1. 20 Oct, 2015 1 commit
    • compiler, atomics, kasan: Provide READ_ONCE_NOCHECK() · d976441f
      Andrey Ryabinin authored
      Some code may perform racy by design memory reads. This could be
      harmless, yet such code may produce KASAN warnings.
      
      To hide such accesses from KASAN this patch introduces
      READ_ONCE_NOCHECK() macro. KASAN will not check the memory
      accessed by READ_ONCE_NOCHECK(). The KernelThreadSanitizer
      (KTSAN) is going to ignore it as well.
      
      This patch creates __read_once_size_nocheck() a clone of
      __read_once_size(). The only difference between them is
      'no_sanitized_address' attribute appended to '*_nocheck'
      function. This attribute tells the compiler that instrumentation
      of memory accesses should not be applied to that function. We
      declare it as static '__maybe_unused' because GCC is not capable
      to inline such function:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67368
      
      With KASAN=n READ_ONCE_NOCHECK() is just a clone of READ_ONCE().
      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Wolfram Gloger <wmglo@dent.med.uni-muenchen.de>
      Cc: kasan-dev <kasan-dev@googlegroups.com>
      Link: http://lkml.kernel.org/r/1445243838-17763-2-git-send-email-aryabinin@virtuozzo.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  2. 19 Oct, 2015 3 commits
  3. 16 Oct, 2015 3 commits
    • x86/ioapic: Disable interrupts when re-routing legacy IRQs · c0ff971e
      Vitaly Kuznetsov authored
      A sporadic hang with consequent crash is observed when booting Hyper-V Gen1
      guests:
      
       Call Trace:
        <IRQ>
        [<ffffffff810ab68d>] ? trace_hardirqs_off+0xd/0x10
        [<ffffffff8107b616>] queue_work_on+0x46/0x90
        [<ffffffff81365696>] ? add_interrupt_randomness+0x176/0x1d0
        ...
        <EOI>
        [<ffffffff81471ddb>] ? _raw_spin_unlock_irqrestore+0x3b/0x60
        [<ffffffff810c295e>] __irq_put_desc_unlock+0x1e/0x40
        [<ffffffff810c5c35>] irq_modify_status+0xb5/0xd0
        [<ffffffff8104adbb>] mp_register_handler+0x4b/0x70
        [<ffffffff8104c55a>] mp_irqdomain_alloc+0x1ea/0x2a0
        [<ffffffff810c7f10>] irq_domain_alloc_irqs_recursive+0x40/0xa0
        [<ffffffff810c860c>] __irq_domain_alloc_irqs+0x13c/0x2b0
        [<ffffffff8104b070>] alloc_isa_irq_from_domain.isra.1+0xc0/0xe0
        [<ffffffff8104bfa5>] mp_map_pin_to_irq+0x165/0x2d0
        [<ffffffff8104c157>] pin_2_irq+0x47/0x80
        [<ffffffff81744253>] setup_IO_APIC+0xfe/0x802
        ...
        [<ffffffff814631c0>] ? rest_init+0x140/0x140
      
      The issue is easily reproducible with a simple instrumentation: if
      mdelay(10) is put between mp_setup_entry() and mp_register_handler() calls
      in mp_irqdomain_alloc() Hyper-V guest always fails to boot when re-routing
      IRQ0. The issue seems to be caused by the fact that we don't disable
      interrupts while doing IOAPIC programming for legacy IRQs and IRQ0 actually
      happens.
      
      Protect the setup sequence against concurrent interrupts.
      
      [ tglx: Make the protection unconditional and not only for legacy
        interrupts ]
      Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
      Cc: Jiang Liu <jiang.liu@linux.intel.com>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: K. Y. Srinivasan <kys@microsoft.com>
      Link: http://lkml.kernel.org/r/1444930943-19336-1-git-send-email-vkuznets@redhat.com
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    • Merge tag 'efi-urgent' of... · 1a800589
      Ingo Molnar authored
      Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/urgent
      
      Pull EFI fix from Matt Fleming:
      
       - Ensure that the identity mapping in initial_page_table is updated
         to cover the entire kernel range. This fixes a triple fault on
         non-PAE kernels when booting on 32-bit EFI due to accessing an
         unmapped GDT in efi_call_phys_prolog(). (Paolo Bonzini)
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
    • x86/setup: Extend low identity map to cover whole kernel range · f5f3497c
      Paolo Bonzini authored
      On 32-bit systems, the initial_page_table is reused by
      efi_call_phys_prolog as an identity map to call
      SetVirtualAddressMap.  efi_call_phys_prolog takes care of
      converting the current CPU's GDT to a physical address too.
      
      For PAE kernels the identity mapping is achieved by aliasing the
      first PDPE for the kernel memory mapping into the first PDPE
      of initial_page_table.  This makes the EFI stub's trick "just work".
      
      However, for non-PAE kernels there is no guarantee that the identity
      mapping in the initial_page_table extends as far as the GDT; in this
      case, accesses to the GDT will cause a page fault (which quickly becomes
      a triple fault).  Fix this by copying the kernel mappings from
      swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at
      identity mapping.
      
      For some reason, this is only reproducible with QEMU's dynamic translation
      mode, and not for example with KVM.  However, even under KVM one can clearly
      see that the page table is bogus:
      
          $ qemu-system-i386 -pflash OVMF.fd -M q35 vmlinuz0 -s -S -daemonize
          $ gdb
          (gdb) target remote localhost:1234
          (gdb) hb *0x02858f6f
          Hardware assisted breakpoint 1 at 0x2858f6f
          (gdb) c
          Continuing.
      
          Breakpoint 1, 0x02858f6f in ?? ()
          (gdb) monitor info registers
          ...
          GDT=     0724e000 000000ff
          IDT=     fffbb000 000007ff
          CR0=0005003b CR2=ff896000 CR3=032b7000 CR4=00000690
          ...
      
      The page directory is sane:
      
          (gdb) x/4wx 0x32b7000
          0x32b7000:	0x03398063	0x03399063	0x0339a063	0x0339b063
          (gdb) x/4wx 0x3398000
          0x3398000:	0x00000163	0x00001163	0x00002163	0x00003163
          (gdb) x/4wx 0x3399000
          0x3399000:	0x00400003	0x00401003	0x00402003	0x00403003
      
      but our particular page directory entry is empty:
      
          (gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4
          0x32b7070:	0x00000000
      
      [ It appears that you can skate past this issue if you don't receive
        any interrupts while the bogus GDT pointer is loaded, or if you avoid
        reloading the segment registers in general.
      
        Andy Lutomirski provides some additional insight:
      
         "AFAICT it's entirely permissible for the GDTR and/or LDT
          descriptor to point to unmapped memory.  Any attempt to use them
          (segment loads, interrupts, IRET, etc) will try to access that memory
          as if the access came from CPL 0 and, if the access fails, will
          generate a valid page fault with CR2 pointing into the GDT or
          LDT."
      
        Up until commit 23a0d4e8 ("efi: Disable interrupts around EFI
        calls, not in the epilog/prolog calls") interrupts were disabled
        around the prolog and epilog calls, and the functional GDT was
        re-installed before interrupts were re-enabled.
      
        Which explains why no one has hit this issue until now. ]
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Reported-by: Laszlo Ersek <lersek@redhat.com>
      Cc: <stable@vger.kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: Matt Fleming <matt.fleming@intel.com>
      [ Updated changelog. ]
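The non-PAE lookup from the gdb session in the commit message above, as an added example (not part of the commit or the kernel source): a two-level page-table walk over the words shown in the dump. The names `phys_read32`, `pde_addr` and `walk_nonpae` and the sparse memory model are assumptions; words that do not appear in the dump are treated as zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Guest-physical words copied from the gdb dump in the commit message.
 * Assumption: any word not listed reads as 0 (entry not present). */
static const struct { uint32_t paddr, val; } dump[] = {
    {0x032b7000, 0x03398063}, {0x032b7004, 0x03399063}, /* PDE 0, 1 */
    {0x032b7008, 0x0339a063}, {0x032b700c, 0x0339b063}, /* PDE 2, 3 */
    {0x032b7070, 0x00000000},                           /* PDE 28   */
    {0x03398000, 0x00000163}, {0x03398004, 0x00001163}, /* table 0  */
    {0x03398008, 0x00002163}, {0x0339800c, 0x00003163},
    {0x03399000, 0x00400003}, {0x03399004, 0x00401003}, /* table 1  */
    {0x03399008, 0x00402003}, {0x0339900c, 0x00403003},
};

static uint32_t phys_read32(uint32_t paddr)
{
    for (unsigned i = 0; i < sizeof(dump) / sizeof(dump[0]); i++)
        if (dump[i].paddr == paddr)
            return dump[i].val;
    return 0;
}

/* Physical address of the page-directory entry covering vaddr (10-bit index). */
uint32_t pde_addr(uint32_t cr3, uint32_t vaddr)
{
    return (cr3 & 0xfffff000u) + (vaddr >> 22) * 4;
}

/* Non-PAE 4 KiB walk; 4 MiB pages are not handled (no dumped PDE has PS set).
 * Returns 0 and sets *paddr, -1 if the PDE is absent, -2 if the PTE is absent. */
int walk_nonpae(uint32_t cr3, uint32_t vaddr, uint32_t *paddr)
{
    uint32_t pde = phys_read32(pde_addr(cr3, vaddr));
    if (!(pde & 1u))
        return -1;
    uint32_t pte = phys_read32((pde & 0xfffff000u) + ((vaddr >> 12) & 0x3ffu) * 4);
    if (!(pte & 1u))
        return -2;
    *paddr = (pte & 0xfffff000u) | (vaddr & 0xfffu);
    return 0;
}

int main(void)
{
    uint32_t pa = 0, cr3 = 0x032b7000, gdt = 0x0724e000; /* CR3 and GDT base from the dump */
    printf("PDE at 0x%08x, walk -> %d\n", (unsigned)pde_addr(cr3, gdt), walk_nonpae(cr3, gdt, &pa));
    return 0;
}
```

Low addresses covered by the dumped tables resolve to themselves (identity mapping), while the GDT base falls in directory slot 28, which is empty.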
  4. 14 Oct, 2015 1 commit
  5. 13 Oct, 2015 5 commits
    • Merge tag 'nfsd-4.3-2' of git://linux-nfs.org/~bfields/linux · 5b5f1455
      Linus Torvalds authored
      Pull nfsd fixes from Bruce Fields:
       "Two nfsd fixes, one for an RDMA crash, one for a pnfs/block protocol
        bug"
      
      * tag 'nfsd-4.3-2' of git://linux-nfs.org/~bfields/linux:
        svcrdma: Fix NFS server crash triggered by 1MB NFS WRITE
        nfsd/blocklayout: accept any minlength
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 6006d452
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - Fix AVX detection to prevent use of non-existent AESNI.
      
         - Some SPARC ciphers did not set their IV size which may lead to
           memory corruption"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: ahash - ensure statesize is non-zero
        crypto: camellia_aesni_avx - Fix CPU feature checks
        crypto: sparc - initialize blkcipher.ivsize
    • Merge tag 'iommu-fixes-v4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 75542253
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "A few fixes piled up:
      
         - Fix for a suspend/resume issue where PCI probing code overwrote
           dev->irq for the MSI irq of the AMD IOMMU.
      
         - Fix for a kernel crash when a 32 bit PCI device was assigned to a
           KVM guest.
      
         - Fix for a possible memory leak in the VT-d driver
      
         - A couple of fixes for the ARM-SMMU driver"
      
      * tag 'iommu-fixes-v4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Fix NULL pointer deref on device detach
        iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices
        iommu/vt-d: Fix memory leak in dmar_insert_one_dev_info()
        iommu/arm-smmu: Use correct address mask for CMD_TLBI_S2_IPA
        iommu/arm-smmu: Ensure IAS is set correctly for AArch32-capable SMMUs
        iommu/io-pgtable-arm: Don't use dma_to_phys()
    • Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 06d1ee32
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "I got a bit behind last week, so here is a delayed fixes pull:
      
         - a bunch of radeon/amd gpu fixes
         - some nouveau regression fixes (ppc bios reading and runtime pm fix)
         - one drm core oops fix
         - two qxl locking fixes
         - one qxl regression fix"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau/bios: fix OF loading
        drm/nouveau/fbcon: take runpm reference when userspace has an open fd
        drm/nouveau/nouveau: Disable AGP for SiS 761
        drm/nouveau/display: allow up to 16k width/height for fermi+
        drm/nouveau/bios: translate devinit pri/sec i2c bus to internal identifiers
        drm: Fix locking for sysfs dpms file
        drm/amdgpu: fix memory leak in amdgpu_vm_update_page_directory
        drm/amdgpu: fix 32-bit compiler warning
        drm/qxl: avoid dependency lock
        drm/qxl: avoid buffer reservation in qxl_crtc_page_flip
        drm/qxl: fix framebuffer dirty rectangle tracking.
        drm/amdgpu: flag iceland as experimental
        drm/amdgpu: check before checking pci bridge registers
        drm/amdgpu: fix num_crtc on CZ
        drm/amdgpu: restore the fbdev mode in lastclose
        drm/radeon: restore the fbdev mode in lastclose
        drm/radeon: add quirk for ASUS R7 370
        drm/amdgpu: add pm sysfs files late
        drm/radeon: add pm sysfs files late
    • crypto: ahash - ensure statesize is non-zero · 8996eafd
      Russell King authored
      Unlike shash algorithms, ahash drivers must implement export
      and import as their descriptors may contain hardware state and
      cannot be exported as is.  Unfortunately some ahash drivers did
      not provide them and end up causing crashes with algif_hash.
      
      This patch adds a check to prevent these drivers from registering
      ahash algorithms until they are fixed.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  6. 12 Oct, 2015 7 commits
  7. 11 Oct, 2015 8 commits
  8. 10 Oct, 2015 12 commits