This is the start of the stable review cycle for the 5.3.12 release.
There are 48 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 21 Nov 2019 05:02:35 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.3.12-rc1…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.3.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.3.12-rc1
Eugen Hristev <eugen.hristev(a)microchip.com>
mmc: sdhci-of-at91: fix quirk2 overwrite
Vinayak Menon <vinmenon(a)codeaurora.org>
mm/page_io.c: do not free shared swap slots
David Hildenbrand <david(a)redhat.com>
mm/memory_hotplug: fix try_offline_node()
Laura Abbott <labbott(a)redhat.com>
mm: slub: really fix slab walking for init_on_free
Roman Gushchin <guro(a)fb.com>
mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup()
Roman Gushchin <guro(a)fb.com>
mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm()
Yang Shi <yang.shi(a)linux.alibaba.com>
mm: mempolicy: fix the wrong return value and potential pages leak of mbind
Eric Auger <eric.auger(a)redhat.com>
iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros
Corentin Labbe <clabbe(a)baylibre.com>
net: ethernet: dwmac-sun8i: Use the correct function in exit path
Arnd Bergmann <arnd(a)arndb.de>
ntp/y2038: Remove incorrect time_t truncation
Matt Roper <matthew.d.roper(a)intel.com>
Revert "drm/i915/ehl: Update MOCS table for EHL"
Jani Nikula <jani.nikula(a)intel.com>
drm/i915: update rawclk also on resume
Jens Axboe <axboe(a)kernel.dk>
io_uring: ensure registered buffer import returns the IO length
Al Viro <viro(a)zeniv.linux.org.uk>
ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either
Al Viro <viro(a)zeniv.linux.org.uk>
ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable
Kai-Heng Feng <kai.heng.feng(a)canonical.com>
x86/quirks: Disable HPET on Intel Coffe Lake platforms
Hans de Goede <hdegoede(a)redhat.com>
i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present
Mike Marciniszyn <mike.marciniszyn(a)intel.com>
IB/hfi1: Use a common pad buffer for 9B and 16B packets
James Erwin <james.erwin(a)intel.com>
IB/hfi1: Ensure full Gen3 speed in a Gen4 system
Kaike Wan <kaike.wan(a)intel.com>
IB/hfi1: TID RDMA WRITE should not return IB_WC_RNR_RETRY_EXC_ERR
Kaike Wan <kaike.wan(a)intel.com>
IB/hfi1: Calculate flow weight based on QP MTU for TID RDMA
Kaike Wan <kaike.wan(a)intel.com>
IB/hfi1: Ensure r_tid_ack is valid before building TID RDMA ACK packet
Sean Christopherson <sean.j.christopherson(a)intel.com>
KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved
Chuhong Yuan <hslester96(a)gmail.com>
Input: synaptics-rmi4 - destroy F54 poller workqueue when removing
Lucas Stach <l.stach(a)pengutronix.de>
Input: synaptics-rmi4 - clear IRQ enables for F54
Andrew Duggan <aduggan(a)synaptics.com>
Input: synaptics-rmi4 - do not consume more data than we have (F11, F12)
Andrew Duggan <aduggan(a)synaptics.com>
Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver
Lucas Stach <l.stach(a)pengutronix.de>
Input: synaptics-rmi4 - fix video buffer size
Oliver Neukum <oneukum(a)suse.com>
Input: ff-memless - kill timer in destroy()
Oleg Nesterov <oleg(a)redhat.com>
cgroup: freezer: call cgroup_enter_frozen() with preemption disabled in ptrace_stop()
Filipe Manana <fdmanana(a)suse.com>
Btrfs: fix log context list corruption after rename exchange operation
Takashi Iwai <tiwai(a)suse.de>
ALSA: usb-audio: Fix incorrect size check for processing/extension units
Takashi Iwai <tiwai(a)suse.de>
ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk()
Henry Lin <henryl(a)nvidia.com>
ALSA: usb-audio: not submit urb for stopped endpoint
Takashi Iwai <tiwai(a)suse.de>
ALSA: usb-audio: Fix missing error check at mixer resolution test
Ursula Braun <ubraun(a)linux.ibm.com>
net/smc: fix refcount non-blocking connect() -part 2
Aya Levin <ayal(a)mellanox.com>
devlink: Add method for time-stamp on reporter's dump
Ioana Ciornei <ioana.ciornei(a)nxp.com>
dpaa2-eth: free already allocated channels on probe defer
Tony Lu <tonylu(a)linux.alibaba.com>
tcp: remove redundant new line from tcp_event_sk_skb
Jouni Hogander <jouni.hogander(a)unikie.com>
slip: Fix memory leak in slip_open error path
Aleksander Morgado <aleksander(a)aleksander.es>
net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules
Ursula Braun <ubraun(a)linux.ibm.com>
net/smc: fix fastopen for non-blocking connect()
Chuhong Yuan <hslester96(a)gmail.com>
net: gemini: add missed free_netdev
Jiri Pirko <jiri(a)mellanox.com>
mlxsw: core: Enable devlink reload only on probe
Guillaume Nault <gnault(a)redhat.com>
ipmr: Fix skb headroom in ipmr_get_route().
Jiri Pirko <jiri(a)mellanox.com>
devlink: disallow reload operation during device cleanup
Oliver Neukum <oneukum(a)suse.com>
ax88172a: fix information leak on short answers
Michael Schmitz <schmitzmic(a)gmail.com>
scsi: core: Handle drivers which set sg_tablesize to zero
-------------
Diffstat:
Makefile | 4 +-
arch/x86/kernel/early-quirks.c | 2 +
arch/x86/kvm/mmu.c | 8 +--
drivers/base/memory.c | 36 ++++++++++++++
drivers/gpu/drm/i915/display/intel_display_power.c | 3 ++
drivers/gpu/drm/i915/gt/intel_mocs.c | 8 ---
drivers/gpu/drm/i915/i915_drv.c | 3 --
drivers/i2c/i2c-core-acpi.c | 28 ++++++++++-
drivers/infiniband/hw/hfi1/init.c | 1 -
drivers/infiniband/hw/hfi1/pcie.c | 4 +-
drivers/infiniband/hw/hfi1/rc.c | 16 +++---
drivers/infiniband/hw/hfi1/sdma.c | 5 +-
drivers/infiniband/hw/hfi1/tid_rdma.c | 57 ++++++++++++----------
drivers/infiniband/hw/hfi1/tid_rdma.h | 3 +-
drivers/infiniband/hw/hfi1/verbs.c | 10 ++--
drivers/input/ff-memless.c | 9 ++++
drivers/input/rmi4/rmi_f11.c | 4 +-
drivers/input/rmi4/rmi_f12.c | 32 ++++++++++--
drivers/input/rmi4/rmi_f54.c | 5 +-
drivers/mmc/host/sdhci-of-at91.c | 2 +-
drivers/net/ethernet/cortina/gemini.c | 1 +
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 10 +++-
drivers/net/ethernet/mellanox/mlx4/main.c | 3 ++
drivers/net/ethernet/mellanox/mlxsw/core.c | 5 ++
drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 +-
drivers/net/netdevsim/dev.c | 2 +
drivers/net/slip/slip.c | 1 +
drivers/net/usb/ax88172a.c | 2 +-
drivers/net/usb/qmi_wwan.c | 2 +
drivers/scsi/scsi_lib.c | 3 +-
fs/btrfs/inode.c | 15 ++++++
fs/ecryptfs/inode.c | 19 +++++---
fs/io_uring.c | 2 +-
include/linux/intel-iommu.h | 6 ++-
include/linux/kvm_host.h | 1 +
include/linux/memory.h | 1 +
include/net/devlink.h | 3 ++
include/trace/events/tcp.h | 2 +-
include/uapi/linux/devlink.h | 1 +
kernel/signal.c | 2 +-
kernel/time/ntp.c | 2 +-
mm/hugetlb_cgroup.c | 2 +-
mm/memcontrol.c | 2 +-
mm/memory_hotplug.c | 43 ++++++++++------
mm/mempolicy.c | 14 ++++--
mm/page_io.c | 6 +--
mm/slub.c | 39 ++++-----------
net/core/devlink.c | 45 ++++++++++++++++-
net/ipv4/ipmr.c | 3 +-
net/smc/af_smc.c | 3 +-
sound/usb/endpoint.c | 3 ++
sound/usb/mixer.c | 4 +-
sound/usb/quirks.c | 4 +-
sound/usb/validate.c | 6 +--
virt/kvm/kvm_main.c | 26 ++++++++--
55 files changed, 369 insertions(+), 156 deletions(-)
The debug_dma_assert_idle() infrastructure was put in place to catch a
data corruption scenario first identified by the now defunct NET_DMA
receive offload feature. It caught cases where dma was in flight to a
stale page because the dma raced the cpu writing the page, and the cpu
write triggered cow_user_page().
However, the dma-debug tracking is overeager and also triggers in cases
where the dma device is reading from a page that is also undergoing
cow_user_page().
The fix proposed was originally posted in 2016, and Russell reported
"Yes, that seems to avoid the warning for me from an initial test", and
now Don is also reporting that this fix is addressing a similar false
positive report that he is seeing.
Link: https://lore.kernel.org/r/CAPcyv4j8fWqwAaX5oCdg5atc+vmp57HoAGT6AfBFwaCiv0Rb…
Reported-by: Russell King <linux(a)armlinux.org.uk>
Reported-by: Don Dutile <ddutile(a)redhat.com>
Fixes: 0abdd7a81b7e ("dma-debug: introduce debug_dma_assert_idle()")
Cc: <stable(a)vger.kernel.org>
Cc: Christoph Hellwig <hch(a)lst.de>
Cc: Marek Szyprowski <m.szyprowski(a)samsung.com>
Cc: Robin Murphy <robin.murphy(a)arm.com>
Signed-off-by: Dan Williams <dan.j.williams(a)intel.com>
---
kernel/dma/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
index 099002d84f46..11a6db53d193 100644
--- a/kernel/dma/debug.c
+++ b/kernel/dma/debug.c
@@ -587,7 +587,7 @@ void debug_dma_assert_idle(struct page *page)
}
spin_unlock_irqrestore(&radix_lock, flags);
- if (!entry)
+ if (!entry || entry->direction != DMA_FROM_DEVICE)
return;
cln = to_cacheline_number(entry);
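Review bot: The new condition `entry->direction != DMA_FROM_DEVICE` also skips the check for DMA_BIDIRECTIONAL mappings, where the device may still be writing to the page while cow_user_page() copies it. The commit message only argues that device reads are false positives, so consider returning early only for DMA_TO_DEVICE, and add a one-line comment above the test saying why read-only mappings are exempt.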
virtio_balloon_shrinker_scan should return number of system pages freed,
but because it's calling functions that deal with balloon pages, it gets
confused and sometimes returns the number of balloon pages.
It does not matter practically as the exact number isn't
used, but it seems better to be consistent in case someone
starts using this API.
Further, if we ever tried to iteratively leak pages as
virtio_balloon_shrinker_scan tries to do, we'd run into issues - this is
because freed_pages was accumulating total freed pages, but was also
subtracted on each iteration from pages_to_free, which can result in
either leaking less memory than we were supposed to free, or more if
pages_to_free underruns.
On a system with 4K pages we are lucky that we are never asked to leak
more than 128 pages while we can leak up to 256 at a time,
but it looks like a real issue for systems with page size != 4K.
Cc: stable(a)vger.kernel.org
Fixes: 71994620bb25 ("virtio_balloon: replace oom notifier with shrinker")
Reported-by: Khazhismel Kumykov <khazhy(a)google.com>
Reviewed-by: Wei Wang <wei.w.wang(a)intel.com>
Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com>
---
drivers/virtio/virtio_balloon.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index 226fbb995fb0..7cee05cdf3fb 100644
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -772,6 +772,13 @@ static unsigned long shrink_free_pages(struct virtio_balloon *vb,
return blocks_freed << VIRTIO_BALLOON_FREE_PAGE_ORDER;
}
+static unsigned long leak_balloon_pages(struct virtio_balloon *vb,
+ unsigned long pages_to_free)
+{
+ return leak_balloon(vb, pages_to_free * VIRTIO_BALLOON_PAGES_PER_PAGE) /
+ VIRTIO_BALLOON_PAGES_PER_PAGE;
+}
+
static unsigned long shrink_balloon_pages(struct virtio_balloon *vb,
unsigned long pages_to_free)
{
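Review bot: leak_balloon_pages() has no comment stating that its argument and return value are in system pages while leak_balloon() counts balloon pages, which is the exact unit confusion this patch sets out to fix. A short comment on units would help, and it should note that the division by VIRTIO_BALLOON_PAGES_PER_PAGE truncates if leak_balloon() ever returns a count that is not a multiple of it.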
@@ -782,11 +789,9 @@ static unsigned long shrink_balloon_pages(struct virtio_balloon *vb,
* VIRTIO_BALLOON_ARRAY_PFNS_MAX balloon pages, so we call it
* multiple times to deflate pages till reaching pages_to_free.
*/
- while (vb->num_pages && pages_to_free) {
- pages_freed += leak_balloon(vb, pages_to_free) /
- VIRTIO_BALLOON_PAGES_PER_PAGE;
- pages_to_free -= pages_freed;
- }
+ while (vb->num_pages && pages_freed < pages_to_free)
+ pages_freed += leak_balloon_pages(vb, pages_to_free);
+
update_balloon_size(vb);
return pages_freed;
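Review bot: In the new loop each iteration passes the full `pages_to_free` to leak_balloon_pages() rather than the remainder, so when a single call cannot satisfy the request the last iteration can free more than was asked for. Passing `pages_to_free - pages_freed` would bound the total. The loop also has no exit if leak_balloon_pages() returns 0 while vb->num_pages is non-zero, so breaking out on a zero return would make termination explicit.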
@@ -799,7 +804,7 @@ static unsigned long virtio_balloon_shrinker_scan(struct shrinker *shrinker,
struct virtio_balloon *vb = container_of(shrinker,
struct virtio_balloon, shrinker);
- pages_to_free = sc->nr_to_scan * VIRTIO_BALLOON_PAGES_PER_PAGE;
+ pages_to_free = sc->nr_to_scan;
if (virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT))
pages_freed = shrink_free_pages(vb, pages_to_free);
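Review bot: With `pages_to_free = sc->nr_to_scan` the value is now in system pages, and the context lines pass the same variable to shrink_free_pages(), whose expected unit is not visible in this hunk. Please confirm that shrink_free_pages() also takes system pages, and consider naming the unit in a comment next to the assignment.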
--
MST
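The accounting problem described in the commit message above, as an added user-space model (not code from the patch or the driver) that runs the pre-patch loop and the posted loop side by side. The leak_balloon() here is a toy stand-in, and 1 and 16 balloon pages per system page (4K and 64K page sizes) are assumptions of the model.

```c
#include <stdio.h>

/* Constructed model: one leak_balloon() call releases at most this many
 * 4K balloon pages ("we can leak up to 256 at a time" in the message). */
#define ARRAY_PFNS_MAX 256UL

struct balloon {
	unsigned long num_pages; /* balloon (4K) pages currently held */
};

/* Toy stand-in for leak_balloon(): takes and returns balloon pages. */
static unsigned long leak_balloon(struct balloon *vb, unsigned long num)
{
	if (num > ARRAY_PFNS_MAX)
		num = ARRAY_PFNS_MAX;
	if (num > vb->num_pages)
		num = vb->num_pages;
	vb->num_pages -= num;
	return num;
}

/* Loop as it stood before the patch. ppp = balloon pages per system page,
 * held = system pages in the balloon. Returns system pages freed. */
unsigned long shrink_old(unsigned long ppp, unsigned long held,
			 unsigned long nr_to_scan)
{
	struct balloon vb = { held * ppp };
	unsigned long pages_to_free = nr_to_scan * ppp; /* balloon pages */
	unsigned long pages_freed = 0;                  /* system pages */

	while (vb.num_pages && pages_to_free) {
		pages_freed += leak_balloon(&vb, pages_to_free) / ppp;
		/* Running total subtracted every pass, in the wrong unit:
		 * this can step past zero and wrap to a huge value. */
		pages_to_free -= pages_freed;
	}
	return pages_freed;
}

/* Loop as posted in the patch: every quantity is in system pages. */
unsigned long shrink_new(unsigned long ppp, unsigned long held,
			 unsigned long nr_to_scan)
{
	struct balloon vb = { held * ppp };
	unsigned long pages_to_free = nr_to_scan;
	unsigned long pages_freed = 0;

	while (vb.num_pages && pages_freed < pages_to_free)
		pages_freed += leak_balloon(&vb, pages_to_free * ppp) / ppp;
	return pages_freed;
}

int main(void)
{
	unsigned long ppp[] = { 1, 16 };
	unsigned long i;

	/* Balloon holds 10000 system pages; the shrinker asks for 128. */
	for (i = 0; i < 2; i++)
		printf("ppp=%2lu asked=128 old=%lu new=%lu\n", ppp[i],
		       shrink_old(ppp[i], 10000, 128),
		       shrink_new(ppp[i], 10000, 128));
	return 0;
}
```

With 16 balloon pages per system page the old loop's `pages_to_free` wraps below zero on the sixteenth pass and the loop only stops once the balloon is empty.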
The patch titled
Subject: mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
has been added to the -mm tree. Its filename is
mm-ksm-dont-warn-if-page-is-still-mapped-in-remove_stable_node.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/mm-ksm-dont-warn-if-page-is-still-…
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/mm-ksm-dont-warn-if-page-is-still-…
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Andrey Ryabinin <aryabinin(a)virtuozzo.com>
Subject: mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
It's possible to hit the WARN_ON_ONCE(page_mapped(page)) in
remove_stable_node() when it races with __mmput() and squeezes in between
ksm_exit() and exit_mmap().
WARNING: CPU: 0 PID: 3295 at mm/ksm.c:888 remove_stable_node+0x10c/0x150
Call Trace:
remove_all_stable_nodes+0x12b/0x330
run_store+0x4ef/0x7b0
kernfs_fop_write+0x200/0x420
vfs_write+0x154/0x450
ksys_write+0xf9/0x1d0
do_syscall_64+0x99/0x510
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Remove the warning as there is nothing scary going on.
Link: http://lkml.kernel.org/r/20191119131850.5675-1-aryabinin@virtuozzo.com
Fixes: cbf86cfe04a6 ("ksm: remove old stable nodes more thoroughly")
Signed-off-by: Andrey Ryabinin <aryabinin(a)virtuozzo.com>
Cc: Hugh Dickins <hughd(a)google.com>
Cc: Andrea Arcangeli <aarcange(a)redhat.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
mm/ksm.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/mm/ksm.c~mm-ksm-dont-warn-if-page-is-still-mapped-in-remove_stable_node
+++ a/mm/ksm.c
@@ -885,13 +885,13 @@ static int remove_stable_node(struct sta
return 0;
}
- if (WARN_ON_ONCE(page_mapped(page))) {
- /*
- * This should not happen: but if it does, just refuse to let
- * merge_across_nodes be switched - there is no need to panic.
- */
- err = -EBUSY;
- } else {
+ /*
+ * Page could be still mapped if this races with __mmput() running in
+ * between ksm_exit() and exit_mmap(). Just refuse to let
+ * merge_across_nodes/max_page_sharing be switched.
+ */
+ err = -EBUSY;
+ if (!page_mapped(page)) {
/*
* The stable node did not yet appear stale to get_ksm_page(),
* since that allows for an unmapped ksm page to be recognized
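Review bot: `err = -EBUSY` is now assigned unconditionally ahead of `if (!page_mapped(page))`, so the success path depends on the body of that branch resetting err, which this hunk does not show. Keeping an explicit if/else, or saying in the new comment that the branch below overwrites err, would make the control flow easier to audit. With the WARN_ON_ONCE gone the mapped case is silent, so the -EBUSY return is the only signal left to the caller.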
_
Patches currently in -mm which might be from aryabinin(a)virtuozzo.com are
mm-ksm-dont-warn-if-page-is-still-mapped-in-remove_stable_node.patch
mm-vmscan-remove-unused-lru_pages-argument.patch
The following commit has been merged into the x86/urgent branch of tip:
Commit-ID: 29b810f5a5ec127d3143770098e05981baa3eb77
Gitweb: https://git.kernel.org/tip/29b810f5a5ec127d3143770098e05981baa3eb77
Author: Jan Beulich <jbeulich(a)suse.com>
AuthorDate: Mon, 11 Nov 2019 15:32:12 +01:00
Committer: Thomas Gleixner <tglx(a)linutronix.de>
CommitterDate: Tue, 19 Nov 2019 21:58:28 +01:00
x86/xen/32: Make xen_iret_crit_fixup() independent of frame layout
Now that SS:ESP always get saved by SAVE_ALL, this also needs to be
accounted for in xen_iret_crit_fixup(). Otherwise the old_ax value gets
interpreted as EFLAGS, and hence VM86 mode appears to be active all the
time, leading to random "vm86_32: no user_vm86: BAD" log messages alongside
processes randomly crashing.
Since following the previous model (sitting after SAVE_ALL) would further
complicate the code _and_ retain the dependency of xen_iret_crit_fixup() on
frame manipulations done by entry_32.S, switch things around and do the
adjustment ahead of SAVE_ALL.
Fixes: 3c88c692c287 ("x86/stackframe/32: Provide consistent pt_regs")
Signed-off-by: Jan Beulich <jbeulich(a)suse.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Juergen Gross <jgross(a)suse.com>
Cc: Stable Team <stable(a)vger.kernel.org>
Link: https://lkml.kernel.org/r/32d8713d-25a7-84ab-b74b-aa3e88abce6b@suse.com
---
arch/x86/entry/entry_32.S | 22 +++++--------
arch/x86/xen/xen-asm_32.S | 66 +++++++++++++-------------------------
2 files changed, 33 insertions(+), 55 deletions(-)
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index 3f847d8..019dbac 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -1341,11 +1341,6 @@ END(spurious_interrupt_bug)
#ifdef CONFIG_XEN_PV
ENTRY(xen_hypervisor_callback)
- pushl $-1 /* orig_ax = -1 => not a system call */
- SAVE_ALL
- ENCODE_FRAME_POINTER
- TRACE_IRQS_OFF
-
/*
* Check to see if we got the event in the critical
* region in xen_iret_direct, after we've reenabled
@@ -1353,16 +1348,17 @@ ENTRY(xen_hypervisor_callback)
* iret instruction's behaviour where it delivers a
* pending interrupt when enabling interrupts:
*/
- movl PT_EIP(%esp), %eax
- cmpl $xen_iret_start_crit, %eax
+ cmpl $xen_iret_start_crit, (%esp)
jb 1f
- cmpl $xen_iret_end_crit, %eax
+ cmpl $xen_iret_end_crit, (%esp)
jae 1f
-
- jmp xen_iret_crit_fixup
-
-ENTRY(xen_do_upcall)
-1: mov %esp, %eax
+ call xen_iret_crit_fixup
+1:
+ pushl $-1 /* orig_ax = -1 => not a system call */
+ SAVE_ALL
+ ENCODE_FRAME_POINTER
+ TRACE_IRQS_OFF
+ mov %esp, %eax
call xen_evtchn_do_upcall
#ifndef CONFIG_PREEMPTION
call xen_maybe_preempt_hcall
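Review bot: The two `cmpl ..., (%esp)` tests rely on the interrupted EIP being at the top of the stack on entry to xen_hypervisor_callback, now that `pushl $-1` and SAVE_ALL run after the check. A comment at the first compare stating that (%esp) is the nested EIP at this point would document that assumption. Removing `ENTRY(xen_do_upcall)` also drops a global label, so it is worth confirming that no reference to it remains outside the two files touched here.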
diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
index c15db06..392e033 100644
--- a/arch/x86/xen/xen-asm_32.S
+++ b/arch/x86/xen/xen-asm_32.S
@@ -126,10 +126,9 @@ hyper_iret:
.globl xen_iret_start_crit, xen_iret_end_crit
/*
- * This is called by xen_hypervisor_callback in entry.S when it sees
+ * This is called by xen_hypervisor_callback in entry_32.S when it sees
* that the EIP at the time of interrupt was between
- * xen_iret_start_crit and xen_iret_end_crit. We're passed the EIP in
- * %eax so we can do a more refined determination of what to do.
+ * xen_iret_start_crit and xen_iret_end_crit.
*
* The stack format at this point is:
* ----------------
@@ -138,34 +137,23 @@ hyper_iret:
* eflags } outer exception info
* cs }
* eip }
- * ---------------- <- edi (copy dest)
- * eax : outer eax if it hasn't been restored
* ----------------
- * eflags } nested exception info
- * cs } (no ss/esp because we're nested
- * eip } from the same ring)
- * orig_eax }<- esi (copy src)
- * - - - - - - - -
- * fs }
- * es }
- * ds } SAVE_ALL state
- * eax }
- * : :
- * ebx }<- esp
+ * eax : outer eax if it hasn't been restored
* ----------------
+ * eflags }
+ * cs } nested exception info
+ * eip }
+ * return address : (into xen_hypervisor_callback)
*
- * In order to deliver the nested exception properly, we need to shift
- * everything from the return addr up to the error code so it sits
- * just under the outer exception info. This means that when we
- * handle the exception, we do it in the context of the outer
- * exception rather than starting a new one.
+ * In order to deliver the nested exception properly, we need to discard the
+ * nested exception frame such that when we handle the exception, we do it
+ * in the context of the outer exception rather than starting a new one.
*
- * The only caveat is that if the outer eax hasn't been restored yet
- * (ie, it's still on stack), we need to insert its value into the
- * SAVE_ALL state before going on, since it's usermode state which we
- * eventually need to restore.
+ * The only caveat is that if the outer eax hasn't been restored yet (i.e.
+ * it's still on stack), we need to restore its value here.
*/
ENTRY(xen_iret_crit_fixup)
+ pushl %ecx
/*
* Paranoia: Make sure we're really coming from kernel space.
* One could imagine a case where userspace jumps into the
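Review bot: The rewritten stack diagram no longer marks where %esp points, which the old one did with `<- esp`, and it describes the stack on entry, before the `pushl %ecx` added as the first instruction of xen_iret_crit_fixup. Since the code that follows addresses the frame with raw offsets from %esp, marking the return address slot as the %esp position at entry would let a reader check those offsets against the diagram.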
@@ -176,32 +164,26 @@ ENTRY(xen_iret_crit_fixup)
* jump instruction itself, not the destination, but some
* virtual environments get this wrong.
*/
- movl PT_CS(%esp), %ecx
+ movl 3*4(%esp), %ecx /* nested CS */
andl $SEGMENT_RPL_MASK, %ecx
cmpl $USER_RPL, %ecx
+ popl %ecx
je 2f
- lea PT_ORIG_EAX(%esp), %esi
- lea PT_EFLAGS(%esp), %edi
-
/*
* If eip is before iret_restore_end then stack
* hasn't been restored yet.
*/
- cmp $iret_restore_end, %eax
+ cmpl $iret_restore_end, 1*4(%esp)
jae 1f
- movl 0+4(%edi), %eax /* copy EAX (just above top of frame) */
- movl %eax, PT_EAX(%esp)
+ movl 4*4(%esp), %eax /* load outer EAX */
+ ret $4*4 /* discard nested EIP, CS, and EFLAGS as
+ * well as the just restored EAX */
- lea ESP_OFFSET(%edi), %edi /* move dest up over saved regs */
-
- /* set up the copy */
-1: std
- mov $PT_EIP / 4, %ecx /* saved regs up to orig_eax */
- rep movsl
- cld
-
- lea 4(%edi), %esp /* point esp to new frame */
-2: jmp xen_do_upcall
+1:
+ ret $3*4 /* discard nested EIP, CS, and EFLAGS */
+2:
+ ret
+END(xen_iret_crit_fixup)
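Review bot: The offset in `movl 3*4(%esp), %ecx` is only correct while %ecx is still pushed, and `cmpl $iret_restore_end, 1*4(%esp)` is only correct after the `popl %ecx`, so the two are relative to different stack depths. The CS and outer EAX loads carry a comment naming the slot; the `1*4(%esp)` compare deserves one too (nested EIP). The `popl %ecx` between `cmpl $USER_RPL, %ecx` and `je 2f` works because pop leaves EFLAGS untouched, and a short comment there would stop a later edit from inserting a flag-modifying instruction.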
The following commit has been merged into the x86/urgent branch of tip:
Commit-ID: 81ff2c37f9e5d77593928df0536d86443195fd64
Gitweb: https://git.kernel.org/tip/81ff2c37f9e5d77593928df0536d86443195fd64
Author: Jan Beulich <jbeulich(a)suse.com>
AuthorDate: Mon, 18 Nov 2019 16:21:12 +01:00
Committer: Thomas Gleixner <tglx(a)linutronix.de>
CommitterDate: Tue, 19 Nov 2019 21:58:28 +01:00
x86/stackframe/32: Repair 32-bit Xen PV
Once again RPL checks have been introduced which don't account for a 32-bit
kernel living in ring 1 when running in a PV Xen domain. The case in
FIXUP_FRAME has been preventing boot.
Adjust BUG_IF_WRONG_CR3 as well to guard against future uses of the macro
on a code path reachable when running in PV mode under Xen; I have to admit
that I stopped at a certain point trying to figure out whether there are
present ones.
Fixes: 3c88c692c287 ("x86/stackframe/32: Provide consistent pt_regs")
Signed-off-by: Jan Beulich <jbeulich(a)suse.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Cc: Stable Team <stable(a)vger.kernel.org>
Link: https://lore.kernel.org/r/0fad341f-b7f5-f859-d55d-f0084ee7087e@suse.com
---
arch/x86/entry/entry_32.S | 4 ++--
arch/x86/include/asm/segment.h | 12 ++++++++++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index f83ca5a..3f847d8 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -172,7 +172,7 @@
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
.if \no_user_check == 0
/* coming from usermode? */
- testl $SEGMENT_RPL_MASK, PT_CS(%esp)
+ testl $USER_SEGMENT_RPL_MASK, PT_CS(%esp)
jz .Lend_\@
.endif
/* On user-cr3? */
@@ -217,7 +217,7 @@
testl $X86_EFLAGS_VM, 4*4(%esp)
jnz .Lfrom_usermode_no_fixup_\@
#endif
- testl $SEGMENT_RPL_MASK, 3*4(%esp)
+ testl $USER_SEGMENT_RPL_MASK, 3*4(%esp)
jnz .Lfrom_usermode_no_fixup_\@
orl $CS_FROM_KERNEL, 3*4(%esp)
diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
index ac38929..6669164 100644
--- a/arch/x86/include/asm/segment.h
+++ b/arch/x86/include/asm/segment.h
@@ -31,6 +31,18 @@
*/
#define SEGMENT_RPL_MASK 0x3
+/*
+ * When running on Xen PV, the actual privilege level of the kernel is 1,
+ * not 0. Testing the Requested Privilege Level in a segment selector to
+ * determine whether the context is user mode or kernel mode with
+ * SEGMENT_RPL_MASK is wrong because the PV kernel's privilege level
+ * matches the 0x3 mask.
+ *
+ * Testing with USER_SEGMENT_RPL_MASK is valid for both native and Xen PV
+ * kernels because privilege level 2 is never used.
+ */
+#define USER_SEGMENT_RPL_MASK 0x2
+
/* User mode is privilege level 3: */
#define USER_RPL 0x3
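Review bot: USER_SEGMENT_RPL_MASK is a single-bit test rather than a mask that extracts the RPL, so it is only valid with a test-for-nonzero such as the `testl` uses in entry_32.S; code that masks a selector and then compares against USER_RPL must keep using SEGMENT_RPL_MASK. The new comment should state that restriction explicitly, because the similar name invites substituting one macro for the other.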
This is a note to let you know that I've just added the patch titled
serial: ifx6x60: add missed pm_runtime_disable
to my tty git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git
in the tty-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
From 50b2b571c5f3df721fc81bf9a12c521dfbe019ba Mon Sep 17 00:00:00 2001
From: Chuhong Yuan <hslester96(a)gmail.com>
Date: Mon, 18 Nov 2019 10:48:33 +0800
Subject: serial: ifx6x60: add missed pm_runtime_disable
The driver forgets to call pm_runtime_disable in remove.
Add the missed calls to fix it.
Signed-off-by: Chuhong Yuan <hslester96(a)gmail.com>
Cc: stable <stable(a)vger.kernel.org>
Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/tty/serial/ifx6x60.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c
index ffefd218761e..31033d517e82 100644
--- a/drivers/tty/serial/ifx6x60.c
+++ b/drivers/tty/serial/ifx6x60.c
@@ -1230,6 +1230,9 @@ static int ifx_spi_spi_remove(struct spi_device *spi)
struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi);
/* stop activity */
tasklet_kill(&ifx_dev->io_work_tasklet);
+
+ pm_runtime_disable(&spi->dev);
+
/* free irq */
free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), ifx_dev);
free_irq(gpio_to_irq(ifx_dev->gpio.srdy), ifx_dev);
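Review bot: pm_runtime_disable() is placed ahead of the free_irq() calls, so the interrupt handlers are still registered at the moment runtime PM is disabled. If either handler touches runtime PM, moving the call after the IRQs are freed would be safer; otherwise a comment on the chosen ordering would help. The commit message says "calls" but only the remove path is changed here, so please confirm whether the probe error path needs the same treatment.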
--
2.24.0