc_of_platform_init(struct sdhci_host *host)
      {
      	u32 vvn;
      
      	vvn = in_be32(host->ioaddr + SDHCI_SLOT_INT_STATUS);
      	vvn = (vvn & SDHCI_VENDOR_VER_MASK) >> SDHCI_VENDOR_VER_SHIFT;
      	if (vvn == VENDOR_V_22)
      		host->quirks2 |= SDHCI_QUIRK2_HOST_NO_CMD23;
      
      	if (vvn > VENDOR_V_22)
      		host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
      }
      
      This patch is used to fix it by add/remove some quirks according to
      verdor version in probe.
      Signed-off-by: default avatarYangbo Lu <yangbo.lu@freescale.com>
      Fixes: f4932cfd ("mmc: sdhci-of-esdhc: support both BE and LE host controller")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarMatthias Brugger <mbrugger@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0fd49331
    • Minghuan Lian's avatar
      PCI: layerscape: Fix MSG TLP drop setting · 5ee8fef1
      Minghuan Lian authored
      commit 1195c103 upstream.
      
      Some kinds of Layerscape PCIe controllers will forward the received message
      TLPs to system application address space, which could corrupt system memory
      or lead to a system hang.  Enable MSG_DROP to fix this issue.
      Signed-off-by: default avatarMinghuan Lian <Minghuan.Lian@nxp.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarMatthias Brugger <mbrugger@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ee8fef1
    • Yang Shi's avatar
      PCI: layerscape: Add "fsl,ls2085a-pcie" compatible ID · 12de6baf
      Yang Shi authored
      commit dbae40b7 upstream.
      
      The Layerscape PCI host driver must recognize ls2085a compatible when using
      firmware with ls2085a compatible property, otherwise the PCI bus won't be
      detected even though ls2085a compatible is included by the dts.
      Signed-off-by: default avatarYang Shi <yang.shi@linaro.org>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarMatthias Brugger <mbrugger@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      12de6baf
    • Sudeep Holla's avatar
      drivers: base: cacheinfo: fix boot error message when acpi is enabled · a91cdfa7
      Sudeep Holla authored
      commit 55877ef4 upstream.
      
      ARM64 enables both CONFIG_OF and CONFIG_ACPI and the firmware can pass
      both ACPI tables and the device tree. Based on the kernel parameter, one
      of the two will be chosen. If acpi is enabled, then device tree is not
      unflattened.
      
      Currently ARM64 platforms report:
      "
      	Failed to find cpu0 device node
      	Unable to detect cache hierarchy from DT for CPU 0
      "
      which is incorrect when booting with ACPI. Also latest ACPI v6.1 has no
      support for cache properties/hierarchy.
      
      This patch adds check for unflattened device tree and also returns as
      "not supported" if ACPI is runtime enabled.
      
      It also removes the reference to DT from the error message as the cache
      hierarchy can be detected from the firmware(OF/DT/ACPI)
      
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Signed-off-by: default avatarMian Yousaf Kaukab <yousaf.kaukab@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a91cdfa7
    • Sudeep Holla's avatar
      drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled · f31a8450
      Sudeep Holla authored
      commit fac51482 upstream.
      
      With CONFIG_OF enabled on x86, we get the following error on boot:
      "
      	Failed to find cpu0 device node
       	Unable to detect cache hierarchy from DT for CPU 0
      "
      and the cacheinfo fails to get populated in the corresponding sysfs
      entries. This is because cache_setup_of_node looks for of_node for
      setting up the shared cpu_map without checking that it's already
      populated in the architecture specific callback.
      
      In order to indicate that the shared cpu_map is already populated, this
      patch introduces a boolean `cpu_map_populated` in struct cpu_cacheinfo
      that can be used by the generic code to skip cache_shared_cpu_map_setup.
      
      This patch also sets that boolean for x86.
      
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Signed-off-by: default avatarMian Yousaf Kaukab <yousaf.kaukab@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f31a8450
    • Janakarajan Natarajan's avatar
      Prevent timer value 0 for MWAITX · 29b73cac
      Janakarajan Natarajan authored
      commit 88d879d2 upstream.
      
      Newer hardware has uncovered a bug in the software implementation of
      using MWAITX for the delay function. A value of 0 for the timer is meant
      to indicate that a timeout will not be used to exit MWAITX. On newer
      hardware this can result in MWAITX never returning, resulting in NMI
      soft lockup messages being printed. On older hardware, some of the other
      conditions under which MWAITX can exit masked this issue. The AMD APM
      does not currently document this and will be updated.
      
      Please refer to http://marc.info/?l=kvm&m=148950623231140 for
      information regarding NMI soft lockup messages on an AMD Ryzen 1800X.
      This has been root-caused as a 0 passed to MWAITX causing it to wait
      indefinitely.
      
      This change has the added benefit of avoiding the unnecessary setup of
      MONITORX/MWAITX when the delay value is zero.
      Signed-off-by: default avatarJanakarajan Natarajan <Janakarajan.Natarajan@amd.com>
      Link: http://lkml.kernel.org/r/1493156643-29366-1-git-send-email-Janakarajan.Natarajan@amd.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29b73cac
    • Thomas Gleixner's avatar
      timers: Plug locking race vs. timer migration · 83900306
      Thomas Gleixner authored
      commit b831275a upstream.
      
      Linus noticed that lock_timer_base() lacks a READ_ONCE() for accessing the
      timer flags. As a consequence the compiler is allowed to reload the flags
      between the initial check for TIMER_MIGRATION and the following timer base
      computation and the spin lock of the base.
      
      While this has not been observed (yet), we need to make sure that it never
      happens.
      
      Fixes: 0eeda71b ("timer: Replace timer base by a cpu index")
      Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1610241711220.4983@nanos
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarMike Galbraith <mgalbraith@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      83900306
    • Vegard Nossum's avatar
      time: Avoid undefined behaviour in ktime_add_safe() · 08b1cf49
      Vegard Nossum authored
      commit 979515c5 upstream.
      
      I ran into this:
      
          ================================================================================
          UBSAN: Undefined behaviour in kernel/time/hrtimer.c:310:16
          signed integer overflow:
          9223372036854775807 + 50000 cannot be represented in type 'long long int'
          CPU: 2 PID: 4798 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #91
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
           0000000000000000 ffff88010ce6fb88 ffffffff82344740 0000000041b58ab3
           ffffffff84f97a20 ffffffff82344694 ffff88010ce6fbb0 ffff88010ce6fb60
           000000000000c350 ffff88010ce6f968 dffffc0000000000 ffffffff857bc320
          Call Trace:
           [<ffffffff82344740>] dump_stack+0xac/0xfc
           [<ffffffff82344694>] ? _atomic_dec_and_lock+0xc4/0xc4
           [<ffffffff8242df78>] ubsan_epilogue+0xd/0x8a
           [<ffffffff8242e6b4>] handle_overflow+0x202/0x23d
           [<ffffffff8242e4b2>] ? val_to_string.constprop.6+0x11e/0x11e
           [<ffffffff8236df71>] ? timerqueue_add+0x151/0x410
           [<ffffffff81485c48>] ? hrtimer_start_range_ns+0x3b8/0x1380
           [<ffffffff81795631>] ? memset+0x31/0x40
           [<ffffffff8242e6fd>] __ubsan_handle_add_overflow+0xe/0x10
           [<ffffffff81488ac9>] hrtimer_nanosleep+0x5d9/0x790
           [<ffffffff814884f0>] ? hrtimer_init_sleeper+0x80/0x80
           [<ffffffff813a9ffb>] ? __might_sleep+0x5b/0x260
           [<ffffffff8148be10>] common_nsleep+0x20/0x30
           [<ffffffff814906c7>] SyS_clock_nanosleep+0x197/0x210
           [<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
           [<ffffffff823c7113>] ? __this_cpu_preempt_check+0x13/0x20
           [<ffffffff8162ef60>] ? __context_tracking_exit.part.3+0x30/0x1b0
           [<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
           [<ffffffff81007bd3>] do_syscall_64+0x1b3/0x4b0
           [<ffffffff845f85aa>] entry_SYSCALL64_slow_path+0x25/0x25
          ================================================================================
      
      Add a new ktime_add_unsafe() helper which doesn't check for overflow, but
      doesn't throw a UBSAN warning when it does overflow either.
      
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08b1cf49
    • Eric Biggers's avatar
      PM / sleep: declare __tracedata symbols as char[] rather than char · 0cb5ae4d
      Eric Biggers authored
      commit f9723837 upstream.
      
      Accessing more than one byte from a symbol declared simply 'char' is undefined
      behavior, as reported by UBSAN:
      
      	UBSAN: Undefined behaviour in drivers/base/power/trace.c:178:18
      	load of address ffffffff8203fc78 with insufficient space
      	for an object of type 'char'
      
      Avoid this by declaring the symbols as arrays.
      Signed-off-by: default avatarEric Biggers <ebiggers3@gmail.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0cb5ae4d
    • Marc Kleine-Budde's avatar
      can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once · 08f39b7b
      Marc Kleine-Budde authored
      commit d4689846 upstream.
      
      If an invalid CANFD frame is received, from a driver or from a tun
      interface, a Kernel warning is generated.
      
      This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
      kernel, bootet with panic_on_warn, does not panic. A printk seems to be
      more appropriate here.
      
      Reported-by: syzbot+e3b775f40babeff6e68b@syzkaller.appspotmail.com
      Suggested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08f39b7b
    • Marc Kleine-Budde's avatar
      can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once · e7514af6
      Marc Kleine-Budde authored
      commit 8cb68751 upstream.
      
      If an invalid CAN frame is received, from a driver or from a tun
      interface, a Kernel warning is generated.
      
      This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
      kernel, bootet with panic_on_warn, does not panic. A printk seems to be
      more appropriate here.
      
      Reported-by: syzbot+4386709c0c1284dca827@syzkaller.appspotmail.com
      Suggested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      e7514af6
    • Daniel Bristot de Oliveira's avatar
      sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks · 1d00e3d9
      Daniel Bristot de Oliveira authored
      commit 3effcb42 upstream.
      
      We have been facing some problems with self-suspending constrained
      deadline tasks. The main reason is that the original CBS was not
      designed for such sort of tasks.
      
      One problem reported by Xunlei Pang takes place when a task
      suspends, and then is awakened before the deadline, but so close
      to the deadline that its remaining runtime can cause the task
      to have an absolute density higher than allowed. In such situation,
      the original CBS assumes that the task is facing an early activation,
      and so it replenishes the task and set another deadline, one deadline
      in the future. This rule works fine for implicit deadline tasks.
      Moreover, it allows the system to adapt the period of a task in which
      the external event source suffered from a clock drift.
      
      However, this opens the window for bandwidth leakage for constrained
      deadline tasks. For instance, a task with the following parameters:
      
        runtime   = 5 ms
        deadline  = 7 ms
        [density] = 5 / 7 = 0.71
        period    = 1000 ms
      
      If the task runs for 1 ms, and then suspends for another 1ms,
      it will be awakened with the following parameters:
      
        remaining runtime = 4
        laxity = 5
      
      presenting a absolute density of 4 / 5 = 0.80.
      
      In this case, the original CBS would assume the task had an early
      wakeup. Then, CBS will reset the runtime, and the absolute deadline will
      be postponed by one relative deadline, allowing the task to run.
      
      The problem is that, if the task runs this pattern forever, it will keep
      receiving bandwidth, being able to run 1ms every 2ms. Following this
      behavior, the task would be able to run 500 ms in 1 sec. Thus running
      more than the 5 ms / 1 sec the admission control allowed it to run.
      
      Trying to address the self-suspending case, Luca Abeni, Giuseppe
      Lipari, and Juri Lelli [1] revisited the CBS in order to deal with
      self-suspending tasks. In the new approach, rather than
      replenishing/postponing the absolute deadline, the revised wakeup rule
      adjusts the remaining runtime, reducing it to fit into the allowed
      density.
      
      A revised version of the idea is:
      
      At a given time t, the maximum absolute density of a task cannot be
      higher than its relative density, that is:
      
        runtime / (deadline - t) <= dl_runtime / dl_deadline
      
      Knowing the laxity of a task (deadline - t), it is possible to move
      it to the other side of the equality, thus enabling to define max
      remaining runtime a task can use within the absolute deadline, without
      over-running the allowed density:
      
        runtime = (dl_runtime / dl_deadline) * (deadline - t)
      
      For instance, in our previous example, the task could still run:
      
        runtime = ( 5 / 7 ) * 5
        runtime = 3.57 ms
      
      Without causing damage for other deadline tasks. It is note worthy
      that the laxity cannot be negative because that would cause a negative
      runtime. Thus, this patch depends on the patch:
      
        df8eac8c ("sched/deadline: Throttle a constrained deadline task activated after the deadline")
      
      Which throttles a constrained deadline task activated after the
      deadline.
      
      Finally, it is also possible to use the revised wakeup rule for
      all other tasks, but that would require some more discussions
      about pros and cons.
      
      [The main difference from the original commit is that
       the BW_SHIFT define was not present yet. As BW_SHIFT was
       introduced in a new feature, I just used the value (20),
       likewise we used to use before the #define.
       Other changes were required because of comments. - bistrot]
      Reported-by: default avatarXunlei Pang <xpang@redhat.com>
      Signed-off-by: default avatarDaniel Bristot de Oliveira <bristot@redhat.com>
      [peterz: replaced dl_is_constrained with dl_is_implicit]
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Juri Lelli <juri.lelli@arm.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Luca Abeni <luca.abeni@santannapisa.it>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
      Link: http://lkml.kernel.org/r/5c800ab3a74a168a84ee5f3f84d12a02e11383be.1495803804.git.bristot@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarDaniel Bristot de Oliveira <bristot@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d00e3d9
    • David Woodhouse's avatar
      x86/retpoline: Fill RSB on context switch for affected CPUs · 18bb117d
      David Woodhouse authored
      commit c995efd5 upstream.
      
      On context switch from a shallow call stack to a deeper one, as the CPU
      does 'ret' up the deeper side it may encounter RSB entries (predictions for
      where the 'ret' goes to) which were populated in userspace.
      
      This is problematic if neither SMEP nor KPTI (the latter of which marks
      userspace pages as NX for the kernel) are active, as malicious code in
      userspace may then be executed speculatively.
      
      Overwrite the CPU's return prediction stack with calls which are predicted
      to return to an infinite loop, to "capture" speculation if this
      happens. This is required both for retpoline, and also in conjunction with
      IBRS for !SMEP && !KPTI.
      
      On Skylake+ the problem is slightly different, and an *underflow* of the
      RSB may cause errant branch predictions to occur. So there it's not so much
      overwrite, as *filling* the RSB to attempt to prevent it getting
      empty. This is only a partial solution for Skylake+ since there are many
      other conditions which may result in the RSB becoming empty. The full
      solution on Skylake+ is to use IBRS, which will prevent the problem even
      when the RSB becomes empty. With IBRS, the RSB-stuffing will not be
      required on context switch.
      
      [ tglx: Added missing vendor check and slighty massaged comments and
        	changelog ]
      
      [js] backport to 4.4 -- __switch_to_asm does not exist there, we
           have to patch the switch_to macros for both x86_32 and x86_64.
      Signed-off-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarArjan van de Ven <arjan@linux.intel.com>
      Cc: gnomes@lxorguk.ukuu.org.uk
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: thomas.lendacky@amd.com
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Kees Cook <keescook@google.com>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
      Cc: Paul Turner <pjt@google.com>
      Link: https://lkml.kernel.org/r/1515779365-9032-1-git-send-email-dwmw@amazon.co.ukSigned-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18bb117d
    • Dave Hansen's avatar
      x86/cpu/intel: Introduce macros for Intel family numbers · 0dfd5fbc
      Dave Hansen authored
      commit 970442c5 upstream.
      
      Problem:
      
      We have a boatload of open-coded family-6 model numbers.  Half of
      them have these model numbers in hex and the other half in
      decimal.  This makes grepping for them tons of fun, if you were
      to try.
      
      Solution:
      
      Consolidate all the magic numbers.  Put all the definitions in
      one header.
      
      The names here are closely derived from the comments describing
      the models from arch/x86/events/intel/core.c.  We could easily
      make them shorter by doing things like s/SANDYBRIDGE/SNB/, but
      they seemed fine even with the longer versions to me.
      
      Do not take any of these names too literally, like "DESKTOP"
      or "MOBILE".  These are all colloquial names and not precise
      descriptions of everywhere a given model will show up.
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Darren Hart <dvhart@infradead.org>
      Cc: Dave Hansen <dave@sr71.net>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Doug Thompson <dougthompson@xmission.com>
      Cc: Eduardo Valentin <edubezval@gmail.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Len Brown <lenb@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Rajneesh Bhardwaj <rajneesh.bhardwaj@intel.com>
      Cc: Souvik Kumar Chakravarty <souvik.k.chakravarty@intel.com>
      Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Ulf Hansson <ulf.hansson@linaro.org>
      Cc: Viresh Kumar <viresh.kumar@linaro.org>
      Cc: Vishwanath Somayaji <vishwanath.somayaji@intel.com>
      Cc: Zhang Rui <rui.zhang@intel.com>
      Cc: jacob.jun.pan@intel.com
      Cc: linux-acpi@vger.kernel.org
      Cc: linux-edac@vger.kernel.org
      Cc: linux-mmc@vger.kernel.org
      Cc: linux-pm@vger.kernel.org
      Cc: platform-driver-x86@vger.kernel.org
      Link: http://lkml.kernel.org/r/20160603001927.F2A7D828@viggo.jf.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dfd5fbc
    • Ben Hutchings's avatar
      x86/microcode/intel: Fix BDW late-loading revision check · 20e3fa5d
      Ben Hutchings authored
      The backport of commit b94b7373 ("x86/microcode/intel: Extend BDW
      late-loading with a revision check") to 4.4-stable deleted a "return true"
      statement.  This bug is not present upstream or other stable branches.
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20e3fa5d
    • Jonathan Dieter's avatar
      usbip: Fix potential format overflow in userspace tools · 579a9885
      Jonathan Dieter authored
      commit e5dfa3f9 upstream.
      
      The usbip userspace tools call sprintf()/snprintf() and don't check for
      the return value which can lead the paths to overflow, truncating the
      final file in the path.
      
      More urgently, GCC 7 now warns that these aren't checked with
      -Wformat-overflow, and with -Werror enabled in configure.ac, that makes
      these tools unbuildable.
      
      This patch fixes these problems by replacing sprintf() with snprintf() in
      one place and adding checks for the return value of snprintf().
      Reviewed-by: default avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Signed-off-by: default avatarJonathan Dieter <jdieter@lesbg.com>
      Acked-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      579a9885
    • Jonathan Dieter's avatar
      usbip: Fix implicit fallthrough warning · 4493f498
      Jonathan Dieter authored
      commit cfd6ed45 upstream.
      
      GCC 7 now warns when switch statements fall through implicitly, and with
      -Werror enabled in configure.ac, that makes these tools unbuildable.
      
      We fix this by notifying the compiler that this particular case statement
      is meant to fall through.
      Reviewed-by: default avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Signed-off-by: default avatarJonathan Dieter <jdieter@lesbg.com>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4493f498
    • Shuah Khan's avatar
      usbip: prevent vhci_hcd driver from leaking a socket pointer address · 28f467e0
      Shuah Khan authored
      commit 2f2d0088 upstream.
      
      When a client has a USB device attached over IP, the vhci_hcd driver is
      locally leaking a socket pointer address via the
      
      /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
      output when "usbip --debug port" is run.
      
      Fix it to not leak. The socket pointer address is not used at the moment
      and it was made visible as a convenient way to find IP address from socket
      pointer address by looking up /proc/net/{tcp,tcp6}.
      
      As this opens a security hole, the fix replaces socket pointer address with
      sockfd.
      Reported-by: default avatarSecunia Research <vuln@secunia.com>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      28f467e0
    • Andy Lutomirski's avatar
      x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels · 8bb0c6a1
      Andy Lutomirski authored
      commit 1c52d859 upstream.
      
      We support various non-Intel CPUs that don't have the CPUID
      instruction, so the M486 test was wrong.  For now, fix it with a big
      hammer: handle missing CPUID on all 32-bit CPUs.
      Reported-by: default avatarOne Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Matthew Whitehead <tedheadster@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
      Cc: Andrew Cooper <andrew.cooper3@citrix.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: xen-devel <Xen-devel@lists.xen.org>
      Link: http://lkml.kernel.org/r/685bd083a7c036f7769510b6846315b17d6ba71f.1481307769.git.luto@kernel.orgSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: "Zhang, Ning A" <ning.a.zhang@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bb0c6a1
  2. 23 Jan, 2018 11 commits