Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.16 2019-01-13T08:51:10+00:00 2019-01-13T08:51:10+00:00 Alexander Shishkin alexander.shishkin@linux.intel.com 2018-12-19T15:19:22+00:00 urn:sha1:f65b4d4ff3aa08efed2ad9f7efcde7cc16c5c642 commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream. The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated list of window sizes, passed from userspace. However, there is a bug in the string parsing logic wherein it doesn't exclude the comma character from the range of characters as it consumes them. This leads to an out-of-bounds access given a sufficiently long list. For example: > # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages > ================================================================== > BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40 > Read of size 1 at addr ffff8803ffcebcd1 by task sh/825 > > CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+ > Call Trace: > dump_stack+0x7c/0xc0 > print_address_description+0x6c/0x23c > ? memchr+0x1e/0x40 > kasan_report.cold.5+0x241/0x308 > memchr+0x1e/0x40 > nr_pages_store+0x203/0xd00 [intel_th_msu] Fix this by accounting for the comma character. Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") Cc: stable@vger.kernel.org # v4.4+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-13T19:08:36+00:00 Suzuki K Poulose suzuki.poulose@arm.com 2018-09-20T19:17:46+00:00 urn:sha1:3fa9b782dfc4a5acf888b61274388590b458100e [ Upstream commit 987d1e8dcd370d96029a3d76a0031b043c4a69ae ] If the ETB is already enabled in sysfs mode, the ETB reports success even if a perf mode is requested. Fix this by checking the requested mode. Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-09-18T14:08:38+00:00 Alexander Shishkin alexander.shishkin@linux.intel.com 2018-09-18T13:10:49+00:00 urn:sha1:59d08d00d43c644ee2011d7ff1807bdd69f31fe0 This adds Intel(R) Trace Hub PCI ID for Ice Lake PCH. Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-09-18T14:08:38+00:00 Alexander Shishkin alexander.shishkin@linux.intel.com 2018-09-18T13:10:48+00:00 urn:sha1:ebe4582281d6e90972f057318a6edea14810ea48 The core of the driver expects the resource array from the glue layer to be indexed by even numbers, as is the case for 64-bit PCI resources. This doesn't hold true for others, ACPI in this instance, which leads to an out-of-bounds access and an ioremap() on whatever address that access fetches. This patch fixes the problem by reading resource array differently based on whether the 64-bit flag is set, which would indicate PCI glue layer. Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Fixes: ebc57e399b8e ("intel_th: Add ACPI glue layer") CC: stable@vger.kernel.org # v4.17+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-09-18T14:08:38+00:00 Alexander Shishkin alexander.shishkin@linux.intel.com 2018-09-18T13:10:47+00:00 urn:sha1:8801922cd94c918e4dc3a108ecaa500c4d40583f Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") brings in new subdevice addition/removal logic that's broken for "host mode": the SWITCH device has no children to begin with, which is not handled in the code. This results in a null dereference bug later down the path. This patch fixes the subdevice removal code to handle host mode correctly. Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") CC: stable@vger.kernel.org # v4.14+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-08-24T01:48:43+00:00 Souptick Joarder jrdr.linux@gmail.com 2018-08-24T00:00:45+00:00 urn:sha1:42df050930e7dade82b4d38959320aa05f4022e3 Use new return type vm_fault_t for fault handler. For now, this is just documenting that the function returns a VM_FAULT value rather than an errno. Once all instances are converted, vm_fault_t will become a distinct type. See 1c8f422059ae ("mm: change return type to vm_fault_t") for reference. Link: http://lkml.kernel.org/r/20180702155801.GA4010@jordon-HP-15-Notebook-PC Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2018-07-15T11:52:59+00:00 Robin Murphy robin.murphy@arm.com 2018-07-11T19:40:35+00:00 urn:sha1:ccff2dfaceaca4517432f5c149594215fe9098cc Probing the TPIU driver under UBSan triggers an out-of-bounds shift warning in coresight_timeout(): ... [ 5.677530] UBSAN: Undefined behaviour in drivers/hwtracing/coresight/coresight.c:929:16 [ 5.685542] shift exponent 64 is too large for 64-bit type 'long unsigned int' ... On closer inspection things are exponentially out of whack because we're passing a bitmask where a bit number should be. Amusingly, it seems that both calls will find their expected values by sheer luck and appear to succeed: 1 << FFCR_FON_MAN ends up at bit 64 which whilst undefined evaluates as zero in practice, while 1 << FFSR_FT_STOPPED finds bit 2 (TCPresent) which apparently is usually tied high. Following the examples of other drivers, define separate FOO and FOO_BIT macros for masks vs. indices, and put things right. CC: Robert Walker <robert.walker@arm.com> CC: Mike Leach <mike.leach@linaro.org> CC: Mathieu Poirier <mathieu.poirier@linaro.org> Fixes: 11595db8e17f ("coresight: Fix disabling of CoreSight TPIU") Signed-off-by: Robin Murphy <robin.murphy@arm.com> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-15T11:52:59+00:00 Suzuki K Poulose suzuki.poulose@arm.com 2018-07-11T19:40:34+00:00 urn:sha1:434d611cddef1ceed32bf416a363992b01a3ff9a Now that we can use a CATU with a scatter gather table, add support for the TMC ETR to make use of the connected CATU in translate mode. This is done by adding CATU as new buffer mode. Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-15T11:52:59+00:00 Suzuki K Poulose suzuki.poulose@arm.com 2018-07-11T19:40:33+00:00 urn:sha1:8ed536b1e2838dad4f495347f0917b1cb6e3604f This patch adds the support for setting up a SG table for use by the CATU. We reuse the tmc_sg_table to represent the table/data pages, even though the table format is different. Similar to ETR SG table, CATU uses a 4KB page size for data buffers as well as page tables. All table entries are 64bit wide and have the following format: 63 12 1 0 x-----------------------------------x | Address [63-12] | SBZ | V | x-----------------------------------x Where [V] -> 0 - Pointer is invalid 1 - Pointer is Valid CATU uses only first half of the page for data page pointers. i.e, single table page will only have 256 page pointers, addressing upto 1MB of data. The second half of a table page contains only two pointers at the end of the page (i.e, pointers at index 510 and 511), which are used as links to the "Previous" and "Next" page tables respectively. The first table page has an "Invalid" previous pointer and the next pointer entry points to the second page table if there is one. Similarly the last table page has an "Invalid" next pointer to indicate the end of the table chain. Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-07-15T11:52:58+00:00 Suzuki K Poulose suzuki.poulose@arm.com 2018-07-11T19:40:31+00:00 urn:sha1:fcacb5c154baaeaee3d89b2a2b7cf6e4ce43f5f5 Add the initial support for Coresight Address Translation Unit, which augments the TMC in Coresight SoC-600 by providing an improved Scatter Gather mechanism. CATU is always connected to a single TMC-ETR and converts the AXI address with a translated address (from a given SG table with specific format). The CATU should be programmed in pass through mode and enabled even if the ETR doesn't use the translation by CATU. This patch provides mechanism to enable/disable the CATU always in the pass through mode. We reuse the existing ports mechanism to link the TMC-ETR to the connected CATU. i.e, TMC-ETR:output_port0 -> CATU:input_port0 Reference manual for CATU component is avilable in version r2p0 of : "Arm Coresight System-on-Chip SoC-600 Technical Reference Manual". Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>