<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/arch, branch v3.14.5</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/arch?h=v3.14.5</id>
<link rel='self' href='https://git.amat.us/linux/atom/arch?h=v3.14.5'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2014-05-31T20:20:38Z</updated>
<entry>
<title>net: filter: s390: fix JIT address randomization</title>
<updated>2014-05-31T20:20:38Z</updated>
<author>
<name>Heiko Carstens</name>
<email>heiko.carstens@de.ibm.com</email>
</author>
<published>2014-05-14T07:48:21Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4d3b152a2e4d79a6151c396e173e599e54ac6dfe'/>
<id>urn:sha1:4d3b152a2e4d79a6151c396e173e599e54ac6dfe</id>
<content type='text'>
[ Upstream commit e84d2f8d2ae33c8215429824e1ecf24cbca9645e ]

This is the s390 variant of Alexei's JIT bug fix.
(patch description below stolen from Alexei's patch)

bpf_alloc_binary() adds 128 bytes of room to JITed program image
and rounds it up to the nearest page size. If image size is close
to page size (like 4000), it is rounded to two pages:
round_up(4000 + 4 + 128) == 8192
then 'hole' is computed as 8192 - (4000 + 4) = 4188
If prandom_u32() % hole selects a number &gt;= PAGE_SIZE - sizeof(*header)
then kernel will crash during bpf_jit_free():

kernel BUG at arch/x86/mm/pageattr.c:887!
Call Trace:
 [&lt;ffffffff81037285&gt;] change_page_attr_set_clr+0x135/0x460
 [&lt;ffffffff81694cc0&gt;] ? _raw_spin_unlock_irq+0x30/0x50
 [&lt;ffffffff810378ff&gt;] set_memory_rw+0x2f/0x40
 [&lt;ffffffffa01a0d8d&gt;] bpf_jit_free_deferred+0x2d/0x60
 [&lt;ffffffff8106bf98&gt;] process_one_work+0x1d8/0x6a0
 [&lt;ffffffff8106bf38&gt;] ? process_one_work+0x178/0x6a0
 [&lt;ffffffff8106c90c&gt;] worker_thread+0x11c/0x370

since bpf_jit_free() does:
  unsigned long addr = (unsigned long)fp-&gt;bpf_func &amp; PAGE_MASK;
  struct bpf_binary_header *header = (void *)addr;
to compute start address of 'bpf_binary_header'
and header-&gt;pages will pass junk to:
  set_memory_rw(addr, header-&gt;pages);

Fix it by making sure that &amp;header-&gt;image[prandom_u32() % hole] and &amp;header
are in the same page.

Fixes: aa2d2c73c21f2 ("s390/bpf,jit: address randomize and write protect jit code")

Reported-by: Alexei Starovoitov &lt;ast@plumgrid.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v3.11+
Signed-off-by: Heiko Carstens &lt;heiko.carstens@de.ibm.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>net: filter: x86: fix JIT address randomization</title>
<updated>2014-05-31T20:20:38Z</updated>
<author>
<name>Alexei Starovoitov</name>
<email>ast@plumgrid.com</email>
</author>
<published>2014-05-13T22:05:55Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=070a08cd74daf53cd97f52f17636cc723c5cb370'/>
<id>urn:sha1:070a08cd74daf53cd97f52f17636cc723c5cb370</id>
<content type='text'>
[ Upstream commit 773cd38f40b8834be991dbfed36683acc1dd41ee ]

bpf_alloc_binary() adds 128 bytes of room to JITed program image
and rounds it up to the nearest page size. If image size is close
to page size (like 4000), it is rounded to two pages:
round_up(4000 + 4 + 128) == 8192
then 'hole' is computed as 8192 - (4000 + 4) = 4188
If prandom_u32() % hole selects a number &gt;= PAGE_SIZE - sizeof(*header)
then kernel will crash during bpf_jit_free():

kernel BUG at arch/x86/mm/pageattr.c:887!
Call Trace:
 [&lt;ffffffff81037285&gt;] change_page_attr_set_clr+0x135/0x460
 [&lt;ffffffff81694cc0&gt;] ? _raw_spin_unlock_irq+0x30/0x50
 [&lt;ffffffff810378ff&gt;] set_memory_rw+0x2f/0x40
 [&lt;ffffffffa01a0d8d&gt;] bpf_jit_free_deferred+0x2d/0x60
 [&lt;ffffffff8106bf98&gt;] process_one_work+0x1d8/0x6a0
 [&lt;ffffffff8106bf38&gt;] ? process_one_work+0x178/0x6a0
 [&lt;ffffffff8106c90c&gt;] worker_thread+0x11c/0x370

since bpf_jit_free() does:
  unsigned long addr = (unsigned long)fp-&gt;bpf_func &amp; PAGE_MASK;
  struct bpf_binary_header *header = (void *)addr;
to compute start address of 'bpf_binary_header'
and header-&gt;pages will pass junk to:
  set_memory_rw(addr, header-&gt;pages);

Fix it by making sure that &amp;header-&gt;image[prandom_u32() % hole] and &amp;header
are in the same page

Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
Signed-off-by: Alexei Starovoitov &lt;ast@plumgrid.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>xen/spinlock: Don't enable them unconditionally.</title>
<updated>2014-05-31T20:20:29Z</updated>
<author>
<name>Konrad Rzeszutek Wilk</name>
<email>konrad.wilk@oracle.com</email>
</author>
<published>2014-04-04T18:48:04Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=540299d7c8e1946f3af29a632661e3b49cd12fd5'/>
<id>urn:sha1:540299d7c8e1946f3af29a632661e3b49cd12fd5</id>
<content type='text'>
commit e0fc17a936334c08b2729fff87168c03fdecf5b6 upstream.

The git commit a945928ea2709bc0e8e8165d33aed855a0110279
('xen: Do not enable spinlocks before jump_label_init() has executed')
was added to deal with the jump machinery. Earlier the code
that turned on the jump label was only called by Xen specific
functions. But now that it had been moved to the initcall machinery
it gets called on Xen, KVM, and baremetal - ouch!. And the detection
machinery to only call it on Xen wasn't remembered in the heat
of merge window excitement.

This means that the slowpath is enabled on baremetal while it should
not be.

Reported-by: Waiman Long &lt;waiman.long@hp.com&gt;
Acked-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
CC: Boris Ostrovsky &lt;boris.ostrovsky@oracle.com&gt;
Signed-off-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Signed-off-by: David Vrabel &lt;david.vrabel@citrix.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>parisc: remove _STK_LIM_MAX override</title>
<updated>2014-05-31T20:20:29Z</updated>
<author>
<name>John David Anglin</name>
<email>dave.anglin@bell.net</email>
</author>
<published>2014-04-27T20:20:47Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7147ad6410de7f330650e47b198815fe0d907a65'/>
<id>urn:sha1:7147ad6410de7f330650e47b198815fe0d907a65</id>
<content type='text'>
commit e0d8898d76a785453bfaf6cd08b830a7d5189f78 upstream.

There are only a couple of architectures that override _STK_LIM_MAX to
a non-infinity value. This changes the stack allocation semantics in
subtle ways. For example, GNU make changes its stack allocation to the
hard maximum defined by _STK_LIM_MAX. As a results, threads executed
by processes running under make are allocated a stack size of
_STK_LIM_MAX rather than a sensible default value. This causes various
thread stress tests to fail when they can't muster more than about 50
threads.

The attached change implements the default behavior used by the
majority of architectures.

Signed-off-by: John David Anglin &lt;dave.anglin@bell.net&gt;
Reviewed-by: Carlos O'Donell &lt;carlos@systemhalted.org&gt;
Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>parisc: fix epoll_pwait syscall on compat kernel</title>
<updated>2014-05-31T20:20:28Z</updated>
<author>
<name>Helge Deller</name>
<email>deller@gmx.de</email>
</author>
<published>2014-04-12T22:03:55Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=3e7b54d984d455fe779c481972384082af1146c6'/>
<id>urn:sha1:3e7b54d984d455fe779c481972384082af1146c6</id>
<content type='text'>
commit ab3e55b119c9653b19ea4edffb86f04db867ac98 upstream.

This bug was detected with the libio-epoll-perl debian package where the
test case IO-Ppoll-compat.t failed.

Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>parisc: change value of SHMLBA from 0x00400000 to PAGE_SIZE</title>
<updated>2014-05-31T20:20:28Z</updated>
<author>
<name>Helge Deller</name>
<email>deller@gmx.de</email>
</author>
<published>2014-04-09T17:49:28Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c400a1db3399aad8141d88df4545e3f50b38c416'/>
<id>urn:sha1:c400a1db3399aad8141d88df4545e3f50b38c416</id>
<content type='text'>
commit 0ef36bd2b37815719e31a72d2beecc28ca8ecd26 upstream.

On parisc, SHMLBA was defined to 0x00400000 (4MB) to reflect that we need to
take care of our caches for shared mappings. But actually, we can map a file at
any multiple address of PAGE_SIZE, so let us correct that now with a value of
PAGE_SIZE for SHMLBA.  Instead we now take care of this cache colouring via the
constant SHM_COLOUR while we map shared pages.

Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
CC: Jeroen Roovers &lt;jer@gentoo.org&gt;
CC: John David Anglin &lt;dave.anglin@bell.net&gt;
CC: Carlos O'Donell &lt;carlos@systemhalted.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>x86,preempt: Fix preemption for i386</title>
<updated>2014-05-31T20:20:28Z</updated>
<author>
<name>Peter Zijlstra</name>
<email>peterz@infradead.org</email>
</author>
<published>2014-04-09T14:24:47Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4c03d4699182312ed42257834b915492af16022a'/>
<id>urn:sha1:4c03d4699182312ed42257834b915492af16022a</id>
<content type='text'>
Many people reported preemption/reschedule problems with i386 kernels
for .13 and .14. After Michele bisected this to a combination of

  3e8e42c69bb ("sched: Revert need_resched() to look at TIF_NEED_RESCHED")
  ded79754754 ("irq: Force hardirq exit's softirq processing on its own stack")

it finally dawned on me that i386's current_thread_info() was to
blame.

When we are on interrupt/exception stacks, we fail to observe the
right TIF_NEED_RESCHED bit and therefore the PREEMPT_NEED_RESCHED
folding malfunctions.

Current upstream fixes this by making i386 behave the same as x86_64
already did:

  2432e1364bbe ("x86: Nuke the supervisor_stack field in i386 thread_info")
  b807902a88c4 ("x86: Nuke GET_THREAD_INFO_WITH_ESP() macro for i386")
  0788aa6a23cb ("x86: Prepare removal of previous_esp from i386 thread_info structure")
  198d208df437 ("x86: Keep thread_info on thread stack in x86_32")

However, that is far too much to stuff into -stable. Therefore I
propose we merge the below patch which uses task_thread_info(current)
for tif_need_resched() instead of the ESP based current_thread_info().

This makes sure we always observe the one true TIF_NEED_RESCHED bit
and things will work as expected again.

Cc: bp@alien8.de
Cc: fweisbec@gmail.com
Cc: david.a.cohen@linux.intel.com
Cc: mingo@kernel.org
Cc: fweisbec@gmail.com
Cc: greg@kroah.com
Cc: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Cc: gregkh@linuxfoundation.org
Cc: pbonzini@redhat.com
Cc: rostedt@goodmis.org
Cc: stefan.bader@canonical.com
Cc: mingo@kernel.org
Cc: toralf.foerster@gmx.de
Cc: David Cohen &lt;david.a.cohen@linux.intel.com&gt;
Cc: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Cc: torvalds@linux-foundation.org
Cc: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Cc: David Cohen &lt;david.a.cohen@linux.intel.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Cc: Borislav Petkov &lt;bp@alien8.de&gt;
Cc: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Cc: &lt;stable-commits@vger.kernel.org&gt;
Cc: Borislav Petkov &lt;bp@alien8.de&gt;
Cc: peterz@infradead.org
Cc: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: barra_cuda@katamail.com
Tested-by: Stefan Bader &lt;stefan.bader@canonical.com&gt;
Tested-by: Toralf F¿rster &lt;toralf.foerster@gmx.de&gt;
Tested-by: Michele Ballabio &lt;barra_cuda@katamail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Peter Zijlstra &lt;peterz@infradead.org&gt;
Link: http://lkml.kernel.org/r/20140409142447.GD13658@twins.programming.kicks-ass.net

</content>
</entry>
<entry>
<title>KVM: x86: remove WARN_ON from get_kernel_ns()</title>
<updated>2014-05-31T20:20:27Z</updated>
<author>
<name>Marcelo Tosatti</name>
<email>mtosatti@redhat.com</email>
</author>
<published>2014-04-10T21:19:12Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=8c02c2a4f89a4eda43b4679e8f0e170edeebc85f'/>
<id>urn:sha1:8c02c2a4f89a4eda43b4679e8f0e170edeebc85f</id>
<content type='text'>
commit b351c39cc9e0151cee9b8d52a1e714928faabb38 upstream.

Function and callers can be preempted.

https://bugzilla.kernel.org/show_bug.cgi?id=73721

Signed-off-by: Marcelo Tosatti &lt;mtosatti@redhat.com&gt;
Reviewed-by: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>x86-64, build: Fix stack protector Makefile breakage with 32-bit userland</title>
<updated>2014-05-13T11:32:58Z</updated>
<author>
<name>George Spelvin</name>
<email>linux@horizon.com</email>
</author>
<published>2014-05-07T21:05:52Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=dec190e5b9428821cfffe7462fce43a234564711'/>
<id>urn:sha1:dec190e5b9428821cfffe7462fce43a234564711</id>
<content type='text'>
commit 14262d67fe348018af368a07430fbc06eadeabb1 upstream.

If you are using a 64-bit kernel with 32-bit userland, then
scripts/gcc-x86_64-has-stack-protector.sh invokes 32-bit gcc
with -mcmodel=kernel, which produces:

&lt;stdin&gt;:1:0: error: code model 'kernel' not supported in the 32 bit mode

and trips the "broken compiler" test at arch/x86/Makefile:120.

There are several places a fix is possible, but the following seems
cleanest.  (But it's minimal; it would also be possible to factor
out a bunch of stuff from the two branches of the if.)

Signed-off-by: George Spelvin &lt;linux@horizon.com&gt;
Link: http://lkml.kernel.org/r/20140507210552.7581.qmail@ns.horizon.com
Signed-off-by: H. Peter Anvin &lt;hpa@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>ARC: !PREEMPT: Ensure Return to kernel mode is IRQ safe</title>
<updated>2014-05-13T11:32:50Z</updated>
<author>
<name>Vineet Gupta</name>
<email>Vineet.Gupta1@synopsys.com</email>
</author>
<published>2014-04-30T09:56:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=13d90455089e51da4372e963196b1e77de87e5a0'/>
<id>urn:sha1:13d90455089e51da4372e963196b1e77de87e5a0</id>
<content type='text'>
commit 8aa9e85adac609588eeec356e5a85059b3b819ba upstream.

There was a very small race window where resume to kernel mode from a
Exception Path (or pure kernel mode which is true for most of ARC
exceptions anyways), was not disabling interrupts in restore_regs,
clobbering the exception regs

Anton found the culprit call flow (after many sleepless nights)

| 1. we got a Trap from user land
| 2. started to service it.
| 3. While doing some stuff on user-land memory (I think it is padzero()),
|     we got a DataTlbMiss
| 4. On return from it we are taking "resume_kernel_mode" path
| 5. NEED_RESHED is not set, so we go to "return from exception" path in
|     restore regs.
| 6. there seems to be IRQ happening

Signed-off-by: Vineet Gupta &lt;vgupta@synopsys.com&gt;
Cc: Anton Kolesov &lt;Anton.Kolesov@synopsys.com&gt;
Cc: Francois Bedard &lt;Francois.Bedard@synopsys.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
</feed>
