3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Apr 2015 09:40:49 +0000 (11:40 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Apr 2015 09:40:49 +0000 (11:40 +0200)
added patches:
arc-sa_siginfo-ucontext-regs-off-by-one.patch
pci-aer-avoid-info-leak-in-__print_tlp_header.patch
selinux-fix-sel_write_enforce-broken-return-value.patch

queue-3.14/arc-sa_siginfo-ucontext-regs-off-by-one.patch [new file with mode: 0644]
queue-3.14/pci-aer-avoid-info-leak-in-__print_tlp_header.patch [new file with mode: 0644]
queue-3.14/selinux-fix-sel_write_enforce-broken-return-value.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/arc-sa_siginfo-ucontext-regs-off-by-one.patch b/queue-3.14/arc-sa_siginfo-ucontext-regs-off-by-one.patch
new file mode 100644 (file)
index 0000000..7009f02
--- /dev/null
@@ -0,0 +1,92 @@
+From 6914e1e3f63caa829431160f0f7093292daef2d5 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Thu, 26 Mar 2015 09:25:44 +0530
+Subject: ARC: SA_SIGINFO ucontext regs off-by-one
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 6914e1e3f63caa829431160f0f7093292daef2d5 upstream.
+
+The regfile provided to SA_SIGINFO signal handler as ucontext was off by
+one due to pt_regs gutter cleanups in 2013.
+
+Before handling signal, user pt_regs are copied onto user_regs_struct and copied
+back later. Both structs are binary compatible. This was all fine until
+commit 2fa919045b72 (ARC: pt_regs update #2) which removed the empty stack slot
+at top of pt_regs (corresponding to first pad) and made the corresponding
+fixup in struct user_regs_struct (the pad in there was moved out of
+@scratch - not removed altogether as it is part of ptrace ABI)
+
+ struct user_regs_struct {
++       long pad;
+        struct {
+-               long pad;
+                long bta, lp_start, lp_end,....
+        } scratch;
+ ...
+ }
+
+This meant that now user_regs_struct was off by 1 reg w.r.t pt_regs and
+signal code needs to user_regs_struct.scratch to reflect it as pt_regs,
+which is what this commit does.
+
+This problem was hidden for 2 years, because both save/restore, despite
+using wrong location, were using the same location. Only an interim
+inspection (reproducer below) exposed the issue.
+
+     void handle_segv(int signo, siginfo_t *info, void *context)
+     {
+       ucontext_t *uc = context;
+       struct user_regs_struct *regs = &(uc->uc_mcontext.regs);
+
+       printf("regs %x %x\n",               <=== prints 7 8 (vs. 8 9)
+               regs->scratch.r8, regs->scratch.r9);
+     }
+
+     int main()
+     {
+       struct sigaction sa;
+
+       sa.sa_sigaction = handle_segv;
+       sa.sa_flags = SA_SIGINFO;
+       sigemptyset(&sa.sa_mask);
+       sigaction(SIGSEGV, &sa, NULL);
+
+       asm volatile(
+       "mov    r7, 7   \n"
+       "mov    r8, 8   \n"
+       "mov    r9, 9   \n"
+       "mov    r10, 10 \n"
+       :::"r7","r8","r9","r10");
+
+       *((unsigned int*)0x10) = 0;
+     }
+
+Fixes: 2fa919045b72ec892e "ARC: pt_regs update #2: Remove unused gutter at start of pt_regs"
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/kernel/signal.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/kernel/signal.c
++++ b/arch/arc/kernel/signal.c
+@@ -67,7 +67,7 @@ stash_usr_regs(struct rt_sigframe __user
+              sigset_t *set)
+ {
+       int err;
+-      err = __copy_to_user(&(sf->uc.uc_mcontext.regs), regs,
++      err = __copy_to_user(&(sf->uc.uc_mcontext.regs.scratch), regs,
+                            sizeof(sf->uc.uc_mcontext.regs.scratch));
+       err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(sigset_t));
+@@ -83,7 +83,7 @@ static int restore_usr_regs(struct pt_re
+       if (!err)
+               set_current_blocked(&set);
+-      err |= __copy_from_user(regs, &(sf->uc.uc_mcontext.regs),
++      err |= __copy_from_user(regs, &(sf->uc.uc_mcontext.regs.scratch),
+                               sizeof(sf->uc.uc_mcontext.regs.scratch));
+       return err;
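Review bot: In both stash_usr_regs() and restore_usr_regs() the copy length is `sizeof(sf->uc.uc_mcontext.regs.scratch)` while the kernel-side buffer is `regs`, a `struct pt_regs *`, so the copies stay in bounds only while the two layouts stay in step, and nothing in the new code enforces that. Neither struct definition is visible here, so this rests on the commit text saying the two are binary compatible; if that holds, a compile-time guard such as `BUILD_BUG_ON(sizeof(sf->uc.uc_mcontext.regs.scratch) > sizeof(*regs));` beside each copy would keep a later layout change from turning the stash into a read past pt_regs on the kernel stack. A short comment like `/* scratch is laid out like pt_regs; pad sits outside it (ptrace ABI) */` would also record why the address is `.regs.scratch` rather than `.regs`. Both function bodies begin and end outside the quoted hunks.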
diff --git a/queue-3.14/pci-aer-avoid-info-leak-in-__print_tlp_header.patch b/queue-3.14/pci-aer-avoid-info-leak-in-__print_tlp_header.patch
new file mode 100644 (file)
index 0000000..3de0e6b
--- /dev/null
@@ -0,0 +1,53 @@
+From a1b7f2f6367944d445c6853035830a35c6343939 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Thu, 26 Feb 2015 09:55:03 +0100
+Subject: PCI/AER: Avoid info leak in __print_tlp_header()
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit a1b7f2f6367944d445c6853035830a35c6343939 upstream.
+
+Commit fab4c256a58b ("PCI/AER: Add a TLP header print helper") introduced
+the helper function __print_tlp_header(), but contrary to the intention,
+the behaviour did change: Since we're taking the address of the parameter
+t, the first 4 or 8 bytes printed will be the value of the pointer t
+itself, and the remaining 12 or 8 bytes will be who-knows-what (something
+from the stack).
+
+We want to show the values of the four members of the struct
+aer_header_log_regs; that can be done without ugly and error-prone casts.
+On little-endian this should produce the same output as originally
+intended, and since no-one has complained about getting garbage output so
+far, I think big-endian should be ok too.
+
+Fixes: fab4c256a58b ("PCI/AER: Add a TLP header print helper")
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pcie/aer/aerdrv_errprint.c |   12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/pcie/aer/aerdrv_errprint.c
++++ b/drivers/pci/pcie/aer/aerdrv_errprint.c
+@@ -127,16 +127,8 @@ static const char *aer_agent_string[] =
+ static void __print_tlp_header(struct pci_dev *dev,
+                              struct aer_header_log_regs *t)
+ {
+-      unsigned char *tlp = (unsigned char *)&t;
+-
+-      dev_err(&dev->dev, "  TLP Header:"
+-              " %02x%02x%02x%02x %02x%02x%02x%02x"
+-              " %02x%02x%02x%02x %02x%02x%02x%02x\n",
+-              *(tlp + 3), *(tlp + 2), *(tlp + 1), *tlp,
+-              *(tlp + 7), *(tlp + 6), *(tlp + 5), *(tlp + 4),
+-              *(tlp + 11), *(tlp + 10), *(tlp + 9),
+-              *(tlp + 8), *(tlp + 15), *(tlp + 14),
+-              *(tlp + 13), *(tlp + 12));
++      dev_err(&dev->dev, "  TLP Header: %08x %08x %08x %08x\n",
++              t->dw0, t->dw1, t->dw2, t->dw3);
+ }
+ static void __aer_print_error(struct pci_dev *dev,
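Review bot: `__print_tlp_header()` now only reads through `t`, so the parameter is better declared `const struct aer_header_log_regs *t`, which documents that the helper never writes the logged header. The `%08x` conversions assume `dw0`..`dw3` are 32-bit unsigned members; the struct definition is not shown here and should be checked against the format string. A comment above the call, for example `/* print the four logged dwords by value; do not index bytes off the parameter */`, would record why the cast-based form was dropped. Per the commit text, kernels carrying fab4c256a58b without this fix put the pointer value and neighbouring stack bytes into the "TLP Header:" line, so logs kept from those kernels should be handled as containing kernel addresses.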
diff --git a/queue-3.14/selinux-fix-sel_write_enforce-broken-return-value.patch b/queue-3.14/selinux-fix-sel_write_enforce-broken-return-value.patch
new file mode 100644 (file)
index 0000000..91db0e6
--- /dev/null
@@ -0,0 +1,32 @@
+From 6436a123a147db51a0b06024a8350f4c230e73ff Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Mon, 23 Mar 2015 18:01:35 -0700
+Subject: selinux: fix sel_write_enforce broken return value
+
+From: Joe Perches <joe@perches.com>
+
+commit 6436a123a147db51a0b06024a8350f4c230e73ff upstream.
+
+Return a negative error value like the rest of the entries in this function.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
+[PM: tweaked subject line]
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/selinuxfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -152,7 +152,7 @@ static ssize_t sel_write_enforce(struct
+               goto out;
+       /* No partial writes. */
+-      length = EINVAL;
++      length = -EINVAL;
+       if (*ppos != 0)
+               goto out;
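Review bot: The `/* No partial writes. */` comment above `length = -EINVAL;` does not say why the sign matters. `length` is the handler's `ssize_t` result, so the old positive `EINVAL` would presumably have reached the caller as a byte count rather than an error, making a rejected write to the enforce node look successful. I would extend the comment to `/* No partial writes; must be a negative errno, a positive value reads as bytes written. */`. The rest of sel_write_enforce(), including the `out:` label and the other `length = ...` assignments, lies outside this hunk, so the return path is inferred from the visible lines and the commit description.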
index c706a7f71397b92f29c525ef3f17fc22acc21769..377d8913843fc6c9c9111a45c3379d0aa3e0810a 100644 (file)
@@ -2,3 +2,6 @@ alsa-hda-add-one-more-node-in-the-eapd-supporting-candidate-list.patch
 alsa-usb-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch
 alsa-hda-realtek-make-more-stable-to-get-pin-sense-for-alc283.patch
 alsa-hda-fix-headphone-pin-config-for-lifebook-t731.patch
+pci-aer-avoid-info-leak-in-__print_tlp_header.patch
+arc-sa_siginfo-ucontext-regs-off-by-one.patch
+selinux-fix-sel_write_enforce-broken-return-value.patch