<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/hwtracing/intel_th, branch linux-5.0.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>intel_th: msu: Fix single mode with IOMMU</title>
<updated>2019-05-25T16:22:03+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2019-05-03T08:44:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=24cb69043d680963a30cb99eaf45100fea2820fc'/>
<id>24cb69043d680963a30cb99eaf45100fea2820fc</id>
<content type='text'>
commit 4e0eaf239fb33ebc671303e2b736fa043462e2f4 upstream.

Currently, the pages that are allocated for the single mode of MSC are not
mapped into the device's dma space and the code is incorrectly using
*_to_phys() in place of a dma address. This fails with IOMMU enabled and
is otherwise bad practice.

Fix the single mode buffer allocation to map the pages into the device's
DMA space.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: ba82664c134e ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4e0eaf239fb33ebc671303e2b736fa043462e2f4 upstream.

Currently, the pages that are allocated for the single mode of MSC are not
mapped into the device's dma space and the code is incorrectly using
*_to_phys() in place of a dma address. This fails with IOMMU enabled and
is otherwise bad practice.

Fix the single mode buffer allocation to map the pages into the device's
DMA space.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: ba82664c134e ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: pci: Add Comet Lake support</title>
<updated>2019-05-10T16:36:12+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2019-04-17T07:35:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=284af27884325c5260dbfd29672a46cc5bf0556c'/>
<id>284af27884325c5260dbfd29672a46cc5bf0556c</id>
<content type='text'>
commit e60e9a4b231a20a199d7a61caadc48693c30d695 upstream.

This adds support for Intel TH on Comet Lake.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e60e9a4b231a20a199d7a61caadc48693c30d695 upstream.

This adds support for Intel TH on Comet Lake.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: gth: Fix an off-by-one in output unassigning</title>
<updated>2019-05-02T08:02:42+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2019-03-01T08:09:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=92d4af2766a1645763c15c738223bb0f9254329c'/>
<id>92d4af2766a1645763c15c738223bb0f9254329c</id>
<content type='text'>
[ Upstream commit 91d3f8a629849968dc91d6ce54f2d46abf4feb7f ]

Commit 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
fixes a NULL dereference for all masters except the last one ("256+"),
which keeps the stale pointer after the output driver had been unassigned.

Fix the off-by-one.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 91d3f8a629849968dc91d6ce54f2d46abf4feb7f ]

Commit 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
fixes a NULL dereference for all masters except the last one ("256+"),
which keeps the stale pointer after the output driver had been unassigned.

Fix the off-by-one.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: Don't reference unassigned outputs</title>
<updated>2019-03-23T19:11:25+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2019-01-24T13:11:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d91315e99c550a0facdd01cb461305ed79ba0822'/>
<id>d91315e99c550a0facdd01cb461305ed79ba0822</id>
<content type='text'>
commit 9ed3f22223c33347ed963e7c7019cf2956dd4e37 upstream.

When an output port driver is removed, also remove references to it from
any masters. Failing to do this causes a NULL ptr dereference when
configuring another output port:

&gt; BUG: unable to handle kernel NULL pointer dereference at 000000000000000d
&gt; RIP: 0010:master_attr_store+0x9d/0x160 [intel_th_gth]
&gt; Call Trace:
&gt; dev_attr_store+0x1b/0x30
&gt; sysfs_kf_write+0x3c/0x50
&gt; kernfs_fop_write+0x125/0x1a0
&gt; __vfs_write+0x3a/0x190
&gt; ? __vfs_write+0x5/0x190
&gt; ? _cond_resched+0x1a/0x50
&gt; ? rcu_all_qs+0x5/0xb0
&gt; ? __vfs_write+0x5/0x190
&gt; vfs_write+0xb8/0x1b0
&gt; ksys_write+0x55/0xc0
&gt; __x64_sys_write+0x1a/0x20
&gt; do_syscall_64+0x5a/0x140
&gt; entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: b27a6a3f97b9 ("intel_th: Add Global Trace Hub driver")
CC: stable@vger.kernel.org # v4.4+
Reported-by: Ammy Yi &lt;ammy.yi@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9ed3f22223c33347ed963e7c7019cf2956dd4e37 upstream.

When an output port driver is removed, also remove references to it from
any masters. Failing to do this causes a NULL ptr dereference when
configuring another output port:

&gt; BUG: unable to handle kernel NULL pointer dereference at 000000000000000d
&gt; RIP: 0010:master_attr_store+0x9d/0x160 [intel_th_gth]
&gt; Call Trace:
&gt; dev_attr_store+0x1b/0x30
&gt; sysfs_kf_write+0x3c/0x50
&gt; kernfs_fop_write+0x125/0x1a0
&gt; __vfs_write+0x3a/0x190
&gt; ? __vfs_write+0x5/0x190
&gt; ? _cond_resched+0x1a/0x50
&gt; ? rcu_all_qs+0x5/0xb0
&gt; ? __vfs_write+0x5/0x190
&gt; vfs_write+0xb8/0x1b0
&gt; ksys_write+0x55/0xc0
&gt; __x64_sys_write+0x1a/0x20
&gt; do_syscall_64+0x5a/0x140
&gt; entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: b27a6a3f97b9 ("intel_th: Add Global Trace Hub driver")
CC: stable@vger.kernel.org # v4.4+
Reported-by: Ammy Yi &lt;ammy.yi@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: msu: Fix an off-by-one in attribute store</title>
<updated>2018-12-19T19:21:06+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2018-12-19T15:19:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ec5b5ad6e272d8d6b92d1007f79574919862a2d2'/>
<id>ec5b5ad6e272d8d6b92d1007f79574919862a2d2</id>
<content type='text'>
The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
list of window sizes, passed from userspace. However, there is a bug in
the string parsing logic wherein it doesn't exclude the comma character
from the range of characters as it consumes them. This leads to an
out-of-bounds access given a sufficiently long list. For example:

&gt; # echo 8,8,8,8 &gt; /sys/bus/intel_th/devices/0-msc0/nr_pages
&gt; ==================================================================
&gt; BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
&gt; Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
&gt;
&gt; CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
&gt; Call Trace:
&gt;  dump_stack+0x7c/0xc0
&gt;  print_address_description+0x6c/0x23c
&gt;  ? memchr+0x1e/0x40
&gt;  kasan_report.cold.5+0x241/0x308
&gt;  memchr+0x1e/0x40
&gt;  nr_pages_store+0x203/0xd00 [intel_th_msu]

Fix this by accounting for the comma character.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
list of window sizes, passed from userspace. However, there is a bug in
the string parsing logic wherein it doesn't exclude the comma character
from the range of characters as it consumes them. This leads to an
out-of-bounds access given a sufficiently long list. For example:

&gt; # echo 8,8,8,8 &gt; /sys/bus/intel_th/devices/0-msc0/nr_pages
&gt; ==================================================================
&gt; BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
&gt; Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
&gt;
&gt; CPU: 3 PID: 825 Comm: npktest.sh Tainted: G        W         4.20.0-rc1+
&gt; Call Trace:
&gt;  dump_stack+0x7c/0xc0
&gt;  print_address_description+0x6c/0x23c
&gt;  ? memchr+0x1e/0x40
&gt;  kasan_report.cold.5+0x241/0x308
&gt;  memchr+0x1e/0x40
&gt;  nr_pages_store+0x203/0xd00 [intel_th_msu]

Fix this by accounting for the comma character.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: pci: Add Ice Lake PCH support</title>
<updated>2018-09-18T14:08:38+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2018-09-18T13:10:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59d08d00d43c644ee2011d7ff1807bdd69f31fe0'/>
<id>59d08d00d43c644ee2011d7ff1807bdd69f31fe0</id>
<content type='text'>
This adds Intel(R) Trace Hub PCI ID for Ice Lake PCH.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This adds Intel(R) Trace Hub PCI ID for Ice Lake PCH.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: Fix resource handling for ACPI glue layer</title>
<updated>2018-09-18T14:08:38+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2018-09-18T13:10:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ebe4582281d6e90972f057318a6edea14810ea48'/>
<id>ebe4582281d6e90972f057318a6edea14810ea48</id>
<content type='text'>
The core of the driver expects the resource array from the glue layer
to be indexed by even numbers, as is the case for 64-bit PCI resources.
This doesn't hold true for others, ACPI in this instance, which leads
to an out-of-bounds access and an ioremap() on whatever address that
access fetches.

This patch fixes the problem by reading resource array differently based
on whether the 64-bit flag is set, which would indicate PCI glue layer.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: ebc57e399b8e ("intel_th: Add ACPI glue layer")
CC: stable@vger.kernel.org # v4.17+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The core of the driver expects the resource array from the glue layer
to be indexed by even numbers, as is the case for 64-bit PCI resources.
This doesn't hold true for others, ACPI in this instance, which leads
to an out-of-bounds access and an ioremap() on whatever address that
access fetches.

This patch fixes the problem by reading resource array differently based
on whether the 64-bit flag is set, which would indicate PCI glue layer.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: ebc57e399b8e ("intel_th: Add ACPI glue layer")
CC: stable@vger.kernel.org # v4.17+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: Fix device removal logic</title>
<updated>2018-09-18T14:08:38+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2018-09-18T13:10:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8801922cd94c918e4dc3a108ecaa500c4d40583f'/>
<id>8801922cd94c918e4dc3a108ecaa500c4d40583f</id>
<content type='text'>
Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
brings in new subdevice addition/removal logic that's broken for "host
mode": the SWITCH device has no children to begin with, which is not
handled in the code. This results in a null dereference bug later down
the path.

This patch fixes the subdevice removal code to handle host mode correctly.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
CC: stable@vger.kernel.org # v4.14+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
brings in new subdevice addition/removal logic that's broken for "host
mode": the SWITCH device has no children to begin with, which is not
handled in the code. This results in a null dereference bug later down
the path.

This patch fixes the subdevice removal code to handle host mode correctly.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
CC: stable@vger.kernel.org # v4.14+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>drivers/hwtracing/intel_th/msu.c: change return type to vm_fault_t</title>
<updated>2018-08-24T01:48:43+00:00</updated>
<author>
<name>Souptick Joarder</name>
<email>jrdr.linux@gmail.com</email>
</author>
<published>2018-08-24T00:00:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=42df050930e7dade82b4d38959320aa05f4022e3'/>
<id>42df050930e7dade82b4d38959320aa05f4022e3</id>
<content type='text'>
Use new return type vm_fault_t for fault handler.  For now, this is just
documenting that the function returns a VM_FAULT value rather than an
errno.  Once all instances are converted, vm_fault_t will become a
distinct type.

See 1c8f422059ae ("mm: change return type to vm_fault_t") for reference.

Link: http://lkml.kernel.org/r/20180702155801.GA4010@jordon-HP-15-Notebook-PC
Signed-off-by: Souptick Joarder &lt;jrdr.linux@gmail.com&gt;
Cc: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use new return type vm_fault_t for fault handler.  For now, this is just
documenting that the function returns a VM_FAULT value rather than an
errno.  Once all instances are converted, vm_fault_t will become a
distinct type.

See 1c8f422059ae ("mm: change return type to vm_fault_t") for reference.

Link: http://lkml.kernel.org/r/20180702155801.GA4010@jordon-HP-15-Notebook-PC
Signed-off-by: Souptick Joarder &lt;jrdr.linux@gmail.com&gt;
Cc: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>intel_th: Use correct device when freeing buffers</title>
<updated>2018-05-25T16:09:17+00:00</updated>
<author>
<name>Alexander Shishkin</name>
<email>alexander.shishkin@linux.intel.com</email>
</author>
<published>2018-05-24T08:27:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0ed2424b911f3a058dfea01b78817abed767433d'/>
<id>0ed2424b911f3a058dfea01b78817abed767433d</id>
<content type='text'>
Commit d5c435df4a890 ("intel_th: msu: Use the real device in case of IOMMU
domain allocation") changes dma buffer allocation to use the actual
underlying device, but forgets to change the deallocation path, which leads
to (if you've got CAP_SYS_RAWIO):

&gt; # echo 0,0 &gt; /sys/bus/intel_th/devices/0-msc0/nr_pages
&gt; ------------[ cut here ]------------
&gt; kernel BUG at ../linux/drivers/iommu/intel-iommu.c:3670!
&gt; CPU: 3 PID: 231 Comm: sh Not tainted 4.17.0-rc1+ #2729
&gt; RIP: 0010:intel_unmap+0x11e/0x130
...
&gt; Call Trace:
&gt;  intel_free_coherent+0x3e/0x60
&gt;  msc_buffer_win_free+0x100/0x160 [intel_th_msu]

This patch fixes the buffer deallocation code to use the correct device.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: d5c435df4a890 ("intel_th: msu: Use the real device in case of IOMMU domain allocation")
Reported-by: Baofeng Tian &lt;baofeng.tian@intel.com&gt;
CC: stable@vger.kernel.org # v4.14+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit d5c435df4a890 ("intel_th: msu: Use the real device in case of IOMMU
domain allocation") changes dma buffer allocation to use the actual
underlying device, but forgets to change the deallocation path, which leads
to (if you've got CAP_SYS_RAWIO):

&gt; # echo 0,0 &gt; /sys/bus/intel_th/devices/0-msc0/nr_pages
&gt; ------------[ cut here ]------------
&gt; kernel BUG at ../linux/drivers/iommu/intel-iommu.c:3670!
&gt; CPU: 3 PID: 231 Comm: sh Not tainted 4.17.0-rc1+ #2729
&gt; RIP: 0010:intel_unmap+0x11e/0x130
...
&gt; Call Trace:
&gt;  intel_free_coherent+0x3e/0x60
&gt;  msc_buffer_win_free+0x100/0x160 [intel_th_msu]

This patch fixes the buffer deallocation code to use the correct device.

Signed-off-by: Alexander Shishkin &lt;alexander.shishkin@linux.intel.com&gt;
Fixes: d5c435df4a890 ("intel_th: msu: Use the real device in case of IOMMU domain allocation")
Reported-by: Baofeng Tian &lt;baofeng.tian@intel.com&gt;
CC: stable@vger.kernel.org # v4.14+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
