1. 22 Oct, 2020 1 commit
    • x86/alternative: Don't call text_poke() in lazy TLB mode · abee7c49
      Juergen Gross authored
      When running in lazy TLB mode the currently active page tables might
      be the ones of a previous process, e.g. when running a kernel thread.
      
      This can be problematic in case kernel code is being modified via
      text_poke() in a kernel thread, and on another processor exit_mmap()
      is active for the process which was running on the first cpu before
      the kernel thread.
      
      As text_poke() is using a temporary address space and the former
      address space (obtained via cpu_tlbstate.loaded_mm) is restored
      afterwards, there is a race possible in case the cpu on which
      exit_mmap() is running wants to make sure there are no stale
      references to that address space on any cpu active (this e.g. is
      required when running as a Xen PV guest, where this problem has been
      observed and analyzed).
      
      In order to avoid that, drop off TLB lazy mode before switching to the
      temporary address space.
      
      Fixes: cefa929c ("x86/mm: Introduce temporary mm structs")
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/20201009144225.12019-1-jgross@suse.com
      abee7c49
  2. 14 Oct, 2020 4 commits
    • x86/syscalls: Document the fact that syscalls 512-547 are a legacy mistake · c3b484c4
      Andy Lutomirski authored
      Since this commit:
      
        6365b842 ("x86/syscalls: Split the x32 syscalls into their own table")
      
      there is no need for special x32-specific syscall numbers.  I forgot to
      update the comments in syscall_64.tbl.  Add comments to make it clear to
      future contributors that this range is a legacy wart.
      Reported-by: Jessica Clarke <jrtc27@jrtc27.com>
      Signed-off-by: Andy Lutomirski <luto@kernel.org>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Link: https://lore.kernel.org/r/6c56fb4ddd18fc60a238eb4d867e4b3d97c6351e.1602471055.git.luto@kernel.org
      c3b484c4
    • x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels · f2ac57a4
      Jiri Slaby authored
      GCC 10 optimizes the scheduler code differently than its predecessors.
      
      When CONFIG_DEBUG_SECTION_MISMATCH=y, the Makefile forces GCC not
      to inline some functions (-fno-inline-functions-called-once). Before GCC
      10, "no-inlined" __schedule() starts with the usual prologue:
      
        push %bp
        mov %sp, %bp
      
      So the ORC unwinder simply picks stack pointer from %bp and
      unwinds from __schedule() just perfectly:
      
        $ cat /proc/1/stack
        [<0>] ep_poll+0x3e9/0x450
        [<0>] do_epoll_wait+0xaa/0xc0
        [<0>] __x64_sys_epoll_wait+0x1a/0x20
        [<0>] do_syscall_64+0x33/0x40
        [<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      But now, with GCC 10, there is no %bp prologue in __schedule():
      
        $ cat /proc/1/stack
        <nothing>
      
      The ORC entry of the point in __schedule() is:
      
        sp:sp+88 bp:last_sp-48 type:call end:0
      
      In this case, nobody subtracts sizeof "struct inactive_task_frame" in
      __unwind_start(). The struct is put on the stack by __switch_to_asm() and
      only then __switch_to_asm() stores %sp to task->thread.sp. But we start
      unwinding from a point in __schedule() (stored in frame->ret_addr by
      'call') and not in __switch_to_asm().
      
      So for these example values in __unwind_start():
      
        sp=ffff94b50001fdc8 bp=ffff8e1f41d29340 ip=__schedule+0x1f0
      
      The stack is:
      
        ffff94b50001fdc8: ffff8e1f41578000 # struct inactive_task_frame
        ffff94b50001fdd0: 0000000000000000
        ffff94b50001fdd8: ffff8e1f41d29340
        ffff94b50001fde0: ffff8e1f41611d40 # ...
        ffff94b50001fde8: ffffffff93c41920 # bx
        ffff94b50001fdf0: ffff8e1f41d29340 # bp
        ffff94b50001fdf8: ffffffff9376cad0 # ret_addr (and end of the struct)
      
      0xffffffff9376cad0 is __schedule+0x1f0 (after the call to
      __switch_to_asm).  Now follow those 88 bytes from the ORC entry (sp+88).
      The entry is correct, __schedule() really pushes 48 bytes (8*7) + 32 bytes
      via subq to store some local values (like 4U below). So to unwind, look
      at the offset 88-sizeof(long) = 0x50 from here:
      
        ffff94b50001fe00: ffff8e1f41578618
        ffff94b50001fe08: 00000cc000000255
        ffff94b50001fe10: 0000000500000004
        ffff94b50001fe18: 7793fab6956b2d00 # NOTE (see below)
        ffff94b50001fe20: ffff8e1f41578000
        ffff94b50001fe28: ffff8e1f41578000
        ffff94b50001fe30: ffff8e1f41578000
        ffff94b50001fe38: ffff8e1f41578000
        ffff94b50001fe40: ffff94b50001fed8
        ffff94b50001fe48: ffff8e1f41577ff0
        ffff94b50001fe50: ffffffff9376cf12
      
      Here                ^^^^^^^^^^^^^^^^ is the correct ret addr from
      __schedule(). It translates to schedule+0x42 (insn after a call to
      __schedule()).
      
      BUT, unwind_next_frame() tries to take the address starting from
      0xffff94b50001fdc8. That is exactly from thread.sp+88-sizeof(long) =
      0xffff94b50001fdc8+88-8 = 0xffff94b50001fe18, which is garbage marked as
      NOTE above. So this quits the unwinding as 7793fab6956b2d00 is obviously
      not a kernel address.
      
      There was a fix to skip 'struct inactive_task_frame' in
      unwind_get_return_address_ptr in the following commit:
      
        187b96db ("x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks")
      
      But we need to skip the struct already in the unwinder proper. So
      subtract the size (increase the stack pointer) of the structure in
      __unwind_start() directly. This allows for removal of the code added by
      commit 187b96db completely, as the address is now at
      '(unsigned long *)state->sp - 1', the same as in the generic case.
      
      [ mingo: Cleaned up the changelog a bit, for better readability. ]
      
      Fixes: ee9f8fce ("x86/unwind: Add the ORC unwinder")
      Bug: https://bugzilla.suse.com/show_bug.cgi?id=1176907
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Link: https://lore.kernel.org/r/20201014053051.24199-1-jslaby@suse.cz
      f2ac57a4
    • hyperv_fb: Update screen_info after removing old framebuffer · 3cb73bc3
      Kairui Song authored
      On gen2 HyperV VM, hyperv_fb will remove the old framebuffer, and the
      new allocated framebuffer address could be at a different location,
      and it might be no longer a VGA framebuffer.
      
      Update screen_info so that after kexec the kernel won't try to reuse
      the old invalid/stale framebuffer address as VGA, corrupting memory.
      
      [ mingo: Tidied up the changelog. ]
      Signed-off-by: Kairui Song <kasong@redhat.com>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Cc: Dexuan Cui <decui@microsoft.com>
      Cc: Jake Oshins <jakeo@microsoft.com>
      Cc: Wei Hu <weh@microsoft.com>
      Cc: "K. Y. Srinivasan" <kys@microsoft.com>
      Cc: Haiyang Zhang <haiyangz@microsoft.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Link: https://lore.kernel.org/r/20201014092429.1415040-3-kasong@redhat.com
      3cb73bc3
    • x86/kexec: Use up-to-dated screen_info copy to fill boot params · afc18069
      Kairui Song authored
      kexec_file_load() currently reuses the old boot_params.screen_info,
      but if drivers have changed the hardware state, boot_param.screen_info
      could contain invalid info.
      
      For example, the video type might be no longer VGA, or the frame buffer
      address might be changed. If the kexec kernel keeps using the old screen_info,
      kexec'ed kernel may attempt to write to an invalid framebuffer
      memory region.
      
      There are two screen_info instances globally available, boot_params.screen_info
      and screen_info. The latter is a copy, and is updated by drivers.
      
      So let kexec_file_load use the updated copy.
      
      [ mingo: Tidied up the changelog. ]
      Signed-off-by: Kairui Song <kasong@redhat.com>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Link: https://lore.kernel.org/r/20201014092429.1415040-2-kasong@redhat.com
      afc18069
  3. 13 Oct, 2020 2 commits
  4. 12 Oct, 2020 9 commits
    • Merge tag 'x86_platform_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8b6591fd
      Linus Torvalds authored
      Pull x86 platform updates from Borislav Petkov:
      
       - Cleanup different aspects of the UV code and start adding support for
         the new UV5 class of systems (Mike Travis)
      
       - Use a flexible array for a dynamically sized struct uv_rtc_timer_head
         (Gustavo A. R. Silva)
      
      * tag 'x86_platform_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/platform/uv: Update Copyrights to conform to HPE standards
        x86/platform/uv: Update for UV5 NMI MMR changes
        x86/platform/uv: Update UV5 TSC checking
        x86/platform/uv: Update node present counting
        x86/platform/uv: Update UV5 MMR references in UV GRU
        x86/platform/uv: Adjust GAM MMR references affected by UV5 updates
        x86/platform/uv: Update MMIOH references based on new UV5 MMRs
        x86/platform/uv: Add and decode Arch Type in UVsystab
        x86/platform/uv: Add UV5 direct references
        x86/platform/uv: Update UV MMRs for UV5
        drivers/misc/sgi-xp: Adjust references in UV kernel modules
        x86/platform/uv: Remove SCIR MMR references for UV systems
        x86/platform/uv: Remove UV BAU TLB Shootdown Handler
        x86/uv/time: Use a flexible array in struct uv_rtc_timer_head
      8b6591fd
    • Merge tag 'x86_cpu_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 92a0610b
      Linus Torvalds authored
      Pull x86 cpu updates from Borislav Petkov:
      
       - Add support for hardware-enforced cache coherency on AMD which
         obviates the need to flush cachelines before changing the PTE
         encryption bit (Krish Sadhukhan)
      
       - Add Centaur initialization support for families >= 7 (Tony W Wang-oc)
      
       - Add a feature flag for, and expose TSX suspend load tracking feature
         to KVM (Cathy Zhang)
      
       - Emulate SLDT and STR so that windows programs don't crash on UMIP
         machines (Brendan Shanks and Ricardo Neri)
      
       - Use the new SERIALIZE insn on Intel hardware which supports it
         (Ricardo Neri)
      
       - Misc cleanups and fixes
      
      * tag 'x86_cpu_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        KVM: SVM: Don't flush cache if hardware enforces cache coherency across encryption domains
        x86/mm/pat: Don't flush cache if hardware enforces cache coherency across encryption domnains
        x86/cpu: Add hardware-enforced cache coherency as a CPUID feature
        x86/cpu/centaur: Add Centaur family >=7 CPUs initialization support
        x86/cpu/centaur: Replace two-condition switch-case with an if statement
        x86/kvm: Expose TSX Suspend Load Tracking feature
        x86/cpufeatures: Enumerate TSX suspend load address tracking instructions
        x86/umip: Add emulation/spoofing for SLDT and STR instructions
        x86/cpu: Fix typos and improve the comments in sync_core()
        x86/cpu: Use XGETBV and XSETBV mnemonics in fpu/internal.h
        x86/cpu: Use SERIALIZE in sync_core() when available
      92a0610b
    • Merge tag 'ras_updates_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ca1b6692
      Linus Torvalds authored
      Pull RAS updates from Borislav Petkov:
      
       - Extend the recovery from MCE in kernel space also to processes which
         encounter an MCE in kernel space but while copying from user memory
         by sending them a SIGBUS on return to user space and unmapping the
         faulty memory, by Tony Luck and Youquan Song.
      
       - memcpy_mcsafe() rework by splitting the functionality into
         copy_mc_to_user() and copy_mc_to_kernel(). This, as a result, enables
         support for new hardware which can recover from a machine check
         encountered during a fast string copy and makes that the default and
         lets the older hardware which does not support that advance recovery,
         opt in to use the old, fragile, slow variant, by Dan Williams.
      
       - New AMD hw enablement, by Yazen Ghannam and Akshay Gupta.
      
       - Do not use MSR-tracing accessors in #MC context and flag any fault
         while accessing MCA architectural MSRs as an architectural violation
         with the hope that such hw/fw misdesigns are caught early during the
         hw eval phase and they don't make it into production.
      
       - Misc fixes, improvements and cleanups, as always.
      
      * tag 'ras_updates_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mce: Allow for copy_mc_fragile symbol checksum to be generated
        x86/mce: Decode a kernel instruction to determine if it is copying from user
        x86/mce: Recover from poison found while copying from user space
        x86/mce: Avoid tail copy when machine check terminated a copy from user
        x86/mce: Add _ASM_EXTABLE_CPY for copy user access
        x86/mce: Provide method to find out the type of an exception handler
        x86/mce: Pass pointer to saved pt_regs to severity calculation routines
        x86/copy_mc: Introduce copy_mc_enhanced_fast_string()
        x86, powerpc: Rename memcpy_mcsafe() to copy_mc_to_{user, kernel}()
        x86/mce: Drop AMD-specific "DEFERRED" case from Intel severity rule list
        x86/mce: Add Skylake quirk for patrol scrub reported errors
        RAS/CEC: Convert to DEFINE_SHOW_ATTRIBUTE()
        x86/mce: Annotate mce_rd/wrmsrl() with noinstr
        x86/mce/dev-mcelog: Do not update kflags on AMD systems
        x86/mce: Stop mce_reign() from re-computing severity for every CPU
        x86/mce: Make mce_rdmsrl() panic on an inaccessible MSR
        x86/mce: Increase maximum number of banks to 64
        x86/mce: Delay clearing IA32_MCG_STATUS to the end of do_machine_check()
        x86/MCE/AMD, EDAC/mce_amd: Remove struct smca_hwid.xec_bitmap
        RAS/CEC: Fix cec_init() prototype
      ca1b6692
    • Merge tag 'edac_updates_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras · a9a4b7d9
      Linus Torvalds authored
      Pull EDAC updates from Borislav Petkov:
      
       - Add Amazon's Annapurna Labs memory controller EDAC driver (Talel
         Shenhar)
      
       - New AMD CPUs support (Yazen Ghannam)
      
       - The usual misc fixes and cleanups all over the subsystem
      
      * tag 'edac_updates_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
        EDAC/amd64: Set proper family type for Family 19h Models 20h-2Fh
        EDAC/mc_sysfs: Add missing newlines when printing {max,dimm}_location
        EDAC/aspeed: Use module_platform_driver() to simplify
        EDAC, sb_edac: Simplify switch statement
        EDAC/ti: Fix handling of platform_get_irq() error
        EDAC/aspeed: Fix handling of platform_get_irq() error
        EDAC/i5100: Fix error handling order in i5100_init_one()
        EDAC/highbank: Handover Calxeda Highbank maintenance to Andre Przywara
        EDAC/socfpga: Transfer SoCFPGA EDAC maintainership
        EDAC/thunderx: Make symbol lmc_dfs_ents static
        EDAC/al-mc-edac: Add Amazon's Annapurna Labs Memory Controller driver
        dt-bindings: EDAC: Add Amazon's Annapurna Labs Memory Controller binding
        EDAC/mce_amd: Add new error descriptions for existing types
        EDAC: Replace HTTP links with HTTPS ones
      a9a4b7d9
    • Merge tag 'm68k-for-v5.10-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k · af9db1d6
      Linus Torvalds authored
      Pull m68k updates from Geert Uytterhoeven:
      
        - Conversion of the Mac IDE driver to a platform driver
      
        - Minor cleanups and fixes
      
      * tag 'm68k-for-v5.10-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
        ide/macide: Convert Mac IDE driver to platform driver
        m68k: Replace HTTP links with HTTPS ones
        m68k: mm: Remove superfluous memblock_alloc*() casts
        m68k: mm: Use PAGE_ALIGNED() helper
        m68k: Sort selects in main Kconfig
        m68k: amiga: Clean up Amiga hardware configuration
        m68k: Revive _TIF_* masks
        m68k: Correct some typos in comments
        m68k: Use get_kernel_nofault() in show_registers()
        zorro: Fix address space collision message with RAM expansion boards
        m68k: amiga: Fix Denise detection on OCS
      af9db1d6
    • Merge tag 'microblaze-v5.10' of git://git.monstr.eu/linux-2.6-microblaze · 024fb667
      Linus Torvalds authored
      Pull Microblaze build warning fix from Michal Simek.
      
      * tag 'microblaze-v5.10' of git://git.monstr.eu/linux-2.6-microblaze:
        microblaze: fix kbuild redundant file warning
      024fb667
    • Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 6734e20e
      Linus Torvalds authored
      Pull arm64 updates from Will Deacon:
       "There's quite a lot of code here, but much of it is due to the
        addition of a new PMU driver as well as some arm64-specific selftests
        which is an area where we've traditionally been lagging a bit.
      
        In terms of exciting features, this includes support for the Memory
        Tagging Extension which narrowly missed 5.9, hopefully allowing
        userspace to run with use-after-free detection in production on CPUs
        that support it. Work is ongoing to integrate the feature with KASAN
        for 5.11.
      
        Another change that I'm excited about (assuming they get the hardware
        right) is preparing the ASID allocator for sharing the CPU page-table
        with the SMMU. Those changes will also come in via Joerg with the
        IOMMU pull.
      
        We do stray outside of our usual directories in a few places, mostly
        due to core changes required by MTE. Although much of this has been
        Acked, there were a couple of places where we unfortunately didn't get
        any review feedback.
      
        Other than that, we ran into a handful of minor conflicts in -next,
         but nothing that should pose any issues.
      
        Summary:
      
         - Userspace support for the Memory Tagging Extension introduced by
           Armv8.5. Kernel support (via KASAN) is likely to follow in 5.11.
      
         - Selftests for MTE, Pointer Authentication and FPSIMD/SVE context
           switching.
      
         - Fix and subsequent rewrite of our Spectre mitigations, including
           the addition of support for PR_SPEC_DISABLE_NOEXEC.
      
         - Support for the Armv8.3 Pointer Authentication enhancements.
      
         - Support for ASID pinning, which is required when sharing
           page-tables with the SMMU.
      
         - MM updates, including treating flush_tlb_fix_spurious_fault() as a
           no-op.
      
         - Perf/PMU driver updates, including addition of the ARM CMN PMU
           driver and also support to handle CPU PMU IRQs as NMIs.
      
         - Allow prefetchable PCI BARs to be exposed to userspace using normal
           non-cacheable mappings.
      
         - Implementation of ARCH_STACKWALK for unwinding.
      
         - Improve reporting of unexpected kernel traps due to BPF JIT
           failure.
      
         - Improve robustness of user-visible HWCAP strings and their
           corresponding numerical constants.
      
         - Removal of TEXT_OFFSET.
      
         - Removal of some unused functions, parameters and prototypes.
      
         - Removal of MPIDR-based topology detection in favour of firmware
           description.
      
         - Cleanups to handling of SVE and FPSIMD register state in
           preparation for potential future optimisation of handling across
           syscalls.
      
         - Cleanups to the SDEI driver in preparation for support in KVM.
      
         - Miscellaneous cleanups and refactoring work"
      
      * tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: (148 commits)
        Revert "arm64: initialize per-cpu offsets earlier"
        arm64: random: Remove no longer needed prototypes
        arm64: initialize per-cpu offsets earlier
        kselftest/arm64: Check mte tagged user address in kernel
        kselftest/arm64: Verify KSM page merge for MTE pages
        kselftest/arm64: Verify all different mmap MTE options
        kselftest/arm64: Check forked child mte memory accessibility
        kselftest/arm64: Verify mte tag inclusion via prctl
        kselftest/arm64: Add utilities and a test to validate mte memory
        perf: arm-cmn: Fix conversion specifiers for node type
        perf: arm-cmn: Fix unsigned comparison to less than zero
        arm64: dbm: Invalidate local TLB when setting TCR_EL1.HD
        arm64: mm: Make flush_tlb_fix_spurious_fault() a no-op
        arm64: Add support for PR_SPEC_DISABLE_NOEXEC prctl() option
        arm64: Pull in task_stack_page() to Spectre-v4 mitigation code
        KVM: arm64: Allow patching EL2 vectors even with KASLR is not enabled
        arm64: Get rid of arm64_ssbd_state
        KVM: arm64: Convert ARCH_WORKAROUND_2 to arm64_get_spectre_v4_state()
        KVM: arm64: Get rid of kvm_arm_have_ssbd()
        KVM: arm64: Simplify handling of ARCH_WORKAROUND_2
        ...
      6734e20e
    • Merge tag 'tpmdd-next-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd · d04a248f
      Linus Torvalds authored
      Pull tpm updates from Jarkko Sakkinen:
       "Support for a new TPM device and fixes and Git URL change (infradead ->
        korg)"
      
      * tag 'tpmdd-next-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
        MAINTAINERS: TPM DEVICE DRIVER: Update GIT
        tpm_tis: Add a check for invalid status
        tpm: use %*ph to print small buffer
        dt-bindings: Add SynQucer TPM MMIO as a trivial device
        tpm: tis: add support for MMIO TPM on SynQuacer
      d04a248f
    • 1dc32628
      Borislav Petkov authored
  5. 11 Oct, 2020 10 commits
  6. 10 Oct, 2020 6 commits
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · da690031
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Some more driver bugfixes for I2C. Including a revert - the updated
        series for it will come during the next merge window"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: owl: Clear NACK and BUS error bits
        Revert "i2c: imx: Fix reset of I2SR_IAL flag"
        i2c: meson: fixup rate calculation with filter delay
        i2c: meson: keep peripheral clock enabled
        i2c: meson: fix clock setting overwrite
        i2c: imx: Fix reset of I2SR_IAL flag
      da690031
    • cifs: Fix incomplete memory allocation on setxattr path · 64b7f674
      Vladimir Zapolskiy authored
      On the setxattr() syscall path due to an apparent typo the size of a dynamically
      allocated memory chunk for storing struct smb2_file_full_ea_info object is
      computed incorrectly, to be more precise the first addend is the size of
      a pointer instead of the wanted object size. Coincidentally it makes no
      difference on 64-bit platforms, however on 32-bit targets the following
      memcpy() writes 4 bytes of data outside of the dynamically allocated memory.
      
        =============================================================================
        BUG kmalloc-16 (Not tainted): Redzone overwritten
        -----------------------------------------------------------------------------
      
        Disabling lock debugging due to kernel taint
        INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
        INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
        INFO: Object 0x6f171df3 @offset=352 fp=0x00000000
      
        Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
        Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69  ........snrub.fi
        Redzone 79e69a6f: 73 68 32 0a                                      sh2.
        Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
        CPU: 0 PID: 8196 Comm: attr Tainted: G    B             5.9.0-rc8+ #3
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
        Call Trace:
         dump_stack+0x54/0x6e
         print_trailer+0x12c/0x134
         check_bytes_and_report.cold+0x3e/0x69
         check_object+0x18c/0x250
         free_debug_processing+0xfe/0x230
         __slab_free+0x1c0/0x300
         kfree+0x1d3/0x220
         smb2_set_ea+0x27d/0x540
         cifs_xattr_set+0x57f/0x620
         __vfs_setxattr+0x4e/0x60
         __vfs_setxattr_noperm+0x4e/0x100
         __vfs_setxattr_locked+0xae/0xd0
         vfs_setxattr+0x4e/0xe0
         setxattr+0x12c/0x1a0
         path_setxattr+0xa4/0xc0
         __ia32_sys_lsetxattr+0x1d/0x20
         __do_fast_syscall_32+0x40/0x70
         do_fast_syscall_32+0x29/0x60
         do_SYSENTER_32+0x15/0x20
         entry_SYSENTER_32+0x9f/0xf2
      
      Fixes: 5517554e ("cifs: Add support for writing attributes on SMB2+")
      Signed-off-by: Vladimir Zapolskiy <vladimir@tuxera.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      64b7f674
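The size miscalculation described in the commit above, reproduced in user space as an added example (not the kernel's own code): a constructed 8-byte mirror of the EA header, the faulty formula (first addend is a pointer size) beside the corrected one (first addend is the header size), and a redzone-style guard that counts how many bytes the three copies write past the allocation. The struct layout and the pointer-size parameter are assumptions; the name "snrub" and value "fish2\n" are the ones visible in the slab dump, so the 32-bit case lands in a 16-byte object and overruns by exactly the 4 redzone bytes the report shows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for the kernel's struct smb2_file_full_ea_info: an
 * 8-byte fixed header followed by the NUL-terminated EA name and then the
 * EA value.  Layout assumed for this example, not copied from the kernel.
 */
struct ea_info_hdr {
	uint32_t next_entry_offset;
	uint8_t  flags;
	uint8_t  ea_name_length;
	uint16_t ea_value_length;
	/* variable part: ea_name[ea_name_length + 1], ea_value[ea_value_length] */
} __attribute__((packed));

#define GUARD_BYTES 16
#define GUARD_FILL  0xcc	/* same fill byte SLUB uses for its redzone */

/*
 * Allocation size as the setxattr path computes it.  ptr_size stands for
 * sizeof(ea) (a pointer) on the target, so the 32-bit case can be shown on
 * a 64-bit host; the fixed formula uses the header size (sizeof(*ea)) instead.
 */
static size_t ea_alloc_len(int fixed, size_t ptr_size,
			   size_t name_len, size_t value_len)
{
	size_t first = fixed ? sizeof(struct ea_info_hdr) : ptr_size;

	return first + name_len + value_len + 1;	/* +1: the name's NUL */
}

/*
 * Build one EA entry into a buffer of alloc_len bytes followed by a guard
 * region, performing the same three copies the setxattr path does.  Returns
 * how many guard bytes were overwritten (0 means the allocation sufficed),
 * or -1 on allocation failure.
 */
static int build_ea_entry(size_t alloc_len, const char *name,
			  const char *value, size_t value_len)
{
	size_t name_len = strlen(name);
	struct ea_info_hdr hdr = {
		.next_entry_offset = 0,
		.flags = 0,
		.ea_name_length = (uint8_t)name_len,
		.ea_value_length = (uint16_t)value_len,
	};
	unsigned char *buf = malloc(alloc_len + GUARD_BYTES);
	int clobbered = 0;

	if (!buf)
		return -1;
	memset(buf + alloc_len, GUARD_FILL, GUARD_BYTES);

	/* header, then "name\0", then the value bytes, exactly as written */
	memcpy(buf, &hdr, sizeof(hdr));
	memcpy(buf + sizeof(hdr), name, name_len + 1);
	memcpy(buf + sizeof(hdr) + name_len + 1, value, value_len);

	for (size_t i = 0; i < GUARD_BYTES; i++)
		if (buf[alloc_len + i] != GUARD_FILL)
			clobbered++;
	free(buf);
	return clobbered;
}

int main(void)
{
	/* name and value taken from the slab dump in the commit message */
	const char *name = "snrub";
	const char value[] = "fish2\n";
	size_t value_len = sizeof(value) - 1;
	size_t targets[] = { 4, 8 };		/* 32-bit and 64-bit pointers */

	for (size_t t = 0; t < 2; t++) {
		size_t buggy = ea_alloc_len(0, targets[t], strlen(name), value_len);
		size_t fixed = ea_alloc_len(1, targets[t], strlen(name), value_len);

		printf("%zu-byte pointers: sizeof(ea) formula allocates %zu and "
		       "overruns the guard by %d bytes; sizeof(*ea) formula "
		       "allocates %zu and overruns by %d\n",
		       targets[t], buggy,
		       build_ea_entry(buggy, name, value, value_len),
		       fixed, build_ea_entry(fixed, name, value, value_len));
	}
	return 0;
}
```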
    • mm/khugepaged: fix filemap page_to_pgoff(page) != offset · 033b5d77
      Hugh Dickins authored
      There have been elusive reports of filemap_fault() hitting its
      VM_BUG_ON_PAGE(page_to_pgoff(page) != offset, page) on kernels built
      with CONFIG_READ_ONLY_THP_FOR_FS=y.
      
      Suren has hit it on a kernel with CONFIG_READ_ONLY_THP_FOR_FS=y and
      CONFIG_NUMA is not set: and he has analyzed it down to how khugepaged
      without NUMA reuses the same huge page after collapse_file() failed
      (whereas NUMA targets its allocation to the respective node each time).
      And most of us were usually testing with CONFIG_NUMA=y kernels.
      
      collapse_file(old start)
        new_page = khugepaged_alloc_page(hpage)
        __SetPageLocked(new_page)
        new_page->index = start // hpage->index=old offset
        new_page->mapping = mapping
        xas_store(&xas, new_page)
      
                                filemap_fault
                                  page = find_get_page(mapping, offset)
                                  // if offset falls inside hpage then
                                  // compound_head(page) == hpage
                                  lock_page_maybe_drop_mmap()
                                    __lock_page(page)
      
        // collapse fails
        xas_store(&xas, old page)
        new_page->mapping = NULL
        unlock_page(new_page)
      
      collapse_file(new start)
        new_page = khugepaged_alloc_page(hpage)
        __SetPageLocked(new_page)
        new_page->index = start // hpage->index=new offset
        new_page->mapping = mapping // mapping becomes valid again
      
                                  // since compound_head(page) == hpage
                                  // page_to_pgoff(page) got changed
                                  VM_BUG_ON_PAGE(page_to_pgoff(page) != offset)
      
      An initial patch replaced __SetPageLocked() by lock_page(), which did
      fix the race which Suren illustrates above.  But testing showed that it's
      not good enough: if the racing task's __lock_page() gets delayed long
      after its find_get_page(), then it may follow collapse_file(new start)'s
      successful final unlock_page(), and crash on the same VM_BUG_ON_PAGE.
      
      It could be fixed by relaxing filemap_fault()'s VM_BUG_ON_PAGE to a
      check and retry (as is done for mapping), with similar relaxations in
      find_lock_entry() and pagecache_get_page(): but it's not obvious what
      else might get caught out; and khugepaged non-NUMA appears to be unique
      in exposing a page to page cache, then revoking, without going through
      a full cycle of freeing before reuse.
      
      Instead, non-NUMA khugepaged_prealloc_page() releases the old page
      if anyone else has a reference to it (1% of cases when I tested).
      
      Although never reported on huge tmpfs, I believe its find_lock_entry()
      has been at similar risk; but huge tmpfs does not rely on khugepaged
      for its normal working nearly so much as READ_ONLY_THP_FOR_FS does.
      Reported-by: Denis Lisov <dennis.lissov@gmail.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206569
      Link: https://lore.kernel.org/linux-mm/?q=20200219144635.3b7417145de19b65f258c943%40linux-foundation.org
      Reported-by: Qian Cai <cai@lca.pw>
      Link: https://lore.kernel.org/linux-xfs/?q=20200616013309.GB815%40lca.pw
      Reported-and-analyzed-by: Suren Baghdasaryan <surenb@google.com>
      Fixes: 87c460a0 ("mm/khugepaged: collapse_shmem() without freezing new_page")
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Cc: stable@vger.kernel.org # v4.9+
      Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      033b5d77
    • i2c: owl: Clear NACK and BUS error bits · f5b3f433
      Cristian Ciocaltea authored
      When the NACK and BUS error bits are set by the hardware, the driver is
      responsible for clearing them by writing "1" into the corresponding
      status registers.
      
      Hence perform the necessary operations in owl_i2c_interrupt().
      
      Fixes: d211e62a ("i2c: Add Actions Semiconductor Owl family S900 I2C driver")
      Reported-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
      Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
      Signed-off-by: Wolfram Sang <wsa@kernel.org>
      f5b3f433
    • Revert "i2c: imx: Fix reset of I2SR_IAL flag" · 5a02e7c4
      Wolfram Sang authored
      This reverts commit fa4d3055. An updated
      version was sent. So, revert this version and give the new version more
      time for testing.
      Signed-off-by: Wolfram Sang <wsa@kernel.org>
      5a02e7c4
    • Merge tag 'spi-fix-v5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 6f2f486d
      Linus Torvalds authored
      Pull spi fix from Mark Brown:
       "One last minute fix for v5.9 which has been causing crashes in test
        systems with the fsl-dspi driver when they hit deferred probe (and
        which I probably let cook in next a bit longer than is ideal).
      
        And an update to MAINTAINERS reflecting Serge's extensive and
        detailed recent work on the DesignWare driver"
      
      * tag 'spi-fix-v5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        MAINTAINERS: Add maintainer of DW APB SSI driver
        spi: fsl-dspi: fix NULL pointer dereference
      6f2f486d
  7. 09 Oct, 2020 8 commits