- Dec 27, 2019
-
Commit 945aceb1 upstream. Call the per-processor type check_bugs() method in the same way as we do other per-processor functions - move the "processor." detail into proc-fns.h. Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Tested-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 65987a85 upstream. Split out the lookup of the processor type and associated error handling from the rest of setup_processor() - we will need to use this in the secondary CPU bringup path for big.Little Spectre variant 2 mitigation. Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Tested-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 899a42f8 upstream. Move lookup_processor_type() out of the __init section so it is callable from (eg) the secondary startup code during hotplug. Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Tested-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 5df7a99b upstream. In vfp_preserve_user_clear_hwstate, ufp_exc->fpinst2 gets assigned to itself. It should actually be hwstate->fpinst2 that gets assigned to the ufp_exc field. Fixes commit 3aa2df6e ("ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state"). Reported-by:
David Binderman <dcb314@hotmail.com> Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit a1d09e07 upstream. Sanitize user pointer given to __copy_to_user, both for standard version and memcopy version of the user accessor. Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit afaf6838 upstream. Introduce C and asm helpers to sanitize user address, taking the address range they target into account. Use asm helper for existing sanitization in __copy_from_user(). Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit e3aa6243 upstream. When Spectre mitigation is required, __put_user() needs to include check_uaccess. This is already the case for put_user(), so just make __put_user() an alias of put_user(). Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 621afc67 upstream. A mispredicted conditional call to set_fs could result in the wrong addr_limit being forwarded under speculation to a subsequent access_ok check, potentially forming part of a spectre-v1 attack using uaccess routines. This patch prevents this forwarding from taking place, by putting heavy barriers in set_fs after writing the addr_limit. Porting commit c2f0ad4f ("arm64: uaccess: Prevent speculative use of the current addr_limit"). Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 18ea66bd upstream. With Spectre-v1.1 mitigations, __put_user_error is pointless. In an attempt to remove it, replace its references in frame setups with __put_user. Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 31950890 upstream. Copy events to user using __copy_to_user() rather than copy members individually with __put_user_error(). This has the benefit of disabling/enabling PAN once per event instead of once per event member. Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 3aa2df6e upstream. Use __copy_to_user() rather than __put_user_error() for individual members when saving VFP state. This has the benefit of disabling/enabling PAN once per copied struct instead of once per write. Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 73839798 upstream. When setting a dummy iwmmxt context, create a local instance and use __copy_to_user in both cases, whether iwmmxt is being used or not. This has the benefit of disabling/enabling PAN once for the whole copy instead of once per write. Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Commit 5ca451cf upstream. When saving the ARM integer registers, use __copy_to_user() to copy them into user signal frame, rather than __put_user_error(). This has the benefit of disabling/enabling PAN once for the whole copy instead of once per write. Signed-off-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by:
David A. Long <dave.long@linaro.org> Reviewed-by:
Julien Thierry <julien.thierry@arm.com> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
[ Upstream commit 37cf28d3 ] Works with ST M24M02. Signed-off-by:
Adrian Bunk <bunk@kernel.org> Signed-off-by:
Bartosz Golaszewski <brgl@bgdev.pl> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
[ Upstream commit 6c0c5dc3 ] Add new compatible to the device tree bindings. Signed-off-by:
Adrian Bunk <bunk@kernel.org> Acked-by:
Rob Herring <robh@kernel.org> Signed-off-by:
Bartosz Golaszewski <brgl@bgdev.pl> Signed-off-by:
Sasha Levin <sashal@kernel.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
谢秀奇 authored
hulk inclusion category: feature feature: performance/latency upstream: never bugzilla: 2680,10641 CVE: NA The previous patch "kmod: run usermodehelpers only on cpus allowed for kthreadd V2" allows setting the usermodehelper thread's affinity. Add an interface to disable/enable usermodhelper_affinity. Disabled by default. [XQ: backport patch from euleros 2.x: - kmod.c => umh.c ] Signed-off-by:
Xie XiuQi <xiexiuqi@huawei.com> Reviewed-by:
Li Bin <huawei.libin@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
hulk inclusion category: feature feature: performance/latency upstream: never bugzilla: 2680,10641 CVE: NA Isolate the usermodehelper kernel threads to other cpus, to avoid the latency issue. With this patch, the usermodehelper thread could inherit kthreadd's affinity. For example, if you want to isolate usermodehelper to cpu 1: 1) taskset -cp 1 2 # bind kthreadd task (pid = 2) to cpu 1 2) trigger call usermodehelper threads --------------------------------------------- usermodehelper() threads can currently run on all processors. This is an issue for low latency cores. Spawning a new thread causes cpu holdoffs in the range of hundreds of microseconds to a few milliseconds. Not good for cores on which processes run that need to react as fast as possible. kthreadd threads can be restricted using taskset to a limited set of processors. Then the kernel thread pool will not fork processes on those anymore thereby protecting those processors from additional latencies. Make usermodehelper() threads obey the limitations that kthreadd is restricted to. Kthreadd is not the parent of usermodehelper threads so we need to explicitly get the allowed processors for kthreadd. Before this patch there is no way to limit the cpus that usermodehelper can run on since the affinity is set when the thread is spawned to all processors. [akpm@linux-foundation.org: set_cpus_allowed() doesn't exist when CONFIG_CPUMASK_OFFSTACK=y] [akpm@linux-foundation.org: coding-style fixes] Signed-off-by:
Christoph Lameter <cl@linux.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Mike Galbraith <bitbucket@online.de> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Gilad Ben-Yossef <gilad@benyossef.com> Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> Cc: Mike Frysinger <vapier@gentoo.org> Cc: Tejun Heo <tj@kernel.org> Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Link: https://patchwork.kernel.org/patch/3153671/ Reported-and-tested-by:
Xiangyou Xie <xiexiangyou@huawei.com> [ 1) kmod.c => umh.c 2) ____call_usermodehelper => call_usermodehelper_exec_async ] Signed-off-by:
Xie XiuQi <xiexiuqi@huawei.com> Reviewed-by:
Li Bin <huawei.libin@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
euler inclusion category: bugfix CVE: NA Bugzilla: 9580 --------------------------- The patch controls the open/close of the feature by the /proc/sys/vm/cache_reclaim_enable, hence we can completely close all background threads for user demand. Signed-off-by:
zhongjiang <zhongjiang@huawei.com> Reviewed-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
hulk inclusion category: bugfix bugzilla: 9583 CVE: NA ------------------------------------------------- The output of "perf annotate -l --stdio xxx" changed since commit 425859ff ("perf annotate: No need to calculate notes->start twice") removed notes->start assignment in symbol__calc_lines(). It will get failed in find_address_in_section() from symbol__tty_annotate() subroutine as the a2l->addr is wrong. So the annotate summary doesn't report the line number of source code correctly. Before fix: [root@localhost tools]# ./perf/perf record -o perf.data /root/common_while_1 ^C[ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.261 MB perf.data (6538 samples) ] [root@localhost tools]# ./perf/perf annotate -i perf.data -l -s hotspot_1 --stdio | less Sorted summary for file /root/common_while_1 ---------------------------------------------- 32.53 common_while_1[3c] 32.26 common_while_1[14] 15.59 common_while_1[38] 14.89 common_while_1[2c] 2.48 common_while_1[48] 1.10 common_while_1[c] 0.58 common_while_1[8] Percent | Source code & Disassembly of common_while_1 for cycles:ppp (2457 samples, percent: local period) ---------------------------------------------------------------------------------------------------------------- : : : : Disassembly of section .text: : : 00000000004008b0 <hotspot_1>: : hotspot_1(): : for(i = 0; i<=100; i++) { : s_cnt2++; : } : } : : void hotspot_1() { 0.00 : 4008b0: stp x29, x30, [sp,#-32]! 0.00 : 4008b4: mov x29, sp : int i; : while(1) { : hotspot_2(); common_while_1[8] 0.58 : 4008b8: bl 400864 <hotspot_2> : for(i = 0; i<=100; i++) { common_while_1[c] 1.10 : 4008bc: str wzr, [x29,#28] 0.00 : 4008c0: b 4008ec <hotspot_1+0x3c> : s_cnt1++; common_while_1[14] 32.26 : 4008c4: adrp x0, 420000 <fclose@GLIBC_2.17> 0.00 : 4008c8: add x0, x0, #0x7c 0.16 : 4008cc: ldr w0, [x0] 0.00 : 4008d0: add w1, w0, #0x1 ... 
After fix: [root@localhost tools]# ./perf/perf record -o perf.data /root/common_while_1 ^C[ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.261 MB perf.data (6538 samples) ] [root@localhost tools]# ./perf/perf annotate -i perf.data -l -s hotspot_1 --stdio | less Sorted summary for file /root/common_while_1 ---------------------------------------------- 50.27 common_while_1.c:37 46.46 common_while_1.c:38 2.79 common_while_1.c:36 Percent | Source code & Disassembly of common_while_1 for cycles:ppp (3149 samples, percent: local period) ---------------------------------------------------------------------------------------------------------------- : : : : Disassembly of section .text: : : 00000000004008b0 <hotspot_1>: : hotspot_1(): : for(i = 0; i<=100; i++) { : s_cnt2++; : } : } : : void hotspot_1() { 0.00 : 4008b0: stp x29, x30, [sp,#-32]! 0.00 : 4008b4: mov x29, sp : int i; : while(1) { : hotspot_2(); common_while_1.c:36 0.82 : 4008b8: bl 400864 <hotspot_2> : for(i = 0; i<=100; i++) { common_while_1.c:37 1.17 : 4008bc: str wzr, [x29,#28] 0.00 : 4008c0: b 4008ec <hotspot_1+0x3c> : s_cnt1++; common_while_1.c:38 31.33 : 4008c4: adrp x0, 420000 <fclose@GLIBC_2.17> 0.00 : 4008c8: add x0, x0, #0x7c 0.19 : 4008cc: ldr w0, [x0] 0.00 : 4008d0: add w1, w0, #0x1 ... Fixes: 425859ff ("perf annotate: No need to calculate notes->start twice") Signed-off-by:
Wei Li <liwei391@huawei.com> Signed-off-by:
Wei Li <liwei391@huawei.com> Reviewed-by:
Li Bin <huawei.libin@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
euler inclusion category: feature bugzilla: 9511 CVE: NA ------------------------------------------------- Consider two IPVlan devices are set up on the same master, when they communicate with each other by TCP, the receive part is too fast to make the send packets coalesced, so in this case, the performance is not as good as we expect. This patch introduces a local xmit queue for l2e mode, when the packets are sent to the IPVlan devices of the same master, the packets will be cloned and added to the local xmit queue, this operation can make the send packets coalesced and improve the TCP performance in this case. Signed-off-by:
Keefe LIU <liuqifa@huawei.com> Reviewed-by:
Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
euler inclusion category: bugfix bugzilla: 9511 CVE: NA ------------------------------------------------- In commit <7a0f243de9e2> "ipvlan: Introduce l2e mode", we introduced ipvlan_default_mode as a way to enable the ipvlan's default mode. However, we didn't check the value of this module parameter. This patch first fixes a spelling error of "mode", and then adds the value check for ipvlan_default_mode. Signed-off-by:
Keefe LIU <liuqifa@huawei.com> Reviewed-by:
Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
euler inclusion category: feature bugzilla: 9511 CVE: NA ------------------------------------------------- In a typical IPvlan L2 setup where master is in default-ns and each slave is into different (slave) ns. In this setup, if master and slaves in different net, egress packet processing for traffic originating from slave-ns can't be forwarded to master or other machine whose ip in the same net with master, and they can't be forwarded to other interface in default-ns. This patch introduces a new mode l2e for ipvlan to realize above goals, and it won't affect the original l2, l3, l3s mode. As the ip tool doesn't support l2e mode, we use module param "ipvlan_default_mode" to set the default work mode. 0 for l2 mode, 1 for l3, 2 for l2e, 3 for l3s, others invalid now. Attention, when we create ipvlan devices by "ip" command, if we assign the mode, ipvlan will work in the mode we assigned other than the "ipvlan_default_mode". Signed-off-by:
Keefe LIU <liuqifa@huawei.com> Reviewed-by:
Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-4.20-rc7 commit 7bca603a category: bugfix bugzilla: 6625 CVE: NA ----------------------------- Since any page fault may be interrupted by a MMU invalidation and implicit Pagefaults occurred in non-ODP MR are completely valid events, so initialize return variable to 0. Fixes: 4d5422a3 ("IB/mlx5: Skip non-ODP MR when handling a page fault") Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com> Signed-off-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-4.20-rc7 commit 4d5422a3 category: bugfix bugzilla: 6625 CVE: NA ----------------------------- Since any page fault may be interrupted by a MMU invalidation and implicit It is possible that we call pagefault_single_data_segment() with a MKey that belongs to a memory region which is not on demand (i.e. pinned pages). This can happen if, for instance, a WQE that points to multiple MRs where some of them are ODP MRs and some are not. In this case we don't need to handle this MR in the ODP context besides reporting success. Otherwise the code will call pagefault_mr() which will do to_ib_umem_odp() on a non-ODP MR and thus access out of bounds. Conflicts: drivers/infiniband/hw/mlx5/odp.c [jingxiangfeng: '597ecc5a RDMA/umem: Get rid of struct ib_umem.odp_data' is not necessary to backport. So I have changed to 'umem->odp_data' instead of 'umem->is_odp'.] Fixes: 7bdf65d4 ("IB/mlx5: Handle page faults") Signed-off-by:
Artemy Kovalyov <artemyko@mellanox.com> Signed-off-by:
Moni Shoua <monis@mellanox.com> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com> Signed-off-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0-rc5 commit f45f8edb category: bugfix bugzilla: 7391 CVE: NA ----------------------------- Since any page fault may be interrupted by a MMU invalidation and implicit The commit cited below replaced rdma_create_ah with mlx4_ib_create_slave_ah when creating AHs for the paravirtualized special QPs. However, this change also required replacing rdma_destroy_ah with mlx4_ib_destroy_ah in the affected flows. The commit missed 3 places where rdma_destroy_ah should have been replaced with mlx4_ib_destroy_ah. As a result, the pd usecount was decremented when the ah was destroyed -- although the usecount was NOT incremented when the ah was created. This caused the pd usecount to become negative, and resulted in the WARN_ON stack trace below when the mlx4_ib.ko module was unloaded: WARNING: CPU: 3 PID: 25303 at drivers/infiniband/core/verbs.c:329 ib_dealloc_pd+0x6d/0x80 [ib_core] Modules linked in: rdma_ucm rdma_cm iw_cm ib_cm ib_umad mlx4_ib(-) ib_uverbs ib_core mlx4_en mlx4_core nfsv3 nfs fscache configfs xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c ipt_REJECT nf_reject_ipv4 tun ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter bridge stp llc dm_mirror dm_region_hash dm_log dm_mod dax rndis_wlan rndis_host coretemp kvm_intel cdc_ether kvm usbnet iTCO_wdt iTCO_vendor_support cfg80211 irqbypass lpc_ich ipmi_si i2c_i801 mii pcspkr i2c_core mfd_core ipmi_devintf i7core_edac ipmi_msghandler ioatdma pcc_cpufreq dca acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi mptsas scsi_transport_sas mptscsih crc32c_intel ata_piix bnx2 mptbase ipv6 crc_ccitt autofs4 [last unloaded: mlx4_core] CPU: 3 PID: 25303 Comm: modprobe Tainted: G W I 5.0.0-rc1-net-mlx4+ #1 Hardware name: IBM -[7148ZV6]-/Node 1, System Card, BIOS -[MLE170CUS-1.70]- 09/23/2011 RIP: 0010:ib_dealloc_pd+0x6d/0x80 [ib_core] Code: 00 00 85 c0 75 02 5b c3 80 3d aa 87 03 00 00 75 f5 48 
c7 c7 88 d7 8f a0 31 c0 c6 05 98 87 03 00 01 e8 07 4c 79 e0 0f 0b 5b c3 <0f> 0b eb be 0f 0b eb ab 90 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 RSP: 0018:ffffc90005347e30 EFLAGS: 00010282 RAX: 00000000ffffffea RBX: ffff8888589e9540 RCX: 0000000000000006 RDX: 0000000000000006 RSI: ffff88885d57ad40 RDI: 0000000000000000 RBP: ffff88885b029c00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000004 R12: ffff8887f06c0000 R13: ffff8887f06c13e8 R14: 0000000000000000 R15: 0000000000000000 FS: 00007fd6743c6740(0000) GS:ffff88887fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000ed1038 CR3: 00000007e3156000 CR4: 00000000000006e0 Call Trace: mlx4_ib_close_sriov+0x125/0x180 [mlx4_ib] mlx4_ib_remove+0x57/0x1f0 [mlx4_ib] mlx4_remove_device+0x92/0xa0 [mlx4_core] mlx4_unregister_interface+0x39/0x90 [mlx4_core] mlx4_ib_cleanup+0xc/0xd7 [mlx4_ib] __x64_sys_delete_module+0x17d/0x290 ? trace_hardirqs_off_thunk+0x1a/0x1c ? do_syscall_64+0x12/0x180 do_syscall_64+0x4a/0x180 entry_SYSCALL_64_after_hwframe+0x49/0xbe Conflicts: drivers/infiniband/hw/mlx4/mad.c [jingxiangfeng: '2553ba21 RDMA: Mark if destroy address handle is in a sleepable context' has not been backported. So a 'flag' field has not been introduced in destroy address handle.] Fixes: 5e62d5ff ("IB/mlx4: Create slave AH's directly") Signed-off-by:
Jack Morgenstein <jackm@dev.mellanox.co.il> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com> Signed-off-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-4.20-rc1 commit 39f24956 category: bugfix bugzilla: 6678 CVE: NA ----------------------------- Since any page fault may be interrupted by a MMU invalidation and implicit Fix to return a negative error code from the mthca_cmd_init() error handling case instead of 0, as done elsewhere in this function. Fixes: 80fd8238 ("[PATCH] IB/mthca: Encapsulate command interface init") Signed-off-by:
Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com> Signed-off-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-4.20-rc7 commit 605728e6 category: bugfix bugzilla: 6607 CVE: NA ----------------------------- Since any page fault may be interrupted by a MMU invalidation and implicit The invalidate range was using PAGE_SIZE instead of the computed 'end', and had the wrong transformation of page_index due the weird construction. This can trigger during error unwind and would cause malfunction. Inline the code and correct the math. Fixes: 403cd12e ("IB/umem: Add contiguous ODP support") Signed-off-by:
Artemy Kovalyov <artemyko@mellanox.com> Signed-off-by:
Moni Shoua <monis@mellanox.com> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com> Signed-off-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-4.20-rc1 commit 67fecaf8 category: bugfix bugzilla: 6532 CVE: NA ----------------------------- Since any page fault may be interrupted by a MMU invalidation and implicit If port pkey list initialization fails, free the port_immutable memory during cleanup path. Currently it is missed out. If cache setup fails, free the pkey list during cleanup path. Fixes: d291f1a6 ("IB/core: Enforce PKey security on QPs") Signed-off-by:
Parav Pandit <parav@mellanox.com> Reviewed-by:
Daniel Jurgens <danielj@mellanox.com> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Doug Ledford <dledford@redhat.com> Signed-off-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0 commit 2aa958c9 category: bugfix bugzilla: 9323 CVE: NA ------------------------------------------------- Kexec-ing a kernel with "efi=noruntime" on the first kernel's command line causes the following null pointer dereference: BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 #PF error: [normal kernel read fault] Call Trace: efi_runtime_map_copy+0x28/0x30 bzImage64_load+0x688/0x872 arch_kexec_kernel_image_load+0x6d/0x70 kimage_file_alloc_init+0x13e/0x220 __x64_sys_kexec_file_load+0x144/0x290 do_syscall_64+0x55/0x1a0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Just skip the EFI info setup if EFI runtime services are not enabled. [ bp: Massage commit message. ] Suggested-by:
Dave Young <dyoung@redhat.com> Signed-off-by:
Kairui Song <kasong@redhat.com> Signed-off-by:
Borislav Petkov <bp@suse.de> Acked-by:
Dave Young <dyoung@redhat.com> Cc: AKASHI Takahiro <takahiro.akashi@linaro.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: bhe@redhat.com Cc: David Howells <dhowells@redhat.com> Cc: erik.schmauss@intel.com Cc: fanc.fnst@cn.fujitsu.com Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: kexec@lists.infradead.org Cc: lenb@kernel.org Cc: linux-acpi@vger.kernel.org Cc: Philipp Rudo <prudo@linux.vnet.ibm.com> Cc: rafael.j.wysocki@intel.com Cc: robert.moore@intel.com Cc: Thomas Gleixner <tglx@linutronix.de> Cc: x86-ml <x86@kernel.org> Cc: Yannik Sembritzki <yannik@sembritzki.me> Link: https://lkml.kernel.org/r/20190118111310.29589-2-kasong@redhat.com Signed-off-by:
Chen Zhou <chenzhou10@huawei.com> Reviewed-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
euler inclusion category: bugfix CVE: NA Bugzilla: 9580 --------------------------- It enables the feature by default. Signed-off-by:
zhong jiang <zhongjiang@huawei.com> Reviewed-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
euler inclusion category: bugfix CVE: NA Bugzilla: 9580 --------------------------- Just add Kconfig to the feature. Signed-off-by:
zhongjiang <zhongjiang@huawei.com> Reviewed-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
euler inclusion category: bugfix CVE: NA Bugzilla: 9580 --------------------------- Signed-off-by:
zhongjiang <zhongjiang@huawei.com> Reviewed-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0-rc1 commit cf7ad303 category: bugfix bugzilla: 6512 CVE: NA -------------------------- Since Virtual Lanes BCT credits and MTU are set through separate MADs, we ib_umad_reg_agent2() and ib_umad_reg_agent() access the device name in dev_notice(), while concurrently, ib_umad_kill_port() can destroy the device using device_destroy(). cpu-0 cpu-1 ----- ----- ib_umad_ioctl() [...] ib_umad_kill_port() device_destroy(dev) ib_umad_reg_agent() dev_notice(dev) Therefore, first mark ib_dev as NULL, to block any further access in file ops, unregister the mad agent and destroy the device at the end after mutex is unlocked. This ensures that device doesn't get destroyed, while it may get accessed. Conflicts: drivers/infiniband/core/user_mad.c [jingxiangfeng: '900d07c1 IB/umad: Simplify and avoid dynamic allocation of class' has not been backported. So I have changed "&umad_class" to "umad_class".] Fixes: 0f29b46d ("IB/mad: add new ioctl to ABI to support new registration options") Signed-off-by:
Parav Pandit <parav@mellanox.com> Reviewed-by:
Jack Morgenstein <jackm@mellanox.com> Reviewed-by:
Ira Weiny <ira.weiny@intel.com> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com> Signed-off-by:
Jing Xiangfeng <jingxiangfeng@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0 commit 98406133 category: bugfix bugzilla: 9397 CVE: NA ------------------------------------------------- Same story as before, these use struct ifreq and thus need to be read with the shorter version to not cause faults. Cc: stable@vger.kernel.org Fixes: f92d4fc9 ("kill bond_ioctl()") Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Zhiqiang Liu <liuzhiqiang26@huawei.com> Reviewed-by:
Mao Wenan <maowenan@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0 commit c6c9fee3 category: bugfix bugzilla: 9379 CVE: NA ------------------------------------------------- As reported by Robert O'Callahan in https://bugzilla.kernel.org/show_bug.cgi?id=202273 reverting the previous changes in this area broke the SIOCGIFNAME ioctl in compat again (I'd previously fixed it after his previous report of breakage in https://bugzilla.kernel.org/show_bug.cgi?id=199469 ). This is obviously because I fixed SIOCGIFNAME more or less by accident. Fix it explicitly now by making it pass through the restored compat translation code. Cc: stable@vger.kernel.org Fixes: 4cf808e7 ("kill dev_ifname32()") Reported-by:
Robert O'Callahan <robert@ocallahan.org> Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Zhiqiang Liu <liuzhiqiang26@huawei.com> Reviewed-by:
Mao Wenan <maowenan@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0 commit 37ac39bd category: bugfix bugzilla: 9384 CVE: NA ------------------------------------------------- This reverts commit bf440573 ("kill dev_ifsioc()"). This wasn't really unused as implied by the original commit, it still handles the copy to/from user differently, and the commit thus caused issues such as https://bugzilla.kernel.org/show_bug.cgi?id=199469 and https://bugzilla.kernel.org/show_bug.cgi?id=202273 However, deviating from a strict revert, rename dev_ifsioc() to compat_ifreq_ioctl() to be clearer as to its purpose and add a comment. Cc: stable@vger.kernel.org Fixes: bf440573 ("kill dev_ifsioc()") Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Zhiqiang Liu <liuzhiqiang26@huawei.com> Reviewed-by:
Mao Wenan <maowenan@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0 commit 63ff03ab category: bugfix bugzilla: 9409 CVE: NA ------------------------------------------------- This reverts commit 1cebf8f1 ("socket: fix struct ifreq size in compat ioctl"), it's a bugfix for another commit that I'll revert next. This is not a 'perfect' revert, I'm keeping some coding style intact rather than revert to the state with indentation errors. Cc: stable@vger.kernel.org Fixes: 1cebf8f1 ("socket: fix struct ifreq size in compat ioctl") Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Zhiqiang Liu <liuzhiqiang26@huawei.com> Reviewed-by:
Mao Wenan <maowenan@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0-rc7 commit 83e418a8 category: bugfix bugzilla: 9564 CVE: NA ------------------------------------------------- Commit bb364890 ("mmc: meson-gx: Free irq in release() callback") changed the _probe code to use request_threaded_irq() instead of devm_request_threaded_irq(). Unfortunately this removes a fallback for the interrupt name: devm_request_threaded_irq() uses the device name as fallback if the given IRQ name is NULL. request_threaded_irq() has no such fallback, thus /proc/interrupts shows "(null)" instead. Explicitly pass the dev_name() so we get the IRQ name shown in /proc/interrupts again. While here, also fix the indentation of the request_threaded_irq() parameter list. Fixes: bb364890 ("mmc: meson-gx: Free irq in release() callback") Signed-off-by:
Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by:
Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0-rc7 commit dcf6e2e3 category: bugfix bugzilla: 9571 CVE: NA ------------------------------------------------- The kblockd workqueue is created with the WQ_MEM_RECLAIM flag set. This generates a rescuer thread for that queue that will trigger when the CPU is under heavy load and collect the uncompleted work. In the case of mmc, this creates the possibility of a deadlock when there are multiple partitions on the device as other blk-mq work is also run on the same queue. For example: - worker 0 claims the mmc host to work on partition 1 - worker 1 attempts to claim the host for partition 2 but has to wait for worker 0 to finish - worker 0 schedules complete_work to release the host - rescuer thread is triggered after time-out and collects the dangling work - rescuer thread attempts to complete the work in order starting with claim host - the task to release host is now blocked by a task to claim it and will never be called The above results in multiple hung tasks that lead to failures to mount partitions. Handling complete_work on a separate workqueue avoids this by keeping the work completion tasks separate from the other blk-mq work. This allows the host to be released without getting blocked by other tasks attempting to claim the host. Signed-off-by:
Zachary Hays <zhays@lexmark.com> Fixes: 81196976 ("mmc: block: Add blk-mq support") Cc: <stable@vger.kernel.org> Signed-off-by:
Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-5.0 commit 45725e0f category: bugfix bugzilla: 9453 CVE: NA ------------------------------------------------- In the unlikely event that we cannot find any available LPI in the system, we should gracefully return an error instead of carrying on with no LPI allocated at all. Fixes: 38dd7c49 ("irqchip/gic-v3-its: Drop chunk allocation compatibility") Signed-off-by:
Marc Zyngier <marc.zyngier@arm.com> Signed-off-by:
Bixuan Cui <cuibixuan@huawei.com> Reviewed-by:
Hanjun Guo <guohanjun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>