- Linux-stable-mirror - lists.linaro.org

[PATCH v3 1/4] ovl: use insert_inode_locked4() to hash a newly created inode

by Amir Goldstein

Currently, there is a small window where ovl_obtain_alias() can race with ovl_instantiate() and create two different overlay inodes with the same underlying real non-dir non-hardlink inode. The race requires an adversary to guess the file handle of the yet to be created upper inode and decode the guessed file handle after ovl_creat_real(), but before ovl_instantiate(). This patch fixes the race, by using insert_inode_locked4() to add a newly created inode to icache. If the newly created inode apears to already exist in icache (hashed by the same real upper inode), we export this error to user instead of silently not hashing the new inode. This race does not affect overlay directory inodes, because those are decoded via ovl_lookup_real() and not with ovl_obtain_alias(), so avoid using the new helper d_instantiate_new() to reduce backport dependencies. Backporting only makes sense for v4.16 where NFS export was introduced. Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> #v4.16 Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> --- fs/overlayfs/dir.c | 24 ++++++++++++++++++------ fs/overlayfs/inode.c | 18 ++++++++++++++++++ fs/overlayfs/overlayfs.h | 1 + 3 files changed, 37 insertions(+), 6 deletions(-) diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index 47dc980e8b33..62e6733b755c 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -183,14 +183,24 @@ static int ovl_set_opaque(struct dentry *dentry, struct dentry *upperdentry) } /* Common operations required to be done after creation of file on upper */ -static void ovl_instantiate(struct dentry *dentry, struct inode *inode, - struct dentry *newdentry, bool hardlink) +static int ovl_instantiate(struct dentry *dentry, struct inode *inode, + struct dentry *newdentry, bool hardlink) { ovl_dir_modified(dentry->d_parent, false); - ovl_copyattr(d_inode(newdentry), inode); ovl_dentry_set_upper_alias(dentry); if (!hardlink) { - ovl_inode_update(inode, newdentry); + int err; + + ovl_inode_init(inode, newdentry, NULL); + /* + * XXX: if we ever use ovl_obtain_alias() to decode directory + * file handles, need to use ovl_insert_inode_locked() and + * d_instantiate_new() here to prevent ovl_obtain_alias() + * from sneaking in before d_instantiate(). + */ + err = ovl_insert_inode(inode, d_inode(newdentry)); + if (err) + return err; } else { WARN_ON(ovl_inode_real(inode) != d_inode(newdentry)); dput(newdentry); @@ -200,6 +210,8 @@ static void ovl_instantiate(struct dentry *dentry, struct inode *inode, /* Force lookup of new upper hardlink to find its lower */ if (hardlink) d_drop(dentry); + + return 0; } static bool ovl_type_merge(struct dentry *dentry) @@ -238,7 +250,7 @@ static int ovl_create_upper(struct dentry *dentry, struct inode *inode, ovl_set_opaque(dentry, newdentry); } - ovl_instantiate(dentry, inode, newdentry, !!hardlink); + err = ovl_instantiate(dentry, inode, newdentry, !!hardlink); newdentry = NULL; out_dput: dput(newdentry); @@ -439,7 +451,7 @@ static int ovl_create_over_whiteout(struct dentry *dentry, struct inode *inode, if (err) goto out_cleanup; } - ovl_instantiate(dentry, inode, newdentry, !!hardlink); + err = ovl_instantiate(dentry, inode, newdentry, !!hardlink); newdentry = NULL; out_dput2: dput(upper); diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index 7abcf96e94fc..060c534998d1 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -741,6 +741,24 @@ static bool ovl_verify_inode(struct inode *inode, struct dentry *lowerdentry, return true; } +static int ovl_insert_inode_locked(struct inode *inode, struct inode *realinode) +{ + return insert_inode_locked4(inode, (unsigned long) realinode, + ovl_inode_test, realinode); +} + +int ovl_insert_inode(struct inode *inode, struct inode *realinode) +{ + int err; + + err = ovl_insert_inode_locked(inode, realinode); + if (err) + return err; + + unlock_new_inode(inode); + return 0; +} + struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real, bool is_upper) { diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index caaa47cea2aa..642b25702092 100644 --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h @@ -343,6 +343,7 @@ int ovl_update_time(struct inode *inode, struct timespec *ts, int flags); bool ovl_is_private_xattr(const char *name); struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev); +int ovl_insert_inode(struct inode *inode, struct inode *realinode); struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real, bool is_upper); struct inode *ovl_get_inode(struct super_block *sb, struct dentry *upperdentry, -- 2.7.4

7 years, 6 months

3
6
0 0

[PATCHES] Networking

by David Miller

Please queue up the following networking bug fixes for v4.14 and v4.16 -stable, respectively. Thanks!

7 years, 6 months

2
1
0 0

[PATCH 4.14 00/62] 4.14.41-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.41 release. There are 62 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed May 16 06:47:52 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.41-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.41-rc1 Anthoine Bourgeois <anthoine.bourgeois(a)blade-group.com> KVM: x86: remove APIC Timer periodic/oneshot spikes Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] Peter Zijlstra <peterz(a)infradead.org> perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver Peter Zijlstra <peterz(a)infradead.org> perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* Masami Hiramatsu <mhiramat(a)kernel.org> tracing/uprobe_event: Fix strncpy corner case Peter Zijlstra <peterz(a)infradead.org> sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] Steve French <smfrench(a)gmail.com> smb3: directory sync should not return an error Jens Axboe <axboe(a)kernel.dk> nvme: add quirk to force medium priority for SQ creation Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Propagate error value from tmu_read() Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Reading temperature makes sense only when TMU is turned on Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Hans de Goede <hdegoede(a)redhat.com> Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: schedutil: Avoid using invalid next_freq Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PCI / PM: Check device_may_wakeup() in pci_enable_wake() Kai Heng Feng <kai.heng.feng(a)canonical.com> PCI / PM: Always check PME wakeup capability for runtime wakeup support Gustavo A. R. Silva <gustavo(a)embeddedor.com> atm: zatm: Fix potential Spectre v1 Gustavo A. R. Silva <gustavo(a)embeddedor.com> net: atm: Fix potential Spectre v1 Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() Lyude Paul <lyude(a)redhat.com> drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Florent Flament <contact(a)florentflament.com> drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Boris Brezillon <boris.brezillon(a)bootlin.com> drm/vc4: Fix scaling of uni-planar formats Lukas Wunner <lukas(a)wunner.de> can: hi311x: Work around TX complete interrupt erratum Lukas Wunner <lukas(a)wunner.de> can: hi311x: Acquire SPI lock on ->do_get_berr_counter Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Ilya Dryomov <idryomov(a)gmail.com> ceph: fix rsize/wsize capping in ceph_direct_read_write() David Rientjes <rientjes(a)google.com> mm, oom: fix concurrent munlock and oom reaper unmap, v3 Pavel Tatashin <pasha.tatashin(a)oracle.com> mm: sections are not offlined during memory hotremove Vitaly Wool <vitalywool(a)gmail.com> z3fold: fix reclaim lock-ups Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix regex_match_front() to not over compare the test string Mikulas Patocka <mpatocka(a)redhat.com> dm integrity: use kvfree for kvmalloc'd memory Hans de Goede <hdegoede(a)redhat.com> libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Johan Hovold <johan(a)kernel.org> rfkill: gpio: fix memory leak in probe error path Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> gpio: fix error path in lineevent_create Govert Overgaauw <govert.overgaauw(a)prodrive-technologies.com> gpio: fix aspeed_gpio unmask irq Timur Tabi <timur(a)codeaurora.org> gpioib: do not free unrequested descriptors Jann Horn <jannh(a)google.com> compat: fix 4-byte infoleak via uninitialized struct field Suzuki K Poulose <suzuki.poulose(a)arm.com> arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing Laurent Vivier <lvivier(a)redhat.com> KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry Jan Kara <jack(a)suse.cz> bdi: Fix oops in wb_workfn() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> bdi: wake up concurrent wb_shutdown() callers. Eric Dumazet <edumazet(a)google.com> tcp: fix TCP_REPAIR_QUEUE bound checking Jiri Olsa <jolsa(a)kernel.org> perf: Remove superfluous allocation error check Michal Hocko <mhocko(a)suse.com> memcg: fix per_node_info cleanup Eric Dumazet <edumazet(a)google.com> inetpeer: fix uninit-value in inet_getpeer Eric Dumazet <edumazet(a)google.com> soreuseport: initialise timewait reuseport field Eric Dumazet <edumazet(a)google.com> ipv4: fix uninit-value in ip_route_output_key_hash_rcu() Eric Dumazet <edumazet(a)google.com> dccp: initialize ireq->ir_mark Eric Dumazet <edumazet(a)google.com> net: fix uninit-value in __hw_addr_add_ex() Eric Dumazet <edumazet(a)google.com> net: initialize skb->peeked when cloning Eric Dumazet <edumazet(a)google.com> net: fix rtnh_ok() Eric Dumazet <edumazet(a)google.com> netlink: fix uninit-value in netlink_sendmsg Eric Dumazet <edumazet(a)google.com> crypto: af_alg - fix possible uninit-value in alg_bind() Tom Herbert <tom(a)quantonium.net> kcm: Call strp_stop before strp_done in kcm_attach Florian Westphal <fw(a)strlen.de> netfilter: ebtables: don't attempt to allocate 0-sized compat array Julian Anastasov <ja(a)ssi.bg> ipvs: fix rtnl_lock lockups caused by start_sync_thread ------------- Diffstat: Documentation/arm64/silicon-errata.txt | 1 + Makefile | 4 +- arch/arm64/Kconfig | 14 +++ arch/arm64/include/asm/assembler.h | 40 +++++++++ arch/arm64/include/asm/cputype.h | 2 + arch/arm64/mm/proc.S | 5 ++ arch/powerpc/kvm/book3s_64_mmu_radix.c | 72 +++++++++------ arch/powerpc/kvm/book3s_hv.c | 17 ++-- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 +- arch/x86/events/core.c | 8 +- arch/x86/events/intel/cstate.c | 2 + arch/x86/events/msr.c | 9 +- arch/x86/kvm/lapic.c | 37 ++++---- crypto/af_alg.c | 8 +- drivers/ata/libata-core.c | 3 + drivers/atm/zatm.c | 3 + drivers/bluetooth/btusb.c | 19 +++- drivers/gpio/gpio-aspeed.c | 2 +- drivers/gpio/gpiolib.c | 7 +- drivers/gpu/drm/drm_atomic.c | 8 ++ drivers/gpu/drm/i915/intel_lvds.c | 3 +- drivers/gpu/drm/nouveau/nv50_display.c | 7 +- drivers/gpu/drm/vc4/vc4_plane.c | 2 +- drivers/md/dm-integrity.c | 2 +- drivers/net/can/spi/hi311x.c | 11 ++- drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/nvme/host/nvme.h | 5 ++ drivers/nvme/host/pci.c | 12 ++- drivers/pci/pci.c | 37 +++++--- drivers/thermal/samsung/exynos_tmu.c | 14 ++- fs/ceph/file.c | 10 +-- fs/cifs/cifsfs.c | 13 +++ fs/fs-writeback.c | 2 +- include/linux/oom.h | 2 + include/linux/wait_bit.h | 17 ++++ include/net/inet_timewait_sock.h | 1 + include/net/nexthop.h | 2 +- kernel/compat.c | 1 + kernel/events/callchain.c | 10 +-- kernel/events/ring_buffer.c | 7 +- kernel/sched/autogroup.c | 7 +- kernel/sched/cpufreq_schedutil.c | 3 +- kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_uprobe.c | 2 + mm/backing-dev.c | 2 +- mm/memcontrol.c | 3 + mm/mmap.c | 44 +++++---- mm/oom_kill.c | 74 ++++++++------- mm/sparse.c | 2 +- mm/z3fold.c | 42 ++++++--- net/atm/lec.c | 9 +- net/bridge/netfilter/ebtables.c | 11 +-- net/core/dev_addr_lists.c | 4 +- net/core/skbuff.c | 1 + net/dccp/ipv4.c | 1 + net/dccp/ipv6.c | 1 + net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/inetpeer.c | 1 + net/ipv4/route.c | 11 +-- net/ipv4/tcp.c | 2 +- net/kcm/kcmsock.c | 1 + net/netfilter/ipvs/ip_vs_ctl.c | 8 -- net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++---------------- net/netlink/af_netlink.c | 2 + net/rfkill/rfkill-gpio.c | 7 +- 65 files changed, 543 insertions(+), 283 deletions(-)

7 years, 6 months

7
63
0 0

[PATCH V4] clk: at91: PLL recalc_rate() now using cached MUL and DIV values

by Marcin Ziemianowicz

When a USB device is connected to the USB host port on the SAM9N12 then you get "-62" error which seems to indicate USB replies from the device are timing out. Based on a logic sniffer, I saw the USB bus was running at half speed. The PLL code uses cached MUL and DIV values which get set in set_rate() and applied in prepare(), but the recalc_rate() function instead queries the hardware instead of using these cached values. Therefore, if recalc_rate() is called between a set_rate() and prepare(), the wrong frequency is calculated and later the USB clock divider for the SAM9N12 SOC will be configured for an incorrect clock. In my case, the PLL hardware was set to 96 Mhz before the OHCI driver loads, and therefore the usb clock divider was being set to /2 even though the OHCI driver set the PLL to 48 Mhz. As an alternative explanation, I noticed this was fixed in the past by 87e2ed338f1b ("clk: at91: fix recalc_rate implementation of PLL driver") but the bug was later re-introduced by 1bdf02326b71 ("clk: at91: make use of syscon/regmap internally"). Fixes: 1bdf02326b71 ("clk: at91: make use of syscon/regmap internally) Cc: <stable(a)vger.kernel.org> Signed-off-by: Marcin Ziemianowicz <marcin(a)ziemianowicz.com> --- Thank you for bearing with me about this Boris. Changes since V3: Fix for double returns found by kbluild test robot > Comments by Boris Brezillon about email formatting issues Changes since V2: Removed all logging/debug messages I added > Comment by Boris Brezillon about my fix being wrong addressed Changes since V1: Added patch set cover letter Shortened lines which were over >80 characters long > Comment by Greg Kroah-Hartman about "from" field in email addressed > Comment by Alan Stern about redundant debug lines addressed drivers/clk/at91/clk-pll.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/drivers/clk/at91/clk-pll.c b/drivers/clk/at91/clk-pll.c index 7d3223fc..72b6091e 100644 --- a/drivers/clk/at91/clk-pll.c +++ b/drivers/clk/at91/clk-pll.c @@ -132,19 +132,8 @@ static unsigned long clk_pll_recalc_rate(struct clk_hw *hw, unsigned long parent_rate) { struct clk_pll *pll = to_clk_pll(hw); - unsigned int pllr; - u16 mul; - u8 div; - - regmap_read(pll->regmap, PLL_REG(pll->id), &pllr); - - div = PLL_DIV(pllr); - mul = PLL_MUL(pllr, pll->layout); - - if (!div || !mul) - return 0; - return (parent_rate / div) * (mul + 1); + return (parent_rate / pll->div) * (pll->mul + 1); } static long clk_pll_get_best_div_mul(struct clk_pll *pll, unsigned long rate, -- 2.17.0

7 years, 6 months

3
4
0 0

[PATCH] drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful

by Thomas Hellstrom

From: Deepak Rawat <drawat(a)vmware.com> SOU primary plane prepare_fb hook depends upon dmabuf_size to pin up BO (and not call a new vmw_dmabuf_init) when a new fb size is same as current fb. This was changed in a recent commit which is causing page_flip to fail on VM with low display memory and multi-mon failure when cycle monitors from secondary display. Cc: <stable(a)vger.kernel.org> # 4.14, 4.16 Fixes: 20fb5a635a0c ("drm/vmwgfx: Unpin the screen object backup buffer when not used") Signed-off-by: Deepak Rawat <drawat(a)vmware.com> Reviewed-by: Sinclair Yeh <syeh(a)vmware.com> Signed-off-by: Thomas Hellstrom <thellstrom(a)vmware.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c index 648f8127f65a..3d667e903beb 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c @@ -482,6 +482,8 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, return ret; } + vps->dmabuf_size = size; + /* * TTM already thinks the buffer is pinned, but make sure the * pin_count is upped. -- 2.14.3

7 years, 6 months

1
0
0 0

[PATCH 3/3] MIPS: Add DSP ASE regset support

by Maciej W. Rozycki

Define an NT_MIPS_DSP core file note type and implement a corresponding regset holding the DSP ASE register context, following the layout of the `mips_dsp_state' structure, except for the DSPControl register stored as a 64-bit rather than 32-bit quantity in a 64-bit note. The lack of DSP ASE register saving to core files can be considered a design flaw with commit e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE."), leading to an incomplete state being saved. Consequently no DSP ASE regset has been created with commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view."), when regset support was added to the MIPS port. Additionally there is no way for ptrace(2) to correctly access the DSP accumulator registers in n32 processes with the existing interfaces. This is due to 32-bit truncation of data passed with PTRACE_PEEKUSR and PTRACE_POKEUSR requests, which cannot be avoided owing to how the data types for ptrace(3) have been defined. This new NT_MIPS_DSP regset fills the missing interface gap. Cc: <stable(a)vger.kernel.org> # 3.13+ Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") Signed-off-by: Maciej W. Rozycki <macro(a)mips.com> --- Hi, This was verified with 32-bit DSP and non-DSP hardware configurations by dumping cores and examining, with `readelf', the notes created. In the former case DSP registers were filled with patterns by the program being crashed and the patterns verified in the core file produced. I have no 64-bit DSP hardware handy, but the same code has been used, except for the data type holding register data, for both 32-bit and 64-bit notes, so it should be obviously correct. As noted in the commit description I consider it a design flaw and therefore I think it makes sense to backport this change and propose doing so. Maciej --- arch/mips/kernel/ptrace.c | 189 ++++++++++++++++++++++++++++++++++++++++++++++ include/uapi/linux/elf.h | 1 2 files changed, 190 insertions(+) linux-mips-regset-dsp.diff Index: linux-jhogan-test/arch/mips/kernel/ptrace.c =================================================================== --- linux-jhogan-test.orig/arch/mips/kernel/ptrace.c 2018-05-09 23:26:36.787614000 +0100 +++ linux-jhogan-test/arch/mips/kernel/ptrace.c 2018-05-09 23:53:18.864657000 +0100 @@ -41,6 +41,7 @@ #include <asm/mipsmtregs.h> #include <asm/pgtable.h> #include <asm/page.h> +#include <asm/processor.h> #include <asm/syscall.h> #include <linux/uaccess.h> #include <asm/bootinfo.h> @@ -589,9 +590,179 @@ static int fpr_set(struct task_struct *t return err; } +#if defined(CONFIG_32BIT) || defined(CONFIG_MIPS32_O32) + +/* + * Copy the DSP context to the supplied 32-bit NT_MIPS_DSP buffer. + */ +static int dsp32_get(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) +{ + unsigned int start, num_regs, i; + u32 dspregs[NUM_DSP_REGS + 1]; + + BUG_ON(count % sizeof(u32)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u32); + num_regs = count / sizeof(u32); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + dspregs[i] = target->thread.dsp.dspr[i]; + break; + case NUM_DSP_REGS: + dspregs[i] = target->thread.dsp.dspcontrol; + break; + } + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); +} + +/* + * Copy the supplied 32-bit NT_MIPS_DSP buffer to the DSP context. + */ +static int dsp32_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) +{ + unsigned int start, num_regs, i; + u32 dspregs[NUM_DSP_REGS + 1]; + int err; + + BUG_ON(count % sizeof(u32)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u32); + num_regs = count / sizeof(u32); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); + if (err) + return err; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + target->thread.dsp.dspr[i] = (s32)dspregs[i]; + break; + case NUM_DSP_REGS: + target->thread.dsp.dspcontrol = (s32)dspregs[i]; + break; + } + + return 0; +} + +#endif /* CONFIG_32BIT || CONFIG_MIPS32_O32 */ + +#ifdef CONFIG_64BIT + +/* + * Copy the DSP context to the supplied 64-bit NT_MIPS_DSP buffer. + */ +static int dsp64_get(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) +{ + unsigned int start, num_regs, i; + u64 dspregs[NUM_DSP_REGS + 1]; + + BUG_ON(count % sizeof(u64)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u64); + num_regs = count / sizeof(u64); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + dspregs[i] = target->thread.dsp.dspr[i]; + break; + case NUM_DSP_REGS: + dspregs[i] = target->thread.dsp.dspcontrol; + break; + } + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); +} + +/* + * Copy the supplied 64-bit NT_MIPS_DSP buffer to the DSP context. + */ +static int dsp64_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) +{ + unsigned int start, num_regs, i; + u64 dspregs[NUM_DSP_REGS + 1]; + int err; + + BUG_ON(count % sizeof(u64)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u64); + num_regs = count / sizeof(u64); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); + if (err) + return err; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + target->thread.dsp.dspr[i] = dspregs[i]; + break; + case NUM_DSP_REGS: + target->thread.dsp.dspcontrol = dspregs[i]; + break; + } + + return 0; +} + +#endif /* CONFIG_64BIT */ + +/* + * Determine whether the DSP context is present. + */ +static int dsp_active(struct task_struct *target, + const struct user_regset *regset) +{ + return cpu_has_dsp ? NUM_DSP_REGS + 1 : -ENODEV; +} + enum mips_regset { REGSET_GPR, REGSET_FPR, + REGSET_DSP, }; struct pt_regs_offset { @@ -697,6 +868,15 @@ static const struct user_regset mips_reg .get = fpr_get, .set = fpr_set, }, + [REGSET_DSP] = { + .core_note_type = NT_MIPS_DSP, + .n = NUM_DSP_REGS + 1, + .size = sizeof(u32), + .align = sizeof(u32), + .get = dsp32_get, + .set = dsp32_set, + .active = dsp_active, + }, }; static const struct user_regset_view user_mips_view = { @@ -728,6 +908,15 @@ static const struct user_regset mips64_r .get = fpr_get, .set = fpr_set, }, + [REGSET_DSP] = { + .core_note_type = NT_MIPS_DSP, + .n = NUM_DSP_REGS + 1, + .size = sizeof(u64), + .align = sizeof(u64), + .get = dsp64_get, + .set = dsp64_set, + .active = dsp_active, + }, }; static const struct user_regset_view user_mips64_view = { Index: linux-jhogan-test/include/uapi/linux/elf.h =================================================================== --- linux-jhogan-test.orig/include/uapi/linux/elf.h 2018-05-09 23:22:44.799797000 +0100 +++ linux-jhogan-test/include/uapi/linux/elf.h 2018-05-09 23:51:32.646880000 +0100 @@ -424,6 +424,7 @@ typedef struct elf64_shdr { #define NT_METAG_RPIPE 0x501 /* Metag read pipeline state */ #define NT_METAG_TLS 0x502 /* Metag TLS pointer */ #define NT_ARC_V2 0x600 /* ARCv2 accumulator/extra registers */ +#define NT_MIPS_DSP 0x700 /* MIPS DSP ASE registers */ /* Note header in a PT_NOTE section */ typedef struct elf32_note {

7 years, 6 months

1
0
0 0

[PATCH 2/3] MIPS: Correct the 64-bit DSP accumulator register size

by Maciej W. Rozycki

Use the `unsigned long' rather than `__u32' type for DSP accumulator registers, like with the regular MIPS multiply/divide accumulator and general-purpose registers, as all are 64-bit in 64-bit implementations and using a 32-bit data type leads to contents truncation on context saving. Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing casts that are similarly not used with multiply/divide accumulator or general-purpose register accesses. Cc: stable(a)vger.kernel.org # 2.6.15+ Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") Signed-off-by: Maciej W. Rozycki <macro(a)mips.com> --- Hi, I have no 64-bit DSP hardware handy to verify this change, however some surely exists and is used to run Linux, as indicated by GDB PR gdb/22286, <https://sourceware.org/bugzilla/show_bug.cgi?id=22286>, so we better get it right before people start screaming. Maciej --- arch/mips/include/asm/processor.h | 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace32.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) linux-mips-dsp64.diff Index: linux-jhogan-test/arch/mips/include/asm/processor.h =================================================================== --- linux-jhogan-test.orig/arch/mips/include/asm/processor.h 2018-03-21 17:13:52.000000000 +0000 +++ linux-jhogan-test/arch/mips/include/asm/processor.h 2018-05-09 22:35:33.248559000 +0100 @@ -141,7 +141,7 @@ struct mips_fpu_struct { #define NUM_DSP_REGS 6 -typedef __u32 dspreg_t; +typedef unsigned long dspreg_t; struct mips_dsp_state { dspreg_t dspr[NUM_DSP_REGS]; Index: linux-jhogan-test/arch/mips/kernel/ptrace.c =================================================================== --- linux-jhogan-test.orig/arch/mips/kernel/ptrace.c 2018-05-09 22:34:00.000000000 +0100 +++ linux-jhogan-test/arch/mips/kernel/ptrace.c 2018-05-09 22:37:45.416608000 +0100 @@ -856,7 +856,7 @@ long arch_ptrace(struct task_struct *chi goto out; } dregs = __get_dsp_regs(child); - tmp = (unsigned long) (dregs[addr - DSP_BASE]); + tmp = dregs[addr - DSP_BASE]; break; } case DSP_CONTROL: Index: linux-jhogan-test/arch/mips/kernel/ptrace32.c =================================================================== --- linux-jhogan-test.orig/arch/mips/kernel/ptrace32.c 2018-03-21 17:13:52.000000000 +0000 +++ linux-jhogan-test/arch/mips/kernel/ptrace32.c 2018-05-09 22:45:50.924418000 +0100 @@ -142,7 +142,7 @@ long compat_arch_ptrace(struct task_stru goto out; } dregs = __get_dsp_regs(child); - tmp = (unsigned long) (dregs[addr - DSP_BASE]); + tmp = dregs[addr - DSP_BASE]; break; } case DSP_CONTROL:

7 years, 6 months

1
0
0 0

+ kernel-sys-fix-potential-spectre-v1.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: kernel/sys.c: fix potential Spectre v1 issue has been added to the -mm tree. Its filename is kernel-sys-fix-potential-spectre-v1.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/kernel-sys-fix-potential-spectre-v… and later at http://ozlabs.org/~akpm/mmotm/broken-out/kernel-sys-fix-potential-spectre-v… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: "Gustavo A. R. Silva" <gustavo(a)embeddedor.com> Subject: kernel/sys.c: fix potential Spectre v1 issue `resource' can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) Fix this by sanitizing *resource* before using it to index current->signal->rlim Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/sys.c | 5 +++++ 1 file changed, 5 insertions(+) diff -puN kernel/sys.c~kernel-sys-fix-potential-spectre-v1 kernel/sys.c --- a/kernel/sys.c~kernel-sys-fix-potential-spectre-v1 +++ a/kernel/sys.c @@ -69,6 +69,9 @@ #include <asm/io.h> #include <asm/unistd.h> +/* Hardening for Spectre-v1 */ +#include <linux/nospec.h> + #include "uid16.h" #ifndef SET_UNALIGN_CTL @@ -1451,6 +1454,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned if (resource >= RLIM_NLIMITS) return -EINVAL; + resource = array_index_nospec(resource, RLIM_NLIMITS); task_lock(current->group_leader); x = current->signal->rlim[resource]; task_unlock(current->group_leader); @@ -1470,6 +1474,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, un if (resource >= RLIM_NLIMITS) return -EINVAL; + resource = array_index_nospec(resource, RLIM_NLIMITS); task_lock(current->group_leader); r = current->signal->rlim[resource]; task_unlock(current->group_leader); _ Patches currently in -mm which might be from gustavo(a)embeddedor.com are kernel-sys-fix-potential-spectre-v1.patch

7 years, 6 months

1
0
0 0

[PATCH] clk:aspeed: Fix reset bits for PCI/VGA and PECI

by Jae Hyun Yoo

This commit fixes incorrect setting of reset bits for PCI/VGA and PECI modules. 1. Reset bit for PCI/VGA is 8. 2. PECI reset bit is missing so added bit 10 as its reset bit. Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo(a)linux.intel.com> Fixes: 15ed8ce5f84e ("clk: aspeed: Register gated clocks") Cc: stable <stable(a)vger.kernel.org> --- drivers/clk/clk-aspeed.c | 4 ++-- include/dt-bindings/clock/aspeed-clock.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/clk/clk-aspeed.c b/drivers/clk/clk-aspeed.c index 5eb50c31e455..2c23e7d7ba28 100644 --- a/drivers/clk/clk-aspeed.c +++ b/drivers/clk/clk-aspeed.c @@ -88,7 +88,7 @@ static const struct aspeed_gate_data aspeed_gates[] = { [ASPEED_CLK_GATE_GCLK] = { 1, 7, "gclk-gate", NULL, 0 }, /* 2D engine */ [ASPEED_CLK_GATE_MCLK] = { 2, -1, "mclk-gate", "mpll", CLK_IS_CRITICAL }, /* SDRAM */ [ASPEED_CLK_GATE_VCLK] = { 3, 6, "vclk-gate", NULL, 0 }, /* Video Capture */ - [ASPEED_CLK_GATE_BCLK] = { 4, 10, "bclk-gate", "bclk", 0 }, /* PCIe/PCI */ + [ASPEED_CLK_GATE_BCLK] = { 4, 8, "bclk-gate", "bclk", 0 }, /* PCIe/PCI */ [ASPEED_CLK_GATE_DCLK] = { 5, -1, "dclk-gate", NULL, 0 }, /* DAC */ [ASPEED_CLK_GATE_REFCLK] = { 6, -1, "refclk-gate", "clkin", CLK_IS_CRITICAL }, [ASPEED_CLK_GATE_USBPORT2CLK] = { 7, 3, "usb-port2-gate", NULL, 0 }, /* USB2.0 Host port 2 */ @@ -297,7 +297,7 @@ static const u8 aspeed_resets[] = { [ASPEED_RESET_JTAG_MASTER] = 22, [ASPEED_RESET_MIC] = 18, [ASPEED_RESET_PWM] = 9, - [ASPEED_RESET_PCIVGA] = 8, + [ASPEED_RESET_PECI] = 10, [ASPEED_RESET_I2C] = 2, [ASPEED_RESET_AHB] = 1, }; diff --git a/include/dt-bindings/clock/aspeed-clock.h b/include/dt-bindings/clock/aspeed-clock.h index d3558d897a4d..8d69b9134bef 100644 --- a/include/dt-bindings/clock/aspeed-clock.h +++ b/include/dt-bindings/clock/aspeed-clock.h @@ -45,7 +45,7 @@ #define ASPEED_RESET_JTAG_MASTER 3 #define ASPEED_RESET_MIC 4 #define ASPEED_RESET_PWM 5 -#define ASPEED_RESET_PCIVGA 6 +#define ASPEED_RESET_PECI 6 #define ASPEED_RESET_I2C 7 #define ASPEED_RESET_AHB 8 -- 2.17.0

7 years, 6 months

3
3
0 0

[PATCH v2 3/3] x86/mm: add TLB purge to free pmd/pte page interfaces

by Toshi Kani

ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates a pud / pmd map. The following preconditions are met at their entry. - All pte entries for a target pud/pmd address range have been cleared. - System-wide TLB purges have been peformed for a target pud/pmd address range. The preconditions assure that there is no stale TLB entry for the range. Speculation may not cache TLB entries since it requires all levels of page entries, including ptes, to have P & A-bits set for an associated address. However, speculation may cache pud/pmd entries (paging-structure caches) when they have P-bit set. Add a system-wide TLB purge (INVLPG) to a single page after clearing pud/pmd entry's P-bit. SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches, states that: INVLPG invalidates all paging-structure caches associated with the current PCID regardless of the liner addresses to which they correspond. Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: <stable(a)vger.kernel.org> --- arch/x86/mm/pgtable.c | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index f60fdf411103..7e96594c7e97 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -721,24 +721,42 @@ int pmd_clear_huge(pmd_t *pmd) * @pud: Pointer to a PUD. * @addr: Virtual address associated with pud. * - * Context: The pud range has been unmaped and TLB purged. + * Context: The pud range has been unmapped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ int pud_free_pmd_page(pud_t *pud, unsigned long addr) { - pmd_t *pmd; + pmd_t *pmd, *pmd_sv; + pte_t *pte; int i; if (pud_none(*pud)) return 1; pmd = (pmd_t *)pud_page_vaddr(*pud); + pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL); + if (!pmd_sv) + return 0; - for (i = 0; i < PTRS_PER_PMD; i++) - if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) - return 0; + for (i = 0; i < PTRS_PER_PMD; i++) { + pmd_sv[i] = pmd[i]; + if (!pmd_none(pmd[i])) + pmd_clear(&pmd[i]); + } pud_clear(pud); + + /* INVLPG to clear all paging-structure caches */ + flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + + for (i = 0; i < PTRS_PER_PMD; i++) { + if (!pmd_none(pmd_sv[i])) { + pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]); + free_page((unsigned long)pte); + } + } + + free_page((unsigned long)pmd_sv); free_page((unsigned long)pmd); return 1; @@ -749,7 +767,7 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr) * @pmd: Pointer to a PMD. * @addr: Virtual address associated with pmd. * - * Context: The pmd range has been unmaped and TLB purged. + * Context: The pmd range has been unmapped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) @@ -761,6 +779,10 @@ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) pte = (pte_t *)pmd_page_vaddr(*pmd); pmd_clear(pmd); + + /* INVLPG to clear all paging-structure caches */ + flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + free_page((unsigned long)pte); return 1;

7 years, 6 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror