- 12 Jan, 2017 4 commits
-
-
Josh Poimboeuf authored
When unwinding a task, the end of the stack is always at the same offset right below the saved pt_regs, regardless of which syscall was used to enter the kernel. That convention allows the unwinder to verify that a stack is sane. However, newly forked tasks don't always follow that convention, as reported by the following unwinder warning seen by Dave Jones: WARNING: kernel stack frame pointer at ffffc90001443f30 in kworker/u8:8:30468 has bad value (null) The warning was due to the following call chain: (ftrace handler) call_usermodehelper_exec_async+0x5/0x140 ret_from_fork+0x22/0x30 The problem is that ret_from_fork() doesn't create a stack frame before calling other functions. Fix that by carefully using the frame pointer macros. In addition to conforming to the end of stack convention, this also makes related stack traces more sensible by making it clear to the user that ret_from_fork() was involved. Reported-by:
Dave Jones <davej@codemonkey.org.uk> Signed-off-by:
Josh Poimboeuf <jpoimboe@redhat.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Miroslav Benes <mbenes@suse.cz> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/8854cdaab980e9700a81e9ebf0d4238e4bbb68ef.1483978430.git.jpoimboe@redhat.comSigned-off-by:
Ingo Molnar <mingo@kernel.org>
-
Josh Poimboeuf authored
In the following commit: 0100301b ("sched/x86: Rewrite the switch_to() code") ... the layout of the 'inactive_task_frame' struct was designed to have a frame pointer header embedded in it, so that the unwinder could use the 'bp' and 'ret_addr' fields to report __schedule() on the stack (or ret_from_fork() for newly forked tasks which haven't actually run yet). Finish the job by changing get_frame_pointer() to return a pointer to inactive_task_frame's 'bp' field rather than 'bp' itself. This allows the unwinder to start one frame higher on the stack, so that it properly reports __schedule(). Reported-by:
Miroslav Benes <mbenes@suse.cz> Signed-off-by:
-
Josh Poimboeuf authored
There are a handful of callers to save_stack_trace_tsk() and show_stack() which try to unwind the stack of a task other than current. In such cases, it's remotely possible that the task is running on one CPU while the unwinder is reading its stack from another CPU, causing the unwinder to see stack corruption. These cases seem to be mostly harmless. The unwinder has checks which prevent it from following bad pointers beyond the bounds of the stack. So it's not really a bug as long as the caller understands that unwinding another task will not always succeed. In such cases, it's possible that the unwinder may read a KASAN-poisoned region of the stack. Account for that by using READ_ONCE_NOCHECK() when reading the stack of another task. Use READ_ONCE() when reading the stack of the current task, since KASAN warnings can still be useful for finding bugs in that case. Reported-by:
Dmitry Vyukov <dvyukov@google.com> Signed-off-by:
-
Josh Poimboeuf authored
There are a handful of callers to save_stack_trace_tsk() and show_stack() which try to unwind the stack of a task other than current. In such cases, it's remotely possible that the task is running on one CPU while the unwinder is reading its stack from another CPU, causing the unwinder to see stack corruption. These cases seem to be mostly harmless. The unwinder has checks which prevent it from following bad pointers beyond the bounds of the stack. So it's not really a bug as long as the caller understands that unwinding another task will not always succeed. Since stack "corruption" on another task's stack isn't necessarily a bug, silence the warnings when unwinding tasks other than current. Reported-by:
-
- 09 Jan, 2017 6 commits
-
-
Junichi Nomura authored
In generic_load_microcode(), curr_mc_size is the size of the last allocated buffer and since we have this performance "optimization" there to vmalloc a new buffer only when the current one is bigger, curr_mc_size ends up becoming the size of the biggest buffer we've seen so far. However, we end up saving the microcode patch which matches our CPU and its size is not curr_mc_size but the respective mc_size during the iteration while we're staring at it. So save that mc_size into a separate variable and use it to store the previously found microcode buffer. Without this fix, we could get oops like this: BUG: unable to handle kernel paging request at ffffc9000e30f000 IP: __memcpy+0x12/0x20 ... Call Trace: ? kmemdup+0x43/0x60 __alloc_microcode_buf+0x44/0x70 save_microcode_patch+0xd4/0x150 generic_load_microcode+0x1b8/0x260 request_microcode_user+0x15/0x20 microcode_write+0x91/0x100 __vfs_write+0x34/0x120 vfs_write+0xc1/0x130 SyS_write+0x56/0xc0 do_syscall_64+0x6c/0x160 entry_SYSCALL64_slow_path+0x25/0x25 Fixes: 06b8534c ("x86/microcode: Rework microcode loading") Signed-off-by:
Jun'ichi Nomura <j-nomura@ce.jp.nec.com> Signed-off-by:
Borislav Petkov <bp@suse.de> Link: http://lkml.kernel.org/r/4f33cbfd-44f2-9bed-3b66-7446cd14256f@ce.jp.nec.comSigned-off-by:
Thomas Gleixner <tglx@linutronix.de>
-
Junichi Nomura authored
We allocate struct ucode_patch here. @size is the size of microcode data and used for kmemdup() later in this function. Fixes: 06b8534c ("x86/microcode: Rework microcode loading") Signed-off-by:
-
Borislav Petkov authored
Since on Intel we're required to do CPUID(1) first, before reading the microcode revision MSR, let's add a special helper which does the required steps so that we don't forget to do them next time, when we want to read the microcode revision. Signed-off-by:
-
Borislav Petkov authored
Intel supplies the microcode revision value in MSR 0x8b (IA32_BIOS_SIGN_ID) after CPUID(1) has been executed. Execute it each time before reading that MSR. It used to do sync_core() which did do CPUID but c198b121 ("x86/asm: Rewrite sync_core() to use IRET-to-self") changed the sync_core() implementation so we better make the microcode loading case explicit, as the SDM documents it. Reported-and-tested-by:
-
Borislav Petkov authored
... similarly to the cpuid_<reg>() variants. Signed-off-by:
-
Nicholas Mc Guire authored
Add the missing declarations of basic string functions to string.h to allow a clean build. Fixes: 5be86566 ("String-handling functions for the new x86 setup code.") Signed-off-by:
Nicholas Mc Guire <hofrat@osadl.org> Link: http://lkml.kernel.org/r/1483781911-21399-1-git-send-email-hofrat@osadl.orgSigned-off-by:
-
- 06 Jan, 2017 1 commit
-
-
Borislav Petkov authored
The following commit: 8196dab4 ("x86/cpu: Get rid of compute_unit_id") ... broke the initial strategy for Bulldozer-based cores' topology, where we consider each thread of a compute unit a standalone core and not a HT or SMT thread. Revert to the firmware-supplied core_id numbering and do not make them thread siblings as we don't consider them for such even if they technically are, more or less. Reported-and-tested-by:
Brice Goglin <Brice.Goglin@inria.fr> Tested-by:
Yazen Ghannam <yazen.ghannam@amd.com> Signed-off-by:
-
- 05 Jan, 2017 4 commits
-
-
Andy Shevchenko authored
The current implementation supports only Intel Merrifield platforms. Don't mess with the rest of the Intel MID family by not registering device with wrong properties. Signed-off-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/20170102092450.87229-1-andriy.shevchenko@linux.intel.comSigned-off-by:
-
Andy Shevchenko authored
The proper spelling of Anniedale SoC with 'e' in the middle. Fix typo in the comment line in intel-family.h header. Signed-off-by:
-
Lukasz Odzioba authored
A negative number can be specified in the cmdline which will be used as setup_clear_cpu_cap() argument. With that we can clear/set some bit in memory predceeding boot_cpu_data/cpu_caps_cleared which may cause kernel to misbehave. This patch adds lower bound check to setup_disablecpuid(). Boris Petkov reproduced a crash: [ 1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540 [ 1.236535] IP: memcpy_erms+0x6/0x10 Signed-off-by:
Lukasz Odzioba <lukasz.odzioba@intel.com> Acked-by:
-
git://git.kernel.org/pub/scm/fs/xfs/xfs-linuxLinus Torvalds authored
Pull xfs fixes from Darrick Wong: - fixes for crashes and double-cleanup errors - XFS maintainership handover - fix to prevent absurdly large block reservations - fix broken sysfs getter/setters * tag 'xfs-for-linus-4.10-rc3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: fix max_retries _show and _store functions xfs: update MAINTAINERS xfs: fix crash and data corruption due to removal of busy COW extents xfs: use the actual AG length when reserving blocks xfs: fix double-cleanup when CUI recovery fails
-
- 04 Jan, 2017 22 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
Pull networking fixes from David Miller: 1) stmmac_drv_probe() can race with stmmac_open() because we register the netdevice too early. Fix from Florian Fainelli. 2) UFO handling in __ip6_append_data() and ip6_finish_output() use different tests for deciding whether a frame will be fragmented or not, put them in sync. Fix from Zheng Li. 3) The rtnetlink getstats handlers need to validate that the netlink request is large enough, fix from Mathias Krause. 4) Use after free in mlx4 driver, from Jack Morgenstein. 5) Fix setting of garbage UID value in sockets during setattr() calls, from Eric Biggers. 6) Packet drop_monitor doesn't format the netlink messages properly such that nlmsg_next fails to work, fix from Reiter Wolfgang. 7) Fix handling of wildcard addresses in l2tp lookups, from Guillaume Nault. 8) __skb_flow_dissect() can crash on pptp packets, from Ian Kumlien. 9) IGMP code doesn't reset group query timers properly, from Michal Tesar. 10) Fix overzealous MAIN/LOCAL route table combining in ipv4, from Alexander Duyck. 11) vxlan offload check needs to be more strict in be2net driver, from Sabrina Dubroca. 12) Moving l3mdev to packet hooks lost RX stat counters unintentionally, fix from David Ahern. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (52 commits) sh_eth: enable RX descriptor word 0 shift on SH7734 sfc: don't report RX hash keys to ethtool when RSS wasn't enabled dpaa_eth: Initialize CGR structure before init dpaa_eth: cleanup after init_phy() failure net: systemport: Pad packet before inserting TSB net: systemport: Utilize skb_put_padto() LiquidIO VF: s/select/imply/ for PTP_1588_CLOCK libcxgb: fix error check for ip6_route_output() net: usb: asix_devices: add .reset_resume for USB PM net: vrf: Add missing Rx counters drop_monitor: consider inserted data in genlmsg_end benet: stricter vxlan offloading check in be_features_check ipv4: Do not allow MAIN to be alias for new LOCAL w/ custom rules net: macb: Updated resource allocation function calls to new version of API. net: stmmac: dwmac-oxnas: use generic pm implementation net: stmmac: dwmac-oxnas: fix fixed-link-phydev leaks net: stmmac: dwmac-oxnas: fix of-node leak Documentation/networking: fix typo in mpls-sysctl igmp: Make igmp group member RFC 3376 compliant flow_dissector: Update pptp handling to avoid null pointer deref. ... -
Sergei Shtylyov authored
The RX descriptor word 0 on SH7734 has the RFS[9:0] field in bits 16-25 (bits 0-15 usually used for that are occupied by the packet checksum). Thus we need to set the 'shift_rd0' field in the SH7734 SoC data... Fixes: f0e81fec ("net: sh_eth: Add support SH7734") Signed-off-by:
Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Edward Cree authored
If we failed to set up RSS on EF10 (e.g. because firmware declared RX_RSS_LIMITED), ethtool --show-nfc $dev rx-flow-hash ... should report no fields, rather than confusingly reporting what fields we _would_ be hashing on if RSS was working. Fixes: dcb4123c ("sfc: disable RSS when unsupported") Signed-off-by:
Edward Cree <ecree@solarflare.com> Signed-off-by:
-
David S. Miller authored
Madalin Bucur says: ==================== dpaa_eth: a couple of fixes Add cleanup on PHY initialization failure path, avoid using uninitialized memory at CGR init. ==================== Signed-off-by: -
Roy Pledge authored
The QBMan CGR options needs to be zeroed before calling the init function Signed-off-by:
Roy Pledge <roy.pledge@nxp.com> Signed-off-by:
-
Madalin Bucur authored
Signed-off-by:
Madalin Bucur <madalin.bucur@nxp.com> Signed-off-by:
-
David S. Miller authored
Florian Fainelli says: ==================== net: systemport: Fix padding vs. TSB insertion This patch series fixes how we pad the packets submitted to the SYSTEMPORT adapter, and how the transmit status block (prepended 8 bytes) fits in the picture. The first patch is not technically a bug fix, but is required for the second path to be applied and to greatly simplify the skb length calculation. ==================== Signed-off-by: -
Florian Fainelli authored
Inserting the TSB means adding an extra 8 bytes in front the of packet that is going to be used as metadata information by the TDMA engine, but stripped off, so it does not really help with the packet padding. For some odd packet sizes that fall below the 60 bytes payload (e.g: ARP) we can end-up padding them after the TSB insertion, thus making them 64 bytes, but with the TDMA stripping off the first 8 bytes, they could still be smaller than 64 bytes which is required to ingress the switch. Fix this by swapping the padding and TSB insertion, guaranteeing that the packets have the right sizes. Fixes: 80105bef ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") Signed-off-by:
Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
Florian Fainelli authored
Since we need to pad our packets, utilize skb_put_padto() which increases skb->len by how much we need to pad, allowing us to eliminate the test on skb->len right below. Signed-off-by:
-
Nicolas Pitre authored
Fix a minor fallout from the merge of the timers and the networking trees. The following error may result if the PTP_1588_CLOCK prerequisites are not available: drivers/built-in.o: In function `ptp_clock_unregister': (.text+0x40e0a5): undefined reference to `pps_unregister_source' drivers/built-in.o: In function `ptp_clock_unregister': (.text+0x40e0cc): undefined reference to `posix_clock_unregister' drivers/built-in.o: In function `ptp_clock_event': (.text+0x40e249): undefined reference to `pps_event' drivers/built-in.o: In function `ptp_clock_register': (.text+0x40e5e1): undefined reference to `pps_register_source' drivers/built-in.o: In function `ptp_clock_register': (.text+0x40e62c): undefined reference to `posix_clock_register' drivers/built-in.o: In function `ptp_clock_register': (.text+0x40e68d): undefined reference to `pps_unregister_source' Signed-off-by:
Nicolas Pitre <nico@linaro.org> Acked-by:
Richard Cochran <richardcochran@gmail.com> Signed-off-by:
-
Varun Prakash authored
ip6_route_output() never returns NULL so check dst->error instead of !dst. Signed-off-by:
Varun Prakash <varun@chelsio.com> Signed-off-by:
-
Peter Chen authored
The USB core may call reset_resume when it fails to resume asix device. And USB core can recovery this abnormal resume at low level driver, the same .resume at asix driver can work too. Add .reset_resume can avoid disconnecting after backing from system resume, and NFS can still be mounted after this commit. Signed-off-by:
Peter Chen <peter.chen@nxp.com> Signed-off-by:
-
git://git.kernel.dk/linux-blockLinus Torvalds authored
Pull block layer fixes from Jens Axboe: "A set of fixes for the current series, one fixing a regression with block size < page cache size in the alias series from Jan. Outside of that, two small cleanups for wbt from Bart, a nvme pull request from Christoph, and a few small fixes of documentation updates" * 'for-linus' of git://git.kernel.dk/linux-block: block: fix up io_poll documentation block: Avoid that sparse complains about context imbalance in __wbt_wait() block: Make wbt_wait() definition consistent with declaration clean_bdev_aliases: Prevent cleaning blocks that are not in block range genhd: remove dead and duplicated scsi code block: add back plugging in __blkdev_direct_IO nvmet/fcloop: remove some logically dead code performing redundant ret checks nvmet: fix KATO offset in Set Features nvme/fc: simplify error handling of nvme_fc_create_hw_io_queues nvme/fc: correct some printk information nvme/scsi: Remove START STOP emulation nvme/pci: Delete misleading queue-wrap comment nvme/pci: Fix whitespace problem nvme: simplify stripe quirk nvme: update maintainers information
-
git://github.com/bzolnier/linuxLinus Torvalds authored
Pull fbdev fixes from Bartlomiej Zolnierkiewicz: - bring fbdev subsystem back into Maintained mode - add missing devm_ioremap() error checking to cobalt_lcdfb driver * tag 'fbdev-v4.10-rc2' of git://github.com/bzolnier/linux: video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap MAINTAINERS: add myself as maintainer of fbdev
-
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linuxLinus Torvalds authored
Pull gcc-plugins fixes from Kees Cook: "Small fixes for gcc-plugins when using certain gcc versions: - update gcc-common.h for gcc 7 (Emese Revfy) - fix latent_entropy type for early gcc on ARM (PaX Team)" * tag 'gcc-plugins-v4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: gcc-plugins: update gcc-common.h for gcc-7 latent_entropy: fix ARM build error on earlier gcc
-
Arvind Yadav authored
Here, If devm_ioremap will fail. It will return NULL. Kernel can run into a NULL-pointer dereference. This error check will avoid NULL pointer dereference. Signed-off-by:
Arvind Yadav <arvind.yadav.cs@gmail.com> Acked-by:
Yoichi Yuasa <yuasa@linux-mips.org> Signed-off-by:
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
-
Bartlomiej Zolnierkiewicz authored
I would like to help with fbdev maintenance. I can dedicate some time for reviewing and handling patches but won't have time for much more. The subsystem will remain in maintenance mode (no new drivers will be added to it). Cc: Tomi Valkeinen <tomi.valkeinen@ti.com> Cc: Daniel Vetter <daniel.vetter@intel.com> Signed-off-by: -
Carlos Maiolino authored
max_retries _show and _store functions should test against cfg->max_retries, not cfg->retry_timeout Signed-off-by:
Carlos Maiolino <cmaiolino@redhat.com> Reviewed-by:
Eric Sandeen <sandeen@redhat.com> Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com>
-
Darrick J. Wong authored
I am taking over as XFS maintainer from Dave Chinner[1], so update contact information and git tree pointers. [1] http://lkml.iu.edu/hypermail/linux/kernel/1612.1/04390.htmlSigned-off-by:
-
Christoph Hellwig authored
There is a race window between write_cache_pages calling clear_page_dirty_for_io and XFS calling set_page_writeback, in which the mapping for an inode is tagged neither as dirty, nor as writeback. If the COW shrinker hits in exactly that window we'll remove the delayed COW extents and writepages trying to write it back, which in release kernels will manifest as corruption of the bmap btree, and in debug kernels will trip the ASSERT about now calling xfs_bmapi_write with the COWFORK flag for holes. A complex customer load manages to hit this window fairly reliably, probably by always having COW writeback in flight while the cow shrinker runs. This patch adds another check for having the I_DIRTY_PAGES flag set, which is still set during this race window. While this fixes the problem I'm still not overly happy about the way the COW shrinker works as it still seems a bit fragile. Signed-off-by:
Christoph Hellwig <hch@lst.de> Signed-off-by:
-
Darrick J. Wong authored
We need to use the actual AG length when making per-AG reservations, since we could otherwise end up reserving more blocks out of the last AG than there are actual blocks. Complained-about-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
-
Darrick J. Wong authored
Dan Carpenter reported a double-free of rcur if _defer_finish fails while we're recovering CUI items. Fix the error recovery to prevent this. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
- 03 Jan, 2017 3 commits
-
-
David Ahern authored
The move from rx-handler to L3 receive handler inadvertantly dropped the rx counters. Restore them. Fixes: 74b20582 ("net: l3mdev: Add hook in ip and ipv6") Reported-by:
Dinesh Dutt <ddutt@cumulusnetworks.com> Signed-off-by:
David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
Jeff Moyer authored
/sys/block/<dev>/queue/io_poll is a boolean. Fix the docs. Signed-off-by:
Jeff Moyer <jmoyer@redhat.com> Signed-off-by:
Jens Axboe <axboe@fb.com>
-
Kees Cook authored
This updates gcc-common.h from Emese Revfy for gcc 7. This fixes issues seen by Kugan and Arnd. Build tested with gcc 5.4 and 7 snapshot. Cc: stable@vger.kernel.org Signed-off-by:Kees Cook <keescook@chromium.org>
-
