1. 11 Dec, 2021 25 commits
  2. 10 Dec, 2021 15 commits
    • selftests: KVM: Add test to verify KVM doesn't explode on "bad" I/O · 10e7a099
      Sean Christopherson committed
      Add an x86 selftest to verify that KVM doesn't WARN or otherwise explode
      if userspace modifies RCX during a userspace exit to handle string I/O.
      This is a regression test for a user-triggerable WARN introduced by
      commit 3b27de27 ("KVM: x86: split the two parts of emulator_pio_in").
      Signed-off-by: Sean Christopherson <seanjc@google.com>
      Message-Id: <20211025201311.1881846-3-seanjc@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      10e7a099
    • KVM: x86: Don't WARN if userspace mucks with RCX during string I/O exit · d07898ea
      Sean Christopherson committed
      Replace a WARN with a comment to call out that userspace can modify RCX
      during an exit to userspace to handle string I/O.  KVM doesn't actually
      support changing the rep count during an exit, i.e. the scenario can be
      ignored, but the WARN needs to go as it's trivial to trigger from
      userspace.
      
      Cc: stable@vger.kernel.org
      Fixes: 3b27de27 ("KVM: x86: split the two parts of emulator_pio_in")
      Signed-off-by: Sean Christopherson <seanjc@google.com>
      Message-Id: <20211025201311.1881846-2-seanjc@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      d07898ea
    • KVM: X86: Raise #GP when clearing CR0_PG in 64 bit mode · 777ab82d
      Lai Jiangshan committed
      In the SDM:
      If the logical processor is in 64-bit mode or if CR4.PCIDE = 1, an
      attempt to clear CR0.PG causes a general-protection exception (#GP).
      Software should transition to compatibility mode and clear CR4.PCIDE
      before attempting to disable paging.
      Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
      Message-Id: <20211207095230.53437-1-jiangshanlai@gmail.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      777ab82d
    • selftests: KVM: avoid failures due to reserved HyperTransport region · c8cc43c1
      Paolo Bonzini committed
      AMD processors define an address range that is reserved by HyperTransport
      and causes a failure if used for guest physical addresses.  Avoid
      selftests failures by reserving those guest physical addresses; the
      rules are:
      
      - On parts with <40 bits, it's fully hidden from software.
      
      - Before Fam17h, it was always 12G just below 1T, even if there was more
      RAM above this location.  In this case we just do not use any RAM above 1T.
      
      - On Fam17h and later, it is variable based on SME, and is either just
      below 2^48 (no encryption) or 2^43 (encryption).
      
      Fixes: ef4c9f4f ("KVM: selftests: Fix 32-bit truncation of vm_get_max_gfn()")
      Cc: stable@vger.kernel.org
      Cc: David Matlack <dmatlack@google.com>
      Reported-by: Maxim Levitsky <mlevitsk@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Message-Id: <20210805105423.412878-1-pbonzini@redhat.com>
      Reviewed-by: Sean Christopherson <seanjc@google.com>
      Tested-by: Sean Christopherson <seanjc@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      c8cc43c1
    • KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req · 3244867a
      Sean Christopherson committed
      Do not bail early if there are no bits set in the sparse banks for a
      non-sparse, a.k.a. "all CPUs", IPI request.  Per the Hyper-V spec, it is
      legal to have a variable length of '0', e.g. VP_SET's BankContents in
      this case, if the request can be serviced without the extra info.
      
        It is possible that for a given invocation of a hypercall that does
        accept variable sized input headers that all the header input fits
        entirely within the fixed size header. In such cases the variable sized
        input header is zero-sized and the corresponding bits in the hypercall
        input should be set to zero.
      
      Bailing early results in KVM failing to send IPIs to all CPUs as expected
      by the guest.
      
      Fixes: 214ff83d ("KVM: x86: hyperv: implement PV IPI send hypercalls")
      Cc: stable@vger.kernel.org
      Signed-off-by: Sean Christopherson <seanjc@google.com>
      Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
      Message-Id: <20211207220926.718794-2-seanjc@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      3244867a
    • KVM: x86: Wait for IPIs to be delivered when handling Hyper-V TLB flush hypercall · 1ebfaa11
      Vitaly Kuznetsov committed
      Prior to commit 0baedd79 ("KVM: x86: make Hyper-V PV TLB flush use
      tlb_flush_guest()"), kvm_hv_flush_tlb() was using 'KVM_REQ_TLB_FLUSH |
      KVM_REQUEST_NO_WAKEUP' when making a request to flush TLBs on other vCPUs
      and KVM_REQ_TLB_FLUSH is/was defined as:
      
       (0 | KVM_REQUEST_WAIT | KVM_REQUEST_NO_WAKEUP)
      
      so KVM_REQUEST_WAIT was lost. Hyper-V TLFS, however, requires that
      "This call guarantees that by the time control returns back to the
      caller, the observable effects of all flushes on the specified virtual
      processors have occurred." and without KVM_REQUEST_WAIT there's a small
      chance that the vCPU making the TLB flush will resume running before
      all IPIs get delivered to other vCPUs and a stale mapping can get read
      there.
      
      Fix the issue by adding KVM_REQUEST_WAIT flag to KVM_REQ_TLB_FLUSH_GUEST:
      kvm_hv_flush_tlb() is the sole caller which uses it for
      kvm_make_all_cpus_request()/kvm_make_vcpus_request_mask() where
      KVM_REQUEST_WAIT makes a difference.
      
      Cc: stable@kernel.org
      Fixes: 0baedd79 ("KVM: x86: make Hyper-V PV TLB flush use tlb_flush_guest()")
      Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
      Message-Id: <20211209102937.584397-1-vkuznets@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      1ebfaa11
    • Merge tag 'amd-drm-fixes-5.16-2021-12-08' of... · 675a0957
      Dave Airlie committed
      Merge tag 'amd-drm-fixes-5.16-2021-12-08' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-5.16-2021-12-08:
      
      amdgpu:
      - DPIA fix
      - eDP fix
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20211209042824.6720-1-alexander.deucher@amd.com
      675a0957
    • Merge tag 'drm-intel-fixes-2021-12-09' of... · 233bee7e
      Dave Airlie committed
      Merge tag 'drm-intel-fixes-2021-12-09' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      A fix to an error pointer dereference in gem_execbuffer and
      a fix for GT initialization when GuC/HuC are used on ICL.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/YbJVWYAd/jeERCYY@intel.com
      233bee7e
    • Merge tag 'drm-misc-fixes-2021-12-09' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · 2eb557d2
      Dave Airlie committed
      A fix in syncobj to handle fence already signalled better, and a fix for
      a ttm_bo_swapout eviction check.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <maxime@cerno.tech>
      Link: https://patchwork.freedesktop.org/patch/msgid/20211209124305.gxhid5zwf7m4oasn@houat
      2eb557d2
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · c741e491
      Linus Torvalds committed
      Pull rdma fixes from Jason Gunthorpe:
       "Quite a few small bug fixes old and new, also Doug Ledford is retiring
        now, we thank him for his work. Details:
      
         - Use after free in rxe
      
         - mlx5 DM regression
      
         - hns bugs triggered by device reset
      
         - Two fixes for CONFIG_DEBUG_PREEMPT
      
         - Several longstanding corner case bugs in hfi1
      
         - Two irdma data path bugs in rare cases and some memory issues"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/irdma: Don't arm the CQ more than two times if no CE for this CQ
        RDMA/irdma: Report correct WC errors
        RDMA/irdma: Fix a potential memory allocation issue in 'irdma_prm_add_pble_mem()'
        RDMA/irdma: Fix a user-after-free in add_pble_prm
        IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr
        IB/hfi1: Fix early init panic
        IB/hfi1: Insure use of smp_processor_id() is preempt disabled
        IB/hfi1: Correct guard on eager buffer deallocation
        RDMA/rtrs: Call {get,put}_cpu_ptr to silence a debug kernel warning
        RDMA/hns: Do not destroy QP resources in the hw resetting phase
        RDMA/hns: Do not halt commands during reset until later
        Remove Doug Ledford from MAINTAINERS
        RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow
        RDMA: Fix use-after-free in rxe_queue_cleanup
      c741e491
    • Merge tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · ded746bf
      Linus Torvalds committed
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, can and netfilter.
      
        Current release - regressions:
      
         - bpf, sockmap: re-evaluate proto ops when psock is removed from
           sockmap
      
        Current release - new code bugs:
      
         - bpf: fix bpf_check_mod_kfunc_call for built-in modules
      
         - ice: fixes for TC classifier offloads
      
         - vrf: don't run conntrack on vrf with !dflt qdisc
      
        Previous releases - regressions:
      
         - bpf: fix the off-by-two error in range markings
      
         - seg6: fix the iif in the IPv6 socket control block
      
         - devlink: fix netns refcount leak in devlink_nl_cmd_reload()
      
         - dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
      
         - dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
      
        Previous releases - always broken:
      
         - ethtool: do not perform operations on net devices being
           unregistered
      
         - udp: use datalen to cap max gso segments
      
         - ice: fix races in stats collection
      
         - fec: only clear interrupt of handling queue in fec_enet_rx_queue()
      
         - m_can: pci: fix incorrect reference clock rate
      
         - m_can: disable and ignore ELO interrupt
      
         - mvpp2: fix XDP rx queues registering
      
        Misc:
      
         - treewide: add missing includes masked by cgroup -> bpf.h
           dependency"
      
      * tag 'net-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (82 commits)
        net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports
        net: wwan: iosm: fixes unable to send AT command during mbim tx
        net: wwan: iosm: fixes net interface nonfunctional after fw flash
        net: wwan: iosm: fixes unnecessary doorbell send
        net: dsa: felix: Fix memory leak in felix_setup_mmio_filtering
        MAINTAINERS: s390/net: remove myself as maintainer
        net/sched: fq_pie: prevent dismantle issue
        net: mana: Fix memory leak in mana_hwc_create_wq
        seg6: fix the iif in the IPv6 socket control block
        nfp: Fix memory leak in nfp_cpp_area_cache_add()
        nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
        nfc: fix segfault in nfc_genl_dump_devices_done
        udp: using datalen to cap max gso segments
        net: dsa: mv88e6xxx: error handling for serdes_power functions
        can: kvaser_usb: get CAN clock frequency from device
        can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct stats->{rx,tx}_errors counter
        net: mvpp2: fix XDP rx queues registering
        vmxnet3: fix minimum vectors alloc issue
        net, neigh: clear whole pneigh_entry at alloc time
        net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's"
        ...
      ded746bf
    • Merge tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 27698cd2
      Linus Torvalds committed
      Pull mtd fixes from Miquel Raynal:
       "MTD fixes:
      
         - dataflash: Add device-tree SPI IDs to avoid new warnings
      
        Raw NAND fixes:
      
         - Fix nand_choose_best_timings() on unsupported interface
      
         - Fix nand_erase_op delay (wrong unit)
      
         - fsmc:
            - Fix timing computation
            - Take instruction delay into account
      
         - denali:
            - Add the dependency on HAS_IOMEM to silence robots"
      
      * tag 'mtd/fixes-for-5.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: dataflash: Add device-tree SPI IDs
        mtd: rawnand: fsmc: Fix timing computation
        mtd: rawnand: fsmc: Take instruction delay into account
        mtd: rawnand: Fix nand_choose_best_timings() on unsupported interface
        mtd: rawnand: Fix nand_erase_op delay
        mtd: rawnand: denali: Add the dependency on HAS_IOMEM
      27698cd2
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 03090cc7
      Linus Torvalds committed
      Pull HID fixes from Jiri Kosina:
      
       - fixes for various drivers which assume that a HID device is on USB
         transport, but that might not necessarily be the case, as the device
         can be faked by uhid. (Greg, Benjamin Tissoires)
      
       - fix for spurious wakeups on certain Lenovo notebooks (Thomas
         Weißschuh)
      
       - a few other device-specific quirks
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: Ignore battery for Elan touchscreen on Asus UX550VE
        HID: intel-ish-hid: ipc: only enable IRQ wakeup when requested
        HID: google: add eel USB id
        HID: add USB_HID dependancy to hid-prodikeys
        HID: add USB_HID dependancy to hid-chicony
        HID: bigbenff: prevent null pointer dereference
        HID: sony: fix error path in probe
        HID: add USB_HID dependancy on some USB HID drivers
        HID: check for valid USB device for many HID drivers
        HID: wacom: fix problems when device is not a valid USB device
        HID: add hid_is_usb() function to make it simpler for USB detection
        HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
      03090cc7
    • aio: Fix incorrect usage of eventfd_signal_allowed() · 4b374986
      Xie Yongji committed
      We should defer eventfd_signal() to the workqueue when
      eventfd_signal_allowed() returns false rather than
      true.
      
      Fixes: b542e383 ("eventfd: Make signal recursion protection a task bit")
      Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
      Link: https://lore.kernel.org/r/20210913111928.98-1-xieyongji@bytedance.com
      Reviewed-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      4b374986
    • aio: fix use-after-free due to missing POLLFREE handling · 50252e4b
      Eric Biggers committed
      signalfd_poll() and binder_poll() are special in that they use a
      waitqueue whose lifetime is the current task, rather than the struct
      file as is normally the case.  This is okay for blocking polls, since a
      blocking poll occurs within one task; however, non-blocking polls
      require another solution.  This solution is for the queue to be cleared
      before it is freed, by sending a POLLFREE notification to all waiters.
      
      Unfortunately, only eventpoll handles POLLFREE.  A second type of
      non-blocking poll, aio poll, was added in kernel v4.18, and it doesn't
      handle POLLFREE.  This allows a use-after-free to occur if a signalfd or
      binder fd is polled with aio poll, and the waitqueue gets freed.
      
      Fix this by making aio poll handle POLLFREE.
      
      A patch by Ramji Jiyani <ramjiyani@google.com>
      (https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
      tried to do this by making aio_poll_wake() always complete the request
      inline if POLLFREE is seen.  However, that solution had two bugs.
      First, it introduced a deadlock, as it unconditionally locked the aio
      context while holding the waitqueue lock, which inverts the normal
      locking order.  Second, it didn't consider that POLLFREE notifications
      are missed while the request has been temporarily de-queued.
      
      The second problem was solved by my previous patch.  This patch then
      properly fixes the use-after-free by handling POLLFREE in a
      deadlock-free way.  It does this by taking advantage of the fact that
      freeing of the waitqueue is RCU-delayed, similar to what eventpoll does.
      
      Fixes: 2c14fa83 ("aio: implement IOCB_CMD_POLL")
      Cc: <stable@vger.kernel.org> # v4.18+
      Link: https://lore.kernel.org/r/20211209010455.42744-6-ebiggers@kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      50252e4b