1. 04 May, 2014 2 commits
  2. 02 May, 2014 1 commit
  3. 01 May, 2014 1 commit
  4. 30 Apr, 2014 2 commits
    • H. Peter Anvin's avatar
      x86-32, espfix: Remove filter for espfix32 due to race · 246f2d2e
      H. Peter Anvin authored
      It is not safe to use LAR to filter when to go down the espfix path,
      because the LDT is per-process (rather than per-thread) and another
      thread might change the descriptors behind our back.  Fortunately it
      is always *safe* (if a bit slow) to go down the espfix path, and a
      32-bit LDT stack segment is extremely rare.
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Link: http://lkml.kernel.org/r/1398816946-3351-1-git-send-email-hpa@linux.intel.com
      Cc: <stable@vger.kernel.org> # consider after upstream merge
      246f2d2e
    • H. Peter Anvin's avatar
      x86-64, espfix: Don't leak bits 31:16 of %esp returning to 16-bit stack · 3891a04a
      H. Peter Anvin authored
      The IRET instruction, when returning to a 16-bit segment, only
      restores the bottom 16 bits of the user space stack pointer.  This
      causes some 16-bit software to break, but it also leaks kernel state
      to user space.  We have a software workaround for that ("espfix") for
      the 32-bit kernel, but it relies on a nonzero stack segment base which
      is not available in 64-bit mode.
      
      In checkin:
      
          b3b42ac2 x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
      
      we "solved" this by forbidding 16-bit segments on 64-bit kernels, with
      the logic that 16-bit support is crippled on 64-bit kernels anyway (no
      V86 support), but it turns out that people are doing stuff like
      running old Win16 binaries under Wine and expect it to work.
      
      This works around this by creating percpu "ministacks", each of which
      is mapped 2^16 times 64K apart.  When we detect that the return SS is
      on the LDT, we copy the IRET frame to the ministack and use the
      relevant alias to return to userspace.  The ministacks are mapped
      readonly, so if IRET faults we promote #GP to #DF which is an IST
      vector and thus has its own stack; we then do the fixup in the #DF
      handler.
      
      (Making #GP an IST exception would make the msr_safe functions unsafe
      in NMI/MC context, and quite possibly have other effects.)
      
      Special thanks to:
      
      - Andy Lutomirski, for the suggestion of using very small stack slots
        and copy (as opposed to map) the IRET frame there, and for the
        suggestion to mark them readonly and let the fault promote to #DF.
      - Konrad Wilk for paravirt fixup and testing.
      - Borislav Petkov for testing help and useful comments.
      Reported-by: default avatarBrian Gerst <brgerst@gmail.com>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Link: http://lkml.kernel.org/r/1398816946-3351-1-git-send-email-hpa@linux.intel.com
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Andrew Lutomriski <amluto@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Dirk Hohndel <dirk@hohndel.org>
      Cc: Arjan van de Ven <arjan.van.de.ven@intel.com>
      Cc: comex <comexk@gmail.com>
      Cc: Alexander van Heukelum <heukelum@fastmail.fm>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: <stable@vger.kernel.org> # consider after upstream merge
      3891a04a
  5. 28 Apr, 2014 1 commit
  6. 27 Apr, 2014 11 commits
    • Will Deacon's avatar
      word-at-a-time: avoid undefined behaviour in zero_bytemask macro · ec6931b2
      Will Deacon authored
      The asm-generic, big-endian version of zero_bytemask creates a mask of
      bytes preceding the first zero-byte by left shifting ~0ul based on the
      position of the first zero byte.
      
      Unfortunately, if the first (top) byte is zero, the output of
      prep_zero_mask has only the top bit set, resulting in undefined C
      behaviour as we shift left by an amount equal to the width of the type.
      As it happens, GCC doesn't manage to spot this through the call to fls(),
      but the issue remains if architectures choose to implement their shift
      instructions differently.
      
      An example would be arch/arm/ (AArch32), where LSL Rd, Rn, #32 results
      in Rd == 0x0, whilst on arch/arm64 (AArch64) LSL Xd, Xn, #64 results in
      Xd == Xn.
      
      Rather than check explicitly for the problematic shift, this patch adds
      an extra shift by 1, replacing fls with __fls. Since zero_bytemask is
      never called with a zero argument (has_zero() is used to check the data
      first), we don't need to worry about calling __fls(0), which is
      undefined.
      
      Cc: <stable@vger.kernel.org>
      Cc: Victor Kamensky <victor.kamensky@linaro.org>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ec6931b2
    • Linus Torvalds's avatar
      Merge branch 'safe-dirty-tlb-flush' · ac6c9e2b
      Linus Torvalds authored
      This merges the patch to fix possible loss of dirty bit on munmap() or
      madvice(DONTNEED).  If there are concurrent writers on other CPU's that
      have the unmapped/unneeded page in their TLBs, their writes to the page
      could possibly get lost if a third CPU raced with the TLB flush and did
      a page_mkclean() before the page was fully written.
      
      Admittedly, if you unmap() or madvice(DONTNEED) an area _while_ another
      thread is still busy writing to it, you deserve all the lost writes you
      could get.  But we kernel people hold ourselves to higher quality
      standards than "crazy people deserve to lose", because, well, we've seen
      people do all kinds of crazy things.
      
      So let's get it right, just because we can, and we don't have to worry
      about it.
      
      * safe-dirty-tlb-flush:
        mm: split 'tlb_flush_mmu()' into tlb flushing and memory freeing parts
      ac6c9e2b
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 33c0022f
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: limit the path size in send to PATH_MAX
        Btrfs: correctly set profile flags on seqlock retry
        Btrfs: use correct key when repeating search for extent item
        Btrfs: fix inode caching vs tree log
        Btrfs: fix possible memory leaks in open_ctree()
        Btrfs: avoid triggering bug_on() when we fail to start inode caching task
        Btrfs: move btrfs_{set,clear}_and_info() to ctree.h
        btrfs: replace error code from btrfs_drop_extents
        btrfs: Change the hole range to a more accurate value.
        btrfs: fix use-after-free in mount_subvol()
      33c0022f
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm · 2b9d1c05
      Linus Torvalds authored
      Pull arm fixes from Russell King:
       "A number of fixes for the PJ4/iwmmxt changes which arm-soc forced me
        to take during the merge window.  This stuff should have been better
        tested and sorted out *before* the merge window"
      
      * 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
        ARM: 8042/1: iwmmxt: allow to build iWMMXt on Marvell PJ4B
        ARM: 8041/1: pj4: fix cpu_is_pj4 check
        ARM: 8040/1: pj4: properly detect existence of iWMMXt coprocessor
        ARM: 8039/1: pj4: enable iWMMXt only if CONFIG_IWMMXT is set
        ARM: 8038/1: iwmmxt: explicitly check for supported architectures
      2b9d1c05
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · afa3cad7
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
       - compat renameat2 syscall wiring and __NR_compat_syscalls fix
       - TLB fix for transparent huge pages following switch to generic
         mmu_gather
       - spinlock initialisation for init_mm's context
       - move of_clk_init() earlier
       - Kconfig duplicate entry fix
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: init: Move of_clk_init to time_init
        arm64: initialize spinlock for init_mm's context
        arm64: debug: remove noisy, pointless warning
        arm64: mm: Add THP TLB entries to general mmu_gather
        arm64: add renameat2 compat syscall
        ARM64: Remove duplicated Kconfig entry for "kernel/power/Kconfig"
        arm64: __NR_compat_syscalls fix
      afa3cad7
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d9e9e8e2
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "A slighlty large fix for a subtle issue in the CPU hotplug code of
        certain ARM SoCs, where the not yet online cpu needs to setup the cpu
        local timer and needs to set the interrupt affinity to itself.
        Setting interrupt affinity to a not online cpu is prohibited and
        therefor the timer interrupt ends up on the wrong cpu, which leads to
        nasty complications.
      
        The SoC folks tried to hack around that in the SoC code in some more
        than nasty ways.  The proper solution is to have a way to enforce the
        affinity setting to a not online cpu.  The core patch to the genirq
        code provides that facility and the follow up patches make use of it
        in the GIC interrupt controller and the exynos timer driver.
      
        The change to the core code has no implications to existing users,
        except for the rename of the locked function and therefor the
        necessary fixup in mips/cavium.  Aside of that, no runtime impact is
        possible, as none of the existing interrupt chips implements anything
        which depends on the force argument of the irq_set_affinity()
        callback"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource: Exynos_mct: Register clock event after request_irq()
        clocksource: Exynos_mct: Use irq_force_affinity() in cpu bringup
        irqchip: Gic: Support forced affinity setting
        genirq: Allow forcing cpu affinity of interrupts
      d9e9e8e2
    • Linus Torvalds's avatar
      Merge tag 'tty-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · a8d70698
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are a few tty/serial fixes for 3.15-rc3 that resolve a number of
        reported issues in the 8250 and samsung serial drivers, as well as a
        character loss fix for the tty core that was caused by the lock
        removal patches a release ago"
      
      * tag 'tty-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial_core: fix uart PORT_UNKNOWN handling
        serial: samsung: Change barrier() to cpu_relax() in console output
        serial: samsung: don't check config for every character
        serial: samsung: Use the passed in "port", fixing kgdb w/ no console
        serial: 8250: Fix thread unsafe __dma_tx_complete function
        8250_core: Fix unwanted TX chars write
        tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc
      a8d70698
    • Linus Torvalds's avatar
      Merge tag 'staging-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · d0c15ad7
      Linus Torvalds authored
      Pull staging / IIO driver fixes from Greg KH:
       "Here are some small staging and IIO driver fixes for 3.15-rc3.
      
        Nothing major at all, just some assorted issues that people have
        reported"
      
      * tag 'staging-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: comedi: usbdux: bug fix for accessing 'ao_chanlist' in private data
        iio: adc: mxs-lradc: fix warning when buidling on avr32
        iio: cm36651: Fix i2c client leak and possible NULL pointer dereference
        iio: querying buffer scan_mask should return 0/1
        staging:iio:ad2s1200 fix a missing break
        iio: adc: at91_adc: correct default shtim value
        ARM: at91: at91sam9260: change at91_adc name
        ARM: at91: at91sam9g45: change at91_adc name
        iio: cm32181: Fix read integration time function
        iio: adc: at91_adc: Repair broken platform_data support
      d0c15ad7
    • Linus Torvalds's avatar
      Merge tag 'driver-core-3.15-rc3' of... · 005fbcd0
      Linus Torvalds authored
      Merge tag 'driver-core-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fixes from Greg KH:
       "Here are some kernfs fixes for 3.15-rc3 that resolve some reported
        problems.  Nothing huge, but all needed"
      
      * tag 'driver-core-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        s390/ccwgroup: Fix memory corruption
        kernfs: add back missing error check in kernfs_fop_mmap()
        kernfs: fix a subdir count leak
      005fbcd0
    • Linus Torvalds's avatar
      Merge tag 'usb-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fefb8275
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of USB fixes for 3.15-rc3.  The majority are gadget
        fixes, as we didn't get any of those in for 3.15-rc2.  The others are
        all over the place, and there's a number of new device id addtions as
        well."
      
      * tag 'usb-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (35 commits)
        usb: option: add and update a number of CMOTech devices
        usb: option: add Alcatel L800MA
        usb: option: add Olivetti Olicard 500
        usb: qcserial: add Sierra Wireless MC7305/MC7355
        usb: qcserial: add Sierra Wireless MC73xx
        usb: qcserial: add Sierra Wireless EM7355
        USB: io_ti: fix firmware download on big-endian machines
        usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM
        xhci: extend quirk for Renesas cards
        xhci: Switch Intel Lynx Point ports to EHCI on shutdown.
        usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb
        phy: core: make NULL a valid phy reference if !CONFIG_GENERIC_PHY
        phy: fix kernel oops in phy_lookup()
        phy: restore OMAP_CONTROL_PHY dependencies
        phy: exynos: fix building as a module
        USB: serial: fix sysfs-attribute removal deadlock
        usb: wusbcore: fix panic in wusbhc_chid_set
        usb: wusbcore: convert nested lock to use spin_lock instead of spin_lock_irq
        uwb: don't call spin_unlock_irq in a USB completion handler
        usb: chipidea: coordinate usb phy initialization for different phy type
        ...
      fefb8275
    • Linus Torvalds's avatar
      Merge tag 'pm+acpi-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · e9dba837
      Linus Torvalds authored
      Pull ACPI and power management fixes from Rafael Wysocki:
       "These include a fix for a recent ACPI regression related to device
        notifications, intel_idle fix related to IvyTown support, fix for a
        buffer size issue in ACPICA, PM core fix related to the "freeze" sleep
        state, four fixes for various types of breakage in cpufreq drivers, a
        PNP workaround for a wrong memory region size in ACPI tables, and a
        fix and cleanup for the ACPI tools Makefile.
      
        Specifics:
      
         - Fix for broken ACPI notifications on some systems caused by a
           recent ACPI hotplug commit that blocked the propagation of unknown
           type notifications to device drivers inadvertently.
      
         - intel_idle fix to make the IvyTown C-states handling (added
           recently) work as intended which now is broken due to missing
           braces.  From Christoph Jaeger.
      
         - ACPICA fix to make it allocate buffers of the right sizes for the
           Generic Serial Bus operation region access.  From Lv Zheng.
      
         - PM core fix unblocking cpuidle before entering the "freeze" sleep
           state which causes that state to be able to actually save more
           energy than runtime idle.
      
         - Configuration and build fixes for the highbank and powernv cpufreq
           drivers from Kefeng Wang and Srivatsa S Bhat.
      
         - Coccinelle warning fix related to error pointers for the unicore32
           cpufreq driver from Duan Jiong.
      
         - Integer overflow fix for the ppc-corenet cpufreq driver from Geert
           Uytterhoeven.
      
         - Workaround for BIOSes that don't report the entire Intel MCH area
           in their ACPI tables from Bjorn Helgaas.
      
         - ACPI tools Makefile fix and cleanup from Thomas Renninger"
      
      * tag 'pm+acpi-3.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / notify: Do not block unknown type notifications in root handler
        PNP: Work around BIOS defects in Intel MCH area reporting
        cpufreq: highbank: fix ARM_HIGHBANK_CPUFREQ dependency warning
        cpufreq: ppc: Fix integer overflow in expression
        cpufreq, powernv: Fix build failure on UP
        cpufreq: unicore32: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO
        PM / suspend: Make cpuidle work in the "freeze" state
        intel_idle: fix IVT idle state table setting
        ACPICA: Fix buffer allocation issue for generic_serial_bus region accesses.
        tools/power/acpi: Minor bugfixes
      e9dba837
  7. 26 Apr, 2014 1 commit
    • Chris Mason's avatar
      Btrfs: limit the path size in send to PATH_MAX · cfd4a535
      Chris Mason authored
      fs_path_ensure_buf is used to make sure our path buffers for
      send are big enough for the path names as we construct them.
      The buffer size is limited to 32K by the length field in
      the struct.
      
      But bugs in the path construction can end up trying to build
      a huge buffer, and we'll do invalid memmmoves when the
      buffer length field wraps.
      
      This patch is step one, preventing the overflows.
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      cfd4a535
  8. 25 Apr, 2014 21 commits