1. 15 5月, 2021 1 次提交
  2. 14 5月, 2021 5 次提交
    • S
      xen/swiotlb: check if the swiotlb has already been initialized · 97729b65
      Stefano Stabellini 提交于
      xen_swiotlb_init calls swiotlb_late_init_with_tbl, which fails with
      -ENOMEM if the swiotlb has already been initialized.
      
      Add an explicit check io_tlb_default_mem != NULL at the beginning of
      xen_swiotlb_init. If the swiotlb is already initialized print a warning
      and return -EEXIST.
      
      On x86, the error propagates.
      
      On ARM, we don't actually need a special swiotlb buffer (yet), any
      buffer would do. So ignore the error and continue.
      
      CC: boris.ostrovsky@oracle.com
      CC: jgross@suse.com
      Signed-off-by: NStefano Stabellini <stefano.stabellini@xilinx.com>
      Reviewed-by: NBoris Ostrovsky <boris.ostrvsky@oracle.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Link: https://lore.kernel.org/r/20210512201823.1963-3-sstabellini@kernel.orgSigned-off-by: NJuergen Gross <jgross@suse.com>
      97729b65
    • V
      clocksource/drivers/hyper-v: Re-enable VDSO_CLOCKMODE_HVCLOCK on X86 · 3486d2c9
      Vitaly Kuznetsov 提交于
      Mohammed reports (https://bugzilla.kernel.org/show_bug.cgi?id=213029)
      the commit e4ab4658 ("clocksource/drivers/hyper-v: Handle vDSO
      differences inline") broke vDSO on x86. The problem appears to be that
      VDSO_CLOCKMODE_HVCLOCK is an enum value in 'enum vdso_clock_mode' and
      '#ifdef VDSO_CLOCKMODE_HVCLOCK' branch evaluates to false (it is not
      a define).
      
      Use a dedicated HAVE_VDSO_CLOCKMODE_HVCLOCK define instead.
      
      Fixes: e4ab4658 ("clocksource/drivers/hyper-v: Handle vDSO differences inline")
      Reported-by: NMohammed Gamal <mgamal@redhat.com>
      Suggested-by: NThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: NMichael Kelley <mikelley@microsoft.com>
      Link: https://lore.kernel.org/r/20210513073246.1715070-1-vkuznets@redhat.com
      3486d2c9
    • M
      vt: Fix character height handling with VT_RESIZEX · 860dafa9
      Maciej W. Rozycki 提交于
      Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter
      which is the number of pixel rows per character (cell) rather than the
      height of the font used.
      
      For framebuffer devices the two values are always the same, because the
      former is inferred from the latter one.  For VGA used as a true text
      mode device these two parameters are independent from each other: the
      number of pixel rows per character is set in the CRT controller, while
      font height is in fact hardwired to 32 pixel rows and fonts of heights
      below that value are handled by padding their data with blanks when
      loaded to hardware for use by the character generator.  One can change
      the setting in the CRT controller and it will update the screen contents
      accordingly regardless of the font loaded.
      
      The `v_clin' parameter is used by the `vgacon' driver to set the height
      of the character cell and then the cursor position within.  Make the
      parameter explicit then, by defining a new `vc_cell_height' struct
      member of `vc_data', set it instead of `vc_font.height' from `v_clin' in
      the VT_RESIZEX ioctl, and then use it throughout the `vgacon' driver
      except where actual font data is accessed which as noted above is
      independent from the CRTC setting.
      
      This way the framebuffer console driver is free to ignore the `v_clin'
      parameter as irrelevant, as it always should have, avoiding any issues
      attempts to give the parameter a meaning there could have caused, such
      as one that has led to commit 988d0763 ("vt_ioctl: make VT_RESIZEX
      behave like VT_RESIZE"):
      
       "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2],
        for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height
        larger than actual font height calculated by con_font_set() from
        ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates
        minimal amount of memory based on actual font height calculated by
        con_font_set(), use of vt_resizex() can cause UAF/OOB read for font
        data."
      
      The problem first appeared around Linux 2.5.66 which predates our repo
      history, but the origin could be identified with the old MIPS/Linux repo
      also at: <git://git.kernel.org/pub/scm/linux/kernel/git/ralf/linux.git>
      as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where VT_RESIZEX
      code in `vt_ioctl' was updated as follows:
      
       		if (clin)
      -			video_font_height = clin;
      +			vc->vc_font.height = clin;
      
      making the parameter apply to framebuffer devices as well, perhaps due
      to the use of "font" in the name of the original `video_font_height'
      variable.  Use "cell" in the new struct member then to avoid ambiguity.
      
      References:
      
      [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837
      [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3Signed-off-by: NMaciej W. Rozycki <macro@orcam.me.uk>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable@vger.kernel.org # v2.6.12+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      860dafa9
    • M
      vt_ioctl: Revert VT_RESIZEX parameter handling removal · a90c275e
      Maciej W. Rozycki 提交于
      Revert the removal of code handling extra VT_RESIZEX ioctl's parameters
      beyond those that VT_RESIZE supports, fixing a functional regression
      causing `svgatextmode' not to resize the VT anymore.
      
      As a consequence of the reverted change when the video adapter is
      reprogrammed from the original say 80x25 text mode using a 9x16
      character cell (720x400 pixel resolution) to say 80x37 text mode and the
      same character cell (720x592 pixel resolution), the VT geometry does not
      get updated and only upper two thirds of the screen are used for the VT,
      and the lower part remains blank.  The proportions change according to
      text mode geometries chosen.
      
      Revert the change verbatim then, bringing back previous VT resizing.
      Signed-off-by: NMaciej W. Rozycki <macro@orcam.me.uk>
      Fixes: 988d0763 ("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE")
      Cc: stable@vger.kernel.org # v5.10+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a90c275e
    • M
      vgacon: Record video mode changes with VT_RESIZEX · d4d0ad57
      Maciej W. Rozycki 提交于
      Fix an issue with VGA console font size changes made after the initial
      video text mode has been changed with a user tool like `svgatextmode'
      calling the VT_RESIZEX ioctl.  As it stands in that case the original
      screen geometry continues being used to validate further VT resizing.
      
      Consequently when the video adapter is firstly reprogrammed from the
      original say 80x25 text mode using a 9x16 character cell (720x400 pixel
      resolution) to say 80x37 text mode and the same character cell (720x592
      pixel resolution), and secondly the CRTC character cell updated to 9x8
      (by loading a suitable font with the KD_FONT_OP_SET request of the
      KDFONTOP ioctl), the VT geometry does not get further updated from 80x37
      and only upper half of the screen is used for the VT, with the lower
      half showing rubbish corresponding to whatever happens to be there in
      the video memory that maps to that part of the screen.  Of course the
      proportions change according to text mode geometries and font sizes
      chosen.
      
      Address the problem then, by updating the text mode geometry defaults
      rather than checking against them whenever the VT is resized via a user
      ioctl.
      Signed-off-by: NMaciej W. Rozycki <macro@orcam.me.uk>
      Fixes: e400b6ec ("vt/vgacon: Check if screen resize request comes from userspace")
      Cc: stable@vger.kernel.org # v2.6.24+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d4d0ad57
  3. 13 5月, 2021 30 次提交
  4. 12 5月, 2021 4 次提交
    • S
      nbd: share nbd_put and return by goto put_nbd · bedf78c4
      Sun Ke 提交于
      Replace the following two statements by the statement “goto put_nbd;”
      
      	nbd_put(nbd);
      	return 0;
      Signed-off-by: NSun Ke <sunke32@huawei.com>
      Suggested-by: NMarkus Elfring <Markus.Elfring@web.de>
      Reviewed-by: NJosef Bacik <josef@toxicpanda.com>
      Link: https://lore.kernel.org/r/20210512114331.1233964-3-sunke32@huawei.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      bedf78c4
    • S
      nbd: Fix NULL pointer in flush_workqueue · 79ebe911
      Sun Ke 提交于
      Open /dev/nbdX first, the config_refs will be 1 and
      the pointers in nbd_device are still null. Disconnect
      /dev/nbdX, then reference a null recv_workq. The
      protection by config_refs in nbd_genl_disconnect is useless.
      
      [  656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020
      [  656.368943] #PF: supervisor write access in kernel mode
      [  656.369844] #PF: error_code(0x0002) - not-present page
      [  656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0
      [  656.371693] Oops: 0002 [#1] SMP
      [  656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c8 #1
      [  656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
      [  656.375904] RIP: 0010:mutex_lock+0x29/0x60
      [  656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 <f0> 48 0f b1 55 d
      [  656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246
      [  656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      [  656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020
      [  656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318
      [  656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40
      [  656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00
      [  656.382166] FS:  00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000
      [  656.382806] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0
      [  656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  656.384927] Call Trace:
      [  656.385111]  flush_workqueue+0x92/0x6c0
      [  656.385395]  nbd_disconnect_and_put+0x81/0xd0
      [  656.385716]  nbd_genl_disconnect+0x125/0x2a0
      [  656.386034]  genl_family_rcv_msg_doit.isra.0+0x102/0x1b0
      [  656.386422]  genl_rcv_msg+0xfc/0x2b0
      [  656.386685]  ? nbd_ioctl+0x490/0x490
      [  656.386954]  ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0
      [  656.387354]  netlink_rcv_skb+0x62/0x180
      [  656.387638]  genl_rcv+0x34/0x60
      [  656.387874]  netlink_unicast+0x26d/0x590
      [  656.388162]  netlink_sendmsg+0x398/0x6c0
      [  656.388451]  ? netlink_rcv_skb+0x180/0x180
      [  656.388750]  ____sys_sendmsg+0x1da/0x320
      [  656.389038]  ? ____sys_recvmsg+0x130/0x220
      [  656.389334]  ___sys_sendmsg+0x8e/0xf0
      [  656.389605]  ? ___sys_recvmsg+0xa2/0xf0
      [  656.389889]  ? handle_mm_fault+0x1671/0x21d0
      [  656.390201]  __sys_sendmsg+0x6d/0xe0
      [  656.390464]  __x64_sys_sendmsg+0x23/0x30
      [  656.390751]  do_syscall_64+0x45/0x70
      [  656.391017]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().
      
      Fixes: e9e006f5 ("nbd: fix max number of supported devs")
      Signed-off-by: NSun Ke <sunke32@huawei.com>
      Reviewed-by: NJosef Bacik <josef@toxicpanda.com>
      Link: https://lore.kernel.org/r/20210512114331.1233964-2-sunke32@huawei.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      79ebe911
    • S
      ACPI: PM: Add ACPI ID of Alder Lake Fan · 2404b874
      Sumeet Pawnikar 提交于
      Add a new unique fan ACPI device ID for Alder Lake to
      support it in acpi_dev_pm_attach() function.
      
      Fixes: 38748bcb ("ACPI: DPTF: Support Alder Lake")
      Signed-off-by: NSumeet Pawnikar <sumeet.r.pawnikar@intel.com>
      Acked-by: NZhang Rui <rui.zhang@intel.com>
      Cc: 5.10+ <stable@vger.kernel.org> # 5.10+
      Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
      2404b874
    • C
      nvmet: demote fabrics cmd parse err msg to debug · 7a4ffd20
      Chaitanya Kulkarni 提交于
      Host can send invalid commands and flood the target with error messages.
      Demote the error message from pr_err() to pr_debug() in
      nvmet_parse_fabrics_cmd() and nvmet_parse_connect_cmd().
      Signed-off-by: NChaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      7a4ffd20