1. 03 11月, 2014 29 次提交
  2. 02 11月, 2014 7 次提交
    • P
      KVM: vmx: defer load of APIC access page address during reset · a73896cb
      Paolo Bonzini 提交于
      Most call paths to vmx_vcpu_reset do not hold the SRCU lock.  Defer loading
      the APIC access page to the next vmentry.
      
      This avoids the following lockdep splat:
      
      [ INFO: suspicious RCU usage. ]
      3.18.0-rc2-test2+ #70 Not tainted
      -------------------------------
      include/linux/kvm_host.h:474 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 1, debug_locks = 0
      1 lock held by qemu-system-x86/2371:
       #0:  (&vcpu->mutex){+.+...}, at: [<ffffffffa037d800>] vcpu_load+0x20/0xd0 [kvm]
      
      stack backtrace:
      CPU: 4 PID: 2371 Comm: qemu-system-x86 Not tainted 3.18.0-rc2-test2+ #70
      Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A12 01/10/2013
       0000000000000001 ffff880209983ca8 ffffffff816f514f 0000000000000000
       ffff8802099b8990 ffff880209983cd8 ffffffff810bd687 00000000000fee00
       ffff880208a2c000 ffff880208a10000 ffff88020ef50040 ffff880209983d08
      Call Trace:
       [<ffffffff816f514f>] dump_stack+0x4e/0x71
       [<ffffffff810bd687>] lockdep_rcu_suspicious+0xe7/0x120
       [<ffffffffa037d055>] gfn_to_memslot+0xd5/0xe0 [kvm]
       [<ffffffffa03807d3>] __gfn_to_pfn+0x33/0x60 [kvm]
       [<ffffffffa0380885>] gfn_to_page+0x25/0x90 [kvm]
       [<ffffffffa038aeec>] kvm_vcpu_reload_apic_access_page+0x3c/0x80 [kvm]
       [<ffffffffa08f0a9c>] vmx_vcpu_reset+0x20c/0x460 [kvm_intel]
       [<ffffffffa039ab8e>] kvm_vcpu_reset+0x15e/0x1b0 [kvm]
       [<ffffffffa039ac0c>] kvm_arch_vcpu_setup+0x2c/0x50 [kvm]
       [<ffffffffa037f7e0>] kvm_vm_ioctl+0x1d0/0x780 [kvm]
       [<ffffffff810bc664>] ? __lock_is_held+0x54/0x80
       [<ffffffff812231f0>] do_vfs_ioctl+0x300/0x520
       [<ffffffff8122ee45>] ? __fget+0x5/0x250
       [<ffffffff8122f0fa>] ? __fget_light+0x2a/0xe0
       [<ffffffff81223491>] SyS_ioctl+0x81/0xa0
       [<ffffffff816fed6d>] system_call_fastpath+0x16/0x1b
      Reported-by: NTakashi Iwai <tiwai@suse.de>
      Reported-by: NAlexei Starovoitov <alexei.starovoitov@gmail.com>
      Reviewed-by: NWanpeng Li <wanpeng.li@linux.intel.com>
      Tested-by: NWanpeng Li <wanpeng.li@linux.intel.com>
      Fixes: 38b99173Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      a73896cb
    • J
      KVM: nVMX: Disable preemption while reading from shadow VMCS · 282da870
      Jan Kiszka 提交于
      In order to access the shadow VMCS, we need to load it. At this point,
      vmx->loaded_vmcs->vmcs and the actually loaded one start to differ. If
      we now get preempted by Linux, vmx_vcpu_put and, on return, the
      vmx_vcpu_load will work against the wrong vmcs. That can cause
      copy_shadow_to_vmcs12 to corrupt the vmcs12 state.
      
      Fix the issue by disabling preemption during the copy operation.
      copy_vmcs12_to_shadow is safe from this issue as it is executed by
      vmx_vcpu_run when preemption is already disabled before vmentry.
      
      This bug is exposed by running Jailhouse within KVM on CPUs with
      shadow VMCS support.  Jailhouse never expects an interrupt pending
      vmexit, but the bug can cause it if, after copy_shadow_to_vmcs12
      is preempted, the active VMCS happens to have the virtual interrupt
      pending flag set in the CPU-based execution controls.
      Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      282da870
    • N
      KVM: x86: Fix far-jump to non-canonical check · 7e46dddd
      Nadav Amit 提交于
      Commit d1442d85 ("KVM: x86: Handle errors when RIP is set during far
      jumps") introduced a bug that caused the fix to be incomplete.  Due to
      incorrect evaluation, far jump to segment with L bit cleared (i.e., 32-bit
      segment) and RIP with any of the high bits set (i.e, RIP[63:32] != 0) set may
      not trigger #GP.  As we know, this imposes a security problem.
      
      In addition, the condition for two warnings was incorrect.
      
      Fixes: d1442d85Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NNadav Amit <namit@cs.technion.ac.il>
      [Add #ifdef CONFIG_X86_64 to avoid complaints of undefined behavior. - Paolo]
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      7e46dddd
    • D
      Merge branch 'vmwgfx-fixes-3.18' of git://people.freedesktop.org/~thomash/linux · 10a8fce8
      Dave Airlie 提交于
      A critical 3.18 regression fix from Rob, (thanks!)
      A fix to avoid advertizing modes we can't support from Sinclair
        (welcome Sinclair!)
      and a fix for an incorrect  hash key computation from me that is
        completely harmless, but can wait 'til the next merge window if necessary.
        (I can't really bother stable with this one).
      
      * 'vmwgfx-fixes-3.18' of git://people.freedesktop.org/~thomash/linux:
        drm/vmwgfx: Filter out modes those cannot be supported by the current VRAM size.
        drm/vmwgfx: Fix hash key computation
        drm/vmwgfx: fix lock breakage
      10a8fce8
    • L
      Merge tag 'staging-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 12d7aaca
      Linus Torvalds 提交于
      Pull staging fixes from Greg KH:
       "Here are some staging driver fixes for 3.18-rc3.  Mostly iio and
        comedi driver fixes for issues reported by people.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: comedi: fix memory leak / bad pointer freeing for chanlist
        staging: comedi: Kconfig: fix config COMEDI_ADDI_APCI_3120 dependants
        staging: comedi: widen subdevice number argument in ioctl handlers
        staging: rtl8723au: Fix alignment of mac_addr for ether_addr_copy() usage
        drivers/staging/comedi/Kconfig: Let COMEDI_II_PCI20KC depend on HAS_IOMEM
        staging: comedi: (regression) channel list must be set for COMEDI_CMD ioctl
        iio: adc: mxs-lradc: Disable the clock on probe failure
        iio: st_sensors: Fix buffer copy
        staging:iio:ad5933: Drop "raw" from channel names
        staging:iio:ad5933: Fix NULL pointer deref when enabling buffer
      12d7aaca
    • L
      Merge tag 'usb-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 528a506e
      Linus Torvalds 提交于
      Pull USB fixes from Greg KH:
       "Here are a bunch of USB fixes for 3.18-rc3.
      
        Mostly usb-serial device ids and gadget fixes for issues that have
        been reported.  Full details are in the shortlog.
      
        All of these have been in linux-next for a while"
      
      * tag 'usb-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (42 commits)
        usb: chipidea: Fix oops when removing the ci_hdrc module
        usb: gadget: function: Fixed the return value on error path
        usb: dwc2: gadget: disable phy before turning off power regulators
        usb: gadget: function: Remove redundant usb_free_all_descriptors
        usb: dwc3: gadget: Properly initialize LINK TRB
        usb: dwc2: gadget: fix gadget unregistration in udc_stop() function
        usb: dwc2: Bits in bitfield should add up to 32
        usb: dwc2: gadget: sparse warning of context imbalance
        usb: gadget: udc: core: fix kernel oops with soft-connect
        usb: musb: musb_dsps: fix NULL pointer in suspend
        usb: musb: dsps: start OTG timer on resume again
        usb: gadget: loopback: don't queue requests to bogus endpoints
        usb: ffs: fix regression when quirk_ep_out_aligned_size flag is set
        usb: gadget: f_fs: remove redundant ffs_data_get()
        usb: gadget: udc: USB_GADGET_XILINX should depend on HAS_DMA
        Revert "usb: dwc3: dwc3-omap: Disable/Enable only wrapper interrupts in prepare/complete"
        usb: gadget: composite: enable BESL support
        usb: musb: cppi41: restart hrtimer only if not yet done
        usb: dwc3: ep0: fix Data Phase for transfer sizes aligned to wMaxPacketSize
        usb: serial: ftdi_sio: add "bricked" FTDI device PID
        ...
      528a506e
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 4f4274af
      Linus Torvalds 提交于
      Pull btrfs fixes from Chris Mason:
       "Filipe is nailing down some problems with our skinny extent variation,
        and Dave's patch fixes endian problems in the new super block checks"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: fix race that makes btrfs_lookup_extent_info miss skinny extent items
        Btrfs: properly clean up btrfs_end_io_wq_cache
        Btrfs: fix invalid leaf slot access in btrfs_lookup_extent()
        btrfs: use macro accessors in superblock validation checks
      4f4274af
  3. 01 11月, 2014 4 次提交
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 9f935675
      Linus Torvalds 提交于
      Pull input updates from Dmitry Torokhov:
       "A bunch of fixes for minor defects reported by Coverity, a few driver
        fixups and revert of i8042.nomux change so that we are once again
        enable active MUX mode if box claims to support it"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Revert "Input: i8042 - disable active multiplexing by default"
        Input: altera_ps2 - use correct type for irq return value
        Input: altera_ps2 - write to correct register when disabling interrupts
        Input: max77693-haptic - fix potential overflow
        Input: psmouse - remove unneeded check in psmouse_reconnect()
        Input: vsxxxaa - fix code dropping bytes from queue
        Input: ims-pcu - fix dead code in ims_pcu_ofn_reg_addr_store()
        Input: opencores-kbd - fix error handling
        Input: wm97xx - adapt parameters to tosa touchscreen.
        Input: i8042 - quirks for Fujitsu Lifebook A544 and Lifebook AH544
        Input: stmpe-keypad - fix valid key line bitmask
        Input: soc_button_array - update calls to gpiod_get*()
      9f935675
    • L
      Merge tag 'pm+acpi-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · ab01f963
      Linus Torvalds 提交于
      Pull ACPI and power management fixes from Rafael Wysocki:
       "These are fixes received after my previous pull request plus one that
        has been in the works for quite a while, but its previous version
        caused problems to happen, so it's been deferred till now.
      
        Fixed are two recent regressions (MFD enumeration and cpufreq-dt),
        ACPI EC regression introduced in 3.17, system suspend error code path
        regression introduced in 3.15, an older bug related to recovery from
        failing resume from hibernation and a cpufreq-dt driver issue related
        to operation performance points.
      
        Specifics:
      
         - Fix a crash on r8a7791/koelsch during resume from system suspend
           caused by a recent cpufreq-dt commit (Geert Uytterhoeven).
      
         - Fix an MFD enumeration problem introduced by a recent commit adding
           ACPI support to the MFD subsystem that exposed a weakness in the
           ACPI core causing ACPI enumeration to be applied to all devices
           associated with one ACPI companion object, although it should be
           used for one of them only (Mika Westerberg).
      
         - Fix an ACPI EC regression introduced during the 3.17 cycle causing
           some Samsung laptops to misbehave as a result of a workaround
           targeted at some Acer machines.  That includes a revert of a commit
           that went too far and a quirk for the Acer machines in question.
           From Lv Zheng.
      
         - Fix a regression in the system suspend error code path introduced
           during the 3.15 cycle that causes it to fail to take errors from
           asychronous execution of "late" suspend callbacks into account
           (Imre Deak).
      
         - Fix a long-standing bug in the hibernation resume error code path
           that fails to roll back everything correcty on "freeze" callback
           errors and leaves some devices in a "suspended" state causing more
           breakage to happen subsequently (Imre Deak).
      
         - Make the cpufreq-dt driver disable operation performance points
           that are not supported by the VR connected to the CPU voltage plane
           with acceptable tolerance instead of constantly failing voltage
           scaling later on (Lucas Stach)"
      
      * tag 'pm+acpi-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / EC: Fix regression due to conflicting firmware behavior between Samsung and Acer.
        Revert "ACPI / EC: Add support to disallow QR_EC to be issued before completing previous QR_EC"
        cpufreq: cpufreq-dt: Restore default cpumask_setall(policy->cpus)
        PM / Sleep: fix recovery during resuming from hibernation
        PM / Sleep: fix async suspend_late/freeze_late error handling
        ACPI: Use ACPI companion to match only the first physical device
        cpufreq: cpufreq-dt: disable unsupported OPPs
      ab01f963
    • L
      Merge tag 'pci-v3.18-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 08da742e
      Linus Torvalds 提交于
      Pull PCI fixes from Bjorn Helgaas:
       "These changes, intended for v3.18, fix:
      
        Sysfs
          - Fix "enable" filename change (Greg Kroah-Hartman)
      
            An unintentional sysfs filename change in commit 5136b2da
            ("PCI: convert bus code to use dev_groups"), which appeared in
            v3.13, changed "enable" to "enabled", and this changes it back.
      
            Old users of "enable" are currently broken and will be helped by
            this change.  Anything that started to use "enabled" after v3.13
            will be broken by this change.  If necessary, we can add a symlink
            to make both work, but this patch doesn't do that.
      
        PCI device hotplug
          - Revert duplicate merge (Kamal Mostafa)
      
            A mistaken duplicate merge that added a check twice.  Nothing's
            broken; this just removes the unnecessary code.
      
        Freescale i.MX6
          - Wait for clocks to stabilize after ref_en (Richard Zhu)
      
            An i.MX6 clock problem that prevents mx6 nitrogen boards from booting"
      
      * tag 'pci-v3.18-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: Rename sysfs 'enabled' file back to 'enable'
        PCI: imx6: Wait for clocks to stabilize after ref_en
        Revert duplicate "PCI: pciehp: Prevent NULL dereference during probe"
      08da742e
    • A
      x86_64, entry: Fix out of bounds read on sysenter · 653bc77a
      Andy Lutomirski 提交于
      Rusty noticed a Really Bad Bug (tm) in my NT fix.  The entry code
      reads out of bounds, causing the NT fix to be unreliable.  But, and
      this is much, much worse, if your stack is somehow just below the
      top of the direct map (or a hole), you read out of bounds and crash.
      
      Excerpt from the crash:
      
      [    1.129513] RSP: 0018:ffff88001da4bf88  EFLAGS: 00010296
      
        2b:*    f7 84 24 90 00 00 00     testl  $0x4000,0x90(%rsp)
      
      That read is deterministically above the top of the stack.  I
      thought I even single-stepped through this code when I wrote it to
      check the offset, but I clearly screwed it up.
      
      Fixes: 8c7aa698 ("x86_64, entry: Filter RFLAGS.NT on entry from userspace")
      Reported-by: NRusty Russell <rusty@ozlabs.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      653bc77a