1. 30 Jan 2017, 1 commit
    • x86/microcode: Do not access the initrd after it has been freed · 24c25032
      Committed by Borislav Petkov
      When we look for microcode blobs, we first try builtin and if that
      doesn't succeed, we fallback to the initrd supplied to the kernel.
      
      However, at some point during boot, that initrd gets jettisoned and we
      shouldn't access it anymore. But we do, as the below KASAN report shows.
      That's because find_microcode_in_initrd() doesn't check whether the
      initrd is still valid or not.
      
      So do that.
      
        ==================================================================
        BUG: KASAN: use-after-free in find_cpio_data
        Read of size 1 by task swapper/1/0
        page:ffffea0000db9d40 count:0 mapcount:0 mapping:          (null) index:0x1
        flags: 0x100000000000000()
        raw: 0100000000000000 0000000000000000 0000000000000001 00000000ffffffff
        raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
        page dumped because: kasan: bad access detected
        CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.10.0-rc5-debug-00075-g2dbde22 #3
        Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 1.2.3 12/01/2016
        Call Trace:
         dump_stack
         ? _atomic_dec_and_lock
         ? __dump_page
         kasan_report_error
         ? pointer
         ? find_cpio_data
         __asan_report_load1_noabort
         ? find_cpio_data
         find_cpio_data
         ? vsprintf
         ? dump_stack
         ? get_ucode_user
         ? print_usage_bug
         find_microcode_in_initrd
         __load_ucode_intel
         ? collect_cpu_info_early
         ? debug_check_no_locks_freed
         load_ucode_intel_ap
         ? collect_cpu_info
         ? trace_hardirqs_on
         ? flat_send_IPI_mask_allbutself
         load_ucode_ap
         ? get_builtin_firmware
         ? flush_tlb_func
         ? do_raw_spin_trylock
         ? cpumask_weight
         cpu_init
         ? trace_hardirqs_off
         ? play_dead_common
         ? native_play_dead
         ? hlt_play_dead
         ? syscall_init
         ? arch_cpu_idle_dead
         ? do_idle
         start_secondary
         start_cpu
        Memory state around the buggy address:
         ffff880036e74f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
         ffff880036e74f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        >ffff880036e75000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                           ^
         ffff880036e75080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
         ffff880036e75100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        ==================================================================
      Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Tested-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20170126165833.evjemhbqzaepirxo@pd.tnic
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  2. 24 Jan 2017, 1 commit
    • x86/fpu/xstate: Fix xcomp_bv in XSAVES header · dffba9a3
      Committed by Yu-cheng Yu
      The compacted-format XSAVES area is determined at boot time and
      never changed after.  The field xsave.header.xcomp_bv indicates
      which components are in the fixed XSAVES format.
      
      In fpstate_init() we did not set xcomp_bv to reflect the XSAVES
      format since at the time there is no valid data.
      
      However, after we do copy_init_fpstate_to_fpregs() in fpu__clear(),
      as in commit:
      
        b22cbe40 x86/fpu: Fix invalid FPU ptrace state after execve()
      
      and when __fpu_restore_sig() does fpu__restore() for a COMPAT-mode
      app, a #GP occurs.  This can be easily triggered by doing valgrind on
      a COMPAT-mode "Hello World," as reported by Joakim Tjernlund and
      others:
      
      	https://bugzilla.kernel.org/show_bug.cgi?id=190061
      
      Fix it by setting xcomp_bv correctly.
      
      This patch also moves the xcomp_bv initialization to the proper
      place, which was in copyin_to_xsaves() as of:
      
        4c833368 x86/fpu: Set the xcomp_bv when we fake up a XSAVES area
      
      which fixed the bug too, but it's more efficient and cleaner to
      initialize things once per boot, not for every signal handling
      operation.
      Reported-by: Kevin Hao <haokexin@gmail.com>
      Reported-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
      Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ravi V. Shankar <ravi.v.shankar@intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: haokexin@gmail.com
      Link: http://lkml.kernel.org/r/1485212084-4418-1-git-send-email-yu-cheng.yu@intel.com
      [ Combined it with 4c833368. ]
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  3. 23 Jan 2017, 7 commits
  4. 22 Jan 2017, 5 commits
    • Merge tag 'usb-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c497f8d1
      Committed by Linus Torvalds
      Pull USB fixes from Greg KH:
       "Here are a few small USB fixes for 4.10-rc5.
      
        Most of these are gadget/dwc2 fixes for reported issues, all of these
        have been in linux-next for a while. The last one is a single xhci
        WARN_ON removal to handle an issue that the dwc3 driver is hitting in
        the 4.10-rc tree. The warning is harmless and needs to be removed, and
        a "real" fix that is more complex will show up in 4.11-rc1 for this
        device.
      
        That last patch hasn't been in linux-next yet due to the weekend
        timing, but it's a "simple" WARN_ON() removal so what could go wrong?
        :)"
      
      Famous last words.
      
      * tag 'usb-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        xhci: remove WARN_ON if dma mask is not set for platform devices
        usb: dwc2: host: fix Wmaybe-uninitialized warning
        usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value
        usb: gadget: udc: atmel: remove memory leak
        usb: dwc3: exynos fix axius clock error path to do cleanup
        usb: dwc2: Avoid suspending if we're in gadget mode
        usb: dwc2: use u32 for DT binding parameters
        usb: gadget: f_fs: Fix iterations on endpoints.
        usb: dwc2: gadget: Fix DMA memory freeing
        usb: gadget: composite: Fix function used to free memory
    • Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · f68d8531
      Committed by Linus Torvalds
      Pull libnvdimm fixes from Dan Williams:
       "Two fixes:
      
         - a regression fix for the multiple-pmem-namespace-per-region support
           added in 4.9. Even if an existing environment is not using that
           feature the act of creating and destroying a single namespace
           with the ndctl utility will lead to the proliferation of extra
           unwanted namespace devices.
      
         - a fix for the error code returned from the pmem driver when the
           memcpy_mcsafe() routine returns -EFAULT. Btrfs seems to be the only
           block I/O consumer that tries to parse the meaning of the error
           code when it is non-zero.
      
        Neither of these fixes are critical, the namespace leak is awkward in
        that it can cause device naming to change and complicates debugging
        namespace initialization issues. The error code fix is included out of
        caution for what other consumers might be expecting -EIO for block I/O
        errors"
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm, namespace: fix pmem namespace leak, delete when size set to zero
        pmem: return EIO on read_pmem() failure
    • Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · f5e8c0ff
      Committed by Linus Torvalds
      Pull clk fix from Stephen Boyd:
       "One fix for Samsung Exynos524x SoCs where recent IOMMU patches have
        caused some of these clocks to turn off when they were always left on
        before"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk/samsung: exynos542x: mark some clocks as critical
    • Merge tag 'arc-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 455a70cb
      Committed by Linus Torvalds
      Pull ARC fixes from Vineet Gupta:
      
       - more intc updates [Yuriv]
      
       - fix module build when unwinder is turned off
      
       - IO Coherency Programming model updates
      
       - other miscellaneous
      
      * tag 'arc-4.10-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: Revert "ARC: mm: IOC: Don't enable IOC by default"
        ARC: mm: split arc_cache_init to allow __init reaping of bulk
        ARCv2: IOC: Use actual memory size to setup aperture size
        ARCv2: IOC: Adhere to programming model guidelines to avoid DMA corruption
        ARCv2: IOC: refactor the IOC and SLC operations into own functions
        ARC: module: Fix !CONFIG_ARC_DW2_UNWIND builds
        ARCv2: save r30 on kernel entry as gcc uses it for code-gen
        ARCv2: IRQ: Call entry/exit functions for chained handlers in MCIP
        ARC: IRQ: Use hwirq instead of virq in mask/unmask
        ARC: mmu: clarify the MMUv3 programming model
    • Merge tag 'powerpc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 83fd57a7
      Committed by Linus Torvalds
      Pull powerpc fixes from Michael Ellerman:
       "Two fixes for fallout from the hugetlb changes we merged this cycle.
      
        Ten other fixes, four only affect Power9, and the rest are a bit of a
        mixture though nothing terrible.
      
        Thanks to: Aneesh Kumar K.V, Anton Blanchard, Benjamin Herrenschmidt,
        Dave Martin, Gavin Shan, Madhavan Srinivasan, Nicholas Piggin, Reza
        Arbab"
      
      * tag 'powerpc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc: Ignore reserved field in DCSR and PVR reads and writes
        powerpc/ptrace: Preserve previous TM fprs/vsrs on short regset write
        powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
        powerpc/perf: Use MSR to report privilege level on P9 DD1
        selftest/powerpc: Wrong PMC initialized in pmc56_overflow test
        powerpc/eeh: Enable IO path on permanent error
        powerpc/perf: Fix PM_BRU_CMPL event code for power9
        powerpc/mm: Fix little-endian 4K hugetlb
        powerpc/mm/hugetlb: Don't panic when we don't find the default huge page size
        powerpc: Fix pgtable pmd cache init
        powerpc/icp-opal: Fix missing KVM case and harden replay
        powerpc/mm: Fix memory hotplug BUG() on radix
  5. 21 Jan 2017, 10 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 4c9eff7a
      Committed by Linus Torvalds
      Pull KVM fixes from Radim Krčmář:
       "ARM:
         - Fix for timer setup on VHE machines
         - Drop spurious warning when the timer races against the vcpu running
           again
         - Prevent a vgic deadlock when the initialization fails (for stable)
      
        s390:
         - Fix a kernel memory exposure (for stable)
      
        x86:
         - Fix exception injection when hypercall instruction cannot be
           patched"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: s390: do not expose random data via facility bitmap
        KVM: x86: fix fixing of hypercalls
        KVM: arm/arm64: vgic: Fix deadlock on error handling
        KVM: arm64: Access CNTHCTL_EL2 bit fields correctly on VHE systems
        KVM: arm/arm64: Fix occasional warning from the timer work function
    • Merge branch 'scsi-target-for-v4.10' of... · 51162264
      Committed by Linus Torvalds
      Merge branch 'scsi-target-for-v4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/bvanassche/linux
      
      Pull SCSI target fixes from Bart Van Assche:
      
       - two small fixes for the ibmvscsis driver
      
       - ten patches with bug fixes for the target mode of the qla2xxx driver
      
       - four patches that avoid that the "sparse" and "smatch" static
         analyzer tools report false positives for the qla2xxx code base
      
      * 'scsi-target-for-v4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/bvanassche/linux:
        qla2xxx: Disable out-of-order processing by default in firmware
        qla2xxx: Fix erroneous invalid handle message
        qla2xxx: Reduce excess wait during chip reset
        qla2xxx: Terminate exchange if corrupted
        qla2xxx: Fix crash due to null pointer access
        qla2xxx: Collect additional information to debug fw dump
        qla2xxx: Reset reserved field in firmware options to 0
        qla2xxx: Set tcm_qla2xxx version to automatically track qla2xxx version
        qla2xxx: Include ATIO queue in firmware dump when in target mode
        qla2xxx: Fix wrong IOCB type assumption
        qla2xxx: Avoid that building with W=1 triggers complaints about set-but-not-used variables
        qla2xxx: Move two arrays from header files to .c files
        qla2xxx: Declare an array with file scope static
        qla2xxx: Fix indentation
        ibmvscsis: Fix sleeping in interrupt context
        ibmvscsis: Fix max transfer length
    • Merge branch 'for-linus' of git://git.kernel.dk/linux-block · e3737b91
      Committed by Linus Torvalds
      Pull block fixes from Jens Axboe:
       "Just two small fixes for this -rc.
      
        One is just killing an unused variable from Keith, but the other
        fixes a performance regression for nbd in this series, where we
        inadvertently flipped when we set MSG_MORE when outputting data"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        nbd: only set MSG_MORE when we have more to send
        blk-mq: Remove unused variable
    • Merge tag 'spi-fix-v4.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · cca112ec
      Committed by Linus Torvalds
      Pull spi fixes from Mark Brown:
       "The usual small smattering of driver specific fixes. A few bits that
        stand out here:
      
         - the R-Car patches adding fallbacks are just adding new compatible
           strings to the driver so that device trees are written in a more
           robustly future proof fashion, this isn't strictly a fix but it's
           just new IDs and it's better to get it into mainline sooner to
           improve the ABI
      
         - the DesignWare "switch to new API part 2" patch is actually a
           misleadingly titled fix for a bit that got missed in the original
           conversion"
      
      * tag 'spi-fix-v4.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: davinci: use dma_mapping_error()
        spi: spi-axi: Free resources on error path
        spi: pxa2xx: add missed break
        spi: dw-mid: switch to new dmaengine_terminate_* API (part 2)
        spi: dw: Make debugfs name unique between instances
        spi: sh-msiof: Do not use C++ style comment
        spi: armada-3700: Set mode bits correctly
        spi: armada-3700: fix unsigned compare than zero on irq
        spi: sh-msiof: Add R-Car Gen 2 and 3 fallback bindings
        spi: SPI_FSL_DSPI should depend on HAS_DMA
    • Merge tag 'ceph-for-4.10-rc5' of git://github.com/ceph/ceph-client · e90665a5
      Committed by Linus Torvalds
      Pull ceph fixes from Ilya Dryomov:
       "Three filesystem endianness fixes (one goes back to the 2.6 era, all
        marked for stable) and two fixups for this merge window's patches"
      
      * tag 'ceph-for-4.10-rc5' of git://github.com/ceph/ceph-client:
        ceph: fix bad endianness handling in parse_reply_info_extra
        ceph: fix endianness bug in frag_tree_split_cmp
        ceph: fix endianness of getattr mask in ceph_d_revalidate
        libceph: make sure ceph_aes_crypt() IV is aligned
        ceph: fix ceph_get_caps() interruption
    • Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · 56ef1882
      Committed by Linus Torvalds
      Pull overlayfs fix from Miklos Szeredi:
       "This fixes a regression introduced in this cycle"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: fix possible use after free on redirect dir lookup
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · eefa9feb
      Committed by Linus Torvalds
      Pull fuse fixes from Miklos Szeredi:
       "Fix two regressions, one introduced in 4.9 and a less recent one in
        4.2"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: fix time_to_jiffies nsec sanity check
        fuse: clear FR_PENDING flag when moving requests out of pending queue
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · f09ff1de
      Committed by Linus Torvalds
      Pull SCSI fixes from James Bottomley:
       "This is a set of 12 fixes including the mpt3sas one that was causing
        hangs on ATA passthrough.
      
        The others are a couple of zoned block device fixes, a SAS device
        detection bug which led to SATA drives not being matched to bays, two
        qla2xxx MSI fixes, a qla2xxx req for rsp confusion caused by cut and
        paste, and a few other minor fixes"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: mpt3sas: fix hang on ata passthrough commands
        scsi: lpfc: Set elsiocb contexts to NULL after freeing it
        scsi: sd: Ignore zoned field for host-managed devices
        scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
        scsi: bfa: fix wrongly initialized variable in bfad_im_bsg_els_ct_request()
        scsi: ses: Fix SAS device detection in enclosure
        scsi: libfc: Fix variable name in fc_set_wwpn
        scsi: lpfc: avoid double free of resource identifiers
        scsi: qla2xxx: remove irq_affinity_notifier
        scsi: qla2xxx: fix MSI-X vector affinity
        scsi: qla2xxx: Fix apparent cut-n-paste error.
        scsi: qla2xxx: Get mutex lock before checking optrom_state
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · f8f2d4bd
      Committed by Linus Torvalds
      Pull arm64 fixes from Catalin Marinas:
      
       - avoid potential stack information leak via the ptrace ABI caused by
         uninitialised variables
      
       - SWIOTLB DMA API fall-back allocation fix when the SWIOTLB buffer is
         not initialised (all RAM is suitable for 32-bit DMA masks)
      
       - fix the bad_mode function returning for unhandled exceptions coming
         from user space
      
       - fix name clash in __page_to_voff()
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: avoid returning from bad_mode
        arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
        arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
        arm64/ptrace: Preserve previous registers for short regset write
        arm64/ptrace: Preserve previous registers for short regset write
        arm64/ptrace: Preserve previous registers for short regset write
        arm64: mm: avoid name clash in __page_to_voff()
        arm64: Fix swiotlb fallback allocation
    • Merge tag 'kvm-s390-master-4.10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux · fec96901
      Committed by Radim Krčmář
      KVM: s390: Fix for 4.10 (via kvm/master)
      
      Fix a kernel memory exposure.
  6. 20 Jan 2017, 16 commits