1. 17 Jan, 2018 1 commit
    • x86/intel_rdt/cqm: Prevent use after free · d4792441
      Thomas Gleixner committed
      intel_rdt_offline_cpu() -> domain_remove_cpu() frees memory first and then
      proceeds accessing it.
      
       BUG: KASAN: use-after-free in find_first_bit+0x1f/0x80
       Read of size 8 at addr ffff883ff7c1e780 by task cpuhp/31/195
       find_first_bit+0x1f/0x80
       has_busy_rmid+0x47/0x70
       intel_rdt_offline_cpu+0x4b4/0x510
      
       Freed by task 195:
       kfree+0x94/0x1a0
       intel_rdt_offline_cpu+0x17d/0x510
      
      Do the teardown first and then free memory.
      
      Fixes: 24247aee ("x86/intel_rdt/cqm: Improve limbo list processing")
      Reported-by: Joseph Salisbury <joseph.salisbury@canonical.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ravi Shankar <ravi.v.shankar@intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Vikas Shivappa <vikas.shivappa@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: "Roderick W. Smith" <rod.smith@canonical.com>
      Cc: 1733662@bugs.launchpad.net
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801161957510.2366@nanos
  2. 16 Jan, 2018 5 commits
  3. 15 Jan, 2018 1 commit
  4. 14 Jan, 2018 5 commits
  5. 13 Jan, 2018 1 commit
    • kdump: Write the correct address of mem_section into vmcoreinfo · 9f15b912
      Kirill A. Shutemov committed
      Depending on configuration mem_section can now be an array or a pointer
      to an array allocated dynamically. In most cases, we can continue to refer
      to it as 'mem_section' regardless of what it is.
      
      But there's one exception: '&mem_section' means "address of the array" if
      mem_section is an array, but if mem_section is a pointer, it would mean
      "address of the pointer".
      
      We've stepped onto this in the kdump code: VMCOREINFO_SYMBOL(mem_section)
      writes down the address of pointer into vmcoreinfo, not the array as we wanted,
      breaking kdump.
      
      Let's introduce VMCOREINFO_SYMBOL_ARRAY() that would handle the
      situation correctly for both cases.
      
      Mike Galbraith <efault@gmx.de>
      Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: Baoquan He <bhe@redhat.com>
      Acked-by: Dave Young <dyoung@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vivek Goyal <vgoyal@redhat.com>
      Cc: kexec@lists.infradead.org
      Cc: linux-mm@kvack.org
      Cc: stable@vger.kernel.org
      Fixes: 83e3c487 ("mm/sparsemem: Allocate mem_section at runtime for CONFIG_SPARSEMEM_EXTREME=y")
      Link: http://lkml.kernel.org/r/20180112162532.35896-1-kirill.shutemov@linux.intel.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  6. 09 Jan, 2018 1 commit
  7. 06 Jan, 2018 10 commits
    • x86/microcode/intel: Extend BDW late-loading with a revision check · b94b7373
      Jia Zhang committed
      Instead of blacklisting all model 79 CPUs when attempting a late
      microcode loading, limit that only to CPUs with microcode revisions <
      0x0b000021 because only on those late loading may cause a system hang.
      
      For such processors either:
      
      a) a BIOS update which might contain a newer microcode revision
      
      or
      
      b) the early microcode loading method
      
      should be considered.
      
      Processors with revisions 0x0b000021 or higher will not experience such
      hangs.
      
      For more details, see erratum BDF90 in document #334165 (Intel Xeon
      Processor E7-8800/4800 v4 Product Family Specification Update) from
      September 2017.
      
      [ bp: Heavily massage commit message and pr_* statements. ]
      
      Fixes: 723f2828 ("x86/microcode/intel: Disable late loading on model 79")
      Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Tony Luck <tony.luck@intel.com>
      Cc: x86-ml <x86@kernel.org>
      Cc: <stable@vger.kernel.org> # v4.14
      Link: http://lkml.kernel.org/r/1514772287-92959-1-git-send-email-qianyue.zj@alibaba-inc.com
    • Merge tag 'for-4.15-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 89876f27
      Linus Torvalds committed
      Pull btrfs fixes from David Sterba:
       "We have two more fixes for 4.15, both aimed for stable.
      
        The leak fix is obvious, the second patch fixes a bug revealed by the
        refcount API, when it behaves differently than previous atomic_t and
        reports refs going from 0 to 1 in one case"
      
      * tag 'for-4.15-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix refcount_t usage when deleting btrfs_delayed_nodes
        btrfs: Fix flush bio leak
    • Merge tag 'xfs-4.15-fixes-10' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 12e971b6
      Linus Torvalds committed
      Pull XFS fixes from Darrick Wong:
       "I have just a few fixes for bugs and resource cleanup problems this
        week:
      
         - Fix resource cleanup of failed quota initialization
      
         - Fix integer overflow problems wrt s_maxbytes"
      
      * tag 'xfs-4.15-fixes-10' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: fix s_maxbytes overflow problems
        xfs: quota: check result of register_shrinker()
        xfs: quota: fix missed destroy of qi_tree_lock
    • Merge tag 'mfd-fixes-4.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd · f842839c
      Linus Torvalds committed
      Pull MFD fix from Lee Jones:
       "Late bugfix to plug a leak in rtsx_pcr"
      
      * tag 'mfd-fixes-4.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
        mfd: rtsx: Release IRQ during shutdown
    • Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · abb7099d
      Linus Torvalds committed
      Pull more x86 pti fixes from Thomas Gleixner:
       "Another small stash of fixes for fallout from the PTI work:
      
         - Fix the modules vs. KASAN breakage which was caused by making
           MODULES_END depend on the fixmap size. That was done when the cpu
           entry area moved into the fixmap, but now that we have a separate
           map space for that this is causing more issues than it solves.
      
         - Use the proper cache flush methods for the debugstore buffers as
           they are mapped/unmapped during runtime and not statically mapped
           at boot time like the rest of the cpu entry area.
      
         - Make the map layout of the cpu_entry_area consistent for 4 and 5
           level paging and fix the KASLR vaddr_end wreckage.
      
         - Use PER_CPU_EXPORT for per cpu variable and while at it unbreak
           nvidia gfx drivers by dropping the GPL export. The subject line of
           the commit tells it the other way around, but I noticed that too
           late.
      
         - Fix the ASM alternative macros so they can be used in the middle of
           an inline asm block.
      
         - Rename the BUG_CPU_INSECURE flag to BUG_CPU_MELTDOWN so the attack
           vector is properly identified. The Spectre mitigations will come
           with their own bug bits later"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
        x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
        x86/tlb: Drop the _GPL from the cpu_tlbstate export
        x86/events/intel/ds: Use the proper cache flush method for mapping ds buffers
        x86/kaslr: Fix the vaddr_end mess
        x86/mm: Map cpu_entry_area at the same place on 4/5 level
        x86/mm: Set MODULES_END to 0xffffffffff000000
    • Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b03acc4c
      Linus Torvalds committed
      Pull EFI updates from Thomas Gleixner:
      
       - A fix for an add_efi_memmap parameter regression which ensures that
         the parameter is parsed before it is used.
      
       - Reinstate the virtual capsule mapping as the cached copy turned out
         to break Quark and other things
      
       - Remove Matt Fleming as EFI co-maintainer. He stepped back a few days
         ago. Thanks Matt for all your great work!
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        MAINTAINERS: Remove Matt Fleming as EFI co-maintainer
        efi/capsule-loader: Reinstate virtual capsule mapping
        x86/efi: Fix kernel param add_efi_memmap regression
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 3eac6903
      Linus Torvalds committed
      Pull s390 fixes from Martin Schwidefsky:
       "Four bug fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/dasd: fix wrongly assigned configuration data
        s390: fix preemption race in disable_sacf_uaccess
        s390/sclp: disable FORTIFY_SOURCE for early sclp code
        s390/pci: handle insufficient resources during dma tlb flush
    • Merge tag 'for-linus-4.15-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 925cbd7e
      Linus Torvalds committed
      Pull xen fix from Juergen Gross:
       "One minor fix adjusting the kmalloc flags in the new pvcalls driver
        added in rc1"
      
      * tag 'for-linus-4.15-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/pvcalls: use GFP_ATOMIC under spin lock
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 64648a5f
      Linus Torvalds committed
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - racy use of ctx->rcvused in af_alg
      
         - algif_aead crash in chacha20poly1305
      
         - freeing bogus pointer in pcrypt
      
         - build error on MIPS in mpi
      
         - memory leak in inside-secure
      
         - memory overwrite in inside-secure
      
         - NULL pointer dereference in inside-secure
      
         - state corruption in inside-secure
      
         - build error without CRYPTO_GF128MUL in chelsio
      
         - use after free in n2"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: inside-secure - do not use areq->result for partial results
        crypto: inside-secure - fix request allocations in invalidation path
        crypto: inside-secure - free requests even if their handling failed
        crypto: inside-secure - per request invalidation
        lib/mpi: Fix umul_ppmm() for MIPS64r6
        crypto: pcrypt - fix freeing pcrypt instances
        crypto: n2 - cure use after free
        crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t
        crypto: chacha20poly1305 - validate the digest size
        crypto: chelsio - select CRYPTO_GF128MUL
    • Merge branch 'akpm' (patches from Andrew) · d8887f1c
      Linus Torvalds committed
      Merge misc fixes from Andrew Morton:
       "9 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mailmap: update Mark Yao's email address
        userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails
        mm/sparse.c: wrong allocation for mem_section
        mm/zsmalloc.c: include fs.h
        mm/debug.c: provide useful debugging information for VM_BUG
        kernel/exit.c: export abort() to modules
        mm/mprotect: add a cond_resched() inside change_pmd_range()
        kernel/acct.c: fix the acct->needcheck check in check_free_space()
        mm: check pfn_valid first in zero_resv_unavail
  8. 05 Jan, 2018 16 commits