--- /dev/null
+From 97fc15436b36ee3956efad83e22a557991f7d19d Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kyle@redhat.com>
+Date: Wed, 12 Nov 2014 21:07:44 +0000
+Subject: arm64: __clear_user: handle exceptions on strb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kyle McMartin <kyle@redhat.com>
+
+commit 97fc15436b36ee3956efad83e22a557991f7d19d upstream.
+
+ARM64 currently doesn't fix up faults on the single-byte (strb) case of
+__clear_user... which means that we can cause a nasty kernel panic as an
+ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
+i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
+
+This is a pretty obscure bug in the general case since we'll only
+__do_kernel_fault (since there's no extable entry for pc) if the
+mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
+always fault.
+
+if (!down_read_trylock(&mm->mmap_sem)) {
+ if (!user_mode(regs) && !search_exception_tables(regs->pc))
+ goto no_context;
+retry:
+ down_read(&mm->mmap_sem);
+} else {
+ /*
+ * The above down_read_trylock() might have succeeded in
+ * which
+ * case, we'll have missed the might_sleep() from
+ * down_read().
+ */
+ might_sleep();
+ if (!user_mode(regs) && !search_exception_tables(regs->pc))
+ goto no_context;
+}
+
+Fix that by adding an extable entry for the strb instruction, since it
+touches user memory, similar to the other stores in __clear_user.
+
+Signed-off-by: Kyle McMartin <kyle@redhat.com>
+Reported-by: Miloš Prchlík <mprchlik@redhat.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/lib/clear_user.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/lib/clear_user.S
++++ b/arch/arm64/lib/clear_user.S
+@@ -46,7 +46,7 @@ USER(9f, strh wzr, [x0], #2 )
+ sub x1, x1, #2
+ 4: adds x1, x1, #1
+ b.mi 5f
+- strb wzr, [x0]
++USER(9f, strb wzr, [x0] )
+ 5: mov x0, #0
+ ret
+ ENDPROC(__clear_user)
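Review bot: Nothing in the routine records that every store through x0 needs an exception-table entry, which is how the `strb` after label 4 was missed while the neighbouring stores were already wrapped in `USER()`. A one-line comment above that store would make the rule visible, for example `/* x0 is a user pointer: each store needs USER() so a fault is fixed up at 9f */`. The `9:` fixup target and the start of `__clear_user` are outside this hunk, so I am assuming the fixup path reports the remaining byte count the same way for the byte store as for the wider ones. The description says an unprivileged read from /dev/zero could panic the kernel, so a regression test for the PAGE_SIZE+1 length case would be worth adding alongside the fix.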
--- /dev/null
+From aa1cf25887099bba68f1f3879c0d394e08b8779f Mon Sep 17 00:00:00 2001
+From: Simon Horman <horms+renesas@verge.net.au>
+Date: Mon, 27 Oct 2014 09:14:30 +0900
+Subject: ata: sata_rcar: Disable DIPM mode for r8a7790 ES1
+
+From: Simon Horman <horms+renesas@verge.net.au>
+
+commit aa1cf25887099bba68f1f3879c0d394e08b8779f upstream.
+
+Unlike other SATA R-Car r8a7790 controllers the r8a7790 ES1 SATA R-Car
+controller needs to be run with DIPM disabled.
+
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/devicetree/bindings/ata/sata_rcar.txt | 3 ++-
+ drivers/ata/sata_rcar.c | 10 ++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/ata/sata_rcar.txt
++++ b/Documentation/devicetree/bindings/ata/sata_rcar.txt
+@@ -3,7 +3,8 @@
+ Required properties:
+ - compatible : should contain one of the following:
+ - "renesas,sata-r8a7779" for R-Car H1
+- - "renesas,sata-r8a7790" for R-Car H2
++ - "renesas,sata-r8a7790-es1" for R-Car H2 ES1
++ - "renesas,sata-r8a7790" for R-Car H2 other than ES1
+ - "renesas,sata-r8a7791" for R-Car M2
+ - reg : address and length of the SATA registers;
+ - interrupts : must consist of one interrupt specifier.
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -146,6 +146,7 @@
+ enum sata_rcar_type {
+ RCAR_GEN1_SATA,
+ RCAR_GEN2_SATA,
++ RCAR_R8A7790_ES1_SATA,
+ };
+
+ struct sata_rcar_priv {
+@@ -763,6 +764,9 @@ static void sata_rcar_setup_port(struct
+ ap->udma_mask = ATA_UDMA6;
+ ap->flags |= ATA_FLAG_SATA;
+
++ if (priv->type == RCAR_R8A7790_ES1_SATA)
++ ap->flags |= ATA_FLAG_NO_DIPM;
++
+ ioaddr->cmd_addr = base + SDATA_REG;
+ ioaddr->ctl_addr = base + SSDEVCON_REG;
+ ioaddr->scr_addr = base + SCRSSTS_REG;
+@@ -792,6 +796,7 @@ static void sata_rcar_init_controller(st
+ sata_rcar_gen1_phy_init(priv);
+ break;
+ case RCAR_GEN2_SATA:
++ case RCAR_R8A7790_ES1_SATA:
+ sata_rcar_gen2_phy_init(priv);
+ break;
+ default:
+@@ -838,6 +843,10 @@ static struct of_device_id sata_rcar_mat
+ .data = (void *)RCAR_GEN2_SATA
+ },
+ {
++ .compatible = "renesas,sata-r8a7790-es1",
++ .data = (void *)RCAR_R8A7790_ES1_SATA
++ },
++ {
+ .compatible = "renesas,sata-r8a7791",
+ .data = (void *)RCAR_GEN2_SATA
+ },
+@@ -849,6 +858,7 @@ static const struct platform_device_id s
+ { "sata_rcar", RCAR_GEN1_SATA }, /* Deprecated by "sata-r8a7779" */
+ { "sata-r8a7779", RCAR_GEN1_SATA },
+ { "sata-r8a7790", RCAR_GEN2_SATA },
++ { "sata-r8a7790-es1", RCAR_R8A7790_ES1_SATA },
+ { "sata-r8a7791", RCAR_GEN2_SATA },
+ { },
+ };
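Review bot: A device tree for an r8a7790 ES1 board that still carries `"renesas,sata-r8a7790"` keeps matching `RCAR_GEN2_SATA`, so the `ATA_FLAG_NO_DIPM` quirk in `sata_rcar_setup_port()` does nothing until the board's DT is switched to `"renesas,sata-r8a7790-es1"`. No DT update is visible in this patch, so any in-tree ES1 board file would need to change in the same series. The new test would also read better with its reason stated next to it, e.g. `/* r8a7790 ES1 must run with DIPM disabled */`. Both `sata_rcar_setup_port()` and `sata_rcar_init_controller()` begin and end outside the hunks shown.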
--- /dev/null
+From ece9c72accdc45c3a9484dacb1125ce572647288 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 30 Oct 2014 20:43:38 +0100
+Subject: block: Fix computation of merged request priority
+
+From: Jan Kara <jack@suse.cz>
+
+commit ece9c72accdc45c3a9484dacb1125ce572647288 upstream.
+
+Priority of a merged request is computed by ioprio_best(). If one of the
+requests has undefined priority (IOPRIO_CLASS_NONE) and another request
+has priority from IOPRIO_CLASS_BE, the function will return the
+undefined priority which is wrong. Fix the function to properly return
+priority of a request with the defined priority.
+
+Fixes: d58cdfb89ce0c6bd5f81ae931a984ef298dbda20
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ioprio.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/fs/ioprio.c
++++ b/fs/ioprio.c
+@@ -157,14 +157,16 @@ out:
+
+ int ioprio_best(unsigned short aprio, unsigned short bprio)
+ {
+- unsigned short aclass = IOPRIO_PRIO_CLASS(aprio);
+- unsigned short bclass = IOPRIO_PRIO_CLASS(bprio);
++ unsigned short aclass;
++ unsigned short bclass;
+
+- if (aclass == IOPRIO_CLASS_NONE)
+- aclass = IOPRIO_CLASS_BE;
+- if (bclass == IOPRIO_CLASS_NONE)
+- bclass = IOPRIO_CLASS_BE;
++ if (!ioprio_valid(aprio))
++ aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
++ if (!ioprio_valid(bprio))
++ bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
+
++ aclass = IOPRIO_PRIO_CLASS(aprio);
++ bclass = IOPRIO_PRIO_CLASS(bprio);
+ if (aclass == bclass)
+ return min(aprio, bprio);
+ if (aclass > bclass)
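Review bot: `ioprio_best()` has no comment stating the rule this fix introduces: a priority that fails `ioprio_valid()` is replaced by `IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM)` before the two values are compared. A short function comment saying so would stop the next reader from reintroducing class-only substitution. One consequence to mention there: when an unset priority is merged with a best-effort priority whose level is numerically above `IOPRIO_NORM`, `min(aprio, bprio)` now returns the substituted BE/NORM value. The tail of the function is outside the hunk.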
--- /dev/null
+From 899d5933b2dd2720f2b20b01eaa07871aa6ad096 Mon Sep 17 00:00:00 2001
+From: William Cohen <wcohen@redhat.com>
+Date: Tue, 11 Nov 2014 09:41:27 -0500
+Subject: Correct the race condition in aarch64_insn_patch_text_sync()
+
+From: William Cohen <wcohen@redhat.com>
+
+commit 899d5933b2dd2720f2b20b01eaa07871aa6ad096 upstream.
+
+When experimenting with patches to provide kprobes support for aarch64
+smp machines would hang when inserting breakpoints into kernel code.
+The hangs were caused by a race condition in the code called by
+aarch64_insn_patch_text_sync(). The first processor in the
+aarch64_insn_patch_text_cb() function would patch the code while other
+processors were still entering the function and incrementing the
+cpu_count field. This resulted in some processors never observing the
+exit condition and exiting the function. Thus, processors in the
+system hung.
+
+The first processor to enter the patching function performs the
+patching and signals that the patching is complete with an increment
+of the cpu_count field. When all the processors have incremented the
+cpu_count field the cpu_count will be num_cpus_online()+1 and they
+will return to normal execution.
+
+Fixes: ae16480785de arm64: introduce interfaces to hotpatch kernel and module code
+Signed-off-by: William Cohen <wcohen@redhat.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/insn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -156,9 +156,10 @@ static int __kprobes aarch64_insn_patch_
+ * which ends with "dsb; isb" pair guaranteeing global
+ * visibility.
+ */
+- atomic_set(&pp->cpu_count, -1);
++ /* Notify other processors with an additional increment. */
++ atomic_inc(&pp->cpu_count);
+ } else {
+- while (atomic_read(&pp->cpu_count) != -1)
++ while (atomic_read(&pp->cpu_count) <= num_online_cpus())
+ cpu_relax();
+ isb();
+ }
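Review bot: The exit condition of the wait loop rests on an invariant that is explained only in the commit message: `cpu_count` exceeds `num_online_cpus()` only after every CPU has entered the callback and the patching CPU has added its extra increment. That should sit next to the loop, e.g. `/* count reaches num_online_cpus() + 1 once all CPUs have arrived and patching is done */`. `num_online_cpus()` is re-read on every iteration, which is safe only if the online set cannot change while the callback runs. I assume the caller guarantees that, but the call site is outside this hunk and should be confirmed. The function also starts outside the hunk.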
--- /dev/null
+From eaca2d8e75e90a70a63a6695c9f61932609db212 Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Tue, 11 Nov 2014 17:16:44 +0100
+Subject: firewire: cdev: prevent kernel stack leaking into ioctl arguments
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit eaca2d8e75e90a70a63a6695c9f61932609db212 upstream.
+
+Found by the UC-KLEE tool: A user could supply less input to
+firewire-cdev ioctls than write- or write/read-type ioctl handlers
+expect. The handlers used data from uninitialized kernel stack then.
+
+This could partially leak back to the user if the kernel subsequently
+generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
+which notably would contain the _u64 closure field which many of the
+ioctl argument structures contain.
+
+The fact that the handlers would act on random garbage input is a
+lesser issue since all handlers must check their input anyway.
+
+The fix simply always null-initializes the entire ioctl argument buffer
+regardless of the actual length of expected user input. That is, a
+runtime overhead of memset(..., 40) is added to each firewirew-cdev
+ioctl() call. [Comment from Clemens Ladisch: This part of the stack is
+most likely to be already in the cache.]
+
+Remarks:
+ - There was never any leak from kernel stack to the ioctl output
+ buffer itself. IOW, it was not possible to read kernel stack by a
+ read-type or write/read-type ioctl alone; the leak could at most
+ happen in combination with read()ing subsequent event data.
+ - The actual expected minimum user input of each ioctl from
+ include/uapi/linux/firewire-cdev.h is, in bytes:
+ [0x00] = 32, [0x05] = 4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
+ [0x01] = 36, [0x06] = 20, [0x0b] = 4, [0x10] = 20, [0x15] = 20,
+ [0x02] = 20, [0x07] = 4, [0x0c] = 0, [0x11] = 0, [0x16] = 8,
+ [0x03] = 4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
+ [0x04] = 20, [0x09] = 24, [0x0e] = 4, [0x13] = 40, [0x18] = 4.
+
+Reported-by: David Ramos <daramos@stanford.edu>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firewire/core-cdev.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client
+ _IOC_SIZE(cmd) > sizeof(buffer))
+ return -ENOTTY;
+
+- if (_IOC_DIR(cmd) == _IOC_READ)
+- memset(&buffer, 0, _IOC_SIZE(cmd));
++ memset(&buffer, 0, sizeof(buffer));
+
+ if (_IOC_DIR(cmd) & _IOC_WRITE)
+ if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
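Review bot: The unconditional `memset(&buffer, 0, sizeof(buffer))` has no comment, and without one it looks like a redundant clear that a later cleanup could narrow back to `_IOC_SIZE(cmd)`. I would add `/* _IOC_SIZE(cmd) is caller-controlled and may be shorter than the handler's argument struct; zero the whole buffer so no stack bytes reach a handler */` above it. The visible check only bounds `_IOC_SIZE(cmd)` from above, so short input is still accepted and the handler then runs on zero-filled fields. The description already lists the minimum size per ioctl number, so a follow-up could reject commands below that minimum with `-ENOTTY`. `dispatch_ioctl()` starts and ends outside the hunk.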
--- /dev/null
+From 8c393f9a721c30a030049a680e1bf896669bb279 Mon Sep 17 00:00:00 2001
+From: Peng Tao <tao.peng@primarydata.com>
+Date: Wed, 5 Nov 2014 22:36:50 +0800
+Subject: nfs: fix pnfs direct write memory leak
+
+From: Peng Tao <tao.peng@primarydata.com>
+
+commit 8c393f9a721c30a030049a680e1bf896669bb279 upstream.
+
+For pNFS direct writes, layout driver may dynamically allocate ds_cinfo.buckets.
+So we need to take care to free them when freeing dreq.
+
+Ideally this needs to be done inside layout driver where ds_cinfo.buckets
+are allocated. But buckets are attached to dreq and reused across LD IO iterations.
+So I feel it's OK to free them in the generic layer.
+
+Signed-off-by: Peng Tao <tao.peng@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/direct.c | 1 +
+ include/linux/nfs_xdr.h | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -178,6 +178,7 @@ static void nfs_direct_req_free(struct k
+ {
+ struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref);
+
++ nfs_free_pnfs_ds_cinfo(&dreq->ds_cinfo);
+ if (dreq->l_ctx != NULL)
+ nfs_put_lock_context(dreq->l_ctx);
+ if (dreq->ctx != NULL)
+--- a/include/linux/nfs_xdr.h
++++ b/include/linux/nfs_xdr.h
+@@ -1247,11 +1247,22 @@ struct nfs41_free_stateid_res {
+ unsigned int status;
+ };
+
++static inline void
++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo)
++{
++ kfree(cinfo->buckets);
++}
++
+ #else
+
+ struct pnfs_ds_commit_info {
+ };
+
++static inline void
++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo)
++{
++}
++
+ #endif /* CONFIG_NFS_V4_1 */
+
+ struct nfs_page;
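Review bot: `nfs_free_pnfs_ds_cinfo()` frees `cinfo->buckets` but leaves the pointer in place, so a second call on the same `cinfo`, or a later read of the field, would touch freed memory. That is harmless in `nfs_direct_req_free()` if `dreq` is released right afterwards (the rest of that function is outside the hunk). The helper lives in a shared header, though, and can be picked up by other callers. Adding `cinfo->buckets = NULL;` after the `kfree()` makes it safe to call more than once. A one-line comment on the helper saying it releases only the bucket array, not whatever the buckets reference, would also help.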
--- /dev/null
+From 2fe749f50b0bec07650ef135b29b1f55bf543869 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 10 Nov 2014 21:46:18 +0100
+Subject: parisc: Use compat layer for msgctl, shmat, shmctl and semtimedop syscalls
+
+From: Helge Deller <deller@gmx.de>
+
+commit 2fe749f50b0bec07650ef135b29b1f55bf543869 upstream.
+
+Switch over the msgctl, shmat, shmctl and semtimedop syscalls to use the compat
+layer. The problem was found with the debian procenv package, which called
+ shmctl(0, SHM_INFO, &info);
+in which the shmctl syscall then overwrote parts of the surrounding areas on
+the stack on which the info variable was stored and thus lead to a segfault
+later on.
+
+Additionally fix the definition of struct shminfo64 to use unsigned longs like
+the other architectures. This has no impact on userspace since we only have a
+32bit userspace up to now.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/shmbuf.h | 25 +++++++++----------------
+ arch/parisc/kernel/syscall_table.S | 8 ++++----
+ 2 files changed, 13 insertions(+), 20 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/shmbuf.h
++++ b/arch/parisc/include/uapi/asm/shmbuf.h
+@@ -36,23 +36,16 @@ struct shmid64_ds {
+ unsigned int __unused2;
+ };
+
+-#ifdef CONFIG_64BIT
+-/* The 'unsigned int' (formerly 'unsigned long') data types below will
+- * ensure that a 32-bit app calling shmctl(*,IPC_INFO,*) will work on
+- * a wide kernel, but if some of these values are meant to contain pointers
+- * they may need to be 'long long' instead. -PB XXX FIXME
+- */
+-#endif
+ struct shminfo64 {
+- unsigned int shmmax;
+- unsigned int shmmin;
+- unsigned int shmmni;
+- unsigned int shmseg;
+- unsigned int shmall;
+- unsigned int __unused1;
+- unsigned int __unused2;
+- unsigned int __unused3;
+- unsigned int __unused4;
++ unsigned long shmmax;
++ unsigned long shmmin;
++ unsigned long shmmni;
++ unsigned long shmseg;
++ unsigned long shmall;
++ unsigned long __unused1;
++ unsigned long __unused2;
++ unsigned long __unused3;
++ unsigned long __unused4;
+ };
+
+ #endif /* _PARISC_SHMBUF_H */
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -286,11 +286,11 @@
+ ENTRY_COMP(msgsnd)
+ ENTRY_COMP(msgrcv)
+ ENTRY_SAME(msgget) /* 190 */
+- ENTRY_SAME(msgctl)
+- ENTRY_SAME(shmat)
++ ENTRY_COMP(msgctl)
++ ENTRY_COMP(shmat)
+ ENTRY_SAME(shmdt)
+ ENTRY_SAME(shmget)
+- ENTRY_SAME(shmctl) /* 195 */
++ ENTRY_COMP(shmctl) /* 195 */
+ ENTRY_SAME(ni_syscall) /* streams1 */
+ ENTRY_SAME(ni_syscall) /* streams2 */
+ ENTRY_SAME(lstat64)
+@@ -323,7 +323,7 @@
+ ENTRY_SAME(epoll_ctl) /* 225 */
+ ENTRY_SAME(epoll_wait)
+ ENTRY_SAME(remap_file_pages)
+- ENTRY_SAME(semtimedop)
++ ENTRY_COMP(semtimedop)
+ ENTRY_COMP(mq_open)
+ ENTRY_SAME(mq_unlink) /* 230 */
+ ENTRY_COMP(mq_timedsend)
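Review bot: `struct shminfo64` in the uapi header loses its explanatory comment along with the `unsigned int` fields, and nothing replaces it to say why the layout is now safe for 32-bit callers on a 64-bit kernel. Going by the description, that safety comes from the `ENTRY_COMP(shmctl)` switch in the syscall table. I would record it above the struct, e.g. `/* 32-bit callers on a 64-bit kernel use the compat shmctl entry, which converts this layout */`. The description states that only 32-bit userspace exists today; since this is an ABI-visible struct, that assumption belongs in the header as well. The description also ties the original fault to the kernel writing past a caller's `info` buffer, so a test issuing `shmctl(0, SHM_INFO, &info)` from a 32-bit process would guard the table entries against being switched back.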
--- /dev/null
+From 48379270fe6808cf4612ee094adc8da2b7a83baa Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 3 Nov 2014 19:36:40 +0100
+Subject: scsi: only re-lock door after EH on devices that were reset
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 48379270fe6808cf4612ee094adc8da2b7a83baa upstream.
+
+Setups that use the blk-mq I/O path can lock up if a host with a single
+device that has its door locked enters EH. Make sure to only send the
+command to re-lock the door to devices that actually were reset and thus
+might have lost their state. Otherwise the EH code might be get blocked
+on blk_get_request as all requests for non-reset devices might be in use.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reported-by: Meelis Roos <meelis.roos@ut.ee>
+Tested-by: Meelis Roos <meelis.roos@ut.ee>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_error.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1984,8 +1984,10 @@ static void scsi_restart_operations(stru
+ * is no point trying to lock the door of an off-line device.
+ */
+ shost_for_each_device(sdev, shost) {
+- if (scsi_device_online(sdev) && sdev->locked)
++ if (scsi_device_online(sdev) && sdev->was_reset && sdev->locked) {
+ scsi_eh_lock_door(sdev);
++ sdev->was_reset = 0;
++ }
+ }
+
+ /*
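Review bot: `sdev->was_reset` is cleared only inside the branch that also requires `scsi_device_online(sdev)` and `sdev->locked`, so a device that was reset while unlocked or offline keeps the flag set after this pass. Unless the flag is cleared elsewhere (not visible here), a later error-handling run on the same host could send the lock-door command to that device even though it was not reset that time. That is the situation the commit is trying to avoid. Consider clearing the flag for every device visited, i.e. keep the three-way test around `scsi_eh_lock_door(sdev);` and put `sdev->was_reset = 0;` after the `if`. `scsi_restart_operations()` begins and ends outside the hunk.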
arm-8191-1-decompressor-ensure-i-side-picks-up-relocated-code.patch
pinctrl-dra-dt-bindings-fix-output-pull-up-down.patch
dm-thin-grab-a-virtual-cell-before-looking-up-the-mapping.patch
+arm64-__clear_user-handle-exceptions-on-strb.patch
+firewire-cdev-prevent-kernel-stack-leaking-into-ioctl-arguments.patch
+ata-sata_rcar-disable-dipm-mode-for-r8a7790-es1.patch
+nfs-fix-pnfs-direct-write-memory-leak.patch
+correct-the-race-condition-in-aarch64_insn_patch_text_sync.patch
+scsi-only-re-lock-door-after-eh-on-devices-that-were-reset.patch
+parisc-use-compat-layer-for-msgctl-shmat-shmctl-and-semtimedop-syscalls.patch
+block-fix-computation-of-merged-request-priority.patch