  2. Feb 27, 2014
    • kvm, vmx: Really fix lazy FPU on nested guest · 1b385cbd
      Paolo Bonzini authored
      
      Commit e504c909 (kvm, vmx: Fix lazy FPU on nested guest, 2013-11-13)
      highlighted a real problem, but the fix was subtly wrong.
      
      nested_read_cr0 is the CR0 as read by L2, but here we want to look at
      the CR0 value reflecting L1's setup.  In other words, L2 might think
      that TS=0 (so nested_read_cr0 has the bit clear); but if L1 is actually
      running it with TS=1, we should inject the fault into L1.
      
      The effective value of CR0 in L2 is contained in vmcs12->guest_cr0, use
      it.
      
      Fixes: e504c909
      Reported-by: Kashyap Chamarty <kchamart@redhat.com>
      Reported-by: Stefan Bader <stefan.bader@canonical.com>
      Tested-by: Kashyap Chamarty <kchamart@redhat.com>
      Tested-by: Anthoine Bourgeois <bourgeois@bertin.fr>
      Cc: stable@vger.kernel.org
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • Merge tag 'metag-fixes-v3.14' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag · 86c7654f
      Linus Torvalds authored
      Pull Metag arch and asm-generic fixes from James Hogan:
      
       - Add the new sched_setattr/sched_getattr syscalls to the asm-generic
         syscall list, which is used by arc, arm64, c6x, hexagon, metag,
         openrisc, score, tile, and unicore32.
      
       - An IRQ affinity bug fix for metag to prevent interrupts being
         vectored to offline CPUs when their affinity is changed via
         /proc/irq/ (thanks tglx).
      
      * tag 'metag-fixes-v3.14' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag:
        irq-metag*: stop set_affinity vectoring to offline cpus
        asm-generic: add sched_setattr/sched_getattr syscalls
    • Merge tag 'pwm/for-3.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm · 3ebd3da6
      Linus Torvalds authored
      
      Pull pwm fix from Thierry Reding:
       "Just a single trivial patch to plug a memory leak in an error path"
      
      * tag 'pwm/for-3.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm:
        pwm: lp3943: Fix potential memory leak during request
    • Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 8d753182
      Linus Torvalds authored
      Pull filesystem fixes from Jan Kara:
       "Notification, writeback, udf, quota fixes
      
        The notification patches are (with one exception) a fallout of my
        fsnotify rework which went into -rc1 (I've extented LTP to cover these
        cornercases to avoid similar breakage in future).
      
        The UDF patch is a nasty data corruption Al has recently reported,
        the revert of the writeback patch is due to possibility of violating
        sync(2) guarantees, and a quota bug can lead to corruption of quota
        files in ocfs2"
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        fsnotify: Allocate overflow events with proper type
        fanotify: Handle overflow in case of permission events
        fsnotify: Fix detection whether overflow event is queued
        Revert "writeback: do not sync data dirtied after sync start"
        quota: Fix race between dqput() and dquot_scan_active()
        udf: Fix data corruption on file type conversion
        inotify: Fix reporting of cookies for inotify events
    • Merge tag 'upstream-3.14-rc5' of git://git.infradead.org/linux-ubifs · bb7d43b1
      Linus Torvalds authored
      Pull ubifs fix from Artem Bityutskiy:
       "Just a single fix for the UBI module unload path which makes sure we
        do not touch freed memory"
      
      * tag 'upstream-3.14-rc5' of git://git.infradead.org/linux-ubifs:
        UBI: fix some use after free bugs
    • kvm: x86: fix emulator buffer overflow (CVE-2014-0049) · a08d3b3b
      Andrew Honig authored
      
      The problem occurs when the guest performs a pusha with the stack
      address pointing to an mmio address (or an invalid guest physical
      address) to start with, but then extending into an ordinary guest
      physical address.  When doing repeated emulated pushes
      emulator_read_write sets mmio_needed to 1 on the first one.  On a
      later push when the stack points to regular memory,
      mmio_nr_fragments is set to 0, but mmio_needed is not set to 0.
      
      As a result, KVM exits to userspace, and then returns to
      complete_emulated_mmio.  In complete_emulated_mmio
      vcpu->mmio_cur_fragment is incremented.  The termination condition of
      vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
      The code bounces back and forth to userspace incrementing
      mmio_cur_fragment past its buffer.  If the guest does nothing else it
      eventually leads to a crash on a memcpy from an invalid memory address.
      
      However if guest code can cause the vm to be destroyed in another
      vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
      can be used by the guest to control the data that's pointed to by the
      call to cancel_work_item, which can be used to gain execution.
      
      Fixes: f78146b0
      Signed-off-by: Andrew Honig <ahonig@google.com>
      Cc: stable@vger.kernel.org (3.5+)
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
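The state machine that the message describes, as an added example that is not part of the commit or of KVM itself: a user-space C model in which a pusha whose stack starts in MMIO and then crosses into ordinary RAM leaves mmio_needed set while mmio_nr_fragments is zero, so an equality termination test never fires and the fragment index walks off the end of the array. The field names follow the commit message; the array size, the helper names and the ">=" termination test used as the hardened variant are assumptions of the example.

```c
/*
 * Added example, not KVM code: a user-space model of the MMIO fragment
 * state machine from the CVE-2014-0049 commit message. The field names
 * (mmio_needed, mmio_nr_fragments, mmio_cur_fragment, mmio_fragments)
 * follow the message; the array size, the helper names and the ">="
 * termination test used as the "fixed" variant are assumptions made for
 * this illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MMIO_MAX_FRAGMENTS 2          /* assumed: a small fixed-size array */

struct mmio_fragment { unsigned long gpa; unsigned int len; };

struct vcpu_model {
    bool mmio_needed;
    unsigned int mmio_nr_fragments;
    unsigned int mmio_cur_fragment;
    struct mmio_fragment mmio_fragments[MMIO_MAX_FRAGMENTS];
};

/* One emulated stack write, modelled on emulator_read_write as described:
 * the fragment count is reset for every access; a write that hits MMIO
 * records one fragment and arms mmio_needed (the write is posted, so
 * emulation continues); a write that hits RAM returns early and leaves
 * mmio_needed exactly as it was. That asymmetry is the bug. */
static void emulated_write(struct vcpu_model *v, unsigned long gpa, bool is_mmio)
{
    v->mmio_nr_fragments = 0;
    if (!is_mmio)
        return;                          /* plain RAM: nothing for userspace */
    v->mmio_fragments[0].gpa = gpa;
    v->mmio_fragments[0].len = 8;
    v->mmio_nr_fragments = 1;
    v->mmio_cur_fragment = 0;
    v->mmio_needed = true;
}

/* Model of the complete_emulated_mmio round trips after a userspace exit.
 * Returns the number of trips until mmio_needed clears, or -1 if the
 * fragment index would step past the array (the overflow). */
static int complete_mmio(struct vcpu_model *v, bool fixed)
{
    int trips = 0;
    while (v->mmio_needed) {
        if (v->mmio_cur_fragment >= MMIO_MAX_FRAGMENTS)
            return -1;                   /* real code would memcpy from garbage */
        /* ...copy mmio_fragments[mmio_cur_fragment] to/from the run area... */
        v->mmio_cur_fragment++;
        trips++;
        bool done = fixed ? v->mmio_cur_fragment >= v->mmio_nr_fragments
                          : v->mmio_cur_fragment == v->mmio_nr_fragments;
        if (done)
            v->mmio_needed = false;
    }
    return trips;
}

/* A pusha whose stack starts in MMIO and then spills into RAM. Constructed
 * addresses: 0xfee00000 stands in for an MMIO page, 0x1000 for guest RAM. */
static int pusha_from_mmio_into_ram(bool fixed)
{
    struct vcpu_model v;
    memset(&v, 0, sizeof v);
    emulated_write(&v, 0xfee00000ul, true);   /* first push hits MMIO */
    emulated_write(&v, 0x1000ul, false);      /* next push hits ordinary RAM */
    /* Emulation finished with mmio_needed set but zero fragments queued. */
    return complete_mmio(&v, fixed);
}

int main(void)
{
    printf("unfixed: %d (negative means the index ran off the array)\n",
           pusha_from_mmio_into_ram(false));
    printf("fixed:   %d round trip(s)\n", pusha_from_mmio_into_ram(true));
    return 0;
}
```

The unfixed variant returns -1 because mmio_cur_fragment counts 1, 2, ... and never equals the zero fragment count, while the ">=" variant clears mmio_needed after a single round trip. The general point for review: when one path resets a counter (mmio_nr_fragments) it must also reset the flag paired with it (mmio_needed), or the consumer's termination test must be a bound rather than an equality.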
    • arm/arm64: KVM: detect CPU reset on CPU_PM_EXIT · b20c9f29
      Marc Zyngier authored
      
      Commit 1fcf7ce0 (arm: kvm: implement CPU PM notifier) added
      support for CPU power-management, using a cpu_notifier to re-init
      KVM on a CPU that entered CPU idle.
      
      The code assumed that a CPU entering idle would actually be powered
      off, losing its state entirely, and would then need to be
      reinitialized. It turns out that this is not always the case, and
      some HW performs CPU PM without actually killing the core. In this
      case, we try to reinitialize KVM while it is still live. It ends up
      badly, as reported by Andre Przywara (using a Calxeda Midway):
      
      [    3.663897] Kernel panic - not syncing: unexpected prefetch abort in Hyp mode at: 0x685760
      [    3.663897] unexpected data abort in Hyp mode at: 0xc067d150
      [    3.663897] unexpected HVC/SVC trap in Hyp mode at: 0xc0901dd0
      
      The trick here is to detect if we've been through a full re-init or
      not by looking at HVBAR (VBAR_EL2 on arm64). This involves
      implementing the backend for __hyp_get_vectors in the main KVM HYP
      code (rather small), and checking the return value against the
      default one when the CPU notifier is called on CPU_PM_EXIT.
      
      Reported-by: Andre Przywara <osp@andrep.de>
      Tested-by: Andre Przywara <osp@andrep.de>
      Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: Rob Herring <rob.herring@linaro.org>
      Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  4. Feb 25, 2014
    • irq-metag*: stop set_affinity vectoring to offline cpus · f229006e
      James Hogan authored
      
      Fix irq_set_affinity callbacks in the Meta IRQ chip drivers to AND
      cpu_online_mask into the cpumask when picking a CPU to vector the
      interrupt to.
      
      As Thomas pointed out, the /proc/irq/$N/smp_affinity interface doesn't
      filter out offline CPUs, so without this patch if you offline CPU0 and
      set an IRQ affinity to 0x3 it vectors the interrupt onto CPU0 even
      though it is offline.
      
      Reported-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-metag@vger.kernel.org
      Cc: stable@vger.kernel.org
    • Merge tag 'dmaengine-fixes-3.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/dmaengine · 6dba6ecb
      Linus Torvalds authored
      
      Pull dmaengine fixes from Dan Williams:
       "Fix tasklet lifetime management in the ioat driver causing ksoftirqd
        to spin indefinitely.
      
          References:
          https://lkml.org/lkml/2014/1/27/282
          https://lkml.org/lkml/2014/2/19/672"
      
      * tag 'dmaengine-fixes-3.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/dmaengine:
        ioat: fix tasklet tear down
    • Merge tag 'for-linus-20140225' of git://git.infradead.org/linux-mtd · e4cc60cb
      Linus Torvalds authored
      Pull MTD fixes from Brian Norris:
       "Two main MTD fixes:
      
        1. Read retry counting was off by one, so if we had a true ECC error
           (i.e., no retry voltage threshold would give a clean read), we
           would end up returning -EINVAL on the Nth mode instead of -EBADMSG
           after the (N-1)th mode
      
        2. The OMAP NAND driver had some of its ECC layouts wrong when
           introduced in 3.13, causing incompatibilities between the
           bootloader on-flash layout and the layout expected in Linux.  The
           expected layouts are now documented in the commit messages, and we
           plan to add this under Documentation/mtd/nand/ eventually"
      
      * tag 'for-linus-20140225' of git://git.infradead.org/linux-mtd:
        mtd: nand: omap: fix ecclayout->oobfree->length
        mtd: nand: omap: fix ecclayout->oobfree->offset
        mtd: nand: omap: fix ecclayout to be in sync with u-boot NAND driver
        mtd: nand: fix off-by-one read retry mode counting
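The retry loop behind item 1 of the MTD pull, as an added example that is not MTD code: a C model of a NAND chip with read_retries voltage-threshold modes numbered 0..read_retries-1, in which a "<=" comparison lets the loop ask for mode N (which does not exist, so -EINVAL escapes) while the "<" comparison stops after mode N-1 and reports the genuine uncorrectable error as -EBADMSG. The chip model, read_page_ecc(), the wrapper read_with_retries() and the exact form of the off-by-one comparison are assumptions of the example.

```c
/*
 * Added example, not MTD code: a user-space model of the NAND read-retry
 * loop described in the pull request. The chip offers read_retries
 * voltage-threshold modes numbered 0..read_retries-1 and rejects any other
 * mode with -EINVAL. The chip model, read_page_ecc() and the exact form of
 * the off-by-one comparison are assumptions made for this illustration.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct chip_model {
    int read_retries;     /* number of retry modes the chip supports (N) */
    int good_from_mode;   /* constructed: first mode that reads clean, -1 if none */
    int current_mode;
};

/* Only modes 0..read_retries-1 exist; anything else is rejected. */
static int setup_read_retry(struct chip_model *c, int mode)
{
    if (mode < 0 || mode >= c->read_retries)
        return -EINVAL;
    c->current_mode = mode;
    return 0;
}

/* Constructed page read: 0 when the current mode yields a clean read,
 * -EBADMSG when ECC cannot correct it. */
static int read_page_ecc(const struct chip_model *c)
{
    if (c->good_from_mode >= 0 && c->current_mode >= c->good_from_mode)
        return 0;
    return -EBADMSG;
}

/* Model of the retry loop. With the broken comparison the loop advances
 * to mode N, which does not exist, so -EINVAL escapes to the caller; with
 * the fixed one it stops after mode N-1 and reports -EBADMSG. */
static int do_read_with_retry(struct chip_model *c, bool fixed)
{
    int retry_mode = 0;

    c->current_mode = 0;
    for (;;) {
        int ret;

        if (read_page_ecc(c) == 0)
            return 0;
        bool more = fixed ? retry_mode + 1 < c->read_retries    /* fixed */
                          : retry_mode + 1 <= c->read_retries;  /* broken */
        if (!more) {
            setup_read_retry(c, 0);   /* back to the default mode */
            return -EBADMSG;          /* genuine uncorrectable error */
        }
        retry_mode++;
        ret = setup_read_retry(c, retry_mode);
        if (ret)
            return ret;               /* -EINVAL leaks out in the broken variant */
    }
}

/* Convenience wrapper: a chip with n modes that first reads clean at
 * good_from_mode (or never, if -1). */
static int read_with_retries(int n, int good_from_mode, bool fixed)
{
    struct chip_model c = { n, good_from_mode, 0 };
    return do_read_with_retry(&c, fixed);
}

int main(void)
{
    printf("no clean mode, broken: %d (-EINVAL is %d)\n",
           read_with_retries(3, -1, false), -EINVAL);
    printf("no clean mode, fixed:  %d (-EBADMSG is %d)\n",
           read_with_retries(3, -1, true), -EBADMSG);
    printf("clean at mode 2:       %d\n", read_with_retries(3, 2, true));
    return 0;
}
```

Both variants behave identically whenever some mode does read clean; the difference only shows on a page that is truly unrecoverable, which is exactly the case a caller needs reported as -EBADMSG rather than as an argument error.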
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k · c378a656
      Linus Torvalds authored
      Pull m68k update from Geert Uytterhoeven:
        - More barrier.h consolidation
        - Sched_[gs]etattr() syscalls
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k:
        m68k: Wire up sched_setattr and sched_getattr
        m68k: Switch to asm-generic/barrier.h
        m68k: Sort arch/m68k/include/asm/Kbuild
    • Merge tag 'xtensa-next-20140224' of git://github.com/czankel/xtensa-linux · bafb8192
      Linus Torvalds authored
      Pull xtensa fixes from Chris Zankel:
       "This series includes fixes for potentially serious bugs in the
        routines spilling processor registers to stack, as well as other
        issues and compiler errors and warnings.
      
         - allow booting xtfpga on boards with new uBoot and >128MBytes memory
         - drop nonexistent GPIO32 support from fsf variant
         - don't select USE_GENERIC_SMP_HELPERS
         - enable common clock framework support, set up ethoc clock on xtfpga
         - wire up sched_setattr and sched_getattr syscalls.
         - fix system call to spill the processor registers to stack.
         - improve kernel macro to spill the processor registers
         - export ccount_freq symbol
         - fix undefined symbol warning"
      
      * tag 'xtensa-next-20140224' of git://github.com/czankel/xtensa-linux:
        xtensa: wire up sched_setattr and sched_getattr syscalls
        xtensa: xtfpga: set ethoc clock frequency
        xtensa: xtfpga: use common clock framework
        xtensa: support common clock framework
        xtensa: no need to select USE_GENERIC_SMP_HELPERS
        xtensa: fsf: drop nonexistent GPIO32 support
        xtensa: don't pass high memory to bootmem allocator
        xtensa: fix fast_syscall_spill_registers
        xtensa: fix fast_syscall_spill_registers
        xtensa: save current register frame in fast_syscall_spill_registers_fixup
        xtensa: introduce spill_registers_kernel macro
        xtensa: export ccount_freq
        xtensa: fix warning '"CONFIG_OF" is not defined'
    • ioat: fix tasklet tear down · da87ca4d
      Dan Williams authored
      Since commit 77873803 "net_dma: mark broken" we no longer pin dma
      engines active for the network-receive-offload use case.  As a result
      the ->free_chan_resources() that occurs after the driver self test no
      longer has a NET_DMA induced ->alloc_chan_resources() to back it up.  A
      late firing irq can lead to ksoftirqd spinning indefinitely due to the
      tasklet_disable() performed by ->free_chan_resources().  Only
      ->alloc_chan_resources() can clear this condition in affected kernels.
      
      This problem has been present since commit 3e037454 "I/OAT: Add
      support for MSI and MSI-X" in 2.6.24, but is now exposed. Given the
      NET_DMA use case is deprecated we can revisit moving the driver to use
      threaded irqs.  For now, just tear down the irq and tasklet properly by:
      
      1/ Disable the irq from triggering the tasklet
      
      2/ Disable the irq from re-arming
      
      3/ Flush inflight interrupts
      
      4/ Flush the timer
      
      5/ Flush inflight tasklets
      
      References:
      https://lkml.org/lkml/2014/1/27/282
      https://lkml.org/lkml/2014/2/19/672
      
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: <stable@vger.kernel.org>
      Reported-by: Mike Galbraith <bitbucket@online.de>
      Reported-by: Stanislav Fomichev <stfomichev@yandex-team.ru>
      Tested-by: Mike Galbraith <bitbucket@online.de>
      Tested-by: Stanislav Fomichev <stfomichev@yandex-team.ru>
      Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    • fsnotify: Allocate overflow events with proper type · ff57cd58
      Jan Kara authored
      
      Commit 7053aee2 "fsnotify: do not share events between notification
      groups" used an overflow event statically allocated in a group with the
      size of the generic notification event. This causes problems because
      some code looks at type-specific parts of the event structure and gets
      confused by the random data it sees there, which causes crashes.
      
      Fix the problem by allocating the overflow event with the type corresponding to
      the group type so code cannot get confused.
      
      Signed-off-by: Jan Kara <jack@suse.cz>