--- /dev/null
+From 09bfda10e6efd7b65bcc29237bee1765ed779657 Mon Sep 17 00:00:00 2001
+From: Jeffery Miller <jmiller@neverware.com>
+Date: Tue, 1 Sep 2015 11:23:02 -0400
+Subject: Add radeon suspend/resume quirk for HP Compaq dc5750.
+
+From: Jeffery Miller <jmiller@neverware.com>
+
+commit 09bfda10e6efd7b65bcc29237bee1765ed779657 upstream.
+
+With the radeon driver loaded the HP Compaq dc5750
+Small Form Factor machine fails to resume from suspend.
+Adding a quirk similar to other devices avoids
+the problem and the system resumes properly.
+
+Signed-off-by: Jeffery Miller <jmiller@neverware.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_combios.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_combios.c
++++ b/drivers/gpu/drm/radeon/radeon_combios.c
+@@ -3387,6 +3387,14 @@ void radeon_combios_asic_init(struct drm
+ rdev->pdev->subsystem_device == 0x30ae)
+ return;
+
++ /* quirk for rs4xx HP Compaq dc5750 Small Form Factor to make it resume
++ * - it hangs on resume inside the dynclk 1 table.
++ */
++ if (rdev->family == CHIP_RS480 &&
++ rdev->pdev->subsystem_vendor == 0x103c &&
++ rdev->pdev->subsystem_device == 0x280a)
++ return;
++
+ /* DYN CLK 1 */
+ table = combios_get_table_offset(dev, COMBIOS_DYN_CLK_1_TABLE);
+ if (table)
--- /dev/null
+From 4c17a6d56bb0cad3066a714e94f7185a24b40f49 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jann@thejh.net>
+Date: Fri, 11 Sep 2015 16:27:27 +0200
+Subject: CIFS: fix type confusion in copy offload ioctl
+
+From: Jann Horn <jann@thejh.net>
+
+commit 4c17a6d56bb0cad3066a714e94f7185a24b40f49 upstream.
+
+This might lead to local privilege escalation (code execution as
+kernel) for systems where the following conditions are met:
+
+ - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
+ - a cifs filesystem is mounted where:
+ - the mount option "vers" was used and set to a value >=2.0
+ - the attacker has write access to at least one file on the filesystem
+
+To attack this, an attacker would have to guess the target_tcon
+pointer (but guessing wrong doesn't cause a crash, it just returns an
+error code) and win a narrow race.
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -67,6 +67,12 @@ static long cifs_ioctl_clone(unsigned in
+ goto out_drop_write;
+ }
+
++ if (src_file.file->f_op->unlocked_ioctl != cifs_ioctl) {
++ rc = -EBADF;
++ cifs_dbg(VFS, "src file seems to be from a different filesystem type\n");
++ goto out_fput;
++ }
++
+ if ((!src_file.file->private_data) || (!dst_file->private_data)) {
+ rc = -EBADF;
+ cifs_dbg(VFS, "missing cifsFileInfo on copy range src file\n");
--- /dev/null
+From 74b5037baa2011a2799e2c43adde7d171b072f9e Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 7 Aug 2015 16:19:43 +1000
+Subject: powerpc/mm: Fix pte_pagesize_index() crash on 4K w/64K hash
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 74b5037baa2011a2799e2c43adde7d171b072f9e upstream.
+
+The powerpc kernel can be built to have either a 4K PAGE_SIZE or a 64K
+PAGE_SIZE.
+
+However when built with a 4K PAGE_SIZE there is an additional config
+option which can be enabled, PPC_HAS_HASH_64K, which means the kernel
+also knows how to hash a 64K page even though the base PAGE_SIZE is 4K.
+
+This is used in one obscure configuration, to support 64K pages for SPU
+local store on the Cell processor when the rest of the kernel is using
+4K pages.
+
+In this configuration, pte_pagesize_index() is defined to just pass
+through its arguments to get_slice_psize(). However pte_pagesize_index()
+is called for both user and kernel addresses, whereas get_slice_psize()
+only knows how to handle user addresses.
+
+This has been broken forever, however until recently it happened to
+work. That was because in get_slice_psize() the large kernel address
+would cause the right shift of the slice mask to return zero.
+
+However in commit 7aa0727f3302 ("powerpc/mm: Increase the slice range to
+64TB"), the get_slice_psize() code was changed so that instead of a
+right shift we do an array lookup based on the address. When passed a
+kernel address this means we index way off the end of the slice array
+and return random junk.
+
+That is only fatal if we happen to hit something non-zero, but when we
+do return a non-zero value we confuse the MMU code and eventually cause
+a check stop.
+
+This fix is ugly, but simple. When we're called for a kernel address we
+return 4K, which is always correct in this configuration, otherwise we
+use the slice mask.
+
+Fixes: 7aa0727f3302 ("powerpc/mm: Increase the slice range to 64TB")
+Reported-by: Cyril Bur <cyrilbur@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/pgtable-ppc64.h | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/pgtable-ppc64.h
++++ b/arch/powerpc/include/asm/pgtable-ppc64.h
+@@ -135,7 +135,19 @@
+ #define pte_iterate_hashed_end() } while(0)
+
+ #ifdef CONFIG_PPC_HAS_HASH_64K
+-#define pte_pagesize_index(mm, addr, pte) get_slice_psize(mm, addr)
++/*
++ * We expect this to be called only for user addresses or kernel virtual
++ * addresses other than the linear mapping.
++ */
++#define pte_pagesize_index(mm, addr, pte) \
++ ({ \
++ unsigned int psize; \
++ if (is_kernel_addr(addr)) \
++ psize = MMU_PAGE_4K; \
++ else \
++ psize = get_slice_psize(mm, addr); \
++ psize; \
++ })
+ #else
+ #define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K
+ #endif
--- /dev/null
+From 36b35d5d807b7e57aff7d08e63de8b17731ee211 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
+Date: Tue, 15 Sep 2015 12:30:08 +0530
+Subject: powerpc/mm: Recompute hash value after a failed update
+
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
+
+commit 36b35d5d807b7e57aff7d08e63de8b17731ee211 upstream.
+
+If we had secondary hash flag set, we ended up modifying hash value in
+the updatepp code path. Hence with a failed updatepp we will be using
+a wrong hash value for the following hash insert. Fix this by
+recomputing hash before insert.
+
+Without this patch we can end up with using wrong slot number in linux
+pte. That can result in us missing an hash pte update or invalidate
+which can cause memory corruption or even machine check.
+
+Fixes: 6d492ecc6489 ("powerpc/THP: Add code to handle HPTE faults for hugepages")
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Reviewed-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/hugepage-hash64.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/hugepage-hash64.c
++++ b/arch/powerpc/mm/hugepage-hash64.c
+@@ -136,7 +136,6 @@ int __hash_page_thp(unsigned long ea, un
+ BUG_ON(index >= 4096);
+
+ vpn = hpt_vpn(ea, vsid, ssize);
+- hash = hpt_hash(vpn, shift, ssize);
+ hpte_slot_array = get_hpte_slot_array(pmdp);
+ if (psize == MMU_PAGE_4K) {
+ /*
+@@ -151,6 +150,7 @@ int __hash_page_thp(unsigned long ea, un
+ valid = hpte_valid(hpte_slot_array, index);
+ if (valid) {
+ /* update the hpte bits */
++ hash = hpt_hash(vpn, shift, ssize);
+ hidx = hpte_hash_index(hpte_slot_array, index);
+ if (hidx & _PTEIDX_SECONDARY)
+ hash = ~hash;
+@@ -176,6 +176,7 @@ int __hash_page_thp(unsigned long ea, un
+ if (!valid) {
+ unsigned long hpte_group;
+
++ hash = hpt_hash(vpn, shift, ssize);
+ /* insert new entry */
+ pa = pmd_pfn(__pmd(old_pmd)) << PAGE_SHIFT;
+ new_pmd |= _PAGE_HASHPTE;
--- /dev/null
+From 1c2cb594441d02815d304cccec9742ff5c707495 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Fri, 17 Jul 2015 12:46:58 +0200
+Subject: powerpc/rtas: Introduce rtas_get_sensor_fast() for IRQ handlers
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 1c2cb594441d02815d304cccec9742ff5c707495 upstream.
+
+The EPOW interrupt handler uses rtas_get_sensor(), which in turn
+uses rtas_busy_delay() to wait for RTAS becoming ready in case it
+is necessary. But rtas_busy_delay() is annotated with might_sleep()
+and thus may not be used by interrupts handlers like the EPOW handler!
+This leads to the following BUG when CONFIG_DEBUG_ATOMIC_SLEEP is
+enabled:
+
+ BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:496
+ in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.2.0-rc2-thuth #6
+ Call Trace:
+ [c00000007ffe7b90] [c000000000807670] dump_stack+0xa0/0xdc (unreliable)
+ [c00000007ffe7bc0] [c0000000000e1f14] ___might_sleep+0x134/0x180
+ [c00000007ffe7c20] [c00000000002aec0] rtas_busy_delay+0x30/0xd0
+ [c00000007ffe7c50] [c00000000002bde4] rtas_get_sensor+0x74/0xe0
+ [c00000007ffe7ce0] [c000000000083264] ras_epow_interrupt+0x44/0x450
+ [c00000007ffe7d90] [c000000000120260] handle_irq_event_percpu+0xa0/0x300
+ [c00000007ffe7e70] [c000000000120524] handle_irq_event+0x64/0xc0
+ [c00000007ffe7eb0] [c000000000124dbc] handle_fasteoi_irq+0xec/0x260
+ [c00000007ffe7ef0] [c00000000011f4f0] generic_handle_irq+0x50/0x80
+ [c00000007ffe7f20] [c000000000010f3c] __do_irq+0x8c/0x200
+ [c00000007ffe7f90] [c0000000000236cc] call_do_irq+0x14/0x24
+ [c00000007e6f39e0] [c000000000011144] do_IRQ+0x94/0x110
+ [c00000007e6f3a30] [c000000000002594] hardware_interrupt_common+0x114/0x180
+
+Fix this issue by introducing a new rtas_get_sensor_fast() function
+that does not use rtas_busy_delay() - and thus can only be used for
+sensors that do not cause a BUSY condition - known as "fast" sensors.
+
+The EPOW sensor is defined to be "fast" in sPAPR - mpe.
+
+Fixes: 587f83e8dd50 ("powerpc/pseries: Use rtas_get_sensor in RAS code")
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/rtas.h | 1 +
+ arch/powerpc/kernel/rtas.c | 17 +++++++++++++++++
+ arch/powerpc/platforms/pseries/ras.c | 3 ++-
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/rtas.h
++++ b/arch/powerpc/include/asm/rtas.h
+@@ -255,6 +255,7 @@ extern void rtas_power_off(void);
+ extern void rtas_halt(void);
+ extern void rtas_os_term(char *str);
+ extern int rtas_get_sensor(int sensor, int index, int *state);
++extern int rtas_get_sensor_fast(int sensor, int index, int *state);
+ extern int rtas_get_power_level(int powerdomain, int *level);
+ extern int rtas_set_power_level(int powerdomain, int level, int *setlevel);
+ extern bool rtas_indicator_present(int token, int *maxindex);
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -584,6 +584,23 @@ int rtas_get_sensor(int sensor, int inde
+ }
+ EXPORT_SYMBOL(rtas_get_sensor);
+
++int rtas_get_sensor_fast(int sensor, int index, int *state)
++{
++ int token = rtas_token("get-sensor-state");
++ int rc;
++
++ if (token == RTAS_UNKNOWN_SERVICE)
++ return -ENOENT;
++
++ rc = rtas_call(token, 2, 2, state, sensor, index);
++ WARN_ON(rc == RTAS_BUSY || (rc >= RTAS_EXTENDED_DELAY_MIN &&
++ rc <= RTAS_EXTENDED_DELAY_MAX));
++
++ if (rc < 0)
++ return rtas_error_rc(rc);
++ return rc;
++}
++
+ bool rtas_indicator_present(int token, int *maxindex)
+ {
+ int proplen, count, i;
+--- a/arch/powerpc/platforms/pseries/ras.c
++++ b/arch/powerpc/platforms/pseries/ras.c
+@@ -187,7 +187,8 @@ static irqreturn_t ras_epow_interrupt(in
+ int state;
+ int critical;
+
+- status = rtas_get_sensor(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX, &state);
++ status = rtas_get_sensor_fast(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX,
++ &state);
+
+ if (state > 3)
+ critical = 1; /* Time Critical */
input-evdev-do-not-report-errors-form-flush.patch
alsa-hda-enable-headphone-jack-detect-on-old-fujitsu-laptops.patch
alsa-hda-use-alc880_fixup_fujitsu-for-fsc-amilo-m1437.patch
+powerpc-mm-fix-pte_pagesize_index-crash-on-4k-w-64k-hash.patch
+powerpc-rtas-introduce-rtas_get_sensor_fast-for-irq-handlers.patch
+powerpc-mm-recompute-hash-value-after-a-failed-update.patch
+cifs-fix-type-confusion-in-copy-offload-ioctl.patch
+add-radeon-suspend-resume-quirk-for-hp-compaq-dc5750.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
