1. 30 Apr, 2019 22 commits
    • Rick Edgecombe's avatar
      bpf: Use vmalloc special flag · d53d2f78
      Rick Edgecombe authored
      Use new flag VM_FLUSH_RESET_PERMS for handling freeing of special
      permissioned memory in vmalloc and remove places where memory was set RW
      before freeing which is no longer needed. Don't track if the memory is RO
      anymore because it is now tracked in vmalloc.
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nadav Amit <nadav.amit@gmail.com>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-19-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      d53d2f78
    • Rick Edgecombe's avatar
      modules: Use vmalloc special flag · 1a7b7d92
      Rick Edgecombe authored
      Use new flag for handling freeing of special permissioned memory in vmalloc
      and remove places where memory was set RW before freeing which is no longer
      needed.
      
      Since freeing of VM_FLUSH_RESET_PERMS memory is not supported in an
      interrupt by vmalloc, the freeing of init sections is moved to a work
      queue. Instead of call_rcu it now uses synchronize_rcu() in the work
      queue.
      
      Lastly, there is now a WARN_ON in module_memfree since it should not be
      called in an interrupt with special memory as is required for
      VM_FLUSH_RESET_PERMS.
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nadav Amit <nadav.amit@gmail.com>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-18-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      1a7b7d92
    • Rick Edgecombe's avatar
      mm/vmalloc: Add flag for freeing of special permsissions · 868b104d
      Rick Edgecombe authored
      Add a new flag VM_FLUSH_RESET_PERMS, for enabling vfree operations to
      immediately clear executable TLB entries before freeing pages, and handle
      resetting permissions on the directmap. This flag is useful for any kind
      of memory with elevated permissions, or where there can be related
      permissions changes on the directmap. Today this is RO+X and RO memory.
      
      Although this enables directly vfreeing non-writeable memory now,
      non-writable memory cannot be freed in an interrupt because the allocation
      itself is used as a node on deferred free list. So when RO memory needs to
      be freed in an interrupt the code doing the vfree needs to have its own
      work queue, as was the case before the deferred vfree list was added to
      vmalloc.
      
      For architectures with set_direct_map_ implementations this whole operation
      can be done with one TLB flush when centralized like this. For others with
      directmap permissions, currently only arm64, a backup method using
      set_memory functions is used to reset the directmap. When arm64 adds
      set_direct_map_ functions, this backup can be removed.
      
      When the TLB is flushed to both remove TLB entries for the vmalloc range
      mapping and the direct map permissions, the lazy purge operation could be
      done to try to save a TLB flush later. However today vm_unmap_aliases
      could flush a TLB range that does not include the directmap. So a helper
      is added with extra parameters that can allow both the vmalloc address and
      the direct mapping to be flushed during this operation. The behavior of the
      normal vm_unmap_aliases function is unchanged.
      Suggested-by: default avatarDave Hansen <dave.hansen@intel.com>
      Suggested-by: default avatarAndy Lutomirski <luto@kernel.org>
      Suggested-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nadav Amit <nadav.amit@gmail.com>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-17-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      868b104d
    • Rick Edgecombe's avatar
      mm/hibernation: Make hibernation handle unmapped pages · d6332692
      Rick Edgecombe authored
      Make hibernate handle unmapped pages on the direct map when
      CONFIG_ARCH_HAS_SET_ALIAS=y is set. These functions allow for setting pages
      to invalid configurations, so now hibernate should check if the pages have
      valid mappings and handle if they are unmapped when doing a hibernate
      save operation.
      
      Previously this checking was already done when CONFIG_DEBUG_PAGEALLOC=y
      was configured. It does not appear to have a big hibernating performance
      impact. The speed of the saving operation before this change was measured
      as 819.02 MB/s, and after was measured at 813.32 MB/s.
      
      Before:
      [    4.670938] PM: Wrote 171996 kbytes in 0.21 seconds (819.02 MB/s)
      
      After:
      [    4.504714] PM: Wrote 178932 kbytes in 0.22 seconds (813.32 MB/s)
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nadav Amit <nadav.amit@gmail.com>
      Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-16-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      d6332692
    • Rick Edgecombe's avatar
      x86/mm/cpa: Add set_direct_map_*() functions · d253ca0c
      Rick Edgecombe authored
      Add two new functions set_direct_map_default_noflush() and
      set_direct_map_invalid_noflush() for setting the direct map alias for the
      page to its default valid permissions and to an invalid state that cannot
      be cached in a TLB, respectively. These functions do not flush the TLB.
      
      Note, __kernel_map_pages() does something similar but flushes the TLB and
      doesn't reset the permission bits to default on all architectures.
      
      Also add an ARCH config ARCH_HAS_SET_DIRECT_MAP for specifying whether
      these have an actual implementation or a default empty one.
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nadav Amit <nadav.amit@gmail.com>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-15-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      d253ca0c
    • Nadav Amit's avatar
      x86/alternatives: Remove the return value of text_poke_*() · 0a203df5
      Nadav Amit authored
      The return value of text_poke_early() and text_poke_bp() is useless.
      Remove it.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-14-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      0a203df5
    • Nadav Amit's avatar
      x86/jump-label: Remove support for custom text poker · bb0a008d
      Nadav Amit authored
      There are only two types of text poking: early and breakpoint based. The use
      of a function pointer to perform text poking complicates the code and is
      probably inefficient due to the use of indirect branches.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-13-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      bb0a008d
    • Nadav Amit's avatar
      x86/modules: Avoid breaking W^X while loading modules · f2c65fb3
      Nadav Amit authored
      When modules and BPF filters are loaded, there is a time window in
      which some memory is both writable and executable. An attacker that has
      already found another vulnerability (e.g., a dangling pointer) might be
      able to exploit this behavior to overwrite kernel code. Prevent having
      writable executable PTEs in this stage.
      
      In addition, avoiding having W+X mappings can also slightly simplify the
      patching of modules code on initialization (e.g., by alternatives and
      static-key), as would be done in the next patch. This was actually the
      main motivation for this patch.
      
      To avoid having W+X mappings, set them initially as RW (NX) and after
      they are set as RO set them as X as well. Setting them as executable is
      done as a separate step to avoid one core in which the old PTE is cached
      (hence writable), and another which sees the updated PTE (executable),
      which would break the W^X protection.
      Suggested-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Suggested-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Rik van Riel <riel@surriel.com>
      Link: https://lkml.kernel.org/r/20190426001143.4983-12-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      f2c65fb3
    • Nadav Amit's avatar
      x86/kprobes: Set instruction page as executable · 7298e24f
      Nadav Amit authored
      Set the page as executable after allocation.  This patch is a
      preparatory patch for a following patch that makes module allocated
      pages non-executable.
      
      While at it, do some small cleanup of what appears to be unnecessary
      masking.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-11-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      7298e24f
    • Nadav Amit's avatar
      x86/ftrace: Set trampoline pages as executable · 3c0dab44
      Nadav Amit authored
      Since alloc_module() will not set the pages as executable soon, set
      ftrace trampoline pages as executable after they are allocated.
      
      For the time being, do not change ftrace to use the text_poke()
      interface. As a result, ftrace still breaks W^X.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-10-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      3c0dab44
    • Nadav Amit's avatar
      x86/kgdb: Avoid redundant comparison of patched code · 86a22057
      Nadav Amit authored
      text_poke() already ensures that the written value is the correct one
      and fails if that is not the case. There is no need for an additional
      comparison. Remove it.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-9-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      86a22057
    • Nadav Amit's avatar
      x86/alternatives: Use temporary mm for text poking · b3fd8e83
      Nadav Amit authored
      text_poke() can potentially compromise security as it sets temporary
      PTEs in the fixmap. These PTEs might be used to rewrite the kernel code
      from other cores accidentally or maliciously, if an attacker gains the
      ability to write onto kernel memory.
      
      Moreover, since remote TLBs are not flushed after the temporary PTEs are
      removed, the time-window in which the code is writable is not limited if
      the fixmap PTEs - maliciously or accidentally - are cached in the TLB.
      To address these potential security hazards, use a temporary mm for
      patching the code.
      
      Finally, text_poke() is also not conservative enough when mapping pages,
      as it always tries to map 2 pages, even when a single one is sufficient.
      So try to be more conservative, and do not map more than needed.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-8-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      b3fd8e83
    • Nadav Amit's avatar
      x86/alternatives: Initialize temporary mm for patching · 4fc19708
      Nadav Amit authored
      To prevent improper use of the PTEs that are used for text patching, the
      next patches will use a temporary mm struct. Initailize it by copying
      the init mm.
      
      The address that will be used for patching is taken from the lower area
      that is usually used for the task memory. Doing so prevents the need to
      frequently synchronize the temporary-mm (e.g., when BPF programs are
      installed), since different PGDs are used for the task memory.
      
      Finally, randomize the address of the PTEs to harden against exploits
      that use these PTEs.
      Suggested-by: default avatarAndy Lutomirski <luto@kernel.org>
      Tested-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: akpm@linux-foundation.org
      Cc: ard.biesheuvel@linaro.org
      Cc: deneen.t.dock@intel.com
      Cc: kernel-hardening@lists.openwall.com
      Cc: kristen@linux.intel.com
      Cc: linux_dti@icloud.com
      Cc: will.deacon@arm.com
      Link: https://lkml.kernel.org/r/20190426232303.28381-8-nadav.amit@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      4fc19708
    • Nadav Amit's avatar
      fork: Provide a function for copying init_mm · 13585fa0
      Nadav Amit authored
      Provide a function for copying init_mm. This function will be later used
      for setting a temporary mm.
      Tested-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-6-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      13585fa0
    • Nadav Amit's avatar
      uprobes: Initialize uprobes earlier · aad42dd4
      Nadav Amit authored
      In order to have a separate address space for text poking, we need to
      duplicate init_mm early during start_kernel(). This, however, introduces
      a problem since uprobes functions are called from dup_mmap(), but
      uprobes is still not initialized in this early stage.
      
      Since uprobes initialization is necassary for fork, and since all the
      dependant initialization has been done when fork is initialized (percpu
      and vmalloc), move uprobes initialization to fork_init(). It does not
      seem uprobes introduces any security problem for the poking_mm.
      
      Crash and burn if uprobes initialization fails, similarly to other early
      initializations. Change the init_probes() name to probes_init() to match
      other early initialization functions name convention.
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rick Edgecombe <rick.p.edgecombe@intel.com>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: akpm@linux-foundation.org
      Cc: ard.biesheuvel@linaro.org
      Cc: deneen.t.dock@intel.com
      Cc: kernel-hardening@lists.openwall.com
      Cc: kristen@linux.intel.com
      Cc: linux_dti@icloud.com
      Cc: will.deacon@arm.com
      Link: https://lkml.kernel.org/r/20190426232303.28381-6-nadav.amit@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      aad42dd4
    • Nadav Amit's avatar
      x86/mm: Save debug registers when loading a temporary mm · d97080eb
      Nadav Amit authored
      Prevent user watchpoints from mistakenly firing while the temporary mm
      is being used. As the addresses of the temporary mm might overlap those
      of the user-process, this is necessary to prevent wrong signals or worse
      things from happening.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-5-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      d97080eb
    • Andy Lutomirski's avatar
      x86/mm: Introduce temporary mm structs · cefa929c
      Andy Lutomirski authored
      Using a dedicated page-table for temporary PTEs prevents other cores
      from using - even speculatively - these PTEs, thereby providing two
      benefits:
      
      (1) Security hardening: an attacker that gains kernel memory writing
          abilities cannot easily overwrite sensitive data.
      
      (2) Avoiding TLB shootdowns: the PTEs do not need to be flushed in
          remote page-tables.
      
      To do so a temporary mm_struct can be used. Mappings which are private
      for this mm can be set in the userspace part of the address-space.
      During the whole time in which the temporary mm is loaded, interrupts
      must be disabled.
      
      The first use-case for temporary mm struct, which will follow, is for
      poking the kernel text.
      
      [ Commit message was written by Nadav Amit ]
      Tested-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-4-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      cefa929c
    • Nadav Amit's avatar
      x86/jump_label: Use text_poke_early() during early init · 1fd8de46
      Nadav Amit authored
      There is no apparent reason not to use text_poke_early() during
      early-init, since no patching of code that might be on the stack is done
      and only a single core is running.
      
      This is required for the next patches that would set a temporary mm for
      text poking, and this mm is only initialized after some static-keys are
      enabled/disabled.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-3-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      1fd8de46
    • Nadav Amit's avatar
      bpf: Fail bpf_probe_write_user() while mm is switched · c7b6f29b
      Nadav Amit authored
      When using a temporary mm, bpf_probe_write_user() should not be able to
      write to user memory, since user memory addresses may be used to map
      kernel memory.  Detect these cases and fail bpf_probe_write_user() in
      such cases.
      Suggested-by: default avatarJann Horn <jannh@google.com>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-24-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      c7b6f29b
    • Nadav Amit's avatar
      mm/tlb: Provide default nmi_uaccess_okay() · 5932c9fd
      Nadav Amit authored
      x86 has an nmi_uaccess_okay(), but other architectures do not.
      Arch-independent code might need to know whether access to user
      addresses is ok in an NMI context or in other code whose execution
      context is unknown.  Specifically, this function is needed for
      bpf_probe_write_user().
      
      Add a default implementation of nmi_uaccess_okay() for architectures
      that do not have such a function.
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190426001143.4983-23-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      5932c9fd
    • Nadav Amit's avatar
      x86/alternatives: Add text_poke_kgdb() to not assert the lock when debugging · e836673c
      Nadav Amit authored
      text_mutex is currently expected to be held before text_poke() is
      called, but kgdb does not take the mutex, and instead *supposedly*
      ensures the lock is not taken and will not be acquired by any other core
      while text_poke() is running.
      
      The reason for the "supposedly" comment is that it is not entirely clear
      that this would be the case if gdb_do_roundup is zero.
      
      Create two wrapper functions, text_poke() and text_poke_kgdb(), which do
      or do not run the lockdep assertion respectively.
      
      While we are at it, change the return code of text_poke() to something
      meaningful. One day, callers might actually respect it and the existing
      BUG_ON() when patching fails could be removed. For kgdb, the return
      value can actually be used.
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: default avatarJiri Kosina <jkosina@suse.cz>
      Cc: <akpm@linux-foundation.org>
      Cc: <ard.biesheuvel@linaro.org>
      Cc: <deneen.t.dock@intel.com>
      Cc: <kernel-hardening@lists.openwall.com>
      Cc: <kristen@linux.intel.com>
      Cc: <linux_dti@icloud.com>
      Cc: <will.deacon@arm.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Rik van Riel <riel@surriel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 9222f606 ("x86/alternatives: Lockdep-enforce text_mutex in text_poke*()")
      Link: https://lkml.kernel.org/r/20190426001143.4983-2-namit@vmware.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      e836673c
    • Ingo Molnar's avatar
      d5963d87
  2. 29 Apr, 2019 1 commit
  3. 28 Apr, 2019 5 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · 9520b532
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "A small number of ARM fixes
      
         - Fix function tracer and unwinder dependencies so that we don't end
           up building kernels that will crash
      
         - Fix ARMv7M nommu initialisation (missing register initialisation)
      
         - Fix EFI decompressor entry (ensuring barrier instructions are
           enabled prior to use)"
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache
        ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU is disabled
        ARM: fix function graph tracer and unwinder dependencies
      9520b532
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 0d82044e
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "A one-liner to make our Radix MMU support depend on HUGETLB_PAGE. We
        use some of the hugetlb inlines (eg. pud_huge()) when operating on the
        linear mapping and if they're compiled into empty wrappers we can
        corrupt memory.
      
        Then two fixes to our VFIO IOMMU code. The first is not a regression
        but fixes the locking to avoid a user-triggerable deadlock.
      
        The second does fix a regression since rc1, and depends on the first
        fix. It makes it possible to run guests with large amounts of memory
        again (~256GB).
      
        Thanks to Alexey Kardashevskiy"
      
      * tag 'powerpc-5.1-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm_iommu: Allow pinning large regions
        powerpc/mm_iommu: Fix potential deadlock
        powerpc/mm/radix: Make Radix require HUGETLB_PAGE
      0d82044e
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190428' of git://git.kernel.dk/linux-block · 975a0f40
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A set of io_uring fixes that should go into this release. In
        particular, this contains:
      
         - The mutex lock vs ctx ref count fix (me)
      
         - Removal of a dead variable (me)
      
         - Two race fixes (Stefan)
      
         - Ring head/tail condition fix for poll full SQ detection (Stefan)"
      
      * tag 'for-linus-20190428' of git://git.kernel.dk/linux-block:
        io_uring: remove 'state' argument from io_{read,write} path
        io_uring: fix poll full SQ detection
        io_uring: fix race condition when sq threads goes sleeping
        io_uring: fix race condition reading SQ entries
        io_uring: fail io_uring_register(2) on a dying io_uring instance
      975a0f40
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 14f974d7
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "One core bug fix and a few driver ones
      
         - FRWR memory registration for hfi1/qib didn't work with with some
           iovas causing a NFSoRDMA failure regression due to a fix in the NFS
           side
      
         - A command flow error in mlx5 allowed user space to send a corrupt
           command (and also smash the kernel stack we've since learned)
      
         - Fix a regression and some bugs with device hot unplug that was
           discovered while reviewing Andrea's patches
      
         - hns has a failure if the user asks for certain QP configurations"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/hns: Bugfix for mapping user db
        RDMA/ucontext: Fix regression with disassociate
        RDMA/mlx5: Use rdma_user_map_io for mapping BAR pages
        RDMA/mlx5: Do not allow the user to write to the clock page
        IB/mlx5: Fix scatter to CQE in DCT QP creation
        IB/rdmavt: Fix frwr memory registration
      14f974d7
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-5.1-rc7' of git://git.infradead.org/users/vkoul/slave-dma · 72a6e35d
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - fix for wrong register use in mediatek driver
      
       - fix in sh driver for glitch is tx_status and treating 0 a valid
         residue for cyclic
      
       - fix in bcm driver for using right memory allocation flag
      
      * tag 'dmaengine-fix-5.1-rc7' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: mediatek-cqdma: fix wrong register usage in mtk_cqdma_start
        dmaengine: sh: rcar-dmac: Fix glitch in dmaengine_tx_status
        dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid
        dmaengine: bcm2835: Avoid GFP_KERNEL in device_prep_slave_sg
      72a6e35d
  4. 27 Apr, 2019 7 commits
  5. 26 Apr, 2019 5 commits
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 857e17c2
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - keep the tail of an unaligned initrd reserved
      
       - adjust ftrace_make_call() to deal with the relative nature of PLTs
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/module: ftrace: deal with place relative nature of PLTs
        arm64: mm: Ensure tail of unaligned initrd is reserved
      857e17c2
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · e9e1a2e7
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Three tracing fixes:
      
         - Use "nosteal" for ring buffer splice pages
      
         - Memory leak fix in error path of trace_pid_write()
      
         - Fix preempt_enable_no_resched() (use preempt_enable()) in ring
           buffer code"
      
      * tag 'trace-v5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        trace: Fix preempt_enable_no_resched() abuse
        tracing: Fix a memory leak by early error exit in trace_pid_write()
        tracing: Fix buffer_ref pipe ops
      e9e1a2e7
    • Linus Torvalds's avatar
      Merge tag 'gpio-v5.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 29279d21
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "Not much to say about them, regular fixes:
      
         - Fix a bug on the errorpath of gpiochip_add_data_with_key()
      
         - IRQ type setting on the spreadtrum GPIO driver"
      
      * tag 'gpio-v5.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: Fix gpiochip_add_data_with_key() error path
        gpio: eic: sprd: Fix incorrect irq type setting for the sync EIC
      29279d21
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-04-26' of git://anongit.freedesktop.org/drm/drm · 4e40f0f3
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular drm fixes, nothing too outstanding, I'm guessing Easter was
        slowing people down.
      
        i915:
         - FEC enable fix
         - BXT display lanes fix
      
        ttm:
         - fix reinit for reloading drivers regression
      
        imx:
         - DP CSC fix
      
        sun4i:
         - module unload/load fix
      
        vc4:
         - memory leak fix
         - compile fix
      
        dw-hdmi:
         - rockchip scdc overflow fix
      
        sched:
         - docs fix
      
        vmwgfx:
         - dma api layering fix"
      
      * tag 'drm-fixes-2019-04-26' of git://anongit.freedesktop.org/drm/drm:
        drm/bridge: dw-hdmi: fix SCDC configuration for ddc-i2c-bus
        drm/vmwgfx: Fix dma API layer violation
        drm/vc4: Fix compilation error reported by kbuild test bot
        drm/sun4i: Unbind components before releasing DRM and memory
        drm/vc4: Fix memory leak during gpu reset.
        drm/sched: Fix description of drm_sched_stop
        drm/imx: don't skip DP channel disable for background plane
        gpu: ipu-v3: dp: fix CSC handling
        drm/ttm: fix re-init of global structures
        drm/sun4i: Fix component unbinding and component master deletion
        drm/sun4i: Set device driver data at bind time for use in unbind
        drm/sun4i: Add missing drm_atomic_helper_shutdown at driver unbind
        drm/i915: Restore correct bxt_ddi_phy_calc_lane_lat_optim_mask() calculation
        drm/i915: Do not enable FEC without DSC
        drm: bridge: dw-hdmi: Fix overflow workaround for Rockchip SoCs
      4e40f0f3
    • Linus Torvalds's avatar
      Merge tag 'for-5.1-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · d0473f97
      Linus Torvalds authored
      Pull btrfs fix from David Sterba:
       "One patch to fix a crash in io submission path, due to memory
        allocation errors.
      
        In short, the multipage bio work that landed in 5.1 caused larger bios
        that in turn require larger temporary memory for checksums. The patch
        is a workaround, we're going to rework the allocation so it does not
        require the vmalloc fallback.
      
        It took a while to identify that it's caused by patches in 5.1 and not
        a patchset that did some changes in error handling in the code. I've
        tested it on various memory/cpu combinations, it could hit OOM but
        does not crash.
      
        The timestamp of the patch is less than a day due to updates in the
        changelog, tests were running meanwhile"
      
      * tag 'for-5.1-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: Switch memory allocations in async csum calculation path to kvmalloc
      d0473f97