1. 10 11月, 2019 11 次提交
  2. 06 11月, 2019 19 次提交
  3. 29 10月, 2019 10 次提交
    • S
      x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu · 4dedaa73
      Sean Christopherson 提交于
      commit 7a22e03b0c02988e91003c505b34d752a51de344 upstream.
      
      Check that the per-cpu cluster mask pointer has been set prior to
      clearing a dying cpu's bit.  The per-cpu pointer is not set until the
      target cpu reaches smp_callin() during CPUHP_BRINGUP_CPU, whereas the
      teardown function, x2apic_dead_cpu(), is associated with the earlier
      CPUHP_X2APIC_PREPARE.  If an error occurs before the cpu is awakened,
      e.g. if do_boot_cpu() itself fails, x2apic_dead_cpu() will dereference
      the NULL pointer and cause a panic.
      
        smpboot: do_boot_cpu failed(-22) to wakeup CPU#1
        BUG: kernel NULL pointer dereference, address: 0000000000000008
        RIP: 0010:x2apic_dead_cpu+0x1a/0x30
        Call Trace:
         cpuhp_invoke_callback+0x9a/0x580
         _cpu_up+0x10d/0x140
         do_cpu_up+0x69/0xb0
         smp_init+0x63/0xa9
         kernel_init_freeable+0xd7/0x229
         ? rest_init+0xa0/0xa0
         kernel_init+0xa/0x100
         ret_from_fork+0x35/0x40
      
      Fixes: 023a6117 ("x86/apic/x2apic: Simplify cluster management")
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20191001205019.5789-1-sean.j.christopherson@intel.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4dedaa73
    • S
      x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area · 17099172
      Steve Wahl 提交于
      commit 2aa85f246c181b1fa89f27e8e20c5636426be624 upstream.
      
      Our hardware (UV aka Superdome Flex) has address ranges marked
      reserved by the BIOS. Access to these ranges is caught as an error,
      causing the BIOS to halt the system.
      
      Initial page tables mapped a large range of physical addresses that
      were not checked against the list of BIOS reserved addresses, and
      sometimes included reserved addresses in part of the mapped range.
      Including the reserved range in the map allowed processor speculative
      accesses to the reserved range, triggering a BIOS halt.
      
      Used early in booting, the page table level2_kernel_pgt addresses 1
      GiB divided into 2 MiB pages, and it was set up to linearly map a full
       1 GiB of physical addresses that included the physical address range
      of the kernel image, as chosen by KASLR.  But this also included a
      large range of unused addresses on either side of the kernel image.
      And unlike the kernel image's physical address range, this extra
      mapped space was not checked against the BIOS tables of usable RAM
      addresses.  So there were times when the addresses chosen by KASLR
      would result in processor accessible mappings of BIOS reserved
      physical addresses.
      
      The kernel code did not directly access any of this extra mapped
      space, but having it mapped allowed the processor to issue speculative
      accesses into reserved memory, causing system halts.
      
      This was encountered somewhat rarely on a normal system boot, and much
      more often when starting the crash kernel if "crashkernel=512M,high"
      was specified on the command line (this heavily restricts the physical
      address of the crash kernel, in our case usually within 1 GiB of
      reserved space).
      
      The solution is to invalidate the pages of this table outside the kernel
      image's space before the page table is activated. It fixes this problem
      on our hardware.
      
       [ bp: Touchups. ]
      Signed-off-by: NSteve Wahl <steve.wahl@hpe.com>
      Signed-off-by: NBorislav Petkov <bp@suse.de>
      Acked-by: NDave Hansen <dave.hansen@linux.intel.com>
      Acked-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Baoquan He <bhe@redhat.com>
      Cc: Brijesh Singh <brijesh.singh@amd.com>
      Cc: dimitri.sivanich@hpe.com
      Cc: Feng Tang <feng.tang@intel.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Jordan Borgner <mail@jordan-borgner.de>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: mike.travis@hpe.com
      Cc: russ.anderson@hpe.com
      Cc: stable@vger.kernel.org
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Cc: Zhenzhong Duan <zhenzhong.duan@oracle.com>
      Link: https://lkml.kernel.org/r/9c011ee51b081534a7a15065b1681d200298b530.1569358539.git.steve.wahl@hpe.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17099172
    • M
      arm64: Enable workaround for Cavium TX2 erratum 219 when running SMT · 42927455
      Marc Zyngier 提交于
      commit 93916beb70143c46bf1d2bacf814be3a124b253b upstream.
      
      It appears that the only case where we need to apply the TX2_219_TVM
      mitigation is when the core is in SMT mode. So let's condition the
      enabling on detecting a CPU whose MPIDR_EL1.Aff0 is non-zero.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NWill Deacon <will@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42927455
    • H
      parisc: Fix vmap memory leak in ioremap()/iounmap() · ca65fe21
      Helge Deller 提交于
      commit 513f7f747e1cba81f28a436911fba0b485878ebd upstream.
      
      Sven noticed that calling ioremap() and iounmap() multiple times leads
      to a vmap memory leak:
      	vmap allocation for size 4198400 failed:
      	use vmalloc=<size> to increase size
      
      It seems we missed calling vunmap() in iounmap().
      Signed-off-by: NHelge Deller <deller@gmx.de>
      Noticed-by: NSven Schnelle <svens@stackframe.org>
      Cc: <stable@vger.kernel.org> # v3.16+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca65fe21
    • M
      xtensa: drop EXPORT_SYMBOL for outs*/ins* · 19e2ed7b
      Max Filippov 提交于
      commit 8b39da985194aac2998dd9e3a22d00b596cebf1e upstream.
      
      Custom outs*/ins* implementations are long gone from the xtensa port,
      remove matching EXPORT_SYMBOLs.
      This fixes the following build warnings issued by modpost since commit
      15bfc2348d54 ("modpost: check for static EXPORT_SYMBOL* functions"):
      
        WARNING: "insb" [vmlinux] is a static EXPORT_SYMBOL
        WARNING: "insw" [vmlinux] is a static EXPORT_SYMBOL
        WARNING: "insl" [vmlinux] is a static EXPORT_SYMBOL
        WARNING: "outsb" [vmlinux] is a static EXPORT_SYMBOL
        WARNING: "outsw" [vmlinux] is a static EXPORT_SYMBOL
        WARNING: "outsl" [vmlinux] is a static EXPORT_SYMBOL
      
      Cc: stable@vger.kernel.org
      Fixes: d38efc1f ("xtensa: adopt generic io routines")
      Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19e2ed7b
    • P
      MIPS: tlbex: Fix build_restore_pagemask KScratch restore · 4034a503
      Paul Burton 提交于
      commit b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 upstream.
      
      build_restore_pagemask() will restore the value of register $1/$at when
      its restore_scratch argument is non-zero, and aims to do so by filling a
      branch delay slot. Commit 0b24cae4d535 ("MIPS: Add missing EHB in mtc0
      -> mfc0 sequence.") added an EHB instruction (Execution Hazard Barrier)
      prior to restoring $1 from a KScratch register, in order to resolve a
      hazard that can result in stale values of the KScratch register being
      observed. In particular, P-class CPUs from MIPS with out of order
      execution pipelines such as the P5600 & P6600 are affected.
      
      Unfortunately this EHB instruction was inserted in the branch delay slot
      causing the MFC0 instruction which performs the restoration to no longer
      execute along with the branch. The result is that the $1 register isn't
      actually restored, ie. the TLB refill exception handler clobbers it -
      which is exactly the problem the EHB is meant to avoid for the P-class
      CPUs.
      
      Similarly build_get_pgd_vmalloc() will restore the value of $1/$at when
      its mode argument equals refill_scratch, and suffers from the same
      problem.
      
      Fix this by in both cases moving the EHB earlier in the emitted code.
      There's no reason it needs to immediately precede the MFC0 - it simply
      needs to be between the MTC0 & MFC0.
      
      This bug only affects Cavium Octeon systems which use
      build_fast_tlb_refill_handler().
      Signed-off-by: NPaul Burton <paulburton@kernel.org>
      Fixes: 0b24cae4d535 ("MIPS: Add missing EHB in mtc0 -> mfc0 sequence.")
      Cc: Dmitry Korotin <dkorotin@wavecomp.com>
      Cc: stable@vger.kernel.org # v3.15+
      Cc: linux-mips@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4034a503
    • C
      mips: Loongson: Fix the link time qualifier of 'serial_exit()' · db1e664e
      Christophe JAILLET 提交于
      [ Upstream commit 25b69a889b638b0b7e51e2c4fe717a66bec0e566 ]
      
      'exit' functions should be marked as __exit, not __init.
      
      Fixes: 85cc0288 ("mips: make loongsoon serial driver explicitly modular")
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: chenhc@lemote.com
      Cc: ralf@linux-mips.org
      Cc: jhogan@kernel.org
      Cc: linux-mips@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: kernel-janitors@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      db1e664e
    • R
      xen/efi: Set nonblocking callbacks · 90a886b6
      Ross Lagerwall 提交于
      [ Upstream commit df359f0d09dc029829b66322707a2f558cb720f7 ]
      
      Other parts of the kernel expect these nonblocking EFI callbacks to
      exist and crash when running under Xen. Since the implementations of
      xen_efi_set_variable() and xen_efi_query_variable_info() do not take any
      locks, use them for the nonblocking callbacks too.
      Signed-off-by: NRoss Lagerwall <ross.lagerwall@citrix.com>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      90a886b6
    • O
      MIPS: dts: ar9331: fix interrupt-controller size · 5d880444
      Oleksij Rempel 提交于
      [ Upstream commit 0889d07f3e4b171c453b2aaf2b257f9074cdf624 ]
      
      It is two registers each of 4 byte.
      Signed-off-by: NOleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: devicetree@vger.kernel.org
      Cc: linux-mips@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5d880444
    • P
      ARM: dts: am4372: Set memory bandwidth limit for DISPC · 1cd24f5e
      Peter Ujfalusi 提交于
      [ Upstream commit f90ec6cdf674248dcad85bf9af6e064bf472b841 ]
      
      Set memory bandwidth limit to filter out resolutions above 720p@60Hz to
      avoid underflow errors due to the bandwidth needs of higher resolutions.
      
      am43xx can not provide enough bandwidth to DISPC to correctly handle
      'high' resolutions.
      Signed-off-by: NPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: NTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1cd24f5e