From 298a96c12b2d8fd845ae0c2c21c0a1c0b470f99e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= Date: Sun, 25 Oct 2015 23:11:43 +0200 Subject: x86/dma-mapping: Fix arch_dma_alloc_attrs() oops with NULL dev MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 6894258eda2f broke drivers that pass NULL as the device pointer to dma_alloc. The reason is that arch_dma_alloc_attrs() now calls dma_alloc_coherent_gfp_flags() which in turn calls dma_alloc_coherent_mask(), where the device pointer is dereferenced unconditionally. Fix things by moving the ISA DMA fallback device assignment before the call to dma_alloc_coherent_gfp_flags(). Fixes: 6894258eda2f ("dma-mapping: consolidate dma_{alloc,free}_{attrs,coherent}") Reported-and-tested-by: Meelis Roos Signed-off-by: Ville Syrjälä Cc: Christoph Hellwig Link: http://lkml.kernel.org/r/1445807503-8920-1-git-send-email-ville.syrjala@linux.intel.com Signed-off-by: Thomas Gleixner --- arch/x86/kernel/pci-dma.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/pci-dma.c b/arch/x86/kernel/pci-dma.c index 1b55de1267cf..cd99433b8ba1 100644 --- a/arch/x86/kernel/pci-dma.c +++ b/arch/x86/kernel/pci-dma.c @@ -131,11 +131,12 @@ void dma_generic_free_coherent(struct device *dev, size_t size, void *vaddr, bool arch_dma_alloc_attrs(struct device **dev, gfp_t *gfp) { + if (!*dev) + *dev = &x86_dma_fallback_dev; + *gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32); *gfp = dma_alloc_coherent_gfp_flags(*dev, *gfp); - if (!*dev) - *dev = &x86_dma_fallback_dev; if (!is_device_dma_capable(*dev)) return false; return true; -- cgit v1.2.1 From ababae44108b0e94b58eef6cb5bd830bd040a47f Mon Sep 17 00:00:00 2001 
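Review bot: The NULL-dev substitution now sits silently at the top of arch_dma_alloc_attrs(), but nothing in the hunk says why a NULL device is tolerated at all, so the next reader has no reason not to move it back below the gfp computation. A comment above the new check, `/* Legacy (ISA) drivers still pass dev == NULL; substitute the x86 fallback before dma_alloc_coherent_gfp_flags() and is_device_dma_capable() dereference it. */`, ties the ordering to the oops this fixes. The fallback is presumably the ISA device the description names, so callers on this path end up with whatever DMA mask that device carries; that is worth stating in the same comment so drivers do not rely on it by accident. Note also that the substituted pointer is written back through `*dev`, i.e. the caller's own variable changes — pre-existing behavior, but the comment should mention it.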
From: Werner Pawlitschko Date: Tue, 27 Oct 2015 09:08:04 +0900 Subject: x86/ioapic: Prevent NULL pointer dereference in setup_ioapic_dest() Commit 4857c91f0d19 changed the way how irq affinity is setup in setup_ioapic_dest() from using the core helper function to unconditionally calling the irq_set_affinity() callback of the underlying irq chip. That results in a NULL pointer dereference for the rare case where the underlying irq chip is lapic_chip which has no irq_set_affinity() callback. lapic_chip is occasionally used for the timer interrupt (irq 0). The fix is simple: Check the availability of the callback instead of calling it unconditionally. Fixes: 4857c91f0d19 "x86/ioapic: Force affinity setting in setup_ioapic_dest()" Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org --- arch/x86/kernel/apic/io_apic.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c index bb6bfc01cb82..4f2821527014 100644 --- a/arch/x86/kernel/apic/io_apic.c +++ b/arch/x86/kernel/apic/io_apic.c @@ -2547,7 +2547,9 @@ void __init setup_ioapic_dest(void) mask = apic->target_cpus(); chip = irq_data_get_irq_chip(idata); - chip->irq_set_affinity(idata, mask, false); + /* Might be lapic_chip for irq 0 */ + if (chip->irq_set_affinity) + chip->irq_set_affinity(idata, mask, false); } } #endif -- cgit v1.2.1 From 226f1f729ce277720fab60c91dd1b12574cfe66c Mon Sep 17 00:00:00 2001 From: Andy Lutomirski Date: Fri, 30 Oct 2015 22:42:45 -0700 Subject: selftests/x86: Add a fork() to entry_from_vm86 to catch fork bugs Mere possession of vm86 state is strange. Make sure that nothing gets corrupted if we fork after calling vm86(). Signed-off-by: Andy Lutomirski Cc: Brian Gerst Cc: Linus Torvalds Cc: Borislav Petkov Cc: Stas Sergeev Link: http://lkml.kernel.org/r/08f83295460a80e41dc5e3e81ec40d6844d316f5.1446270067.git.luto@kernel.org 
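Review bot: The new guard tests `chip->irq_set_affinity` but still dereferences `chip` unconditionally, so if `irq_data_get_irq_chip(idata)` can return NULL for an interrupt reached by this loop the fix only moves the oops one line up. If the loop already filters such entries before the hunk (the function body starts outside it), the comment should say so; otherwise the check should read `if (chip && chip->irq_set_affinity)`. The return value of `irq_set_affinity()` is discarded, matching the pre-patch line, which means a chip that rejects the mask fails silently during boot; a `pr_warn_once()` on a negative return would make that visible. The comment `/* Might be lapic_chip for irq 0 */` would read better as `/* lapic_chip (used for irq 0) has no irq_set_affinity callback */`, since it then explains the check rather than naming a case.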
Signed-off-by: Thomas Gleixner --- tools/testing/selftests/x86/entry_from_vm86.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/testing/selftests/x86/entry_from_vm86.c b/tools/testing/selftests/x86/entry_from_vm86.c index 421c607a8856..d075ea0e5ca1 100644 --- a/tools/testing/selftests/x86/entry_from_vm86.c +++ b/tools/testing/selftests/x86/entry_from_vm86.c @@ -230,5 +230,9 @@ int main(void) } clearhandler(SIGSEGV); + /* Make sure nothing explodes if we fork. */ + if (fork() > 0) + return 0; + return (nerrs == 0 ? 0 : 1); } -- cgit v1.2.1 From 2459ee8651dc5ab72790c2ffa99af288c7641b64 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski Date: Fri, 30 Oct 2015 22:42:46 -0700 Subject: x86/vm86: Set thread.vm86 to NULL on fork/clone thread.vm86 points to per-task information -- the pointer should not be copied on clone. Fixes: d4ce0f26c790 ("x86/vm86: Move fields from 'struct kernel_vm86_struct' to 'struct vm86'") Signed-off-by: Andy Lutomirski Cc: Brian Gerst Cc: Linus Torvalds Cc: Borislav Petkov Cc: Stas Sergeev Link: http://lkml.kernel.org/r/71c5d6985d70ec8197c8d72f003823c81b7dcf99.1446270067.git.luto@kernel.org Signed-off-by: Thomas Gleixner --- arch/x86/kernel/process.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c index e28db181e4fc..9f7c21c22477 100644 --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -84,6 +84,9 @@ EXPORT_SYMBOL_GPL(idle_notifier_unregister); int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) { memcpy(dst, src, arch_task_struct_size); +#ifdef CONFIG_VM86 + dst->thread.vm86 = NULL; +#endif return fpu__copy(&dst->thread.fpu, &src->thread.fpu); } -- cgit v1.2.1
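Review bot: `if (fork() > 0) return 0;` makes the parent exit 0 regardless of `nerrs`, so a failure counted earlier in main() is reported only by the child, whose status nobody collects — a harness watching the parent's exit code sees the test pass when it failed. A failed fork() (-1) also falls through and reports success without exercising the fork path at all. The parent should wait for the child, fold its exit status into `nerrs`, and then return the usual result; this needs `<sys/wait.h>` (and `<sys/types.h>`) if the file does not already include them, which the hunk does not show. main() begins outside the hunk.
```c
	/* Make sure nothing explodes if we fork. */
	pid_t child = fork();
	if (child < 0) {
		printf("[FAIL]\tfork() failed\n");
		nerrs++;
	} else if (child > 0) {
		int status;
		if (waitpid(child, &status, 0) != child ||
		    !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
			printf("[FAIL]\tchild exited abnormally after vm86()\n");
			nerrs++;
		}
	}

	return (nerrs == 0 ? 0 : 1);
```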
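Review bot: The reset of `dst->thread.vm86` carries no comment, and a bare assignment right after a memcpy() in arch_dup_task_struct() is exactly the kind of line a later cleanup removes as redundant; a comment above the `#ifdef` such as `/* thread.vm86 is per-task state; the child must not inherit the parent's pointer */` records the reason the commit message gives. It is also worth confirming that whatever releases `thread.vm86` on task exit tolerates NULL, since every forked task now starts with it cleared — that path is not in the hunk. As a style point, the kernel usually keeps `#ifdef CONFIG_VM86` out of function bodies by providing a no-op helper in the header, though for a three-line fix that is a matter of taste.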