1. 06 Sep, 2019 1 commit
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.3-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 13da6ac1
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "One fix for a boot hang on some Freescale machines when PREEMPT is
        enabled.
      
        Two CVE fixes for bugs in our handling of FP registers and
        transactional memory, both of which can result in corrupted FP state,
        or FP state leaking between processes.
      
        Thanks to: Chris Packham, Christophe Leroy, Gustavo Romero, Michael
        Neuling"
      
      * tag 'powerpc-5.3-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts
        powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction
        powerpc/64e: Drop stale call to smp_processor_id() which hangs SMP startup
      13da6ac1
  2. 05 Sep, 2019 5 commits
  3. 04 Sep, 2019 5 commits
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.3-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 3b47fd5c
      Linus Torvalds authored
      Pull NFS client bugfix from Trond Myklebust:
       "Regression fix inode fileid checks in attribute revalidation code"
      
      * tag 'nfs-for-5.3-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFS: Fix inode fileid checks in attribute revalidation code
      3b47fd5c
    • Ingo Molnar's avatar
      sched/core: Fix uclamp ABI bug, clean up and robustify sched_read_attr() ABI logic and code · 1251201c
      Ingo Molnar authored
      Thadeu Lima de Souza Cascardo reported that 'chrt' broke on recent kernels:
      
        $ chrt -p $$
        chrt: failed to get pid 26306's policy: Argument list too long
      
      and he has root-caused the bug to the following commit increasing sched_attr
      size and breaking sched_read_attr() into returning -EFBIG:
      
        a509a7cd
      
       ("sched/uclamp: Extend sched_setattr() to support utilization clamping")
      
      The other, bigger bug is that the whole sched_getattr() and sched_read_attr()
      logic of checking non-zero bits in new ABI components is arguably broken,
      and pretty much any extension of the ABI will spuriously break the ABI.
      That's way too fragile.
      
      Instead implement the perf syscall's extensible ABI instead, which we
      already implement on the sched_setattr() side:
      
       - if user-attributes have the same size as kernel attributes then the
         logic is unchanged.
      
       - if user-attributes are larger than the kernel knows about then simply
         skip the extra bits, but set attr->size to the (smaller) kernel size
         so that tooling can (in principle) handle older kernel as well.
      
       - if user-attributes are smaller than the kernel knows about then just
         copy whatever user-space can accept.
      
      Also clean up the whole logic:
      
       - Simplify the code flow - there's no need for 'ret' for example.
      
       - Standardize on 'kattr/uattr' and 'ksize/usize' naming to make sure we
         always know which side we are dealing with.
      
       - Why is it called 'read' when what it does is to copy to user? This
         code is so far away from VFS read() semantics that the naming is
         actively confusing. Name it sched_attr_copy_to_user() instead, which
         mirrors other copy_to_user() functionality.
      
       - Move the attr->size assignment from the head of sched_getattr() to the
         sched_attr_copy_to_user() function. Nothing else within the kernel
         should care about the size of the structure.
      
      With these fixes the sched_getattr() syscall now nicely supports an
      extensible ABI in both a forward and backward compatible fashion, and
      will also fix the chrt bug.
      
      As an added bonus the bogus -EFBIG return is removed as well, which as
      Thadeu noted should have been -E2BIG to begin with.
      
      Reported-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Tested-by: Dietmar Eggemann's avatarDietmar Eggemann <dietmar.eggemann@arm.com>
      Tested-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Acked-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Patrick Bellasi <patrick.bellasi@arm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: a509a7cd ("sched/uclamp: Extend sched_setattr() to support utilization clamping")
      Link: https://lkml.kernel.org/r/20190904075532.GA26751@gmail.com
      
      
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      1251201c
    • Gustavo Romero's avatar
      powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts · a8318c13
      Gustavo Romero authored
      When in userspace and MSR FP=0 the hardware FP state is unrelated to
      the current process. This is extended for transactions where if tbegin
      is run with FP=0, the hardware checkpoint FP state will also be
      unrelated to the current process. Due to this, we need to ensure this
      hardware checkpoint is updated with the correct state before we enable
      FP for this process.
      
      Unfortunately we get this wrong when returning to a process from a
      hardware interrupt. A process that starts a transaction with FP=0 can
      take an interrupt. When the kernel returns back to that process, we
      change to FP=1 but with hardware checkpoint FP state not updated. If
      this transaction is then rolled back, the FP registers now contain the
      wrong state.
      
      The process looks like this:
         Userspace:                      Kernel
      
                     Start userspace
                      with MSR FP=0 TM=1
                        < -----
         ...
         tbegin
         bne
                     Hardware interrupt
                         ---- >
                                          <do_IRQ...>
                                          ....
                                          ret_from_except
                                            restore_math()
      				        /* sees FP=0 */
                                              restore_fp()
                                                tm_active_with_fp()
      					    /* sees FP=1 (Incorrect) */
                                                load_fp_state()
                                              FP = 0 -> 1
                        < -----
                     Return to userspace
                       with MSR TM=1 FP=1
                       with junk in the FP TM checkpoint
         TM rollback
         reads FP junk
      
      When returning from the hardware exception, tm_active_with_fp() is
      incorrectly making restore_fp() call load_fp_state() which is setting
      FP=1.
      
      The fix is to remove tm_active_with_fp().
      
      tm_active_with_fp() is attempting to handle the case where FP state
      has been changed inside a transaction. In this case the checkpointed
      and transactional FP state is different and hence we must restore the
      FP state (ie. we can't do lazy FP restore inside a transaction that's
      used FP). It's safe to remove tm_active_with_fp() as this case is
      handled by restore_tm_state(). restore_tm_state() detects if FP has
      been using inside a transaction and will set load_fp and call
      restore_math() to ensure the FP state (checkpoint and transaction) is
      restored.
      
      This is a data integrity problem for the current process as the FP
      registers are corrupted. It's also a security problem as the FP
      registers from one process may be leaked to another.
      
      Similarly for VMX.
      
      A simple testcase to replicate this will be posted to
      tools/testing/selftests/powerpc/tm/tm-poison.c
      
      This fixes CVE-2019-15031.
      
      Fixes: a7771176
      
       ("powerpc: Don't enable FP/Altivec if not checkpointed")
      Cc: stable@vger.kernel.org # 4.15+
      Signed-off-by: default avatarGustavo Romero <gromero@linux.ibm.com>
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20190904045529.23002-2-gromero@linux.vnet.ibm.com
      a8318c13
    • Gustavo Romero's avatar
      powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction · 8205d5d9
      Gustavo Romero authored
      When we take an FP unavailable exception in a transaction we have to
      account for the hardware FP TM checkpointed registers being
      incorrect. In this case for this process we know the current and
      checkpointed FP registers must be the same (since FP wasn't used
      inside the transaction) hence in the thread_struct we copy the current
      FP registers to the checkpointed ones.
      
      This copy is done in tm_reclaim_thread(). We use thread->ckpt_regs.msr
      to determine if FP was on when in userspace. thread->ckpt_regs.msr
      represents the state of the MSR when exiting userspace. This is setup
      by check_if_tm_restore_required().
      
      Unfortunatley there is an optimisation in giveup_all() which returns
      early if tsk->thread.regs->msr (via local variable `usermsr`) has
      FP=VEC=VSX=SPE=0. This optimisation means that
      check_if_tm_restore_required() is not called and hence
      thread->ckpt_regs.msr is not updated and will contain an old value.
      
      This can happen if due to load_fp=255 we start a userspace process
      with MSR FP=1 and then we are context switched out. In this case
      thread->ckpt_regs.msr will contain FP=1. If that same process is then
      context switched in and load_fp overflows, MSR will have FP=0. If that
      process now enters a transaction and does an FP instruction, the FP
      unavailable will not update thread->ckpt_regs.msr (the bug) and MSR
      FP=1 will be retained in thread->ckpt_regs.msr.  tm_reclaim_thread()
      will then not perform the required memcpy and the checkpointed FP regs
      in the thread struct will contain the wrong values.
      
      The code path for this happening is:
      
             Userspace:                      Kernel
                         Start userspace
                          with MSR FP/VEC/VSX/SPE=0 TM=1
                            < -----
             ...
             tbegin
             bne
             fp instruction
                         FP unavailable
                             ---- >
                                              fp_unavailable_tm()
      					  tm_reclaim_current()
      					    tm_reclaim_thread()
      					      giveup_all()
      					        return early since FP/VMX/VSX=0
      						/* ckpt MSR not updated (Incorrect) */
      					      tm_reclaim()
      					        /* thread_struct ckpt FP regs contain junk (OK) */
                                                    /* Sees ckpt MSR FP=1 (Incorrect) */
      					      no memcpy() performed
      					        /* thread_struct ckpt FP regs not fixed (Incorrect) */
      					  tm_recheckpoint()
      					     /* Put junk in hardware checkpoint FP regs */
                                               ....
                            < -----
                         Return to userspace
                           with MSR TM=1 FP=1
                           with junk in the FP TM checkpoint
             TM rollback
             reads FP junk
      
      This is a data integrity problem for the current process as the FP
      registers are corrupted. It's also a security problem as the FP
      registers from one process may be leaked to another.
      
      This patch moves up check_if_tm_restore_required() in giveup_all() to
      ensure thread->ckpt_regs.msr is updated correctly.
      
      A simple testcase to replicate this will be posted to
      tools/testing/selftests/powerpc/tm/tm-poison.c
      
      Similarly for VMX.
      
      This fixes CVE-2019-15030.
      
      Fixes: f48e91e8
      
       ("powerpc/tm: Fix FP and VMX register corruption")
      Cc: stable@vger.kernel.org # 4.12+
      Signed-off-by: default avatarGustavo Romero <gromero@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20190904045529.23002-1-gromero@linux.vnet.ibm.com
      8205d5d9
    • Hui Wang's avatar
      ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre · 2a36c16e
      Hui Wang authored
      This ThinkCentre machine has a new realtek codec alc222, it is not
      in the support list, we add it in the realtek.c then this machine
      can apply FIXUPs for the realtek codec.
      
      And this machine has two front mics which can't be handled
      by PA so far, it uses the pin 0x18 and 0x19 as the front mics, as
      a result the existing FIXUP ALC294_FIXUP_LENOVO_MIC_LOCATION doesn't
      work on this machine. Fortunately another FIXUP
      ALC283_FIXUP_HEADSET_MIC also can change the location for one of the
      two mics on this machine.
      
      Link: https://lore.kernel.org/r/20190904055327.9883-1-hui.wang@canonical.com
      
      
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      2a36c16e
  4. 03 Sep, 2019 2 commits
  5. 02 Sep, 2019 9 commits
    • Tianyu Lan's avatar
      x86/hyper-v: Fix overflow bug in fill_gva_list() · 4030b4c5
      Tianyu Lan authored
      
      
      When the 'start' parameter is >=  0xFF000000 on 32-bit
      systems, or >= 0xFFFFFFFF'FF000000 on 64-bit systems,
      fill_gva_list() gets into an infinite loop.
      
      With such inputs, 'cur' overflows after adding HV_TLB_FLUSH_UNIT
      and always compares as less than end.  Memory is filled with
      guest virtual addresses until the system crashes.
      
      Fix this by never incrementing 'cur' to be larger than 'end'.
      
      Reported-by: default avatarJong Hyun Park <park.jonghyun@yonsei.ac.kr>
      Signed-off-by: default avatarTianyu Lan <Tianyu.Lan@microsoft.com>
      Reviewed-by: default avatarMichael Kelley <mikelley@microsoft.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 2ffd9e33
      
       ("x86/hyper-v: Use hypercall for remote TLB flush")
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      4030b4c5
    • Trond Myklebust's avatar
      NFS: Fix inode fileid checks in attribute revalidation code · eb3d8f42
      Trond Myklebust authored
      
      
      We want to throw out the attrbute if it refers to the mounted on fileid,
      and not the real fileid. However we do not want to block cache consistency
      updates from NFSv4 writes.
      
      Reported-by: default avatarMurphy Zhou <jencce.kernel@gmail.com>
      Fixes: 7e10cc25
      
       ("NFS: Don't refresh attributes with mounted-on-file...")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      eb3d8f42
    • Linus Torvalds's avatar
      Linux 5.3-rc7 · 089cf7f6
      Linus Torvalds authored
      089cf7f6
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 49ffdb4c
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char and misc driver fixes for reported issues for
        5.3-rc7
      
        Also included in here is the documentation for how we are handling
        hardware issues under embargo that everyone has finally agreed on, as
        well as a MAINTAINERS update for the suckers who agreed to handle the
        LICENSES/ files.
      
        All of these have been in linux-next last week with no reported
        issues"
      
      * tag 'char-misc-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        fsi: scom: Don't abort operations for minor errors
        vmw_balloon: Fix offline page marking with compaction
        VMCI: Release resource if the work is already queued
        Documentation/process: Embargoed hardware security issues
        lkdtm/bugs: fix build error in lkdtm_EXHAUST_STACK
        mei: me: add Tiger Lake point LP device ID
        intel_th: pci: Add Tiger Lake support
        intel_th: pci: Add support for another Lewisburg PCH
        stm class: Fix a double free of stm_source_device
        MAINTAINERS: add entry for LICENSES and SPDX stuff
        fpga: altera-ps-spi: Fix getting of optional confd gpio
      49ffdb4c
    • Linus Torvalds's avatar
      Merge tag 'usb-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 2c248f92
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes that have been in linux-next this past
        week for 5.3-rc7
      
        They fix the usual xhci, syzbot reports, and other small issues that
        have come up last week.
      
        All have been in linux-next with no reported issues"
      
      * tag 'usb-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: cdc-wdm: fix race between write and disconnect due to flag abuse
        usb: host: xhci: rcar: Fix typo in compatible string matching
        usb: host: xhci-tegra: Set DMA mask correctly
        USB: storage: ums-realtek: Whitelist auto-delink support
        USB: storage: ums-realtek: Update module parameter description for auto_delink_en
        usb: host: ohci: fix a race condition between shutdown and irq
        usb: hcd: use managed device resources
        typec: tcpm: fix a typo in the comparison of pdo_max_voltage
        usb-storage: Add new JMS567 revision to unusual_devs
        usb: chipidea: udc: don't do hardware access if gadget has stopped
        usbtmc: more sanity checking for packet size
        usb: udc: lpc32xx: silence fall-through warning
      2c248f92
    • Sam Bazley's avatar
      ALSA: hda/realtek - Add quirk for HP Pavilion 15 · d33cd42d
      Sam Bazley authored
      
      
      HP Pavilion 15 (AMD Ryzen-based model) with 103c:84e7 needs the same
      quirk like HP Envy/Spectre x360 for enabling the mute LED over Mic3 pin.
      
      [ rearranged in the SSID number order by tiwai ]
      
      Signed-off-by: default avatarSam Bazley <sambazley@fastmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      d33cd42d
    • Peter Zijlstra's avatar
      x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation · 9b8bd476
      Peter Zijlstra authored
      Identical to __put_user(); the __get_user() argument evalution will too
      leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region.
      While uncommon this was observed to happen for:
      
        drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i]))
      
      where UBSAN added array bound checking.
      
      This complements commit:
      
        6ae86561
      
       ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation")
      
      Tested-by Sedat Dilek <sedat.dilek@gmail.com>
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: broonie@kernel.org
      Cc: sfr@canb.auug.org.au
      Cc: akpm@linux-foundation.org
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: mhocko@suse.cz
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net
      9b8bd476
    • John S. Gruber's avatar
      x86/boot: Preserve boot_params.secure_boot from sanitizing · 29d9a0b5
      John S. Gruber authored
      Commit
      
        a90118c4 ("x86/boot: Save fields explicitly, zero out everything else")
      
      now zeroes the secure boot setting information (enabled/disabled/...)
      passed by the boot loader or by the kernel's EFI handover mechanism.
      
      The problem manifests itself with signed kernels using the EFI handoff
      protocol with grub and the kernel loses the information whether secure
      boot is enabled in the firmware, i.e., the log message "Secure boot
      enabled" becomes "Secure boot could not be determined".
      
      efi_main() arch/x86/boot/compressed/eboot.c sets this field early but it
      is subsequently zeroed by the above referenced commit.
      
      Include boot_params.secure_boot in the preserve field list.
      
       [ bp: restructure commit message and massage. ]
      
      Fixes: a90118c4
      
       ("x86/boot: Save fields explicitly, zero out everything else")
      Signed-off-by: default avatarJohn S. Gruber <JohnSGruber@gmail.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarJohn Hubbard <jhubbard@nvidia.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/CAPotdmSPExAuQcy9iAHqX3js_fc4mMLQOTr5RBGvizyCOPcTQQ@mail.gmail.com
      29d9a0b5
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 345464fb
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix some length checks during OGM processing in batman-adv, from
          Sven Eckelmann.
      
       2) Fix regression that caused netfilter conntrack sysctls to not be
          per-netns any more. From Florian Westphal.
      
       3) Use after free in netpoll, from Feng Sun.
      
       4) Guard destruction of pfifo_fast per-cpu qdisc stats with
          qdisc_is_percpu_stats(), from Davide Caratti. Similar bug is fixed
          in pfifo_fast_enqueue().
      
       5) Fix memory leak in mld_del_delrec(), from Eric Dumazet.
      
       6) Handle neigh events on internal ports correctly in nfp, from John
          Hurley.
      
       7) Clear SKB timestamp in NF flow table code so that it does not
          confuse fq scheduler. From Florian Westphal.
      
       8) taprio destroy can crash if it is invoked in a failure path of
          taprio_init(), because the list head isn't setup properly yet and
          the list del is unconditional. Perform the list add earlier to
          address this. From Vladimir Oltean.
      
       9) Make sure to reapply vlan filters on device up, in aquantia driver.
          From Dmitry Bogdanov.
      
      10) sgiseeq driver releases DMA memory using free_page() instead of
          dma_free_attrs(). From Christophe JAILLET.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits)
        net: seeq: Fix the function used to release some memory in an error handling path
        enetc: Add missing call to 'pci_free_irq_vectors()' in probe and remove functions
        net: bcmgenet: use ethtool_op_get_ts_info()
        tc-testing: don't hardcode 'ip' in nsPlugin.py
        net: dsa: microchip: add KSZ8563 compatibility string
        dt-bindings: net: dsa: document additional Microchip KSZ8563 switch
        net: aquantia: fix out of memory condition on rx side
        net: aquantia: linkstate irq should be oneshot
        net: aquantia: reapply vlan filters on up
        net: aquantia: fix limit of vlan filters
        net: aquantia: fix removal of vlan 0
        net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate
        taprio: Set default link speed to 10 Mbps in taprio_set_picos_per_byte
        taprio: Fix kernel panic in taprio_destroy
        net: dsa: microchip: fill regmap_config name
        rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]
        net: stmmac: dwmac-rk: Don't fail if phy regulator is absent
        amd-xgbe: Fix error path in xgbe_mod_init()
        netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder
        mac80211: Correctly set noencrypt for PAE frames
        ...
      345464fb
  6. 01 Sep, 2019 18 commits