- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] ext4: add corruption check in ext4_xattr_set_entry()" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001 From: Theodore Ts'o <tytso(a)mit.edu> Date: Wed, 13 Jun 2018 00:23:11 -0400 Subject: [PATCH] ext4: add corruption check in ext4_xattr_set_entry() In theory this should have been caught earlier when the xattr list was verified, but in case it got missed, it's simple enough to add check to make sure we don't overrun the xattr buffer. This addresses CVE-2018-10879. https://bugzilla.kernel.org/show_bug.cgi?id=200001 Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Reviewed-by: Andreas Dilger <adilger(a)dilger.ca> Cc: stable(a)kernel.org diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index fc4ced59c565..230ba79715f6 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, handle_t *handle, struct inode *inode, bool is_block) { - struct ext4_xattr_entry *last; + struct ext4_xattr_entry *last, *next; struct ext4_xattr_entry *here = s->here; size_t min_offs = s->end - s->base, name_len = strlen(i->name); int in_inode = i->in_inode; @@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, /* Compute min_offs and last. */ last = s->first; - for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { + for (; !IS_LAST_ENTRY(last); last = next) { + next = EXT4_XATTR_NEXT(last); + if ((void *)next >= s->end) { + EXT4_ERROR_INODE(inode, "corrupted xattr entries"); + ret = -EFSCORRUPTED; + goto out; + } if (!last->e_value_inum && last->e_value_size) { size_t offs = le16_to_cpu(last->e_value_offs); if (offs < min_offs)

7 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] ext4: add corruption check in ext4_xattr_set_entry()" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001 From: Theodore Ts'o <tytso(a)mit.edu> Date: Wed, 13 Jun 2018 00:23:11 -0400 Subject: [PATCH] ext4: add corruption check in ext4_xattr_set_entry() In theory this should have been caught earlier when the xattr list was verified, but in case it got missed, it's simple enough to add check to make sure we don't overrun the xattr buffer. This addresses CVE-2018-10879. https://bugzilla.kernel.org/show_bug.cgi?id=200001 Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Reviewed-by: Andreas Dilger <adilger(a)dilger.ca> Cc: stable(a)kernel.org diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index fc4ced59c565..230ba79715f6 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, handle_t *handle, struct inode *inode, bool is_block) { - struct ext4_xattr_entry *last; + struct ext4_xattr_entry *last, *next; struct ext4_xattr_entry *here = s->here; size_t min_offs = s->end - s->base, name_len = strlen(i->name); int in_inode = i->in_inode; @@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, /* Compute min_offs and last. */ last = s->first; - for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { + for (; !IS_LAST_ENTRY(last); last = next) { + next = EXT4_XATTR_NEXT(last); + if ((void *)next >= s->end) { + EXT4_ERROR_INODE(inode, "corrupted xattr entries"); + ret = -EFSCORRUPTED; + goto out; + } if (!last->e_value_inum && last->e_value_size) { size_t offs = le16_to_cpu(last->e_value_offs); if (offs < min_offs)

7 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: fix user fence write race condition" failed to apply to 4.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c660f40b711980b42d8beac4b395a10645b20d5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?= <nicolai.haehnle(a)amd.com> Date: Fri, 29 Jun 2018 13:23:25 +0200 Subject: [PATCH] drm/amdgpu: fix user fence write race condition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The buffer object backing the user fence is reserved using the non-user fence, i.e., as soon as the non-user fence is signaled, the user fence buffer object can be moved or even destroyed. Therefore, emit the user fence first. Both fences have the same cache invalidation behavior, so this should have no user-visible effect. Signed-off-by: Nicolai Hähnle <nicolai.haehnle(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c index f70eeed9ed76..7aaa263ad8c7 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c @@ -231,6 +231,12 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs, if (ib->flags & AMDGPU_IB_FLAG_TC_WB_NOT_INVALIDATE) fence_flags |= AMDGPU_FENCE_FLAG_TC_WB_ONLY; + /* wrap the last IB with fence */ + if (job && job->uf_addr) { + amdgpu_ring_emit_fence(ring, job->uf_addr, job->uf_sequence, + fence_flags | AMDGPU_FENCE_FLAG_64BIT); + } + r = amdgpu_fence_emit(ring, f, fence_flags); if (r) { dev_err(adev->dev, "failed to emit fence (%d)\n", r); @@ -243,12 +249,6 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs, if (ring->funcs->insert_end) ring->funcs->insert_end(ring); - /* wrap the last IB with fence */ - if (job && job->uf_addr) { - amdgpu_ring_emit_fence(ring, job->uf_addr, job->uf_sequence, - fence_flags | AMDGPU_FENCE_FLAG_64BIT); - } - if (patch_offset != ~0 && ring->funcs->patch_cond_exec) amdgpu_ring_patch_cond_exec(ring, patch_offset);

7 years, 4 months

1
0
0 0

[RESEND PATCH v2] devres: Really align data field to unsigned long long

by Alexey Brodkin

Depending on ABI "long long" type of a particular 32-bit CPU might be aligned by either word (32-bits) or double word (64-bits). Make sure "data" is really 64-bit aligned for any 32-bit CPU. At least for 32-bit ARC cores ABI requires "long long" types to be aligned by normal 32-bit word. This makes "data" field aligned to 12 bytes. Which is still OK as long as we use 32-bit data only. But once we want to use native atomic64_t type (i.e. when we use special instructions LLOCKD/SCONDD for accessing 64-bit data) we easily hit misaligned access exception. That's because even on CPUs capable of non-aligned data access LL/SC instructions require strict alignment. Signed-off-by: Alexey Brodkin <abrodkin(a)synopsys.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org --- Changes v1 -> v2: * Reworded commit message * Inserted comment right in source [Thomas] drivers/base/devres.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/base/devres.c b/drivers/base/devres.c index f98a097e73f2..466fa59c866a 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -24,8 +24,12 @@ struct devres_node { struct devres { struct devres_node node; - /* -- 3 pointers */ - unsigned long long data[]; /* guarantee ull alignment */ + /* + * Depending on ABI "long long" type of a particular 32-bit CPU + * might be aligned by either word (32-bits) or double word (64-bits). + * Make sure "data" is really 64-bit aligned for any 32-bit CPU. + */ + unsigned long long data[] __aligned(sizeof(unsigned long long)); }; struct devres_group { -- 2.17.1

7 years, 4 months

6
18
0 0

[PATCH] i2c: tegra: Fix NACK error handling

by Jon Hunter

On Tegra30 Cardhu the PCA9546 I2C mux is not ACK'ing I2C commands on resume from suspend (which is caused by the reset signal for the I2C mux not being configured correctl). However, this NACK is causing the Tegra30 to hang on resuming from suspend which is not expected as we detect NACKs and handle them. The hang observed appears to occur when resetting the I2C controller to recover from the NACK. Commit 77821b4678f9 ("i2c: tegra: proper handling of error cases") added additional error handling for some error cases including NACK, however, it appears that this change conflicts with an early fix by commit f70893d08338 ("i2c: tegra: Add delay before resetting the controller after NACK"). After commit 77821b4678f9 was made we now disable 'packet mode' before the delay from commit f70893d08338 happens. Testing shows that moving the delay to before disabling 'packet mode' fixes the hang observed on Tegra30. The delay was added to give the I2C controller chance to send a stop condition and so it makes sense to move this to before we disable packet mode. Please note that packet mode is always enabled for Tegra. Fixes: 77821b4678f9 ("i2c: tegra: proper handling of error cases") Cc: stable(a)vger.kernel.org Signed-off-by: Jon Hunter <jonathanh(a)nvidia.com> --- drivers/i2c/busses/i2c-tegra.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c index 5fccd1f1bca8..797def5319f1 100644 --- a/drivers/i2c/busses/i2c-tegra.c +++ b/drivers/i2c/busses/i2c-tegra.c @@ -545,6 +545,14 @@ static int tegra_i2c_disable_packet_mode(struct tegra_i2c_dev *i2c_dev) { u32 cnfg; + /* + * NACK interrupt is generated before the I2C controller generates + * the STOP condition on the bus. So wait for 2 clock periods + * before disabling the controller so that the STOP condition has + * been delivered properly. + */ + udelay(DIV_ROUND_UP(2 * 1000000, i2c_dev->bus_clk_rate)); + cnfg = i2c_readl(i2c_dev, I2C_CNFG); if (cnfg & I2C_CNFG_PACKET_MODE_EN) i2c_writel(i2c_dev, cnfg & ~I2C_CNFG_PACKET_MODE_EN, I2C_CNFG); @@ -706,15 +714,6 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev, if (likely(i2c_dev->msg_err == I2C_ERR_NONE)) return 0; - /* - * NACK interrupt is generated before the I2C controller generates - * the STOP condition on the bus. So wait for 2 clock periods - * before resetting the controller so that the STOP condition has - * been delivered properly. - */ - if (i2c_dev->msg_err == I2C_ERR_NO_ACK) - udelay(DIV_ROUND_UP(2 * 1000000, i2c_dev->bus_clk_rate)); - tegra_i2c_init(i2c_dev); if (i2c_dev->msg_err == I2C_ERR_NO_ACK) { if (msg->flags & I2C_M_IGNORE_NAK) -- 1.9.1

7 years, 4 months

3
2
0 0

Important Notice...Reply Now

by Richard & Angela Maxwell

My wife and I won the Euro Millions Lottery of £53 Million British Pounds and we have voluntarily decided to donate 1,000,000EUR(One Million Euros) to 5 individuals randomly as part of our own charity project. To verify our lottery winnings,please see our interview by visiting the web page below: telegraph.co.uk/news/newstopics/howaboutthat/11511467/Lincolnshire-couple-win-53m-on-EuroMillions.html Your email address was among the emails which were submitted to us by the Google Inc. as a web user; if you have received our email,kindly send us the below details so that we can transfer your 1,000,000.00 EUR(One Million Euros) to you in your own country. Full Names: Mobile No: Age: Occupation: Country: Send your response to: rmaxwell81(a)yahoo.com Best Regards, Richard & Angela Maxwell

7 years, 4 months

1
0
0 0

[PATCH 1/2] clk: mvebu: armada-37xx-periph: Fix switching CPU rate from 300Mhz to 1.2GHz

by Gregory CLEMENT

Switching the CPU from the L2 or L3 frequencies (300 and 200 Mhz respectively) to L0 frequency (1.2 Ghz) requires a significant amount of time to let VDD stabilize to the appropriate voltage. This amount of time is large enough that it cannot be covered by the hardware countdown register. Due to this, the CPU might start operating at L0 before the voltage is stabilized, leading to CPU stalls. To work around this problem, we prevent switching directly from the L2/L3 frequencies to the L0 frequency, and instead switch to the L1 frequency in-between. The sequence therefore becomes: 1. First switch from L2/L3(200/300MHz) to L1(600MHZ) 2. Sleep 20ms for stabling VDD voltage 3. Then switch from L1(600MHZ) to L0(1200Mhz). It is based on the work done by Ken Ma <make(a)marvell.com> Cc: stable(a)vger.kernel.org Fixes: 2089dc33ea0e ("clk: mvebu: armada-37xx-periph: add DVFS support for cpu clocks") Signed-off-by: Gregory CLEMENT <gregory.clement(a)bootlin.com> --- drivers/clk/mvebu/armada-37xx-periph.c | 38 ++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/drivers/clk/mvebu/armada-37xx-periph.c b/drivers/clk/mvebu/armada-37xx-periph.c index 6860bd5a37c5..44e4e27eddad 100644 --- a/drivers/clk/mvebu/armada-37xx-periph.c +++ b/drivers/clk/mvebu/armada-37xx-periph.c @@ -35,6 +35,7 @@ #define CLK_SEL 0x10 #define CLK_DIS 0x14 +#define ARMADA_37XX_DVFS_LOAD_1 1 #define LOAD_LEVEL_NR 4 #define ARMADA_37XX_NB_L0L1 0x18 @@ -507,6 +508,40 @@ static long clk_pm_cpu_round_rate(struct clk_hw *hw, unsigned long rate, return -EINVAL; } +/* + * Switching the CPU from the L2 or L3 frequencies (300 and 200 Mhz + * respectively) to L0 frequency (1.2 Ghz) requires a significant + * amount of time to let VDD stabilize to the appropriate + * voltage. This amount of time is large enough that it cannot be + * covered by the hardware countdown register. Due to this, the CPU + * might start operating at L0 before the voltage is stabilized, + * leading to CPU stalls. + * + * To work around this problem, we prevent switching directly from the + * L2/L3 frequencies to the L0 frequency, and instead switch to the L1 + * frequency in-between. The sequence therefore becomes: + * 1. First switch from L2/L3(200/300MHz) to L1(600MHZ) + * 2. Sleep 20ms for stabling VDD voltage + * 3. Then switch from L1(600MHZ) to L0(1200Mhz). + */ +static void clk_pm_cpu_set_rate_wa(unsigned long rate, struct regmap *base) +{ + unsigned int cur_level; + + if (rate != 1200 * 1000 * 1000) + return; + + regmap_read(base, ARMADA_37XX_NB_CPU_LOAD, &cur_level); + cur_level &= ARMADA_37XX_NB_CPU_LOAD_MASK; + if (cur_level <= ARMADA_37XX_DVFS_LOAD_1) + return; + + regmap_update_bits(base, ARMADA_37XX_NB_CPU_LOAD, + ARMADA_37XX_NB_CPU_LOAD_MASK, + ARMADA_37XX_DVFS_LOAD_1); + msleep(20); +} + static int clk_pm_cpu_set_rate(struct clk_hw *hw, unsigned long rate, unsigned long parent_rate) { @@ -537,6 +572,9 @@ static int clk_pm_cpu_set_rate(struct clk_hw *hw, unsigned long rate, */ reg = ARMADA_37XX_NB_CPU_LOAD; mask = ARMADA_37XX_NB_CPU_LOAD_MASK; + + clk_pm_cpu_set_rate_wa(rate, base); + regmap_update_bits(base, reg, mask, load_level); return rate; -- 2.17.1

7 years, 4 months

2
4
0 0

[PATCH] ARM: tegra: Fix Tegra30 Cardhu PCA954x reset

by Jon Hunter

On all versions of Tegra30 Cardhu, the reset signal to the NXP PCA9546 I2C mux is connected to the Tegra GPIO BB0. Currently, this pin on the Tegra is not configured as a GPIO but as a special-function IO (SFIO) that is multiplexing the pin to an I2S controller. On exiting system suspend, I2C commands sent to the PCA9546 are failing because there is no ACK. Although it is not possible to see exactly what is happening to the reset during suspend, by ensuring it is configured as a GPIO and driven high, to de-assert the reset, the failures are no longer seen. Please note that this GPIO is also used to drive the reset signal going to the camera connector on the board. However, given that there is no camera support currently for Cardhu, this should not have any impact. Fixes: 40431d16ff11 ("ARM: tegra: enable PCA9546 on Cardhu") Cc: stable(a)vger.kernel.org Signed-off-by: Jon Hunter <jonathanh(a)nvidia.com> --- arch/arm/boot/dts/tegra30-cardhu.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm/boot/dts/tegra30-cardhu.dtsi b/arch/arm/boot/dts/tegra30-cardhu.dtsi index 92a9740c533f..3b1db7b9ec50 100644 --- a/arch/arm/boot/dts/tegra30-cardhu.dtsi +++ b/arch/arm/boot/dts/tegra30-cardhu.dtsi @@ -206,6 +206,7 @@ #address-cells = <1>; #size-cells = <0>; reg = <0x70>; + reset-gpio = <&gpio TEGRA_GPIO(BB, 0) GPIO_ACTIVE_LOW>; }; }; -- 1.9.1

7 years, 4 months

2
1
0 0

[PATCH] x86/apm: Don't access __preempt_count with zeroed fs

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> APM_DO_POP_SEGS does not restore fs/gs which were zeroed by APM_DO_ZERO_SEGS. Trying to access __preempt_count with zeroed fs doesn't really work. Move the ibrs stuff outside the APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS invocations so that fs is actually restored before we call preempt_enable(). Fixes the following sort of oopses: [ 0.313581] general protection fault: 0000 [#1] PREEMPT SMP [ 0.313803] Modules linked in: [ 0.314040] CPU: 0 PID: 268 Comm: kapmd Not tainted 4.16.0-rc1-triton-bisect-00090-gdd84441a7971 #19 [ 0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 [ 0.316161] EFLAGS: 00210016 CPU: 0 [ 0.316161] EAX: 00000102 EBX: 00000000 ECX: 00000102 EDX: 00000000 [ 0.316161] ESI: 0000530e EDI: dea95f64 EBP: dea95f18 ESP: dea95ef0 [ 0.316161] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 [ 0.316161] CR0: 80050033 CR2: 00000000 CR3: 015d3000 CR4: 000006d0 [ 0.316161] Call Trace: [ 0.316161] ? cpumask_weight.constprop.15+0x20/0x20 [ 0.316161] on_cpu0+0x44/0x70 [ 0.316161] apm+0x54e/0x720 [ 0.316161] ? __switch_to_asm+0x26/0x40 [ 0.316161] ? __schedule+0x17d/0x590 [ 0.316161] kthread+0xc0/0xf0 [ 0.316161] ? proc_apm_show+0x150/0x150 [ 0.316161] ? kthread_create_worker_on_cpu+0x20/0x20 [ 0.316161] ret_from_fork+0x2e/0x38 [ 0.316161] Code: da 8e c2 8e e2 8e ea 57 55 2e ff 1d e0 bb 5d b1 0f 92 c3 5d 5f 07 1f 89 47 0c 90 8d b4 26 00 00 00 00 90 8d b4 26 00 00 00 00 90 <64> ff 0d 84 16 5c b1 74 7f 8b 45 dc 8e e0 8b 45 d8 8e e8 8b 45 [ 0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 SS:ESP: 0068:dea95ef0 [ 0.316161] ---[ end trace 656253db2deaa12c ]--- Cc: stable(a)vger.kernel.org Cc: David Woodhouse <dwmw(a)amazon.co.uk> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: x86(a)kernel.org Fixes: dd84441a7971 ("x86/speculation: Use IBRS if available before calling into firmware") Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- arch/x86/include/asm/apm.h | 6 ------ arch/x86/kernel/apm_32.c | 5 +++++ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h index c356098b6fb9..4d4015ddcf26 100644 --- a/arch/x86/include/asm/apm.h +++ b/arch/x86/include/asm/apm.h @@ -7,8 +7,6 @@ #ifndef _ASM_X86_MACH_DEFAULT_APM_H #define _ASM_X86_MACH_DEFAULT_APM_H -#include <asm/nospec-branch.h> - #ifdef APM_ZERO_SEGS # define APM_DO_ZERO_SEGS \ "pushl %%ds\n\t" \ @@ -34,7 +32,6 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in, * N.B. We do NOT need a cld after the BIOS call * because we always save and restore the flags. */ - firmware_restrict_branch_speculation_start(); __asm__ __volatile__(APM_DO_ZERO_SEGS "pushl %%edi\n\t" "pushl %%ebp\n\t" @@ -47,7 +44,6 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in, "=S" (*esi) : "a" (func), "b" (ebx_in), "c" (ecx_in) : "memory", "cc"); - firmware_restrict_branch_speculation_end(); } static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, @@ -60,7 +56,6 @@ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, * N.B. We do NOT need a cld after the BIOS call * because we always save and restore the flags. */ - firmware_restrict_branch_speculation_start(); __asm__ __volatile__(APM_DO_ZERO_SEGS "pushl %%edi\n\t" "pushl %%ebp\n\t" @@ -73,7 +68,6 @@ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, "=S" (si) : "a" (func), "b" (ebx_in), "c" (ecx_in) : "memory", "cc"); - firmware_restrict_branch_speculation_end(); return error; } diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c index 5d0de79fdab0..ec00d1ff5098 100644 --- a/arch/x86/kernel/apm_32.c +++ b/arch/x86/kernel/apm_32.c @@ -240,6 +240,7 @@ #include <asm/olpc.h> #include <asm/paravirt.h> #include <asm/reboot.h> +#include <asm/nospec-branch.h> #if defined(CONFIG_APM_DISPLAY_BLANK) && defined(CONFIG_VT) extern int (*console_blank_hook)(int); @@ -614,11 +615,13 @@ static long __apm_bios_call(void *_call) gdt[0x40 / 8] = bad_bios_desc; apm_irq_save(flags); + firmware_restrict_branch_speculation_start(); APM_DO_SAVE_SEGS; apm_bios_call_asm(call->func, call->ebx, call->ecx, &call->eax, &call->ebx, &call->ecx, &call->edx, &call->esi); APM_DO_RESTORE_SEGS; + firmware_restrict_branch_speculation_end(); apm_irq_restore(flags); gdt[0x40 / 8] = save_desc_40; put_cpu(); @@ -690,10 +693,12 @@ static long __apm_bios_call_simple(void *_call) gdt[0x40 / 8] = bad_bios_desc; apm_irq_save(flags); + firmware_restrict_branch_speculation_start(); APM_DO_SAVE_SEGS; error = apm_bios_call_simple_asm(call->func, call->ebx, call->ecx, &call->eax); APM_DO_RESTORE_SEGS; + firmware_restrict_branch_speculation_end(); apm_irq_restore(flags); gdt[0x40 / 8] = save_desc_40; put_cpu(); -- 2.16.4

7 years, 4 months

1
0
0 0

[PATCH 4.14 00/61] 4.14.54-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.54 release. There are 61 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Jul 8 05:46:58 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.54-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.54-rc1 Damien Thébault <damien.thebault(a)vitec.com> net: dsa: b53: Add BCM5389 support Finn Thain <fthain(a)telegraphics.com.au> net/sonic: Use dma_mapping_error() João Paulo Rechi Vita <jprvita(a)endlessm.com> platform/x86: asus-wmi: Fix NULL pointer dereference Paul Burton <paul.burton(a)mips.com> sched/core: Require cpu_active() in select_task_rq(), for user tasks Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix rules for running on online && !active CPUs Darrick J. Wong <darrick.wong(a)oracle.com> fs: clear writeback errors in inode_init_always YueHaibing <yuehaibing(a)huawei.com> perf bpf: Fix NULL return handling in bpf__prepare_load() Thomas Richter <tmricht(a)linux.ibm.com> perf test: "Session topology" dumps core on s390 Josh Hill <josh(a)joshuajhill.com> net: qmi_wwan: Add Netgear Aircard 779S Ivan Bornyakov <brnkv.i1(a)gmail.com> atm: zatm: fix memcmp casting Hao Wei Tee <angelsl(a)in04.sg> iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs Julian Anastasov <ja(a)ssi.bg> ipvs: fix buffer overflow with sync daemon and service Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_limit: fix packet ratelimiting Sebastian Ott <sebott(a)linux.ibm.com> s390/dasd: use blk_mq_rq_from_pdu for per request data Paolo Abeni <pabeni(a)redhat.com> netfilter: ebtables: handle string from userspace with care David Howells <dhowells(a)redhat.com> afs: Fix directory permissions check Eric Dumazet <edumazet(a)google.com> xfrm6: avoid potential infinite loop in _decode_session6() Abhishek Sahu <absahu(a)codeaurora.org> mtd: rawnand: fix return value check for bad block status Sean Nyekjaer <sean.nyekjaer(a)prevas.dk> ARM: dts: imx6q: Use correct SDMA script for SPI5 core Taehee Yoo <ap420073(a)gmail.com> netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() Vincent Bernat <vincent(a)bernat.im> netfilter: ip6t_rpfilter: provide input interface for route lookup Florian Westphal <fw(a)strlen.de> netfilter: don't set F_IFACE on ipv6 fib lookups NeilBrown <neilb(a)suse.com> md: remove special meaning of ->quiesce(.., 2) NeilBrown <neilb(a)suse.com> md: allow metadata update while suspending. NeilBrown <neilb(a)suse.com> md: use mddev_suspend/resume instead of ->quiesce() NeilBrown <neilb(a)suse.com> md: move suspend_hi/lo handling into core md code NeilBrown <neilb(a)suse.com> md: don't call bitmap_create() while array is quiesced. NeilBrown <neilb(a)suse.com> md: always hold reconfig_mutex when calling mddev_suspend() Taehee Yoo <ap420073(a)gmail.com> netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj() Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: add missing netlink attrs to policies Colin Ian King <colin.king(a)canonical.com> netfilter: nf_tables: fix memory leak on error exit return Taehee Yoo <ap420073(a)gmail.com> netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: disable preemption in nft_update_chain_stats() Taehee Yoo <ap420073(a)gmail.com> netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: bogus EBUSY in chain deletions Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: don't assume chain stats are set when jumplabel is set Florian Westphal <fw(a)strlen.de> netfilter: nft_compat: fix handling of large matchinfo size Florian Westphal <fw(a)strlen.de> netfilter: nft_compat: prepare for indirect info storage Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: nft_compat: fix refcount leak on xt module Kenneth Graunke <kenneth(a)whitecape.org> drm/i915: Enable provoking vertex fix on Gen9 systems. Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Refactor amdgpu_vram_mgr_bo_invisible_size helper Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Use kvmalloc_array for allocating VRAM manager nodes array Stefan Agner <stefan(a)agner.ch> drm/atmel-hlcdc: check stride values in the first plane Jeremy Cline <jcline(a)redhat.com> drm/qxl: Call qxl_bo_unref outside atomic context Huang Rui <ray.huang(a)amd.com> drm/amdgpu: fix the missed vcn fw version report Rex Zhu <Rex.Zhu(a)amd.com> drm/amdgpu: Add APU support in vi_set_vce_clocks Rex Zhu <Rex.Zhu(a)amd.com> drm/amdgpu: Add APU support in vi_set_uvd_clocks Alexander Potapenko <glider(a)google.com> vt: prevent leaking uninitialized data to userspace via /dev/vcs* Johan Hovold <johan(a)kernel.org> serdev: fix memleak on module unload Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> serial: 8250_pci: Remove stalled entries in blacklist Laura Abbott <labbott(a)redhat.com> staging: android: ion: Return an ERR_PTR in ion_map_kernel Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> n_tty: Access echo_* variables carefully. Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> n_tty: Fix stall at n_tty_receive_char_special(). Zhengjun Xing <zhengjun.xing(a)linux.intel.com> xhci: Fix kernel oops in trace_xhci_free_virt_device Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: typec: ucsi: Fix for incorrect status data issue Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: typec: ucsi: acpi: Workaround for cache mode issue Heikki Krogerus <heikki.krogerus(a)linux.intel.com> acpi: Add helper for deactivating memory region William Wu <william.wu(a)rock-chips.com> usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub Karoly Pados <pados(a)pados.hu> USB: serial: cp210x: add Silicon Labs IDs for Windows Update Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add CESINEL device ids Houston Yaroschoff <hstn(a)4ever3.net> usb: cdc_acm: Add quirk for Uniden UBC125 scanner ------------- Diffstat: Documentation/devicetree/bindings/net/dsa/b53.txt | 1 + Makefile | 4 +- arch/arm/boot/dts/imx6q.dtsi | 2 +- drivers/acpi/osl.c | 72 ++++++++ drivers/atm/zatm.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 6 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 23 ++- drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/vi.c | 77 +++++++-- drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 2 +- drivers/gpu/drm/i915/i915_reg.h | 5 + drivers/gpu/drm/i915/intel_lrc.c | 12 +- drivers/gpu/drm/qxl/qxl_display.c | 7 +- drivers/md/dm-raid.c | 10 +- drivers/md/md-cluster.c | 6 +- drivers/md/md.c | 90 ++++++---- drivers/md/md.h | 15 +- drivers/md/raid0.c | 2 +- drivers/md/raid1.c | 27 +-- drivers/md/raid10.c | 10 +- drivers/md/raid5-cache.c | 30 ++-- drivers/md/raid5-log.h | 2 +- drivers/md/raid5.c | 40 +---- drivers/mtd/nand/nand_base.c | 2 +- drivers/net/dsa/b53/b53_common.c | 13 ++ drivers/net/dsa/b53/b53_mdio.c | 5 +- drivers/net/dsa/b53/b53_priv.h | 1 + drivers/net/ethernet/natsemi/sonic.c | 2 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 +- drivers/platform/x86/asus-wmi.c | 23 +-- drivers/s390/block/dasd.c | 7 +- drivers/staging/android/ion/ion_heap.c | 2 +- drivers/tty/n_tty.c | 55 +++--- drivers/tty/serdev/core.c | 1 + drivers/tty/serial/8250/8250_pci.c | 2 - drivers/tty/vt/vt.c | 4 +- drivers/usb/class/cdc-acm.c | 3 + drivers/usb/dwc2/hcd_queue.c | 2 +- drivers/usb/host/xhci-mem.c | 4 +- drivers/usb/host/xhci-trace.h | 36 +++- drivers/usb/serial/cp210x.c | 14 ++ drivers/usb/typec/ucsi/ucsi.c | 13 ++ drivers/usb/typec/ucsi/ucsi_acpi.c | 5 + fs/afs/security.c | 10 +- fs/inode.c | 1 + include/linux/acpi.h | 3 + include/net/netfilter/nf_tables.h | 5 + kernel/sched/core.c | 45 +++-- net/bridge/netfilter/ebtables.c | 3 +- net/ipv6/netfilter/ip6t_rpfilter.c | 4 +- net/ipv6/netfilter/nft_fib_ipv6.c | 12 +- net/ipv6/xfrm6_policy.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 21 ++- net/netfilter/nf_tables_api.c | 61 ++++++- net/netfilter/nf_tables_core.c | 20 ++- net/netfilter/nft_compat.c | 201 +++++++++++++++++----- net/netfilter/nft_immediate.c | 15 +- net/netfilter/nft_limit.c | 38 ++-- net/netfilter/nft_meta.c | 14 +- tools/perf/tests/topology.c | 30 +++- tools/perf/util/bpf-loader.c | 6 +- 64 files changed, 809 insertions(+), 340 deletions(-)

7 years, 4 months

4
57
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror