24 Oct, 2014
6 commits
-
Far jmp/call/ret may fault while loading a new RIP. Currently KVM does not
handle this case, and may result in failed vm-entry once the assignment is
done. The tricky part of doing so is that loading the new CS affects the
VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
inconsistent state. Therefore, this patch saves on 64-bit the old CS
descriptor and restores it if loading RIP failed.

This fixes CVE-2014-3647.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini -
Before changing rip (during jmp, call, ret, etc.) the target should be asserted
to be canonical one, as real CPUs do. During sysret, both target rsp and rip
should be canonical. If any of these values is noncanonical, a #GP exception
should occur. The exception to this rule are syscall and sysenter instructions
in which the assigned rip is checked during the assignment to the relevant
MSRs.

This patch fixes the emulator to behave as real CPUs do for near branches.
Far branches are handled by the next patch.

This fixes CVE-2014-3647.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini -
Relative jumps and calls do the masking according to the operand size, and not
according to the address size as the KVM emulator does today.

This patch fixes KVM behavior.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini -
There's a race condition in the PIT emulation code in KVM. In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization. If the race condition occurs at the wrong time this
can crash the host kernel.

This fixes CVE-2014-3611.
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig
Signed-off-by: Paolo Bonzini -
The previous patch blocked invalid writes directly when the MSR
is written. As a precaution, prevent future similar mistakes by
gracefully handling GPs caused by writes to shared MSRs.

Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig
[Remove parts obsoleted by Nadav's patch. - Paolo]
Signed-off-by: Paolo Bonzini -
Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
written to certain MSRs. The behavior is "almost" identical for AMD and Intel
(ignoring MSRs that are not implemented in either architecture since they would
anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
non-canonical address is written on Intel but not on AMD (which ignores the top
32-bits).

Accordingly, this patch injects a #GP on the MSRs which behave identically on
Intel and AMD. To eliminate the differences between the architectures, the
value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
canonical value before writing instead of injecting a #GP.

Some references from Intel and AMD manuals:
According to Intel SDM description of WRMSR instruction #GP is expected on
WRMSR "If the source register contains a non-canonical address and ECX
specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."

According to AMD manual instruction manual:
LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical
form, a general-protection exception (#GP) occurs."
IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
base field must be in canonical form or a #GP fault will occur."
IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
be in canonical form."

This patch fixes CVE-2014-3610.
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit
Signed-off-by: Paolo Bonzini
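The canonical-address rule that the near-branch and WRMSR commit messages above describe, as an added example that is not code from these commits or from KVM. It assumes 48-bit virtual addresses; `filter_wrmsr` and `struct wrmsr_result` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 48-bit virtual addresses (4-level paging). */
#define VA_BITS 48
#define VA_MASK ((1ULL << VA_BITS) - 1)

/* Architectural MSR indices. */
#define MSR_IA32_SYSENTER_ESP 0x00000175u
#define MSR_IA32_SYSENTER_EIP 0x00000176u
#define MSR_LSTAR             0xc0000082u
#define MSR_CSTAR             0xc0000083u
#define MSR_FS_BASE           0xc0000100u
#define MSR_GS_BASE           0xc0000101u
#define MSR_KERNEL_GS_BASE    0xc0000102u

struct wrmsr_result {
    int gp;          /* 1 = inject #GP, nothing is written */
    uint64_t value;  /* value stored when gp == 0 */
};

/* Copy bit 47 into bits 63..48. */
static uint64_t make_canonical(uint64_t addr)
{
    uint64_t low = addr & VA_MASK;
    return (low >> (VA_BITS - 1)) ? (low | ~VA_MASK) : low;
}

/* The same test applies to a branch target before it is assigned to RIP. */
static int is_canonical(uint64_t addr)
{
    return make_canonical(addr) == addr;
}

/* Hypothetical filter applied to a guest WRMSR before it reaches hardware. */
static struct wrmsr_result filter_wrmsr(uint32_t msr, uint64_t data)
{
    struct wrmsr_result r = { 0, data };
    switch (msr) {
    case MSR_FS_BASE: case MSR_GS_BASE: case MSR_KERNEL_GS_BASE:
    case MSR_LSTAR: case MSR_CSTAR:
        /* Same on Intel and AMD: a non-canonical write faults. */
        r.gp = !is_canonical(data);
        break;
    case MSR_IA32_SYSENTER_ESP: case MSR_IA32_SYSENTER_EIP:
        /* Vendors differ here, so a canonical value is stored instead. */
        r.value = make_canonical(data);
        break;
    }
    return r;
}

int main(void)
{
    uint64_t bad = 0x0000800000000000ULL; /* constructed: bit 47 set, 63..48 clear */
    struct wrmsr_result a = filter_wrmsr(MSR_LSTAR, bad);
    struct wrmsr_result b = filter_wrmsr(MSR_IA32_SYSENTER_EIP, bad);
    printf("LSTAR gp=%d, SYSENTER_EIP gp=%d value=%#llx\n",
           a.gp, b.gp, (unsigned long long)b.value);
    return 0;
}
```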
22 Oct, 2014
3 commits
-
Pull SCSI target updates from Nicholas Bellinger:
"Here are the target updates for v3.18-rc2 code. These were
originally destined for -rc1, but due to the combination of travel
last week for KVM Forum and my mistake of taking the three week merge
window literally, the pull request slipped.. Apologies for that.

Things were reasonably quiet this round. The highlights include:
- New userspace backend driver (target_core_user.ko) by Shaohua Li
and Andy Grover
- A number of cleanups in target, iscsi-target and qla_target code
from Joern Engel
- Fix an OOPs related to queue full handling with CHECK_CONDITION
status from Quinn Tran
- Fix to disable TX completion interrupt coalescing in iser-target,
that was causing problems on some hardware
- Fix for PR APTPL metadata handling with demo-mode ACLs

I'm most excited about the new backend driver that uses UIO + shared
memory ring to dispatch I/O and control commands into user-space.
This was probably the most requested feature by users over the last
couple of years, and opens up a new area of development + porting of
existing user-space storage applications to LIO. Thanks to Shaohua +
Andy for making this happen.

Also another honorable mention, a new Xen PV SCSI driver was merged
via the xen/tip.git tree recently, which puts us now at 10 target
drivers in upstream! Thanks to David Vrabel + Juergen Gross for their
work to get this code merged"

* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (40 commits)
target/file: fix inclusive vfs_fsync_range() end
iser-target: Disable TX completion interrupt coalescing
target: Add force_pr_aptpl device attribute
target: Fix APTPL metadata handling for dynamic MappedLUNs
qla_target: don't delete changed nacls
target/user: Recalculate pad size inside is_ring_space_avail()
tcm_loop: Fixup tag handling
iser-target: Fix smatch warning
target/user: Fix up smatch warnings in tcmu_netlink_event
target: Add a user-passthrough backstore
target: Add documentation on the target userspace pass-through driver
uio: Export definition of struct uio_device
target: Remove unneeded check in sbc_parse_cdb
target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
qla_target: rearrange struct qla_tgt_prm
qla_target: improve qlt_unmap_sg()
qla_target: make some global functions static
qla_target: remove unused parameter
target: simplify core_tmr_abort_task
target: encapsulate smp_mb__after_atomic()
... -
Pull email address change from Boaz Harrosh.
* 'for-linus' of git://git.open-osd.org/linux-open-osd:
Boaz Harrosh - fix email in Documentation
Boaz Harrosh - Fix broken email address
MAINTAINERS: Change Boaz Harrosh's email -
Pull mailbox framework from Jassi Brar:
"A framework for Mailbox controllers and clients has been cooking for
more than a year now.

Everybody in the CC list had been copied on patchset revisions and
most of them have made sounds of approval, though just one concrete
Reviewed-by. The patchset has also been in linux-next for a couple of
weeks now and no conflict has been reported. The framework has the
backing of at least 5 platforms, though I can't say if/when they
upstream their drivers (some businesses have 'changed')"

(Further acked-by by Arnd Bergmann and Suman Anna in the pull request
thread)

* 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
dt: mailbox: add generic bindings
doc: add documentation for mailbox framework
mailbox: Introduce framework for mailbox
mailbox: rename pl320-ipc specific mailbox.h
21 Oct, 2014
31 commits
-
Pull watchdog updates from Wim Van Sebroeck:
- new Cadence WDT driver
- new Ricoh RN5T618 watchdog
- new DA9063 PMIC watchdog driver
- new Meson WDT driver
- add restart handling code
- fixes and improvements

* git://www.linux-watchdog.org/linux-watchdog: (25 commits)
watchdog: meson: remove magic value for reboot
watchdog: Let XILINX_WATCHDOG and TEGRA_WATCHDOG depend on HAS_IOMEM
watchdog: sunxi: Add A31 watchdog support
watchdog: sunxi: support parameterized compatible strings
watchdog: imx2_wdt: add restart handler support
watchdog: qcom: register a restart notifier
watchdog: s3c2410: add restart handler
watchdog: dw_wdt: add restart handler support
ARM: defconfig: update multi_v7_defconfig
ARM: meson: add watchdog driver
ARM: docs: add documentation binding for meson watchdog
stmp3xxx_rtc_wdt: Add suspend/resume PM support
watchdog: Add DA9063 PMIC watchdog driver.
watchdog: add driver for Ricoh RN5T618 watchdog
watchdog: s3c2410_wdt: Add support for Watchdog device on Exynos7
watchdog: qcom: document device tree bindings
watchdog: qcom: add support for KPSS WDT
watchdog: dw_wdt: initialise TOP_INIT in dw_wdt_set_top()
devicetree: Add Cadence WDT devicetree bindings documentation
watchdog: Add Cadence WDT driver
... -
Pull LED update from Bryan Wu:
"Basically we have some bug fixing and clean up and one big thing is we
start to merge patch to add support LED Flash class"

* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds:
leds: gpio: cleanup the leds-gpio driver
led: gpio: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
led: gpio: Sort include headers alphabetically
leds: Improve and export led_update_brightness
leds: trigger: gpio: fix warning in gpio trigger for gpios whose accessor function may sleep
leds: lp3944: fix sparse warning
leds: avoid using DEVICE_ATTR macro for max_brightness attribute
leds: make brightness type consistent across whole subsystem
leds: Reorder include directives -
…ierry.reding/linux-pwm
Pull pwm changes from Thierry Reding:
"There are no new drivers here, only a couple of fixes all over the
place"

* tag 'pwm/for-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm:
pwm: Let PWM_CLPS711X depend on HAS_IOMEM
pwm: atmel: Fix calculation of prescale value
pwm: Fix uninitialized warnings in pwm_get()
pwm: rockchip: Allow polarity invert on rk3288
pwm: imx: Avoid sample FIFO overflow for i.MX PWM version2
pwm: imx: Cleanup indentation for register definitions
pwm: imx: Fix the macro MX3_PWMCR_PRESCALER(x) definition
pwm: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
pwm: lpss: make it buildable only on X86
pwm: lpss: use c99 initializers in structures
pwm: lpss: Fix build failure on PowerPC
pwm: lpss: pci: Move to use pcim_enable_device()
pwm: lpss: Properly split driver to parts
pwm: lpss: Add ACPI and PCI IDs for Intel Braswell
pwm: fsl-ftm: Select REGMAP_MMIO
pwm: fsl-ftm: Document 'big-endian' property
pwm: fsl-ftm: Convert to direct regmap API usage
pwm: fsl-ftm: Clean up the code -
Pull ARC updates from Vineet Gupta:
"Sorry for the late pull request. Current stuff was ready for a while
but I was hoping to squeeze in support for almost ready ARC SDP
platform (and avoid a 2nd pull request), however it seems there are
still some loose ends which warrant more time.

- Platform code reduction/moving-up (TB10X no longer needs any
callbacks)
- updated boot printing
- kgdb update for arc gdb 7.5
- bug fixes (some marked for stable)
- more code refactoring/consolidation"

* tag 'arc-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
ARC: boot: cpu feature print enhancements
ARC: boot: consolidate cross-checking of h/w and s/w
ARC: unbork FPU save/restore
ARC: remove extraneous __KERNEL__ guards
ARC: Update order of registers in KGDB to match GDB 7.5
ARC: Remove unneeded Kconfig entry NO_DMA
ARC: BUG() dumps stack after @msg (@msg now same as in generic BUG))
ARC: refactoring: reduce the scope of some local vars
ARC: remove gcc mpy heuristics
ARC: RIP @running_on_hw
ARC: Update comments about uncached address space
ARC: rename kconfig option for unaligned emulation
ARC: [nsimosci] Allow "headless" models to boot
ARC: [arcfpga] Get rid of ARC_BOARD_ANGEL4 and ARC_BOARD_ML509
ARC: [arcfpga] Remove more dead code
ARC: [plat*] move code out of .init_machine into common
ARC: [arcfpga] consolidate machine description, DT
ARC: Allow SMP kernel to build/boot on UP-only infrastructure -
Pull more powerpc updates from Michael Ellerman:
"Here's some more updates for powerpc for 3.18.

They are a bit late I know, though most are actually bug fixes. In my
defence I nearly cut the top of my finger off last weekend in a
gruesome bike maintenance accident, so I spent a good part of the week
waiting around for doctors. True story, I can send photos if you like :)

Probably the most interesting fix is the sys_call_table one, which
enables syscall tracing for powerpc. There's a fix for HMI handling
for old firmware, more endian fixes for firmware interfaces, more EEH
fixes, Anton fixed our routine that gets the current stack pointer,
and a few other misc bits"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux: (22 commits)
powerpc: Only do dynamic DMA zone limits on platforms that need it
powerpc: sync pseries_le_defconfig with pseries_defconfig
powerpc: Add printk levels to setup_system output
powerpc/vphn: NUMA node code expects big-endian
powerpc/msi: Use WARN_ON() in msi bitmap selftests
powerpc/msi: Fix the msi bitmap alignment tests
powerpc/eeh: Block CFG upon frozen Shiner adapter
powerpc/eeh: Don't collect logs on PE with blocked config space
powerpc/eeh: Block PCI config access upon frozen PE
powerpc/pseries: Drop config requests in EEH accessors
powerpc/powernv: Drop config requests in EEH accessors
powerpc/eeh: Rename flag EEH_PE_RESET to EEH_PE_CFG_BLOCKED
powerpc/eeh: Fix condition for isolated state
powerpc/pseries: Make CPU hotplug path endian safe
powerpc/pseries: Use dump_stack instead of show_stack
powerpc: Rename __get_SP() to current_stack_pointer()
powerpc: Reimplement __get_SP() as a function not a define
powerpc/numa: Add ability to disable and debug topology updates
powerpc/numa: check error return from proc_create
powerpc/powernv: Fallback to old HMI handling behavior for old firmware
... -
Pull s390 updates from Martin Schwidefsky:
"One patch to enable the BPF system call and three more bug fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/uprobes: fix kprobes dependency
s390: wire up bpf syscall
s390/mm: fixing calls of pte_unmap_unlock
s390/hmcdrv: Restrict s390 HMC driver to S390 arch -
This patch removes the magic value used for rebooting the board. This
value is useless and leads to a static checker warning as reported by
Dan Carpenter.

Signed-off-by: Carlo Caione
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
They need HAS_IOMEM, so let them depend on it, the related error (with
allmodconfig under um):

MODPOST 1205 modules
ERROR: "devm_ioremap_resource" [drivers/watchdog/tegra_wdt.ko] undefined!
ERROR: "devm_ioremap_resource" [drivers/watchdog/of_xilinx_wdt.ko] undefined!

Signed-off-by: Chen Gang
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
This patch adds support for the watchdog hardware found in A31 and
newer SoCs. This new hardware has registers at different offsets, and
the system reset control has been split out of the "mode" register
into a new "configuration" register.

Differences not supported by this driver include separate interrupt
lines for each watchdog, instead of sharing an interrupt line and
registers with the timer block.

Signed-off-by: Chen-Yu Tsai
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
This patch adds support for hardware parameters tied to compatible
strings, so similar hardware can reuse the driver.

This will be used to support the newer watchdog found in A31 and
later SoCs. Differences in the new hardware include separate
interrupt lines for each watchdog, and corresponding interrupt
control/status registers. Watchdog control registers were also
slightly rearranged.

Also replace ioread32()/iowrite32() with readl()/writel() in various
places changed.

Signed-off-by: Chen-Yu Tsai
Signed-off-by: Guenter Roeck
Acked-by: Heiko Stuebner
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Andrew Morton -
Register the watchdog as the system restart function
to the new introducing kernel restart call chain in the
driver instead of providing the restart in machine desc.
This restart handler function is from the mxc_restart()
in arch/arm/mach-imx/system.c

Signed-off-by: Jingchang Lu
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
The WDT's BITE_TIME warm-reset behavior can be leveraged as a last
resort mechanism for triggering chip reset. Usually, other restart
methods (such as PS_HOLD) are preferable for issuing a more complete
reset of the chip. As such, keep the priority of the watchdog notifier
low.

Signed-off-by: Josh Cartwright
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
On a lot of Samsung systems the watchdog is responsible for restarting the
system and until now this code was contained in plat-samsung/watchdog-reset.c.

With the introduction of the restart handlers, this code can now move into
driver itself, removing the need for arch-specific code.

Tested on a S3C2442 based GTA02
Signed-off-by: Heiko Stuebner
Signed-off-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Andrew Morton -
The kernel core now provides an API to trigger a system restart.
Register with it to support restarting the system via watchdog.

Signed-off-by: Jisheng Zhang
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Update the multi_v7_defconfig enabling the watchdog driver for Meson
SoCs.

Signed-off-by: Carlo Caione
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
This patch adds the watchdog driver for the Amlogic Meson SoCs used also
to reboot the device.

Signed-off-by: Carlo Caione
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Signed-off-by: Carlo Caione
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
There is no conflict with rtc/rtc-stmp3xxx.c parent
because modified registers in PM functions of stmp3xxx_rtc_wdt
are different.

Signed-off-by: Janusz Uzycki
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
This driver supports the watchdog device inside the DA9063 PMIC.
Signed-off-by: Krystian Garbaciak
Signed-off-by: Philipp Zabel
Signed-off-by: Markus Pargmann
Acked-by: Steve Twiss
Tested-by: Steve Twiss
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
This adds a driver for the watchdog timer available in Ricoh RN5T618
PMIC. The device supports a programmable expiration time of 1, 8, 32
or 128 seconds.

Signed-off-by: Beniamino Galvani
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Exynos7 SoC has a Watchdog for Atlas (A57) cores
This patch adds support for the Atlas watchdog.

Signed-off-by: Naveen Krishna Chatradhi
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
The Qualcomm Krait Processor Sub-system (KPSS) contains one or more
instances of the WDT. Provide documentation on how to describe these in
the device tree.

Signed-off-by: Josh Cartwright
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Add a driver for the watchdog timer block found in the Krait Processor
Subsystem (KPSS) on the MSM8960, APQ8064, and IPQ8064.

Signed-off-by: Josh Cartwright
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
The TOP_INIT, ie bit 4-7 of the WDOG_TIMEOUT_RANGE_REG_OFFSET register
may be zero, so the timeout period may be very short after initialization
is done, thus the system may be reset soon after enabling. We fix this
problem by also initialising the TOP_INIT when setting TOP in function
dw_wdt_set_top().

Signed-off-by: Jisheng Zhang
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Add cadence-wdt bindings documentation.
Signed-off-by: Harini Katakam
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Add Cadence WDT driver. This is used by Xilinx Zynq.
Signed-off-by: Harini Katakam
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Signed-off-by: Uwe Kleine-König
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Signed-off-by: Xiubo Li
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
There is no need to store the return value of misc_deregister() in a
variable. Instead we can just return the value directly.

Signed-off-by: Mika Westerberg
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
Building booke_wdt fails when trying to build as a module as there is no
early_param() in module. Fix by using module_param() instead of early_param().

Signed-off-by: Pranith Kumar
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck -
There is no need to init .owner field.
Based on the patch from Peter Griffin
"mmc: remove .owner field for drivers using module_platform_driver"

This patch removes the superfluous .owner field for drivers which
use the module_platform_driver API, as this is overridden in
platform_driver_register anyway."

Signed-off-by: Michal Simek
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck