- 27 12月, 2019 40 次提交
-
-
由 Julien Thierry 提交于
mainline inclusion from mainline-5.3-rc1 commit bd82d4bd category: bugfix bugzilla: 23209 CVE: NA ------------------------------------------------- When using IRQ priority masking to disable interrupts, in order to deal with the PSR.I state, local_irq_save() would convert the I bit into a PMR value (GIC_PRIO_IRQOFF). This resulted in local_irq_restore() potentially modifying the value of PMR in undesired location due to the state of PSR.I upon flag saving [1]. In an attempt to solve this issue in a less hackish manner, introduce a bit (GIC_PRIO_IGNORE_PMR) for the PMR values that can represent whether PSR.I is being used to disable interrupts, in which case it takes precedence of the status of interrupt masking via PMR. GIC_PRIO_PSR_I_SET is chosen such that (<pmr_value> | GIC_PRIO_PSR_I_SET) does not mask more interrupts than <pmr_value> as some sections (e.g. arch_cpu_idle(), interrupt acknowledge path) requires PMR not to mask interrupts that could be signaled to the CPU when using only PSR.I. [1] https://www.spinics.net/lists/arm-kernel/msg716956.html Fixes: 4a503217 ("arm64: irqflags: Use ICC_PMR_EL1 for interrupt masking") Cc: <stable@vger.kernel.org> # 5.1.x- Reported-by: NZenghui Yu <yuzenghui@huawei.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Wei Li <liwei391@huawei.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Christoffer Dall <christoffer.dall@arm.com> Cc: James Morse <james.morse@arm.com> Cc: Suzuki K Pouloze <suzuki.poulose@arm.com> Cc: Oleg Nesterov <oleg@redhat.com> Reviewed-by: NMarc Zyngier <marc.zyngier@arm.com> Signed-off-by: NJulien Thierry <julien.thierry@arm.com> Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Julien Thierry 提交于
mainline inclusion from mainline-5.3-rc1 commit 17ce302f category: bugfix bugzilla: 23209 CVE: NA ------------------------------------------------- In the presence of any form of instrumentation, nmi_enter() should be done before calling any traceable code and any instrumentation code. Currently, nmi_enter() is done in handle_domain_nmi(), which is much too late as instrumentation code might get called before. Move the nmi_enter/exit() calls to the arch IRQ vector handler. On arm64, it is not possible to know if the IRQ vector handler was called because of an NMI before acknowledging the interrupt. However, It is possible to know whether normal interrupts could be taken in the interrupted context (i.e. if taking an NMI in that context could introduce a potential race condition). When interrupting a context with IRQs disabled, call nmi_enter() as soon as possible. In contexts with IRQs enabled, defer this to the interrupt controller, which is in a better position to know if an interrupt taken is an NMI. Fixes: bc3c03cc ("arm64: Enable the support of pseudo-NMIs") Cc: <stable@vger.kernel.org> # 5.1.x- Cc: Will Deacon <will.deacon@arm.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Jason Cooper <jason@lakedaemon.net> Cc: Mark Rutland <mark.rutland@arm.com> Reviewed-by: NMarc Zyngier <marc.zyngier@arm.com> Signed-off-by: NJulien Thierry <julien.thierry@arm.com> Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Julien Thierry 提交于
mainline inclusion from mainline-5.3-rc1 commit f5706578 category: bugfix bugzilla: 23209 CVE: NA ------------------------------------------------- Some of the inline assembly instruction use the condition flags and need to include "cc" in the clobber list. Fixes: 4a503217 ("arm64: irqflags: Use ICC_PMR_EL1 for interrupt masking") Cc: <stable@vger.kernel.org> # 5.1.x- Suggested-by: NMarc Zyngier <marc.zyngier@arm.com> Cc: Will Deacon <will.deacon@arm.com> Reviewed-by: NMarc Zyngier <marc.zyngier@arm.com> Acked-by: NMark Rutland <mark.rutland@arm.com> Signed-off-by: NJulien Thierry <julien.thierry@arm.com> Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Julien Thierry 提交于
mainline inclusion from mainline-5.3-rc1 commit 19c36b18 category: bugfix bugzilla: 23209 CVE: NA ------------------------------------------------- Flags are only read by the instructions doing the irqflags restore operation. Pass the operand as read only to the asm inline instead of read-write. Cc: Will Deacon <will.deacon@arm.com> Reviewed-by: NMarc Zyngier <marc.zyngier@arm.com> Acked-by: NMark Rutland <mark.rutland@ar.com> Signed-off-by: NJulien Thierry <julien.thierry@arm.com> Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Kees Cook 提交于
mainline inclusion from mainline-5.2-rc1 commit be604c61 category: bugfix bugzilla: 23209 CVE: NA ------------------------------------------------- Clang's integrated assembler does not allow assembly macros defined in one inline asm block using the .macro directive to be used across separate asm blocks. LLVM developers consider this a feature and not a bug, recommending code refactoring: https://bugs.llvm.org/show_bug.cgi?id=19749 As binutils doesn't allow macros to be redefined, this change uses UNDEFINE_MRS_S and UNDEFINE_MSR_S to define corresponding macros in-place and workaround gcc and clang limitations on redefining macros across different assembler blocks. Specifically, the current state after preprocessing looks like this: asm volatile(".macro mXX_s ... .endm"); void f() { asm volatile("mXX_s a, b"); } With GCC, it gives macro redefinition error because sysreg.h is included in multiple source files, and assembler code for all of them is later combined for LTO (I've seen an intermediate file with hundreds of identical definitions). With clang, it gives macro undefined error because clang doesn't allow sharing macros between inline asm statements. I also seem to remember catching another sort of undefined error with GCC due to reordering of macro definition asm statement and generated asm code for function that uses the macro. The solution with defining and undefining for each use, while certainly not elegant, satisfies both GCC and clang, LTO and non-LTO. Co-developed-by: NAlex Matveev <alxmtvv@gmail.com> Co-developed-by: NYury Norov <ynorov@caviumnetworks.com> Co-developed-by: NSami Tolvanen <samitolvanen@google.com> Reviewed-by: NNick Desaulniers <ndesaulniers@google.com> Reviewed-by: NMark Rutland <mark.rutland@arm.com> Signed-off-by: NKees Cook <keescook@chromium.org> Signed-off-by: NWill Deacon <will.deacon@arm.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: bugfix bugzilla: 23209 CVE: NA ------------------------------------------------- This reverts commit f4ed436b2416 ("arm64: irqflags: fix incomplete save & restore"). Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 tanghui20 提交于
driver inclusion category:bugfix bugzilla:NA CVE:NA modify review coments of hpre driver Feature or Bugfix:Bugfix Signed-off-by: Ntanghui20 <tanghui20@huawei.com> Reviewed-by: Nxuzaibo <xuzaibo@huawei.com> Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 yumeng18 提交于
driver inclusion category:bugfix bugzilla:NA CVE:NA when u unbind and bind 'hisi_hpre' device quickly, hisi_hpre may not load, as dmesg like: [ 1006.414257] hisi_hpre 0000:79:00.0: qm register to uacce [ 1006.419550] hisi_hpre 0000:79:00.0: register to noiommu mode, it's not safe for kernel [ 1006.437566] hisi_hpre 0000:79:00.0: Refused to change power state, currently in D3 [ 1006.445111] hisi_hpre 0000:79:00.0: Failed to enable MSI vectors! [ 1006.451190] hisi_hpre: probe of 0000:79:00.0 failed with error -28 Feature or Bugfix: Bugfix Signed-off-by: Nyumeng18 <yumeng18@huawei.com> Reviewed-by: Nxuzaibo <xuzaibo@huawei.com> Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 yekai13 提交于
driver inclusion category:bugfix bugzilla:NA CVE:NA Code review fix of round 8 and round 9 for hpre_crypto.c Feature or Bugfix: Bugfix Signed-off-by: Nyekai (A) <yekai13@huawei.com> Reviewed-by: Nxuzaibo <xuzaibo@huawei.com> Signed-off-by: NHui Tang <tanghui20@huawei.com> Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 yumeng 提交于
driver inclusion category:bugfix bugzilla:NA CVE:NA when u reserved a big memory(eg: 4G), (unsigned int)nr_pages is too big, so "nr_pages << PAGE_SHIFT" overflows, the kernel may alloc the memory to u, but the vm is wrong. Feature or Bugfix: Bugfix Signed-off-by: Nyumeng <yumeng18@huawei.com> Reviewed-by: Nxuzaibo <xuzaibo@huawei.com> Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 liulongfang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA Fix the sparse warining checked by tools: 1. Inner function use Key static. 2. Using macro replace Key const. Feature or Bugfix:Bugfix Signed-off-by: Nliulongfang <liulongfang@huawei.com> Reviewed-by: Nxuzaibo <xuzaibo@huawei.com> Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 tanshukun 提交于
driver inclusion category: feature bugzilla: NA CVE: NA 1. Add acomp support for crypto architecture, which is merged in mainline. 2. add 4M support for noiommu 3. merge sgl.ko and qm.ko to hisi_qm.ko Feature or Bugfix:Bugfix Signed-off-by: Ntanshukun (A) <tanshukun1@huawei.com> Reviewed-by: Nwangzhou <wangzhou1@hisilicon.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- Add the arm64/common cmdline option same as x86: "numa_spinlock=auto/on/off" (default is "off") Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- Enabling CNA is controlled via a new configuration option (NUMA_AWARE_SPINLOCKS). Add it for arm64 support. Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Alex Kogan 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- This optimization reduces the probability threads will be shuffled between the main and secondary queues when the secondary queue is empty. It is helpful when the lock is only lightly contended. Signed-off-by: NAlex Kogan <alex.kogan@oracle.com> Reviewed-by: NSteve Sistare <steven.sistare@oracle.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Alex Kogan 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- Choose the next lock holder among spinning threads running on the same node with high probability rather than always. With small probability, hand the lock to the first thread in the secondary queue or, if that queue is empty, to the immediate successor of the current lock holder in the main queue. Thus, assuming no failures while threads hold the lock, every thread would be able to acquire the lock after a bounded number of lock transitions, with high probability. Signed-off-by: NAlex Kogan <alex.kogan@oracle.com> Reviewed-by: NSteve Sistare <steven.sistare@oracle.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Alex Kogan 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- In CNA, spinning threads are organized in two queues, a main queue for threads running on the same node as the current lock holder, and a secondary queue for threads running on other nodes. At the unlock time, the lock holder scans the main queue looking for a thread running on the same node. If found (call it thread T), all threads in the main queue between the current lock holder and T are moved to the end of the secondary queue, and the lock is passed to T. If such T is not found, the lock is passed to the first node in the secondary queue. Finally, if the secondary queue is empty, the lock is passed to the next thread in the main queue. For more details, see https://arxiv.org/abs/1810.05600. Note that this variant of CNA may introduce starvation by continuously passing the lock to threads running on the same node. This issue will be addressed later in the series. Enabling CNA is controlled via a new configuration option (NUMA_AWARE_SPINLOCKS). By default, the CNA variant is patched in at the boot time only if we run on a multi-node machine in native environment and the new config is enabled. (For the time being, the patching requires CONFIG_PARAVIRT_SPINLOCKS to be enabled as well. However, this should be resolved once static_call() is available.) This default behavior can be overridden with the new kernel boot command-line option "numa_spinlock=on/off" (default is "auto"). Signed-off-by: NAlex Kogan <alex.kogan@oracle.com> Reviewed-by: NSteve Sistare <steven.sistare@oracle.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Alex Kogan 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- Move some of the code manipulating the spin lock into separate functions. This would allow easier integration of alternative ways to manipulate that lock. Signed-off-by: NAlex Kogan <alex.kogan@oracle.com> Reviewed-by: NSteve Sistare <steven.sistare@oracle.com> Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- This reverts commit eebaefa480c4 ("locking/qspinlock: Refactor the qspinlock slow path"). Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- This reverts commit 0e84763bf3bb ("locking/qspinlock: Introduce CNA into the slow path of qspinlock"). Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- This reverts commit a8405d5021ba ("locking/qspinlock: Introduce starvation avoidance into CNA"). Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- This reverts commit 1858ad4eb4f2 (“locking/qspinlock: Introduce the shuffle reduction optimization into CNA”). Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- This reverts commit 57b8f63a0a21 ("qspinlock: numaware: Add ARM64 support"). Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wei Li 提交于
hulk inclusion category: feature bugzilla: 13227 CVE: NA ------------------------------------------------- This reverts commit 08c9475f0ec7 ("numa-aware qspinlock: using boot option to enable it"). Signed-off-by: NWei Li <liwei391@huawei.com> Reviewed-by: NHanjun Guo <guohanjun@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hui Peng 提交于
hulk inclusion category: bugfix bugzilla: 13690 CVE: CVE-2019-15099 ------------------------------------------------- The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects are initialized to point to the containing `ath10k_usb` object according to endpoint descriptors read from the device side, as shown below in `ath10k_usb_setup_pipe_resources`: for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc; // get the address from endpoint descriptor pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb, endpoint->bEndpointAddress, &urbcount); ...... // select the pipe object pipe = &ar_usb->pipes[pipe_num]; // initialize the ar_usb field pipe->ar_usb = ar_usb; } The driver assumes that the addresses reported in endpoint descriptors from device side to be complete. If a device is malicious and does not report complete addresses, it may trigger NULL-ptr-deref `ath10k_usb_alloc_urb_from_pipe` and `ath10k_usb_free_urb_to_pipe`. This patch fixes the bug by preventing potential NULL-ptr-deref. Signed-off-by: NHui Peng <benquike@gmail.com> Reported-by: NHui Peng <benquike@gmail.com> Reported-by: NMathias Payer <mathias.payer@nebelwelt.net> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 zhangwei 提交于
driver inclusion category: feature bugzilla: NA CVE: NA 1. update sgl code 2. sec modify buf_map & buf_unmap code for sgl 3. use SEC_DBGFS_VAL_MAX_LEN replace magic number 20 4. use ctx->dev replace ctx->sec_dev 5. use FORMAT_DECIMAL to replace magic number 10 6. use 2, 4, 6, ... sequence to imply ctx_q_num is even 7. sgl support multi-user Feature or Bugfix:Feature Signed-off-by: NZhangwei <zhangwei375@huawei.com> Reviewed-by: Nlingmingqiang <lingmingqiang@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 zhangwei 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA 1.ctx->fusion_limit <= 0 && ctx->fusion_limit > QM_Q_DEPTH this condition never reach 2.exceptions in queue_alloc may cause double free problem 3.use ERR_PTR() return error code for acc_alloc_multi_sgl function Feature or Bugfix:Bugfix Signed-off-by: NZhangwei <zhangwei375@huawei.com> Reviewed-by: Nlingmingqiang <lingmingqiang@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 zhangwei 提交于
driver inclusion category: feature bugzilla: NA CVE: NA 1.disable aes(ctr) algorithm 2.add cipher & digest support for user space driver 3.modify default ctx_q_num with 24 Feature or Bugfix:Feature Signed-off-by: NZhangwei <zhangwei375@huawei.com> Reviewed-by: Nlingmingqiang <lingmingqiang@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hui Peng 提交于
mainline inclusion from mainline-v5.3 commit 39d170b3 category: 13690 bugzilla: NA CVE: CVE-2019-15098 ------------------------------------------------- The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects are initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`: for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc; // get the address from endpoint descriptor pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb, endpoint->bEndpointAddress, &urbcount); ...... // select the pipe object pipe = &ar_usb->pipes[pipe_num]; // initialize the ar_usb field pipe->ar_usb = ar_usb; } The driver assumes that the addresses reported in endpoint descriptors from device side to be complete. If a device is malicious and does not report complete addresses, it may trigger NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`. This patch fixes the bug by preventing potential NULL-ptr-deref (CVE-2019-15098). Signed-off-by: NHui Peng <benquike@gmail.com> Reported-by: NHui Peng <benquike@gmail.com> Reported-by: NMathias Payer <mathias.payer@nebelwelt.net> Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Xi Wang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA when we config the PAGE_SIZE as 64K, kasan will report a BUG when run command 'insmod hns_roce_hw_v2.ko', the calltrace is as follows: ================================================================== BUG: KASAN: slab-out-of-bounds in hns_roce_v2_init_eq_table+0x1324/0x1948 [hns_roce_hw_v2] Read of size 8 at addr ffff8020e7a10608 by task insmod/256 CPU: 0 PID: 256 Comm: insmod Tainted: G O 5.2.0-rc4 #1 Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 Call trace: dump_backtrace+0x0/0x1e8 show_stack+0x14/0x20 dump_stack+0xc4/0xfc print_address_description+0x60/0x270 __kasan_report+0x164/0x1b8 kasan_report+0xc/0x18 __asan_load8+0x84/0xa8 hns_roce_v2_init_eq_table+0x1324/0x1948 [hns_roce_hw_v2] hns_roce_init+0xf8/0xfe0 [hns_roce] __hns_roce_hw_v2_init_instance+0x284/0x330 [hns_roce_hw_v2] hns_roce_hw_v2_init_instance+0xd0/0x1b8 [hns_roce_hw_v2] hclge_init_roce_client_instance+0x180/0x310 [hclge] hclge_init_client_instance+0xcc/0x508 [hclge] hnae3_init_client_instance.part.3+0x3c/0x80 [hnae3] hnae3_register_client+0x134/0x1a8 [hnae3] hns_roce_hw_v2_init+0x14/0x10000 [hns_roce_hw_v2] do_one_initcall+0x9c/0x3e0 do_init_module+0xd4/0x2d8 load_module+0x3284/0x3690 __se_sys_init_module+0x274/0x308 __arm64_sys_init_module+0x40/0x50 el0_svc_handler+0xbc/0x210 el0_svc+0x8/0xc Allocated by task 256: __kasan_kmalloc.isra.0+0xd0/0x180 kasan_kmalloc+0xc/0x18 __kmalloc+0x16c/0x328 hns_roce_v2_init_eq_table+0x764/0x1948 [hns_roce_hw_v2] hns_roce_init+0xf8/0xfe0 [hns_roce] __hns_roce_hw_v2_init_instance+0x284/0x330 [hns_roce_hw_v2] hns_roce_hw_v2_init_instance+0xd0/0x1b8 [hns_roce_hw_v2] hclge_init_roce_client_instance+0x180/0x310 [hclge] hclge_init_client_instance+0xcc/0x508 [hclge] hnae3_init_client_instance.part.3+0x3c/0x80 [hnae3] hnae3_register_client+0x134/0x1a8 [hnae3] hns_roce_hw_v2_init+0x14/0x10000 [hns_roce_hw_v2] do_one_initcall+0x9c/0x3e0 do_init_module+0xd4/0x2d8 load_module+0x3284/0x3690 __se_sys_init_module+0x274/0x308 __arm64_sys_init_module+0x40/0x50 el0_svc_handler+0xbc/0x210 el0_svc+0x8/0xc Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8020e7a10600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffff8020e7a10600, ffff8020e7a10680) The buggy address belongs to the page: page:ffff7fe00839e840 refcount:1 mapcount:0 mapping:ffff802340020200 index:0x0 flags: 0x5fffe00000000200(slab) raw: 5fffe00000000200 dead000000000100 dead000000000200 ffff802340020200 raw: 0000000000000000 0000000081000100 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8020e7a10500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8020e7a10580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8020e7a10600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8020e7a10680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8020e7a10700: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Disabling lock debugging due to kernel taint Fixes: a5073d60 ("RDMA/hns: Add eq support of hip08") Feature or Bugfix:Bugfix Signed-off-by: NXi Wang <wangxi11@huawei.com> Reviewed-by: Nliuyixian <liuyixian@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Sirong Wang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA The original one is to send 16 packets at one time, and now it is configured to send 1 packet once. This parameter is tested to make sure performance reach the standard. Feature or Bugfix: Bugfix Signed-off-by: NSirong Wang <wangsirong@huawei.com> Signed-off-by: NWeihang Li <liweihang@hisilicon.com> Reviewed-by: Nchenglang <chenglang@huawei.com> Reviewed-by: Nliuyixian <liuyixian@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Wenpeng Liang 提交于
driver inclusion category: cleanup bugzilla: NA CVE: NA Remove the semicolon after function, because it does not conform to programming specifications. Feature or Bugfix:Bugfix Signed-off-by: NWenpeng Liang <liangwenpeng@huawei.com> Reviewed-by: Nchenglang <chenglang@huawei.com> Reviewed-by: NYixian Liu <liuyixian@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Sirong Wang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA We should consider size of pointer pointing to buf field in struct hns_roce_hem_chunk when calculating HNS_ROCE_HEM_CHUNK_LEN, or its value may be larger than we expected. Feature or Bugfix: Bugfix Signed-off-by: NSirong Wang <wangsirong@huawei.com> Signed-off-by: NWeihang Li <liweihang@hisilicon.com> Reviewed-by: Nchenglang <chenglang@huawei.com> Reviewed-by: NYixian Liu <liuyixian@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Yixing Liu 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA Since it is not judged whether qp receives srq, srq is associated with qp, the commit wr to rq is successful. Feature or Bugfix:Bugfix Signed-off-by: NYixing Liu <liuyixing1@huawei.com> Reviewed-by: Nliuyixian <liuyixian@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Guangbin Huang 提交于
driver inclusion category: cleanup bugzilla: NA CVE: NA This patch just changes location of function hclge_set_vlan_filter as same as kernel-dev branch. Signed-off-by: NGuangbin Huang <huangguangbin2@huawei.com> Reviewed-by: Nlinyunsheng <linyunsheng@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Guangbin Huang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA The member data of struct hclge_desc is a __le32 type variabl, so it is necessary to convert the variable compat into __le32 type. Signed-off-by: NGuangbin Huang <huangguangbin2@huawei.com> Reviewed-by: Nlinyunsheng <linyunsheng@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Yonglong Liu 提交于
driver inclusion category: Feature bugzilla: NA CVE: NA When printing dma address, need to use %pad. This patch replace %llx to %pad to fix this problem. Signed-off-by: NYonglong Liu <liuyonglong@huawei.com> Reviewed-by: Nlinyunsheng <linyunsheng@huawei.com> Reviewed-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Greg Kroah-Hartman 提交于
Merge 76 patches from 4.19.75 stable branch (80 total) beside 4 already merged patches: 305c3b4 RDMA/restrack: Release task struct which was hold by CM_ID object 232a646 KVM: coalesced_mmio: add bounds checking 941431c mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings 65ad72c i2c: designware: Synchronize IRQs when unregistering slave client Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Sean Young 提交于
commit 0c4df39e upstream. Ensure we do not access the buffer beyond the end if no 0xff byte is encountered. Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com Signed-off-by: NSean Young <sean@mess.org> Reviewed-by: NKees Cook <keescook@chromium.org> Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Will Deacon 提交于
commit 2a355ec2 upstream. While the CSV3 field of the ID_AA64_PFR0 CPU ID register can be checked to see if a CPU is susceptible to Meltdown and therefore requires kpti to be enabled, existing CPUs do not implement this field. We therefore whitelist all unaffected Cortex-A CPUs that do not implement the CSV3 field. Signed-off-by: NWill Deacon <will.deacon@arm.com> Cc: Niklas Cassel <niklas.cassel@linaro.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: arch/arm64/kernel/cpufeature.c [yyl: adjust context] Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-